Happy Friday! The Initial Access Intelligence team's deliverables for the past week are below.
This week, the team developed an exploit for CVE-2026-24291, a Windows local privilege escalation dubbed "RegPwn" by MDSec. The vulnerability arises because Windows Accessibility Infrastructure incorrectly trusts registry configurations. A wide range of Windows versions are vulnerable, and the team's testing confirmed the flaw is easily exploitable — both of which lead us to believe the vulnerability will be exploited in the wild in the future. The team also provided Sigma rules for this vulnerability.
The team developed an exploit for CVE-2026-29059, a medium-severity path traversal vulnerability discovered by Chocapikk in Windmill, a popular open-source workflow automation platform. The vulnerable product boasts more than 10 million downloads and is also commonly embedded in Nextcloud Flow, which exposes the vulnerable Windmill endpoints. We covered this vulnerability because it allows unauthenticated attackers to read arbitrary files and achieve remote code execution via an unauthenticated file retrieval endpoint. Our ZoomEye query reports roughly 800 internet-exposed Windmill installations, though that notably doesn't include potential Nextcloud Flow installations (for which queries weren't feasible).
Our exploit comes with a version scanner, PCAPs, ASM queries, a Docker container, and network rules.
The team developed an exploit for CVE-2026-34197, an improper input validation vulnerability in Apache ActiveMQ Classic that allows for authenticated remote code execution over the Jolokia API. Our testing confirmed that exploitation is trivial, and our Shodan query finds nearly 3,000 hosts online. This vulnerability has been exploited in the wild and is on VulnCheck KEV. Our exploit comes with a target Docker container, ASM queries, Suricata and Snort rules, and PCAPs.
In addition to the authenticated variant of this vulnerability (above), the team developed the first known exploit for CVE-2024-32114, which affects older ActiveMQ instances and allows for unauthenticated exploitation of the Jolokia API. The vulnerability isn't known to be exploited at the time of writing. Our exploit comes with a target Docker container, ASM queries, Suricata and Snort rules, and PCAPs.
The team also added an exploit for an unauthenticated PHP code injection vulnerability in MetInfo CMS, an open-source content management system popular in China. Previous MetInfo CMS vulnerabilities include CVE-2025-63551 (XXE/SSRF) and CVE-2025-60450 (stored XSS), neither of which has been found to grant RCE. Our FOFA query finds around 2,000 MetInfo CMS instances on the public internet, with the largest share located in China followed by the United States. Our exploit comes with PCAPs, ASM queries, network signatures, a YARA rule, and a Docker target.
The team also added signatures and PCAPs for the following vulnerabilities to improve our detection coverage for VulnCheck KEVs.
| CVE | Vendor | Product | Name |
|---|---|---|---|
| CVE-2017-9833 | Boa | Web Server | Boa Web Server Arbitrary File Access via FILECAMERA Path Traversal |
| CVE-2020-13942 | Apache | Unomi | Apache Unomi MVEL Expression Language Injection Command Execution |
| CVE-2020-15568 | TerraMaster | TOS | TerraMaster TOS exportUser.php Remote Code Execution |
| CVE-2020-17519 | Apache | Flink | Apache Flink jobmanager/logs Directory Traversal Arbitrary File Read |
| CVE-2021-28799 | QNAP | HBS 3 | QNAP HBS 3 Broken Hard-Coded SID |
| CVE-2022-31137 | Roxy-WI | Roxy-WI | Roxy-WI options.py Command Injection |
| CVE-2022-3980 | Sophos | Mobile | Sophos Mobile XML External Entity Injection |
| CVE-2022-40022 | Microchip | SyncServer S650 | Microchip SyncServer S650 Ping Command Injection |