CVE-2025-32756: Buffer Overflow in Fortinet products, 9.8 rating 🔥
Some Fortinet products, including FortiMail, FortiRecorder, and FortiVoice, are vulnerable to a buffer overflow that could allow a remote, unauthenticated attacker to execute arbitrary code or commands.
The vulnerability is not new, but a PoC was recently released!
Search at Netlas.io:
👉 Link: https://nt.ls/nmu5K
👉 Dork: certificate.subject.common_name:"FortiMail" OR certificate.subject.common_name:"FortiRecorder" OR certificate.subject.common_name:"FortiVoice"
Vendor's advisory: https://fortiguard.fortinet.com/psirt/FG-IR-25-254
Some Fortinet products, including FortiMail, FortiRecorder, and FortiVoice, are vulnerable to a buffer overflow that could allow a remote, unauthenticated attacker to execute arbitrary code or commands.
The vulnerability is not new, but a PoC was recently released!
Search at Netlas.io:
👉 Link: https://nt.ls/nmu5K
👉 Dork: certificate.subject.common_name:"FortiMail" OR certificate.subject.common_name:"FortiRecorder" OR certificate.subject.common_name:"FortiVoice"
Vendor's advisory: https://fortiguard.fortinet.com/psirt/FG-IR-25-254
1🔥8❤4🫡1
Hey Hunter's,
DarkShadow here back again, just dropping a simple FOFA dork that i made to find all Grafana vulnerable versions which are using AWS and that help to you read all cloud metadata through Grafana SSRF CVE-2025-4123
FOFA dork:
Grep the full dork in comment 🔥
#dork #fofa #bugbountytips
DarkShadow here back again, just dropping a simple FOFA dork that i made to find all Grafana vulnerable versions which are using AWS and that help to you read all cloud metadata through Grafana SSRF CVE-2025-4123
FOFA dork:
app="grafana" && cloud_name="aws" && (body="Grafana v10.0.0"body="Grafana v10.0.1" body="Grafana v10.0.2"body="Grafana v10.0.3" body="Grafana v10.0.4"body="Grafana v10.0.5" body="Grafana v10.0.6"body="Grafana v10.0.7" body="Grafana v10.0.8"body="Grafana v10.0.9" body="Grafana v10.0.10"body="Grafana v10.0.11" body="Grafana v10.0.12"body="Grafana v10.1.0" body="Grafana v10.1.1"body="Grafana v10.1.2" body="Grafana v10.1.3"body="Grafana v10.1.4" body="Grafana v10.1.5"body="Grafana v10.1.6" body="Grafana v10.1.7"body="Grafana v10.1.8" body="Grafana v10.1.9"body="Grafana v10.1.10" body="Grafana v10.2.0"body="Grafana v10.2.1" body="Grafana v10.2.2"body="Grafana v10.2.3" body="Grafana v10.2.4"body="Grafana v10.2.5" body="Grafana v10.2.6"body="Grafana v10.2.7" body="Grafana v10.3.0"body="Grafana v10.3.1" body="Grafana v10.3.2"body="Grafana v10.3.3" body="Grafana v10.3.4"body="Grafana v10.3.5" body="Grafana v10.4.0"body="Grafana v10.4.1" body="Grafana v10.4.2"body="Grafana v10.4.3" body="Grafana v10.4.4"body="Grafana v10.4.5" body="Grafana v10.4.6"body="Grafana v10.4.7" body="Grafana v10.4.8"body="Grafana v10.4.9" body="Grafana v10.4.10"body="Grafana v10.4.11" body="Grafana v10.4.12"body="Grafana v10.4.13" body="Grafana v10.4.14"body="Grafana v10.4.15" body="Grafana v10.4.16"body="Grafana v10.4.17" body="Grafana v11.0.0"body="Grafana v11.0.1" body="Grafana v11.0.2"body="Grafana v11.0.3" body="Grafana v11.0.4"body="Grafana v11.0.5" body="Grafana v11.1.0"body="Grafana v11.1.1" body="Grafana v11.1.2"body="Grafana v11.1.3" body="Grafana v11.1.4"body="Grafana v11.2.0" body="Grafana v11.2.1"body="Grafana v11.2.2" body="Grafana v11.2.3"body="Grafana v11.3.0" body="Grafana v11.3.1"body="Grafana v11.3.2" body="Grafana v11.3.3"body="Grafana v11.4.0" body="Grafana v11.4.1"body="Grafana v11.4.2" body="Grafana v11.4.3"body="Grafana v11.5.0" body="Grafana v11.5.1"body="Grafana v11.5.2" body="Grafana v11.5.3"body="Grafana v11.5.4" body="Grafana v11.5.5"body="Grafana v11.5.6" body="Grafana v11.6.0" || body="Grafana v12.0.0")
Grep the full dork in comment 🔥
#dork #fofa #bugbountytips
❤18🔥7👍2🗿1
CVE-2025-42989: Missing Authorization in SAP NetWeaver, 9.6 rating 🔥
One of the vulnerabilities disclosed in a recent patch allows an authenticated user to escalate their privileges, which could critically impact the integrity and availability of the system.
