-
Notifications
You must be signed in to change notification settings - Fork 7
CVE Module Reference
Andre Henrique edited this page Jun 2, 2026
·
1 revision
Language: English (en-US) | pt-BR: ../pt-BR/22-cve-modulos-referencia.md
Complete table of all CVE-tagged exploit modules in EmbedXPL-Forge, sorted by CVSS score descending. Modules without a CVE are listed separately at the end.
Use
generic/cve/cve_lookupin the interactive shell to search this database programmatically. Useuse <module_path>to load any module listed here.
| Module path | CVE | CVSS | Vendor | Product | Type | Key options |
check() returns |
|---|---|---|---|---|---|---|---|
exploits/firewalls/cisco/cisco_sdwan_dtls_auth_bypass_cve_2026_20182 |
CVE-2026-20182 | 10.0 | Cisco | SD-WAN Manager (vManage) | DTLS auth bypass + SSH key injection |
target, dtls_port, ssh_pubkey
|
True if vManage detected + DTLS responds |
exploits/firewalls/cisco/isa3000_asa_rce_cve_2018_0101 |
CVE-2018-0101 | 10.0 | Cisco | ASA, ISA3000 | IKEv1/IKEv2 heap overflow RCE |
target, lhost, lport
|
True if ASA responding + version in range |
exploits/firewalls/cisco/ios_xe_webui_privesc_cve_2023_20198 |
CVE-2023-20198 | 10.0 | Cisco | IOS XE | WebUI privilege escalation (CISA KEV) |
target, port
|
True if IOS XE WebUI accessible |
exploits/firewalls/paloalto/panos_saml_auth_bypass_cve_2020_2021 |
CVE-2020-2021 | 10.0 | Palo Alto | PAN-OS | SAML authentication bypass |
target, port
|
True if SAML SP enabled |
exploits/firewalls/cisco/cisco_fmc_auth_bypass_rce_cve_2026_20079 |
CVE-2026-20079 | 9.8 | Cisco | FMC (Firepower Mgmt Center) | Auth bypass + RCE |
target, lhost, lport
|
True if FMC detected |
exploits/firewalls/fortinet/forticlient_ems_preauth_rce_cve_2026_35616 |
CVE-2026-35616 | 9.8 | Fortinet | FortiClient EMS | Pre-auth RCE |
target, port, lhost
|
True if EMS exposed |
exploits/firewalls/fortinet/fortios_heap_overflow_rce_cve_2026_25249 |
CVE-2026-25249 | 9.8 | Fortinet | FortiOS | HTTPS daemon heap overflow RCE |
target, port, lhost
|
True if FortiOS + version affected |
exploits/firewalls/fortinet/fortios_auth_bypass_cve_2022_40684 |
CVE-2022-40684 | 9.8 | Fortinet | FortiOS, FortiProxy | Admin auth bypass |
target, port
|
True if API returns 200 without auth |
exploits/firewalls/fortinet/fortios_sslvpn_path_traversal_cve_2018_13379 |
CVE-2018-13379 | 9.8 | Fortinet | FortiOS | SSL-VPN path traversal |
target, port
|
True if /remote/fgt_lang?lang= traversal works |
exploits/firewalls/fortinet/fortios_heap_overflow_rce_cve_2023_27997 |
CVE-2023-27997 | 9.8 | Fortinet | FortiOS | SSL-VPN heap overflow (XORtigate) |
target, lhost, lport
|
True if FortiOS + SSL-VPN + version affected |
exploits/firewalls/fortinet/fortimanager_fortijump_cve_2024_47575 |
CVE-2024-47575 | 9.8 | Fortinet | FortiManager | FortiJump unauthenticated RCE |
target, port, lhost
|
True if FortiManager API accessible |
exploits/firewalls/fortinet/forticlientems_sqli_rce_cve_2023_48788 |
CVE-2023-48788 | 9.8 | Fortinet | FortiClientEMS | SQLi -> RCE |
target, port
|
True if EMS login page detected |
exploits/firewalls/fortinet/fortios_oob_write_rce_cve_2025_53844 |
CVE-2025-53844 | 9.8 | Fortinet | FortiOS | OOB write RCE |
target, lhost
|
True if version in affected range |
exploits/firewalls/juniper/juniper_srx_unauth_rce_cve_2025_21590 |
CVE-2025-21590 | 9.8 | Juniper | SRX series | Unauthenticated RCE |
target, port, lhost
|
True if J-Web accessible + version match |
