We now have a (draft) @metasploit-r7.bsky.social exploit module for the recent Fortinet FortiWeb vulns, chaining CVE-2025-64446 (auth bypass) + CVE-2025-58034 (command injection) to achieve unauthenticated RCE with root privileges: github.com/rapid7/metas...

We posted our AttackerKB @rapid7.com Analysis of the new EITW FortiWeb command injection vuln, CVE-2025-58034. The patch fixes several command injections, so we reproduced the SAML config name injection, and popped a reverse root shell 🎯 Full details here: attackerkb.com/topics/zClpI...

New @metasploit-r7.bsky.social aux module in the pull queue for the FortiWeb vuln (no CVE at this time). Based on the PoC captured and posted by Defused, it leverages an auth bypass to create a new local admin account on the target: github.com/rapid7/metas...

We just published our AttackerKB @rapid7.com analysis of CVE-2025-12480. Disclosed yesterday, but patched back in July, it's an access control bypass affecting not only Gladinet Triofox, but as we show, also Gladinet CentreStack. Full analysis & RCE details here: attackerkb.com/topics/5C4wR...

We now have a (draft) @metasploit-r7.bsky.social exploit module in the pull queue for the recent Microsoft SharePoint Server unauthenticated RCE zero-day (CVE-2025-53770), based on the in-the-wild exploit published a few days ago. Check it out here: github.com/rapid7/metas...

Our @metasploit-r7.bsky.social auxiliary module for the new Brother auth bypass is available. The module will leak a serial number via HTTP/HTTPS/IPP (CVE-2024-51977), SNMP, or PJL, generate the devices default admin password (CVE-2024-51978), and then validate the creds: github.com/rapid7/metas...

I wrote a PoC for the recent Ivanti Connect Secure stack buffer overflow, CVE-2025-0282, based on the exploitation strategy watchTowr published, along with an assessment of exploitability given the lack of a suitable info leak to break ASLR: attackerkb.com/assessments/...

We now have a @metasploit-r7.bsky.social RCE exploit module in the pull queue for CVE-2024-55956 - an unauthenticated file write vulnerability affecting Cleo LexiCom, VLTrader, and Harmony which was exploited in the wild last month as 0day: github.com/rapid7/metas...

We have published our Rapid7 analysis of the new Cleo vuln, now known as CVE-2024-55956. An unauthenticated file write affecting LexiCom, VLTrader, and Harmony versions 5.8.0.23 and below, that can be leveraged to achieve unauth RCE. Full analysis here: attackerkb.com/topics/geR0H...

Phase 2 achieves RCE by leveraging an authenticated stack based buffer overflow, to execute arbitrary OS commands, and then a code signing bypass to execute arbitrary native code as root.

Phase 1 achieves an auth bypass by leveraging an unauth stack based buffer overflow to reach an out-of-bounds heap read, in turn leaking a secret from heap memory which allows us to reset the admin password. Finally a null pointer dereference forces a device reboot.