Changelog

We protect your findings with the same rigor we use to find them.

‎ ‎

This certification validates that your data is governed by a continuously reviewed system of security controls covering access management, risk assessment, incident response, physical security, and asset management.

‎ ‎

For your team, this means audited, third-party proof of our security practices, helping reduce friction during vendor reviews and procurement assessments.

‎ ‎

👉 See our certification 👈

We added detection for CVE-2026-1281 (Ivanti Endpoint Manager Mobile RCE) into the Network Vulnerability Scanner and paired it with exploit validation in Sniper.

‎

Why it matters

Unauthenticated. Remote. Full server compromise.

‎

CVE-2026-1281 allows attackers to execute arbitrary commands on exposed Ivanti EPMM servers without credentials. Public reporting confirms active exploitation, and proof-of-concept code is available.

‎

Because EPMM servers often integrate with identity systems and manage mobile fleets, compromise can provide attackers with a direct path into enterprise infrastructure.

‎

How to use

Detect exposed Ivanti EPMM instances with the Network Scanner → validate exploitability with controlled proof-of-concept execution in Sniper → re-scan after patching to confirm remediation

We added an exclusive exploit for CVE-2026-24061 (GNU Inetutils Telnetd) into Sniper and paired it with Network Scanner detection, available exclusively to Pentest-Tools.com customers.

‎

Why it matters

This critical authentication bypass (CVSS 9.8) lets unauthenticated attackers gain immediate root access via a malicious USER environment variable. With over 200,000 instances exposed globally, it is a high-impact target for mass exploitation against legacy and embedded systems.

‎

How to use

Detect with the Network Scanner → validate the risk with a one-click proof-of-concept in Sniper → check for forensic traces of exploitation to assist your post-compromise hunting. 

The Website Scanner and API Scanner already display findings while the scan runs. Scan logs now also record the exact moment when a new finding is added directly in the console output.

‎

This provides a more granular, step-by-step view of discovery as the scan progresses.

‎

Why this matters:

• See the precise moment a vulnerability is identified during longer scans

• Correlate findings with specific scan phases or payloads

• Troubleshoot unexpected behavior with additional context

• Gain better traceability in API-driven or automated workflows

‎

For teams running continuous or automated testing, this adds clearer operational insight during the scan itself, not only after it finishes.

The Network Vulnerability Scanner now detects CVE-2025-62507, a remote code execution vulnerability affecting Redis.

‎

This check helps identify Redis instances that may be exposed to this vulnerability, particularly in internet-facing deployments or misconfigured internal environments.

‎

Why this matters:

• Identify Redis servers vulnerable to remote code execution

• Detect exposed or improperly configured Redis deployments

• Prioritize remediation for systems reachable from external networks

• Add coverage for Redis environments in continuous network scanning

If you run Redis in production or development environments, this detection helps you quickly assess potential exposure.

‎

👉 Know your Redis exposure

You can now filter scan results by tool ID when calling the GET /scans endpoint.

‎

This update allows you to combine tool and start_time filters to return only the scans you care about, making it easier to work with large scan histories and automate downstream workflows.

‎

Use this to:
• Build tool-specific dashboards
• Generate targeted reports
• Reduce post-processing in API consumers

👉 See the updated API documentation 👈

We’ve improved the detection accuracy of active detectors in the Website Vulnerability Scanner to surface more real issues with less noise.

‎ ‎

This update adds coverage for:
• CSRF bypass via POST/PUT to GET conversion
• Insecure CORS configurations caused by subdomain trust
• Serialized object detection in JSON payloads to flag potential deserialization risks

‎ ‎

These improvements help reduce false positives and provide clearer signals during validation and triage.

Sniper now includes an exploit module for CVE-2025-11833, an account takeover vulnerability in the WordPress SMTP Plugin.

‎ ‎

This allows you to validate impact directly by demonstrating account takeover when the vulnerability is present, helping turn detection into clear, actionable evidence.

🫤 We know the last thing you want to deal with on Dec 31st is a new vulnerability. But MongoBleed (CVE-2025-14847) isn't waiting for the ball to drop.
‎

Our team already updated the Pentest-Tools.com Network Scanner to detect this information disclosure flaw that's currently letting unauthenticated attackers leak MongoDB server info.
‎

Whether you’re on-call or just checking in, we’ve made it fast to see if your servers are at risk. 🎯 Scan your IPs for CVE-2025-14847, patch it fast, and have a safe New Year!

‎
👉 Get the CVE details 👈

If you spent part of this year juggling “just one more scan,” one more CVE, and one more person asking “so… are we actually exposed?”, you’re not alone.

Security work kept getting broader, louder, and more accountable - and the hardest part often wasn’t finding issues, but making sense of them fast enough to act.

That’s the lens for our 2025 year in review: what your day-to-day looked like when scanning became routine, and when “more findings” stopped helping.

Before we dive into 2026, here is a look at what we achieved together over the last 12 months.

👉 Read the full 2025 review 👈

We’ve just added an exclusive exploit for CVE-2025-55182 (React2Shell) into Sniper and paired it with Network Scanner detection - available exclusively to Pentest-Tools.com customers.

