[{"title":"n8n Improper Input Validation Unauthenticated RCE Exploit","body":"This module chains two vulnerabilities in n8n to achieve unauthenticated remote code execution. The module abuses a vulnerable unauthenticated form endpoint to read local files from the target system. That file read primitive is then used to recover the n8n home path, configuration data, and encryption key material. The module then reads the n8n SQLite database to extract administrator account data from the application datastore. With that information, it forges an authenticated administrator token and creates a malicious workflow through the n8n API.","created":"\u003Ctime datetime=\u00222026-03-31T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EMarch 31, 2026\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2026-21858\u0022 target=\u0022_blank\u0022\u003ECVE-2026-21858\u003C\/a\u003E, \u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-68613\u0022 target=\u0022_blank\u0022\u003ECVE-2025-68613\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ Remote Code Execution","field_product_name":"Impact"},{"title":"MSHTML Framework Security Feature Bypass Vulnerability Exploit","body":"This vulnerability involves the improper neutralization of special elements used in a command (\u0027command injection\u0027) in Windows MSHTML, allowing an unauthorized attacker to execute a crafted DLL file located in a shared folder and bypass Mark of the Web. The steps performed by the exploit are: Creates a DLL containing an Impact agent and places it in an SMB file share. It also creates an .lnk file for direct access. 
Using the provided link, download the .lnk file in the browser.","created":"\u003Ctime datetime=\u00222026-03-18T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EMarch 18, 2026\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2026-21513\u0022 target=\u0022_blank\u0022\u003ECVE-2026-21513\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Client Side","field_product_name":"Impact"},{"title":"FreeBSD rtsold IPv6 Remote Command Execution Exploit","body":"rtsold passes unvalidated domain search list options from router advertisement messages directly to the resolvconf shell script, which fails to properly quote its input. This allows an attacker on the local network to inject arbitrary shell commands that are executed with root privileges when the vulnerable system processes a malicious router advertisement. The deployed network agent will run with root privileges. The exploit performs the following steps: Builds the Ethernet envelope to ensure the data travels without OS restrictions.","created":"\u003Ctime datetime=\u00222026-03-05T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003EMarch 5, 2026\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-14558\u0022 target=\u0022_blank\u0022\u003ECVE-2025-14558\u003C\/a\u003E","field_exploit_platform":"FreeBSD","field_exploit_type":"Exploits \/ Remote","field_product_name":"Impact"},{"title":"Microsoft Windows Notepad Markdown Command Injection Exploit","body":"The vulnerability relates to an improper neutralization of special elements used in a command (\u0027command injection\u0027) in the Windows Notepad App, which allows an unauthorized attacker to execute code locally.","created":"\u003Ctime datetime=\u00222026-02-26T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003EFebruary 26, 2026\u003C\/time\u003E\n","field_cve_link":"\u003Ca 
href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2026-20841\u0022 target=\u0022_blank\u0022\u003ECVE-2026-20841\u003C\/a\u003E","field_exploit_platform":"","field_exploit_type":"Exploits \/ Client Side","field_product_name":"Impact"},{"title":"SolarWinds Web Help Desk Authentication Bypass Exploit (CVE-2025-40554)","body":"The vulnerability exists in the WebObjects request handling mechanism where improper validation of the badparam parameter allows attackers to bypass authentication controls. The exploit performs the following steps: Connects to SolarWinds Web Help Desk and retrieves initial session cookies. Searches through headers, cookies, and HTML for the WebObjects session identifier. Accesses a special route with manipulated \u0027badparam\u0027 parameters to test the bypass. Exploits the improperly validated \u0027badparam\u0027 parameter to bypass login and obtain admin session.","created":"\u003Ctime datetime=\u00222026-02-18T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003EFebruary 18, 2026\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-40554\u0022 target=\u0022_blank\u0022\u003ECVE-2025-40554\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Remote","field_product_name":"Impact"},{"title":"SmarterMail Unauthenticated Arbitrary File Upload Exploit","body":"This module exploits an unauthenticated arbitrary file upload in SmarterMail. The vulnerability consists of the arbitrary uploading of a non-binary file (asp, html, txt, etc.) to any location on the target machine without user authentication. However, the SmarterMail server listening on port 9998 (SYSTEM) simply uploads the file but cannot execute ASPX files. 
Furthermore, if the IIS server on port 80 is active, the file can be written to the root directory of that server and executed through it, with the permissions of the IIS user (a High Integrity Level user).","created":"\u003Ctime datetime=\u00222026-02-09T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003EFebruary 9, 2026\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-52691\u0022 target=\u0022_blank\u0022\u003ECVE-2025-52691\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Remote","field_product_name":"Impact"},{"title":"GNU Inetutils telnetd Authentication Bypass Vulnerability Remote Code Execution Exploit","body":"This module uses an authentication bypass vulnerability in telnetd to deploy a network agent. The module will bypass authentication by adding the \u0022-f root\u0022 value to the USER environment variable in a telnet connection. The deployed network agent will run with root user privileges.","created":"\u003Ctime datetime=\u00222026-01-27T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003EJanuary 27, 2026\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2026-24061\u0022 target=\u0022_blank\u0022\u003ECVE-2026-24061\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ Authentication Weakness \/ Known Vulnerabilities","field_product_name":"Impact"},{"title":"Asus Armoury Crate Elevation of Privilege Vulnerability Exploit","body":"An authorization bypass vulnerability exists in the AsIO3.sys functionality of Asus Armoury Crate. A specially crafted hard link can lead to an authorization bypass. An attacker can create a hard link to trigger this vulnerability. 
This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges.","created":"\u003Ctime datetime=\u00222026-01-26T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003EJanuary 26, 2026\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-3464\u0022 target=\u0022_blank\u0022\u003ECVE-2025-3464\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Local \/ Privilege Escalation","field_product_name":"Impact"},{"title":"Fortinet FortiWeb CLI SAML Config OS Command Injection Exploit","body":"This module uses an authenticated OS command injection vulnerability in Fortinet FortiWeb to deploy a python agent. First, the module will log in to the target application using the given credentials. If no credentials are supplied, the module will attempt to create a new user with administrative privileges (prof_admin) in the target system using random credentials via the CVE-2025-64446 vulnerability. If authentication succeeds, the module will save the new user credentials as an identity in Impact. Next, the module will retrieve the target system version via the \/api\/v2.0\/system\/state endpoint.","created":"\u003Ctime datetime=\u00222026-01-20T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003EJanuary 20, 2026\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-58034\u0022 target=\u0022_blank\u0022\u003ECVE-2025-58034\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ OS Command Injection \/ Known Vulnerabilities","field_product_name":"Impact"},{"title":"MongoDB Unauthenticated Remote Memory Leak Exploit","body":"MongoDB Server is vulnerable to a memory disclosure flaw due to improper validation of length parameters in Zlib-compressed protocol headers. This vulnerability allows unauthenticated remote attackers to read sensitive information from server memory. 
This module will check if the target machine is vulnerable and will try to dump memory contents to the Module Log window and also write them to a file. This memory dump may contain sensitive data, as explained above. This module performs the following steps: Establishes a TCP connection to the target MongoDB server on port 27017.","created":"\u003Ctime datetime=\u00222026-01-16T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003EJanuary 16, 2026\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-14847\u0022 target=\u0022_blank\u0022\u003ECVE-2025-14847\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ Remote","field_product_name":"Impact"},{"title":"Fortinet FortiWeb Relative Path Traversal Vulnerability Exploit","body":"This module uses a relative path traversal vulnerability that leads to an authentication bypass in Fortinet FortiWeb to create a new user with administrative privileges (prof_admin) in the target system. First, the module will check if the target is vulnerable to the authentication bypass by checking the path traversal against a specific endpoint with an empty payload. 
If the target is vulnerable, the vulnerability will be used again to create a new user with administrative privileges (prof_admin) in the target system using the provided credentials.","created":"\u003Ctime datetime=\u00222026-01-05T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003EJanuary 5, 2026\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-64446\u0022 target=\u0022_blank\u0022\u003ECVE-2025-64446\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ Authentication Weakness \/ Known Vulnerabilities","field_product_name":"Impact"},{"title":"Fortinet FortiWeb Relative Path Traversal Vulnerability Webapp Exploit","body":"This module uses a relative path traversal vulnerability that leads to an authentication bypass in Fortinet FortiWeb to create a new user with administrative privileges (prof_admin) in the target system. First, the module will check if the target is vulnerable to the authentication bypass by checking the path traversal against a specific endpoint with an empty payload. If the target is vulnerable, the vulnerability will be used again to create a new user with administrative privileges (prof_admin) in the target system using the provided credentials.","created":"\u003Ctime datetime=\u00222026-01-05T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003EJanuary 5, 2026\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-64446\u0022 target=\u0022_blank\u0022\u003ECVE-2025-64446\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ Authentication Weakness \/ Known Vulnerabilities","field_product_name":"Impact"},{"title":"React Server Components React2Shell Deserialization Vulnerability Remote Code Execution Exploit","body":"This module uses an insecure deserialization vulnerability in React Server Components to deploy an agent. 
