Happy Friday! The following are the Initial Access Intelligence team's deliverables for the past week.
The team added ASM queries this week for CVE-2026-20182, a critical authentication bypass in the vdaemon service of Cisco Catalyst SD-WAN Controller, which Rapid7 disclosed on May 14. Per Cisco Talos, the vulnerability is being exploited in the wild by UAT-8616, the same threat actor attributed to exploitation of CVE-2026-20127, a similar vulnerability that has drawn interest from state-sponsored adversaries since its disclosure in February. The Talos blog also notes ongoing exploitation of, and corrects the PoC attribution for, several other SD-WAN vulnerabilities that VulnCheck's own researchers previously analyzed and clarified.
The team's Censys query finds approximately 2,000 Cisco Catalyst SD-WAN instances online. The team will continue working on exploits and signatures for this vulnerability next week.
The team added queries and network rules for CVE-2026-42945, which is (ostensibly) a heap buffer overflow affecting both NGINX Plus and NGINX Open Source. An unauthenticated attacker can crash the NGINX worker process by sending crafted HTTP requests; on servers with ASLR disabled — which of course is extremely unlikely — code execution is possible. A further caveat is that the target server has to be running a specific rewrite configuration to be vulnerable, so not every NGINX instance is exploitable. Our Censys query surfaces roughly 5.7M internet-exposed NGINX servers running a potentially vulnerable version, though the truly exploitable population is likely to be a much smaller subset of those. A public PoC is available, but the VulnCheck team classified it as a DoS given that ASLR must be disabled for the PoC to work.
The team developed an exploit for CVE-2026-42167, a pre-authentication SQL injection in ProFTPD's mod_sql logging path. A working public proof-of-concept has been available since disclosure on May 1, and ZeroPath estimates that at least 1% of publicly accessible ProFTPD instances are vulnerable to pre-authentication attacks. Our Shodan query returns roughly 615,000 ProFTPD banners on port 21 globally, which, based on that 1% figure, would put the pre-auth exploitable surface in the low thousands. No public threat intel feed has yet tagged a dedicated CVE-2026-42167 scanning or exploitation campaign, but the combination of a public PoC and a target count of this size makes opportunistic exploitation very likely — if it's not already underway. Our exploit comes with a target Docker container, PCAPs, Suricata and Snort rules, and a YARA rule.
The team developed an exploit for CVE-2024-37032, a pre-authentication remote code execution vulnerability in the popular local LLM runtime Ollama (disclosed by Wiz as "Probllama"). The CVE was added to VulnCheck KEV after Shadowserver observed in-the-wild exploitation; Shadowserver still sees regular exploit attempts, though, interestingly, no real-world incidents have yet been reported. Our Shodan query returns roughly 23,700 exposed Ollama instances globally; this is a high-value surface given the model weights, prompts, and chat histories these systems host. Our exploit comes with a target Docker container, a version scanner, PCAPs, Suricata and Snort rules, and a YARA rule.
The team developed an exploit for CVE-2026-23550, an authentication bypass plus unauthenticated plugin upload in the Modular Connector WordPress plugin (the companion plugin for the Modular DS managed-WordPress service). Patchstack documents active in-the-wild exploitation against 40k+ installs, and the vulnerability is on VulnCheck KEV. It is not yet on CISA KEV. Our exploit comes with a target Docker container, a version scanner, PCAPs, Suricata and Snort rules, and a YARA rule.
The team developed an exploit for CVE-2026-4257, a pre-authentication Twig server-side template injection in the Contact Form by Supsystic WordPress plugin through version 1.7.36. The vulnerability is fixed in plugin version 1.8.0, released 2026-03-26 with the changelog noting only "fixes for minor and critical vulnerabilities" rather than spelling out the CVE, so administrators who skipped that update remain exposed. The plugin has been downloaded over 640,000 times from WordPress.org and currently reports 6,000+ active installations. No dedicated CVE-2026-4257 scanning or exploitation campaigns have been reported yet, but the combination of a CVSS 9.8 unauthenticated RCE in a WordPress plugin and a public technical writeup makes opportunistic exploitation likely. Our exploit comes with a target Docker container, a version scanner, PCAPs, Suricata and Snort rules, and a YARA rule.
By customer request, the team developed an exploit for CVE-2022-24355, an unauthenticated remote code execution vulnerability in TP-Link's TL-WR940N consumer router. The bug was first disclosed via ZDI-22-265 in 2022. The CVE is not yet known to be exploited in the wild, though details are publicly available. Censys shows 2,400+ TL-WR940N routers currently internet-exposed. Our exploit comes with PCAPs, Suricata and Snort rules, and ASM queries.