
rapid7.com

20 curated AppSec resources from rapid7.com across 6 topics on appsec.fyi.


Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-06-19.

| Date Added | Year | Resource | Topic | Excerpt |
|---|---|---|---|---|
| 2026-06-19 | 2026 | Rapid7 Analysis: CVE-2020-12271: Sophos XG Firewall Pre-Auth SQL Injection Vulnerability | RCE | Analysis of CVE-2020-12271 details a pre-authentication SQL injection vulnerability affecting Sophos XG Firewalls, which can lead to remote code execution. Exploited in the wild, this zero-day flaw, with a CVSSv3 score of 10, allows attackers to download malware, establish persistence, and exfiltrate credentials. Affected versions include 17.0, 17.1, 17.5, and 18.0. The analysis highlights reverse engineering efforts and ongoing threats even after a patch is available. |
| 2026-06-19 | 2026 | CVE-2021-4191: GitLab GraphQL API User Enumeration (FIXED) | GraphQL | Writeup of CVE-2021-4191, a GitLab GraphQL API vulnerability, details how remote, unauthenticated attackers could enumerate usernames, names, and email addresses. This information leak, classified as CWE-359, enables attackers to build user lists for brute-force attacks and sophisticated phishing campaigns. The article discusses the vulnerability's introduction in GitLab version 13.0, outlines exploitation methods via the `/api/graphql` endpoint, and provides a Python script for user enumeration. Mitigation advice includes patching GitLab instances and disabling public profiles. |
| 2026-06-17 | 2026 | Rapid7 Analysis: CVE-2022-28219 | XXE | Analysis of CVE-2022-28219 details a Java deserialization vulnerability in ManageEngine ADAudit Plus, which, when combined with a blind XXE vulnerability, allows for remote code execution as the service user. The Java deserialization flaw is found in the `/cewolf` endpoint's `img` parameter, permitting path traversal to deserialize arbitrary files. The secondary blind XXE vulnerability in the `/api/agent/tabs/agentData` endpoint can be leveraged to plant files, including serialized Java objects from ysoserial payloads, enabling RCE. This analysis was performed on build 7055, with fixes available in build 7060. |
| 2026-06-17 | 2026 | Rapid7 Analysis: CVE-2020-3992 ESXi OpenSLP remote code execution vulnerability | RCE | Analysis of CVE-2020-3992 details a critical use-after-free vulnerability in VMware ESXi's OpenSLP service, allowing remote code execution with a CVSSv3 score of 9.8. This actively exploited vulnerability, also seen in conjunction with CVE-2019-5544, poses a significant threat as ransomware groups target critical hypervisor infrastructure. Mitigation involves patching ESXi, disabling the SLP service, and restricting management network access. |
| 2026-06-17 | 2026 | Rapid7 Analysis: CVE-2020-16952 Microsoft SharePoint Remote Code Execution Vulnerabilities | RCE | Analysis of CVE-2020-16952 details a Microsoft SharePoint remote code execution vulnerability. Exploitable by authenticated users, it allows arbitrary file disclosure, including the web.config file, enabling .NET deserialization attacks via ysoserial.net. A Metasploit module and Python proof-of-concept exist, demonstrating straightforward exploitation by leaking keys to forge malicious ViewState payloads. Rapid7 recommends immediate patching for SharePoint Foundation 2013, Enterprise Server 2016, and Server 2019. |
| 2026-06-17 | 2026 | Rapid7 Analysis: CVE-2021-26084 Confluence Server OGNL injection | RCE | Analysis of CVE-2021-26084 details a critical OGNL injection vulnerability in Atlassian Confluence Server and Data Center. This flaw, carrying a CVSSv3 score of 9.8, allows unauthenticated remote code execution. Widespread exploitation began in September 2021, with attackers initially deploying coin miners and later ransomware. The vulnerability resides in the `createpage-entervariables` functionality, and proof-of-concept code is publicly available. |
