Happy Friday! The following are the Initial Access Intelligence team's deliverables for the past week. If you missed the launch of VulnCheck Canary Intelligence, you can read about it here or watch the launch webcast on demand here.
The team developed an exploit for CVE-2025-12480, an authentication bypass vulnerability in Gladinet Triofox that was exploited as a zero-day by a threat actor Mandiant tracks as UNC6485. Our exploit follows the same attack path that UNC6485 did when initially exploiting the vulnerability, leveraging a complex set of steps that fully emulates the user interaction over more than 20 requests and makes use of an embedded PostgreSQL server for callbacks. A detailed analysis is provided to customers in the exploit documentation. Our exploit includes a scanner, version checker, PCAPs, ASM queries, and Snort, Suricata, and Sigma signatures.
This week, the team added more coverage for directory traversal and authentication bypass vulnerabilities in FortiWeb, both of which are encapsulated in CVE-2025-64446. Although Fortinet did not disclose the vulnerability until November 14, in-the-wild exploitation attempts were first noticed in early October 2025. No threat groups have been attributed as of yet; read our emerging threat blog for more information. There are currently just over 1,300 instances of FortiWeb publicly available on the internet, per FOFA. Our coverage includes an exploit, Suricata and Snort rules, a YARA rule, PCAPs, and ASM queries.
The team also added coverage for CVE-2021-22986, an older SSRF vulnerability in F5 BIG-IP's iControl REST API that's been targeted by ransomware and botnets, among other threat groups. Our FOFA and ZoomEye queries show anywhere from 48,000 to 161,000+ F5 BIG-IP devices exposed to the internet. The team's exploit and version scanner complement our existing network rules, PCAPs, and ASM queries.
Spotted in our canary data, CVE-2023-31059 is a simple path traversal in a monolithic web application for controlling 3D printers. The server runs as SYSTEM when deployed on Windows, so any file SYSTEM has access to can be disclosed. The default file to disclose is /ProgramData/Repetier-Server/database/user.sql, which may contain user credentials. According to FOFA, approximately 840 of these servers are online. We have added an exploit, version scanner, PCAP, network signatures, and ASM queries for this vulnerability.
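Because path traversal requests like the one above tend to survive in ordinary web-server access logs, a defender can look for them directly. The following is an added example (not VulnCheck's signatures and not code from the Repetier-Server project): it percent-decodes each request target, including double-encoded sequences, counts how many `..` components climb above the web root, and flags the offending log lines. The log lines and client addresses are constructed for illustration; the file path from the post is used as one of the sample targets.

```python
# Added example: flag directory-traversal attempts in web-server access logs.
# Log lines below are constructed for illustration, not real captures.
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format; line 2 requests the file named
# in the post, lines 3 and 4 use single and double percent-encoding, line 5 is
# a benign relative path that stays inside the web root.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Nov/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1234
203.0.113.7 - - [21/Nov/2025:10:01:05 +0000] "GET /static/../../ProgramData/Repetier-Server/database/user.sql HTTP/1.1" 200 4096
203.0.113.9 - - [21/Nov/2025:10:02:11 +0000] "GET /static/%2e%2e/%2e%2e/windows/win.ini HTTP/1.1" 404 0
198.51.100.4 - - [21/Nov/2025:10:03:00 +0000] "GET /static/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 812
203.0.113.7 - - [21/Nov/2025:10:04:30 +0000] "GET /static/css/../app.css HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (catches %252e -> %2e -> .)."""
    prev = target
    for _ in range(max_rounds):
        cur = unquote(prev)
        if cur == prev:
            break
        prev = cur
    return prev


def is_traversal(target: str) -> bool:
    """True when the decoded request path climbs above the web root.

    posixpath.normpath() silently drops '..' components that go above '/',
    so the depth is counted by hand instead.
    """
    path = decode_fully(target.split("?", 1)[0])
    path = path.replace("\\", "/")  # server runs on Windows; treat backslash as separator
    depth = 0
    for part in path.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def scan_log(log_text: str) -> list[dict]:
    """Return one record per log line whose request target is a traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        if is_traversal(m.group("target")):
            hits.append({
                "client": line.split(" ", 1)[0],
                "target": m.group("target"),
                # status code is the first token after the closing quote
                "status": int(line.rsplit('"', 1)[1].split()[0]),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        # a 200 on a traversal target is the case worth escalating: the file was served
        print(f"{hit['client']} -> {hit['target']} ({hit['status']})")
```

A 200 response paired with a flagged target is the line to escalate, since it indicates the server actually returned the requested file; 404s still show someone probing.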
Finally, the team released go-exploit 1.51.0, which adds new functions to generate random network MAC addresses, cleans up our .NET serialization functions, and adds a new set of payloads for simple NodeJS reverse shells; both clear-text and TLS communications are supported.