Known Exploited Vulnerabilities Authentication Bypass Capability Group

CVE-2024-4358 is an authentication bypass vulnerability. This has been seen to be chained with CVE-2024-1800 in order to achieve remote code execution.

This vulnerability is exploited by an adversary who has already exploited an ESXi system and gained access to a valid account. Using this account, the adversary creates a new AD group named "ESXi Admins" that the ESXi Hypervisor grants full admin privileges. Adversary groups such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest have leveraged this vulnerability to deploy ransomware known as Akira and Black Basta onto compromised environments.

This vulnerability is exploited by an adversary who has already exploited an ESXi system and gained access to a valid account. Using this account, the adversary creates a new AD group named "ESXi Admins" that the ESXi Hypervisor grants full admin privileges. Adversary groups such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest have leveraged this vulnerability to deploy ransomware known as Akira and Black Basta onto compromised environments.

This vulnerability is exploited by an adversary who has already exploited an ESXi system and gained access to a valid account. Using this account, the adversary creates a new AD group named "ESXi Admins" that the ESXi Hypervisor grants full admin privileges. Adversary groups such as Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest have leveraged this vulnerability to deploy ransomware known as Akira and Black Basta onto compromised environments.

This authentication bypass vulnerability is exploited by an unauthenticated, remote adversary via an alternative path issue in the web component allowing attackers to perform admin actions and achieve remote code execution. To exploit this vulnerability, attackers need to generate an unauthenticated 404 HTTP response, pass the HTTP query string “?jsp=/app/rest/server”, and append “;.jsp” to the HTTP path parameter.

This authentication bypass vulnerability is exploited by an unauthenticated, remote adversary via an alternative path issue in the web component allowing attackers to perform admin actions and achieve remote code execution. To exploit this vulnerability, attackers need to generate an unauthenticated 404 HTTP response, pass the HTTP query string “?jsp=/app/rest/server”, and append “;.jsp” to the HTTP path parameter.

This vulnerability is exploited through an authentication bypass weakness in the web component of Ivanti Connect Secure and Ivanti Policy Secure. Remote attackers leverage this vulnerability to gain unauthorized access by bypassing control checks.

This vulnerability is exploited through an authentication bypass weakness in the web component of Ivanti Connect Secure and Ivanti Policy Secure. Remote attackers leverage this vulnerability to gain unauthorized access by bypassing control checks.

This vulnerability is exploited through an authentication bypass weakness in the web component of Ivanti Connect Secure and Ivanti Policy Secure. Remote attackers leverage this vulnerability to gain unauthorized access by bypassing control checks.

This vulnerability is exploited through an authentication bypass weakness in the web component of Ivanti Connect Secure and Ivanti Policy Secure. Remote attackers leverage this vulnerability to gain unauthorized access by bypassing control checks.

This vulnerability is exploited through an authentication bypass in JetBrains TeamCity, allowing remote attackers with HTTP(S) access to perform unauthorized remote code execution. This vulnerability enables attackers to gain administrative control of the TeamCity server and execute cmd.exe for various malicious activities, including downloading and executing harmful files.

This vulnerability is exploited through an authentication bypass in JetBrains TeamCity, allowing remote attackers with HTTP(S) access to perform unauthorized remote code execution. This vulnerability enables attackers to gain administrative control of the TeamCity server and execute cmd.exe for various malicious activities, including downloading and executing harmful files.

This vulnerability was exploited by unauthenticated actors who accessed the System Manager Portal of Ivanti MobileIron Sentry via port 8433, leveraging an authentication bypass flaw to achieve remote code execution. This flaw allows attackers to access sensitive APIs, enabling them to change configurations, execute system commands, or write files onto the system. This vulnerability was part of a campaign involving cryptocurrency mining and internal network reconnaissance. The exploitation allowed attackers to deploy malicious tools and conduct unauthorized activities within the network, ultimately compromising system integrity and security.The exploitation facilitated unauthorized access to the Ivanti Sentry server, allowing the execution of OS commands as a system administrator using "sudo." Observations revealed that suspicious SSL connections over port 8433 led to HTTP GET requests, indicating the abuse of command-line utilities like wget and cURL.

