Max Rogers
maxrogers5.com
@maxrogers5.com
Sr. Director of SOC at Huntress. Ex-Mandiant/FireEye. Bringing security to the Fortune 5,000,000.
This case is also a milestone for us at Huntress: it’s our first time reserving and publishing a CVE since being approved as a CVE Naming Authority (CNA).

Proud to have gone from spotting real-world exploitation → engaging the vendor → to publishing a CVE for the community.
October 10, 2025 at 2:22 AM
Until a patch is released, administrators should immediately apply the workaround detailed in our post:
October 10, 2025 at 2:22 AM
In observed attacks, threat actors leveraged the flaw to read sensitive files—including Web.config—and extract the application’s machine key. That access enabled further exploitation, including potential remote code execution.
October 10, 2025 at 2:22 AM
Great job @jaiminton.com, @re.wtf, and James Northey
October 10, 2025 at 1:53 AM
4⃣ By repurposing a legitimate monitoring tool, the actor gained persistent access and a stable C2 channel. The Nezha agent was then used to deploy the final payload: a variant of Ghost RAT, a backdoor long associated with China-nexus threat groups.
October 10, 2025 at 1:53 AM
3⃣ From there, the actor used the AntSword management tool to interact with their web shell. This is a common TTP, but what came next was new to us. They used AntSword to download and install the Nezha agent, an open-source server monitoring tool, onto the victim.
October 10, 2025 at 1:53 AM
2⃣ The initial access was creative. The actor exploited a misconfigured, public-facing phpMyAdmin panel. They then used a log poisoning technique to write a one-liner PHP web shell (China Chopper) to disk, bypassing authentication and gaining initial command execution.
October 10, 2025 at 1:53 AM
I’m right there with you! Simplicity is a cheat code.
March 31, 2025 at 11:49 PM
"Outsized value" would have been a better choice of words.
March 10, 2025 at 5:50 PM