The module will first check if the target is vulnerable by using the given endpoint with a generic payload. If the target is vulnerable, an OSCI agent will be deployed and the vulnerability will be used again, with a payload that will deploy an in-memory webshell. This webshell can be used later by the OSCI agent to execute OS commands or deploy a network agent. The deployed agent will run with the same privileges as the webapp.","created":"\u003Ctime datetime=\u00222025-12-12T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003EDecember 12, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-55182\u0022 target=\u0022_blank\u0022\u003ECVE-2025-55182\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ OS Command Injection \/ Known Vulnerabilities","field_product_name":"Impact"},{"title":"Windows Server Update Service WSUS Deserialization Remote Code Execution","body":"The vulnerability exists within the GetCookie() endpoint due to unsafe deserialization of AuthorizationCookie objects. The application insecurely decrypts cookie data using AES-128-CBC and subsequently deserializes it via BinaryFormatter without sufficient type validation. The deployed agent will run with SYSTEM privileges. This exploit performs the following steps: Retrieves the ServerID via a SOAP request to the ReportingWebService. Obtains an authorization cookie. Obtains a reporting cookie. Constructs and sends a malicious event payload. 
Checks the server\u0027s response to confirm success","created":"\u003Ctime datetime=\u00222025-12-09T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003EDecember 9, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-59287\u0022 target=\u0022_blank\u0022\u003ECVE-2025-59287\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Remote Code Execution","field_product_name":"Impact"},{"title":"Microsoft Windows SMB Client DNS Injection Remote Exploit","body":"This module exploits an access control issue in Windows SMB clients to deploy a remote agent with SYSTEM privileges through a multi-stage attack chain: 1. DNS Injection: Adds a malicious DNS record \u0027localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA\u0027 via LDAP to the domain controller, pointing to the attacker\u0027s IP address. 2. NTLM Relay: Starts an ntlmrelayx server that waits for SMB authentication attempts and relays them to install an agent with SYSTEM privileges on the target system. 3.","created":"\u003Ctime datetime=\u00222025-12-05T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003EDecember 5, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-33073\u0022 target=\u0022_blank\u0022\u003ECVE-2025-33073\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Remote","field_product_name":"Impact"},{"title":"Microsoft Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Exploit (CVE-2025-55680)","body":"The Windows Cloud Files Mini Filter module (clfs.sys) present in Microsoft Windows is vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition, which can result in arbitrary file write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. 
The steps performed by the exploit are: Start the RasMan service; create the sync root directory; create the junction directory; create the target junction and symlink; register the sync root; create threads to exploit the race condition and detect exploitation; trigger the race condition; write the agent and execute it.","created":"\u003Ctime datetime=\u00222025-12-01T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003EDecember 1, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-55680\u0022 target=\u0022_blank\u0022\u003ECVE-2025-55680\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Local \/ Privilege Escalation","field_product_name":"Impact"},{"title":"Microsoft Windows Agere Modem Driver Elevation of Privilege Vulnerability Exploit","body":"The Agere Windows Modem module (ltmdm64.sys) present in Microsoft Windows is vulnerable to an untrusted pointer dereference, which can result in an arbitrary memory write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges.","created":"\u003Ctime datetime=\u00222025-11-19T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003ENovember 19, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-24990\u0022 target=\u0022_blank\u0022\u003ECVE-2025-24990\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Local \/ Privilege Escalation","field_product_name":"Impact"},{"title":"Cisco Secure ASA files_action.lua Buffer Overflow DoS","body":"This module exploits an authentication bypass vulnerability combined with a buffer overflow in Cisco Secure ASA to cause a denial of service. First, the module will check if the target is vulnerable to the authentication bypass. 
If the target is vulnerable, it will proceed to cause the denial of service.","created":"\u003Ctime datetime=\u00222025-11-19T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003ENovember 19, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-20333\u0022 target=\u0022_blank\u0022\u003ECVE-2025-20333\u003C\/a\u003E, \u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-20362\u0022 target=\u0022_blank\u0022\u003ECVE-2025-20362\u003C\/a\u003E","field_exploit_platform":"","field_exploit_type":"Denial of Service \/ Remote","field_product_name":"Impact"},{"title":"Magento Open Source and Adobe Commerce SessionReaper Remote Code Execution Exploit","body":"This module exploits a nested PHP array object deserialization in the MagentoFrameworkSessionSessionManager class via the $sessionConfig variable using the \/rest\/default\/V1\/guest-carts\/abc\/order endpoint of Magento Open Source and Adobe Commerce to deploy an agent. First, the module will upload a PHP script in the \/pub\/media\/customer_address\/s\/e directory of the web application using the \/customer\/address_file\/upload endpoint. 
The default webroot directory value (\/var\/www\/html\/magento\/pub\/) can be changed using the WEBROOT module parameter.","created":"\u003Ctime datetime=\u00222025-11-05T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003ENovember 5, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-54236\u0022 target=\u0022_blank\u0022\u003ECVE-2025-54236\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ Remote Code Execution","field_product_name":"Impact"},{"title":"Magento Open Source and Adobe Commerce SessionReaper Remote Code Execution Webapp Exploit","body":"This module exploits a nested PHP array object deserialization in the MagentoFrameworkSessionSessionManager class via the $sessionConfig variable using the \/rest\/default\/V1\/guest-carts\/abc\/order endpoint of Magento Open Source and Adobe Commerce to deploy an agent. First, the module will upload a PHP script in the \/pub\/media\/customer_address\/s\/e directory of the web application using the \/customer\/address_file\/upload endpoint. The default webroot directory value (\/var\/www\/html\/magento\/pub\/) can be changed using the WEBROOT module parameter.","created":"\u003Ctime datetime=\u00222025-11-05T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003ENovember 5, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-54236\u0022 target=\u0022_blank\u0022\u003ECVE-2025-54236\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ Remote Code Execution","field_product_name":"Impact"},{"title":"Microsoft Windows Common Log File System Driver Elevation of Privilege Vulnerability Exploit (CVE-2025-29824)","body":"The Common Log File System Driver (clfs.sys) present in Microsoft Windows is vulnerable to a Use After Free, which can result in an arbitrary write. 
This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges.","created":"\u003Ctime datetime=\u00222025-11-03T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003ENovember 3, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-29824\u0022 target=\u0022_blank\u0022\u003ECVE-2025-29824\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Local \/ Privilege Escalation","field_product_name":"Impact"},{"title":"Oracle E-Business Suite getUiType Server-Side Request Forgery Remote Code Execution Vulnerability Exploit","body":"This module exploits a Server-Side Request Forgery via the getUiType parameter in the \/OA_HTML\/configurator\/UiServlet endpoint of Oracle E-Business Suite to deploy an agent. First, the module will register an endpoint in the local webserver that will be used in the attack to send an XSL file to the target that will execute system commands to deploy the agent. Then, it will retrieve a required CSRF token via the \/OA_HTML\/runforms.jsp and \/OA_HTML\/JavaScriptServlet endpoints.","created":"\u003Ctime datetime=\u00222025-10-20T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EOctober 20, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-61882\u0022 target=\u0022_blank\u0022\u003ECVE-2025-61882\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ Remote Code Execution","field_product_name":"Impact"},{"title":"Dell Unity getCASURL Remote OS Command Injection Exploit","body":"This module exploits an OS Command Injection present in the getCASURL perl function of Dell Unity to deploy an agent. The module will trigger the vulnerability by embedding the system commands to deploy the agent in a request to the \/misc endpoint. Spaces in the system command will be replaced with the ${IFS} shell variable. 
The deployed agent will run with the apache user account privileges.","created":"\u003Ctime datetime=\u00222025-10-14T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EOctober 14, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-36604\u0022 target=\u0022_blank\u0022\u003ECVE-2025-36604\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ OS Command Injection \/ Known Vulnerabilities","field_product_name":"Impact"},{"title":"Microsoft SharePoint Server DataSetSurrogateSelector Deserialization Remote OS Command Injection Exploit","body":"This module exploits an OS Command Injection via ASP.NET markup vulnerability present in the WikiContentWebpart Web Part of Microsoft SharePoint Server to deploy an agent. The deployed agent will run with the SharePoint Server service account privileges.","created":"\u003Ctime datetime=\u00222025-09-26T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003ESeptember 26, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-49704\u0022 target=\u0022_blank\u0022\u003ECVE-2025-49704\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ OS Command Injection \/ Known Vulnerabilities","field_product_name":"Impact"},{"title":"Microsoft Windows Kernel AppId Elevation of Privilege Vulnerability Exploit","body":"The Application Identity Service module (appid.sys) present in Microsoft Windows is vulnerable to an untrusted pointer dereference, which can result in arbitrary code execution. 
