Insights

For this vulnerability to be exploitable, the ImageMagick image processing library needs to be used to resize or add a text watermark to a user-uploaded file which was saved using a user-provided filename, or where the parameters for adding a watermark are user-controlled. File upload implementations that use a randomly generated filename before image resizing are not vulnerable.

This vulnerability is simple to exploit and we expect to see active exploitation soon. However, attackers will need to locate file upload functionality within your applications first which will be difficult to fully automate at scale, so mass exploitation is unlikely.

This is a critical remote code execution vulnerability in Sharepoint when used on-prem - Sharepoint for Microsoft 365 is not affected. It is a variant of a previous bug which, in combination with CVE-2025-53771, allows an unauthenticated attacker to use a deserialization vulnerability to run code on the server.

If you host a Sharepoint instance you should immediately apply the security update and review the advice on this Microsoft page. Paying particular attention to the sections describing how to rotate your Machine Key and detect if you were already compromised.

As there was a lag time between information on this vulnerability being available to attackers and the availability of the patch, there has been active exploitation of Sharepoint instances during this period.

We have deployed an active check (11am 22nd July) and set off an Emerging Threat Scan for all of our Enterprise customers. In addition, we are committing this to the public Nuclei templates repository so that you can check your systems via Intruder - or for free via Nuclei as soon as the request is merged.

This is a serious local privilege escalation vulnerability in the sudo tool, which is present on most Unix systems. You should update this as soon as possible if your version is less than 1.9.14.

Exploiting this vulnerability requires an attacker to have access to the machine already - so it's most serious in environments where lower-privileged users routinely have access to systems. However, all vulnerable systems should be patched.

This CVE references a Java Expression Language injection vulnerability in Ivanti EPMM, which allows a user with access to a particular API to execute arbitrary code.

In conjunction with CVE-2025-4427 - an auth bypass vulnerability which gives access to the API in question - this can be used by an unauthenticated attacker.

More information on exact vulnerable versions can be found here - you should patch immediately if vulnerable. Note that in the recommended deployment of EPMM, where the API is not accessible to the internet, the impact is reduced.

If caching is in use on this application, it is likely this can be used to poison the cache, causing the modified data to be shown to other users.

There is also potential to then use this for cross-site scripting, although, this would depend on how the data is processed by the client, and will not be the case for all applications.

In order for this application to be vulnerable, React Router must be used in Framework mode.

This vulnerability is caused by the installer for the application using a hardcoded value for the validation and decryption key (sometimes known as the machine keys). These values are the same for all instances created by the vulnerable installer, and so an attacker can find these keys for your instance very easily.

If an attacker possesses these keys, they can execute code of their choice on the server remotely using well-known methods.

Updating to the latest version will cause the keys to be regenerated to secret values.

This authentication bypass vulnerability in Next.js allows an attacker to bypass middleware validation steps such as checking the user is authorized to access a resource. The exploit is simple to use and could potentially be exploited en-masse, though some manual effort is likely to be required to identify routes that are not accessible without authentication.

The advisory states that deployments using next start and output: 'standalone' should be updated as a priority, and lists the affected versions.

Next.js is a full stack framework, and applications which are only using front-end elements of the framework will not be vulnerable. Additionally, popular WAFs like Cloudflare added detection rules for this exploit already, so there is also reduced risk for applications which are deployed behind a WAF with effective rules. However, WAFs should not be relied upon to protect against this weakness, as further research could reveal bypasses, or alternative routes to exploit the weakness.

Intruder reported this vulnerability to Octopus Deploy on Dec 3, 2024 and it was fixed fairly quickly, with patches available from Jan 14, 2025. The exploit is simple and discoverable by attackers with basic knowledge, so active exploitation is expected if you're running a vulnerable version. Impact is limited to active directory account names, emails and local AD usernames, but this information is highly useful to attackers mounting mass password spraying or phishing campaigns, making exploitation likely in a targeted attack scenario. Please see the advisory for affected versions and a patch.

The mitigations that were put in place following the previous authentication bypass (CVE-2024-0012) were incomplete. The authentication step for the management panel can be abused to change the order of processing requests between various underlying technologies (apache, nginx, PHP), resulting in an auth bypass. AssetNote released a technical breakdown of this vulnerability.

