This module abuses insufficient validation in the unauthenticated JCE profiles.import endpoint to upload a crafted profile file with a PHP extension. When the file is written under the Joomla tmp directory and executed by the web server, it provides a command execution primitive. 1. Fingerprints the JCE Editor component and checks the detected version. 2. Extracts a Joomla CSRF token from the site root. 3. Uploads a PHP command runner through the vulnerable profiles.import task. 4. Verifies code execution from the Joomla tmp directory. 5. Detects the target operating system through the command runner. 6. Uses the resulting command primitive to commit an OSCI agent or deploy a network agent.
A Server-Side Request Forgery vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management) allows unauthenticated remote attackers with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. This module uses the previous vulnerability to upload a jsp webshell into the PSEMHUB.war directory to deploy a network agent via the /PSIGW/HttpListeningConnector endpoint. First, the module will validate the vulnerability by using a random string as operation. If the target is vulnerable, the response should be a base64 encoded java string object with the text "Invalid Operation specified" Then, the module will use the REGISTER_WITH_PEERNAME operation, to get a valid peer ObjectName Then, the module will use the HANDLE_MESSAGE operation with an embedded ExecuteProcessActivityCommand object to create the jsp webshell file inside the PSEMHUB.war directory (a web-accessible location). Finally, the module will make a request to the webshell to deploy the network agent. The deployed agent will run with the same user privileges as the target software.
A Server-Side Request Forgery vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management) allows unauthenticated remote attackers with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. This module uses the previous vulnerability to upload a jsp webshell into the PSEMHUB.war directory to deploy a network agent via the /PSIGW/HttpListeningConnector endpoint. First, the module will validate the vulnerability by using a random string as operation. If the target is vulnerable, the response should be a base64 encoded java string object with the text "Invalid Operation specified" Then, the module will use the REGISTER_WITH_PEERNAME operation, to get a valid peer ObjectName Then, the module will use the HANDLE_MESSAGE operation with an embedded ExecuteProcessActivityCommand object to create the jsp webshell file inside the PSEMHUB.war directory (a web-accessible location). Finally, the module will make a request to the webshell to deploy the network agent. The deployed agent will run with the same user privileges as the target software.
This module exploits CVE-2026-33017 by abusing Langflow's public temporary flow build endpoint to inject and execute a custom component. The component runs operating system commands through the Langflow Python process. If AUTO_LOGIN is enabled on the target, the module can automatically create a public flow. Otherwise, provide a known public FLOW ID. If no FLOW ID is provided, the module can use AUTO_LOGIN to obtain an access token and create a public Langflow flow. The module then submits a crafted temporary custom component to the /api/v1/build_public_tmp/{flow_id}/flow endpoint. That component executes operating system commands through the Langflow Python process and returns command output through Langflow build events. When DEPLOY OSCI AGENT is enabled, the module commits an OSCI agent that reuses the same Langflow primitive to relaunch commands later. When DEPLOY NETWORK AGENT is enabled, the module stages an Impact payload from the embedded web server and launches it through the vulnerable Langflow service. The module polls Langflow job events to track execution and confirm whether command execution or agent deployment succeeded. The deployed agent will run with the privileges of the Langflow service account.
This module uses an authenticated OS command injection vulnerability in Fortinet FortiWeb to deploy a python agent. First, the module will login in the target application using the given credentials. If no credentials are supplied, the module will attempt to create a new user with administrative privileges (prof_admin) in the target system using random credentials via CVE-2025-64446 vulnerability. If authentication succeeds, the module will save the new user credentials as an identity in Impact. Next, the module will retrieve the target system version via the /api/v2.0/system/state endpoint. The version will be used to select the attack payload. Then, the module will switch to websockets usage via the /ws/cli/open endpoint to access the CLI. Finally, it will send CLI commands to create a new SAML configuration with the OS commands to deploy a python agent. The deployed python agent will run with root user privileges.
This module uses a relative path traversal vulnerability that leads to an authentication bypass in Fortinet FortiWeb to create a new user with administrative privileges (prof_admin) in the target system. First, the module will check if the target is vulnerable to the authentication bypass by checking the path traversal against a specific endpoint with an empty payload. If the target is vulnerable, the vulnerability will be used again to create a new user with administrative privileges (prof_admin) in the target system using the provided credentials. If no credentials are provided, the module will generate a random one. The new user credentials will be added as an identity in Impact.
This module uses a relative path traversal vulnerability that leads to an authentication bypass in Fortinet FortiWeb to create a new user with administrative privileges (prof_admin) in the target system. First, the module will check if the target is vulnerable to the authentication bypass by checking the path traversal against a specific endpoint with an empty payload. If the target is vulnerable, the vulnerability will be used again to create a new user with administrative privileges (prof_admin) in the target system using the provided credentials. If no credentials are provided, the module will generate a random one. The new user credentials will be added as an identity in Impact.
This module uses an insecure deserialization vulnerability in React Server Components to deploy an agent. The module will first check if the target is vulnerable by using the given endpoint with a generic payload. If the target is vulnerable, an OSCI agent will be deployed and the vulnerability will be used again, with a payload that will deploy an in-memory webshell. This webshell can be used later by the OSCI agent to execute OS commands or deploy a network agent. The deployed agent will run with the same privileges of the webapp.
This module exploits an OS Command Injection present in the getCASURL perl function of Dell Unity to deploy an agent. The module will trigger the vulnerability by embedding the system commands to deploy the agent in a request to the /misc endpoint. Spaces in the system command will be replaced with the ${IFS} shell variable. The deployed agent will run with the apache user account privileges.