Core Impact Exploit Library Additions
One of Core Impact’s most valuable features is its certified exploit library, maintained by a team (formerly Core Labs) within the Fortra Intelligence & Research Experts (FIRE) group. This team conducts in-depth research to evaluate and prioritize the most critical vulnerabilities, ensuring the library is updated with high-impact, reliable exploits that enable pen testers to use the same techniques as modern real-world threats.
While you can keep track of new releases through our exploit mailing list, our quarterly blogs provide a more detailed summary of recent additions to the library.
This list highlights the depth of our H2 work and reflects how much the team has accomplished, and that’s without July, which was included in the previous exploit recap. You can check out all the H2 exploits in the Q1 blog and Q2 blog.
CVE-2025-55182: React Server Components React2Shell Deserialization Vulnerability Remote Code Execution Exploit
Authors: Marcos Accossatto and Daniel De Luca (QA)
CVSS: 10.0 CRITICAL
CVE Reference: CVE-2025-55182
Key Vulnerability Details
- A pre-authentication remote code execution vulnerability exists in React Server Components that allows unauthenticated attackers to execute arbitrary code on the server by exploiting insecure deserialization in the React Server Components Flight protocol
- The vulnerability stems from the Flight protocol's failure to properly validate incoming payload structures, allowing prototype pollution and manipulation of server-side JavaScript execution paths
- Affected packages include react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack in React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0
- Classified as Deserialization of Untrusted Data (CWE-502), with prototype pollution (CWE-1321) as the underlying exploitation mechanism
Exploitation Impact and Mitigation
- Successful exploitation enables attackers to execute arbitrary JavaScript code with server process privileges, potentially leading to full system compromise, credential harvesting, data exfiltration, lateral movement, and deployment of persistent backdoors or cryptocurrency miners
- Patches have been released in versions 19.0.1, 19.1.2, and 19.2.1 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack
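One practical check on the defender's side is to confirm that no lockfile in a build pins one of the three affected packages to a vulnerable release. The script below is an added example, not Core Impact or React project code. It assumes an npm package-lock.json in lockfileVersion 2 or 3 layout (a "packages" map keyed by node_modules path) and generalises the page's version lists into a rule: any 19.x release below the fixed version of its minor line (19.0.1, 19.1.2, 19.2.1) is treated as affected. The lockfile excerpt embedded at the bottom is constructed for the demonstration.

```python
"""Flag React Server Components packages affected by CVE-2025-55182 in an npm lockfile.

Added example (not Core Impact or React project code). Assumes an npm
package-lock.json in lockfileVersion 2 or 3 format. The affected rule is a
generalisation of the page's version lists: a 19.x release is treated as
vulnerable when it is below the fixed version of its minor line.
"""
import json
import re
from typing import Dict, List, Tuple

# Packages named on the page as affected.
AFFECTED_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}

# Fixed version per minor line, from the published patched releases.
FIXED_BY_MINOR: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (19, 0): (19, 0, 1),
    (19, 1): (19, 1, 2),
    (19, 2): (19, 2, 1),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch). Pre-release and build suffixes are ignored,
    so a 19.0.0-rc build is judged by its numeric part (assumption)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> bool:
    """True when the version sits in a 19.x line with a listed fix and precedes it."""
    parsed = parse_version(version)
    fixed = FIXED_BY_MINOR.get(parsed[:2])
    if fixed is None:
        return False  # other majors, or 19.x lines with no listed fix, are not flagged
    return parsed < fixed


def scan_lockfile(lock_json: str) -> List[Tuple[str, str, str]]:
    """Return (package, installed_version, fixed_version) for each vulnerable entry.

    Nested installs such as node_modules/next/node_modules/<pkg> are covered
    because the name is taken from the last node_modules path component."""
    lock = json.loads(lock_json)
    findings: List[Tuple[str, str, str]] = []
    for path, meta in lock.get("packages", {}).items():
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version")
        if name in AFFECTED_PACKAGES and version and is_vulnerable(version):
            fixed = FIXED_BY_MINOR[parse_version(version)[:2]]
            findings.append((name, version, ".".join(map(str, fixed))))
    return findings


# Constructed lockfile excerpt for the demonstration (not a real project).
SAMPLE_LOCK = json.dumps({
    "name": "shop",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "shop", "version": "1.0.0"},
        "node_modules/react": {"version": "19.1.1"},
        "node_modules/react-server-dom-webpack": {"version": "19.1.1"},
        "node_modules/react-server-dom-parcel": {"version": "19.2.1"},
        "node_modules/next/node_modules/react-server-dom-turbopack": {"version": "19.0.0"},
    },
})

if __name__ == "__main__":
    for name, installed, fixed in scan_lockfile(SAMPLE_LOCK):
        print(f"{name} {installed} is affected; upgrade to {fixed} or later")
```

Running the block against a real lockfile only needs `scan_lockfile(open("package-lock.json").read())`; note that a clean lockfile says nothing about a bundled server build that vendors the package, so the check belongs in CI next to the dependency install, not as the only control.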
Attacks in the Wild
- This vulnerability has been actively exploited in the wild since December 2025, including exploitation attributed to China state-nexus threat groups and varied attack types, including botnets and cryptocurrency miners
- CISA has added this vulnerability to the Known Exploited Vulnerabilities Catalog
Exploitation Mechanism
- The exploit module first sends a crafted RSC Flight payload to the given endpoint to check if the target is vulnerable.
- If the target is vulnerable, an OSCI agent is deployed, and the vulnerability is used again with a payload that deploys an in-memory webshell.
- The in-memory webshell can be used later by the OSCI agent to execute OS commands or deploy a network agent.
- The deployed agent will run with the same privileges as the web application.
CVE-2025-59287: Microsoft Windows Server Update Service (WSUS) Deserialization Remote Code Execution Vulnerability
Authors: Esteban Kazimirow and Nahuel González (QA)
CVSS: 9.8 CRITICAL
Reference: CVE-2025-59287
Key Vulnerability Details
- A critical remote code execution vulnerability exists in Microsoft Windows Server Update Services (WSUS) due to unsafe deserialization of AuthorizationCookie, enabling unauthenticated attackers to execute arbitrary code with SYSTEM privileges
- Affected versions include Microsoft Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, and Windows Server 2025 where the WSUS Server Role is enabled
- Classified as Deserialization of Untrusted Data (CWE-502)
Exploitation Impact and Mitigation
- Successful exploitation grants unauthenticated attackers SYSTEM-level code execution on the WSUS server, which can be leveraged to deploy persistent webshells, execute reconnaissance commands, pivot laterally through the network, and potentially poison the update supply chain by pushing malicious packages to managed endpoints
- Microsoft released security patches addressing this vulnerability in an out-of-band update in October 2025
- CISA has issued an alert strongly urging organizations to implement the update
Attacks in the Wild
- CVE-2025-59287 has been actively exploited in the wild since October 2025, with Dutch National Cyber Security Centre (NCSC) reporting observed attack chains leveraging exposed WSUS endpoints to send specially crafted requests
- CISA has added this vulnerability to the Known Exploited Vulnerabilities Catalog
Exploitation Mechanism
- The exploit module retrieves the ServerID via a SOAP request to the ReportingWebService.
- It then obtains an authorization cookie and a reporting cookie.
- The module then constructs and sends a malicious event payload and checks the server's response to confirm success.
- The deployed agent will run with SYSTEM privileges.
CVE-2025-33073: Microsoft Windows SMB Client DNS Injection Remote Exploit
Authors: Fernando Páez Barceló, Nahuel González (QA), and Daniel De Luca (QA)
CVSS: 8.8 HIGH
Reference: CVE-2025-33073
Key Vulnerability Details
- An improper access control vulnerability exists in the Microsoft Windows SMB Client that enables an authenticated remote attacker to execute arbitrary commands with SYSTEM privileges through NTLM reflection bypass
- The vulnerability exploits a logical flaw in how Windows handles NTLM authentication when coerced with specially crafted DNS records, tricking the SMB client into performing local authentication and bypassing longstanding NTLM reflection mitigations
- Affected platforms include Windows 10, Windows 11, Windows Server 2012, 2012 R2, 2016, 2019, 2022, and Windows Server 2025
- Classified as Improper Access Control (CWE-284)
Exploitation Impact and Mitigation
- Successful exploitation enables an authenticated attacker to escalate privileges to SYSTEM level, potentially leading to full system compromise, credential harvesting, lateral movement, malware deployment, and complete domain takeover in Active Directory environments
- Microsoft released patches addressing this vulnerability as part of a June 2025 Patch Tuesday security update
Attacks in the Wild
- This vulnerability has been actively exploited in the wild since October 2025
- CISA has added this vulnerability to the Known Exploited Vulnerabilities Catalog
Exploitation Mechanism
- The exploit module injects a malicious DNS record, localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA, into the domain controller via LDAP, pointing it at the attacker's IP address.
- An NTLM relay server (ntlmrelayx) is started on the tester’s system, waiting for SMB authentication attempts from the target.
- The module uses RPC coercion techniques to force the victim system to authenticate to the attacker-controlled DNS name.
- The crafted DNS record containing marshalled target information causes the Windows SMB client to interpret the connection as a local authentication request, bypassing NTLM reflection mitigations.
- The ntlmrelayx server relays the captured SYSTEM-level authentication back to the victim and installs an agent with SYSTEM privileges on the target system.
CVE-2025-55680: Microsoft Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
Authors: Cristian Rubio and Daniel De Luca (QA)
CVSS: 7.8 HIGH
Reference: CVE-2025-55680
Key Vulnerability Details
- An elevation of privilege vulnerability exists in the Windows Cloud Files Mini Filter Driver (cldflt.sys) that allows a locally authenticated attacker with standard user privileges to execute arbitrary code with SYSTEM privileges
- The vulnerability resides in the placeholder file creation call chain, where the driver validates a pathname to prevent symbolic link attacks but performs the actual file operation later, allowing an attacker to modify the path string between validation and use
- Impacted platforms include multiple editions and versions of Microsoft Windows 10, Windows 11, and Windows Server
- Classified as Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
Exploitation Impact and Mitigation
- Successful exploitation enables a low-privileged, authenticated attacker to bypass file write protections and create arbitrary files in protected system directories with kernel-level privileges, leading to full SYSTEM compromise through DLL side-loading techniques. This could result in complete system takeover, data breaches, and malware deployment
- Microsoft released a patch for this vulnerability as part of an October 2025 Patch Tuesday security update
Attacks in the Wild
- No major attacks have been reported at this time
Exploitation Mechanism
- Start RasMan service.
- Create sync root directory.
- Create junction directory.
- Create target junction and symlink.
- Register sync root.
- Create threads to exploit race condition and detect exploitation.
- Trigger race condition.
- Write the Core Impact agent and execute it.
CVE-2025-24990: Microsoft Windows Agere Modem Driver Elevation of Privilege Vulnerability
Authors: Cristian Rubio and Daniel De Luca (QA)
CVSS: 7.8 HIGH
Reference: CVE-2025-24990
Key Vulnerability Details
- An elevation of privilege vulnerability exists in the Windows Agere Modem Driver (ltmdm64.sys) that enables a locally authenticated attacker with standard user privileges to execute arbitrary code with SYSTEM privileges
- The vulnerability exists due to improper handling of user-mode to kernel-mode transitions, allowing attackers to supply kernel addresses to the DeviceIoControl API
- Affected platforms include Windows, Windows 11, Windows Server 2008 through Windows Server 2025, and all Server Core installations
- Classified as Untrusted Pointer Dereference (CWE-822)
Exploitation Impact and Mitigation
- Successful exploitation allows an attacker to gain full administrative privileges on the affected system, enabling access, modification, or deletion of critical system data, installation of malware with administrative rights, disabling of security controls including Endpoint Detection and Response (EDR) solutions, and complete system compromise
- Security researchers have noted the exploitation may be particularly attractive for Bring Your Own Vulnerable Driver (BYOVD) attacks targeting EDR evasion since the vulnerable driver is present on all Windows systems by default
- Microsoft removed the ltmdm64.sys driver entirely in the October 2025 cumulative update rather than issuing an in-place patch
Attacks in the Wild
- This vulnerability was classified as a zero-day and has been actively exploited in the wild prior to patch availability
- CISA has added this vulnerability to the Known Exploited Vulnerabilities Catalog
Exploitation Mechanism
- The exploit module starts by leaking the address of the current process.
- It then leaks the address of the System process.
- The address of the I/O ring is leaked.
- The vulnerability is triggered to overwrite IoRing->RegBuffersCount.
- The vulnerability is triggered again to overwrite IoRing->RegBuffers.
- The address of the System process token is leaked using the I/O ring.
- The current process token is overwritten with the System process token using the I/O ring.
- The IoRing->RegBuffersCount is reset to 0.
- The Core Impact agent is injected into an elevated process.
CVE-2025-20333, CVE-2025-20362: Cisco Secure ASA and FTD VPN Web Server Authentication Bypass and Remote Code Execution Vulnerability Chain
Authors: Marcos Accossatto and Daniel De Luca (QA)
CVSS:
CVE-2025-20333: 9.9 CRITICAL
CVE-2025-20362: 6.5 MEDIUM
Reference: CVE-2025-20333, CVE-2025-20362
Key Vulnerability Details
- CVE-2025-20333 — A remote code execution vulnerability in the VPN web server of Cisco Secure Firewall ASA and FTD Software that allows authenticated attackers to execute arbitrary code with root privileges via crafted HTTP(S) requests
- CVE-2025-20362 — An authentication bypass vulnerability in the same VPN web server component that enables unauthenticated, remote attackers to access restricted URL endpoints that would otherwise require authentication
- When chained together, these vulnerabilities allow unauthenticated remote code execution, enabling complete device compromise
- Affected platforms include Cisco ASA Software releases 9.12 through 9.23 and Cisco FTD Software releases 7.0 through 7.7 with remote access VPN features enabled
- CVE-2025-20333 is classified as Buffer Overflow (CWE-120); CVE-2025-20362 is classified as Missing Authorization (CWE-862)
Exploitation Impact and Mitigation
- Successful exploitation enables unauthenticated remote attackers to chain the authentication bypass (CVE-2025-20362) with the RCE vulnerability (CVE-2025-20333) to execute arbitrary code as root, resulting in complete device takeover
- Cisco released patches in November 2025
Attacks in the Wild
- Both vulnerabilities were exploited as zero-days, delivering malware such as RayInitiator and LINE VIPER
- In November 2025, Cisco identified a new attack variant causing unpatched devices to unexpectedly reload, resulting in denial of service conditions
Exploitation Mechanism
- The exploit module first checks if the target is vulnerable to the authentication bypass (CVE-2025-20362) by sending crafted HTTP requests to restricted VPN-related URL endpoints.
- If the target is vulnerable, the module exploits the path traversal flaw in CVE-2025-20362 to bypass authentication checks and gain access to protected endpoints without valid credentials.
- The module then leverages the authenticated session to send malicious HTTP(S) requests that trigger the buffer overflow vulnerability (CVE-2025-20333) in the VPN web server's input validation routines.
- The crafted payload causes memory corruption, enabling arbitrary code execution with root privileges on the target device.
- In the denial of service variant, the exploit causes the device to unexpectedly reload, disrupting VPN services and network connectivity.
CVE-2025-54236: Adobe Commerce and Magento Open Source SessionReaper Unauthenticated Remote Code Execution Vulnerability
Authors: Marcos Accossatto and Nahuel González (QA)
CVSS: 9.1 CRITICAL
Reference: CVE-2025-54236
Key Vulnerability Details
- A nested deserialization vulnerability exists in the Magento\Framework\Session\SessionManager class that allows unauthenticated attackers to achieve customer account takeover or remote code execution via the Commerce REST API
- The vulnerability occurs due to improper input validation in the ServiceInputProcessor.php handling of API objects, allowing attackers to inject malicious serialized data through the $sessionConfig variable
- Affected versions include Adobe Commerce 2.4.9-alpha2 and earlier, Adobe Commerce B2B 1.5.3-alpha2 and earlier, and Magento Open Source 2.4.9-alpha2 and earlier across all supported version branches
- Classified as Improper Input Validation (CWE-20)
Exploitation Impact and Mitigation
- Successful exploitation allows unauthenticated attackers to hijack customer sessions and, when file-based session storage is in use, achieve full remote code execution with the ability to upload PHP webshells, exfiltrate customer data, and deploy payment skimmers
- Adobe released an emergency hotfix (VULN-32437-2-4-X-patch) in September 2025, and the regular security patch was released in October 2025
Attacks in the Wild
- This vulnerability has been actively exploited since October 2025, with automated campaigns hitting over 50% of all Magento stores globally
- CISA has added this vulnerability to the Known Exploited Vulnerabilities Catalog
Exploitation Mechanism
- The exploit module uploads a PHP script in the /pub/media/customer_address/s/e directory of the web application using the /customer/address_file/upload endpoint. The default webroot directory value (/var/www/html/magento/pub/) can be changed using the WEBROOT module parameter.
- It then triggers the vulnerability using a crafted PHP array object via the /rest/default/V1/guest-carts/abc/order endpoint, exploiting a nested PHP array object deserialization in the Magento\Framework\Session\SessionManager class via the $sessionConfig variable. This copies the uploaded PHP script to the given webroot directory.
- The module then deploys the agent by calling the PHP script in the webroot directory.
- The apache user account (www-data) must have write access to the webroot directory for this exploit to work.
- The deployed Core Impact agent will run with the apache user account (www-data) privileges.
CVE-2025-29824: Microsoft Windows Common Log File System Driver Elevation of Privilege Vulnerability
Authors: Cristian Rubio, Ricardo Narvaja, and Daniel De Luca (QA)
CVSS: 7.8 HIGH
Reference: CVE-2025-29824
Key Vulnerability Details
- An elevation of privilege vulnerability exists in the Windows Common Log File System (CLFS) kernel driver that allows a locally authenticated attacker with standard user privileges to escalate privileges to SYSTEM level
- The vulnerability stems from improper handling of objects in memory by the CLFS driver (clfs.sys), resulting in a use-after-free condition when specific structures are manipulated during log file operations
- Affected platforms include Windows 10, Windows 11, and Windows Server 2008 through Windows Server 2025
- Windows 11 version 24H2 is not affected by the observed exploitation due to additional access restrictions on NtQuerySystemInformation requiring SeDebugPrivilege
- Classified as Use After Free (CWE-416)
Exploitation Impact and Mitigation
- Successful exploitation enables a standard user to escalate privileges to SYSTEM, allowing attackers to inject payloads into privileged processes, dump LSASS memory to harvest credentials, and deploy ransomware with full administrative control of the compromised system
- Microsoft released a security patch addressing this vulnerability as part of an April 2025 Patch Tuesday update
Attacks in the Wild
- This vulnerability was exploited as a zero-day by the threat actor Storm-2460, who deployed it against organizations in the IT and real estate sectors in the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in Saudi Arabia
- CISA has added this vulnerability to the Known Exploited Vulnerabilities Catalog
Exploitation Mechanism
- The exploit module creates a target directory to stage the necessary CLFS log and container files for exploitation.
- A pool spray is performed using pipes to shape the kernel pool layout and position controlled data adjacent to the vulnerable CLFS objects.
- Two threads are created to win a race condition in the CLFS driver, triggering the UAF vulnerability.
- The RtlSetAllBits function is used to overwrite the current process's token with the value 0xFFFFFFFF, enabling all privileges for the process.
- With elevated privileges, a new agent is injected into an elevated process to run as SYSTEM.
CVE-2025-61882: Oracle E-Business Suite getUiType Server-Side Request Forgery Remote Code Execution Vulnerability
Authors: Marcos Accossatto and Nahuel González (QA)
CVSS: 9.8 CRITICAL
Reference: CVE-2025-61882
Key Vulnerability Details
- A pre-authentication remote code execution vulnerability exists in Oracle E-Business Suite that chains multiple weaknesses including Server-Side Request Forgery (SSRF), CRLF injection, authentication bypass, and unsafe XSLT processing to achieve unauthenticated code execution
- Affected versions include Oracle E-Business Suite versions 12.2.3 through 12.2.14, specifically impacting the Concurrent Processing component through its BI Publisher Integration
- Classified as Improper Authentication (CWE-287)
Exploitation Impact and Mitigation
- Successful exploitation enables unauthenticated attackers to achieve full remote code execution, allowing them to deploy web shells, execute arbitrary system commands, move laterally across networks, and exfiltrate sensitive business data including financial records, payroll information, and vendor contracts
- Oracle released an emergency patch in October 2025
Attacks in the Wild
- This vulnerability was classified as a zero-day and has been actively exploited in the wild by the Cl0p ransomware group
- These ransomware campaigns are targeting global industries including finance, healthcare, aviation, and government sectors
- CISA has added this vulnerability to the Known Exploited Vulnerabilities Catalog
Exploitation Mechanism
- The exploit module registers an endpoint on the local webserver that is used during the attack to serve an XSL file to the target; the XSL file executes the system commands that deploy the agent.
- From there, it will retrieve a required CSRF token via the /OA_HTML/runforms.jsp and /OA_HTML/JavaScriptServlet endpoints.
- It will then use the Server-Side Request Forgery vulnerability combined with a Carriage Return/Line Feed (CRLF) injection to smuggle a request to the /OA_HTML/help/../ieshostedsurvey.jsp endpoint that will trigger a GET HTTP request to the local webserver.
- This delivers the XSL file, which deploys the agent.
- The deployed agent will run with the oracle user account privileges.
CVE-2025-36604: Dell Unity getCASURL Remote OS Command Injection Exploit
Authors: Marcos Accossatto, Nahuel González (QA), and Daniel De Luca (QA)
CVSS: 9.8 CRITICAL
Reference: CVE-2025-36604
Key Vulnerability Details
- A pre-authentication OS command injection vulnerability exists in the getCASURL Perl function of Dell Unity, allowing an unauthenticated attacker with remote network access to execute arbitrary operating system commands on the target system
- The flaw stems from improper input sanitization in the login redirect mechanism, enabling injection of shell metacharacters and command substitution sequences
- Affected versions include Dell Unity, Dell UnityVSA, and Dell Unity XT running Operating Environment (OE) version 5.5 and all prior versions
- Classified as Improper Neutralization of Special Elements used in an OS Command, or "OS Command Injection" (CWE-78)
Exploitation Impact and Mitigation
- Successful exploitation enables an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system of the storage appliance, potentially leading to full system compromise, unauthorized access to sensitive enterprise data, configuration tampering, malware deployment, and lateral movement across storage infrastructure
- Dell has released a patch addressing this vulnerability as part of Security Advisory DSA-2025-281
Attacks in the Wild
- No major attacks have been reported at this time
Exploitation Mechanism
- The module exploits an OS command injection in the getCASURL Perl function of Dell Unity to deploy a Core Impact agent.
- The module triggers the vulnerability by embedding the system commands to deploy the agent in a request to the /misc endpoint.
- Spaces in the system command are replaced with the ${IFS} shell variable to bypass input filtering.
- The deployed agent runs with the Apache user account privileges.
CVE-2025-49704: Microsoft SharePoint Server DataSetSurrogateSelector Deserialization Remote OS Command Injection Exploit
Authors: Marcos Accossatto and Nahuel González (QA)
CVSS: 8.8 HIGH
Reference: CVE-2025-49704
Key Vulnerability Details
- A remote code execution vulnerability exists in the DataSetSurrogateSelector class of Microsoft SharePoint Server, enabling an authenticated attacker to inject and execute arbitrary OS commands over the network
- The vulnerability stems from insufficiently strict type-name parsing and validation logic within the DataSetSurrogateSelector filter
- Affected platforms include Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Server 2019, Microsoft SharePoint Server Subscription Edition
- Classified as Improper Control of Generation of Code, also known as Code Injection (CWE-94)
Exploitation Impact and Mitigation
- Successful exploitation enables an attacker to execute arbitrary commands under the context of the SharePoint Server service account, potentially leading to full system compromise, lateral movement across integrated Microsoft services, data exfiltration, web shell deployment, and ransomware distribution
- When chained with CVE-2025-49706 (authentication bypass), the attack can be performed without any credentials, significantly increasing the threat surface
- Microsoft released a security patch as part of a July Patch Tuesday security update
- SharePoint Server 2013 and 2010 are also affected but are end-of-support and will not receive patches
Attacks in the Wild
- This vulnerability has been actively exploited in the wild as part of the "ToolShell" attack chain since at least July 2025
- Microsoft has attributed exploitation to Chinese nation-state threat actors Linen Typhoon and Violet Typhoon, as well as Storm-2603
- SharePoint servers have been compromised across industries, including federal and state agencies, universities, energy companies, and healthcare organizations
- CISA has added this vulnerability to the Known Exploited Vulnerabilities Catalog
Exploitation Mechanism
- The module first verifies the SharePoint version by connecting to /_layouts/15/start.aspx and extracting the siteClientTag value.
- Using NTLM authentication (with impacket), the module authenticates to the target SharePoint server with the provided credentials.
- The exploit generates a crafted .NET serialized object containing an embedded DLL, wrapped in a serialized ObjectDataProvider and LosFormatter gadget chain.
- The command to execute (cmd.exe /c "{command}") is injected into the DLL binary, replacing placeholder bytes.
- The malicious ExcelDataSet WebPart is sent to the /_layouts/15/ToolPane.aspx endpoint via the MSOTlPn_DWP POST parameter.
- SharePoint deserializes the LosFormatter object chain, the gadget chain triggers unsafe .NET deserialization, and the embedded DLL is instantiated and executed.
- The OS command is executed via cmd.exe /c "{injected_command}" as the SharePoint Server service account, using fileless PowerShell to deploy the Core Impact agent.
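The exploitation mechanisms for SessionReaper (upload to /customer/address_file/upload followed by the crafted /rest/default/V1/guest-carts/.../order call), the Oracle E-Business Suite chain (/OA_HTML/runforms.jsp and /OA_HTML/JavaScriptServlet, then the smuggled /OA_HTML/help/../ieshostedsurvey.jsp request) and ToolShell (the /_layouts/15/start.aspx check followed by a POST to /_layouts/15/ToolPane.aspx) each leave an ordered request sequence in the web server access log. The detector below is an added example written from the defender's side, not Core Impact code: it parses Apache/IIS-style combined log lines and raises an alert when one client completes a rule's sequence within a time window. The rule names, the ten-minute window and the sample log lines are constructed for the demonstration; the path patterns are the ones named on this page.

```python
"""Sequence detector for access-log indicators of the web exploitation chains on this page.

Added example, not Core Impact code. Assumes Apache-style combined log lines
("IP - - [date] \"METHOD PATH HTTP/x\" status ..."). Rule names and the
window length are constructed choices; the paths come from the page.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)


@dataclass
class Rule:
    name: str
    steps: List[str]  # regexes matched, in order, against "METHOD PATH"
    window: timedelta = timedelta(minutes=10)  # constructed default


RULES = [
    Rule("CVE-2025-54236 SessionReaper", [
        r"^POST /customer/address_file/upload",
        r"^\w+ /rest/default/V1/guest-carts/[^/]+/order",
    ]),
    Rule("CVE-2025-61882 Oracle EBS", [
        r"/OA_HTML/runforms\.jsp",
        r"/OA_HTML/JavaScriptServlet",
        r"ieshostedsurvey\.jsp",  # matches the raw, un-normalised help/../ form too
    ]),
    Rule("CVE-2025-49704 ToolShell", [
        r"^GET /_layouts/15/start\.aspx",
        r"^POST /_layouts/15/ToolPane\.aspx",
    ]),
]


@dataclass
class Progress:
    index: int = 0                      # next step to satisfy
    started: Optional[datetime] = None  # time the first step matched


def parse_line(line: str) -> Optional[Tuple[str, datetime, str]]:
    """Return (client_ip, timestamp, "METHOD PATH") or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, f"{m.group('method')} {m.group('path')}"


def detect(lines: List[str], rules: List[Rule] = RULES) -> List[Tuple[str, str, str]]:
    """Return (rule_name, client_ip, iso_timestamp) for every completed sequence."""
    state: Dict[Tuple[str, str], Progress] = {}
    alerts: List[Tuple[str, str, str]] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, request = parsed
        for rule in rules:
            key = (ip, rule.name)
            prog = state.setdefault(key, Progress())
            if prog.started is not None and ts - prog.started > rule.window:
                prog.index, prog.started = 0, None  # sequence went stale; start over
            if re.search(rule.steps[prog.index], request):
                if prog.index == 0:
                    prog.started = ts
                prog.index += 1
                if prog.index == len(rule.steps):
                    alerts.append((rule.name, ip, ts.isoformat()))
                    state[key] = Progress()  # reset so a repeat is reported again
    return alerts


# Constructed sample log: three clients, one completed chain each plus a stale start.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2025:10:15:01 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [10/Dec/2025:10:15:05 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2025:10:15:09 +0000] "POST /rest/default/V1/guest-carts/abc/order HTTP/1.1" 500 128 "-" "curl/8.0"
198.51.100.7 - - [10/Dec/2025:10:20:00 +0000] "GET /OA_HTML/runforms.jsp HTTP/1.1" 200 4096 "-" "python-requests/2.31"
198.51.100.7 - - [10/Dec/2025:10:20:02 +0000] "POST /OA_HTML/JavaScriptServlet HTTP/1.1" 200 64 "-" "python-requests/2.31"
198.51.100.7 - - [10/Dec/2025:10:20:05 +0000] "POST /OA_HTML/help/../ieshostedsurvey.jsp HTTP/1.1" 200 1024 "-" "python-requests/2.31"
192.0.2.9 - - [10/Dec/2025:11:00:00 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.9 - - [10/Dec/2025:11:01:00 +0000] "GET /_layouts/15/start.aspx HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Dec/2025:11:01:03 +0000] "POST /_layouts/15/ToolPane.aspx HTTP/1.1" 200 256 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Dec/2025:11:20:00 +0000] "POST /rest/default/V1/guest-carts/xyz/order HTTP/1.1" 200 128 "-" "curl/8.0"
"""

if __name__ == "__main__":
    for name, ip, when in detect(SAMPLE_LOG.splitlines()):
        print(f"{when} {ip} {name}")
```

The last sample line deliberately arrives twenty minutes after that client's upload, so it falls outside the window and is not paired with it; tune the window to your own traffic. The ToolPane.aspx rule in particular also fires on legitimate administrative use, so treat its alerts as something to corroborate against the POST body and the SharePoint ULS logs rather than as proof on their own.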
CVE-2024-21338: Microsoft Windows Kernel AppId Elevation of Privilege Vulnerability Exploit
Authors: Cristian Rubio, Nahuel González (QA), and Daniel De Luca (QA)
CVSS: 7.8 HIGH
Reference: CVE-2024-21338
Key Vulnerability Details
- An elevation of privilege vulnerability exists in the Application Identity (AppId) Service driver (appid.sys), a core component of Windows AppLocker. The vulnerability targets a built-in Windows driver, enabling fileless kernel-level attacks without the need to load any custom or third-party drivers
- Affected platforms include Windows 10 version 1703 (RS2/15063) and later, Windows 11 through 23H2, and multiple editions of Windows Server
- Classified as Untrusted Pointer Dereference (CWE-822)
Exploitation Impact and Mitigation
- Successful exploitation enables an attacker to escalate from LOCAL SERVICE or low-privileged user permissions to full SYSTEM-level access. With SYSTEM privileges, an attacker can perform direct kernel object manipulation (DKOM), disable security products including endpoint detection and response (EDR) tools, deploy rootkits, steal credentials, and achieve complete system takeover.
- Microsoft released a security patch as part of a February Patch Tuesday security update
Attacks in the Wild
- Classified as a zero-day, this vulnerability was actively exploited in the wild by the North Korean state-sponsored Lazarus Group (APT38), leveraging the flaw to deploy an updated version of their FudModule rootkit, which used the kernel read/write primitive to perform direct kernel object manipulation and disable protected security processes
- CISA has added this vulnerability to the Known Exploited Vulnerabilities Catalog
Exploitation Mechanism
- The exploit module leaks the address of the current thread by leveraging kernel information disclosure techniques.
- It then leaks the address of the current process token to identify the privilege level of the active process.
- The address of the SYSTEM process token is leaked, providing the target token value needed for privilege escalation.
- The address of the ExpProfileDelete kernel function is leaked and used to construct the exploit's control flow redirection chain.
- The vulnerability is then triggered to overwrite PreviousMode.
- The exploit replaces the current process token with the SYSTEM process token, effectively elevating the process to SYSTEM-level privileges.
- The original PreviousMode value is restored to maintain system stability and avoid detection.
CVE-2025-54309: CrushFTP AS2 Authentication Bypass Vulnerability Exploit
Authors: Marcos Accossatto and Nahuel González (QA)
CVSS: 9.8 CRITICAL
Reference: CVE-2025-54309
Key Vulnerability Details
- A critical authentication bypass vulnerability exists in CrushFTP's managed file transfer software that allows a remote, unauthenticated attacker to obtain administrative access via HTTPS by exploiting a race condition in the Applicability Statement 2 (AS2) protocol validation process
- The vulnerability stems from the mishandling of AS2 validation in the ServerSessionHTTP.java class where the code fails to enforce proper cryptographic checks and does not sufficiently validate multipart message content
- Affects CrushFTP version 10 prior to 10.8.5 and version 11 prior to 11.3.4
- Classified as Unprotected Alternate Channel (CWE-420)
Exploitation Impact and Mitigation
- Successful exploitation allows an unauthenticated remote attacker to gain full administrative control of the CrushFTP server, enabling data exfiltration, backdoor creation via administrative account manipulation, lateral movement within enterprise networks, and complete server takeover.
- CrushFTP has released patched versions addressing this vulnerability: upgrade to CrushFTP 10.8.5_12 or later for version 10 deployments, and 11.3.4_26 or later for version 11.
- CrushFTP has noted that attackers have been modifying the web interface to display fake version numbers mimicking patched releases
Attacks in the Wild
- Classified as a zero-day that has been actively exploited in the wild since at least July 2025.
- An exploit toolkit targeting vulnerable servers has been observed for sale on an underground cybercrime forum that includes reconnaissance, exploitation, and web shell capabilities.
- CISA has added this vulnerability to the Known Exploited Vulnerabilities Catalog
Exploitation Mechanism
- The exploit module uses an authentication bypass vulnerability via a race condition in AS2 validation to create a new administrative user in the target application.
- If the credentials for the new administrative user are not provided, the module will generate a random one.
- If the exploitation succeeds, the module verifies the newly created administrative credentials against the target by authenticating with them.
- If the module generates random credentials for the attack, a new identity with these credentials is created for persistence.
CVE-2024-38063: Microsoft Windows TCP IP IPv6 remote DoS
Authors: Esteban Kazimirow and Daniel De Luca (QA)
CVSS: 9.8 CRITICAL
Reference: CVE-2024-38063
Key Vulnerability Details
- A critical zero-click remote code execution vulnerability in the Windows TCP/IP stack allows unauthenticated attackers to execute arbitrary code or cause denial of service by sending specially crafted IPv6 packets to vulnerable Windows systems
- Impacted systems include all versions of Windows 10, Windows 11, and Windows Server 2008, 2012, 2016, 2019, and 2022 with IPv6 enabled
- Classified as an Integer Underflow weakness (CWE-191)
Exploitation Impact and Mitigation
- Successful exploitation grants attackers SYSTEM-level privileges, enabling data theft, ransomware deployment, lateral movement, and complete system compromise
- Microsoft released security patches as part of an August Patch Tuesday security update
- Because the attack is zero-click, no user interaction is required; for additional protection, Microsoft recommends disabling IPv6 where it is not needed
Attacks in the Wild
- No major attacks have been reported at this time
Exploitation Mechanism
- The exploit module obtains the data needed to launch an attack, such as a local device ID and target MAC address.
- It then sets the IPv6 headers and builds specially crafted packets affecting the IPv6 stack (tcpip.sys driver).
- The module will send packets to the target, causing a denial of service.
- Finally, it checks whether the remote machine is down as a result of a Blue Screen of Death (BSOD).
CVE-2025-7388: Progress OpenEdge saveSvcConfig Remote OS Command Injection Exploit
Authors: Marcos Accossatto, Nahuel González (QA), and Daniel De Luca (QA)
CVSS: 8.4 HIGH
CVE Reference: CVE-2025-7388
Key Vulnerability Details
- A remote code execution vulnerability in the Progress OpenEdge AdminServer component allows authenticated users to inject and execute operating system commands via the Java RMI interface
- Impacted versions include OpenEdge LTS Releases 12.2.17, 12.8.8, and all earlier versions on both Windows and Linux platforms
- Classified as Improper Neutralization of Special Elements used in an OS Command (CWE-77)
Exploitation Impact and Mitigation
- Successful exploitation enables attackers to execute arbitrary system commands, potentially leading to complete system compromise, data exfiltration, ransomware deployment, and lateral movement within the enterprise network
- Progress Software released patches in OpenEdge LTS Update 12.2.18 and 12.8.9 that address the vulnerability in two ways: input sanitization that forcibly encloses WorkDir values in double quotes while stripping injected quotes, and RMI hardening that disables remote RMI by default
Attacks in the Wild
- No major in-the-wild attacks have been reported at this time
Exploitation Mechanism
- If no username and password are provided, the module uses the CVE-2024-1403 vulnerability to authenticate against the target application as the NT AUTHORITY\SYSTEM user. If a username and password are provided, those credentials are used for authentication instead.
- Once authenticated, it will create an instance of the com.progress.chimera.adminserver.AdminContext class via the com.progress.chimera.adminserver.IAdminServer interface.
- From there, it will use the getPlugins method to obtain a list of the interfaces exposed by the com.progress.ubroker.tools.NSRemoteObject plugin.
- Then, an operator can use the getRemoteManageObject method of the com.progress.ubroker.tools.NSRemoteObject class via the com.progress.ubroker.tools.IYodaSharedResources interface to create an instance of an object compatible with the com.progress.ubroker.tools.IYodaRMI interface.
- Then, it uses the doRemoteToolCmd method via the com.progress.ubroker.tools.IYodaRMI interface to add a payload that deploys an agent inside the Progress\OpenEdge\properties\ubroker.properties file. An entry for an application *service* is added.
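The patch notes above describe the fix as quoting the WorkDir value and stripping injected quotes. The following Python is an added illustration of that pattern and of the stricter alternatives a reviewer would ask for; it is not Progress's code or the Core Impact module, and the `start-broker` command name and `--workdir` flag are hypothetical stand-ins for whatever the AdminServer actually launches.

```python
import re
import subprocess
from typing import List

# Hypothetical launcher name used only for illustration; the real
# AdminServer command line is not shown in the write-up.
BROKER_CMD = "start-broker"

# Allowlist for a Windows or POSIX directory path: letters, digits, path
# separators, a drive colon, space, dot, underscore and hyphen. No shell
# metacharacters, so nothing needs to be "neutralised" later.
SAFE_WORKDIR_RE = re.compile(r"^[A-Za-z0-9_:./\\ -]+$")


def build_command_vulnerable(workdir: str) -> str:
    """Pre-patch pattern: the WorkDir value is pasted into a shell command
    line unquoted, so '&', ';' or a stray quote becomes part of the command."""
    return f"cd {workdir} && {BROKER_CMD}"


def sanitize_workdir(workdir: str) -> str:
    """Model of the fix described for 12.2.18 / 12.8.9: strip embedded
    double quotes, then enclose the whole value in double quotes."""
    return '"' + workdir.replace('"', "") + '"'


def build_command_hardened(workdir: str) -> str:
    """Same command line, but with the sanitized (quoted) WorkDir value."""
    return f"cd {sanitize_workdir(workdir)} && {BROKER_CMD}"


def is_safe_workdir(workdir: str) -> bool:
    """Stricter alternative: reject any value outside the path allowlist
    instead of trying to neutralise individual metacharacters."""
    return bool(SAFE_WORKDIR_RE.match(workdir))


def build_argv(workdir: str) -> List[str]:
    """Safest form: no shell at all. Each argument is its own argv element,
    so metacharacters in workdir reach the program as literal text."""
    if not is_safe_workdir(workdir):
        raise ValueError(f"rejected WorkDir value: {workdir!r}")
    return [BROKER_CMD, "--workdir", workdir]


def run_broker(workdir: str) -> None:
    """Launch helper (not exercised by the checks below): a list plus
    shell=False never hands the value to cmd.exe or /bin/sh."""
    subprocess.run(build_argv(workdir), shell=False, check=True)
```

Quoting neutralises `&` and `;` for cmd.exe, but it is not a complete defence on its own: cmd.exe still expands `%VAR%` inside double quotes, and a POSIX shell still expands `$(...)` and backticks inside them. That is why `build_argv` validates against an allowlist and avoids the shell entirely rather than relying on `sanitize_workdir`.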
CVE-2025-50154: Microsoft Windows File Explorer Spoofing Information Disclosure Exploit
Authors: Cristian Rubio, Nahuel González (QA), and Daniel De Luca (QA)
CVSS: 7.5 HIGH
CVE Reference: CVE-2025-50154
Key Vulnerability Details
- A zero-click NTLM credential leakage vulnerability in Windows File Explorer that bypasses Microsoft's patch for CVE-2025-24054 allows attackers to extract NTLMv2-SSP hashes without any user interaction by exploiting a gap left in the original mitigation
- Though Microsoft blocked icons from UNC paths in the April 2025 patch, it did not block icons embedded in remote executable files, allowing attackers to point a .lnk file's TargetPath at a remote binary to trigger NTLM authentication
- Affected versions include Windows 10 (all supported versions), Windows 11 (22H2, 23H2, 24H2), Windows Server 2012, 2016, 2019, 2022, and Windows Server 2025
- Classified as Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Exploitation Impact and Mitigation
- Successful exploitation allows attackers to capture NTLMv2-SSP hashes, which can be cracked offline using tools like John the Ripper or Hashcat, or leveraged in NTLM relay attacks to authenticate to other services, potentially leading to privilege escalation, lateral movement, and remote code execution
- Microsoft released a patch in the August 2025 Patch Tuesday security update addressing CVE-2025-24054
- Additional patches were released in October 2025 that disabled File Explorer's preview feature for files marked with Mark of the Web
Attacks in the Wild
- CVE-2025-50154 bypasses the patch for predecessor vulnerability CVE-2025-24054
- This vulnerability was actively exploited in campaigns targeting government and private institutions in Poland and Romania
- SMB servers receiving stolen credentials in related NTLM exploitation campaigns were located in Russia, Bulgaria, the Netherlands, Australia, and Turkey, with one IP address previously linked to APT28 (Fancy Bear) activity
Exploitation Mechanism
- The exploit module creates a specially crafted .lnk (shortcut) file that sets the TargetPath to point to a remote executable on an attacker-controlled SMB server.
- The malicious .lnk file is delivered to the target via a phishing email attachment, shared network folder, synchronized cloud storage, or other file delivery mechanism.
- When the file is placed in a folder on the target, the system automatically connects to the attacker-controlled SMB server without any user interaction.
- This enables the attacker to capture the NTLMv2-SSP hash using tools like Responder or Impacket's SMB server.
- The module can then crack the hash offline. It can also relay it to other network services for immediate authentication.
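The trigger described above lives in the shortcut file itself: a TargetPath that points at a UNC location. The following Python is an added detection example, not part of the Core Impact module or of any Microsoft tooling; it scans the raw bytes of .lnk files for UNC paths rather than loading them through the Shell API, so the scan itself cannot cause the outbound SMB connection. The `SAMPLE_LNK` and `BENIGN_LNK` byte strings are constructed stand-ins, not real shortcut files, and 203.0.113.7 is an RFC 5737 documentation address.

```python
import os
import re
from typing import Dict, List

# UNC path: \\host\share, optionally followed by more path components.
UNC_RE = re.compile(r"\\\\[A-Za-z0-9._-]+\\[A-Za-z0-9$._-]+(?:\\[A-Za-z0-9$._ -]+)*")


def find_unc_targets(data: bytes) -> List[str]:
    """Return every UNC path found in the raw bytes of a .lnk file.

    MS-SHLLINK can carry the target in several places (the LinkInfo block's
    CommonNetworkRelativeLink as 8-bit text, the IDList, and optional Unicode
    string data), so the bytes are scanned as 8-bit text and as UTF-16LE at
    both byte alignments. The file is never opened via the Shell API.
    """
    views = [
        data.decode("latin-1"),
        data.decode("utf-16-le", errors="ignore"),
        data[1:].decode("utf-16-le", errors="ignore"),
    ]
    hits = set()
    for text in views:
        hits.update(UNC_RE.findall(text))
    return sorted(hits)


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk a directory tree (e.g. a Downloads or shared folder) and map each
    .lnk file that names a UNC target to the targets found in it."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                targets = find_unc_targets(fh.read())
            if targets:
                findings[path] = targets
    return findings


# Constructed stand-in for a shortcut: the 4-byte HeaderSize and the ShellLink
# CLSID (00021401-0000-0000-C000-000000000046) are real MS-SHLLINK values; the
# rest is filler plus the strings a shortcut pointing at
# \\203.0.113.7\share\update.exe would contain. It is not a loadable .lnk.
SAMPLE_LNK = (
    b"L\x00\x00\x00"
    + b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
    + b"\x00" * 20
    + b"\\\\203.0.113.7\\share\\update.exe\x00"
    + "\\\\203.0.113.7\\share\\update.exe".encode("utf-16-le")
)

# Constructed stand-in for a shortcut to a local program (no UNC target).
BENIGN_LNK = b"L\x00\x00\x00" + b"\x00" * 36 + b"C:\\Windows\\System32\\notepad.exe\x00"

if __name__ == "__main__":
    print(find_unc_targets(SAMPLE_LNK))  # ['\\\\203.0.113.7\\share\\update.exe']
    print(find_unc_targets(BENIGN_LNK))  # []
```

A hit is a triage signal, not proof of malice: shortcuts to file-server shares are common in enterprises, so the useful follow-up is whether the host in the UNC path is an internal file server or an address outside the organisation. Blocking outbound TCP 445 to the Internet at the perimeter removes the credential leak even when a crafted shortcut does get opened.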
CVE-2025-26651: Windows Local Session Manager (LSM) Denial of Service Vulnerability Exploit
Authors: Cristian Rubio and Nahuel González (QA)
CVSS: 6.5 MEDIUM
CVE Reference: CVE-2025-26651
Key Vulnerability Details
- A denial of service vulnerability exists in the Windows Local Session Manager (LSM) due to an exposed dangerous function (RpcGetSessionIds) that fails to properly validate incoming RPC requests, allowing an authenticated low-privileged attacker to crash the LSM service over a network (Microsoft MSRC).
- The vulnerability stems from the RpcGetSessionIds function (Opnum 8) in the RPC interface 88143fd0-c28d-4b2b-8fef-8d882f6a9390 being improperly implemented in Windows 11
- Affected versions include Windows 11, Windows Server 2022, and Windows Server 2025.
- Windows 10 is not affected as it contains a proper implementation of the function (Warpnet).
- Classified as Exposed Dangerous Method or Function (CWE-749)
Exploitation Impact and Mitigation
- Successful exploitation causes the LSM service to crash, preventing all users from logging in or out, rendering Remote Desktop Protocol (RDP) connections non-functional, and disrupting dependent security features including Microsoft Defender Application Guard, Windows Sandbox, and Docker containers (Warpnet).
- Microsoft released a patch as part of an April 2025 Patch Tuesday security update
Attacks in the Wild
- No major attacks have been reported at this time
Exploitation Mechanism
- The exploit module first creates a DCE RPC connection to the named pipe endpoint "\pipe\LSM_API_SERVICE"
- It then binds to the LSM Enumeration interface
- Finally, it sends the RpcGetSessionIds request, which is not implemented on Windows 11 and produces a crash in the LSM service
CVE-2025-21420: Microsoft Windows Disk Cleanup Tool Elevation of Privilege Exploit
Authors: Ricardo Narvaja and Nahuel González (QA)
CVSS: 7.8 HIGH
CVE Reference: CVE-2025-21420
Key Vulnerability Details
- An elevation of privilege vulnerability exists in the Microsoft Windows Disk Cleanup Tool (cleanmgr.exe) that allows a locally authenticated attacker with standard user privileges to execute a crafted DLL with SYSTEM user privileges.
- Affected versions include Windows 10 (21H2 and later), Windows 11 (all versions through 24H2), and Windows Server 2012 through Windows Server 2025
- Classified as Improper Link Resolution Before File Access ('Link Following') (CWE-59)
Exploitation Impact and Mitigation
- Successful exploitation enables a local attacker to escalate privileges from a standard user account to NT AUTHORITY\SYSTEM, allowing complete system compromise including malware deployment, data theft, persistent backdoor installation, and lateral movement across enterprise environments
- Microsoft released a patch as part of a February 2025 Patch Tuesday security update
Attacks in the Wild
- No major attacks have been reported at this time
Exploitation Mechanism
- The exploit module first creates three folders, C:\$Windows.~WS, C:\ESD\Windows and C:\ESD\Download, inserts dummy .txt files, and pauses.
- From there, a thread is created to run the first stage of the FolderOrFileDeleteToSystem executable to set up Config.msi.
- A second thread is created to run the second executable, FolderContentsDeleteToFolderDelete, which redirects content cleanup from C:\ESD\Windows to C:\Config.msi.
- This creates a task named SilentCleanup to trigger content cleanup and delete Config.msi.
- After deletion, a third thread is created to run the second stage of FolderOrFileDeleteToSystem to drop HID.dll.
- Lastly, osk.exe is run in one thread, and another thread runs mmc.exe.
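The staging steps above hinge on redirecting the cleanup of a staged folder to C:\Config.msi, which on disk shows up as a reparse point (a junction or symlink) where a plain directory would normally be. The following Python is an added defender-side check, not part of the Core Impact module: it looks at the paths named in this write-up and reports any that are reparse points. The same directory names are also created legitimately by Windows upgrade tooling, so an ordinary directory at these locations proves nothing by itself; only a reparse point there is worth flagging. `self_check()` builds a throwaway directory tree with a symlink standing in for a junction so the logic can be exercised on any OS.

```python
import os
import stat
import tempfile
from typing import Dict, List

# Paths the exploit module stages, as listed above. Legitimate Windows upgrade
# tooling creates the same names as ordinary directories, so the check is for
# reparse points only.
STAGING_PATHS = [
    r"C:\$Windows.~WS",
    r"C:\ESD\Windows",
    r"C:\ESD\Download",
    r"C:\Config.msi",
]

# Present in the stat module on every platform; only meaningful in
# st_file_attributes on Windows, where junctions carry this bit.
REPARSE_POINT = getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0x400)


def is_reparse_point(path: str) -> bool:
    """True if path is a symlink (any OS) or carries the Windows reparse-point
    attribute, which is how junctions and mount points appear to lstat()."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & REPARSE_POINT)


def check_paths(paths: List[str]) -> Dict[str, str]:
    """Classify each path as 'missing', 'directory', 'file' or 'REPARSE_POINT'."""
    result: Dict[str, str] = {}
    for p in paths:
        if is_reparse_point(p):
            result[p] = "REPARSE_POINT"
        elif os.path.isdir(p):
            result[p] = "directory"
        elif os.path.exists(p):
            result[p] = "file"
        else:
            result[p] = "missing"
    return result


def suspicious(paths: List[str] = STAGING_PATHS) -> List[str]:
    """The subset of paths that are reparse points, i.e. the ones to alert on."""
    return [p for p, kind in check_paths(paths).items() if kind == "REPARSE_POINT"]


def self_check() -> Dict[str, str]:
    """Exercise the classifier on a temporary tree: a plain directory, a symlink
    standing in for a junction, and a path that does not exist."""
    base = tempfile.mkdtemp()
    real_dir = os.path.join(base, "ESD")
    link = os.path.join(base, "Config.msi")
    missing = os.path.join(base, "nothere")
    os.mkdir(real_dir)
    os.symlink(real_dir, link, target_is_directory=True)
    try:
        kinds = check_paths([real_dir, link, missing])
        return {os.path.basename(p): kind for p, kind in kinds.items()}
    finally:
        os.unlink(link)
        os.rmdir(real_dir)
        os.rmdir(base)


if __name__ == "__main__":
    print(self_check())
    print(suspicious())
```

Run `suspicious()` on the Windows host as part of a scheduled integrity check; on a patched system the list should be empty. The check is intentionally narrow, so pair it with monitoring for creation of the SilentCleanup task and for unexpected HID.dll files if you want coverage of the later stages.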
CVE-2025-47812: Wing FTP Server Remote Command Execution Exploit
Authors: Esteban Kazimirow and Nahuel González (QA)
CVSS: 10.0 CRITICAL
CVE Reference: CVE-2025-47812
Key Vulnerability Details
- A vulnerability exists in Wing FTP Server's user and admin web interfaces due to improper handling of null (\0) bytes in the username parameter, allowing injection of arbitrary Lua code into user session files.
- The flaw stems from how the application's c_CheckUser() function processes usernames using strlen(), which can lead to remote code execution
- Impacts Wing FTP Server prior to version 7.4.4 on Windows (64-bit), Linux, and macOS platforms.
- Classified as Improper Neutralization of Null Byte or NUL Character (CWE-158)
Exploitation Impact and Mitigation
- Successful exploitation allows attackers to execute arbitrary system commands with root privileges, enabling complete system compromise including data exfiltration, malware deployment, lateral movement, and full network takeover
- Wing FTP Server released version 7.4.4 to address this vulnerability
- CISA mandated Federal Civilian Executive Branch (FCEB) agencies apply patches by August 4, 2025
Attacks in the Wild
- Active exploitation was first observed in July 2025, one day after public disclosure
- Over 8,000 exposed servers have been identified worldwide and CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog
Exploitation Mechanism
- The exploit module sends a POST request to /loginok.html with a malicious command in the username field.
- The injected content is written into a session file stored in the server's session directory.
- The server responds with a UID cookie in Set-Cookie.
- The UID session cookie is extracted from the authentication response.
- The extracted cookie is used to access dir.html.
- From there, a Core Impact agent is deployed.
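The root cause above is a length mismatch: a check built on strlen() stops at the first NUL byte, while the code that writes the session file copies the whole value. The following Python is an added model of that mismatch and of the length-aware fix, plus a small request-level detection rule; it is not Wing FTP's code or the Core Impact module. The session-file line format, the `known_users` set and the `SESSION_DIR` path are hypothetical, and the crafted username is a constructed sample with harmless trailing text.

```python
import re
from typing import Optional, Set
from urllib.parse import parse_qs

SESSION_DIR = "/var/lib/wingftp-sessions"  # hypothetical path, for illustration only


def c_string_view(raw: bytes) -> bytes:
    """What strlen()-based code sees: everything up to the first NUL byte."""
    nul = raw.find(b"\x00")
    return raw if nul < 0 else raw[:nul]


def check_user_strlen(raw_username: bytes, known_users: Set[str]) -> bool:
    """Model of the vulnerable check: only the NUL-terminated prefix is validated,
    so 'anonymous\\x00<anything>' looks like the plain user 'anonymous'."""
    return c_string_view(raw_username).decode("latin-1") in known_users


def session_file_line(raw_username: bytes) -> bytes:
    """Model of the session write: the full byte string, including whatever
    follows the NUL, is emitted into the Lua session file as the user name."""
    return b'username = "' + raw_username + b'"\n'


def validate_username(raw_username: bytes) -> Optional[str]:
    """Hardened, length-aware validation: reject embedded NULs outright and
    accept only an allowlisted character set of bounded length."""
    if b"\x00" in raw_username:
        return None
    name = raw_username.decode("latin-1")
    if not re.fullmatch(r"[A-Za-z0-9@._-]{1,64}", name):
        return None
    return name


def flag_login_request(method: str, path: str, body: bytes) -> bool:
    """Detection rule for a reverse proxy/WAF or request log replay: a POST to
    /loginok.html whose username field contains a NUL, raw or as %00."""
    if method != "POST" or path.split("?")[0] != "/loginok.html":
        return False
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return any("\x00" in value for value in fields.get("username", []))


if __name__ == "__main__":
    crafted = b"anonymous\x00trailing-data"  # constructed sample
    print(check_user_strlen(crafted, {"anonymous"}))  # True: the weak check passes it
    print(session_file_line(crafted))               # ...but the whole value is written
    print(validate_username(crafted))               # None: the hardened check rejects it
```

Two things carry over to any C-backed web service: validate the length you were given, not the length strlen() reports, and never let a value reach an interpreter (here the Lua session file) without escaping for that interpreter. On the detection side, a NUL in a login field has no legitimate use, so the rule above can run at block rather than alert severity.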