ToolShell and Cisco ISE Updates, New Jenkins and WordPress Plugin Coverage, SQL Server Deserialization, Customer-Requested Signatures, and Expanded Attacker Infrastructure Tracking

Happy Friday! The following are the deliverables the VulnCheck Initial Access Intelligence team published over the last week:

ToolShell Update: CVE-2025-49704, CVE-2024-49706, and CVE-2025-53771

The team updated the feed to document that we have exploits for CVE-2025-49704, CVE-2024-49706, and CVE-2025-53771.

The team additionally completed a second variant of the attack chain to execute a DLL in-memory. A default DLL that reads environment variables and returns them to the caller was provided, but customers can supply their own DLL via the -dll flag.

Additionally, the team implemented a -cryptodata flag that uses the output returned by the default DLL payload to execute commands on the remote host via a malicious Viewstate payload (rather than the ToolShell exploit). This convenience feature may provide some amount of persistence if the target host did not have its Viewstate keys changed after patching ToolShell.

CVE-2025-20337: Cisco ISE Command Injection (and Container Escape)

As a follow-up to our recent Cisco ISE content, the team delivered an exploit, pcaps, network signatures, YARA, and queries for CVE-2025-20337, a root command injection and Docker container escape in the same product. The vulnerability actually stems from the earlier CVE-2025-20281's Java deserialization, where, instead of a gadget chain, a string array is serialized to include a second-order command injection. Unfortunately, the injection lands inside a container, but this is easily escaped by mounting the host's root and planting a shell in cron, thereby compromising the root user on the host. Our exploit is based on the research we performed while analyzing CVE-2025-20281, which we have also updated with a note on privilege escalation from the web user.

According to our sources, CVE-2025-20337 is now being exploited in the wild, along with CVE-2025-20281. Technical details are now public, so we expect to see increased exploitation. Both CVEs were added to VulnCheck KEV and later to CISA KEV.

CVE-2025-53652: Jenkins Git-Parameter Plugin Injection

The team added coverage for an injection vulnerability impacting the git-parameter plugin for Jenkins. Jenkins, somewhat curiously, disclosed this as a CVSSv3 5.4 (Medium). However, the team was able to demonstrate unauthenticated command injection as the jenkins user (although it does seem that configurations will typically make this an authenticated RCE).

While the vulnerability affects a plugin, Jenkins reports ~60,000 installs or 23% of all controllers. We also note that there are more than 40,000 internet-facing Jenkins servers, making this, at least, an interesting vulnerability.

In addition to the exploit, the team has provided network signatures, a Docker target, and pcaps.

CVE-2025-4322: StylemixThemes Motors WordPress Plugin Admin Password Reset RCE

The Motors WordPress plugin is commonly used by automotive sellers and was affected by weak validation in a password reset function, allowing an attacker to reset any user’s password (eventually allowing for RCE). This vulnerability was added to VulnCheck KEV due to reports from Patchstack and Wordfence. This is the type of vulnerability we've observed attackers use in order to leverage legitimate hosts for further attacks or malware hosting. FOFA finds a number of these across the globe (although mostly in the US and Germany).

The team delivered an exploit, pcaps, network signatures, and search engine queries.

CVE-2020-0618: SQL Server Reporting Services Deserialization RCE

Continuing the trend of Windows deserialization vulnerabilities, and thanks to the new go-exploit library, the team also added an exploit for SQL Server Reporting Services. This vulnerability has been known to be used by TargetCompany ransomware.

This exploit comes with pcaps and network rules. There is little to no descriptive information when communicating with this service as an unauthenticated user, so search engine queries for this exploit have not been provided.

Customer Requested Network Signatures

This week we added a slew of customer-requested network signatures, pcaps, and related search engine queries (where possible). Included were:

  • CVE-2025-3943: Affecting Tridium Niagara (see this research by Nozomi).
  • CVE-2025-41678, CVE-2025-41675, CVE-2025-41673, CVE-2025-41674, and CVE-2025-41679: Affecting the Helmholz Industrial Router REX100 (see this research by CyberDanube).
  • CVE-2012-2998: Affecting Trend Micro Control Manager.
  • CVE-2010-0103: Affecting Energize DUO.

IP Intel Update

IP Intel was updated to include tracking of open source post-exploitation frameworks Pyramid and Adaptix. We also added tracking for ACR Stealer and Matanbuchus web panels, as well as Oyster Backdoor.