Happy Friday! The following are the release notes for the VulnCheck Initial Access Intelligence team deliverables over the last week.
This week, the IAI team jumped at the opportunity to cover CVE-2025-20188, an arbitrary file write in Cisco's IOS XE Software for Wireless LAN Controllers (WLCs). A hardcoded secret in JWT generation allows an otherwise unauthenticated attacker to write arbitrary files anywhere on the system via path traversal. The functionality is exposed through an OpenResty-based file upload endpoint. The team leveraged this knowledge with a little memory editing to root the appliance for exploit development.
Starting from an analysis by Horizon3, the team reproduced the file write but found that turning it into RCE by writing and reloading a service configuration came with caveats, among them that two requests had to be sent in sequence. Digging into the other inotify-based services on the target, the team discovered a command injection that could be triggered by the file write. Building on prior research into IOS XE, the exploit for CVE-2025-20188 achieves a reverse root shell in a single request, connecting back to the attacker through the appropriate network namespace.
For this release, we have provided an exploit, packet captures, Suricata and Snort rules, and multiple search queries for the target and indicators of its exploitation. The GreyNoise query for the affected URI appears to show recent activity, suggesting potential exploitation in the wild.
The team developed an exploit for a recent CISA KEV addition affecting Draytek Vigor 2960, 3900, and 300B routers. Incorrect parsing and sanitizing of a URL parameter allows an attacker to inject a command to be run as root. Our exploit takes advantage of this flaw to deploy a bind shell, listening on a user-specified port for incoming connections.
While current advisories list the vulnerable version as just 1.5.1.4, the team has independently verified that version 1.5.1.3 on the Vigor 2960 is also affected.
As usual, the team provides additional goodies in the form of pcaps, network signatures, and queries.
The team developed an exploit for a recent VulnCheck KEV addition affecting the Flowise application. An incorrect permissions check and a path traversal allow an attacker to overwrite the API key configuration file and gain access to all API interactions.
Our exploit allows for API key overwriting, but additionally supports arbitrary file writes that may be used to drop a web shell and achieve remote code execution in configurations that enable CGI-style web execution.
The team provided a vulnerable Docker image, pcaps, network signatures, and queries.
The team added an exploit for another recent VulnCheck KEV addition affecting Samsung's MagicInfo. Affected versions allow unauthenticated attackers to upload arbitrary files to a specified location via path traversal in order to obtain command access using a JSP file.
The provided exploit does exactly this: it attempts to upload a JSP file to the root of the MagicInfo service. Upon successful upload, an example curl command is printed to the terminal, which can be used to issue system commands to the underlying host with NT\SYSTEM privileges. This vulnerability is known to be actively exploited in the wild.
The exploit comes with pcaps, rules, queries, and network signatures.
The team added an exploit for a vulnerability known to be used by a handful of ransomware crews that affects Veeam Backup and Replication. Vulnerable versions allow unauthenticated attackers to interact with the .NET Remoting service listening on the Veeam mount service, port 6170, via an unencrypted NTLMSSP-based connection. An attacker can issue requests to this service and wrap malicious .NET serialization payloads inside of an ObjRef in order to bypass the application’s deserialization blacklist and coerce the host to call back to the attacking host to execute another payload served by a rogue remoting service.
In the provided exploit, all of these steps are automated. Upon successful execution, the exploit yields an asynchronous HTTP-based VBS shell executed on the remote host via cscript.exe, which is retrieved from a second service listening on the attacker's host.