Intruder reported this vulnerability to Octopus Deploy on Dec 3, 2024, and it was fixed fairly quickly, with patches available from Jan 14, 2025. The exploit is simple and discoverable by attackers with basic knowledge, so active exploitation is expected if you're running a vulnerable version. Impact is limited to Active Directory account names, emails and local AD usernames, but this information is highly useful to attackers mounting mass password spraying or phishing campaigns, making exploitation likely in a targeted attack scenario. Please see the advisory for affected versions and a patch.
Insights
The latest vulnerability intelligence on critical CVEs from the Intruder Security Team.
- Link to CVE page
CVE-2025-0589
medium 6.9
Intruder Insights
Updated Feb 25, 2025
- Link to CVE page
CVE-2025-0108
high 8.8
Exploit known
Intruder Insights
Updated Feb 13, 2025
The mitigations that were put in place following the previous authentication bypass (CVE-2024-0012) were incomplete. The authentication step for the management panel can be abused to change the order in which requests are processed by the various underlying technologies (Apache, Nginx, PHP), resulting in an authentication bypass. AssetNote released a technical breakdown of this vulnerability.
Palo Alto have released patches for the vulnerability; details are available here.
- Link to CVE page
CVE-2024-55591
critical 9.8
Exploit known
Intruder Insights
Updated Jan 29, 2025
This vulnerability affects the terminal console functionality within the FortiGate admin panel. It exploits a weakness in the WebSockets implementation and allows an unauthenticated attacker to create administrative accounts on the Fortinet device. watchTowr have released a technical post breaking the vulnerability down.
Arctic Wolf have observed a handful of exploitations of this vulnerability in early December, where an unauthenticated threat actor created administrative accounts and changed device configurations. They have listed a number of IoCs which can help with identifying any malicious activity on devices. Fortinet have also released similar IoCs for this vulnerability.
Fortinet have released patching information and their own IoCs here.
Intruder Premium customers will be checked for this weakness today (Jan 16th) and notified if they are vulnerable.
- Link to CVE page
CVE-2025-21298
critical 9.8
Intruder Insights
Updated Jan 15, 2025
CVE-2025-21298 allows attackers to execute code by sending a malicious RTF email. The exploit triggers when the email is opened or previewed in an unpatched Outlook client, requiring no user interaction beyond viewing the message. To mitigate the risk, apply Microsoft's patch immediately, or as a temporary measure, disable RTF reading and configure Outlook to display emails in plain text.
- Link to CVE page
CVE-2025-0282
critical 9.0
Exploit known
Intruder Insights
Updated Jan 9, 2025
Buffer overflows such as this one require an advanced skillset, time and knowledge to exploit. In addition, the exploit must be specific to the version that is targeted (as noted by Google Mandiant).
The recommendation is to fix according to your usual critical patching schedule, but prioritise it over other criticals as this vulnerability has been added to the KEV list. That said, due to the complexities of this vulnerability class, we don't expect widespread exploitation.
Patching information has been released by Ivanti. However, the recommendation to use Ivanti's ICT scanner appears to be flawed, as pointed out by Google Mandiant. To help with detecting compromises, they have released YARA rules for this vulnerability.
- Link to CVE page
CVE-2024-49112
critical 9.8
Intruder Insights
Updated Jan 2, 2025
SafeBreach published a write-up on January 1st which exploits a denial-of-service condition and attributes it to this CVE, but the original researcher who reported this bug to Microsoft disagrees.
Though the publication of the full PoC does mean that attacks are more likely, the exploit for CVE-2024-49112 is not yet in the public domain, and so only highly resourced attack groups are likely to be able to exploit the RCE.
- Link to CVE page
CVE-2024-50623
critical 9.8
Exploit known
Intruder Insights
Updated Dec 10, 2024
CVE-2024-50623 can be exploited by an unauthenticated attacker to gain remote code execution on affected Cleo servers. Widespread exploitation has been observed. The vendor's advisory page is available here.
John Hammond at Huntress has released a technical article regarding this vulnerability, including a list of IOCs from live attacks in the wild. Originally it was believed that the patch was insufficient in fixing this CVE, due to ongoing exploitation against patched hosts. However, it seems that there is a second unauthenticated remote code execution vulnerability which does not currently carry a CVE. Further details regarding this second vulnerability can be found here.