exploits/firewalls/juniper/jweb_oob_write_rce_cve_2024_21591 |
CVE-2024-21591 | 9.8 | Juniper | SRX, EX | J-Web OOB write RCE |
target, port, lhost
|
True if Junos + affected version |
exploits/firewalls/juniper/jweb_php_rce_cve_2023_36845 |
CVE-2023-36845 | 9.8 | Juniper | SRX, EX | J-Web PHP env RCE |
target, port, lhost
|
True if J-Web PHP env injectable |
exploits/firewalls/sonicwall/sonicos_sslvpn_auth_bypass_cve_2024_53704 |
CVE-2024-53704 | 9.8 | SonicWall | SonicOS | SSL-VPN improper auth bypass |
target, port
|
True if version < fix boundary |
exploits/firewalls/sonicwall/sonicos_sslvpn_auth_bypass_cve_2024_53700 |
CVE-2024-53700 | 9.8 | SonicWall | SonicOS | SSL-VPN session hijack |
target, port
|
True if SonicOS detected + affected |
exploits/firewalls/sonicwall/sma_password_reset_cve_2021_20034 |
CVE-2021-20034 | 9.8 | SonicWall | SMA100 | Arbitrary file delete -> password reset |
target, port
|
True if SMA100 management accessible |
exploits/firewalls/sonicwall/sma100_sqli_cve_2021_20016 |
CVE-2021-20016 | 9.8 | SonicWall | SMA100 | Unauthenticated SQLi |
target, port
|
True if SMA100 login endpoint injectable |
exploits/firewalls/sonicwall/sonicos_vpn_buffer_overflow_cve_2020_5135 |
CVE-2020-5135 | 9.8 | SonicWall | SonicOS | VPN buffer overflow |
target, port, lhost
|
True if VPN portal accessible + version match |
exploits/firewalls/sonicwall/sslvpn_shellshock_rce_visualdoor |
— | 9.8 | SonicWall | SMA/SSL-VPN | Shellshock RCE |
target, port, lhost
|
True if shellshock CGI injectable |
exploits/firewalls/checkpoint/checkpoint_remote_code_exec_cve_2023_28461 |
CVE-2023-28461 | 9.8 | Check Point | Quantum Security Gateway | RCE |
target, port, lhost
|
True if Check Point GW detected |
exploits/firewalls/pfsense/pfblockerng_rce_cve_2022_31814 |
CVE-2022-31814 | 9.8 | pfSense | pfBlockerNG | Unauthenticated RCE |
target, port, lhost
|
True if pfBlockerNG installed + vulnerable version |
exploits/firewalls/pfsense/pfsense_csrf_rce_cve_2019_16667 |
CVE-2019-16667 | 9.8 | pfSense | pfSense | CSRF to RCE |
target, port
|
True if pfSense detected |
exploits/firewalls/pfsense/antibruteforce_bypass_cve_2023_27100 |
CVE-2023-27100 | 9.8 | pfSense | pfSense | Anti-bruteforce bypass |
target, port
|
True if affected version |
exploits/firewalls/pfsense/interfaces_cmd_injection_cve_2023_42326 |
CVE-2023-42326 | 9.8 | pfSense | pfSense | Interfaces command injection |
target, port, lhost
|
True if interfaces endpoint injectable |
exploits/firewalls/zyxel/ike_cmd_injection_cve_2023_28771 |
CVE-2023-28771 | 9.8 | Zyxel | Firewall (ZLD) | IKE command injection |
target, port
|
True if IKE endpoint injectable |
exploits/firewalls/zyxel/usg_flex_cmd_injection_cve_2022_30525 |
CVE-2022_30525` | 9.8 | Zyxel | USG FLEX | Unauthenticated command injection |
target, port, lhost
|
True if setWan() injectable |
exploits/firewalls/zyxel/buffer_overflow_cve_2023_33009 |
CVE-2023-33009 | 9.8 | Zyxel | Firewall | Buffer overflow |
target, port, lhost
|
True if affected version |
exploits/firewalls/watchguard/firebox_auth_bypass_cve_2022_26776 |
CVE-2022-26776 | 9.8 | WatchGuard | Firebox | Auth bypass |
target, port
|
True if Firebox detected + version match |
exploits/firewalls/sophos/firewall_code_injection_cve_2022_3236 |
CVE-2022-3236 | 9.8 | Sophos | XG Firewall | Code injection |
target, port, lhost
|
True if Sophos FW portal accessible |
exploits/firewalls/sophos/xg_auth_bypass_cve_2022_1040 |
CVE-2022-1040 | 9.8 | Sophos | XG Firewall | Auth bypass |
