Happy Friday! Below are the Initial Access Intelligence team's deliverables for the past week, including signature and query coverage for several emerging threats.
Earlier this week, F5 disclosed a major security incident that prompted an emergency directive from CISA. In response to customer requests for assistance in identifying potential risk, the team developed a scanner for BIG-IP management interfaces. This will allow teams to quickly identify versions based on known version mappings and vulnerability timeline ranges. ASM queries are also available.
This week the team added an exploit for a VulnCheck-discovered authenticated RCE vulnerability in Flowise that can be chained with CVE-2025-26319 for fully unauthenticated code execution. While the post-auth vulnerability isn't yet exploited in the wild, CVE-2025-26319 has seen consistent attempted exploitation. Flowise has a notable internet footprint; multiple ASM queries are available for each ASM platform to account for title changes across major versions of Flowise.
Our exploit comes with PCAPs, network rules, a YARA rule, a version scanner, and a target Docker container.
The team also added an exploit for Tenda routers vulnerable to unauthenticated OS command injection. This vulnerability is known to have been exploited in the wild since 2020, and it has been leveraged by at least six different botnets, including RondoDox and MooBot. FOFA shows more than 12,000 of these devices on the public internet. The exploit comes with PCAPs, network rules, and ASM queries.
This vulnerability in LG Simple Editor allows an unauthenticated user to craft a malicious request and inject arbitrary commands that run as NT AUTHORITY\SYSTEM. This vulnerability allows for direct code execution, which we leverage to download and run the .exe of your choice through our go-exploit HTTPServeShell feature. As with our prior LG Simple Editor coverage, FOFA queries show around 100 instances exposed to the internet, with a majority geolocated in Korea. This exploit includes a version scanner, ASM queries, a PCAP, and signatures.
Finally, three high-profile vulnerabilities in Redis were recently disclosed and have prompted a wave of low-quality PoCs. By customer request, the team has added signatures and queries for the two CVEs with the highest likelihood of becoming adversary targets: CVE-2025-46818, a privilege escalation vulnerability, and CVE-2025-49844, a use-after-free issue that, if fully developed, would allow for arbitrary code execution in the context of the affected service. PCAPs are also provided for the privilege escalation flaw. We have yet to see a PoC that actually triggers the UAF.