This module allows a local unprivileged user running as \u0022LOCAL SERVICE\u0022 to execute arbitrary code with SYSTEM privileges.","created":"\u003Ctime datetime=\u00222025-09-15T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003ESeptember 15, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-21338\u0022 target=\u0022_blank\u0022\u003ECVE-2024-21338\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Local \/ Privilege Escalation","field_product_name":"Impact"},{"title":"CrushFTP AS2 Authentication Bypass Vulnerability Exploit","body":"This module uses an authentication bypass vulnerability via a race condition in AS2 validation in CrushFTP to create a new administrative user in the target application. If the credentials for the new administrative user are not provided, the module will generate random ones. If the exploitation succeeds the credentials will be checked against the target. Also, if the module created random credentials for the attack, a new identity with these credentials will be created.","created":"\u003Ctime datetime=\u00222025-09-08T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003ESeptember 8, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-54309\u0022 target=\u0022_blank\u0022\u003ECVE-2025-54309\u003C\/a\u003E","field_exploit_platform":"Windows, Linux","field_exploit_type":"Exploits \/ Remote","field_product_name":"Impact"},{"title":"Microsoft Windows TCP IP IPv6 remote DoS (CVE-2024-38063)","body":"A memory corruption vulnerability in the Windows IPv6 stack allows remote Denial of Service via maliciously crafted IPv6 Fragment Header packets. Exploitation requires no authentication or user interaction. Attackers need only send specially designed packets to vulnerable hosts. Impacts all Windows versions with IPv6 enabled (default since Windows 10). 
This exploit performs the following steps: Obtains the data needed to launch the attack, such as the local device ID and target MAC address. Sets the IPv6 headers.","created":"\u003Ctime datetime=\u00222025-09-05T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003ESeptember 5, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-38063\u0022 target=\u0022_blank\u0022\u003ECVE-2024-38063\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Denial of Service \/ Remote","field_product_name":"Impact"},{"title":"Progress OpenEdge saveSvcConfig Remote OS Command Injection Exploit","body":"This module uses an authenticated OS command injection vulnerability to deploy an agent in the target system that will run with NT AUTHORITY\\\\SYSTEM user privileges. The vulnerability is present in the saveSvcConfig method of the com.progress.ubroker.tools.AbstractGuiPluginRemObj java class. The vulnerable class can be reached by creating an instance of the com.progress.chimera.adminserver.AdminContext class via the com.progress.chimera.adminserver.IAdminServer interface.","created":"\u003Ctime datetime=\u00222025-09-04T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003ESeptember 4, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-7388\u0022 target=\u0022_blank\u0022\u003ECVE-2025-7388\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ OS Command Injection \/ Known Vulnerabilities","field_product_name":"Impact"},{"title":"Microsoft Windows File Explorer Spoofing Information Disclosure Exploit","body":"This module exploits a high-severity vulnerability in Windows File Explorer. The exploit works by creating a specially crafted .lnk (shortcut) file that, when placed in a folder viewed by a victim, forces the system to automatically connect to an attacker-controlled SMB server. 
This connection happens without any user interaction and results in the victim\u0027s NTLM hash being sent to the attacker. It is possible to use tools like \u0022John the Ripper\u0022 to attempt to recover the original password associated with the hash.","created":"\u003Ctime datetime=\u00222025-08-29T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EAugust 29, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-50154\u0022 target=\u0022_blank\u0022\u003ECVE-2025-50154\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Client Side \/ Authentication Coercion","field_product_name":"Impact"},{"title":"Microsoft Windows Local Session Manager DoS","body":"This module triggers a denial-of-service flaw in the Windows Local Session Manager (LSM). It was found to exist in Windows 11 but not in Windows 10. The vulnerability allows an authenticated, low-privileged user to crash the LSM service by making a simple Remote Procedure Call (RPC) to the RpcGetSessionIds function. The impact of this vulnerability is significant, as a crash of the LSM service can prevent users from logging in or out and affects services that depend on LSM, such as Remote Desktop Protocol (RDP) and Microsoft Defender.","created":"\u003Ctime datetime=\u00222025-08-21T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EAugust 21, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-26651\u0022 target=\u0022_blank\u0022\u003ECVE-2025-26651\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Denial of Service \/ Remote","field_product_name":"Impact"},{"title":"Microsoft Windows Disk Cleanup Tool Privilege Escalation Exploit","body":"A vulnerability in the update service of Microsoft Windows Disk Cleanup Tool could allow an authenticated local attacker to execute a crafted dll with SYSTEM user privileges. 
The steps performed by the exploit are: First, it creates 3 folders: C:\\$Windows.~WS, C:\\ESD\\Windows, C:\\ESD\\Download, inserts dummy .txt files and pauses. Create a thread to run the first stage of the executable FolderOrFileDeleteToSystem to set up the Config.msi. Create a second thread to run the second executable FolderContentsDeleteToFolderDelete to redirect content cleanup from C:\\ESD\\Windows to C:\/Config.msi.","created":"\u003Ctime datetime=\u00222025-08-13T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EAugust 13, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-21420\u0022 target=\u0022_blank\u0022\u003ECVE-2025-21420\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Local \/ Privilege Escalation","field_product_name":"Impact"},{"title":"Wing FTP Server Remote Command Execution Exploit","body":"An attacker can exploit this vulnerability to run remote commands on the target, achieving code execution. The vulnerability stems from how the WingFTP server usernames are processed, allowing attackers to execute arbitrary commands. When the server does not allow anonymous access, successful exploitation of this vulnerability requires valid user credentials (username and password). This exploit performs the following steps: Sends a POST request to loginok.html with the malicious command in the username field. 
Extracts the session cookie (UID).","created":"\u003Ctime datetime=\u00222025-08-07T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EAugust 7, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-47812\u0022 target=\u0022_blank\u0022\u003ECVE-2025-47812\u003C\/a\u003E","field_exploit_platform":"Windows, Linux","field_exploit_type":"Exploits \/ Remote","field_product_name":"Impact"},{"title":"Sudo Chroot Privilege Escalation Exploit (CVE-2025-32463)","body":"A critical vulnerability (CVE-2025-32463) was discovered in Sudo versions 1.9.14 through 1.9.17. The vulnerability allows local users to obtain root access by exploiting the --chroot option, where \/etc\/nsswitch.conf from a user-controlled directory is used. This exploit creates a temporary directory structure that mimics a normal root environment and uploads a malicious \/etc\/nsswitch.conf which in turn calls a shared object that escalates privileges. The exploit is triggered when executing sudo with the -R flag pointing to the user-controlled directory.","created":"\u003Ctime datetime=\u00222025-08-01T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EAugust 1, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-32463\u0022 target=\u0022_blank\u0022\u003ECVE-2025-32463\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ Local \/ Privilege Escalation","field_product_name":"Impact"},{"title":"Kibana Local File Inclusion Exploit","body":"Kibana\u0027s API does not sanitize one of its methods\u0027 parameters, allowing an attacker to specify any file on the target system; this file will be treated as JavaScript and executed.","created":"\u003Ctime datetime=\u00222025-07-22T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EJuly 22, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2018-17246\u0022 
target=\u0022_blank\u0022\u003ECVE-2018-17246\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ Local File Inclusion","field_product_name":"Impact"},{"title":"VMware Workspace ONE Access LocalPasswordAuthAdapter Authentication Bypass Vulnerability Exploit","body":"This module connects to the remote host and attempts to determine, by sending specially crafted requests, if the target is vulnerable to CVE-2022-22972 based on the inspection of the target\u0027s response. If the target is vulnerable, the module will output the cookie obtained in the authentication bypass (HZN cookie).","created":"\u003Ctime datetime=\u00222025-07-22T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EJuly 22, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2022-22972\u0022 target=\u0022_blank\u0022\u003ECVE-2022-22972\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ Remote","field_product_name":"Impact"},{"title":"SolarWinds Web Help Desk Hardcoded Credentials Vulnerability Exploit","body":"This vulnerability (CVE-2024-28987) is caused by the presence of hardcoded credentials in the application, allowing unauthenticated attackers to remotely read and modify all help desk ticket details. It enables authentication with a predefined account (helpdeskIntegrationUser\/dev-C4F8025E7). Affected versions include SolarWinds Web Help Desk 12.8.3 Hotfix 1 and all previous versions. An attacker exploiting this vulnerability can: - Access the REST API without requiring valid credentials. 
- Retrieve sensitive information from support tickets.","created":"\u003Ctime datetime=\u00222025-07-22T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EJuly 22, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-28987\u0022 target=\u0022_blank\u0022\u003ECVE-2024-28987\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Remote","field_product_name":"Impact"},{"title":"SNMPv3 HMAC Bypass Exploit","body":"This module connects to an SNMPv3 agent in order to determine if it is vulnerable to the HMAC authentication bypass.","created":"\u003Ctime datetime=\u00222025-07-22T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EJuly 22, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2008-0960\u0022 target=\u0022_blank\u0022\u003ECVE-2008-0960\u003C\/a\u003E","field_exploit_platform":"","field_exploit_type":"Exploits \/ Remote","field_product_name":"Impact"},{"title":"Samba SMBv1 Out-Of-Bounds Read Information Disclosure Vulnerability Exploit","body":"This module connects to the remote host and attempts to determine, by sending specially crafted requests, if the target is vulnerable to CVE-2022-32742 based on the inspection of the target\u0027s response.","created":"\u003Ctime datetime=\u00222025-07-22T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EJuly 22, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2022-32742\u0022 target=\u0022_blank\u0022\u003ECVE-2022-32742\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ Remote","field_product_name":"Impact"},{"title":"Progress OpenEdge authorizeUser Authentication Bypass Vulnerability Exploit","body":"An authentication bypass vulnerability in Progress OpenEdge allows unauthenticated remote attackers to authenticate in the target application as NT AUTHORITY\/SYSTEM. 
