Attack Blogs
The Ni8mare Test: n8n RCE Under the Microscope (CVE-2026-21858)
CVE-2026-21858, the so-called “Ni8mare” n8n RCE, drew significant attention—but real-world impact appears limited. Horizon3.ai breaks down the technical prerequisites, observed exposure, and why most organizations are unlikely to be affected.
The FreePBX Rabbit Hole: CVE-2025-66039 and others
December 11, 2025
We dive into a new set of FreePBX issues beyond CVE-2025-57819: an authentication bypass in webserver mode (CVE-2025-66039), multiple SQL injections (CVE-2025-61675), and an arbitrary file upload bug leading to remote code execution (CVE-2025-61678). Together, they allow authenticated or unauthenticated attackers to achieve code execution on vulnerable FreePBX instances using risky auth settings. This write-up…
N-able N-central: From N-days to 0-days
Horizon3.ai discovered two critical vulnerabilities in N-able N-central — CVE-2025-9316 and CVE-2025-11700 — that can be chained to leak credentials and fully compromise the appliance. This in-depth analysis details how the flaws were found, exploited, responsibly disclosed, and patched in version 2025.4, turning N-days into true 0-days.
The Quiet Attack Path
October 21, 2025
Attackers turn native Active Directory features into a low-noise, high-impact playbook: stealthy enumeration, Kerberoasting, and AS-REP roasting can produce crackable credentials and clear paths to domain admin in minutes. This post walks through the first 15 minutes of an AD intrusion, why traditional SIEM/EDR struggles to detect it, and what defenders must catch early to…
From Support Ticket to Zero Day
August 13, 2025
Examining a Critical Vulnerability in Xerox FreeFlow Core
CVE-2025-5777: CitrixBleed 2 Write-Up… Maybe?
July 7, 2025
Background and Confusion: On June 17, 2025, Citrix published an advisory detailing CVE-2025-5777 and CVE-2025-5349. Affected products include: On June 25, 2025, they also published an advisory detailing CVE-2025-6543. Affected products include: Of the three vulnerabilities, two of them have been receiving a bit of buzz: While we’ve developed a working exploit for one of…
CVE-2025-34508: Another File Sharing Application, Another Path Traversal
June 17, 2025
Learn how Horizon3.ai uncovered CVE-2025-34508 in ZendTo, allowing attackers to access sensitive files through a path traversal flaw.
What 7,000+ NodeZero RAT Attempts Show Us About Cyber Security
June 9, 2025
Discover how NodeZero's autonomous RAT operates, why credentials dominate post-exploitation, and what it means for your cyber defense.
Cisco IOS XE WLC Arbitrary File Upload Vulnerability (CVE-2025-20188) Analysis
May 29, 2025
Explore how a hard-coded JWT in Cisco IOS XE WLC enables unauthenticated file upload and potential RCE—and how to mitigate it.
CVE-2025-32756: Low-Rise Jeans are Back and so are Buffer Overflows
May 22, 2025
Analyze CVE-2025-32756, a Fortinet buffer overflow flaw under active attack, and see how NodeZero can validate exposure now.
