Rules and queries for Cisco Firewall Management Center and Cisco Catalyst SD-WAN. New exploits for Juniper PTX Series routers, Windows Storage, LightLLM, Flowise, and MajorDoMo.

Happy Friday! It's been a busy week in the VulnCheck hack house, with plenty of emerging threat analysis still ongoing. The following are the Initial Access Intelligence team's deliverables for the past week.

CVE-2026-20079: Cisco Firewall Management Center Authentication Bypass (ASM Queries and Signatures)

VulnCheck's research team invoked our emerging threat response process earlier this week for a pair of vulnerabilities in Cisco Firewall Management Center: CVE-2026-20079, an auth bypass, and CVE-2026-20131, a deserialization RCE. The team delivered ASM queries, which show roughly 200 to 700 systems on the public internet. The team also delivered Snort and Suricata rules that detect portions of what we believe to be the exploit chain. Neither vulnerability is known to be exploited in the wild at time of writing.

CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122: Cisco Catalyst SD-WAN Manager Unauthenticated Information Disclosure, DCA User Takeover, and Authenticated File Overwrite (Signatures and Queries)

Correction March 10, 2026: A prior version of these release notes indicated VulnCheck had delivered signatures and queries for CVE-2026-20127, a different vulnerability in Cisco Catalyst SD-WAN Manager. Upon further analysis, however, our team concluded that public proof-of-concept exploit code attributed to CVE-2026-20127 does not exploit that CVE at all, but rather three other CVEs in Cisco Catalyst SD-WAN Manager: CVE-2026-20133, an unauthenticated information disclosure vulnerability in SD-WAN's API; CVE-2026-20128, which gives an authenticated, local attacker DCA user privileges; and CVE-2026-20122, an authenticated file overwrite. The last two of these CVEs have been exploited in the wild, per Cisco's advisories. The team provided signatures, PCAPs, and ASM queries for these issues.

CVE-2022-20775: Cisco Catalyst SD-WAN Path Traversal Privilege Escalation (Queries and YARA Rule)

To wrap up the Cisco vulnerability bonanza, the team added a YARA rule and ASM queries for an older privilege escalation vulnerability in Cisco Catalyst SD-WAN that Cisco's PSIRT reported exploited last week alongside CVE-2026-20127. Censys finds roughly 450 of these on the internet.

CVE-2026-21902: Juniper Junos OS Evolved (PTX) Unauthenticated RCE

This week, the team conducted original research to add an exploit for a critical vulnerability in Junos OS Evolved 25.4R1-EVO on PTX Series routers. RCE is achieved via handler-based Python code injection in the On-Box Anomaly Detection Framework (api_server.py on TCP/8160). The vulnerability isn't yet exploited in the wild but is likely to end up on KEVs — watchTowr has a write-up from earlier this week. Our exploit comes with a PCAP, Suricata and Snort rules, and a target Docker container.

CVE-2026-21508: Windows Storage Escalation of Privilege via Improper Authentication

The team added an exploit for CVE-2026-21508, a privilege escalation vulnerability in Windows Storage. By manipulating COM class resolution through attacker-controlled registry keys, a local, low-privileged attacker can influence a process running as NT AUTHORITY\LOCAL SERVICE to initialize an attacker-chosen COM server and load a malicious DLL, resulting in elevation to LOCAL SERVICE. The vulnerability hasn't yet been exploited in the wild. The team's exploit comes with an EVTX log and a Sigma rule.

CVE-2026-26220: LightLLM Pickle Deserialization Unauthenticated RCE

The team added an exploit for LightLLM versions 1.1.0 and earlier, which contain an unauthenticated remote code execution vulnerability in PD (prefill-decode) disaggregation mode. The vulnerability, which isn't yet known to be exploited in the wild, was originally discovered by Chocapikk and allows a remote attacker who can reach the PD master to send a crafted payload to achieve arbitrary code execution. Our exploit comes with PCAPs, network rules, and a target Docker container.

CVE-2025-59528: FlowiseAI Flowise CustomMCP JS Code Injection

The team added an exploit for an arbitrary JavaScript code injection vulnerability in the CustomMCP server logic for multiple versions of Flowise. While no in-the-wild exploitation has been detected, previously covered Flowise vulnerabilities such as CVE-2025-8943 and CVE-2025-26319 are on VulnCheck KEV and have also been detected in the wild by VulnCheck canaries. Our FOFA query currently shows ~16K Flowise instances publicly accessible online. Versions of Flowise from 2.2.7-patch.1 to 3.0.0 do not require authentication by default, potentially making this vulnerability even more attractive to attackers. The team added an exploit, network signatures, a YARA rule, ASM queries, PCAPs, and a Docker target.

CVE-2026-27175: MajorDoMo Unauthenticated OS Command Injection

Based on another find from Chocapikk, the team added an exploit for a critical vulnerability in the home automation platform MajorDoMo; the exploit uses a race condition to execute an arbitrary command on the target host. The team's ASM queries find roughly a thousand exposed targets on the public internet. The vulnerability has not yet been exploited in the wild. The team's exploit comes with ASM queries, PCAPs, a YARA rule, network rules, and a target Docker container.