This vulnerability was exploited by unauthenticated actors who accessed the System Manager Portal of Ivanti MobileIron Sentry via port 8433, leveraging an authentication bypass flaw to achieve remote code execution. This flaw allows attackers to access sensitive APIs, enabling them to change configurations, execute system commands, or write files onto the system. This vulnerability was part of a campaign involving cryptocurrency mining and internal network reconnaissance. The exploitation allowed attackers to deploy malicious tools and conduct unauthorized activities within the network, ultimately compromising system integrity and security.The exploitation facilitated unauthorized access to the Ivanti Sentry server, allowing the execution of OS commands as a system administrator using "sudo." Observations revealed that suspicious SSL connections over port 8433 led to HTTP GET requests, indicating the abuse of command-line utilities like wget and cURL.

This vulnerability was exploited by unauthenticated actors who accessed the System Manager Portal of Ivanti MobileIron Sentry via port 8433, leveraging an authentication bypass flaw to achieve remote code execution. This flaw allows attackers to access sensitive APIs, enabling them to change configurations, execute system commands, or write files onto the system. This vulnerability was part of a campaign involving cryptocurrency mining and internal network reconnaissance. The exploitation allowed attackers to deploy malicious tools and conduct unauthorized activities within the network, ultimately compromising system integrity and security.The exploitation facilitated unauthorized access to the Ivanti Sentry server, allowing the execution of OS commands as a system administrator using "sudo." Observations revealed that suspicious SSL connections over port 8433 led to HTTP GET requests, indicating the abuse of command-line utilities like wget and cURL.

This vulnerability was exploited by unauthenticated actors who accessed the System Manager Portal of Ivanti MobileIron Sentry via port 8433, leveraging an authentication bypass flaw to achieve remote code execution. This flaw allows attackers to access sensitive APIs, enabling them to change configurations, execute system commands, or write files onto the system. This vulnerability was part of a campaign involving cryptocurrency mining and internal network reconnaissance. The exploitation allowed attackers to deploy malicious tools and conduct unauthorized activities within the network, ultimately compromising system integrity and security.The exploitation facilitated unauthorized access to the Ivanti Sentry server, allowing the execution of OS commands as a system administrator using "sudo." Observations revealed that suspicious SSL connections over port 8433 led to HTTP GET requests, indicating the abuse of command-line utilities like wget and cURL.

This vulnerability was exploited by unauthenticated actors who accessed the System Manager Portal of Ivanti MobileIron Sentry via port 8433, leveraging an authentication bypass flaw to achieve remote code execution. This flaw allows attackers to access sensitive APIs, enabling them to change configurations, execute system commands, or write files onto the system. This vulnerability was part of a campaign involving cryptocurrency mining and internal network reconnaissance. The exploitation allowed attackers to deploy malicious tools and conduct unauthorized activities within the network, ultimately compromising system integrity and security.The exploitation facilitated unauthorized access to the Ivanti Sentry server, allowing the execution of OS commands as a system administrator using "sudo." Observations revealed that suspicious SSL connections over port 8433 led to HTTP GET requests, indicating the abuse of command-line utilities like wget and cURL.

This vulnerability was exploited by unauthenticated actors who accessed the System Manager Portal of Ivanti MobileIron Sentry via port 8433, leveraging an authentication bypass flaw to achieve remote code execution. This flaw allows attackers to access sensitive APIs, enabling them to change configurations, execute system commands, or write files onto the system. This vulnerability was part of a campaign involving cryptocurrency mining and internal network reconnaissance. The exploitation allowed attackers to deploy malicious tools and conduct unauthorized activities within the network, ultimately compromising system integrity and security.The exploitation facilitated unauthorized access to the Ivanti Sentry server, allowing the execution of OS commands as a system administrator using "sudo." Observations revealed that suspicious SSL connections over port 8433 led to HTTP GET requests, indicating the abuse of command-line utilities like wget and cURL.

This vulnerability was exploited by unauthenticated actors who accessed the System Manager Portal of Ivanti MobileIron Sentry via port 8433, leveraging an authentication bypass flaw to achieve remote code execution. This flaw allows attackers to access sensitive APIs, enabling them to change configurations, execute system commands, or write files onto the system. This vulnerability was part of a campaign involving cryptocurrency mining and internal network reconnaissance. The exploitation allowed attackers to deploy malicious tools and conduct unauthorized activities within the network, ultimately compromising system integrity and security.The exploitation facilitated unauthorized access to the Ivanti Sentry server, allowing the execution of OS commands as a system administrator using "sudo." Observations revealed that suspicious SSL connections over port 8433 led to HTTP GET requests, indicating the abuse of command-line utilities like wget and cURL.