| 2026-06-17 | 2026 | Rapid7 Analysis: Pre-auth RCE in ForgeRock Access Manager (CVE-2021-35464) | RCE | Analysis of CVE-2021-35464 reveals a pre-authentication remote code execution vulnerability in ForgeRock Access Manager and OpenIdentity Platform's OpenAM. This Java deserialization flaw within the JATO framework is exploitable via a simple GET or POST request, yielding code execution on vulnerable systems running versions below 7.0 on Java 8. Rapid7 identified over 1,000 internet-facing systems potentially exposed, with proof-of-concept exploit code readily available. |
| 2026-06-17 | 2026 | Rapid7 Analysis: CVE-2021-44228 (Log4Shell) | RCE | Analysis of CVE-2021-44228, the Log4Shell vulnerability in Apache Log4j, details its critical remote code execution capabilities triggered by specially crafted log messages. This write-up provides exploitation methods, including a proof-of-concept against Apache Struts 2, and outlines mitigation strategies like upgrading Log4j, setting system properties, or removing the `JndiLookup` class. It also recommends monitoring for indicators like "${jndi:" strings and mentions IDS coverage from EmergentThreat Labs. |
| 2026-06-17 | 2026 | Rapid7 Analysis: CVE-2022-26134 | RCE | Analysis of CVE-2022-26134 details a critical unauthenticated RCE vulnerability in Atlassian Confluence Server and Data Center. This OGNL injection flaw, exploitable via HTTP requests, allows attackers to execute arbitrary code on the server. Rapid7's writeup provides technical details on exploitation, including crafted curl commands that insert payloads into URIs and retrieve command output via HTTP headers, and notes that this vulnerability is similar to CVE-2021-26084. |
| 2026-06-17 | 2026 | Rapid7 Analysis: CVE-2022-3786 | RCE | Analysis of CVE-2022-3786 details an arbitrary-length overflow vulnerability in OpenSSL's Punycode library within libcrypto.so. This flaw, occurring during Punycode domain name parsing via the `ossl_a2ulabel` function, allows an unbounded number of period characters to be appended to a buffer, potentially leading to denial of service or, in rare circumstances, exploitable memory corruption. While exploitation is unlikely due to specific memory layout requirements, affected versions include OpenSSL 3.0.0 through 3.0.6. Updating to OpenSSL 3.0.7 is recommended. |
| 2026-06-17 | 2026 | Rapid7 Analysis: CVE-2023-42793 | RCE | Analysis of CVE-2023-42793 reveals a critical authentication bypass in JetBrains TeamCity, affecting versions prior to 2023.05.4. This vulnerability, stemming from improper handling of the wildcard path `/**/RPC2` within the `RequestInterceptors` class, allows unauthenticated attackers to achieve remote code execution. By exploiting this flaw, attackers can gain access to sensitive data like source code and build artifacts, potentially enabling supply chain attacks. The analysis details patch diffing using BeyondCompare and decompilation with cfr to identify the root cause in `RequestInterceptors.java` and the target endpoint within the `rest-api.jar`. |
| 2026-06-17 | 2026 | Rapid7 Analysis: CVE-2023-46747 | RCE | Analysis of CVE-2023-46747 details an unauthenticated remote code execution vulnerability in F5 BIG-IP's Traffic Management User Interface (TMUI). This flaw, stemming from mishandled AJP requests between Apache and the AJP server, allows attackers to smuggle AJP requests. By crafting specific requests, an attacker can create a new administrator user, change its password, and then exploit the system to leak hashes or execute OS commands via the `mgmt/tm/util/bash` resource, achieving full device compromise. |
| 2026-06-17 | 2026 | Rapid7 Analysis: CVE-2024-12356 | SQLi | Analysis of CVE-2024-12356, a critical unauthenticated RCE in BeyondTrust Privileged Remote Access and Remote Support, reveals it was exploited as a zero-day alongside a newly discovered PostgreSQL vulnerability, CVE-2025-1094. Rapid7's research indicates CVE-2024-12356, more accurately an argument injection (CWE-88) than a command injection (CWE-77), often relies on CVE-2025-1094 for RCE. While the BeyondTrust patch addresses both vulnerabilities, Rapid7 also found a method to exploit CVE-2025-1094 independently in certain implementations. |
