Cyble researchers had a busy week, investigating 19 vulnerabilities in the week ended Oct. 1 and flagging eight of them as high priority.
Cyble’s weekly IT vulnerability report also noted that researchers observed 10 exploits being discussed on dark web and cybercrime forums, including an OpenSSH vulnerability with 8 million exposures and claimed zero days in Apple and Android.
Vulnerabilities in SolarWinds, Microsoft, Zimbra, WordPress and Fortinet were also discussed by threat actors on underground forums.
Optigo, NVIDIA, Adobe and Linux CUPS are Top Priorities
The report from Cyble Research & Intelligence Labs (CRIL) flagged eight vulnerabilities in four products for security teams to prioritize:
CVE-2024-41925 & CVE-2024-45367: ONS-S8 Spectra Aggregation Switch
The ONS-S8 Spectra Aggregation Switch from Optigo Networks is a network management device used to deploy passive optical networking (PON) in intelligent buildings. CVE-2024-41925 is a PHP Remote File Inclusion (RFI) flaw in the switch's management interface and CVE-2024-45367 a weak-authentication flaw in the same interface; both were also the subject of a CISA ICS advisory because of their low attack complexity and the product's use in critical infrastructure. As with any building-automation device, the first check is whether the management interface is reachable from anything other than a dedicated management network.
CVE-2024-0132: NVIDIA Container Toolkit
This high-severity Time-of-Check Time-of-Use (TOCTOU) vulnerability in the NVIDIA Container Toolkit (CVSS 9.0) could be used for a container escape that gives full access to the host system, leading to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. Exploitation requires the host to run an attacker-supplied, specially crafted container image, so shared GPU infrastructure that executes customer-provided images is the main concern; NVIDIA fixed the issue in Container Toolkit 1.16.2 and GPU Operator 24.6.2.
CVE-2024-34102: Adobe Commerce
This CVSS 9.8 Improper Restriction of XML External Entity Reference (XXE) vulnerability in Adobe Commerce/Magento, tracked by Sansec as CosmicSting, could be exploited by sending a crafted XML document that references external entities, leading to arbitrary code execution. Adobe patched it in June 2024 (APSB24-40). Researchers have observed multiple Adobe Commerce and Magento stores compromised by threat actors using the vulnerability, which in the wild has been used to read the store's configuration, including its encryption key, so stores that patched late should also rotate that key. The vulnerability is also being discussed on cybercrime forums.
CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177: CUPS Vulnerabilities
These recently disclosed vulnerabilities – CVE-2024-47076 (libcupsfilters), CVE-2024-47175 (libppd), CVE-2024-47176 (cups-browsed) and CVE-2024-47177 (cups-filters) – impact CUPS (Common UNIX Printing System), a modular printing system for Unix-like operating systems. Under certain conditions an attacker can chain them to execute arbitrary code remotely: cups-browsed accepts printer announcements from any source on UDP port 631 (CVE-2024-47176), the announced printer's IPP attributes are written into a generated PPD file without sanitization (CVE-2024-47076 and CVE-2024-47175), and when a user prints to the rogue printer the foomatic-rip filter executes the injected FoomaticRIPCommandLine attribute as a shell command (CVE-2024-47177). Exploitation therefore requires cups-browsed to be running and reachable by the attacker and a user to send a job to the attacker's printer, and the resulting code runs as the unprivileged lp user rather than root. Stopping cups-browsed (or setting BrowseRemoteProtocols none) and blocking inbound UDP 631 removes the entry point until patched packages are installed.
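To turn the chain above into a host-side check, here is an added example (not Cyble's code and not part of the CUPS project) that looks at the three things the chain depends on: whether a process is bound to UDP 631 (parsed from `ss -ulnp` output), whether cups-browsed.conf still accepts remote `cups` announcements, and whether any installed PPD under /etc/cups/ppd carries a FoomaticRIPCommandLine that routes through foomatic-rip. The paths are the usual Debian/Fedora defaults and the sample inputs at the bottom are constructed. A FoomaticRIPCommandLine is legitimate in driver PPDs shipped by foomatic-db, so a hit on a queue you installed from a local driver should be compared with the vendor PPD rather than treated as an intrusion.

```python
"""Host-side triage for the CUPS chain (CVE-2024-47076/47175/47176/47177).

Added example, not Cyble's or the CUPS project's code.  Paths are the common
Debian/Fedora defaults (assumption); sample inputs at the bottom are constructed.
"""
import re
from pathlib import Path

PPD_DIR = Path("/etc/cups/ppd")                      # cupsd keeps one PPD per queue here
BROWSED_CONF = Path("/etc/cups/cups-browsed.conf")

# Attribute that foomatic-rip hands to a shell when a job is printed (CVE-2024-47177).
RIP_CMD_RE = re.compile(r'^\*FoomaticRIPCommandLine:\s*"(?P<cmd>.*)"\s*$')
FILTER_RE = re.compile(r'^\*cupsFilter2?:\s*"(?P<spec>[^"]*)"')
SHELL_META = re.compile(r"[;&|`$<>]")
# One row of `ss -ulnp`: UNCONN 0 0 0.0.0.0:631 0.0.0.0:* users:(("cups-browsed",pid=812,fd=7))
SS_UDP631_RE = re.compile(
    r'^UNCONN\s+\d+\s+\d+\s+(?P<local>\S+):631\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


def browsed_exposure(conf_text):
    """'exposed' if cups-browsed still accepts remote CUPS announcements, else 'hardened'.

    When the directive is absent or commented out the daemon default is "dnssd cups".
    BrowseProtocols sets both the local and remote lists; the last directive seen wins.
    """
    protocols = ["dnssd", "cups"]
    for line in conf_text.splitlines():
        parts = line.split()
        if parts and parts[0] in ("BrowseRemoteProtocols", "BrowseProtocols"):
            protocols = [p.lower() for p in parts[1:]]
    return "exposed" if "cups" in protocols else "hardened"


def udp631_listeners(ss_text):
    """Return [(process, local_address)] for every UDP socket bound to port 631."""
    found = []
    for line in ss_text.splitlines():
        m = SS_UDP631_RE.match(line.strip())
        if m:
            found.append((m.group("proc"), m.group("local")))
    return found


def scan_ppd_text(text, name="<inline>"):
    """Return (severity, name, detail) findings for one PPD.

    'high'   : FoomaticRIPCommandLine with shell metacharacters in a queue whose
               cupsFilter/cupsFilter2 line routes jobs through foomatic-rip, which is
               what the PPD injected by the chain looks like.
    'review' : any other FoomaticRIPCommandLine; legitimate in foomatic-db driver PPDs.
    """
    lines = text.splitlines()
    via_foomatic = any("foomatic-rip" in m.group("spec") for m in map(FILTER_RE.match, lines) if m)
    findings = []
    for line in lines:
        m = RIP_CMD_RE.match(line)
        if m:
            cmd = m.group("cmd")
            severity = "high" if via_foomatic and SHELL_META.search(cmd) else "review"
            findings.append((severity, name, f"FoomaticRIPCommandLine: {cmd}"))
    return findings


def scan_host(ppd_dir=PPD_DIR, conf_path=BROWSED_CONF):
    """Run the config and PPD checks against the live host (UDP listeners need `ss -ulnp`)."""
    findings = []
    if conf_path.exists() and browsed_exposure(conf_path.read_text(errors="replace")) == "exposed":
        findings.append(("high", str(conf_path), "BrowseRemoteProtocols still includes cups"))
    ppds = sorted(ppd_dir.glob("*.ppd")) if ppd_dir.is_dir() else []
    for ppd in ppds:
        findings.extend(scan_ppd_text(ppd.read_text(errors="replace"), ppd.name))
    return findings


# Constructed sample inputs (not captured from a real host).
SAMPLE_CONF_DEFAULT = "# BrowseRemoteProtocols dnssd cups\nBrowseRemoteProtocols dnssd cups\n"
SAMPLE_CONF_HARDENED = "BrowseRemoteProtocols none\n"
SAMPLE_SS = (
    'UNCONN 0 0 0.0.0.0:631  0.0.0.0:* users:(("cups-browsed",pid=812,fd=7))\n'
    'UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=640,fd=12))\n'
)
SAMPLE_PPD_DRIVERLESS = (
    '*PPD-Adobe: "4.3"\n*ModelName: "Office Printer"\n'
    '*cupsFilter2: "application/vnd.cups-pdf application/pdf 0 -"\n'
)
SAMPLE_PPD_INJECTED = (
    '*PPD-Adobe: "4.3"\n*ModelName: "Network Printer"\n'
    '*cupsFilter2: "application/pdf application/vnd.cups-postscript 0 foomatic-rip"\n'
    '*FoomaticRIPCommandLine: "touch /tmp/cups-ppd-marker; cat"\n'
)

if __name__ == "__main__":
    for finding in scan_host():
        print(*finding)
    print(udp631_listeners(SAMPLE_SS))
    print(scan_ppd_text(SAMPLE_PPD_INJECTED, "remote.ppd"))
```

Run it as root on a print server to walk the real PPD directory; pipe `ss -ulnp` output into `udp631_listeners` to confirm whether the UDP 631 listener is cups-browsed or something else. A "hardened" config verdict with a live UDP 631 listener usually means the daemon was not restarted after the config change.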
Dark Web Exploits Noted by Cyble
Cyble researchers observed 10 vulnerabilities and exploits discussed in Telegram channels and on cybercrime forums; active discussion by threat actors is a signal that security teams should give these issues a higher priority.
CVE-2024-28987: A critical vulnerability in SolarWinds Web Help Desk (WHD) software created by hardcoded developer login credentials.
CVE-2024-38200: A spoofing vulnerability in Microsoft Office (CVSS 7.5, rated Important by Microsoft) caused by improper handling of certain document properties; opening a crafted document can make Office authenticate to an attacker-controlled server and expose the user's NTLM hash.
CVE-2023-32413: This vulnerability in several Apple operating systems comes from improper synchronization when multiple processes use shared resources concurrently (a race condition), which can lead to unexpected system behavior.
CVE-2024-43917: This critical SQL Injection vulnerability affects the TI WooCommerce Wishlist plugin for WordPress, in versions up to 2.8.2.
CVE-2024-45519: A critical Remote Code Execution (RCE) vulnerability was identified in the postjournal service of the Zimbra Collaboration Suite, a widely used email and collaboration platform. The postjournal service is optional and not enabled by default, so the flaw is reachable only on installations where an administrator has turned it on; those deployments should patch immediately and, until then, restrict which hosts are allowed to reach the service. Cyble researchers also issued a separate report on the Zimbra vulnerability, and CISA added it to the agency's Known Exploited Vulnerabilities catalog.
CVE-2024-8275: A critical SQL injection vulnerability in the Events Calendar Plugin for WordPress that affects all versions up to and including 6.6.4.
CVE-2024-6387: A threat actor offered a list of IP addresses that may be affected by this vulnerability, also known as regreSSHion, an unauthenticated remote code execution (RCE) flaw in the OpenSSH server caused by a signal handler race condition. It affects OpenSSH 8.5p1 through 9.7p1 (and versions before 4.4p1), has been shown to be exploitable on glibc-based Linux, and was fixed in OpenSSH 9.8p1. Cyble's Odin vulnerability search service shows more than 8 million internet-facing hosts exposed to this vulnerability; counts derived from version banners include distribution builds that carry a backported fix, so treat such a figure as an upper bound on real exposure.
CVE-2024-34102: A threat actor offered to sell an exploit for this critical vulnerability affecting Adobe Commerce and Magento, advertised as working against versions 2.4.6 and earlier (Adobe's own advisory lists 2.4.7 and earlier as affected).
FortiClient: A threat actor on BreachForums advertised exploits for vulnerabilities present in Fortinet’s FortiClient EMS 7.4/7.3 that result in SQL Injection and Remote Code Execution. The actor is selling the exploits for $30,000.
Apple and Android Zero Day: A threat actor on BreachForums is advertising a claimed 0-day exploit in Apple's iMessage and Android's text messaging that the actor says results in Remote Code Execution (RCE). The actor is selling the exploit binary for $800,000; the claim is unverified.
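The regreSSHion item above rests on counting hosts whose OpenSSH banner falls inside the affected version range. As an added example (not Cyble's Odin or Qualys code), here is a banner classifier that applies the ranges from Qualys's advisory and separates plain upstream versions from distribution builds, whose package suffix means a backported fix may already be in place. The sample banners are constructed; `grab_banner` is included only so the classifier can be pointed at your own hosts.

```python
"""Classify SSH version banners against the CVE-2024-6387 (regreSSHion) ranges.

Added example, not Cyble's Odin or Qualys code.  Ranges follow the Qualys advisory:
OpenSSH before 4.4p1 (unless patched for CVE-2006-5051 / CVE-2008-4109) and
8.5p1 <= version < 9.8p1.  Exploitation has only been demonstrated on glibc-based
Linux, and a banner cannot see distribution backports, so the verdict is a screening
result, not proof.  Sample banners below are constructed.
"""
import re
import socket

BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<patch>\d+))?(?P<rest>.*)$"
)
# Half-open [low, high) ranges of (major, minor, patchlevel) that Qualys lists as affected.
AFFECTED_RANGES = (((0, 0, 0), (4, 4, 1)), ((8, 5, 1), (9, 8, 1)))


def parse_openssh_version(banner):
    """Return ((major, minor, patch), trailing-comment) or None for non-OpenSSH banners."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return None
    version = (int(m.group("major")), int(m.group("minor")), int(m.group("patch") or 0))
    return version, m.group("rest").strip()


def regresshion_status(banner):
    """'not_affected', 'affected_range', 'affected_range_backport_possible' or 'unknown'."""
    parsed = parse_openssh_version(banner)
    if parsed is None:
        return "unknown"
    version, suffix = parsed
    if not any(low <= version < high for low, high in AFFECTED_RANGES):
        return "not_affected"
    # Distribution builds keep the upstream version string and append their own package
    # tag, e.g. "OpenSSH_9.6p1 Ubuntu-3ubuntu13.3"; such builds may carry a backported
    # fix, which only the package changelog can confirm.
    return "affected_range_backport_possible" if suffix else "affected_range"


def summarize(banners):
    """Count banners per verdict; an exposure figure is an aggregate of this kind."""
    counts = {}
    for banner in banners:
        verdict = regresshion_status(banner)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


def grab_banner(host, port=22, timeout=3.0):
    """Read the server identification line; sshd sends it before any client data."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        data = sock.recv(256)
    lines = data.decode("ascii", "replace").splitlines()
    return lines[0] if lines else ""


SAMPLE_BANNERS = [  # constructed, not scan output
    "SSH-2.0-OpenSSH_9.7p1",
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3",
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "SSH-2.0-OpenSSH_4.3p2",
    "SSH-2.0-dropbear_2022.83",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b:45} {regresshion_status(b)}")
    print(summarize(SAMPLE_BANNERS))
```

For fleet triage, treat `affected_range` as patch-now, `affected_range_backport_possible` as check-the-package-version (for example `dpkg -l openssh-server` or `rpm -q openssh-server` against the vendor's fixed version), and remember that non-glibc platforms in the range have no demonstrated exploit but should still be updated.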