Happy Friday! For our friends in the US, enjoy the holiday weekend! Here are the VulnCheck Initial Access team's deliverables for this past week.
As promised, these exploits complete the watchTowr SysAid exploit chain. We've added all three XXE variants, each of which results in an information leak. If the XXE exploits successfully extract credentials, CVE-2024-36394 can potentially be used to achieve full RCE.
The team has developed an exploit, version scanners, PCAPs, network signatures, and queries for internet-facing targets. At the time of initial publication, there appear to be roughly 1,000 potential SysAid targets online. Additionally, we note activity on all three of the XXE-vulnerable endpoints via GreyNoise: /lshw, /mdm/checkin, and /mdm/serverurl.
We added a PCAP and network rules for both CVE-2025-4427 and CVE-2025-4428, an auth bypass and RCE, respectively, in Ivanti Endpoint Manager Mobile (EPMM), an MDM solution formerly known as MobileIron Core. These vulnerabilities were added to CISA KEV on May 19 and have been observed by Shadowserver as early as May 15. Multiple organizations, including Wiz, have shared indicators of compromise associated with these CVEs.
This vulnerability is a simple /assets/../ path traversal in the Vendure server. Vendure is a popular open-source e-commerce platform with a decent number of targets online. Our exploit dumps the contents of the .env file (default value) in the project's root. Various secrets and credentials can be found in this file. We have also provided a PCAP, network signatures, and queries for this vulnerability.
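As an added example (not VulnCheck's exploit, signatures, or Vendure's code), the log check below flags requests to the /assets/ route that escape the asset root after percent-decoding and path normalization, so single-, double-encoded, and backslash forms of the ../ traversal all surface; the access-log lines and the /assets/ prefix are constructed assumptions for the demonstration.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed sample access-log lines in combined-log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [23/May/2025:10:01:02 +0000] "GET /assets/logo.png HTTP/1.1" 200 5120
10.0.0.9 - - [23/May/2025:10:01:09 +0000] "GET /assets/../.env HTTP/1.1" 200 812
10.0.0.9 - - [23/May/2025:10:01:11 +0000] "GET /assets/..%2f..%2f.env HTTP/1.1" 200 812
10.0.0.9 - - [23/May/2025:10:01:14 +0000] "GET /assets/%252e%252e/.env HTTP/1.1" 404 0
10.0.0.7 - - [23/May/2025:10:02:00 +0000] "GET /assets/preview/thumb.jpg HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ASSET_PREFIX = "/assets/"  # assumed static-asset route that the traversal abuses


def decode_fully(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded dots (%252e) normalize as well."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_asset_root(raw_path: str) -> bool:
    """True when the request, once decoded and normalized, resolves outside /assets/."""
    decoded = decode_fully(raw_path.split("?", 1)[0]).replace("\\", "/")
    if not decoded.startswith(ASSET_PREFIX):
        return False  # not an asset request at all; nothing to judge
    # normpath collapses "." and ".." segments; a path that no longer sits under
    # the asset prefix afterwards has climbed out of the asset root. The trailing
    # "/" keeps a bare "/assets/" (normalized to "/assets") from being flagged.
    return not (normpath(decoded) + "/").startswith(ASSET_PREFIX)


def find_traversal_attempts(log_text: str) -> list[dict]:
    """Return one record per request that escapes the asset root, 404s included."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and escapes_asset_root(m["path"]):
            hits.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"])})
    return hits
```

Failed attempts (the 404 above) are reported as well, since a blocked probe from a host is still worth correlating with its later requests.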
ChangeDetection, an open-source web application for tracking changes to external websites, is vulnerable in versions before 45.20 to a Jinja2 server-side template injection (SSTI) that allows execution of arbitrary Python code. The provided exploit triggers this SSTI to yield a reverse shell (either encrypted or unencrypted) back to the attacking host. The exploit comes with a target Docker container, queries, network rules, and PCAPs.
The team notes the CVE has an incredibly high EPSS percentile (0.99624), multiple public exploits, and internet-facing targets.
This memory corruption vulnerability affects Apache HTTP Server versions 2.4.17 through 2.4.38. It has been listed in VulnCheck KEV since inception. The exploit is delivered as a web shell that accepts a command; the command runs at 6:25 AM, when the server performs its routine graceful shutdown for log rotation, which is what triggers the vulnerability. The exploit comes with a vulnerable Docker container, a version check, and search queries.
Upon client request, the team added PCAPs and network signatures for two older vulnerabilities: CVE-2019-19781 (Citrix) and CVE-2010-3964 (SharePoint Server).