Like many have reported, we too noticed exploit attempts for CVE-2025-64446 in our honeypots.

These are POST requests to this path:

With this User Agent String:

And this is the data of the POST request:

This creates a new admin user (profile: prof_admin).

You can find this JSON data back in this PoC.

Didier Stevens
Senior handler
blog.DidierStevens.com