Michael Heinzl

33 exploits Active since Nov 2022
CVE-2025-49848 WRITEUP HIGH WRITEUP
PRJ File Parser - Memory Corruption
An out-of-bounds write vulnerability exists within the parsing of PRJ files. The issue results from the lack of proper validation of user-supplied data, which can lead to different memory corruption issues within the application, such as reading and writing past the end of allocated data structures.
CVSS 7.8
CVE-2025-66585 WRITEUP HIGH WRITEUP
AzeoTech DAQFactory <20.7 - Use After Free
In AzeoTech DAQFactory release 20.7 (Build 2555), a use after free vulnerability can be exploited to cause memory corruption while parsing specially crafted .ctl files. This could allow an attacker to execute code in the context of the current process.
CVSS 7.8
CVE-2025-66586 WRITEUP HIGH WRITEUP
AzeoTech DAQFactory <20.7 - Memory Corruption
In AzeoTech DAQFactory release 20.7 (Build 2555), an access of resource using incompatible type vulnerability can be exploited to cause memory corruption while parsing specially crafted .ctl files. This could allow an attacker to execute code in the context of the current process.
CVSS 7.8
CVE-2025-66588 WRITEUP HIGH WRITEUP
AzeoTech DAQFactory < 21.1 - Use-After-Free
In AzeoTech DAQFactory release 20.7 (Build 2555), an access of uninitialized pointer vulnerability can be exploited by an attacker which can lead to arbitrary code execution.
CVSS 7.8
CVE-2025-66590 WRITEUP HIGH WRITEUP
AzeoTech DAQFactory <20.7 - Memory Corruption
In AzeoTech DAQFactory release 20.7 (Build 2555), an out-of-bounds write vulnerability can be exploited by an attacker to cause the program to write data past the end of an allocated memory buffer. This can lead to arbitrary code execution or a system crash.
CVSS 7.8
CVE-2025-6793 METASPLOIT CRITICAL ruby WORKING POC
Marvell QConvergeConsole < 5.5.0.85 - Unauthenticated Path Traversal and Arbitrary File Deletion via QLogicDownloadImpl
Marvell QConvergeConsole QLogicDownloadImpl Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability. This vulnerability allows remote attackers to delete arbitrary files and disclose sensitive information on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the QLogicDownloadImpl class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files and disclose information in the context of SYSTEM. Was ZDI-CAN-24912.
CVSS 9.4
CVE-2024-24809 METASPLOIT HIGH ruby WORKING POC
Traccar - Unrestricted File Upload
Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this vulnerability to upload files with the prefix `device.` under any folder. Attackers can use this vulnerability for phishing, cross-site scripting attacks, and potentially execute arbitrary commands on the server. Version 6.0 contains a patch for the issue.
CVSS 8.5
CVE-2024-5910 METASPLOIT CRITICAL ruby WORKING POC
Palo Alto Expedition Remote Code Execution (CVE-2024-5910 and CVE-2024-9464)
Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition. Note: Expedition is a tool aiding in configuration migration, tuning, and enrichment. Configuration secrets, credentials, and other data imported into Expedition is at risk due to this issue.
CVSS 9.8
CVE-2022-38120 METASPLOIT MEDIUM ruby WORKING POC
POWERCOM UPSMON PRO Path Traversal (CVE-2022-38120) and Credential Harvester (CVE-2022-38121)
UPSMON PRO has a path traversal vulnerability. A remote attacker with general user privileges can exploit this vulnerability to bypass authentication and access arbitrary system files.
CVSS 6.5
CVE-2025-24865 METASPLOIT CRITICAL ruby WORKING POC
mySCADA myPRO Manager - Info Disclosure
The administrative web interface of mySCADA myPRO Manager can be accessed without authentication which could allow an unauthorized attacker to retrieve sensitive information and upload files without the associated password.
CVSS 10.0
CVE-2025-22896 METASPLOIT HIGH ruby WORKING POC
mySCADA myPRO Manager Credential Harvester (CVE-2025-24865 and CVE-2025-22896)
mySCADA myPRO Manager stores credentials in cleartext, which could allow an attacker to obtain sensitive information.
CVSS 8.6
CVE-2023-2915 METASPLOIT HIGH ruby WORKING POC
ThinManager Path Traversal (CVE-2023-2915) Arbitrary File Delete
The Rockwell Automation ThinManager ThinServer is impacted by an improper input validation vulnerability. Due to improper input validation, a path traversal vulnerability exists when the ThinManager software processes a certain function. If exploited, an unauthenticated remote threat actor can delete arbitrary files with system privileges. A malicious user could exploit this vulnerability by sending a specifically crafted synchronization protocol message, resulting in a denial-of-service condition.
