Happy Friday! The team continued their Cisco quest this week, delivering exploits for two more recent Cisco vulns in addition to a few other customer-requested flaws. The following are the Initial Access Intelligence team's deliverables for the past week.
By customer request and popular demand, the team developed an original exploit for CVE-2026-20079, a CVSS 10 authentication bypass vulnerability in Cisco Firewall Management Center (FMC) that allows for RCE. The vulnerability requires two very specific prerequisites that may reduce real-world exploitability: the system must have been recently rebooted, and no UI users can have authenticated to it. The VulnCheck team's exploit is the first known valid exploit for the vulnerability.
Successful exploitation allows an attacker to make many different API calls, but interestingly, the script executions that follow the authentication bypass do not appear to have been patched. Private vendor-supplied detections also do not appear to detect the VulnCheck-developed exploit variant. Our exploit comes with PCAPs, network signatures for five variants, YARA rules, and a detailed writeup of exploitation caveats and vulnerability details.
This week, also by popular demand, the team delivered an exploit and network signatures for CVE-2026-20127, a CVSS 10 auth bypass in Cisco SD-WAN that was exploited as a zero-day by UAT-8616, per Cisco Talos. See our emerging threat blog for more details on this and other recent Cisco SD-WAN vulnerabilities. Our exploit and detections join our previously delivered ASM queries, GreyNoise query, and YARA rule.
The team added coverage for a critical OS command injection in Linksys E-series routers. VulnCheck's CNA issued a CVE for it in June 2025 after Shadowserver observed in-the-wild exploitation with old public exploit code. The vulnerability has been exploited by the "TheMoon" worm, which SANS wrote about in 2014, and has more recently seen exploitation by the RondoDox botnet. Shadowserver still shows a steady stream of regular exploit attempts. CVE-2025-34037 has been on VulnCheck KEV since June 23, 2025. It is not yet on CISA KEV. In addition to the exploit, the team provided ASM queries, PCAPs, and network signatures.
By customer request, the team also added coverage for a legacy authentication bypass vulnerability impacting multiple Fortinet products. The vulnerability was first disclosed in late 2022 and subsequently added to both the VulnCheck and CISA KEV lists. VulnCheck Canary Intelligence data sees exploitation attempts for the vulnerability as recently as March 14, 2026. The vulnerability has been exploited by multiple threat actors, including Pioneer Kitten, Vanguard Panda, Aquatic Panda, and most recently, Belsen Group. Our Shodan query suggests a large footprint, with just over 25K instances of FortiGate online as of this writing.
Our exploit comes with ASM queries, PCAPs, and network signatures.
Finally, by customer request, the team developed an exploit for CVE-2010-3964, a high-severity unauthenticated file upload vulnerability in the Document Conversions Launcher Service running on installations of SharePoint 2007 SP2. On versions of Windows 2003 and older, RCE is also possible. The exploit joins pre-existing network rules and PCAPs for this vulnerability, which isn't known to be exploited in the wild. No ASM queries are available for this target because the affected service cannot be uniquely fingerprinted.