    Understanding Initial Access Exploits | Blog

By admin, April 16, 2026



    This knowledge base article will provide insight into:

    • Definition of an initial access exploit
    • Different types of techniques for gaining initial access
    • Examples of initial access exploits
    • Examples of a zero-day exploit attack
    • How attackers choose targets
    • Initial access exploit mitigations

    Initial access in cybersecurity refers to the stage where an attacker first gains unauthorized access to a target network or system. Using this entry point, they can launch additional malicious activities, like lateral movement or data theft.

    Attackers often gain initial access by exploiting operating system, software, and firmware vulnerabilities. The need for vendors and security researchers to publicly disclose and document vulnerabilities often makes it simple for threat actors to research and exploit the weaknesses.

Techniques, as represented in the MITRE ATT&CK Framework, offer insight into the different ways attackers can achieve their objectives. The eleven initial access techniques listed in the Framework are:

• Content Injection: Using compromised data transfer channels to insert malicious content into systems.
• Drive-by Compromise: Delivering exploit code to a user's browser during normal browsing so that simply visiting a website gives the attacker access.
• Exploit Public-Facing Application: Taking advantage of a vulnerable external-facing remote service, like a virtual private network (VPN) or web application, to reach internal enterprise resources.
• Hardware Additions: Introducing computer accessories, networking hardware, or other devices, like a thumb drive, that act as an initial attack vector.
• Phishing: Sending fake emails that appear legitimate to trick users into sharing credentials or downloading malicious code. Sub-techniques include Spearphishing Attachment, Spearphishing Link, Spearphishing via Service, and Spearphishing Voice.
• Replication Through Removable Media: Taking advantage of Autorun features to deploy malware when someone inserts the media into a system and executes it, often enabling threat actors to reach disconnected or air-gapped networks.
• Supply Chain Compromise: Manipulating products or product delivery mechanisms to compromise data or systems. Sub-techniques include Compromise Software Dependencies and Development Tools, Compromise Software Supply Chain, and Compromise Hardware Supply Chain.
• Trusted Relationship: Using a trusted third-party relationship with an established connection that may lack protection or receive less scrutiny.
• Valid Accounts: Obtaining and using leaked or stolen credentials of legitimate users to bypass the access controls organizations implement for remote access, like VPNs, Outlook Web Access, network devices, or remote desktop applications. Sub-techniques include Default Accounts, Domain Accounts, Local Accounts, and Cloud Accounts.
• Wi-Fi Networks: Connecting to a target organization's wireless networks, whether by exploiting open Wi-Fi networks or by using devices or valid account credentials.

A wide variety of vulnerabilities can be exploited by attackers for initial access. In some cases, security researchers provide Proof of Concept (PoC) exploits to help security and vulnerability management teams prioritize their remediation activities. These PoC exploits show how attackers could use a vulnerability to gain initial access. Examples include:

    BeyondTrust Privileged Remote Access & Remote Support CVE-2024-12356 and CVE-2025-1094

These vulnerabilities allow unauthenticated remote code execution (RCE) in BeyondTrust products. In this PoC exploit, researchers developed pcaps to demonstrate the potential risk impact of CVE-2025-1094, which was not listed in the Cybersecurity & Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog.

Researchers showed that attackers targeting vulnerable versions of WinZip can exploit this flaw to execute malicious MS Word documents or batch files.

This vulnerability has an Exploit Prediction Scoring System (EPSS) score in the 90th percentile, and NetScaler is mentioned eight times in the CISA KEV. The PoC leaks a session key and creates a super-admin account to show how attackers could compromise systems.

This vulnerability, listed in the CISA KEV, is triggered when a user extracts or previews a ZIP archive containing a malicious file. The PoC generates malicious payloads and demonstrates how to capture the resulting SMB authentication request.

This vulnerability enables unauthenticated attackers to trigger arbitrary user password resets that grant full account takeover. The PoC included an exploit, pcaps, Suricata and Snort rules, and GreyNoise, FOFA, Shodan, Censys, and ZoomEye queries.

A zero-day exploit occurs when threat actors use a previously unknown software vulnerability to gain unauthorized access to and control over systems before the manufacturer can deploy a security update. Zero-day exploits are especially useful for initial access, as defenders have few remediation options and there may be less security inspection than is typical for a known vulnerability.

In the first half of 2024, researchers identified 53 zero-day vulnerabilities with exploitation evidence available at or before the time anyone publicly disclosed them. Examples include:

Before the vulnerability was published, a post-authentication vulnerability affecting these routers enabled attackers to leverage the device's default credentials and perform unauthenticated remote command injection. When modifying the device's system time, attackers could use an OS command injection.

Before the vulnerability was published, an authentication bypass vulnerability affecting switches and routers enabled attackers to install implants on them. With privileged access, attackers could likely monitor network traffic, pivot into protected networks, and perform various man-in-the-middle (MitM) attacks.

Attackers typically conduct reconnaissance on an organization's people and technology stack to gather information about vulnerabilities, network misconfigurations, and key personnel. They may focus on a specific industry where organizations manage high-value sensitive data, like healthcare or financial services. They may also target specific geographic regions if they are politically motivated. Alternatively, tools such as Shodan or honeypots allow attackers to identify opportunistic targets.

    Many cybersecurity best practices are focused on stopping or limiting the impact of initial access. To mitigate the risk that attackers can gain or weaponize initial access, organizations should consider the following security controls:

• Multi-factor authentication (MFA): Leveraging authenticator apps or security challenge prompts at authentication time helps ensure users are who they claim to be when accessing critical resources.
• Principle of least privilege: Limit user access as precisely as possible so users can reach only the resources necessary for their job functions, mitigating the risk of unauthorized users moving laterally across systems.
• Secure software configurations: Change default credentials on commercial products and limit software and hardware functionality to what is needed.
• Vulnerability management: Identify vulnerabilities across devices, software, and firmware, then apply security updates or implement compensating controls as quickly as possible.
    • Detection and Response: Implement detections, like Suricata or YARA rules, and leverage detection and response systems across the network, endpoint, and cloud to alert security teams about potential incidents.

As an organization's attack surface expands, identifying anomalous and malicious activity becomes more difficult. With VulnCheck Exploit & Vulnerability Intelligence, security and vulnerability remediation teams gain access to a breadth of data that incorporates the NIST National Vulnerability Database (NVD) and the CISA Known Exploited Vulnerabilities (KEV) catalog, coupled with exploit intelligence that provides insight into real-world attacker activity.

With our Exploit Intelligence, which provides initial access intelligence, organizations can rapidly improve their vulnerability prioritization and remediation capabilities using data about public and commercial exploits, including reported exploitation, weaponized exploits, threat actors attributed to the vulnerability, ransomware campaigns using the vulnerability, and botnets attributed to the vulnerability.
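As an added example (not code from the article or from VulnCheck), the following Python sketches the prioritization described above and in the PoC section: ranking vulnerabilities by CISA KEV membership, EPSS percentile, exploit maturity (PoC, weaponized, reported exploited), and whether the affected service is public-facing. The records, weights, tier thresholds and CVE identifiers are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed sample records (placeholder CVE ids, not real KEV/EPSS data).
# Fields mirror the signals discussed in the article: CISA KEV membership,
# EPSS percentile, exploit maturity, and whether the exposure is public-facing.
@dataclass(frozen=True)
class Vuln:
    cve: str
    kev: bool               # listed in the CISA KEV catalog
    epss_percentile: float  # 0.0 - 1.0
    exploit: str            # "none" | "poc" | "weaponized" | "reported_exploited"
    external: bool          # reachable from the internet (initial access path)

# Assumed weights, ordered from no public exploit to observed exploitation.
EXPLOIT_WEIGHT = {"none": 0, "poc": 2, "weaponized": 4, "reported_exploited": 5}

def score(v: Vuln) -> int:
    """Higher score means remediate sooner."""
    s = EXPLOIT_WEIGHT[v.exploit]
    if v.kev:
        s += 5  # known exploited in the wild
    if v.epss_percentile >= 0.90:
        s += 3  # e.g. the NetScaler case above sits in the 90th percentile
    elif v.epss_percentile >= 0.50:
        s += 1
    if v.external:
        s += 4  # Exploit Public-Facing Application exposure
    return s

def tier(s: int) -> str:
    """Map a score to a remediation tier (thresholds are assumptions)."""
    if s >= 12:
        return "emergency"    # patch now or isolate the service
    if s >= 8:
        return "this_cycle"   # patch in the current maintenance window
    return "backlog"          # track; compensating controls acceptable

def prioritize(vulns):
    """Return (cve, score, tier) tuples, highest priority first."""
    ranked = sorted(vulns, key=lambda v: (-score(v), v.cve))
    return [(v.cve, score(v), tier(score(v))) for v in ranked]

SAMPLE = [
    Vuln("CVE-0000-0001", kev=False, epss_percentile=0.20, exploit="none", external=False),
    Vuln("CVE-0000-0002", kev=True, epss_percentile=0.95, exploit="weaponized", external=True),
    Vuln("CVE-0000-0003", kev=False, epss_percentile=0.92, exploit="poc", external=True),
    Vuln("CVE-0000-0004", kev=True, epss_percentile=0.40, exploit="reported_exploited", external=False),
]
```

Running `prioritize(SAMPLE)` places the KEV-listed, weaponized, internet-facing record first; an internal host with a KEV-listed flaw still outranks an external host with only a PoC, which is the point of folding exploit intelligence into the ranking rather than relying on EPSS alone.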
