Happy Friday! The following are the Initial Access Intelligence team's deliverables for the past week.
The team added network signatures for five CVEs observed in the wild in our Canary Intelligence. These are particularly interesting to the team because the target software is predominantly East Asian. The five CVEs are: CVE-2021-4461 (Seeyon), CVE-2023-7325 (Anheng), CVE-2024-0778 (Uniview), CVE-2023-7305 (SmartBI), and CVE-2023-52163 (DIGIEVER).
In mid-October 2025, the team released signatures for multiple Redis vulnerabilities, including CVE-2025-49844. This week, we added a working use-after-free exploit for the vulnerability. Although the exploit is fully functional, the memory manipulation involved is volatile, so it should not be used against critical or production systems. As of November 7, 2025, this vulnerability is not known to be exploited in the wild.
The exploit includes a target Docker container for testing, PCAPs, and two new network rules to go with pre-existing rules and queries. ASM queries estimate that around 25,000 vulnerable Redis instances are currently exposed to the public internet.
Based on intelligence from VulnCheck Canaries, the team added coverage for an authenticated command injection vulnerability in the Linksys E1700 router. Per FOFA, there are just over 130 instances publicly exposed as of November 7, 2025. Coverage also includes PCAPs, network signatures, and ASM queries.
The team also added an exploit for CVE-2025-7083 in Belkin F9K1122 WiFi Repeaters this week after VulnCheck Canaries observed exploitation in the wild for the first time on October 28, 2025. The CVE is not on CISA KEV at time of writing. Our ASM queries for this vulnerability find over 1,000 of these devices exposed to the internet. This exploit comes with a version scanner to go with our previously delivered PCAP, signatures, and ASM queries.
Added to VulnCheck KEV in 2023 and spotted in our canary data on October 31, 2025, CVE-2021-21479 is a Java Expression Language (EL) injection in SAP's SCIMono, a reference implementation of the SCIM 2.0 standard. With a packet capture and network signatures already in the feed, this release adds an exploit, another PCAP, network signature improvements, a Docker target, and GreyNoise queries for this exploited-in-the-wild vulnerability. It is not on CISA KEV at time of writing.