Attack Research

Filters

Showing 13–18 of 76 results

CVE-2023-48788: Fortinet FortiClient EMS SQL Injection Deep Dive

March 21, 2024 | Attack Blogs

Introduction In a recent PSIRT, Fortinet acknowledged CVE-2023-48788 – a SQL injection in FortiClient EMS that can lead to remote code execution. FortiClient EMS is an endpoint management solution for enterprises that provides a central location for administering enrolled endpoints. This SQL injection vulnerability is caused by user controlled strings that are passed directly into database queries. In this post...

Fortinet FortiWLM Deep-Dive, IOCs, and the Almost Story of the “Forti Forty”

March 14, 2024 | Attack Blogs, Disclosures

Early in 2023, soon after reproducing a remote code execution vulnerability for the Fortinet FortiNAC, I was on the hunt for a set of new research targets. Fortinet seemed like a decent place to start given the variety of lesser-known security appliances I had noticed while searching for the FortiNAC firmware. The first target I landed on was the Fortinet...

NextChat: An AI Chatbot That Lets You Talk to Anyone You Want To

March 11, 2024 | Attack Blogs, Disclosures

NextChat a.k.a ChatGPT-Next-Web, a popular Gen AI ChatBot, is vulnerable to a critical server-side request forgery (SSRF) vulnerability.

CVE-2024-1403: Progress OpenEdge Authentication Bypass Deep-Dive

March 6, 2024 | Attack Blogs

On February 27, 2024, Progress released a security advisory for OpenEdge, their application development and deployment platform suite. The advisory details that there exists an authentication bypass vulnerability which effects certain components of the OpenEdge platform. Our proof of concept can be found here. When the OpenEdge Authentication Gateway (OEAG) is configured with an OpenEdge Domain that uses the OS...

ConnectWise ScreenConnect: Authentication Bypass Deep Dive

February 21, 2024 | Attack Blogs

Introduction On February 19, 2023, ConnectWise published a security advisory for their ScreenConnect remote management tool. In the advisory, they describe two vulnerabilities, an authentication bypass with CVSS 10.0 and a path traversal with CVSS 8.4 (both currently without assigned CVE IDs). In this post we will dive into the technical details of the authentication bypass. You can view our POC...