Happy Friday! The following are the Initial Access Intelligence team's deliverables for the past week.
This week, the team added an exploit for a critical authentication bypass vulnerability affecting versions 7.4.5 and 7.4.6 of FortiClient EMS. CVE-2026-35616 was added to the VulnCheck KEV following Defused Cyber's reports of in-the-wild exploit attempts on April 4. It was added to CISA KEV two days later. Our updated Shodan query shows just over 1,000 instances online.
The team added an original exploit this week for a critical authorization bypass in FUXA, a web-based SCADA / HMI platform for industrial automation, IoT and real-time process visualization. The vulnerability arises from a missing authorization check that lets unauthenticated, remote attackers create and modify arbitrary schedulers, which ultimately enables remote code execution in ICS and SCADA environments. The team's Censys query finds roughly 200 instances on the public internet, distributed globally. Our exploit comes with ASM queries, a target Docker container, Snort and Suricata rules, a PCAP, and a YARA rule.
The team developed an exploit for CVE-2026-28289, a critical file upload vulnerability in FreeScout, an open-source help desk and mailing system. The vulnerability allows unauthenticated remote code execution via the mail subsystem. Exploitation requires the ability to send mail to the FreeScout instance and knowledge of a valid user. Our Censys query finds more than 700 hosts online. Our exploit comes with a target Docker container, ASM queries, Suricata and Snort rules, and PCAPs.
The team developed an exploit for CVE-2025-12548, an unauthenticated RCE vulnerability in Eclipse Che and Red Hat OpenShift DevSpaces. The flaw sits in machine-exec, a WebSocket service that developer IDEs use to open terminals inside workspace containers, and which ships with authentication disabled by default. Any attacker who can reach the service can run arbitrary commands in a developer's workspace. A Metasploit module is publicly available, though no in-the-wild exploitation by threat actors or botnets has been observed yet. Red Hat OpenShift DevSpaces is fixed in 3.22.1; upstream Eclipse Che has no code-level fix. Coverage includes an exploit with PCAPs and Suricata rules.
By customer request, the team developed an exploit for CVE-2024-21762, a critical out-of-bounds write RCE vulnerability in Fortinet FortiOS that's been exploited by several China-nexus threat actors in addition to the Mirai botnet and multiple ransomware groups. The team's exploit joins previously delivered network rules and PCAPs and also adds ASM queries, which show roughly 500K internet-facing results.
All PCAPs have been standardized to include Ethernet frames and non-loopback addresses, ensuring consistent formatting across the dataset.
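The two properties of that standardization (Ethernet link type, no loopback addresses) can be checked mechanically before a capture is handed to a sensor or replayed against a rule set. The following is an added example, not VulnCheck's own tooling: a dependency-free Python checker that parses a classic libpcap file, confirms the link type is Ethernet, and flags any IPv4 or IPv6 loopback address in the frames. The sample captures it builds in memory are constructed for the example so it runs offline; pcapng input is out of scope and is rejected.

```python
import ipaddress
import struct

LINKTYPE_ETHERNET = 1          # LINKTYPE_ETHERNET per the tcpdump/libpcap link-type registry
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_VLAN = 0x8100
# classic pcap magic numbers (microsecond and nanosecond variants), as read in host order
PCAP_MAGICS_LE = {0xA1B2C3D4, 0xA1B23C4D}
PCAP_MAGICS_BE = {0xD4C3B2A1, 0x4D3CB2A1}


def parse_pcap(data):
    """Return (linktype, [frame bytes, ...]) for a classic libpcap file."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic in PCAP_MAGICS_LE:
        endian = "<"
    elif magic in PCAP_MAGICS_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x); pcapng is not handled" % magic)
    # global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _, _, linktype = struct.unpack_from(endian + "IHHiIII", data, 0)
    frames, off = [], 24
    while off + 16 <= len(data):
        # per-record header: ts_sec, ts_usec, incl_len, orig_len
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return linktype, frames


def frame_addresses(frame):
    """Extract (src, dst) IP addresses from an Ethernet frame; [] if not IPv4/IPv6."""
    if len(frame) < 14:
        return []
    (ethertype,) = struct.unpack_from(">H", frame, 12)
    off = 14
    if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:   # single 802.1Q tag
        (ethertype,) = struct.unpack_from(">H", frame, 16)
        off = 18
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= off + 20:
        return [ipaddress.IPv4Address(frame[off + 12:off + 16]),
                ipaddress.IPv4Address(frame[off + 16:off + 20])]
    if ethertype == ETHERTYPE_IPV6 and len(frame) >= off + 40:
        return [ipaddress.IPv6Address(frame[off + 8:off + 24]),
                ipaddress.IPv6Address(frame[off + 24:off + 40])]
    return []


def check_pcap(data):
    """Return a list of problems; an empty list means the capture meets both requirements."""
    problems = []
    linktype, frames = parse_pcap(data)
    if linktype != LINKTYPE_ETHERNET:
        # without Ethernet framing we cannot even locate the IP header reliably, so stop here
        problems.append("link type %d is not Ethernet (1)" % linktype)
        return problems
    for n, frame in enumerate(frames, 1):
        for addr in frame_addresses(frame):
            if addr.is_loopback:            # 127.0.0.0/8 or ::1
                problems.append("packet %d: loopback address %s" % (n, addr))
    return problems


# --- constructed sample data for the example (not real captures) ---------------------

def build_pcap(frames, linktype=LINKTYPE_ETHERNET):
    """Assemble a little-endian classic pcap file from raw frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def build_ipv4_frame(src, dst, payload=b""):
    """Ethernet + minimal IPv4 header (checksum left zero; not validated here)."""
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack(">H", ETHERTYPE_IPV4))
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + payload


if __name__ == "__main__":
    good = build_pcap([build_ipv4_frame("192.0.2.10", "198.51.100.20", b"GET / HTTP/1.1\r\n")])
    bad = build_pcap([build_ipv4_frame("127.0.0.1", "127.0.0.1")])
    null_link = build_pcap([], linktype=0)   # LINKTYPE_NULL, i.e. BSD loopback framing
    for name, blob in (("good", good), ("loopback", bad), ("null-link", null_link)):
        print(name, check_pcap(blob) or "OK")
```

Run it directly to see the three constructed cases; in a pipeline, call `check_pcap()` on the file bytes and fail the artifact if the returned list is non-empty.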
| CVE | Vendor | Product | Artifact Name |
|---|---|---|---|
| CVE-2023-47248 | Apache | PyArrow | Apache PyArrow Flight RPC DoPut Deserialization Remote Code Execution |
| CVE-2025-58179 | Astro | Astro | Astro Cloudflare Adapter SSRF |
| CVE-2024-7029 | AVTECH | AVM1203 | AVTECH AVM1203 IP Camera Factory.cgi Command Injection |
| CVE-2025-71257 | BMC | FootPrints | BMC FootPrints Authentication Bypass |
| CVE-2018-0127 | Cisco | RV132W, RV134W | Cisco RV132W RV134W Information Disclosure via dumpmdm.cmd |
| CVE-2020-26073 | Cisco | SD-WAN vManage | Cisco SD-WAN vManage token Local File Inclusion |
| CVE-2023-5074 | D-Link | D-View 8 | D-Link D-View 8 Static JWT Key Authentication Bypass |
| CVE-2023-7309 | Dahua | E-Map | Dahua E-Map SOAP Bitmap File Upload Path Traversal |
| CVE-2021-20124 | Draytek | VigorConnect | Draytek VigorConnect getMapImg_acs2 Local File Inclusion |
| CVE-2021-20123 | Draytek | VigorConnect | Draytek VigorConnect Local File Inclusion via DownloadFileServlet |
| CVE-2026-25939 | FUXA | FUXA | FUXA Scheduler Authorization Bypass Arbitrary Scheduler Write |
| CVE-2026-4020 | Gravity Forms | Gravity SMTP | Gravity SMTP Sensitive Information Exposure |
| CVE-2020-7209 | HP | LinuxKI | HP LinuxKI pid Parameter Command Injection |
| CVE-2020-23575 | Kyocera | D-COPIA253MF | Kyocera d-COPIA253MF Directory Traversal Arbitrary File Read |
| CVE-2025-22214 | Landray | EIS | Landray EIS SQL Injection |
| CVE-2023-26067 | Lexmark | MC3224i | Lexmark Embedded Web Server Fax Trace Settings Command Injection |
| CVE-2023-35844 | Lightdash | Lightdash | Lightdash slack-image Directory Traversal Arbitrary File Read |
| CVE-2025-22896 | mySCADA | myPRO Manager | mySCADA myPRO Manager Credential Disclosure |
| CVE-2024-0305 | Ncast | Ncast | Ncast busiFacade Command Injection |
| CVE-2024-57046 | Netgear | DGN2200 | Netgear DGN2200 Authentication Bypass |
| CVE-2021-3223 | Node-RED | Node-RED Dashboard | Node-RED Dashboard Local File Inclusion |
| CVE-2016-5674 | NUUO | NVRmini 2, NVRsolo | NUUO NVR Debugging Center Command Injection |
| CVE-2025-1338 | NUUO | Camera | NUUO Camera Command Injection |
| CVE-2020-14864 | Oracle | Business Intelligence | Oracle Business Intelligence getPreviewImage Directory Traversal Local File Inclusion |
| CVE-2024-49380 | Plenti | Plenti | Plenti Arbitrary File Write via postLocal |
| CVE-2022-39986 | RaspAP | RaspAP | RaspAP OpenVPN cfg_id Command Injection |
| CVE-2022-31126 | Roxy-WI | Roxy-WI | Roxy-WI Command Injection Remote Code Execution |
| CVE-2018-3760 | Ruby | Rails | Ruby Rails Asset Pipeline Directory Traversal |
| CVE-2019-14251 | Temenos | T24 | Temenos T24 docDownloadPath Local File Inclusion |
| CVE-2019-19825 | TOTOLINK | Router | TOTOLINK Router CAPTCHA Bypass Information Disclosure |
| CVE-2022-31847 | Wavlink | WN579 X3 | Wavlink WN579 X3 Information Disclosure via ExportAllSettings |
| CVE-2022-2488 | Wavlink | WN535K2, WN535K3 | Wavlink touchlist_sync.cgi Command Injection |
| CVE-2022-2487 | Wavlink | WN535K2, WN535K3 | Wavlink nightled.cgi OS Command Injection |
| CVE-2016-10108 | Western Digital | MyCloud | Western Digital MyCloud google_analytics.php Command Injection |
| CVE-2019-18371 | Xiaomi | Mi WiFi R3G | Xiaomi Mi WiFi R3G extdisks Path Traversal |