New Initial Access Intelligence coverage developed for Xwiki, Cisco RV-Series, D-Tale, and BeyondTrust. New IP-Intel coverage for BeyondTrust Remote Support honeypots.

Happy Friday! This week our own Cale Black published a proof-of-concept go-exploit and a pretty interesting blog on finding a vulnerability in BigAnt! Check it out if you have some time. Otherwise, the following are this week's release notes:

CVE-2025-24893: XWiki Solr Search Code Injection

The team created an exploit, version scanner, pcaps, network signatures, queries, and a Docker target for CVE-2025-24893, a code injection vulnerability in XWiki's Solr Search functionality. This vulnerability is very similar to CVE-2024-31982, which targets the Database Search functionality. By injecting code supported by XWiki's scripting engine, a remote, unauthenticated attacker can execute Groovy or Python code, leading to the execution of system commands. We expect this to be exploited in the wild in the future due to the ease of exploitation and the number of targets online.

CVE-2023-20118: Cisco RV-Series

Sekoia recently published a blog linking the PolarEdge botnet to Cisco RV-Series devices via CVE-2023-20118. Sekoia represented the vulnerability as an unauthenticated issue (which is at odds with the Cisco disclosure). The team purchased an RV320 and, armed with the latest firmware, tested Sekoia's statements. We found that the vulnerability does require authentication. Additionally, Sekoia states that the exploit can flow through config_mirror.exp as well, but we found that not to be true (at least on the RV320 using the newest firmware). We speculate that Sekoia's honeypots aren't emulating the systems correctly, or that the RV042 (and other affected RV-Series models) may be significantly different from the RV320.

Either way, the team developed an exploit that can create a bindshell or act as a binary dropper. Additionally, pcaps and network rules were created along with search engine queries. Finally, we note that there is traffic on both cgi-bin/config.exp and cgi-bin/userLogin.cgi (the authentication URI), but nothing on cgi-bin/config_mirror.exp.

CVE-2025-0655: Man Group D-Tale Custom Filter RCE

The D-Tale server allows per-dataset configuration, including a setting that enables custom filters. An attacker can use this setting to disable security settings and bypass the patch for CVE-2024-3408, leading to remote code execution.

The application has no authentication by default. It does not have much internet exposure, but it is popular (by stars and comments on GitHub), so it is likely to be deployed internally or reachable through indirect targets.

The team developed a Docker image, exploit, and version checking for the vulnerability. Signatures for Snort and Suricata were created, as well as queries for GreyNoise, ZoomEye, FOFA, Google, Censys, and Shodan.

BeyondTrust Privileged Remote Access & Remote Support CVE-2024-12356 and CVE-2025-1094

Thanks to research by Rapid7 we know that CVE-2024-12356 relies on CVE-2025-1094. This is important to note because CVE-2024-12356 is in CISA KEV, but CVE-2025-1094 is not. The team developed pcaps that demonstrate the CVE-2024-12356 and CVE-2025-1094 exploit chain, and CVE-2025-1094 as a stand-alone issue. The team also developed a variety of Suricata/Snort signatures that flag exploitation and the information leaks that the exploits require in order to work. We also delivered a version scanner and search engine queries. Additionally, the team observed a large number of BeyondTrust honeypots in Shodan (with apparently short-lived IP address usage).

IP-Intel Update

We began tracking BeyondTrust Remote Support honeypots. The 3-day backup currently has ~8000 honeypots.