Rishi
@rxerium@infosec.exchange
Senior Security Researcher // rxerium.com
Joined October 29, 2024
Posts
RE: https://infosec.exchange/@BSidesLuxembourg/116420285582471119
looking forward to presenting, see you in a few weeks 👋🇱🇺
🚨 Fortinet just disclosed CVE-2026-39808 and CVE-2026-39813, 2 critical vulnerabilities affecting FortiSandbox. No active exploitation in the wild reported as of yet.
Scan your infrastructure to find vulnerable instances:
CVE-2026-39808: https://github.com/rxerium/rxerium-templates/blob/main/2026/CVE-2026-39808.yaml
CVE-2026-39813: https://github.com/rxerium/rxerium-templates/blob/main/2026/CVE-2026-39813.yaml
CVE-2026-39808 (CVSS 9.1):
An Improper Neutralization of Special Elements used in an OS Command ('OS command injection') vulnerability [CWE-78] in FortiSandbox may allow an unauthenticated attacker to execute unauthorized code or commands via crafted HTTP requests.
CVE-2026-39813 (CVSS 9.1):
A Path Traversal vulnerability [CWE-24] in FortiSandbox JRPC API may allow an unauthenticated attacker to bypass authentication via specially crafted HTTP requests.
Patches are available as per vendor advisories:
https://fortiguard.fortinet.com/psirt/FG-IR-26-112
https://fortiguard.fortinet.com/psirt/FG-IR-26-100
🚨 Pre-auth RCE vuln tagged as CVE-2026-39987 (CVSS 9.3) seeing active exploitation in the wild as reported by VulnCheck and BleepingComputer.
Passively scan infrastructure to find potentially vulnerable instances:
https://github.com/rxerium/rxerium-templates/blob/main/2026/CVE-2026-39987.yaml
An unauthenticated attacker can obtain a full interactive root shell on the server via a single WebSocket connection. No user interaction or authentication token is required, even when authentication is enabled on the marimo instance.
https://github.com/marimo-team/marimo/security/advisories/GHSA-2679-6mx9-h9xc
🚨 FortiClient EMS zero-day disclosed minutes ago, actively being exploited in the wild as reported by @DefusedCyber & @fortinet.
I've created a vulnerability detection script to check for vulnerable instances:
https://github.com/rxerium/rxerium-templates/blob/main/2026/CVE-2026-35616.yaml
Fortinet recommends that you install hotfixes for EMS 7.4.5 / 7.4.6 as per their advisory:
https://www.fortiguard.com/psirt/FG-IR-26-099
In reply to
Note: these queries only surface public repos that explicitly committed the affected versions. The impact is far wider.
🚨 Axios was hit by a supply chain attack in the early hours of this morning.
I'm currently hunting affected repos on GitHub, here is what I have so far:
Vulnerable versions (via package.json):
https://github.com/search?q=%2F%5C%22axios%5C%22%3A%5Cs*%5C%22%281%5C.14%5C.1%7C0%5C.30%5C.4%29%5C%22%2F+path%3Apackage.json&type=code
Presence of plain-crypto-js:
https://github.com/search?q=plain-crypto-js+path%3Apackage-lock.json&type=code
Full technical analysis from StepSecurity:
https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
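The two GitHub code searches above only see what was committed. Here is an added example (my code, not the author's and not the axios project's) that runs the same hunt against a local checkout: it applies the post's `"axios": "1.14.1|0.30.4"` pattern to package.json, and additionally reads package-lock.json and node_modules/axios/package.json, which catches projects that declared a range such as `^1.14.0` and only resolved to a compromised version at install time (the gap the author points out in the reply further up). The indicator versions and the plain-crypto-js package name come from the post; the sample manifests and lockfiles embedded below are constructed for the demo and are not real projects.

```python
"""Local hunt for the compromised axios releases named in the post above.

Added example, not the author's code. Indicators (axios 1.14.1 / 0.30.4 and
the plain-crypto-js package) are from the post; samples below are constructed.
"""
import json
import os
import re
import tempfile

BAD_AXIOS_VERSIONS = {"1.14.1", "0.30.4"}
SUSPECT_PACKAGE = "plain-crypto-js"
# Same pattern as the GitHub code-search query in the post: exact pins only.
PINNED_RE = re.compile(r'"axios"\s*:\s*"(1\.14\.1|0\.30\.4)"')


def check_manifest(text):
    """package.json: exact pin to a bad axios, an installed bad axios, or plain-crypto-js declared."""
    findings = set()
    m = PINNED_RE.search(text)
    if m:
        findings.add(("axios-pinned", m.group(1)))
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return sorted(findings)
    # node_modules/axios/package.json identifies itself by name/version.
    if data.get("name") == "axios" and data.get("version") in BAD_AXIOS_VERSIONS:
        findings.add(("axios-installed", data["version"]))
    for block in ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies"):
        deps = data.get(block) or {}
        if SUSPECT_PACKAGE in deps:
            findings.add(("plain-crypto-js-declared", str(deps[SUSPECT_PACKAGE])))
    return sorted(findings)


def _record(findings, name, meta):
    version = str(meta.get("version", "?"))
    if name == "axios" and version in BAD_AXIOS_VERSIONS:
        findings.add(("axios-resolved", version))
    if name == SUSPECT_PACKAGE:
        findings.add(("plain-crypto-js-resolved", version))


def check_lockfile(text):
    """package-lock.json: what a range actually resolved to (v1 'dependencies' or v2/v3 'packages')."""
    findings = set()
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return sorted(findings)
    for path, meta in (data.get("packages") or {}).items():
        if path:  # "" is the root project entry, not a package
            _record(findings, path.rsplit("node_modules/", 1)[-1], meta)

    def walk(deps):
        for name, meta in deps.items():
            _record(findings, name, meta)
            walk(meta.get("dependencies") or {})

    walk(data.get("dependencies") or {})
    return sorted(findings)


def scan_tree(root):
    """Walk a checkout (node_modules included) and return {path: findings} for every hit."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for fn in filenames:
            checker = {"package.json": check_manifest, "package-lock.json": check_lockfile}.get(fn)
            if checker is None:
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = checker(fh.read())
            if hits:
                report[path] = hits
    return report


# Constructed samples (not real projects or lockfiles).
SAMPLE_PACKAGE_JSON = '{"name": "demo-app", "dependencies": {"axios": "1.14.1", "express": "^4.19.2"}, "devDependencies": {"plain-crypto-js": "0.0.1"}}'
SAMPLE_LOCK_V3 = ('{"name": "demo-app", "lockfileVersion": 3, "packages": {'
                  '"": {"dependencies": {"axios": "^0.30.0"}}, '
                  '"node_modules/axios": {"version": "0.30.4"}, '
                  '"node_modules/axios/node_modules/plain-crypto-js": {"version": "0.0.1"}, '
                  '"node_modules/express": {"version": "4.19.2"}}}')
SAMPLE_LOCK_V1 = ('{"lockfileVersion": 1, "dependencies": {"some-lib": {"version": "2.0.0", '
                  '"dependencies": {"axios": {"version": "1.14.1"}}}}}')
SAMPLE_INSTALLED_AXIOS = '{"name": "axios", "version": "1.14.1"}'


def demo():
    """Write the samples into a temporary tree, scan it, and return findings keyed by relative path."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "app")
        os.makedirs(os.path.join(app, "node_modules", "axios"))
        files = {
            os.path.join(app, "package.json"): SAMPLE_PACKAGE_JSON,
            os.path.join(app, "package-lock.json"): SAMPLE_LOCK_V3,
            os.path.join(app, "node_modules", "axios", "package.json"): SAMPLE_INSTALLED_AXIOS,
        }
        for path, text in files.items():
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        report = scan_tree(root)
        return {os.path.relpath(p, root).replace(os.sep, "/"): hits for p, hits in report.items()}


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

Run it as `python hunt_axios.py` for the embedded demo, or call `scan_tree("/path/to/checkout")` on a real tree. The lockfile and node_modules checks are the ones that matter: a manifest that says `"axios": "^0.30.0"` never matches the code-search regex, yet the lockfile shows it resolved to 0.30.4.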
Open post
🚨 CVE-2026-21643, an SQL injection vulnerability (CVSS 9.8), is seeing active exploitation in the wild as reported by @DefusedCyber
Vulnerability detection script available here:
https://github.com/rxerium/rxerium-templates/blob/main/2026/CVE-2026-21643.yaml
This vulnerability currently only affects FortiClient EMS 7.4.4, and it is recommended that you upgrade to 7.4.5 or later as reported by Fortinet:
https://fortiguard.fortinet.com/psirt/FG-IR-25-1142
🚨 CVE-2026-3055 (CVSS 9.3), an unauthenticated memory over-read vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway appliances, could see active exploitation in the wild.
Vulnerability detection script available here:
https://github.com/rxerium/rxerium-templates/blob/main/2026/CVE-2026-3055.yaml
Patches are available as per Citrix's advisory:
https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX696300
🚨 Mandiant have identified zero-day exploitation of a high-risk vulnerability in Dell RecoverPoint for Virtual Machines, tracked as CVE-2026-22769.
RecoverPoint can be detected using this Nuclei template:
https://github.com/projectdiscovery/nuclei-templates/pull/15377/changes
Very limited exposure to the internet.
Dell recommends upgrading to version 6.0.3.1 HF1 or later. Mitigations are also available.
Mandiant report:
https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day
Yet another critical vulnerability in n8n - CVE-2026-25049 (CVSS 9.4).
Vulnerability detection script here:
https://github.com/rxerium/rxerium-templates/blob/main/2026/CVE-2026-25049.yaml
Patched versions are 1.123.17 / 2.5.2 as per:
https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8
🚨 2 new vulnerability scripts created for the n8n vulnerabilities disclosed today:
CVE-2026-1470:
https://github.com/rxerium/rxerium-templates/blob/main/2026/CVE-2026-1470.yaml
CVE-2026-0863:
https://github.com/rxerium/rxerium-templates/blob/main/2026/CVE-2026-0863.yaml
Happy hunting.
🚨 2 critical authentication bypass and remote command execution vulnerabilities in SolarWinds WHD have been disclosed.
Vulnerability detection scripts can be found below:
CVE-2025-40552:
https://github.com/rxerium/rxerium-templates/blob/main/2025/CVE-2025-40552.yaml
CVE-2025-40554:
https://github.com/rxerium/rxerium-templates/blob/main/2025/CVE-2025-40554.yaml
At the time of writing there are no signs of active exploitation in the wild, but it is strongly recommended that you patch as per SolarWinds' security advisory:
https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm
🔎 With all the recent buzz around Clawdbot, I've created a Nuclei template to fingerprint and detect this product:
https://github.com/projectdiscovery/nuclei-templates/pull/15055
Currently, there are 240 exposed instances (via Shodan) accessible on the internet at the time of posting, but I expect that number to grow:
https://www.shodan.io/search?query=clawdbot-gw