A content *bomb* including coverage for Fortinet, Ivanti, GLPI, and Netgear products. A new go-exploit release and SpiceRAT tracking

Happy Friday! The following is the content the Initial Access team developed this week:

CVE-2024-48887: FortiSwitch Unauthenticated Admin Password Reset

The team added content for a recent FortiSwitch vulnerability that allows arbitrary, unauthenticated user password resets, granting full account takeover. To our knowledge, there is no (correct) public proof of concept for this vulnerability, and we believe there are at least a couple thousand of these devices online. The team created an exploit, pcaps, Suricata and Snort rules, and GreyNoise, FOFA, Shodan, Censys, and ZoomEye queries.

CVE-2023-28324: Ivanti Endpoint Manager .NET Remoting RCE

The team added a new exploit for this vulnerability affecting Ivanti Endpoint Manager. The exploit uses go-exploit's new HTTP-based VBS reverse shell, which the target downloads using curl and executes using cscript. This payload has the added benefit of not being blocked by Mark of the Web.

Although not known to be exploited in the wild, this vulnerability has an EPSS percentile of 0.9895. The team additionally developed a pcap and network detections for this vulnerability.

CVE-2025-24801: GLPI PDFFont Remote Code Execution

The team delivered a new exploit that chains with last week's delivery of CVE-2025-24799 to achieve unauthenticated remote code execution. The team also delivered a vulnerable Docker container, a version scanner, network signatures, and search engine queries.

CVE-2023-38098: NETGEAR NMS300 Arbitrary File Upload

The team added an exploit, pcap, network signatures, and queries for an arbitrary file upload with authentication bypass in NETGEAR's ProSAFE Network Management System, aka the NMS300, which runs on Windows. The exploit drops a minimal JSP webshell offering command execution as NT AUTHORITY\SYSTEM. Although not known to be exploited in the wild, the availability of a Metasploit module and of targets online suggests it probably has been.

CVE-2023-27997: Heap-Based Overflow in FortiOS

Upon request, the team added pcaps and network detection rules for a pre-auth heap-based overflow vulnerability in certain FortiOS versions. Despite its complexity, this vulnerability has reportedly been exploited by many threat actors, including Volt Typhoon, Silent Chollima, Flax Typhoon, and many others.

These pcaps and rules complement the search engine queries for this vulnerability that were already in our feed.

CVE-2022-42475: Heap-Based Overflow in FortiOS (/remote/error endpoint)

This is another heap-based overflow in FortiOS. It is related to the other addition this week, CVE-2023-27997, in that the two overlap heavily in affected versions and share a similar history of active exploitation. This addition adds pcaps, queries, and detection rules.

CVE-2025-22457: Ivanti Connect Secure X-Forwarded-For Buffer Overflow

The team added coverage for CVE-2025-22457 affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways. Initially, the vulnerability was described as unexploitable because the input is restricted to only numbers and periods. However, it was later discovered that the bug was being exploited in the wild by a nation-state threat actor. Rapid7 analyzed the bug, determined the means of exploitation, and reproduced full, unauthenticated RCE. Because these devices sit at the network edge, they have proven to be popular - and valuable - targets for attackers of all calibers.

The team is providing a version scanner, pcap, network signatures, and queries for CVE-2025-22457 to assist customers in managing this critical vulnerability.
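As an added example, not code from VulnCheck's feed or from Rapid7, here is a defensive log check built on the detail above that the vulnerable input admits only numbers and periods: it flags X-Forwarded-For values that are oversized, or that are digit-and-dot strings not parseable as IP addresses. The bound MAX_XFF_LEN and the sample requests are constructed assumptions, not the real overflow threshold.

```python
import ipaddress
import re

# Hypothetical upper bound for a legitimate proxy chain. The actual length
# that triggers CVE-2025-22457 is not stated here and is not assumed.
MAX_XFF_LEN = 256
DIGITS_DOTS = re.compile(r"^[0-9.]+$")


def xff_findings(value: str) -> list[str]:
    """Return reasons an X-Forwarded-For value looks abnormal (empty list if fine)."""
    findings = []
    if len(value) > MAX_XFF_LEN:
        findings.append(f"oversized ({len(value)} bytes)")
    for hop in (h.strip() for h in value.split(",")):
        if not hop:
            findings.append("empty element")
            continue
        try:
            ipaddress.ip_address(hop)          # accepts IPv4 and IPv6
        except ValueError:
            if DIGITS_DOTS.match(hop):
                findings.append(f"digits-and-dots but not an IP: {hop[:32]}")
            else:
                findings.append(f"non-address element: {hop[:32]}")
    return findings


def scan_requests(raw: str) -> list[tuple[str, list[str]]]:
    """Parse blank-line separated raw HTTP requests; return (request line, findings)."""
    out = []
    for req in raw.strip().split("\n\n"):
        lines = req.splitlines()
        for line in lines[1:]:
            name, _, val = line.partition(":")
            if name.strip().lower() == "x-forwarded-for":
                found = xff_findings(val.strip())
                if found:
                    out.append((lines[0], found))
    return out


# Constructed sample: one normal proxied request and one abnormal header.
SAMPLE = (
    "GET /login HTTP/1.1\nHost: vpn.example.test\n"
    "X-Forwarded-For: 203.0.113.7, 198.51.100.2\n\n"
    "GET /login HTTP/1.1\nHost: vpn.example.test\n"
    "X-Forwarded-For: " + "1." * 200 + "1\n"
)

if __name__ == "__main__":
    for request_line, reasons in scan_requests(SAMPLE):
        print(request_line, "->", "; ".join(reasons))
```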

IP Intel Update

The team added a detection for SpiceRAT, a gh0stRAT variant. Campaigns involving RATs like SpiceRAT often serve as a foundation for later escalation. While it is currently delivered via malicious LNK and HTA links in phishing, tools like this are frequently coupled with vulnerability exploits, such as Office or Windows zero-days, as threat actors evolve their tactics.

go-exploit 1.42.0 Release

go-exploit 1.42.0 was released with a new C2 backend (HTTPShellServer) that enables reverse shells over HTTP. Additionally, a new VBS-based payload targeting Windows victims was added.