cPanel is a very popular hosting framework which is often very difficult to avoid exposing to the internet. The exploit for this weakness gives the attacker root access to cPanel (and from there easy RCE on the system), and the exploit is reliable, well documented, and affects all versions of cPanel except the latest patch. There are well over a million hosts exposed, and though cPanel does have some automated self-upgrade functionality, it can be turned off, and the window before an upgrade (usually up to 24h) is long enough for an attacker to have already exploited this weakness. cPanel have provided a script you can use to detect if compromise has already occurred, which can be found here.
Insights
The latest vulnerability intelligence on critical CVEs from the Intruder Security Team.
- Link to CVE page
CVE-2026-41940
critical 9.3
Exploit known
Intruder Insights
Updated Apr 30, 2026
- Link to CVE page
CVE-2026-1340
critical 9.8
Exploit known
Intruder Insights
Updated Jan 30, 2026
This and the similar vulnerability CVE-2026-1281 allow an unauthenticated attacker to execute code remotely on unpatched Ivanti EPMM instances.
A patch is available from Ivanti here and should be installed immediately. There is a page for defenders who need to check if their instance has been compromised here, though this is a work in progress.
Note that this is a temporary patch which will be removed with further version updates. If you update the version of your EPMM instance after patching, you must apply the patch again. A fully patched version of EPMM will be available in future which will permanently fix the vulnerability.
This vulnerability was known to be used in the wild before being disclosed by the vendor. Proof of concept code is now available publicly, so increased attack activity is expected.
- Link to CVE page
CVE-2026-1281
critical 9.8
Exploit known
Intruder Insights
Updated Jan 30, 2026
This and the similar vulnerability CVE-2026-1340 allow an unauthenticated attacker to execute code remotely on unpatched Ivanti EPMM instances.
A patch is available from Ivanti here and should be installed immediately. There is a page for defenders who need to check if their instance has been compromised here, though this is a work in progress.
Note that this is a temporary patch which will be removed with further version updates. If you update the version of your EPMM instance after patching, you must apply the patch again. A fully patched version of EPMM will be available in future which will permanently fix the vulnerability.
This vulnerability was known to be used in the wild before being disclosed by the vendor. Proof of concept code is now available publicly, so increased attack activity is expected.
- Link to CVE page
CVE-2025-14847
high 8.7
Exploit known
Intruder Insights
Updated Dec 29, 2025
This is a serious vulnerability which allows an unauthenticated remote attacker to retrieve information from MongoDB's memory. A proof-of-concept is available to the public.
Similar to other heap disclosure vulnerabilities such as Heartbleed, the impact of exploitation will vary depending on the information an attacker is able to obtain from the heap. However, it is quite likely that the leaked memory will contain credentials or other sensitive information, especially as attackers learn more about the vulnerability and use it more effectively.
Regardless of patch status, MongoDB should not be exposed to the internet and access should be restricted by a firewall or similar controls. You should also apply the patch as soon as possible, to avoid the vulnerability being exploited internally.
- Link to CVE page
CVE-2025-55182
critical 10.0
Exploit known
Intruder Insights
Updated Dec 9, 2025
This vulnerability allows for code execution via a deserialisation vulnerability within the react-server-dom packages. This will affect React, Next.js and downstream projects which utilise these frameworks. AssetNote released a technical research post and detection technique which is effective at identifying unpatched instances, whereas full RCE chains may fail because WAFs heavily fingerprint those payloads and their bypasses. Vercel's CEO released a simple breakdown of the issue and how it works.
We have witnessed widespread exploitation activity for this vulnerability, especially to deploy an in-memory webshell. There have been some community efforts to detect exploitation activity; however, exploiting this vulnerability usually leaves little to no trace, which is difficult for defenders.
Patching immediately is the only effective strategy for dealing with this vulnerability.
