Happy Wednesday, folks. It's a short week here in the U.S. because of the Thanksgiving holiday, but that doesn't mean we're short on exploits! The following are the Initial Access Intelligence team's deliverables for this week.
The team added ASM queries, a PCAP, and network signatures for CVE-2025-61757, an auth bypass and RCE vulnerability in Oracle Fusion Middleware's Identity Manager. This vulnerability has multiple public PoCs and is being exploited in the wild. Despite the widespread news coverage, not too many of these targets are online, with FOFA reporting the highest count at around 100 results across 14 unique IPs. We suspect many OIM customers have moved to Oracle Cloud, where the product's footprint is less discernible.
The team added coverage this week for a set of authenticated command injection vulnerabilities impacting Fortinet's FortiWeb CLI. Despite the need for authentication, CVE-2025-58034 was added to both the VulnCheck KEV and CISA KEV on November 18, 2025 amid zero-day exploitation. Given that CVE-2025-58034 and CVE-2025-64446 share identical vulnerable versions of FortiWeb, it's likely that attackers are pairing the two to establish a foothold on vulnerable instances. Publicly available FortiWeb instances still sit at just over 1,300, per FOFA. Our coverage includes an exploit, PCAPs, and ASM queries.
The team added a post-authentication exploit for a critical remote code execution vulnerability in Taiga, an open-source agile project management tool. Versions before 6.9.0 are susceptible to a Python deserialization attack via the now-deprecated tribe_gig parameter when making a POST request to /api/v1/userstories. Shodan returns over 900 instances of the target on the internet at the time of this writing. The provided exploit also comes with PCAPs and ASM queries. Due to the very generic nature of this exploit, however, no network rules could be included.
The team developed an exploit for RaspberryMatic and OpenCCU that takes advantage of an unauthenticated file upload and archive file extraction path traversal to achieve remote code execution. Deployments of these systems are popular in European markets for self-managing IoT/smart devices, making them particularly interesting to attackers looking to build out botnet capabilities. Our exploit comes with PCAPs and ASM queries.
CVE-2020-5902 is a critical vulnerability in F5 BIG-IP's Traffic Management User Interface (TMUI) REST API that has been exploited by at least a dozen different threat groups since its disclosure in 2020. Known adversaries include several ransomware groups, multiple botnets, and threat actors linked to Russia, China, and Iran. Successful exploitation allows attackers to bypass authentication and inject commands, resulting in remote code execution. Our ZoomEye query still returns 161,000+ F5 BIG-IP devices exposed to the internet. The team's exploit and version scanner join our pre-existing network rules, PCAPs, and ASM queries.
IP Intelligence Update
IPIntel was updated to track the ASUS WrtHug campaign described by SecurityScorecard. We are currently tracking 100+ compromised ASUS routers, a number we expect to increase.