Palo Alto have released patches for the vulnerability, details are available here

This vulnerability affects the terminal console functionality within the Fortigate admin panel. It exploits a weakness in the WebSockets implementation and allows an unauthenticated attacker to create administrative accounts on the Fortinet device. watchTowr have released a technical post breaking the vulnerability down.

ArcticWolf have observed a handful of exploitations of this vulnerability in early December, where an unauthenticated threat actor has created administrative accounts and changed device configurations. They have listed a number of IoC's which can help with identifying any malicious activity on devices. Fortinet have also released similar IoC's for this vulnerability.

Fortinet have released patching information and their own IoC's here.

Intruder Premium customers will be checked for this weakness today (Jan 16th) and notified if they are vulnerable.

CVE-2025-21298 allows attackers to execute code by sending a malicious RTF email. The exploit triggers when the email is opened or previewed in an unpatched Outlook client, requiring no user interaction beyond viewing the message. To mitigate the risk, apply Microsoft's patch immediately, or as a temporary measure, disable RTF reading and configure Outlook to display emails in plain text.

Buffer Overflows such as this one require an advanced skillset, and time and knowledge to exploit. In addition, the exploit must be specific to the version that is targeted (as noted by Google Mandiant).

The recommendation is to fix according to your usual critical patching schedule, but prioritise over other criticals as this vulnerability has been added to the KEV list. That said, due to the complexities with this vulnerability class, we don't expect widespread exploitation.

Patching information has been released by Ivanti. However, the recommendation to use the ICT scanner by Ivanti appears to be flawed as pointed out by Google Mandiant. To help with detecting compromises, they have released YARA rules for this vulnerability.

SafeBreach published a writeup on January 1st which exploits a denial of service condition and attributes it to this CVE, but the original researcher that reported this bug to Microsoft disagrees

Though the full PoC being published does mean that attacks are more likely, the exploit for CVE-2024-49112 is not yet in the public domain, and so only highly resourced attack groups are likely to be able to exploit the RCE

CVE-2024-50623 can be exploited by an unauthenticated attacker to gain remote code execution on affected Cleo servers. Widespread exploitation has been observed. The vendor's advisory page is available here.

John Hammond at Huntress has released a technical article regarding this vulnerability, including a list of IOC's from live attacks in the wild. Originally it was believed that this patch was insufficient in fixing this CVE, due to ongoing exploitation against patched hosts. However, it seems that there is a second unauthenticated remote code execution vulnerability which does not carry a CVE currently. Further details regarding this unknown CVE can be found here.

The vulnerabilities CVE-2024-0012 and CVE-2024-9474 can be combined to allow for an unauthenticated attacker to gain command line access to the vulnerable device. Compromising a vulnerable device would allow an attacker to gain access to internal networks as these devices are designed to sit on the edge of networks.

The vulnerability is due to a misconfigured Nginx instance and a command injection vulnerability, both of which are exploitable in the devices default state. Watchtowr have released a technical blog post detailing the vulnerability and its exploitation.

Palo Alto have released patches and hotfixes for the PAN-OS vulnerabilities, details are available here and here.

The vulnerabilities CVE-2024-0012 and CVE-2024-9474 can be combined to allow for an unauthenticated attacker to gain command line access to the vulnerable device. Compromising a vulnerable device would allow an attacker to gain access to internal networks as these devices are designed to sit on the edge of networks.

The vulnerability is due to a misconfigured Nginx instance and a command injection vulnerability, both of which are exploitable in the devices default state. Watchtowr have released a technical blog post detailing the vulnerability and its exploitation.

Palo Alto have released patches and hotfixes for the PAN-OS vulnerabilities, details are available here and here.

This is a wormable vulnerability that is very easy to exploit and we expect imminent and automated exploitation of this vulnerability.

As for the pre-requisites, for the exploit to work, at least one user of the application needs to have "Two Factor Authentication" (2FA) enabled within Really Simple Security. As soon as the 2FA feature is enabled, an unauthenticated attacker can make a request to the vulnerable function and WordPress will return a valid session token for the victim.

