LAST UPDATED: 2023-08-09
This report identifies hosts that have the Hypertext Transfer Protocol (HTTP) service running on some port that may have a vulnerability.
It currently focuses on the following vulnerabilities:
- Zimbra Communication Suite – a CVE-2022-37042 vulnerability discovered by Volexity (blog published 2022-08-10) that allows for remote code execution, and has been exploited in the wild since at least June 2022. This vulnerability was patched in Zimbra releases ZCS 9.0.0 Patch 26 and ZCS 8.8.15 Patch 33, July 28th,2022. If you receive a report on an IP tagged
cve-2022-37042it is likely you are vulnerable to this exploit and possibly already compromised (which may involve a webshell being installed by an attacker). Please note we are making this assessment entirely on the ZCS build time, and tagging all versions earlier than 2022-07-26 build time as vulnerable. Hence, there is a possibility of false positives.
- HTTP hosts that implement Basic Authentication in plain HTTP. This is a security risk as credentials are transmitted in cleartext, without encryption. Enforce the use of HTTPS instead. Instances found will be tagged
basic-authin the report message.
- Exposed .git folders. We scan every IPv4 for with a GET /.git/config query. The tag in this case is
git-config-file.For an overview of security risks associated with .git exposure and what actions you can take to mitigate the risk, please read “Unprotected .git folders on the internet pose a security risk” by NCSC CH.
- Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: OpenSSO Agent), tagged as
cve-2021-35587allowing for unauthenticated remote code execution. If you get such an alert make sure to apply Oracle’s patches here.
- Likely AMI MegaRAC vulnerabilities – used by multiple vendors – as described in Eclypsium’s post “Supply Chain Vulnerabilities Put Server Ecosystem at Risk”. In this case we scan for exposed Redfish API endpoints, however we are not able to verify if these have been patched and thus not vulnerable anymore (CVE-2022-40259). Nevertheless, these should not be exposed to the public Internet. We tag these as
potential-megarac. The difference in the tags reflects our confidence in identifying the device. If you get an alert make sure to apply your vendor’s latest patches!
- Fortinet CVE-2022-42475 (CVSS 9.8 RCE) based on Fortinet version scanning (where possible). These are tagged
cve-2022-42475. If you get an alert make sure to apply the patch specified in the advisory.
- Citrix CVE-2022-27510 (CVSS 9.8 RCE) based on version information parsed from /vpn/index.html. These are tagged
cve-2022-27510. If you get an alert make sure to apply the updates specified in the advisory. For additional background please read the Fox-IT article on remotely fingerprinting Citrix ADC and Gateway versions.
- VMware CVE-2021-21972 (remote code execution vulnerability in the vSphere Client, CVSS 9.8 RCE). These are tagged
cve-2021-21972. Note: this check is version based. If you get an alert make sure to apply the updates specified in the advisory.
- Multiple VMware ESXi vulnerabilities: CVE-2021-21974 (CVSS 8.8), CVE-2020-3992 (CVSS 9.8), CVE-2019-5544 (CVSS 9.8) tagged as
cve-2019-5544. As of 2023-02-06, it is possible they are being used in ransomware attacks as described in this CERT-FR advisory. Note: this check is version based. It is possible that these services have other mitigations in place. Nevertheless, if you receive an alert, we recommend to apply the latest VMware updates!
- Joomla CVE-2023-23752: An improper access check allows unauthorized access to webservice endpoints, affecting Joomla! CMS versions 4.0.0-4.2.7. While this has been given only a CVSS of 5.3, exploitation details are public and trivial, and many of the vulnerable endpoints disclose their actual unencrypted passwords. Make sure to update your Joomla instance as advised in their advisory  – Core – Improper access check in webservice endpoints. Tagged as
- Geoserver CVE-2023-25157 (CVSS 9.8) and CVE-2022-24816 (CVSS 9.8). These are two unauthenticated RCE vulnerabilities in GeoServer, a popular open source software server written in Java that allows users to share and edit geospatial data. Tagging is based on the version returned for a query for /geoserver/web/. Make sure to apply the latest patches to your Geoserver instance! Tagged as
- Jenkins CVE-2023-27898. CVE tagging is based on X-Jenkins header: LTS >= 2.270.0 < 2.375.4 or non-LTS >= 2.270 <= 2.393. Tagged as
- Fortinet CVE-2023-27997 (a heap buffer overflow in SSL-VPN pre-authentication that can be exploited by remote attackers to execute code or commands). See the Fortinet FG-IR-23097 advisory for Fortinet versions affected and patch information. Tagged as
cve-2023-27997. This is a version based assessment. Make sure to apply patches!
