Happy Friday! The VulnCheck Initial Access Intelligence team has been busy as always. Here are the deliverables we shipped:
This vulnerability was added to VulnCheck KEV on April 29, 2025 and is part of the watchTowr "SonicBoom" exploit chain. The team developed a version scanner, an exploit that downloads the temp.db file containing user sessions, a pcap, network signatures, and search engine queries.
The team ran the version scanner against Shodan data and found quite a few vulnerable systems. Scanning can be frustrated by the geographic-based filtering feature on the SMA. It is not hard to get around (an attacker who pivots through an in-country host is unaffected), but it weeds out low-skilled attackers and is worth enabling. We also noticed that GreyNoise is seeing traffic on both of the URIs that watchTowr published for this vulnerability.
This week we added an exploit for Magnus Solution's "Magnus Billing" PHP-based web application. The attack leverages a straightforward command injection via an unauthenticated GET parameter to a vulnerable PHP endpoint. The provided exploit yields a reverse shell connection upon successful exploitation.
This vulnerability has been reported as exploited in the wild (VulnCheck KEV) on many occasions and has an EPSS percentile of 93%.
This exploit comes with a target Docker container, Suricata and Snort rules, pcaps, and web queries.
Casdoor is a platform that provides identity and access management and single sign-on for applications. An unauthenticated attacker can remotely leverage a vulnerability in this product to create an admin user, which then lets them access and modify any of the users, identities, and organizations managed by the Casdoor instance. This vulnerability was added to VulnCheck KEV on May 2, 2025, and this GreyNoise query shows active crawling traffic for the vulnerable path.
The team delivered an exploit that creates an admin user; alongside the exploit, the team also provides a target Docker container, Suricata and Snort rules, pcaps, and web queries.
Vulnerable versions of WinZip fail to apply the Zone.Identifier alternate data stream (ADS), which carries the Mark-of-the-Web (MotW), to certain file types when they are extracted through the GUI. An attacker targeting WinZip users can use this to get malicious Word documents or batch files executed without the warnings MotW normally triggers. The team created an exploit for this vulnerability that generates a ZIP file containing a .bat file that executes a Visual Basic reverse shell payload. When the .bat is opened from a vulnerable version of WinZip, the payload runs without triggering SmartScreen filters.
The initial publication of this vulnerability's details appears to have broken an embargo, and the write-up was deleted from GitHub. It remained accessible in the Git history, and the team cached it before it was removed. The WinZip developers appear to have fixed the bug in current versions, but at the time of this writing there is no public information on exactly which versions of WinZip are affected, so anything older than the current release should be treated as affected until WinZip says otherwise.
In addition to the delivered exploit, we are adding our first Sigma rule to the feed. The provided Sigma rule triggers on files created by WinZip that lack the expected Zone.Identifier ADS.
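To make the detection logic concrete, the following is an added example (not VulnCheck's Sigma rule or framework code) that correlates Sysmon-style telemetry the way the rule's condition implies: a FileCreate (Event ID 11) by WinZip with no matching FileCreateStreamHash (Event ID 15) for the file's Zone.Identifier stream, or a stream whose ZoneId is below the Internet zone. The process names winzip64.exe and winzip32.exe, the log source, and the sample events are assumptions constructed for the demonstration.

```python
"""Flag WinZip extractions that never received a Mark-of-the-Web stream.

Added example; not VulnCheck's Sigma rule or framework code. Field names follow
Sysmon Event ID 11 (FileCreate) and Event ID 15 (FileCreateStreamHash, which on
recent Sysmon builds also records the stream Contents). The WinZip process
names and the sample telemetry are constructed assumptions.
"""

from __future__ import annotations

# Assumed WinZip GUI process names; adjust to what your telemetry shows.
ARCHIVER_IMAGES = {"winzip64.exe", "winzip32.exe"}
MOTW_STREAM = ":Zone.Identifier"
# ZoneId 3 (Internet) and 4 (Untrusted) are the values SmartScreen and
# Office Protected View act on; anything lower is effectively unmarked.
URLZONE_INTERNET = 3

# Constructed sample telemetry in Sysmon field names, not captured logs.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\WinZip\winzip64.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice\readme.txt"},
    {"EventID": 15, "Image": r"C:\Program Files\WinZip\winzip64.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice\readme.txt:Zone.Identifier",
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\n"},
    # .bat written by WinZip with no Zone.Identifier stream at all
    {"EventID": 11, "Image": r"C:\Program Files\WinZip\winzip64.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice\invoice.bat"},
    # unrelated file from another process, must be ignored
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    # stream present but ZoneId=0 (Local Machine), so no SmartScreen check
    {"EventID": 11, "Image": r"C:\Program Files\WinZip\winzip64.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice\local.docx"},
    {"EventID": 15, "Image": r"C:\Program Files\WinZip\winzip64.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice\local.docx:Zone.Identifier",
     "Contents": "[ZoneTransfer]\r\nZoneId=0\r\n"},
]


def parse_zone_transfer(contents: str) -> dict[str, str]:
    """Parse the [ZoneTransfer] section of a Zone.Identifier stream into a dict."""
    fields: dict[str, str] = {}
    in_section = False
    for raw in contents.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def zone_id(contents: str) -> int | None:
    """Return the numeric ZoneId from a Zone.Identifier stream, or None if absent."""
    value = parse_zone_transfer(contents).get("ZoneId")
    if value is None:
        return None
    try:
        return int(value)
    except ValueError:
        return None


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows Image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def unmarked_extractions(events: list[dict]) -> dict[str, str]:
    """Return {path: reason} for files WinZip wrote without a usable MotW.

    Correlation is keyed on the lower-cased target path, so a file created by
    WinZip and later marked by another process would still be reported.
    """
    created: dict[str, str] = {}  # lower-cased path -> original path
    marks: dict[str, str] = {}    # lower-cased path -> Zone.Identifier contents
    for ev in events:
        if image_name(ev.get("Image", "")) not in ARCHIVER_IMAGES:
            continue
        target = ev.get("TargetFilename", "")
        is_stream = target.lower().endswith(MOTW_STREAM.lower())
        if ev.get("EventID") == 11 and not is_stream:
            created[target.lower()] = target
        elif ev.get("EventID") == 15 and is_stream:
            base = target[: -len(MOTW_STREAM)]
            marks[base.lower()] = ev.get("Contents", "")

    findings: dict[str, str] = {}
    for key, path in created.items():
        if key not in marks:
            findings[path] = "no Zone.Identifier stream written"
            continue
        zid = zone_id(marks[key])
        if zid is None or zid < URLZONE_INTERNET:
            findings[path] = f"Zone.Identifier present but ZoneId={zid} is below the Internet zone"
    return findings


if __name__ == "__main__":
    for path, reason in unmarked_extractions(SAMPLE_EVENTS).items():
        print(f"{path}: {reason}")
```

Two things to check before relying on logic like this in production: your Sysmon configuration must actually emit FileCreateStreamHash events (the rule has nothing to correlate against otherwise), and legitimate extractions of archives that were never marked (for example, copied from an internal share) will also show up, so scope the rule to download directories or to archives that themselves carried a Zone.Identifier stream.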
The team wrapped up the initial stages of unifying C2 shutdown and session tracking. This change lets the framework shut C2 servers down cleanly and more responsively, exposes functions that C2 and exploit developers can use to read session and activity information for the running C2 servers, and allows OS signals to drive custom handling of C2 shutdowns.