Fortnightly Critical Vulnerabilities: February Part 1
The FireCompass research team identified a huge number of CVEs that are high in severity and ransomware, botnets, and threat actors creating Havoc. Some of the CVEs identified are of popular commercial products used by various industries and some new & well-known malware targeting industries for this week. In this, we will list important CVEs discovered as well as the list of malware, threat actors and botnets which were most active along with the CVEs that they were using in their campaigns.
List of Critical Vulnerabilities That Were Exploited – FireCompass Research :
- CVE-2020-12812, CVE-2024-21762 – FortiOS Multiple Vulnerability
- CVE-2020-0688, CVE-2021-34523, CVE-2024-21410 – Microsoft Exchange Multiple Vulnerability
- CVE-2021-21972 – vSphere Client
- CVE-2023-35188 – SolarWinds Platform
- CVE-2024-21364, CVE-2024-21376, CVE-2024-20667 – Microsoft Azure Multiple Vulnerability
- CVE-2024-21413, CVE-2024-21378 – Microsoft Outlook Multiple Vulnerability
- CVE-2023-51072 – NOC-Nagios XI
- CVE-2023-32328, CVE-2023-32330, CVE-2023-43017 – IBM Security Verify Access Multiple Vulnerability
- CVE-2023-39297, CVE-2023-45025, CVE-2023-47568 – QNAP OS Multiple Vulnerability
- CVE-2024-20252, CVE-2024-20254, CVE-2024-20255 – Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) Multiple Vulnerability
- CVE-2024-0338 – XAMPP
- CVE-2024-0253, CVE-2024-0269 – ManageEngine ADAudit Plus Multiple Vulnerability
List of Malwares And Threat Actors:
- CVE-2022-42475 – FortiOS SSL-VPN
- CVE-2023-36025 – Microsoft Windows and Windows Server
-> (Request Demo) 10 X Pen Testing Frequency & 100% Asset Coverage
Detailed Analysis: Vulnerabilities
CVE-2020-12812, CVE-2024-21762 – FortiOS Multiple Vulnerability:
CVE-2020-12812
CVE-2020-12812 is a vulnerability in FortiOS SSL VPN that allows users to bypass two-factor authentication (2FA) by simply changing the case of their username. This vulnerability exists because of inconsistent case-sensitivity handling between local and remote authentication methods. For example, if a user’s username is stored in lowercase on the local system but uppercase on the remote authentication server, they can bypass 2FA by logging in with a mixed-case username (e.g., “jUsEr” instead of “user”). This vulnerability affects FortiOS versions 6.4.0, 6.2.0 to 6.2.3, and 6.0.9 and below. It is recommended to upgrade to FortiOS 6.4.1 or later, 6.2.4 or later, or 6.0.10 or later to address this vulnerability.
CVE-2024-21762
CVE-2024-21762 is a critical vulnerability in Fortinet FortiOS and FortiProxy software that exposes devices to attackers. This vulnerability, caused by an out-of-bounds write issue, allows attackers to remotely execute arbitrary code or commands on affected devices by sending specially crafted requests. This means attackers could potentially take full control of your device and use it for malicious purposes. If you use Fortinet FortiOS or FortiProxy, it’s crucial to update to the latest patched version immediately to address this vulnerability and protect your devices.
A total of 42 endpoints of FortiOS are exposed on the Shodan.
CVE-2021-21972 – vSphere Client
A critical vulnerability in VMware vCenter Server (versions 7.x before 7.0 U1c, 6.7 before 6.7 U3l, and 6.5 before 6.5 U3n) and VMware Cloud Foundation (versions 4.x before 4.2 and 3.x before 3.10.1.2) allows remote attackers with network access to port 443 to execute arbitrary code with unrestricted privileges on the underlying operating system. This vulnerability exists due to an unauthenticated remote code execution flaw within a vCenter Server plugin.
A total of more than 2K endpoints of vSphare are exposed on the Shodan.