target, port
|
True if user portal auth bypassable |
exploits/firewalls/sophos/xg_sqli_asnarok_cve_2020_12271 |
CVE-2020-12271 | 9.8 | Sophos | XG Firewall | SQLi (Asnarok) |
target, port
|
True if Sophos FW + preauth SQLi |
exploits/firewalls/mikrotik/mikrotik_routeros_rce_cve_2022_45315 |
CVE-2022-45315 | 9.8 | MikroTik | RouterOS | Stack overflow RCE |
target, lhost
|
True if RouterOS + affected version |
exploits/firewalls/opnsense/opnsense_sqli_rce_cve_2021_23239 |
CVE-2021-23239 | 9.8 | OPNsense | OPNsense | SQLi to RCE |
target, port, lhost
|
True if OPNsense login injectable |
exploits/firewalls/huawei/huawei_usg_auth_bypass_rce_cve_2021_22323 |
CVE-2021-22323 | 9.8 | Huawei | USG6000V2 | Integer overflow -> RCE |
target, port, lhost
|
True if USG + version in range |
exploits/firewalls/huawei/huawei_usg_cmd_inject_cve_2019_1023 |
CVE-2019-1023 | 9.8 | Huawei | USG6xxx | Command injection |
target, port, command
|
True if USG mgmt injectable |
exploits/firewalls/siemens/ruggedcom_web_rce_cve_2023_24845 |
CVE-2023-24845 | 9.8 | Siemens | RUGGEDCOM | Web interface RCE |
target, port, lhost
|
True if RUGGEDCOM web detected |
exploits/firewalls/siemens/scalance_cmd_injection_cve_2023_44373 |
CVE-2023-44373 | 9.8 | Siemens | SCALANCE | Command injection |
target, port, command
|
True if SCALANCE API injectable |
exploits/firewalls/vyos/vyos_rce_cve_2023_31992 |
CVE-2023-31992 | 9.8 | VyOS | VyOS | REST API RCE |
target, port, lhost
|
True if VyOS REST accessible |
exploits/firewalls/stormshield/stormshield_sns_rce_cve_2020_18175 |
CVE-2020-18175 | 9.8 | Stormshield | SNS | RCE |
target, port, lhost
|
True if SNS mgmt accessible |
exploits/firewalls/paloalto/panos_dns_heap_rce_cve_2026_0264 |
CVE-2026-0264 | 9.8 | Palo Alto | PAN-OS | DNS heap overflow RCE |
target, port, lhost
|
True if PAN-OS + version affected |
exploits/firewalls/paloalto/panos_userid_bof_rce_cve_2026_0300 |
CVE-2026-0300 | 9.8 | Palo Alto | PAN-OS | User-ID agent buffer overflow |
target, lhost
|
True if User-ID service accessible |
exploits/firewalls/moxa/edr_g_jwt_hardcoded_cve_2024_9137 |
CVE-2024-9137 | 9.8 | Moxa | EDR-G9010 | Hardcoded JWT secret |
target, port
|
True if EDR-G detected + hardcoded key works |
exploits/firewalls/cisco/asa_vpn_bruteforce_cve_2023_20269 |
CVE-2023-20269 | 9.8 | Cisco | ASA / FTD | SSL-VPN credential brute-force |
target, port, wordlist
|
True if ASA VPN portal accessible |
exploits/appliances/f5/bigip_icontrol_rest_rce_cve_2022_1388 |
CVE-2022-1388 | 9.8 | F5 | BIG-IP | iControl REST auth bypass + RCE |
target, port, command
|
True if iControl REST 200 without auth |
exploits/appliances/f5/bigip_bigiq_icontrol_rce_cve_2021_22986 |
CVE-2021-22986 | 9.8 | F5 | BIG-IQ | iControl REST unauthenticated RCE |
target, port, command
|
True if BIG-IQ iControl accessible |
exploits/appliances/citrix/netscaler_rce_cve_2023_3519 |
CVE-2023-3519 | 9.8 | Citrix | NetScaler ADC/Gateway | Unauthenticated RCE |
target, port, lhost
|
True if NetScaler unauth endpoint reachable |
exploits/appliances/citrix/netscaler_path_traversal_cve_2019_19781 |
CVE-2019-19781 | 9.8 | Citrix | NetScaler | Path traversal (Shitrix) |
target, port
|
True if traversal path accessible |
exploits/firewalls/fortinet/fortios_sslvpn_rce_cve_2024_21762 |
CVE-2024-21762 | 9.6 | Fortinet | FortiOS | SSL-VPN OOB write RCE |
target, port, lhost
|
True if SSL-VPN + version affected |
