New exploits for JoomShaper SP Page Builder, Splunk, Cisco UCM, JCE, and many more

Happy Thursday! Release notes come a day early this week in observance of the US July 4 holiday. Below are the team's deliverables for the past week.

CVE-2026-48908: JoomShaper SP Page Builder Unauthenticated Custom Icon Upload Remote Code Execution

The team developed an exploit for CVE-2026-48908, a critical unauthenticated remote code execution vulnerability in SP Page Builder, a widely deployed drag-and-drop page-builder extension for Joomla by JoomShaper. It impacts a wide range of SP Page Builder versions, from 1.0.0 through 6.6.1 inclusive. The vulnerability is actively being exploited in the wild, with reports of compromised Joomla installations on JoomShaper's support forum, per Censys. Our Shodan query identifies over 3,800 internet-exposed Joomla sites running SP Page Builder.

Our coverage includes the exploit and a version scanner, a Docker target, PCAPs, network signatures, and a YARA rule.

CVE-2026-48907: JCE for Joomla Unauthenticated Profiles Import Remote Code Execution

The team developed an exploit for CVE-2026-48907, a critical pre-authentication remote code execution vulnerability in JCE (Joomla Content Editor) versions 1.0.0 through 2.9.99.4. Disclosed on June 10, 2026, this vulnerability allows unauthenticated attackers to bypass access controls on the profiles.import endpoint and execute arbitrary PHP code by uploading a malicious profile file to Joomla's publicly accessible tmp/ directory. The vulnerability was quickly added to VulnCheck's KEV on June 12, 2026, and soon after was picked up by CISA's KEV on June 16, 2026, with a CVSS score of 10.0. Our Censys query identifies over 8,000 exposed Joomla instances running vulnerable JCE versions.

The exploit includes a version scanner, PCAPs, Suricata and Snort detection rules, and a Docker target for validation and testing.

CVE-2026-48558: SimpleHelp OIDC Authentication Bypass

The team developed an exploit for CVE-2026-48558, a critical authentication bypass in SimpleHelp, a remote-support and remote-access platform used by managed service providers and IT teams to reach downstream customer endpoints. That MSP position makes it a high-value foothold: a single compromised SimpleHelp server can fan out to every machine it administers. Additionally, our Censys query identifies 36,812 Internet-exposed SimpleHelp hosts, any of which is a potential target if OIDC is enabled. Blackpoint has observed attackers leveraging CVE-2026-48558 to deliver a TaskWeaver loader and the Djinn stealer. This evidence led to the addition of this CVE to the VulnCheck and CISA KEV lists on June 29, 2026.

Our coverage includes the exploit and version scanner, a Docker target, encrypted and unencrypted PCAPs, Suricata and Snort rules, a YARA rule, a Sigma rule, and ASM queries.

CVE-2026-20230: Cisco Unified Communications Manager WebDialer SSRF

This week, the team added coverage for CVE-2026-20230, an unauthenticated SSRF vulnerability in Cisco Unified Communications Manager versions earlier than 15SU5 and earlier than 14SU6. The vulnerability was first disclosed on June 3, 2026, and exploit attempts followed soon afterward, per Defused Cyber. CVE-2026-20230 was subsequently added to both the VulnCheck KEV and CISA KEV lists. Our FOFA query currently shows just over 700 results on the public Internet.

Our coverage comes with an exploit, network signatures, a YARA rule, PCAPs, and ASM queries.

CVE-2026-20253: Splunk PostgreSQL Sidecar Service Pre-Auth Remote Code Execution

The team developed an exploit for CVE-2026-20253, a critical pre-authentication remote code execution vulnerability in Splunk Enterprise's PostgreSQL Sidecar Service. Recently disclosed by watchTowr Labs, the vulnerability allows unauthenticated attackers to exploit unsafe file operations in the /backup and /restore endpoints to achieve arbitrary file write and code execution. The vulnerability was added to VulnCheck's KEV on June 15 and to the CISA KEV three days later. Our Censys query identifies over 23,000 exposed Splunk Enterprise instances online.

The exploit includes a companion PostgreSQL control server that dynamically instruments the attack, along with PCAPs, Suricata and Snort detection rules, and a Docker target for validation and testing.

CVE-2024-20017: Netgear WAX206 MediaTek wappd IAPP Stack-Based Buffer Overflow

The team developed an exploit for CVE-2024-20017, an unauthenticated stack-based buffer overflow in the wappd/wapp daemon of the MediaTek MT-series chipset Wi-Fi SDK. The exploit specifically targets the Netgear WAX206, though it's worth noting that CVE-2024-20017 is exploitable across a wide array of network devices and vendors. We have yet to see any evidence of in-the-wild exploitation, though that may change given the sustained threat actor interest in router exploitation over time. Our FOFA query currently shows just over 100 devices online.

The exploit ships with a version scanner, PCAPs, Suricata and Snort detection rules, and ASM queries.

CVE-2025-11539: Grafana Image Renderer Arbitrary File Write to RCE

The team developed an exploit for CVE-2025-11539, an arbitrary file write that can be escalated to remote code execution in the Grafana Image Renderer, the headless Chromium plugin Grafana uses to render and export dashboards as images and CSV. No evidence of in-the-wild exploitation has been observed at this time. Our Censys query identifies over 350 instances online.

Our exploit ships with PCAPs, a Docker target, ASM queries, and Suricata and Snort rules.

CVE-2025-49828: CyberArk Conjur Policy Factory ERB SSTI RCE

The team developed an exploit for CVE-2025-49828, an authenticated SSTI vulnerability enabling remote code execution in CyberArk Conjur, an open-source secrets manager. Since Conjur brokers credentials across an environment, exploitation of CVE-2025-49828 has the potential to expose the secrets it protects. The team has not yet observed any evidence of exploitation in the wild, but that may change given the high impact and potential for lateral movement across Conjur environments.

Our exploit comes with a Docker target, PCAPs, ASM queries, and network signatures.

CVE-2026-0773: Upsonic Unauthenticated Cloudpickle Deserialization RCE

The team developed an exploit for CVE-2026-0773, an unauthenticated deserialization vulnerability affecting multiple versions of Upsonic, an open-source framework for building agentic AI applications. This joins another critical vulnerability in Upsonic, CVE-2026-30625. While neither vulnerability has been observed as exploited in the wild, that is likely to change given attackers' interest in AI agent orchestration environments (Langflow exploitation observed last week).

Our exploit comes with a Docker target, PCAPs, and network signatures.

CVE-2024-22263: Spring Cloud Data Flow Skipper Arbitrary File Write to RCE

The team developed an exploit for CVE-2024-22263, an arbitrary file write permitting RCE in the Skipper server bundled with Spring Cloud Data Flow, VMware Tanzu's microservices orchestrator for streaming and batch data pipelines. Spring Cloud Data Flow is commonly integrated with Kubernetes and Cloud Foundry environments for batch data processing. The team has not yet observed any evidence of CVE-2024-22263 being exploited in the wild.

Our exploit ships with a version scanner, PCAPs, and a Docker target, and joins the network signatures added in a previous release.

CVE-2026-47729: Squid Proxy FTP Gateway Heap Over-Read Information Disclosure

The team developed an exploit for CVE-2026-47729, an out-of-bounds read in Squid's FTP gateway. Dubbed SquidBleed, the vulnerability triggers when a proxied FTP server's banner contains the string "NetWare" and Squid takes a whitespace-skipping path that, on a directory-listing entry with no filename, reads past the end of the line and copies adjacent heap memory into the response. Our target intel query identifies just under 1,000 instances of Squid online.
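To make the bug class concrete, here is an illustrative model (added here, not Squid's source) of a listing-entry parser whose whitespace-skipping loop is bounded by the whole buffer rather than by the current line, beside a form bounded by the line terminator. The "adjacent heap memory" is simulated as constructed bytes placed after the entry in the same buffer, so the example runs without undefined behaviour.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Unsafe pattern: skip leading whitespace until any non-space byte in the
 * buffer. On an entry with no filename the loop runs through CR/LF (both
 * count as whitespace) and lands on whatever follows the line. */
const char *unsafe_filename(const char *buf, size_t buf_len)
{
    size_t i = 0;
    while (i < buf_len && isspace((unsigned char)buf[i]))
        i++;
    return i < buf_len ? buf + i : NULL;
}

/* Hardened form: first locate the end of the current line, then skip
 * whitespace only up to that point. An entry with no filename is reported
 * as NULL instead of yielding a pointer into adjacent data. */
const char *safe_filename(const char *buf, size_t buf_len)
{
    size_t line_end = 0;
    while (line_end < buf_len && buf[line_end] != '\r' && buf[line_end] != '\n')
        line_end++;
    size_t i = 0;
    while (i < line_end && isspace((unsigned char)buf[i]))
        i++;
    return i < line_end ? buf + i : NULL;
}

int main(void)
{
    /* Constructed sample: an all-whitespace entry followed by bytes that
     * stand in for adjacent heap memory. */
    static const char listing[] = "    \r\nADJACENT-HEAP-DATA";
    const char *u = unsafe_filename(listing, sizeof(listing) - 1);
    const char *s = safe_filename(listing, sizeof(listing) - 1);
    printf("unsafe returned: %s\n", u ? u : "(null)");
    printf("safe returned:   %s\n", s ? s : "(null)");
    return 0;
}
```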

Our exploit ships with an unencrypted PCAP, a Docker target, ASM queries, and Suricata and Snort rules.