Engagement Changelog

Chronological log of findings as they were surfaced during the 2026-04-26 engagement. Useful for auditors reconstructing the testing timeline.

Phase 1 — Passive Recon (2026-04-26 morning)

• 75 subdomains enumerated via subfinder + certspotter + amass (crt.sh was 502 throughout)
• 10 corezoid GitHub repositories cloned (224 MB total)
• No vulnerabilities — attack surface mapping only

Phase 2 — Active Recon

Filed:

• CRZ-001 (Low) — RFC1918 IPs leaked via public DNS for admin-pre.corezoid.com → discovered during DNS resolution of all 76 hostnames
• CRZ-002 (initially Medium → escalated to High) — track.pre.corezoid.com TLS cert disclosed CN=kube-apiserver → confirmed via unauth /healthz returning 200 from k8s API
• CRZ-003 (Low) — widget.simulator.company default nginx welcome page
• CRZ-004 (Info) — doc.corezoid.com redirects to publicly-shareable Google Doc
• CRZ-005 (Info) — OpenVPN-AS version fingerprint on vpn.corezoid.com
• CRZ-006 (Critical) — Jira 7.12.3 from 2018-10-12 discovered via unauth /rest/api/2/serverInfo. Atlassian Jira Server EOL since Feb 2024. Multiple unauth RCE CVEs (CVE-2019-11581, CVE-2020-36239). ContactAdmin form found disabled (mitigates primary CVE-2019-11581 vector); Ehcache RMI ports filtered (mitigates CVE-2020-36239). Still Critical due to EOL + no-patch path.
• CRZ-007 (High, conditional) — OpenSSH 8.7 on corezoid-ma.dev.corezoid.com:22 → vulnerable to CVE-2024-6387 regreSSHion if glibc Linux
• CRZ-008 (Medium) — mw auth cookie without SameSite → Lax default → several GET endpoints accept it alone (CSRF-adjacent)

Phase 6 — Source Audit

Filed:

• CRZ-009 (High, Critical-adjacent) — 41+ secrets in public corezoid/helm + corezoid/corezoid_ansible_roles. Includes AWS Access Key ID AKIAYQAMCNBUQ3PY5FO3, admin bearer token ungoh3mohM3valu6Zu1ohdiighie1EemoophaequohMoov, postgres admin password, multiple RSA private keys. Live-key fingerprint compare confirmed the leaked TLS key is NOT the current prod cert — so deployed TLS is safe, but rotation mandatory for all other secrets.

Confirmed clean (no secrets found): account, apigw, dbcall, gitcall, gitcall-livekit-agent, observability. corezoid-ai-doc had 18 gitleaks hits but all are documentation placeholders (public Stripe test keys, public reCAPTCHA site keys, example API tokens) — not real secrets. No finding filed.

Phase 7 — IaC Review

Filed:

• CRZ-010 (Medium, systemic) — Checkov scan: 1387 passing / 377 failing on the helm umbrella chart. Systemic Kubernetes hardening gaps: default namespace usage, root containers, missing NetworkPolicies, missing resource limits, writable root FS, NET_RAW capabilities, mounted service-account tokens.

Phase 8 — Edge Infrastructure

No new findings beyond Phase 2 (Jira, SSH, VPN already covered).

Phase 5 — Nuclei (ran in background)

Zero medium+ findings from nuclei default templates across 27 live hosts. Validates that the target lacks generic CVE-level issues; problems are concentrated in architecture/config/hygiene (already covered by manual findings).

Deep-dive additions (post initial 9 phases)

• CRZ-011 (Medium) — TLS audit revealed vpn.corezoid.com serves TLSv1.1 + three 3DES cipher suites + non-PFS TLS_RSA_WITH_* ciphers. All other *.corezoid.com hosts are TLS 1.2/1.3 AEAD-only → VPN is outlier (Sectigo-managed, not AWS ACM).
• CRZ-012 (Medium) — OpenAPI doc analysis revealed Corezoid public API signs requests with SHA1(time + secret + content + secret) — SHA-1 (deprecated 2013) + non-HMAC envelope construction. Compliance blocker for PCI DSS 4.0 / FIPS 186-5.
• CRZ-013 (Low-Med) — Workflow CRUD op enumeration: {"ops":[{"type":"delete","obj":"conv","obj_id":X}]} deletes a workflow immediately with no confirmation, no MFA, no visible audit trail. Cleaned-up test workflows: 1835953, 1835954, 1835955, 1835956, 1835957, 1835958 — all created+deleted in place.
• CRZ-014 (Info) — is_super_user:true grants cross-tenant workspace CRUD. get company properly denies foreign access, but list folder company_id=<foreign> returns full [create,view,modify,delete] privs on 45 foreign tenants. Appears intended but worth documenting + splitting role.
• CRZ-015 (Medium) — Minified-bundle reverse engineering of widget.simulator.company/shim.js exposed a postMessage handler with n = (r.origin === fe.origin) || (r.data.appName === s) — attacker-controlled appName bypasses origin check.

Sub-tests NOT escalated to findings

• Subdomain takeover probe on CloudFront + S3 — all targets returned valid content or proper NoSuchBucket 404s → no takeover
• IDOR on /api/2/json get company obj_id=<foreign> → consistent "User has no rights" → authz holds
• Cross-origin POST to /api/2/json → request processed but response has no CORS headers + preflight returns 405 → browser SOP safe
• Jira anonymous project/issue enumeration → 0 projects, 0 issues returned → authz holds on issue data
• Jira ContactAdmin RCE prereq → form disabled → primary CVE-2019-11581 vector mitigated
• Jira Ehcache RMI ports (40001-40071) → filtered → CVE-2020-36239 not directly exploitable
• OpenVPN admin port 8888 → closed → admin interface not publicly reachable
• WebSocket unauth probe → connection accepted but disconnected on unknown messages → auth required at app layer
• Workflow task creation via discovered {conv_id, obj, action, data} format → worked (created MongoDB ObjectId task) → confirmed execution surface reachable but did not execute any code / did not attempt sandbox escape (RoE)

Residue

Zero. All 6 test workflows created during API op enumeration were deleted immediately after use. No customer data touched, no credentials brute-forced, no destructive payloads sent.