Latest Exploited CVEs and CISA KEV Updates

October 4, 2024
Executive Summary
Trending / Critical Vulnerabilities
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Vulnerabilities abused by Botnet
Vulnerabilities Abused by Malware
PRE-NVD observed for this week
External References
Subscribe to our Reports

Executive Summary

In a troubling development this week, cybersecurity vulnerabilities surged, with six new entries added to the CISA KEV list, a dramatic rise from just one CVE identified last week. Critical vulnerabilities identified in Ivanti EPM and Zimbra's postjournal service have become attractive targets for threat actors, primarily due to the availability of proof-of-concept exploits.  

The persistent threats posed by outdated vulnerabilities were exemplified by the Motion Spell GitHub repository and SAP Commerce Cloud, both of which were recognized as critical risks and subsequently added to the CISA KEV list.

Two significant command injection vulnerabilities affecting DrayTek Vigor routers, and D-Link DIR-820 routers were exploited by threat actors to disseminate the Mirai botnet. In addition, for the third week in a row, the Mirai botnet has targeted TP-Link Archer AX21 routers, showcasing its relentless focus on compromising consumer devices.  

Simultaneously, the Sysrv and Enemy botnets have been detected actively exploiting vulnerabilities in Spring Cloud Gateway, effectively broadening their scope of attack. Additionally, the IoT_Reaper botnet continues its operations, persistently targeting an eight-year-old vulnerability found in MVPower CCTV DVR models.

Trending / Critical Vulnerabilities

Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping to make informed decisions.  

CVE-2024-29824

A critical SQL Injection vulnerability has been identified in the Ivanti EPM Versions 2022 SU5 and earlier. With a high CVSS Score of 9.6, this vulnerability was added to the CISA KEV catalog. Although this vulnerability has a low EPSS of 0.00067, the publicly available proof of concept makes it highly susceptible to exploitation.

CVE-2024-45519

A critical vulnerability in Zimbra's postjournal service enables unauthenticated attackers to execute arbitrary code on affected systems. With a CVSS score of 10 and an available proof-of-concept, this vulnerability has been added to the CISA KEV list, emphasizing the urgent need for users to apply patches and strengthen security measures.

CVE-2023-25280

According to Unit 42, a critical command injection vulnerability in D-Link DIR820LA1_FW105B03 routers has been actively exploited by a variant of the Mirai Botnet since March 2023. This vulnerability allows attackers to escalate privileges to root through a specially crafted payload. Due to its severity, it has been added to the CISA KEV list.

CVE-2021-4043

A null pointer dereference vulnerability has been identified in versions of the Motion Spell GitHub repository GPAC prior to 1.1.0, allowing attackers to execute arbitrary code. With a publicly available proof of concept demonstrating the exploit, this vulnerability has been classified as severe and subsequently added to the CISA KEV list.

CVE-2020-15415

A critical command injection vulnerability in DrayTek Vigor3900, Vigor2960, and Vigor300B routers allowed attackers to execute arbitrary code remotely. This vulnerability was exploited by the V3G4 variant of the Mirai botnet from July to December 2022 and has been recently added to the CISA KEV list.

CVE-2019-0344

A critical deserialization of untrusted data vulnerability in SAP Commerce Cloud allows attackers to execute malicious code on the target system by exploiting flaws in the deserialization process. By leveraging this flaw, attackers can execute arbitrary code with the privileges of the 'Hybris' user, potentially compromising the security of the application. This vulnerability has been added to the CISA KEV list, highlighting its severity and the urgent need for patching.

Exploit Activity and Mass Scanning Observed on Cytellite Sensors

Telemetry collected from Loginsoft sensors were analyzed and processed to derive insights on what is actively being exploited and actively being scanned.  As source of truth, source IPv4 addresses & payloads can be provided on need-to-know basis.