Search at Netlas.io:
👉 Link: https://nt.ls/lB0fI
👉 Dork: http.body:"This error page was generated by SAP Web Dispatcher!"
Vendor's advisory: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/june-2025.html
One of the vulnerabilities disclosed in a recent patch allows an authenticated user to escalate their privileges, which could critically impact the integrity and availability of the system.
Search at Netlas.io:
👉 Link: https://nt.ls/lB0fI
👉 Dork: http.body:"This error page was generated by SAP Web Dispatcher!"
Vendor's advisory: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/june-2025.html
❤6😱4
Brut Security
https://www.unsecuredapikeys.com/
Your know, what you have to do 😏
Please open Telegram to view this post
VIEW IN TELEGRAM
🤝10🔥3
Brut Security pinned «🚨 If you're looking for accurate IoT results, then Sign Up On @Netlas 😮💨 https://app.netlas.io/ref/9cc61538/»
Brut Security
🚀 New Script Alert – Subdomain Monitoring (Coming Soon!) from Brut Security For those who’ve been waiting on a simple and efficient way to monitor subdomains automatically — your wait is almost over. 😌 We’ve been working on a Bash script that: ✅ Monitors…
Please open Telegram to view this post
VIEW IN TELEGRAM
❤24🐳6👍5
✅ Runs every 6 hours
✅ Sends newly found subdomains directly to your Discord
✅ Includes .txt file + message alerts
✅ Perfect for bug bounty hunters & recon workflows
📽️ Watch the YouTube video & get started now:
👉 https://youtu.be/BkpSQKSTFUI
📥 Download & Readme on GitHub:
👉 https://github.com/Brut-Security/SubWatch
🔧 Powered by: subfinder, anew, jq, notify
Built with 💙 by Brut Security
❤️ Give it a try, share it with your team, and drop your reactions below!
Please open Telegram to view this post
VIEW IN TELEGRAM
YouTube
🚨 New Subdomain Monitoring Tool for Bug Bounty Hunters! | Brut Security
🛡️ Introducing SubWatch: Automated Subdomain Monitoring Script by Brut Security
Stay one step ahead in your recon game!
This tool continuously monitors your target domains for new subdomains using subfinder, stores historical data, and sends alerts directly…
Stay one step ahead in your recon game!
This tool continuously monitors your target domains for new subdomains using subfinder, stores historical data, and sends alerts directly…
❤19👍4🔥4😢1
Brut Security pinned «▶️ It's LIVE! 📌 SubWatch – your next favorite tool for automated subdomain monitoring! 🔍 ✅ Runs every 6 hours ✅ Sends newly found subdomains directly to your Discord ✅ Includes .txt file + message alerts ✅ Perfect for bug bounty hunters & recon workflows…»
CVE-2025-47110: Cross-site Scripting in Magento (and Adobe Commerce), 9.1 rating 🔥
An XSS vulnerability in Magento and Adobe Commerce allows an attacker to inject code into vulnerable forms and execute it in the victim's browser.
Search at Netlas.io:
👉 Link: https://nt.ls/v6wk6
👉 Dork: tag.name:"magento" AND http.headers.server:"Apache"
Vendor's advisory: https://helpx.adobe.com/security/products/magento/apsb25-50.html
An XSS vulnerability in Magento and Adobe Commerce allows an attacker to inject code into vulnerable forms and execute it in the victim's browser.
Search at Netlas.io:
👉 Link: https://nt.ls/v6wk6
👉 Dork: tag.name:"magento" AND http.headers.server:"Apache"
Vendor's advisory: https://helpx.adobe.com/security/products/magento/apsb25-50.html
❤10👍3
CVE-2025-4798, -4799: Absolute Path Traversal in DownloadManager WordPress Plugin, 4.9 - 7.2 rating❗️
Vulnerabilities shared with us by the pen tester who found them. Allow attackers to manipulate files on the server, which can lead to RCE.
