New exploits for Citrix NetScaler, Cisco SD-WAN Manager, NVIDIA GEN3C, LiteLLM, and many, many more. Fresh signatures for Broadcom VMware vCenter Server.

Happy Friday! The Initial Access Intelligence team is celebrating summer by shipping a boat-load of new exploits and related artifacts. Below are the team's deliverables for the past week.

CVE-2026-8451: Citrix NetScaler SAML IDP Memory Overread

This week, the team developed an exploit for CVE-2026-8451, a pre-authentication memory disclosure vulnerability in Citrix NetScaler ADC and NetScaler Gateway, the latest entry in the "CitrixBleed" family. An unauthenticated attacker can send a single malformed request that prompts the appliance to leak a chunk of its memory in response, potentially exposing session tokens and other secrets. The target NetScaler must be configured as a SAML Identity Provider (IdP) to be exploitable. The vuln was added to VulnCheck on July 1, 2026; it is not yet on CISA KEV. The team's Censys query finds 81K potentially vulnerable internet-facing NetScaler devices. Coverage includes PCAPs, detection rules, and ASM queries.

CVE-2026-20245: Cisco Catalyst SD-WAN Manager tenant-upload Command Injection LPE

The team added an exploit for CVE-2026-20245, a vulnerability in the CLI of Cisco Catalyst SD-WAN Manager that allows an authenticated, local attacker to execute arbitrary commands as root. Cisco Catalyst SD-WAN remains a high-value enterprise target given its role in managing distributed network fabrics, and our Censys query identifies over 6K internet-exposed instances. Our coverage includes an exploit with reverse shell and arbitrary command (run-as-root) payload options, along with a PCAP and ASM queries.

CVE-2026-53805: NVIDIA GEN3C Unauthenticated Pickle Deserialization RCE

The team shipped an exploit for CVE-2026-53805, an unauthenticated remote code execution in NVIDIA GEN3C (3D-consistent image and video generation) discovered and disclosed by our own Chocapikk. GEN3C is vulnerable to pickle deserialization without authentication, allowing for arbitrary code execution as the inference process. GEN3C runs on GPU hosts that are typically reached over an SSH tunnel or an internal network, so exploitation is an unauthenticated foothold on expensive ML infrastructure wherever the API is network-reachable. The vulnerability isn't yet known to be exploited. Full details are available in our disclosure blog. Our exploit ships with encrypted and unencrypted PCAPs, a Docker target, and Suricata and Snort rules.

CVE-2026-58455: Notifiarr Dockwatch Unauthenticated OS Command Injection RCE

The team developed an exploit for CVE-2026-58455, an unauthenticated OS command injection leading to remote code execution in Dockwatch, Notifiarr's self-hosted Docker management WebUI. VulnCheck assigned this CVE based on a report from researcher rayyb0t. Because a normal Dockwatch deployment is handed the host's Docker socket, code execution inside the container is a direct path onto the host's Docker, making an exposed instance a high-impact foothold. Our Shodan query identifies a single-digit number of exposed instances online. No in-the-wild exploitation has been reported yet.

Our exploit ships with a Docker target, encrypted and unencrypted PCAPs, Suricata and Snort rules, and ASM queries.

CVE-2026-23744: MCPJam Inspector Unauthenticated Remote Code Execution

The team added an exploit for CVE-2026-23744, an unauthenticated remote code execution in MCPJam Inspector, which is a developer tool for testing and debugging MCP servers. Through v1.4.2 it binds its HTTP API to 0.0.0.0 rather than 127.0.0.1, so any host on the network can reach an endpoint that runs commands as the Inspector process. As a local debugging tool, it is rarely internet-facing (our Shodan query returns no exposed hosts), but the 0.0.0.0 bind turns any shared or untrusted network into an RCE path against a developer's machine — a growing concern as MCP tooling spreads. The team has not yet observed any evidence of in-the-wild exploitation.

Our exploit ships with PCAPs, a Docker target, Suricata and Snort rules, and ASM queries.

CVE-2026-40217: LiteLLM Internal User to Proxy Admin to Custom Code Guardrail RCE Chain

The team developed an exploit for CVE-2026-40217, the last stage of a three-bug chain (with CVE-2026-47101 and CVE-2026-47102) that turns a low-privilege internal_user virtual key in LiteLLM, BerriAI's widely deployed LLM gateway, into remote code execution as root on the gateway host. The chain escalates a basic key to proxy_admin and then runs attacker code through the custom-code guardrail, so in a shared or multi-tenant deployment any holder of a low-privilege key can take full control of the gateway and the model credentials it brokers. No in-the-wild exploitation has been reported yet.

Our exploit ships with a version scanner, PCAPs, a Docker target, Suricata and Snort rules, and a YARA rule.

CVE-2026-0766: Open WebUI Tool Creation Command Injection

The team also added an exploit for CVE-2026-0766, a post-authentication command injection in Open WebUI, an open-source AI platform that provides a ChatGPT-like GUI. It features a tools plugin system that allows users to submit Python code, which is executed without any validation, sanitization, or sandboxing of any kind in the back-end worker process. The official Open WebUI Dockerfile also defaults to running the service as root. This issue is considered "by design," with no fix planned. Our Shodan query finds 5,800+ Open WebUI instances on the public internet. No exploitation has been reported yet, but a larger internet-facing footprint means that's likely to change.

Our coverage includes queries, a Docker target, PCAPs, and Snort and Suricata rules.

CVE-2026-39987: CoreWeave Marimo Unauthenticated Terminal WebSocket RCE

The team shipped an exploit for CVE-2026-39987, a pre-authentication remote code execution vulnerability in CoreWeave Marimo, an open-source reactive notebook platform for Python. This vulnerability was observed being exploited in the wild just 10 hours after disclosure, per Sysdig. The vuln also made VulnCheck's 2026 Routinely Targeted Vulnerabilities list as a result of its usage in threat and botnet campaigns. Our Censys query shows more than 5K instances exposed.

Our coverage includes a version scanner, a target Docker container, PCAPs, and Suricata and Snort rules.

CVE-2021-32824: Apache Dubbo Telnet JNDI Injection

The team developed an exploit for CVE-2021-32824, a pre-authentication remote code execution vulnerability in Apache Dubbo, an open-source Java RPC framework. The vulnerability was disclosed by GitHub Security Lab in 2021, but no CVE was published until January 2023; to date, there has been no reported exploitation. Our exploit ships with a version scanner, a target Docker container, a PCAP, and network rules.

CVE-2023-34048: VMware vCenter Server DCE/RPC Pre-Auth Out-of-Bounds Write (Signatures Only)

By customer request, the team added detection coverage for CVE-2023-34048, an unauthenticated out-of-bounds write in the DCE/RPC service shared by VMware vCenter Server's directory and certificate services. An attacker on the network can send a single malformed packet to crash the affected service before any login, taking down a core component of the virtualization management stack and potentially leading to remote code execution. The bug was exploited in the wild as a zero-day by the China-nexus espionage group UNC3886, which used it as part of a broader campaign against VMware environments. Notably, no public proof-of-concept for this vulnerability has ever been published, leaving defenders with little to detect against until now.

Coverage includes a PCAP and Suricata and Snort rules.