Happy Friday! The following is the content the Initial Access team developed this week:
Apache Camel: Akamai reportedly observed this vulnerability being exploited in the wild. The team developed a vulnerable Docker container, exploits, pcaps, and network signatures for it. Apache Camel is a framework, so discovering and exploiting this vulnerability is non-trivial, but attackers are clearly finding a way.
GLPI has two previous entries on VulnCheck KEV (and one entry on CISA KEV), so the team is always on the lookout for new vulnerabilities in this software. Despite its history, we still see thousands of instances listed on Shodan, and FOFA lists tens of thousands (which is somewhat hard to believe).
This exploit is a blind SQL injection vulnerability that leaks usernames, password hashes, and any API tokens for active sessions. On top of the exploit, the team delivered a version check, a vulnerable Docker instance, a pcap, network signatures, and search queries. Finally, it is worth noting that GreyNoise sees malicious traffic for this CVE.
In late March, Rhino Security Labs published vulnerabilities they found in Appsmith, a very popular application development platform (more than 36k stars on GitHub). The team developed an exploit that chains a bad default configuration (open account registration) with CVE-2024-55963.
The team delivered pcaps, network signatures, version scanning capabilities, a target Docker container, queries for Shodan, Censys, FOFA, and ZoomEye, and detection queries for GreyNoise. The team noted that there are more than 1,000 hosts listed on Shodan.
MajorDoMo thumb.php Command Injection (CVE-2023-50917)
The team created an exploit, pcap, network signatures, a YARA rule, queries, and a Docker target for CVE-2023-50917, a command injection in MajorDoMo's thumb.php file. MajorDoMo is a home automation platform supporting the Russian and English language communities.
We were interested in this target because we were surprised to see instances exposed online, largely in Russia. According to GreyNoise, the vulnerability continues to see exploitation attempts as well.
The team has migrated our CVE-2025-2825 content for CrushFTP to CVE-2025-31161, because CVE-2025-2825 has been moved to rejected status.