Why it matters 

React2Shell is a critical, unauthenticated, remote code execution (RCE) vector—prime for mass exploitation given the ubiquity of Next.js and React. This release gives you fast detection and zero-guesswork validation in one place.

How to use

Detect with the Network Scanner → validate in Sniper → re-scan to confirm remediation and rule out residual exposure across multiple assets.

We’ve just added an exclusive exploit for CVE-2025-64446 & CVE-2025-58034 (Fortinet FortiWeb) into Sniper and paired it with Network Scanner detection - available exclusively to Pentest-Tools.com customers.

Why it matters 

Fortinet FortiWeb is a critical authentication bypass and remote code execution (RCE) vector, allowing remote unauthenticated attackers to fully compromise the FortiWeb server and steal confidential information, install ransomware, or pivot to the internal network.

How to use

Detect with the Network Scanner → validate in Sniper → re-scan to confirm remediation and rule out residual exposure across multiple assets.

We’ve improved the Findings experience: grouping now takes the port into account. If the same issue is detected on the same target but on different ports, you’ll see separate entries, so nothing gets merged away by accident.

Why it matters
In real environments, the same vulnerability can show up on multiple exposed services. For example, a misconfiguration on :80 and :8080, or the same TLS issue on several HTTPS ports. Previously, grouping by target + finding could collapse these into one row, which made reporting and remediation tracking messier. With port-aware grouping, each affected service keeps its own finding, evidence, status, and notes, giving you cleaner remediation workflows and more accurate reports.

How to use

Run your scans as usual → open Findings → filter or group duplicates if you want a compact view → edit, verify, or export each port-specific finding separately → re-scan after fixes to confirm every exposed port is clean.

We’ve added an exclusive exploit for CVE-2020-36847 (WordPress Simple File List - Unauthenticated RCE) into Sniper, so you can move from suspicion to proof of rce in a controlled, ethical way.

Why it matters
CVE-2020-36847 is a critical, unauthenticated Remote Code Execution vulnerability in the Simple File List plugin for WordPress. Versions up to and including 4.2.2 let an attacker upload a php payload disguised as an image, then use the plugin’s rename function to change the extension to .php and run it on the server. The result is full arbitrary code execution with no login required, a fast path to site takeover, database access, credential theft, and lateral movement if the host can reach internal services. Updating to 4.2.3 or later fixes the issue.

How to use

Validate in Sniper → capture RCE evidence safely → patch the plugin (4.2.3+) → re-run Sniper to confirm remediation and rule out other exposed sites using the same plugin.

We’ve just rolled out an update to Website Scanner’s active SQLi detection: it now injects payloads into all custom, non-standard cookies and cuts down false positives by skipping cookies that were already checked. This means broader coverage on real-world apps that stash input in quirky cookie names, without noisy duplicates in your results.

Why it matters
SQL injection still shows up in places scanners can miss, especially in custom cookies used for state, feature flags, or tracking. By extending payload injection to every custom cookie, Website Scanner can uncover SQLi paths that previously hid outside “standard” cookie patterns. At the same time, the improved logic avoids re-testing cookies it has already validated, which reduces repeat hits and lowers the chance of false positives. Net effect: more real findings, less triage fatigue.

How to use

Run Website Scanner as usual → review any confirmed SQLi findings → validate further with SQLi Exploiter if needed → fix and re-scan to confirm remediation and ensure no custom-cookie vectors remain exposed.

We’ve just added an exclusive exploit for CVE-2025-11953 (React Native Community CLI development server) into Sniper and paired it with Network Scanner detection, so you can spot and confirm this RCE in one workflow.

Why it matters
CVE-2025-11953 is a critical, unauthenticated Remote Code Execution issue in the Metro development server started by the react native community cli. The server exposes an endpoint vulnerable to os command injection, letting an external attacker run arbitrary commands on the host if the dev server is reachable over the network. With a CVSS of 9.8, the impact is full compromise of the dev server environment and whatever credentials, source code, or internal network access it can reach.

How to use

Detect with the Network Scanner → validate in Sniper → re-scan to confirm remediation and catch leftover exposure across other hosts running the Metro dev server.

We’ve just added detection for CVE-2025-55315 (HTTP Request Smuggling in ASP.NET Core) into Network Scanner, so you can quickly flag affected kestrel-backed apps during your perimeter and internal scans.

Why it matters 

CVE-2025-55315 is a critical request smuggling vulnerability in ASP.NET Core’s kestrel server. It stems from inconsistent parsing of HTTP requests, which can let an attacker “hide” one request inside another and slip past intermediate components or app logic. In real terms, that can mean bypassing authentication or authorization checks, hijacking sessions, leaking data, or causing unexpected request routing inside your app stack. Microsoft rated it critical with a CVSS of 9.9 and shipped fixes in the october 2025 security updates across supported .net / asp.net core versions.

How to use

Scan with Network Scanner → patch / upgrade the affected asp.net core runtime or app packages → re-scan to verify fixes and confirm no exposed instances remain.

