Happy Friday! The following are the Initial Access Intelligence team's deliverables for the past week.
The team published an exploit for CVE-2026-24423, a VulnCheck-discovered vulnerability in SmarterMail (fixed in build 9511) that allowed unauthenticated attackers to achieve remote code execution via the ConnectToHub API mounting logic. This vulnerability was discovered independently by researchers at VulnCheck, watchTowr, and CODE WHITE GmbH. The team's full technical analysis is available on our blog.
VulnCheck canaries have detected in-the-wild exploitation of this vulnerability, which was immediately added to VulnCheck KEV. SmarterMail systems are widely deployed, with our queries showing upwards of 13,000 online. The team delivered PCAPs, signatures, queries, and an exploit that works on Windows, Linux, Docker, and macOS platforms.
Continuing our bug roundup for SmarterMail, the team added an exploit for versions prior to build 9511 that allowed for arbitrary account password resets via a single parameter. This exploit first resets the password and then uses the mounting API to pass arbitrary code, achieving remote code execution. Note: This exploit will reset the administrator account, which increases the likelihood of discovery. The team also developed network signatures, a PCAP, and a target Docker container; our exploit accommodates all platforms supported by SmarterMail.
This week, the team added another exploit for Gladinet CentreStack, this time taking advantage of a static encryption key to create access tickets for the /storage/filesvr.dn endpoint, which ultimately allows for local file inclusion. The vulnerability has been exploited in the wild and has tentatively been floated as a possible initial access vector for Cl0p extortion attacks. Due to the generic and encrypted nature of the LFI request, no network rules are provided for this exploit. Our exploit includes PCAPs and ASM queries, which suggest that around 500 CentreStack targets are currently exposed on the internet.
By customer request, the team developed an exploit for an RCE flaw in Livewire, a Laravel full-stack framework. This exploit requires a web application created with Livewire to have components mounted and configured, which Synacktiv indicated is fairly common. While exploitation in the wild has yet to be observed, our ZoomEye and FOFA queries find between 49K and 131K exposed targets. Our exploit comes with network rules, a version check, a PCAP, and a target Docker image.
The team added an exploit for Fortinet FortiOS CVE-2024-55591, a WebSocket-based authentication bypass that allows an unauthenticated attacker to execute CLI (management shell) commands as the targeted user. This CVE has been exploited in the wild by threat actors and a variety of ransomware groups. FOFA reports over 300k results. Our exploit comes with an unencrypted PCAP that joins previously delivered rules and queries.
telnetd Authentication Bypass

The team also added an exploit for a fun old-school vulnerability in the GNU Inetutils Telnet daemon (telnetd). Versions through 2.7 are vulnerable to an authentication bypass via a -f root value for the USER environment variable. Successful exploitation allows remote attackers to bypass authentication and log in to the target system as root or any other user they specify. GreyNoise observes 100+ IPs attempting exploitation — their blog on the vulnerability is also worth reading. Our exploit comes with network rules, a PCAP, and a target Docker image.
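Because the USER variable reaches telnetd through the telnet NEW-ENVIRON option (RFC 1572), a defender can spot the bypass attempt on the wire by decoding that subnegotiation and flagging any USER value that begins with "-", which login would interpret as an option rather than a username. The following parser is an added illustration of that detection idea; it is not VulnCheck's exploit or its network rules. It assumes the client sends USER via NEW-ENVIRON (option 39) only, ignores the older ENVIRON option (36) and any username typed at the login prompt, and runs over a constructed byte string rather than a real capture.

```python
# Decode telnet NEW-ENVIRON subnegotiations and flag USER values that would be
# passed to login(1) as an option (for example "-froot"). Added example; the
# sample streams below are constructed, not captured traffic.

IAC, SB, SE = 255, 250, 240          # telnet protocol bytes (RFC 854)
NEW_ENVIRON = 39                     # NEW-ENVIRON option code (RFC 1572)
IS, SEND, INFO = 0, 1, 2             # subnegotiation commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3  # NEW-ENVIRON type codes


def _parse_env_body(body: bytes) -> list[tuple[str, str]]:
    """Turn the VAR/VALUE byte sequence after IS or INFO into (name, value) pairs."""
    pairs = []
    name, value = bytearray(), bytearray()
    mode = None  # None before the first VAR, then "name" or "value"

    def flush():
        if mode is not None:
            pairs.append((name.decode(errors="replace"), value.decode(errors="replace")))

    j = 0
    while j < len(body):
        b = body[j]
        if b == ESC and j + 1 < len(body):
            # ESC quotes the next byte so VAR/VALUE/ESC can appear literally
            (value if mode == "value" else name).append(body[j + 1])
            j += 2
            continue
        if b in (VAR, USERVAR):
            flush()
            name, value, mode = bytearray(), bytearray(), "name"
        elif b == VALUE:
            mode = "value"
        else:
            (value if mode == "value" else name).append(b)
        j += 1
    flush()
    return pairs


def extract_new_environ(stream: bytes) -> list[tuple[str, str]]:
    """Return every (name, value) pair the client sent in NEW-ENVIRON IS/INFO messages."""
    pairs = []
    pos = 0
    while True:
        start = stream.find(bytes([IAC, SB, NEW_ENVIRON]), pos)
        if start < 0:
            break
        end = stream.find(bytes([IAC, SE]), start + 3)
        if end < 0:
            break  # truncated subnegotiation; stop rather than guess
        body = stream[start + 3:end]
        pos = end + 2
        if body and body[0] in (IS, INFO):  # SEND comes from the server, skip it
            pairs.extend(_parse_env_body(body[1:]))
    return pairs


def suspicious_user_values(stream: bytes) -> list[str]:
    """USER values starting with '-' are option injection attempts against login(1)."""
    return [v for n, v in extract_new_environ(stream) if n == "USER" and v.startswith("-")]


# Constructed sample streams: a normal login and an option-injection attempt.
BENIGN_STREAM = (
    bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE]) + b"alice"
    + bytes([IAC, SE])
)
INJECTION_STREAM = (
    bytes([IAC, SB, NEW_ENVIRON, IS, VAR]) + b"USER" + bytes([VALUE]) + b"-froot"
    + bytes([VAR]) + b"TERM" + bytes([VALUE]) + b"xterm"
    + bytes([IAC, SE])
)

if __name__ == "__main__":
    for label, stream in (("benign", BENIGN_STREAM), ("injection", INJECTION_STREAM)):
        print(label, extract_new_environ(stream), "flagged:", suspicious_user_values(stream))
```

The check keys on the leading "-" rather than on the literal string "-froot", so it also catches other option spellings handed to login; pairing it with a rule for the server's subsequent shell prompt without a password exchange would reduce false positives from clients that merely send odd usernames.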
Finally, the team added an exploit for an arbitrary file read stemming from a directory traversal vulnerability in open-source AI analytics software MindsDB. The vulnerability is exploitable without authentication by default, and the product has broad third-party integration support, both of which attackers may find appealing. One caveat of exploitation is that successfully disclosed files are moved from their original location to MindsDB storage, potentially impacting the availability of the service. As of this writing, there is no evidence of exploitation in the wild. Our FOFA query indicates that there are just under 250 instances exposed online.
The team also added network signatures, ASM queries, PCAPs, and a Docker target for the vulnerability.