
Continuous Automated Red Teaming (CART)

CVE-2025-20281 (Cisco ISE)

Description: Injection vulnerability in Cisco ISE API enabling unauthenticated RCE. Technical Details: CVSS Score: 10.0 (Critical). Exploit: Attackers submit crafted POST requests to /admin/XXX endpoints with malicious JSON payloads (`{"command":"exec"}`), exploiting insufficient input validation to execute code with root privileges. Bobby Gould's PoC showed unsafe deserialization in JSON inputs, enabling RCE from Chinese IPs (e.g.,…

CVE-2025-2775 (SysAid On-Prem)

Description: XXE vulnerability allowing data harvesting via XML-based exploits. Technical Details: CVSS Score: 9.3 (Critical). Exploit: Attackers inject malicious XML payloads (e.g., `<!ENTITY xxe SYSTEM "file:///etc/shadow">`) into /api/v1/servicenow, accessing sensitive files or exfiltrating data. The vulnerability stems from improper XML parser configuration (resolveEntities=true). Exploits chain with CVE-2025-2776 for admin takeover, modifying role_id fields (`<user><role_id>admin</role_id></user>`). Data…

ServiceNow Database Exposure

Overview: Over 105 ServiceNow databases were exposed due to critical vulnerabilities, with stolen data sold on dark web forums. Technical Details: Attack Vector: Exploited CVE-2025-2775 (SysAid On-Prem XXE vulnerability, CVSS 9.3) targeting ServiceNow's IT service management API (/api/v1/servicenow). Exploitation: Attackers injected malicious XML payloads (e.g., `<!ENTITY xxe SYSTEM "file:///etc/passwd">`) to access sensitive files and exfiltrate…

CoinDCX Cryptocurrency Exchange Breach

Overview: Indian crypto exchange CoinDCX was breached, with attackers stealing wallet credentials and transaction data, causing $1.2M in losses. Technical Details: Attack Vector: Exploited CVE-2025-20281 (Cisco ISE injection vulnerability, CVSS 10.0) in a third-party payment gateway's API endpoint (/admin/XXX) integrated with CoinDCX. Exploitation: Attackers sent crafted POST requests (Content-Type: application/json) with malicious SQL payloads ('…

CVE-2025-2776 (SysAid On-Prem)

Description: Vulnerability enabling administrator takeover via XML-based exploits. Technical Details: CVSS Score: 9.2 (Critical). Exploit: Attackers exploit weak XML validation to inject payloads that modify role_id fields (`<user><role_id>admin</role_id></user>`), escalating to admin privileges. The attack targets /api/v1/admin endpoints, chaining with CVE-2025-2775 for initial data access. Persistence is achieved via modified user accounts with SSH keys added…