Happy Friday, and happy holidays! The Initial Access Intelligence team's last batch of exploits for 2025 is below, including artifacts for several recent emerging threats. The team will be back the week of January 5, 2026 (!) in full force. We wish everyone a very happy and healthy new year!
This week, the team added an exploit for CVE-2025-37164, a CVSS 10 vulnerability in HPE's OneView IT infrastructure management software that graced security news headlines this week. The vulnerability arises from an unauthenticated command injection issue that allows for remote code execution on vulnerable target systems. There was no known exploitation in the wild at the time of disclosure; Rapid7 published full details and a Metasploit module implementation on Friday, December 19. The Rapid7 team noted the following in their analysis: "we suspect that only ‘HPE OneView for VMs’ version 6.x is vulnerable to CVE-2025-37164, whereas all unpatched versions of ‘HPE OneView for HPE Synergy’ are vulnerable to CVE-2025-37164. More clarification is needed from the vendor to confirm or deny this hypothesis."
Our exploit comes with PCAPs, a version scanner, detection rules, and ASM queries.
Following reports of in-the-wild exploitation from Huntress and Arctic Wolf, the team added ASM queries for two critical vulnerabilities in a variety of Fortinet products that allow remote unauthenticated attackers to bypass FortiCloud SSO login authentication if the feature is enabled. The two vulnerabilities have identical descriptions and a single vendor advisory. Our targeted queries look for the FortiCloud SSO login button on the system's login page, which disappeared once the feature was disabled in our testing. Internet exposure results using this method appear to be extremely low, and in Shodan's case absent altogether. More detail and research observations are available in our emerging threat blog.
The team also developed an exploit for an authenticated command injection vulnerability in ASUS RT-AX55 routers that allows for remote code execution. CVE-2023-41345 was exploited in a suspected China-nexus campaign that SecurityScorecard's STRIKE team recently christened "Operation wrtHug." Our exploit comes with PCAPs, detection rules, and ASM queries, which find anywhere from tens of thousands to hundreds of thousands of devices on the public internet.
The team also added a second authenticated command injection RCE exploit for CVE-2023-39780, another flaw in ASUS RT-AX55 routers that GreyNoise wrote about earlier this year. The vulnerability is also referenced in SecurityScorecard's report on "Operation wrtHug", a widespread compromise of ASUS devices. The exploit comes with PCAPs, detection rules, and ASM queries.
Finally, the team added an exploit for an authenticated file upload vulnerability in the FreePBX Endpoint Manager module's custom firmware upload logic. This vulnerability was patched alongside two other vulnerabilities discovered following zero-day exploitation of CVE-2025-57819, which the team covered in September 2025. FreePBX still maintains a fairly large online footprint, nearing 43,000 instances according to FOFA. The exploit comes with network signatures, ASM queries, and PCAPs.