The vulnerability is present in the native system library auth.dll and is reached via the authorizeUser function. This module performs the vulnerability verification by creating an instance of the com.progress.chimera.adminserver.AdminContext class via the com.progress.chimera.adminserver.IAdminServer interface. All requests to the target will be made using Java RMI requests.","created":"\u003Ctime datetime=\u00222025-07-22T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EJuly 22, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-1403\u0022 target=\u0022_blank\u0022\u003ECVE-2024-1403\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Remote","field_product_name":"Impact"},{"title":"Palo Alto PAN-OS GlobalProtect Unmarshal Reflection Vulnerability Exploit","body":"An unmarshal reflection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software allows unauthenticated remote attackers to create empty arbitrary directories and files in the operating system. If device telemetry is enabled, then remote OS command injection is possible via the dt_curl python module. This module performs the vulnerability verification in three steps. The first step does a control check using a random filename against the \/images directory. 
Since this file shouldn\u0027t exist in the target webapp, the webserver will return a 404 HTTP code.","created":"\u003Ctime datetime=\u00222025-07-22T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EJuly 22, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-3400\u0022 target=\u0022_blank\u0022\u003ECVE-2024-3400\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ Remote","field_product_name":"Impact"},{"title":"MySQL Authentication Bypass Exploit","body":"This module connects to a MySQL server in order to determine if it is vulnerable to the memcmp authentication bypass.","created":"\u003Ctime datetime=\u00222025-07-22T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EJuly 22, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2012-2122\u0022 target=\u0022_blank\u0022\u003ECVE-2012-2122\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ Remote","field_product_name":"Impact"},{"title":"Microsoft Windows NetLogon CVE-2020-1472 Exploit","body":"This module connects to the remote domain controller host and attempts to determine, by sending a specially crafted packet, if the target is vulnerable to CVE-2020-1472 based on the inspection of the target\u0027s response.","created":"\u003Ctime datetime=\u00222025-07-22T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EJuly 22, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2020-1472\u0022 target=\u0022_blank\u0022\u003ECVE-2020-1472\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Remote","field_product_name":"Impact"},{"title":"IBM DB2 Web Query for IBM i Log4shell Vulnerability Exploit","body":"This module connects to the remote host and attempts to determine by sending specially crafted requests, if the target is vulnerable to CVE-2021-44228 based on the 
inspection of the target\u0027s response.","created":"\u003Ctime datetime=\u00222025-07-22T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EJuly 22, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2021-44228\u0022 target=\u0022_blank\u0022\u003ECVE-2021-44228\u003C\/a\u003E","field_exploit_platform":"","field_exploit_type":"Exploits \/ Remote","field_product_name":"Impact"},{"title":"Fortra GoAnywhere MFT InitialAccountSetup Direct Request Vulnerability Exploit","body":"This module connects to the remote host and attempts to determine, by sending specially crafted requests, whether the target is vulnerable to CVE-2024-0204 based on the inspection of the target\u0027s response. If the target is vulnerable, the module will create a new admin user in the target system using the provided credentials. If no credentials are provided, it will generate random ones. Also, the new admin credentials will be added as an identity.","created":"\u003Ctime datetime=\u00222025-07-22T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EJuly 22, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-0204\u0022 target=\u0022_blank\u0022\u003ECVE-2024-0204\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Remote","field_product_name":"Impact"},{"title":"Fortinet FortiGate SSL VPN Remote Code Execution Vulnerability Exploit","body":"This module connects to the remote host and attempts to determine, by sending specially crafted requests, if the target is vulnerable to CVE-2023-27997. The detection of the vulnerability is probabilistic. The module does ~400 requests triggering the heap overflow in a special way so that it doesn\u0027t corrupt anything used in memory, and another ~400 requests without doing the overflow. Then it calculates the mean of each group and does a Welch\u0027s T-Test. 
It could be the case that the result of the test is not reliable. In that case, the module is going to repeat the process.","created":"\u003Ctime datetime=\u00222025-07-22T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EJuly 22, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2023-27997\u0022 target=\u0022_blank\u0022\u003ECVE-2023-27997\u003C\/a\u003E","field_exploit_platform":"","field_exploit_type":"Exploits \/ Remote","field_product_name":"Impact"},{"title":"Conficker Exploit","body":"This module connects to a remote target via any exposed DCE RPC endpoints and fingerprints them to determine if the machine appears to be compromised by the Conficker worm. The module is able to detect B, C and D variants of the worm.","created":"\u003Ctime datetime=\u00222025-07-22T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EJuly 22, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2008-4250\u0022 target=\u0022_blank\u0022\u003ECVE-2008-4250\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Remote","field_product_name":"Impact"},{"title":"Cisco IOS XE WMSA Encoding Bypass Vulnerability Exploit","body":"This module connects to the remote host and attempts to determine by sending specially crafted requests, if the target is vulnerable to CVE-2023-20198 based on the inspection of the target\u0027s response. If the target is vulnerable, the module will create a new local administrator user in the target system using the provided credentials. 
Also, the new credentials will be added as an identity.","created":"\u003Ctime datetime=\u00222025-07-22T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EJuly 22, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2023-20198\u0022 target=\u0022_blank\u0022\u003ECVE-2023-20198\u003C\/a\u003E","field_exploit_platform":"","field_exploit_type":"Exploits \/ Remote","field_product_name":"Impact"},{"title":"Atlassian Questions for Confluence Hardcoded Credentials Vulnerability Exploit","body":"This module connects to the remote host and attempts to determine, by sending specially crafted requests, if the target is vulnerable to CVE-2022-26138 based on the inspection of the target\u0027s response. If the target is vulnerable, the module will output the cookie obtained in the authentication process.","created":"\u003Ctime datetime=\u00222025-07-22T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EJuly 22, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2022-26138\u0022 target=\u0022_blank\u0022\u003ECVE-2022-26138\u003C\/a\u003E","field_exploit_platform":"Windows, Linux","field_exploit_type":"Exploits \/ Remote","field_product_name":"Impact"},{"title":"Fortinet FortiWeb get_fabric_user_by_token SQL Injection Vulnerability Exploit","body":"This module uses a SQL injection vulnerability in Fortinet FortiWeb to deploy an agent in the appliance that will run with root user privileges. The vulnerability is reached via the \/api\/fabric\/device\/status endpoint. The module will first check if the target is vulnerable using the previous endpoint with a generic payload. 
Then, it will use the vulnerability to upload and write a webshell in disk that will allow the execution of OS commands to deploy an agent.","created":"\u003Ctime datetime=\u00222025-07-21T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EJuly 21, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-25257\u0022 target=\u0022_blank\u0022\u003ECVE-2025-25257\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ Remote Code Execution","field_product_name":"Impact"},{"title":"Speculative Store Bypass Exploit","body":"Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4.","created":"\u003Ctime datetime=\u00222025-07-21T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EJuly 21, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2018-3639\u0022 target=\u0022_blank\u0022\u003ECVE-2018-3639\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ Local","field_product_name":"Impact"},{"title":"Spectre Exploit","body":"Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. 
In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.","created":"\u003Ctime datetime=\u00222025-07-21T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EJuly 21, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2017-5153\u0022 target=\u0022_blank\u0022\u003ECVE-2017-5153\u003C\/a\u003E","field_exploit_platform":"Linux, Windows","field_exploit_type":"Exploits \/ Local","field_product_name":"Impact"},{"title":"NTFS Set Short Name Exploit","body":"This module allows setting the 8.3 short name of a file when you don\u0027t have write privileges to the directory where the file is located. The vulnerability exists because NtfsSetShortNameInfo does not properly impose security restrictions in NTFS Set Short Name, which leads to a security restrictions bypass and privilege escalation.","created":"\u003Ctime datetime=\u00222025-07-21T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EJuly 21, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2021-43240\u0022 target=\u0022_blank\u0022\u003ECVE-2021-43240\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Local","field_product_name":"Impact"},{"title":"Meltdown Exploit","body":"Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system. 
