Like many have reported, we too noticed exploit attempts for CVE-2025-64446 in our honeypots.
These are POST requests to this path:
With this User Agent String:
And this is the data of the POST request:
This creates a new admin user (profile: prof_admin).
You can find this JSON data back in this PoC.
Didier Stevens
Senior handler
blog.DidierStevens.com
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.