10 zero-day exploits and attack tools listed for sale, targeting enterprise and web software

For informational purposes only

Vulnerability type: Remote Code Execution (no authentication or user interaction required) Affected versions: 6.8.1–6.9.3 Price: $105K

The seller claims it works against default installations. WordPress powers roughly 43% of all websites on the internet, putting the potential attack surface in the tens of millions of resources.

Vulnerability type: Pre-Authentication RCE (SSRF chained with post-auth primitives) Affected OS: Windows Server with Exchange 2013/2016/2019 Price: $200K

The seller specifically emphasizes that this is not ProxyLogon. At the same time, the listing references CVE-2021-28480/28481/28482 — publicly known vulnerabilities patched back in 2021.

Vulnerability type: Remote Code Execution with no user interaction Price: $100K

Per the seller, the trigger fires at the point the email is received — without opening the message and without any attachments. Zero-click bugs are particularly dangerous for targeted attacks on executives and government bodies.

Vulnerability type: Arbitrary Code Execution via .doc Affected OS: Windows 10/11 Price: $180K

The tool embeds an .exe into a Word document. A classic vector for phishing campaigns.

Vulnerability type: Arbitrary Code Execution via .mpp Affected OS: Windows 10/11 Price: $150K

An .exe is embedded into a project file and executes automatically when the file is opened. The .mpp format tends to be filtered less aggressively by mail gateways than .doc or .xls.

Vulnerability type: Arbitrary Code Execution via .xls Affected OS: Windows 10/11 Price: $100K

The same family of tools as the Word/Project builders, adapted for the Excel format.

Vulnerability type: Silent Code Execution via PDF Affected OS: Windows 7/8/8.1/10 Price: not listed

According to the seller, the exploit works on current versions of Acrobat Reader DC and bypasses filters on Gmail, Outlook, Yahoo, Yandex and other mail services.

Tool type: commercial crypter for PowerShell scripts, advertised as bypassing modern AV/EDR Affected OS: Windows Price: $75K

Tools like this are used at the delivery and execution stages, typically in combination with LotL techniques.

Vulnerability type: Pre-Authentication RCE Affected versions: 3.11.6 and earlier Price: $90K

Moodle is one of the most widely deployed LMS platforms, used extensively in universities and corporate training programs. The education sector is known for slow patching cycles, which makes vulnerabilities like this long-lived.

Vulnerability type: Shell Upload Affected versions: up to and including 6.0.03 Price: $80K

Joomla is the second most widely used CMS after WordPress, popular with government portals and NGOs in a number of regions. A shell upload provides server-side persistence and a foothold for further attacks.

💬 Discuss