We’ve just added an exclusive exploit for CVE-2025-61882 (Oracle E-Business Suite BI Publisher RCE) into Sniper and paired it with Network Scanner detection - available exclusively to Pentest-Tools.com customers.

Why it matters
This vulnerability is a critical, unauthenticated, pre-auth Remote Code Execution in Oracle EBS (versions 12.2.3 → 12.2.14). It has a CVSS of ~9.8 and is actively exploited in the wild. It allows remote attackers to run arbitrary code and potentially take over the Concurrent Processing subsystem, often containing high-value ERP, payroll, and financial data. This module gives you fast detection and zero-guesswork validation in one place.

How to use

detect with the Network Scanner → validate in Sniper → re-scan to confirm remediation and rule out residual exposure across multiple assets.

Inspired by James Kettle's article and to keep on top on latest research, we introduced the new CL.0 Request Smuggler in our HTTP Request Smuggling detector from Website Vulnerability Scanner. It is automatically enabled inside the detector and it helps uncover more request smuggling attacks.

You asked, we listened. You can now download more reports at once directly from the Reports page. Instead of saving each report individually, you can select multiple generated reports and download them together as a single .zip archive.

Why it matters
Handling multiple assessments or projects often means managing many reports. This update helps you work faster and stay organized by reducing repetitive actions and keeping related files together.

How to use

1. Go to the Reports page in your account.

2. Select all the reports you want to download.

3. Click Download. You’ll receive a .zip file containing all the selected reports.

Key benefits

1. Save time by downloading multiple reports simultaneously

2. Keep related files neatly grouped

3. Simplify sharing and storage of report archives

We’ve just added an exclusive exploit for CVE-2025-54236 (Magento & Adobe Commerce SessionReaper) into Sniper and paired it with Network Scanner detection - available exclusively to Pentest-Tools.com customers.

Why it matters
SessionReaper is a low-complexity, remote, unauthenticated vector — prime for mass exploitation. This release gives you fast detection and zero-guesswork validation in one place.

How to use

detect with the Network Scanner → validate in Sniper → re-scan to confirm remediation and rule out residual exposure across multiple assets.

Want to learn the story behind the exploit? Dip into the detailed write-up on the blog!

Why it matters
CVE-2025-26399 is a critical remote code execution vulnerability that could allow attackers to run arbitrary commands on vulnerable SolarWinds Web Help Desk instances. Early detection is essential to prevent potential exploitation and maintain the security of your infrastructure.

How to use
Run a scan with Network Scanner against your targets as usual. The tool will automatically check for signs of CVE-2025-26399 exposure and flag any vulnerable hosts.

Key benefits

• Detect vulnerable SolarWinds Web Help Desk instances affected by CVE-2025-26399

• Gain visibility into potential exposure before attackers can exploit it

• Strengthen your security posture with timely vulnerability insights

Keeping compliance evidence current shouldn’t be a manual job.

That’s why now you can sync validated vulnerabilities and scheduled scan results directly into Vanta - automatically.

Here’s what’s new:

🎯 32 Vanta tests + 2 controls mapped - your findings now tie directly to relevant Vanta compliance checks.

🎯 Daily sync at 05:00 UTC - stay continuously audit-ready without uploading reports manually.

🎯 Smart filtering - manual findings are included, while informational or closed findings are excluded to keep data clean.

🎯 Scheduled scans automatically synced to Compliance → Documents → Vulnerability Scan (up to 5 per recurrence).

🎯 Available on all paid plans.

👉 If you’ve used the integration before, please re-link your Vanta account to grant permissions for vulnerability syncing.

See how it works in this short demo:

Now you can securely access your private Azure infrastructure with our fresh internal network scanning (VPN agent) capability — so you can run internal vulnerability scans and pentests in minutes.

Key benefits:

🎯 Complete visibility – Extend your vulnerability assessments beyond the perimeter to cover internal servers, endpoints, and services in Azure.

🎯 Secure by design – All scans are tunneled through the VPN Agent with no inbound firewall changes required.

🎯 Unified view – Run the same Pentest-Tools.com tools for both external and internal testing, managed from a single interface.

🎯 Fast deployment – Launch in minutes and start scanning immediately, without manual setup.

💡 Ideal for: security teams covering hybrid environments and consultants managing client cloud networks.

Why it matters
CVE-2025-10035 is a remote code execution vulnerability that allows attackers to execute arbitrary commands on vulnerable Fortra GoAnywhere MFT instances. Detecting affected systems early is crucial to mitigate risks and protect sensitive data.

How to use
Scan your targets using Network Scanner. The tool automatically checks whether CVE-2025-10035 affects any detected Fortra GoAnywhere MFT installations and highlights vulnerable hosts in the results.

Key benefits

• Identify Fortra GoAnywhere MFT instances vulnerable to CVE-2025-10035

• Reduce exposure to active exploitation attempts

• Support faster remediation through precise detection

We keep enhancing the Network Scanner coverage so you can find critical issues before attackers do.

The latest? This critical vulnerability in SonicWall SonicOS - CVE-2024-40766 (Unauthorized access) allows an unauthenticated remote attacker to gain access as admin on the management console.

PRO TIP: run targeted CVE scans to validate patching, identify remaining attack surface, and generate evidence for stakeholders.

