Exploit development can be an advanced penetration testing skill that takes time to master. Additionally, when on a job, pen testers often don’t have the resources to create a new exploit. Many resort to searching for and using pre-written exploits that have not been tested and must go through the timely effort of quality assurance testing in order to ensure they are secure and effective.
Core Impact users can save time by finding all the up-to-date exploits they need in one place. We provide a robust library of exploits designed to enable pen testers to safely and efficiently conduct successful penetration tests. Witten by our own internal team, you can trust they have been thoroughly tested and validated by our experts.
The universe of vulnerabilities is huge and not all of them represent the same risk for the customers. Vulnerabilities do not all have the same level of criticality. Some may be easily exploitable by a low-level user, while others may not be exploitable at all. To increase the efficiency of the attacks and the quality of the exploits provided, the Core Impact team has developed selection criteria to prioritize its analysis and implementation. We determine which exploits warrant creation based on the following questions:
What are the most critical attacks from the attacker’s perspective?
What new vulnerabilities are more likely to be exploited in real attacks?
What exploits are the most valuable for Core Impact?
Once an exploit is approved, its priority order considers the following variables:
Vulnerability Properties: CVE, disclosure date, access mechanism and privileges needed.
Target Environment Setup: OS, application prevalence, version and special configurations needed.
Value Provided to Core Impact: Customer request, usage in multiple attacks, allows the installation of an agent, etc.
Technical Cost vs. Benefit: An analysis weighing the resources needed to build an exploit with the internal and external knowledge gained in its creation.
Each one of these variables has a different weight and provides a ranking of the potential exploits to be developed. Following those criteria, the top of the list would contain, for example, a vulnerability on Windows (most popular OS) that can be exploited remotely, without authentication and that provides super user privileges.
Correspondingly, a vulnerability on an application that is rarely installed, needs special configurations, and requires User Interaction, would be at the bottom.
Stay Informed of New Core Certified Exploits
Subscribe to receive regular email updates on new exploits available for Core Impact
Browse the Core Certified Exploit Library
We provide pen testers with real-time updates for a wide range of exploits for different platforms, operating systems, and applications.
Search our continuously growing library to discover an exploit that will allow you to gain and retain access on the target host or application.
This module uses a relative path traversal vulnerability that leads to an authentication bypass in Fortinet FortiWeb to create a new user with administrative privileges (prof_admin) in the target system. First, the module will check if the target is vulnerable to the authentication bypass by checking the path traversal against a specific endpoint with an empty payload. If the target is vulnerable, the vulnerability will be used again to create a new user with administrative privileges (prof_admin) in the target system using the provided credentials.
This module uses a relative path traversal vulnerability that leads to an authentication bypass in Fortinet FortiWeb to create a new user with administrative privileges (prof_admin) in the target system. First, the module will check if the target is vulnerable to the authentication bypass by checking the path traversal against a specific endpoint with an empty payload. If the target is vulnerable, the vulnerability will be used again to create a new user with administrative privileges (prof_admin) in the target system using the provided credentials.
Exploits / Authentication Weakness / Known Vulnerabilities
Impact
Windows Server Update Service WSUS Deserialization Remote Code Execution Exploit
The vulnerability exists within the GetCookie() endpoint due to unsafe deserialization of AuthorizationCookie objects. The application insecurely decrypts cookie data using AES-128-CBC and subsequently deserialize it via BinaryFormatter without sufficient type validation.
React Server Components React2Shell Deserialization Vulnerability Remote Code Execution Exploit
This module uses an insecure deserialization vulnerability in React Server Components to deploy an agent. The module will first check if the target is vulnerable by using the given endpoint with a generic payload. If the target is vulnerable, an OSCI agent will be deployed and the vulnerability will be used again, with a payload that will deploy an in-memory webshell. This webshell can be used later by the OSCI agent to execute OS commands or deploy a network agent. The deployed agent will run with the same privileges of the webapp.