On Linux systems, it must be executed on an agent with root privileges.","created":"\u003Ctime datetime=\u00222025-07-21T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EJuly 21, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2017-5754\u0022 target=\u0022_blank\u0022\u003ECVE-2017-5754\u003C\/a\u003E","field_exploit_platform":"Linux, Windows","field_exploit_type":"Exploits \/ Local","field_product_name":"Impact"},{"title":"Mark Of The Web Vulnerability Exploit","body":"A Windows ZIP extraction bug (CVE-2022-41049) lets attackers craft ZIP files which evade warnings on attempts to execute packaged files, even if the ZIP file was downloaded from the Internet. The \u0022Mark Of The Web\u0022 is not transferred from the zipped file to the unzipped file if the target is vulnerable.","created":"\u003Ctime datetime=\u00222025-07-21T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EJuly 21, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2022-41049\u0022 target=\u0022_blank\u0022\u003ECVE-2022-41049\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Local","field_product_name":"Impact"},{"title":"glibc getaddrinfo Buffer Overflow Exploit","body":"This module executes a program designed to check for a buffer overflow in glibc\u0027s getaddrinfo function. 
Multiple stack-based buffer overflows in the send_dg and send_vc functions in the libresolv library in the GNU C Library allow remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family.","created":"\u003Ctime datetime=\u00222025-07-21T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EJuly 21, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2015-7547\u0022 target=\u0022_blank\u0022\u003ECVE-2015-7547\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ Local","field_product_name":"Impact"},{"title":"GHOST glibc gethostbyname Buffer Overflow Exploit","body":"This module executes a program designed to test a buffer overflow in glibc\u0027s __nss_hostname_digits_dots function. The function is used by the gethostbyname*() functions family used for name resolution. Under some circumstances, the use of those functions when the vulnerable underlying function is present, may lead to remote code execution, privilege escalation, or information disclosure.","created":"\u003Ctime datetime=\u00222025-07-21T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EJuly 21, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2015-0235\u0022 target=\u0022_blank\u0022\u003ECVE-2015-0235\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ Local","field_product_name":"Impact"},{"title":"Microsoft Internet Shortcut Remote File Execution Vulnerability Exploit","body":"The vulnerability relates to the use of Windows .URL files to execute a remote binary via a UNC path. 
When the targeted user opens or previews the .URL file (for example, from an email), the system attempts to access the specified path (for example, a WebDAV or SMB share), resulting in the execution of arbitrary code.","created":"\u003Ctime datetime=\u00222025-07-17T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EJuly 17, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-33053\u0022 target=\u0022_blank\u0022\u003ECVE-2025-33053\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Client Side","field_product_name":"Impact"},{"title":"Citrix NetScaler ADC and Gateway Memory Overread Vulnerability CitrixBleed2 Exploit","body":"An insufficient input validation leading to memory overread in Citrix NetScaler ADC and Citrix NetScaler Gateway when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server may allow unauthenticated remote attackers to exfiltrate cookies, session IDs, or passwords from the target application. The vulnerability is reached via the \/p\/u\/doAuthentication.do endpoint. This module will attempt to trigger the vulnerability to determine if the target system is vulnerable.","created":"\u003Ctime datetime=\u00222025-07-08T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EJuly 8, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-5777\u0022 target=\u0022_blank\u0022\u003ECVE-2025-5777\u003C\/a\u003E","field_exploit_platform":"FreeBSD","field_exploit_type":"Exploits \/ Remote","field_product_name":"Impact"},{"title":"Microsoft Management Console MSC Exploit (CVE-2025-26633)","body":"This module exploits a vulnerability in Microsoft Management Console (MMC). This module runs a malicious web server on the CORE IMPACT Console and waits for an unsuspecting user to trigger the exploit by connecting to the web server. 
The Microsoft Management Console contains a security flaw that allows remote code execution via malicious .msc files with embedded ActiveX control. An attacker sends a crafted .msc file with embedded ActiveX containing a link to a malicious server. The server executes a script to fetch a PowerShell file ultimately deploying an agent.","created":"\u003Ctime datetime=\u00222025-07-03T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EJuly 3, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-26633\u0022 target=\u0022_blank\u0022\u003ECVE-2025-26633\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Client Side","field_product_name":"Impact"},{"title":"Roundcube Webmail unserialize PHP Object Deserialization Vulnerability Exploit","body":"This module uses an authenticated PHP object deserialization vulnerability to deploy an agent in Roundcube Webmail that will run with the same privileges as the webapp. The module will use the given credentials to authenticate against Roundcube Webmail in the target. Then, it will generate a payload for agent deployment and abuse the _from parameter defined in the upload.php file to inject it in the $_SESSION variable. This variable will be processed by the unserialize function in the rcube_session class.","created":"\u003Ctime datetime=\u00222025-06-12T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EJune 12, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-49113\u0022 target=\u0022_blank\u0022\u003ECVE-2025-49113\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ Remote Code Execution","field_product_name":"Impact"},{"title":"Vite Arbitrary File Read Exploit (CVE-2025-31125)","body":"The Vite development server is vulnerable to arbitrary file read due to insufficient path validation when processing URL requests. 
This exploit sends a crafted URL request to the Vite development server that includes the target filename combined with a specific parameter. If the server responds 200 OK, the exploit decodes the server\u0027s Base64-encoded response and displays the file contents. Optionally, the exploit can save the leaked file locally at the location the user defines in the OUTPUT_PATH parameter.","created":"\u003Ctime datetime=\u00222025-06-05T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EJune 5, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-31125\u0022 target=\u0022_blank\u0022\u003ECVE-2025-31125\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ Remote File Disclosure","field_product_name":"Impact"},{"title":"Microsoft Windows library-ms NTLMv2 Information Disclosure Exploit","body":"This exploit leverages an information disclosure vulnerability in Microsoft Windows. By crafting a malicious .library-ms file, an attacker can coerce authentication to an untrusted server and steal NTLMv2 hashes. This exploit does not install an agent; it obtains the NTLMv2 hash of a legitimate user. It is possible to use tools like \u0022John the Ripper\u0022 to attempt to crack the hash and recover the original password.","created":"\u003Ctime datetime=\u00222025-05-28T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EMay 28, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-24054\u0022 target=\u0022_blank\u0022\u003ECVE-2025-24054\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Client Side \/ Authentication Coercion","field_product_name":"Impact"},{"title":"IObit Malware Fighter Arbitrary File Delete Exploit","body":"This module exploits an arbitrary file deletion vulnerability that allows an unprivileged user to delete files in protected folders. 
Before deleting the file, the module backs up the file to the user\u0027s temporary folder.","created":"\u003Ctime datetime=\u00222025-05-21T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EMay 21, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-26125\u0022 target=\u0022_blank\u0022\u003ECVE-2025-26125\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Local \/ Privilege Escalation","field_product_name":"Impact"},{"title":"SysAid on-prem GetMdmMessage XML External Entity Remote Code Execution Vulnerability Exploit","body":"This module uses an XML External Entity vulnerability in combination with an authenticated OS command injection to deploy an agent in SysAid on-prem that will run with the sysaidinternal user privileges. The module will use the XML External Entity vulnerability located in the com.ilient.mdm.GetMdmMessage Java class and accessed via the \/mdm\/serverurl endpoint to download the InitAccount.cmd file located in the C:\\Program Files\\SysAidServer\\logs folder. 
The InitAccount.cmd contains the username and password of the main administrator in plain text in its first line.","created":"\u003Ctime datetime=\u00222025-05-16T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EMay 16, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-2776\u0022 target=\u0022_blank\u0022\u003ECVE-2025-2776\u003C\/a\u003E, \u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-36394\u0022 target=\u0022_blank\u0022\u003ECVE-2024-36394\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ OS Command Injection \/ Known Vulnerabilities","field_product_name":"Impact"},{"title":"SysAid on-prem GetMdmMessage XML External Entity Remote Code Execution Vulnerability Webapp Exploit","body":"This module uses an XML External Entity vulnerability in combination with an authenticated OS command injection to deploy an agent in SysAid on-prem that will run with the sysaidinternal user privileges. The module will use the XML External Entity vulnerability located in the com.ilient.mdm.GetMdmMessage Java class and accessed via the \/mdm\/serverurl endpoint to download the InitAccount.cmd file located in the C:\\Program Files\\SysAidServer\\logs folder. 
The InitAccount.cmd contains the username and password of the main administrator in plain text in its first line.","created":"\u003Ctime datetime=\u00222025-05-16T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EMay 16, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-2776\u0022 target=\u0022_blank\u0022\u003ECVE-2025-2776\u003C\/a\u003E, \u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-36394\u0022 target=\u0022_blank\u0022\u003ECVE-2024-36394\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ OS Command Injection \/ Known Vulnerabilities","field_product_name":"Impact"},{"title":"Windows Hyper-V NT Kernel Integration VSP Privilege Escalation Exploit (CVE-2025-21333)","body":"The vulnerability in vkrnlintvsp.sys (VkiRootAdjustSecurityDescriptorForVmwp()) stems from insufficient validation of the Dacl AclSize field in a Security Descriptor. Since this value is user-controlled, an attacker can trigger an integer overflow in the ExAllocatePool2() size calculation, leading to a heap-based buffer overflow, which allows a local attacker to escalate privileges. The steps performed by the exploit are: Sprays WNF objects to control heap layout. 
