labs.watchtowr.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-29.
| Date Added | Resource | Topics | Excerpt |
|---|---|---|---|
| 2026-06-29 | Enterprise Tech In Shell Out (Progress Kemp LoadMaster Uninitialized Heap to Pre-Auth RCE CVE-2026-8037) | RCE | This article details a critical pre-authentication remote code execution (RCE) vulnerability, CVE-2026-8037, affecting Progress Kemp LoadMaster. The flaw stems from uninitialized heap memory. Successful exploitation allows an unauthenticated attacker to take control of affected devices, posing a significant risk to enterprise networks. |
| 2026-06-13 | Why Use App-Level Auth When Every Database Has Auth? (Splunk Enterprise CVE-2026-20253 Pre-Auth RCE) | AuthZ, RCE | Writeup detailing Splunk Enterprise CVE-2026-20253, a pre-authentication RCE vulnerability. The analysis highlights how the PostgreSQL Sidecar Service endpoint, enabled by default in AWS deployments and in Splunk versions 10+, lacks authentication, allowing unauthenticated invocation of file operations such as backup and restore. The research demonstrates a path to exploitation by proxying requests through the main Splunk web application. |
| 2026-06-12 | Why Use App-Level Auth When Every Database Has Auth? (Splunk Enterprise CVE-2026-20253 Pre-Auth RCE) | RCE | Writeup detailing CVE-2026-20253, a pre-authentication remote code execution vulnerability in Splunk Enterprise. The writeup explains how the PostgreSQL Sidecar Service, enabled by default on AWS deployments and available in version 10+, lacks authentication, allowing unauthenticated users to trigger file operations such as backup creation. This leads to arbitrary file creation and truncation, ultimately enabling RCE through the Splunkd web application, which proxies requests to the vulnerable service on port 5435. |
| 2026-06-12 | Marking Your Own Homework (Check Point Remote Access VPN IKEv1 Authentication Bypass CVE-2026-50751) | AuthN, RCE | Analysis of CVE-2026-50751 reveals a critical authentication bypass vulnerability in the IKEv1 implementation of Check Point Remote Access VPN. A logic flaw in certificate validation allowed attackers to skip signature verification by manipulating a client-controlled flag, effectively bypassing authentication. This vulnerability, present in multiple Gaia versions, was exploited in the wild by threat actors, including a Qilin ransomware affiliate. The patch modifies the `process_cert_payloads` function in the `iked` daemon to enforce policy-based certificate validation rather than trusting client-controlled flags. |
| 2026-06-10 | More Evidence That Words Don't Mean What We Thought They Meant (Ivanti Sentry Pre-Auth OS Command Injection CVE-2026-10520) | RCE | Analysis of CVE-2026-10520 in Ivanti Sentry reveals a critical pre-authentication OS command injection vulnerability. Exploiting this flaw allows remote, unauthenticated attackers to achieve root-level remote code execution by crafting specific input strings processed by the `handleMessage` endpoint. The vulnerability stems from improper handling of the user-supplied `message` parameter, which is parsed and passed directly into internal commands, enabling injection of arbitrary OS commands. The advisory details the affected versions and the technical path leading to this high-severity flaw. |
| 2026-04-16 | SmarterTools SmarterMail Pre-Auth RCE (CVE-2025-52691) | RCE | Writeup of CVE-2025-52691, a pre-authentication remote code execution vulnerability in SmarterTools SmarterMail. The analysis details how an unauthenticated file upload endpoint, which accepts a JSON-deserializable `contextData` parameter, lets an attacker control a `guid` property. The patched build 9413 introduces GUID validation, indicating that manipulating this field during upload processing was the exploitation path; the finding is credited to Mr Chua Meng Han of CSIT. |
| 2026-04-16 | Domain-Level RCE in Veeam Backup & Replication (CVE-2025-23120) | RCE | Writeup detailing CVE-2025-23120, a domain-level RCE in Veeam Backup & Replication. The vulnerability arises from a flawed blacklist-based deserialization mechanism that allows domain users to obtain SYSTEM privileges on the Veeam server. The attack leverages the .NET Remoting channel and a specific class, `Veeam.Backup.Model.CDbCryptoKeyInfo`, which ultimately reaches an inner deserialization step guarded only by a blacklist. This writeup follows previous research on CVE-2024-40711, also in Veeam, highlighting the persistent weakness of blacklist-based defenses. |
| 2026-04-16 | Exploitation Walkthrough - Ivanti Connect Secure RCE (CVE-2025-0282) | RCE | Walkthrough of CVE-2025-0282 in Ivanti Connect Secure, detailing a stack-based buffer overflow in the `ift_handle_1` function. Exploitation involves crafting a malicious `clientCapabilities` block exceeding 256 bytes to trigger an out-of-bounds write. While directly overwriting the return address is complicated by a preceding `free()` call on `object_to_be_freed`, an alternative exploitation path leverages a virtual function call at offset 0x48 within `a1`. |
| 2025-11-12 | Is It CitrixBleed4? Well No. Is It Good? Also No. (Citrix NetScaler Memory Leak & RXSS CVE-2025-12101) | XSS | Writeup detailing CVE-2025-12101, a reflected XSS vulnerability in Citrix NetScaler's SAML RelayState parameter. The analysis also covers an undocumented memory leak (WT-2025-0089) triggered by a specific AAA virtual server misconfiguration, noting the continued fragility of memory management in these appliances. |