Sina Kheirkhah (@SinSinology)

SysOwned, Your Friendly Support Ticket - SysAid On-Premise Pre-Auth RCE Chain (CVE-2025-2775 And Friends)

It’s… another week, and another vendor who is apparently experienced with ransomware gangs but yet struggles with email. In what we've seen others term "the watchTowr treatment", we are once again (surprise, surprise) disclosing vulnerability research that allowed us to gain pre-authenticated Remote Command Execution

SonicBoom, From Stolen Tokens to Remote Shells - SonicWall SMA (CVE-2023-44221, CVE-2024-38475)

Another day, another edge device being targeted - it’s a typical Thursday! In today’s blog post, we’re excited to share our previously private analysis of the now exploited in-the-wild N-day vulnerabilities affecting SonicWall’s SMA100 appliance. Over the last few months, our client base has fed us

By Executive Order, We Are Banning Blacklists - Domain-Level RCE in Veeam Backup & Replication (CVE-2025-23120)

It’s us again! Once again, we hear the collective groans - but we're back and with yet another merciless pwnage of an inspired and clearly comprehensive RCE solution - no, wait, it's another vuln in yet another backup and replication solution.. While we would enjoy

Exploitation Walkthrough and Techniques - Ivanti Connect Secure RCE (CVE-2025-0282)

As we saw in our previous blogpost, we fully analyzed Ivanti’s most recent unauthenticated Remote Code Execution vulnerability in their Connect Secure (VPN) appliance. Specifically, we analyzed CVE-2025-0282. Today, we’re going to walk through exploitation. Once again, however, stopping short of providing the world with a Detection Artifact

Do Secure-By-Design Pledges Come With Stickers? - Ivanti Connect Secure RCE (CVE-2025-0282)

Did you have a good break? Have you had a chance to breathe? Wake up. It’s 2025, and the chaos continues. Haha, see what we did? We wrote the exact same thing in 2024 because 2024 was exactly the same. As an industry, we are on GroundHog day -

Cleo Harmony, VLTrader, and LexiCom - RCE via Arbitrary File Write (CVE-2024-50623)

We were having a nice uneventful week at watchTowr, when we got news of some ransomware operators using a zero-day exploit in Cleo MFT software - namely, LexiCom, VLTransfer, and Harmony - applications that many large enterprises rely on to share files securely. Cleo have a (paywalled) advisory, linked to

Hop-Skip-FortiJump-FortiJump-Higher - Fortinet FortiManager CVE-2024-47575

It’s been a tricky time for Fortinet (and their customers) lately - arguably, even more so than usual. Adding to the steady flow of vulnerabilities in appliances recently was a nasty CVSS 9.8 vulnerability in FortiManager, their tool for central management of FortiGate appliances. As always, the opinions

Visionaries Have Democratised Remote Network Access - Citrix Virtual Apps and Desktops (CVE-2024-8068 and CVE-2024-8069)

Well, we’re back again, with yet another fresh-off-the-press bug chain (and associated Interactive Artifact Generator). This time, it’s in Citrix’s “Virtual Apps and Desktops” offering. This is a tech stack that enables end-users (and likely, your friendly neighbourhood ransomware gang) to access their full desktop environment from

Veeam Backup & Response - RCE With Auth, But Mostly Without Auth (CVE-2024-40711)

Every sysadmin is familiar with Veeam’s enterprise-oriented backup solution, ‘Veeam Backup & Replication’. Unfortunately, so is every ransomware operator, given it's somewhat 'privileged position' in the storage world of most enterprise's networks. There's no point deploying cryptolocker malware on a target

Auth. Bypass In (Un)Limited Scenarios - Progress MOVEit Transfer (CVE-2024-5806)

In the early hours of a day in a month in 2024, watchTowr Labs was sent a chat log: 13:37 -!- dav1d_bl41ne [def_not_phalanx@kernel.org] has joined #!hack (irc.efnet.nl) 13:37 -!- dav1d_bl41ne changed the topic of #!hack to: mag1c sh0w