Queries for new Cisco ASA and Cisco IOS / IOS XE vulnerabilities. New exploits for Cisco Smart Licensing Utility, Flowise AI, and FortiSIEM.

Search engine queries for new Cisco ASA and Cisco IOS / IOS XE CVEs

Following the disclosure of three new Cisco ASA vulnerabilities this week (CVE-2025-20333, CVE-2025-20362, and CVE-2025-20363), the team developed search engine queries that detect the WebVPN interface on Cisco ASA and Cisco ASA-X systems. Each search identifies between 80,000 and 150,000 internet-facing hosts. Additionally, Baidu provides interesting insight into deployment in CN space. Two of the vulnerabilities were exploited as zero-days and linked to the ArcaneDoor espionage campaign. The team will continue working on these vulnerabilities throughout the next week.

The team also added queries for CVE-2025-20352, another zero-day disclosed this week in Cisco IOS and IOS XE's SNMP subsystem.

CVE-2024-20439: Cisco Smart Licensing Utility Information Disclosure via Hardcoded Credential

Vulnerable versions of CSLU (2.0.0-2.0.2) are configured with a hard-coded credential that an attacker can leverage to communicate with the service's REST API. The vulnerability has been on VulnCheck's KEV list since February 27, 2025 and was added to CISA KEV a little more than a month later. This exploit comes with PCAPs, rules, and a GreyNoise query (only) due to the ambiguity of the API output.

CVE-2025-58434: FlowiseAI Flowise Password Reset Token Account Takeover

The team also added coverage for an unauthenticated account takeover vulnerability in Flowise, an open-source generative AI development platform. No exploitation of this vulnerability has been reported so far, but this application has a fairly notable online footprint. For instance, FOFA currently shows close to 22k instances on the public internet. Coverage also includes a version scanner, search engine queries, PCAPs, and a Docker target.

CVE-2023-34992: Fortinet FortiSIEM Command Injection

The team continued their quest to cover command injection vulnerabilities in FortiSIEM with an exploit for CVE-2023-34992, the original FortiSIEM vulnerability that spawned two later variants that VulnCheck has covered recently (CVE-2025-25256, CVE-2024-23108). While the original issue isn't known to be exploited in the wild, both of the later variants were added to VulnCheck KEV in 2025, and CVE-2024-23108 was mentioned in the BlackBasta chat leaks earlier this year. The exploit comes with PCAPs, network rules, and a YARA rule.

go-exploit 1.48.0 Release

Finally, the team also released go-exploit 1.48.0, and the initial-access feed was updated to use this version. The release contains a new C3P0 Java deserialization payload, 3DES encryption logic, a user-agent update, and updated dependencies.