This vulnerability was exploited by unauthenticated actors who accessed the System Manager Portal of Ivanti MobileIron Sentry via port 8433, leveraging an authentication bypass flaw to achieve remote code execution. This flaw allows attackers to access sensitive APIs, enabling them to change configurations, execute system commands, or write files onto the system. This vulnerability was part of a campaign involving cryptocurrency mining and internal network reconnaissance. The exploitation allowed attackers to deploy malicious tools and conduct unauthorized activities within the network, ultimately compromising system integrity and security.The exploitation facilitated unauthorized access to the Ivanti Sentry server, allowing the execution of OS commands as a system administrator using "sudo." Observations revealed that suspicious SSL connections over port 8433 led to HTTP GET requests, indicating the abuse of command-line utilities like wget and cURL.

This vulnerability was exploited by unauthenticated actors who accessed the System Manager Portal of Ivanti MobileIron Sentry via port 8433, leveraging an authentication bypass flaw to achieve remote code execution. This flaw allows attackers to access sensitive APIs, enabling them to change configurations, execute system commands, or write files onto the system. This vulnerability was part of a campaign involving cryptocurrency mining and internal network reconnaissance. The exploitation allowed attackers to deploy malicious tools and conduct unauthorized activities within the network, ultimately compromising system integrity and security.The exploitation facilitated unauthorized access to the Ivanti Sentry server, allowing the execution of OS commands as a system administrator using "sudo." Observations revealed that suspicious SSL connections over port 8433 led to HTTP GET requests, indicating the abuse of command-line utilities like wget and cURL.

This vulnerability is exploited through an unauthenticated API access flaw in Ivanti EPMM. Attackers initiate this vulnerability by leveraging the default internet-facing API configuration, allowing them to access restricted functionalities without authentication. This enables them to extract personally identifiable information (PII) and perform administrative actions, such as creating new accounts and making configuration changes.

This vulnerability is exploited through an unauthenticated API access flaw in Ivanti EPMM. Attackers initiate this vulnerability by leveraging the default internet-facing API configuration, allowing them to access restricted functionalities without authentication. Reports state attackers who exploited this vulnerability gained access personally identifiable information (PII) and added an administrator account on the affected EPMM server, to allow for further system compromise.

This vulnerability is exploited through an unauthenticated API access flaw in Ivanti EPMM. Attackers initiate this vulnerability by leveraging the default internet-facing API configuration, allowing them to access restricted functionalities without authentication. Reports state attackers who exploited this vulnerability gained access personally identifiable information (PII) and added an administrator account on the affected EPMM server, to allow for further system compromise.

This vulnerability is exploited by an adversary who has fully compromised ESXi host. The adversary can exploit the authentication bypass flaw, leading to a failure in authenticating host-to-guest operations. The threat group UNC3886 has exploited this vulnerability to deploy VirtualPita and VirtualPie backdoors on guest VMs by escalating privileges to root on compromised ESXi hosts. This allows for unauthenticated command execution and file transfer.

This vulnerability is exploited by an adversary who has fully compromised ESXi host. The adversary can exploit the authentication bypass flaw, leading to a failure in authenticating host-to-guest operations. The threat group UNC3886 has exploited this vulnerability to deploy VirtualPita and VirtualPie backdoors on guest VMs by escalating privileges to root on compromised ESXi hosts. This allows for unauthenticated command execution and file transfer.

This vulnerability is exploited by an adversary who has fully compromised ESXi host. The adversary can exploit the authentication bypass flaw, leading to a failure in authenticating host-to-guest operations. The threat group UNC3886 has exploited this vulnerability to deploy VirtualPita and VirtualPie backdoors on guest VMs by escalating privileges to root on compromised ESXi hosts. This allows for unauthenticated command execution and file transfer.

This authentication bypass vulnerability allows an adversary to create an admin ssh key via any HTTP method.

This authentication bypass vulnerability allows an adversary to create an admin ssh key via any HTTP method.

This vulnerability is exploited by a malicious actor via improper validation via SAML to modify session data and escalate privileges to gain admin access to the Zabbix Frontend. This allows attackers to control the saml_data[username_attribute] value. This flaw enables unauthenticated users to bypass authentication and access the Zabbix dashboard as a highly-privileged user, such as the default "Admin" user. Additionally, incorrect handling of Zabbix installer files permits unauthenticated users to access and reconfigure servers.

