Weaknesses

NodeZero identifies and surfaces many weaknesses that it finds during a pentest. These weaknesses are designated with either a Common Vulnerabilities and Exposures (CVE) identifier (e.g., CVE-2021-44228), or a Horizon3.ai weakness identifier (e.g., H3-2022-0001).

This page provides a reference for Horizon3.ai-discovered weaknesses. These weaknesses, which Horizon3.ai discovers through original research, might appear in your pentest reports up to 90 days before we publicly list them on this site. (For details, please see our Vulnerability Disclosure Policy.) Once these weaknesses are publicly disclosed and assigned a CVE ID, we add that CVE to pentest results.

For information on previously disclosed CVEs that NodeZero finds in tests, please search the official CVE website maintained by the MITRE Corporation.

Weakness ID                  Name
H3-2020-0001 Remote Desktop Username Disclosure
H3-2020-0002 Anonymous Access to ZooKeeper API
H3-2020-0003 Anonymous Access to Printer using PJL or PS
H3-2020-0004 Zone Transfer Allowed to Any Server
H3-2020-0005 Anonymous FTP Enabled
H3-2020-0006 LDAP Null Bind Allowed
H3-2020-0007 SMB Null Session Allowed
H3-2020-0008 Guest Account Enabled
H3-2020-0009 Weak NFS Export Permissions
H3-2020-0010 NFS UID/GID Manipulation Possible
H3-2020-0012 LLMNR/NBT-NS Poisoning Possible
H3-2020-0014 Weak or Default Credentials
H3-2020-0016 Insecure IPMI Implementation
H3-2020-0017 IPMI Cipher Zero Vulnerability
H3-2020-0018 Fundamentally Insecure Protocols Detected
H3-2020-0021 Unauthenticated Access to the Jenkins Script Console
H3-2020-0022 Insecure Java JMX Configuration
H3-2020-0023 Apache Hadoop YARN ResourceManager Unauthenticated Command Execution
H3-2020-0028 FTP Directory Traversal Vulnerability
H3-2020-0030 Android Debug Bridge (ADB) over TCP Enabled
H3-2021-0001 Public Access to Amazon S3 Bucket
H3-2021-0002 Subdomain Takeover
H3-2021-0003 Unauthenticated Access to Sensitive Kubelet API Endpoints
H3-2021-0004 Kubernetes Privileged Container Exposure
H3-2021-0005 Unauthenticated Kubelet API Remote Code Execution Vulnerability
H3-2021-0006 Unauthenticated Kubernetes API Server Access
H3-2021-0007 Kubernetes Service Account Token Exposure
H3-2021-0008 Unauthenticated Etcd Access
H3-2021-0009 Unauthenticated Docker Registry API Access
H3-2021-0010 Unauthenticated Docker Engine API Access
H3-2021-0011 Kerberos Pre-Authentication Disabled
H3-2021-0012 Weak or Default Credentials - FTP
H3-2021-0013 Weak or Default Credentials - Telnet
H3-2021-0014 Weak or Default Credentials - SSH
H3-2021-0015 Weak or Default Credentials - SNMP
H3-2021-0016 Weak or Default Credentials - Microsoft SQL Server
H3-2021-0017 Weak or Default Credentials - MySQL
H3-2021-0018 Weak or Default Credentials - Postgres
H3-2021-0019 Weak or Default Credentials - Password Spray
H3-2021-0020 Weak or Default Credentials - Cracked Credentials
H3-2021-0021 Weak or Default Credentials - Web Applications
H3-2021-0022 IPV6 DNS Hijacking Possible Using Mitm6
H3-2021-0023 Public Access to Azure Blob Storage Container
H3-2021-0024 Dangling DNS Record
H3-2021-0029 AWS Unrestricted Assume Role Access
H3-2021-0030 SMB Signing Not Required
H3-2021-0031 Public Access to Git Repository
H3-2021-0032 Credential Reuse
H3-2021-0033 mDNS Poisoning Possible
H3-2021-0034 LLMNR Poisoning Possible
H3-2021-0035 NBT-NS Poisoning Possible
H3-2021-0036 Unauthenticated Access to Elasticsearch
H3-2021-0038 Kerberoasting
H3-2021-0039 Unrestricted Sudo Privileges
H3-2021-0040 AWS Instance Metadata Service v1 Exposed
H3-2021-0042 Credential Dumping - Security Account Manager (SAM) Database
H3-2021-0043 Credential Dumping - Local Security Authority (LSA) Secrets
H3-2021-0044 Credential Dumping - Local Security Authority Subsystem Service (LSASS) Memory
H3-2021-0045 Credential Dumping - /etc/shadow File