- Link to CVE page
CVE-2025-64446
critical 9.8
Exploit known
Intruder Insights
Updated Nov 16, 2025
This exploit was picked up by Defused as early as October 2nd, where it was thought to be a variant of CVE-2022-40684. However, Fortinet have confirmed that this is a new vulnerability and have assigned this CVE to it. This vulnerability takes advantage of both a path traversal (/api/v2.0/cmdb/system/admin%3f/../../../../../cgi-bin/fwbcgi) and an auth bypass via the cookie CGIINFO. Fortinet offer little information within their disclosure, and until today there was no patching information, as mentioned within watchTowr's article. The infosec community has collated some IOCs which can be found here. This vulnerability has been actively exploited to create a new administrative user; any instances of FortiWeb that have exposed the web GUI to the internet should be considered compromised.
- Link to CVE page
CVE-2025-54236
critical 9.1
Exploit known
Intruder Insights
Updated Oct 23, 2025
This vulnerability is described as an account takeover, however there were rumours early on that this may be more significant.
Assetnote released a research article on the 22nd of October breaking down the vulnerability, highlighting that this is far more serious than Adobe have described. Ultimately, through the deserialization vulnerability, an attacker can gain code execution by creating a backdoor PHP file. In order to achieve that, the attacker must know, or be able to guess, the (e.g. default) installation path of Magento.
- Link to CVE page
CVE-2025-61882
critical 9.8
Exploit known
Intruder Insights
Updated Oct 14, 2025
While this vulnerability is significant, Oracle EBS should not be exposed to the internet due to the nature of the service and the sensitivity of the data housed within it.
Oracle have published articles in the past describing deployments that are internet-facing and rely upon Oracle WAF for protection, which is not best practice. This is directly contradicted by the official deployment documentation. The documentation acknowledges that this should not be exposed to the internet, and that if it needs to be, a bastion host should be used to access the instance (scenario 3).
Disappointingly, the UK's NCSC also mistakenly links to the poor quality article rather than the deployment documentation.
Our recommendation remains the same: Oracle EBS should not be exposed to the internet. Intruder's scanners report an attack surface risk as an issue if this panel is exposed.
- Link to CVE page
CVE-2025-11371
high 7.5
Exploit known
Intruder Insights
Updated Oct 13, 2025
Note that the public CVSS score for this vulnerability is too low - it has been scored as if it was a local vulnerability, when it can be exploited remotely.
This vulnerability is essentially a remote code execution vulnerability, as an attacker can use the LFI to obtain the Machine Key for the installation and then leverage this in the same way as a previous vulnerability discovered earlier in the year.
Attackers have knowledge of how to exploit this and there is no patch currently available. If you have an exposed instance, you must apply the mitigation discussed by Huntress in their post and consider that the server may be compromised.
- Link to CVE page
CVE-2025-49844
critical 9.9
Intruder Insights
Updated Oct 7, 2025
Authenticated access and the ability to run Lua scripts is required to exploit this vulnerability. However, all affected instances without authentication configured are vulnerable. Further details from the Redis team can be found here.
- Link to CVE page
CVE-2025-7775
critical 9.2
Exploit known
Intruder Insights
Updated Aug 28, 2025
As this vulnerability is known to have been exploited by real attackers, the patch should be applied immediately.
If you have a vulnerable device connected to the internet, as well as patching, it is important to check that the device was not already compromised.
NCSC-NL, the Dutch National Cybersecurity Centre, have produced a tool available here which can help with this. Note that despite being marked as for an older CVE, this script is also receiving updates to check for issues relating to CVE-2025-7775.
- Link to CVE page
CVE-2025-43300
critical 10.0
Exploit known
Intruder Insights
Updated Aug 26, 2025
Researchers have been analysing the patch and have been able to trigger the crash within the iOS JPEG lossless decompression within RawCamera.bundle. Some git repositories with the results of their analysis have been made public here and here.
