Happy Friday! The following are the release notes for the Initial Access team's deliverables from the last week:
To support both the new Censys platform and the legacy platform that a number of our customers still use, we've updated the Initial Access data to include a new censysLegacyQueries field. This field will only contain URLs starting with https://search.censys.io. We will now begin transitioning all censysQueries entries to https://platform.censys.io/.
Additionally, we've added support for driftnetQueries and have begun adding queries for search via driftnet where possible.
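For consumers of the feed, the split above is mechanical: every Censys URL belongs in exactly one of the two fields depending on its host. The following is an added example (not VulnCheck's code) that normalises a record into that shape; the record layout (a dict with list-valued censysQueries, censysLegacyQueries and driftnetQueries keys) and the sample record are assumptions based on the field names in these notes.

```python
"""Normalise an Initial Access record so that legacy Censys search URLs live in
censysLegacyQueries and platform URLs in censysQueries.

Added example, not VulnCheck's code. The record layout is an assumption based on
the field names in the release notes.
"""
from urllib.parse import urlsplit

LEGACY_HOST = "search.censys.io"
PLATFORM_HOST = "platform.censys.io"


def _host(url: str) -> str:
    """Return the lower-cased host of an https URL, rejecting anything else."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"non-https query URL: {url}")
    return parts.netloc.lower()


def normalize_record(record: dict) -> dict:
    """Return a copy with Censys URLs split by host; order preserved, duplicates dropped.

    Records that predate the change have only censysQueries; records that already
    carry censysLegacyQueries are merged and re-split so the result is the same
    either way. Unknown hosts raise rather than being silently kept.
    """
    legacy, platform = [], []
    seen = set()
    for url in record.get("censysQueries", []) + record.get("censysLegacyQueries", []):
        if url in seen:
            continue
        seen.add(url)
        host = _host(url)
        if host == LEGACY_HOST:
            legacy.append(url)
        elif host == PLATFORM_HOST:
            platform.append(url)
        else:
            raise ValueError(f"unexpected Censys host in {url}")
    out = dict(record)  # shallow copy; the caller's record is not mutated
    out["censysQueries"] = platform
    out["censysLegacyQueries"] = legacy
    # driftnetQueries is optional in the feed; make it present so downstream code
    # can iterate it without a key check.
    out.setdefault("driftnetQueries", [])
    return out


# Constructed record for the example, not real feed data. The query paths are
# placeholders, not real Censys queries.
SAMPLE = {
    "cve": "CVE-XXXX-XXXX",
    "censysQueries": [
        "https://search.censys.io/PLACEHOLDER-LEGACY-QUERY",
        "https://platform.censys.io/PLACEHOLDER-PLATFORM-QUERY",
        "https://search.censys.io/PLACEHOLDER-LEGACY-QUERY",  # duplicate, dropped
    ],
}

if __name__ == "__main__":
    print(normalize_record(SAMPLE))
```

Raising on a non-https URL or an unexpected host is deliberate: a feed entry pointing somewhere other than the two Censys hosts is a data problem you want surfaced, not a query you want silently run.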
Fortinet CVE-2025-25256 is a recently exploited vulnerability in FortiSIEM that we added to VulnCheck KEV on August 12, 2025; addition to CISA KEV is still pending. GreyNoise has also observed recent activity.
The bug is a command injection in the phMonitor service, which listens on TCP *:7900 without any authentication. Interaction with the service is performed over a custom binary protocol that, for this particular vulnerability, consumes an XML document. This input is then used in an injectable shell command, which is filtered for the "bad characters" " \t\r\n\v\"'|&>;". We were able to bypass this restriction to execute complex shell commands. Supported payloads include an SSL reverse shell, a cleartext reverse shell, and an HTTP-based binary dropper.
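The filter described above is a character denylist in front of a shell command, which is the pattern that keeps producing bypassable filters. The following is an added example, not FortiSIEM or VulnCheck code, contrasting that denylist (the exact character set quoted above) with the fix that removes the injection class: validate the value against an allowlist for what the field is supposed to hold and pass it as a single argv element with no shell involved. The assumption that the field holds a hostname-style token, and the use of echo as the stand-in command, are both for the example.

```python
"""Denylist character filtering versus not invoking a shell at all.

Added example, not FortiSIEM or VulnCheck code. The "field holds a host token"
assumption and the echo stand-in command are for the example only.
"""
import re
import subprocess
from typing import List

# The denylist quoted in the write-up: space, \t, \r, \n, \v, ", ', |, &, >, ;
BAD_CHARS = " \t\r\n\v\"'|&>;"


def denylist_rejects(value: str) -> bool:
    """The brittle approach: reject only when a listed character is present.

    Anything the list does not name passes straight through to the shell, so
    the filter is only as good as the author's knowledge of the shell's grammar.
    """
    return any(ch in BAD_CHARS for ch in value)


# Hardened approach: only accept what the field is supposed to hold. Here the
# assumed field is a hostname/IP-style token (assumption for the example).
_HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")


def build_argv(base_cmd: List[str], value: str) -> List[str]:
    """Return an argv list for subprocess.run(..., shell=False), or raise.

    The value becomes one argv element and no shell parses it, so shell
    metacharacters have no special meaning. The allowlist is defence in depth:
    it also rejects values the downstream tool would never legitimately see.
    """
    if not _HOST_RE.fullmatch(value):
        raise ValueError("value is not a valid host token")
    return base_cmd + [value]


def run_safely(base_cmd: List[str], value: str) -> str:
    """Run base_cmd with the validated value appended; returns stdout."""
    argv = build_argv(base_cmd, value)
    completed = subprocess.run(
        argv, shell=False, capture_output=True, text=True, check=True
    )
    return completed.stdout


if __name__ == "__main__":
    print(denylist_rejects("host.example"), denylist_rejects("a;b"))
    print(run_safely(["echo"], "host.example"), end="")
```

The point of the contrast is that denylist_rejects can only ever answer "did I recognise something bad", whereas build_argv answers "is this exactly a thing this field may contain", and the shell=False execution means that even a validation mistake does not turn a parameter into a command.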
Coverage added for this vulnerability includes an exploit, PCAPs, network signatures, and a GreyNoise query.
This easy-to-exploit vulnerability has likely flown under the radar because INCD and NVD both scored this a "local" vulnerability, with INCD's CVSSv3 score coming in at an ignorable 5.3. The reality is CVE-2022-30622 allows an unauthenticated and remote attacker to dump all credentials from these systems, including a backdoor account, achieving administrator access on this little system that has wide application in military, navigation, and civil engineering.
The team found hundreds to thousands of these systems online, depending on the search service used. As far as we can tell, no patch exists for this issue. The team delivered an exploit that dumps all the credentials, a PCAP, Suricata and Snort rules, and search engine queries.
Continuing our efforts to cover all popular deserialization exploits, we added another authenticated exploit for Microsoft SharePoint, which continues to be a popular target for a wide range of adversaries. The flaw is due to a lack of proper input validation on XML added to a DataSet object in vulnerable installations of SharePoint. Kaspersky's research team noted in July 2025 that one of the vulnerabilities in the recent SharePoint "ToolShell" exploit chain (CVE-2025-53770) arose from an incomplete fix for CVE-2020-1147.
This exploit yields an asynchronous HTTP VBS-based shell back to the attacker, executed via cscript. Alternatively, an arbitrary command may be executed using the -command flag, though no output will be returned in the terminal when executed in this manner.
The exploit comes with search engine queries, PCAPs, and network rules.
This week, the team added coverage for CVE-2025-46811, a missing authentication vulnerability in SUSE Manager's /rhn/websocket/minion/remote-commands endpoint. SUSE Manager, also known as SUSE Multi-Linux Manager, can issue remote commands to any and all connected clients (minions) through this endpoint over a websocket connection without authentication. Official guides online suggest SUSE Manager can handle >1000 clients. That, along with the publicly reachable instances identified online, suggests it is a valuable target for attackers.
Coverage also includes PCAPs, search engine queries, and a YARA rule to assist in detecting exploitation attempts on the SUSE Manager Server. We also added tracking for SUSE Manager honeypots.
The team added an exploit for "Web-Check", an OSINT tool for analyzing web applications. Vulnerable versions of the application are susceptible to command injection via the url parameter of the /api/screenshot endpoint.
By default, the provided exploit attempts to exploit this vector to establish an encrypted reverse shell back to the attacking host. Other payload options offered are an unencrypted reverse shell and a Node.js-based reverse shell, reverse.cjs (provided), which is served using the -httpServeFile.FilesToServe flag with the -c2 HTTPServeShell option, as per our usual dropper-style exploits.
The exploit comes with a target Docker container, PCAPs, Snort and Suricata rules, and search engine queries.
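Both the SUSE Manager and the Web-Check issues above have a simple shape at the reverse proxy: a WebSocket upgrade to /rhn/websocket/minion/remote-commands from a client carrying no session, and a /api/screenshot request whose url parameter contains characters that a URL to be screenshotted should not. The following is an added example, not VulnCheck's rules or YARA, that tags both patterns in access logs. The JSON-lines log shape, the sample lines, the session cookie name (JSESSIONID) and the metacharacter heuristic are all assumptions for the example.

```python
"""Tag two exploitation patterns in constructed reverse-proxy access logs:
(1) WebSocket upgrades to SUSE Manager's /rhn/websocket/minion/remote-commands
    endpoint with no session cookie (the CVE-2025-46811 condition), and
(2) Web-Check /api/screenshot requests whose url parameter carries shell
    metacharacters.

Added example, not VulnCheck's rules or YARA. The JSON-lines log shape, sample
lines, cookie name and metacharacter heuristic are assumptions for the example.
"""
import json
import re
from typing import Dict, Iterable, List
from urllib.parse import parse_qs, urlsplit

SUMA_WS_PATH = "/rhn/websocket/minion/remote-commands"
WEBCHECK_SHOT_PATH = "/api/screenshot"
# Heuristic: pipes, backticks, redirects, control characters, $( / ${ and a ';'
# followed by a token. Legitimate URLs rarely contain these after decoding, but
# tune against your own traffic (e.g. ';jsessionid=' path parameters).
SHELL_META = re.compile(r"[|`<>\r\n\x00-\x1f]|\$[({]|;\s*[A-Za-z/]")


def _hdr(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; empty string when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def classify(event: dict) -> List[str]:
    """Return the detection tags that apply to one log event."""
    findings: List[str] = []
    parts = urlsplit(event["uri"])
    headers = event.get("headers", {})

    if parts.path == SUMA_WS_PATH and "websocket" in _hdr(headers, "Upgrade").lower():
        # No session cookie means the caller is anonymous; the endpoint accepting
        # the upgrade anyway is the missing-authentication condition.
        if "session" not in _hdr(headers, "Cookie").lower():
            findings.append("suma-remote-commands-unauth-websocket")
        else:
            findings.append("suma-remote-commands-websocket")

    if parts.path == WEBCHECK_SHOT_PATH:
        for url in parse_qs(parts.query).get("url", []):
            if SHELL_META.search(url):
                findings.append("webcheck-screenshot-shell-meta")
                break
    return findings


def scan(lines: Iterable[str]) -> Dict[str, int]:
    """Count detection tags over JSON-lines log input, skipping blank lines."""
    counts: Dict[str, int] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        for tag in classify(json.loads(line)):
            counts[tag] = counts.get(tag, 0) + 1
    return counts


# Constructed sample log (documentation IP ranges, placeholder timestamps and
# cookie value). The fourth line uses an inert '|PLACEHOLDER' marker rather than
# any real payload.
SAMPLE_LOG = """
{"ts":"2025-08-15T10:00:00Z","ip":"192.0.2.10","method":"GET","uri":"/rhn/websocket/minion/remote-commands","headers":{"Upgrade":"websocket","Connection":"Upgrade","Cookie":"JSESSIONID=REDACTED"}}
{"ts":"2025-08-15T10:00:05Z","ip":"198.51.100.7","method":"GET","uri":"/rhn/websocket/minion/remote-commands","headers":{"Upgrade":"websocket","Connection":"Upgrade"}}
{"ts":"2025-08-15T10:01:00Z","ip":"192.0.2.20","method":"GET","uri":"/api/screenshot?url=https%3A%2F%2Fexample.com%2F%3Fa%3D1%26b%3D2","headers":{}}
{"ts":"2025-08-15T10:01:30Z","ip":"198.51.100.7","method":"GET","uri":"/api/screenshot?url=https%3A%2F%2Fexample.com%2F%7CPLACEHOLDER","headers":{}}
"""

if __name__ == "__main__":
    print(scan(SAMPLE_LOG.splitlines()))
```

The two tags for the SUSE endpoint are intentional: an authenticated upgrade is normal administration traffic worth counting, while an anonymous one is the thing to alert on. For Web-Check, the decoded url parameter is checked rather than the raw query string, so percent-encoding does not hide a metacharacter from the heuristic.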