CVE-2024-57727: SimpleHelp Path Traversal

The team developed an information leak exploit targeting SimpleHelp remote administration server software. We added coverage for this vulnerability based on recent research by Horizon3.ai. The software is also common in tech support scams and has been used by APT groups. Additionally, the GreyNoise query we developed for this vulnerability flags two malicious IP addresses, so we anticipate this will be added to the KEV list in the future.

The team also developed Shodan, Censys, FOFA, ZoomEye, and Google queries, as well as pcap and Snort/Suricata signatures.

CVE-2025-0107: Palo Alto Networks Expedition Spark Callback RCE

The team created an exploit, pcap, network signatures, a YARA rule, and queries for CVE-2025-0107, a new remote code execution vulnerability in Palo Alto Networks' Expedition product. The vulnerability is publicly known as an OS command injection, but it is perhaps better described as a partial argument injection, which leads to Java deserialization, which in turn results in RCE. Deserialization is triggered by forcing the target to call back to an attacker-provided Apache Spark server (built into our exploit). Arbitrary OS commands can then be executed as the www-data user. We have not observed exploitation of this vulnerability in the wild yet.

Previous Palo Alto Networks Expedition vulnerabilities have appeared on the CISA KEV list, so we wouldn't be surprised to see this one make it too.

CVE-2024-55591: FortiOS Websocket Auth Bypass

The team developed Shodan, Censys, FOFA, and GreyNoise queries for finding potentially affected systems. We also created a scanner based on (but different from) the watchTowr methodology to find vulnerable versions. After scanning the internet, we found very few vulnerable systems.

The team developed pcaps and network signatures that specifically target two entities: the only known public exploit and the aforementioned watchTowr scanner. Additionally, one of our GreyNoise queries flags two IP addresses using the watchTowr vulnerability scanner.

CVE-2021-40438: Checkpoint Gaia Portal Configuration Leak

New research published this week demonstrated that Checkpoint gateways (and specifically the Gaia Portal, as far as we could tell) were vulnerable to configuration leak and modification due to an older Apache mod_proxy vulnerability. The team developed an exploit that pulls down the victim's configuration, but an attacker can also modify the configuration (change a password) and get access that way.

The team developed a version scanner that uses the last-modified timestamp of the portal's favicon. We used it to scan the internet and found that hundreds of gateways are still vulnerable to this issue, and we expect attackers to pick up this attack and run with it. Note that CVE-2021-40438 is already listed on VulnCheck KEV, but it hadn't been associated with Checkpoint until this week (to our knowledge).

Beyond an exploit and version scanner, the team developed Shodan, Censys, FOFA, ZoomEye, GreyNoise, and Google queries, pcaps, and Snort/Suricata rules.

Updating the Historical Backlog

The team has continued updating our catalog of completed exploits with features that were added more recently. Approximately 70% of deliverables now also have, when possible, FOFA, ZoomEye, Google, and Baidu queries as well as signature deployment metadata and the new targetEncryptedComms field in the README. We are still aiming to reach 100% of the repository by the end of January.