According to Apple, this issue has been "exploited in an extremely sophisticated attack against specific targeted individuals". A vulnerability of this nature takes significant resources to develop. As such, it is extremely valuable to threat actors; some vulnerability brokers would pay up to $15 million for a working proof-of-concept for this type of attack. Therefore we can assume widespread exploitation has not happened, but with the progress researchers have been making it will only be a matter of time before that happens. Patches should be applied immediately.
- Link to CVE page
CVE-2025-54418
critical 9.8
Intruder Insights
Updated Jul 31, 2025
For this vulnerability to be exploitable, the ImageMagick image processing library needs to be used to resize or add a text watermark to a user-uploaded file which was saved using a user-provided filename, or where the parameters for adding a watermark are user-controlled. File upload implementations that use a randomly generated filename before image resizing are not vulnerable.
This vulnerability is simple to exploit and we expect to see active exploitation soon. However, attackers will need to locate file upload functionality within your applications first which will be difficult to fully automate at scale, so mass exploitation is unlikely.
- Link to CVE page
CVE-2025-53770
critical 9.8
Exploit known
Intruder Insights
Updated Jul 23, 2025
This is a critical remote code execution vulnerability in SharePoint when used on-prem; SharePoint for Microsoft 365 is not affected. It is a variant of a previous bug which, in combination with CVE-2025-53771, allows an unauthenticated attacker to use a deserialization vulnerability to run code on the server.
If you host a SharePoint instance you should immediately apply the security update and review the advice on this Microsoft page, paying particular attention to the sections describing how to rotate your Machine Key and detect if you were already compromised.
As there was a lag time between information on this vulnerability being available to attackers and the availability of the patch, there has been active exploitation of SharePoint instances during this period.
We have deployed an active check (11am 22nd July) and set off an Emerging Threat Scan for all of our Enterprise customers. In addition, we are committing this to the public Nuclei templates repository so that you can check your systems via Intruder - or for free via Nuclei as soon as the request is merged.
- Link to CVE page
CVE-2025-32463
critical 9.3
Exploit known
Intruder Insights
Updated Jul 2, 2025
This is a serious local privilege escalation vulnerability in the sudo tool, which is present on most Unix systems. You should update this as soon as possible if your version is less than 1.9.14. Exploiting this vulnerability requires an attacker to have access to the machine already, so it's most serious in environments where lower-privileged users routinely have access to systems. However, all vulnerable systems should be patched.
- Link to CVE page
CVE-2025-4428
high 7.2
Exploit known
Intruder Insights
Updated May 19, 2025
This CVE references a Java Expression Language injection vulnerability in Ivanti EPMM, which allows a user with access to a particular API to execute arbitrary code.
In conjunction with CVE-2025-4427 - an auth bypass vulnerability which gives access to the API in question - this can be used by an unauthenticated attacker.
More information on exact vulnerable versions can be found here - you should patch immediately if vulnerable. Note that in the recommended deployment of EPMM, where the API is not accessible to the internet, the impact is reduced.
- Link to CVE page
CVE-2025-43865
high 8.2
Intruder Insights
Updated Apr 28, 2025
If caching is in use on this application, it is likely this can be used to poison the cache, causing the modified data to be shown to other users.
There is also potential to then use this for cross-site scripting, although, this would depend on how the data is processed by the client, and will not be the case for all applications.
In order for this application to be vulnerable, React Router must be used in Framework mode.
- Link to CVE page
CVE-2025-30406
critical 9.0
Exploit known
Intruder Insights
Updated Apr 14, 2025
This vulnerability is caused by the installer for the application using a hardcoded value for the validation and decryption key (sometimes known as the machine keys). These values are the same for all instances created by the vulnerable installer, and so an attacker can find these keys for your instance very easily.
If an attacker possesses these keys, they can execute code of their choice on the server remotely using well-known methods.
Updating to the latest version will cause the keys to be regenerated to secret values.
