Signatures for Cisco ASA and FTD. New exploits and detections for Oracle E-Business Suite, Dell UnityVSA, and LG Simple Editor.

Happy Friday! It was a packed week in threat-land. Here are the VulnCheck Initial Access Intelligence team's deliverables for the past week.

CVE-2025-61882: Oracle E-Business Suite Remote Code Execution

A new zero-day vulnerability in Oracle EBS fueled a recent wave of extortion emails attributed to financially motivated threat group Cl0p. Initial intrusions have been discovered as far back as August 2025, though it's likely adversary activity started even earlier. The VulnCheck team moved fast to address this threat — publishing ASM queries, a PCAP, and signatures early in the week, followed by the exploit itself. The exploit, which was posted online by a rival threat group after Cl0p claimed credit for the initial attack, is now driving mass exploitation. Slightly under 5K instances of Oracle EBS remain exposed to the internet.

Get the full story in VulnCheck's emerging threat blog.

CVE-2025-20362 and CVE-2025-20333: Signatures for Cisco ASA/FTD Authentication Bypass and Buffer Overflow

Earlier this week, Rapid7 published technical details on an authentication bypass (CVE-2025-20362) and a buffer overflow (CVE-2025-20333) in Cisco's ASA and FTD firewalls. These vulnerabilities had been exploited in the wild as zero-days by the threat actor UAT4356 and were linked to the ArcaneDoor campaign. Successfully chaining these vulnerabilities in an attack requires deep knowledge of ASA/FTD internals.

The team added packet captures and network signatures for both vulnerabilities. Search engine queries were added in the 2025-09-26 release.

CVE-2025-36604: Dell UnityVSA Pre-Auth Command Injection

Late last week, watchTowr published a write-up on Dell UnityVSA, a virtual storage appliance. Vulnerable versions are susceptible to pre-auth RCE, allowing attackers to make a simple GET request in order to execute an arbitrary command as the web service user. While these appliances have virtually no internet-facing footprint, "storage" and "appliance" are both terms that make adversary ears perk up. Our exploit comes with queries, network signatures, and PCAPs.

CVE-2023-40498: LG Simple Editor Webshell Upload

LG Simple Editor is a Windows-based software tool built for creating digital content for LG TVs. The vulnerability is in the makeDetailContent endpoint, where an unauthenticated user can copy files and change their file extensions. Public exploit code has been available since 2023.

Our search queries find only around 100 of these exposed to the internet. This exploit uploads a webshell, enabling persistent access, and runs commands as NT AUTHORITY\SYSTEM. At time of release, it is not being flagged by Windows Defender. The team also delivered PCAPs, network rules, queries, and a version check.