This week the team added an exploit for a recent high-profile RCE vulnerability in FreePBX, based in part on analysis from watchTowr. The flaw was discovered as a zero-day following a post on the FreePBX community forum. It affects the Endpoint Manager module, which despite being a commercial component is installed on FreePBX systems by default and is exploitable even when unlicensed. FOFA currently shows over 40k instances of FreePBX accessible over the public internet. Notably, we've seen a number of fake PoCs for this bug, which underscores the importance of well-vetted research artifacts.
VulnCheck's coverage also includes PCAPs, network signatures, search engine queries, and a YARA rule.
The team added an exploit for Burk Technology's ARC Solo, an ICS device built for remote monitoring and control and commonly used in broadcasting. Our exploit bypasses authentication to change the password of the admin user, allowing a remote attacker to log in with full permissions and manage connected equipment. Somewhere between a couple hundred and a thousand or so of these devices are reachable on the public internet; CISA released an ICS bulletin when the vulnerability was disclosed, highlighting its low attack complexity and remote exploitability. Our exploit ships with network signatures, a PCAP, a version scanner, and ASM queries.
The team also added an exploit, PCAPs, network signatures, a YARA rule, and a GreyNoise query for CVE-2024-23108, a second-order command injection in FortiSIEM. This vulnerability is very similar to CVE-2025-25256, which we added an exploit for in August 2025. CVE-2024-23108 was mentioned in the BlackBasta chat leaks earlier this year, has reportedly been exploited in the wild by multiple threat actors, and was added to VulnCheck KEV on February 25, 2025. It has not yet been added to CISA KEV.
Finally, the team added an exploit and demo application for a Django FilteredRelation SQL injection. As with many flaws in library functions, the vulnerable function cannot be fingerprinted without source access, and because of the combination of exploit requirements we wouldn't expect to see this vulnerability exploited broadly against real-world environments. Second-order vulnerabilities in specific applications are likely, however. A demo exploit, a Dockerized application, and PCAPs are provided for this vulnerability.