A new go-exploit release, plus new exploits for Sitecore XP, Cisco ISE, SolarWinds Web Help Desk, n8n, and Fortinet FortiWLM.

Happy Friday! The following are the Initial Access Intelligence team's deliverables for the past week.

CVE-2025-53690: Sitecore XP Hard-Coded Machine Key RCE

This week, the team developed an exploit for CVE-2025-53690, an actively exploited vulnerability in Sitecore XM and XP that was added to VulnCheck KEV in September 2025 and has since been used by at least one China-nexus adversary. This vulnerability arises from guidance in older public docs that directed Sitecore admins to hard-code an encryption key; any system using the hard-coded sample key is vulnerable to a .NET deserialization attack. Because exposure depends on what the IIS configuration file has enabled, the bug could potentially persist outside of the stated versions; configurations should be manually reviewed.
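As a starting point for that configuration review, the following added example (not VulnCheck's or Sitecore's code) audits the `<machineKey>` element of a `web.config`. The function name and the known-key set are assumptions; the set is a placeholder to be filled from the vendor advisory. The check goes slightly beyond the sample key by also flagging any static key and keys moved to an external file via `configSource`.

```python
import xml.etree.ElementTree as ET

# Placeholder only: populate from the vendor advisory. The page does not list the key.
KNOWN_SAMPLE_KEYS = frozenset({"<SAMPLE-KEY-FROM-VENDOR-ADVISORY>"})

def audit_machine_key(config_xml, known_keys=KNOWN_SAMPLE_KEYS):
    """Return (severity, attribute, reason) findings for one web.config document."""
    known = {k.strip().upper() for k in known_keys}
    findings = []
    # iter() also reaches <machineKey> elements nested under <location> overrides.
    for mk in ET.fromstring(config_xml).iter("machineKey"):
        if mk.get("configSource"):
            findings.append(("review", "configSource",
                             "keys live in an external file; audit that file too"))
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate").strip()
            if value.split(",")[0].strip().lower() == "autogenerate":
                continue  # per-machine generated key, not a shared static value
            if value.upper() in known:
                findings.append(("critical", attr, "matches a published sample key"))
            else:
                findings.append(("review", attr,
                                 "static key; confirm it is unique and secret"))
    return findings

# Constructed sample inputs (the keys below are made up, not the real sample key).
FAKE_PUBLISHED_KEY = "0123456789ABCDEF" * 4
FAKE_PRIVATE_KEY = "A1B2C3D4" * 6
STATIC_CONFIG = f"""<configuration><system.web>
  <machineKey validationKey="{FAKE_PUBLISHED_KEY.lower()}" decryptionKey="{FAKE_PRIVATE_KEY}" />
</system.web></configuration>"""
DEFAULT_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate" />
</system.web></configuration>"""

if __name__ == "__main__":
    for name, xml in (("static", STATIC_CONFIG), ("default", DEFAULT_CONFIG)):
        print(name, audit_machine_key(xml, known_keys={FAKE_PUBLISHED_KEY}))
```

A "review" finding is not proof of exposure; it marks a key that was set by hand and therefore needs its origin confirmed.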

The exploit comes with PCAPs and ASM queries, which identify 1,757 Sitecore systems on the public internet. Neither Suricata nor Snort signatures are provided, as the majority of non-API endpoints are vulnerable, and encrypted state data cannot be easily decrypted in Suricata and Snort.

CVE-2025-20282: Cisco ISE Unauthenticated Admin API File Upload

The team added an exploit for CVE-2025-20282, an unauthenticated file upload vulnerability in Cisco ISE. The vulnerability was disclosed alongside CVE-2025-20281 in June of 2025 and was added to VulnCheck KEV on January 20, 2026. It is not yet on CISA KEV. Our FOFA query currently shows just under 800 exposed instances on the public internet. Coverage also includes network signatures, PCAPs, ASM queries, and a YARA rule.

CVE-2025-40551: SolarWinds Web Help Desk Unauthenticated Deserialization RCE

The team added an exploit chain for SolarWinds Web Help Desk, leveraging CVE-2025-40536 to bypass authentication and CVE-2025-40551 to gain remote code execution. CVE-2025-40551 has been exploited in the wild and is on both CISA KEV and VulnCheck KEV. Censys identifies more than 54K instances of the vulnerable product exposed online. Our exploit also includes a version check, network signatures, and a PCAP.

CVE-2026-1470: n8n Authenticated Sandbox Escape RCE

The team also added yet another exploit for n8n this week. This authenticated RCE takes advantage of a recently discovered sandbox bypass to run arbitrary JavaScript code, resulting in a reverse shell on the target host. The team's ASM queries suggest that between 200K and 300K n8n services are currently exposed to the internet. Despite this large external presence, there is no evidence of exploitation at the time of writing. This exploit comes with ASM queries, PCAPs, and a target Docker container. Network fingerprints matched those of a previous n8n vulnerability, CVE-2025-68613, so closely that we decided to simply add this latest CVE to that rule.

CVE-2023-34993: Fortinet FortiWLM Command Injection

The team added coverage for an unauthenticated—and truly trivial—command injection in FortiWLM, Fortinet's wireless management product. CVE-2023-34993 was discovered along with 15 other issues by Horizon3. Exploitation gets you a direct line to the appliance's root account. The vulnerability is exploited in the wild by as-yet unattributed threat actors. Fortunately, very few instances appear to be exposed online. Given the simplicity of exploitation, this vulnerability should have been patched years ago, regardless of where it lies in your environment. The team delivered an exploit, PCAPs, network signatures, a YARA rule, and ASM queries.

go-exploit v1.55.0

Finally, we released go-exploit v1.55.0, which adds encrypted ViewState support for go-exploit's .NET serialization payload generation. This support is necessary for targets running on later versions of the .NET Framework, and it offers an alternative to the legacy serialization payload support currently available in the library.