CRITICAL: Vulnerable HTTP Report

DESCRIPTION LAST UPDATED: 2025-05-12

DEFAULT SEVERITY LEVEL: CRITICAL

This report identifies hosts that have the Hypertext Transfer Protocol (HTTP) service running on some port that may have a vulnerability.

We typically focus on pre-auth RCE vulnerabilities (or vulnerabilities that can be chained together by attackers to remotely execute code) in critical or otherwise popular software that is often exposed to the public Internet. We strongly recommend reviewing any system (and your network!) for signs of compromise if you receive a report from us. This is because many of these are known to be actively exploited in the wild. You should also make sure to proceed to mitigate the vulnerability based on the current vendor recommendations.

It currently contains checks for the following vulnerabilities in exposed HTTP services:

  • Zimbra Communication Suite – a CVE-2022-37042 vulnerability discovered by Volexity (blog published 2022-08-10) that allows for remote code execution, and has been exploited in the wild since at least June 2022. This vulnerability was patched in Zimbra releases ZCS 9.0.0 Patch 26 and ZCS 8.8.15 Patch 33, July 28th,2022. If you receive a report on an IP tagged cve-2022-37042 it is likely you are vulnerable to this exploit and possibly already compromised (which may involve a webshell being installed by an attacker). Please note we are making this assessment entirely on the ZCS build time, and tagging all versions earlier than 2022-07-26 build time as vulnerable. Hence, there is a possibility of false positives.
  • HTTP hosts that implement Basic Authentication in plain HTTP. This is a security risk as credentials are transmitted in cleartext, without encryption. Enforce the use of HTTPS instead.  Instances found will be tagged basic-auth in the report message. Note these are classified as severity MEDIUM, lower than the report default
  • Exposed .git folders. We scan every IPv4 for with a GET /.git/config query. The tag in this case is git-config-file. For an overview of security risks associated with .git exposure and what actions you can take to mitigate the risk, please read “Unprotected .git folders on the internet pose a security risk” by NCSC CH.
  • Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: OpenSSO Agent), tagged as cve-2021-35587 allowing for unauthenticated remote code execution. If you get such an alert make sure to apply Oracle’s patches here.
  • Likely AMI MegaRAC vulnerabilities – used by multiple vendors – as described in Eclypsium’s post “Supply Chain Vulnerabilities Put Server Ecosystem at Risk”.  In this case we scan for exposed Redfish API endpoints, however we are not able to verify if these have been patched and thus not vulnerable anymore (CVE-2022-40259). Nevertheless, these should not be exposed to the public Internet. We tag these as megarac and potential-megaracThe difference in the tags reflects our confidence in identifying the device. If you get an alert make sure to apply your vendor’s latest patches!
  • Fortinet CVE-2022-42475 (CVSS 9.8 RCE) based on Fortinet version scanning (where possible).  These are tagged cve-2022-42475If you get an alert make sure to apply the patch specified in the advisory.
  • Citrix  CVE-2022-27510 (CVSS 9.8 RCE) based on version information parsed from /vpn/index.html. These are tagged cve-2022-27510If you get an alert make sure to apply the updates specified in the advisory. For additional background please read the Fox-IT article on remotely fingerprinting Citrix ADC and Gateway versions.
  • VMware CVE-2021-21972 (remote code execution vulnerability in the vSphere Client, CVSS 9.8 RCE).  These are tagged cve-2021-21972. Note: this check is version based. If you get an alert make sure to apply the updates specified in the advisory.
  • Multiple VMware ESXi vulnerabilities: CVE-2021-21974 (CVSS 8.8), CVE-2020-3992 (CVSS 9.8),  CVE-2019-5544 (CVSS 9.8) tagged as cve-2021-21974, cve-2020-3992, cve-2019-5544. As of 2023-02-06, it is possible they are being used in ransomware attacks as described in this CERT-FR advisory. Note: this check is version based. It is possible that these services have other mitigations in place. Nevertheless, if you receive an alert, we recommend to apply the latest VMware updates!
  • Joomla CVE-2023-23752: An improper access check allows unauthorized access to webservice endpoints, affecting Joomla! CMS versions 4.0.0-4.2.7. While this has been given only a CVSS of 5.3, exploitation details are public and trivial, and many of the vulnerable endpoints disclose their actual unencrypted passwords. Make sure to update your Joomla instance as advised in their advisory [20230201] – Core – Improper access check in webservice endpoints. Tagged as cve-2023-23752.
  • GeoServer CVE-2023-25157 (CVSS 9.8) and CVE-2022-24816 (CVSS 9.8).  These are two unauthenticated RCE vulnerabilities in GeoServer, a popular open source software server written in Java that allows users to share and edit geospatial data. Tagging is based on the version returned for a query for /geoserver/web/. Make sure to apply the latest patches to your Geoserver instance! Tagged as cve-2023-25157 and cve-2022-24816.
  • Jenkins CVE-2023-27898. CVE tagging is based on X-Jenkins header:  LTS >= 2.270.0 < 2.375.4 or non-LTS >= 2.270 <= 2.393.  Tagged as cve-2023-27898.
  • Fortinet CVE-2023-27997  (a heap buffer overflow in SSL-VPN pre-authentication that can be exploited by remote attackers to execute code or commands). See the Fortinet FG-IR-23097 advisory for Fortinet versions affected and patch information.  Tagged as cve-2023-27997. This is a version based assessment. Make sure to apply patches!
  • Possibly compromised Progress MOVEit Transfer instances with webshells. Tagged as moveit. These will have been breached most likely due to CVE-2023-34362. Read more on the MOVEit vulnerability in the Progress advisory “MOVEit Transfer Critical Vulnerability 31May2023”. Check our Device Identification report for all exposed instances (no vulnerability assessment)
  • VMware CVE-2023-20892 (vCenter Server contains a heap overflow vulnerability due to the usage of uninitialized memory in the implementation of the DCERPC protocol). Scan is based on VMware versions detected. Tagged as  cve-2023-20892
