In an unexpected turn, this week has only one new vulnerability added to the CISA KEV list, marking a significant drop from last week's addition of 11 CVEs. The lone addition, CVE-2024-7593, is a critical authentication bypass vulnerability affecting Ivanti's Virtual Traffic Manager (vTM). Meanwhile, critical vulnerabilities in Cisco's Smart Licensing Utility and Cellopoint's Secure Email Gateways have gained significant attention, as publicly available proof-of-concept exploits have made these flaws increasingly attractive to threat actors.
For the third consecutive week, the Mirai botnet has been relentlessly targeting TP-Link Archer AX21 routers, showcasing its tenacity in exploiting consumer devices. At the same time, the Sysrv and Enemy botnets have been observed actively exploiting vulnerabilities in Spring Cloud Gateway, further expanding their reach. Meanwhile, the IoT_Reaper botnet remains active, persistently exploiting an eight-year-old vulnerability in MVPower CCTV DVR models.
Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping to make informed decisions.
An authentication bypass vulnerability in Ivanti's Virtual Traffic Manager (vTM) that arises due to an improper authentication algorithm, enables remote attackers to bypass admin panel security measures. With a CVSS score of 9.8 and a high EPSS of 0.97325 along with a readily available proof of concept, it is now added to the CISA KEV list.
A critical vulnerability in the Microchip Advanced Software Framework (ASF), affecting versions 3.52.0.2574 and earlier, arises from its implementation of the Tinydhcp server, allowing remote attackers to execute arbitrary code through specially crafted DHCP request packets sent to a multicast address on the affected systems.
A critical vulnerability in Cisco Smart Licensing Utility (CSLU) versions 2.0.0, 2.1.0, and 2.2.0 allows unauthenticated attackers to bypass authentication and gain administrative access. This vulnerability arising from a hidden static user credential could lead to attackers manipulating licensing data or launching further attacks within the network. Despite its low EPSS score of 0.16329, the availability of a proof-of-concept exploit for this vulnerability makes it a significant threat.
A buffer overflow vulnerability in the Cellopoint Secure Email Gateway can be exploited by remote attackers, allowing them to access sensitive email communications, install malware, exfiltrate data, and disable essential security measures, thereby exposing the network to further threats. The existence of proof of concept enhances the risk of exploitation, underscoring the urgent need for immediate remediation.
Telemetry collected from Loginsoft sensors were analyzed and processed to derive insights on what is actively being exploited and actively being scanned. As source of truth, source IPv4 addresses & payloads can be provided on need-to-know basis.
Identified vulnerabilities exploited by botnets, including recent CVEs logged in Misp. Presenting the top 5 CVEs with payloads suggestive of botnet activities, like utilizing wget with IP addresses.
We proactively monitor the vulnerabilities which are targeted by adversaries. Each vulnerability is humanly studied and mapped with Mitre ATT&CK tactics and techniques. Source of information is derived from our vulnerability intelligence platform collected and curated information from various sources such as Twitter, Telegram, OSINT groups, Blogs, Data leak Sites and more.
CVE-2024-36401
Recent investigations by Trend Micro have revealed that an eval injection vulnerability in GeoServer, which can lead to remote code execution, has been actively exploited by the Chinese threat actor Earth Baxia. This group has leveraged the flaw to deploy Cobalt Strike payloads, and a custom backdoor called EAGLEDOOR. Historically, attackers have also exploited this vulnerability to deliver SideWalk malware, a sophisticated backdoor tied to the APT41 threat group. Moreover, the flaw has been used to spread Mirai variants such as JenX and the Condi DDoS bot.
CVE-2024-21338
Sentinel Labs reported that an affiliate group associated with Mallox ransomware has exploited a privilege escalation vulnerability in Windows Kernel, using a Linux-based ransomware tool called Krystina to gain elevated privileges. This strategic use of cross-platform tools enhanced the attackers' ability to deepen system access and amplified the overall impact of their ransomware operations.
It refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.