exploits/firewalls/fortinet/fortios_websocket_auth_bypass_cve_2024_55591 |
CVE-2024-55591 | 9.6 | Fortinet | FortiOS | WebSocket CSF proxy auth bypass |
target, port
|
True if WebSocket endpoint bypassable |
exploits/firewalls/paloalto/panos_cas_auth_bypass_cve_2026_0265 |
CVE-2026-0265 | 9.3 | Palo Alto | PAN-OS | Cloud Auth Service bypass |
target, port
|
True if CAS endpoint accessible |
exploits/firewalls/paloalto/panos_mgmt_auth_bypass_cve_2024_0012 |
CVE-2024-0012 | 9.3 | Palo Alto | PAN-OS | Management WebUI auth bypass |
target, port
|
True if mgmt UI bypasses auth |
exploits/firewalls/sonicwall/sonicos_sslvpn_access_cve_2024_40766 |
CVE-2024-40766 | 9.3 | SonicWall | SonicOS | Improper access control |
target, port
|
True if access control bypass confirmed |
exploits/firewalls/fortinet/fortios_sslvpn_heap_rce_cve_2022_42475 |
CVE-2022-42475 | 9.3 | Fortinet | FortiOS | SSL-VPN heap overflow (XORtigate) |
target, port, lhost
|
True if SSL-VPN accessible + version affected |
exploits/firewalls/fortinet/fortiswitch_unauth_passwd_cve_2024_48887 |
CVE-2024-48887 | 9.3 | Fortinet | FortiSwitch | Unauthenticated password change |
target, port, username
|
True if PATCH to admin API returns 200 without auth |
exploits/firewalls/siemens/sinema_rc_path_traversal_cve_2022_32257 |
CVE-2022-32257 | 9.1 | Siemens | SINEMA Remote Connect | Path traversal |
target, port
|
True if traversal returns content |
exploits/firewalls/fortinet/forticloud_sso_auth_bypass_cve_2026_24858 |
CVE-2026-24858 | 9.1 | Fortinet | FortiCloud | SSO auth bypass |
target, port
|
True if SSO endpoint bypasses auth |
exploits/firewalls/mikrotik/mikrotik_winbox_cred_bypass_cve_2018_14847 |
CVE-2018-14847 | 9.1 | MikroTik | RouterOS | Winbox credential bypass |
target, port
|
True if Winbox port open + version affected |
exploits/firewalls/moxa/edr_cmd_injection_cve_2024_9138 |
CVE-2024-9138 | 9.1 | Moxa | EDR firewall | Command injection |
target, port, command
|
True if API endpoint injectable |
exploits/firewalls/checkpoint/checkpoint_vpn_lfi_chain_cve_2024_24919 |
CVE-2024-24919 | 8.6 | Check Point | Quantum Security Gateway | VPN arbitrary file read |
target, port, read_file
|
True if LFI endpoint returns content |
exploits/firewalls/checkpoint/security_gateway_info_disclosure_cve_2024_24919 |
CVE-2024-24919 | 8.6 | Check Point | Quantum Security Gateway | Info disclosure variant |
target, port
|
True if info disclosure path accessible |
exploits/firewalls/watchguard/firebox_cyclops_blink_cve_2022_23176 |
CVE-2022-23176 | 8.8 | WatchGuard | Firebox | Cyclops Blink state-sponsored implant |
target, port
|
True if Firebox + affected version |
exploits/firewalls/pfsense/pfsense_rrd_cmd_injection_cve_2023_27253 |
CVE-2023-27253 | 8.8 | pfSense | pfSense | RRD command injection |
target, port, command
|
True if RRD endpoint injectable |
exploits/firewalls/fortinet/fortios_sslvpn_session_reuse_cve_2024_50562 |
CVE-2024-50562 | 8.1 | Fortinet | FortiOS | SSL-VPN session token reuse |
target, port
|
True if session token reuse accepted |
exploits/firewalls/globalprotect_cmd_injection_cve_2024_3400 |
CVE-2024-3400 | 10.0 | Palo Alto | PAN-OS GlobalProtect | OS command injection (CISA KEV) |
target, port, lhost, lport
|
True if GP gateway detected + version affected |
exploits/firewalls/paloalto/globalprotect_auth_bypass_cve_2026_0257 |
CVE-2026-0257 | 7.8 | Palo Alto | PAN-OS GlobalProtect | Auth override cookie bypass (CISA KEV) |
target, forge_user, lhost
|
True if cookie accepted |
