Our Vulnerability Research

Common Vulnerabilities and Exposures

SAP security alert for CVE-2025-24870 indicating a critical threat level for insecure secrets management exposing plaintext credentials and access to banking transactions and enterprise data.

What This Vulnerability Research Portfolio Represents

Discoveries That Matter

Our vulnerability research team reverse engineers your enterprise software to find the 0-days that threaten your infrastructure - before attackers do.

Enterprise Focus

The vulnerabilities below affect systems organizations use: SAP. IBM. Check Point. F5. BMC. Microsoft. Rapid7. Cyberark.


Current Research

We identified a wide range of CVEs across various industries - each of the vulnerabilities has been assigned a threat level ranging from critical to low. We pride ourselves on beating others to identifying critical CVEs in large infrastructure for organisations such as IBM and Microsoft.

CVE-2020-25134 (Threat level: High)
Authenticated directory traversal and local file inclusion in Observium via different parameter

CVE-2020-25133 (Threat level: High)
Authenticated directory traversal and local file inclusion in Observium allows reading server files

CVE-2020-25132 (Threat level: High)
SQL injection in Observium via different injection point allows database attacks

CVE-2020-25131 (Threat level: Medium)
Cross-site scripting in Observium network monitoring platform allows script injection

CVE-2020-25130 (Threat level: High)
SQL injection in Observium network monitoring platform allows database manipulation

CVE-2020-25102 (Threat level: Medium)
Cross-site scripting in SilverStripe Advanced Reports Module allows script injection

CVE-2020-1569 (Threat level: Critical)
Memory corruption in Microsoft Edge (EdgeHTML) allows remote code execution via crafted web content

CVE-2020-15596 (Threat level: High)
DLL hijacking in touchpad driver allows local attackers to execute arbitrary code with elevated privileges

CVE-2020-13700 (Threat level: High)
Insecure direct object reference in ACF to REST API WordPress plugin allows unauthorized data access via permalink manipulation

CVE-2020-13484 (Threat level: High)
Unauthenticated server-side request forgery in Bitrix CRM allows attackers to access internal systems

CVE-2020-13483 (Threat level: Medium)
Cross-site scripting with WAF bypass in Bitrix CRM allows script injection despite security controls

CVE-2020-13443 (Threat level: Critical)
Remote command execution via unrestricted file upload in ExpressionEngine allows arbitrary code execution

CVE-2020-11976 (Threat level: Medium)
Directory traversal in Apache Wicket allows reading Wicket markup source files from the server

CVE-2019-19129 (Threat level: Medium)
Remote stored XSS via attachment name in Afterlogic WebMail Pro 8.3.11 allows persistent script injection

CVE-2019-14521 (Threat level: Critical)
Arbitrary file upload leading to remote code execution in Energy Logserver allows server compromise

We map your systems before testing how they break.

That's why critical findings usually show up outside the original scope - attackers don't respect scope documents.

Security Assessment Services FAQ

Questions enterprise security teams ask before partnering with AFINE for security assessments.

Is AFINE ISO 27001 certified and what compliance frameworks do you support?

Yes, AFINE is ISO 27001 certified. Beyond certification, we maintain operational security excellence built through 10 years of enterprise work. Our security assessment services support DORA, PCI DSS, SOC 2, ISO 27001, TIBER-EU, NESA, and FCA compliance. We've conducted hundreds of assessments for regulated institutions like PKO BP, ING Bank, and BGK.

What certifications and specialized expertise does the AFINE team hold?

Every team member holds at least an OSCP or eWPTX certification. Our researchers average 7-10 years of offensive security experience and hold OSCE, OSWE, OSED, OSEP, CRTO, CSSA, CISSP, CISA, and BSCP certifications. We've published CVEs in SAP, Microsoft, CyberArk, Palo Alto, F5, IBM, and other enterprise software.

What makes AFINE different from other penetration testing vendors?

We've published 150+ CVEs in enterprise software and understand how attackers exploit complex systems beyond automated scanning. Our manual testing finds business logic flaws and attack chains others miss. Isabel Group confirmed we "keep finding critical issues where other pentesters have not found them." Our 10-year exclusive focus on banking, critical infrastructure, and healthcare environments means we understand compliance and production system safety.