Happy Friday, and happy new year! VulnCheck's Initial Access Intelligence team is back in full force this week with plenty of new exploits and associated artifacts. Below are the team's deliverables for the past week.
On December 31, 2025, the team added an exploit for MongoDB CVE-2025-14847, aka "MongoBleed", a high-severity vulnerability that has been likened to Heartbleed for its potential to disclose secrets held in memory. The vulnerability was added to VulnCheck KEV on December 28 and to CISA KEV on December 29. Our Shodan query shows just under 100K potentially vulnerable instances online. Our coverage also includes ASM queries, PCAPs, a Docker target, and network signatures.
By customer request, the team developed an exploit this week for a recent arbitrary file read (CVE-2026-21858) in the AI workflow automation platform n8n, which allows extraction of arbitrary system and configuration files through the n8n form functionality. Our exploit also downloads the n8n database and encryption keys in order to forge administrative credentials. The vulnerability isn't yet known to be exploited in the wild, but public exploit code is available, including this exploit from researcher Chocapikk that chains in a sandbox escape using CVE-2025-68613, which we also covered this week. The n8n platform has a large internet-exposed target population, with our queries showing 200K - 300K+ instances online. Our coverage includes PCAPs, ASM queries, and network signatures.
The team also added an exploit for n8n CVE-2025-68613, a sandbox escape that achieves full RCE when chained with CVE-2026-21858 on vulnerable target systems. The exploit combines the arbitrary file read, token forgery, workflow creation, and the sandbox escape to turn a vulnerability that on its own requires authentication into RCE without prior credentials. The team provided ASM queries, PCAPs, network signatures, and an exploit.
The team released two more exploits for ASUS RT-AX55 router vulnerabilities used in the "WrtHug" suspected Chinese APT campaign detailed by SecurityScorecard. Both new additions exploit the RT-AX55 web interface's /start_apply.htm endpoint. The payloads differ only slightly, changing the action_script and token_status parameters to trigger different code paths within the same "AIProtection" functionality of the vulnerable service. Notably, CVE attribution for these vulnerabilities is murky, but the team did its best to map deliverables to the CVEs we believe are correct.
These exploits come with PCAPs, detection rules, and ASM queries (FOFA shows more than 260K internet-exposed devices).
The team also added an exploit for CVE-2025-54322, an unauthenticated Python eval() injection vulnerability found in the XSpeeder SXZOS routing software. While the software has a fairly large online footprint (17K instances according to FOFA), there's not yet any known exploitation in the wild. Included with the exploit are a Suricata network rule, ASM queries, and PCAPs.
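The following is an added illustration of the vulnerability class named above, not XSpeeder/SXZOS code, and it makes no claim about how that product's sink is reached. It shows why an eval() sink is code execution, why the common "strip `__builtins__`" mitigation does not close it, and what the hardened replacement looks like. Function names and payloads are assumptions for the demo.

```python
"""Python eval() injection: vulnerable sink, a weak mitigation, and the fix.

Added illustration only; nothing here is XSpeeder/SXZOS code.
"""
import ast


def eval_sink(expr: str):
    """Vulnerable pattern: attacker-controlled text reaches eval()."""
    return eval(expr)


def restricted_eval(expr: str):
    """Common but ineffective mitigation: eval() with builtins removed."""
    return eval(expr, {"__builtins__": {}}, {})


def safe_literal(expr: str):
    """Hardened replacement: only Python literals (numbers, strings, lists,
    dicts, ...) are accepted; calls, attribute access and names are rejected."""
    return ast.literal_eval(expr)


# Constructed payloads. The first imports os and runs a function, i.e. arbitrary
# code in the server process. The second needs no builtins at all: attribute
# access alone walks from an empty tuple to every class loaded in the process,
# which is the usual starting point for re-acquiring os/subprocess.
IMPORT_PAYLOAD = "__import__('os').getpid()"
NO_BUILTINS_PAYLOAD = "().__class__.__base__.__subclasses__()"
BENIGN_DATA = "{'route': '10.0.0.0/8', 'metric': 10}"


def demo() -> dict:
    """Run each payload through each sink and report what happened."""
    results = {}
    # Plain eval executes the import payload (returns the process id).
    results["eval_executes"] = isinstance(eval_sink(IMPORT_PAYLOAD), int)
    # Removing builtins stops __import__ by name ...
    try:
        restricted_eval(IMPORT_PAYLOAD)
        results["restricted_blocks_import"] = False
    except NameError:
        results["restricted_blocks_import"] = True
    # ... but not introspection, so it is not a fix.
    results["restricted_leaks_classes"] = len(restricted_eval(NO_BUILTINS_PAYLOAD)) > 0
    # literal_eval refuses anything that is not a literal ...
    try:
        safe_literal(IMPORT_PAYLOAD)
        results["literal_rejects_code"] = False
    except ValueError:
        results["literal_rejects_code"] = True
    # ... while still parsing the data the application actually needs.
    results["literal_parses_data"] = safe_literal(BENIGN_DATA)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The takeaway for triage is that a product which accepts expressions via eval() is not made safe by sandboxing the namespace; the sink has to be replaced with a parser for the data format actually expected.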
The team also added an exploit for CVE-2025-68926, a hardcoded gRPC authentication token vulnerability in RustFS versions prior to 1.0.0-alpha.77. Our exploit leverages this to leak all of the files on the filesystem, but the vulnerability could also be leveraged for data destruction and cluster manipulation. A target Docker container is provided to assist in testing. Between 1K and 3K RustFS instances appear to be exposed online. Our exploit comes with network signatures, a PCAP, and ASM queries.
The King Addons for Elementor is a WordPress plugin susceptible to privilege escalation in versions 24.12.92 through 51.1.14. An unauthenticated attacker can register a new user with administrator privileges by specifying user_role=administrator as a POST parameter in the request. FOFA shows approximately 11,000 results for the software. Wordfence reports thousands of exploit attempts since the vulnerability's disclosure on October 31, 2025, which is also when it was added to VulnCheck KEV. The team delivered an exploit, version scanner, PCAP, network signatures, and ASM queries for this CVE.
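As an added illustration of the detection side of the user_role=administrator pattern above (this is not VulnCheck's network signature or the plugin's code), the block below parses raw HTTP requests and flags POSTs in which the client picks a privileged role for itself. The /wp-admin/admin-ajax.php path, the action parameter values and the sample requests are constructed assumptions; only the user_role parameter name and the administrator value come from the description above.

```python
"""Flag registration-style POSTs that try to self-assign a privileged WordPress role.

Added illustration of the detection logic, not VulnCheck's or the plugin's code.
The endpoint path, action names and sample requests are constructed.
"""
import json
from urllib.parse import parse_qs

# Roles a client must never be allowed to pick for itself.
PRIVILEGED_ROLES = {"administrator", "editor"}
# Parameter names to watch: user_role is the one described above, role is a common sibling.
ROLE_PARAMS = {"user_role", "role"}


def parse_http_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def extract_params(headers, body):
    """Decode a form- or JSON-encoded body into {lowercased name: [values]}."""
    if "application/json" in headers.get("content-type", ""):
        try:
            data = json.loads(body)
        except ValueError:
            return {}
        if not isinstance(data, dict):
            return {}
        return {str(k).lower(): [str(v)] for k, v in data.items()}
    # parse_qs percent-decodes, so admin%69strator comes back as administrator.
    return {k.lower(): v for k, v in parse_qs(body, keep_blank_values=True).items()}


def flag_request(raw: str):
    """Return (param, role, authenticated) for a suspicious request, else None.

    A server should never honour a client-chosen privileged role, so the alert
    fires regardless of session state; the authenticated flag (presence of a
    wordpress_logged_in_* cookie) is only there to help triage.
    """
    method, _path, headers, body = parse_http_request(raw)
    if method != "POST":
        return None
    authenticated = "wordpress_logged_in_" in headers.get("cookie", "")
    for name, values in extract_params(headers, body).items():
        if name not in ROLE_PARAMS:
            continue
        for value in values:
            role = value.strip().lower()
            if role in PRIVILEGED_ROLES:
                return (name, role, authenticated)
    return None


def _request(body: str, content_type: str = "application/x-www-form-urlencoded", cookie: str = "") -> str:
    """Build a constructed sample request (not a capture) for the demo below."""
    headers = [
        "POST /wp-admin/admin-ajax.php HTTP/1.1",  # assumed endpoint, not from the advisory
        "Host: victim.example",
        f"Content-Type: {content_type}",
        f"Content-Length: {len(body)}",
    ]
    if cookie:
        headers.append(f"Cookie: {cookie}")
    return "\r\n".join(headers) + "\r\n\r\n" + body


# Constructed samples: plain, percent-encoded with odd casing, JSON, and a benign signup.
EXPLOIT = _request("action=register&user_email=a%40b.test&user_role=administrator")
ENCODED = _request("action=register&user_email=a%40b.test&USER_ROLE=admin%69strator")
JSON_BODY = _request('{"action": "register", "user_email": "a@b.test", "user_role": "Administrator"}',
                     "application/json")
BENIGN = _request("action=register&user_email=a%40b.test&user_role=subscriber")

if __name__ == "__main__":
    for label, req in [("plain", EXPLOIT), ("encoded", ENCODED), ("json", JSON_BODY), ("benign", BENIGN)]:
        print(label, flag_request(req))
```

Decoding the body before matching is the point: a signature that looks for the literal string user_role=administrator misses the percent-encoded, mixed-case and JSON variants, all of which the application decodes to the same value.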
Finally, by customer request, the team added ASM queries for an authenticated information disclosure vulnerability in Cisco ISE. The vulnerability requires administrative privileges to exploit and isn't known to be exploited in the wild at time of writing. News headlines suggest that a public PoC exists, but the team is not aware of any public exploit code. The Cisco advisory notes that proof-of-concept code exists for the vulnerability, which likely refers to a private PoC shared during vulnerability disclosure, and the headlines may be misreading that note. Shodan shows roughly 100 instances on the internet, and FOFA finds just under 800.