- Link to CVE page
CVE-2025-29927
critical 9.1
Intruder Insights
Updated Mar 24, 2025
This authentication bypass vulnerability in Next.js allows an attacker to bypass middleware validation steps such as checking the user is authorized to access a resource. The exploit is simple to use and could potentially be exploited en masse, though some manual effort is likely to be required to identify routes that are not accessible without authentication.
The advisory states that deployments using next start and output: 'standalone' should be updated as a priority, and lists the affected versions. Next.js is a full stack framework, and applications which are only using front-end elements of the framework will not be vulnerable. Additionally, popular WAFs like Cloudflare have already added detection rules for this exploit, so there is also reduced risk for applications which are deployed behind a WAF with effective rules. However, WAFs should not be relied upon to protect against this weakness, as further research could reveal bypasses, or alternative routes to exploit the weakness.
- Link to CVE page
CVE-2025-0589
medium 6.9
Intruder Insights
Updated Feb 25, 2025
Intruder reported this vulnerability to Octopus Deploy on Dec 3, 2024 and it was fixed fairly quickly, with patches available from Jan 14, 2025. The exploit is simple and discoverable by attackers with basic knowledge, so active exploitation is expected if you're running a vulnerable version. Impact is limited to active directory account names, emails and local AD usernames, but this information is highly useful to attackers mounting mass password spraying or phishing campaigns, making exploitation likely in a targeted attack scenario. Please see the advisory for affected versions and a patch.
- Link to CVE page
CVE-2025-0108
high 8.8
Exploit known
Intruder Insights
Updated Feb 13, 2025
The mitigations that were put in place following the previous authentication bypass (CVE-2024-0012) were incomplete. The authentication step for the management panel can be abused to change the order in which requests are processed between the various underlying technologies (Apache, Nginx, PHP), resulting in an auth bypass. AssetNote released a technical breakdown of this vulnerability.
Palo Alto have released patches for the vulnerability; details are available here.
- Link to CVE page
CVE-2024-55591
critical 9.8
Exploit known
Intruder Insights
Updated Jan 29, 2025
This vulnerability affects the terminal console functionality within the Fortigate admin panel. It exploits a weakness in the WebSockets implementation and allows an unauthenticated attacker to create administrative accounts on the Fortinet device. watchTowr have released a technical post breaking the vulnerability down.
ArcticWolf have observed a handful of exploitations of this vulnerability in early December, where an unauthenticated threat actor created administrative accounts and changed device configurations. They have listed a number of IoCs which can help with identifying any malicious activity on devices. Fortinet have also released similar IoCs for this vulnerability.
Fortinet have released patching information and their own IoCs here.
Intruder Premium customers will be checked for this weakness today (Jan 16th) and notified if they are vulnerable.
- Link to CVE page
CVE-2025-21298
critical 9.8
Intruder Insights
Updated Jan 15, 2025
CVE-2025-21298 allows attackers to execute code by sending a malicious RTF email. The exploit triggers when the email is opened or previewed in an unpatched Outlook client, requiring no user interaction beyond viewing the message. To mitigate the risk, apply Microsoft's patch immediately, or as a temporary measure, disable RTF reading and configure Outlook to display emails in plain text.
- Link to CVE page
CVE-2025-0282
critical 9.0
Exploit known
Intruder Insights
Updated Jan 9, 2025
Buffer overflows such as this one require an advanced skillset, time and knowledge to exploit. In addition, the exploit must be specific to the version that is targeted (as noted by Google Mandiant).
The recommendation is to fix according to your usual critical patching schedule, but prioritise this over other criticals as the vulnerability has been added to the KEV list. That said, due to the complexities of this vulnerability class, we don't expect widespread exploitation.
Patching information has been released by Ivanti. However, the recommendation to use the ICT scanner by Ivanti appears to be flawed as pointed out by Google Mandiant. To help with detecting compromises, they have released YARA rules for this vulnerability.