This vulnerability is exploited by a malicious actor via improper validation via SAML to modify session data and escalate privileges to gain admin access to the Zabbix Frontend. This allows attackers to control the saml_data[username_attribute] value. This flaw enables unauthenticated users to bypass authentication and access the Zabbix dashboard as a highly-privileged user, such as the default "Admin" user. Additionally, incorrect handling of Zabbix installer files permits unauthenticated users to access and reconfigure servers.

This vulnerability is exploited by a malicious actor via improper validation via SAML to modify session data and escalate privileges to gain admin access to the Zabbix Frontend. This allows attackers to control the saml_data[username_attribute] value. This flaw enables unauthenticated users to bypass authentication and access the Zabbix dashboard as a highly-privileged user, such as the default "Admin" user. Additionally, incorrect handling of Zabbix installer files permits unauthenticated users to access and reconfigure servers.

This vulnerability is exploited by a malicious actor via improper validation via SAML to modify session data and escalate privileges to gain admin access to the Zabbix Frontend. This allows attackers to control the saml_data[username_attribute] value. This flaw enables unauthenticated users to bypass authentication and access the Zabbix dashboard as a highly-privileged user, such as the default "Admin" user. Additionally, incorrect handling of Zabbix installer files permits unauthenticated users to access and reconfigure servers.

This authentication bypass vulnerability is exploited by remote attackers via the User Portal and Webadmin components. This vulnerability allows an attacker to execute arbitrary code on the victim machine. It was actively exploited by Chinese state-sponsored APT groups, including "Drifting Cloud," to target organizations and governments across South Asia, particularly in Afghanistan, Bhutan, India, Nepal, Pakistan, and Sri Lanka. The attackers leveraged this vulnerability to deploy webshells, conduct man-in-the-middle attacks by modifying DNS responses, and intercept user credentials and session cookies from content management systems. This vulnerability was exploited by Chinese state-sponsored threat actors as part of a broader campaign named "Pacific Rim." This campaign involved multiple Chinese APT groups, including APT31, APT41, and Volt Typhoon, targeting Sophos firewalls. The backdoor PygmyGoat, a novel rootkit that takes the form of a shared object ("libsophos.so"), has been found to be delivered following the exploitation of this vulnerability. The use of the rootkit was observed between March and April 2022 on a government device and a technology partner, and again in May 2022 on a machine in a military hospital based in Asia. This vulnerability was also exploited by at least two advanced persistent threat (APT) groups in a highly targeted attack campaign. The attackers used the vulnerability to place malicious files into a fixed filesystem location on affected devices, leveraging a combination of authentication bypass and command injection to execute arbitrary commands as root. The attack involved deploying various malware families, including GoMet and Gh0st RAT, to maintain persistent access and exfiltrate sensitive data. The attackers demonstrated significant knowledge of the device firmware, using custom ELF binaries and runtime packers like VMProtect to complicate analysis. They manipulated internal commands to move and manipulate files, execute processes, and exfiltrate data. The campaign targeted network security devices, employing a two-stage attack to drop remote access tools and execute commands remotely.

This authentication bypass vulnerability is exploited by remote attackers via the User Portal and Webadmin components. This vulnerability allows an attacker to execute arbitrary code on the victim machine. It was actively exploited by Chinese state-sponsored APT groups, including "Drifting Cloud," to target organizations and governments across South Asia, particularly in Afghanistan, Bhutan, India, Nepal, Pakistan, and Sri Lanka. The attackers leveraged this vulnerability to deploy webshells, conduct man-in-the-middle attacks by modifying DNS responses, and intercept user credentials and session cookies from content management systems. This vulnerability was exploited by Chinese state-sponsored threat actors as part of a broader campaign named "Pacific Rim." This campaign involved multiple Chinese APT groups, including APT31, APT41, and Volt Typhoon, targeting Sophos firewalls. The backdoor PygmyGoat, a novel rootkit that takes the form of a shared object ("libsophos.so"), has been found to be delivered following the exploitation of this vulnerability. The use of the rootkit was observed between March and April 2022 on a government device and a technology partner, and again in May 2022 on a machine in a military hospital based in Asia. This vulnerability was also exploited by at least two advanced persistent threat (APT) groups in a highly targeted attack campaign. The attackers used the vulnerability to place malicious files into a fixed filesystem location on affected devices, leveraging a combination of authentication bypass and command injection to execute arbitrary commands as root. The attack involved deploying various malware families, including GoMet and Gh0st RAT, to maintain persistent access and exfiltrate sensitive data. The attackers demonstrated significant knowledge of the device firmware, using custom ELF binaries and runtime packers like VMProtect to complicate analysis. They manipulated internal commands to move and manipulate files, execute processes, and exfiltrate data. The campaign targeted network security devices, employing a two-stage attack to drop remote access tools and execute commands remotely.