We added 4 fresh, high-value exploit modules to Sniper: Auto-Exploiter, our proprietary offensive tool, so you can confirm risk quickly and produce stronger evidence for remediation:

Fortinet FortiSIEM - CVE-2025-25256 (RCE)
Sniper will give you proof of exploit for this critical RCE vulnerability in FortiSIEM deployments.

Microsoft SharePoint - CVE-2025-53771 (Auth Bypass) & CVE-2025-49704 (RCE)
Sniper now includes modules to test both authentication bypass and RCE paths in SharePoint so you can demonstrate end-to-end impact.

FreePBX — CVE-2025-57819 (Auth Bypass → SQLi → RCE)
A chained failure: Sniper can validate the authentication bypass that leads to SQL injection and potential RCE in affected FreePBX installs.

OpenSSH — CVE-2018-15473 (Username enumeration)
We added a module to automate proof of username enumeration on OpenSSH services (useful in pentests and red-team enumeration phases).

Why this helps: consultants get fast, reproducible PoCs for client reports; internal teams get quick validation that prioritizes remediation of exploitable paths.

Remember: if Sniper can exploit it, our Network Scanner can detect it!

Manual reporting slowing you down? 

Our new Burp Suite extension lets you send selected Audit Issues directly to your Pentest-Tools.com workspace- no copy-paste needed.

It’s built for pentesters who want clean, consistent findings that are ready to report - faster.

See how it works:

Fresh improvements to our proprietary Website Scanner let you handle authentication and findings with less hassle and more clarity:

Record auth flows with Chrome – We’ve moved to Chrome Developer Tools to record and configure logins faster and with more reliability. Start here.

Re-enabled Check Authentication  – Test your credentials upfront and see a screenshot of a successful login, so you know it works.

Spot outdated server software clearly – The scanner creates a separate finding for each vulnerable technology instead of lumping them together, so you can act on what matters.

We’ve expanded support for the Exploit Prediction Scoring System (EPSS) to help you quickly assess which vulnerabilities are most likely to be exploited:

For the Website Scanner – Findings now show the CVE name and EPSS score right at the top, so you immediately know which ones attackers are most likely to exploit.

For the WordPress & Drupal Scanners – Findings now include EPSS data and are better organized with CVE name, score, and percentile highlighted.

Your scan results are now easier to work with:

Collapse findings – Hide or expand findings with a single click for cleaner navigation.

View all statuses – Findings with any status (not just Open) now appear in their own tab.

Classification in headers – CVSS, EPSS, CISA KEV, and Confidence (Certain/Uncertain) are now at the top of each finding.

Grouped findings via API – Use the new group_findings param on /findings to pull data grouped exactly like in the dashboard.

We’ve added even more improvements that make asset and findings management more efficient:

Multiple AWS regions – Import assets across multiple regions (default region config) without adding separate integrations. 

Asset descriptions everywhere – Asset descriptions now show in Scans and Findings (including manual findings) for easier identification.

Patching is only half the job — validating your mitigations is what ensures your SharePoint infrastructure is actually secure.

The Network Vulnerability Scanner now provides fast, targeted detection for this unauthenticated critical RCE vulnerability (CVE-2025-53770, CVSSv3 9.8):

✅ Instantly scan SharePoint servers using a single-CVE scan

✅ Confirm whether patches were effective 

✅ Get detailed, evidence-backed findings to report confidently and prioritize remediation where it matters most.

The Network Scanner can now detect if your assets are affected by CVE-2025-5777 (CVSSv3 7.5), a critical Remote Code Execution vulnerability in Citrix NetScaler.

Add this to your external exposure checks or client asset reviews to flag high-risk systems early.

Need fast, flexible API scans or do you want to do a full-fledged integration test?

The API Vulnerability Scanner now supports all our scanning depths:

🎯 Light for fast results

🎯 Deep for full-coverage scans

🎯 Custom lets you select scan depth and choose between REST or GraphQL APIs.

🌟 Bonus: The API spec file is now optional — so you can start testing even if documentation is incomplete.

The Network Scanner now flags several types of DNSSEC (Domain Name System Security Extensions) misconfigurations that are often overlooked, but impactful:

✅ Large DNSSEC responses (amplification risks)

✅ Weak cryptographic algorithms

✅ Missing or insecure DNS cookies

✅ Improper or missing EDNS usage

Ideal for:
🎯 Security consultants doing external infrastructure reviews
🎯 Internal security teams hardening critical DNS services

Running large test sets using grouped scans? Now, when all scans in a group finish, the aggregated results are available right in your Reports section - not just by email.

This update makes life easier for consultants managing multiple clients and teams tracking internal remediation workflows.

Sniper: Auto-Exploiter, our proprietary offensive solution, now gives you proof of exploitation for two new RCEs - helping you confirm impact with just a few clicks:

• CVE-2025-47577 (CVSSv3 10.0) – a dangerous RCE in WordPress TemplateInvaders TI WooCommerce Wishlist allowing for Upload a Web Shell to a server

• CVE-2025-4427 (CVSSv3 5.3) – a medium RCE in Ivanti Endpoint Manager Mobile allowing attackers to access protected resources without proper credentials. 