A partial proof of concept has been released which does not work out of the box. However, due to how simple this vulnerability is, it requires little effort to get it working.

Although the exploit targets functionality predominantly used by deprecated browser Internet Explorer, exploitation is also possible if Microsoft Edge allows opening pages in IE mode. In this mode, Microsoft Edge makes use of the vulnerable MSHTML platform, but only when group policy is specifically configured to allow it.

Watchtowr have released a technical article about this vulnerability and its discovery. The details within the article, and poc video call into question the official vulnerability information released by Citrix.

The exploit chain used by Watchtowr relies on sending a HTTP request to the MSMQ which the vulnerable software utilises. By default, MSMQ doesn't operate over HTTP. However, Citrix have enabled a feature which will allow any host to directly communicate to it via HTTP. With this information and the evidence laid out by Watchtowr, it is clear that this is an attack in which an unauthenticated attacker can exploit a vulnerable instance remotely. Thus, this CVSS score should be in the high 9's.

What isn't certain is if the discrepancy in vulnerability details is down to the triager at Citrix not fully understanding the exploit chain, or if it is more malicious whereby another vendor is attempting to downplay the severity of a vulnerability within their software.

Following the release of the proof of concept on the 12th of November 2024, the Shadowserver foundation have witnessed attempts at exploitation.

Exploiting this vulnerability requires the attacker to execute a Man-in-the-Middle (MITM) attack, which is unlikely to be exploitable against the average user.

For an instance of FortiManager to be exploitable by this vulnerability (FortiJump), the FGFM protocol (tcp/541 or tcp/542 if using IPv6) needs to be exposed to the internet, either by the FortiManager instance or a FortiGate device which is connected to a vulnerable FortiManager instance. This is because the FGFM protocol can allow access to FortiManager devices which are behind NAT if a FortiGate product is exposed to the internet and has FGFM enabled.

FGFM needs to be enabled, this is now disabled by default following the patch for CVE-2024-23113.

Mandiant have a comprehensive article on this weakness, its use in the wild by threat actors, IOCs and mitigation strategies. Watchtowr have released a second blog explaining the full technical details of this attack. In this post Watchtowr outline how the original mitigations did not fully patch systems against this vulnerability.

Intruder customers can use the attack surface view to find out if they have port tcp/541 exposed to the internet.

The original fix which the developers implemented for CVE-2024-5932 was insufficient and did not cover all form fields such as "Company Name" which is used when a donation is made on behalf of a company.

The previous fix has now been extended to cover all fields that are submitted by a donations form.

In practice, exploitation of this vulnerability is nuanced, and not all vulnerable versions are exploitable due to requiring certificates which can only be configured by an administrator. As such, and as per this full writeup, the real-world risk is likely lower than its CVSS score suggests.

Fedora, Ubuntu, and Debian are the systems most at risk from the bug. It's found in the GNU C Library (glibc) in the GNU system, which is found in most systems running the Linux kernel.

More information is available in our blog post here.

Log4j is a remote code execution vulnerability, in the popular log4j package, which is everywhere.

More information is available in our blog post here.

The vulnerability that caused mass speculation online was downgraded to High following a secondary review from those involved with the OpenSSL project. This was due to a handful of limitations and modern system protections, which, when combined significantly reduce the likelihood of real world exploitation.

More information is available in our blog post here.

The NetScaler suite of products includes load balancing, firewall and VPN services, so one possible impact is compromised remote access to your private networks. NetScaler responds to certain requests by dumping memory back to the sender, which can contain access tokens for logged in users. The exploit is as bad as whatever you’ve given access to remotely through your NetScaler system. And because they're logged in sessions, MFA won't protect you.

More information is available in our blog post here.

This vulnerability affects applications using the CSLA.NET framework. It allows an attacker to execute code on the server if they are also able to upload a file to the server to a known location, for example if the application allows users to upload images.

More information is available in our blog post here.

The vulnerability affects Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, as well as all older versions. For an application to be fully vulnerable to the currently (13/04/2020) known vectors, a number of pre-requisites are required for the application to be vulnerable.

More information is available in our blog post here.

