Additionally, there was a screenshot highlighting how a hacker might find these vulnerable servers online using Shodan. For those not familiar with the Shodan service, check out this awesome Tradecraft Tuesday episode featuring YouTube superhero Tom Lawrence. Needless to say, 4,000+ results is a bit nerve-racking.
Validating the Vulnerability
Within a few hours after receiving the PoC source code from two MSP partners, the Huntress ThreatOps team completed their review and understood how to trigger the vulnerability.

With a compiled PoC, we worked closely with one of our partners to determine if the vulnerability truly existed and what risks the MSP community would face if this was true.

Rather than use the bruteforcing capability, we decided to more surgically target a single Customer ID.

In less than 30 seconds later, our fake Windows agent registered in their dashboard and we discovered the domain admin credentials we saved within this customer’s Agent & Probe settings. The whole effort took ~3hrs which was half the time it took to publish this advisory. Needless to say, this situation is pretty critical.

