Executive Summary
This week’s cybersecurity update highlights critical vulnerabilities and emerging threats. The CISA KEV catalog has added a severe flaw in the Microsoft Windows Common Log File System (CLFS) Driver, while active exploitation of the Hunk Companion WordPress plugin is underway. Ivanti CSA remains in the spotlight due to new vulnerabilities, and Google has patched two RCE flaws in its Cellular Baseband Subcomponent. The WP Umbrella plugin continues to pose risks, and a PoC exploit has been released for Mitel MiCollab vulnerabilities.
Botnet activity surged, with Zerobot targeting Tenda WiFi routers, Andoryu exploiting GitLab flaws, and IoT Reaper and AndroxGh0St continuing to exploit outdated vulnerabilities in Cisco routers and PHP Unit. Additionally, Mirai, Tsunami, Brickerbot, and Bashlite are exploiting an eight-year-old flaw in the Eir D1000 Modem.
In recent malware activity, Malichus malware has been exploiting vulnerabilities in Cleo Lexicom, VLTrader, and Harmony products, while Mauri ransomware is leveraging weaknesses in the Apache ActiveMQ server to infect systems.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insight into the latest emerging and widely discussed threats, helping defenders make informed patching and prioritization decisions.
An Elevation of Privilege vulnerability in the Windows Common Log File System (CLFS) Driver, with a CVSS score of 7.8 (High), has been exploited as a zero-day in the wild, according to Tenable researchers, though specific details of the exploitation remain unknown. Microsoft has addressed this flaw through a security update released as part of its Patch Tuesday program. Additionally, the vulnerability has been included in the CISA Known Exploited Vulnerabilities (KEV) catalog, highlighting its critical nature and the urgency for patching.
A critical vulnerability (CVSS 9.8) has been identified in the Hunk Companion WordPress plugin, affecting all versions prior to 1.9.0. This flaw allows attackers to arbitrarily install plugins through unauthenticated POST requests, posing a severe security risk. Active exploitation of this vulnerability has been detected in the wild, emphasizing the urgency for affected users to update to the patched version 1.9.0 immediately to safeguard their systems.
A critical authentication bypass vulnerability (CVSS 10) has been identified in the admin web console of Ivanti CSA, affecting versions prior to 5.0.3. This flaw allows remote, unauthenticated attackers to gain administrative access, posing a severe threat to system security. While Ivanti has released a security update to address the issue and stated that there is no evidence of active exploitation, the urgency for patching remains high. Previous vulnerabilities in Ivanti products have been exploited by state-sponsored attackers, underscoring the importance of immediate action to prevent potential misuse.
CVE-2024-39343 and CVE-2024-53842
Google's December 2024 security update addresses 28 vulnerabilities in total, including two critical Remote Code Execution (RCE) flaws, CVE-2024-39343 and CVE-2024-53842, in the Cellular Baseband subcomponent. These vulnerabilities could allow remote attackers to execute arbitrary code on affected devices. The update, specifically rolled out for Google Pixel devices and Samsung Mobile Processors, underscores the urgency for users to apply the patches and secure their systems against potential exploitation.
A critical Local File Inclusion (LFI) vulnerability (CVSS 9.8) in the WP Umbrella plugin for WordPress allows unauthenticated attackers to gain complete control over affected websites. The flaw, present in all versions up to and including 2.17.0, can be exploited by manipulating the filename parameter within the umbrella-restore action, enabling the injection and execution of malicious code on the server. This can lead to full access to the website’s files and databases, resulting in a complete compromise of the affected site, as reported by Wordfence.
CVE-2024-41713 and CVE-2024-35286
Cybersecurity researchers have released a proof-of-concept (PoC) exploit combining two critical vulnerabilities in Mitel MiCollab. CVE-2024-41713 (CVSS 9.8) allows attackers to exploit insufficient input validation in the NuPoint Unified Messaging (NPM) component, enabling path traversal attacks. This vulnerability, when chained with an arbitrary file read zero-day, grants attackers access to sensitive files. The flaw was discovered by WatchTowr Labs while investigating another critical vulnerability, CVE-2024-35286, which also exposes MiCollab to unauthorized access and operation manipulation.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
This section identifies vulnerabilities exploited by botnets, including recent CVEs logged in MISP, and presents the top 5 CVEs whose payloads are suggestive of botnet activity, such as download commands that invoke wget with raw IP addresses.
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities that are targeted by adversaries. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.
An unauthenticated remote code execution vulnerability, with a CVSS score of 8.8 (High) and active exploitation, has been discovered in Cleo Lexicom, VLTrader, and Harmony products, affecting versions prior to 5.8.0.23. This vulnerability allows attackers to upload malicious files, exposing systems to significant security risks. Although Cleo initially addressed a similar flaw allowing unrestricted file uploads and downloads, Huntress researchers identified that the patch was incomplete, leaving systems vulnerable to continued attacks. The flaw has been exploited by Malichus malware as a zero-day in the wild. To resolve this, Cleo has released an updated patch, version 5.8.0.24, and urges users to upgrade immediately to mitigate potential threats.
A critical remote code execution vulnerability (CVSS 9.8) in Apache ActiveMQ and ActiveMQ Artemis allows attackers to execute malicious commands and gain full control over target systems. Apache has released patches to resolve this issue. In addition to exploiting the flaw, attackers maintain access through techniques like creating hidden backdoor accounts for RDP access and deploying Quasar RAT for credential theft and remote command execution. Mauri ransomware also leverages this vulnerability to encrypt files and demand a ransom.
PRE-NVD observed for this week
PRE-NVD refers to vulnerabilities discovered, and potentially exploited, before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts, with plans to expand coverage.
External References
- https://www.cisa.gov/news-events/alerts/2024/12/10/cisa-adds-one-known-exploited-vulnerability-catalog
- https://www.tenable.com/blog/microsofts-december-2024-patch-tuesday-addresses-70-cves-cve-2024-49138
- https://asec.ahnlab.com/en/85000/
- https://cybersecuritynews.com/malichus-malware-exploiting-cleo-0-day/
- https://labs.watchtowr.com/where-theres-smoke-theres-fire-mitel-micollab-cve-2024-35286-cve-2024-41713-and-an-0day/
- https://thehackernews.com/2024/12/critical-mitel-micollab-flaw-exposes.html
- https://source.android.com/docs/security/bulletin/pixel/2024-12-01
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-health/wp-umbrella-update-backup-restore-monitoring-2170-unauthenticated-local-file-inclusion