exploits/firewalls/paloalto/panos_auth_bypass_cve_2025_0108 |
CVE-2025-0108 | 9.1 | Palo Alto | PAN-OS | Management interface auth bypass |
target, port
|
True if mgmt API accessible without auth |
exploits/firewalls/paloalto/panos_privesc_cve_2024_9474 |
CVE-2024-9474 | 6.9 | Palo Alto | PAN-OS | Privilege escalation (chain with CVE-2024-0012) |
target, port
|
True if privesc path reachable |
exploits/firewalls/juniper/juniper_srx_file_upload_rce_cve_2023_36851 |
CVE-2023-36851 | 5.3 | Juniper | SRX series | Unauthenticated file upload |
target, port
|
True if upload endpoint accessible |
exploits/firewalls/cisco/asa_ftd_path_traversal_cve_2020_3452 |
CVE-2020-3452 | 7.5 | Cisco | ASA / FTD | SSL-VPN path traversal |
target, port
|
True if traversal returns content |
exploits/firewalls/checkpoint/endpoint_security_privesc_cve_2019_8461 |
CVE-2019-8461 | 7.8 | Check Point | Endpoint Security | Privilege escalation | target |
True if endpoint client exposed |
exploits/firewalls/mikrotik/mikrotik_jailbreak_cve_2019_3977 |
CVE-2019-3977 | 7.5 | MikroTik | RouterOS | Jailbreak / escalation |
target, port
|
True if jailbreak path exploitable |
exploits/firewalls/cisco/cisco_asa_ftd_firestarter_chain_cve_2025_20362_20333 |
CVE-2025-20362 + CVE-2025-20333 | 10.0 | Cisco | ASA / FTD | FireStarter exploit chain |
target, lhost, lport
|
True if ASA + chain path available |
exploits/firewalls/cisco/cisco_asa_webvpn_rce_cve_2014_3390 |
CVE-2014-3390 | 10.0 | Cisco | ASA | WebVPN RCE |
target, port, lhost
|
True if ASA WebVPN accessible + version affected |
exploits/firewalls/sangfor/sangfor_ngfw_unauth_rce_cve_2019_13393 |
CVE-2019-13393 | 9.8 | Sangfor | NGFW | Unauthenticated RCE |
target, port, lhost
|
True if NGFW management portal accessible |
exploits/firewalls/sophos/sophos_xg_rce_cve_2020_29583 |
CVE-2020-29583 | 9.8 | Sophos | XG Firewall | Hardcoded credential RCE |
target, port
|
True if XG hardcoded device-admin creds accepted |
exploits/firewalls/checkpoint/checkpoint_gaia_portal_sqli_cve_2021_30358 |
CVE-2021-30358 | 9.8 | Check Point | Gaia portal | SQL injection |
target, port
|
True if Gaia portal SQLi confirmed |
exploits/firewalls/juniper/juniper_ex_auth_bypass_cve_2019_0028 |
CVE-2019-0028 | 9.8 | Juniper | EX series | J-Web authentication bypass |
target, port
|
True if J-Web auth bypass returns session |
exploits/firewalls/cisco/cisco_asa_snmp_rce_cve_2016_6366 |
CVE-2016-6366 | 9.8 | Cisco | ASA | SNMP RCE (EXTRABACON) |
target, community
|
True if SNMP accessible + version in range |
exploits/firewalls/fortinet/fortianalyzer_sql_inject_cve_2021_26103 |
CVE-2021-26103 | 9.8 | Fortinet | FortiAnalyzer | SQL injection |
target, port
|
True if FortiAnalyzer API endpoint injectable |
exploits/nac/aruba/aruba_clearpass_rce_cve_2023_25594 |
CVE-2023-25594 | 9.8 | Aruba | ClearPass Policy Manager | Unauthenticated RCE |
target, port, lhost
|
True if ClearPass management interface accessible |
exploits/nac/aruba/aruba_clearpass_sqli_cve_2022_37897 |
CVE-2022-37897 | 9.8 | Aruba | ClearPass Policy Manager | SQL injection |
target, port
|
True if ClearPass guest portal SQLi confirmed |
exploits/vpn/ivanti/ivanti_connect_secure_ssrf_rce_cve_2024_21888 |
CVE-2024-21888 | 9.8 | Ivanti | Connect Secure | SSRF + RCE chain |
target, port, lhost
|
True if Connect Secure SSRF endpoint reachable |
exploits/appliances/citrix/citrix_bleed_info_disclosure_cve_2023_4966 |
