New exploits for Adobe Commerce and Magento, Monsta FTP, React Metro Dev Server, and D-Link devices. Signatures and updated queries for Fortinet FortiWeb.

Happy Friday! This morning, our research team kicked off an emerging threat response to CVE-2025-64446 in Fortinet FortiWeb. See our blog for details. The team is working on further coverage of this vulnerability beyond what has already been delivered (see notes below). We are also excited to host an upcoming webinar on Tuesday, November 18, on the launch of VulnCheck Canary Intelligence. You can sign up for the webinar here and read about recent XWiki exploitation observed by VulnCheck canaries here.

CVE-2025-64446: Fortinet FortiWeb (Signatures and Queries)

This week, news broke about widespread exploitation of a silently patched Fortinet FortiWeb vulnerability that has been under attack since early October. The vulnerability, which was belatedly assigned CVE-2025-64446, is a relative path traversal issue that allows unauthenticated adversaries to add administrative users on target devices. As part of our emerging threat response for this vulnerability, the team created a PCAP and wrote Snort and Suricata rules to detect exploitation on the wire. The team also reviewed and revised our ASM queries; the results confirm that internet exposure for this vulnerability is relatively low, with approximately 300 servers exposed online per Shodan. The team is continuing to develop a custom exploit implementation.

CVE-2025-34299: Monsta FTP Unauthenticated File Upload RCE

Following the previously delivered Suricata and Snort rules for this vulnerability, the team added an exploit for CVE-2025-34299, an unauthenticated file upload flaw in Monsta FTP versions 2.11 and below. FOFA currently shows nearly 3,000 publicly available instances of Monsta FTP. Searches based on the application's default /mftp/ URI, together with watchTowr's analysis, suggest that actual exposure may be higher. This vulnerability is not yet known to be exploited in the wild. Coverage includes an exploit, network signatures, ASM queries, PCAPs, and a Docker target.

CVE-2025-54236: Adobe Commerce and Magento Unsafe Deserialization ("SessionReaper")

The team added an exploit this week for "SessionReaper," or CVE-2025-54236, affecting Adobe Commerce and Magento. The vulnerability is an unsafe deserialization issue that yields remote code execution when exploited successfully. Several security firms have reported exploitation in the wild; the activity has not yet been attributed to a specific threat actor. FOFA identifies around 180,000 targets on the public internet. The team delivered an exploit, network signatures, ASM queries, PCAPs, and a Docker target.

CVE-2025-11953: React Metro Dev Server Command Injection RCE

The team developed an exploit for CVE-2025-11953 in the React Native Metro development server. The exploit chains an unexpected network interface exposure (the dev server is reachable beyond the loopback interface) with a command injection bug to achieve remote code execution. The vulnerable behavior is operating system-dependent, with Windows being exploitable by default. The team developed an in-memory Node.js payload to support exploitation.

Interestingly, the widely circulated public proof-of-concepts appear to be largely incorrect or untested; none of them offer generalized Linux or macOS variants, where exploitation depends on host configuration settings. The team has provided an exploit, PCAPs, network signatures, and broad queries.

CVE-2018-25120: D-Link DNS-343 ShareCenter Command Injection

CVE-2018-25120 is a trivial command injection in D-Link's "ShareCenter" NAS model DNS-343. The vendor has already designated this model as end-of-life (EOL) and has stated that it will not patch the issue. According to FOFA, approximately 450 of these devices are exposed online. VulnCheck spotted in-the-wild exploitation of this vulnerability in our canary data and published an advisory for it. In this release, we've included an exploit, PCAP, and Docker target; we've also improved upon the existing network signatures and ASM queries.