// cves

vulnerabilities discovered and responsibly disclosed

CVE-2026-3038

7.8 high

FreeBSD

Local DoS and Possible Privilege Escalation via Routing Sockets

vulnerability type Stack-based Buffer Overflow
cvss vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cwe CWE-787: Out-of-bounds Write
published February 24, 2026
affected versions FreeBSD 13.5, 14.3, 14.4, 15.0
researchers Adam Crosser (Praetorian)

description

FreeBSD's routing socket interface (route(4)) contains a stack-based buffer overflow vulnerability in the rtsock_msg_buffer() function. The function copies sockaddr structures into a sockaddr_storage structure on the stack without properly validating the source sockaddr length field. A malicious program can craft requests that trigger a 127-byte stack buffer overflow, corrupting the stack canary and causing a kernel panic. All supported FreeBSD versions are affected, including FreeBSD 13.5, 14.3, 14.4, and 15.0. No workaround is available; a system upgrade is required.

impact

An unprivileged local user can crash the kernel through a stack buffer overflow in the routing socket handler, causing a kernel panic. The overflow corrupts a stack canary value, triggering a panic upon function return. Other kernel bugs may exist which allow defeating this mitigation, at which point local privilege escalation may be possible.

CVE-2024-25085

7.8 high

3CX Phone System

Local Privilege Escalation via PostgreSQL DLL Loading

vulnerability type Local Privilege Escalation
cvss vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cwe CWE-276: Incorrect Default Permissions
published August 28, 2024
affected versions Version 18 (Windows)
researchers Adam Crosser (Praetorian)

description

3CX Phone System for Windows contains improper file permissions on the configuration file within the ProgramData directory. Any unprivileged operating system user can read the config.json file, which contains PostgreSQL database credentials. An attacker can use these credentials to connect to the PostgreSQL instance running as NT AUTHORITY\SYSTEM and load a malicious DLL through PostgreSQL extension functionality, achieving local privilege escalation. The vulnerability affects version 18 and was fixed in version 20 Update 1.

impact

An unprivileged local user can escalate privileges to NT AUTHORITY\SYSTEM. By reading exposed PostgreSQL credentials from the configuration file and connecting to the database service running as SYSTEM, an attacker can load a malicious DLL via PostgreSQL extension abuse to achieve full system compromise.

CVE-2024-32656

7.8 high

Ant Media Server

JMX MLet Local Privilege Escalation

vulnerability type Local Privilege Escalation
cvss vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cwe CWE-862: Missing Authorization
published April 22, 2024
affected versions 2.6.0 - 2.8.2
researchers Adam Crosser (Praetorian)

description

Ant Media Server exposes an unauthenticated Java Management Extensions (JMX) remote management interface on localhost port 5599/TCP. While the service only listens on localhost, any unprivileged local operating system user can connect to the JMX service and leverage the MLet Bean to load a remote MBean from an attacker-controlled server, achieving code execution within the context of the "antmedia" service account.

impact

An attacker with any level of local access can escalate privileges to root. The antmedia service account has sudo privileges, allowing full system compromise. Ant Media Server is a popular live streaming engine used by over 2,000 enterprises globally. This vulnerability is nearly identical to CVE-2023-26269 identified in Apache James.

CVE-2024-26135

8.3 high

MeshCentral

Cross-Site WebSocket Hijacking to Account Takeover

vulnerability type Cross-Site WebSocket Hijacking (CSWSH)
cvss vector CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
cwe CWE-346: Origin Validation Error
published February 20, 2024
affected versions < 1.1.21
researchers Adam Crosser (Praetorian)

description

MeshCentral, a web-based remote monitoring and endpoint management solution, contains a cross-site WebSocket hijacking vulnerability within the control.ashx endpoint. This component is the primary mechanism used within MeshCentral to perform administrative actions on the server. The application does not properly validate the origin of WebSocket connections, allowing attackers to originate cross-site WebSocket connections from adjacent subdomains or through XSS vulnerabilities.

impact

When an attacker convinces a victim administrator to click a malicious link, they can connect to the control.ashx endpoint as the victim user, read the server configuration file to leak the sessionKey variable used to sign session cookies, generate login tokens, and achieve persistent access to administrator accounts. This enables complete account takeover and control of all managed endpoints.

CVE-2023-48178

8.8 high

Relution

Remote Code Execution via Java Deserialization

vulnerability type Java Deserialization
cvss vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cwe CWE-502: Deserialization of Untrusted Data
published February 1, 2024
affected versions <= 5.18.0
researchers Adam Crosser (Praetorian)

description

Relution, a mobile device management (MDM) platform, contains a deserialization vulnerability in its inter-cluster communication component. The JGroups-based cluster service on port 7800 accepts serialized Java objects without validation, allowing an unauthenticated attacker to submit malicious payloads that trigger unsafe deserialization. While Java 17 module encapsulation restrictions limit standard gadget chains, alternative attack vectors using AspectJWeaver payload chains bypass these protections to achieve code execution.

impact

An unauthenticated attacker with network access to the JGroups cluster communication service (port 7800) can submit malicious serialized objects that trigger unsafe deserialization, achieving remote code execution. This enables complete compromise of the MDM application and all managed client devices, including credential harvesting, arbitrary file writes, and frontend modification for keystroke logging.

