Vulncheck Kev

API / Schema

Integrate with VulnCheck KEV using an open API / JSON schema that is easy to follow.

VulnCheck provides VulnCheck KEV as a Community service, helping provide timely visibility into known exploited vulnerabilities. The service is available using the VulnCheck community dashboard, API endpoint and machine readable JSON.

VulnCheck KEV API

curl --request GET \
    --url https://api.vulncheck.com/v3/backup/vulncheck-kev \
    --header 'Accept: application/json' \
    --header 'Authorization: Bearer insert_token_here'

JSON Schema

VulnCheck KEV has an easy to follow schema, which is made up of strings, arrays of strings, and times (as well as objects including these data types).

Included below is an example VulnCheck KEV record with every field filled out. Included further below are the data structures for parsing this JSON object in the Go programming language.

Example VulnCheck KEV entry

Below is an example complete record for VulnCheck KEV, with all fields filled out.

  {
    "vendorProject": "ZK Framework",
    "product": "AuUploader",
    "shortDescription": "ZK Framework AuUploader servlets contain an unspecified vulnerability that could allow an attacker to retrieve the content of a file located in the web context. The ZK Framework is an open-source Java framework. This vulnerability can impact multiple products, including but not limited to ConnectWise R1Soft Server Backup Manager.",
    "vulnerabilityName": "ZK Framework AuUploader Unspecified Vulnerability",
    "required_action": "Apply updates per vendor instructions.",
    "knownRansomwareCampaignUse": "Known",
    "cve": [
      "CVE-2022-36537"
    ],
    "vulncheck_xdb": [
      {
        "xdb_id": "0508bf2f3fce",
        "xdb_url": "https://vulncheck.com/xdb/0508bf2f3fce",
        "date_added": "2022-12-09T11:29:26Z",
        "exploit_type": "initial-access",
        "clone_ssh_url": "git@github.com:agnihackers/CVE-2022-36537-EXPLOIT.git"
      },
      {
        "xdb_id": "5ba33e292bd5",
        "xdb_url": "https://vulncheck.com/xdb/5ba33e292bd5",
        "date_added": "2022-12-09T14:15:52Z",
        "exploit_type": "initial-access",
        "clone_ssh_url": "git@github.com:Malwareman007/CVE-2022-36537.git"
      }
    ],
    "vulncheck_reported_exploitation": [
      {
        "url": "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json",
        "date_added": "2023-02-27T00:00:00Z"
      },
      {
        "url": "https://www.fortinet.com/blog/threat-research/lockbit-most-prevalent-ransomware",
        "date_added": "2023-07-10T00:00:00Z"
      },
      {
        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
        "date_added": "2023-10-12T00:00:00Z"
      },
      {
        "url": "https://blog.fox-it.com/2023/02/22/from-backup-to-backdoor-exploitation-of-cve-2022-36537-in-r1soft-server-backup-manager/",
        "date_added": "2023-02-22T00:00:00Z"
      },
      {
        "url": "https://www.rapid7.com/blog/post/2023/03/01/etr-active-exploitation-of-zk-framework-cve-2022-36537/",
        "date_added": "2023-03-01T00:00:00Z"
      },
      {
        "url": "https://information.rapid7.com/rs/411-NAK-970/images/Rapid7-2023-Mid-Year-Threat-Review.pdf",
        "date_added": "2023-08-17T00:00:00Z"
      }
    ],
    "dueDate": "2023-03-20T00:00:00Z",
    "cisa_date_added": "2023-02-27T00:00:00Z",
    "date_added": "2023-02-22T00:00:00Z"
  }

Example data structures for VulnCheck KEV

Below are example data structures for marshalling or unmarshalling VulnCheck KEV data structures.

type VulnCheckKEV struct {
    VendorProject              string `json:"vendorProject"`
    Product                    string `json:"product"`
    Description                string `json:"shortDescription"`
    Name                       string `json:"vulnerabilityName"`
    RequiredAction             string `json:"required_action"`
    KnownRansomwareCampaignUse string `json:"knownRansomwareCampaignUse"`

    CVE []string `json:"cve"`

    VulnCheckXDB                  []XDB             `json:"vulncheck_xdb"`
    VulnCheckReportedExploitation []ReportedExploit `json:"vulncheck_reported_exploitation"`

    DueDate       *time.Time `json:"dueDate,omitempty"`
    CisaDateAdded *time.Time `json:"cisa_date_added,omitempty"`
    DateAdded     time.Time  `json:"date_added"`
}

type ReportedExploit struct {
    Url       string    `json:"url"`
    DateAdded time.Time `json:"date_added"`
}

type XDB struct {
    XDBID       string    `json:"xdb_id"`
    XDBURL      string    `json:"xdb_url"`
    DateAdded   time.Time `json:"date_added"`
    ExploitType string    `json:"exploit_type"`
    CloneSSHURL string    `json:"clone_ssh_url"`
}

Coverage Criteria

Only vulnerabilities reported to have been exploited in the wild are included in VulnCheck KEV.

Attribution Notice

Leveraging VulnCheck KEV and the data in it, in your own production, solution, or service, is easy to do at no additional cost, but requires prominent attribution to VulnCheck.