CVE-2023-4966 | 9.4 | Citrix | NetScaler ADC/Gateway | CitrixBleed session token leak |
target, port
|
True if memory disclosure returns valid session token |
exploits/firewalls/sophos/sophos_utm_rce_cve_2022_4934 |
CVE-2022-4934 | 8.8 | Sophos | UTM | Web proxy command injection |
target, port, command
|
True if UTM web proxy endpoint injectable |
exploits/firewalls/cisco/cisco_ios_xe_csrf_rce_cve_2021_1442 |
CVE-2021-1442 | 8.8 | Cisco | IOS XE | CSRF to RCE |
target, port
|
True if CSRF endpoint accessible + IOS XE affected |
exploits/firewalls/checkpoint/checkpoint_mobile_access_ssrf_cve_2020_6017 |
CVE-2020-6017 | 8.1 | Check Point | Mobile Access | SSRF |
target, port, ssrf_target
|
True if SSRF confirmed via Mobile Access portal |
exploits/firewalls/fortinet/fortios_path_traversal_cve_2022_40685 |
CVE-2022-40685 | 7.5 | Fortinet | FortiOS | Path traversal |
target, port, read_file
|
True if traversal path returns file content |
exploits/firewalls/cisco/cisco_asa_path_traversal_cve_2018_0296 |
CVE-2018-0296 | 7.5 | Cisco | ASA | HTTP path traversal |
target, port
|
True if traversal returns directory listing |
| Module path | CVE | CVSS | Vendor | Type | Key options |
check() returns |
|---|---|---|---|---|---|---|
exploits/cameras/hikvision/rtsp_rce_cve_2021_36260 |
CVE-2021-36260 | 9.8 | Hikvision | Unauth RCE via HTTP PUT |
target, port, command
|
True if webLanguage PUT returns 400/200 |
exploits/cameras/hikvision/info_disclosure_cve_2017_7921 |
CVE-2017-7921 | 9.8 | Hikvision | Unauth config/credential disclosure |
target, port
|
True if disclosure endpoint returns content |
exploits/cameras/hikvision/nas_auth_bypass_cve_2023_28808 |
CVE-2023-28808 | 9.8 | Hikvision | NAS auth bypass |
target, port
|
True if NAS API bypasses auth |
exploits/cameras/dahua/cctv_rce_cve_2021_36260 |
CVE-2021-36260 | 9.8 | Dahua | configManager.cgi RCE |
target, port
|
True if configManager.cgi accessible |
exploits/cameras/dahua/auth_bypass_cve_2021_33044 |
CVE-2021-33044 | 9.8 | Dahua | Auth bypass |
target, port
|
True if bypass request returns session |
exploits/cameras/reolink/reolink_baicells_auth_bypass_rce_cve_2021_40655 |
CVE-2021-40655 | 9.8 | Reolink | Auth bypass + RCE |
target, port, lhost
|
True if auth bypass confirmed |
exploits/cameras/tapo/tapo_c200_c210_unauth_rce_cve_2021_4045 |
CVE-2021-4045 | 9.8 | TP-Link Tapo | Unauth RCE |
target, port, lhost
|
True if exploit path accessible |
exploits/cameras/edimax/ic7100_unauth_rce_cve_2025_1316 |
CVE-2025-1316 | 9.8 | Edimax | Unauth RCE |
target, port, lhost
|
True if RCE endpoint accessible |
exploits/cameras/uniview/uniview_nvr_unauth_rce_cve_2024_37630 |
CVE-2024-37630 | 9.8 | Uniview | Unauth RCE |
target, port, lhost
|
True if Uniview NVR + endpoint accessible |
exploits/cameras/motioneye/motioneye_rce_cve_2025_60787 |
CVE-2025-60787 | 9.8 | MotionEye | Unauth RCE |
target, port, lhost
|
True if MotionEye version < fix |
exploits/cameras/axis/srv_parhand_rce_cve_2018_10660 |
CVE-2018-10660 | 9.8 | Axis | parhand RCE |
target, port, lhost
|
True if parhand service accessible |
exploits/cameras/annke/annke_dvr_nvr_unauth_rce_cve_2021_32941 |
CVE-2021-32941 | 9.8 | Annke | Unauth RCE |
target, port, lhost
|
True if Annke DVR + affected |
exploits/cameras/dahua/dvr_auth_bypass_cve_2013_6117 |
CVE-2013-6117 | 9.8 | Dahua | DVR auth bypass |
target, port
|
True if old DVR bypass works |
exploits/cameras/reolink/reolink_nvr_p2p_uid_extract_cve_2022_30600 |
CVE-2022-30600 | 7.5 | Reolink | P2P UID extraction |
