The recent #ConnectWise #ScreenConnect authentication bypass vulnerability is extremely trivial to reverse and exploit. Blog and exploit POC will drop soon.

The recent #Progress #OpenEdge auth bypass, CVE-2024-1403, allows an unauth user to obtain admin perms to control svcs. While a path to RCE was not discovered in the limited time we dedicated, it is likely possible. The gist, if username == “NT AUTHORITY/SYSTEM”: you may pass.

Today we are disclosing a critical SSRF vulnerability, CVE-2023-49785, in a popular Gen AI chatbot, NextChat a.k.a ChatGPT-Next-Web. This disclosure comes 107 days after initial report. There is no patch at this time. horizon3.ai/attack-researc…

The recent #Fortinet #FortiClient Endpoint Management Server (EMS) SQL injection vulnerability, CVE-2023-48788, allows an unauth attacker to obtain RCE as SYSTEM on the server. IOCs, POC, and deep-dive blog to be released next week. In the meantime, check DAS service logs for

Today we are disclosing several vulnerabilities effecting the #Fortinet #FortiWLM (Wireless LAN Manager). The vulnerabilities span from command injection, SQL injection, to file reads. While most were patched late last year, 2 remain unpatched after 307 days from our initial

Our deep-dive for the recent #Fortinet #FortiClient EMS SQL injection vulnerability, CVE-2023-48788, that leads to RCE as SYSTEM. horizon3.ai/attack-researc…

Our deep-dive, IOCs, and exploit for CVE-2023-34992, an unauth command injection as root, effecting #Fortinet #FortiSIEM appliances. horizon3.ai/attack-researc…

Back again - more cmd injections for the #Fortinet #FortiSIEM! Today we’re disclosing the details surrounding CVE-2024-23108 and CVE-2024-23109. These result from the use of Python’s os.system() in scripts which an unauth attacker controls arguments. horizon3.ai/attack-researc…

Our latest post by one of our recent team additions, Luke Harding, revisits CVE-2023-48788 - a SQL injection for #Fortinet #FortiClient EMS. He details exploitation obstacles and payload crafting between the two mainline versions of the software. horizon3.ai/attack-researc…

Our deep-dive for the recent #Ivanti Endpoint Manager (EPM) unauth SQL injection to RCE vulnerability: CVE-2024-29824. horizon3.ai/attack-researc…

In light of a recent potential breach affecting #HuggingFace, here are a few vulnerabilities we disclosed that affected #Gradio and our recent work with Hugging Face to secure their Spaces environment: 🔺 CVE-2023-51449 🔺 CVE-2023-1561 horizon3.ai/attack-researc…

CVE-2024-29847, affecting #Ivanti EPM, allows remote unauthenticated attackers to execute arbitrary commands as SYSTEM. Check out our latest deep-dive: horizon3.ai/attack-researc… Credit to SinSinology for the initial discovery.

In our latest post, we investigate the recent #CISA #KEV for CVE-2024-8190: a command injection vulnerability affecting #Ivanti Cloud Service Appliance. horizon3.ai/attack-researc…