  • Fortinet CVE-2023-33308 (FortiOS/FortiProxy – Proxy mode with deep inspection – Stack-based buffer overflow). This is a version based assessment. Make sure to apply patches! Tagged as cve-2023-33308.
  • Citrix CVE-2023-3519 (Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability). This assessment is version based – that is we tag all IPs where we see a version hash in a Citrix instance. This is due to the fact that Citrix has removed version hash information in recent revisions, including the latest update with the fix. It is thus safe to assume in our view that all instances that still provide version hashes have not been updated and thus, providing no mitigation is in place, remain vulnerable. In addition, we have also added tagged as vulnerable instances that return a Last Modified headers with a date before July 1, 2023 00:00:00Z. Make sure to update as per the Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467 advisory. Tagged as cve-2023-3519. If you received an alert for your network/constituency or did not patch before July 20th 2023 please read our Technical Summary of Observed Citrix CVE-2023-3519 Incidents for information how to detect and hunt for compromise, including webshells installed by threat actors.
  • Ivanti Endpoint Manager (EPMM), formerly known as MobileIron Core CVE-2023-35078. CVE-2023-35078 is a pre-auth RCE that has been exploited by threat actors against the Norwegian government. Make sure to update to the latest version as per the Ivanti advisory.  We also notify of instances possibly vulnerable to an Apache HTTP server vulnerability CVE-2023-25690. Tagged as cve-2023-35078 and cve-2023-25690. 
  • Metabase CVE-2023-38646. An unauthenticated attacker can run arbitrary commands with the same privileges as the Metabase server on the server you are running Metabase. Make sure to upgrade as per the Metabase advisory. This is a version based scan. Tagged cve-2023-38646.
  • Ivanti Endpoint Manager (EPMM), formerly known as MobileIron Core CVE-2023-35082. This is a pre-auth RCE. Make sure to update to the latest version. Tagged as cve-2023-35082 [tagging first added 2023-08-07]
  • PaperCut NG/MF CVE-2023-39143 (PaperCut NG and PaperCut MF before 22.1.3 on Windows allow path traversal, enabling attackers to upload, read, or delete arbitrary files). Tagged as cve-2023-39143[tagging first added 2023-08-08]
  • JetBrains TeamCity CVE-2023-42793 (JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE). If you receive a report, please make sure to check for signs of compromise and update (see the JetBrains advisory). Tagged as cve-2023-42793[tagging first added 2023-09-29]
  • Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966 (Sensitive information disclosure in NetScaler ADC and NetScaler Gateway, 9.4 CVSS). Follow the patching instructions from the Citrix advisory. Tagged as  cve-2023-4966[tagging first added 2023-10-11]
  • Roundcube Webmail  CVE-2023-5631 (Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document). While rated “only” CVSS 5.4, it has been used by at least one APT actor to execute JavaScript code in the browser of the victim in the context of their Roundcube session. For more details of how this vulnerability can be exploited see ESET’s Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers writeup. Please make sure to update your Roundcube Webmail versions and investigate if your users may have been targeted: See: https://roundcube.net/news/2023/10/16/security-updates-1.5.5-and-1.4.15 and https://roundcube.net/news/2023/10/16/security-update-1.6.4-released. Tagged as cve-2023-5631. [tagging first added 2023-10-27]
  • VMware vCenter CVE-2023-34048 (VMware vCenter Server Out-of-Bounds Write Vulnerability). This is a CVSS 9.8 RCE. Make sure to follow the VMware advisory for updating.  We perform a version check over the exposed HTTP interface, but actual exploitation requires access to the DCERPC service. We tag cve-2023-34048 all the versions that are vulnerable and in addition tag vcenter-dcerpc-exposed all instances that also have the DCERPC service accessible (and thus exploitable).[tagging first added 2023-11-02]
  • CrushFTP CVE-2023-43177 (CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes). This is a pre-auth RCE. Make sure you upgrade. Tagged as  cve-2023-43177. [tagging first added 2023-11-20]
  • F5 BIG-IP CVE-2023-46747 (F5 BIG-IP Configuration Utility Authentication Bypass Vulnerability). This is a pre-auth RCE. Please follow update and mitigation advice listed in the F5 advisory on the issue.  You should also not expose this configuration interface to the Internet regardless of this vulnerability! Tagged as cve-2023-46747. [tagging first added 2023-11-28]
  • Ivanti Connect Secure (previously known as Pulse Connect Secure VPN)  CVE-2023-46805 & CVE-2024-21887.  These vulnerabilities when chained together allow for pre-auth RCE. The vulnerabilities are confirmed exploited in the wild by Volexity. If you receive a report from us make sure to check for signs of compromise. Make sure to apply the mitigation proposed by Ivanti in their advisory: CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection) for Ivanti Connect Secure and Ivanti Policy Secure Gateways. Tagged as cve-2023-46805 and cve-2024-21887. For tagging, we use the methodology described by WatchTowr. This should enable identification of instances that have NOT applied the mitigation provided by Ivanti, thus remaining vulnerable. Any Ivanti Connect Secure device that responds to our request with either of the following is tagged as vulnerable [tagging first added 2024-01-14]:
    • 403 Forbidden and does NOT contain Access to the Web site is blocked by your administrator. Please notify your system administrator in the  body (as of 2023-01-10 we also take into account equivalent texts in other languages that Ivanti supports to avoid FPs – if you find we missed a language please let us know!)
    • 302 Found

Please note on 2024-02-02 we modified detection to take into account the patch released by Ivanti (ie. to not report instances that removed the mitigation but patched as vulnerable).