Use Sniper to demonstrate real-world risk, complete with payloads and proof. 

Don’t forget: if Sniper can exploit it, our Network Scanner can detect it.

The Website Scanner’s spidering process now uses Locality Sensitive Hashing (LSH) to compare similar pages more efficiently.

What this means for you:

✅ Cover more ground in less time and surface hidden endpoints quickly

✅ Improve test coverage on apps with repetitive structures or dynamic content

You may see more URLs discovered in your scans - slightly longer scan time, but way better visibility! 

We’re constantly optimizing our proprietary Website Scanner for better scan performance. 

Working with /api/v2/scans? 

You can now filter by start_time to get only the results you need at one point.

Bonus: scan results are now sorted by most recent first by default, helping you spot what’s relevant without digging.

False positives don’t just waste time - they erode trust, delay remediation, and bury real issues under a pile of noise.

That’s why we’ve built and integrated the Machine Learning classifier - a purpose-trained machine learning model - directly into our Website Scanner and URL Fuzzer.

Instead of relying on brittle RegEx logic, the ML Classifier analyzes every HTML response during a scan and automatically sorts it into one of four smart categories:

📌 HIT – High-value targets like login pages, exposed secrets, and backups

📌 MISS – Confirmed dead ends, even when status codes are misleading

📌 PARTIAL HIT – Ambiguous but interesting results (like firewall pages or redirects)

📌 INCONCLUSIVE – Requires browser-based rendering for confirmation

This means you can quickly focus on what matters, reduce triage time, and get clearer, cleaner results.

The Website Scanner’s automatic authentication method also got an upgrade!

Now powered by Machine Learning, it can better detect and interact with complex login flows.

This beta feature kicks in as a backup if the classic method fails, giving you a smarter fallback when testing modern apps.

You can now push vulnerability scan results from Pentest-Tools.com into your Nucleus workspace. Choose to automate based on conditions, or manually send only the Findings you need. No more custom scripts. No more manual data wrangling. One single source of truth for smoother findings management.

▶️ Watch this demo with our product manager, Dragos and:

✅ Control what gets sent and where
✅ Keep client data cleanly separated
✅ Centralize your vuln management in Nucleus

We’ve added EPSS scores & percentiles, and CISA KEV flags for the Network Scanner’s findings so you identify what’s critical, faster:

• EPSS (Exploit Prediction Scoring System) helps you estimate the real-world likelihood of exploitation

• CISA KEV (Known Exploited Vulnerabilities) flags confirmed threats

You’ll now see this data in the classification section of each network scan finding. 

Whether you’re triaging results internally or reporting to clients, this adds vital context for a more accurate prioritization.

Complement it with our case against single-metric risk models.

Every JSON report you generate from Pentest-Tools.com now includes scan metadata - including the target, scan type, and timing details.

Perfect for consultants automating reporting workflows or teams feeding results into SIEMs, dashboards, or custom pipelines.

We’ve made several key improvements to our proprietary Website Scanner to help you uncover more vulnerabilities - with greater precision:

✅ Light scans now include all passive detections so you get richer results with a quick scan
✅ GraphQL endpoint fuzzing now included to automatically identify GraphQL endpoints and test them as injection points
✅ Response Header Injection detection is still live in the active module since last month, but too useful not to mention again!

Sniper: Auto-Exploiter, our proprietary offensive solution, now validates exploitability for CVE-2024-56145 (CVSSv3 9.8), a critical Remote Code Execution vulnerability in Craft CMS.

Just like the rest of our exploit modules, this lets you:

• Get proof of exploitation within minutes and skip manual PoC building

• Strengthen your reports with screenshots and payload evidence

As always, if Sniper can exploit it, our Network Scanner can detect it.

Our API Scanner now includes detection for mass assignment vulnerabilities, a risk often overlooked but highly impactful - especially in misconfigured APIs.

Plus, it’s included in both standalone API scans and integrated web scans with our Website Scanner, giving you deeper insight with no extra setup.

We’ve fine-tuned the port lists across our scanners to focus on the most relevant and commonly exposed ports - based on the latest exposure patterns in real-world environments.

This ensures you’re scanning what matters, not wasting time on ports that don’t.

Time matters - especially when a new critical CVE is looming over your infrastructures! 

That’s why the Network Vulnerability Scanner now automatically optimizes the engine selection when you scan for a specific CVE.

This means:

• We only enable the engines that can detect the targeted CVEs

• Faster scan completion without losing detection depth

• Quicker results your team can use to coordinate and patch

Generate, download, and view your reports via API — no more account login needed!

We’ve made this update so you can integrate reporting into your automated workflows at scale:

• Trigger the reports you need programmatically

• Save time on repetitive manual tasks

• Control what gets delivered and where 

  

We’ve upgraded our proprietary Website Scanner to give you better visibility and deeper coverage of your apps:

• Findings now include port, service, and protocol data

• The scanner’s Active module now detects Response Header Injection, a commonly missed attack vector in real-world apps

Whether you're auditing a third-party web app or scanning production assets, these updates give you faster, more precise insights.