This authentication bypass vulnerability is exploited by remote attackers via the User Portal and Webadmin components. This vulnerability allows an attacker to execute arbitrary code on the victim machine. It was actively exploited by Chinese state-sponsored APT groups, including "Drifting Cloud," to target organizations and governments across South Asia, particularly in Afghanistan, Bhutan, India, Nepal, Pakistan, and Sri Lanka. The attackers leveraged this vulnerability to deploy webshells, conduct man-in-the-middle attacks by modifying DNS responses, and intercept user credentials and session cookies from content management systems. This vulnerability was exploited by Chinese state-sponsored threat actors as part of a broader campaign named "Pacific Rim." This campaign involved multiple Chinese APT groups, including APT31, APT41, and Volt Typhoon, targeting Sophos firewalls. The backdoor PygmyGoat, a novel rootkit that takes the form of a shared object ("libsophos.so"), has been found to be delivered following the exploitation of this vulnerability. The use of the rootkit was observed between March and April 2022 on a government device and a technology partner, and again in May 2022 on a machine in a military hospital based in Asia. This vulnerability was also exploited by at least two advanced persistent threat (APT) groups in a highly targeted attack campaign. The attackers used the vulnerability to place malicious files into a fixed filesystem location on affected devices, leveraging a combination of authentication bypass and command injection to execute arbitrary commands as root. The attack involved deploying various malware families, including GoMet and Gh0st RAT, to maintain persistent access and exfiltrate sensitive data. The attackers demonstrated significant knowledge of the device firmware, using custom ELF binaries and runtime packers like VMProtect to complicate analysis. They manipulated internal commands to move and manipulate files, execute processes, and exfiltrate data. The campaign targeted network security devices, employing a two-stage attack to drop remote access tools and execute commands remotely.

This authentication bypass vulnerability is exploited by remote attackers via the User Portal and Webadmin components. This vulnerability allows an attacker to execute arbitrary code on the victim machine. It was actively exploited by Chinese state-sponsored APT groups, including "Drifting Cloud," to target organizations and governments across South Asia, particularly in Afghanistan, Bhutan, India, Nepal, Pakistan, and Sri Lanka. The attackers leveraged this vulnerability to deploy webshells, conduct man-in-the-middle attacks by modifying DNS responses, and intercept user credentials and session cookies from content management systems. This vulnerability was exploited by Chinese state-sponsored threat actors as part of a broader campaign named "Pacific Rim." This campaign involved multiple Chinese APT groups, including APT31, APT41, and Volt Typhoon, targeting Sophos firewalls. The backdoor PygmyGoat, a novel rootkit that takes the form of a shared object ("libsophos.so"), has been found to be delivered following the exploitation of this vulnerability. The use of the rootkit was observed between March and April 2022 on a government device and a technology partner, and again in May 2022 on a machine in a military hospital based in Asia. This vulnerability was also exploited by at least two advanced persistent threat (APT) groups in a highly targeted attack campaign. The attackers used the vulnerability to place malicious files into a fixed filesystem location on affected devices, leveraging a combination of authentication bypass and command injection to execute arbitrary commands as root. The attack involved deploying various malware families, including GoMet and Gh0st RAT, to maintain persistent access and exfiltrate sensitive data. The attackers demonstrated significant knowledge of the device firmware, using custom ELF binaries and runtime packers like VMProtect to complicate analysis. They manipulated internal commands to move and manipulate files, execute processes, and exfiltrate data. The campaign targeted network security devices, employing a two-stage attack to drop remote access tools and execute commands remotely.