  • Citrix CVE-2023-6549 (“Improper Restriction of Operations within the Bounds of a Memory Buffer in NetScaler ADC and NetScaler Gateway allows Unauthenticated Denial of Service”). See Citrix advisory for details. Tagged as cve-2023-6549. [tagging first added 2024-01-18]
  • NextGen Healthcare Mirth Connect CVE-2023-43208 (NextGen Healthcare Mirth Connect before version 4.4.1 is vulnerable to unauthenticated remote code execution). Please update to the latest version! For details behind the vulnerability see this writeup by Horizon3.ai. This is a version based scan. Tagged as cve-2023-43208. [tagging first added 2024-01-18]
  • GitLab CE/EE CVE-2023-7028 (User account password reset emails can be delivered to an unverified email address).  See the GitLab advisory for me details and patch information. Tagged as cve-2023-7028.[tagging first added 2024-01-22]
  • Fortra GoAnywhere MFT CVE-2024-0204 (Authentication bypass in Fortra’s GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.). If you receive a report from us make sure to review for signs of compromise and follow the Fortra advisory on patching. Please note that remote access to the administration portal is required for remote exploitation. We also share a list of unpatched GoAnywhere MFT instances based on the SSH banner in our Accessible SSH report – this does not mean these devices are remotely exploitable as access to the HTTP admin portal is required for exploitability. Tagged as cve-2024-0204.[tagging first added 2024-01-25].
  • Jenkins CVE-2024-23897 (Arbitrary file read vulnerability through the CLI can lead to RCE). See Jenkins advisory for details and patch. Tagged as cve-2024-23897.[tagging first added 2024-01-26]
  • Ivanti Connect Secure CVE-2024-22024  & CVE-2024-21887 (all version based). These are all RCE vulnerabilities exploited in the wild. If you receive an alert from us on a vulnerable device, make sure to review for compromise. Follow latest Ivanti guidelines/patches. Tagged as cve-2024-22024, cve-2024-21887.  [tagging first added 2024-02-13].
  • Roundcube CVE-2023-43770 – Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability (version based). This vulnerability has been added to the CISA Known Exploited Vulnerability catalog and is present in versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. Make sure to patch to the latest version of Roudcube! Tagged as cve-2023-43770. [tagging first added 2024-02-13]
  • Fortinet CVE-2024-21762 – Fortinet FortiOS Out-of-Bound Write Vulnerability (version based on cases where we can establish the version). This vulnerability has been added to the CISA Known Exploited Vulnerability catalog. Follow Fortinet advisory FG-IR-24-015.  Check for possible compromise. Tagged as cve-2024-21762 [tagging first added 2024-02-13]. Update: We expanded the scanning to use an indirect version scan (thanks Gi7w0rm & LeakIX!) . Added 2024-03-05.
  • JetBrains TeamCity CVE-2024-23917 (Authentication bypass leading to RCE was possible). This is a version based scan. Make sure to update to latest version! Tagged as cve-2024-23917 [tagging first added 2024-02-14]
  • ConnectWise ScreenConnect RCE vulnerabilities (CVE-2024-1709): An authentication bypass using an alternate path or channel (CVSS 10) and a path traversal issue (CVSS 8.4).  Affected versions: ScreenConnect 23.9.7 and prior. Make sure to update to the latest versions! Tagged originally as vulnerable-screenconnect as no CVE was originally assigned [this tagging first added 2024-02-20]. Update: these are now tagged cve-2024-1709 after 2024-02-22.
  • JetBrains TeamCity CVE-2024-27198 (authentication bypass vulnerability in the web component of TeamCity). This vulnerability was discovered by Rapid7  See the advisory from JetBrains and update to the latest version! This is a version based scan. Tagged as cve-2024-27198. [tagging first added 2024-03-05]
  • VMware ESXi multiple vulnerabilities addressed in VMSA-2024-0006 . We use CVE-2024-22252 to tag but this covers also the other CVE-2024-22253, CVE-2024-22254, CVE-2024-22255 that have been reported. Tagged as cve-2024-22252. [tagging first added 2024-03-07]
  • Fortinet FortiClient EMS SQL injection CVE-2023-48788  (FG-IR-24-007).  This is a version based detection. If you receive an alert, make sure to check for signs of compromise and update. Tagged as cve-2023-48788. Please note actual exploitation involves port 8013 access, which we do not check for with this detection. [tagging first added 2024-03-22]
  • Ivanti Connect Secure & Policy Secure Gateways CVE-2024-21894 (Heap Overflow which may lead to RCE) and CVE-2024-22053 (Heap Overflow which may lead to memory read), both assessed CVSS 8.2 by Ivanti. This is a version based detection. See Ivanti advisory for details. Tagged as cve-2024-21894, cve-20240-22053[tagging first added 2024-04-04]
  • Ivanti Endpoint Manager (EPMM), formerly known as MobileIron Core CVE-2023-39335 (Certificate creation authentication bypass in UPDATEPROFILE handler – CVSS 9.8 RCE). See the Ivanti advisory for affected versions and patch details. Tagged as  cve-2023-39335. [tagging first added 2024-04-05].
  • D-Link NAS CVE-2024-3273 (D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403 backdoor and remote command injection vulnerability). This scan is based on identification of the device exposure only – this is because these devices are end-of-life and not supported any more (ie. no fix will be issued). See D-Link advisory for details. If you receive an alert you should take the device offline or at the very least block external access (from the public Internet). As the vulnerability is being exploited in the wild also by botnets, assume compromise. Tagged as cve-2024-3273. [tagging first added 2024-04-09]
