Tag
#authentication-bypass
7 posts tagged #authentication-bypass.
-
Analysis · May 20, 2026 · Colten Anderson
The F5 auth bypass that fit in one header: Connection: X-F5-Auth-Token
CVE-2022-1388 let unauthenticated attackers run commands as root on F5 BIG-IP by abusing hop-by-hop header handling. Naming the auth-token header in the Connection header made the proxy strip it after the auth check read it, but before the backend did.
-
Field Note · May 20, 2026 · Colten Anderson
F5 CVE-2023-46747: the backend trusted a header that said 'I'm already an admin'
The Tomcat backend behind F5's config utility trusted a remote_user header as proof of authentication, assuming only the front-end could set it. HTTP-to-AJP request smuggling let attackers set it themselves, for unauthenticated root. Here's how to check, patch, and lock it down.
-
Field Note · May 20, 2026 · Colten Anderson
Patching the Fortinet auth bypass doesn't remove the admin account the attacker added
CVE-2022-40684 let unauthenticated attackers act as administrator on FortiOS, FortiProxy, and FortiSwitchManager by spoofing trusted headers. The exploit's payoff was planting an SSH key or super-admin account, so patching after exposure leaves the back door in place.
-
Analysis · May 20, 2026 · Colten Anderson
A CVSS 10 that hinged on one unchecked box: 'Validate Identity Provider Certificate'
CVE-2020-2021 let attackers bypass authentication on Palo Alto firewalls and VPNs using SAML, but only when one option was disabled: 'Validate Identity Provider Certificate.' A perfect-10 bug whose presence depended on a checkbox.
-
Analysis · May 5, 2026 · Colten Anderson
PaperCut's other bug just became a ransomware vector again
CVE-2023-27351, the auth bypass that lived in CVE-2023-27350's shadow, is back. Storm-1175 is deploying Medusa ransomware through it with sub-24-hour exploitation tempo. CISA added it to KEV in April 2026. If you patched the RCE in 2023 and moved on, check whether the auth bypass actually closed.
-
Analysis · May 5, 2026 · Colten Anderson
The 6.5 that enabled 400 compromises: authentication bypasses and the CVSS blind spot
CVE-2025-49706 scored CVSS 6.5. It enabled unauthenticated RCE across 400+ SharePoint servers. Authentication bypasses are consistently under-scored, and consistently the vulnerability class that turns a bad bug into a mass-exploitation campaign.
-
Analysis · May 5, 2026 · Colten Anderson
48 hours from patch to exploitation: CVE-2026-23760 and the window that doesn't exist anymore
SmarterMail's patch shipped January 15. Attackers decompiled the .NET assemblies, found the fix, built a working exploit, and were inside production systems by January 17. Then they breached SmarterTools itself.