Mallory

Nuclei templates added for MITRE Caldera RCE and exploited Ivanti buffer overflow

Tags: actively-exploited-vulnerability, detection-content-update, government-vulnerability-catalog, perimeter-device-exposure, proof-of-concept-release
Updated April 4, 2026 at 08:03 AM (2 sources)


ProjectDiscovery contributors submitted new Nuclei detection templates for two high-impact vulnerabilities: CVE-2025-27364, a remote code execution flaw affecting MITRE Caldera, and CVE-2025-22457, a stack-based buffer overflow affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways. The Caldera submission adds a community template for identifying exposure to the RCE issue, while the Ivanti submission adds version-based detection logic tied to product web portal pages.

The Ivanti flaw is described as a CVSS 9.0 stack-based buffer overflow in X-Forwarded-For header processing, and it was reported as actively exploited in the wild by China-nexus threat actors, with references to Mandiant, Google TAG, and its inclusion in CISA's Known Exploited Vulnerabilities catalog. The proposed Ivanti template flags appliances reporting a version earlier than 22.7R2.6, giving defenders a quick way to identify potentially exposed appliances. Because the check is version-based rather than behavioural, a match indicates exposure, not compromise, and an appliance that does not reveal its version on the portal page produces no finding either way. The Caldera template expands scanning coverage for organizations running the adversary emulation platform.
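The version-threshold logic described above, as an added Python illustration. This is not the nuclei-templates project's code and does not reproduce the submitted template's request paths or matchers; it shows the comparison a version-based check has to get right. It parses Ivanti-style build strings, compares them against the page's 22.7R2.6 threshold as numeric tuples rather than strings, and reports a portal that exposes no version as "unknown" rather than "patched". The build-string format, the use of a single threshold, the hostnames and the sample portal bodies are all assumptions constructed for the example.

```python
"""Version-threshold check of the kind the Ivanti template is described as
performing.  Added illustration, not the nuclei-templates project's code.
Assumptions: Ivanti builds are written <major>.<minor>R<release>[.<patch>],
the page's single fixed version 22.7R2.6 is the threshold, and the portal
bodies below are constructed, not captured from real appliances."""
import re
from typing import Dict, Optional, Tuple

# Fixed release named on the page.  Assumption: one threshold for all
# product lines; a production template would carry one per product family.
FIXED_VERSION = "22.7R2.6"

# Matches e.g. "22.7R2.5" or "22.7R2"; the trailing patch component is optional.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)R(\d+)(?:\.(\d+))?\b")

VersionTuple = Tuple[int, int, int, int]


def parse_version(text: str) -> Optional[VersionTuple]:
    """Return (major, minor, release, patch) for the first Ivanti-style
    version string found in text, or None when there is none.
    A missing patch component is treated as 0, so 22.7R2 == 22.7R2.0."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


def is_vulnerable_version(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when version sorts strictly below the fixed release.
    Tuple comparison is what makes 22.7R2.5 < 22.7R2.6 < 22.8R1 come out
    right; a plain string comparison would misorder 22.7R10 and 22.7R2."""
    v = parse_version(version)
    f = parse_version(fixed)
    if v is None or f is None:
        raise ValueError(f"unparseable version: {version!r} / {fixed!r}")
    return v < f


def assess(body: str, fixed: str = FIXED_VERSION) -> str:
    """Classify one portal response body as vulnerable, patched or unknown.
    No visible version is not evidence of a patched appliance, so the
    absence of a banner must never be reported as 'patched'."""
    v = parse_version(body)
    if v is None:
        return "unknown"
    f = parse_version(fixed)
    if f is None:
        raise ValueError(f"unparseable fixed version: {fixed!r}")
    return "vulnerable" if v < f else "patched"


# Constructed sample bodies (hypothetical hosts); real portals differ.
SAMPLE_PORTAL_BODIES: Dict[str, str] = {
    # pre-fix build visible in the page body
    "vpn-a.example.test": "<title>Ivanti Connect Secure</title><!-- 22.7R2.5 -->",
    # fixed build visible in the page body
    "vpn-b.example.test": "<title>Ivanti Connect Secure</title><!-- 22.7R2.6 -->",
    # portal that reveals no version string at all
    "vpn-c.example.test": "<title>Sign in</title><form action='/login'></form>",
}


def assess_all(bodies: Dict[str, str]) -> Dict[str, str]:
    """Map each host to its status; the 'unknown' bucket is kept separate so
    it can be followed up by hand instead of being silently dropped."""
    return {host: assess(body) for host, body in bodies.items()}


if __name__ == "__main__":
    for host, status in assess_all(SAMPLE_PORTAL_BODIES).items():
        print(f"{host:24} {status}")
```

Run as a script it prints one status per sample host. Two design points carry over to a real template: compare version components numerically, because 22.7R10 sorts before 22.7R2 as a string, and keep the threshold per product family rather than as one global value, since the fixed builds for Connect Secure, Policy Secure and ZTA Gateways are not required to be identical.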

Timeline

  1. Apr 4, 2026

    Community Nuclei template proposed for CVE-2025-22457

    A community contributor opened a pull request to add a Nuclei detection template for CVE-2025-22457. The proposed template performs version-based detection for vulnerable Ivanti Connect Secure, Policy Secure, and ZTA Gateway instances.

  2. Apr 4, 2026

    Community Nuclei template proposed for CVE-2025-27364

    A community contributor opened a pull request to add a Nuclei detection template for CVE-2025-27364, described in the reference as a remote code execution issue affecting MITRE Caldera. The visible content does not provide earlier disclosure or exploitation details beyond the template submission.

  3. Apr 4, 2025

    CVE-2025-22457 added to CISA Known Exploited Vulnerabilities catalog

    CVE-2025-22457 was added to CISA’s Known Exploited Vulnerabilities catalog after being identified as actively exploited in the wild. Reporting cited Mandiant and Google TAG attributing exploitation to China-nexus threat actors.

  4. Apr 4, 2025

    Ivanti discloses CVE-2025-22457 in Connect Secure products

    Ivanti disclosed CVE-2025-22457, a stack-based buffer overflow in X-Forwarded-For header processing affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways. The issue impacts versions earlier than 22.7R2.6 and carries a CVSS score of 9.0.


Related Stories

Nuclei Templates Added for MITRE Caldera RCE and GitLab SAML Auth Bypass

ProjectDiscovery contributors submitted new Nuclei detection templates for two newly tracked vulnerabilities: **`CVE-2025-27364`**, described as an **unauthenticated remote code execution** flaw in **MITRE Caldera**, and **`CVE-2025-25291`**, an **authentication bypass** issue in **`ruby-saml`** affecting **GitLab SAML SSO** deployments. The references indicate both issues were significant enough to prompt rapid addition of scanning coverage in the public `nuclei-templates` repository. Available details remain limited because the source material is drawn from GitHub pull request metadata rather than full advisories, but the vulnerability labels point to potentially high-impact exposure in identity and adversary-emulation infrastructure. Security teams using **GitLab SAML single sign-on** or **MITRE Caldera** should track vendor guidance, validate exposure to **`CVE-2025-25291`** and **`CVE-2025-27364`**, and prepare to use updated detection content as part of vulnerability assessment workflows.

1 month ago
Nuclei Templates Added for CWP Control Web Panel and Letta AI RCE Flaws

ProjectDiscovery's `nuclei-templates` repository added detection content for two remote code execution vulnerabilities: **CVE-2025-48703** affecting **CWP Control Web Panel** and **CVE-2025-51482** affecting **Letta AI**. One pull request identifies the CWP issue as an RCE flaw, while a second names an RCE path in Letta AI via the `/v1/tools/run` endpoint. The references indicate public detection coverage is being created for both issues, which can increase defender visibility as well as attacker awareness. The available material does not include affected versions, exploitation evidence, patch guidance, or victim impact, but it does confirm that both vulnerabilities were significant enough to warrant dedicated `nuclei` checks for internet-exposed systems.

1 month ago
Nuclei Templates Added for CVE-2021-42392 and PhotoPrism Unauthenticated Exposure

ProjectDiscovery contributors submitted new **Nuclei** detection content to expand coverage for two separate security issues: `CVE-2021-42392` and an unauthenticated exposure condition affecting **PhotoPrism**. Pull request **#15734**, opened by **maciejklimek**, proposes adding a template for `CVE-2021-42392`, while pull request **#15766**, opened by **pussycat0x**, adds `photoprism-unauth-exposure.yaml` to identify publicly accessible PhotoPrism instances without authentication. Both submissions were presented as defensive scanning updates in the `projectdiscovery/nuclei-templates` repository and included standard validation notes stating they were tested against vulnerable and patched targets. Repository automation requested reviewer attention, and the PhotoPrism template was marked ready to merge, while the `CVE-2021-42392` template remained open pending review; neither reference indicated an active intrusion campaign or confirmed breach tied to the detections.

1 month ago