  • Fortinet FortiClient Linux CVE-2023-45590 (Remote Code Execution due to dangerous ELECTRONJS configuration, see Fortinet advisory for patch details FG-IR-23-087). This is a version based scan. Tagged as cve-2023-45590. [tagging first added 2024-04-12]
  • Palo Alto GlobalProtect CVE-2024-3400 (Palo Alto Networks PAN-OS Command Injection Vulnerability). Please read the Palo Alto advisory for mitigation/patch details. This vulnerability is exploited in the wild. This is a version based scan (inferred from ETag/Last-Modified headers). Please note it does not detect mitigations, just the vulnerable version. As we do not know if a mitigation is in place, unpatched versions are tagged possible-cve-2024-3400.  However, in cases where we are additionally able to identify exploitation artefacts remotely we tag the instance as cve-2024-3400 (as there is supportive information confirming successful exploitation run – please note that that does not automatically mean they devices are compromised).[tagging for possible-cve-2024-3400 first added 2024-04-17, tagging for cve-2024-3400 first added 2024-04-19]. Note: Data for 2024-04-17 is in the Accessible SSL report with the same tag.
  • CrushFTP CVE-2024-4040 (CrushFTP VFS Sandbox Escape Vulnerability, CVSS 9.8). See vendor advisory for update (v11) and v10– patched in v11.1.0 and 10.7.1.  See also Rapid7 writeup (“Rapid7’s vulnerability research team analyzed CVE-2024-4040 and determined that it is fully unauthenticated and trivially exploitable; successful exploitation allows for not only arbitrary file read as root, but also authentication bypass for administrator account access and full remote code execution.“). This vulnerability is exploited in the wild. We infer the patch time of the instance from the available data to make a decision on whether to tag an instance. Tagged as cve-2024-4040.[tagging first added 2024-04-24]
  • Qlik Sense CVE-2023-48365 (unauthenticated remote code execution in Qlik Sense Enterprise for Windows before August 2023 Patch 2). This vulnerability is exploited in the wild by Cactus ransomware – see the writeup by ArcticWolf and Fox-IT. Thank you for the collaboration with Fox-IT and DIVD in setting up this scan. Tagged as cve-2023-48365. [tagging first added 2024-04-24]
  • Tinyproxy CVE-2023-49606 (Tinyproxy HTTP Connection Headers use-after-free vulnerability that allows for pre-auth RCE). See patch information: https://github.com/tinyproxy/tinyproxy/issues/533. Please note that whether this vulnerability is actually exploitable or not is disputed: https://github.com/tinyproxy/tinyproxy/issues/533#issuecomment-2101202712. Tagging is version based.  Tagged as cve-2023-49606. [tagging first added 2024-05-08]
  • Veeam Backup Enterprise Manager CVE-2024-29849 – Veeam Backup Enterprise Manager allows unauthenticated users to log in as any user to enterprise manager web interface (as well as other vulnerabilities in all versions less than 12.1.2). See: https://www.veeam.com/kb4581. This scan is version based. Tagged as cve-2024-29849. [tagging first added 2024-05-24]
  • Progress Telerik Report Server CVE-2024-4358 authentication bypass vulnerability. See: https://docs.telerik.com/report-server/knowledge-base/registration-auth-bypass-cve-2024-4358. This scan is version based. Tagged as cve-2024-4358. [tagging first added 2024-06-05]
  • SolarWinds Serv-U CVE-2024-28995 directory traversal vulnerability. Patch info: https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28995. This scan is version based. Tagged as cve-2024-28995.[tagging first added 2024-06-09]
  • VMware vCenter CVE-2024-37079 heap-overflow vulnerability in the implementation of the DCERPC protocol. We perform a version check over the exposed HTTP interface, but actual exploitation requires access to the DCERPC service. We tag cve-2024-37079 all the versions that are vulnerable and in addition tag vcenter-dcerpc-exposed all instances that also have the DCERPC service accessible (and thus exploitable). Note this version check also covers CVE-2024-37080. See VMware advisory. [tagging first added 2024-06-19]
  • GeoServer CVE-2024-36401 (CVSS 9.8 GeoTools Eval Injection Vulnerability). Please note the vulnerability is known to be exploited in the wild and seen in our honeypot sensors. It has also been added CISA’s KEV catalog. This check is version based.  If you receive an alert, check for signs of compromise and update. Tagged as cve-2024-36401. [tagging first added 2024-07-23]
  • Cisco Smart Software Manager On-Prem (SSM On-Prem) CVE-2024-20419 – a vulnerability that could allow an unauthenticated, remote attacker to change the password of any user, including administrative users. See the Cisco advisory for necessary updates. This is a version based scan. Tagged as cve-2024-20419. [tagging first added 2024-07-26]
  • VMware ESXi CVE-2024-37085 authentication bypass vulnerability. While only rated MEDIUM criticality (CVSS 6.8) by Broadcom, we consider the vulnerability much more serious as it is being exploited in the wild by ransomware actors. If you receive an alert for your instance, please check for compromise and update. This is a version based scan. We do not check for workarounds or whether the ESXi hypervisor is domain joined, a condition of exploitability. Any report should be viewed as potentially vulnerable and to be verified by the recipient. Tagged as cve-2024-37085. [tagging first added 2024-07-30]
  • Progress Telerik Report Server CVE-2024-6327 insecure deserialization vulnerability. See: https://docs.telerik.com/report-server/knowledge-base/deserialization-vulnerability-cve-2024-6327. This scan is version based. Tagged as cve-2024-6327. [tagging first added 2024-08-03]
  • SolarWinds Web Help Desk CVE-2024-28986 (SolarWinds Web Help Desk Java Deserialization of Untrusted Data Vulnerability). This vulnerability has been exploited in the wild according to CISA and on the CISA KEV list. Note we currently attempt to identify unpatched versions remotely. Please see https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28986 for patch information. Tagged as cve-2024-28986. [tagging first added 2024-08-22]
