This week, six new vulnerabilities were added to the CISA KEV catalog, putting Ivanti and Microsoft under high pressure as both had two critical zero-day flaws flagged. Heightening the urgency, severe vulnerabilities from Qualcomm and Fortinet also joined the list, intensifying the cybersecurity landscape. 

Meanwhile, longstanding vulnerabilities continue to pose significant risks, with a seven-year-old flaw in Microsoft now being exploited by LemonDuck malware. 

In addition, the Mirai botnet continued its efforts on TP-Link Archer AX21 routers, illustrating its relentless pursuit of consumer device exploitation. Simultaneously, the Sysrv and Enemy botnets have been found actively exploiting vulnerabilities in Spring Cloud Gateway, broadening their attack surface. Furthermore, the IoT_Reaper botnet persists in its activities, consistently targeting a longstanding vulnerability in MVPower CCTV DVR models.

Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping to make informed decisions. 

CVE-2024-43047

A use-after-free vulnerability has been identified in the Qualcomm Digital Signal Processor (DSP) service, impacting multiple Qualcomm chipsets. This vulnerability, which has a high CVSS score of 7.8 has also been included in the CISA Known Exploited Vulnerabilities (KEV) catalog.

CVE-2024-43572

A remote code execution vulnerability in Microsoft Management Console (MMC), with a CVSS score of 7.8, enables malicious MSC files to execute remote code on vulnerable systems and has been added to the CISA KEV list.

CVE-2024-43573

A spoofing vulnerability in the Windows MSHTML Platform, which can be exploited by a remote attacker by tricking a user into opening a malicious file, has been added to the CISA KEV list.

CVE-2024-9379, CVE-2024-9380 and CVE-2024-9381

Ivanti has released a patch for three security vulnerabilities in its Cloud Service Appliance (CSA), which were actively exploited as zero-days in the wild. These vulnerabilities were weaponized in conjunction with another flaw, CVE-2024-8963, which the company addressed last month.  Successful exploitation of these vulnerabilities could enable an authenticated attacker with admin privileges to bypass security restrictions, execute arbitrary SQL commands, or achieve remote code execution, posing a significant risk to affected systems. In response, CISA has added CVE-2024-9379 and CVE-2024-9380 to its Known Exploited Vulnerabilities (KEV) catalog.

CVE-2024-23113

A critical format string vulnerability has been identified in multiple Fortinet products, which, once exploited, allows attackers to infiltrate networks, access sensitive data, or establish a foothold for lateral movement within the environment. Rated with a CVSS score of 9.8, this severe vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.

Telemetry collected from Loginsoft sensors were analyzed and processed to derive insights on what is actively being exploited and actively being scanned. As source of truth, source IPv4 addresses & payloads can be provided on need-to-know basis.

Identified vulnerabilities exploited by botnets, including recent CVEs logged in Misp. Presenting the top 5 CVEs with payloads suggestive of botnet activities, like utilizing wget with IP addresses.

We proactively monitor the vulnerabilities which are targeted by adversaries. Each vulnerability is humanly studied and mapped with Mitre ATT&CK tactics and techniques. Source of information is derived from our vulnerability intelligence platform collected and curated information from various sources such as Twitter, Telegram, OSINT groups, Blogs, Data leak Sites and more.  

CVE-2017-0144

Recent investigations revealed that LemonDuck malware leveraged a seven-year-old remote code execution vulnerability in Microsoft's Server Message Block (SMB) protocol for cryptomining activities. This flaw could allow attackers to execute arbitrary code on targeted servers, potentially giving them control over the system.

It refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.

1. https://www.cisa.gov/news-events/alerts/2024/10/09/cisa-adds-three-known-exploited-vulnerabilities-catalog 
2. https://www.cisa.gov/news-events/alerts/2024/10/08/cisa-adds-three-known-exploited-vulnerabilities-catalog 
3. https://notes.netbytesec.com/2024/10/lemonduck-unleashes-cryptomining.html 
4. https://www.darkreading.com/vulnerabilities-threats/brute-force-attacks-vulnerability-exploits-top-initial-attack-vectors 
5. https://thehackernews.com/2024/10/zero-day-alert-three-critical-ivanti.html