Security case studies
Real, disclosed vulnerabilities — mapped to OWASP Top 10:2025 and CWE. Each has the incident, the vulnerable code, the fix, and the Benteng tool that catches the class.
CVE-2025-10035· OWASP A08
GoAnywhere MFT — unauthenticated deserialization RCE
A forged, signed object deserialized by GoAnywhere's admin console gave pre-auth remote code execution.
CWE-502 Deserialization of Untrusted Data
CVE-2025-66516· OWASP A01
Apache Tika — unauthenticated SSRF / XXE
A crafted document parsed by Tika made the server fetch attacker-chosen URLs and read local files.
CWE-611 XML External Entity
CVE-2024-12356· OWASP A05
BeyondTrust Remote Support — SQL injection to breach
A SQL injection in a remote-support product was part of the chain that reached the US Treasury.
CWE-89 SQL Injection
CVE-2024-3094· OWASP A03
xz-utils — supply-chain backdoor (nearly an SSH RCE)
A trusted maintainer slipped a hidden backdoor into a core Linux compression library.
CWE-506 Embedded Malicious Code
CVE-2026-7871· OWASP A03
Langflow — RCE via the Redis backend
Anyone who could reach Langflow's Redis got code execution through unsafe deserialization.
CWE-502 Deserialization of Untrusted Data
Prompt injection· OWASP A03
Prompt injection — the $1 Chevrolet
Visitors overrode a dealership chatbot's instructions and made it 'agree' to sell a car for $1.
CWE-1427 Prompt Injection
Error handling· OWASP A10
Fail-open auth — the exception that grants access
An auth check that throws on error and is caught into 'allow' silently opens the door.
CWE-703 Improper Check of Exceptional Conditions
Access control· OWASP A01
IDOR — reading another tenant's data by changing an id
An endpoint returns any record by id without checking who owns it.
CWE-639 Authorization Bypass Through User-Controlled Key
Secrets· OWASP A02
Hardcoded / default secret — CWE-798
A fallback secret baked into the code becomes the same key on every deployment.
CWE-798 Use of Hard-coded Credentials
CORS· OWASP A02
CORS — wildcard origin with credentials
Reflecting the Origin (or *) while allowing credentials lets any site read authenticated responses.
CWE-942 Permissive Cross-domain Policy
Path traversal· OWASP A01
Path traversal — ../ into arbitrary file read
User-controlled filenames with ../ escape the intended directory and read system files.
CWE-22 Path Traversal
MCP / AI tooling· OWASP A03
MCP tool poisoning — malicious instructions in a tool description
A malicious MCP server hides instructions in a tool's description that the agent silently obeys.
CWE-77 Command Injection (via tool)