Happy Friday, and welcome to another jam-packed release! Below are the Initial Access Intelligence team's deliverables for the past week.
By customer request, we introduced two new network rule types that include impact compromised or impact successful-exploitation in their metadata. Rules marked as compromised are designed to flag hosts that respond with artifacts indicating they have already been compromised, such as the presence of a webshell or a similar post-exploitation indicator.
Rules marked as successful-exploitation apply when a server responds to an exploitation attempt with behavior or content that confirms the exploit succeeded. These classifications provide clearer context around observed activity and help distinguish between evidence of compromise and confirmation that an exploit worked as intended.
The team merged a large community-contributed enhancement to go-exploit this week that creates a new package to support more complete and cross-compilable Windows Local Privilege Escalation exploits. This paves the way for better go-exploit support for exploitation and post-exploitation activities on Windows local hosts. Documentation for Windows Local Privilege Escalation patterns has been added as well. Our thanks to vbuccigrossi for the great contribution!
Following Rapid7’s publication of a proof of concept for CVE-2026-1731 and reports from watchTowr that the vulnerability is now being exploited in the wild, the team added new websocket-based network rules that leverage Suricata 8’s new websocket inspection capabilities to detect exploitation of CVE-2026-1731 in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS). We also introduced a websocket-based rule for CVE-2025-1094, which affects the same products, and added both a PCAP and version scanner for CVE-2026-1731 to strengthen detection and validation capabilities. Snort 2.9 does not support websocket inspection and is therefore unable to provide equivalent coverage.
In parallel, we revised our queries for these products, identified vulnerable internet-facing systems, and believe active hunting is underway beyond watchTowr’s public statement. We also introduced new Nuclei templates under a nuclei/ directory to support synchronization with broader internet scanning efforts going forward.
This week, the team delivered an exploit for CVE-2025-26633, an improper neutralization vulnerability also known as "MSC EvilTwin." MSC EvilTwin is a technique that requires local access and tricks Microsoft's Management Console (MMC) into running malicious commands, allowing for malware download and execution. Trend Micro reported on Russian threat actor Water Gamayun leveraging this vulnerability to stealthily execute malicious binaries and exfiltrate data. Our exploit also includes a Sigma rule to identify MSC EvilTwin exploitation via Sysmon event logs generated during the attack.
The team also added exploits for both CVE-2025-9316 and CVE-2025-11700, two vulnerabilities that, when exploited together, result in unauthenticated arbitrary file reads against vulnerable N-central instances. Previous N-central vulnerabilities like CVE-2025-8875 and CVE-2025-8876 — both of which our team covered previously — have seen in-the-wild exploitation, and these latest two vulnerabilities are no exception: CVE-2025-9316 and CVE-2025-11700 were added to the VulnCheck KEV on December 15, 2025. Neither vulnerability is on CISA KEV at the time of writing. Publicly exposed N-central instances currently sit at just under 3,500 hosts based on our FOFA query.
Coverage includes exploits, PCAPs, and ASM queries for both CVEs, plus network signatures and a YARA rule for CVE-2025-11700.
Last week, the team delivered an exploit chain for SolarWinds Web Help Desk, leveraging CVE-2025-40536 to bypass authentication and CVE-2025-40551 to gain remote code execution. This week, we split out the network signatures so that customers can now uniquely identify exploitation of the authentication bypass (CVE-2025-40536). This is beneficial if attackers use the bypass in future exploit chains or in malicious scanning for vulnerable instances.