- Link to CVE page
CVE-2024-49112
critical 9.8
Intruder Insights
Updated Jan 2, 2025
SafeBreach published a writeup on January 1st which exploits a denial of service condition and attributes it to this CVE, but the original researcher who reported this bug to Microsoft disagrees.
Though the full PoC being published does mean that attacks are more likely, the exploit for CVE-2024-49112 is not yet in the public domain, and so only highly resourced attack groups are likely to be able to exploit the RCE.
- Link to CVE page
CVE-2024-50623
critical 9.8
Exploit known
Intruder Insights
Updated Dec 10, 2024
CVE-2024-50623 can be exploited by an unauthenticated attacker to gain remote code execution on affected Cleo servers. Widespread exploitation has been observed. The vendor's advisory page is available here.
John Hammond at Huntress has released a technical article regarding this vulnerability, including a list of IOCs from live attacks in the wild. Originally it was believed that the patch was insufficient in fixing this CVE, due to ongoing exploitation against patched hosts. However, it seems that there is a second unauthenticated remote code execution vulnerability which does not currently carry a CVE. Further details regarding this second vulnerability can be found here.
- Link to CVE page
CVE-2024-9474
medium 6.9
Exploit known
Intruder Insights
Updated Nov 19, 2024
The vulnerabilities CVE-2024-0012 and CVE-2024-9474 can be combined to allow for an unauthenticated attacker to gain command line access to the vulnerable device. Compromising a vulnerable device would allow an attacker to gain access to internal networks as these devices are designed to sit on the edge of networks.
The vulnerability is due to a misconfigured Nginx instance and a command injection vulnerability, both of which are exploitable in the devices' default state. watchTowr have released a technical blog post detailing the vulnerability and its exploitation.
Palo Alto have released patches and hotfixes for the PAN-OS vulnerabilities, details are available here and here.
- Link to CVE page
CVE-2024-0012
critical 9.3
Exploit known
Intruder Insights
Updated Nov 19, 2024
The vulnerabilities CVE-2024-0012 and CVE-2024-9474 can be combined to allow for an unauthenticated attacker to gain command line access to the vulnerable device. Compromising a vulnerable device would allow an attacker to gain access to internal networks as these devices are designed to sit on the edge of networks.
The vulnerability is due to a misconfigured Nginx instance and a command injection vulnerability, both of which are exploitable in the devices' default state. watchTowr have released a technical blog post detailing the vulnerability and its exploitation.
Palo Alto have released patches and hotfixes for the PAN-OS vulnerabilities, details are available here and here.
- Link to CVE page
CVE-2024-10924
critical 9.8
Intruder Insights
Updated Nov 15, 2024
This is a wormable vulnerability that is very easy to exploit and we expect imminent and automated exploitation of this vulnerability.
As for the prerequisites: for the exploit to work, at least one user of the application needs to have "Two Factor Authentication" (2FA) enabled within Really Simple Security. As soon as the 2FA feature is enabled, an unauthenticated attacker can make a request to the vulnerable function and WordPress will return a valid session token for the victim.
A partial proof of concept has been released which does not work out of the box. However, due to how simple this vulnerability is, it requires little effort to get it working.
- Link to CVE page
CVE-2024-43451
medium 6.5
Exploit known
Intruder Insights
Updated Nov 14, 2024
Although the exploit targets functionality predominantly used by deprecated browser Internet Explorer, exploitation is also possible if Microsoft Edge allows opening pages in IE mode. In this mode, Microsoft Edge makes use of the vulnerable MSHTML platform, but only when group policy is specifically configured to allow it.
- Link to CVE page
CVE-2024-8069
medium 5.1
Exploit known
Intruder Insights
Updated Nov 13, 2024
watchTowr have released a technical article about this vulnerability and its discovery. The details within the article, and the PoC video, call into question the official vulnerability information released by Citrix.