CVE-2023-35188 – SolarWinds Platform
CVE-2023-35188 exposes a critical security risk in SolarWinds Platform versions up to 2023.4.2. It allows attackers to remotely execute malicious code within the platform if they have valid user credentials. This vulnerability arises from a flaw in how the platform handles SQL statements, specifically within the “create” function. While user authentication is required for exploitation, attackers could potentially leverage stolen credentials or social engineering tactics to gain access. Upgrading to the latest SolarWinds Platform version (2023.4.3 or later) is essential to mitigate this risk.
A total of 315 endpoints of SolarWinds Platform are exposed on the Shodan.
>> [Request RECON Demo] - Reconnaissance Techniques As Threat Actors
CVE-2024-21364, CVE-2024-21376, CVE-2024-20667 – Microsoft Azure Multiple Vulnerability:
CVE-2024-21364
CVE-2024-21364 is a recently discovered critical vulnerability in Microsoft Azure Site Recovery that allows attackers to escalate their privileges on the system. While specific details of the exploit are still emerging, it’s crucial to prioritize patching your Azure Site Recovery instance immediately to prevent potential compromise.
CVE-2024-21376
CVE-2024-21376 is a critical vulnerability in Microsoft Azure Kubernetes Service (AKS) affecting Confidential Containers (AKSCC). It allows attackers to remotely execute malicious code within AKS, potentially granting them unrestricted access to sensitive data and resources. This vulnerability arises due to improper isolation between untrusted AKS nodes and AKSCC, enabling attackers to exploit specific configurations and gain control over confidential guests and containers. The vulnerability requires no authentication and carries a CVSSv3 score of 9.0, indicating a severe risk. Microsoft has released security patches, and immediate patching is crucial to mitigate this vulnerability.
CVE-2024-20667
A critical vulnerability (CVE-2024-20667) exists in Azure DevOps Server versions 2019.1.2, 2020.1.2, and 2022.1, allowing attackers to remotely execute malicious code on affected servers. This vulnerability, categorized as “remote code execution,” grants attackers complete control over the server, enabling them to steal sensitive data, disrupt operations, or install malware.The vulnerability stems from an issue with how the server processes specific requests. Exploiting this vulnerability requires no user interaction or authentication, making it highly dangerous.
A total of more than 217K endpoints of Azure are exposed on the Shodan.
-> Hackers Won't Wait For Your Next Pen Test: Know Automated Continuous Pen Test
CVE-2024-21413, CVE-2024-21378 – Microsoft Outlook Multiple Vulnerability:
CVE-2024-21413
CVE-2024-21413 is a critical remote code execution vulnerability affecting Microsoft Outlook versions included in Microsoft Office 2019, Microsoft 365 Apps for Enterprise, Microsoft Office LTSC 2021, and Microsoft Office 2016. It allows attackers to gain high privileges on a vulnerable system, potentially leading to data theft, malware installation, or complete system compromise.The vulnerability arises from a flaw in how Outlook handles malicious links that bypass the Protected View Protocol. This enables attackers to leak local NTLM credential information and ultimately achieve remote code execution (RCE) without requiring any user interaction or specific privileges.
CVE-2024-21378
A critical vulnerability (CVE-2024-21378) exists in Microsoft Outlook, potentially affecting various versions within Microsoft Office suites (2019, 365 Apps, LTSC 2021, 2016). This vulnerability allows attackers to remotely execute malicious code on your system, granting them complete control and potentially leading to data breaches, malware installation, or system disruption.
A total of 698 endpoints of Microsoft Outlook are exposed on the Shodan.
CVE-2023-51072 – NOC-Nagios XI
Nagios XI versions up to 2024R1 contain an XSS vulnerability where low-privileged users can upload audio files laced with malicious code. This code silently executes for any user viewing the file, potentially granting attackers complete control over accounts, data, and even the entire system. Upgrade immediately to version 2024R1.0.1 or later, disable audio uploads if unused, and educate users to avoid falling victim. Remember, vigilance and ongoing security measures are crucial for complete protection.
A total of 914 endpoints of NOC-Nagios XI are exposed on the Shodan.
