Welcome to Initial Access Intelligence Fridays, exploit-maxxing edition. Below are the team's many, many deliverables for the past week.
This week, the team added an exploit for CVE-2026-20182, a critical authentication bypass in the vdaemon service of Cisco Catalyst SD-WAN Controller, disclosed on May 14 amid in-the-wild exploitation by UAT-8616. The vulnerability allows remote attackers to bypass authentication and obtain administrative privileges on an affected system. The team's Censys query, which found 2K+ SD-WAN instances online last week, now sees only about 400, meaning admins are (understandably) pulling these off the internet. Our exploit comes with a PCAP and ASM queries; no detection rules are supplied, because a rogue vHub that has joined the fabric cannot be told apart from a legitimate one using syslog or network traffic alone.
The team also shipped ASM queries for Drupal this week after CVE-2026-9082, a SQL injection that leads to information disclosure (and potentially privilege escalation or RCE), was disclosed in a release Drupal rated "highly critical" despite the vulnerability's medium-severity CVSS score. It was added to KEV lists on May 22 after Drupal updated its advisory to note in-the-wild exploitation attempts. Our Shodan query finds 29K+ Drupal instances on the public internet. The team will continue working on an exploit for this vulnerability next week.
The team developed an exploit for CVE-2026-39842, a critical (CVSS 9.9) post-authentication RCE in the rules engine of OpenRemote, an open-source IoT platform. The shipped openremote/manager Docker image runs as root, and an out-of-the-box 1.21.0 deployment ships default credentials for the master-realm Keycloak admin account, which holds the privilege needed to reach the vulnerable path; on an untouched install the practical effect is therefore RCE as root with nothing more than the default credentials. Our Shodan query returns single-digit hits at the time of writing, consistent with a niche open-source IoT platform that has no dominant managed-service offering, so the exposed surface at scale stays narrow compared to a typical web-panel CVE. No exploitation has been reported yet. Our exploit comes with queries, a target Docker container, a version scanner, encrypted and unencrypted PCAPs, and Suricata, Snort, and YARA rules.
The team developed an exploit for CVE-2025-67888, a pre-authentication OS command injection in Control Web Panel (CWP, formerly CentOS Web Panel). The CWP service runs as root in stock installs, so successful exploitation yields root; the vulnerable path is reachable only if either Softaculous or SitePad has been installed through CWP's Scripts Manager. Our Shodan query has historically tracked on the order of 200K+ internet-exposed CWP instances. No exploitation has been reported yet, but CWP has a documented exploitation history: CVE-2022-44877 drew active scanning within weeks of disclosure, and CVE-2025-48703 began seeing exploitation in August 2025. Our exploit comes with ASM queries, a version scanner, PCAPs, and Suricata and Snort rules.
The team developed an exploit for CVE-2026-27966, an arbitrary code execution vulnerability in Langflow, a popular platform for building AI workflows. Langflow's CSV Agent node hardcodes allow_dangerous_code=True, which unconditionally exposes LangChain's Python REPL tool and so turns the node into a path to RCE on the Langflow host. Versions 1.6.0 to 1.8.0rc2 are affected. Langflow also ships with its auto-login feature enabled by default, which makes the attack more likely to succeed on an unhardened install. Our Shodan query finds more than 67K Langflow hosts exposed on the public internet; the vulnerability is not yet known to be exploited in the wild.
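Because the affected range above ends on a pre-release tag, a naive string comparison will misjudge it (1.8.0 sorts before 1.8.0rc2 lexically). The following is an added example of a version-range check for that range, written for this post; it is not VulnCheck's version scanner and not Langflow code. It assumes the range is inclusive at both ends, exactly as the post words it, treats anything newer than 1.8.0rc2 as "outside range" rather than "fixed" because the post does not name the fixed release, and the JSON shape {"version": "..."} it interprets is an assumed response body rather than something taken from the post.

```python
"""Version-range check for the Langflow range quoted above (1.6.0 through 1.8.0rc2).

Added example, not VulnCheck's scanner and not Langflow code. Assumptions: the range
is inclusive at both ends; versions above 1.8.0rc2 are "outside range", not "fixed";
the JSON shape {"version": "..."} handled by classify_version_response() is assumed.
"""
import json
import re
from typing import Optional, Tuple

# Pre-release tags sort before the final release: 1.8.0a1 < 1.8.0b1 < 1.8.0rc2 < 1.8.0.
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL_RANK = 3
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:\.?(a|b|rc)(\d+))?$", re.IGNORECASE)

VersionKey = Tuple[int, int, int, int, int]

AFFECTED_LOW = "1.6.0"
AFFECTED_HIGH = "1.8.0rc2"


def parse_version(text: str) -> Optional[VersionKey]:
    """Turn '1.8.0rc2' into a sortable tuple; None if it is not X.Y.Z with an optional a/b/rc tag."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, tag, num = m.groups()
    if tag is None:
        return (int(major), int(minor), int(patch), _FINAL_RANK, 0)
    return (int(major), int(minor), int(patch), _PRE_RANK[tag.lower()], int(num))


def is_in_affected_range(version: str, low: str = AFFECTED_LOW, high: str = AFFECTED_HIGH) -> Optional[bool]:
    """True if low <= version <= high, False if outside, None if the string is unparseable.

    A plain string comparison gets this wrong twice over ("1.10.0" < "1.6.0" and
    "1.8.0" < "1.8.0rc2"), which is why the tuple key exists.
    """
    key = parse_version(version)
    if key is None:
        return None
    return parse_version(low) <= key <= parse_version(high)


def classify_version_response(body: str) -> dict:
    """Interpret a version-endpoint body (assumed shape: {"version": "1.7.2"}) into a verdict.

    Returns {"version": str|None, "affected": True|False|None, "reason": str}. An
    unparseable body or version yields affected=None so a caller treats the host as
    "unknown" instead of silently reporting it as safe.
    """
    try:
        version = json.loads(body).get("version")
    except (ValueError, AttributeError):
        return {"version": None, "affected": None, "reason": "body is not a JSON object"}
    if not isinstance(version, str):
        return {"version": None, "affected": None, "reason": "no version string in body"}
    verdict = is_in_affected_range(version)
    if verdict is None:
        reason = "version string not understood"
    elif verdict:
        reason = f"{version} is within {AFFECTED_LOW}..{AFFECTED_HIGH}"
    else:
        reason = f"{version} is outside {AFFECTED_LOW}..{AFFECTED_HIGH}"
    return {"version": version, "affected": verdict, "reason": reason}


# Constructed sample bodies, not real scan output.
SAMPLE_BODIES = [
    '{"version": "1.7.2"}',       # inside the range
    '{"version": "1.8.0rc2"}',    # the upper bound itself
    '{"version": "1.8.0"}',       # final release, sorts after rc2
    '{"version": "1.5.1"}',       # older than the range
    '{"version": "1.8.0.dev3"}',  # dev tag is not modelled, reported as unknown
    "not json at all",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(classify_version_response(body))
```

The "unknown" verdict is deliberate: a scanner that maps every parse failure to "not affected" will quietly under-report hosts running dev builds or nonstandard version strings.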
The team developed an exploit for CVE-2026-43284, nicknamed "DirtyFrag", a Linux kernel bug in the IPsec packet-handling code that lets an unprivileged local user become root. The vulnerability is in the same family as "Fragnesia" (CVE-2026-46300, below) and the recently covered Copy Fail (CVE-2026-31431). CVE-2026-43284 was added to VulnCheck KEV on May 11, 2026. Like our Copy Fail exploit, VulnCheck's implementation for CVE-2026-43284 is non-destructive: disk content is never touched, and the change does not survive a reboot or a cache flush. As with other page-cache-poisoning bugs, detection at the network or host-log layer is not viable; runtime kernel telemetry remains the best control surface.
The team developed an exploit for CVE-2026-46300, "Fragnesia", a high-severity Linux kernel vulnerability that lets any logged-in, unprivileged user gain full root access on the system. It is one of the three recently disclosed Linux kernel LPEs in the DirtyFrag family. It affects most current Linux distributions in their default configurations; Ubuntu 23.10, 24.04 and later are not affected by default thanks to additional sandboxing controls. No exploitation has been reported to date.
The team added an exploit for CVE-2025-60021, a critical remote command injection vulnerability in Apache bRPC that Qilin ransomware affiliates have reportedly used for initial access. Exploitation requires jemalloc to be preloaded, memory profiling to be enabled, and the endpoint to be exposed. CISA KEV does not list this vulnerability, but it has been on VulnCheck KEV since May 1, 2026. Our FOFA query identifies nearly 900 potentially exposed instances online. Coverage includes an exploit with reverse-shell and custom-command support, Suricata and Snort signatures, a vulnerable Docker container, and FOFA and ZoomEye ASM queries. Shodan and Censys are excluded, as they do not appear to index the bRPC HTML content properly and therefore return no results.
Per customer request, the team added an exploit for CVE-2023-27997, a heap overflow in the SSL-VPN component of multiple versions of Fortinet's FortiOS. The vulnerability, nicknamed "XORtigate", grants unauthenticated RCE and was disclosed as a zero-day in June 2023. It remains of interest to attackers: in March 2026, Fortgale reported exploitation in a coordinated campaign as recently as February. CVE-2023-27997 has been used by threat actor groups including Ethereal Panda, Pioneer Kitten, and Silent Chollima. Our Shodan query currently shows ~250K FortiOS SSL-VPN instances on the public internet. Coverage includes an exploit, additional ASM queries, and PCAPs; these join the network signatures added in a prior release.
The team also added an exploit for CVE-2022-46364, an unauthenticated server-side request forgery in Apache CXF, a Java web-services framework widely embedded in enterprise software. The flaw lets an attacker coerce a vulnerable CXF server into fetching arbitrary URLs and leaking the responses back. In real deployments, that means reading sensitive files off the server, reaching internal services, or retrieving temporary credentials from cloud environments. Any exposed CXF web service that accepts a parameter (i.e., almost all of them) is reachable. Every public PoC released for this CVE to date works only against a single demo service and has to be hand-edited for any other target; VulnCheck's exploit inspects the target's service definition at runtime and adapts to whatever service is running, so the same binary works against arbitrary CXF deployments. Our ZoomEye query finds more than 2,300 CXF instances exposed to the public internet.
Coverage includes an exploit, a target Docker container, encrypted and unencrypted PCAPs, Suricata and Snort rules, a YARA rule, and ASM queries.
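For readers who want a host- or proxy-side check to go with the CXF item above, here is an added example (not VulnCheck's signature and not code from the CXF project) that flags MTOM requests whose xop:Include href points anywhere other than an attached MIME part. The trigger it keys on, an attacker-controlled href on xop:Include in an MTOM request, comes from the upstream Apache CXF advisory for CVE-2022-46364 rather than from this post. The SOAP envelopes are constructed, the service namespace in them is invented, and the check assumes the caller has already pulled the XML root part out of the multipart/related body.

```python
"""Flag MTOM/XOP requests whose xop:Include href would make the server fetch a URL.

Added example for CVE-2022-46364, not VulnCheck's signature and not CXF code. The
mechanism (xop:Include href in an MTOM request) is from the upstream CXF advisory;
the sample envelopes below are constructed, and the service namespace is invented.
"""
import re
import xml.etree.ElementTree as ET
from typing import List
from urllib.parse import urlsplit

XOP_NS = "http://www.w3.org/2004/08/xop/include"
# A legitimate MTOM attachment is referenced by Content-ID. Any other scheme (http,
# https, file, ...) asks the server to go and fetch something, which is the bug.
ALLOWED_SCHEMES = {"cid"}

# Used only when the XML does not parse: an attacker can send a deliberately broken
# envelope, and a check that bails out on ParseError would fail open.
_HREF_FALLBACK = re.compile(
    r"<\s*[\w.-]*:?Include\b[^>]*?\bhref\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE
)


def xop_hrefs(envelope: bytes) -> List[str]:
    """Return every href carried by an xop:Include element, in document order."""
    try:
        root = ET.fromstring(envelope)
    except ET.ParseError:
        return _HREF_FALLBACK.findall(envelope.decode("utf-8", errors="replace"))
    return [el.get("href", "") for el in root.iter(f"{{{XOP_NS}}}Include")]


def suspicious_hrefs(envelope: bytes) -> List[str]:
    """hrefs whose scheme is not cid:, i.e. references the server would resolve over the network or filesystem."""
    flagged = []
    for href in xop_hrefs(envelope):
        scheme = urlsplit(href.strip()).scheme.lower()
        if scheme not in ALLOWED_SCHEMES:
            flagged.append(href)
    return flagged


# Constructed sample: one legitimate attachment reference, two hostile ones
# (cloud metadata service and a local file).
SAMPLE_ENVELOPE = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:xop="http://www.w3.org/2004/08/xop/include">
  <soap:Body>
    <ns:echo xmlns:ns="http://example.invalid/svc">
      <ns:data><xop:Include href="cid:part1@example.invalid"/></ns:data>
      <ns:data><xop:Include href="http://169.254.169.254/latest/meta-data/iam/security-credentials/"/></ns:data>
      <ns:data><xop:Include href="file:///etc/passwd"/></ns:data>
    </ns:echo>
  </soap:Body>
</soap:Envelope>"""

# Constructed sample: a benign request that should produce no findings.
BENIGN_ENVELOPE = b"""<a xmlns:xop="http://www.w3.org/2004/08/xop/include">
  <xop:Include href="cid:blob@example.invalid"/>
</a>"""

# Constructed sample: unbound prefix and no closing tag, so ET rejects it and the
# regex fallback has to do the work.
MALFORMED_REQUEST = b'<soap:Body><xop:Include href="http://10.0.0.1/"/>'

if __name__ == "__main__":
    for name, env in [("sample", SAMPLE_ENVELOPE), ("benign", BENIGN_ENVELOPE), ("malformed", MALFORMED_REQUEST)]:
        print(name, suspicious_hrefs(env))
```

An empty or relative href is also flagged, since it is not a cid: reference either; tune ALLOWED_SCHEMES if a deployment legitimately uses something else. The usual caveat for this class of check applies: it sees only what reaches it in clear text, so it belongs on the TLS-terminating side of the service, not on a passive tap of encrypted traffic.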