Happy Friday! The Initial Access Intelligence team's deliverables for the past week are below.
The team developed the first known exploit for CVE-2026-20129, a CVSS 9.8 authentication bypass that closes out our weeks-long Cisco exploit development bonanza. Our exploit lets an unauthenticated attacker use a reserved machine account to create new, highly privileged users on the system. The vulnerability is not yet known to be exploited in the wild. The exploit comes with PCAPs, ASM queries, and a YARA rule to support detection.
By customer request, the team developed an exploit for CVE-2022-20775, an older path traversal vulnerability in Cisco SD-WAN's CLI that was recently found to have been exploited in conjunction with CVE-2026-20127 in a multi-year UAT-8616 campaign. The group reportedly leveraged CVE-2026-20127 to downgrade SD-WAN devices, then used CVE-2022-20775 to escalate privileges to root and establish persistence before finally restoring devices to their original version.
A public write-up on the vulnerability with pseudo-code has been available for several years, but our team found notable discrepancies between reported observations and actual exploit behavior. Our Censys query identifies around 3K exposed devices online, with nearly all located in the United States. The team previously delivered an exploit for CVE-2026-20127, which means teams looking to emulate UAT-8616 activity can use our exploits to do so. At time of writing, there are no functional public exploits for CVE-2022-20775. Our exploit comes with a YARA rule.
The team added an exploit for CVE-2026-25049, an authenticated RCE via expression evaluation in n8n's workflow expression logic. The team previously covered CVE-2025-68613, an exploited vulnerability for which CVE-2026-25049 is a patch bypass. CVE-2025-68613 is notably listed on both the VulnCheck KEV and CISA KEV lists, and our team has observed in-the-wild exploit attempts pairing CVE-2026-21858 with CVE-2025-68613 to achieve unauthenticated RCE. Exploitation of CVE-2025-68613 has previously been attributed to MuddyWater, an Iranian-backed threat group. n8n has a fairly large footprint, with just under 20K instances according to our Shodan query.
Coverage includes an exploit, PCAPs, network signatures, ASM queries, and a Docker target.
The team also developed an exploit this week for CVE-2026-33017, another critical remote code execution vulnerability in Langflow. Sysdig reported exploitation in the wild a mere day after the vulnerability was disclosed (and before the CVE was published). It was added to VulnCheck KEV on March 19 and to CISA KEV six days later.
Our exploit comes with PCAPs and ASM queries; the queries suggest a few hundred to a few thousand internet-exposed hosts. We did not provide network rules, because the vulnerable endpoint accepts code under legitimate circumstances, so signatures on it would likely produce false positives and be easily bypassed.
By customer request, the team developed an exploit for CVE-2019-17621, an older critical vulnerability in D-Link DIR-859 routers. The vulnerability, which has been exploited by Flax Typhoon (Ethereal Panda) as well as the Mirai and RondoDox botnets, allows remote attackers to perform OS command injection into a D-Link UPnP endpoint to achieve remote code execution. FOFA shows roughly 450 internet-exposed devices. Our exploit comes with PCAPs, Suricata and Snort rules, and ASM queries.
The team wrote ASM queries for a critical vulnerability in Citrix NetScaler that allows a memory over-read on affected NetScalers configured as SAML identity providers (IdPs). ZoomEye and FOFA find several thousand potentially vulnerable systems online (just shy of 6K unique IPs).
Finally, to expand Suricata and Snort coverage for vulnerabilities included in VulnCheck KEV, the team added rules and PCAPs for the following:
| CVE | Vendor | Product |
|---|---|---|
| CVE-2016-15057 | Apache | Continuum |
| CVE-2022-25369 | Dynamicweb | Dynamicweb |
| CVE-2025-15503 | Sangfor | OSM |
| CVE-2025-25037 | Aquatronica | Controller System |
| CVE-2025-26793 | Hirsch | Enterphone MESH |
| CVE-2025-34023 | Karel | IP1211 |
| CVE-2025-34031 | Moodle | Jmol Filter |
| CVE-2025-34143 | ETQ | Reliance |
| CVE-2026-1603 | Ivanti | Endpoint Manager |
| CVE-2026-21859 | axllent | Mailpit |
| CVE-2026-23744 | MCPJam | Inspector |
| CVE-2024-55457 | MasterSAM | Star Gate |
| CVE-2024-57049 | TP-Link | Archer C20 |
| CVE-2025-13486 | WordPress | ACF Extended |
| CVE-2025-34045 | WeiPHP | WeiPHP |
| CVE-2025-4008 | Smartbedded | MeteoBridge |
| CVE-2025-4009 | Evertz | SDVN 3080ipx-10G |
| CVE-2025-4632 | Samsung | MagicINFO 9 |
| CVE-2025-54782 | NestJS | devtools-integration |