The exploit chain used by watchTowr relies on sending an HTTP request to the MSMQ instance which the vulnerable software utilises. By default, MSMQ doesn't operate over HTTP. However, Citrix have enabled a feature which allows any host to communicate with it directly via HTTP. With this information and the evidence laid out by watchTowr, it is clear that this is an attack in which an unauthenticated attacker can exploit a vulnerable instance remotely. Thus, the CVSS score should be in the high 9s.
What isn't certain is whether the discrepancy in vulnerability details is down to the triager at Citrix not fully understanding the exploit chain, or whether it is more malicious, with another vendor attempting to downplay the severity of a vulnerability within their software.
Following the release of the proof of concept on the 12th of November 2024, the Shadowserver Foundation have witnessed attempts at exploitation.
- Link to CVE page
CVE-2024-51774
high 8.1
Intruder Insights
Updated Nov 5, 2024
Exploiting this vulnerability requires the attacker to execute a Man-in-the-Middle (MITM) attack, which is unlikely to be exploitable against the average user.
- Link to CVE page
CVE-2024-47575
critical 9.8
Exploit known
Intruder Insights
Updated Oct 24, 2024
For an instance of FortiManager to be exploitable by this vulnerability (FortiJump), the FGFM protocol (tcp/541, or tcp/542 if using IPv6) needs to be exposed to the internet, either by the FortiManager instance or by a FortiGate device which is connected to a vulnerable FortiManager instance. This is because the FGFM protocol can allow access to FortiManager devices which are behind NAT if a FortiGate product is exposed to the internet and has FGFM enabled. FGFM needs to be enabled; it is now disabled by default following the patch for CVE-2024-23113.
Mandiant have a comprehensive article on this weakness, its use in the wild by threat actors, IOCs and mitigation strategies. watchTowr have released a second blog explaining the full technical details of this attack. In this post watchTowr outline how the original mitigations did not fully patch systems against this vulnerability.
Intruder customers can use the attack surface view to find out if they have port tcp/541 exposed to the internet.
- Link to CVE page
CVE-2024-9634
critical 9.8
Intruder Insights
Updated Oct 16, 2024
The original fix which the developers implemented for CVE-2024-5932 was insufficient and did not cover all form fields such as "Company Name" which is used when a donation is made on behalf of a company.
The previous fix has now been extended to cover all fields that are submitted by a donations form.
- Link to CVE page
CVE-2024-23113
critical 9.8
Exploit known
Intruder Insights
Updated Oct 15, 2024
In practice, exploitation of this vulnerability is nuanced, and not all vulnerable versions are exploitable due to requiring certificates which can only be configured by an administrator. As such, and as per this full writeup, the real-world risk is likely lower than its CVSS score suggests.
- Link to CVE page
CVE-2023-4911
high 7.8
Exploit known
Intruder Insights
Updated Oct 15, 2024
Fedora, Ubuntu, and Debian are the systems most at risk from the bug. It's found in the GNU C Library (glibc) in the GNU system, which is found in most systems running the Linux kernel.
More information is available in our blog post here.
- Link to CVE page
CVE-2021-44228
critical 10.0
Exploit known
Intruder Insights
Updated Oct 15, 2024
This is a remote code execution vulnerability in the popular log4j logging package, which is everywhere.
More information is available in our blog post here.
- Link to CVE page
CVE-2022-3602
high 7.5
Intruder Insights
Updated Oct 15, 2024
The vulnerability that caused mass speculation online was downgraded to High following a secondary review from those involved with the OpenSSL project. This was due to a handful of limitations and modern system protections which, when combined, significantly reduce the likelihood of real world exploitation.
More information is available in our blog post here.