-> (Request Demo) 10 X Pen Testing Frequency & 100% Asset Coverage
CVE-2023-32328, CVE-2023-32330, CVE-2023-43017 – IBM Security Verify Access Multiple Vulnerability
CVE-2023-32328
IBM Security Verify Access versions up to 10.0.6.1 are vulnerable due to insecure communication protocols, potentially allowing attackers on the network to gain complete control of the server. This critical vulnerability (CVE-2023-32328) exposes sensitive information and lacks a publicly available exploit yet. Update immediately to a patched version (10.0.7 or later) to mitigate the risk. Remember, swift action and vigilance are key to protecting your systems.
CVE-2023-32330
CVE-2023-32330 exposes a critical vulnerability in IBM Security Verify Access 10.0.0.0 to 10.0.6.1, where insecure calls within the system could grant attackers on the network complete control of the server. This vulnerability (IBM X-Force ID: 254977) poses a severe risk as it lacks a public exploit yet. Immediate patching to version 10.0.7 or later is essential to safeguard your system and sensitive data. Remember, staying ahead of vulnerabilities through timely updates and proactive security measures is crucial.
CVE-2023-43017
A critical vulnerability (CVE-2023-43017) exists in IBM Security Verify Access versions 10.0.0.0 to 10.0.6.1. Privileged users with malicious intent can exploit this flaw to install a configuration file enabling remote access, potentially compromising confidentiality, integrity, and availability of the system. While technical details are limited, immediate patching to version 10.0.7 or later is essential to address this high-risk vulnerability. Remember, staying informed and proactive with security updates is crucial for optimal protection.
A total of 90 endpoints of IBM Security Verify Access are exposed on the Shodan.
>> [Request RECON Demo] - Reconnaissance Techniques As Threat Actors
CVE-2023-39297, CVE-2023-45025, CVE-2023-47568 – QNAP OS Multiple Vulnerability
CVE-2023-39297
Several QNAP operating systems are vulnerable to CVE-2023-39297, an OS command injection flaw allowing authenticated users to execute malicious commands remotely. Update immediately to QTS 5.1.4.2596 (build 20231128) or later, QTS 4.5.4.2627 (build 20231225) or later, QuTS hero h5.1.4.2596 (build 20231128) or later, QuTS hero h4.5.4.2626 (build 20231225) or later, or QuTScloud c5.1.5.2651 or later to prevent attackers from potentially taking control of your system.
CVE-2023-45025
QNAP operating systems before QTS 5.1.4.2596 (build 20231128), QTS 4.5.4.2627 (build 20231225), QuTS hero h5.1.4.2596 (build 20231128), QuTS hero h4.5.4.2626 (build 20231225), and QuTScloud c5.1.5.2651 are vulnerable to CVE-2023-45025, an OS command injection flaw. This vulnerability allows malicious users to execute commands on your system over the network, potentially granting them complete control. Update immediately to the mentioned versions or later to mitigate the risk.
CVE-2023-47568
QNAP operating systems before QTS 5.1.5.2645 (build 20240116), QTS 4.5.4.2627 (build 20231225), QuTS hero h5.1.5.2647 (build 20240118), QuTS hero h4.5.4.2626 (build 20231225), and QuTScloud c5.1.5.2651 are vulnerable to CVE-2023-47568. This SQL injection flaw lets authenticated users inject malicious code over the network, potentially compromising your system. Update immediately to the mentioned versions or later to secure your QNAP device.
A total of more than 508K endpoints of QNAP OS are exposed on the Shodan.
-> Hackers Won't Wait For Your Next Pen Test: Know Automated Continuous Pen Test
CVE-2024-20252, CVE-2024-20254, CVE-2024-20255 – Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) Multiple Vulnerability
CVE-2024-20252
Unpatched Cisco Expressway Series and TelePresence VCS devices (up to a specific date) are vulnerable to multiple CSRF attacks, allowing unauthenticated remote attackers to manipulate the system and potentially gain control. These critical vulnerabilities require immediate patching to Cisco Expressway Control (Expressway-C) or Edge (Expressway-E) devices and TelePresence VCS servers to prevent attackers from exploiting them.
