Horizon3.ai Attack Team

33 exploits Active since May 2022
CVE-2022-40684 NOMISEC CRITICAL WORKING POC
Fortinet Fortiproxy < 7.0.7 - Authentication Bypass
An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
355 stars
CVSS 9.8
CVE-2022-39952 NOMISEC CRITICAL WORKING POC
Fortinet FortiNAC keyUpload.jsp arbitrary file write
A external control of file name or path in Fortinet FortiNAC versions 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8.0 through 8.8.11, 8.7.0 through 8.7.6, 8.6.0 through 8.6.5, 8.5.0 through 8.5.4, 8.3.7 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP request.
266 stars
CVSS 9.8
CVE-2022-1388 NOMISEC CRITICAL WORKING POC
F5 BIG-IP iControl RCE via REST Authentication Bypass
On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
231 stars
CVSS 9.8
CVE-2022-22972 NOMISEC CRITICAL WORKING POC
VMware Identity Manager Workspace ONE Access and vRealize Automation - Authentication Bypass
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
153 stars
CVSS 9.8
CVE-2022-47966 NOMISEC CRITICAL WORKING POC
ManageEngine ADSelfService Plus Unauthenticated SAML RCE
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41. ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active).
127 stars
CVSS 9.8
CVE-2024-0204 NOMISEC CRITICAL WORKING POC
Fortra GoAnywhere MFT Unauthenticated Remote Code Execution
Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.
65 stars
CVSS 9.8
CVE-2023-34051 NOMISEC CRITICAL WORKING POC
VMware Aria Operations for Logs - RCE
VMware Aria Operations for Logs contains an authentication bypass vulnerability. An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution.
61 stars
CVSS 9.8
CVE-2023-27350 NOMISEC CRITICAL WORKING POC
PaperCut MF and NG 8.0-20.1.7 - Unauthenticated Remote Code Execution via SetupCompleted
This vulnerability allows remote attackers to bypass authentication on affected installations of PaperCut NG 22.0.5 (Build 63914). Authentication is not required to exploit this vulnerability. The specific flaw exists within the SetupCompleted class. The issue results from improper access control. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-18987.
57 stars
CVSS 9.8
CVE-2023-48788 NOMISEC CRITICAL WORKING POC
Fortinet Forticlient Endpoint Management Server - SQL Injection
A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, FortiClientEMS 7.0.1 through 7.0.10 allows attacker to execute unauthorized code or commands via specially crafted packets.
52 stars
CVSS 9.8
CVE-2024-9464 NOMISEC MEDIUM WORKING POC
Palo Alto Networks Expedition 1.2.0-1.2.95 - Authenticated OS Command Injection
An OS command injection vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
45 stars
CVSS 6.5
CVE-2023-38035 NOMISEC CRITICAL WORKING POC
Ivanti Sentry MICSLogService Auth Bypass resulting in RCE (CVE-2023-38035)
A security vulnerability in MICS Admin Portal in Ivanti MobileIron Sentry versions 9.18.0 and below, which may allow an attacker to bypass authentication controls on the administrative interface due to an insufficiently restrictive Apache HTTPD configuration.
40 stars
CVSS 9.8
CVE-2024-23108 NOMISEC CRITICAL WORKING POC
Fortinet FortiSIEM - OS Command Injection
An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet allows attacker to execute unauthorized code or commands via via crafted API requests.
34 stars
CVSS 10.0
CVE-2025-64155 NOMISEC CRITICAL WORKING POC
FortiSIEM 6.7.0-6.7.10, 7.0.0-7.0.4, 7.1.0-7.1.8, 7.3.0-7.3.4, 7.4.0 - OS Command Injection via TCP Requests
An improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSIEM 7.4.0, FortiSIEM 7.3.0 through 7.3.4, FortiSIEM 7.1.0 through 7.1.8, FortiSIEM 7.0.0 through 7.0.4, FortiSIEM 6.7.0 through 6.7.10 may allow an attacker to execute unauthorized code or commands via crafted TCP requests.
30 stars
CVSS 9.8
CVE-2024-9465 NOMISEC CRITICAL WORKING POC
Palo Alto Networks Expedition 1.2.0-1.2.95 - Unauthenticated SQL Injection and Arbitrary File Write
An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.
30 stars
CVSS 9.1
CVE-2023-34992 NOMISEC CRITICAL WORKING POC
FortiSIEM 6.6.0-6.6.2 - OS Command Injection via Crafted API Requests
A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet allows attacker to execute unauthorized code or commands via crafted API requests.
27 stars
CVSS 10.0
CVE-2024-29824 NOMISEC HIGH WORKING POC
Ivanti EPM RecordGoodApp SQLi RCE
An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.
26 stars
CVSS 8.8
CVE-2023-28324 NOMISEC CRITICAL WORKING POC
Ivanti Endpoint Manager < 2022 - Privilege Escalation or Remote Code Execution
A improper input validation vulnerability exists in Ivanti Endpoint Manager 2022 and below that could allow privilege escalation or remote code execution.
20 stars
CVSS 9.8
CVE-2024-8190 NOMISEC HIGH WORKING POC
Ivanti Cloud Services Appliance <4.6.518 - Command Injection
An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution. The attacker must have admin level privileges to exploit this vulnerability.
17 stars
CVSS 7.2
CVE-2024-1403 NOMISEC CRITICAL WORKING POC
OpenEdge < 11.7.19 - Authentication Bypass via Credential Handling Failure
In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an authentication bypass vulnerability has been identified.  The vulnerability is a bypass to authentication based on a failure to properly handle username and password. Certain unexpected content passed into the credentials can lead to unauthorized access without proper authentication.  
16 stars
CVSS 10.0
CVE-2024-13159 NOMISEC CRITICAL WORKING POC
Ivanti Endpoint Manager < 2022 - Unauthenticated Absolute Path Traversal
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
13 stars
CVSS 9.8
CVE-2026-22200 NOMISEC HIGH WORKING POC
Enhancesoft osTicket 1.17.0-1.17.6 and 1.18.0-1.18.2 - Unauthenticated Arbitrary File Read via Ticket PDF Export
Enhancesoft osTicket versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficiently sanitized before being processed by the mPDF PDF generator during export. When the attacker exports the ticket to PDF, the generated PDF can embed the contents of attacker-selected files from the server filesystem as bitmap images, allowing disclosure of sensitive local files in the context of the osTicket application user. This issue is exploitable in default configurations where guests may create tickets and access ticket status, or where self-registration is enabled.
8 stars
CVSS 7.5
CVE-2024-28987 NOMISEC CRITICAL WORKING POC
SolarWinds Web Help Desk - Hardcoded Credential
The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing remote unauthenticated user to access internal functionality and modify data.
7 stars
CVSS 9.1
CVE-2025-11700 GITHUB HIGH python WORKING POC
N-able N-Central Authentication Bypass and XXE Scanner
N-central versions < 2025.4 are vulnerable to multiple XML External Entities injection leading to information disclosure
2 stars
CVSS 7.5
CVE-2025-9316 NOMISEC MEDIUM WORKING POC
N-central <2025.4 - Info Disclosure
N-central < 2025.4 can generate sessionIDs for unauthenticated users This issue affects N-central: before 2025.4.
2 stars
CVE-2023-34992 GITHUB CRITICAL python WORKING POC
FortiSIEM 6.6.0-6.6.2 - OS Command Injection via Crafted API Requests
A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet allows attacker to execute unauthorized code or commands via crafted API requests.
CVSS 10.0