Calls NtCreateCrossVmEvent with a malicious Security Descriptor to overflow a heap buffer.","created":"\u003Ctime datetime=\u00222025-05-09T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EMay 9, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-21333\u0022 target=\u0022_blank\u0022\u003ECVE-2025-21333\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Local \/ Privilege Escalation","field_product_name":"Impact"},{"title":"Veeam Backup and Replication Blacklist xmlFrameworkDs NET Deserialization Vulnerability Remote Code Execution Exploit","body":"This module uses a .NET deserialization vulnerability to deploy an agent in Veeam Backup and Replication that will run with the NT AUTHORITY\\SYSTEM user privileges. The module will trigger the vulnerability by crafting a Veeam.Backup.EsxManager.xmlFrameworkDs .NET class type object and sending it to the \/VeeamAuthService .NET remoting endpoint using an external .NET executable. The deserialization of the crafted object will execute system commands to deploy the agent.","created":"\u003Ctime datetime=\u00222025-04-30T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EApril 30, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-23120\u0022 target=\u0022_blank\u0022\u003ECVE-2025-23120\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Remote Code Execution","field_product_name":"Impact"},{"title":"CrushFTP WebInterface Auth Bypass Exploit","body":"This vulnerability enables unauthenticated attackers to bypass authentication in CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. The vulnerability stems from how the CrushAuth cookie and AWS4-style Authorization header are processed, allowing attackers to impersonate an administrator by crafting specific values using a valid username. 
A valid username is required for the attack to succeed, but no password is needed. By default, CrushFTP includes a built-in administrative user named crushadmin.","created":"\u003Ctime datetime=\u00222025-04-24T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EApril 24, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-31161\u0022 target=\u0022_blank\u0022\u003ECVE-2025-31161\u003C\/a\u003E","field_exploit_platform":"Windows, Linux","field_exploit_type":"Exploits \/ Remote","field_product_name":"Impact"},{"title":"Apache Camel Message Header Injection Vulnerability Remote Code Execution Webapp Exploit","body":"This module uses a message header injection vulnerability to deploy an agent in Apache Camel that will run with the same privileges as the webapp. First, this module will use the vulnerability to determine the underlying OS system and check if the target is vulnerable. If the underlying OS can be determined, then the target is assumed to be vulnerable and the vulnerability will be used again to deploy an agent.","created":"\u003Ctime datetime=\u00222025-04-04T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EApril 4, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-27636\u0022 target=\u0022_blank\u0022\u003ECVE-2025-27636\u003C\/a\u003E","field_exploit_platform":"Linux, Windows","field_exploit_type":"Exploits \/ OS Command Injection \/ Known Vulnerabilities","field_product_name":"Impact"},{"title":"Microsoft Windows Cloud Files Mini Filter Driver Privilege Escalation Exploit (CVE-2024-30085)","body":"The Cloud Files Mini Filter Driver (cldflt.sys) present in Microsoft Windows is vulnerable to a buffer overflow, which can result in out-of-bounds memory write to paged pool memory. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. 
The steps performed by the exploit are: Register a sync root and set its reparse point data. Spray memory using WNF and ALPC. Trigger the vulnerability to get an arbitrary write. Overwrite the token privileges of the current process. Inject a new agent into an elevated process to run as SYSTEM.","created":"\u003Ctime datetime=\u00222025-03-31T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EMarch 31, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-30085\u0022 target=\u0022_blank\u0022\u003ECVE-2024-30085\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Local \/ Privilege Escalation","field_product_name":"Impact"},{"title":"Windows Error Reporting Privilege Escalation Exploit (CVE-2024-26169)","body":"The Windows Error Reporting (WER) service, which runs with SYSTEM privileges, interacts with registry keys to store and process crash reports. The vulnerability stems from weak access controls on these registry keys, allowing a local attacker to exploit them for privilege escalation.","created":"\u003Ctime datetime=\u00222025-03-21T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EMarch 21, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-26169\u0022 target=\u0022_blank\u0022\u003ECVE-2024-26169\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Local \/ Privilege Escalation","field_product_name":"Impact"},{"title":"Microsoft Windows Common Log File System Driver Elevation of Privilege Vulnerability Exploit (CVE-2024-38196)","body":"The Common Log File System Driver (clfs.sys) present in Microsoft Windows is vulnerable to a memory corruption vulnerability. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges by creating a specially crafted BLF file. 
The steps performed by the exploit are: (1) create a crafted BLF file; (2) trigger the vulnerability to obtain an arbitrary read\/write primitive; (3) obtain SYSTEM privileges by replacing the current process token.","created":"\u003Ctime datetime=\u00222025-02-20T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003EFebruary 20, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-38196\u0022 target=\u0022_blank\u0022\u003ECVE-2024-38196\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Local \/ Privilege Escalation","field_product_name":"Impact"},{"title":"Windows Common Log File System Driver LoadContainerQ Elevation of Privilege Vulnerability Exploit","body":"The CLFS.sys driver before 10.0.22621.4601 in Windows 11 23H2 exposes functionality that allows low-privileged users to read and write arbitrary memory via specially crafted requests and elevate their privileges. The steps performed by the exploit are: Allocate memory at address 0x0000000002100000 (stored in the variable pcclfscontainer). Call CreateLogFile() and AddLogContainer() to create the .BLF and the container files under the selected path. 
Fetch the malicious .BLF from the data replaced in the executable and overwrite the original .BLF with the crafted .BLF.","created":"\u003Ctime datetime=\u00222025-02-11T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003EFebruary 11, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-49138\u0022 target=\u0022_blank\u0022\u003ECVE-2024-49138\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Local \/ Privilege Escalation","field_product_name":"Impact"},{"title":"Microsoft Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability Exploit (CVE-2024-38144)","body":"The Kernel Streaming WOW Thunk Service module (ksthunk.sys) present in Microsoft Windows is vulnerable to an integer overflow, which can result in an arbitrary memory write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges.","created":"\u003Ctime datetime=\u00222025-02-06T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003EFebruary 6, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-38144\u0022 target=\u0022_blank\u0022\u003ECVE-2024-38144\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Local \/ Privilege Escalation","field_product_name":"Impact"},{"title":"Microsoft Windows Ancillary Function Driver UAF Privilege Escalation Exploit (CVE-2024-38193)","body":"The Afd.sys module present in Microsoft Windows is vulnerable to a race condition during buffer management: a temporary reference counter increment is improperly handled, leading to a use-after-free. This occurs when accessing registered buffers for send\/receive operations. 
The steps performed by the exploit are: (1) creates corrupt kernel structures; (2) obtains arbitrary read\/write primitives; (3) steals a token for privilege escalation; (4) restores system state; (5) creates a new agent process running as SYSTEM.","created":"\u003Ctime datetime=\u00222025-01-29T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003EJanuary 29, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-38193\u0022 target=\u0022_blank\u0022\u003ECVE-2024-38193\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Local \/ Privilege Escalation","field_product_name":"Impact"},{"title":"Ivanti Connect Secure IFT_PREAUTH_INIT clientCapabilities Buffer Overflow Remote Code Execution Exploit","body":"This module uses a stack-based buffer overflow vulnerability to deploy an agent in Ivanti Connect Secure that will run with the nr user privileges. First, this module will check if the target is an Ivanti Connect Secure appliance. If it is, it will determine if the target is vulnerable by retrieving its version number using two different methods. Then, the module will try to leak the base address of the libdsplibs.so library. To do this, a random endpoint will be registered on the local webserver.","created":"\u003Ctime datetime=\u00222025-01-28T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003EJanuary 28, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2025-0282\u0022 target=\u0022_blank\u0022\u003ECVE-2025-0282\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ Remote Code Execution","field_product_name":"Impact"},{"title":"Microsoft Office Spoofing NTLMv2 Disclosure Vulnerability","body":"This exploit leverages an Information Disclosure vulnerability in Microsoft Office. By sending an email with a specially crafted link, an attacker can coerce authentication to an untrusted server and steal NTLM hashes. 
The link points to an HTTP server. When the client opens it in a browser, if the user is on the trusted list, it connects to the HTTP server and obtains the NTLM user hashes. This exploit does not install an agent; it obtains the NTLM hash of a legitimate user.","created":"\u003Ctime datetime=\u00222025-01-09T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003EJanuary 9, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-38200\u0022 target=\u0022_blank\u0022\u003ECVE-2024-38200\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Client Side \/ Authentication Coercion","field_product_name":"Impact"},{"title":"Cacti Cmd Realtime WebApp Remote Code Execution Exploit","body":"This issue allows unauthenticated users to execute arbitrary commands on the server due to a command injection vulnerability in the `cmd_realtime.php` file. The vulnerability arises when the `register_argc_argv` option of PHP is enabled, which is the default setting in many environments. The `$poller_id` used in command execution is sourced from `$_SERVER[\u0027argv\u0027]`, which can be manipulated through URLs when this option is enabled. 