The Subdomain Finder now integrates getallurls (GAU) in the External APIs test, pulling in subdomain data from archived URLs and Wayback content.

This adds another layer to your discovery workflows, especially valuable for:

✅ Early-stage engagement scoping

✅ In-depth attack surface mapping 

✅ Historical asset continuous monitoring with scheduled scans

Pentest Robots make it easier to:

• Set up repeatable testing flows across clients with predefined or custom Robots

• Run scheduled assessment sequences on internal assets

• Deliver consistent, scalable testing with less effort
  

You can now launch a Pentest Robot from the New Scan button, thanks to the new dedicated Robots tab — making your workflows even faster.

Sniper: Auto-Exploiter now supports three high-risk CVEs, helping you validate exploitability with just a few clicks — no manual scripting needed:

✅ CVE-2024-11635 (CVSSv3 9.8) – an RCE in WordPress File Upload plugin using the require-once PHP statement, with attacker controllable data as an argument.

✅ CVE-2025-0890 (CVSSv3 9.8) – insecure default credentials for the Telnet function in Zyxel devices allowing an attacker to fully compromise your server.

✅ CVE-2024-40891 (CVSSv3 8.8) – a post-authentication command injection vulnerability in Zyxel via Telnet.

For consultants, this means stronger deliverables and faster turnaround. For internal teams, actionable exploitability validation without time-consuming setup.

Bonus reminder: all these CVEs can be detected with our Network Scanner.

SonicWall’s Secure Mobile Access 1000 Series has a newly disclosed RCE — CVE-2025-23006 (CVSSv3 9.8) that allows an unauthenticated attacker to run arbitrary code on the target.

Our Network Vulnerability Scanner can now specifically target and detect this CVE, so you can:

• Flag affected assets in external infrastructure reviews

• Stay ahead of exposure with your continuous monitoring flows

• Deliver remediation-ready reports for stakeholders

Our Network Scanner now provides fast, reliable detection for the critical Next.js vulnerability, CVE-2025-29927, so you can quickly identify affected applications.

We've streamlined the detection process to help you pinpoint and address this risk effectively.

How it works:

✅ Run a CVE-focused network vulnerability scan against your Next.js applications.

✅ The scanner will automatically check for CVE-2025-29927, highlighting vulnerable instances.

✅ Get clear, actionable results to prioritize patching and mitigation.

Dive deeper: understand and fix CVE-2025-29927

For a comprehensive understanding of the CVE-2025-29927 vulnerability, its impact, and detailed remediation steps, read our in-depth article.

This write-up includes:

• A technical breakdown of the vulnerability.

• Affected Next.js versions.

• Practical exploitation scenarios.

• Business impact examples.

• Step-by-step mitigation guidance.

This month’s Website Scanner updates help you uncover hard-to-spot web app issues faster:

📌 Redirects buried in JavaScript can slip past traditional scans. Now our scanner checks for DOM-based open redirects, giving you deeper visibility into vulnerable behavior inside the browser.

📌 See emails as standalone findings for faster review and better reporting. 

📌 Found an XSS? No need to manually recreate your payload - just click “Exploit with XSS Exploiter” in the Website Scanner and capture screenshots, cookies, and request data every time it gets triggered.

Need to add a new teammate, client, or just more recipients to scan notifications or change your alerts settings? We heard you loud and clear!

Now you can edit notification settings for Scheduled Scans without recreating them from scratch.

✅ Adjust on the fly
✅ Keep your workflow flexible

Misconfigured buckets can leak versioned objects, exposing sensitive data. Our Cloud Scanner has a new finding for public AWS S3 bucket version listings, so you can:

✅ Spot dangerous misconfigs fast and remediate
✅ Support continuous secure cloud hygiene

Proof of exploitation is what separates noise from real risk. Sniper: Auto-Exploiter, our proprietary offensive tool, now supports:

• CVE-2024-50498 (CVSSv3 9.8) – an RCE in WP Query Console that affects all WordPress versions and can allow code injection.
  

Use Sniper to confirm impact and cut straight to remediation.

As always, remember that if Sniper can exploit it, our Network Scanner can detect it.

Plus, Sniper is now giving you a clearer view of payloads, responses, and proof of exploitation with the latest in our scan results UI makeover.

Our pentest robots are becoming increasingly popular for handling large-scale vulnerability assessments. And now, they're even easier to use, especially for those of you who need customized automation.

We’ve made it simpler to keep track of pentest robots scans: instead of listing all scans individually, the Scans section now displays one entry per pentest robot, making it easier to map your actions to what you see in our product.

How it works:

✅ Each pentest robot now has a single log entry, reducing clutter

✅ You can access all scan resulting from a single pentest robot accessed within its own log block

✅ Improved clarity helps you focus on results - not on tracking individual scans.

Need to prove exploitability for highly targeted CVEs beyond a shadow of a doubt? 

Our proprietary offensive tool, Sniper: Auto-Exploiter, is now even more powerful, helping you get proof of exploitation for critical vulnerabilities in popular content management systems:

• CVE-2024-10924 (CVSSv3 9.8) - an RCE in the Really Simple Security WordPress plugin that can let an attacker leverage an authentication bypass and compromise your server.