target, port
|
True if P2P UID disclosed |
exploits/cameras/zivif/ipcheck_rce_cve_2017_17105 |
CVE-2017-17105 | 9.8 | Zivif | RCE via ipcheck |
target, port, lhost
|
True if ipcheck CGI injectable |
exploits/cameras/amcrest/amcrest_camera_unauth_info_disclosure_cve_2019_3950 |
CVE-2019-3950 | 7.5 | Amcrest | Unauth info disclosure |
target, port
|
True if disclosure endpoint accessible |
| Module path | CVE | CVSS | Vendor | Product | Type | Key options |
check() returns |
|---|---|---|---|---|---|---|---|
exploits/ics/ur_polyscope5_dashboard_cmd_injection_cve_2026_8153 |
CVE-2026-8153 | 9.8 | Universal Robots | PolyScope 5 | Dashboard command injection |
target, port, command
|
True if PolyScope API injectable |
exploits/ics/freertos/freertos_plus_tcp_oob_write_cve_2025_5688 |
CVE-2025-5688 | 9.8 | FreeRTOS | FreeRTOS+TCP | OOB write |
target, port, lhost
|
True if affected version |
exploits/ics/rockwell/compactlogix_auth_bypass_cve_2021_22681 |
CVE-2021-22681 | 9.8 | Rockwell | CompactLogix | CIP auth bypass |
target, port, action
|
True if CIP session established without auth |
exploits/ics/rockwell/compactlogix_code_injection_cve_2022_1161 |
CVE-2022-1161 | 9.8 | Rockwell | CompactLogix | Code injection via ladder logic |
target, port
|
True if code injection path reachable |
exploits/ics/rockwell/compactlogix_cip_dos_cve_2024_6077 |
CVE-2024-6077 | 8.6 | Rockwell | CompactLogix | CIP DoS |
target, port
|
True if CIP port responds |
exploits/ics/schneider/modicon_modbus_control_cve_2018_7841 |
CVE-2018-7841 | 9.8 | Schneider | Modicon M340 | Unauthorized Modbus control |
target, port, unit_id
|
True if Modbus accessible + control allowed |
exploits/ics/schneider/net55xx_encoder_rce_cve_2018_7784 |
CVE-2018-7784 | 9.8 | Schneider | NET55xx | RCE via web |
target, port, lhost
|
True if web interface injectable |
exploits/ics/siemens/siprotec_relay_dos_cve_2015_5374 |
CVE-2015-5374 | 7.8 | Siemens | SIPROTEC | Relay DoS |
target, port
|
True if relay service accessible |
exploits/ics/scada/fuxa_scheduler_rce_cve_2026_25939 |
CVE-2026-25939 | 9.8 | FUXA | FUXA SCADA | Scheduler RCE |
target, port, command
|
True if FUXA scheduler injectable |
exploits/ics/scada/laquis_arb_file_write_cve_2021_41579 |
CVE-2021-41579 | 8.8 | LAQUIS | LAQUIS SCADA | Arbitrary file write |
target, port
|
True if file write path accessible |
exploits/ics/scadaflex/sc168_file_write_cve_2022_25359 |
CVE-2022-25359 | 9.1 | ScadaFlex | SC-168 | Arbitrary file write |
target, port
|
True if file write path accessible |
exploits/ics/osprey/pump_controller_auth_bypass_cve_2023_28648 |
CVE-2023-28648 | 9.8 | Osprey | Pump Controller | Auth bypass |
target, port
|
True if auth bypass confirmed |
exploits/ics/advantech/switch_shellshock_cve_2015_6023 |
CVE-2015-6023 | 9.8 | Advantech | Industrial switch | Shellshock |
target, port, lhost
|
True if CGI shellshock injectable |
exploits/ics/bluetooth_ble/blueborne_attack_cve_2017_0781 |
CVE-2017-0781 | 8.8 | Multiple | Android BT | BlueBorne RCE |
target (BT MAC), interface
|
True if device BT reachable + Android 8.0 unpatched |
exploits/ics/bluetooth_ble/wifi_krack_attack_cve_2017_13077 |
CVE-2017-13077 | 8.8 | Multiple | WPA2 | KRACK key reinstallation |
target (BSSID), interface
|
True if AP affected |
exploits/ics/bluetooth_ble/wifi_kr00k_attack_cve_2019_15126 |
CVE-2019-15126 | 6.5 | Broadcom/Cypress | Wi-Fi chip | Kr00k decrypt |
target (MAC), interface
|
