Happy Friday! The following are the deliverables the VulnCheck Initial Access Intelligence team published over the last week:
The team updated the feed to document that we have exploits for CVE-2025-49704, CVE-2024-49706, and CVE-2025-53771.
The team additionally completed a second variant of the attack chain to execute a DLL in-memory. A default DLL that reads environment variables and returns them to the caller was provided, but customers can supply their own DLL via the -dll flag.
Additionally, the team implemented a -cryptodata flag that uses the output returned by the default DLL payload to execute commands on the remote host via a malicious Viewstate payload (rather than the ToolShell exploit). This convenience feature may provide some amount of persistence if the target host did not have its Viewstate keys changed after patching ToolShell.
As a follow-up to our recent Cisco ISE content, the team delivered an exploit, pcaps, network signatures, YARA, and queries for CVE-2025-20337, a root command injection and Docker container escape in the same product. The vulnerability actually stems from the earlier CVE-2025-20281's Java deserialization, where, instead of a gadget chain, a string array is serialized to include a second-order command injection. Unfortunately, the injection lands inside a container, but this is easily escaped by mounting the host's root and planting a shell in cron, thereby compromising the root user on the host. Our exploit is based on the research we performed while analyzing CVE-2025-20281, which we have also updated with a note on privilege escalation from the web user.
According to our sources, CVE-2025-20337 is now being exploited in the wild, along with CVE-2025-20281. Technical details are now public, so we expect to see increased exploitation. Both CVEs were added to VulnCheck KEV and later CISA KEV.
The team added coverage for an injection vulnerability impacting the git-parameter plugin for Jenkins. Jenkins, somewhat curiously, disclosed this as a CVSSv3 5.4 (Medium). However, the team was able to demonstrate unauthenticated command injection as the jenkins user (although it does seem that configurations will typically make this an authenticated RCE).
While the vulnerability affects a plugin, Jenkins reports ~60,000 installs or 23% of all controllers. We also note that there are more than 40,000 internet-facing Jenkins servers, making this, at least, an interesting vulnerability.
In addition to the exploit, the team has provided network signatures, a Docker target, and pcaps.
The Motors WordPress plugin is commonly used by automotive sellers and was affected by weak validation in a password reset function, allowing an attacker to reset any user’s password (eventually allowing for RCE). This vulnerability was added to VulnCheck KEV due to reports from Patchstack and Wordfence. This is the type of vulnerability we've observed attackers use in order to leverage legitimate hosts for further attacks or malware hosting. FOFA finds a number of these across the globe (although mostly in the US and Germany).
The team delivered an exploit, pcaps, network signatures, and search engine queries.
Continuing the trend of Windows deserialization vulnerabilities, and thanks to the new go-exploit library, the team also added an exploit for SQL Server Reporting Services. This vulnerability has been known to be used by TargetCompany ransomware.
This exploit comes with pcaps and network rules. There is little to no descriptive information when communicating with this service as an unauthenticated user, so search engine queries for this exploit have not been provided.
This week we added a slew of customer-requested network signatures, pcaps, and related search engine queries (where possible). Included were:
IP Intel was updated to include tracking of open source post-exploitation frameworks Pyramid and Adaptix. We also added tracking for ACR Stealer and Matanbuchus web panels, as well as Oyster Backdoor.