Happy Friday! The following are the Initial Access Intelligence team's deliverables for the past week.
The team delivered a fresh exploit for CrushFTP that takes advantage of a race condition in AS2 validation. When we send two requests quickly enough, we can trick the server into thinking the second request was sent by an admin. Our exploit leverages this to create a new admin user. This is timely, as our friends at watchTowr just released a blog on the vulnerability and active exploitation they've observed against their honeypots.
The team also updated our network signatures for CVE-2025-54309, which has been on VulnCheck KEV since July 18.
The team delivered an exploit for a Fortinet FortiWeb auth bypass, which as far as we can tell only has private exploits and is not yet known to be exploited in the wild. Vulnerability information published by the researcher (0xBigShaq) left out some key details, but happily, Fortinet patches didn't. Our exploit returns the session cookie for an admin user. The team also added threat queries, PCAPs, and network signatures.
This flaw was added to VulnCheck KEV on August 23, underscoring again that backup and recovery solutions continue to be coveted attack targets. An unauthenticated attacker can retrieve an API key for the localadmin account by injecting arguments into Commvault's /Login endpoint. This API token can be used for many of the 5,000+ API endpoints provided by the Commvault server. The exploit attempts to first derive the target's hostname for use in a second request that aims to retrieve a localadmin API token. If the token is successfully retrieved, it will be dumped in the terminal output.
API endpoints include those that are documented here and here, as well as the undocumented API calls that are found in various .NET DLLs (CVWebControllerClient.dll, for example), which can be found on any Commvault commserve/webserver/commandcenter Docker image.
This exploit comes with PCAPs, network rules, and queries.
The team added an exploit for the Tenda AC20 router that allows attackers with access to the web panel to enable remote root telnet access. Based on the team's analysis and fingerprinting, the device does not appear to be widely deployed in an exploitable configuration, as the telnet interface is not internet-facing by default and requires a non-standard configuration. CVE-2025-9090 would likely be used in an exploit chain or leveraged once an adversary has established a foothold.
The team delivered PCAPs, network signatures, and search engine queries.
The team also added coverage this week for an incorrect privilege assignment vulnerability in the OttoKit plugin for WordPress. The plugin touts an install base of over 100k, FOFA shows that there are ~100k instances on the public internet, and attackers have demonstrated interest in previous OttoKit vulns in addition to this one. CVE-2025-27007's EPSS Score percentile currently sits at 0.99 and has seen attempts at exploitation dating back to April 2025, when it was added to VulnCheck KEV.
The exploit creates a valid access key to authenticate to the OttoKit plugin's API via improper validation of wp_authenticate_application_password() during the creation of an OttoKit-to-WordPress connection. With the key, the exploit creates an administrator account on the WordPress target. Administrator creds are then used to deploy a malicious WordPress plugin to obtain a reverse shell against the WordPress installation.
PCAPs, network signatures, a YARA rule, a Docker target, and search engine queries were also added.