  • Veeam Backup & Replication CVE-2024-40711 (deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution) – affecting Veeam Backup & Replication 12.1.2.172 and all earlier version 12 builds. Please update as per Veeam advisory: https://www.veeam.com/kb4649 Tagged as cve-2024-40711. [tagging first added 2024-09-06]
  • FileSender CVE-2024-45186 (server-side template injection vulnerability that allows non-authenticated users to retrieve credentials). Please review the advisory Vulnerability in FileSender versions below 2.49 and 3.x beta and update. Tagged as  cve-2024-45186. [tagging first added 2024-09-13]
  • VMware vCenter Server CVE-2024-38812 (heap-overflow vulnerability in the implementation of the DCERPC protocol). We perform a version check over the exposed HTTP interface which detects patch status, but actual exploitation requires access to the DCERPC service which also needs to be exposed. These will have an additional tag vcenter-dcerpc-exposed. See the Broadcom advisory for more information and update!  Tagged as  cve-2024-38812. [tagging first added 2024-09-19].
  • Zimbra Collaboration CVE-2024-45519 command execution vulnerability (postjournal service). The vulnerability is known to be exploited in the wild and added to the CISA KEV catalog. This check is version based (ie. it attempts to identify unpatched versions). If you receive an alert from us, make sure to review for signs of compromise and update your instances to the latest version.  Note that the postjournal service is not enabled by default. Please note that this vulnerability is exploitable via SMTP which needs to be accessible on the target host while our version check is HTTP based. See also: https://blog.zimbra.com/2024/10/zimbra-cve-2024-45519-vulnerability-stay-secure-by-updating/ Tagged as cve-2024-45519 [tagging first added 2024-10-04].
  • Fortinet CVE-2024-23113(Fortinet Multiple Products Format String Vulnerability). The vulnerability is known to be exploited in the wild and added to the CISA KEV catalog. If you receive an alert from us, make sure to review for signs of compromise and update your instances. This check is version based. See Fortinet advisory: https://www.fortiguard.com/psirt/FG-IR-24-029. Tagged as cve-2024-23113 [tagging first added 2024-10-10].
  • SolarWinds Serv-U CVE-2024-45711 Directory Traversal Remote Code Execution Vulnerability. Patch info: https://www.solarwinds.com/trust-center/security-advisories/cve-2024-45711. This scan is version based. Tagged as cve-2024-45711. [tagging first added 2024-10-18].
  • SolarWinds Web Help Desk CVE-2024-28987 (SolarWinds Web Help Desk Hardcoded Credential Vulnerability). This vulnerability has been exploited in the wild according to CISA and on the CISA KEV list. We first observed exploitation attempts October 7th, 2024. Note we currently attempt to identify unpatched versions remotely.  For patch details, see: https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28987. Tagged as cve-2024-28987. [tagging first added 2024-10-23]
  • Microsoft SharePoint CVE-2024-38094 (SharePoint Deserialization Vulnerability allowing for RCE). This vulnerability has been exploited in the wild according to CISA and on the CISA KEV list. This scan is version based. If you receive an alert from us, check for signs of compromise and patch. See: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38094.  Tagged as cve-2024-28987.[tagging first added 2024-11-09]
  • Synology DiskStation and BeeStation CVE-2024-10443 RCE.  For more background please read the disclosure: https://www.midnightblue.nl/research/riskstation. See also advisory and patch information from Synology. (specifically https://www.synology.com/en-global/security/advisory/Synology_SA_24_18 and https://www.synology.com/en-global/security/advisory/Synology_SA_24_19). This scan is version based. Please note that we report out only exposed instances that are likely vulnerable, but the vulnerability can also be exploited remotely using the Synology cloud against devices that remain unpatched even behind a firewall. Tagged as cve-2024-10443. [tagging first added 2024-11-09]
  • Rejetto HTTP File Server CVE-2024-23692 (Rejetto HTTP File Server Improper Neutralization of Special Elements Used in a Template Engine Vulnerability). This vulnerability is exploited in the wild and on CISA KEV list. This scan is version based. Tagged as cve-2024-23692. [tagging first added 2024-11-15]
  • Atlassian Confluence Data Center and Server CVE-2023-22515 (Atlassian Confluence Data Center and Server Broken Access Control Vulnerability). This vulnerability is exploited in the wild and on CISA KEV list. This scan is version based. Tagged as cve-2023-22515. [tagging first added 2024-11-16]
  • PaperCut MF/NG CVE-2023-27350 (PaperCut MF/NG Improper Access Control Vulnerability). This vulnerability is exploited in the wild and on CISA KEV list. This scan is version based. Tagged as cve-2023-27350. [tagging first added 2024-11-16]
  • OwnCloud CVE-2023-49103 (ownCloud graphapi Information Disclosure Vulnerability). This vulnerability is exploited in the wild and on CISA KEV list. We scan to check for the output of /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/.css. Tagged as cve-2023-49103. [tagging first added 2024-11-16]
  • Palo Alto Networks CVE-2024-0012 (Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability). This vulnerability is exploited in the wild together with CVE-2024-9474 and on CISA KEV list. If you receive an alert from us, please check for signs of compromise and patch. Check based on methodology provided by watchTowr (thank you!).  For more details, please read:

