The CVE lifecycle begins with the identification of a vulnerability. Once verified, it is assigned a CVE ID and a preliminary CVSS score as it progresses toward remediation and final disclosure, ideally within a 90-day cycle. For higher-risk scenarios, CISA manages the KEV (Known Exploited Vulnerabilities) catalog, which sets a tighter schedule and stricter criteria for actively exploited vulnerabilities. For zero-day vulnerabilities the deadline for remediation is set to 21 days.
Nuclei is an open-source vulnerability scanner by ProjectDiscovery that uses powerful YAML templates. Nuclei helps cybersecurity experts quickly identify a wide range of vulnerabilities, and the ability to create custom templates makes its use both efficient and highly customizable. Nuclei has a very active community that usually prepares custom templates in response to critical CVEs in a matter of hours.
By analyzing current CVEs, we can form a realistic picture of how rapidly organizations can leverage Nuclei scans to protect themselves from present-day attacks.
1. CVE-2026-24061 – GNU Inetutils telnetd Remote Authentication Bypass via USER Environment Variable
The CVE was published on 21st of January 2026 with a critical CVSS score of 9.8, and on 26th it was added to the KEV catalog; by that time a PoC and a Nuclei template based on it already existed. Upon discovery it turned out that the vulnerability had existed since 2015, traceable to a single commit in the GNU Inetutils GitHub repository.
This vulnerability affects the telnetd service and stems from how it handles the USER environment variable. When connecting to a Telnet service, the client can send environment variables. The service takes this variable and feeds it directly to the system login command without sanitization. The attacker can set the USER variable to “-f root”, and when telnetd executes the command “/usr/bin/login -h [host] -f root”, the -f flag tells the login program to bypass the password check. The result is immediate root-level access to the server.
From the attacker’s point of view, all that is needed is an open Telnet port and a vulnerable version of inetutils, which makes the vulnerability easy to exploit, while the consequences can be devastating once the attacker gains full access to the target system. Hence, this CVE was quickly added to the KEV catalog and a fix was offered.
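The root cause described above is option injection: a client-controlled string lands in an argument position where the login program reads it as options. The following added example (not inetutils code; the login path, the “-h” option and the exact way telnetd assembles the command line are assumptions for illustration) models the vulnerable argv construction next to a hardened one, and gives a small check that a code review or unit test can run against any argv builder:

```python
import re
import shlex

# Constructed model of the hand-off the text describes: a USER value sent by the
# Telnet client ends up on the command line of the system login program. The
# path, the "-h" option and the splice order are assumptions, not inetutils code.
LOGIN = "/usr/bin/login"

# Allow-list for POSIX-style user names: no leading dash, no whitespace,
# no shell metacharacters, bounded length.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def build_login_argv_unsafe(host: str, user: str) -> list:
    """Vulnerable pattern (built for comparison only, never executed here): the
    client-controlled value is split and spliced in unchecked, so "-f root"
    becomes the option "-f" plus the argument "root"."""
    return [LOGIN, "-h", host] + shlex.split(user)


def build_login_argv(host: str, user: str) -> list:
    """Hardened pattern: validate the user name against an allow-list and place
    it after "--" so a getopt-style parser never reads it as an option."""
    if USERNAME_RE.fullmatch(user) is None:
        raise ValueError(f"rejected USER value {user!r}")
    return [LOGIN, "-h", host, "--", user]


def client_controlled_options(argv: list) -> list:
    """Return every client-derived argument that would be parsed as an option.
    Handy as a regression test on any argv builder that takes remote input."""
    client_part = argv[3:]  # everything after: LOGIN -h <host>
    return [a for a in client_part if a.startswith("-") and a != "--"]


if __name__ == "__main__":
    print(build_login_argv_unsafe("192.0.2.10", "-f root"))
    print(build_login_argv("192.0.2.10", "alice"))
```

Nothing in the block executes the login program; it only builds and inspects argument vectors. The allow-list is deliberately strict rather than a deny-list of known-bad option characters, because the safe set of user names is small and well defined while the set of things a given login implementation might interpret is not.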
The Nuclei template was built from the available Proof of Concept, and it both detects and intrudes into the target system. Instead of malicious activity it executes the “id” command and regex-matches the output for strings such as “uid=” and “gid=” and for the system messages “Last login” and “Debian”. During a scan, seeing the user recognized as root is concrete proof that the system is vulnerable. The template metadata includes Shodan and FOFA queries to further aid in searching for vulnerable ports and devices. The estimated time from discovery to Nuclei template was around 5 days.
2. CVE-2026-23760 – SmarterTools SmarterMail contains an authentication bypass vulnerability in the password reset API
This vulnerability concerns SmarterMail versions prior to build 9511, and the CVE was published on 22nd of January 2026 with a critical CVSS score of 9.8. The PoC was published within a 48-hour window. On 26th the CVE was added to the KEV catalog, as the exploit was known to be used in ransomware attacks. The Nuclei template appeared within 24 hours of the KEV catalog addition.
The vulnerability had to do with how the mail server handles user authentication. The “force-reset-password” endpoint accepted anonymous requests and did not verify the existing password. This allowed the attacker to submit arbitrary password data and change the password to their liking. After gaining access, the attacker could navigate to Volume Mounts under Settings and chain commands via input fields to, for example, create a hidden administrator account that would persist even if the password the attacker changed gets reset. From that point forward the attacker could try to elevate privileges from SmarterMail admin to SYSTEM/root-level admin.
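Until the build is updated, the most useful thing a defender can do with this description is watch for it: an anonymous POST to the reset endpoint is exactly the request a patched server should refuse and a vulnerable one accepts. The following added example (not SmarterMail’s code or log format; the URL path and the combined-log layout are assumptions, and the log lines are constructed) flags such requests from sample web-server logs and aggregates them per source address:

```python
import re
from collections import Counter
from typing import Optional

# Path fragment of the "force-reset-password" endpoint named in the text. The
# real SmarterMail route is not given on the page, so the full paths below are
# assumed for the sake of the example.
RESET_FRAGMENT = "force-reset-password"

# Constructed sample lines in combined-log style:
#   client ident authuser [time] "method path proto" status bytes
# authuser is "-" when the request carried no authenticated identity.
SAMPLE_LOG = """\
198.51.100.7 - - [26/Jan/2026:10:02:11 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 412
198.51.100.7 - - [26/Jan/2026:10:02:12 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 412
198.51.100.7 - - [26/Jan/2026:10:02:13 +0000] "GET /interface/root HTTP/1.1" 200 9920
203.0.113.9 - admin [26/Jan/2026:10:05:40 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 200 412
203.0.113.22 - - [26/Jan/2026:10:07:02 +0000] "POST /api/v1/auth/force-reset-password HTTP/1.1" 401 87
this line is not a log line
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def unauthenticated_resets(log_text: str) -> list:
    """Flag every POST to the reset endpoint that carried no authenticated user.
    A 2xx status on such a request is the strongest signal (the reset went
    through); a 401 still shows the endpoint is being probed."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and RESET_FRAGMENT in rec["path"] and rec["user"] == "-":
            rec["severity"] = "high" if rec["status"].startswith("2") else "medium"
            findings.append(rec)
    return findings


def per_source(findings: list) -> Counter:
    """Count flagged requests per client address, for alert aggregation."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = unauthenticated_resets(SAMPLE_LOG)
    for h in hits:
        print(h["severity"], h["ip"], h["ts"], h["status"])
    print(dict(per_source(hits)))
```

The authenticated reset by “admin” is left alone on purpose: the bypass is the anonymous case, and a legitimate reset by a logged-in user should not page anyone. A real deployment would point this at the reverse proxy or IIS logs in front of the mail server and key the alert on the 2xx findings.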
A successful exploit requires the admin username, which is often easily discoverable via public email addresses. So the question of how challenging the exploitation is depends on whether the mail server lives in the cloud or on-premises, and whether the admin account is named something other than the default. In any case, the only way to remediate this vulnerability is to update the SmarterMail build. Not doing so could lead to complete loss of data, identity theft and ransomware. The reasons hindering the update process may vary from fear of causing email service disruptions to limited testing resources.
The Nuclei template is similarly intrusive and reproduces the successful attack 1:1. It has a variable that generates a random alphanumeric string of 12 characters as the new password. During a Nuclei scan the new password is extracted and shows up in the scan results as “New Password: ” followed by the password. The template carries the tag “intrusive” to signal to the user that the template actually performs the attack and changes the password, so it shouldn’t be run against a production server. This in turn underlines the importance of checking which templates to use per scan, instead of blindly running entire template directories without knowing what each template does.
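The “intrusive” tag is only useful if something reads it before the scan starts. The following added example (not Nuclei’s own template parser; the three template bodies are constructed and deliberately minimal, and the reader assumes the comma-separated “tags:” form used in community templates) audits a set of templates and separates the ones safe to run against production from those tagged intrusive or dos:

```python
import re
from typing import Dict, List, Set, Tuple

# Nuclei templates carry a comma-separated "tags:" entry under "info:". This
# reader handles that form only, with or without surrounding quotes.
TAGS_RE = re.compile(r"^\s+tags:\s*['\"]?(?P<tags>[^'\"\n]+?)['\"]?\s*$", re.MULTILINE)

# Constructed, minimal template bodies modelled on the structure the text
# describes; none of these is a real community template.
TEMPLATES = {
    "cve-a-detect.yaml": """\
id: example-detect
info:
  name: Example version detection
  severity: info
  tags: cve,example,detect
""",
    "cve-b-reset.yaml": """\
id: example-reset
info:
  name: Example password reset
  severity: critical
  tags: "cve,example,intrusive"
""",
    "cve-c-dos.yaml": """\
id: example-dos
info:
  name: Example crash check
  severity: high
  tags: cve,example,dos
""",
}


def template_tags(text: str) -> Set[str]:
    """Extract the tag set from a template body; empty if no tags line exists."""
    m = TAGS_RE.search(text)
    if not m:
        return set()
    return {t.strip().lower() for t in m.group("tags").split(",") if t.strip()}


def select_templates(templates: Dict[str, str],
                     exclude=("intrusive", "dos")) -> Tuple[List[str], Dict[str, Set[str]]]:
    """Split templates into a run list and a dict of excluded name -> matching tags.
    Templates with no tags line are kept: absence of a tag is not a safety claim,
    so they should be reviewed by hand rather than silently dropped."""
    blocked = {e.lower() for e in exclude}
    kept, excluded = [], {}
    for name in sorted(templates):
        hit = template_tags(templates[name]) & blocked
        if hit:
            excluded[name] = hit
        else:
            kept.append(name)
    return kept, excluded


if __name__ == "__main__":
    run, skip = select_templates(TEMPLATES)
    print("run:", run)
    for name, why in skip.items():
        print("skip:", name, "because of", sorted(why))
```

The same selection is available on the command line as `nuclei -etags intrusive,dos`, but keeping an explicit audit step like this in a CI pipeline or scan wrapper means the choice is recorded rather than relying on every operator remembering the flag.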
3. CVE-2026-1731 – Remote code execution vulnerability in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA)
This CVE was published on 6th of February 2026 with a critical CVSS score of 9.8, the PoC followed on 11th, and it was added to the KEV catalog on 13th. It was known to be part of a ransomware campaign. According to GitHub, the Nuclei template was created on 10th of February, suggesting it was made before the PoC release, but this is difficult to confirm.
In comparison to the previous CVEs under examination, this one concerns a vulnerability that lives inside tools created to improve cybersecurity. The issue occurs due to misuse of a built-in feature of the Bash command-line interpreter. In the background there is a script called “thin-scc-wrapper” which performs arithmetic comparisons during the WebSocket handshake. The problem is that Bash evaluates the incoming values in these numeric comparisons as expressions instead of strings. When the attacker connects to BeyondTrust, the device asks for a version number, which the attacker supplies as the “remoteVersion” input value. If remoteVersion is set to e.g. “a[$(cmd)]0”, Bash tries to resolve the value by looking up the index of “a”, and while doing so ends up running the command inside the square brackets, in this case whatever the value of “cmd” is.
Once inside, the attacker’s actions are limited to the installed tools and the Bash interpreter, but the attacker can still run any command a system administrator could. What makes this especially dangerous is that the attacker does not need to know any user credentials. The attacker simply sends a request to upgrade the HTTP connection to a WebSocket connection, followed by a poisoned “remoteVersion” value during the WebSocket handshake. The version check happens before the phase that asks for user credentials, and it already gives the attacker the means for remote code execution. Remediating this vulnerability requires action from the vendor, developers and administrators.
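The lesson for anyone writing a wrapper like this is that a value meant to be a number has to be proven to be one before it reaches any arithmetic context. The real fix belongs in the wrapper script itself; the following added example (not BeyondTrust’s code, and the “2.0” minimum is an assumed example threshold) shows the principle in Python: a strict allow-list parser for dotted version strings and a component-wise comparison that never hands raw input to a shell or an evaluator:

```python
import re

# Strict allow-list for a version string: digits and dots only, bounded size.
# Anything with brackets, $(...), spaces, letters or leading/trailing junk fails.
VERSION_RE = re.compile(r"\d{1,5}(?:\.\d{1,5}){0,3}")


def parse_version(raw) -> tuple:
    """Accept only plain dotted numerics and return them as a tuple of ints.
    Rejecting here is what prevents the value from ever reaching an arithmetic
    context (Bash's (( )) or [[ -ge ]]) that would interpret it as an expression."""
    if not isinstance(raw, str) or VERSION_RE.fullmatch(raw) is None:
        raise ValueError(f"rejected remoteVersion value {raw!r}")
    return tuple(int(part) for part in raw.split("."))


def version_at_least(raw, minimum) -> bool:
    """Compare two validated versions component-wise, padding the shorter
    one with zeros so "2.4" and "2.4.0" compare equal."""
    a, b = parse_version(raw), parse_version(minimum)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def handshake_version_ok(raw) -> bool:
    """Gate used where the handshake value is accepted: unparsable input is a
    failed check, not an error to swallow and not something to pass along."""
    try:
        return version_at_least(raw, "2.0")  # assumed example threshold
    except ValueError:
        return False


if __name__ == "__main__":
    for value in ("2.4.1", "1.9", "a[$(true)]0", "2.4.1 "):
        print(repr(value), "->", handshake_version_ok(value))
```

In Bash the equivalent guard is a pattern test such as `[[ $v =~ ^[0-9]+(\.[0-9]+)*$ ]]` before any `-ge` or `(( ))` comparison, which is the kind of check a security reviewer should look for whenever a script compares a network-supplied value numerically.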
The Nuclei template’s structure is twofold. First, it makes a normal HTTP request to find out the “default_company” value. The second phase runs a JavaScript engine locally to construct the binary WebSocket layer byte by byte, opening an encrypted TCP connection and sending a custom HTTP header to upgrade the connection to WebSocket. The template uses out-of-band techniques via Nuclei’s own interactsh_protocol service, which logs the connection attempt (dns/http) to a unique address. This multi-step logic demonstrates Nuclei’s flexibility in handling protocols like WebSocket (RFC 6455).
Conclusions
We examined three vulnerabilities ranging from injections to bypasses. In each case, the transition from published CVE to Nuclei template was relatively fast and was sped up by the schedule set by the KEV catalog addition. Even though determining the exact template creation times can be challenging, the process of creating community templates in response to newly discovered vulnerabilities is generally fast. Estimates vary from one hour to a month, depending on the vulnerability in question, and in some cases up to 90 days.
There are also 0-day vulnerabilities and other recently published critical CVEs for which a PoC does not exist early on, or the vendor refuses to publish one right away. In these cases the templates are likely created by, for example, reverse engineering or comparing changes at the binary level. However, what can make these vulnerabilities persist for many years is the fact that patching the vulnerable systems is often left to vendors and end users. Not to mention that the vulnerability might often live in critical legacy systems and devices, making patching a difficult task. This remains one of the issues in cybersecurity in general.
At the end of the day, the exact figures matter less. What does matter is that there are good tools acknowledging these issues and, even more so, hardworking groups and individuals creating these templates and thus swiftly responding to the ever-present threats of our digital world.
Iiro Vanhatalo
Iiro works as an intern at 2NS Cybersecurity and is researching the latest vulnerabilities and their journey to Nuclei templates.