Horizon3.ai
Continuously find, fix, and verify your exploitable attack surface
Empowering Educational Compliance: Navigating the Future with Autonomous Pentesting in Academia
How Autonomous Pentesting with NodeZero Transformed University Protection The post Empowering Educational Compliance: Navigating the Future with Autonomous Pentesting in Academia appeared first on Horizon3.ai ...
CVE-2023-48788: Fortinet FortiClientEMS SQL Injection Deep Dive
Introduction In a recent PSIRT, Fortinet acknowledged CVE-2023-48788 – a SQL injection in FortiClient EMS that can lead to remote code execution. FortiClient EMS is an endpoint management solution for enterprises that ...
Fortinet FortiWLM Deep-Dive, IOCs, and the Almost Story of the “Forti Forty”
Earlier this year, soon after reproducing a remote code execution vulnerability for the Fortinet FortiNAC, I was on the hunt for a set of new research targets. Fortinet seemed like a decent ...
NextChat: An AI Chatbot That Lets You Talk to Anyone You Want To
NextChat a.k.a ChatGPT-Next-Web, a popular Gen AI ChatBot, is vulnerable to a critical server-side request forgery (SSRF) vulnerability. The post NextChat: An AI Chatbot That Lets You Talk to Anyone You Want ...
CVE-2024-1403: Progress OpenEdge Authentication Bypass Deep-Dive
On February 27, 2024, Progress released a security advisory for OpenEdge, their application development and deployment platform suite. The advisory details that there exists an authentication bypass vulnerability which effects […] The ...
ConnectWise ScreenConnect: Authentication Bypass Deep Dive
Introduction On February 19, 2023, ConnectWise published a security advisory for their ScreenConnect remote management tool. In the advisory, they describe two vulnerabilities, an authentication bypass with CVSS 10.0 and a […] The ...
NodeZero APT: Azure Password Spray Leads to Business Email Compromise
NodeZero APT: Azure Password Spray to Business Email Compromise The post NodeZero APT: Azure Password Spray Leads to Business Email Compromise appeared first on Horizon3.ai ...
Rust Won’t Save Us: An Analysis of 2023’s Known Exploited Vulnerabilities
Introduction Memory safety issues have plagued the software industry for decades. The Cybersecurity & Infrastructure Security Agency (CISA) has been leading a charge for secure-by-design and encouraging developers and vendors […] The ...
CVE-2024-21893: Another Ivanti Vulnerability Exploited in the Wild. Verify with NodeZero Today!
On 22 January, Ivanti published an advisory stating that they discovered two new, high-severity vulnerabilities (CVE-2024-21888 and CVE-2024-21893) after researching previously reported vulnerabilities affecting Ivanti Connect Secure, Ivanti Policy Secure […] The ...
Gone Phishing: How an Intern’s Credentials can be a Gateway to Your Crown Jewels
“Who cares that the intern was phished during our phishing campaign? It’s an intern, they don't have access to anything important." The post Gone Phishing: How an Intern’s Credentials can be a ...