This module exploits the vulnerability by sending a specially crafted request to \u0027cmd_realtime.php\u0027 that injects an OS command through $_SERVER[\u0027argv\u0027].","created":"\u003Ctime datetime=\u00222025-01-02T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003EJanuary 2, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-29895\u0022 target=\u0022_blank\u0022\u003ECVE-2024-29895\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ OS Command Injection \/ Known Vulnerabilities","field_product_name":"Impact"},{"title":"Cacti Cmd Realtime Remote Code Execution Exploit","body":"This issue allows unauthenticated users to execute arbitrary commands on the server due to a command injection vulnerability in the `cmd_realtime.php` file. The vulnerability arises when the `register_argc_argv` option of PHP is enabled, which is the default setting in many environments. The `$poller_id` used in command execution is sourced from `$_SERVER[\u0027argv\u0027]`, which can be manipulated through URLs when this option is enabled. This module exploits the vulnerability by sending a specially crafted request to \u0027cmd_realtime.php\u0027 that injects an OS command through $_SERVER[\u0027argv\u0027].","created":"\u003Ctime datetime=\u00222025-01-02T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003EJanuary 2, 2025\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-29895\u0022 target=\u0022_blank\u0022\u003ECVE-2024-29895\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ OS Command Injection \/ Known Vulnerabilities","field_product_name":"Impact"},{"title":"F5 BIG-IP Next Central Manager SQL Injection Vulnerability Exploit","body":"An SQL injection vulnerability in F5 BIG-IP Next Central Manager may allow unauthenticated remote attackers to bypass authentication in the target application. 
The vulnerability is reached via the \/api\/login endpoint. This module will use the vulnerability to retrieve the administrative user password hash.","created":"\u003Ctime datetime=\u00222024-12-18T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003EDecember 18, 2024\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-26026\u0022 target=\u0022_blank\u0022\u003ECVE-2024-26026\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ Remote","field_product_name":"Impact"},{"title":"Nagios XI monitoringwizard SQL Injection Vulnerability Exploit","body":"This exploit leverages the CVE-2024-24401 and CVE-2024-24402 vulnerabilities in Nagios XI to fully compromise the system and gain total remote control. The monitoringwizard.php component of Nagios XI version 2024R1.01 is vulnerable to a critical SQL Injection, identified as CVE-2024-24401. Initially, the exploit targets this component, performing an SQL Injection to extract the administrator key (admin key). 
Before proceeding, it authenticates using an existing user, regardless of their privilege level, ensuring access to the system for subsequent stages.","created":"\u003Ctime datetime=\u00222024-12-12T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003EDecember 12, 2024\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-24402\u0022 target=\u0022_blank\u0022\u003ECVE-2024-24402\u003C\/a\u003E, \u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-24401\u0022 target=\u0022_blank\u0022\u003ECVE-2024-24401\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ Remote Code Execution","field_product_name":"Impact"},{"title":"Microsoft Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability Exploit (CVE-2024-30090)","body":"The Kernel Streaming WOW Thunk Service module (ksthunk.sys) present in Microsoft Windows is vulnerable to a double-fetch, which can result in arbitrary memory decrement. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. 
The steps performed by the exploit are: (1) get the kernel address of nt!SeDebugPrivilege; (2) create a new thread to win the race condition; (3) trigger the double-fetch three times and overwrite nt!SeDebugPrivilege; (4) create a new process running the agent as SYSTEM.","created":"\u003Ctime datetime=\u00222024-11-29T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003ENovember 29, 2024\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-30090\u0022 target=\u0022_blank\u0022\u003ECVE-2024-30090\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Local \/ Privilege Escalation","field_product_name":"Impact"},{"title":"Palo Alto Networks OS WebApp Remote Code Execution Exploit","body":"An authentication bypass in Palo Alto Networks PAN-OS software (CVE-2024-0012) enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions. A privilege escalation vulnerability in Palo Alto Networks PAN-OS software (CVE-2024-9474) allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. 
This module chains these two vulnerabilities, CVE-2024-0012 and CVE-2024-9474, to deploy an agent.","created":"\u003Ctime datetime=\u00222024-11-25T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003ENovember 25, 2024\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-0012\u0022 target=\u0022_blank\u0022\u003ECVE-2024-0012\u003C\/a\u003E, \u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-9474\u0022 target=\u0022_blank\u0022\u003ECVE-2024-9474\u003C\/a\u003E","field_exploit_platform":"","field_exploit_type":"Exploits \/ OS Command Injection \/ Known Vulnerabilities","field_product_name":"Impact"},{"title":"Palo Alto Networks OS Remote Code Execution Exploit","body":"An authentication bypass in Palo Alto Networks PAN-OS software (CVE-2024-0012) enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions. A privilege escalation vulnerability in Palo Alto Networks PAN-OS software (CVE-2024-9474) allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. 
This module chains these two vulnerabilities, CVE-2024-0012 and CVE-2024-9474, to deploy an agent.","created":"\u003Ctime datetime=\u00222024-11-25T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003ENovember 25, 2024\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-0012\u0022 target=\u0022_blank\u0022\u003ECVE-2024-0012\u003C\/a\u003E, \u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-9474\u0022 target=\u0022_blank\u0022\u003ECVE-2024-9474\u003C\/a\u003E","field_exploit_platform":"","field_exploit_type":"Exploits \/ OS Command Injection \/ Known Vulnerabilities","field_product_name":"Impact"},{"title":"Palo Alto Networks Expedition WebApp Remote Code Execution Exploit","body":"This module exploits CVE-2024-5910 to reset the admin password. To do this, it crafts a special request to the endpoint \/OS\/startup\/restore\/restoreAdmin.php. After obtaining the admin password, it authenticates with the admin credentials and exploits CVE-2024-9464 to deploy an agent. The exploitation of CVE-2024-9464 consists of crafting a special request to the endpoint \/bin\/CronJobs.php. 
As an authenticated user, the module abuses this endpoint to insert commands into the cronjobs table of the pandb database.","created":"\u003Ctime datetime=\u00222024-11-12T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003ENovember 12, 2024\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-5910\u0022 target=\u0022_blank\u0022\u003ECVE-2024-5910\u003C\/a\u003E, \u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-9464\u0022 target=\u0022_blank\u0022\u003ECVE-2024-9464\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ OS Command Injection \/ Known Vulnerabilities","field_product_name":"Impact"},{"title":"Palo Alto Networks Expedition Remote Code Execution Exploit","body":"This module exploits CVE-2024-5910 to reset the admin password. To do this, it crafts a special request to the endpoint \/OS\/startup\/restore\/restoreAdmin.php. After obtaining the admin password, it authenticates with the admin credentials and exploits CVE-2024-9464 to deploy an agent. The exploitation of CVE-2024-9464 consists of crafting a special request to the endpoint \/bin\/CronJobs.php. 
As an authenticated user, the module abuses this endpoint to insert commands into the cronjobs table of the pandb database.","created":"\u003Ctime datetime=\u00222024-11-12T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003ENovember 12, 2024\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-5910\u0022 target=\u0022_blank\u0022\u003ECVE-2024-5910\u003C\/a\u003E, \u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-9464\u0022 target=\u0022_blank\u0022\u003ECVE-2024-9464\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ OS Command Injection \/ Known Vulnerabilities","field_product_name":"Impact"},{"title":"Windows Ks Driver KSPROPERTY Privilege Escalation Exploit","body":"The Windows streaming driver (ks.sys) has a design vulnerability which can result in an arbitrary memory write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Opens an audio device with read\/write access. Gets the memory address of a kernel object associated with a process, to access its details in kernel space. Allocates memory to create a fake RTL_BITMAP structure in user space, which will allow arbitrary memory read\/write operations.","created":"\u003Ctime datetime=\u00222024-11-08T00:00:00-06:00\u0022 class=\u0022datetime\u0022\u003ENovember 8, 2024\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-35250\u0022 target=\u0022_blank\u0022\u003ECVE-2024-35250\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Local \/ Privilege Escalation","field_product_name":"Impact"},{"title":"NextGen Healthcare Mirth Connect Deserialization WebApp Remote Code Execution Exploit","body":"CVE-2023-43208 stems from insecure deserialization in Mirth Connect\u0027s use of the XStream library, which improperly processes untrusted XML payloads. 