• CVE-2023-41892 (CVSSv3 9.8) - a Craft CMS Unauthenticated RCE classified as a high-impact, low-complexity attack vector.  

And remember: if it’s exploitable with Sniper, it’s a confirmed risk you can also detect with our Network Vulnerability Scanner. 

We ran Hydra, a pentester’s favourite, and our proprietary Password Auditor against 26 web applications — including Microsoft Exchange, WordPress, and Joomla.

The comparison criteria? Their ability to:

• Identify login credentials, endpoints and parameters

• Recognize error messages & protection mechanisms

• Detect defensive measures like IP blacklisting, CAPTCHA, account lockout, and rate limiting.

The results make choosing a tool for password auditing much easier: Hydra might be a classic, but our Password Auditor is the real match for modern security defenses.

Also included in this benchmark: a step-by-step guide to bruteforcing all 26 tested apps, from WordPress to Exchange. 

The UI facelift continues! 

We’ve upgraded the look and feel of scan results for another important part of your security toolbox: 

📌 WAF Scanner

📌 SQLi Exploiter

📌 People Hunter

📌 Subdomain Takeover

📌 Joomla Scanner

📌 ICMP Ping

📌 Whois Lookup

This means clearer findings and a better organization across the board.

To help you get eyes on the most burning security issues as fast as possible, we’ve updated the Website Scanner and the API Scanner to classify the most severe risks as Critical if their CVSSv3 score is over 9.0. 

This means:

📌 More time to realistically assess business impact

📌 More accurate risk and mitigation prioritization.

Plus, this month comes with even more improvements in our Website Scanner:

• You can now test authentication with headers with the Authentication functionality, before starting a new scan for a better setup configuration.

• The Find Login Interfaces passive test now detects Basic HTTP/NTLM Authentication — helping you map authentication entry points with greater accuracy.
  

Surfacing critical findings with high precision is our goal with the Network Vulnerability Scanner.

That’s why it now generates critical findings if the CVSSv3 score is over 9.0, to help you prioritize and address the most urgent vulnerabilities more efficiently.

Of course, both coverage and depth are important! 

Discover our latest network detections in our Vulnerability & Exploit Database, including one for CVE-2025-0282, a Remote Code Execution vulnerability in Ivanti Connect Secure.

You can now see exactly when your last scheduled scan didn’t run successfully — right from Scheduled Scans.

To help you troubleshoot, we’ve created a support article with all the common causes and how to fix them. It’s quicker to understand what happened.

Sniper: Auto-Exploiter, our proprietary offensive tool, comes with an expanding arsenal for proving exploitability for high-risk, widespread CVEs.

Just look at these new vulns for which you can get proof of exploitation:

• CVE-2024-51567  and CVE-2024-51378 (CVSSv3 9.8) — two CyberPanel RCEs that can let an attacker gain root access on a target machine.

• CVE-2024-50623 (CVSSv3 9.8) — Arbitrary File Read and Write vulnerabilities in Cleo Harmony, VLTrader, and LexiCom.

• CVE-2024-11680 (CVSSv3 9.8) — a ProjectSand Authentication Bypass vulnerability 

As always, don’t forget: if it’s exploitable with Sniper, you can detect it with our Network Scanner!

We first developed Pentest Robots so you can chain multiple tools into custom, automatic testing flows.

Now, they just got simpler.

You can start a scan directly from the Pentest Robots page, targeting multiple assets in one go. Effortless and efficient!

People Hunter lets you discover email addresses and social media profiles starting from a web application — for a more accurate attack surface assessment. 

Now it’s faster with these two key optimizations:

• Get results in real-time as the crawler works its ways through the target

• See external query results when the scan starts.

Besides finding critical vulnerabilities in web apps, our proprietary Website Scanner automatically validates them to get rid of false positives.

In the last few weeks, we’ve added even more highly accurate detections for:

• insecure deserialization in Ruby-based applications with the scanner’s Active module.

• Python pickle objects, together with an out of band deserialization method so you don’t get any unwanted RCEs in production.

Wondering what else you can detect with our Website Scanner? Find all our web app detections in the Vulnerability Database by filtering after the tool’s name!

We’ve made one of the top 3 Pentest-Tools.com favorites even faster! 50% faster for deep scans!

Without compromising on quality, our Subdomain Finder gets results much quicker thanks to this latest improvement: loading fingerprinting tools in a more efficient way.

The scan results facelift continues! We’ve recently rolled out visual updates for:

• Port Scanner

• Subdomain Finder

• Domain Finder

• URL Fuzzer

• Virtual Hosts Finder

Enjoy a cleaner experience for better insights at a glance.

Our proprietary Website Vulnerability Scanner just got more powerful with these November updates:

Validate with SQLi Exploiter button: Found an SQL Injection vulnerability? Validate it instantly in one click! Our SQLi Exploiter auto-fills details like HTTP methods, POST data, and test parameters.

Insecure deserialization detection for Python-based applications in the scanner’s Active module. (‘Nough said!)

