June 16, 2025
Four new fingerprints and two Rapid Response bulletins.
Rapid Response
The Censys Rapid Response team published information about and queries for the following issues and vulnerabilities.
-
Wazuh RCE Vulnerability Exploited to Deploy Mirai Botnets
- Use the following queries to identify exposed Wazuh servers, but they are not necessarily vulnerable to the exploit.
- Platform query
- Legacy Search query
- ASM query
-
ASM risk query
- This query can be used to find instances of Wazuh server that are vulnerable to the exploit.
- Use the following queries to identify exposed Wazuh servers, but they are not necessarily vulnerable to the exploit.
-
Roundcube Webmail Vulnerable to Authenticated RCE [CVE-2025-49113]
- Use the following queries to find Roundcube Webmail instances. Not all of these are necessarily vulnerable to the exploit described in the bulletin.
- Platform query
- Legacy Search query
- ASM query
-
ASM risk query
- This query can be used to find instances of Roundcube Webmail that are vulnerable to the exploit.
- Use the following queries to find Roundcube Webmail instances. Not all of these are necessarily vulnerable to the exploit described in the bulletin.
New fingerprints
Added the following fingerprints.
Type | Name | Description | Query |
|---|---|---|---|
software | Synology VPN Plus Server | This is a Synology VPN Plus Server. | |
software | 3CX Web Client | The 3CX Web Client is a browser-based application that provides users with tools for communication and collaboration, including call management, video conferencing, live chat, and integration with messaging platforms such as WhatsApp, Facebook, and SMS/MMS. | |
risk | Vulnerable Wazuh [CVE-2025-24016] | An unsafe deserialization vulnerability allows for remote code execution on Wazuh servers. The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or, in certain configurations, even by a compromised agent. | ASM query: |
risk | Vulnerable Roundcube [CVE-2025-49113] | This is a Roundcube server running a version of Roundcube that is vulnerable to CVE-2025-49113. Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. | ASM query: |