    Tagged as cve-2024-0012. [tagging first added 2024-11-20]

  • ProjectSend CVE-2024-11680 (versions prior to r1720 are affected by an improper authentication vulnerability which can be exploited by remote unauthenticated attackers to achieve RCE).  For more details on the vulnerability see https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf. Make sure to patch to the latest version. This is a version based scan. Tagged as cve-2024-11680.[tagging first added 2024-11-27]
  • Veeam Service Provider Console CVE-2024-42448 RCE. The vulnerability has been fixed in 8.1.0.21999. This is a version based scan. Tagged as cve-2024-42448 [tagging first added 2024-12-06]
  • Cleo Harmony, VLTrader and LexiCom products CVE-2024-50623 (unrestricted file upload and download that could lead to remote code execution) and CVE-2024-12632. CVE-2024-55956 was then assigned in place of CVE-2024-12632 which was rejected as a duplicate.  Note CVE-2024-50623 was patched in Cleo-Product-Security-Advisory-CVE-2024-50623 for all versions before 5.8.0.21, but the patch according to has proven ineffective, making all exposed versions vulnerable. See also: https://labs.watchtowr.com/cleo-cve-2024-50623/. This was later fixed by Cleo in another patch release Cleo-Product-Security-Update-CVE-2024-55956. for all versions below 5.8.0.24. Please also see our Device Identification report for all exposed instances. Note: both vulnerabilities are being exploited in the wild. This is a version based scan. Tagged as cve-2024-50623 [tagging first added 2024-12-11] and cve-2024-12632[tagging first added 2024-12-13]. We will update cve-2024-12632 with cve-2024-55956 shortly.
  • Qlik Sense Enterprise for Windows CVE-2024-55579. Make sure to update per Qlik advisory. This is a version based scan. Tagged as cve-2024-55579 [tagging first added 2024-12-11]
  • Ivanti Connect Secure CVE-2025-0282 (Ivanti Connect Secure Stack-Based Buffer Overflow Vulnerability). This vulnerability is known to be exploited in the wild. If you receive an alert from us please follow CISA mitigation instructions. See Ivanti advisory for patch information. This is a version based scan for unpatched instances. We would like to thank watchTowr for the collaboration and insights. Tagged as cve-2025-0282. [tagging first added 2025-01-09]
  • Fortinet FortiOS and FortiProxy CVE-2024-55591 (Authentication bypass in Node.js websocket module). This affects the administrative interface. See https://www.fortiguard.com/psirt/FG-IR-24-535 for mitigation and patch information. We scan using a methodology developed by watchTowr. Please note this vulnerability is confirmed to be exploited in the wild. Tagged as cve-2024-55591.[tagging first added 2025-01-16].
  • SimpleHelp CVE-2024-57727 multiple path traversal vulnerabilities that enable unauthenticated remote attackers to download arbitrary files. This is a version based check. For details, check out the research by HORIZON3.ai. For patch info, consult this SimpleHelp advisory. Tagged as cve-2024-57727. Note that the same versions are affected by other CVEs as well. [tagging first added 2025-01-23]
  • GFI Kerio Control CVE-2024-52875 multiple HTTP response splitting vulnerabilities that can be used to achieve RCE. This vulnerability is patched in Kerio Control version 9.4.5 Patch 1. This is a version based check. Tagged as cve-2024-52875.[tagging first added 2025-02-05]
  • Paessler PRTG Network Monitor CVE-2018-19410 (CVSS 9.8) Local File Inclusion vulnerability. This is an older vulnerability but known to be exploited in the wild and on CISA KEV. If you receive an alert from us, verify for signs of compromise and make sure to update your PRTG instance to the latest version. This is a version based check. Tagged as cve-2018-19410[tagging first added 2025-02-08]
  • Trimble Cityworks CVE-2025-0994 Deserialization Vulnerability. Known to be exploited in the wild and on CISA KEV. If you receive an alert from us, verify for signs of compromise and make sure to update to the latest version. See https://www.cisa.gov/news-events/ics-advisories/icsa-25-037-04. This is a version based check. Tagged as cve-2025-0994[tagging first added 2025-02-08]
  • Ivanti Connect Secure CVE-2025-22467 (authenticated stack-based buffer overflow allowing for RCE). This vulnerability and others have been patched by Ivanti. If you receive an alert from us, make sure to apply the patch! This is a version based check.  Tagged as cve-2025-22467[tagging first added 2025-02-22].
  • Nakivo Backup & Replication CVE-2024-48248 (arbitrary file read vulnerability). Note this vulnerability has had a patch issued by Nakivo Nov 4th (v11.0.0.88174). If you receive an alert from us, please make sure to update to the latest version. This is a version based check. For a deep dive of the vulnerability please check out this blog from watchTowr. Thank you to watchTowr for the early heads up. We added vulnerable-nakivo-backup tagging on 2025-02-13. We also updated the scan to add the tag cve-2024-48248 on 2025-02-27. [tagging first added 2025-02-13]
  • Hirsch (formerly Identiv) Enterphone MESH CVE-2025-26793 (default credentials allowing access to buildings). If you receive an alert from us, please make sure to update your credentials. Note: we perform a version check only, there is no attempt to log in. False positives may be possible if the default credentials were changed, which apparently requires multiple steps. Tagged as  cve-2025-26793. [tagging first added 2025-02-26]
  • VMware ESXi CVE-2025-22224 heap overflow vulnerability. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine’s VMX process running on the host. This vulnerability is known to be exploited in the wild. If you receive an alert from us, please check for any signs of a compromise and please follow the advisory from Broadcom for update/patch information. This is a version based scan. Tagged as cve-2025-22224. [tagging first added 2025-03-04]
