Happy Friday! The following is the content that the Initial Access Intelligence team delivered over the last week.
We added coverage for Fortinet CVE-2025-25257, a pre-auth SQL injection in the FortiWeb management interface. Our exploit achieves RCE with a pure-Python SSL reverse shell. Using the queries we've provided, the team noted few targets online, with results numbering only in the hundreds. This is in line with prior research and continues to confirm the low exposure of the FortiWeb management interface. Nonetheless, we added this vulnerability to VulnCheck KEV on July 11, 2025, citing Shadowserver for the reported exploitation.
Along with an exploit, we are providing packet captures, Suricata and Snort rules, and the aforementioned queries for visible targets and exploitation in the wild.
The team added coverage for the second Apache Camel header injection RCE variant, otherwise known as CVE-2025-29891. While the initial CVE, CVE-2025-27636, required exploiting the vulnerability through request headers, CVE-2025-29891 is exploited by supplying the payload through request parameters. This variant has been reported as exploited in the wild.
Included along with this exploit are Snort and Suricata rules, pcaps, and a vulnerable Docker target for testing.
The team added network signatures, search queries, and a pcap for an unauthenticated SSRF vulnerability affecting various versions of SugarCRM. Through the /css/preview API call, Leaner Style Sheets (Less) code can be injected, permitting file reads via the use of an @import statement. Though no exploit attempts have been detected in the wild for this one, attackers have shown interest in SugarCRM as a target in the past.
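As an added illustration of what a log-side check for this endpoint can look like (example code written for this post, not VulnCheck's signatures or search queries): the function below parses constructed access-log lines, keeps only requests whose path begins with /css/preview, URL-decodes every query parameter, and flags any value that carries a Less @import directive. The log format, the client addresses, and the query parameter name `lm` are all assumptions made for the sample; the detector deliberately does not depend on the parameter name.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding records one suspicious request.
type Finding struct {
	Client string
	Path   string
	Reason string
}

// accessLineRe extracts client, method and request target from a
// common/combined-format access-log line (assumed log format).
var accessLineRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"`)

// importRe matches a Less @import directive once the value is URL-decoded.
var importRe = regexp.MustCompile(`(?i)@import\b`)

// inspectLine returns a Finding when the line is a /css/preview request whose
// query string carries an @import directive in any parameter.
func inspectLine(line string) (*Finding, bool) {
	m := accessLineRe.FindStringSubmatch(line)
	if m == nil {
		return nil, false
	}
	client, target := m[1], m[3]
	u, err := url.Parse(target)
	if err != nil {
		return nil, false
	}
	if !strings.HasPrefix(u.Path, "/css/preview") {
		return nil, false
	}
	// Query() decodes percent-encoding and '+', so "%40import" becomes "@import".
	for key, vals := range u.Query() {
		for _, v := range vals {
			if importRe.MatchString(v) {
				return &Finding{
					Client: client,
					Path:   u.Path,
					Reason: fmt.Sprintf("@import in query parameter %q", key),
				}, true
			}
		}
	}
	return nil, false
}

// scanLog runs inspectLine over every line and collects the findings.
func scanLog(lines []string) []Finding {
	var out []Finding
	for _, l := range lines {
		if f, hit := inspectLine(l); hit {
			out = append(out, *f)
		}
	}
	return out
}

// sampleLog is constructed data: one ordinary request, one /css/preview call
// carrying an @import, one benign /css/preview call, and one POST whose body
// is not visible in the access log.
var sampleLog = []string{
	`203.0.113.5 - - [11/Jul/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 2048`,
	`203.0.113.7 - - [11/Jul/2025:10:00:02 +0000] "GET /css/preview?lm=%40import+%22placeholder.less%22 HTTP/1.1" 200 512`,
	`203.0.113.9 - - [11/Jul/2025:10:00:03 +0000] "GET /css/preview?lm=.a%7Bcolor%3Ared%7D HTTP/1.1" 200 128`,
	`203.0.113.11 - - [11/Jul/2025:10:00:04 +0000] "POST /css/preview HTTP/1.1" 200 512`,
}

func main() {
	for _, f := range scanLog(sampleLog) {
		fmt.Printf("%s %s: %s\n", f.Client, f.Path, f.Reason)
	}
}
```

The fourth sample line shows the limit of this approach: a payload delivered in a POST body never reaches the access log, which is why the network-layer signatures shipped with this coverage remain the primary detection.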
This week, an exploit for an authenticated command injection vulnerability affecting Kubernetes Windows nodes was added. Vulnerable versions of Windows nodes with the NodeLogQuery feature enabled permit querying service logs with a regex through the pattern parameter. The contents of this parameter get passed to a PowerShell command, enabling RCE.
We have not seen any evidence of exploitation attempts so far, but this could change given the number of potential targets found online. Provided alongside the exploit are Suricata and Snort rules, a Sigma rule, pcaps, and search queries.
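The bug class above comes down to where a caller-supplied regex ends up: inside a string that a shell parses, or inside a regex engine. The added example below (written for this post; it is not the kubelet's code and does not reproduce the vulnerable handler) contrasts the two designs in Go, the language Kubernetes is written in. `unsafeCommandString` shows the shape to avoid: the pattern is interpolated verbatim into a PowerShell command line. `filterLogLines` shows the alternative: bound the pattern's length, compile it with Go's RE2-based `regexp` (linear-time matching, so an attacker-chosen pattern cannot cause catastrophic backtracking either), and apply it in-process so no shell ever sees the input. The log path, length limit and sample log lines are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// maxPatternLen bounds caller-supplied patterns (assumed limit for this example).
const maxPatternLen = 256

// unsafeCommandString is the shape that leads to command injection: the
// caller's pattern lands verbatim inside a string that PowerShell will parse.
// Hypothetical illustration only; returned, never executed here.
func unsafeCommandString(logPath, pattern string) string {
	return fmt.Sprintf("Get-Content '%s' | Select-String -Pattern '%s'", logPath, pattern)
}

// validatePattern rejects empty or oversized input and requires the pattern
// to compile under Go's regexp package before it is used anywhere.
func validatePattern(pattern string) (*regexp.Regexp, error) {
	if pattern == "" {
		return nil, errors.New("empty pattern")
	}
	if len(pattern) > maxPatternLen {
		return nil, fmt.Errorf("pattern exceeds %d bytes", maxPatternLen)
	}
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, fmt.Errorf("invalid pattern: %w", err)
	}
	return re, nil
}

// filterLogLines applies the validated regex in-process; the caller's input
// is only ever data to the regex engine, never part of a command.
func filterLogLines(lines []string, pattern string) ([]string, error) {
	re, err := validatePattern(pattern)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, l := range lines {
		if re.MatchString(l) {
			out = append(out, l)
		}
	}
	return out, nil
}

// sampleLog is constructed data standing in for a node service log.
var sampleLog = []string{
	"2025-07-11 10:00:01 kubelet: node ready",
	"2025-07-11 10:00:05 kubelet: failed to pull image",
	"2025-07-11 10:00:09 kube-proxy: synced rules",
}

func main() {
	// The vulnerable shape: a single quote in the pattern ends the quoted argument.
	fmt.Println(unsafeCommandString(`C:\k\kubelet.log`, "it's"))

	// The hardened path: validated regex, matched in Go.
	matches, err := filterLogLines(sampleLog, "kubelet.*failed")
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println(strings.Join(matches, "\n"))
}
```

The point of the contrast is that escaping the pattern for PowerShell's quoting rules would be the fragile fix; keeping the input out of any shell-parsed string removes the injection surface entirely, and the compile step doubles as the input validation the original handler lacked.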
Continuing to flex go-exploit's dotnet deserialization payload library, the team added coverage for CVE-2021-42321 affecting Microsoft Exchange Server. This vulnerability has been associated with FIN7 (aka Carbon Spider) and multiple ransomware groups, including Hive and Black Basta.
The team developed an exploit, network rules, and search queries.
Again, flexing go-exploit's dotnet prowess, the team added coverage for CVE-2022-23277 affecting Microsoft Exchange. This vulnerability has no public information regarding exploitation in the wild, but it has a whopping EPSS percentile of 0.98702. Additionally, we observe that this vulnerability is very similar to CVE-2021-42321 (just a more complex deserialization payload), so that EPSS percentile is likely well founded.
The team developed an exploit, network rules, and search queries.
The team added a Linuxsys cryptominer PCAP and network rules in the c2/ subdirectory. These artifacts are related to our recent publication The Linuxsys Cryptominer.