This authentication bypass vulnerability is exploited by remote attackers via the User Portal and Webadmin components. This vulnerability allows an attacker to execute arbitrary code on the victim machine. It was actively exploited by Chinese state-sponsored APT groups, including "Drifting Cloud," to target organizations and governments across South Asia, particularly in Afghanistan, Bhutan, India, Nepal, Pakistan, and Sri Lanka. The attackers leveraged this vulnerability to deploy webshells, conduct man-in-the-middle attacks by modifying DNS responses, and intercept user credentials and session cookies from content management systems. This vulnerability was exploited by Chinese state-sponsored threat actors as part of a broader campaign named "Pacific Rim." This campaign involved multiple Chinese APT groups, including APT31, APT41, and Volt Typhoon, targeting Sophos firewalls. The backdoor PygmyGoat, a novel rootkit that takes the form of a shared object ("libsophos.so"), has been found to be delivered following the exploitation of this vulnerability. The use of the rootkit was observed between March and April 2022 on a government device and a technology partner, and again in May 2022 on a machine in a military hospital based in Asia. This vulnerability was also exploited by at least two advanced persistent threat (APT) groups in a highly targeted attack campaign. The attackers used the vulnerability to place malicious files into a fixed filesystem location on affected devices, leveraging a combination of authentication bypass and command injection to execute arbitrary commands as root. The attack involved deploying various malware families, including GoMet and Gh0st RAT, to maintain persistent access and exfiltrate sensitive data. The attackers demonstrated significant knowledge of the device firmware, using custom ELF binaries and runtime packers like VMProtect to complicate analysis. They manipulated internal commands to move and manipulate files, execute processes, and exfiltrate data. The campaign targeted network security devices, employing a two-stage attack to drop remote access tools and execute commands remotely.

This authentication bypass vulnerability is exploited by remote attackers via the User Portal and Webadmin components. This vulnerability allows an attacker to execute arbitrary code on the victim machine. It was actively exploited by Chinese state-sponsored APT groups, including "Drifting Cloud," to target organizations and governments across South Asia, particularly in Afghanistan, Bhutan, India, Nepal, Pakistan, and Sri Lanka. The attackers leveraged this vulnerability to deploy webshells, conduct man-in-the-middle attacks by modifying DNS responses, and intercept user credentials and session cookies from content management systems. This vulnerability was exploited by Chinese state-sponsored threat actors as part of a broader campaign named "Pacific Rim." This campaign involved multiple Chinese APT groups, including APT31, APT41, and Volt Typhoon, targeting Sophos firewalls. The backdoor PygmyGoat, a novel rootkit that takes the form of a shared object ("libsophos.so"), has been found to be delivered following the exploitation of this vulnerability. The use of the rootkit was observed between March and April 2022 on a government device and a technology partner, and again in May 2022 on a machine in a military hospital based in Asia. This vulnerability was also exploited by at least two advanced persistent threat (APT) groups in a highly targeted attack campaign. The attackers used the vulnerability to place malicious files into a fixed filesystem location on affected devices, leveraging a combination of authentication bypass and command injection to execute arbitrary commands as root. The attack involved deploying various malware families, including GoMet and Gh0st RAT, to maintain persistent access and exfiltrate sensitive data. The attackers demonstrated significant knowledge of the device firmware, using custom ELF binaries and runtime packers like VMProtect to complicate analysis. They manipulated internal commands to move and manipulate files, execute processes, and exfiltrate data. The campaign targeted network security devices, employing a two-stage attack to drop remote access tools and execute commands remotely.

CVE-2021-44515 is an authentication bypass vulnerability. Post-exploit, APT actors were observed dropping a webshell, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials.

CVE-2021-44515 is an authentication bypass vulnerability. Post-exploit, APT actors were observed dropping a webshell, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials.

CVE-2021-44515 is an authentication bypass vulnerability. Post-exploit, APT actors were observed dropping a webshell, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials.

CVE-2021-44515 is an authentication bypass vulnerability. Post-exploit, APT actors were observed dropping a webshell, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials.

CVE-2021-44515 is an authentication bypass vulnerability. Post-exploit, APT actors were observed dropping a webshell, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials.

This is an authentication bypass vulnerability that can enable remote code execution. Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.

This is an authentication bypass vulnerability that can enable remote code execution. Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.

This is an authentication bypass vulnerability that can enable remote code execution. Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.

This is an authentication bypass vulnerability that can enable remote code execution. Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.

This is an authentication bypass vulnerability that can enable remote code execution. Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.

This is an authentication bypass vulnerability that can enable remote code execution. Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.

This is an authentication bypass vulnerability that can enable remote code execution. Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.

This is an authentication bypass vulnerability that can enable remote code execution. Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.

This is an authentication bypass vulnerability that can enable remote code execution. Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.

This is an authentication bypass vulnerability that can enable remote code execution. Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.

