Exploiting vulnerabilities
Which techniques are used to exploit vulnerabilities?
We have analyzed each CVE to identify the MITRE ATT&CK Enterprise techniques it enables or facilitates. These charts show the distribution of attack tactics and techniques across 16,700 annotated CVEs, their severity and exploit probability, and how actively-exploited vulnerabilities (CISA KEV) compare to the full set.
Last updated: 04 May 2026 04:03 UTC
Tactics & Techniques
How are vulnerabilities linked to tactics and techniques?
→ Click any tactic bar to filter the technique list below it.
→ Click any technique bar to open its MITRE ATT&CK detail page in a new tab.
Technique Risk
Which techniques are used to exploit the most severe vulnerabilities?
→ Each bubble is one MITRE technique. Bubble size = CVE count. The upper-right quadrant (high CVSS, high EPSS) highlights techniques associated with the most severe and exploit-likely vulnerabilities.
→ Hover (or tap) any bubble for technique details.
Top 25 techniques by CVE count.
| ID | Name | Tactic | CVEs | Avg CVSS | Avg EPSS |
|---|---|---|---|---|---|
| T1190 | Exploit Public-Facing Application | Initial Access | 11,321 | 7.51 | 0.0222 |
| T1213.006 | Databases | Collection | 2,895 | 7.15 | 0.0076 |
| T1059.007 | JavaScript | Execution | 1,708 | 5.34 | 0.0065 |
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation | 1,550 | 7.75 | 0.0179 |
| T1505 | Server Software Component | Persistence | 1,205 | 6.64 | 0.0046 |
| T1499.004 | Application or System Exploitation | Impact | 1,147 | 6.85 | 0.0075 |
| T1539 | Steal Web Session Cookie | Credential Access | 971 | 5.74 | 0.0078 |
| T1203 | Exploitation for Client Execution | Execution | 843 | 7.79 | 0.0207 |
| T1210 | Exploitation of Remote Services | Lateral Movement | 739 | 8.11 | 0.0293 |
| T1059.004 | Unix Shell | Execution | 737 | 8.25 | 0.0516 |
| T1005 | Data from Local System | Collection | 700 | 7.40 | 0.0512 |
| T1505.003 | Web Shell | Persistence | 595 | 7.68 | 0.0422 |
| T1565.001 | Stored Data Manipulation | Impact | 387 | 7.18 | 0.0062 |
| T1555.003 | Credentials from Web Browsers | Credential Access | 372 | 5.47 | 0.0085 |
| T1552.001 | Credentials In Files | Credential Access | 360 | 7.17 | 0.0586 |
| T1059.008 | Network Device CLI | Execution | 311 | 7.80 | 0.0495 |
| T1083 | File and Directory Discovery | Discovery | 304 | 6.96 | 0.0658 |
| T1059 | Command and Scripting Interpreter | Execution | 292 | 8.01 | 0.0209 |
| T1185 | Browser Session Hijacking | Collection | 290 | 6.65 | 0.0072 |
| T1189 | Drive-by Compromise | Initial Access | 277 | 6.93 | 0.0121 |
| T1204.001 | Malicious Link | Execution | 276 | 6.97 | 0.0037 |
| T1202 | Indirect Command Execution | Stealth | 189 | 6.30 | 0.0419 |
| T1566.002 | Spearphishing Link | Initial Access | 185 | 6.63 | 0.0058 |
| T1105 | Ingress Tool Transfer | Command And Control | 183 | 7.21 | 0.0441 |
| T1046 | Network Service Discovery | Discovery | 180 | 6.91 | 0.0182 |
KEV Tactics
KEV Techniques
Top 25 techniques by KEV count, sorted by KEV count descending. Tap any column header to re-sort.
| ID | Name | KEV count | All count | KEV % | All % | Ratio |
|---|---|---|---|---|---|---|
| T1190 | Exploit Public-Facing Application | 94 | 11,450 | 54.7% | 68.56% | 0.8× |
| T1068 | Exploitation for Privilege Escalation | 37 | 1,568 | 21.5% | 9.39% | 2.3× |
| T1203 | Exploitation for Client Execution | 22 | 872 | 12.8% | 5.22% | 2.4× |
| T1005 | Data from Local System | 14 | 729 | 8.1% | 4.37% | 1.9× |
| T1059.004 | Unix Shell | 12 | 740 | 7.0% | 4.43% | 1.6× |
| T1210 | Exploitation of Remote Services | 12 | 747 | 7.0% | 4.47% | 1.6× |
| T1189 | Drive-by Compromise | 10 | 280 | 5.8% | 1.68% | 3.5× |
| T1505.003 | Web Shell | 6 | 601 | 3.5% | 3.60% | 1.0× |
| T1083 | File and Directory Discovery | 5 | 327 | 2.9% | 1.96% | 1.5× |
| T1195.002 | Compromise Software Supply Chain | 5 | 43 | 2.9% | 0.26% | 11.3× |
| T1552.001 | Credentials In Files | 5 | 379 | 2.9% | 2.27% | 1.3× |
| T1078.001 | Default Accounts | 4 | 129 | 2.3% | 0.77% | 3.0× |
| T1136.001 | Local Account | 4 | 60 | 2.3% | 0.36% | 6.5× |
| T1187 | Forced Authentication | 4 | 11 | 2.3% | 0.07% | 35.3× |
| T1212 | Exploitation for Credential Access | 4 | 177 | 2.3% | 1.06% | 2.2× |
| T1059 | Command and Scripting Interpreter | 3 | 309 | 1.7% | 1.85% | 0.9× |
| T1059.006 | Python | 3 | 134 | 1.7% | 0.80% | 2.2× |
| T1059.008 | Network Device CLI | 3 | 311 | 1.7% | 1.86% | 0.9× |
| T1105 | Ingress Tool Transfer | 3 | 191 | 1.7% | 1.14% | 1.5× |
| T1204.002 | Malicious File | 3 | 137 | 1.7% | 0.82% | 2.1× |
| T1211 | Exploitation for Stealth | 3 | 130 | 1.7% | 0.78% | 2.2× |
| T1611 | Escape to Host | 3 | 25 | 1.7% | 0.15% | 11.7× |
| T1003 | OS Credential Dumping | 2 | 7 | 1.2% | 0.04% | 27.7× |
| T1016 | System Network Configuration Discovery | 2 | 9 | 1.2% | 0.05% | 21.6× |
| T1041 | Exfiltration Over C2 Channel | 2 | 19 | 1.2% | 0.11% | 10.2× |