- Possibly compromised Progress MOVEit Transfer instances with webshells. Tagged as
moveit. These will have been breached most likely due to CVE-2023-34362. Read more on the MOVEit vulnerability in the Progress advisory “MOVEit Transfer Critical Vulnerability 31May2023”. Check our Device Identification report for all exposed instances (no vulnerability assessment)
- VMware CVE-2023-20892 (vCenter Server contains a heap overflow vulnerability due to the usage of uninitialized memory in the implementation of the DCERPC protocol). Scan is based on VMware versions detected. Tagged as
- Fortinet CVE-2023-33308 (FortiOS/FortiProxy – Proxy mode with deep inspection – Stack-based buffer overflow). This is a version based assessment. Make sure to apply patches! Tagged as
- Citrix CVE-2023-3519 (Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability). This assessment is version based – that is we tag all IPs where we see a version hash in a Citrix instance. This is due to the fact that Citrix has removed version hash information in recent revisions, including the latest update with the fix. It is thus safe to assume in our view that all instances that still provide version hashes have not been updated and thus, providing no mitigation is in place, remain vulnerable. In addition, we have also added tagged as vulnerable instances that return a Last Modified headers with a date before July 1, 2023 00:00:00Z. Make sure to update as per the Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467 advisory. Tagged as
cve-2023-3519.If you received an alert for your network/constituency or did not patch before July 20th 2023 please read our Technical Summary of Observed Citrix CVE-2023-3519 Incidents for information how to detect and hunt for compromise, including webshells installed by threat actors.
- Ivanti Endpoint Manager (EPMM), formerly known as MobileIron Core CVE-2023-35078. CVE-2023-35078 is a pre-auth RCE that has been exploited by threat actors against the Norwegian government. Make sure to update to the latest version as per the Ivanti advisory. We also notify of instances possibly vulnerable to an Apache HTTP server vulnerability CVE-2023-25690. Tagged as
- Metabase CVE-2023-38646. An unauthenticated attacker can run arbitrary commands with the same privileges as the Metabase server on the server you are running Metabase. Make sure to upgrade as per the Metabase advisory. This is a version based scan. Tagged
- Ivant Endpoint Manager (EPMM), formerly known as MobileIron Core CVE-2023-35082. This is a pre-auth RCE. Make sure to update to the latest version. Tagged as
cve-2023-35082[tagging first added 2023-08-07]
- PaperCut NG/MF CVE-2023-39143 (PaperCut NG and PaperCut MF before 22.1.3 on Windows allow path traversal, enabling attackers to upload, read, or delete arbitrary files). Tagged as
cve-2023-39143[tagging first added 2023-08-08]
- JetBrains TeamCity CVE-2023-42793 (JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE). If you receive a report, please make sure to check for signs of compromise and update (see the JetBrains advisory). Tagged as
cve-2023-42793. [tagging first added 2023-09-29]
Other vulnerabilities may be added in the future to this report. As some of the assessments are version based, false positives may be possible (or alternatively, mitigations/workarounds may be in place or affected features not enabled). Please let us know if you believe that is the case for a report we sent you.
You can view results from our vulnerable HTTP scans in our Dashboard here. You can select a tag for a CVE for specific vulnerability to track by selecting
CVE-XXXX-XXXX+, ie. a CVE tag with a + suffix.
Looking for vulnerable Microsoft Exchange CVEs that we track? We have a separate Vulnerable Exchange Server report.
For a report on all exposed devices/models/products check out our Device Identification report. This report effectively provides an asset inventory you can use for incident triage.
For a report about all accessible HTTP hosts (including those without vulnerabilities) please see our Accessible HTTP Report.
For more information on our scanning efforts, check out our Internet scanning summary page.
This report has an IPv4 and IPv6 version.
Filename(s): scan_http_vulnerable, scan6_http_vulnerable