Horizon3 Attack Team

We used Claude to discover CVE-2026-34197, a remote code execution vulnerability affecting the #Apache #ActiveMQ Classic web console. This is exploitable with default creds or completely unauthenticated for certain versions. horizon3.ai/intelligence/b…

Today we are disclosing the details of CVE-2025-40551, an unauth deserialization vuln leading to remote code execution affecting SolarWinds WebHelpDesk. Find the technical details, indicators of compromise, and proof-of-concept exploit in the blog. horizon3.ai/attack-researc…

Shout out to @_splitline_ and @cfreal_ for their prior work that enabled this research.

We found an interesting CTF-inspired vuln CVE-2026-22200 affecting osTicket, a popular ticketing system. It allows anonymous attackers to exfil local files as BMP images through the mPDF library. This can be chained to RCE if the host is vuln to CNEXT (CVE-2024-2961) horizon3.ai/attack-researc…

Today we are disclosing the details of CVE-2025-64155, an unauth argument injection leading to root remote code execution affecting the Fortinet FortiSIEM. Find the technical details, indicators of compromise, and proof-of-concept exploit in the blog. horizon3.ai/attack-researc…

Check out our new deep dive on CVE-2025-66039 and other related CVEs. We found an authentication bypass, multiple SQL injections, and file upload to RCE in FreePBX. horizon3.ai/attack-researc…

horizon3.ai/attack-researc… While investigating prior CISA KEVs effecting N-able N-central, we discovered a series of vulns that would allow an unauth attacker to leak files via XXE, and in most cases, compromise the N-central database. The DB contains AD creds, API keys, SSH keys, and integration secrets. Check out our latest blog detailing CVE-2025-9316 and CVE-2025-11700.

Our latest disclosures for CVE-2025-8355 and CVE-2025-8356 - discovering a critical RCE in Xerox FreeFlow Core horizon3.ai/attack-researc…

Session keys and passwords aplenty, here’s our deep-dive for CVE-2025-5777, aka CitrixBleed 2. Apart from the normal root-cause analysis, we’ve doubled down on actionable steps to investigate Indicators of Compromise. horizon3.ai/attack-researc…

@Chak092 This is an example log from ns.log that shows what the non-printable characters look like. We have blurred the specific subsystem source for the time being.

@Horizon3Attack @Horizon3Attack , can you put some content or screenshots of NS.log that do not contain sensitive information? Thanks

CVE-2025-5777, aka #CitrixBleed 2, allows leaking of memory in the response which can allow for compromising session tokens, and other sensitive information. A deep-dive to follow next week.

Checkout our new deep dive on CVE-2025-34508 -- a path traversal vulnerability in #ZendTo. horizon3.ai/attack-researc…

Our latest blog looks at CVE-2025-20188, an arbitrary file upload in #Cisco IOS XE Wireless Controllers due to a hardcoded credential. horizon3.ai/attack-researc…

Check out our latest deep dive into the #Fortinet CVE-2025-32756, a classic buffer overflow! This is being exploited in the wild and was added to the CISA KEV catalog last week. horizon3.ai/attack-researc…

Just finished reproducing CVE-2025-32433 and putting together a quick PoC exploit — surprisingly easy. Wouldn’t be shocked if public PoCs start dropping soon. If you’re tracking this, now’s the time to take action. #Erlang #SSH

We discovered an interesting code injection vulnerability, CVE-2025-3248, affecting #Langflow, a popular agentic AI workflow tool. This enables unauthenticated attackers to fully compromise Langflow servers. horizon3.ai/attack-researc…

Our Indicators of Compromise blog post for CVE-2025-2825, an authentication bypass affecting #CrushFTP. horizon3.ai/attack-researc…

Today, we are disclosing the details of 4 vulns effecting #Ivanti #EPM which allow an unauth attacker to coerce the machine credential of the EPM server to be used in relay attacks. horizon3.ai/attack-researc… Depending on the environment, compromising the EPM server may be possible - allowing attackers to pivot from the EPM server to EPM clients. 🔺 CVE-2024-10811 🔺 CVE-2024-13161 🔺 CVE-2024-13160 🔺 CVE-2024-13159