Check out the analysis by @cryptocat.me for CVE-2026-20127 in Cisco SD WAN. That other PoC posted last week exploits a totally different bug that doesn't match the reported IOCs (some kind of file upload due to path traversal in vManage maybe). We assess with high confidence this is CVE-2026-20127 🔥
We have disclosed CVE-2026-2329, a critical unauth stack-based buffer overflow vuln affecting the Grandstream GXP1600 series of VoIP phones. Read our disclosure on the @rapid7.com blog, including technical details for unauth RCE, and accompanying @metasploit-r7.bsky.social modules: r-7.co/4tIzope
We just published our @rapid7.com analysis of CVE-2026-1731, a critical command injection affecting BeyondTrust Privileged Remote Access (PRA) & Remote Support (RS). Unauthenticated RCE, with a root cause due to Bash arithmetic evaluation. Analysis/PoC here: attackerkb.com/topics/jNMBc...
We now have a (draft) @metasploit-r7.bsky.social exploit module for the recent Fortinet FortiWeb vulns, chaining CVE-2025-64446 (auth bypass) + CVE-2025-58034 (command injection) to achieve unauthenticated RCE with root privileges: github.com/rapid7/metas...
⚠️ In Aug. 2025, Rapid7 found #TwonkyServer susceptible to multiple vulns – granting unauthenticated attackers plaintext admin credentials, full admin access to the instance & control of all stored media files.
At the time of publication, these vulns have not been patched. Read on: r-7.co/4a0JiuU
We posted our AttackerKB @rapid7.com Analysis of the new EITW FortiWeb command injection vuln, CVE-2025-58034. The patch fixes several command injections, so we reproduced the SAML config name injection, and popped a reverse root shell 🎯 Full details here: attackerkb.com/topics/zClpI...
New @metasploit-r7.bsky.social aux module in the pull queue for the FortiWeb vuln (no CVE at this time). Based on the PoC captured and posted by Defused, it leverages an auth bypass to create a new local admin account on the target: github.com/rapid7/metas...
We just published our AttackerKB @rapid7.com analysis of CVE-2025-12480. Disclosed yesterday, but patched back in July, it's an access control bypass affecting not only Gladinet Triofox, but as we show, also Gladinet CentreStack. Full analysis & RCE details here: attackerkb.com/topics/5C4wR...
As Pwn2Own Ireland 2025 draws to a close, a huge thank you to @thezdi.bsky.social for putting on another great contest! I reflected on why @rapid7.com has taken part at #Pwn2Own over the last two years, and our successes so far in the world of competitive zero day exploit development r-7.co/4o6RM85
The auth bypass appears to be a patch bypass of an older 2018 vuln (CVE-2018-0296). The buffer overflow is in a Lua endpoint, but unsafe native code operations allow a buffer to be overflowed and memory corruption to occur.
We just posted our AttackerKB @rapid7.com Analysis for the recent Cisco 0day chain: CVE-2025-20362 and CVE-2025-20333. Full technical root cause analysis of both the auth bypass and the buffer overflow is here: attackerkb.com/topics/Szq5u...
and shout out to @iagox86.bsky.social who figured out the access control bypass part of this back in his 2023 analysis of the CVE-2023-0069 patch 🔥
We have published our AttackerKB @rapid7.com Analysis for the recent GoAnywhere MFT vuln, CVE-2025-10035. It's an access control bypass + unsafe deserialization + an as-yet unknown issue in how an attacker can know a specific private key! attackerkb.com/topics/LbA9A...
⚠️ Rapid7 has identified a permission bypass vuln. in multiple versions of #OnePlus OxygenOS installed on its Android smartphones.
When leveraged, any app on the device may read SMS/MMS data & metadata via the default Telephony provider. More in our blog: r-7.co/42EujlR
Come join @rapid7.com! I'm hiring for a Senior Security Researcher to join our team. You'll get to work on n-day analysis, zero-day research, exploit development, and more - focusing on enterprise software and appliances. Fully remote in the UK, more details here: careers.rapid7.com/jobs/senior-...
