Happy Friday! The following summarizes the work the VulnCheck Initial Access Intelligence team released over the last week:
The team added an exploit that generates WinRAR archives with path traversals in hidden file data streams, emulating the functionality described by ESET Research in the RomCom campaign. Unlike other public PoCs, our exploit does not require executing an external program; it implements and builds the RAR header directly.
We additionally noticed that many of the public PoCs that were first released were fake and did not create a vulnerable data stream at all, but interestingly put the payload file in the expected locations, which may have misled organizations building protections.
The team delivered Sigma and YARA rules, pcaps, and an exploit.
The team followed up last week's ScriptCase authentication bypass, CVE-2025-47227, with a command injection, CVE-2025-47228, that can be chained with it. Since ScriptCase can reasonably be deployed on either Linux or Windows, the team opted to create an exploit that drops a webshell, which supports both platforms with no extra effort. The team also created a PCAP, a version scanner, network signatures, and search engine queries.
The team wrote a blog post that digs into finding, exploiting, and defending ScriptCase against these CVEs. We observed hundreds of vulnerable servers, and attackers scanning for the base /scriptcase/ URL.
VulnCheck CNA recently assigned CVE-2025-2611 to an unpatched command injection vulnerability, discovered by researcher Valentin Lobstein (aka Chocapikk), affecting ICTBroadcast. The vulnerability currently has an EPSS percentile of 0.97575 and a recently merged Metasploit module. The team observed internet-accessible instances, so future exploitation in the wild seems likely.
The team delivered an exploit, PCAP, search engine queries, a vulnerable docker container, and network signatures.
The team delivered an SQL injection exploit that discloses sensitive information from arbitrary tables in the Postgres database backing a GeoServer instance. The team's exploit dumps user credentials, enabling attackers to take over admin accounts. GeoServer serves geospatial data from every major data source; that data is often highly sensitive, and many food, health, transit, and emergency services rely on its accuracy to operate. Our FOFA queries identified tens of thousands of GeoServer instances currently online.
At a customer's request, we identified why the public network signatures for this vulnerability fail. The issue was related to path normalization, so we wrote our own signatures that correctly detect attempted exploitation. We are also including the packet capture we tested against. CVE-2019-11510 still sees exploitation activity today.
The team delivered Snort and Suricata rules, pcaps, GreyNoise query, and an exploit.
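To illustrate the path-normalization failure mode described above, here is an added example (not VulnCheck's signatures or exploit) showing why a literal-string signature misses traversal attempts that are encoded differently or use a different number of `../` segments, and how normalizing the path before matching fixes that. The `/app/` prefix, the `/etc/passwd` target and the sample request paths are constructed placeholders, not taken from the CVE-2019-11510 capture.

```python
from urllib.parse import unquote

# Decode repeatedly (bounded) so double-encoded "%252e%252e" collapses to "..",
# then resolve dot segments. Returns (normalized_path, escaped_root): escaped_root
# is True when a ".." tried to climb above "/", the signal a signature should key on.
def normalize_path(raw_path: str, max_decode_rounds: int = 2) -> tuple[str, bool]:
    path = raw_path.split("?", 1)[0]
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    stack: list[str] = []
    escaped = False
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True  # would leave the web root
            continue
        stack.append(seg)
    return "/" + "/".join(stack), escaped


# What a literal-string signature does: substring match on the raw request.
def matches_literal(raw_path: str, pattern: str) -> bool:
    return pattern in raw_path


# Normalize first, then decide: flags root escapes and sensitive targets
# regardless of how many "../" were used or how the dots were encoded.
def is_traversal_attempt(raw_path: str, sensitive=("/etc/passwd",)) -> bool:
    normalized, escaped = normalize_path(raw_path)
    return escaped or normalized.endswith(sensitive)


# Constructed sample request paths (not taken from any real capture).
SAMPLES = {
    "plain": "/app/../../../../etc/passwd",
    "encoded": "/app/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "double": "/app/%252e%252e/%252e%252e/etc/passwd",
    "benign": "/app/static/../index.html",
}
LITERAL_SIGNATURE = "/app/../../../../etc/passwd"
```

Only the "plain" sample matches the literal signature, while all three traversal variants are caught once the path is normalized and the benign relative path is not.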