Exploits for Sitecore, SolarView, and ThinVNC. New Scanners for Sophos UTM. A new go-exploit release and an IP-Intel update.

Happy Friday! The following covers the work the VulnCheck Initial Access Intelligence team published this week:

CVE-2025-27218: Sitecore Experience Platform XM & XP Deserialization RCE

The team analyzed and created an exploit for a recently disclosed Sitecore XM & XP unauthenticated deserialization vulnerability. The exploit can be used against any valid web path and requires only a header used for thumbnail generation. Of note, the default current install versions at the time of release do not come pre-patched and are vulnerable. Sitecore has previously appeared on the CISA KEV list (and been associated with ransomware), so we anticipate that this CVE will as well.

This deliverable also contains Shodan, Censys, FOFA, and ZoomEye queries as well as PCAPs, Suricata and Snort signatures, and search queries for Google and Baidu. Of note, Baidu appeared to pick up many finger-printable instances.

CVE-2022-40881: Contec SolarView Series Command Injection

By customer request, VulnCheck analyzed this vulnerability affecting Contec SolarView devices. The team noted malicious activity flagged by GreyNoise on the vulnerable endpoint, ShadowServer activity, and three public exploits (including a Nuclei scanner).

The team found the vulnerability affects only a narrow band of versions: anything before the 2020 release is missing the vulnerable endpoint, and anything after is patched, leaving only a handful of vulnerable systems online. Additionally, we found that while the public exploits all used command=ping in the request, command=nslookup also works (and this is what we implemented), and exploitation can occur via the URI or HTTP body. Finally, we found the device's webroot symlinks to tmp, so our exploit drops a PHP webshell.

The team also delivered a pcap, network detections, GreyNoise query, and Shodan/Censys/FOFA/ZoomEye queries.
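
For defenders, the findings above mean that a signature keyed only to command=ping in the URI misses both the nslookup variant and requests that carry the parameters in the HTTP body. The sketch below is an added example, not VulnCheck's detection content: the endpoint path, the `target` parameter name, and the plain hostname/IP allowlist are assumptions, and the sample requests are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Both values named in the write-up; the public exploits used only "ping".
DIAG_COMMANDS = {"ping", "nslookup"}
# Assumption: a legitimate value is a bare hostname or IP address.
PLAIN_TARGET = re.compile(r"[A-Za-z0-9.:-]{1,253}")


def request_params(uri, body=""):
    """Decode parameters from the query string and a form-encoded body."""
    found = [("uri", k, v) for k, v in parse_qsl(urlsplit(uri).query, keep_blank_values=True)]
    found += [("body", k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    return found


def inspect_request(uri, body=""):
    """Return a finding dict for a suspicious diagnostic request, else None."""
    params = request_params(uri, body)
    commands = [(loc, v) for loc, k, v in params if k == "command"
                and re.match(r"[a-z]*", v.lower()).group() in DIAG_COMMANDS]
    if not commands:
        return None
    # Flag the command value itself if it carries anything beyond the keyword,
    # and any other parameter whose decoded value is not a plain target.
    odd = [(loc, "command", v) for loc, v in commands if v.lower() not in DIAG_COMMANDS]
    odd += [(loc, k, v) for loc, k, v in params
            if k != "command" and not PLAIN_TARGET.fullmatch(v)]
    if not odd:
        return None
    return {"command": commands[0][1], "command_in": commands[0][0], "unexpected": odd}


# Constructed sample requests; the path and the "target" parameter are placeholders.
SAMPLES = [
    ("/PLACEHOLDER_ENDPOINT?command=ping&target=192.0.2.10", ""),
    ("/PLACEHOLDER_ENDPOINT?command=nslookup&target=192.0.2.10%3Becho+test", ""),
    ("/PLACEHOLDER_ENDPOINT", "command=nslookup&target=example.test%7Cecho+test"),
]

if __name__ == "__main__":
    for uri, body in SAMPLES:
        print(uri, body or "-", "=>", inspect_request(uri, body))
```

Values are percent-decoded before the allowlist check, so encoded separators do not slip past it.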

Sophos UTM Scanners and CVE-2020-25223 Update

By customer request, VulnCheck developed a version scanner for the Sophos UTM Web Admin interface. Scanners for the most recent CVE were put in the scanners/sophos/utm subdirectory, and the exploit for CVE-2020-25223 was updated with a version scanner. The team also scanned a small country with ~400 internet-facing UTM devices and found that ~10% of the firewalls are not on the latest version.

CVE-2022-25226: ThinVNC Authentication Bypass

The team added coverage for Cybele Software's ThinVNC authentication bypass leading to remote command execution. CVE-2022-25226 has an exceptionally high EPSS Percentile (>97%), and with a newly released Nuclei template we anticipate seeing internet-wide scans for this issue. Remote desktop tooling has long been a favorite target of attacks, and since this vulnerability was never patched and there are internet-facing targets... it's not rocket science.

The team created an exploit, pcap, network signatures, and queries for CVE-2022-25226. Our exploit performs the necessary desktop operations to spawn a reverse shell, though the attack is by no means stealthy - especially if someone is watching the screen.

IP-Intel C2 Update

The team added a detection for NanoCore RAT, a remote access trojan commonly installed by exploiting known vulnerabilities like CVE-2017-0199, CVE-2017-8570 (Microsoft Office), and CVE-2023-38831 (WinRAR).

go-exploit Updated to 1.38.0

The new release updates the built-in HTTP User Agent to the most recent Windows Edge User Agent, updates a variety of Go dependencies, and adds a new Python SSL reverse shell payload that is compatible with Python 3.12.

Future Work

Like many of you, we received notice that Censys is deprecating their old search for their new platform. We will begin the work of transitioning all of our old queries to the new platform. Similar to the previous ZoomEye migration, this will take a handful of weeks to complete.