WebMethods Integration Server 10.15.0.0000-0092 Improper Access on Login Page
WebMethods Integration Server 10.15.0.0000-0092 contains a vulnerability that allows an attacker to reach the administration panel by sending an arbitrary username and a blank password, and to obtain the server hostname, version information and administrative API endpoints. 2025-5-6 20:39:6 Author: cxsecurity.com

# Exploit Title: WebMethods Integration Server 10.15.0.0000-0092 - Improper Access on Login Page
# Date: 25-01-2024
# Exploit Author: Rasime Ekici
# Vendor Homepage: www.softwareag.com
# Version: 10.15.0000-0092
# Tested on: 10.15.0000-0092
# CVE : 2024-23733

Description:

The /WmAdmin/ and /invoke/vm.server/login login pages in the Integration Server in Software AG webMethods 10.15.0 before Core Fix7 allow remote attackers to reach the administration panel, discovering the server hostname and version information, by sending an arbitrary username and a blank password to the /WmAdmin/#/login/ URI.

Intercept the HTTP traffic, send a dummy username with a blank password on the login screen, and drop the request to "/admin/navigation/license" so that the session is not logged out. You may then be able to see:

- the real hostname of the installed server
- version information
- administrative API endpoints
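As an added detection-side example (not part of the advisory or the vendor's code), the following scans web-server access logs for the sequence described above: a client that hits the login endpoint and then goes on to call /admin/ endpoints without ever requesting /admin/navigation/license, which a normal browser session would issue. The combined access-log layout, the admin endpoint names and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Paths come from the advisory above; the "combined" access-log layout and the
# admin endpoint names in the sample are assumptions made for this example.
LOGIN_PATH = "/invoke/vm.server/login"
LICENSE_PATH = "/admin/navigation/license"
ADMIN_PREFIX = "/admin/"

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    rec["status"] = int(rec["status"])
    return rec

def suspicious_sessions(lines):
    """Return client IPs that hit the login endpoint, then used /admin/ endpoints
    without ever requesting the license check that would log them out."""
    per_ip = defaultdict(lambda: {"login": False, "admin": 0, "license": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        if rec["path"] == LOGIN_PATH:
            s["login"] = True
        elif rec["path"] == LICENSE_PATH:
            s["license"] = True
        elif s["login"] and rec["path"].startswith(ADMIN_PREFIX) and rec["status"] == 200:
            s["admin"] += 1
    return sorted(ip for ip, s in per_ip.items()
                  if s["login"] and s["admin"] > 0 and not s["license"])

# Constructed sample: a normal admin session, one that skips the license call, a failed login.
SAMPLE_LOG = """\
198.51.100.7 - - [06/May/2025:20:39:01 +0000] "POST /invoke/vm.server/login HTTP/1.1" 200 512
198.51.100.7 - - [06/May/2025:20:39:02 +0000] "GET /admin/navigation/license HTTP/1.1" 200 310
198.51.100.7 - - [06/May/2025:20:39:03 +0000] "GET /admin/server/status HTTP/1.1" 200 2048
203.0.113.9 - - [06/May/2025:20:40:10 +0000] "POST /invoke/vm.server/login HTTP/1.1" 200 512
203.0.113.9 - - [06/May/2025:20:40:11 +0000] "GET /admin/server/status HTTP/1.1" 200 2048
192.0.2.5 - - [06/May/2025:20:41:00 +0000] "POST /invoke/vm.server/login HTTP/1.1" 401 0
"""
```

Run `suspicious_sessions(SAMPLE_LOG.splitlines())` to flag only the client that used admin endpoints without the license request; on real logs, treat a hit as a lead to verify against the fixed version, not as proof of compromise.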



Source: https://cxsecurity.com/issue/WLB-2025050017