Citrix, Cisco, SonicWall, Sitecore, Wing FTP, Sante PACS, CWP: We Hit Them All

Happy Friday! The team enjoyed last Friday off, so this week we have a monster changelog full of good content!

CVE-2025-48703: Control Web Panel Unauthenticated Command Injection

The team added an exploit for an unauthenticated command injection vulnerability in Control Web Panel (CWP, formerly CentOS Web Panel). Given the number of potential targets online (over 200,000), we expect to see exploitation attempts against this vulnerability in the near future.

The exploit needs only a valid username, not a password, but from there it deploys a reverse shell via a POST request to the CWP user panel's file permissions functionality. Specifically, the value of the t_total parameter is interpolated unsanitized into a chmod command line, so an attacker can append further shell commands and obtain unauthenticated RCE. In addition to the exploit, we supplied PCAPs, Snort/Suricata rules, a YARA rule, and search engine queries.
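
To make that pattern concrete, here is an added example (written for this post in Python, not CWP's actual PHP code): a hypothetical permission-change handler that splices request parameters into a chmod command line, next to a hardened version that validates the mode and file name against allow-lists and returns an argv list so no shell is ever involved, plus a shlex-based check that counts how many commands a shell would actually see. Only the t_total parameter name comes from the advisory text; the fileName parameter, the /home/user/public_html prefix and the two request bodies are constructed for illustration.

```python
from __future__ import annotations

import re
import shlex
from urllib.parse import parse_qs

# Constructed request bodies for the hypothetical handler (not real CWP traffic).
BENIGN_BODY = "t_total=755&fileName=index.php"
# t_total decodes to "755;id>/tmp/pwned": a mode followed by a smuggled command.
MALICIOUS_BODY = "t_total=755%3Bid%3E%2Ftmp%2Fpwned&fileName=index.php"

WEB_ROOT = "/home/user/public_html"            # assumed location of the user's files
MODE_RE = re.compile(r"[0-7]{3,4}")            # chmod's octal mode syntax, nothing else
FILE_NAME_RE = re.compile(r"[A-Za-z0-9._-]+")  # no slashes, spaces or shell metacharacters
SHELL_SEPARATORS = {";", "&&", "||", "|", "&"}


def vulnerable_command(body: str) -> str:
    """The vulnerable pattern: parameters interpolated verbatim into a string
    that is later handed to a shell (PHP exec()/shell_exec(), or
    subprocess.run(..., shell=True)). Anything after ';' in t_total runs as a
    second command with whatever privileges the panel process has."""
    params = parse_qs(body)
    mode = params["t_total"][0]
    name = params["fileName"][0]
    return f"chmod {mode} {WEB_ROOT}/{name}"


def hardened_command(body: str) -> list[str]:
    """The fix: reject anything that is not a plain octal mode or a plain file
    name, then return an argv list for subprocess.run(argv) with no shell, so a
    metacharacter is never interpreted even if the validation later regresses.
    (Better still is os.chmod(path, int(mode, 8)) and no external command.)"""
    params = parse_qs(body)
    mode = params["t_total"][0]
    name = params["fileName"][0]
    if not MODE_RE.fullmatch(mode):
        raise ValueError(f"rejected mode: {mode!r}")
    if not FILE_NAME_RE.fullmatch(name):
        raise ValueError(f"rejected file name: {name!r}")
    return ["chmod", mode, f"{WEB_ROOT}/{name}"]


def shell_command_count(cmdline: str) -> int:
    """Tokenise a command line the way sh does (shlex with punctuation_chars)
    and count the separate commands it contains. Anything above 1 means a
    parameter smuggled in an extra command."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    return 1 + sum(1 for token in lexer if token in SHELL_SEPARATORS)
```

The same tokeniser is a cheap triage step when reviewing captured POST bodies: URL-decode the parameter, drop it into the command template the code builds, and see whether the count changes.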

CVE-2025-5777: CitrixBleed2

CitrixBleed2 is an unauthenticated, remote memory disclosure in Citrix NetScaler. Its predecessor, CitrixBleed (CVE-2023-4966), was exploited in the wild to leak session tokens and take over authenticated NetScaler sessions. On June 26, ReliaQuest was the first to report seeing CitrixBleed2 exploited in the wild; Shadowserver followed on July 2, and CISA added it to their KEV on July 10. The team delivered an exploit, pcap, network signature rules, and search queries.

CVE-2025-23006: SonicWall SMA1000 Java Deserialization

By customer request, VulnCheck analyzed CVE-2025-23006, a pre-authentication Java deserialization vulnerability in the SonicWall SMA1000 series of appliances. Although no public exploit appears to exist, the vulnerability has been exploited by threat actors since January 2025. CVE-2025-23006 was added to VulnCheck KEV on January 22 and to CISA KEV on January 24.

The vulnerability is an authentication bypass for a specific set of URL path prefixes, chained with Java deserialization in a number of Struts actions. We have prepared an exploit, a version scanner, packet captures, network signatures, and a YARA rule for this release. Shodan, Censys, FOFA, and ZoomEye queries are also provided.

CVE-2025-20281: Cisco ISE Java Deserialization

CVE-2025-20281 is billed as unauthenticated RCE in Cisco's Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). While validating the vulnerability, we found that the existing public PoCs are all variations of the same fake PoC, so we analyzed Cisco's patch to determine the true root cause. The patch adds authentication to a single endpoint that was previously left unauthenticated by mistake. That endpoint consumes an attacker-supplied Java serialization stream; deserializing it yields RCE, and the deserialized data also feeds into a second-order command injection.

We have not seen reports of exploitation in the wild, but we expect this to change soon as attackers work out the vulnerability. An exploit, packet captures, network signatures, and a YARA rule are provided, along with Shodan, Censys, FOFA, ZoomEye, and GreyNoise queries to identify targets and exploitation activity.
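
Both the SonicWall SMA1000 and Cisco ISE bugs come down to an endpoint that accepts a Java serialization stream from an unauthenticated client, so the first detection question is usually "does this request body carry one?". The following is an added example for this post (our own Python, not code from either vendor or from the signatures shipped with these exploits): it finds the STREAM_MAGIC/STREAM_VERSION bytes in an HTTP body either raw or base64-encoded, names the first type code, and pulls out the outermost class name, which is the field a rule would compare against known gadget-chain roots. The sample bodies are constructed; the HashMap header is truncated after its serialVersionUID and is not a usable payload.

```python
from __future__ import annotations

import base64
from typing import Optional

STREAM_HEADER = b"\xac\xed\x00\x05"   # STREAM_MAGIC 0xACED, STREAM_VERSION 5
B64_HEADER = b"rO0AB"                 # base64 of those four bytes (the fixed prefix)
B64_ALPHABET = frozenset(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")

# Type codes from the Java Object Serialization Stream Protocol.
TC_NAMES = {
    0x70: "TC_NULL", 0x71: "TC_REFERENCE", 0x72: "TC_CLASSDESC", 0x73: "TC_OBJECT",
    0x74: "TC_STRING", 0x75: "TC_ARRAY", 0x76: "TC_CLASS", 0x77: "TC_BLOCKDATA",
    0x78: "TC_ENDBLOCKDATA", 0x79: "TC_RESET", 0x7A: "TC_BLOCKDATALONG",
    0x7B: "TC_EXCEPTION", 0x7C: "TC_LONGSTRING", 0x7D: "TC_PROXYCLASSDESC", 0x7E: "TC_ENUM",
}

# Constructed sample: the opening bytes of a serialized java.util.HashMap,
# truncated after the class descriptor's serialVersionUID. Not a working payload.
SAMPLE_STREAM = (
    STREAM_HEADER
    + b"\x73\x72"                          # TC_OBJECT, TC_CLASSDESC
    + b"\x00\x11java.util.HashMap"         # modified UTF-8: length 17, class name
    + b"\x05\x07\xda\xc1\xc3\x16\x60\xd1"  # serialVersionUID
)
RAW_BODY = SAMPLE_STREAM                                                  # e.g. application/x-java-serialized-object
B64_BODY = b"payload=" + base64.b64encode(SAMPLE_STREAM) + b"&submit=1"  # same stream in a form field


def _decode_b64_run(body: bytes, start: int) -> bytes:
    """Decode the longest run of base64 characters beginning at `start`,
    dropping a trailing partial quantum so a truncated value still decodes."""
    end = start
    while end < len(body) and body[end] in B64_ALPHABET:
        end += 1
    run = body[start:end]
    run = run[: len(run) - len(run) % 4]
    return base64.b64decode(run) if run else b""


def find_java_stream(body: bytes) -> Optional[bytes]:
    """Return the serialization stream embedded in an HTTP body, raw or
    base64-encoded, or None if the body carries no such stream."""
    raw = body.find(STREAM_HEADER)
    if raw != -1:
        return body[raw:]
    enc = body.find(B64_HEADER)
    if enc != -1:
        decoded = _decode_b64_run(body, enc)
        if decoded.startswith(STREAM_HEADER):
            return decoded
    return None


def describe_stream(stream: bytes) -> dict:
    """Summarise the header: protocol version, first type code and, for the
    common TC_OBJECT/TC_CLASSDESC opening, the outermost class name."""
    info = {"version": int.from_bytes(stream[2:4], "big"), "first_tag": None, "class_name": None}
    if len(stream) > 4:
        info["first_tag"] = TC_NAMES.get(stream[4], f"0x{stream[4]:02x}")
    if len(stream) >= 8 and stream[4:6] == b"\x73\x72":
        length = int.from_bytes(stream[6:8], "big")
        info["class_name"] = stream[8:8 + length].decode("utf-8", "replace")
    return info


def inspect_http_body(body: bytes) -> Optional[dict]:
    """None for a body with no serialization stream, a header summary otherwise."""
    stream = find_java_stream(body)
    return None if stream is None else describe_stream(stream)
```

Two caveats when turning this into an alert: a percent-encoded form body has to be URL-decoded before the raw magic bytes can be seen, and legitimate Java applications exchange serialized objects too, so the useful signal is the header arriving at an endpoint that should never receive one (or a class name matching a known gadget chain), not the header on its own.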

CVE-2025-47812: Wing FTP Authenticated & Anonymous Lua Injection RCE

Anonymous or authenticated Wing FTP users can inject Lua code and achieve RCE on the server. The team developed an exploit for this vulnerability after identifying that Wing FTP has a large user base in Thailand and China and that the server appears to embed the customer's licensing information, which could help actors single out specific organizations. This vulnerability was added to VulnCheck KEV on July 10 following a report by Huntress.

The team provides an exploit, pcap, network signature rules, and search queries.

CVE-2025-22643: Sante PACS Server Unauthenticated Path Traversal

The team added an exploit for Sante PACS Server and PACS Server PG versions >=4.1.0, which are susceptible to an unauthenticated path traversal that lets attackers download arbitrary files from the server, notably the HTTP.db database containing user authentication data and other potentially sensitive information about the PACS deployment. This vulnerability, discovered by Tenable, already has both a Metasploit module and a Nuclei template, so exploitation in the wild shouldn't surprise anyone.

This exploit comes with pcap files, network rules, and queries.

CVE-2025-34510: Sitecore XP Authenticated ZIP Slip RCE Upload2

Following up on our earlier work reproducing the watchTowr Sitecore exploit chain, the team created an exploit for the Upload2 file upload zip slip vulnerability. The exploit can either chain CVE-2025-34509, the hardcoded-credentials vulnerability, to authenticate automatically, or use credentials you provide.

The team provides pcaps, network signatures, and queries.
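
The Sante PACS path traversal and the Sitecore zip slip are the same defect seen from two directions: a user-controlled path is joined onto a trusted directory without checking where it ends up, once when serving a download and once when writing archive entries to disk. As an added example for this post (our own Python, not code from Sante, Sitecore or the exploits above), the block below shows the naive join that lets `..%2FHTTP.db` walk out of a web root, and a single `resolve_inside` check that guards both a download handler and a two-pass zip extractor that validates every entry before writing any. The directory layout, the archive contents and the stand-in HTTP.db are constructed for the demo.

```python
from __future__ import annotations

import io
import os
import tempfile
import zipfile
from pathlib import Path
from urllib.parse import unquote


def vulnerable_join(base: str, requested: str) -> str:
    """The traversal-prone pattern: URL-decode, join, normalise. normpath
    happily collapses '..' and walks out of the base directory."""
    return os.path.normpath(os.path.join(base, unquote(requested)))


def resolve_inside(base: Path, untrusted: str) -> Path:
    """Resolve an untrusted relative path against `base` and refuse anything
    that does not land inside it. resolve() collapses '..' and follows
    symlinks, so the check is on the real final location, not the string."""
    base = base.resolve()
    target = (base / unquote(untrusted)).resolve()
    if target != base and base not in target.parents:
        raise PermissionError(f"path escapes {base}: {untrusted!r}")
    return target


def safe_extract(zip_bytes: bytes, dest: Path) -> list[str]:
    """Zip slip guard: compute every entry's destination first, then write.
    One hostile entry aborts the whole archive before any file touches disk."""
    dest = dest.resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        members = archive.infolist()
        targets = [resolve_inside(dest, info.filename) for info in members]
        written = []
        for info, target in zip(members, targets):
            if info.is_dir():
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(archive.read(info))
            written.append(target.relative_to(dest).as_posix())
    return written


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory archive. writestr does not sanitise names, so
    '../../shell.aspx' is stored exactly as an attacker would store it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    return buf.getvalue()


def run_demo() -> dict:
    """Exercise both guards in a scratch directory and return the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "www"
        root.mkdir()
        (root / "index.html").write_bytes(b"<html></html>")
        # Constructed stand-in for the database, one level above the web root.
        (Path(tmp) / "HTTP.db").write_bytes(b"not a real database")
        results["served"] = resolve_inside(root, "index.html").read_bytes()
        try:
            resolve_inside(root, "..%2FHTTP.db")
            results["traversal_blocked"] = False
        except PermissionError:
            results["traversal_blocked"] = True
        evil = build_zip({"pkg/readme.txt": b"ok", "../../shell.aspx": b"<%-- webshell --%>"})
        try:
            safe_extract(evil, root / "upload")
            results["zipslip_blocked"] = False
        except PermissionError:
            results["zipslip_blocked"] = True
        results["shell_written"] = (Path(tmp) / "shell.aspx").exists()
        good = build_zip({"pkg/readme.txt": b"ok", "pkg/sub/a.txt": b"a"})
        results["extracted"] = safe_extract(good, root / "upload")
    return results
```

Comparing resolved paths beats filtering the string for `../`, because encodings such as `..%2F`, `..%5C` or `....//` slip past naive filters but all normalise to the same escape. On the wire, traversal attempts show up as request paths whose decoded form contains `..` segments, which is the property to key on rather than any one spelling.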

CVE-2025-34511: Sitecore XP PowerShell Plugin Authenticated RCE Chain

The final follow-up to the Sitecore watchTowr bugs is an authenticated webshell upload in Sitecore PowerShell Extensions, a plugin commonly installed on production deployments. Our exploit first checks whether the target is exploitable and, if no credentials are provided, chains the earlier hardcoded-credential bugs for authentication.

The team provides pcaps, network signatures, and queries for this vulnerability.

CVE-2020-0688: Exchange Server Deserialization RCE via Default Cryptographic Key

Building on recent improvements to our deserialization payloads in go-exploit, we added Exchange Server's CVE-2020-0688, an RCE in the Exchange Control Panel caused by every installation shipping the same static ASP.NET ViewState validation key, which lets any user with valid credentials forge a ViewState deserialization payload. This vulnerability has been exploited by threat actors and ransomware crews over the last five years. The exploit comes with Sigma, Suricata, and Snort rules as well as pcaps and queries.