CVE-2024-20254
Unpatched Cisco Expressway and TelePresence VCS devices (up to a specific date) are susceptible to various CSRF attacks, enabling unauthenticated remote attackers to execute arbitrary actions and potentially take control of the system. These critical vulnerabilities demand immediate patching of both Cisco Expressway Control/Edge devices and TelePresence VCS servers to prevent exploitation.
CVE-2024-20255
An unpatched Cisco Expressway Series or TelePresence VCS server harbours a CSRF vulnerability in its SOAP API. This means a remote attacker, without needing any prior authentication, can trick a user with access to the REST API into clicking a malicious link. If successful, the attacker can force the affected system to reload, potentially disrupting operations or setting the stage for further attacks. Immediate patching is crucial to close this security gap.
A total of more than 200 endpoints of Cisco Expressway Series and VCS are exposed on the Shodan.
CVE-2024-0338 – XAMPP
XAMPP versions up to 8.2.4 are vulnerable to an exploit (CVE-2024-0338) where attackers can inject malicious code through a long file debug argument. This code gives them full control of the system, allowing them to steal data, install malware, or disrupt operations. Upgrade to XAMPP version 8.2.5 or later immediately to prevent attackers from exploiting this critical vulnerability.
A total of more than 3.5K endpoints of XAMPP are exposed on the Shodan.
CVE-2024-0253, CVE-2024-0269 – ManageEngine ADAudit Plus Multiple Vulnerability
CVE-2024-0253
ManageEngine ADAudit Plus versions 7270 and below contain a critical vulnerability (CVE-2024-0253) that allows authenticated attackers to inject malicious SQL code. This could grant them complete control over the system, compromising sensitive data and disrupting operations. Upgrade to version 7271 or later immediately to address this vulnerability.
CVE-2024-0269
ManageEngine ADAudit Plus versions 7270 and below are susceptible to an authenticated SQL injection vulnerability (CVE-2024-0269) within the File-Summary DrillDown feature. This allows attackers with valid access to inject malicious code and potentially compromise the entire system. Thankfully, a fix is available in version 7271, so upgrading immediately is crucial to safeguard your data and infrastructure.
A total of 479 endpoints of ManageEngine ADAudit Plus are exposed on the Shodan.
-> (Request Demo) 10 X Pen Testing Frequency & 100% Asset Coverage
Important Weekly Threat Actors
CVE-2022-42475 – FortiOS SSL-VPN
A Chinese cyber-espionage group exploited the CVE-2022-42475 FortiOS SSL-VPN vulnerability to compromise FortiGate firewalls at the Dutch Ministry of Defence. They deployed a persistent RAT malware named Coathanger, designed to steal data and potentially gain control of the system. This malware is stealthy and survives reboots and firmware upgrades. Dutch intelligence linked the attack with high confidence to a Chinese state-sponsored hacking group, highlighting the dangers of unpatched vulnerabilities and the sophisticated tactics employed by such actors.
A total of 808 endpoints of FortiOS are exposed on the Shodan.
CVE-2023-36025 – Microsoft Windows and Windows Server
CVE-2023-36025 was exploited by attackers wielding a new variant of Mispadu Stealer, a Delphi-based malware targeting Latin America, particularly Mexico. This malware, linked to a broader banking malware family, spread via phishing emails containing URLs that bypassed SmartScreen warnings using CVE-2023-36025. The attackers are unknown, but the malware’s characteristics suggest connections to a Mispadu sample from earlier in 2023. This incident highlights the evolving tactics of cybercriminals and the need for proactive defence measures against constantly developing malware threats.
A total of more than 23K endpoints of Windows and Windows Server are exposed on the Shodan.
Blog By
Author: Debdipta Halder
Assisted By: Soumyanil Biswas, Faran Siddiqui, Anirban Bain
About FireCompass:
FireCompass is a SaaS platform for Continuous Automated Pen Testing, Red Teaming and External Attack Surface Management (EASM). FireCompass continuously indexes and monitors the deep, dark and surface webs using nation-state grade reconnaissance techniques. The platform automatically discovers an organization’s digital attack surface and launches multi-stage safe attacks, mimicking a real attacker, to help identify breach and attack paths that are otherwise missed out by conventional tools.
Feel free to get in touch with us to get a better view of your attack surface.