CRZ-001
RFC1918 internal IPs in public DNS
low
CVSS 3.1: 5.3 · Asset: admin-pre.corezoid.com
- Severity: Low
- CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N → 5.3 (informational → low)
- CWE: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
- Asset: admin-pre.corezoid.com (public DNS)
- Discovered: 2026-04-26
- Status: Open
- Reporter: Claude (CVP pentest)
Summary
The public DNS record for admin-pre.corezoid.com resolves to an AWS-internal ELB hostname (internal-corezoid-pre-int-987618387.eu-west-1.elb.amazonaws.com) whose A records include three RFC1918 private addresses: 10.50.0.9, 10.50.0.39 and 10.50.10.202. These IPs are unreachable from the public internet, but their exposure via public DNS leaks the internal subnet layout.
Reproduction
$ dig +short admin-pre.corezoid.com A
internal-corezoid-pre-int-987618387.eu-west-1.elb.amazonaws.com.
10.50.0.9
10.50.0.39
10.50.10.202
$ dig +short admin-pre.corezoid.com CNAME
internal-corezoid-pre-int-987618387.eu-west-1.elb.amazonaws.com.
Evidence
recon/raw/dns-a-records.txt (line for admin-pre.corezoid.com)
Impact
Low severity, but it provides useful reconnaissance information to an attacker:
- Confirms the /16 subnet schema used internally (10.50.0.0/16 VPC)
- Confirms that pre-prod admin sits behind an internal-only ALB, not a public one
- Combined with any later SSRF or VPN compromise, an attacker knows exactly which IPs to target first
Remediation
- The pre-prod admin ALB is internal, so it should not have a public DNS record at all. Remove admin-pre.corezoid.com from the public DNS zone and host it in a private zone (Route 53 Private Hosted Zone) reachable only via VPN.
- Alternatively, if external accessibility is actually required, front it with a public ALB and do not expose the internal-* CNAME.
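A check for the condition this finding describes (RFC1918 addresses or an internal-scheme ELB target in a public DNS answer), added here as an example and not code from the original report. It parses captured `dig +short` output; the leaking sample is constructed from the reproduction above and the clean control record is invented.

```python
import ipaddress
import re

# RFC1918 space; any such address in a public DNS answer is this finding's condition.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Shape of an internal-scheme AWS load balancer name (internal-<name>-<id>.<region>.elb.amazonaws.com).
INTERNAL_ELB_RE = re.compile(r"^internal-[^.]+\.[a-z0-9-]+\.elb\.amazonaws\.com$", re.I)

def parse_dig_short(output):
    """Split `dig +short` output into (cname_targets, ip_addresses)."""
    cnames, addrs = [], []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            addrs.append(ipaddress.ip_address(line))
        except ValueError:  # not an IP literal, so treat it as a CNAME target
            cnames.append(line.rstrip("."))
    return cnames, addrs

def is_rfc1918(addr):
    """True when addr (str or ip_address object) lies in an RFC1918 block."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    return any(addr in net for net in RFC1918_NETS)

def audit_record(name, dig_output):
    """Return one finding string per internal detail leaked by `name`'s public answer."""
    cnames, addrs = parse_dig_short(dig_output)
    findings = [f"{name}: CNAME to internal-scheme ELB {c}"
                for c in cnames if INTERNAL_ELB_RE.match(c)]
    findings += [f"{name}: RFC1918 address {a} in public answer"
                 for a in addrs if is_rfc1918(a)]
    return findings

# Constructed sample: the answer shape shown in the Reproduction section above.
LEAKING_ANSWER = """\
internal-corezoid-pre-int-987618387.eu-west-1.elb.amazonaws.com.
10.50.0.9
10.50.0.39
10.50.10.202
"""
# Constructed control: a public-scheme ELB name resolving to a TEST-NET-3 address.
CLEAN_ANSWER = "example-lb-123456.eu-west-1.elb.amazonaws.com.\n203.0.113.10\n"
```

Running `audit_record("admin-pre.corezoid.com", LEAKING_ANSWER)` yields four findings (the CNAME plus the three private addresses), while the control answer yields none; the same function can be run over every name in a public zone export to catch regressions after the remediation.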
References
- CWE-200: Exposure of Sensitive Information
- OWASP WSTG-INFO-03: Review Webserver Metafiles for Information Leakage