Vulnerabilities Product Severity Title Exploited – in the-wild CISA KEV
CVE-2024-4577 PHP-CGI on Windows High Critical argument injection vulnerability in PHP on Windows servers True True
CVE-2023-4415 Ruijie RG-EW1200G 07161417 r483 High Improper Authentication vulnerability in Ruijie RG-EW1200G 07161417 r483 False False
CVE-2023-4966 D-Link NAS devices Critical Command Injection Vulnerability in D-Link NAS devices True True
CVE-2023-38646 Metabase open source and Metabase Enterprise Critical Remote code execution vulnerability in Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 True True
CVE-2023-1389 TP-Link Archer AX-21 High Command Injection Vulnerability in TP-Link Archer AX-21 True True
CVE-2022-34045 Wavlink Devices Critical Hardcoded encryption/decryption key vulnerability in Wavlink False False
CVE-2022-30489 Wavlink Devices Medium Cross-site scripting vulnerability in Wavlink Devices False False
CVE-2022-30023 Tenda Devices High Command injection vulnerability via the Ping function in Tenda Products False False
CVE-2022-25168 Apache Hadoop Critical Command injection vulnerability in org.apache.hadoop.fs.FileUtil.unTarUsingTar in Apache Hadoop False False
CVE-2022-41040 Microsoft Exchange Server High Server-Side Request Forgery Vulnerability in Microsoft Exchange Server True True
CVE-2022-22947 Spring Cloud Gateway Critical Remote code execution vulnerability in Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ True True

Vulnerabilities abused by Botnet

Identified vulnerabilities exploited by botnets, including recent CVEs logged in Misp. Presenting the top 5 CVEs with payloads suggestive of botnet activities, like utilizing wget with IP addresses.

Vulnerability Product Title Exploit Abused by Botnet
CVE-2023-1389 TP-Link Archer AX21 An unauthenticated command injection vulnerability found in the TP-Link Archer AX21 WiFi router True AGoent
Gafgyt
Moobot
Miori
Mirai
Condi
CVE-2022-22947 Spring Cloud Gateway Remote code execution vulnerability in Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ True Enemybot
GuardMiner
Sysrv-botnet
CVE-2021-41773 Apache HTTP Server Path traversal vulnerability in Apache HTTP Server True Zerobot
CVE-2016-20016 MVPower CCTV DVR models Remote code execution vulnerability in MVPower CCTVDVR models True IoT-Repear

Vulnerabilities Abused by Malware

We proactively monitor the vulnerabilities which are targeted by adversaries. Each vulnerability is humanly studied and mapped with Mitre ATT&CK tactics and techniques. Source of information is derived from our vulnerability intelligence platform collected and curated information from various sources such as Twitter, Telegram, OSINT groups, Blogs, Data leak Sites and more.

CVE-2024-36401

Recent investigations by Trend Micro have revealed that an eval injection vulnerability in GeoServer, which can lead to remote code execution, has been actively exploited by the Chinese threat actor Earth Baxia. This group has leveraged the flaw to deploy Cobalt Strike payloads, and a custom backdoor called EAGLEDOOR. Historically, attackers have also exploited this vulnerability to deliver SideWalk malware, a sophisticated backdoor tied to the APT41 threat group. Moreover, the flaw has been used to spread Mirai variants such as JenX and the Condi DDoS bot.

CVE-2024-21338

Sentinel Labs reported that an affiliate group associated with Mallox ransomware has exploited a privilege escalation vulnerability in Windows Kernel, using a Linux-based ransomware tool called Krystina to gain elevated privileges. This strategic use of cross-platform tools enhanced the attackers' ability to deepen system access and amplified the overall impact of their ransomware operations.

Vulnerability Severity Title Patch Targeted By Malware OSS
CVE-2024-36401 Critical Eval Injection vulnerability in GeoServer leads to remote code execution True Earth Baxia True
CVE-2024-21338 High Privilege Escalation vulnerability in Windows Kernel True Mallox
Kryptina
True

PRE-NVD observed for this week

It refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.

CVE-ID Type of Vulnerability Product Reference
CVE-2024-8844 Out-Of-Bounds Read PDF-XChange Editor Resource
CVE-2024-9112 Out-Of-Bounds Write FastStone Image Viewer Resource
CVE-2024-8927 Authentication Bypass Multiple PHP versions Resource
CVE-2024-8822 Out-Of-Bounds Read PDF-XChange Editor Resource
CVE-2024-8819 Out-Of-Bounds Read PDF-XChange Editor Resource

External References

  1. https://www.cisa.gov/news-events/alerts/2024/10/02/cisa-adds-one-known-exploited-vulnerability-catalog  
  2. https://www.cisa.gov/news-events/alerts/2024/10/03/cisa-adds-one-known-exploited-vulnerability-catalog
  3. https://www.cisa.gov/news-events/alerts/2024/09/30/cisa-adds-four-known-exploited-vulnerabilities-catalog
  4. https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-29824-deep-dive-ivanti-epm-sql-injection-remote-code-execution-vulnerability/  
  5. https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/  
  6. https://unit42.paloaltonetworks.com/mirai-variant-v3g4/
  7. https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-remote-code-injection/execution-vulnerability-(cve-2020-14472  

Get notified

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Latest Reports

Latest Reports