CVE-2025-0282: Ivanti Connect Secure IF-T Buffer Overflow

The team created a version scanner, pcap, and network signatures for CVE-2025-0282, a stack-based buffer overflow in the IF-T implementation within Ivanti Connect Secure, Policy Secure, and Neurons for ZTA gateways. This vulnerability has been exploited in the wild in recent zero-day attacks.

CVE-2025-0520: ShowDoc Upload RCE

While cross-referencing other countries' NVDs and public proofs of concept, the team identified CNVD-2020-26585, a remote code execution vulnerability in ShowDoc, an IT file-sharing system popular in China (the FOFA query produces thousands of results in China). The team replicated the exploit and the vulnerability and assigned it CVE-2025-0520.

The team wrote detection signatures, an exploit, a version scanner, and a vulnerable Docker image, and created searches for Censys, Shodan, FOFA, and ZoomEye, as well as Google and Baidu.

CVE-2022-24260: VoIP Monitor GUI SQLi

This vulnerability allows a remote, unauthenticated attacker to create an admin session in the VoIP Monitor admin panel via SQL injection. Shadowserver and GreyNoise data show this vulnerability being consistently targeted. With roughly 1,000 instances online according to Censys, the team wanted to know how many vulnerable servers there actually are. Using the version scanner we developed for this delivery, we found that approximately half of the responding servers are running 26.43 (the latest version) and only a small handful are running vulnerable versions. See the README.md for the scanning results.

The team produced Shodan, Censys, FOFA, ZoomEye, and GreyNoise queries. The team also produced a version scanner, an exploit, pcaps, and network signatures.

CVE-2021-27505: mySCADA myPRO

This vulnerability is an information leak affecting the mySCADA HMI that allows attackers to uncover the target OS, users, emails, and their privileges. The vulnerability is a little weaker than we'd generally include in Initial Access, but it has four things going for it. First, we were provided intelligence that allows us to conclude it was likely used in the wild. Second, there is no public PoC that we are aware of. Third, there are vulnerable targets on the internet. Finally, mySCADA suffers from a number of post-auth vulnerabilities, and this leak is a first step toward reaching them.

The team produced Shodan, Censys, FOFA, ZoomEye, Google, and GreyNoise queries (no hits on GreyNoise). The team also produced a version scanner, an exploit, encrypted and unencrypted pcaps, and network signatures.

CVE-2020-17506 and CVE-2020-17505: Artica Proxy Authentication Bypass and RCE

The team created an exploit, version scanner, pcap, network signatures, YARA rule, and queries for CVE-2020-17506 and CVE-2020-17505, an RCE chain consisting of an unauthenticated SQL injection and an authenticated command injection, respectively. While these vulnerabilities are a little older, Shadowserver has reported recent exploitation in the wild. GreyNoise has also shown some hits, including on our query for the RCE.

Ongoing: CVE-2024-55591 FortiOS Websocket Auth Bypass

In the middle of the week, Fortinet announced that this vulnerability had been exploited in the wild. The team has begun trying to recreate the issue, but analysis is ongoing.