Exploits / OS Command Injection / Known Vulnerabilities
Impact
Windows Server Update Service WSUS Deserialization Remote Code Execution
The vulnerability exists within the GetCookie() endpoint due to unsafe deserialization of AuthorizationCookie objects. The application insecurely decrypts cookie data using AES-128-CBC and subsequently deserializes it via BinaryFormatter without sufficient type validation. The deployed agent will run with SYSTEM privileges. This exploit performs the following steps: Retrieves the ServerID via a SOAP request to the ReportingWebService. Obtains an authorization cookie. Obtains a reporting cookie. Constructs and sends a malicious event payload. Checks the server's response to confirm success
Microsoft Windows SMB Client DNS Injection Remote Exploit
This module exploits an access control issue in Windows SMB clients to deploy a remote agent with SYSTEM privileges through a multi-stage attack chain: 1. DNS Injection: Adds a malicious DNS record 'localhost1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA' via LDAP to the domain controller, pointing to the attacker's IP address. 2. NTLM Relay: Starts an ntlmrelayx server that waits for SMB authentication attempts and relays them to install an agent with SYSTEM privileges on the target system. 3.
Microsoft Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Exploit (CVE-2025-55680)
The Windows Cloud Files Mini Filter module (clfs.sys) present in Microsoft Windows is vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition, which can result in arbitrary file write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Start RasMan service Create sync root directory Create junction directory Create target junction and symlink Register sync root Create threads to exploit race condition and detect exploitation Trigger race condition Write the agent and execute it
Cisco Secure ASA files_action.lua Buffer Overflow DoS
This module exploits an authentication bypass vulnerability combined and a buffer overflow in Cisco Secure ASA to cause a denial of service effect. First, the module will check if the target is vulnerable to the authentication bypass. If the target is vulnerable, it will proceed to cause the denial of service.
Microsoft Windows Agere Modem Driver Elevation of Privilege Vulnerability Exploit
The Agere Windows Modem module (ltmdm64.sys) present in Microsoft Windows is vulnerable to an untrusted pointer dereference, which can result in arbitrary memory write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges.
Magento Open Source and Adobe Commerce SessionReaper Remote Code Execution Webapp Exploit
This module exploits a nested PHP array object deserialization in the MagentoFrameworkSessionSessionManager class via the $sessionConfig variable using the /rest/default/V1/guest-carts/abc/order endpoint of Magento Open Source and Adobe Commerce to deploy an agent. First, the module will upload a PHP script in the /pub/media/customer_address/s/e directory of the web application using the /customer/address_file/upload endpoint. The default webroot directory value (/var/www/html/magento/pub/) can be changed using the WEBROOT module parameter.
Magento Open Source and Adobe Commerce SessionReaper Remote Code Execution Exploit
This module exploits a nested PHP array object deserialization in the MagentoFrameworkSessionSessionManager class via the $sessionConfig variable using the /rest/default/V1/guest-carts/abc/order endpoint of Magento Open Source and Adobe Commerce to deploy an agent. First, the module will upload a PHP script in the /pub/media/customer_address/s/e directory of the web application using the /customer/address_file/upload endpoint. The default webroot directory value (/var/www/html/magento/pub/) can be changed using the WEBROOT module parameter.
Microsoft Windows Common Log File System Driver Elevation of Privilege Vulnerability Exploit (CVE-2025-29824)
The Common Log File System Driver (clfs.sys) present in Microsoft Windows is vulnerable to a Use After Free, which can result in an arbitrary write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges.
This module exploits a Server-Side Request Forgery via the getUiType parameter in the /OA_HTML/configurator/UiServlet endpoint of Oracle E-Business Suite to deploy an agent. First, the module will register an endpoint in the local webserver that will be used in the attack to send a xsl file to the target that will execute system commands to deploy the agent. Then, it will retrieve a required CSRF token via the /OA_HTML/runforms.jsp and /OA_HTML/JavaScriptServlet endpoints.
Dell Unity getCASURL Remote OS Command Injection Exploit
This module exploits an OS Command Injection present in the getCASURL perl function of Dell Unity to deploy an agent. The module will trigger the vulnerability by embedding the system commands to deploy the agent in a request to the /misc endpoint. Spaces in the system command will be replaced with the ${IFS} shell variable. The deployed agent will run with the apache user account privileges.
Exploits / OS Command Injection / Known Vulnerabilities
Impact
Microsoft SharePoint Server DataSetSurrogateSelector Deserialization Remote OS Command Injection Exploit
This module exploits a OS Command Injection via ASP.NET markup vulnerability present in the WikiContentWebpart Web Part of Microsoft SharePoint Server to deploy an agent. The deployed agent will run with the SharePoint Server service account privileges.
