watchTowr Labs is the epicentre of offensive security expertise at watchTowr - where research, innovation, and real attacker insight power our Preemptive Exposure Management technology.| watchTowr Labs
What is the main purpose of a Content Management System (CMS)? We have to accept that when we ask such existential and philosophical questions, we’re also admitting that we have no idea and that there probably isn’t an easy answer (this is our excuse, and we&| watchTowr Labs
On July 18, 2025, users of CrushFTP woke up to an announcement: https://www.crushftp.com/crush11wiki/Wiki.jsp?page=CompromiseJuly2025As we’ve all experienced in 2025, 2025 has been the year of vendors burying their heads in the sand with regard to in-the-wild exploitation, even in the| watchTowr Labs
We’re back, and we’ve finished telling everyone that our name was on the back of Phrack!!!!1111 Whatever, nerds. Today, we're back to scheduled content. Like our friendly neighbourhood ransomware gangs and APT groups, we've continued to spend irrational amounts of time looking at critical enterprise-grade solutions -| watchTowr Labs
It’s Friday, but we’re here today with unscheduled content - pushing our previously scheduled shenanigans to next week. Fortinet is no stranger to the watchTowr Labs research team. Today we’re looking at CVE-2025-25256 - a pre-authentication command injection in FortiSIEM that lets an attacker compromise an organization’| watchTowr Labs
Did you have a good break? Have you had a chance to breathe? Wake up. It’s 2025, and the chaos continues. Haha, see what we did? We wrote the exact same thing in 2024 because 2024 was exactly the same. As an industry, we are on GroundHog day -| watchTowr Labs
It’s 2025, and at this point, we’re convinced there’s a secret industry-wide pledge: every network appliance must include at least one trivially avoidable HTTP header parsing bug - preferably pre-auth. Bonus points if it involves sscanf. If that’s the case, well done! SonicWall’s SMA100 series| watchTowr Labs
Welcome back to yet another day in this parallel universe of security. This time, we’re looking at Fortinet’s FortiWeb Fabric Connector. “What is that?” we hear you say. That's a great question; no one knows. For the uninitiated, or unjaded; Fortinet’| watchTowr Labs
Before you dive into our latest diatribe, indulge us and join us on a journey. Sit in your chair, stand at your desk, lick your phone screen - close your eyes and imagine a world in which things are great. It’s sunny outside, the birds are chirping, and your| watchTowr Labs
Welcome to June! We’re back—this time, we're exploring Sitecore’s Experience Platform (XP), demonstrating a pre-auth RCE chain that we reported to Sitecore in February 2025. We’ve spent a bit of time recently looking at CMS’s given the basic fact that they represent attractive targets for| watchTowr Labs
Keeping your ears to the ground and eyes wide open for the latest vulnerability news at watchTowr is a given. Despite rummaging through enterprise code looking for 0days on a daily basis, our interest was piqued this week when news of fresh vulnerabilities was announced in a close friend -| watchTowr Labs
It’s… another week, and another vendor who is apparently experienced with ransomware gangs but yet struggles with email. In what we've seen others term "the watchTowr treatment", we are once again (surprise, surprise) disclosing vulnerability research that allowed us to gain pre-authenticated Remote| watchTowr Labs
Another day, another edge device being targeted - it’s a typical Thursday! In today’s blog post, we’re excited to share our previously private analysis of the now exploited in-the-wild N-day vulnerabilities affecting SonicWall’s SMA100 appliance. Over the last few months, our client| watchTowr Labs
As we pack our bags and prepare for the adult-er version of BlackHat (that apparently doesn’t require us to print out stolen mailspoolz to hand to people at their talks), we want to tell you about a recent adventure - a heist, if you will. No heist story is| watchTowr Labs
