Core Impact Exploit Library Additions
One of Core Impact’s most valuable features is its certified exploit library, maintained by a team (formerly Core Labs) within the Fortra Intelligence & Research Experts (FIRE) group. This team conducts in-depth research to evaluate and prioritize the most critical vulnerabilities, ensuring the library is updated with high-impact, reliable exploits that enable pen testers to use the same techniques as modern real-world threats.
While you can keep track of new releases through our exploit mailing list, our quarterly blogs provide a more detailed summary of recent additions to the library.
CVE-2025-27636: Apache Camel Header Filter Bypass Vulnerability
Authors: Marcos Accossatto, Nahuel González (QA), and Daniel De Luca (QA)
CVSS: Not formally scored yet, estimated Medium to High severity
CVE Reference: CVE-2025-27636
Key Vulnerability Details
- A header filter bypass/injection vulnerability exists in Apache Camel's default incoming header filter mechanism, enabling a network-based attack
- The default filter only blocks headers starting with "Camel", "camel", or "org.apache.camel", so it can be bypassed by altering letter casing, for example "cAmel" or "cAMEL"
- Impacted versions include Apache Camel 3.10.0 through 3.22.3, Apache Camel 4.8.0 through 4.8.4 LTS, Apache Camel 4.10.0 through 4.10.1 LTS
- Classified as Improper Handling of Case Sensitivity (CWE-178)
Exploitation Impact and Mitigation
- Successful exploitation could allow attackers to invoke arbitrary methods from the Bean registry using manipulated headers, which could lead to remote code execution when combined with components like camel-exec
- Apache has released patches in versions 4.10.2, 4.8.5, and 3.22.4
- Organizations can also use the removeHeaders EIP to filter out suspicious headers
Attacks in the Wild
- This vulnerability is being actively exploited in the wild and has been detected in over 70 countries
Exploitation Mechanism
- Exploit module uses a message header injection vulnerability to deploy an agent in Apache Camel.
- It will use the vulnerability to determine the underlying operating system and check if the target is vulnerable.
- If so, HTTP requests are crafted with manipulated Camel header names using case variations (e.g., "cAMEL" instead of "Camel").
- Malicious headers pass through to Camel components, altering their behavior.
- Depending on the component, this can lead to method invocation changes, queue manipulation, or potential command execution
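The case-sensitivity flaw above is easy to see in code. The block below is an added illustration, not Core Impact's module or Apache Camel's own code: it models the default incoming header filter as a simple prefix check (an assumption; Camel's real implementation is more involved) and places the case-sensitive version beside a hardened one that compares lower-cased names. The header names in the sample are constructed for the example.

```python
# Simplified model (assumption, not Camel's code) of the default incoming header
# filter described above: it drops headers whose names start with "Camel",
# "camel" or "org.apache.camel".
BLOCKED_PREFIXES = ("Camel", "camel", "org.apache.camel")


def filter_headers_case_sensitive(headers):
    """Vulnerable behaviour (CWE-178): an exact-case prefix match lets
    names such as 'cAmel...' or 'ORG.APACHE.CAMEL...' through."""
    return {name: value for name, value in headers.items()
            if not name.startswith(BLOCKED_PREFIXES)}


def filter_headers_case_insensitive(headers):
    """Hardened filter: compare the lower-cased name against lower-cased
    prefixes so every casing variant of a reserved name is blocked."""
    lowered = tuple(prefix.lower() for prefix in BLOCKED_PREFIXES)
    return {name: value for name, value in headers.items()
            if not name.lower().startswith(lowered)}


# Constructed sample of incoming HTTP headers (example names, not real Camel
# header names); the mixed-case entries are the casing trick the page describes.
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "CamelExampleHeader": "blocked-by-both",
    "cAmelExampleHeader": "slips-past-case-sensitive-filter",
    "ORG.APACHE.CAMEL.Example": "slips-past-case-sensitive-filter",
    "X-Request-Id": "constructed-1",
}


def leaked_headers(headers):
    """Names the case-sensitive filter passes but the hardened filter rejects:
    exactly the set an attacker could smuggle into Camel components."""
    weak = filter_headers_case_sensitive(headers)
    strong = filter_headers_case_insensitive(headers)
    return sorted(set(weak) - set(strong))


if __name__ == "__main__":
    print("case-sensitive filter keeps:  ", sorted(filter_headers_case_sensitive(SAMPLE_HEADERS)))
    print("case-insensitive filter keeps:", sorted(filter_headers_case_insensitive(SAMPLE_HEADERS)))
    print("leaked by the weak filter:    ", leaked_headers(SAMPLE_HEADERS))
```

When reviewing a header allow/deny list of your own, the test to apply is the `leaked_headers` comparison: any name that survives the deny list only because of its casing is a CWE-178 finding, and the fix is to normalize case before matching rather than to enumerate more spellings.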
CVE-2025-31161: CrushFTP Authentication Bypass Critical Vulnerability
Authors: Fernando Páez Barceló, Nahuel González (QA)
CVSS: 9.8 CRITICAL
CVE Reference: CVE-2025-31161 (originally tracked as CVE-2025-2825)
Key Vulnerability Details
- An authentication bypass vulnerability exists in CrushFTP file transfer software allowing unauthenticated access
- The flaw involves a race condition in AWS4-HMAC authorization method within CrushFTP's HTTP component
- Impacts CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0
- Classified as Authentication Bypass by Primary Weakness (CWE-305)
Exploitation Impact and Mitigation
- Successful exploitation allows attackers to impersonate any user including administrators without credentials
- This could lead to full system compromise, data theft, and installation of backdoors
- CrushFTP has released patches in versions 10.8.4 and 11.3.1
Attacks in the Wild
- This vulnerability has been actively exploited in the wild
- CISA has released an alert and added this vulnerability to the Known Exploited Vulnerabilities Catalog
Exploitation Mechanism
- Module sends HTTP GET request to /WebInterface/function/?command=getUserList&serverGroup=MainUsers
- This includes a 44-character string in the CrushAuth cookie.
- It then uses a malformed Authorization header to cause an index out-of-bounds error, preventing session cleanup
- The server validates user existence without password verification due to the race condition.
- Having achieved administrative access without valid credentials, further actions could include creating backdoor accounts, uploading malware, or exfiltrating data.
CVE-2025-23120: Veeam Backup & Replication Remote Code Execution
Authors: Marcos Accossatto, Nahuel González (QA)
CVSS: 9.9 CRITICAL
CVE Reference: CVE-2025-23120
Key Vulnerability Details
- A remote code execution vulnerability exists in Veeam Backup & Replication through deserialization flaws
- The vulnerability affects domain-joined Veeam servers, despite this being against security best practices
- Impacts Veeam Backup & Replication version 12.3.0.310 and all earlier version 12 builds
- Classified as Deserialization of Untrusted Data (CWE-502)
Exploitation Impact and Mitigation
- Successful exploitation allows any domain user to execute arbitrary code with Veeam privileges
- This could lead to backup destruction, data theft, and malware deployment
- Veeam has released patch version 12.3.1 (build 12.3.1.1139)
Attacks in the Wild
- No major attacks have been reported at this time
Exploitation Mechanism
- The module triggers the vulnerability by crafting a .NET class type object and sending it to the VeeamAuthService .NET remoting endpoint.
- Deserialization of the crafted object will execute system commands, prompting agent deployment.
- The agent is deployed with NT AUTHORITY\SYSTEM user privileges to access Veeam Backup and Replication.
CVE-2025-21333: Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege
Authors: Esteban Kazimirow, Nahuel González (QA)
CVSS: 7.8 HIGH
CVE Reference: CVE-2025-21333
Key Vulnerability Details
- An elevation of privilege vulnerability exists in Windows Hyper-V NT Kernel Integration Virtual Service Provider
- A flaw exists in the kernel component which allows a heap-based buffer overflow
- The vulnerability affects Windows 10, Windows 11, and Windows Server versions
- Vulnerability was discovered using an AI platform
- Classified as Heap-based Buffer Overflow (CWE-122)
Exploitation Impact and Mitigation
- Successful exploitation allows local attackers to elevate privileges to SYSTEM
- This could enable lateral movements and eventually complete system compromise
- Microsoft released patches as part of January 2025 Patch Tuesday
Attacks in the Wild
- This vulnerability was actively exploited in the wild as a zero-day
- CISA has added this vulnerability to the Known Exploited Vulnerabilities Catalog
Exploitation Mechanism
- Module sprays WNF objects to control heap layout.
- It then calls NtCreateCrossVmEvent with a malicious security descriptor to overflow a heap buffer.
- From there it frees corrupted WNF objects and replaces them with IORING RegBuffers and PipeAttribute objects.
- The system EPROCESS is then located and the token is copied to the target process.
- The current process token is overwritten to gain SYSTEM privileges.
- Corrupted objects are restored to avoid crashes.
CVE-2024-36394, CVE-2025-2776: SysAid On-Prem Unauthenticated Remote Code Execution Exploit
Authors: Marcos Accossatto, Daniel De Luca (QA)
CVSS: 9.8 CRITICAL, 9.3 CRITICAL
CVE Reference: CVE-2024-36394, CVE-2025-2776
Key Vulnerability Details
- CVE-2025-2776 – An XML External Entity (XXE) injection vulnerability exists in the Server URL processing functionality that enables unauthenticated attackers to achieve administrator account takeover and read arbitrary files
- CVE-2024-36394 – An OS command injection vulnerability exists in SysAid On-Prem that allows authenticated attackers to execute arbitrary commands
- When chained together, can lead to unauthenticated remote code execution
- Impacts SysAid On-Prem versions 23.3.40 and below
- Classified as OS Command Injection (CWE-78) and Improper Restriction of XML External Entity Reference (CWE-611)
Exploitation Impact and Mitigation
- Attackers can use CVE-2025-2776 to gain administrator access without authentication, then leverage CVE-2024-36394 to execute arbitrary system commands
- Can lead to full system compromise, data exfiltration, and lateral movement within the network
- SysAid released patches in version 24.4.60 (March 2025)
Attacks in the Wild
- This vulnerability chain has been actively exploited in the wild
- Both vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities Catalog
Exploitation Mechanism
- The module uses CVE-2025-2776, located in the com.ilient.mdm.GetMdmMessage Java class, to download the InitAccount.cmd file.
- This file contains the username and password of the main administrator in plain text in its first line.
- The module will then create a new identity with these credentials and will log into the application.
- The module will then exploit CVE-2024-36394 to execute system commands to deploy an agent.
CVE-2025-26125: IObit Malware Fighter Privilege Escalation Vulnerability
Authors: Cristian Rubio, Nahuel González (QA)
CVSS: 7.3 HIGH
CVE Reference: CVE-2025-26125
Key Vulnerability Details
- An elevation of privilege vulnerability exists in the IMFForceDelete driver of IObit Malware Fighter v12.1.0, allowing locally authenticated attackers to execute code with SYSTEM privileges
- The vulnerability stems from an exposed ioctl that enables attackers to arbitrarily delete files and escalate privileges through manipulation of critical system files
- Impacted versions include IObit Malware Fighter 12.1.0 and earlier
- Classified as Exposed IOCTL with Insufficient Access Control (CWE-782)
Exploitation Impact and Mitigation
- Successful exploitation can lead to a privilege escalation from a standard user to NT AUTHORITY\SYSTEM, granting an attacker full system control and the ability to perform any action on the compromised host
- Patches have been implemented into version 12.2.0 and beyond
Attacks in the Wild
- No major attacks have been reported at this time
Exploitation Mechanism
- The module leverages the vulnerable IMFForceDelete driver to gain the ability to arbitrarily delete files and folders from the system.
- Before deleting the file, the module backs up the file to the user's temporary folder.
- The module proceeds to delete critical system files.
- These files can then be recreated with weakened access controls, enabling the pen tester to elevate privileges.
CVE-2025-24054: Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerability
Authors: Marcos Accossatto, Nahuel González (QA)
CVSS: 6.5 MEDIUM
CVE Reference: CVE-2025-24054
Key Vulnerability Details
- A spoofing vulnerability exists in Windows NTLM that allows hash disclosure via crafted files
- The vulnerability requires minimal user interaction with a malicious .library-ms file
- Impacts all supported Windows and Windows Server versions
- Classified as External Control of File Name or Path (CWE-73)
Exploitation Impact and Mitigation
- Successful exploitation leaks NTLMv2-SSP hashes without the user executing the file
- Captured hashes can be cracked offline or used in relay attacks
- Microsoft released patches as part of March 2025 Patch Tuesday
Attacks in the Wild
- This vulnerability has been actively exploited in the wild, including a campaign targeting Polish and Romanian government agencies
- CISA has added this vulnerability to the Known Exploited Vulnerabilities Catalog
Exploitation Mechanism
- The exploit module creates a malicious .library-ms file.
- This file contains a reference to an attacker-controlled SMB server.
- When the file is viewed or selected, Windows initiates SMB authentication.
- NTLMv2-SSP hashes are captured by the pen tester’s server.
- Hashes are then used for offline cracking or relay attacks.
CVE-2025-31125: Vite Frontend Tooling Framework File Disclosure Vulnerability
Authors: Esteban Kazimirow, Nahuel González (QA)
CVSS: 5.3 MEDIUM
CVE Reference: CVE-2025-31125
Key Vulnerability Details
- An arbitrary file read vulnerability is present in Vite's development server, allowing unauthorized access to protected files.
- The vulnerability is the result of a flaw that enables bypass of server.fs.deny protections through specially crafted query parameters.
- Impacted versions include Vite 6.2.0 to 6.2.3, 6.1.0 to 6.1.3, 6.0.0 to 6.0.13, 5.0.0 to 5.4.16, and 0 to 4.5.11.
- Classified as Information Exposure (CWE-200) and Improper Access Control (CWE-284)
Exploitation Impact and Mitigation
- Unauthenticated attackers can read arbitrary files on the server including configuration files, source code, and sensitive data
- Patches have been implemented into Vite versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11
Attacks in the Wild
- No major attacks have been reported at this time
Exploitation Mechanism
- The exploit module crafts a malicious URL request
- The request is then sent to the Vite development server, which includes the target filename combined with a specific parameter.
- If the server responds with 200 OK, the module processes the Base64-encoded response through a decoding routine, which displays the file’s contents.
- The module can then save the leaked file locally.
CVE-2025-49113: Roundcube Webmail Remote Code Execution via PHP Object Deserialization
Authors: Marcos Accossatto, Daniel De Luca (QA)
CVSS: 9.9 CRITICAL
CVE Reference: CVE-2025-49113
Key Vulnerability Details
- A remote code execution vulnerability exists in Roundcube Webmail due to insecure deserialization of PHP objects in email processing functions
- This vulnerability, which remained undiscovered for a decade, stems from insufficient sanitization of user-supplied input during file upload operations, allowing attackers to inject malicious serialized PHP objects
- Impacted versions include Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11
- Classified as Deserialization of Untrusted Data (CWE-502)
Exploitation Impact and Mitigation
- Session tokens and other sensitive data can be exposed, potentially enabling unauthorized access to internal applications, VPNs, data center networks, and internal networks
- Authenticated users can execute arbitrary commands at the web server level, leading to full system compromise
- Roundcube has released patches in versions 1.5.10 and 1.6.11
Attacks in the Wild
- No major attacks have been reported at this time
- However, an exploit was found to be available for sale in at least one hacker forum, making exploitation attempts highly probable
- The exploit still works despite patches being implemented, but does require a working login
Exploitation Mechanism
- The module uses the given credentials to authenticate against Roundcube Webmail in the target.
- It will then generate a payload for agent deployment and abuse the _from parameter defined in the upload.php file to inject it in the $_SESSION variable.
- This variable will be processed by the unserialize function in the rcube_session class.
- Finally, the module will proceed to logout from the webapp to trigger the PHP object deserialization vulnerability and deploy the Core Impact agent.
CVE-2025-26633: Microsoft Management Console Security Feature Bypass
Authors: Esteban Kazimirow, Daniel De Luca (QA)
CVSS: 7.0 HIGH
CVE Reference: CVE-2025-26633
Key Vulnerability Details
- A security feature bypass vulnerability exists in Microsoft Management Console allowing attackers to bypass security restrictions through manipulation of .msc files
- The vulnerability allows attackers to bypass security restrictions by manipulating .msc files and the Multilingual User Interface Path (MUIPath)
- Impacts multiple Windows versions including Windows 10, 11, and Windows Server editions
- Classified as Improper Neutralization (CWE-707)
Exploitation Impact and Mitigation
- Successful exploitation allows attackers to maintain persistence and steal sensitive data from infected systems
- Microsoft released a patch for this vulnerability in a March security update
Attacks in the Wild
- This vulnerability has been actively exploited in the wild as a zero-day by the Russian threat actor EncryptHub (also tracked as LARVA-208 and Water Gamayun) targeting defense organizations
Exploitation Mechanism
- This module runs a malicious web server on the Core Impact Console and waits for an unsuspecting user to trigger the exploit by connecting to the web server.
- Once triggered, the server runs a script to fetch a PowerShell file.
- From there, it deploys a Core Impact agent.
CVE-2025-5777: Citrix NetScaler "CitrixBleed 2" Vulnerability
Authors: Marcos Accossatto, Daniel De Luca (QA)
CVSS: 9.3 CRITICAL
CVE Reference: CVE-2025-5777
Key Vulnerability Details
- A pre-authentication vulnerability exists, allowing memory disclosure through malformed POST requests
- Insufficient input validation leads to a memory over-read when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server
- Impacts NetScaler ADC and Gateway versions 14.1 prior to 14.1-43.56 and 13.1 prior to 13.1-58.32
- Classified as Use of Uninitialized Variable (CWE-457) and Out-of-Bounds Read (CWE-125)
Exploitation Impact and Mitigation
- If successfully exploited, attackers can easily retrieve memory contents by sending malformed POST requests during login attempts, potentially stealing user session tokens
- Patches have been implemented in versions 14.1-43.56 and 13.1-58.32
Attacks in the Wild
- Though debated, there is evidence that this vulnerability has been actively exploited in the wild
- CISA has added this vulnerability to the Known Exploited Vulnerabilities Catalog
Exploitation Mechanism
- This module will determine if the target system is vulnerable by obtaining a memory leak.
- The exploit first builds the target base URL (HTTP or HTTPS, with IP/port).
- It then crafts an authentication HTTP POST request to the vulnerable endpoint /p/u/doAuthentication.do, using randomized headers (such as User-Agent) and the payload; this is the trigger that abuses insufficient input validation inside Citrix NetScaler’s authentication handler.
- When the vulnerability exists, the server responds with XML that unintentionally includes memory contents inside <ReadOnly><InitialValue> ... </InitialValue>.
- The exploit parses the response looking for that marker and extracts the leaked data.
- Finally, the exploit converts the hex dump to ASCII, making it easier to spot sensitive values like cookies, session IDs, or passwords.
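Both the CrushFTP entry (request to /WebInterface/function/?command=getUserList with a 44-character CrushAuth cookie and an AWS4-HMAC Authorization header) and the NetScaler entry above (repeated POSTs to /p/u/doAuthentication.do with randomized User-Agent values) leave indicators in web access logs. The block below is an added detection example, not part of this post or of Core Impact: it scans constructed log lines in an assumed reverse-proxy format that records the User-Agent, Cookie and Authorization headers (most stock access-log formats do not, so the log format, the sample traffic and the burst threshold are all assumptions).

```python
import re
from collections import defaultdict

# Constructed sample log lines (not captured from any real system). Assumed
# reverse-proxy format, one request per line:
#   <src_ip> <method> <path> <status> ua="..." cookie="..." auth="..."
# The CrushAuth value on the first line is a constructed 44-character string.
SAMPLE_LOG = """\
203.0.113.7 GET /WebInterface/function/?command=getUserList&serverGroup=MainUsers 200 ua="curl/8.0" cookie="CrushAuth=0123456789012345678901234567890123456789abcd" auth="AWS4-HMAC-SHA256 Credential=constructed-example"
198.51.100.9 GET /WebInterface/function/?command=getUserList&serverGroup=MainUsers 200 ua="Mozilla/5.0" cookie="CrushAuth=1700000000000_LegitSessionExample" auth="-"
203.0.113.7 GET /WebInterface/ 200 ua="curl/8.0" cookie="-" auth="-"
192.0.2.44 POST /p/u/doAuthentication.do 200 ua="Mozilla/5.0 (X11)" cookie="-" auth="-"
192.0.2.44 POST /p/u/doAuthentication.do 200 ua="Mozilla/5.0 (Windows)" cookie="-" auth="-"
192.0.2.44 POST /p/u/doAuthentication.do 200 ua="Opera/9.80" cookie="-" auth="-"
192.0.2.44 POST /p/u/doAuthentication.do 200 ua="Wget/1.21" cookie="-" auth="-"
192.0.2.44 POST /p/u/doAuthentication.do 200 ua="python-requests/2.31" cookie="-" auth="-"
192.0.2.44 POST /p/u/doAuthentication.do 200 ua="curl/7.88" cookie="-" auth="-"
198.51.100.20 POST /p/u/doAuthentication.do 200 ua="Mozilla/5.0 (Windows)" cookie="-" auth="-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) '
    r'ua="(?P<ua>[^"]*)" cookie="(?P<cookie>[^"]*)" auth="(?P<auth>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def crushauth_value(cookie_header):
    """Pull the CrushAuth value out of a Cookie header ('a=1; CrushAuth=xyz')."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "CrushAuth":
            return value
    return None


def is_crushftp_bypass_attempt(rec):
    """CVE-2025-31161 indicator: getUserList request carrying an AWS4-HMAC
    Authorization header together with a 44-character CrushAuth cookie."""
    if "command=getUserList" not in rec["path"]:
        return False
    if not rec["auth"].startswith("AWS4-HMAC"):
        return False
    value = crushauth_value(rec["cookie"])
    return value is not None and len(value) == 44


def citrix_auth_bursts(records, threshold=5, min_distinct_ua=3):
    """CVE-2025-5777 indicator: many POSTs to the NetScaler login endpoint from
    one source with a churning User-Agent. Returns {src_ip: request_count}."""
    by_ip = defaultdict(list)
    for rec in records:
        if rec["method"] == "POST" and rec["path"] == "/p/u/doAuthentication.do":
            by_ip[rec["ip"]].append(rec["ua"])
    return {ip: len(uas) for ip, uas in by_ip.items()
            if len(uas) >= threshold and len(set(uas)) >= min_distinct_ua}


def scan(log_text):
    """Run both detections over a log and report the offending source addresses."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    crush = [r["ip"] for r in records if is_crushftp_bypass_attempt(r)]
    return {"crushftp": crush, "citrix": citrix_auth_bursts(records)}


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

The CrushFTP rule is a high-confidence match on the specific request shape described above; the NetScaler rule is a rate heuristic, so tune `threshold` to your login volume and treat a hit as a prompt to pull the full session and rotate any tokens issued to that source.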
CVE-2025-33053: Microsoft Internet Shortcut Remote File Execution Vulnerability Exploit
Authors: Ricardo Narvaja, Nahuel González (QA)
CVSS: 8.8 HIGH
CVE Reference: CVE-2025-33053
Key Vulnerability Details
- A remote code execution vulnerability exists in Microsoft’s Web Distributed Authoring and Versioning (WebDAV), which is a protocol for extending HTTP protocol functionality for interacting with files
- Attackers can force devices to execute arbitrary code remotely from WebDAV servers under their control
- Affects Windows 10, 11, and Windows Server versions with WebDAV enabled
- Classified as External Control of File Name or Path (CWE-610)
Exploitation Impact and Mitigation
- If successfully exploited, a built-in Windows tool can be tricked into executing a malicious executable from an attacker-controlled WebDAV location, allowing attackers to maintain stealth
- Can ultimately lead to complete system compromise
- Microsoft released a patch for this vulnerability in a June security update
Attacks in the Wild
- This vulnerability has been actively exploited in the wild by the APT group Stealth Falcon to deliver a tailor-made espionage tool to a major defense organization in Turkey
- CISA has added this vulnerability to the Known Exploited Vulnerabilities Catalog
Exploitation Mechanism
- This client-side exploit crafts a malicious .URL file that can be sent to a target via a phishing email.
- Once the targeted user clicks the file in the email, the executable is launched.
- It will then attempt to access the specified path (for example, a WebDAV or SMB share), resulting in the execution of arbitrary code.
CVE-2025-25257: Fortinet FortiWeb SQL Injection Vulnerability
Authors: Marcos Accossatto, Nahuel González (QA)
CVSS: 9.8 CRITICAL
CVE Reference: CVE-2025-25257
Key Vulnerability Details
- An SQL injection vulnerability exists in FortiWeb: improper neutralization of special elements used in an SQL command may allow an unauthenticated attacker to execute unauthorized SQL code
- A flaw exists in a function called "get_fabric_user_by_token" that's associated with the Fabric Connector component
- Impacts FortiWeb versions 7.6.0-7.6.3, 7.4.0-7.4.7, 7.2.0-7.2.10, and 7.0.0-7.0.10
- Classified as SQL injection (CWE-89)
Exploitation Impact and Mitigation
- If successfully exploited, attackers can achieve pre-authenticated remote code execution on vulnerable servers, ultimately leading to complete compromise of the FortiWeb appliance and connected infrastructure
- Fortinet addressed the issue with the release of security patches in versions 7.6.4, 7.4.8, 7.2.11, and 7.0.11
Attacks in the Wild
- Fortinet has confirmed this vulnerability has been actively exploited in the wild on FortiWeb
Exploitation Mechanism
- The module will first check if the target is vulnerable by sending a generic payload to the affected endpoint.
- Then, it will use the vulnerability to upload and write a webshell in disk that will allow the execution of OS commands to deploy an agent.
- Next, it will use the vulnerability again to upload, write and execute a Python script that gives execution permission to the uploaded webshell.
- Finally, it will send several requests to the webshell to deploy a Core Impact agent.
- Once the agent is deployed, the webshell and the Python script will be erased from the target system.
CVE-2025-32463: Sudo chroot Elevation of Privilege Vulnerability
Authors: Alexis Balbachan, Daniel De Luca (QA)
CVSS: 9.3 CRITICAL
CVE Reference: CVE-2025-32463
Key Vulnerability Details
- An elevation of privilege vulnerability exists in sudo's -R (--chroot) option that allows any local user to escalate privileges to root by tricking sudo into loading an arbitrary shared library
- The vulnerability stems from a change in sudo 1.9.14 that resolved paths via chroot() using the user-specified root directory while the sudoers file was still being evaluated
- Impacted versions include sudo 1.9.14 through 1.9.17 across all major Linux distributions including Ubuntu, Fedora, Debian, and RHEL
- Classified as an Inclusion of Functionality from Untrusted Control Sphere (CWE-829)
Exploitation Impact and Mitigation
- Successful exploitation allows any local, unprivileged user to gain root access without needing existing sudo permissions or special configurations
- This could lead to complete system compromise, allowing attackers to install malware, access sensitive data, modify system configurations, or establish persistent backdoors
- Patches have been implemented in version 1.9.17p1 and the chroot feature has been marked as deprecated, with plans to remove it entirely in future releases
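A practical first step for defenders is to inventory which hosts still run an affected sudo build. The script below is an added example, not Core Impact's module: it parses the version line that `sudo --version` prints (assumed to look like "Sudo version 1.9.17p1") and classifies it against the range stated above, 1.9.14 up to but not including the 1.9.17p1 fix. One caveat: distributions sometimes backport the fix without bumping the version string, so a "vulnerable" result from a version check should be confirmed against the distribution's package changelog or advisory before it is treated as a finding.

```python
import re
import subprocess

# Version boundaries taken from the advisory summary above: the chroot path
# resolution change landed in 1.9.14 and the fix shipped in 1.9.17p1.
# Versions are compared as (major, minor, patch, p-level) tuples.
FIRST_VULNERABLE = (1, 9, 14, 0)
FIXED = (1, 9, 17, 1)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text):
    """Extract (major, minor, patch, p-level) from `sudo --version` output.
    'Sudo version 1.9.17p1' -> (1, 9, 17, 1); a missing pN suffix counts as 0."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no sudo version found in: {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_vulnerable(version):
    """True when the upstream version lies in [1.9.14, 1.9.17p1).
    Note: does not account for distribution backports of the fix."""
    return FIRST_VULNERABLE <= version < FIXED


def check_local_sudo():
    """Run `sudo --version` on this host and classify the result.
    Returns (version_tuple, vulnerable) or None when sudo is not installed."""
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return None
    version = parse_sudo_version(out)
    return version, is_vulnerable(version)


if __name__ == "__main__":
    result = check_local_sudo()
    if result is None:
        print("sudo not found on this host")
    else:
        version, vulnerable = result
        label = ".".join(str(v) for v in version[:3]) + (f"p{version[3]}" if version[3] else "")
        print(f"sudo {label}: {'in the CVE-2025-32463 affected range' if vulnerable else 'outside the affected range'}")
```

The same `is_vulnerable` predicate can be fed from configuration-management inventory (for example the version field your package manager reports) instead of a local `sudo --version`, which is usually the faster way to sweep a fleet.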
Attacks in the Wild
- No major attacks have been reported at this time
Exploitation Mechanism
- This module creates a temporary directory structure that mimics a normal root environment.
- It then uploads a malicious /etc/nsswitch.conf, which calls a shared object that escalates privileges.
- The exploit is triggered when executing sudo with the -R flag pointing to the user-controlled directory.
- Lastly, the module installs a Core Impact agent running with root privileges.