23 Vulnerabilities in One Server: A Real Pentest Story
During an authorized penetration test for a telecom company, I found 23 confirmed vulnerabilities on a single server. Five were critical. The server was running end-of-life software with 90+ known CVEs and public exploits.
The First Find: DNS Zone Transfer
The very first test — a DNS zone transfer — gave away the entire infrastructure map:
$ dig @target AXFR target.com
cpanel.target.com. A [target IP]
cwp.target.com. A [target IP]
webmail.target.com. A [target IP]
new.target.com. A [target IP]
default._domainkey TXT "v=DKIM1; k=rsa; p=MIGf..."
_dmarc TXT "v=DMARC1; p=none"
→ 24 records returned. Full infrastructure exposed including DKIM private key.
24 DNS records dumped, including subdomains for admin panels, webmail, FTP, and the DKIM signing key. DMARC was set to p=none — meaning email spoofing was trivial.
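To turn a zone dump like the one above into triaged findings rather than a wall of records, here is an added Python example (not code from the original engagement): it parses dig-style AXFR output, flags hostnames that front admin panels or credential-bearing services, and grades the DMARC policy. The zone text, hostnames and addresses are constructed placeholders; the label list is my own assumption of what is worth flagging.

```python
"""Audit dig-style AXFR output for the exposures described above.
Added example, not from the original engagement; the zone below is
constructed with placeholder names and RFC 5737 addresses."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_AXFR = """\
target.com.                    3600 IN SOA  ns1.target.com. hostmaster.target.com. 1 7200 3600 1209600 3600
target.com.                    3600 IN MX   10 mail.target.com.
cpanel.target.com.             3600 IN A    192.0.2.10
cwp.target.com.                3600 IN A    192.0.2.10
webmail.target.com.            3600 IN A    192.0.2.10
ftp.target.com.                3600 IN A    192.0.2.10
new.target.com.                3600 IN A    192.0.2.10
default._domainkey.target.com. 3600 IN TXT  "v=DKIM1; k=rsa; p=MIGfPLACEHOLDER"
_dmarc.target.com.             3600 IN TXT  "v=DMARC1; p=none"
"""

# Leftmost labels that usually front admin panels or credential-bearing services (assumed list).
SENSITIVE_LABELS = {"cpanel", "cwp", "whm", "webmail", "ftp", "admin", "vpn", "staging", "dev"}

@dataclass
class Finding:
    severity: str
    message: str

def parse_axfr(text: str) -> List[Tuple[str, str, str]]:
    """Return (owner, type, rdata) from lines shaped like 'name ttl IN type rdata'."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5 and parts[2] == "IN":
            records.append((parts[0].rstrip(".").lower(), parts[3], parts[4]))
    return records

def dmarc_policy(rdata: str) -> Optional[str]:
    """The p= tag of a DMARC TXT record, or None when it is missing."""
    m = re.search(r"\bp=(none|quarantine|reject)\b", rdata.strip('"'))
    return m.group(1) if m else None

def audit_zone(records: List[Tuple[str, str, str]]) -> List[Finding]:
    findings = []
    if records:
        findings.append(Finding("high", f"AXFR permitted: {len(records)} records disclosed"))
    for owner, rtype, rdata in records:
        label = owner.split(".")[0]
        if rtype == "A" and label in SENSITIVE_LABELS:
            findings.append(Finding("medium", f"admin/credential service named in DNS: {owner} -> {rdata}"))
        elif owner.startswith("_dmarc") and rtype == "TXT":
            pol = dmarc_policy(rdata)
            if pol in (None, "none"):
                findings.append(Finding("high", f"DMARC policy is {pol or 'missing'}: spoofed mail is delivered"))
            elif pol == "quarantine":
                findings.append(Finding("low", "DMARC policy is quarantine, not reject"))
        elif "_domainkey" in owner and rtype == "TXT":
            # A selector record carries the public verification key; listing it is informational.
            findings.append(Finding("info", f"DKIM selector published: {owner}"))
    return findings

if __name__ == "__main__":
    for f in audit_zone(parse_axfr(SAMPLE_AXFR)):
        print(f"[{f.severity}] {f.message}")
```

Run it against the real output of `dig @ns AXFR zone` for each authoritative server; the fix for the top finding is to restrict AXFR to secondaries (allow-transfer / TSIG), and for DMARC to move to p=quarantine and then p=reject once SPF and DKIM alignment is confirmed.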
The Attack Surface
Shodan revealed 16 open ports and the server was running severely outdated software:
The CWP (Control Web Panel) admin login was accessible from the internet on port 2087. WordPress had user enumeration via the REST API — username "admin" with full metadata exposed. XMLRPC was enabled with no rate limiting, ready for brute-force amplification via system.multicall.
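Both WordPress issues leave a footprint in ordinary access logs, so they can be detected before any exploit lands. The following Python example is added here (not from the original test or from WordPress itself): it parses combined-format log lines, flags clients that hit the REST users endpoint in either URL form, and flags bursts of POSTs to xmlrpc.php from one source. The log lines, addresses and thresholds are constructed assumptions.

```python
"""Flag WordPress user-enumeration and XML-RPC brute-force patterns in
access logs. Added example, not from the original engagement; log lines are
constructed with RFC 5737 addresses."""
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# system.multicall packs hundreds of login attempts into one request, so a
# modest number of POSTs per minute is already suspicious (assumed values).
XMLRPC_WINDOW = 60
XMLRPC_THRESHOLD = 10

def _line(ip, second, method, path, status=200):
    return f'{ip} - - [12/Jan/2025:10:00:{second:02d} +0000] "{method} {path} HTTP/1.1" {status} 512'

# Constructed log: one client enumerates users, then hammers xmlrpc.php;
# another client makes one xmlrpc.php call (e.g. a pingback), which is benign.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.5", 1, "GET", "/wp-json/wp/v2/users"),
     _line("203.0.113.5", 2, "GET", "/?rest_route=%2Fwp%2Fv2%2Fusers&per_page=100"),
     _line("198.51.100.9", 5, "GET", "/about/"),
     _line("198.51.100.9", 7, "POST", "/xmlrpc.php")]
    + [_line("203.0.113.5", 10 + i, "POST", "/xmlrpc.php") for i in range(15)]
)

def parse_log(text):
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["path"] = unquote(e["path"])   # normalise the ?rest_route= encoded form
        yield e

def is_user_enum(path: str) -> bool:
    """True for /wp-json/wp/v2/users and the ?rest_route=/wp/v2/users variant."""
    return "/wp/v2/users" in path

def detect(text):
    """Return (ip, finding) pairs, one per client and finding type."""
    findings = []
    enum_seen, xmlrpc_flagged = set(), set()
    xmlrpc_hits = defaultdict(deque)
    for e in parse_log(text):
        ip = e["ip"]
        if e["method"] == "GET" and is_user_enum(e["path"]) and ip not in enum_seen:
            enum_seen.add(ip)
            findings.append((ip, "rest_user_enumeration"))
        if e["method"] == "POST" and e["path"].split("?")[0] == "/xmlrpc.php":
            q = xmlrpc_hits[ip]
            q.append(e["ts"])
            while (q[-1] - q[0]).total_seconds() > XMLRPC_WINDOW:
                q.popleft()           # slide the window forward
            if len(q) >= XMLRPC_THRESHOLD and ip not in xmlrpc_flagged:
                xmlrpc_flagged.add(ip)
                findings.append((ip, "xmlrpc_post_burst"))
    return findings

if __name__ == "__main__":
    for ip, what in detect(SAMPLE_LOG):
        print(ip, what)
```

Two caveats for anyone tuning this: the access log shows only one POST per multicall request, so the per-request method count has to come from something that sees the body (a WAF or reverse proxy); and the durable fix is configuration, not detection: disable XML-RPC if nothing uses it, and require authentication for the users REST endpoint.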
The Critical Finding
CVE-2025-48703 — an unauthenticated remote code execution in CWP. CVSS 9.0. Listed in CISA's Known Exploited Vulnerabilities catalog. The exploit requires only knowledge of a valid system username, which we already had.
The Silver Lining
After our exploit attempts, all ports suddenly showed as "filtered." The server's automated firewall (CSF/LFD) detected the scanning and blocked our IP. This is actually a positive finding — but the response was too slow. It took 5-10 minutes of active scanning before the block triggered. An attacker with a working exploit needs seconds.
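The delay above is a property of how interval-and-threshold port-scan tracking works: a source is blocked only once N dropped packets fall inside a T-second window. The added Python example below (not the server's actual CSF/LFD configuration, and not CSF code) models that rule over constructed iptables-style drop lines and reports how many seconds a scan runs before the block fires, for a fast scan and for a slow one. The port list, addresses, scan rates and parameter pairs are all constructed assumptions.

```python
"""Model interval-and-threshold port-scan blocking and measure time-to-block.
Added example, not from the original engagement or from CSF; the drop lines
use a constructed 't=<seconds>' prefix instead of a real syslog timestamp."""
import re
from collections import defaultdict, deque
from typing import Optional

LINE_RE = re.compile(r"t=(?P<t>\d+) .*SRC=(?P<src>\S+) .*DPT=(?P<dpt>\d+)")

# Assumed service ports on a hosting box, including the panel ports in the 208x range.
PORTS = [21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 2082, 2083, 2086, 2087]

def scan_log(src: str, ports, step: int) -> str:
    """Constructed iptables-style drop lines: one new port every `step` seconds."""
    return "\n".join(
        f"t={i * step} Firewall: *TCP_IN Blocked* SRC={src} DST=192.0.2.10 PROTO=TCP DPT={p}"
        for i, p in enumerate(ports)
    )

def time_to_block(log: str, window: int, limit: int) -> Optional[int]:
    """Seconds from the first dropped packet until `limit` drops from one
    source fall within `window` seconds; None if the scan never trips the rule."""
    hits = defaultdict(deque)
    first = None
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        t, src = int(m["t"]), m["src"]
        first = t if first is None else first
        q = hits[src]
        q.append(t)
        while t - q[0] > window:
            q.popleft()               # drop packets that aged out of the window
        if len(q) >= limit:
            return t - first
    return None

FAST_SCAN = scan_log("203.0.113.5", PORTS, step=1)    # one port per second
SLOW_SCAN = scan_log("203.0.113.5", PORTS, step=40)   # one port every 40 seconds

if __name__ == "__main__":
    for name, log in (("fast", FAST_SCAN), ("slow", SLOW_SCAN)):
        for window, limit in ((300, 10), (600, 5)):
            print(f"{name} scan, window={window}s limit={limit}: block after {time_to_block(log, window, limit)}s")
```

With the wide-window, high-limit pair the fast scan is blocked after 9 seconds but the slow scan never is: it keeps at most 8 drops inside any 300-second window. Lowering the limit to 5 catches the slow scan at 160 seconds, which is the practical lesson: the limit, more than the interval, decides whether a patient scanner is ever blocked, and neither setting helps against a single exploit request, which is why the panel should not be reachable in the first place.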
The Summary
The lesson: default configurations are not secure configurations. EOL software is a ticking bomb. And admin panels should never be accessible from the public internet.
If you'd like to know what an attacker sees when they look at your infrastructure, get in touch.