Report: exploit

Description

Get a specific exploit intelligence report (CVE, exploit kit, zero-day activity, etc.) by its report ID.

The request is an HTTP GET and accepts:

  • doc_id (path) — string identifier of the exploit report document

  • lang (query, optional) — language code for localized narrative fields when available.

No request body is required.

Response

The response is a single JSON object: the exploit intelligence report document, including the exploit details.

Core response fields typically include:

  • m_title — exploit or module title

  • m_url — direct URL for the exploit/module page

  • m_base_url — base URL of the publishing site or contact page

  • m_content — normalized exploit description or short text body

  • m_important_content — key snippet or short summary emphasizing the exploit name or purpose

  • m_network — network type of the source, typically clearnet

  • m_content_type — internal labels such as cve, exploit, poc

  • m_weblink — list of additional URLs related to the exploit (e.g. source code or commits)

  • content_type — high-level classification tags used by other modules

  • m_name — author or contributor information

  • m_code_snippet — list of code or command snippets showing usage of the exploit

  • m_platform — list of affected or supported platforms

  • m_scrap_file — internal scraper identifier or file prefix

  • m_domain — domains related to the exploit content and references

  • m_hash — internal hash for this document, used for deduplication and correlation

  • m_update_date — last time the document was updated in the system

  • m_creation_date — first time the document was created/ingested into the system

Depending on the source and context, additional enrichment fields may be present, such as CVE identifiers, threat actor information or extended narrative text.

Example response:

{
  "m_title": "Windows Registry Only Persistence",
  "m_url": "https://www.rapid7.com/db/modules/exploit/windows/persistence/registry/",
  "m_base_url": "https://www.rapid7.com/contact/",
  "m_content": "Windows Registry Only Persistence",
  "m_important_content": "Windows Registry Only Persistence",
  "m_network": "clearnet",
  "m_content_type": ["cve"],
  "m_weblink": [
    "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/persistence/registry.rb",
    "https://github.com/rapid7/metasploit-framework/commits/master//modules/exploits/windows/persistence/registry.rb"
  ],
  "content_type": ["persistence"],
  "m_name": "Donny Maasland donny.maasland@fox-it.com,h00die",
  "m_code_snippet": [
    "msf > use exploit/windows/persistence/registry\n\n    msf exploit(registry) > show targets\n\n        ...targets...\n\n    msf exploit(registry) > set TARGET < target-id >\n\n    msf exploit(registry) > show options\n\n        ...show and set options...\n\n    msf exploit(registry) > exploit"
  ],
  "m_platform": ["Windows"],
  "m_scrap_file": "_rapid7",
  "m_domain": [
    "github.com",
    "rapid7.com",
    "rapid7.com/contact"
  ],
  "m_hash": "6c88d95f4d98b5c95f65a79da548fd5c3b33d6ac319790c33630dc2f2d869019",
  "m_update_date": "2025-10-28T18:09:14.512739+00:00",
  "m_creation_date": "2025-10-28T18:09:14.516589+00:00"
}

Additionally, the response may include automatically extracted indicators of compromise (IOCs). Only indicators that are actually found in the underlying content are returned; IOC fields with no data are omitted from the response.

Supported IOC / enrichment fields:

  • m_phone_number — Phone Numbers

  • m_email — Emails

  • m_domain — Domains

  • m_country — Country

  • m_url — URLs

  • m_cve — CVE & CWE

  • m_ip — IP Addresses

  • m_yara_rule — YARA Rules

  • m_encoded_urls — Encoded URLs

  • m_file_paths — File Paths

  • m_credit_card — Credit Cards

  • m_org — Organizations

  • m_company_name — Company Names

  • m_person — Persons

  • m_location — Locations

  • m_language — Languages

  • m_user_agents — User Agents

  • m_asns — ASNs

  • m_team — Teams

  • m_hashtag — Hashtags

  • m_mention — Mentions

  • m_social_media_profiles — Social Media Profiles

  • m_currencies — Currencies

  • m_crypto_address — Crypto Addresses

  • m_xmpp_addresses — XMPP Addresses

  • m_enterprise_attack_tactics — Enterprise ATT&CK Tactics

  • m_enterprise_attack_techniques — Enterprise ATT&CK Techniques

  • m_document_id — Document IDs

  • m_au_abn — Australian IDs

  • m_us_passport — US IDs

  • m_us_bank_number — US Bank Numbers

  • m_platform — Platform

  • m_author — Author

  • m_industry — Industry

  • m_scrap_file — Scrap Script
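One way a consumer could normalize this response before feeding it to an enrichment or detection pipeline, as an added example that is not code from the API provider. The function names and the subset of fields in `IOC_FIELDS` are assumptions; `SAMPLE` is a trimmed copy of the example response above.

```python
# Added example, not the API provider's code; helper names are hypothetical.
import json
from datetime import datetime

# Subset of the field names listed on this page; which ones to track is an assumption.
IOC_FIELDS = ("m_domain", "m_url", "m_email", "m_ip", "m_cve", "m_platform")

# Trimmed copy of the example response on this page.
SAMPLE = json.loads("""{
  "m_url": "https://www.rapid7.com/db/modules/exploit/windows/persistence/registry/",
  "m_platform": ["Windows"],
  "m_domain": ["github.com", "rapid7.com", "rapid7.com/contact"],
  "m_hash": "6c88d95f4d98b5c95f65a79da548fd5c3b33d6ac319790c33630dc2f2d869019",
  "m_update_date": "2025-10-28T18:09:14.512739+00:00",
  "m_creation_date": "2025-10-28T18:09:14.516589+00:00"
}""")

def as_list(value):
    """Normalize a field to a list: the sample has m_url as a string, m_domain as a list."""
    if isinstance(value, list):
        return [str(v) for v in value if v not in (None, "")]
    return [] if value in (None, "") else [str(value)]

def extract_indicators(report):
    """Return {field: sorted unique values}; fields the API omitted are simply absent."""
    found = {}
    for field in IOC_FIELDS:
        values = sorted(set(as_list(report.get(field))))
        if values:
            found[field] = values
    return found

def last_seen(report):
    """Latest of the two timestamps (in the sample, the update date is the earlier one)."""
    stamps = [datetime.fromisoformat(report[k])
              for k in ("m_update_date", "m_creation_date") if report.get(k)]
    return max(stamps) if stamps else None

def dedupe(reports):
    """One document per m_hash, newest copy wins; documents without m_hash are skipped."""
    def seen_key(r):
        ts = last_seen(r)
        return ts.timestamp() if ts else float("-inf")
    newest = {}
    for r in reports:
        key = r.get("m_hash")
        if key and (key not in newest or seen_key(r) > seen_key(newest[key])):
            newest[key] = r
    return list(newest.values())
```

Treat `m_code_snippet` and the URL fields as untrusted text: store and display them, but do not execute or fetch them automatically.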