I just completed the reimplementation of the in-the-wild gadget to use the Msf::Util::DotNetDeserialization routines, so that part is much cleaner now, no more sketchy blobs of base64 😅
We now have a (draft) @metasploit-r7.bsky.social exploit module in the pull queue for the recent Microsoft SharePoint Server unauthenticated RCE zero-day (CVE-2025-53770), based on the in-the-wild exploit published a few days ago. Check it out here: github.com/rapid7/metas...
Our @metasploit-r7.bsky.social auxiliary module for the new Brother auth bypass is available. The module will leak a serial number via HTTP/HTTPS/IPP (CVE-2024-51977), SNMP, or PJL, generate the device's default admin password (CVE-2024-51978), and then validate the creds: github.com/rapid7/metas...
Today @rapid7.com is disclosing 8 new vulnerabilities affecting 742 models across 4 vendors. After 13 months of coordinated disclosure with Brother Industries, Ltd, we're detailing all issues including a critical auth bypass. Full details here: www.rapid7.com/blog/post/mu...
Today @rapid7.com disclosed two vulns affecting NetScaler Console and SDX, found by Senior Security Researcher Calum Hutton! 🎉 Our blog details the authenticated arbitrary file read vuln (CVE-2025-4365), and the authenticated arbitrary file write vuln (which the vendor has not assigned a CVE for).
A new @rapid7.com Analysis of CVE-2024-58136 was just published to AttackerKB, courtesy of Calum Hutton 🔥 Affecting the Yii framework, this analysis details the root cause of CVE-2024-58136, and how it can be leveraged for RCE via a dirty file write to a log file. attackerkb.com/topics/U2Ddo...
This was an interesting challenge to go from a restricted character set "0123456789." for the overflow, to arbitrary RCE. Hat tip to watchTowr for diffing out the bug last Friday. PoC available here: github.com/sfewer-r7/CV...
We have just published our AttackerKB @rapid7.com Analysis of CVE-2025-22457, an unauthenticated stack-based buffer overflow in Ivanti Connect Secure. Difficult to exploit due to severe character restrictions, we detail our full RCE technique here: attackerkb.com/topics/0ybGQ...
A VM escape exploit chain, exploited in the wild as 0day ...well that's not something we see very often 👀
Root cause analysis of Sitecore XM + XP remote code execution CVE-2025-27218 via @rapid7.com's pen testing team attackerkb.com/assessments/...
Our @metasploit-r7.bsky.social exploit module for unauthenticated RCE against BeyondTrust Privileged Remote Access & Remote Support is now available. The exploit can either leverage CVE-2024-12356 and CVE-2025-1094 together, or solely leverage CVE-2025-1094 for RCE: github.com/rapid7/metas...
We are also publishing our AttackerKB Rapid7 analysis for CVE-2024-12356 - Unauth RCE affecting BeyondTrust PRA & RS, which was exploited in the wild last Dec as 0day ...our analysis details leveraging the new PostgreSQL vuln CVE-2025-1094 for RCE! 👀 attackerkb.com/topics/G5s8Z...
Today Rapid7 has disclosed CVE-2025-1094, a new PostgreSQL SQLi vuln we discovered while researching CVE-2024-12356 in BeyondTrust Remote Support. Untrusted inputs that have been safely character escaped could still generate SQLi under certain conditions: www.rapid7.com/blog/post/20...
Process injection shenanigans are dear to my heart - it's one of the first things I ever learned in security.
Inspired by an Akamai blog last month, this blog digs into techniques to tinker with other processes on Linux, and shows you how to write a little debugger in C!
Root cause analysis of #SonicWall SSL VPN auth bypass CVE-2024-53704 available now c/o Ryan Emmons: attackerkb.com/topics/UB3P3...