
Critical CVEs And Active Threats: IBM Security, CISCO Expressway, Microsoft Windows and More

This week, from February 5th to 9th, the FireCompass research team identified a large number of high-severity CVEs, together with ransomware, botnets and threat actors creating havoc. Some of the CVEs affect popular commercial products used across many industries, and several new and well-known malware families targeted industries this week. Below we list the important CVEs discovered, along with the malware, threat actors and botnets that were most active and the CVEs they used in their campaigns.

List of Critical Vulnerabilities That Were Exploited – FireCompass Research:

  • CVE-2023-51072 – NOC-Nagios XI
  • CVE-2023-32328, CVE-2023-32330, CVE-2023-43017 – IBM Security Verify Access Multiple Vulnerabilities
  • CVE-2023-39297, CVE-2023-45025, CVE-2023-47568 – QNAP OS Multiple Vulnerabilities
  • CVE-2024-20252, CVE-2024-20254, CVE-2024-20255 – Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) Multiple Vulnerabilities
  • CVE-2024-0338 – XAMPP
  • CVE-2024-0253, CVE-2024-0269 – ManageEngine ADAudit Plus Multiple Vulnerabilities

List of Malware and Threat Actors:

  • CVE-2022-42475 – FortiOS SSL-VPN
  • CVE-2023-36025 – Microsoft Windows and Windows Server

Detailed Analysis: Vulnerabilities

CVE-2023-51072 – NOC-Nagios XI

Nagios XI versions up to 2024R1 contain an XSS vulnerability where low-privileged users can upload audio files laced with malicious code. This code silently executes for any user viewing the file, potentially granting attackers complete control over accounts, data, and even the entire system. Upgrade immediately to version 2024R1.0.1 or later, disable audio uploads if unused, and educate users to avoid falling victim. Remember, vigilance and ongoing security measures are crucial for complete protection.
A total of 914 endpoints of NOC-Nagios XI are exposed on the Shodan.

CVE-2023-32328, CVE-2023-32330, CVE-2023-43017 – IBM Security Verify Access Multiple Vulnerabilities

CVE-2023-32328

IBM Security Verify Access versions up to 10.0.6.1 are vulnerable due to insecure communication protocols, potentially allowing attackers on the network to gain complete control of the server. This critical vulnerability (CVE-2023-32328) exposes sensitive information and lacks a publicly available exploit yet. Update immediately to a patched version (10.0.7 or later) to mitigate the risk. Remember, swift action and vigilance are key to protecting your systems.

CVE-2023-32330

CVE-2023-32330 exposes a critical vulnerability in IBM Security Verify Access 10.0.0.0 to 10.0.6.1, where insecure calls within the system could grant attackers on the network complete control of the server. This vulnerability (IBM X-Force ID: 254977) poses a severe risk even though no public exploit is available yet. Immediate patching to version 10.0.7 or later is essential to safeguard your system and sensitive data. Remember, staying ahead of vulnerabilities through timely updates and proactive security measures is crucial.

CVE-2023-43017

A critical vulnerability (CVE-2023-43017) exists in IBM Security Verify Access versions 10.0.0.0 to 10.0.6.1. Privileged users with malicious intent can exploit this flaw to install a configuration file enabling remote access, potentially compromising confidentiality, integrity, and availability of the system. While technical details are limited, immediate patching to version 10.0.7 or later is essential to address this high-risk vulnerability. Remember, staying informed and proactive with security updates is crucial for optimal protection.

A total of 90 endpoints of IBM Security Verify Access are exposed on the Shodan.

CVE-2023-39297, CVE-2023-45025, CVE-2023-47568 – QNAP OS Multiple Vulnerabilities

CVE-2023-39297

Several QNAP operating systems are vulnerable to CVE-2023-39297, an OS command injection flaw allowing authenticated users to execute malicious commands remotely. Update immediately to QTS 5.1.4.2596 (build 20231128) or later, QTS 4.5.4.2627 (build 20231225) or later, QuTS hero h5.1.4.2596 (build 20231128) or later, QuTS hero h4.5.4.2626 (build 20231225) or later, or QuTScloud c5.1.5.2651 or later to prevent attackers from potentially taking control of your system.

CVE-2023-45025

QNAP operating systems before QTS 5.1.4.2596 (build 20231128), QTS 4.5.4.2627 (build 20231225), QuTS hero h5.1.4.2596 (build 20231128), QuTS hero h4.5.4.2626 (build 20231225), and QuTScloud c5.1.5.2651 are vulnerable to CVE-2023-45025, an OS command injection flaw. This vulnerability allows malicious users to execute commands on your system over the network, potentially granting them complete control. Update immediately to the mentioned versions or later to mitigate the risk.

CVE-2023-47568

QNAP operating systems before QTS 5.1.5.2645 (build 20240116), QTS 4.5.4.2627 (build 20231225), QuTS hero h5.1.5.2647 (build 20240118), QuTS hero h4.5.4.2626 (build 20231225), and QuTScloud c5.1.5.2651 are vulnerable to CVE-2023-47568. This SQL injection flaw lets authenticated users inject malicious code over the network, potentially compromising your system. Update immediately to the mentioned versions or later to secure your QNAP device.
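The three QNAP advisories above give different fixed versions per product line and per branch (5.1.x versus 4.5.x), and CVE-2023-47568 was fixed one release later than the other two, so a device on QTS 5.1.4.2596 is patched for two of the three CVEs but not the third. The following is an added example, not FireCompass code, that checks a QNAP version banner against the fixed versions listed in this post; the banner formats and the branch-matching rule are assumptions, and the sample banners are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# First fixed versions per CVE, transcribed from the advisory text above.
# Key: (product, branch) -> first fixed version; the build dates on the page
# correspond to these version numbers, so only the numeric version is compared.
FIXED: Dict[str, Dict[Tuple[str, Tuple[int, int]], Tuple[int, ...]]] = {
    "CVE-2023-39297": {
        ("QTS", (5, 1)): (5, 1, 4, 2596), ("QTS", (4, 5)): (4, 5, 4, 2627),
        ("QuTS hero", (5, 1)): (5, 1, 4, 2596), ("QuTS hero", (4, 5)): (4, 5, 4, 2626),
        ("QuTScloud", (5, 1)): (5, 1, 5, 2651),
    },
    "CVE-2023-45025": {
        ("QTS", (5, 1)): (5, 1, 4, 2596), ("QTS", (4, 5)): (4, 5, 4, 2627),
        ("QuTS hero", (5, 1)): (5, 1, 4, 2596), ("QuTS hero", (4, 5)): (4, 5, 4, 2626),
        ("QuTScloud", (5, 1)): (5, 1, 5, 2651),
    },
    "CVE-2023-47568": {
        ("QTS", (5, 1)): (5, 1, 5, 2645), ("QTS", (4, 5)): (4, 5, 4, 2627),
        ("QuTS hero", (5, 1)): (5, 1, 5, 2647), ("QuTS hero", (4, 5)): (4, 5, 4, 2626),
        ("QuTScloud", (5, 1)): (5, 1, 5, 2651),
    },
}

# Assumed banner shape: "<product> [h|c]<a.b.c.d> [build NNNNNNNN]" as QNAP
# prints it (the "h"/"c" prefix marks QuTS hero / QuTScloud versions).
VERSION_RE = re.compile(r"^(QTS|QuTS hero|QuTScloud)\s+[hc]?(\d+\.\d+\.\d+\.\d+)", re.I)
CANON = {"qts": "QTS", "quts hero": "QuTS hero", "qutscloud": "QuTScloud"}


def parse_version(banner: str) -> Tuple[str, Tuple[int, ...]]:
    """Return (product, version tuple) or raise on an unrecognised banner."""
    m = VERSION_RE.match(banner.strip())
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {banner!r}")
    return CANON[m.group(1).lower()], tuple(int(x) for x in m.group(2).split("."))


def assess(banner: str) -> Dict[str, Optional[bool]]:
    """Map each CVE to True (still vulnerable), False (fixed) or None
    (branch not covered by the advisory text; review manually)."""
    product, ver = parse_version(banner)
    result: Dict[str, Optional[bool]] = {}
    for cve, table in FIXED.items():
        fixed = table.get((product, ver[:2]))  # match on product and major.minor branch
        result[cve] = None if fixed is None else ver < fixed
    return result
```

A device reporting "QTS 5.1.4.2596 build 20231128" comes back fixed for CVE-2023-39297 and CVE-2023-45025 but still vulnerable to CVE-2023-47568, which is the case an inventory check that only looks at the earliest advisory would miss.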

A total of more than 508K endpoints of QNAP OS are exposed on the Shodan.

CVE-2024-20252, CVE-2024-20254, CVE-2024-20255 – Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) Multiple Vulnerabilities

CVE-2024-20252

Unpatched Cisco Expressway Series and TelePresence VCS devices are vulnerable to multiple CSRF attacks, allowing unauthenticated remote attackers to manipulate the system and potentially gain control. These critical vulnerabilities require immediate patching of Cisco Expressway Control (Expressway-C) and Edge (Expressway-E) devices and TelePresence VCS servers to prevent attackers from exploiting them.

CVE-2024-20254

Unpatched Cisco Expressway and TelePresence VCS devices are susceptible to various CSRF attacks, enabling unauthenticated remote attackers to execute arbitrary actions and potentially take control of the system. These critical vulnerabilities demand immediate patching of both Cisco Expressway Control/Edge devices and TelePresence VCS servers to prevent exploitation.

CVE-2024-20255

An unpatched Cisco Expressway Series or TelePresence VCS server harbours a CSRF vulnerability in its SOAP API. This means a remote attacker, without needing any prior authentication, can trick a user with access to the REST API into clicking a malicious link. If successful, the attacker can force the affected system to reload, potentially disrupting operations or setting the stage for further attacks. Immediate patching is crucial to close this security gap.

A total of more than 200 endpoints of Cisco Expressway Series and VCS are exposed on the Shodan.

CVE-2024-0338 – XAMPP

XAMPP versions up to 8.2.4 are vulnerable to an exploit (CVE-2024-0338) where attackers can inject malicious code through a long file debug argument. This code gives them full control of the system, allowing them to steal data, install malware, or disrupt operations. Upgrade to XAMPP version 8.2.5 or later immediately to prevent attackers from exploiting this critical vulnerability.
A total of more than 3.5K endpoints of XAMPP are exposed on the Shodan.

CVE-2024-0253, CVE-2024-0269 – ManageEngine ADAudit Plus Multiple Vulnerabilities

CVE-2024-0253

ManageEngine ADAudit Plus versions 7270 and below contain a critical vulnerability (CVE-2024-0253) that allows authenticated attackers to inject malicious SQL code. This could grant them complete control over the system, compromising sensitive data and disrupting operations. Upgrade to version 7271 or later immediately to address this vulnerability.

CVE-2024-0269

ManageEngine ADAudit Plus versions 7270 and below are susceptible to an authenticated SQL injection vulnerability (CVE-2024-0269) within the File-Summary DrillDown feature. This allows attackers with valid access to inject malicious code and potentially compromise the entire system. Thankfully, a fix is available in version 7271, so upgrading immediately is crucial to safeguard your data and infrastructure.

A total of 479 endpoints of ManageEngine ADAudit Plus are exposed on the Shodan.

Important Weekly Threat Actors

CVE-2022-42475 – FortiOS SSL-VPN

A Chinese cyber-espionage group exploited the CVE-2022-42475 FortiOS SSL-VPN vulnerability to compromise FortiGate firewalls at the Dutch Ministry of Defence. They deployed a persistent RAT malware named Coathanger, designed to steal data and potentially gain control of the system. This malware is stealthy and survives reboots and firmware upgrades. Dutch intelligence linked the attack with high confidence to a Chinese state-sponsored hacking group, highlighting the dangers of unpatched vulnerabilities and the sophisticated tactics employed by such actors.

A total of 808 endpoints of FortiOS are exposed on the Shodan.

CVE-2023-36025 – Microsoft Windows and Windows Server

CVE-2023-36025 was exploited by attackers wielding a new variant of Mispadu Stealer, a Delphi-based malware targeting Latin America, particularly Mexico. This malware, linked to a broader banking malware family, spread via phishing emails containing URLs that bypassed SmartScreen warnings using CVE-2023-36025. The attackers are unknown, but the malware’s characteristics suggest connections to a Mispadu sample from earlier in 2023. This incident highlights the evolving tactics of cybercriminals and the need for proactive defence measures against constantly developing malware threats.
A total of more than 23K endpoints of Windows and Windows Server are exposed on the Shodan.

Blog By

Author: Debdipta Halder

Assisted By: Soumyanil Biswas, Faran Siddiqui, Anirban Bain

About FireCompass:

FireCompass is a SaaS platform for Continuous Automated Pen Testing, Red Teaming and External Attack Surface Management (EASM). FireCompass continuously indexes and monitors the deep, dark and surface webs using nation-state grade reconnaissance techniques. The platform automatically discovers an organization's digital attack surface and launches multi-stage safe attacks, mimicking a real attacker, to help identify breach and attack paths that are otherwise missed by conventional tools.

Feel free to get in touch with us to get a better view of your attack surface.

Important Resources: