Happy Friday! Here are the release notes from the Initial Access team for this past holiday-shortened week:
Originally exploited in the wild as a zero-day by Stealth Falcon (aka FruityArmor, G0038), as disclosed by Check Point Research on June 10, this vulnerability allows an attacker to execute arbitrary code by triggering a connect-back to an attacker-controlled WebDAV server.
The team developed a novel exploit with a built-in WebDAV server that forces the client to generate a reverse shell by executing an ipconfig.exe binary hosted on the malicious server (a malicious ipconfig.exe is provided, or the user can supply their own). The team additionally provided a Sigma rule and an evtx file for testing that rule.
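As an added illustration of the detection side (this is not the team's Sigma rule or evtx file), the following Python sketch applies the same idea to a few constructed process-creation records: a genuine ipconfig.exe only ever runs from System32 or SysWOW64, so an image path on a UNC share, including the WebClient-style `\\host@80\DavWWWRoot\` form Windows uses for WebDAV servers, is flagged. The event field names, the sample events and the address 203.0.113.10 are assumptions made for this example.

```python
"""Flag ipconfig.exe launched from anywhere other than the Windows system
directories, e.g. a WebDAV share mounted by the WebClient service.

Added example; not the team's Sigma rule. Event fields mirror Sysmon
Event ID 1 (process creation) only for readability, and the sample
events below are constructed for this illustration.
"""
from typing import Dict, List, Optional, Tuple

# Directories from which a genuine ipconfig.exe is expected to run.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample events: one benign, two suspicious, one irrelevant.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\ipconfig.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # WebClient mini-redirector UNC syntax for an HTTP WebDAV server on
    # port 80 (the host is a documentation address chosen for the example).
    {"EventID": 1, "Image": r"\\203.0.113.10@80\DavWWWRoot\ipconfig.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\Downloads\ipconfig.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe"},
]


def split_image(image: str) -> Tuple[str, str]:
    """Split a Windows image path into (directory, file name), tolerating '/'."""
    path = image.replace("/", "\\")
    directory, _, name = path.rpartition("\\")
    return directory, name


def classify_image(image: str) -> Optional[str]:
    """Return a reason if this image is an out-of-place ipconfig.exe, else None."""
    directory, name = split_image(image)
    if name.lower() != "ipconfig.exe":
        return None
    directory = directory.lower()
    if directory in TRUSTED_DIRS:
        return None
    if directory.startswith("\\\\"):
        # Covers \\host\share, \\host@80\DavWWWRoot and \\?\UNC\... forms.
        return "ipconfig.exe launched from a UNC/WebDAV path"
    return "ipconfig.exe launched outside System32/SysWOW64"


def scan_events(events: List[Dict]) -> List[Tuple[str, str]]:
    """Apply the rule to process-creation events; return (image, reason) hits."""
    hits = []
    for event in events:
        if event.get("EventID") != 1:
            continue
        reason = classify_image(event.get("Image", ""))
        if reason:
            hits.append((event["Image"], reason))
    return hits


if __name__ == "__main__":
    for image, reason in scan_events(SAMPLE_EVENTS):
        print(f"ALERT: {reason}: {image}")
```

Expressed as a Sigma process_creation rule, the same logic selects on `Image|endswith: '\ipconfig.exe'` and filters out the two system directories; keeping the UNC-sourced reason separate lets an analyst triage those hits first, since that launch pattern is the connect-back the exploit depends on.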
Following up on last week's vBulletin work, the team has added CVE-2025-48827 to our repertoire. While it hasn't yet appeared on the CISA KEV list, exploitation in the wild has been reported as early as May 25 (ISC), and GreyNoise has observed consistent probing. It's worth noting that successful exploitation requires the target to be running PHP 8.1 or later.
Our team developed an exploit that uploads a webshell to the target, along with a version scanner, network detection rules, search engine queries, and a packet capture for reference.
RoundCube is widely deployed, with hundreds of thousands or potentially millions of internet-facing installations. There are confirmed reports of in-the-wild exploitation and evidence of exploit listings in underground markets. Given the scope of exposure and availability of working exploits, this vulnerability is likely to appear on the CISA Known Exploited Vulnerabilities list, joining other RoundCube issues of lesser impact.
The team developed and validated a working exploit that yields a reverse shell. Supporting materials include a packet capture, network detection signatures, and search engine queries for threat hunting / attack surface management.