runZero 4.9: IT/OT Topology & Attack Path Mapping

In converged IT/OT environments, visibility is the foundation of defense. runZero 4.9 moves beyond asset lists to provide a unified source of truth, visualizing reachability and highlighting the risks that matter most.
Strategic Insight: 30% of OT assets are typically only one hop away from an internet-exposed device. runZero identifies these hidden “bridges” before attackers do.
 

Attack Path Mapping

Visualize 2D and 3D trajectories from initial compromise to operational shutdown. Identify high-risk pivot points and harden your choke points.

 

Sub-Asset Discovery

Peer behind protocol gateways like Modbus and BACnet to enumerate the PLCs and fieldbus devices that were previously invisible.

 

Bridge Detection

Automatically surface “multi-homed” devices connected to multiple networks, bypassing your firewall and segmentation strategies.

 

Operationalizing the Air-Gap

Stop relying on the “Segmentation Illusion.” runZero 4.9 ensures your air-gap is a reality by unmasking “insecure by design” protocols and identifying the forgotten workstations that turn minor IT breaches into catastrophic operational failures.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

CVE-2026-3854: GitHub Enterprise Server RCE

Risk Impact: Successful exploitation allows for complete system compromise. Immediate patching is required.

Required Updates

Branch    Patch Version
3.14.x    3.14.25+
3.15.x    3.15.20+
3.16.x    3.16.16+
3.17.x    3.17.13+
3.18.x    3.18.7+
3.19.x    3.19.4+

 

Network Hunting

Use the following query in your runZero Software Inventory to locate all GHES installations:

vendor:=GitHub AND product:="Enterprise%"

Security Bulletin: Citrix Hypervisor Vulnerabilities

URGENT: On April 24, 2026, researchers identified 89 vulnerabilities in XAPI. No patches are currently available. A full system rebuild is advised due to the foundational nature of these flaws.

Vulnerability Overview

The latest audit reveals 89 flaws across the XAPI codebase (dating back to 2006). These allow authenticated vm-admin users to execute cross-hypervisor lateral movement and storage protocol injection without triggering security alerts.

Severity Distribution:

  • 5 Critical
  • 28 High
  • 46 Medium
  • 10 Low

Network Discovery (runZero)

Use these queries to inventory your hypervisor environment:

Locate XAPI-affected assets:
os:="Citrix XenServer"

Locate legacy Citrix/XenServer assets:
(product:citrix and type:hypervisor) or product:xenserver

Legacy Vulnerability Reminders

Ensure your environment is also audited for previous disclosures, including CVE-2024-45817 (Deadlock risk) and CVE-2022-24805/9 (SNMP service crashes). Limit management interface access to reduce your attack surface until architectural rebuilds can be performed.

Security Bulletin: LiteLLM RCE Chain


Critical Threat Alert: LiteLLM Proxy RCE Chain

Multiple vulnerabilities (SQLi, SSTI, and Command Injection) have been disclosed, allowing for full system compromise of LiteLLM instances.

Vulnerability Summary

Advisory ID            Type                 Access Level       Severity
GHSA-r75f-5x8p-qvmc    SQL Injection        Unauthenticated    Critical (9.3)
GHSA-xqmj-j6mv-4862    SSTI                 Authenticated      High
GHSA-v4p8-mg3p-g94g    Command Execution    Authenticated      High

Remediation Guidance

Affected Versions: v1.81.16 – v1.83.6

Recommended Action: Immediately upgrade to v1.83.7-stable or later.

Network Hunting (runZero Query)

Identify exposed LiteLLM instances by searching for specific HTTP headers and HTML titles:

_asset.protocol:http AND protocol:http AND (html.title:="LiteLLM%" OR last.html.title:="LiteLLM%")

OT Security Principles: The Final Four

 

Principle 5: Boundary Hardening

Your perimeter is your strongest asset against legacy vulnerabilities.

  • Rotate default passwords immediately.
  • Implement phish-resistant MFA.
  • Use context-aware access (Location, OS version, Time).

Principle 6: Impact Limitation

Assume a breach will happen. Design your network to contain it.

  • Segmentation: Isolate functional networks via firewalls.
  • Lateral Movement Defense: Use microsegmentation to block host-to-host pivoting.

Principle 7: Logging & Monitoring

Logs must be actionable, not just stored.

Focus Area     Action
Anomalies      Alert on traffic baselines.
Break-Glass    High-criticality alerts on emergency account use.
Data Flows     Monitor cross-segment transfers.

Principle 8: Isolation Planning

Develop a “kill switch” strategy that maintains critical functions.

  • Test Site Isolation before an actual emergency occurs.
  • Ensure critical functions operate in “Offline Mode.”

How runZero Helps

Gain total visibility across your OT environment:

  • Discover coverage gaps and bridging devices.
  • Identify edge devices with unauthorized connections.
  • Audit hardware for default configuration risks.

Critical Security Advisory: Fortinet FortiClient EMS

Executive Summary: Improper access controls in the FortiClient EMS API allow unauthenticated attackers to execute arbitrary code. Immediate patching is mandatory for all affected assets.

 

Vulnerability Profile

  • CVE ID: CVE-2026-35616
  • CVSS Score: 9.1 (Critical)
  • Impact: Remote Code Execution (RCE)

 

Remediation Table

Affected Branch         Required Patch / Action
FortiClientEMS 7.4      Upgrade to 7.4.7 or higher
FortiClientEMS 7.4.5    Apply Hotfix 7.4.5.2111
FortiClientEMS 7.4.6    Apply Hotfix 7.4.6.2170

Asset Discovery (runZero)

Utilize the following service query to identify potentially exposed endpoints within your network:

_asset.protocol:http AND protocol:http AND favicon.ico.image.mmh3:=-800551065

F5 BIG-IP Security Advisory – March 2026


CRITICAL: CVE-2025-53521 Escalated to RCE (CVSS 9.8) – Active Exploitation Confirmed

F5 has confirmed that a previously disclosed DoS vulnerability is now a Remote Code Execution (RCE) threat. Immediate patching is required for all BIG-IP Access Policy Manager (APM) instances.

Remediation Table

Affected Version    Required Patch Version
17.5.x              17.5.1.3 or later
17.1.x              17.1.3 or later
16.1.x              16.1.6.1 or later
15.1.x              15.1.10.8 or later

CISA KEV Status: This vulnerability was added to the Known Exploited Vulnerabilities catalog on March 27, 2026. Federal agencies and private enterprises are urged to disconnect or patch management interfaces immediately.

Asset Identification Queries (runZero)

Locate potentially compromised software modules:

vendor:=F5 AND product:="BIG-IP Access Policy Manager"

Locate all F5-based operating systems within the network:

os:="F5%"

Security Advisory: GNU Inetutils telnetd

Multiple vulnerabilities have been discovered in the GNU Inetutils telnetd server, affecting most modern Linux deployments. These flaws allow for authentication bypass and remote code execution (RCE) before a login prompt is even shown.

Status: No Patches Available. It is highly recommended to disable the Telnet service on all vulnerable hosts immediately.

Vulnerability Summary

Vulnerability                   Designation       CVSS        Affected Versions
SLC Buffer Overflow             N/A               Critical    Up to 2.7
Auth Bypass ($USER variable)    CVE-2026-24061    9.8         1.9.3 and higher

Identification via runZero

Use the following query in your Asset Inventory to find potentially impacted Linux systems:

_asset.protocol:=telnet AND protocol:=telnet AND os:Linux AND banner:="%login:" AND NOT banner:busybox

Recommended Actions

  • Disable telnetd across the entire network.
  • Ensure strict network access controls (firewalls) are in place.
  • Replace Telnet with SSH for remote management.

HPE Aruba Networking Security Advisory

Security Advisory: HPE Aruba Networking AOS-CX

HPE has disclosed several vulnerabilities in the AOS-CX network operating system. Successful exploitation could allow adversaries to bypass authentication or execute arbitrary commands on the underlying OS.

CRITICAL NOTICE: CVE-2026-23813 allows unauthenticated remote adversaries to reset the administrator password. Immediate patching is required.
 

Vulnerability Summary

CVE ID            Type                        CVSS
CVE-2026-23813    Authentication Bypass       9.8
CVE-2026-23814    CLI Command Injection       8.8
CVE-2026-23815    Binary Command Injection    7.2
CVE-2026-23816    OS Command Injection        7.2
CVE-2026-23817    Open Redirect               6.5

 

Remediation Steps

Update to the following versions or later to resolve these issues:

  • AOS-CX 10.10.xxxx: Upgrade to 10.10.1180
  • AOS-CX 10.13.xxxx: Upgrade to 10.13.1161
  • AOS-CX 10.16.xxxx: Upgrade to 10.16.1030
  • AOS-CX 10.17.xxxx: Upgrade to 10.17.1001

 

Asset Identification (runZero)

To locate potentially vulnerable systems in your inventory, use the following query:

hw:="HPE Aruba CX%" AND protocol:http
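
The branch-to-fixed-version tables in the GitHub Enterprise Server, F5 BIG-IP APM and AOS-CX advisories on this page can be applied to an inventory export in one pass. The following is an added example, not runZero's or any vendor's code: the product keys, hostnames and sample versions are constructed for illustration, and a branch missing from a table is reported as unlisted rather than assumed safe.

```python
import re

# Minimum fixed versions copied from the remediation tables on this page,
# keyed by release branch (major, minor). Product keys are hypothetical labels.
FLOORS = {
    "ghes": {            # CVE-2026-3854
        (3, 14): "3.14.25", (3, 15): "3.15.20", (3, 16): "3.16.16",
        (3, 17): "3.17.13", (3, 18): "3.18.7", (3, 19): "3.19.4",
    },
    "big-ip-apm": {      # CVE-2025-53521
        (17, 5): "17.5.1.3", (17, 1): "17.1.3",
        (16, 1): "16.1.6.1", (15, 1): "15.1.10.8",
    },
    "aos-cx": {          # CVE-2026-23813 to CVE-2026-23817
        (10, 10): "10.10.1180", (10, 13): "10.13.1161",
        (10, 16): "10.16.1030", (10, 17): "10.17.1001",
    },
}


def parse_version(text):
    """Return the first dotted-numeric run in text as a tuple of ints, or None."""
    match = re.search(r"\d+(?:\.\d+)+", text or "")
    return tuple(int(part) for part in match.group(0).split(".")) if match else None


def _pad(version, width):
    """Right-pad with zeros so 16.1.6 compares as 16.1.6.0."""
    return version + (0,) * (width - len(version))


def classify(product, version_text):
    """Return 'patched', 'vulnerable', 'unlisted' or 'unparsed'."""
    version = parse_version(version_text)
    if version is None:
        return "unparsed"
    floor_text = FLOORS.get(product, {}).get(version[:2])
    if floor_text is None:
        # Branch absent from the table: the page does not say it is safe,
        # so send it to manual review instead of marking it patched.
        return "unlisted"
    floor = parse_version(floor_text)
    width = max(len(version), len(floor))
    return "patched" if _pad(version, width) >= _pad(floor, width) else "vulnerable"


def triage(rows):
    """Attach a status to each (host, product, version) inventory row."""
    return [(host, product, ver, classify(product, ver)) for host, product, ver in rows]


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE = [
    ("git01", "ghes", "3.16.15"),
    ("git02", "ghes", "3.16.16"),
    ("git03", "ghes", "3.13.9"),
    ("lb01", "big-ip-apm", "16.1.6"),
    ("lb02", "big-ip-apm", "17.1.3"),
    ("sw01", "aos-cx", "10.13.1161"),
    ("sw02", "aos-cx", "FL.10.10.1100"),  # platform-prefixed string, assumed format
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print("%-6s %-11s %-14s %s" % row)
```

Rows that come back as unlisted or unparsed need a manual check against the vendor advisory before they are closed out.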

Operationalizing CISA KEV for Real-World Risk

The CISA Known Exploited Vulnerabilities (KEV) Catalog is a critical global signal, yet it is often misunderstood as a simple to-do list. To address the challenges of reasoning under uncertainty, we are introducing two new resources designed to help defenders analyze KEV data with the rigor required for modern environments.

KEVology: Analyzing Timelines, Scores, and Exploits

A new report by former CISA Section Chief Tod Beardsley. This analysis investigates how KEV entries behave in practice and identifies the interactions between scoring systems and commodity exploitation that truly matter to defenders.

KEV Collider: Experimental Threat Signal Analysis

A community-driven web application and open-source dataset. It allows security teams to “smash together” risk signals to explore how different combinations of data change the reality of operational risk.

The Reality of Prioritization

The KEV is not a definitive list of the most dangerous vulnerabilities; it is an operational tool shaped by specific exploitation criteria. Effective prioritization requires a combination of signals because no single metric provides a complete picture:

  • CVSS: Describes potential severity, but lacks likelihood.
  • EPSS: Models the probability of exploitation, but ignores local exposure.
  • SSVC: Provides a decision-making framework without environmental context.

From Documentation to Active Investigation

Developed by runZero, the KEV Collider enables investigators to layer the CISA KEV with the enrichment data needed to distinguish between theoretical risks and immediate emergencies. This approach allows teams to move toward evidence-based reasoning where prioritization is treated as a hypothesis to be tested and revised.
