Yet another happy Friday! The following are the release notes from the Initial Access Intelligence team's efforts this week:
Our friends over at watchTowr recently published a writeup for an information disclosure vulnerability in the NAKIVO Backup and Replication solution. The team replicated it, created an exploit for this vulnerability, and additionally added support for Linux- or cloud-hosted instances that impose request restrictions. Our exploit attempts to detect the underlying OS and, depending on the responses, pulls the encrypted database, decryption keys, and log files that the target exposes.
We provide PCAPs, network signatures, and queries for this vulnerability.
The team created an exploit, PCAP, network signatures, and queries for CVE-2025-27364, an argument injection RCE in MITRE's Caldera, an adversary emulation platform notable for its C2 framework. By injecting build arguments into Caldera's dynamic compilation feature for agents, an unauthenticated attacker can execute code as the user running the C2. This is all accomplished through the C2's /file/download endpoint.
We were particularly interested in this vulnerability because it targets offensive tooling developed by a well-known organization, enabling offensive operations against... offensive operations. Numerous instances of the C2's web interface are present online, though we have not observed exploitation in the wild yet. A GreyNoise tag does exist.
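The bug class behind the Caldera finding is worth seeing in miniature: a compile service that appends caller-supplied values to a compiler command line lets a value beginning with `-` be parsed as a new flag. The example below is added here and is not Caldera's code; the option names, the allowlist patterns and the hostile value `-some-flag=value` are all constructed for illustration. It shows the vulnerable argv construction beside a hardened one that validates every option against an allowlist and emits each as a single `--key=value` token, plus a small audit helper that spots caller-controlled tokens that would be read as flags.

```python
import re
from typing import Dict, List

# Hypothetical option allowlist for a service that compiles agents on demand.
# Names and patterns are constructed for this example, not Caldera's own.
ALLOWED_OPTIONS: Dict[str, "re.Pattern[str]"] = {
    "platform": re.compile(r"^(linux|windows|darwin)$"),
    "arch": re.compile(r"^(amd64|arm64)$"),
    # free-form output name: alnum . _ - only, and never a leading '-'
    "name": re.compile(r"^[A-Za-z0-9_.][A-Za-z0-9_.-]{0,63}$"),
}


class BuildArgError(ValueError):
    """Raised when a caller-supplied build option is rejected."""


def unsafe_compile_argv(compiler: str, options: Dict[str, str]) -> List[str]:
    """Vulnerable pattern (the argument-injection bug class): each caller
    value is appended to the command line as its own token, so a value that
    begins with '-' is read by the compiler as an extra flag."""
    argv = [compiler, "build"]
    for key, value in options.items():
        argv += [f"--{key}", value]
    return argv


def validate_options(options: Dict[str, str]) -> Dict[str, str]:
    """Reject unknown option names and any value outside its allowlist."""
    clean: Dict[str, str] = {}
    for key, value in options.items():
        pattern = ALLOWED_OPTIONS.get(key)
        if pattern is None:
            raise BuildArgError(f"unknown build option: {key!r}")
        if not pattern.fullmatch(value):
            raise BuildArgError(f"rejected value for {key!r}: {value!r}")
        clean[key] = value
    return clean


def safe_compile_argv(compiler: str, options: Dict[str, str]) -> List[str]:
    """Hardened pattern: validate first, then emit each option as a single
    '--key=value' token so a value can never become a standalone argument.
    The result is meant for subprocess.run(argv) with no shell involved."""
    clean = validate_options(options)
    argv = [compiler, "build"]
    argv += [f"--{key}={value}" for key, value in clean.items()]
    return argv


def is_accepted(options: Dict[str, str]) -> bool:
    """True if the hardened path would build with these options."""
    try:
        validate_options(options)
    except BuildArgError:
        return False
    return True


def injected_tokens(argv: List[str], options: Dict[str, str]) -> List[str]:
    """Audit helper: caller-controlled values that reached argv as their own
    token and start with '-', i.e. what the compiler would parse as flags."""
    values = set(options.values())
    return [tok for tok in argv if tok in values and tok.startswith("-")]


if __name__ == "__main__":
    hostile = {"name": "-some-flag=value"}  # constructed hostile input
    benign = {"platform": "linux", "arch": "amd64", "name": "agent"}
    print("unsafe argv:", unsafe_compile_argv("go", hostile))
    print("would-be flags:", injected_tokens(unsafe_compile_argv("go", hostile), hostile))
    print("hardened accepts hostile?", is_accepted(hostile))
    print("hardened argv:", safe_compile_argv("go", benign))
```

The audit helper is the piece a defender can reuse: run it over whatever argv a compile or build endpoint actually assembles and any non-empty result is a caller value that has become a compiler flag.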
Wazuh is a free and open-source platform used for threat prevention, detection, and response - making it a particularly fun target for vulnerability research. While not many Wazuh instances appear exposed on the internet, our GreyNoise queries show that a few malicious actors are targeting them. While researching, the team found that exploitation requires a Wazuh Cluster to be running, and that a worker manager needs to handle the malicious request. We delivered a Docker environment that spins up a vulnerable cluster, along with an authenticated exploit, target validation, and a version check.
Of course, delivered as well are the goodies you know and love: PCAPs and queries for GreyNoise, ZoomEye, FOFA, Shodan, and Censys. Snort and Suricata signatures are in progress and coming before the weekend.
The D-Tale server is vulnerable to a Flask session forgery that allows an attacker to bypass the session check and trigger the processing of serialized data, leading to remote code execution. The exploit logic for the forgery was also ported to our CVE-2025-0655 exploit, allowing it to detect authentication pages and bypass authentication on previous versions of D-Tale.
We also now provide Docker images for both CVEs with and without authentication, allowing testing against both authentication-enabled and unauthenticated configurations.
The team developed the exploit, version checking, and signatures for Snort and Suricata, as well as updated queries for GreyNoise, ZoomEye, FOFA, Shodan, and Censys.
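Why a Flask session can be forged at all comes down to the signing secret: a signed-cookie session is readable by anyone, and only the HMAC tag ties it to the server. If the secret is a shipped default or otherwise guessable, anyone can mint a valid cookie. The example below is added here and is not D-Tale's or Flask's code; it uses the standard library to sign and verify a cookie of the same shape, and the list of weak default secrets is constructed for the example. It shows that a cookie minted under a known default verifies, that the same cookie is rejected once the deployment uses its own random secret, and includes a check a defender can run against a configured secret.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed placeholders standing in for "shipped default" secrets; an
# application that signs sessions with one of these has no real integrity.
KNOWN_DEFAULT_SECRETS = {"changeme", "secret", "dev", "please-change-me"}
MIN_SECRET_LEN = 32


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(payload: dict, secret: str) -> str:
    """Cookie of the form <base64 payload>.<base64 hmac-sha256 tag>.
    The payload is plaintext to anyone holding the cookie; only the tag
    depends on the server secret."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(secret.encode(), body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_session(cookie: str, secret: str) -> Optional[dict]:
    """Return the payload if the tag verifies under `secret`, else None.
    Malformed input of any kind is treated as an invalid session."""
    try:
        body, tag = cookie.rsplit(".", 1)
        expected = hmac.new(secret.encode(), body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        return json.loads(_unb64(body))
    except ValueError:  # bad base64, bad JSON, missing separator
        return None


def is_weak_secret(secret: str) -> bool:
    """Flag a secret a forger could guess: a known default or too short."""
    return secret in KNOWN_DEFAULT_SECRETS or len(secret) < MIN_SECRET_LEN


def generate_secret() -> str:
    """Per-deployment random secret; cookies signed under anything else fail."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    default_secret = "changeme"  # constructed: what a shipped config might hold
    forged = sign_session({"user": "admin"}, default_secret)
    print("weak default secret?", is_weak_secret(default_secret))
    print("forged cookie accepted under default:", verify_session(forged, default_secret))

    rotated = generate_secret()
    print("weak rotated secret?", is_weak_secret(rotated))
    print("same cookie accepted after rotation:", verify_session(forged, rotated))
```

The practical takeaway for an operator is the order of checks: confirm the configured secret is not a default and is long enough, then rotate it; rotation invalidates every cookie minted under the old value, forged or legitimate.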