True if Broadcom chip detected |
exploits/ics/bluetooth_ble/wifi_fragattacks_cve_2020_24586 |
CVE-2020-24586 | 7.5 | Multiple | Wi-Fi (802.11) | FragAttacks |
target (BSSID) |
True if AP not patched |
| Module path | CVE | CVSS | Vendor | Type | Key options |
check() returns |
|---|---|---|---|---|---|---|
exploits/bmc/supermicro/ipmi_auth_bypass_cve_2013_4786 |
CVE-2013-4786 | 10.0 | Supermicro | IPMI 2.0 RAKP hash disclosure |
target, port
|
True if RAKP response returned |
exploits/bmc/dell/idrac9_info_disclosure_cve_2021_36300 |
CVE-2021-36300 | 9.8 | Dell | iDRAC9 unauth info disclosure |
target, port
|
True if disclosure endpoint accessible |
| Module path | CVE | CVSS | Vendor | Type |
|---|---|---|---|---|
exploits/routers/cisco/ios_xe_wlc_jwt_file_upload_cve_2025_20188 |
CVE-2025-20188 | 10.0 | Cisco | IOS XE WLC hardcoded JWT + file upload RCE |
exploits/aps/mediatek/mt7622_heap_overflow_preauth |
— | 9.8 | MediaTek | MT7622 pre-auth heap overflow |
exploits/aps/mediatek/mt7622_stack_overflow_preauth |
— | 9.8 | MediaTek | MT7622 pre-auth stack overflow |
| Module path | Vendor | Type | Notes |
|---|---|---|---|
exploits/firewalls/fortinet/fortigate_os_backdoor |
Fortinet | Hidden management account backdoor | Static credentials in FortiOS firmware |
exploits/firewalls/watchguard/xcs_9_rce |
WatchGuard | XCS 9.x RCE | No public CVE assigned |
exploits/firewalls/sonicwall/sslvpn_shellshock_rce_visualdoor |
SonicWall | VisualDoor shellshock | Exploits bash shellshock in SSL-VPN CGI |
exploits/cameras/hikvision/firmware_crypto_key_extract |
Hikvision | Firmware crypto key extraction | Hardcoded AES key in firmware |
exploits/cameras/herospeed/herospeed_nvr_hardcoded_root_hash |
Herospeed | Root hash extraction | Hash 12ZpTwfyH6/Bs across all firmware versions |
exploits/cameras/herospeed/herospeed_nvr_telnet_safecode_backdoor |
Herospeed | Telnet backdoor activation | MAC-derived SafeCode + hardcoded root passwd |
exploits/cameras/herospeed/herospeed_nvr_paramconfig_bypass |
Herospeed | Hardcoded bypass token | Token MI1YSANORQ4NAELR grants access to all endpoints |
exploits/ics/qnx/qconn_remote_exec |
QNX (RTOS) | Qconn unauthenticated RCE | QNX Qconn service allows unauth remote execution |
exploits/ics/siemens/s7_1200_plc_control |
Siemens | S7-1200 unauthenticated control | S7comm lacks authentication by default |
exploits/ics/siemens/profinet_set_ip |
Siemens | PROFINET DCP IP reassignment | Protocol has no authentication |
exploits/ics/generic/fake_dhcp_server |
Generic | Rogue DHCP server | Poisons IP configuration for MITM |
generic/upnp/igd_exploit (Stage 6: AddPortMapping) |
Multiple | Unauthenticated NAT rule injection | UPnP IGD has no authentication by design |
exploits/cameras/mvpower/dvr_jaws_rce |
MVPower | JAWS webserver RCE | No CVE — affects JAWS/1.0 DVR web server |
Getting Started
Modules
Shell & Post-Exploitation
Tools & Infrastructure
- NSE-Script-Manager
- Firmware-Tools
- Discover-Command
- Sessions-Command
- APT-Catalog
- Sysinfo-and-Compute
- Infra-Wizard-Mode
- Catalogs-and-Tools
Reference
Comecar
Modulos
- Modulos-de-Credenciais
- Modulos-de-Exploit
- Modulos-Genericos
- AutoPwn-pt-BR
- Payloads-e-Encoders
- Modulos-Dispositivos-ISP
- Modulos-OSINT
Shell e Pos-Exploracao
Ferramentas e Infraestrutura
- Gerenciador-NSE
- Firmware-Tools
- Descoberta-de-Rede
- Gerenciamento-de-Sessoes
- APT-Catalog
- Sysinfo-and-Compute
- Infra-Wizard-Mode
- Catalogos-e-Ferramentas
Referencia