Our Exploit Harvester Caught CVE-2026-37748 Thirty-Seven Minutes After the PoC Dropped. Here's What It Found.
- Patrick Duggan
- 9 minutes ago
At 17:27 UTC today, a security researcher in Pune, India named Varad Mene pushed a new repository to GitHub: a working proof-of-concept exploit for CVE-2026-37748 — an unrestricted file upload vulnerability in Visitor Management System 1.0 that escalates to remote code execution.
Two files in the repo. A README. A Python exploit script. 1,986 bytes of weaponized code.
At 18:04 UTC today — thirty-seven minutes after the push — our exploit harvester pipeline had the repo indexed, the exploit patterns extracted, and the credentials-of-interest (default admin/admin, test123/test123) added to our IOC database. Every enterprise consumer of the DugganUSA STIX feed had the signature in their pipeline before the researcher's repo had a single star or fork.
This is Pattern 49 doing exactly what we designed it to do: close the window between when an exploit becomes public and when defenders can act on it. Thirty-seven minutes is not nothing. Thirty-seven minutes is the difference between "we're aware of this" and "three customers got popped before we read about it on a Monday-morning briefing."
What The Vulnerability Is
CVE-2026-37748 is an unrestricted file upload in Visitor Management System 1.0 — a generic PHP web application in the same family as countless small-business visitor sign-in systems. The attack path is textbook:
- The attacker visits the visitor-registration page of a deployed instance.
- They upload what looks like a visitor photo, except the file is a PHP webshell with a doctored MIME type or an extension trick.
- The application accepts the upload because it trusts client-side validation.
- The webshell lands somewhere web-accessible in the uploads directory.
- The attacker browses to the webshell URL and runs arbitrary commands as the webserver user.
From there it's the standard playbook — cat the database config, extract credentials, pivot laterally, install persistence, steal whatever visitor logs the system stored. If you've seen one PHP file-upload RCE, you've seen a hundred.
What makes this specific CVE worth an urgent write-up isn't novelty. It's deployment concentration.
Who Actually Runs Visitor Management System 1.0
This class of software is deployed everywhere you don't think to look:
- Small offices using generic visitor sign-in kiosks
- Independent schools and community colleges
- Gyms and fitness centers
- Independent medical clinics and small practices
- Coworking spaces that want visitor tracking without a Kisi or Envoy subscription
- Industrial facilities in emerging markets
- HOAs and property management companies
- Religious institutions running volunteer/visitor tracking
The common thread: self-hosted PHP, shared hosting, rarely patched, IT run by whoever's willing to take the weekend call. These are exactly the SMB and non-profit organizations that our industry tells to buy enterprise threat intelligence and then prices out of the market at $100K a year.
When a working exploit drops for this class of software, the window between public PoC and first compromise is measured in hours, not weeks. SMB defenders don't have 24/7 SOCs. They have a sysadmin who checks logs on Monday morning.
What The Exploit Looks Like In Practice
The PoC published today is a Python script that handles authentication, file upload, and post-exploitation in under two kilobytes. The patterns worth detecting:
- Default credentials in the target-enumeration logic: admin / admin and test123 / test123. These are the installation defaults the researcher tested against, meaning any instance where they were never changed is immediately vulnerable.
- POST requests to upload endpoints where the file extension does not match the declared MIME type, for example a file with a .php extension carrying an image/jpeg Content-Type header.
- PHP command-execution functions appearing in served content after an upload. The usual suspects are system, shell_exec, passthru, and exec. Any time these appear in content that should have been a visitor photograph, you have a compromise in progress.
- Sequential file access: an upload immediately followed by a GET request to the uploaded path is the fingerprint of exploitation in progress.
These are now live IOC patterns in our index. Every DugganUSA STIX feed consumer has the detection signature. Over three hundred organizations across forty-six countries can deploy the alert rule by end of day.
About The Researcher
For transparency: this is not a malicious actor. Varad Mene is a security researcher based in Pune, India, affiliated with Hindustan Institute of Computer Arts at Savitribai Phule Pune University. Six public repositories, fourteen followers, a clear self-identification as a VAPT (Vulnerability Assessment and Penetration Testing) practitioner. His GitHub account has been active since January 2023.
This is legitimate disclosure research. The long-running community debate about when to publish weaponized PoCs is not ours to adjudicate — reasonable people disagree. What we can do is compress the detection window so defenders have a fighting chance the moment research becomes public.
If you're reading this, Varad — good work. The exploit is clean and the documentation is clear. We'd welcome you as a STIX feed consumer (it's free) and to keep an eye on what we publish.
What To Do If You Run This Software
- Check whether you have Visitor Management System 1.0 deployed anywhere. Look for paths like /visitor-management/, /vms/, /sign-in/, /visitor/ on any internet-facing subdomain you operate.
- If you find an instance, take it off the public internet today. Put it behind a VPN, restrict it to internal IPs, or shut it down until patched.
- Change default credentials immediately if the instance must stay live. admin/admin is the front door.
- Review the upload directory for any files created in the last 30 days with PHP extensions. Any .php file in an uploads folder is an indicator of compromise.
- Apply the WAF rule blocking POST requests to upload endpoints where the file extension and the declared Content-Type disagree.
- Review webserver access logs for sequential upload + GET patterns in the same session.
- Rotate any credentials that may have been stored in the database reachable from a compromised instance.
- Monitor outbound connections from the host. Compromised Visitor Management deployments are commonly repurposed as staging servers for lateral movement.
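To make the log-review and WAF items above concrete, here is an added example (not code from the post or from DugganUSA's pipeline) that runs the "upload then GET" and ".php in uploads" checks over a few constructed Apache-style access log lines, plus the extension/Content-Type disagreement check a WAF rule would apply. The endpoint path /vms/visitor-registration.php and the upload directory /vms/uploads/ are assumptions, not paths taken from the page.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache-style access log sample (not from the page); paths are assumed.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2026:17:31:02 +0000] "POST /vms/visitor-registration.php HTTP/1.1" 302 0',
    '203.0.113.5 - - [12/Mar/2026:17:31:04 +0000] "GET /vms/uploads/visitor_1712.php HTTP/1.1" 200 412',
    '198.51.100.9 - - [12/Mar/2026:17:35:10 +0000] "POST /vms/visitor-registration.php HTTP/1.1" 302 0',
    '198.51.100.9 - - [12/Mar/2026:17:35:20 +0000] "GET /vms/uploads/visitor_1713.jpg HTTP/1.1" 200 52311',
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
UPLOAD_ENDPOINT = "/vms/visitor-registration.php"  # assumed registration/upload handler
UPLOAD_DIR = "/vms/uploads/"                       # assumed web-accessible upload directory
PHP_EXTS = {"php", "phtml", "php3", "php5", "phar"}
IMAGE_TYPES = {"jpg": "image/jpeg", "jpeg": "image/jpeg", "png": "image/png", "gif": "image/gif"}

def parse_line(line):
    """Return ip/ts/method/path/status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_upload_abuse(lines, window=timedelta(seconds=60)):
    """Flag GETs of PHP files under the upload dir (an IOC on its own) and a POST to the
    upload endpoint followed by a GET into the upload dir from the same client within
    `window` (worth a look, since a normal photo fetch produces the same shape)."""
    last_post, findings = {}, []
    for rec in filter(None, map(parse_line, lines)):
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path == UPLOAD_ENDPOINT:
            last_post[rec["ip"]] = rec["ts"]
        elif rec["method"] == "GET" and path.startswith(UPLOAD_DIR):
            prior = last_post.get(rec["ip"])
            if path.rsplit(".", 1)[-1].lower() in PHP_EXTS:
                findings.append((rec["ip"], path, "php-in-uploads"))
            elif prior is not None and rec["ts"] - prior <= window:
                findings.append((rec["ip"], path, "upload-then-get"))
    return findings

def extension_mime_disagree(filename, content_type):
    """WAF-style check: True when the declared Content-Type does not match an allowed
    image extension, or when any extension segment is a PHP extension (shell.php.jpg)."""
    parts = filename.lower().split(".")
    if any(p in PHP_EXTS for p in parts[1:]):
        return True
    declared = content_type.split(";", 1)[0].strip().lower()
    return IMAGE_TYPES.get(parts[-1]) != declared
```

Run find_upload_abuse over real logs grouped by client and escalate "php-in-uploads" hits first; the "upload-then-get" hits are a review queue, not an alert on their own.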
If you consume our STIX feed: The detection patterns are live. If your SIEM is pulling our feed daily, the alert rule is already in your pipeline.
If you don't consume our feed yet: analytics.dugganusa.com/api/v1/stix-feed. Free tier. Microsoft, AT&T, and Starlink pull it daily. The CVE-2026-37748 signature is in it.
The Meta Point
The exploit harvester pipeline we're running is the product, not a feature. Every six hours, our system crawls GitHub for weaponized CVE code, extracts exploitation patterns, cross-references against our indicator database, and pushes detection signatures to the STIX feed.
This is one of eighty-four active detection rules the harvester runs. It caught a zero-hour weaponized PoC in thirty-seven minutes today. It will catch the next one tomorrow.
Commercial threat intelligence vendors charge hundreds of thousands of dollars a year to deliver alerts that typically arrive after the first wave of compromises has already landed. We're building the opposite — a pipeline that delivers the signature before the first wave lands, running at seventy-five dollars a month in infrastructure cost, free at the edge, and consumed by three hundred organizations across forty-six countries.
The Fortinet CVE deadline was this morning. CVE-2026-37748 dropped this afternoon. Tomorrow there will be another. The attackers don't rest and neither does the harvester.
If you run Visitor Management System 1.0 — patch. If you don't — ingest our feed so you catch the next one.
— Patrick
References:
- The researcher's disclosure repository: github.com/menevarad007/CVE-2026-37748
- DugganUSA STIX 2.1 Threat Intelligence Feed: analytics.dugganusa.com/api/v1/stix-feed
- DugganUSA Exploit Harvester (public API endpoint): analytics.dugganusa.com/api/v1/admin/harvest
