From 2a0b83e6e8c14ea89c9f64c9d3b95e27a1ac396e Mon Sep 17 00:00:00 2001
From: Aarush
Date: Tue, 10 Feb 2026 17:23:23 +0530
Subject: [PATCH 01/10] Add FortiWeb authentication bypass vulnerability check
Signed-off-by: Aarush
---
 docs/Modules.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/docs/Modules.md b/docs/Modules.md
index 3c66a26f2..5ec85db5b 100644
--- a/docs/Modules.md
+++ b/docs/Modules.md
@@ -151,6 +151,7 @@ If you want to scan all ports please define -g 1-65535 range. Otherwise Nettacke
 - '**exponent_cms_cve_2021_38751_vuln**' – check the target for Exponent CMS CVE-2021-38751
 - '**f5_cve_2020_5902_vuln**' – check the target for F5 RCE CVE-2020-5902 vulnerability
 - '**forgerock_am_cve_2021_35464_vuln**' – check the target for ForgeRock AM CVE-2021-35464
+- '**fortiweb_auth_bypass_cve_2025_64446_vuln** - check for FortiWeb authentication bypass vulnerability
 - '**galera_webtemp_cve_2021_40960_vuln**' – check the target for Galera WebTemplate CVE-2021-40960
 - '**grafana_cve_2021_43798_vuln**' – check the target for Grafana CVE-2021-43798 vulnerability
 - '**graphql_vuln**' – check the target for exposed GraphQL introspection endpoint
From b1ffe4e499e1fb1f301286e19bdd423b8932ddf6 Mon Sep 17 00:00:00 2001
From: Aarush
Date: Tue, 10 Feb 2026 17:29:23 +0530
Subject: [PATCH 02/10] Remove FortiWeb auth bypass vulnerability entry
Removed entry for FortiWeb authentication bypass vulnerability.
Signed-off-by: Aarush
---
 docs/Modules.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/docs/Modules.md b/docs/Modules.md
index 5ec85db5b..3c66a26f2 100644
--- a/docs/Modules.md
+++ b/docs/Modules.md
@@ -151,7 +151,6 @@ If you want to scan all ports please define -g 1-65535 range. Otherwise Nettacke
 - '**exponent_cms_cve_2021_38751_vuln**' – check the target for Exponent CMS CVE-2021-38751
 - '**f5_cve_2020_5902_vuln**' – check the target for F5 RCE CVE-2020-5902 vulnerability
 - '**forgerock_am_cve_2021_35464_vuln**' – check the target for ForgeRock AM CVE-2021-35464
-- '**fortiweb_auth_bypass_cve_2025_64446_vuln** - check for FortiWeb authentication bypass vulnerability
 - '**galera_webtemp_cve_2021_40960_vuln**' – check the target for Galera WebTemplate CVE-2021-40960
 - '**grafana_cve_2021_43798_vuln**' – check the target for Grafana CVE-2021-43798 vulnerability
 - '**graphql_vuln**' – check the target for exposed GraphQL introspection endpoint
From 6db5ee7a84b8d3fe34529bfb5983aca0ceffc334 Mon Sep 17 00:00:00 2001
From: Aarush
Date: Tue, 10 Feb 2026 17:45:01 +0530
Subject: [PATCH 03/10] Fix vulnerability name in wp_plugin_cve_2021_38314.yaml
Signed-off-by: Aarush
---
 nettacker/modules/vuln/wp_plugin_cve_2021_38314.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nettacker/modules/vuln/wp_plugin_cve_2021_38314.yaml b/nettacker/modules/vuln/wp_plugin_cve_2021_38314.yaml
index 6b2c22f46..88df2b91a 100644
--- a/nettacker/modules/vuln/wp_plugin_cve_2021_38314.yaml
+++ b/nettacker/modules/vuln/wp_plugin_cve_2021_38314.yaml
@@ -1,5 +1,5 @@
 info:
- name: CVE_2021_39320_vuln
+ name: CVE_2021_39314_vuln
 author: OWASP Nettacker Team
 severity: 7
 description: Sensitive Information Leakage - The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress
From 6fd226a7ac69c0796a408ff136f2a1ea69398386 Mon Sep 17 00:00:00 2001
From: Aarush
Date: Tue, 10 Feb 2026 17:45:59 +0530
Subject: [PATCH 04/10] Rename CVE identifier from 39314 to 39320
Signed-off-by: Aarush
---
 nettacker/modules/vuln/wp_plugin_cve_2021_38314.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nettacker/modules/vuln/wp_plugin_cve_2021_38314.yaml b/nettacker/modules/vuln/wp_plugin_cve_2021_38314.yaml
index 88df2b91a..6b2c22f46 100644
--- a/nettacker/modules/vuln/wp_plugin_cve_2021_38314.yaml
+++ b/nettacker/modules/vuln/wp_plugin_cve_2021_38314.yaml
@@ -1,5 +1,5 @@
 info:
- name: CVE_2021_39314_vuln
+ name: CVE_2021_39320_vuln
 author: OWASP Nettacker Team
 severity: 7
 description: Sensitive Information Leakage - The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress
From dd080aa0ff484676ac451436024140bd0cfcffae Mon Sep 17 00:00:00 2001
From: Aarush289
Date: Thu, 9 Apr 2026 22:33:51 +0530
Subject: [PATCH 05/10] new module added
---
 docs/Modules.md | 1 +
 nettacker/core/lib/http.py | 10 +++-
 .../vuln/solarwinds_whd_cve_2025_40536.yaml | 58 +++++++++++++++++++
 3 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml
diff --git a/docs/Modules.md b/docs/Modules.md
index 10cd1c6a1..432cfbe82 100644
--- a/docs/Modules.md
+++ b/docs/Modules.md
@@ -163,6 +163,7 @@ If you want to scan all ports please define -g 1-65535 range. Otherwise Nettacke
 - '**ProFTPd_restriction_bypass_vuln**' - check ProFTPd for CVE-2009-3639
 - '**server_version_vuln**' - check if the web server is leaking server banner in 'Server' response header
 - '**smartermail_cve_2026_24423_vuln**' - check the target for SmarterMail CVE-2026-24423 vulnerability
+- '**solarwinds_whd_cve_2025_40536_vuln** - check SolarWinds Web Help Desk vulnerable version via build token
 - '**sonicwall_sslvpn_cve_2024_53704_vuln**' - check the target for SonicWALL SSLVPN CVE-2024-53704 vulnerability
 - '**ssl_signed_certificate_vuln**' - check for self-signed & other signing issues(weak signing algorithm) in SSL certificate
 - '**ssl_expired_certificate_vuln**' - check if SSL certificate has expired or is close to expiring
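Review bot: After this rename the module's `name: CVE_2021_39320_vuln` still disagrees with the file it lives in, `wp_plugin_cve_2021_38314.yaml`, and PATCH 03 followed by PATCH 04 is a net no-op (39320 → 39314 → 39320) that leaves that mismatch in place. The description ("Gutenberg Template Library & Redux Framework plugin <= 4.2.11", sensitive information leakage) points at one specific advisory, so the identifier should be confirmed against that advisory and then used consistently in both `name` and the file name; I cannot tell from the hunk which of 38314 or 39320 is the correct one. The two cancelling commits should be squashed out of the series so the history does not record a rename that was immediately reverted.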
diff --git a/nettacker/core/lib/http.py b/nettacker/core/lib/http.py
index 776266036..3e172229e 100644
--- a/nettacker/core/lib/http.py
+++ b/nettacker/core/lib/http.py
@@ -8,6 +8,7 @@ import aiohttp
 import uvloop
+import traceback
 from nettacker.core.lib.base import BaseEngine
 from nettacker.core.utils.common import (
@@ -23,6 +24,7 @@ async def perform_request_action(action, request_options):
 start_time = time.time()
 async with action(**request_options) as response:
+ print(f"Received response with status {response.status} for URL: {response.url} and with content response: {await response.content.read()}")
 return {
 "reason": response.reason,
 "url": str(response.url),
@@ -45,6 +47,7 @@ async def send_request(request_options, method):
 def response_conditions_matched(sub_step, response):
 if not response:
 return {}
+ print(f"Received response with status {response.status} for URL: {response.url} and with content response: {response.content}")
 condition_type = sub_step["response"]["condition_type"]
 conditions = sub_step["response"]["conditions"]
 condition_results = {}
@@ -179,8 +182,13 @@ def run(
 try:
 response = asyncio.run(send_request(sub_step, backup_method))
 response["content"] = response["content"].decode(errors="ignore")
+ print(f"content is {response['content']}")
 break
- except Exception:
+ except Exception as e:
+ print(f"Error occurred during HTTP request: {e}")
+ print("error type:",type(e))
+ print("error:",repr(e))
+ traceback.print_exc()
 response = []
 sub_step["method"] = backup_method
 sub_step["response"] = backup_response
diff --git a/nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml b/nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml
new file mode 100644
index 000000000..a51be2a30
--- /dev/null
+++ b/nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml
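Review bot: The `print` added in `perform_request_action` calls `await response.content.read()` before the `return {...}` that follows; if that dict reads the body again (its remaining keys are outside the hunk), the stream is already consumed and every module sees an empty body. The `print` added in `response_conditions_matched` accesses `response.status` and `response.url`, yet the `run` hunk below treats `response` as a dict (`response["content"]`), so if that same object reaches this function the attribute accesses raise `AttributeError`. All of the added lines dump full response bodies and tracebacks to stdout with `print` instead of the project's logger, writing scanned content to the console regardless of verbosity. PATCH 06 and PATCH 07 later in the series revert every one of these lines and the `import traceback`, so the series should be squashed so the debug instrumentation never lands in history; `run` continues outside the hunk.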
@@ -0,0 +1,58 @@
+info:
+ name: solarwinds_whd_cve_2025_40536_vuln
+ author: Nettacker Team
+ severity: 8.1
+ description: |
+ Identifies SolarWinds Web Help Desk instances
+ by analyzing response content and extracting
+ the embedded build version token from resource URLs.
+ The detected version is evaluated against the patched
+ threshold (12.8.8 HF1) to determine potential exposure.
+ This enables passive and safe identification of systems affected by the security control bypass vulnerability.
+ reference:
+ - https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40536
+ - https://nvd.nist.gov/vuln/detail/CVE-2025-40536
+ profiles:
+ - vuln
+ - http
+ - high_severity
+ - cve2025
+ - cve
+ - cisa kev
+ - solarwinds
+ - webhelpdesk
+ - passive
+
+payloads:
+ - library: http
+ steps:
+ - method: get
+ timeout: 50
+ headers:
+ User-Agent: "{user_agent}"
+ Host: "{target}"
+ allow_redirects: false
+ ssl: false
+ url:
+ nettacker_fuzzer:
+ input_format: "{{schema}}://{target}:{{ports}}/helpdesk/WebObjects/Helpdesk.woa"
+ prefix: ""
+ suffix: ""
+ interceptors:
+ data:
+ schema:
+ - "http"
+ - "https"
+ ports:
+ - 80
+ - 443
+
+ response:
+ condition_type: and
+ conditions:
+ status_code:
+ regex: "200"
+ reverse: false
+ # content:
+ # regex: "(?s)(?=.*(Web Help Desk Software|SolarWinds WorldWide|/WebObjects/Helpdesk\\.woa))(?=.*\\?v=12_([0-7]|8_[0-7])_[0-9]+_[0-9]+)"
+ # reverse: false
\ No newline at end of file
From 8ba9258130497a07e1738bcd2e069c417737a6b6 Mon Sep 17 00:00:00 2001
From: Aarush289
Date: Thu, 9 Apr 2026 23:05:23 +0530
Subject: [PATCH 06/10] remove the debug comments
---
 nettacker/core/lib/http.py | 9 +--------
 .../modules/vuln/solarwinds_whd_cve_2025_40536.yaml | 8 ++++----
 2 files changed, 5 insertions(+), 12 deletions(-)
diff --git a/nettacker/core/lib/http.py b/nettacker/core/lib/http.py
index 3e172229e..768d485e7 100644
--- a/nettacker/core/lib/http.py
+++ b/nettacker/core/lib/http.py
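Review bot: As committed, the module's only condition is `status_code: "200"` (the `content` check at the end of the hunk is commented out), so any host that answers 200 at `/helpdesk/WebObjects/Helpdesk.woa` is reported as CVE-2025-40536 at severity 8.1 with no product or version evidence; PATCH 06 re-enables the check, but this intermediate state should not exist in the series. The profile `cisa kev` contains a space while the other compound profile in the file is written `high_severity`; if profiles are selected by name on the command line, the space makes this one awkward to select, so `cisa_kev` is the safer spelling. The description calls the check "passive", but the step does send a GET to the target; "unauthenticated and read-only" describes it accurately without overstating it.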
@@ -24,7 +24,6 @@ async def perform_request_action(action, request_options):
 start_time = time.time()
 async with action(**request_options) as response:
- print(f"Received response with status {response.status} for URL: {response.url} and with content response: {await response.content.read()}")
 return {
 "reason": response.reason,
 "url": str(response.url),
@@ -47,7 +46,6 @@ async def send_request(request_options, method):
 def response_conditions_matched(sub_step, response):
 if not response:
 return {}
- print(f"Received response with status {response.status} for URL: {response.url} and with content response: {response.content}")
 condition_type = sub_step["response"]["condition_type"]
 conditions = sub_step["response"]["conditions"]
 condition_results = {}
@@ -182,13 +180,8 @@ def run(
 try:
 response = asyncio.run(send_request(sub_step, backup_method))
 response["content"] = response["content"].decode(errors="ignore")
- print(f"content is {response['content']}")
 break
- except Exception as e:
- print(f"Error occurred during HTTP request: {e}")
- print("error type:",type(e))
- print("error:",repr(e))
- traceback.print_exc()
+ except Exception:
 response = []
 sub_step["method"] = backup_method
 sub_step["response"] = backup_response
diff --git a/nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml b/nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml
index a51be2a30..ab9758371 100644
--- a/nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml
+++ b/nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml
@@ -27,7 +27,7 @@ payloads:
 - library: http
 steps:
 - method: get
- timeout: 50
+ timeout: 10
 headers:
 User-Agent: "{user_agent}"
 Host: "{target}"
@@ -53,6 +53,6 @@ payloads:
 status_code:
 regex: "200"
 reverse: false
- # content:
- # regex: "(?s)(?=.*(Web Help Desk Software|SolarWinds WorldWide|/WebObjects/Helpdesk\\.woa))(?=.*\\?v=12_([0-7]|8_[0-7])_[0-9]+_[0-9]+)"
- # reverse: false
\ No newline at end of file
+ content:
+ regex: "(?s)(?=.*(Web Help Desk Software|SolarWinds WorldWide|/WebObjects/Helpdesk\\.woa))(?=.*\\?v=12_([0-7]|8_[0-7])_[0-9]+_[0-9]+)"
+ reverse: false
\ No newline at end of file
From 102cdbe529caf5fd71df62ccec9d290dff66926b Mon Sep 17 00:00:00 2001
From: Aarush289
Date: Thu, 9 Apr 2026 23:06:43 +0530
Subject: [PATCH 07/10] changes of http removed
---
 nettacker/core/lib/http.py | 1 -
 nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/nettacker/core/lib/http.py b/nettacker/core/lib/http.py
index 768d485e7..776266036 100644
--- a/nettacker/core/lib/http.py
+++ b/nettacker/core/lib/http.py
@@ -8,7 +8,6 @@ import aiohttp
 import uvloop
-import traceback
 from nettacker.core.lib.base import BaseEngine
 from nettacker.core.utils.common import (
diff --git a/nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml b/nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml
index ab9758371..b0fd8aa6f 100644
--- a/nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml
+++ b/nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml
@@ -27,7 +27,7 @@ payloads:
 - library: http
 steps:
 - method: get
- timeout: 10
+ timeout: 3
 headers:
 User-Agent: "{user_agent}"
 Host: "{target}"
From b7be1d3a5704227a592105d87cd904fe67624aaa Mon Sep 17 00:00:00 2001
From: Aarush289
Date: Thu, 9 Apr 2026 23:54:47 +0530
Subject: [PATCH 08/10] fixed the version regex
---
 docs/Modules.md | 2 +-
 nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/Modules.md b/docs/Modules.md
index 432cfbe82..ee6329ca7 100644
--- a/docs/Modules.md
+++ b/docs/Modules.md
@@ -163,7 +163,7 @@ If you want to scan all ports please define -g 1-65535 range. Otherwise Nettacke
 - '**ProFTPd_restriction_bypass_vuln**' - check ProFTPd for CVE-2009-3639
 - '**server_version_vuln**' - check if the web server is leaking server banner in 'Server' response header
 - '**smartermail_cve_2026_24423_vuln**' - check the target for SmarterMail CVE-2026-24423 vulnerability
-- '**solarwinds_whd_cve_2025_40536_vuln** - check SolarWinds Web Help Desk vulnerable version via build token
+- '**solarwinds_whd_cve_2025_40536_vuln**' - check SolarWinds Web Help Desk vulnerable version via build token
 - '**sonicwall_sslvpn_cve_2024_53704_vuln**' - check the target for SonicWALL SSLVPN CVE-2024-53704 vulnerability
 - '**ssl_signed_certificate_vuln**' - check for self-signed & other signing issues(weak signing algorithm) in SSL certificate
 - '**ssl_expired_certificate_vuln**' - check if SSL certificate has expired or is close to expiring
diff --git a/nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml b/nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml
index b0fd8aa6f..7b04cf34f 100644
--- a/nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml
+++ b/nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml
@@ -54,5 +54,5 @@ payloads:
 regex: "200"
 reverse: false
 content:
- regex: "(?s)(?=.*(Web Help Desk Software|SolarWinds WorldWide|/WebObjects/Helpdesk\\.woa))(?=.*\\?v=12_([0-7]|8_[0-7])_[0-9]+_[0-9]+)"
+ regex: "(?s)(?=.*(Web Help Desk Software|SolarWinds WorldWide|/WebObjects/Helpdesk\\.woa))(?=.*\\?v=12_(?:[0-7]_[0-9]+|8_(?:[0-8])_[0-9]+)_[0-9]+)"
 reverse: false
\ No newline at end of file
From daf9bc30783f9f3e7bd80ee0e0575cf8c7114290 Mon Sep 17 00:00:00 2001
From: Aarush289
Date: Fri, 10 Apr 2026 00:09:13 +0530
Subject: [PATCH 09/10] updated the desciption
---
 nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
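Review bot: The new version alternation in the `regex` line is asymmetric in how many `_`-separated parts it requires: the first branch expands to `12_[0-7]_[0-9]+_[0-9]+` (four parts), but the `8_` branch expands to `12_8_[0-8]_[0-9]+_[0-9]+` (five parts) because the trailing `_[0-9]+` is applied after an alternative that already contains a build number. The version scan added in PATCH 10 captures exactly four numeric parts, `\\?v=([0-9]+_[0-9]+_[0-9]+_[0-9]+)`, so if that is the real token shape, no 12.8.x build — the range the advisory is mainly about — can ever match this branch. Assuming a `12_8_8_<build>` token, the alternation should be `12_(?:[0-7]_[0-9]+|8_[0-8])_[0-9]+` so both branches consume four parts; the `(?:[0-8])` wrapper is also redundant. The single-digit `[0-8]` will not match a 12.8.x with a two-digit third component, which may or may not exist for this product.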
diff --git a/nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml b/nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml
index 7b04cf34f..31f2ee74b 100644
--- a/nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml
+++ b/nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml
@@ -6,8 +6,9 @@ info:
 Identifies SolarWinds Web Help Desk instances
 by analyzing response content and extracting
 the embedded build version token from resource URLs.
- The detected version is evaluated against the patched
- threshold (12.8.8 HF1) to determine potential exposure.
+ The detected version is evaluated against known vulnerable
+ ranges (all 12.x versions up to and including 12.8.8 HF1).
+ Versions prior to the fixed release (2026.1) are considered potentially vulnerable.
 This enables passive and safe identification of systems affected by the security control bypass vulnerability.
 reference:
 - https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40536
From 344e21bd21946f5ed55e0bf8ff90d7caca162710 Mon Sep 17 00:00:00 2001
From: Aarush289
Date: Fri, 10 Apr 2026 15:58:57 +0530
Subject: [PATCH 10/10] version scan added
---
 docs/Modules.md | 2 +-
 .../modules/scan/solarwinds_whd_version.yaml | 50 ++++++++++++++++
 .../vuln/solarwinds_whd_cve_2025_40536.yaml | 59 -------------------
 3 files changed, 51 insertions(+), 60 deletions(-)
 create mode 100644 nettacker/modules/scan/solarwinds_whd_version.yaml
 delete mode 100644 nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml
diff --git a/docs/Modules.md b/docs/Modules.md
index ee6329ca7..62b96a6f1 100644
--- a/docs/Modules.md
+++ b/docs/Modules.md
@@ -35,6 +35,7 @@ OWASP Nettacker Modules can be of type **Scan** (scan for something), **Vuln** (
 - '**pma_scan**' - Scan the target for PHP MyAdmin presence
 - '**port_scan**' - Scan the target for open ports identifying the popular services using signatures (.e.g SSH on port 2222)
 - '**smartermail_version_scan**' - Scan the target and identify the SmarterMail version
+- '**solarwinds_whd_version_scan**' - Scan the target and identify the SolarWinds Web Help Desk version
 - '**ssl_expiring_certificate_scan**' - Scan the target for SSL/TLS certificates nearing expiration
 - '**subdomain_scan**' - Scan the target for subdomains (target must be a domain e.g. owasp.org)
 - '**viewdns_reverse_iplookup_scan**' - Identify which sites/domains are hosted on the target host using ViewDNS.info
@@ -163,7 +164,6 @@ If you want to scan all ports please define -g 1-65535 range. Otherwise Nettacke
 - '**ProFTPd_restriction_bypass_vuln**' - check ProFTPd for CVE-2009-3639
 - '**server_version_vuln**' - check if the web server is leaking server banner in 'Server' response header
 - '**smartermail_cve_2026_24423_vuln**' - check the target for SmarterMail CVE-2026-24423 vulnerability
-- '**solarwinds_whd_cve_2025_40536_vuln**' - check SolarWinds Web Help Desk vulnerable version via build token
 - '**sonicwall_sslvpn_cve_2024_53704_vuln**' - check the target for SonicWALL SSLVPN CVE-2024-53704 vulnerability
 - '**ssl_signed_certificate_vuln**' - check for self-signed & other signing issues(weak signing algorithm) in SSL certificate
 - '**ssl_expired_certificate_vuln**' - check if SSL certificate has expired or is close to expiring
diff --git a/nettacker/modules/scan/solarwinds_whd_version.yaml b/nettacker/modules/scan/solarwinds_whd_version.yaml
new file mode 100644
index 000000000..26202230a
--- /dev/null
+++ b/nettacker/modules/scan/solarwinds_whd_version.yaml
@@ -0,0 +1,50 @@
+info:
+ name: solarwinds_whd_version_scan
+ author: Nettacker Team
+ severity: 3
+ description: fetch SolarWinds Web Help Desk version from target
+ reference:
+ - https://www.solarwinds.com/
+ profiles:
+ - scan
+ - http
+ - solarwinds
+ - webhelpdesk
+ - version
+
+payloads:
+ - library: http
+ steps:
+ - method: get
+ timeout: 3
+ headers:
+ User-Agent: "{user_agent}"
+ Host: "{target}"
+ allow_redirects: false
+ ssl: false
+ url:
+ nettacker_fuzzer:
+ input_format: "{{schema}}://{target}:{{ports}}/helpdesk/WebObjects/Helpdesk.woa"
+ prefix: ""
+ suffix: ""
+ interceptors:
+ data:
+ schema:
+ - "http"
+ - "https"
+ ports:
+ - 80
+ - 443
+
+ response:
+ condition_type: and
+ conditions:
+ status_code:
+ regex: "200"
+ reverse: false
+
+ content:
+ regex: "\\?v=([0-9]+_[0-9]+_[0-9]+_[0-9]+)"
+ reverse: false
+
+ log: "SolarWinds WHD version: response_dependent['content']"
\ No newline at end of file
diff --git a/nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml b/nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml
deleted file mode 100644
index 31f2ee74b..000000000
--- a/nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml
+++ /dev/null
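Review bot: The scan's only evidence of the product is the `content` regex `\\?v=([0-9]+_[0-9]+_[0-9]+_[0-9]+)`, which matches any four-part cache-busting token, so a 200 from an unrelated application served at `/helpdesk/WebObjects/Helpdesk.woa` would be logged as a SolarWinds WHD version. The product lookahead the deleted vuln module carried should be kept in front of the version capture, e.g. `regex: "(?s)(?=.*(?:Web Help Desk Software|SolarWinds WorldWide|/WebObjects/Helpdesk\\.woa)).*\\?v=([0-9]+_[0-9]+_[0-9]+_[0-9]+)"` — this assumes the engine substitutes the captured group into `response_dependent['content']` rather than the whole match, which I cannot confirm from the hunk. `reference` now lists only the vendor home page; since this scan replaces the CVE-2025-40536 check, the advisory URLs from the deleted module are the references a user of the version output actually needs. `timeout: 3` was lowered from 50 over the series without a stated reason; a slow application server will then produce false negatives, so the value deserves a one-line comment on why it was chosen.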
@@ -1,59 +0,0 @@
-info:
- name: solarwinds_whd_cve_2025_40536_vuln
- author: Nettacker Team
- severity: 8.1
- description: |
- Identifies SolarWinds Web Help Desk instances
- by analyzing response content and extracting
- the embedded build version token from resource URLs.
- The detected version is evaluated against known vulnerable
- ranges (all 12.x versions up to and including 12.8.8 HF1).
- Versions prior to the fixed release (2026.1) are considered potentially vulnerable.
- This enables passive and safe identification of systems affected by the security control bypass vulnerability.
- reference:
- - https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40536
- - https://nvd.nist.gov/vuln/detail/CVE-2025-40536
- profiles:
- - vuln
- - http
- - high_severity
- - cve2025
- - cve
- - cisa kev
- - solarwinds
- - webhelpdesk
- - passive
-
-payloads:
- - library: http
- steps:
- - method: get
- timeout: 3
- headers:
- User-Agent: "{user_agent}"
- Host: "{target}"
- allow_redirects: false
- ssl: false
- url:
- nettacker_fuzzer:
- input_format: "{{schema}}://{target}:{{ports}}/helpdesk/WebObjects/Helpdesk.woa"
- prefix: ""
- suffix: ""
- interceptors:
- data:
- schema:
- - "http"
- - "https"
- ports:
- - 80
- - 443
-
- response:
- condition_type: and
- conditions:
- status_code:
- regex: "200"
- reverse: false
- content:
- regex: "(?s)(?=.*(Web Help Desk Software|SolarWinds WorldWide|/WebObjects/Helpdesk\\.woa))(?=.*\\?v=12_(?:[0-7]_[0-9]+|8_(?:[0-8])_[0-9]+)_[0-9]+)"
- reverse: false
\ No newline at end of file