H3-2021-0046 Credential Dumping - Active Directory Services Database (NTDS)
H3-2022-0001 Web Application Cross Site Scripting Vulnerability
H3-2022-0002 Azure Multi-Factor Authentication Disabled
H3-2022-0003 Remote Desktop Protocol (RDP) Port Exposed to the Internet
H3-2022-0004 Server Message Block (SMB) Port Exposed to the Internet
H3-2022-0005 Secure Socket Shell (SSH) Port Exposed to the Internet
H3-2022-0006 Database Port Exposed to the Internet
H3-2022-0007 Telnet Port Exposed to the Internet
H3-2022-0008 File Transfer Protocol (FTP) Port Exposed to the Internet
H3-2022-0009 Simple Network Management Protocol (SNMP) Port Exposed to the Internet
H3-2022-0010 Risky Port Exposed to the Internet
H3-2022-0016 Active Directory Certificate Services Misconfiguration Privilege Escalation - Subject Alternative Name
H3-2022-0017 Active Directory Certificate Services Misconfiguration Privilege Escalation - Any Purpose or No (aka SubCA) EKU Misconfiguration
H3-2022-0018 Active Directory Certificate Services Misconfigured Enrollment Agent Template
H3-2022-0019 Active Directory Certificate Services - Template May Be Requested by Enrollment Agent Signature
H3-2022-0020 Active Directory Certificate Services Misconfigured Template Access Controls
H3-2022-0021 Active Directory Certificate Services Domain Escalation via Vulnerable PKI AD Object Access Controls
H3-2022-0022 Active Directory Certificate Services - EDITF_ATTRIBUTESUBJECTALTNAME2 flag set
H3-2022-0023 Active Directory Certificate Services: Vulnerable Certificate Authority Access Control
H3-2022-0024 Active Directory Certificate Services Misconfiguration: NTLM Relay to AD CS HTTP Endpoint
H3-2022-0033 Unauthenticated Access to Jenkins People Directory
H3-2022-0041 Symfony Profiler Enabled
H3-2022-0067 Weak or Default Credentials - MongoDB
H3-2022-0069 Web Directory Listing
H3-2022-0070 Anonymous MongoDB Access
H3-2022-0074 AWS Assume Role Access
H3-2022-0075 Public-Facing Application Exposed with HTTP Basic Authentication
H3-2022-0076 Unauthenticated AWS Cognito Role
H3-2022-0078 Unauthenticated Gitlab User Enumeration
H3-2022-0079 Credential Dumping - AWS Instance Metadata Service v2
H3-2022-0080 WordPress Unauthenticated User Enumeration
H3-2022-0082 Exposed Kubernetes Version
H3-2022-0084 Credential Reuse - Windows Local Administrator Accounts
H3-2022-0085 Credential Reuse - Shared Windows Local User and Domain User Accounts
H3-2022-0086 Domain User with Local Administrator Privileges
H3-2022-0087 Password Reuse
H3-2022-0088 Public Access to Amazon EC2 AMI
H3-2022-0089 Public Access to Amazon EBS Snapshot
H3-2022-0090 Public Access to Amazon RDS Snapshot
H3-2022-0093 Weak or Default Credentials - Cracked Credentials from Active Directory Services Database (NTDS)
H3-2022-0095 Password Reuse Found in Active Directory Services Database (NTDS)
H3-2023-0001 Apache Superset Authentication Bypass Misconfiguration
H3-2023-0002 Flask Authentication Bypass Misconfiguration
H3-2023-0003 Pre-Windows 2000 Computer Set
H3-2023-0008 AWS Multi-Factor Authentication Disabled
H3-2023-0009 Kerberos Unconstrained Delegation
H3-2023-0010 Kerberos Constrained Delegation
H3-2023-0019 Credential Dumping - Data Protection API (DPAPI) Secrets
H3-2023-0020 PaperCut File Upload Remote Code Execution Vulnerability
H3-2023-0021 Phished Credential
H3-2023-0022 PaperCut Arbitrary File Read and Deletion Vulnerability
H3-2023-0023 Apache Solr Arbitrary File Read Vulnerability
H3-2023-0027 NextGen Mirth Connect Remote Code Execution Vulnerability
H3-2023-0029 Password in Active Directory User Attribute
H3-2023-0030 Active Directory - User Password Not Required
H3-2024-0001 AWS Privilege Escalation - iam:AttachUserPolicy
H3-2024-0002 AWS Privilege Escalation - iam:PutUserPolicy
H3-2024-0003 AWS Privilege Escalation - iam:AttachRolePolicy
