CrushFTP RCE, Vite & Splunk Information Leaks, and Additional Coverage for WordPress Plugin Exploited In the Wild

Happy Friday! The following is the work the VulnCheck Initial Access Intelligence team completed over the last week:

CVE-2025-2825: CrushFTP Authentication Bypass and RCE

The team tackled the recent CrushFTP authentication bypass that has already been added to VulnCheck KEV. CrushFTP was previously added to CISA KEV for CVE-2024-4040 and we anticipate similar results with this new vulnerability.

The team developed an exploit for the CrushFTP authentication bypass, and during analysis identified a path to remote code execution using administrator-controlled settings. From our team's analysis of public proofs-of-concept and writeups on prior CrushFTP vulnerabilities, this exploitation method is unique. In addition to remote code execution, this exploit supports listing arbitrary files and downloading directories or files as any user.

Our team developed pcap, Snort and Suricata rules, queries for Shodan, Censys, FOFA, and ZoomEye, and utilized a tag from GreyNoise.

CVE-2025-30208: Vite Arbitrary File Disclosure

The team also tackled CVE-2025-30208 affecting Vite. We noticed a lot of attacker interest in this, with our exploits index already reporting 18 exploits. Our Shodan query also bubbled up quite a few Vite honeypots, so defenders are also looking out for this in the wild. Curiously, we saw some hits on this GreyNoise query, which may indicate exploitation in the wild.

The team created an exploit, version scanner, pcap, network signatures, queries, and a vulnerable Docker target.

CVE-2024-36991: Splunk Enterprise Path Traversal Information Disclosure

The team developed artifacts for this Splunk vulnerability, which has been under active exploitation. This is a particularly dangerous vulnerability considering Splunk's popularity and its presence on both internal and external networks. A conservative estimate puts the number of Splunk Enterprise products exposed to the internet in the tens of thousands.

This version of the exploit comes with functionality for automated dumping of the entire Splunk configuration folder into a local directory tree. There is also a flag that attempts to brute force the letter of the drive Splunk is installed on, in the event that you do not know it. It also comes with the basic functionality for downloading a single file from the drive, relative to either the Splunk install root or the system root.

This exploit comes standard with PCAPs, network signatures, and queries.
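As an added defensive example (this is not VulnCheck's code and not part of the original post), the following Python script scans constructed web-server access-log lines for the two indicators relevant to this class of bug: dot-dot path segments, including URL-encoded and double-encoded forms, and Windows drive-letter prefixes inside a URL path. A per-source heuristic additionally flags a client that cycles through several drive letters, which is the brute-force behaviour described above. The `/app/files/` endpoint, the addresses, the timestamps and every log line are hypothetical placeholders, not real Splunk routes or captured traffic.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access log in Common Log Format. Source addresses, timestamps
# and the "/app/files/" endpoint are hypothetical placeholders, not real Splunk routes.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Apr/2025:10:00:01 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 5120
203.0.113.10 - - [01/Apr/2025:10:00:02 +0000] "GET /static/css/bootstrap.css HTTP/1.1" 200 8192
198.51.100.7 - - [01/Apr/2025:10:05:11 +0000] "GET /app/files/../../../etc/passwd HTTP/1.1" 404 0
198.51.100.7 - - [01/Apr/2025:10:05:12 +0000] "GET /app/files/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 0
198.51.100.7 - - [01/Apr/2025:10:05:13 +0000] "GET /app/files/C:../C:../C:../Windows/win.ini HTTP/1.1" 404 0
198.51.100.7 - - [01/Apr/2025:10:05:14 +0000] "GET /app/files/D:../D:../D:../Windows/win.ini HTTP/1.1" 404 0
198.51.100.7 - - [01/Apr/2025:10:05:15 +0000] "GET /app/files/E:../E:../E:../Windows/win.ini HTTP/1.1" 200 92
203.0.113.10 - - [01/Apr/2025:10:06:00 +0000] "POST /en-US/account/login HTTP/1.1" 303 0
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." segment that is preceded by a separator (or a drive-letter colon, as in
# "C:..") and followed by a separator or end of path, matched on the decoded path.
DOTDOT_RE = re.compile(r'(^|[/\\:])\.\.(?=[/\\]|$)')

# A Windows drive-letter prefix embedded in a URL path, e.g. "C:../" or "C:/".
DRIVE_RE = re.compile(r'(?<![A-Za-z0-9])([A-Za-z]):(?=[/\\.])')


def decode_path(target):
    """Strip the query string and URL-decode the path, up to twice, so that
    double-encoded sequences such as %252e%252e are normalised too."""
    path = target.split('?', 1)[0]
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def traversal_indicators(target):
    """Return (indicator names, decoded path) for one request target."""
    raw_path = target.split('?', 1)[0]
    path = decode_path(target)
    found = []
    if DOTDOT_RE.search(path):
        found.append("dot-dot-segment")
    if DRIVE_RE.search(path):
        found.append("drive-letter-prefix")
    # Only report encoding when there was something worth hiding.
    if found and raw_path != path:
        found.append("url-encoded")
    return found, path


def scan_log(text, enumeration_threshold=3):
    """Scan access-log text and return one hit dict per suspicious request.
    A source that tries at least `enumeration_threshold` distinct drive letters
    has its drive-letter hits tagged as enumeration."""
    hits = []
    drives_by_ip = defaultdict(set)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production scanner would count these
        indicators, path = traversal_indicators(m.group("target"))
        if not indicators:
            continue
        for letter in DRIVE_RE.findall(path):
            drives_by_ip[m.group("ip")].add(letter.upper())
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "target": m.group("target"),
            "path": path,
            "status": m.group("status"),
            "indicators": indicators,
        })
    enumerating = {ip for ip, letters in drives_by_ip.items()
                   if len(letters) >= enumeration_threshold}
    for hit in hits:
        if hit["ip"] in enumerating and "drive-letter-prefix" in hit["indicators"]:
            hit["indicators"].append("drive-letter-enumeration")
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["target"], ",".join(hit["indicators"]))
```

The status code is carried through on purpose: a burst of 404s followed by a 200 on the same traversal pattern is the signal that one of the guessed drive letters was right, and that is the request to triage first. The checker deliberately looks only at the path component; the same two regexes can be applied to individual query-parameter values if the application reads file names from them.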

CVE-2023-5360: Elementor Addons and Templates WordPress Plugin

This vulnerability has been on VulnCheck KEV for some time now. The team found vulnerable instances online, and with a dozen public exploits available, the team believes the threat remains active. The team developed an exploit, version scanner, network signatures, queries, and a vulnerable Docker container.

IP Intel Update

Added detection for njRAT, originally published in 2012. While njRAT is often delivered through phishing campaigns, it has also been distributed using vulnerabilities in client-side software such as CVE-2018-15982, a critical Adobe Flash vulnerability exploited by the Lord Exploit Kit, which was used in malvertising campaigns to deliver njRAT. Post-infection, the infrastructure loaded the Eris ransomware onto infected systems.