This deserialization flaw allows remote code execution on the server by sending crafted XML requests.","created":"\u003Ctime datetime=\u00222024-11-02T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003ENovember 2, 2024\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2023-43208\u0022 target=\u0022_blank\u0022\u003ECVE-2023-43208\u003C\/a\u003E","field_exploit_platform":"Windows, Linux","field_exploit_type":"Exploits \/ OS Command Injection \/ Known Vulnerabilities","field_product_name":"Impact"},{"title":"NextGen Healthcare Mirth Connect Deserialization Remote Code Execution Exploit","body":"CVE-2023-43208 stems from insecure deserialization in Mirth Connect\u0027s use of the XStream library, which improperly processes untrusted XML payloads. This deserialization flaw allows remote code execution on the server by sending crafted XML requests.","created":"\u003Ctime datetime=\u00222024-11-02T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003ENovember 2, 2024\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2023-43208\u0022 target=\u0022_blank\u0022\u003ECVE-2023-43208\u003C\/a\u003E","field_exploit_platform":"Windows, Linux","field_exploit_type":"Exploits \/ OS Command Injection \/ Known Vulnerabilities","field_product_name":"Impact"},{"title":"Arcserve Unified Data Protection wizardLogin Authentication Bypass Vulnerability Remote Code Execution Exploit","body":"This module chains two vulnerabilities to deploy an agent in the target system that will run with NT AUTHORITY\\\\SYSTEM user privileges. The first vulnerability is an authentication bypass present in the doLogin function of the com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl class. 
The second vulnerability is an authenticated path traversal file upload present in the doPost method of the com.ca.arcserve.edge.app.base.ui.server.servlet.ImportNodeServlet class.","created":"\u003Ctime datetime=\u00222024-10-30T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EOctober 30, 2024\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-0800\u0022 target=\u0022_blank\u0022\u003ECVE-2024-0800\u003C\/a\u003E, \u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-0799\u0022 target=\u0022_blank\u0022\u003ECVE-2024-0799\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Authentication Weakness \/ Known Vulnerabilities","field_product_name":"Impact"},{"title":"Arcserve Unified Data Protection wizardLogin Authentication Bypass Vulnerability Remote Code Execution Webapp Exploit","body":"This module chains two vulnerabilities to deploy an agent in the target system that will run with NT AUTHORITY\\\\SYSTEM user privileges. The first vulnerability is an authentication bypass present in the doLogin function of the com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl class. 
The second vulnerability is an authenticated path traversal file upload present in the doPost method of the com.ca.arcserve.edge.app.base.ui.server.servlet.ImportNodeServlet class.","created":"\u003Ctime datetime=\u00222024-10-30T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EOctober 30, 2024\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-0800\u0022 target=\u0022_blank\u0022\u003ECVE-2024-0800\u003C\/a\u003E, \u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-0799\u0022 target=\u0022_blank\u0022\u003ECVE-2024-0799\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Authentication Weakness \/ Known Vulnerabilities","field_product_name":"Impact"},{"title":"Microsoft Windows Telephony Server Use After Free Local Privilege Escalation Exploit","body":"The Windows NT operating system kernel executable (ntoskrnl.exe) present in Microsoft Windows is vulnerable to a race condition, which can result in arbitrary memory write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges.","created":"\u003Ctime datetime=\u00222024-10-25T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EOctober 25, 2024\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-26230\u0022 target=\u0022_blank\u0022\u003ECVE-2024-26230\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Local \/ Privilege Escalation","field_product_name":"Impact"},{"title":"Microsoft Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability Exploit","body":"The Kernel Streaming WOW Thunk Service module (ksthunk.sys) present in Microsoft Windows is vulnerable to an out-of-bounds write, which can result in arbitrary memory write. 
This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges.","created":"\u003Ctime datetime=\u00222024-10-17T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EOctober 17, 2024\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-38054\u0022 target=\u0022_blank\u0022\u003ECVE-2024-38054\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Local \/ Privilege Escalation","field_product_name":"Impact"},{"title":"Linux OpenPrinting cups-browsed Remote Code Execution Exploit","body":"This module chains four vulnerabilities to deploy an agent in a Linux target system that will run with the cups-browsed daemon user privileges. The first vulnerability is that cups-browsed binds to UDP INADDR_ANY:631 and trusts any packet from any source, allowing it to be made to issue a Get-Printer-Attributes IPP request to an attacker-controlled URL. The second vulnerability is in libcupsfilters, where the function cfGetPrinterAttributes5 does not validate or sanitize the IPP attributes returned from an IPP server, providing attacker-controlled data to the rest of the CUPS system.","created":"\u003Ctime datetime=\u00222024-10-14T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EOctober 14, 2024\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-47175\u0022 target=\u0022_blank\u0022\u003ECVE-2024-47175\u003C\/a\u003E, \u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-47176\u0022 target=\u0022_blank\u0022\u003ECVE-2024-47176\u003C\/a\u003E, \u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-47076\u0022 target=\u0022_blank\u0022\u003ECVE-2024-47076\u003C\/a\u003E","field_exploit_platform":"Linux","field_exploit_type":"Exploits \/ Remote Code Execution","field_product_name":"Impact"},{"title":"GeoServer Unauthenticated WebApp Remote Code Execution Exploit","body":"In GeoServer prior to versions 2.23.6, 2.24.4, and 2.25.2, 
multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property\/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions.","created":"\u003Ctime datetime=\u00222024-10-11T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EOctober 11, 2024\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-36401\u0022 target=\u0022_blank\u0022\u003ECVE-2024-36401\u003C\/a\u003E","field_exploit_platform":"Windows, Linux","field_exploit_type":"Exploits \/ Remote Code Execution","field_product_name":"Impact"},{"title":"GeoServer Unauthenticated Remote Code Execution Exploit","body":"In GeoServer prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. 
The GeoTools library API that GeoServer calls evaluates property\/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions.","created":"\u003Ctime datetime=\u00222024-10-11T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EOctober 11, 2024\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-36401\u0022 target=\u0022_blank\u0022\u003ECVE-2024-36401\u003C\/a\u003E","field_exploit_platform":"Windows, Linux","field_exploit_type":"Exploits \/ Remote Code Execution","field_product_name":"Impact"},{"title":"Microsoft Smart App and Mark of the Web bypass tool using LNK stomping","body":"This tool bypasses Mark of the Web and SmartScreen in order to execute blocked files, typically files downloaded from the internet. It involves crafting LNK files that have non-standard target paths or internal structures. When clicked, these LNK files are rewritten by explorer.exe into the canonical format. This rewrite removes the MotW label before security checks are performed, so the blocked file executes without the warnings.","created":"\u003Ctime datetime=\u00222024-10-03T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003EOctober 3, 2024\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-38217\u0022 target=\u0022_blank\u0022\u003ECVE-2024-38217\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Tools","field_product_name":"Impact"},{"title":"Veeam Backup and Replication Blacklist ObjRef NET Deserialization Vulnerability Remote Code Execution Exploit","body":"This module uses a .NET deserialization vulnerability to deploy an agent in Veeam Backup and Replication that will run with the NT AUTHORITY\\SYSTEM user privileges. 
First, the module registers an endpoint on the local webserver that will be used in the attack to send a serialized gadget to the target that executes system commands to deploy the agent. Finally, it triggers the vulnerability by crafting a System.Runtime.Remoting.ObjRef .NET class type object and sending it to the \/VeeamAuthService .NET remoting endpoint using an external .NET executable.","created":"\u003Ctime datetime=\u00222024-09-24T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003ESeptember 24, 2024\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-40711\u0022 target=\u0022_blank\u0022\u003ECVE-2024-40711\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Remote Code Execution","field_product_name":"Impact"},{"title":"Microsoft Outlook Moniker Image Tag Information Disclosure Exploit (CVE-2024-38021)","body":"This exploit leverages an Information Disclosure vulnerability in Microsoft Outlook. By sending an email that places a malicious path in an \u0022img src\u0022 tag, an attacker can coerce authentication to an untrusted server and steal NTLM hashes. The link points to an SMB server. When the client opens the message in Outlook and the user is on the trusted list, Outlook connects to the SMB server without any click and the attacker obtains the NTLM user hashes. 
If the user is not on the trusted list, the client must click on the attached link for the vulnerability to be exploited.","created":"\u003Ctime datetime=\u00222024-09-18T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003ESeptember 18, 2024\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-38021\u0022 target=\u0022_blank\u0022\u003ECVE-2024-38021\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Client Side \/ Authentication Coercion","field_product_name":"Impact"},{"title":"Progress WhatsUp Gold GetFileWithoutZip Directory Traversal Vulnerability Remote Code Execution Exploit","body":"This module uses a directory traversal vulnerability to deploy an agent in Progress WhatsUp Gold that will run with the IIS APPPOOL\\NmConsole user privileges. The module will launch a local webserver that will be used in the attack to send poisoned responses and to upload a webshell to the target. Then it will trigger the vulnerability via the \/NmAPI\/RecurringReport endpoint. Finally, it will brute-force the webshell name, trying to find the one uploaded by the server, which will deploy an agent.","created":"\u003Ctime datetime=\u00222024-09-10T00:00:00-05:00\u0022 class=\u0022datetime\u0022\u003ESeptember 10, 2024\u003C\/time\u003E\n","field_cve_link":"\u003Ca href=\u0022https:\/\/www.cve.org\/CVERecord?id=CVE-2024-4885\u0022 target=\u0022_blank\u0022\u003ECVE-2024-4885\u003C\/a\u003E","field_exploit_platform":"Windows","field_exploit_type":"Exploits \/ Remote Code Execution","field_product_name":"Impact"}]