(CVE Update August 2023) New and Critical CVEs Exploited In Wild

August 11, 2023 (last updated November 29, 2024)

Over the last two weeks, FireCompass research identified a large number of high-severity CVEs, along with ransomware, botnets and threat actors actively exploiting them. Some of the CVEs affect popular commercial products used across many industries, and several new and well-known malware families were observed targeting industries this week. Below we list the important CVEs discovered this week, as well as the malware, threat actors and botnets that were most active, together with the CVEs they used in their campaigns.

The key vulnerabilities that FireCompass has focused on are:

- CVE-2023-34635 – Wifi Soft Unibox Administrator SQL Injection
- Multiple Webmin Vulnerabilities
- CVE-2023-37580 – Zimbra Collaboration (ZCS) XSS
- CVE-2023-38750 – Zimbra Collaboration (ZCS) XML File Exposure
- CVE-2023-3983 – Advantech iView Blind SQLi
- CVE-2022-39986 – RaspAP Unauthenticated RCE
- CVE-2022-39987 – RaspAP Authenticated RCE
- CVE-2023-39108, CVE-2023-39109, CVE-2023-39110 – Multiple RConfig Vulnerabilities
- CVE-2023-38357 – RWS WorldServer Unauthorized Access
- CVE-2023-33493 – PrestaShop Ajaxmanager File and Database Remote File Upload
- CVE-2023-39147 – UVDesk Arbitrary File Upload

The key malware and threat actors that FireCompass has focused on are:

- CVE-2023-2868 – Barracuda Email Security Gateway (appliance form factor only)
- CVE-2022-0543 – Redis
- CVE-2023-3519 – Citrix ADC, Citrix Gateway
- CVE-2023-3466 – Citrix ADC, Citrix Gateway
- CVE-2023-3467 – Citrix ADC, Citrix Gateway
- CVE-2021-26855 – Microsoft Exchange Server
- CVE-2021-26857 – Microsoft Exchange Server
- CVE-2021-26858 – Microsoft Exchange Server
- CVE-2021-27065 – Microsoft Exchange Server
- CVE-2021-30116 – Kaseya VSA

To stay safe against these critical vulnerabilities, organizations must find them as early as possible and fix them.
The FireCompass Research Team urges organizations to identify their exposed assets, and to test and fix the vulnerabilities. The FireCompass CART/EASM platform finds and tests the above-mentioned vulnerabilities, and similar critical vulnerabilities, on our customers' networks as soon as they are discovered.

From the above lists, below is a brief description of each CVE.

CVE-2023-34635 – Wifi Soft Unibox Administrator SQL Injection

Wifi Soft Unibox Administrator contains a SQL injection vulnerability that lets an attacker access sensitive data. The vulnerability occurs because user input in the username field of the login page is neither validated nor sanitized. PoC: https://www.exploit-db.com/exploits/51610

Multiple Webmin Vulnerabilities

Webmin, a web-based server administration application, had multiple vulnerabilities identified this week. All are cross-site scripting vulnerabilities that let an attacker gain arbitrary remote code execution or access to sensitive files. The CVEs are:

- CVE-2023-38303
- CVE-2023-38304
- CVE-2023-38305
- CVE-2023-38306
- CVE-2023-38307
- CVE-2023-38308
- CVE-2023-38309
- CVE-2023-38310
- CVE-2023-38311

CVE-2023-37580 & CVE-2023-38750 – Zimbra Collaboration (ZCS)

Two vulnerabilities have been identified in Zimbra Collaboration (ZCS). The first, CVE-2023-37580, is an XSS in the Zimbra Web Client; this vulnerability was listed in the CISA Known Exploited Vulnerabilities catalog last week. The second, CVE-2023-38750, is a sensitive file exposure that lets an attacker view internal XML and JSP files.

CVE-2023-3983 – Advantech iView

An authenticated SQL injection vulnerability in Advantech iView lets an attacker perform blind SQL injection.

CVE-2022-39986 & CVE-2022-39987 – RaspAP RCE

Two vulnerabilities have been identified in RaspAP wireless routers.
The first, CVE-2022-39986, is an unauthenticated remote code execution; the second, CVE-2022-39987, is an authenticated remote code execution. PoC for both CVEs: https://medium.com/@ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2

Multiple RConfig Vulnerabilities

Multiple SSRF vulnerabilities have been identified in the RConfig network configuration management tool. The CVEs are:

- CVE-2023-39108
- CVE-2023-39109
- CVE-2023-39110

CVE-2023-38357 – RWS WorldServer Unauthorized Access

Session tokens in RWS WorldServer 11.7.3 and earlier have low entropy and can be enumerated, leading to unauthorized access to user sessions. PoC: https://packetstormsecurity.com/files/173609/RWS-WorldServer-11.7.3-Session-Token-Enumeration.html

CVE-2023-33493 – PrestaShop Ajaxmanager File and Database Remote File Upload

An Unrestricted Upload of File with Dangerous Type vulnerability in the Ajaxmanager File and Database explorer (ajaxmanager) module for PrestaShop through 2.3.0 allows remote attackers to upload dangerous files without restrictions. PoC: https://security.friendsofpresta.org/module/2023/07/28/ajaxmanager.html

CVE-2023-39147 – UVDesk Arbitrary File Upload

An arbitrary file upload vulnerability in UVDesk 1.1.3 allows attackers to execute arbitrary code by uploading a crafted image file. PoC: https://packetstormsecurity.com/files/173878/Uvdesk-1.1.3-Shell-Upload.html

CVE-2023-26316 – Xiaomi Cloud Service XSS

An XSS vulnerability exists in the Xiaomi cloud service application.
The vulnerability is caused by the WebView's whitelist-checking function allowing the javascript: protocol to be loaded, and can be exploited by attackers to steal Xiaomi cloud service account cookies.