This is an authentication bypass vulnerability that can enable remote code execution. Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.

This is an authentication bypass vulnerability that can enable remote code execution. Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.

CVE-2021-40539 is an authentication bypass vulnerability affecting representational state transfer (REST) application programming interface (API) URLs that could enable remote code execution. Successful exploitation of the vulnerability allows an attacker to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.

This is an authentication bypass vulnerability that can enable remote code execution. Numerous post-exploitation impacts by threat actors are detailed in the referenced CISA report.

This authentication bypass vulnerability is exploited by both unauthenticated and authenticated adversaries via the snapshot feature in Grafana. Attackers have leveraged this vulnerability to access and manipulate snapshot data, potentially leading to unauthorized data exposure and loss. Exploitation techniques have not been publicly published. In exploitation scenarios, adversaries can view snapshots with the lowest database key by accessing specific paths, such as /dashboard/snapshot/:key or /api/snapshots/:key. If the "public_mode" configuration is set to true, unauthenticated users can also delete these snapshots using the path /api/snapshots-delete/:deleteKey. This capability allows attackers to enumerate and delete snapshot data, resulting in complete data loss.

This authentication bypass vulnerability is exploited by both unauthenticated and authenticated adversaries via the snapshot feature in Grafana. Attackers have leveraged this vulnerability to access and manipulate snapshot data, potentially leading to unauthorized data exposure and loss. Exploitation techniques have not been publicly published. In exploitation scenarios, adversaries can view snapshots with the lowest database key by accessing specific paths, such as /dashboard/snapshot/:key or /api/snapshots/:key. If the "public_mode" configuration is set to true, unauthenticated users can also delete these snapshots using the path /api/snapshots-delete/:deleteKey. This capability allows attackers to enumerate and delete snapshot data, resulting in complete data loss.

This vulnerability allows a few REST-API URLs without authentication.

CVE-2020-8193 is an Authorization Bypass vulnerability in Citrix ADC, Gateway, and SD-WAN WANOP Appliance in various versions allows attacker to bypass authentication mechanisms via crafted requests.

CVE-2020-8193 is an Authorization Bypass vulnerability in Citrix ADC, Gateway, and SD-WAN WANOP Appliance in various versions allows attacker to bypass authentication mechanisms via crafted requests.

CVE-2020-12812 is an improper authentication vulnerability in Fortinet's FortiOS, specifically affecting the SSL VPN feature. This vulnerability allows attackers to bypass two-factor authentication under certain conditions, potentially leading to unauthorized access to sensitive systems.

CVE-2020-12812 is an improper authentication vulnerability in Fortinet's FortiOS, specifically affecting the SSL VPN feature. This vulnerability allows attackers to bypass two-factor authentication under certain conditions, potentially leading to unauthorized access to sensitive systems.

This vulnerability is exploited by logging in with an empty password on a misconfigured system.

This vulnerability is exploited because of password misconfiguration.

This exploit is part of a chain of exploits (with CVE-2025-0108 and CVE-2024-9474) that can end with an attacker gaining root access to the system. This vulnerability allows the attacker to bypass authentication using the PAN-OS web management interface, as well as invoke PHP scripts. The attacker can also use their newfound privileged access to reconfigure the firewall, allowing for backdoors to be created.

This exploit is part of a chain of exploits (with CVE-2025-0108 and CVE-2024-9474) that can end with an attacker gaining root access to the system. This vulnerability allows the attacker to bypass authentication using the PAN-OS web management interface, as well as invoke PHP scripts. The attacker can also use their newfound privileged access to reconfigure the firewall, allowing for backdoors to be created.

This exploit is part of a chain of exploits (with CVE-2025-0108 and CVE-2024-9474) that can end with an attacker gaining root access to the system. This vulnerability allows the attacker to bypass authentication using the PAN-OS web management interface, as well as invoke PHP scripts. The attacker can also use their newfound privileged access to reconfigure the firewall, allowing for backdoors to be created.

An attacker can add a local_access_token parameter to a request targeting a specific endpoint on vulnerable Fortinet devices, leading to an authentication bypass. From there, they can obtain super_admin privileges.

An attacker can add a local_access_token parameter to a request targeting a specific endpoint on vulnerable Fortinet devices, leading to an authentication bypass. From there, they can obtain super_admin privileges.

An attacker can add a local_access_token parameter to a request targeting a specific endpoint on vulnerable Fortinet devices, leading to an authentication bypass. From there, they can obtain super_admin privileges.

