The team developed PCAPs, ASM queries, and signatures for CVE-2026-41940, a zero-day auth bypass vulnerability in cPanel that results in RCE as root. The vulnerability has already been added to CISA and VulnCheck KEV, and has seen active exploitation in the wild since its disclosure on April 28, 2026.
This week, the team developed the first-known exploit for CVE-2026-2033, which leads to arbitrary file read/write or RCE on most default configurations of MLflow. No threat actors have been seen exploiting this vulnerability yet, but we expect to see exploitation in the coming weeks due to the popularity of MLflow and targeting of similar AI/ML projects. Our exploit comes with a PCAP, Suricata and Snort rules, a vulnerable Docker container, and ASM queries that report around 4,000 internet-exposed hosts.
The team developed an exploit for CVE-2025-69985, a critical code execution vulnerability in frangoteam FUXA. CVE-2025-69985 is a patch bypass of CVE-2023-33831, an exploited vulnerability the team covered previously that has also been detected in the wild by VulnCheck Canaries. Our Censys query finds around 200 internet-exposed instances of the platform, though it is likely more common on internal networks. Our exploit comes with target Docker containers, PCAPs, network signatures, and ASM queries.
The team developed an exploit for a critical command injection vulnerability in LILIN DVR devices. VulnCheck's Canary network first detected exploitation of the vulnerability in October 2025; it has also been exploited in the wild by the RondoDox and Rebirth botnets. FOFA reports over 40K devices exposed to the internet. Our exploit comes with PCAPs, network rules, and ASM queries.
By customer request, the team developed an exploit for CVE-2024-38812, a critical pre-authenticated remote code execution vulnerability in VMware vCenter Server's vmdird DCERPC service. The vulnerability is on both VulnCheck KEV and CISA KEV; in December 2025, CrowdStrike attributed exploitation of the vulnerability to WARP PANDA in an analysis of China-nexus intrusions that included BRICKSTORM malware deployment. Our exploit comes with PCAPs, Suricata and Snort rules, and ASM queries.
Finally, by customer request, the team added an exploit for CVE-2022-42475, an unauthenticated heap-based buffer overflow in Fortinet FortiOS SSL-VPN. First disclosed as a zero-day in 2022, this vulnerability has been repeatedly exploited in the wild and appeared on F5's top 10 exploited CVE list in January of this year. Exploitation has been attributed to many different threat actors, including MuddyWater (Iran), Volt Typhoon (China), and the LockBit ransomware group. Our Shodan query finds ~260K FortiGate instances on the public internet as of this writing.
The team added an exploit, more ASM queries, and a new PCAP to pre-existing artifacts, which include Snort and Suricata rules from a previous release.