Wireless Network Penetration: How We Compromised a WPA2-Enterprise Network at a Fortune 500
WPA2-Enterprise is widely considered secure. During a physical penetration test of a Fortune 500 headquarters, our team compromised the wireless network using an evil twin attack that exploited a client-side certificate validation failure — without ever breaking the encryption.
The Assumption: WPA2-Enterprise Is Uncrackable
WPA2-Enterprise with 802.1X authentication is substantially more secure than WPA2-Personal. There is no shared PSK to crack. Authentication is per-user, and the RADIUS server identifies itself to the client with a certificate. It is the correct choice for enterprise environments. It is not, however, immune to client-side misconfiguration.
The Attack: Evil Twin with RADIUS Interception
Using a laptop with two wireless adapters, we broadcast an access point with the same SSID as the corporate network. Our "RADIUS server" on the evil twin did not present a valid certificate — it presented a self-signed certificate. The question was whether client devices were configured to validate the server certificate.
They were not. Zero of the 23 Windows laptops that connected to our evil twin challenged the certificate. Each device presented its corporate credentials (NTLM hash) to our RADIUS server in the handshake.
Cracking NTLM Hashes Offline
The captured NTLMv2 hashes were taken offline for hashcat cracking. A workstation with a modern GPU processed approximately 140 billion guesses per second against an NTLM hash. Five of the 23 captured hashes were cracked within 4 hours using a combination of a 14-character wordlist and rule-based mutations. One belonged to a domain administrator.
The Fix: Certificate Validation Enforcement
The remediation is entirely on the client side: configure wireless profiles to validate the RADIUS server certificate against a specific trusted CA and certificate fingerprint, and prevent users from accepting untrusted certificates. This is a Group Policy configuration in Windows environments and can be deployed centrally.
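As an added illustration of that remediation (not code from the original post or from HorizonShield), the following PowerShell script audits an exported Windows WLAN profile for the PEAP server-validation settings the fix depends on. The embedded profile XML is a constructed sample deliberately left in the weak state; the SSID name and the export folder are assumptions.

```powershell
# Constructed sample of an exported Windows WLAN profile, trimmed to the PEAP
# block and left in the weak state (no server validation, user prompt allowed).
$SampleProfile = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
    <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
      <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
        <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
          <ServerValidation>
            <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
            <ServerNames></ServerNames>
          </ServerValidation>
          <PeapExtensions>
            <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
          </PeapExtensions>
        </EapType>
      </Eap></Config></EapHostConfig>
  </EAPConfig></OneX></security></MSM>
</WLANProfile>
'@

# Text of a direct child element by local name; the PEAP block mixes four namespaces.
function Get-ChildText([System.Xml.XmlNode]$Node, [string]$Name) {
    $child = $Node.SelectSingleNode("*[local-name()='$Name']")
    if ($child) { $child.InnerText.Trim() } else { '' }
}

# Reports every setting that would let a client trust an evil twin's RADIUS certificate.
function Test-PeapServerValidation([xml]$ProfileXml) {
    $name = Get-ChildText $ProfileXml.DocumentElement 'name'
    $peap = $ProfileXml.SelectSingleNode("//*[local-name()='EapType' and *[local-name()='ServerValidation']]")
    if (-not $peap) { return [pscustomobject]@{ Profile = $name; Findings = @('No PEAP server-validation block found') } }
    $sv  = $peap.SelectSingleNode("*[local-name()='ServerValidation']")
    $ext = $peap.SelectSingleNode("*[local-name()='PeapExtensions']")
    $findings = @()
    if ($null -eq $ext -or (Get-ChildText $ext 'PerformServerValidation') -ne 'true') {
        $findings += 'PerformServerValidation is not true: any RADIUS certificate is accepted' }
    if ((Get-ChildText $sv 'DisableUserPromptForServerValidation') -ne 'true') {
        $findings += 'Users can click through an untrusted-certificate prompt' }
    if ((Get-ChildText $sv 'ServerNames') -eq '') {
        $findings += 'No expected RADIUS server name is pinned' }
    if ((Get-ChildText $sv 'TrustedRootCA') -eq '') {
        $findings += 'No trusted root CA thumbprint is pinned: every CA in the machine store is accepted' }
    [pscustomobject]@{ Profile = $name; Findings = $findings }
}

$result = Test-PeapServerValidation ([xml]$SampleProfile)
$result.Findings | ForEach-Object { "[$($result.Profile)] $_" }
```

To audit real machines, export the deployed profiles with `netsh wlan export profile folder=C:\audit` (assumed folder) and run `Test-PeapServerValidation` over each resulting XML file; a correctly remediated profile returns an empty Findings list.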
Physical Security Note
This attack was conducted from a café within signal range of the headquarters. No physical access to the building was required. Wi-Fi penetration testing scope should always include coverage from public areas adjacent to the facility.
Cybersecurity expert at HorizonShield, specializing in threat intelligence, incident response, and enterprise security architecture.