- Link to CVE page
CVE-2024-9474
medium 6.9
Exploit known
Intruder Insights
Updated Nov 19, 2024
The vulnerabilities CVE-2024-0012 and CVE-2024-9474 can be combined to allow for an unauthenticated attacker to gain command line access to the vulnerable device. Compromising a vulnerable device would allow an attacker to gain access to internal networks as these devices are designed to sit on the edge of networks.
The vulnerability is due to a misconfigured Nginx instance and a command injection vulnerability, both of which are exploitable in the devices' default state. watchTowr have released a technical blog post detailing the vulnerability and its exploitation.
Palo Alto have released patches and hotfixes for the PAN-OS vulnerabilities, details are available here and here.
- Link to CVE page
CVE-2024-0012
critical 9.3
Exploit known
Intruder Insights
Updated Nov 19, 2024
The vulnerabilities CVE-2024-0012 and CVE-2024-9474 can be combined to allow for an unauthenticated attacker to gain command line access to the vulnerable device. Compromising a vulnerable device would allow an attacker to gain access to internal networks as these devices are designed to sit on the edge of networks.
The vulnerability is due to a misconfigured Nginx instance and a command injection vulnerability, both of which are exploitable in the devices' default state. watchTowr have released a technical blog post detailing the vulnerability and its exploitation.
Palo Alto have released patches and hotfixes for the PAN-OS vulnerabilities, details are available here and here.
- Link to CVE page
CVE-2024-10924
critical 9.8
Intruder Insights
Updated Nov 15, 2024
This is a wormable vulnerability that is very easy to exploit and we expect imminent and automated exploitation of this vulnerability.
As for the prerequisites, for the exploit to work, at least one user of the application needs to have "Two Factor Authentication" (2FA) enabled within Really Simple Security. As soon as the 2FA feature is enabled, an unauthenticated attacker can make a request to the vulnerable function and WordPress will return a valid session token for the victim.
A partial proof of concept has been released which does not work out of the box. However, due to how simple this vulnerability is, it requires little effort to get it working.
- Link to CVE page
CVE-2024-43451
medium 6.5
Exploit known
Intruder Insights
Updated Nov 14, 2024
Although the exploit targets functionality predominantly used by the deprecated Internet Explorer browser, exploitation is also possible if Microsoft Edge allows opening pages in IE mode. In this mode, Microsoft Edge makes use of the vulnerable MSHTML platform, but only when group policy is specifically configured to allow it.
- Link to CVE page
CVE-2024-8069
medium 5.1
Intruder Insights
Updated Nov 13, 2024
watchTowr have released a technical article about this vulnerability and its discovery. The details within the article, and the PoC video, call into question the official vulnerability information released by Citrix.
The exploit chain used by watchTowr relies on sending an HTTP request to the MSMQ instance which the vulnerable software utilises. By default, MSMQ doesn't operate over HTTP. However, Citrix have enabled a feature which allows any host to communicate with it directly via HTTP. With this information and the evidence laid out by watchTowr, it is clear that this is an attack in which an unauthenticated attacker can exploit a vulnerable instance remotely. Thus, the CVSS score should be in the high 9s.
What isn't certain is whether the discrepancy in vulnerability details is down to the triager at Citrix not fully understanding the exploit chain, or whether it is more malicious, with a vendor attempting to downplay the severity of a vulnerability within their software.
Following the release of the proof of concept on the 12th of November 2024, the Shadowserver Foundation have witnessed attempts at exploitation.
- Link to CVE page
CVE-2024-51774
high 8.1
Intruder Insights
Updated Nov 5, 2024
Exploiting this vulnerability requires the attacker to execute a Man-in-the-Middle (MITM) attack, which is unlikely to be exploitable against the average user.
- Link to CVE page
CVE-2024-47575
critical 9.8
Exploit known
Intruder Insights
Updated Oct 24, 2024
For an instance of FortiManager to be exploitable by this vulnerability (FortiJump), the FGFM protocol (tcp/541, or tcp/542 if using IPv6) needs to be exposed to the internet, either by the FortiManager instance or by a FortiGate device which is connected to a vulnerable FortiManager instance. This is because the FGFM protocol can allow access to FortiManager devices which are behind NAT if a FortiGate product is exposed to the internet and has FGFM enabled. FGFM needs to be enabled; it is now disabled by default following the patch for CVE-2024-23113.
