Our Vulnerability Research

Common Vulnerabilities and Exposures

SAP security alert for CVE-2025-24870 indicating a critical threat level for insecure secrets management exposing plaintext credentials and access to banking transactions and enterprise data.

What This Vulnerability Research Portfolio Represents

Discoveries That Matter

Our vulnerability research team reverse engineers your enterprise software to find the 0-days that threaten your infrastructure - before attackers do.

Enterprise Focus

The vulnerabilities below affect systems that organizations rely on: SAP, IBM, Check Point, F5, BMC, Microsoft, Rapid7 and CyberArk.


Current Research

We identified a wide range of CVEs across various industries - each vulnerability has been assigned a threat level ranging from critical to low. We pride ourselves on beating others to critical CVEs in the large infrastructure of organisations such as IBM and Microsoft.

CVE-2022-35500 (Threat level: Medium)
Stored cross-site scripting in comment functionality in Amasty Blog Pro for Magento 2

CVE-2022-30615 (Threat level: Medium)
Cross-site scripting in IBM InfoSphere Information Server allows script injection via crafted input

CVE-2021-3584 (Threat level: Critical)
Server-side remote code execution in Foreman allows authenticated attackers to execute arbitrary commands on the server

CVE-2021-34254 (Threat level: Medium)
Open redirect in OurUmbraco allows attackers to redirect users to malicious external websites

CVE-2021-24378 (Threat level: Medium)
Authenticated stored XSS in Autoptimize WordPress plugin allows administrators to inject persistent scripts

CVE-2021-24377 (Threat level: Critical)
Race condition leading to remote code execution in Autoptimize WordPress plugin allows arbitrary file writes

CVE-2021-24376 (Threat level: Critical)
Arbitrary file upload in Autoptimize WordPress plugin allows uploading and executing malicious PHP files

CVE-2021-21559 (Threat level: High)
Security vulnerability in Dell EMC NetWorker allows privilege escalation or unauthorized access

CVE-2021-21558 (Threat level: High)
Security vulnerability in Dell EMC NetWorker allows privilege escalation or unauthorized access (second issue)

CVE-2021-1675 (Threat level: Critical)
Windows Print Spooler elevation of privilege (PrintNightmare) - allows remote code execution and local privilege escalation

CVE-2020-6856 (Threat level: High)
XML External Entity (XXE) injection in JOC Cockpit/Jobscheduler allows reading server files and SSRF

CVE-2020-6855 (Threat level: Medium)
Denial of service in JOC Cockpit/Jobscheduler allows attackers to crash the job scheduling service

CVE-2020-6854 (Threat level: Medium)
Multiple stored cross-site scripting vulnerabilities in JOC Cockpit/Jobscheduler allow persistent script injection

CVE-2020-5920 (Threat level: Critical)
SQL injection in F5 BIG-IP AFM (Advanced Firewall Manager) allows database attacks on the security appliance

CVE-2020-5907 (Threat level: High)
TMOS Shell privilege escalation in F5 BIG-IP allows users to gain elevated privileges

We map your systems before testing how they break.

That's why critical findings usually show up outside the original scope - attackers don't respect scope documents.

Security Assessment Services FAQ

Questions enterprise security teams ask before partnering with AFINE for security assessments.

Is AFINE ISO 27001 certified and what compliance frameworks do you support?

Yes, AFINE is ISO 27001 certified. Beyond certification, we maintain operational security excellence built through 10 years of enterprise work. Our security assessment services support DORA, PCI DSS, SOC 2, ISO 27001, TIBER-EU, NESA, and FCA compliance. We've conducted hundreds of assessments for regulated institutions like PKO BP, ING Bank, and BGK.

What certifications and specialized expertise does the AFINE team hold?

Every team member holds at minimum an OSCP or eWPTX certification. Our researchers average 7-10 years of offensive security experience and hold OSCE, OSWE, OSED, OSEP, CRTO, CSSA, CISSP, CISA, and BSCP certifications. We've published CVEs in SAP, Microsoft, CyberArk, Palo Alto, F5, IBM, and other enterprise software.

What makes AFINE different from other penetration testing vendors?

We've published 150+ CVEs in enterprise software and understand how attackers exploit complex systems beyond automated scanning. Our manual testing finds business logic flaws and attack chains others miss. Isabel Group confirmed we "keep finding critical issues where other pentesters have not found them." Our 10-year exclusive focus on banking, critical infrastructure, and healthcare environments means we understand compliance and production system safety.