Subdomain whitelisting for broader scan coverage. By default, we’re whitelisting "api", but you can customize your subdomain scanning under the Custom scan settings for even more control.

You now have access to scheduled scans so it’s even easier to maintain regular monitoring routines. 

Here’s how it works:

• Set your preferred scans to run automatically on a weekly or monthly basis.

• Set up scan diff email alerts to know when something changes. 

Chaining our tools for more and better findings is our ultimate goal. 

That’s why when the Network Vulnerability Scanner detects a login interface, you’ll now see a Scan with Password Auditor button.

Click it and the scanner automatically fills in fields like target, ports, and service for faster weak credentials detection.

Not one month passes without adding new proof of exploitation to our proprietary offensive tool —  Sniper: Auto-Exploiter. 

The tool can now exploit Authentication Bypass and Remote Code Execution vulnerabilities in Palo Alto Networks Expedition:

• CVE-2024-0012 and CVE-2024-9474 (CVSSv3 9.8) - allow a remote attacker to bypass the authentication mechanism and compromise your internal network.

Prove exploitation easily and integrate this update into your offensive workflows.

You asked, we listened! The Joomla Scanner is now part of our API, ready to use directly from your scripts.

The "How to reproduce" section in the Cloud Scanner findings now includes the AWS command so you can easily validate your results.

There’s a new cloud integration in your Pentest-Tools.com toolkit!

Now you can easily import AWS targets to your account with a fast setup. 

We’re constantly expanding our integrations to improve your pentesting workflow experience. If you have any preferred tool we should consider next, let us know!

First we introduced the scan diff notification, so you can easily track changes in your targets’ security posture.

Now, we’ve made it even easier for you to set a complete monitoring flow for our Network & Website Vulnerability Scanners, Port Scanner, and Subdomain Finder.

You just select your target(s) and follow the Monitor setup process. It’s that simple! 

You’ll automatically get email alerts whenever there’s an update.

Our Network Scanner is constantly expanding its reach so you get the most from your precision network scans. 

Detect these freshly added high-impact RCEs:

• CVE-2024-47177 (CVSSv3 9) — RCE in CUPS, a standards-based, open-source printing system.

• CVE-2024-28986 (CVSSv3 9.8) — RCE in SolarWinds Web Help Desk that allows an attacker to run commands on the host machine

Get more detailed findings for:

• misconfigured DNS (because it's always DNS!) SPF, DNS DMARC, and DNS DKIM records

• a DNS Zone Transfer vulnerability

Also, know what step your scan is at with real-time updates in the Network Scanner’s scan logs.

Our team also updated the Website Scanner's capabilities this past month so you have a more comprehensive view of your targets.

You can:

• detect insecure deserialization in PHP applications with the scanner’s Active module

• automatically detect GraphQL as we’ve integrated our API Vulnerability Scanner’s test methods for this language 

We’ve also added more extensive findings to your scan results. 

The Website Scanner now:

• creates a new finding with all the API endpoints it detects during crawling

• fuzzes for Open API specifications, creates a new finding with any identified results, and even adds it into the Specification Spider

• adds exposures and exposed-panels Nuclei templates to the Interesting files finding so you detect even more publicly accessible pages that should’ve been hidden.

Plus, to make the overall scan results easier to navigate, we’re highlighting the request/response lines for all detectors, both passive and active.

Our proprietary offensive tool, Sniper: Auto Exploiter, has a wide range of available exploits — but we want to make it even more up to date.

Use Sniper to extract the proof of exploitation for a critical Palo Alto Networks Expedition RCE (CVE-2024-9463, CVSSv3 9.8) that can allow an unauthenticated attacker to inject an OS Command using special characters and fully compromise your server.

With the Cloud Vulnerability Scanner, you can assess targets across multi-cloud environments like AWS, GCP, or Azure from both within and the outside.

There’s a fresh finding for it, too!

Use our Cloud Scanner to detect the risk of data leaks because of a misconfiguration in your AWS bucket that gives a potential attacker public access to list your multipart uploads.

Our Subdomain Finder also has a new update to make your scan results more accurate.

The tool now translates key entries from the Enumeration wordlist for languages from the top level domain (TLD) through the FindSubdomains alteration test.

There’s a fresh, new Reports section in Pentest-Tools.com for you to manage and download scan results, findings, and custom reports — all in one place.

Yet, our fresh makeover comes with fresh improvements for faster and smoother reporting work:

• Asynchronous report generation, so you don’t have to worry about getting stuck on the same screen while waiting for your files. Not even for larger ones. You’ll get an in-app alert as soon as the report is ready.

• 30 days storage for all your reports. No need to regenerate or search for a specific report, we make sure they’re all in their right place.

See how you can leverage the power of automation to streamline your client reports in this hands-on demo:

There’s a new module in the active capabilities of our proprietary Website Scanner: detection for insecure deserialization in .Net applications. 

To make XSS and SQLi findings easier to navigate, we’ve also added a highlight directly in the request/response line containing the payload used in that detection.  

We’ve made Findings management even smoother so you don’t waste time on menial tasks. Now you can clone Findings in bulk with just a press of the button! Quick and easy.