| 2026-04-22 | 2026 | Grav CMS Twig SSTI Authenticated Sandbox Bypass RCE | SSTI | Module for exploiting CVE-2025-66294, a Grav CMS Twig SSTI vulnerability that bypasses sandbox restrictions for remote code execution. This exploit utilizes weak regex in `cleanDangerousTwig` to handle nested Twig calls and leverages CVE-2025-66301, a broken access control flaw, allowing authenticated users to modify YAML frontmatter for payload injection. |
| 2026-04-19 | 2026 | CVE-2025-1094: PostgreSQL psql SQL Injection (Fixed) — Rapid7 | SQLi | Analysis of CVE-2025-1094, a high-severity SQL injection vulnerability in PostgreSQL's psql tool, impacting versions prior to 17.3, 16.7, 15.11, 14.16, and 13.19. Discovered by Rapid7, this flaw, with a CVSS 3.1 score of 8.1, arises from improper handling of escaped untrusted input containing invalid UTF-8 characters. Exploitation can lead to arbitrary code execution via meta-commands or arbitrary SQL statement execution. This vulnerability was found to be a prerequisite for exploiting CVE-2024-12356 against BeyondTrust products, though both are now patched. |
| 2026-04-17 | 2026 | Active Exploitation of Confluence CVE-2022-26134 (Rapid7) | SSTI | Writeup of CVE-2022-26134 details an unauthenticated OGNL injection vulnerability in Confluence Server and Data Center, allowing remote code execution. The vulnerability is actively exploited in the wild, with proof-of-concept exploits targeting HTTP requests to inject OGNL payloads. Successful exploitation allows attackers to execute commands and exfiltrate output via HTTP response headers, similar to the previous CVE-2021-26084. Rapid7's analysis highlights the OGNL injection mechanism and provides examples of exploitation, emphasizing the risk to internet-facing instances. |
| 2026-04-10 | 2026 | CSRF Attacks - Rapid7 | CSRF | Reference defining Cross-Site Request Forgery (CSRF) attacks, detailing how they exploit user trust and authenticated sessions to perform unauthorized actions, such as money transfers or account alterations. It covers attack mechanisms, including social engineering and stored CSRF via XSS like the Samy MySpace worm, and highlights impacts on services like Gmail and Facebook. Prevention strategies emphasize enabling CSRF protection, utilizing CSRF tokens, and conducting regular web application security testing and penetration testing to mitigate risks. |
| 2026-04-10 | 2026 | React2Shell: Critical Unauthenticated RCE in React Server Components | RCE | Writeup of CVE-2025-55182, a critical unauthenticated RCE vulnerability affecting React Server Components and frameworks like Next.js, dubbed React2Shell. Exploitation in the wild has begun, with a working proof-of-concept and Metasploit module available. The vulnerability, with a CVSS of 10.0, allows attackers to execute arbitrary code via malicious HTTP requests. Remediation involves updating affected React packages to versions 19.0.1, 19.1.2, or 19.2.1. Rapid7 customers have detection capabilities via Exposure Command, InsightVM, and Nexpose. |
| 2026-04-10 | 2026 | CVE-2026-1731: Critical Unauthenticated RCE in BeyondTrust Remote Support | RCE | Writeup of CVE-2026-1731, a critical unauthenticated RCE in BeyondTrust Remote Support and Privileged Remote Access products, which allows attackers to execute arbitrary OS commands. This vulnerability, with a CVSSv4 score of 9.9, affects RS versions 25.3.1 and prior, and PRA versions 24.3.4 and prior. While SaaS instances were patched, self-hosted deployments require manual updates. Discovered by Hacktron AI, the flaw was added to CISA's KEV list on February 13, 2026. Rapid7 customers using Exposure Command, InsightVM, and Nexpose can assess their exposure with authenticated checks released February 9, 2026. |
| 2026-04-06 | 2026 | Metasploit Wrap-Up 04/03/2026 | RCE | Library updates for Metasploit Framework introduce new HTTP/HTTPS CMD payloads for Windows, enabling RCE against FreeScout (CVE-2026-27636, CVE-2026-28289) and Grav CMS (CVE-2025-50286). It also adds a generic HTTP command execution exploit, a Windows persistence technique via `UserInitMprLogonScript`, and various enhancements, bug fixes, and documentation updates. |