  • Veeam Backup & Replication CVE-2025-23120 RCE. Make sure to follow the guidance on the hotfix released by Veeam addressing this vulnerability. For background on the vulnerability please review this analysis by watchTowr. This is a version check. Tagged as cve-2025-23120. [tagging first added 2025-03-20]
  • GLPI CVE-2025-24801.  An authenticated user can upload and force the execution of *.php files located on the GLPI server. Please follow patch guidance from GLPI. This is a version check. Tagged as cve-2025-24801. [tagging first added 2025-03-20]
  • Kubernetes Ingress-nginx CVE-2025-1974. [in Kubernetes]under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. Please note we only make a check for exposure not for the vulnerability. In some cases it is possible the vulnerability was already patched. Nevertheless, we should not be able to access the the Admission Controller component of the Ingress NGINX Controller from the Internet and it should not be exposed. For this reason we are tagging accessible instances with the possible-cve-2025-1974 tag. You can also track exposure in our Device Identification report with device model set to Kubernetes Admission Controller. Please make sure to patch for this and other vulnerabilities. Read more on the vulnerabilities in this blog by Wiz. [tagging first added 2025-03-25]
  • CrushFTP CVE-2025-2825 (CVSS 9.8). CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability that may result in unauthenticated access. Please follow update instructions from CrushFTP and consider switching on automatic updates! We infer the patch time of the instance from the available data to make a decision on whether to tag an instance. Tagged as cve-2025-2825.[tagging first added 2025-03-27]
  • Ivanti Connect Secure CVE-2025-22457 . A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution. This vulnerability and others have been patched by Ivanti in February. For more background on exploitation of this vulnerability and IoCs, please see Mandiant’s blog at Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457). If you receive an alert from us, make sure to check for signs of compromise and apply the patch! This is a version based check.  Tagged as cve-2025-22457[tagging first added 2025-04-04].
  • FortiSwitch CVE-2024-48887 A unverified password change vulnerability in Fortinet FortiSwitch GUI may allow a remote unauthenticated attacker to change admin passwords via a specially crafted request. Note this affects the management interface which should not be exposed to the Internet regardless of this CVE. Please follow https://www.fortiguard.com/psirt/FG-IR-24-435 for patch and mitigation guidance. Our check is based on inferring the version of FortSwitch. Tagged as cve-2024-48887[tagging first added 2025-04-10]
  • Gladinet CentreStack & Triofox CVE-2025-30406. Gladinet CentreStack Use of Hard-coded Cryptographic Key Vulnerability. This vulnerability is known to be exploited in the wild. For background please read the disclosure from Huntress. Make sure to review for compromise and patch to the latest release. Vendor advisory: https://gladinetsupport.s3.us-east-1.amazonaws.com/gladinet/securityadvisory-cve-2005.pdf. Please note the vulnerability affects Triofox as well.  This is a version based check. Tagged as cve-2025-30406[tagging first added 2025-04-17].
  • Infodraw Media Relay System CVE-2025-43928In Infodraw Media Relay Service (MRS) 7.1.0.0, the MRS web server (on port 12654) allows reading arbitrary files via ../ directory traversal in the username field. For background please read the disclosure from Mint Secure. This is a version based check. Tagged as cve-2025-43928[tagging first added 2025-04-23].
  • SAP NetWeaver CVE-2025-31324 (CVSS 3.1 10.0). SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. For background, please read the disclosure by ReliaQuest and overview by RedRays.  This vulnerability is exploited in the wild and on the CISA KEV list. If you receive an alert from us make sure to check for compromise and install the patch – https://me.sap.com/notes/3594142. Tagged as cve-2025-31324[tagging first added 2025-04-25].
  • ScreenConnect CVE-2025-3935. ScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. Please update as per ScreenConnect advisory. This is a version based check. Tagged as cve-2025-3935. [tagging first added 2025-04-30]
  • SysAid CVE-2025-2775 (multiple pre-auth XXE and OS command injection). This is a version based check – all versions prior to 24.4.60 are tagged as cve-2025-2775 starting 2025-06-07 (note on 2025-05-06  sysaid-vulnerable was applied instead, before the release of watchTowr’s analysis that was shared in the Accessible SSL and Accessible HTTP reports). This tagging covers other CVEs as well as described by watchTowr. If you receive an alert from us, make sure to patch. [tagging first added 2025-05-06 as sysaid-vulnerable and shared in Accessible SSL/Accessible HTTP, replaced 2026-06-07 with cve-2025-2775]
  • Samsung magicINFO 9 CVE-2024-7399 – tagged as cve-2024-7399. However, there is some confusion as to whether the the vulnerability was fixed upon disclosure of CVE-2024-7399 or whether this is a new potential additional zero-day as described by Huntress here. CVE-2024-7399 is described as an improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1050 allows attackers to write arbitrary file as system authority. Since 21.050 has also been confirmed as vulnerable we also apply the vulnerable-samsung-magicinfo tag to that version and earlier). Our assessment is based solely on a version check. Note: Samsung has released 21.052 which potentially fixes the new vulnerability (or otherwise fixes an incomplete patch for CVE-2024-7399) https://eu.community.samsung.com/t5/samsung-solutions/update-magicinfo-server-v9-21-1052-0-setup-file/ta-p/11374265. Starting 2025-05-13, this version will not be tagged by us as vulnerable. Please make sure to check for signs of compromise as we have observed attacks in the wild. [tagging first added 2025-05-11].