CVE-2023-26317 – Xiaomi Router Command Injection

A vulnerability has been discovered in Xiaomi routers that could allow command injection through an external interface.

CVE-2023-1437 – Advantech WebAccess

Advantech WebAccess/SCADA is vulnerable to use of untrusted pointers. The RPC arguments sent by the client can contain raw memory pointers that the server uses as-is. This could allow an attacker to gain access to the remote file system, execute commands and overwrite files.

CVE-2023-38954 – ZKTeco BioAccess IVS SQL Injection

ZKTeco BioAccess IVS v3.3.1 was discovered to contain a SQL injection vulnerability.

CVE-2023-37679 – NextGen Mirth Connect Remote Code Execution

A remote command execution (RCE) vulnerability in NextGen Mirth Connect v4.3.0 allows attackers to execute arbitrary commands on the hosting server.

Multiple Suprema BioStar 2 Vulnerabilities

Suprema BioStar 2, a web-based, open and integrated security platform that provides access control, time and attendance management and visitor management, has multiple vulnerabilities:

- CVE-2023-33363 – Authentication Bypass
- CVE-2023-33364 – OS Command Injection
- CVE-2023-33365 – Path Traversal
- CVE-2023-33366 – SQL Injection

CVE-2023-4145 & CVE-2023-38708 – Pimcore Vulnerabilities

Pimcore, a data and experience management tool, has two vulnerabilities:

- CVE-2023-4145 – Cross-Site Scripting
- CVE-2023-38708 – Path Traversal

Asus RT-AX82U Vulnerabilities

The Asus RT-AX82U router has multiple vulnerabilities discovered by Talos:

- CVE-2022-38393 – Denial of Service
- CVE-2022-38105 – Information Disclosure
- CVE-2022-35401 – Authentication Bypass

Important Weekly Threat Actors

CVE-2023-2868 – Barracuda Email Security Gateway (appliance form factor only)

Barracuda revealed that attackers, suspected to be the pro-China hacker group UNC4841, exploited the CVE-2023-2868 remote command injection zero-day to drop previously unknown malware dubbed Saltwater and SeaSpy, and a malicious tool called SeaSide, to establish reverse shells for easy remote access.

CVE-2022-0543 – Redis

The Unit 42 researchers who spotted the Rust-based worm named P2PInfect on July 11 also found that it breaks into Redis servers left vulnerable to the maximum-severity CVE-2022-0543 Lua sandbox escape vulnerability. While over 307,000 Internet-exposed Redis servers have been discovered in the last two weeks, only 934 instances are potentially vulnerable to this malware's attacks, according to the researchers. PoC: https://packetstormsecurity.com/files/166885/Redis-Lua-Sandbox-Escape.html

CVE-2023-3519, CVE-2023-3466, CVE-2023-3467 – Citrix ADC, Citrix Gateway

Around two weeks ago, the number of Citrix appliances vulnerable to CVE-2023-3519 attacks stood at around 15,000. Besides patching CVE-2023-3519, Citrix also patched two other high-severity vulnerabilities the same day, CVE-2023-3466 and CVE-2023-3467, which could be exploited for reflected cross-site scripting (XSS) attacks and privilege escalation to root. Ransomware gangs, including REvil and DoppelPaymer, have taken advantage of similar Citrix NetScaler ADC and Gateway vulnerabilities to breach corporate networks in past attacks.

CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 – Microsoft Exchange Server

These widespread Microsoft Exchange vulnerabilities have been held responsible for numerous exploits impacting thousands of organizations globally.
Notably, Acer's ransomware attack emerged as the first high-profile incident directly linked to the exploitation of these Microsoft Exchange vulnerabilities. This marked a significant milestone for ransomware attacks connected to the popular mail server software.

CVE-2021-30116 – Kaseya VSA

On July 2, 2021, the REvil ransomware attack leveraged multiple zero-day vulnerabilities in Kaseya's VSA (Virtual System/Server Administrator) product, which helps Kaseya customers monitor and manage their infrastructure. To deploy ransomware payloads on the systems of Kaseya customers and their clients, the REvil operators exploited the zero-day vulnerability CVE-2021-30116. It was found to be exploited by the infamous IoT/Linux botnet Mirai.

By: FireCompass Research Team – Debdipta Halder, Soumyanil Biswas, Faran Siddiqui

References:

- FireCompass Threat Intel Team
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- NVD CVE Feed

About FireCompass:

FireCompass is a SaaS platform for Continuous Automated Pen Testing, Red Teaming and External Attack Surface Management (EASM). FireCompass continuously indexes and monitors the deep, dark and surface webs using nation-state grade reconnaissance techniques.
The platform automatically discovers an organization's digital attack surface and launches multi-stage safe attacks, mimicking a real attacker, to help identify breach and attack paths that are otherwise missed by conventional tools.