H3-2024-0004 AWS Privilege Escalation - iam:PutRolePolicy
H3-2024-0005 AWS Privilege Escalation - iam:CreateAccessKey
H3-2024-0006 AWS Privilege Escalation - iam:CreateLoginProfile
H3-2024-0007 AWS Privilege Escalation - iam:UpdateLoginProfile
H3-2024-0008 AWS Privilege Escalation - iam:UpdateAssumeRolePolicy
H3-2024-0009 AWS Privilege Escalation - iam:CreatePolicyVersion
H3-2024-0010 Microsoft Entra (AzureAD) Connect Credential Dumping
H3-2024-0011 Microsoft Entra (AzureAD) - Over-Privileged Service Principal
H3-2024-0012 Microsoft Entra (AzureAD) - Service Principal Takeover
H3-2024-0016 AWS Privilege Escalation - iam:AttachGroupPolicy
H3-2024-0017 AWS Privilege Escalation - iam:PutGroupPolicy
H3-2024-0018 Unauthenticated Access to Redis
H3-2024-0019 Credential Dumping - Office365 Application Memory
H3-2024-0029 Active Directory User has Entra Administrator Role
H3-2024-0030 Traccar Device Image Upload Remote Code Execution Vulnerability
H3-2024-0032 Traccar Self-Signup Enabled
H3-2024-0034 NTLM Authentication Endpoint Exposed to the Internet
H3-2024-0035 AWS Access Key Id Third Party Canary
H3-2024-0036 Improper use of AWS Administrator Access
H3-2024-0037 Azure Cloud Kerberos Trust Abuse
H3-2024-0038 Microsoft Entra (AzureAD) - Entra Group Takeover
H3-2024-0039 Microsoft Graph App Role Privilege Elevation
H3-2024-0045 AWS Privilege Escalation via iam:PassRole and ec2:RunInstances
H3-2025-0002 Management Console Exposed to the Internet
H3-2025-0003 IIS Shortname Disclosure Vulnerability
H3-2025-0019 Git Repo-Jacking
H3-2025-0020 Wordpress Accessible WPConfig
H3-2025-0021 Wordpress Directory Listing
H3-2025-0022 Wordpress DB Repair Exposed
H3-2025-0023 Wordpress Newsletter Manager < 1.5 - Unauthenticated Open Redirect
H3-2025-0024 Active Directory Misconfiguration: Low-Privilege User with GenericAll Privileges
H3-2025-0025 Langflow Code Injection Vulnerability
H3-2025-0026 Kentico Xperience Staging Service Authentication Bypass WT-2025-0006 Vulnerability
H3-2025-0027 Kentico Xperience Staging Service Authentication Bypass WT-2025-0011 Vulnerability
H3-2025-0028 Unsecured InfluxDB Access via Misconfiguration
H3-2025-0032 Generic .env File Exposure
H3-2025-0033 Docker Compose File Exposure
H3-2025-0034 GoCD Encryption Key Exposure in Pipeline Configuration
H3-2025-0044 Oracle EBS Bispgraph File Access Vulnerability
H3-2025-0047 Puppet Node Manager Authorization Bypass
H3-2025-0048 PHP Debug Interface Exposure
H3-2025-0049 Thinkphp Remote Code Execution Vulnerability
H3-2025-0051 UpdraftPlus Plugin PEM Key Exposure
H3-2025-0053 Fortinet FortiSIEM Arbitrary File Write Remote Code Execution Vulnerability
H3-2025-0054 N-able N-central Authenticated XML External Entity (XXE) Vulnerability
H3-2025-0055 FreePBX Authentication Bypass File Upload RCE
H3-2025-0056 FreePBX Authentication Bypass SQL Injection
H3-2025-0057 N-able N-central Authentication Bypass Vulnerability
H3-2025-0058 SCCM Hierarchy Takeover via NTLM Coercion and Relay to MSSQL
H3-2025-0060 Gladinet Centrestack MachineKey Deserialization Vulnerability
H3-2025-0062 SCCM Hierarchy Takeover via NTLM Coercion and Relay to SMB
H3-2025-0068 Privilege Escalation - Potato Style Exploit
H3-2025-0073 LDAP Signing Not Required
H3-2025-0074 LDAP Channel Binding Not Required
H3-2025-0080 Sensitive Information Disclosure to Unauthenticated Users
H3-2026-0002 Kubernetes Nodes Proxy GET Permission Remote Code Execution
H3-2026-0003 MSSQL EXECUTE AS Impersonation Privilege Escalation Vulnerability
H3-2026-0004 Active Directory Certificate Services Misconfiguration: NTLM Relay to AD CS RPC Endpoint
H3-2026-0005 Web Application UNC Absolute Path Traversal Vulnerability
H3-2026-0007 SSH ControlMaster Socket Abuse
H3-2026-0011 Reversible Password Encryption Enabled on Domain Controller
H3-2026-0012 Fortinet FortiClient EMS Improper Access Control Vulnerability