Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) On ESXi infrastructure, adversaries may exploit exposed OpenSLP services; they may alternatively exploit exposed VMware vCenter servers.(Citation: Recorded Future ESXiArgs Ransomware 2023)(Citation: Ars Technica VMWare Code Execution Vulnerability 2021) Depending on the flaw being exploited, this may also involve Exploitation for Stealth or Exploitation for Client Execution.
If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs (e.g., via the Cloud Instance Metadata API), exploit container host access via Escape to Host, or take advantage of weak identity and access management policies.
Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar)
For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)
Mitigations (8)
Application Isolation and Sandboxing (M1048)
Application isolation will limit what other processes and system features the exploited target can access.
Filter Network Traffic (M1037)
Restrict outbound network traffic from public-facing servers to prevent unauthorized connections from initiating communications with attacker-controlled infrastructure. While this may not prevent the initial exploitation, it limits the attacker's ability to verify and control the compromised server post-exploit, reducing the overall impact of the attack.
Network Segmentation (M1030)
Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.
Vulnerability Scanning (M1016)
Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure.(Citation: OWASP Top 10)
Privileged Account Management (M1026)
Using least privilege for service accounts will limit what permissions the exploited process gets on the rest of the system.
Exploit Protection (M1050)
Web Application Firewalls may be used to limit exposure of applications to prevent exploit traffic from reaching the application.
Limit Access to Resource Over Network (M1035)
Ensure that all publicly exposed services are actually intended to be so, and restrict access to any that should only be available internally.
Update Software (M1051)
Update software regularly by employing patch management for externally exposed applications.
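As an added example (not part of the ATT&CK entry or of any MITRE tooling), the following script implements the check behind Limit Access to Resource Over Network: it parses `ss -lntu`-style socket listings and reports every externally bound listener whose protocol and port are not on an intended-exposure allowlist. The socket listing and the allowlist are constructed sample data, and the standard `ss` column layout is assumed.

```python
"""Audit listening sockets against an intended-exposure allowlist (added example,
not from the ATT&CK page). Implements the check behind Limit Access to Resource
Over Network: parse `ss -lntu`-style output and report every socket bound to a
non-loopback address whose (protocol, port) is not on the allowlist."""
import ipaddress

# Constructed sample output in the layout of `ss -H -lntu` (no header line):
# Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0 511  *:443             *:*
tcp   LISTEN 0 70   127.0.0.1:3306    0.0.0.0:*
tcp   LISTEN 0 128  [::]:445          [::]:*
udp   UNCONN 0 0    0.0.0.0:161       0.0.0.0:*
udp   UNCONN 0 0    [::1]:323         [::]:*
tcp   LISTEN 0 128  10.0.1.5:427      0.0.0.0:*
"""

# Constructed allowlist: only these (protocol, port) pairs should face the Internet.
INTENDED_PUBLIC = {("tcp", 22), ("tcp", 443)}

def split_host_port(local):
    """Split ss's Local Address:Port column into (host, port); strips IPv6 brackets."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)

def is_externally_bound(host):
    """True when the bind address is reachable from beyond the host itself."""
    if host == "*":  # wildcard bind as printed by ss
        return True
    return not ipaddress.ip_address(host).is_loopback

def audit_listeners(ss_output, intended_public):
    """Return sorted (proto, host, port) tuples that are exposed but not intended."""
    unexpected = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, host, port = fields[0], *split_host_port(fields[4])
        if is_externally_bound(host) and (proto, port) not in intended_public:
            unexpected.add((proto, host, port))
    return sorted(unexpected)

if __name__ == "__main__":
    for proto, host, port in audit_listeners(SAMPLE_SS_OUTPUT, INTENDED_PUBLIC):
        print(f"unexpected exposure: {proto}/{port} bound to {host}")
```

Run against real `ss -H -lntu` output, each reported line is either a service to firewall off or an entry to add to the allowlist after someone confirms it is meant to be public.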
Threat Groups (44)
| ID | Group | Context |
|---|---|---|
| G0106 | Rocke | [Rocke](https://attack.mitre.org/groups/G0106) exploited Apache Struts, Oracle WebLogic (CVE-2017-10271), and Adobe ColdFusion (CVE-2017-3066) vulnera... |
| G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has exploited the Microsoft SharePoint vulnerability CVE-2019-0604 and CVE-2021-26855, CVE-... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has compromised targeted organizations through exploitation of CVE-2021-31207 in Exchange.(Citation: Mic... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has gained initial access through exploitation of multiple vulnerabilities in internet-facing so... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has exploited public facing vulnerabilities within victim environments to include SharePoint C... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) exploits public-facing applications for initial access and to acquire infrastructure, such as e... |
| G0007 | APT28 | [APT28](https://attack.mitre.org/groups/G0007) has used a variety of public exploits, including CVE 2020-0688 and CVE 2020-17144, to gain execution on... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has exploited various vulnerabilities for initial access, including Microsoft Exchange vulnerability ... |
| G1003 | Ember Bear | [Ember Bear](https://attack.mitre.org/groups/G1003) gains initial access to victim environments by exploiting external-facing services. Examples inclu... |
| G0135 | BackdoorDiplomacy | [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) has exploited CVE-2020-5902, an F5 BIP-IP vulnerability, to drop a Linux backdoor. [Backdoo... |
| G0115 | GOLD SOUTHFIELD | [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) has exploited Oracle WebLogic vulnerabilities for initial compromise.(Citation: Secureworks R... |
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has exploited known vulnerabilities such as CVE-2017-1000486 (Primefaces Application Expression Languag... |
| G0098 | BlackTech | [BlackTech](https://attack.mitre.org/groups/G0098) has exploited a buffer overflow vulnerability in Microsoft Internet Information Services (IIS) 6.0,... |
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has exploited the Log4j utility (CVE-2021-44228), on-premises MS Exchange servers via "ProxyShell... |
| G1051 | Medusa Group | [Medusa Group](https://attack.mitre.org/groups/G1051) has leveraged public facing vulnerabilities in their campaigns against victim organizations to g... |
| G1041 | Sea Turtle | [Sea Turtle](https://attack.mitre.org/groups/G1041) gained access to victim environments by exploiting multiple known vulnerabilities over several cam... |
| G1053 | Storm-0501 | [Storm-0501](https://attack.mitre.org/groups/G1053) has exploited N-day vulnerabilities associated with public facing services to gain initial access ... |
| G0117 | Fox Kitten | [Fox Kitten](https://attack.mitre.org/groups/G0117) has exploited known vulnerabilities in Fortinet, PulseSecure, and Palo Alto VPN appliances.(Citati... |
| G1021 | Cinnamon Tempest | [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) has exploited multiple unpatched vulnerabilities for initial access including vulnerabilitie... |
| G1043 | BlackByte | [BlackByte](https://attack.mitre.org/groups/G1043) exploited vulnerabilities such as ProxyLogon and ProxyShell for initial access to victim environmen... |
Associated Software (8)
| ID | Name | Type | Context |
|---|---|---|---|
| S0623 | Siloscape | Malware | [Siloscape](https://attack.mitre.org/software/S0623) is executed after the attacker gains initial access to a Windows container using a known vulnerab... |
| S0225 | sqlmap | Tool | [sqlmap](https://attack.mitre.org/software/S0225) can be used to automate exploitation of SQL injection vulnerabilities.(Citation: sqlmap Introduction... |
| S0516 | SoreFang | Malware | [SoreFang](https://attack.mitre.org/software/S0516) can gain access by exploiting a Sangfor SSL VPN vulnerability that allows for the placement and de... |
| S0412 | ZxShell | Malware | [ZxShell](https://attack.mitre.org/software/S0412) has been dropped through exploitation of CVE-2011-2462, CVE-2013-3163, and CVE-2014-0322.(Citation:... |
| S1105 | COATHANGER | Malware | [COATHANGER](https://attack.mitre.org/software/S1105) is installed following exploitation of a vulnerable FortiGate device. (Citation: NCSC-NL COATHAN... |
| S1242 | Qilin | Malware | [Qilin](https://attack.mitre.org/software/S1242) has been delivered through exploitation of exposed applications and interfaces including Citrix and R... |
| S1184 | BOLDMOVE | Malware | [BOLDMOVE](https://attack.mitre.org/software/S1184) is associated with exploitation of CVE-2022-49475 in FortiOS.(Citation: Google Cloud BOLDMOVE 2023... |
| S0224 | Havij | Tool | [Havij](https://attack.mitre.org/software/S0224) is used to automate SQL injection.(Citation: Check Point Havij Analysis) |
References
- Christey, S., Brown, M., Kirby, D., Martin, B., & Paller, A. (2011, September 13). 2011 CWE/SANS Top 25 Most Dangerous Software Errors. Retrieved April 10, 2019.
- CIS. (2017, May 15). Multiple Vulnerabilities in Microsoft Windows SMB Server Could Allow for Remote Code Execution. Retrieved April 3, 2018.
- Goodin, D. (2021, February 25). Code-execution flaw in VMware has a severity rating of 9.8 out of 10. Retrieved April 8, 2025.
- Hoeffner, G., Soehnen, A., & Perez, G. (2023, February 7). ESXiArgs Ransomware Targets Publicly-Exposed ESXi OpenSLP Servers. Retrieved March 26, 2025.
- Greenberg, A. (2022, November 10). Russia’s New Cyberwarfare in Ukraine Is Fast, Dirty, and Relentless. Retrieved March 22, 2023.
- Marvi, A. et al. (2023, March 16). Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation. Retrieved March 22, 2023.
- National Vulnerability Database. (2017, February 2). CVE-2016-6662 Detail. Retrieved April 3, 2018.
- National Vulnerability Database. (2017, September 24). CVE-2014-7169 Detail. Retrieved April 3, 2018.
- Santos, O. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.
- OWASP. (2018, February 23). OWASP Top Ten Project. Retrieved April 3, 2018.
Frequently Asked Questions
What is T1190 (Exploit Public-Facing Application)?
T1190 is a MITRE ATT&CK technique named 'Exploit Public-Facing Application'. It belongs to the Initial Access tactic(s). Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfigur...
How can T1190 be detected?
Detection of T1190 (Exploit Public-Facing Application) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
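As an added example (not part of this page or of any MITRE tooling), the following code shows one concrete form of the endpoint telemetry detection described above: flagging process-creation events in which a web server worker such as `w3wp.exe` or `httpd` launches a command interpreter. The event records and the process-name lists are constructed assumptions.

```python
"""Flag command interpreters spawned by web server workers (added example, not
from the ATT&CK page). A public-facing web server process such as IIS w3wp.exe or
Apache httpd has no routine reason to launch a shell; when it does, that is a
high-signal indicator of post-exploitation following T1190."""

# Assumed process names of common Internet-facing web servers (lowercase, no path).
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd", "apache2", "nginx", "php-fpm", "tomcat"}
# Assumed interpreters whose launch from a web worker warrants an alert.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash", "python3"}

# Constructed process-creation events in a simplified EDR/Sysmon-like shape.
SAMPLE_EVENTS = [
    {"id": 1, "host": "web01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 2, "host": "web02", "parent": "/usr/sbin/httpd", "image": "/usr/bin/php-cgi"},
    {"id": 3, "host": "web02", "parent": "/usr/sbin/httpd", "image": "/bin/sh"},
    {"id": 4, "host": "ws07", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 5, "host": "web03", "parent": "/usr/sbin/NGINX", "image": "/usr/bin/Python3"},
]

def base_name(path):
    """Lowercase file name of a Windows or POSIX image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_web_spawned_shell(event):
    """True when a web server worker launched a command interpreter."""
    return (base_name(event["parent"]) in WEB_SERVER_PARENTS
            and base_name(event["image"]) in SHELLS)

def detect(events):
    """Return the ids of events that should raise a T1190 post-exploitation alert."""
    return [e["id"] for e in events if is_web_spawned_shell(e)]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        if is_web_spawned_shell(e):
            print(f"ALERT host={e['host']}: {base_name(e['parent'])} "
                  f"spawned {base_name(e['image'])}")
```

Legitimate CGI or build hooks on a given host can be excluded by extending the rule with a per-host allowlist of known parent/child pairs rather than by loosening the interpreter set.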
What mitigations exist for T1190?
There are 8 documented mitigations for T1190. Key mitigations include: Application Isolation and Sandboxing, Filter Network Traffic, Network Segmentation, Vulnerability Scanning, Privileged Account Management.
Which threat groups use T1190?
Known threat groups using T1190 include: Rocke, Threat Group-3390, FIN7, Volt Typhoon, VOID MANTICORE, Sandworm Team, APT28, Kimsuky.