By customer request, the team added another original exploit this week for CVE-2025-8876, a KEV-listed improper input validation vulnerability in N-able N-central that enables post-auth command injection. Much like N-central CVE-2025-8875, which the team covered last week, threat activity is unattributed so far, and no public proof-of-concept code is available. Exposure hasn't changed much in the past week: FOFA and ZoomEye still show a few thousand internet-exposed instances of N-central, primarily in North America. Our exploit includes PCAPs, network signatures, a YARA rule, and search engine queries.
The team also added an exploit for a critical improper access control vulnerability in Docker Desktop that allows for full host compromise via a web request if Docker Desktop runs on Windows (credit to Felix Boulet for the find). A malicious container could access the Docker control plane API and launch additional containers without encountering authentication, enabling unauthorized access to user files on the host system. Enhanced Container Isolation (ECI) does not mitigate the vulnerability either. Our exploit includes PCAPs, network signatures, and search engine queries.
The team developed an exploit for a critical improper authentication vulnerability in the FOG Project, a network computer cloning and management solution. The exploit allows for unauthenticated database recovery and password hash access. FOG has a small but real footprint on the internet and is more widely used on internal networks for lab or other shared-system environments — this means there's potential for wormability during disk imaging. CVE-2025-58443 isn't known to be exploited in the wild yet. Our exploit includes PCAPs, network signatures, YARA rules, and search engine queries.
This week the team added an exploit for CVE-2025-32969, an unauthenticated time-based blind SQL injection vulnerability in XWiki that was added to the VulnCheck KEV on September 4. The vulnerability permits the extraction of user credentials from vulnerable XWiki instances despite any page restrictions applied to the server. As of today, FOFA shows approximately 4000 instances exposed to the internet. The exploit includes PCAPs, network signatures, search engine queries, and Docker targets for spinning up XWiki with either a MySQL or Postgres backend.
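Time-based blind SQL injection of the kind described for XWiki leaves a recognizable trace in ordinary web access logs: a request carrying a database delay primitive, followed by a response that takes roughly as long as the delay asked for. The script below is an added example for defenders and is not VulnCheck's exploit, nor XWiki project code; it does not use any XWiki endpoint or parameter, and it assumes a constructed nginx-style combined log with the upstream response time (in seconds) appended as the last field. The sample log lines are constructed. It covers both MySQL and PostgreSQL delay functions, matching the two backends the Docker targets above can run.

```python
import re
from urllib.parse import unquote_plus

# Delay primitives typically seen in time-based blind SQLi probes, covering the
# MySQL and PostgreSQL backends mentioned for XWiki (and MSSQL for completeness).
# Requiring the opening parenthesis avoids matching words like "sleep-hygiene".
TIME_BASED_PATTERNS = re.compile(
    r"(?:\bsleep\s*\(|\bpg_sleep\s*\(|\bbenchmark\s*\(|\bwaitfor\s+delay\b)",
    re.IGNORECASE,
)

# Assumed (constructed) log shape: nginx combined format plus $request_time at
# the end. Adjust this regex to the log format actually in use.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "[^"]*" (?P<rt>[\d.]+)$'
)

# Constructed sample lines: two benign hits, two SQLi probes from one source
# (only the first actually stalls the backend), a slow-but-benign report page,
# and a benign path containing the word "sleep".
SAMPLE_LOG = """\
203.0.113.10 - - [04/Sep/2025:10:00:01 +0000] "GET /wiki/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0.041
203.0.113.10 - - [04/Sep/2025:10:00:02 +0000] "GET /wiki/?q=test HTTP/1.1" 200 4870 "-" "Mozilla/5.0" 0.038
198.51.100.7 - - [04/Sep/2025:10:00:05 +0000] "GET /app/search?q=1%27%20AND%20SLEEP%285%29--%20 HTTP/1.1" 200 912 "-" "python-requests/2.31" 5.012
198.51.100.7 - - [04/Sep/2025:10:00:11 +0000] "GET /app/search?q=1%27%20AND%20pg_sleep%285%29--%20 HTTP/1.1" 200 912 "-" "python-requests/2.31" 0.044
192.0.2.55 - - [04/Sep/2025:10:00:20 +0000] "GET /app/report?id=42 HTTP/1.1" 200 20480 "-" "Mozilla/5.0" 4.900
192.0.2.56 - - [04/Sep/2025:10:00:25 +0000] "GET /articles/sleep-hygiene HTTP/1.1" 200 3100 "-" "Mozilla/5.0" 0.030
"""


def parse_log_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["rt"] = float(rec["rt"])
    return rec


def has_time_based_payload(path):
    """True if the URL-decoded request path contains a SQL delay primitive.

    Decoding twice catches the common trick of double-encoding the payload
    (e.g. %2528 for "(") so that a single-decode filter misses it.
    """
    decoded = unquote_plus(unquote_plus(path))
    return bool(TIME_BASED_PATTERNS.search(decoded))


def flag_time_based_sqli(log_text, slow_seconds=3.0):
    """Return one finding per request that carries a time-based SQLi indicator.

    A slow response alone is never flagged (heavy but legitimate pages exist).
    A delay payload whose response also took at least `slow_seconds` is rated
    high, because it suggests the backend actually executed the injected delay;
    a payload with a fast response is rated medium (probe seen, not confirmed).
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or not has_time_based_payload(rec["path"]):
            continue
        confirmed = rec["rt"] >= slow_seconds
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "path": rec["path"],
            "response_time": rec["rt"],
            "severity": "high" if confirmed else "medium",
        })
    return findings


def probes_per_source(findings):
    """Count flagged requests per source IP to surface repeated probing."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = flag_time_based_sqli(SAMPLE_LOG)
    for f in results:
        print(f"[{f['severity']}] {f['ip']} {f['ts']} rt={f['response_time']}s {f['path']}")
    print("probes per source:", probes_per_source(results))
```

In practice the response-time field is what separates a noisy scanner from a confirmed injection point: when a request containing a delay primitive consistently returns after about the requested delay, the backend is executing attacker-controlled SQL, and that host should be treated as compromised-in-progress rather than merely scanned.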