Happy Friday! The following are the Initial Access Intelligence team's deliverables for the past week.
The team released signatures and a PCAP for CVE-2025-64155, an unauthenticated vulnerability in Fortinet FortiSIEM that was added to VulnCheck KEV on January 15, 2026. The flaw arises from incorrect sanitization of user input in a specific request to the FortiSIEM phMonitor service, allowing an attacker to overwrite existing files and then abuse existing cron jobs to escalate to root. The team will continue working on a complete exploit next week.
The team released an exploit this week for CVE-2025-8110, an authenticated vulnerability in the Gogs Git server that was exploited as a zero-day in December 2025, per Wiz. The exploit requires an account, but if account registration is enabled it will automatically register one and then exploit the target. Our exploit is entirely self-contained and does not shell out to external Git binaries, unlike all of the known public PoCs at the time of writing. The team's ASM queries show a solid number of internet-exposed Gogs servers, ranging from several thousand (Shodan, Censys) to 17K+ (FOFA). Any instance running an affected version should be considered vulnerable; those that also expose a registration link are exploitable without pre-existing credentials.
Coverage includes ASM queries, network signatures, YARA rules, PCAPs, and a target Docker container.
Hot on the heels of last week's release, which included coverage of an unauthenticated RCE chain in n8n (CVE-2026-21858 and CVE-2026-68613), this week brings an exploit for CVE-2026-21877, an authenticated RCE in the same workflow automation platform. There are no public reports of in-the-wild exploitation yet, though technical details are publicly available. VulnCheck was able to escalate the vulnerability's arbitrary file write into RCE. FOFA suggests an incredible 580K instances of the product are exposed to the internet.
The team added an exploit, version scanner, PCAP, network signatures, Docker target, and ASM queries for this CVE.
The team also added exploits for multiple authenticated SQL injection vulnerabilities in FreePBX's Endpoint Manager module, all of which were patched under CVE-2025-61675. These were among the FreePBX vulnerabilities recently discovered by Horizon3. Of note, CVE-2025-66039, an authentication bypass, can be chained with CVE-2025-61675 to achieve unauthenticated RCE on installations that use the webserver authorization type. FreePBX's online footprint is quite large, currently sitting at ~42K instances, per FOFA. Coverage also includes ASM queries, network signatures, and PCAPs.
Finally, the team added another authenticated RCE exploit for the ASUS RT-AX55 router, the last in a batch of exploits from 2023 that recently resurfaced in the "WrtHug" APT campaign that SecurityScorecard wrote about. This exploit is similar to others released recently, though it targets yet another code path in the firmware, this time in the code authentication module of the "AiProtection" portion of the router's web service. Our exploit comes with PCAPs, detection rules, and ASM queries. FOFA shows more than 260K internet-exposed devices.