This vulnerability affects Progress MOVEit servers utilising SFTP and allows attackers to log in as any user if they can successfully guess their username. Depending on how MOVEit is configured, this could be a trivial step.

More information is available in our blog post here.

This vulnerability affects curl if you use curl proxy-resolver mode via a SOCKS5 proxy, and there is a clear path for attackers to control which server curl is pointing at, e.g. with untrusted user inputs on a public application.

More information is available in our blog post here.

This vulnerability affects Check Point Security Gateways. Active exploitation has been identified, and public proof of concepts have also been released.

More information is available in our blog post here.

The serious vulnerability affects a number of Palo Alto GlobalProtect devices which utilize device analytics. Active exploitation of this vulnerability has been witnessed by a number of organizations.

More information is available in our blog post here.

The attack is believed to be a nation-state level attack, and only the rogue developer and groups with which the compromised key has been shared would be able to gain access. As such, it is not likely to be widely exploited.

More information is available in our blog post here.

This vulnerability affects OpenSSH and could allow an attacker to execute commands on an affected device. The vulnerability is highly complex and has limitations which is likely to prevent widespread exploitation.

More information is available in our blog post here.

Following Palo Alto's announcement of several vulnerabilities in their configuration generation tool Expedition, Horizon released a technical breakdown. In addition to this, watchTowr also released a proof of concept for CVE-2024-9463.

These vulnerabilities are trivial to exploit pose a significant risk to Expedition, whether you expose this to the internet or not.

While this software is not commonly exposed to the internet, a significant risk still remains where an attacker can access the device from the same network as Expedition.

Following Palo Alto's announcement of several vulnerabilities in their configuration generation tool Expedition, Horizon released a technical breakdown. In addition to this, watchTowr also released a proof of concept for CVE-2024-9463.

These vulnerabilities are trivial to exploit pose a significant risk to Expedition, whether you expose this to the internet or not.

While this software is not commonly exposed to the internet, a significant risk still remains where an attacker can access the device from the same network as Expedition.

Following Palo Alto's announcement of several vulnerabilities in their configuration generation tool Expedition, Horizon released a technical breakdown. In addition to this, watchTowr also released a proof of concept for CVE-2024-9463.

These vulnerabilities are trivial to exploit pose a significant risk to Expedition, whether you expose this to the internet or not.

While this software is not commonly exposed to the internet, a significant risk still remains where an attacker can access the device from the same network as Expedition.

Following Palo Alto's announcement of several vulnerabilities in their configuration generation tool Expedition, Horizon released a technical breakdown. In addition to this, watchTowr also released a proof of concept for CVE-2024-9463.

These vulnerabilities are trivial to exploit pose a significant risk to Expedition, whether you expose this to the internet or not.

While this software is not commonly exposed to the internet, a significant risk still remains where an attacker can access the device from the same network as Expedition.

Following Palo Alto's announcement of several vulnerabilities in their configuration generation tool Expedition, Horizon released a technical breakdown. In addition to this, watchTowr also released a proof of concept for CVE-2024-9463.

These vulnerabilities are trivial to exploit pose a significant risk to Expedition, whether you expose this to the internet or not.

While this software is not commonly exposed to the internet, a significant risk still remains where an attacker can access the device from the same network as Expedition.

CVE-2024-29824

Unauthenticated SQL Injection & RCE in Ivanti EPM 2022 SU5 and prior, allowing attackers to gain full control over the EPM host.

This vulnerability has been actively exploited in the wild, so we strongly recommend patching as soon as possible.

If exploited, an attacker could use the compromised Ivanti EPM host to move laterally across the network, potentially targeting other infrastructure.

For detailed information and patch instructions, refer to the advisory available here

CVE-2024-45409

Attackers could leverage this vulnerability against a GitLab instance to push compromised builds or malicious updates to end users, causing widespread impact across the organization's supply chain.

The Ruby-SAML library used in GitLab versions <= 12.2 and 1.13.0 to 1.16.0 fails to properly verify SAML signatures. This vulnerability (CVE-2024-45409) allows a remote unauthenticated attacker to forge SAML responses, enabling unauthorized access to arbitrary gitlab accounts.

A patch and mitigations to prevent exploitation are available here