An attacker can add a local_access_token parameter to a request targeting a specific endpoint on vulnerable Fortinet devices, leading to an authentication bypass. From there, they can obtain super_admin privileges.

By sending a malicious request to the Redfish Host Interface, an attacker can manipulate the HTTP header, tricking the Baseboard Management Controller (BMC) into thinking that the request originates from a trusted source, leading to authentication bypass. This can lead to complete system control, deployment of malware at the firmware level, and network disruptions.

By sending a malicious request to the Redfish Host Interface, an attacker can manipulate the HTTP header, tricking the Baseboard Management Controller (BMC) into thinking that the request originates from a trusted source, leading to authentication bypass. This can lead to complete system control, deployment of malware at the firmware level, and network disruptions.

By sending a malicious request to the Redfish Host Interface, an attacker can manipulate the HTTP header, tricking the Baseboard Management Controller (BMC) into thinking that the request originates from a trusted source, leading to authentication bypass. This can lead to complete system control, deployment of malware at the firmware level, and network disruptions.

By sending a malicious request to the Redfish Host Interface, an attacker can manipulate the HTTP header, tricking the Baseboard Management Controller (BMC) into thinking that the request originates from a trusted source, leading to authentication bypass. This can lead to complete system control, deployment of malware at the firmware level, and network disruptions.

By sending a malicious request to the Redfish Host Interface, an attacker can manipulate the HTTP header, tricking the Baseboard Management Controller (BMC) into thinking that the request originates from a trusted source, leading to authentication bypass. This can lead to complete system control, deployment of malware at the firmware level, and network disruptions.

Due to a regex flaw, an attacker can use non-canonical URLs to bypass authentication. When chained with CVE-2022-43769, can lead to unauthorized code execution.

Due to a regex flaw, an attacker can use non-canonical URLs to bypass authentication. When chained with CVE-2022-43769, can lead to unauthorized code execution.

Due to the router's administrative web-app having improper validation of session cookies, an unauthorized user can gain administrative access to the device management interface.

Due to the router's administrative web-app having improper validation of session cookies, an unauthorized user can gain administrative access to the device management interface.

Due to the router's administrative web-app having improper validation of session cookies, an unauthorized user can gain administrative access to the device management interface.

Improper validation of AS2 messages in CrushFTP without DMZ proxy enabled were reported to be exploited to bypass authentication and gain administrative access over HTTPS, leading to system compromise, data exfiltration, and lateral movement.

Improper validation of AS2 messages in CrushFTP without DMZ proxy enabled were reported to be exploited to bypass authentication and gain administrative access over HTTPS, leading to system compromise, data exfiltration, and lateral movement.

Improper validation of AS2 messages in CrushFTP without DMZ proxy enabled were reported to be exploited to bypass authentication and gain administrative access over HTTPS, leading to system compromise, data exfiltration, and lateral movement.

By sending a specially crafted HTTP GET request to the Ivanti EPMM endpoint, an attacker can bypass the authentication mechanisms. This can be chained with CVE-2025-4428 to achieve remote code execution.

By sending a specially crafted HTTP GET request to the Ivanti EPMM endpoint, an attacker can bypass the authentication mechanisms. This can be chained with CVE-2025-4428 to achieve remote code execution.

By sending a specially crafted HTTP GET request to the Ivanti EPMM endpoint, an attacker can bypass the authentication mechanisms. This can be chained with CVE-2025-4428 to achieve remote code execution.

By sending a specially crafted HTTP GET request to the Ivanti EPMM endpoint, an attacker can bypass the authentication mechanisms. This can be chained with CVE-2025-4428 to achieve remote code execution.

This vulnerability in CrushFTP has been exploited to give attackers control how the software handles authentication, allowing access to the administrative account. From there, attackers have the ability to read and upload files, execute arbitrary code, create backdoors in the form of new administrative accounts, and conduct a full system takeover.

This vulnerability in CrushFTP has been exploited to give attackers control how the software handles authentication, allowing access to the administrative account. From there, attackers have the ability to read and upload files, execute arbitrary code, create backdoors in the form of new administrative accounts, and conduct a full system takeover.

This vulnerability in CrushFTP has been exploited to give attackers control how the software handles authentication, allowing access to the administrative account. From there, attackers have the ability to read and upload files, execute arbitrary code, create backdoors in the form of new administrative accounts, and conduct a full system takeover.