CVSS 7.5
CVE-2023-27855 METASPLOIT CRITICAL ruby WORKING POC
ThinManager Path Traversal (CVE-2023-27855) Arbitrary File Upload
In affected versions, a path traversal exists when processing a message in Rockwell Automation's ThinManager ThinServer. An unauthenticated remote attacker could potentially exploit this vulnerability to upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed. The attacker could overwrite existing executable files with attacker-controlled, malicious contents, potentially causing remote code execution.
CVSS 9.8
CVE-2023-2917 METASPLOIT CRITICAL ruby WORKING POC
ThinManager Path Traversal (CVE-2023-2917) Arbitrary File Upload
The Rockwell Automation ThinManager ThinServer is impacted by an improper input validation vulnerability. Due to improper input validation, a path traversal vulnerability exists, via the filename field, when ThinManager processes a certain function. If exploited, an unauthenticated remote attacker can upload arbitrary files to any directory on the disk drive where ThinServer.exe is installed. A malicious user could exploit this vulnerability by sending a crafted synchronization protocol message and potentially gain remote code execution abilities.
CVSS 9.8
CVE-2024-7593 METASPLOIT CRITICAL ruby WORKING POC
Ivanti Virtual Traffic Manager Authentication Bypass (CVE-2024-7593)
Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel.
CVSS 9.8
CVE-2024-20419 METASPLOIT CRITICAL ruby WORKING POC
Cisco Smart Software Manager (SSM) On-Prem Account Takeover (CVE-2024-20419)
A vulnerability in the authentication system of Cisco Smart Software Manager On-Prem (SSM On-Prem) could allow an unauthenticated, remote attacker to change the password of any user, including administrative users. This vulnerability is due to improper implementation of the password-change process. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user.
CVSS 10.0
CVE-2023-6329 METASPLOIT CRITICAL ruby WORKING POC
Control iD iDSecure Authentication Bypass (CVE-2023-6329)
An authentication bypass vulnerability exists in Control iD iDSecure v4.7.32.0. The login routine used by iDS-Core.dll contains a "passwordCustom" option that allows an unauthenticated attacker to compute valid credentials that can be used to bypass authentication and act as an administrative user.
CVSS 9.8
CVE-2024-6670 METASPLOIT CRITICAL ruby WORKING POC
WhatsUp Gold SQL Injection (CVE-2024-6670)
In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.
CVSS 9.8
CVE-2024-5276 METASPLOIT CRITICAL ruby WORKING POC
Fortra FileCatalyst Workflow SQL Injection (CVE-2024-5276)
A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data. Likely impacts include creation of administrative users and deletion or modification of data in the application database. Data exfiltration via SQL injection is not possible using this vulnerability. Successful unauthenticated exploitation requires a Workflow system with anonymous access enabled, otherwise an authenticated user is required. This issue affects all versions of FileCatalyst Workflow from 5.1.6 Build 135 and earlier.
CVSS 9.8
CVE-2022-38121 METASPLOIT MEDIUM ruby WORKING POC
UPSMON PRO - Insufficiently Protected Credentials in Configuration File
The UPSMON PRO configuration file stores user passwords in plaintext under a public user directory. A remote attacker with general user privileges can access all users' and administrators' account names and passwords via this unprotected configuration file.
CVSS 6.5
CVE-2025-2264 METASPLOIT HIGH ruby WORKING POC
Sante PACS Server Path Traversal (CVE-2025-2264)
A Path Traversal Information Disclosure vulnerability exists in "Sante PACS Server.exe". An unauthenticated remote attacker can exploit it to download arbitrary files on the disk drive where the application is installed.
CVSS 7.5
CVE-2023-27856 METASPLOIT HIGH ruby WORKING POC
ThinManager Path Traversal (CVE-2023-27856) Arbitrary File Download
In affected versions, path traversal exists when processing a message of type 8 in Rockwell Automation's ThinManager ThinServer. An unauthenticated remote attacker can exploit this vulnerability to download arbitrary files on the disk drive where ThinServer.exe is installed.
CVSS 7.5
CVE-2024-28987 METASPLOIT CRITICAL ruby WORKING POC
SolarWinds Web Help Desk - Hardcoded Credential
The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing a remote unauthenticated user to access internal functionality and modify data.
CVSS 9.1
CVE-2024-6782 METASPLOIT CRITICAL ruby WORKING POC
Calibre 6.9.0-7.14.0 - Unauthenticated RCE
Improper access control in Calibre 6.9.0 through 7.14.0 allows unauthenticated attackers to achieve remote code execution.
CVSS 9.8