New exploits and more for cPanel, the Linux kernel, Apache ActiveMQ, Fortinet FortiSandbox, DrayTek Vigor, OpenCATS, OpenAM, and TP-Link Archer AX21 routers. ASM queries for Palo Alto Networks PAN-OS.

Happy Friday, and welcome to a jam-packed Initial Access Intelligence release. The team's deliverables for the past week are below, and we also welcomed two new team members to help us cram even more exploits into future releases.

CVE-2026-0300: Palo Alto Networks PAN-OS Buffer Overflow in User-ID Auth Portal

In response to a newly disclosed zero-day vulnerability, the team shipped ASM queries for CVE-2026-0300, an unpatched heap buffer overflow vulnerability in the User-ID Authentication Portal (aka Captive Portal) in Palo Alto Networks PAN-OS. The bug allows an unauthenticated attacker to execute arbitrary code with root privileges. No public exploits exist yet, but the vendor confirmed limited exploitation in the wild. Our FOFA query identifies over 30,000 exposed portals. The team will continue to research this vulnerability in the coming weeks.

CVE-2026-41940: cPanel Authentication Bypass

Following up on last week's signatures and queries, the team developed an exploit for CVE-2026-41940, a recent cPanel vulnerability that has been broadly exploited in the wild since it was disclosed on April 28. VulnCheck is tracking Sorry ransomware and Mirai botnet exploitation, along with daily exploit attempts hitting Shadowserver honeypots. Our Censys query finds over 7 million potentially vulnerable hosts online.

VulnCheck has the only weaponized exploit for this vulnerability, but more than two dozen PoCs are publicly available. Our exploit comes with PCAPs, network rules, and queries.

CVE-2026-31431: "Copy Fail" Linux Kernel Local Privilege Escalation

The team developed an exploit for CVE-2026-31431, a Linux kernel vulnerability that allows a low-privileged user to escalate to root. While this isn't an initial access vulnerability, the bug has drawn significant media attention, amplified by its AI-assisted discovery and the attendant marketing. The team has seen 120+ working public exploits since the vulnerability's release — most are ports to new languages and add nothing technically novel. Exploitation in the wild was confirmed on May 1, 2026.

Notably, VulnCheck's exploit for this vulnerability is non-destructive. The original public proof-of-concept exploit targets the su binary in the page cache to spawn a root session, but it does not restore the original su binary, so the modified copy stays in the cache until the page is evicted (in practice, usually at reboot) and every subsequent su invocation fails in the interim. Our team instead targets /etc/passwd: the exploit captures the original contents, modifies the file in cache to add a root-equivalent entry, spawns a root shell, and then restores /etc/passwd to its original state.

The exploit leaves no artifacts in log files; based on our analysis, existing public rules detect features of the original proof of concept rather than the underlying technique — meaning they break the moment an attacker recompiles or reimplements. Detection at the network or host log layer is not viable for this class of exploit; runtime kernel telemetry is the appropriate control surface.
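One host-side check the two paragraphs above imply, added here as an example and not VulnCheck's code or the public PoC: because the technique changes the file in the page cache rather than on disk, a normal buffered read and an O_DIRECT read of the same file disagree while the modified page is resident. The program compares the two views for /etc/passwd and su and reports the first differing offset. It assumes Linux and a filesystem that honours O_DIRECT (tmpfs and overlayfs do not, and the check reports "cannot compare" there); the 1 MiB limit and 4 KiB alignment are the example's own choices. The caveat matches the writeup: an exploit that restores the file closes this window as soon as it finishes, so this catches the original PoC's lingering su modification, or anything resident at scan time, but is no substitute for runtime kernel telemetry.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef O_DIRECT
#define O_DIRECT 00040000 /* asm-generic/x86 value; fcntl.h defines it under _GNU_SOURCE */
#endif

#define DIRECT_ALIGN 4096      /* satisfies O_DIRECT alignment for common block sizes */
#define MAX_BYTES (1 << 20)    /* example limit: enough for /etc/passwd and a su binary */

/* Offset of the first byte at which two buffers differ, or -1 if identical.
 * A length mismatch counts as a difference at the shorter length. */
long first_diff(const unsigned char *a, size_t alen,
                const unsigned char *b, size_t blen) {
    size_t n = alen < blen ? alen : blen;
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i]) return (long)i;
    return alen == blen ? -1 : (long)n;
}

/* Read up to max bytes through the page cache (ordinary buffered read).
 * Returns bytes read, or -1 on error. */
ssize_t read_cached(const char *path, unsigned char *buf, size_t max) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    size_t total = 0;
    while (total < max) {
        ssize_t n = read(fd, buf + total, max - total);
        if (n < 0) { int e = errno; close(fd); errno = e; return -1; }
        if (n == 0) break;
        total += (size_t)n;
    }
    close(fd);
    return (ssize_t)total;
}

/* Read up to max bytes bypassing the page cache. O_DIRECT goes to the block
 * device, so a page that was only altered in cache is not what comes back.
 * buf must be DIRECT_ALIGN-aligned and max a multiple of DIRECT_ALIGN; one
 * aligned read is issued and a short read means EOF. Returns -1 (errno set)
 * when the filesystem does not support O_DIRECT. */
ssize_t read_direct(const char *path, unsigned char *buf, size_t max) {
    int fd = open(path, O_RDONLY | O_DIRECT);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, max);
    int e = errno;
    close(fd);
    errno = e;
    return n;
}

/* 1 if the page-cache view of path differs from its on-disk contents,
 * 0 if they match, -1 if the comparison could not be made (errno set).
 * On 1, *offset_out receives the first differing offset. */
int page_cache_differs(const char *path, long *offset_out) {
    unsigned char *cached = NULL, *direct = NULL;
    if (posix_memalign((void **)&cached, DIRECT_ALIGN, MAX_BYTES) != 0) return -1;
    if (posix_memalign((void **)&direct, DIRECT_ALIGN, MAX_BYTES) != 0) { free(cached); return -1; }
    int rc = -1;
    ssize_t clen = read_cached(path, cached, MAX_BYTES);
    ssize_t dlen = read_direct(path, direct, MAX_BYTES);
    if (clen >= 0 && dlen >= 0) {
        long off = first_diff(cached, (size_t)clen, direct, (size_t)dlen);
        if (offset_out) *offset_out = off;
        rc = off >= 0 ? 1 : 0;
    }
    free(cached);
    free(direct);
    return rc;
}

int main(int argc, char **argv) {
    /* Default targets are the two files named in the writeup; extra paths may be given. */
    const char *defaults[] = { "/etc/passwd", "/usr/bin/su", "/bin/su" };
    int n = argc > 1 ? argc - 1 : 3;
    for (int i = 0; i < n; i++) {
        const char *p = argc > 1 ? argv[i + 1] : defaults[i];
        long off = -1;
        int r = page_cache_differs(p, &off);
        if (r == 1)       printf("%s: page cache differs from disk at offset %ld\n", p, off);
        else if (r == 0)  printf("%s: page cache matches disk\n", p);
        else              printf("%s: cannot compare (%s)\n", p, strerror(errno));
    }
    return 0;
}
```

Run it as root so su is readable, and treat "cannot compare" as a property of the filesystem rather than a clean result.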

CVE-2026-40466: Apache ActiveMQ Jolokia API HTTP Discovery Transport Authenticated RCE

This week we added coverage for CVE-2026-40466, an authenticated code injection vulnerability affecting multiple versions of Apache ActiveMQ Classic. This follows our coverage of the recently exploited CVE-2026-34197, for which CVE-2026-40466 is a patch bypass. CVE-2026-40466 has already made it onto VulnCheck's KEV list after VulnCheck's Canary network detected first-time exploitation on May 7, 2026. It is not yet on CISA KEV. Notably, we've seen exploit attempts for CVE-2026-34197 hit VulnCheck Canaries as recently as May 6, so it's likely we'll see more activity for CVE-2026-40466 as well. Our Shodan query reports nearly 3,000 internet-exposed ActiveMQ hosts at time of writing.

Coverage includes an exploit, ASM queries, network signatures, a YARA rule, PCAPs, and a Docker target.

CVE-2026-39813: Fortinet FortiSandbox Path Traversal Authentication Bypass

The team also delivered signatures, ASM queries, PCAPs, and an exploit for CVE-2026-39813 in FortiSandbox. The vulnerability lets an unauthenticated attacker invoke authenticated (but read-only) JRPC API calls on affected FortiSandbox instances, leaking sensitive system configuration. Current ASM queries estimate roughly 250 exposed devices. No in-the-wild exploitation has been reported yet.

CVE-2026-39808: Fortinet FortiSandbox JID Command Injection

The team also added a new exploit for CVE-2026-39808, an OS command injection flaw in FortiSandbox. Multiple government organizations and CERTs have released advisories regarding this trivially exploitable command injection vulnerability. It is not yet known to be exploited in the wild.

CVE-2026-27760: OpenCATS Installer Pre-Auth Remote Code Execution

The team developed an exploit for CVE-2026-27760, a critical pre-auth RCE vulnerability in OpenCATS, an open-source Applicant Tracking System. We confirmed exploitability on the most recent tagged release (0.9.7.4, 2024-04-23). A fix has since landed on the upstream default branch, but no release ships it yet, so anyone running the latest tagged release remains vulnerable until a new one is cut. No exploitation in the wild has been reported yet. Our Shodan query finds around 25 OpenCATS instances online, a small but high-value surface given the HR and recruiting data these systems hold. Our exploit comes with a target Docker container, PCAPs, Suricata, Snort, YARA and Sigma rules, and ASM queries.

CVE-2026-33439: OpenAM jato.clientSession Pre-Auth Java Deserialization RCE

The team developed an exploit for CVE-2026-33439, a critical unauthenticated remote code execution vulnerability in OpenIdentityPlatform OpenAM <= 16.0.5. The fix for an earlier vulnerability, CVE-2021-35464, hardened the sibling jato.pageSession parameter back in 2021 but missed jato.clientSession, leaving the public password-reset endpoints exposed to the same deserialization attack until 16.0.6. Public proof-of-concept code is available on GitHub, though no in-the-wild exploitation has been reported yet. Our exploit comes with PCAPs, Suricata and Snort rules, and ASM queries.

CVE-2023-1389: TP-Link Archer AX21 Unauthenticated Command Injection

This week, by customer request, the team added an exploit for CVE-2023-1389, an unauthenticated command injection vulnerability in TP-Link Archer AX21 (AX1800) routers prior to firmware version 1.1.4 Build 20230219. The vulnerability was first exploited in May 2023 and has since been observed in multiple botnet attacks. The team's exploit and PCAPs join our existing ASM queries and network rule coverage for this vulnerability. There are currently over 10,000 potentially vulnerable instances found on Shodan.

CVE-2022-50994: DrayTek Vigor mainfunction.cgi MOTP Unauthenticated Command Injection

While analyzing CVE-2021-42911 on a DrayTek Vigor 2960 at a customer's request, the team noticed that DrayTek had patched a command injection issue in 1.5.1.4 without assigning a CVE. The VulnCheck CNA team has since assigned this vulnerability CVE-2022-50994.

DrayTek Vigor routers have historically been a popular target for attackers, appearing on the CISA KEV catalog three separate times. They have been associated with Ethereal Panda and more generally linked to Chinese attackers by the NSA. A number of botnets are also known to exploit these routers, including Rustobot, Mirai, Moobot, Gafgyt, BotenaGo, Airashi, and Smargaft.

The team delivered an exploit, a vulnerable Docker container, PCAPs, a Suricata rule, and ASM queries. According to Censys, there are approximately 7,000 potentially vulnerable routers online.