- Link to CVE page
CVE-2023-4966
critical 9.4
Exploit known
Intruder Insights
Updated Oct 15, 2024
The NetScaler suite of products includes load balancing, firewall and VPN services, so one possible impact is compromised remote access to your private networks. NetScaler responds to certain requests by dumping memory back to the sender, which can contain access tokens for logged in users. The exploit is as bad as whatever you’ve given access to remotely through your NetScaler system. And because they're logged in sessions, MFA won't protect you.
More information is available in our blog post here.
- Link to CVE page
CVE-2024-28698
critical 9.8
Intruder Insights
Updated Oct 15, 2024
This vulnerability affects applications using the CSLA.NET framework. It allows an attacker to execute code on the server if they are also able to upload a file to the server to a known location, for example if the application allows users to upload images.
More information is available in our blog post here.
- Link to CVE page
CVE-2022-22965
critical 9.8
Exploit known
Intruder Insights
Updated Oct 15, 2024
The vulnerability affects Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, as well as all older versions. For an application to be fully vulnerable to the currently (13/04/2020) known vectors, a number of prerequisites must be met.
More information is available in our blog post here.
- Link to CVE page
CVE-2024-5806
critical 9.1
Intruder Insights
Updated Oct 15, 2024
This vulnerability affects Progress MOVEit servers utilising SFTP and allows attackers to log in as any user if they can successfully guess their username. Depending on how MOVEit is configured, this could be a trivial step.
More information is available in our blog post here.
- Link to CVE page
CVE-2023-38545
critical 9.8
Intruder Insights
Updated Oct 15, 2024
This vulnerability affects curl if you use curl proxy-resolver mode via a SOCKS5 proxy, and there is a clear path for attackers to control which server curl is pointing at, e.g. with untrusted user inputs on a public application.
More information is available in our blog post here.
- Link to CVE page
CVE-2024-24919
high 8.6
Exploit known
Intruder Insights
Updated Oct 15, 2024
This vulnerability affects Check Point Security Gateways. Active exploitation has been identified, and public proof of concepts have also been released.
More information is available in our blog post here.
- Link to CVE page
CVE-2024-3400
critical 10.0
Exploit known
Intruder Insights
Updated Oct 15, 2024
This serious vulnerability affects a number of Palo Alto GlobalProtect devices which utilize device analytics. Active exploitation of this vulnerability has been witnessed by a number of organizations.
More information is available in our blog post here.
- Link to CVE page
CVE-2024-3094
critical 10.0
Intruder Insights
Updated Oct 15, 2024
The attack is believed to be a nation-state level attack, and only the rogue developer and groups with which the compromised key has been shared would be able to gain access. As such, it is not likely to be widely exploited.
More information is available in our blog post here.
- Link to CVE page
CVE-2024-6387
high 8.1
Intruder Insights
Updated Oct 15, 2024
This vulnerability affects OpenSSH and could allow an attacker to execute commands on an affected device. The vulnerability is highly complex and has limitations which are likely to prevent widespread exploitation.
More information is available in our blog post here.
- Link to CVE page
CVE-2024-9466
high 8.2
Intruder Insights
Updated Oct 15, 2024
Following Palo Alto's announcement of several vulnerabilities in their configuration generation tool Expedition, Horizon released a technical breakdown. In addition to this, watchTowr also released a proof of concept for CVE-2024-9463.
These vulnerabilities are trivial to exploit and pose a significant risk to Expedition, whether you expose it to the internet or not.
While this software is not commonly exposed to the internet, a significant risk still remains where an attacker can access the device from the same network as Expedition.
- Link to CVE page
CVE-2024-9464
critical 9.3
Intruder Insights
Updated Oct 15, 2024
Following Palo Alto's announcement of several vulnerabilities in their configuration generation tool Expedition, Horizon released a technical breakdown. In addition to this, watchTowr also released a proof of concept for CVE-2024-9463.
These vulnerabilities are trivial to exploit and pose a significant risk to Expedition, whether you expose it to the internet or not.
While this software is not commonly exposed to the internet, a significant risk still remains where an attacker can access the device from the same network as Expedition.