Share
## https://sploitus.com/exploit?id=BFE83A8D-F513-50B7-A821-F4E3185BD9F4
# CVE-2025-1868: Advanced IP Scanner & Advanced Port Scanner NTLM Leakage HTTP Tester

Small dockerizer PHP app that triggers an NTLM handshake and extracts the claimed **domain**, **user**, and **workstation** from NTLM Type 3 messages.

It does not validate passwords.  
It does not store challenges.  
It only logs claimed identity and request metadata.

This is useful to confirm when a scanner or troubleshooting workflow is causing outbound NTLM authentication over HTTP.

Detailed info: https://labs.itresit.es/2026/01/03/cve-2025-1868-unpatched-advanced-ip-scanner-silently-exposes-ntlm-during-scans/

## Important
This tester must be published on **host port 80**. If you publish it on a different port, validation may fail.

## Run
```bash
./run.sh
```

## Logs
```bash
tail -f data/scan.log
```

## More References
- https://nvd.nist.gov/vuln/detail/CVE-2025-1868
- https://www.cve.org/CVERecord?id=2025-1868
- https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2025-1868
- https://labs.itresit.es/published-vulnerabilities/