CVE-2023-48365

9.9 critical

Qlik Sense Enterprise for Windows

"DoubleQlik" — HTTP Request Tunneling Patch Bypass

vulnerability type HTTP Request Tunneling (Patch Bypass)
cvss vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
cwe CWE-444: Inconsistent Interpretation of HTTP Requests
published November 15, 2023
cisa kev added January 13, 2025
researchers Adam Crosser, Thomas Hendrickson (Praetorian)

description

Bypass of the incomplete fix for CVE-2023-41265. The original patch attempted to prevent CL.TE HTTP request tunneling by removing the Content-Length header when Transfer-Encoding was set to "chunked". However, by specifying non-exact values for the Transfer-Encoding header (e.g., "tchunked") that the backend server would still interpret as chunked encoding, attackers could bypass the fix and achieve unauthenticated remote code execution.

impact

Allows unauthenticated attackers to execute arbitrary code on servers running vulnerable Qlik Sense instances. Actively exploited by Cactus ransomware group for initial access in enterprise environments. Over 11,000 exposed instances identified globally, with 26% in the United States.

exploitation

  • Actively exploited in the wild by **Cactus ransomware**
  • Used for initial access in double-extortion attacks
  • Targets Fortune 500, government, and military organizations

CVE-2023-41265

9.9 critical

Qlik Sense Enterprise for Windows

"ZeroQlik" — HTTP Request Tunneling to RCE

vulnerability type HTTP Request Tunneling
cvss vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
cwe CWE-444: Inconsistent Interpretation of HTTP Requests
published August 29, 2023
cisa kev added December 7, 2023
researchers Adam Crosser, Thomas Hendrickson (Praetorian)

description

HTTP Request Tunneling vulnerability due to improper validation of HTTP headers. A remote attacker can elevate privileges by tunneling HTTP requests, allowing execution of requests on the backend server hosting the repository application. When chained with CVE-2023-41266, it enables unauthenticated remote code execution through the External Program Task functionality.

impact

Allows attackers to bypass the frontend proxy's security controls and impersonate a privileged service account to the backend Repository service. This enables administrative actions including adding new admin users and executing arbitrary commands via external program tasks. Over 6,000 externally-facing instances identified at disclosure, including Fortune 500 companies, military, and government entities.

exploitation

  • Actively exploited in the wild by **Cactus ransomware**
  • Exploited by **Magnet Goblin** threat actor
  • Chain with CVE-2023-41266 for full RCE

CVE-2023-41266

8.2 high

Qlik Sense Enterprise for Windows

"ZeroQlik" — Path Traversal Authentication Bypass

vulnerability type Path Traversal / Authentication Bypass
cvss vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
cwe CWE-22: Improper Limitation of a Pathname to a Restricted Directory
published August 29, 2023
cisa kev added December 7, 2023
researchers Adam Crosser, Thomas Hendrickson (Praetorian)

description

Path traversal vulnerability that allows an unauthenticated remote attacker to generate an anonymous session by crafting requests beginning with `/resources/qmc/fonts/` and ending in `.ttf`. This bypasses authentication requirements enforced by the proxy service, allowing attackers to transmit HTTP requests to unauthorized internal endpoints.

impact

Enables unauthenticated attackers to bypass authentication and access internal API endpoints. When combined with CVE-2023-41265, provides the initial foothold needed to achieve full remote code execution on the target system.

exploitation

  • Actively exploited in the wild by **Cactus ransomware**
  • Required component for ZeroQlik exploit chain
  • EPSS score: 86.5% (extremely high exploitation probability)

CVE-2022-0016

7.8 high

Palo Alto Networks GlobalProtect

Connect Before Logon RCE / Local Privilege Escalation

vulnerability type Local Privilege Escalation / Remote Code Execution
cvss vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cwe CWE-755: Improper Handling of Exceptional Conditions
published February 9, 2022
affected versions GlobalProtect app 5.2 < 5.2.9 (Windows and macOS)
researchers Adam Crosser (Praetorian)

description

Palo Alto Networks GlobalProtect app contains a vulnerability in the Connect Before Logon feature, which enables VPN authentication before Windows domain login. The feature presents an embedded browser window that can be escaped using techniques similar to Citrix kiosk escapes, allowing an attacker to access underlying system functionality and execute arbitrary commands as SYSTEM or root. The vulnerability affects GlobalProtect app 5.2 versions earlier than 5.2.9 on both Windows and macOS.

impact

An unauthenticated attacker with physical or remote access to the GlobalProtect login screen can escape the intended application user interface to execute arbitrary code. In environments with network-level authentication requirements and proper segmentation, exploitation is limited to local privilege escalation to SYSTEM or root. Without these controls, full remote code execution is achievable.