Other vulnerabilities may be added in the future to this report. As some of the assessments are version based, false positives may be possible (or alternatively, mitigations/workarounds may be in place or affected features not enabled). Please let us know if you believe that is the case for a report we sent you.

You can view results from our vulnerable HTTP scans in our Dashboard here. You can select a tag for a CVE for specific vulnerability to track by selecting CVE-XXXX-XXXX.

Looking for vulnerable Microsoft Exchange CVEs that we track? We have a separate Vulnerable Exchange Server report.

You can track which of the above vulnerabilities we see exploited in our daily Exploited Vulnerabilities list. This is sourced from our honeypot sensor network.

For a report on all exposed devices/models/products check out our Device Identification report. This report effectively provides an asset inventory you can use for incident triage.

For a report about all accessible HTTP hosts (including those without vulnerabilities) please see our Accessible HTTP Report.

For more information on our scanning efforts, check out our Internet scanning summary page.

Severity levels are described here.

This report has an IPv4 and IPv6 version.

Filename(s): scan_http_vulnerable, scan6_http_vulnerable

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the HTTP response came on (always TCP)
  • port
    Port that the HTTP response came from
  • hostname
    Reverse DNS name of the device in question
  • tag
    Additional tag information about host, for example "basic-auth"
  • sector
    Sector to which the device belongs to
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • http
    Hypertext Transfer Protocol Version
  • http_code
    HTTP Response code: e.g., 200, 401, 404
  • http_reason
    The text reason to go with the HTTP Code
  • content_type
    The MIME type of the body of the request (used with POST and PUT requests)
  • connection
    Control options for the current connection and list of hop-by-hop request fields
  • www_authenticate
    Indicates the authentication scheme that should be used to access the requested entity
  • set_cookie
    The HTTP Cookie to be set
  • server
    HTTP Server type
  • content_length
    The length of the response body in octets
  • transfer_encoding
    The form of encoding used to safely transfer the entity to the user
  • http_date
    The date and time that the message was sent
  • build_date
    Build date
  • detail
    Additional details, if any
  • build_branch
    Build branch

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","sector","asn","geo","region","city","naics","hostname_source","http","http_code","http_reason","content_type","connection","www_authenticate","set_cookie","server","content_length","transfer_encoding","http_date","version","build_date","detail","build_branch"
"2010-02-10 00:00:00",medium,192.168.0.1,tcp,10001,node01.example.com,basic-auth;http,,64512,ZZ,Region,City,0,ptr,HTTP/1.0,401,Unauthorized,text/html,close,"Basic realm=\"\"IP_Camera\"\"",,httpd,,,"Wed, 10 Feb 2010 00:00:00 GMT",,,fdcd0173b7155f83f8261da0c4a618e1141716d8f8633fb4fd6c90844a08e33b,/
"2010-02-10 00:00:01",medium,192.168.0.2,tcp,10001,node02.example.com,basic-auth;http,,64512,ZZ,Region,City,0,ptr,HTTP/1.0,401,Unauthorized,text/html,close,"Basic realm=\"\"IP_Camera\"\"",,httpd,,,"Wed, 10 Feb 2010 00:00:01 GMT",,,fdcd0173b7155f83f8261da0c4a618e1141716d8f8633fb4fd6c90844a08e33b,/
"2010-02-10 00:00:02",medium,192.168.0.3,tcp,10001,node03.example.com,basic-auth;http,,64512,ZZ,Region,City,0,,HTTP/1.1,401,Unauthorized,"text/html; charset=%s",close,"Basic realm=\"\"\"\"",,475ed064-dd12-cbe4-1c3b-af42d6b62530,,,"Wed, 10 Feb 2010 00:00:02 GMT",,,02a3ace58bfe5507a76a4034e628bb8e2303ed53be8b1d3732566fb358bc6761,/

Our 135 Report Types

« Back to Network Reporting