Offline scanning support for Censys Platform data. GoAnywhere MFT signatures and queries. New exploits (and more) for Cisco ASDM, Kerio Control, FortiSIEM, and GL.iNet routers.

Happy Friday! Below are this week's Initial Access Intelligence deliverables, plus additional support for offline scanning with go-exploit.

go-exploit-cache Adds Censys Platform Support

VulnCheck's go-exploit-cache has been updated to support the Censys Platform. Users can now feed Censys Platform data into our go-exploit scanners for offline scanning. See USAGE.md for details.

CVE-2025-10035: Fortra GoAnywhere MFT License Servlet Deserialization (Signatures / Queries)

The team added queries, network signatures, a packet capture of a simulated attack, and a Docker target for this issue. It is similar to CVE-2023-0669, another deserialization flaw in the same component that was widely exploited by multiple threat actors in 2023, including ransomware groups. Successful exploitation of this newer issue, however, relies on knowing a specific private key that is not generally available (though threat actors notably may have obtained it). VulnCheck analyzed the patch and arrived at the same conclusions as other research groups: while we did notice private keys in the product's keystore, none of them matched the required key.

CVE-2021-1585: Cisco ASDM Launcher RCE via Malicious Software Package Download

This week the team added an exploit for an older but still unpatched vulnerability in Cisco Adaptive Security Device Manager (ASDM), a locally installed GUI tool for managing Cisco firewall appliances (including ASA) and service modules. All tested versions of the ASDM Launcher are vulnerable to arbitrary code execution because the pdm.sgz packages that ASDM downloads are not signature-verified before use. VulnCheck tested asdm-openjre-7231.bin (the latest release), asdm-openjre-7201.bin, and asdm-761.bin. CVE-2021-1585 was originally discovered by Malcolm Lashley and was included in broader 2022 research from VulnCheck CTO Jacob Baines on Cisco ASA and ASDM vulnerabilities. PCAPs are also available with this exploit.
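The root cause above is a client that installs whatever package the download host hands it. The Go program below is an added illustration, not VulnCheck's exploit and not Cisco's code, and it does not model the real pdm.sgz format. It places a hypothetical launcher's unverified load path beside a hardened one that checks an Ed25519 signature against a vendor public key pinned in the client before the package body is ever used, so that unsigned, tampered and wrongly-keyed packages all fail closed. The Package type, the pinned-key scheme and the signPackage helper are assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Package is a hypothetical downloaded launcher package: an opaque body plus a
// detached signature. It is an assumption for this demo, not the pdm.sgz layout.
type Package struct {
	Body []byte
	Sig  []byte // empty when the server sent no signature at all
}

var ErrBadSignature = errors.New("package rejected: signature missing or invalid")

// loadUnverified models the flaw: the body goes straight to the installer, so
// whoever can answer the download request controls the code the launcher runs.
func loadUnverified(p Package) ([]byte, error) {
	return p.Body, nil
}

// loadVerified models the fix: the body is returned only after its Ed25519
// signature verifies against a public key pinned inside the client. A missing,
// truncated, forged or wrongly-keyed signature is rejected before use.
func loadVerified(pinned ed25519.PublicKey, p Package) ([]byte, error) {
	if len(pinned) != ed25519.PublicKeySize {
		return nil, errors.New("pinned key has wrong size")
	}
	if len(p.Sig) != ed25519.SignatureSize || !ed25519.Verify(pinned, p.Body, p.Sig) {
		return nil, ErrBadSignature
	}
	return p.Body, nil
}

// signPackage is the vendor side of the scheme: sign the body with the private
// key whose public half is pinned in the launcher.
func signPackage(priv ed25519.PrivateKey, body []byte) Package {
	return Package{Body: body, Sig: ed25519.Sign(priv, body)}
}

func main() {
	// Constructed demo keypair; a real launcher would ship only the public key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	genuine := signPackage(priv, []byte("vendor-built package"))
	// A hostile or spoofed download host returns its own body with no signature...
	hostile := Package{Body: []byte("attacker-supplied package")}
	// ...or reuses a genuine signature over a modified body.
	tampered := Package{Body: []byte("attacker-supplied package"), Sig: genuine.Sig}

	for _, tc := range []struct {
		name string
		pkg  Package
	}{{"genuine", genuine}, {"hostile", hostile}, {"tampered", tampered}} {
		body, _ := loadUnverified(tc.pkg)
		fmt.Printf("unverified path accepts %-8s -> %q\n", tc.name, body)
		if body, err := loadVerified(pub, tc.pkg); err != nil {
			fmt.Printf("verified path rejects %-8s -> %v\n", tc.name, err)
		} else {
			fmt.Printf("verified path accepts %-8s -> %q\n", tc.name, body)
		}
	}
}
```

The verified path compares the signature over the exact bytes that will be installed, so there is no window between the check and the use; a design that verifies a digest fetched from the same untrusted host, or that pins nothing in the client, would not close the hole the paragraph describes.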

CVE-2025-34070 and CVE-2025-34071: GFI Kerio Control Authentication Bypass and RCE

The Kerio Control applications are vulnerable to an authentication bypass caused by improper proxy handling. The first of the two exploits (CVE-2025-34070) bypasses authentication, which lets an attacker download backup files and extract password hashes for offline cracking. The second exploit (CVE-2025-34071) chains the authentication bypass with the creation of a malicious upgrade image to achieve remote code execution.

The team took the opportunity to further investigate Kerio's image upgrade system and developed an upgrade technique in which the image deletes the actor's payload after use and wipes the specific debug log entry that would otherwise indicate a malicious upgrade. We also crafted the image so that the large file size normally required is unnecessary and the reboot that follows a successful upgrade is skipped. Exploitation requires access to the proxy server, which greatly limits internet exposure. The team developed an exploit and verification checks, along with PCAPs, network signatures, and ASM search queries.

CVE-2023-50919 and CVE-2023-50445: GL.iNet Router Authentication Bypass to RCE

This week, the team added coverage for two 2023 vulnerabilities that affect a multitude of GL.iNet router models and versions. The first, CVE-2023-50919, exploits both a regex injection and a SQL injection in the authentication logic to obtain an admin panel token with the privileges of the root user. That token can then be used to authenticate to the panel and exploit CVE-2023-50445, a shell injection vulnerability. Notably, FOFA shows roughly 11k instances of the admin panel exposed to the internet, and we have recently seen exploitation attempts for these vulnerabilities, both of which were added to the VulnCheck KEV on September 3, 2025.

This exploit also comes with PCAPs, network signatures, a version scanner, and search engine queries.

CVE-2024-23109: Fortinet FortiSIEM Command Injection

In the last of this series, VulnCheck analyzed the patch for one of several patch bypasses associated with a command injection in Fortinet FortiSIEM. This patch bypass is similar in exploitation to its counterpart, CVE-2024-23108, for which technical details are public. Both CVE-2024-23108 and CVE-2024-23109 have seen exploitation in the wild.

This exploit also includes PCAPs, network signatures, and a YARA rule. See our related coverage for CVE-2023-34992, CVE-2024-23108, CVE-2024-23109, and CVE-2025-25256, a recent command injection through the same phMonitor process.