What's that Skippy? Another Ivanti Connect Secure vulnerability? At this point, regular readers will know all about Ivanti (and a handful of other vendors of the same class of devices), from our regular analysis. Do you know the fun things about these posts? We can copy text from| watchTowr Labs
We know what you’re waiting for - this isn’t it. Today, we’re back with more tales of our adventures in Kentico’s Xperience CMS. Due to it’s wide usage, the type of solution, and the types of enterprises using this solution - any serious vulnerability, or| watchTowr Labs
It’s us again! Once again, we hear the collective groans - but we're back and with yet another merciless pwnage of an inspired and clearly comprehensive RCE solution - no, wait, it's another vuln in yet another backup and replication solution.. While we would enjoy a world in which| watchTowr Labs
I recently joined watchTowr, and it is, therefore, time - time for my first watchTowr Labs blogpost, previously teased in a tweet of a pre-auth RCE chain affecting some ‘unknown software’. Joining the team, I wanted to maintain the trail of destruction left by the watchTowr Labs team, and so| watchTowr Labs
As an industry, we believe that we’ve come to a common consensus after 25 years of circular debates - disclosure is terrible, information is actually dangerous, it’s best that it’s not shared, and the only way to really to ensure that no one ever uses information in| watchTowr Labs
As we saw in our previous blogpost, we fully analyzed Ivanti’s most recent unauthenticated Remote Code Execution vulnerability in their Connect Secure (VPN) appliance. Specifically, we analyzed CVE-2025-0282. Today, we’re going to walk through exploitation. Once again, however, stopping short of providing the world with a Detection Artifact| watchTowr Labs
After the excitement of our .MOBI research, we were left twiddling our thumbs. As you may recall, in 2024, we demonstrated the impact of an unregistered domain when we subverted the TLS/SSL CA process for verifying domain ownership to give ourselves the ability to issue valid and trusted TLS/| watchTowr Labs
Every sysadmin is familiar with Veeam’s enterprise-oriented backup solution, ‘Veeam Backup & Replication’. Unfortunately, so is every ransomware operator, given it's somewhat 'privileged position' in the storage world of most enterprise's networks. There's no point deploying cryptolocker malware on a target unless you can also deny access to backups, and| watchTowr Labs
Welcome back to another watchTowr Labs blog. Brace yourselves, this is one of our most astounding discoveries. Summary What started out as a bit of fun between colleagues while avoiding the Vegas heat and $20 bottles of water in our Black Hat hotel rooms - has now seemingly become a| watchTowr Labs
In the early hours of a day in a month in 2024, watchTowr Labs was sent a chat log: 13:37 -!- dav1d_bl41ne [def_not_phalanx@kernel.org] has joined #!hack (irc.efnet.nl) 13:37 -!- dav1d_bl41ne changed the topic of #!hack to: mag1c sh0w| watchTowr Labs - Blog
Orange Tsai tweeted a few hours ago about “One of [his] PHP vulnerabilities, which affects XAMPP by default”, and we were curious to say the least. XAMPP is a very popular way for administrators and developers to rapidly deploy Apache, PHP, and a bunch of other tools, and any bug| watchTowr Labs - Blog
Gather round, gather round - it’s time for another blogpost tearing open an SSLVPN appliance and laying bare a recent in-the-wild exploited bug. This time, it is Check Point who is the focus of our penetrative gaze. Check Point, for those unaware, is the vendor responsible for the 'CloudGuard| watchTowr Labs
Welcome to April 2024, again. We’re back, again. Over the weekend, we were all greeted by now-familiar news—a nation-state was exploiting a “sophisticated” vulnerability for full compromise in yet another enterprise-grade SSLVPN device. We’ve seen all the commentary around the certification process of these devices for certain| watchTowr Labs
Did you have a good break? Have you had a chance to breathe? Wake up. It’s 2024, and the chaos continues - thanks to Volexity (Volexity’s writeup), the industry has been alerted to in-the-wild exploitation of 2 incredibly serious 0days (CVE-2023-46805 and CVE-2024-21887 - two bugs, Command Injection| watchTowr Labs