Platform Updates

April updates: Get RCE evidence for 6 critical CVEs

Updated at
Reading time
read
Article tags

Cybercriminals don’t give up. Neither do we.

We’re proud to bring you the only tools that currently detect CVE-2022-24086 affecting Magento and Adobe Commerce.

After weeks of working on auto-exploitation for this critical CVE (CVSSv3 9.8), we finally have it!

As a Pentest-Tools.com customer, you can run Sniper Auto-Exploiter to get conclusive proof that validates targets vulnerable to this high-risk vulnerability, which bad actors have already shown interest in.

This exclusive capability is also embedded into our Network Scanner which provides pre-filled, ready-to-send reports and automatically populates the Attack Surface view.

Find vulnerable targets

Wait, there’s more?

In the past weeks, our team also worked on more platform updates to support your work.

  • 5 new high-risk CVEs you can now exploit with Sniper

  • API support added for the Find Domains tool

  • Website Scanner findings include an “Unconfirmed” tag

1. Prove exploitation risk for these 5 widespread CVEs with Sniper

Besides the high-risk Magento vulnerability, our team also enhanced Sniper Automatic Exploiter with automatic (and safe) exploitation capabilities for:

  1. the critical RCE vulnerability that impacts various Redis versions – CVE-2022-0543 (CVSSv3 10)
    another high-risk RCE vulnerability affecting VMware Workspace ONE Access and Identity Manager – CVE-2022-22954 (CVSSv3 9.8)

  2. the critical RCE vulnerability found in specific Apache Struts 2 versions – CVE-2021-31805 (CVSSv3 9.8)

  3. the severe RCE vulnerability discovered in different Drupal versions – CVE-2018-7600 (CVSSv3 9.8)

  4. the unrestricted file upload vulnerability found in Adobe ColdFusion versions – CVE-2018-15961 (CVSSv3 9.8)

Get exploitation proof

Curious to unpack the technical details behind high-risk vulnerabilities such as the unsafe session storage in Zabbix or the notorious Spring4Shell RCE?

Our security research team provides a steady supply of manual exploitation guides that can expand your know-how or help train your team.

2. API support now available for Find Domains

The improvement allows you to programmatically run focused scans against your targets through our API.

Using specific parameters, you can automate the scanning workflow to quickly discover domain names owned by a company and map its attack surface.

Find all the details here and save invaluable time with our pre-configured scanners.

3. Easily find and filter your Website Scanner findings

When you scan your targets with our custom-built Website Scanner, findings that aren’t automatically validated get a specific “Unconfirmed” tag.

To make things easier for you, our scanner automatically validates findings and tags them as Confirmed so you can select and add them to your pentest report.

With the Unconfirmed tag, you can easily spot findings that require your attention. Do a manual check before reporting them for high-quality engagements. Check out the support article for more details on how to validate findings.

Here’s where you’ll find the Unconfirmed tag in the Findings section after each scan:

Hope these updates help you streamline your ethical hacking engagements so you can do more of the things you enjoy.

Get future pentesting guides!

We won't spam you with useless information.

Ready to apply what you read?

Use our free tools

Related articles