Exploits / OS Command Injection / Known Vulnerabilities
Impact
Microsoft Windows Kernel AppId Elevation of Privilege Vulnerability Exploit
The Application Identity Service module (appid.sys) present in Microsoft Windows is vulnerable to an untrusted pointer dereference, which can result in arbitrary code execution. This module allows a local unprivileged user running as "LOCAL SERVICE" to execute arbitrary code with SYSTEM privileges.
Microsoft Windows Kernel Elevation of Privilege Vulnerability Exploit
An elevation of privilege vulnerability exists due to the Application Identity kernel module allowing untrusted pointer dereference. The vulnerability could allow an attacker to run code with elevated privileges.
This module uses an authentication bypass vulnerability via a race condition in AS2 validation in CrushFTP to create a new administrative user in the target application. If the credentials for the new administrative user are not provided, the module will generate random ones. If the exploitation succeeds the credentials will be checked against the target. Also, if the module created random credentials for the attack, a new identity with these credentials will be created.
Microsoft Windows TCP IP IPv6 remote DoS (CVE-2024-38063)
A memory corruption vulnerability in the Windows IPv6 stack allows remote Denial of Service via maliciously crafted IPv6 Fragment Header packets. Exploitation requires no authentication or user interaction. Attackers need only send specially designed packets to vulnerable hosts. Impacts all Windows versions with IPv6 enabled (default since Windows 10). This exploit performs the following steps: Obtains the data needed to launch the attack, such as local device ID and target MAC address. sets the IPv6 headers.
Progress OpenEdge saveSvcConfig Remote OS Command Injection Exploit
This module uses an authenticated OS command injection vulnerability to deploy an agent in the target system that will run with NT AUTHORITY\\SYSTEM user privileges. The vulnerability is present in the saveSvcConfig method of the com.progress.ubroker.tools.AbstractGuiPluginRemObj java class. The vulnerable class can be reached by creating an instance of the com.progress.chimera.adminserver.AdminContext class via the com.progress.chimera.adminserver.IAdminServer interface.
Exploits / OS Command Injection / Known Vulnerabilities
Impact
Microsoft Windows File Explorer Spoofing Information Disclosure Exploit
This module exploits a high-severity vulnerability in Windows File Explorer. The exploit works by creating a specially crafted .lnk (shortcut) file that, when placed in a folder viewed by a victim, forces the system to automatically connect to an attacker-controlled SMB server. This connection happens without any user interaction and results in the victim's NTLM hash being sent to the attacker. It is possible to use tools like "John the Ripper" to attempt decrypting the original password associated with the hash.
Microsoft Windows File Explorer Spoofing Vulnerability Exploit
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network. A user would need to be tricked into opening a folder that contains a specially crafted file.
This module triggers a denial-of-service flaw in the Windows Local Session Manager (LSM). It was found to exist in Windows 11 but not in Windows 10. The vulnerability allows an authenticated, low-privileged user to crash the LSM service by making a simple Remote Procedure Call (RPC) to the RpcGetSessionIds function. The impact of this vulnerability is significant, as a crash of the LSM service can prevent users from logging in or out and affects services that depend on LSM, such as Remote Desktop Protocol (RDP) and Microsoft Defender.
Microsoft Windows Local Session Manager Denial of Service Vulnerability Exploit
A denial of service vulnerability exists in the Local Session Manager (LSM) service when an authenticated attacker connects to the target system and sends specially crafted requests.
Microsoft Windows Disk Cleanup Tool Privilege Escalation Exploit
A vulnerability in the update service of Microsoft Windows Disk Cleanup Tool could allow an authenticated local attacker, to execute a crafted dll with SYSTEM user privileges. The steps performed by the exploit are: First It creates 3 folders: C:\$Windows.~WS, C:\ESD\Windows, C:\ESD\Download, inserts dummy .txt files and pauses. Create a thread to run first stage of executable FolderOrFileDeleteToSystem to set up the Config.msi. Create a second thread to run the second executable FolderContentsDeleteToFolderDelete to redirect content cleanup from C:\ESD\Windows to C:/Config.msi.