Happy Friday! Below are the Initial Access Intelligence team's deliverables for the past week.
The team developed an exploit for CVE-2026-3055, a critical information leak vulnerability in Citrix NetScaler ADC and Gateway. This vulnerability allows attackers to retrieve random memory from the NetScaler system and potentially access sensitive data. We covered this vulnerability because of customer requests and NetScaler's record of in-the-wild exploitation, but the team was skeptical of practical utility. The required configuration is unlikely to be common in real-world deployments, the attacker doesn't control which types of data are returned, and the attack itself is obvious — meaning an adversary would have to flood vulnerable endpoints in hopes of getting useful data back, far exceeding normal request volumes.
Our queries show between 5K and 10K potentially vulnerable systems. Our exploit comes with PCAPs, network signatures, YARA rules, and ASM queries.
This week, the team added an exploit for an unauthenticated SQL injection vulnerability in Fortinet FortiClient EMS that permits an attacker to both extract data and obtain a remote shell on the target due to the superuser permissions under which the postgres user runs. Despite having a small number of affected versions and a small online footprint (~100 instances, per FOFA), CVE-2026-21643 has already seen in-the-wild exploit attempts. The vulnerability is on the VulnCheck KEV as of March 26, 2026. It is not yet on CISA KEV. Coverage includes an exploit, PCAPs, network signatures, ASM queries, and a YARA rule.
The team also added an exploit for a chain of two high-severity vulnerabilities in the popular MCP-Atlassian server. We initially worked on these vulnerabilities because when combined, they supposedly result in RCE. In our development and testing, the potential for RCE is highly situational and unlikely to exist in common configurations. This exploit delivers unauthenticated arbitrary file read and write capabilities that ultimately allow for disclosure of sensitive API keys — and in specific situations, RCE.
Our exploit comes with a target Docker container, PCAPs, and network rules. No ASM queries are provided because of a lack of fingerprintable elements in the default HTTP responses of this service; however, a target validation function has been provided.
By customer request, the team developed an exploit for CVE-2020-9054, a critical pre-auth command injection vulnerability in Zyxel NAS firmware 5.21 that allows for remote code execution via the NAS login page. The vulnerability has been exploited in the wild by the RondoDox, Emotet, BotenaGo, and Mirai botnets (among others). FOFA queries show more than 66K internet-exposed devices. Our exploit comes with PCAPs, Suricata and Snort rules, and ASM queries.
The team delivered network signatures for a critical authentication bypass vulnerability in Progress ShareFile. We covered this vulnerability because the trivial bypass is likely to be exploited given that ShareFile is a high-value target for data theft and extortion. The team's ASM queries show around 1,000 potentially vulnerable internet-exposed systems.
The team added ASM queries this week for CVE-2025-53521, a vulnerability in BIG-IP APM that was initially thought to be a DoS when it was disclosed after an F5 security incident in 2025. In March 2026, the vulnerability was reclassified as a remote code execution flaw; F5 noted it had also been exploited in the wild. Our queries show more than 153K BIG-IP systems online.
To improve our rule coverage of VulnCheck KEV CVEs, along with what we believe are likely to be future VulnCheck KEV CVEs, we added network detections and PCAPs for the following vulnerabilities.
| CVE | Vendor | Product | Artifact Name |
|---|---|---|---|
| CVE-2025-55523 | Agent0AI | Agent-Zero | Agent0AI Agent-Zero download_work_dir_file Arbitrary File Download |
| CVE-2024-50603 | Aviatrix | Controller | Aviatrix Controller OS Command Injection |
| CVE-2024-51977 | Brother | MFC-L9570CDW | Brother MFC-L9570CDW Information Disclosure via mnt_info.csv |
| CVE-2026-31816 | Budibase | Budibase | Budibase Authentication Bypass via Webhook Path Pattern |
| CVE-2025-53833 | binarytorch | LaRecipe | binarytorch LaRecipe Server-Side Template Injection Remote Code Execution |
| CVE-2025-3515 | codedropz | Drag and Drop Multiple File Upload for Contact Form 7 | codedropz Drag and Drop Multiple File Upload for Contact Form 7 Arbitrary File Upload |
| CVE-2025-56520 | Dify | Dify | Dify remote-files Server-Side Request Forgery |
| CVE-2025-0674 | Elber | ESE | Elber ESE Authentication Bypass Password Reset |
| CVE-2025-34035 | EnGenius | EnShare Cloud Service | EnGenius EnShare Cloud Service usbinteract.cgi Command Injection |
| CVE-2025-2539 | File Away | File Away | File Away Plugin fileaway-stats Arbitrary File Read |
| CVE-2025-1661 | HUSKY | WooCommerce Products Filter | HUSKY WooCommerce Products Filter woof_text_search Local File Inclusion |
| CVE-2025-32814 | Infoblox | NetMRI | Infoblox NetMRI Login Unauthenticated SQL Injection |
| CVE-2024-48766 | jokob-sk | NetAlertX | NetAlertX logs.php Directory Traversal File Read |
| CVE-2025-41646 | KUNBUS | RevPi | KUNBUS RevPi Webstatus Authentication Bypass |
| CVE-2025-45985 | LB-LINK | BL-WR9000 | LB-LINK Router set_hidessid_cfg Command Injection |
| CVE-2025-68043 | LottieFiles | LottieFiles | LottieFiles Missing Authorization Settings Disclosure |
| CVE-2026-28414 | Gradio | Gradio | Gradio Absolute Path Traversal Arbitrary File Read |
| CVE-2026-27174 | MJDM | MajorDoMo | MJDM MajorDoMo Console Eval Remote Code Execution |
| CVE-2025-28367 | mojoPortal | BetterImageGallery | mojoPortal BetterImageGallery imagehandler Directory Traversal |
| CVE-2025-25231 | Omnissa | Workspace ONE UEM | Omnissa Workspace ONE UEM Path Traversal |
| CVE-2025-71243 | SPIP | Saisies | SPIP Saisies PHP Code Injection Remote Code Execution |
| CVE-2025-7441 | StoryChief | StoryChief | StoryChief WordPress Plugin webhook Arbitrary File Upload |
| CVE-2025-13315 | Twonky | Server | Twonky Server Authentication Bypass Log File Exposure |
| CVE-2025-52665 | Ubiquiti | UniFi Access | Ubiquiti UniFi Access Backup Export Command Injection |
| CVE-2024-8425 | WPSwings | WooCommerce Ultimate Gift Card | WPSwings WooCommerce Ultimate Gift Card Arbitrary File Upload |
| CVE-2026-2025 | WPFunnels | Mail Mint | WPFunnels Mail Mint Information Disclosure via Unauthenticated REST API |
| CVE-2025-9985 | WordPress | Featured Image from URL | Featured Image From URL fifu-plugin.log Log File Information Exposure |
| CVE-2025-11833 | wpexperts | Post SMTP | wpexperts Post SMTP Email Log Disclosure |
| CVE-2026-29058 | WWBN | AVideo Encoder | WWBN AVideo Encoder getImage.php Command Injection |
| CVE-2025-34040 | Zhiyuan | OA Platform | Zhiyuan OA Platform wpsAssistServlet Arbitrary File Upload |