Happy Halloween! The following are the Initial Access Intelligence team's deliverables for the past week.
The team added network signatures for CVE-2025-7083 (Belkin), CVE-2025-34132 (LILIN), CVE-2024-51228 (TOTOLINK), CVE-2024-3721 (TBK DVR), and CVE-2020-35714 (Ralink SDK). We've observed all four being exploited in the wild in our Canary Intelligence.
This week, the team added an exploit, PCAPs, a YARA rule, and ASM queries to accompany the network signatures delivered to customers last week for CVE-2025-59287. Over the past seven days, more threat intel teams have corroborated the initial reports of WSUS being exploited in the wild (Huntress, Unit42, Eye Security), underscoring attackers' continued interest in the vulnerability. We're also seeing a fair number of WSUS instances still available online, with Shodan suggesting ~2500 WSUS servers and FOFA numbers reaching upwards of 6,000 publicly available instances.
The team also added an exploit for an OS command injection vulnerability in the FOG Project's /fog/management/export.php endpoint. The internet-facing exposure for this product is on the lower side (ZoomEye shows around 250), but that's expected for an asset management and computer imaging system that is usually deployed internally. This exploit comes with PCAPs, network signatures, and queries.
The team added an exploit, YARA rule, and Docker target to existing content (network signatures and ASM queries) for this exploited-in-the-wild vulnerability, which has seen a regular stream of exploit attempts over the past several years, per Shadowserver. GreyNoise also shows attempts. Threat actor activity for this CVE is presently unattributed. Our exploit targets a vulnerable environment we've packaged in Docker (included). A Spring Expression Language (SpEL) expression is injected into the target to execute a command payload. Users have a choice between an SSL reverse shell, an unencrypted reverse shell, or an HTTP-based binary dropper.
The team added an exploit for a command injection vulnerability affecting PHP servers with Xdebug enabled. Remote debugging is a feature of Xdebug, which a developer might enable to test applications but an attacker can also leverage to run arbitrary system commands. Xdebug is fairly easy to identify via its custom cookie header, and the team's ASM queries found around 2,000 internet-facing instances. This exploit comes with ASM queries in addition to previously delivered signatures and PCAPs.
By request, the team added a version scanner for CVE-2025-9242, an unauthenticated remote code execution vulnerability in WatchGuard's Fireware OS that was analyzed by watchTowr. Our scanner parses the SA Init response of the Fireware iked service to determine the version of the target host. It comes with Censys queries (only) that cross-reference the Firebox web service with the IKE service to discover valid endpoints. Censys shows over 100,000 instances of Fireware devices running an IKE service.
Notably, our team assesses that this vulnerability is unlikely to be universally exploitable and would require per-target knowledge (i.e., hard-coded memory addresses for the necessary gadgets) in order to achieve successful remote code execution. We will continue to research exploitation strategies. To facilitate version scanning, we have also added an additional package, ikev2, to go-exploit. While not currently a full implementation of the IKEv2 protocol, it provides a foundation for future enhancements.
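To make concrete what "parsing the SA Init response" involves, here is an added example, written for this note and not code from go-exploit or the team's scanner, that walks an IKE_SA_INIT response per RFC 7296: it validates the 28-byte IKE header, follows the Next Payload chain with bounds checks, and collects any Vendor ID payloads (type 43), which is where implementations commonly leak product and version strings. The sample datagram, SPIs, and the vendor string `EXAMPLE-VENDOR v1.2.3` are constructed placeholders; nothing here reflects the real Fireware iked response format. The same walker is what an asset-inventory team would use to confirm an IKE responder before cross-referencing it with other services, and the strict length checks are the part that keeps a scanner from crashing on malformed replies.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Constants from RFC 7296 (IKEv2 header and generic payload header).
const (
	ikeHeaderLen      = 28
	payloadHeaderLen  = 4
	exchangeIKESAInit = 34   // Exchange Type for IKE_SA_INIT
	flagResponse      = 0x20 // R bit in the Flags octet
	payloadNone       = 0    // end of payload chain
	payloadNonce      = 40   // Ni/Nr
	payloadVendorID   = 43   // Vendor ID (V)
)

// SAInitInfo holds what a version scanner cares about from an IKE_SA_INIT
// response: protocol version, exchange type, response flag, the sequence of
// payload types seen, and the raw Vendor ID payload bodies.
type SAInitInfo struct {
	MajorVersion uint8
	MinorVersion uint8
	ExchangeType uint8
	IsResponse   bool
	PayloadTypes []uint8
	VendorIDs    []string
}

// ParseSAInit parses the IKEv2 header and walks the payload chain.
// Every length is checked against the buffer before it is used, so a
// truncated or lying responder yields an error rather than a panic.
func ParseSAInit(b []byte) (*SAInitInfo, error) {
	if len(b) < ikeHeaderLen {
		return nil, errors.New("datagram shorter than IKE header")
	}
	info := &SAInitInfo{
		MajorVersion: b[17] >> 4,   // MjVer is the high nibble
		MinorVersion: b[17] & 0x0f, // MnVer is the low nibble
		ExchangeType: b[18],
		IsResponse:   b[19]&flagResponse != 0,
	}
	if info.MajorVersion != 2 {
		return nil, fmt.Errorf("not IKEv2 (major version %d)", info.MajorVersion)
	}
	if total := binary.BigEndian.Uint32(b[24:28]); int(total) != len(b) {
		return nil, fmt.Errorf("header length %d does not match datagram length %d", total, len(b))
	}
	next := b[16] // Next Payload in the IKE header starts the chain
	off := ikeHeaderLen
	for next != payloadNone {
		if len(b)-off < payloadHeaderLen {
			return nil, errors.New("truncated payload header")
		}
		plen := int(binary.BigEndian.Uint16(b[off+2 : off+4])) // includes the 4-byte header
		if plen < payloadHeaderLen || off+plen > len(b) {
			return nil, fmt.Errorf("payload type %d has bad length %d", next, plen)
		}
		body := b[off+payloadHeaderLen : off+plen]
		info.PayloadTypes = append(info.PayloadTypes, next)
		if next == payloadVendorID {
			info.VendorIDs = append(info.VendorIDs, string(body))
		}
		next = b[off] // each payload names the type of the one that follows
		off += plen
	}
	if off != len(b) {
		return nil, errors.New("trailing bytes after last payload")
	}
	return info, nil
}

// payload encodes one generic payload header followed by its body.
func payload(next uint8, body []byte) []byte {
	p := make([]byte, payloadHeaderLen+len(body))
	p[0] = next
	binary.BigEndian.PutUint16(p[2:4], uint16(len(p)))
	copy(p[payloadHeaderLen:], body)
	return p
}

// SampleSAInitResponse builds a constructed IKE_SA_INIT response with a
// nonce payload followed by a Vendor ID payload. All values are made up.
func SampleSAInitResponse() []byte {
	hdr := make([]byte, ikeHeaderLen)
	copy(hdr[0:8], []byte{1, 2, 3, 4, 5, 6, 7, 8})  // initiator SPI (constructed)
	copy(hdr[8:16], []byte{9, 9, 9, 9, 9, 9, 9, 9}) // responder SPI (constructed)
	hdr[16] = payloadNonce                           // first payload in the chain
	hdr[17] = 0x20                                   // IKE version 2.0
	hdr[18] = exchangeIKESAInit
	hdr[19] = flagResponse
	// Message ID (bytes 20..23) is 0 for IKE_SA_INIT.
	chain := append(payload(payloadVendorID, []byte{0xaa, 0xbb, 0xcc, 0xdd}),
		payload(payloadNone, []byte("EXAMPLE-VENDOR v1.2.3"))...)
	msg := append(hdr, chain...)
	binary.BigEndian.PutUint32(msg[24:28], uint32(len(msg)))
	return msg
}

func main() {
	info, err := ParseSAInit(SampleSAInitResponse())
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Printf("IKEv%d.%d exchange=%d response=%v payloads=%v vendor=%q\n",
		info.MajorVersion, info.MinorVersion, info.ExchangeType, info.IsResponse,
		info.PayloadTypes, info.VendorIDs)
}
```

The parser deliberately rejects a datagram whose header Length field disagrees with the bytes actually received; a real scanner reading from a UDP socket should apply the same check to each datagram before trusting any offset inside it.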
Finally, the team corrected CVE attribution for the Oracle E-Business Suite (EBS) exploit VulnCheck delivered on October 9, 2025. The exploit, which was originally thought to map to CVE-2025-61882 as a result of incorrect vendor advisory information, is now correctly attributed to CVE-2025-61884, a separate remote code execution vulnerability in Oracle EBS.