Mandiant have a comprehensive article on this weakness, its use in the wild by threat actors, IOCs and mitigation strategies. watchTowr have released a second blog explaining the full technical details of this attack. In this post watchTowr outline how the original mitigations did not fully patch systems against this vulnerability.
Intruder customers can use the attack surface view to find out if they have port tcp/541 exposed to the internet.
- Link to CVE page
CVE-2024-9634
critical 9.8
Intruder Insights
Updated Oct 16, 2024
The original fix which the developers implemented for CVE-2024-5932 was insufficient and did not cover all form fields, such as "Company Name", which is used when a donation is made on behalf of a company.
The previous fix has now been extended to cover all fields that are submitted by a donations form.
- Link to CVE page
CVE-2024-23113
critical 9.8
Exploit known
Intruder Insights
Updated Oct 15, 2024
In practice, exploitation of this vulnerability is nuanced, and not all vulnerable versions are exploitable due to requiring certificates which can only be configured by an administrator. As such, and as per this full writeup, the real-world risk is likely lower than its CVSS score suggests.
- Link to CVE page
CVE-2023-4911
high 7.8
Exploit known
Intruder Insights
Updated Oct 15, 2024
Fedora, Ubuntu, and Debian are the systems most at risk from the bug. It's found in the GNU C Library (glibc), which is present on most systems running the Linux kernel.
More information is available in our blog post here.
- Link to CVE page
CVE-2021-44228
critical 10.0
Exploit known
Intruder Insights
Updated Oct 15, 2024
This is a remote code execution vulnerability in the popular Log4j package, which is everywhere.
More information is available in our blog post here.
- Link to CVE page
CVE-2022-3602
high 7.5
Intruder Insights
Updated Oct 15, 2024
The vulnerability that caused mass speculation online was downgraded to High following a secondary review by those involved with the OpenSSL project. This was due to a handful of limitations and modern system protections which, when combined, significantly reduce the likelihood of real-world exploitation.
More information is available in our blog post here.
- Link to CVE page
CVE-2023-4966
critical 9.4
Exploit known
Intruder Insights
Updated Oct 15, 2024
The NetScaler suite of products includes load balancing, firewall and VPN services, so one possible impact is compromised remote access to your private networks. NetScaler responds to certain requests by dumping memory back to the sender, which can contain access tokens for logged-in users. The exploit is as bad as whatever you've given access to remotely through your NetScaler system. And because they're logged-in sessions, MFA won't protect you.
More information is available in our blog post here.
- Link to CVE page
CVE-2024-28698
critical 9.8
Intruder Insights
Updated Oct 15, 2024
This vulnerability affects applications using the CSLA.NET framework. It allows an attacker to execute code on the server if they are also able to upload a file to a known location on the server, for example if the application allows users to upload images.
More information is available in our blog post here.
- Link to CVE page
CVE-2022-22965
critical 9.8
Exploit known
Intruder Insights
Updated Oct 15, 2024
The vulnerability affects Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, as well as all older versions. For an application to be fully vulnerable to the currently (13/04/2020) known vectors, a number of prerequisites must be met.
More information is available in our blog post here.
- Link to CVE page
CVE-2024-5806
critical 9.1
Intruder Insights
Updated Oct 15, 2024
This vulnerability affects Progress MOVEit servers utilising SFTP and allows attackers to log in as any user if they can successfully guess their username. Depending on how MOVEit is configured, this could be a trivial step.
More information is available in our blog post here.
- Link to CVE page
CVE-2023-38545
critical 9.8
Intruder Insights
Updated Oct 15, 2024
This vulnerability affects curl if you use curl in proxy-resolver mode via a SOCKS5 proxy, and there is a clear path for attackers to control which server curl is pointing at, e.g. with untrusted user inputs on a public application.
More information is available in our blog post here.
- Link to CVE page
CVE-2024-24919
high 8.6
Exploit known
Intruder Insights
Updated Oct 15, 2024
This vulnerability affects Check Point Security Gateways. Active exploitation has been identified, and public proofs of concept have also been released.
More information is available in our blog post here.
- Link to CVE page
CVE-2024-3400
critical 10.0
Exploit known
Intruder Insights
Updated Oct 15, 2024
This serious vulnerability affects a number of Palo Alto GlobalProtect devices which utilize device analytics. Active exploitation of this vulnerability has been witnessed by a number of organizations.
More information is available in our blog post here.
