A repository of awesome vulnerability research writeups targeting various products. This is useful when reviewing previous research into an application or appliance.
Pwning 3CX Phone Management Backends from the Internet
https://medium.com/@frycos/pwning-3cx-phone-management-backends-from-the-internet-d0096339dd88
CVE-2017-5638
https://www.aon.com/cyber-solutions/aon_cyber_labs/an-analysis-of-cve-2017-5638/
Apache Superset Part II: RCE, Credential Harvesting and More
https://www.horizon3.ai/apache-superset-part-ii-rce-credential-harvesting-and-more/
Analysis of an Atlassian Crowd RCE - CVE-2019-11580
https://corben.io/blog/19-7-14-atlassian-crowd-rce
CVE-2023-20198
https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/
Strike Three :: Symlinking Your Way to Unauthenticated Access Against Cisco UCS Director
https://srcincite.io/blog/2020/04/17/strike-three-symlinking-your-way-to-unauthenticated-access-against-cisco-ucs-director.html#authentication-bypass
Remote Code Execution in Citrix ADC (2020)
https://swarm.ptsecurity.com/remote-code-execution-in-citrix-adc/
CVE-2023-22515
https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis
Vulnerability Causing Deletion of All Users in CrushFTP Admin Area
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vulnerability-causing-deletion-of-all-users-in-crushftp-admin-area/
CVE-2023-22374: F5 BIG-IP Format String Vulnerability
https://www.rapid7.com/blog/post/2023/02/01/cve-2023-22374-f5-big-ip-format-string-vulnerability/
F5 iControl REST Endpoint Authentication Bypass Technical Deep Dive (CVE-2022-1388)
https://www.horizon3.ai/f5-icontrol-rest-endpoint-authentication-bypass-technical-deep-dive/
With Management Comes Risk: Finding Flaws in FileWave MDM
https://claroty.com/team82/research/with-management-comes-risk-finding-flaws-in-filewave-mdm
CVE-2022-0540 - Authentication Bypass in Seraph
https://blog.viettelcybersecurity.com/cve-2022-0540-authentication-bypass-in-seraph/
OpsManager (CVE-2019-17602)
https://medium.com/@frycos/finding-sql-injections-fast-with-white-box-analysis-a-recent-bug-example-ca449bce6c76
ZohOwned :: A Critical Authentication Bypass on Zoho ManageEngine Desktop Central
https://srcincite.io/blog/2022/01/20/zohowned-a-critical-authentication-bypass-on-zoho-manageengine-desktop-central.html
How to Exploit CVE-2021-40539 on ManageEngine ADSelfService Plus
https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus
CVE-2022-35405 ManageEngine RCE (Password Manager Pro, PAM360 and Access Manager Plus)
https://www.bigous.me/2022/09/06/CVE-2022-35405.html
ManageEngine CVE-2022-47966 Technical Deep Dive
https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/
CVE-2022-47966 SAML ShowStopper
https://blog.viettelcybersecurity.com/saml-show-stopper/
Post-Auth Deserialization Remote Code Execution Issue (CVE-2021-42321)
https://peterjson.medium.com/some-notes-about-microsoft-exchange-deserialization-rce-cve-2021-42321-110d04e8852
MOVEIt Transfer RCE Part Two (CVE-2023-34362)
https://blog.assetnote.io/2023/06/13/moveit-transfer-part-two/
MOVEit Transfer CVE-2023-34362 Deep Dive and Indicators of Compromise
https://www.horizon3.ai/moveit-transfer-cve-2023-34362-deep-dive-and-indicators-of-compromise/
Our Pwn2Own journey against time and randomness (part 2)
https://blog.quarkslab.com/our-pwn2own-journey-against-time-and-randomness-part-2.html
PaperCut CVE-2023-27350 Deep Dive and Indicators of Compromise
https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise/
SonicWall SMA 500v
https://www.rapid7.com/blog/post/2022/01/11/cve-2021-20038-42-sonicwall-sma-100-multiple-vulnerabilities-fixed-2/
SonicWall SMA 100 Series: Heap-Based Buffer Overflow (CVE-2021-20043)
https://research.nccgroup.com/2021/12/09/technical-advisory-sonicwall-sma-100-series-heap-based-buffer-overflow-cve-2021-20043/
SonicWall SMA 100 Series: Post-Authentication Remote Command Execution (CVE-2021-20044)
https://research.nccgroup.com/2021/12/09/technical-advisory-sonicwall-sma-100-series-post-authentication-remote-command-execution-cve-2021-20044/
SonicWall SMA 100 Series: Unauthenticated Stored XSS
https://research.nccgroup.com/2021/12/10/technical-advisory-sonicwall-sma-100-series-unauthenticated-stored-xss/
SonicWall SMA 100 Series: Unauthenticated Arbitrary File Deletion
https://research.nccgroup.com/2021/12/10/technical-advisory-sonicwall-sma-100-series-unauthenticated-arbitrary-file-deletion/
SonicWall SMA 100 Series: Multiple Unauthenticated Heap-based and Stack-based Buffer Overflow (CVE-2021-20045)
https://research.nccgroup.com/2021/12/09/technical-advisory-sonicwall-sma-100-series-multiple-unauthenticated-heap-based-and-stack-based-buffer-overflow-cve-2021-20045/
SonicWall Global Management System (GMS) & Analytics: Multiple Critical Vulnerabilities
https://research.nccgroup.com/2023/08/24/technical-advisory-sonicwall-global-management-system-gms-analytics-multiple-critical-vulnerabilities/
A 3-Year Tale of Hacking a Pwn2Own Target by Orange Tsai
https://www.youtube.com/watch?v=uGofhlB1vZU
Analysis of CVE-2023-46214 + PoC
https://blog.hrncirik.net/cve-2023-46214-analysis
TeamCity Unauthenticated Remote Code Execution (CVE-2023-42793)
https://www.sonarsource.com/blog/teamcity-vulnerability/
CVE-2022-31656
https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
Eat What You Kill :: Pre-authenticated Remote Code Execution in VMWare NSX Manager
https://srcincite.io/blog/2022/10/25/eat-what-you-kill-pre-authenticated-rce-in-vmware-nsx-manager.html
Exploiting Hardcoded Keys to achieve RCE in Yellowfin BI
https://blog.assetnote.io/2023/01/24/yellowfin-auth-bypass-to-rce/
Western Digital My Cloud Pro Series PR4100 NAS
https://www.crowdstrike.com/blog/pwn2own-tale-of-a-bug-found-and-lost-again/