Major security updates including PAN-OS auth bypass, SonicWall VPN auth bypass, and CyberPanel RCE exploits with comprehensive detection coverage.

Happy Friday! The following are the release notes for this holiday-shortened week:

CVE-2025-0108: Palo Alto Networks PAN-OS Authentication Bypass

The team developed an authentication bypass exploit for PAN-OS systems. This vulnerability was added to CISA KEV on February 18, but it does not provide unlimited access to authenticated actions. It only gives access to a restricted subset of pages that do not contain role check or user session parameters. The team attempted to enumerate and identify as many potentially sensitive endpoints as possible, and all caveats are noted in the exploit documentation. It seems highly likely to us that this vulnerability is only really useful when chained with another (for example, CVE-2024-9474 or CVE-2025-0111, as described by Palo Alto Networks; note that we have existing coverage for CVE-2024-9474).

VulnCheck also provided pcaps, a version scanner, Shodan, Censys, FOFA, and ZoomEye queries, GreyNoise tags, and signatures for Snort and Suricata.

CVE-2024-53704: SonicWall SonicOS SSLVPN Authentication Bypass

The team created an exploit, pcaps, network signatures, and queries for CVE-2024-53704, an authentication bypass in the SSLVPN component of SonicWall SonicOS. Successful exploitation depends on at least one VPN client being connected to the server. The oldest swap cookie will be returned by our exploit, which can then be used to hijack the associated VPN session.

The team notes more than 100,000 instances on Censys. Additionally, the vulnerability is being exploited in the wild. It was added to VulnCheck KEV on Feb 13, 2025; it was later added to CISA KEV on Feb 18, 2025.

CVE-2024-51568: CyberPanel Command Injection

Rounding out our CyberPanel coverage, the team developed an exploit for CVE-2024-51568, affecting the filemanager/upload endpoint. Like the previous two CyberPanel vulnerabilities we've covered, this has been reported to be exploited in the wild, including by ransomware. The Initial Access team developed an exploit, pcaps, Shodan, Censys, FOFA, and ZoomEye queries, GreyNoise tags, and signatures for Snort and Suricata.

Under Development: CVE-2025-0194 psql SQL Command Injection BeyondTrust Variant

The team is actively putting the finishing touches on the BeyondTrust variant of this client vulnerability. Rapid7 very subtly stated that this has been exploited in the wild alongside CVE-2024-12356 (part of VulnCheck KEV since December), so the team believes it's important to get a full understanding of this issue.