- Link to CVE page
CVE-2024-3094
critical 10.0
Intruder Insights
Updated Oct 15, 2024
The attack is believed to be a nation-state level attack, and only the rogue developer and groups with which the compromised key has been shared would be able to gain access. As such, it is not likely to be widely exploited.
More information is available in our blog post here.
- Link to CVE page
CVE-2024-6387
high 8.1
Intruder Insights
Updated Oct 15, 2024
This vulnerability affects OpenSSH and could allow an attacker to execute commands on an affected device. The vulnerability is highly complex and has limitations which are likely to prevent widespread exploitation.
More information is available in our blog post here.
- Link to CVE page
CVE-2024-9466
high 8.2
Intruder Insights
Updated Oct 15, 2024
Following Palo Alto's announcement of several vulnerabilities in their configuration generation tool Expedition, Horizon released a technical breakdown. In addition to this, watchTowr also released a proof of concept for CVE-2024-9463.
These vulnerabilities are trivial to exploit and pose a significant risk to Expedition, whether you expose it to the internet or not.
While this software is not commonly exposed to the internet, a significant risk still remains where an attacker can access the device from the same network as Expedition.
- Link to CVE page
CVE-2024-9464
critical 9.3
Intruder Insights
Updated Oct 15, 2024
Following Palo Alto's announcement of several vulnerabilities in their configuration generation tool Expedition, Horizon released a technical breakdown. In addition to this, watchTowr also released a proof of concept for CVE-2024-9463.
These vulnerabilities are trivial to exploit and pose a significant risk to Expedition, whether you expose it to the internet or not.
While this software is not commonly exposed to the internet, a significant risk still remains where an attacker can access the device from the same network as Expedition.
- Link to CVE page
CVE-2024-9463
critical 9.9
Exploit known
Intruder Insights
Updated Oct 15, 2024
Following Palo Alto's announcement of several vulnerabilities in their configuration generation tool Expedition, Horizon released a technical breakdown. In addition to this, watchTowr also released a proof of concept for CVE-2024-9463.
These vulnerabilities are trivial to exploit and pose a significant risk to Expedition, whether you expose it to the internet or not.
While this software is not commonly exposed to the internet, a significant risk still remains where an attacker can access the device from the same network as Expedition.
- Link to CVE page
CVE-2024-9467
high 7.0
Intruder Insights
Updated Oct 15, 2024
Following Palo Alto's announcement of several vulnerabilities in their configuration generation tool Expedition, Horizon released a technical breakdown. In addition to this, watchTowr also released a proof of concept for CVE-2024-9463.
These vulnerabilities are trivial to exploit and pose a significant risk to Expedition, whether you expose it to the internet or not.
While this software is not commonly exposed to the internet, a significant risk still remains where an attacker can access the device from the same network as Expedition.
- Link to CVE page
CVE-2024-9465
critical 9.2
Exploit known
Intruder Insights
Updated Oct 15, 2024
Following Palo Alto's announcement of several vulnerabilities in their configuration generation tool Expedition, Horizon released a technical breakdown. In addition to this, watchTowr also released a proof of concept for CVE-2024-9463.
These vulnerabilities are trivial to exploit and pose a significant risk to Expedition, whether you expose it to the internet or not.
While this software is not commonly exposed to the internet, a significant risk still remains where an attacker can access the device from the same network as Expedition.
- Link to CVE page
CVE-2024-29824
high 8.8
Exploit known
Intruder Insights
Updated Oct 7, 2024
Unauthenticated SQL Injection & RCE in Ivanti EPM 2022 SU5 and prior, allowing attackers to gain full control over the EPM host.
This vulnerability has been actively exploited in the wild, so we strongly recommend patching as soon as possible.
If exploited, an attacker could use the compromised Ivanti EPM host to move laterally across the network, potentially targeting other infrastructure.
For detailed information and patch instructions, refer to the advisory available here.
- Link to CVE page
CVE-2024-45409
critical 9.8
Intruder Insights
Updated Oct 7, 2024
Attackers could leverage this vulnerability against a GitLab instance to push compromised builds or malicious updates to end users, causing widespread impact across the organization's supply chain.
The Ruby-SAML library used in GitLab, in versions <= 12.2 and 1.13.0 to 1.16.0, fails to properly verify SAML signatures. This vulnerability (CVE-2024-45409) allows a remote unauthenticated attacker to forge SAML responses, enabling unauthorized access to arbitrary GitLab accounts.
A patch and mitigations to prevent exploitation are available here.