This module uses a relative path traversal vulnerability that leads to an authentication bypass in Fortinet FortiWeb to create a new user with administrative privileges (prof_admin) on the target system. First, the module will check whether the target is vulnerable to the authentication bypass by exercising the path traversal against a specific endpoint with an empty payload. If the target is vulnerable, the vulnerability will be used again to create a new user with administrative privileges (prof_admin) on the target system using the provided credentials. If no credentials are provided, the module will generate random ones. The new user's credentials will be added as an identity in Impact.
This module uses an insecure deserialization vulnerability in React Server Components to deploy an agent. The module will first check whether the target is vulnerable by sending a generic payload to the given endpoint. If the target is vulnerable, an OSCI agent will be deployed and the vulnerability will be used again with a payload that deploys an in-memory webshell. This webshell can be used later by the OSCI agent to execute OS commands or to deploy a network agent. The deployed agent will run with the same privileges as the web application.
This module exploits a nested PHP array object deserialization in the Magento\Framework\Session\SessionManager class via the $sessionConfig variable, reachable through the /rest/default/V1/guest-carts/abc/order endpoint of Magento Open Source and Adobe Commerce, to deploy an agent. First, the module will upload a PHP script to the /pub/media/customer_address/s/e directory of the web application using the /customer/address_file/upload endpoint. The default webroot directory value (/var/www/html/magento/pub/) can be changed using the WEBROOT module parameter. Then, it will trigger the vulnerability with a crafted PHP array object sent to the /rest/default/V1/guest-carts/abc/order endpoint, which will copy the uploaded PHP script to the given webroot directory. Finally, it will deploy the agent by requesting the PHP script in the webroot directory. Note that the Apache user account (www-data) must have write access to the webroot directory for this exploit to work. The deployed agent will run with the Apache user account (www-data) privileges.
This module exploits a Server-Side Request Forgery via the getUiType parameter of the /OA_HTML/configurator/UiServlet endpoint in Oracle E-Business Suite to deploy an agent. First, the module will register an endpoint on the local webserver that will be used during the attack to serve an XSL file to the target; the XSL file executes the system commands that deploy the agent. Then, it will retrieve a required CSRF token via the /OA_HTML/runforms.jsp and /OA_HTML/JavaScriptServlet endpoints. Finally, it will use the Server-Side Request Forgery vulnerability combined with a Carriage Return/Line Feed (CRLF) injection to smuggle a request to the /OA_HTML/help/../ieshostedsurvey.jsp endpoint, which will trigger an HTTP GET request to the local webserver, which will in turn deliver the XSL file that deploys the agent. The deployed agent will run with the oracle user account privileges.
This module exploits an OS Command Injection in the getCASURL Perl function of Dell Unity to deploy an agent. The module will trigger the vulnerability by embedding the system commands that deploy the agent in a request to the /misc endpoint. Spaces in the system command will be replaced with the ${IFS} shell variable. The deployed agent will run with the apache user account privileges.
This module uses an authentication bypass vulnerability via a race condition in AS2 validation in CrushFTP to create a new administrative user in the target application. If credentials for the new administrative user are not provided, the module will generate random ones. If the exploitation succeeds, the credentials will be checked against the target. Also, if the module generated random credentials for the attack, a new identity with these credentials will be created. Since this module uses a race condition to exploit the vulnerability, the MAX_TRIES parameter can be used to limit the number of requests that will be sent to the target system.
An attacker can exploit this vulnerability to run remote commands on the target, achieving code execution. The vulnerability stems from how Wing FTP Server processes usernames, allowing attackers to execute arbitrary commands. When the server does not allow anonymous access, successful exploitation requires valid user credentials (username and password). This exploit performs the following steps: it sends a POST request to loginok.html with the malicious command in the username field; it extracts the session cookie (UID) that the server returns in a Set-Cookie header; it uses the extracted UID cookie to access dir.html; and it requests and executes the files needed to install an agent.
A critical vulnerability (CVE-2025-32463) was discovered in Sudo versions 1.9.14 through 1.9.17. It allows local users to obtain root access by abusing the --chroot option, which causes /etc/nsswitch.conf from a user-controlled directory to be used. This exploit creates a temporary directory structure that mimics a normal root filesystem and places a malicious /etc/nsswitch.conf in it that in turn loads a shared object which escalates privileges; the exploit is triggered by executing sudo with the -R flag pointing to the user-controlled directory.
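A quick triage check for the affected range above, written as an added example rather than code from the module or from the Sudo project: it parses the version banner that `sudo -V` prints on its first line ("Sudo version 1.9.17p1", where the "p" suffix is sudo's patch level) and reports whether the host falls in the 1.9.14 to 1.9.17 range, treating 1.9.17p1 as the first fixed release. The banner format and the fixed version are the only assumptions; the affected range is the one stated above.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# CVE-2025-32463 affected range: 1.9.14 through 1.9.17 inclusive.
# Assumption: 1.9.17p1 is the first fixed release (sudo's "pN" patch-level suffix).
FIRST_AFFECTED = (1, 9, 14, 0)
FIRST_FIXED = (1, 9, 17, 1)

# Matches "1.9.17" or "1.9.17p1" anywhere in a line (e.g. the "Sudo version ..." banner).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract (major, minor, micro, patchlevel) from a 'sudo -V' banner or bare version.

    A missing patch-level suffix is treated as 0 so that tuples compare correctly
    (1.9.17 sorts before 1.9.17p1). Returns None if no version is found.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro, plevel = m.groups()
    return (int(major), int(minor), int(micro), int(plevel or 0))


def is_vulnerable_sudo(text: str) -> Optional[bool]:
    """True if the version lies in the affected range, False if not, None if unparseable."""
    version = parse_sudo_version(text)
    if version is None:
        return None
    return FIRST_AFFECTED <= version < FIRST_FIXED


def check_installed_sudo() -> Optional[bool]:
    """Run 'sudo -V' on this host and classify the first line of its output.

    Assumption: the first line of 'sudo -V' is the "Sudo version X.Y.Z[pN]" banner,
    which sudo prints even for unprivileged users.
    """
    if shutil.which("sudo") is None:
        return None
    proc = subprocess.run(["sudo", "-V"], capture_output=True, text=True, check=False)
    lines = proc.stdout.splitlines()
    return is_vulnerable_sudo(lines[0]) if lines else None


if __name__ == "__main__":
    result = check_installed_sudo()
    if result is None:
        print("sudo not found or version banner not recognized")
    elif result:
        print("sudo is in the CVE-2025-32463 affected range (1.9.14 to 1.9.17); upgrade to 1.9.17p1 or later")
    else:
        print("sudo is outside the CVE-2025-32463 affected range")
```

The four-field tuple comparison is what makes the boundary cases come out right: 1.9.17 (patch level 0) is still affected, 1.9.17p1 is not, and 1.9.13p3 sorts below 1.9.14 regardless of its patch level. A version check is only a first pass; a host in range is exploitable only where the -R/--chroot option is accepted, so confirm on the system rather than relying on the banner alone.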