Search at Netlas.io:
👉 Link: https://nt.ls/DH8EA
👉 Dork: http.body:"plugins/wp-downloadmanager"
More information here: https://youtu.be/QTe3rf0-e7U?si=THZKoKeI1vN-arR7
Vulnerabilities shared with us by the pen tester who found them. Allow attackers to manipulate files on the server, which can lead to RCE.
Search at Netlas.io:
👉 Link: https://nt.ls/DH8EA
👉 Dork: http.body:"plugins/wp-downloadmanager"
More information here: https://youtu.be/QTe3rf0-e7U?si=THZKoKeI1vN-arR7
👍8❤2
Hey Hunters,
Sorry for the delay—DarkShadow here, back again dropping one of my secret methodologies 😁
🌀 AWS S3 Bucket Takeover Like a Pro — Super Simple but Highly Effective 🔥
✨Before diving in, let’s understand the whole scenario...
👀 1. Which buckets are vulnerable to takeover?
👀 2. What’s the real impact of taking over an S3 bucket?
👀 3. How do we find S3 buckets that are potentially vulnerable?
👀 4. How can we validate whether a bucket was actually used by the target?
⚡ 1. Vulnerable Buckets:
If a target previously used an S3 bucket and deleted it—but the subdomain (CNAME) is still pointing to amazonaws.com—that’s a perfect takeover opportunity.
⚡ 2. Impact:
If the bucket is still referenced anywhere in the backend or services, and the target forgot to remove it, you might even achieve RCE. In some cases, it can lead to full system compromise.
⚡ 3. Finding Buckets (Using FOFA):
Here’s how I hunt them down using FOFA:
🧠 FOFA Dork:
🔍 This dork gives you subdomains that point to missing or deleted buckets. FOFA indexes fingerprints across the web—even for deleted resources—so it’s a goldmine for finding exposed assets the target forgot.
⚡ 4. Validating Ownership:
🔎 Method 1: GitHub Recon
Use GitHub dorks like:
Or simply search:
You might discover hardcoded links, past commits, or configuration files that prove the target was using this bucket.
🌐 Method 2: DNS History (Not Always Effective, But Worth a Shot)
Check if the bucket was ever configured for static website hosting.
Use these tools to check historical DNS records:
If any DNS leaks or CNAME records are found, analyze them to build your proof of ownership.
🎯 So guys, I hope you enjoyed reading this little piece of my methodology.
💥 Don’t forget to follow me 👉🏼 DarkShadow
#dork #takeover #bugbountytips
Sorry for the delay—DarkShadow here, back again dropping one of my secret methodologies 😁
🌀 AWS S3 Bucket Takeover Like a Pro — Super Simple but Highly Effective 🔥
✨Before diving in, let’s understand the whole scenario...
👀 1. Which buckets are vulnerable to takeover?
👀 2. What’s the real impact of taking over an S3 bucket?
👀 3. How do we find S3 buckets that are potentially vulnerable?
👀 4. How can we validate whether a bucket was actually used by the target?
⚡ 1. Vulnerable Buckets:
If a target previously used an S3 bucket and deleted it—but the subdomain (CNAME) is still pointing to amazonaws.com—that’s a perfect takeover opportunity.
⚡ 2. Impact:
If the bucket is still referenced anywhere in the backend or services, and the target forgot to remove it, you might even achieve RCE. In some cases, it can lead to full system compromise.
⚡ 3. Finding Buckets (Using FOFA):
Here’s how I hunt them down using FOFA:
🧠 FOFA Dork:
body="specified bucket does not exist" && (host="target.com" || host="target_domain_name_only") && port="443"
🔍 This dork gives you subdomains that point to missing or deleted buckets. FOFA indexes fingerprints across the web—even for deleted resources—so it’s a goldmine for finding exposed assets the target forgot.
⚡ 4. Validating Ownership:
🔎 Method 1: GitHub Recon
Use GitHub dorks like:
org:target_org "target.s3.amazonaws.com"
Or simply search:
"target.s3.amazonaws.com"
You might discover hardcoded links, past commits, or configuration files that prove the target was using this bucket.
🌐 Method 2: DNS History (Not Always Effective, But Worth a Shot)
Check if the bucket was ever configured for static website hosting.
Use these tools to check historical DNS records:
https://securitytrails.com
https://dnsdumpster.com
https://viewdns.info
https://www.robtex.com
If any DNS leaks or CNAME records are found, analyze them to build your proof of ownership.
🎯 So guys, I hope you enjoyed reading this little piece of my methodology.
💥 Don’t forget to follow me 👉🏼 DarkShadow
#dork #takeover #bugbountytips
👏15❤12👍2🐳2🔥1
