VULNERA Pulse

Kingsoft — WPS Office

CVE-2024-7262 / Added: Sept. 3, 2024

HIGH CVSS 7.80 EPSS Score 4.70 EPSS Percentile 92.82

Kingsoft WPS Office contains a path traversal vulnerability in promecefpluginhost.exe on Windows that allows an attacker to load an arbitrary Windows library.

Headlines

• Sept. 4, 2024 - CISA Issues Alert: Three Actively Exploited Vulnerabilities Demand Immediate Attention
• Sept. 1, 2024 - Week in review: SonicWall critical firewalls flaw fixed, APT exploits WPS Office for Windows RCE
• Aug. 29, 2024 - South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel
• Aug. 28, 2024 - South Korean hackers exploited WPS Office zero-day to deploy malware
• Aug. 28, 2024 - APT-C-60 Group Exploit WPS Office Flaw to Deploy SpyGlace Backdoor
• Aug. 28, 2024 - ESET Uncovers Zero-Day Vulnerabilities in WPS Office, Exploited by APT-C-60
• Aug. 28, 2024 - APT group exploits WPS Office for Windows RCE vulnerability (CVE-2024-7262)
• Aug. 28, 2024 - Analysis of two arbitrary code execution vulnerabilities affecting WPS Office
• Aug. 28, 2024 - South Korean Spies Exploit WPS Office Zero-Day
• Aug. 16, 2024 - WPS Office Vulnerabilities Expose 200 Million Users: CVE-2024-7262 Exploited in the Wild

Back to top ↑

DrayTek — VigorConnect

CVE-2021-20124 / Added: Sept. 3, 2024

HIGH CVSS 7.50 EPSS Score 49.18 EPSS Percentile 97.56

Draytek VigorConnect contains a path traversal vulnerability in the file download functionality of the WebServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.

Headlines

• Sept. 4, 2024 - CISA Issues Alert: Three Actively Exploited Vulnerabilities Demand Immediate Attention

Back to top ↑

DrayTek — VigorConnect

CVE-2021-20123 / Added: Sept. 3, 2024

HIGH CVSS 7.50 EPSS Score 49.45 EPSS Percentile 97.58

Draytek VigorConnect contains a path traversal vulnerability in the DownloadFileServlet endpoint. An unauthenticated attacker could leverage this vulnerability to download arbitrary files from the underlying operating system with root privileges.

Headlines

• Sept. 4, 2024 - CISA Issues Alert: Three Actively Exploited Vulnerabilities Demand Immediate Attention

Back to top ↑

CVE-2024-7261

CRITICAL CVSS 9.80 EPSS Score 0.09 EPSS Percentile 39.12

Actively Exploited

Published: Sept. 3, 2024

The improper neutralization of special elements in the parameter "host" in the CGI program of Zyxel NWA1123ACv3 firmware version 6.70(ABVT.4) and earlier, WAC500 firmware version 6.70(ABVS.4) and earlier, WAX655E firmware version 7.00(ACDO.1) and earlier, WBE530 firmware version 7.00(ACLE.1) and earlier, and USG LITE 60AX firmware version V2.00(ACIP.2) could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device.

Quotes

• Zyxel has released patches addressing an operating system (OS) command injection vulnerability in some access point (AP) and security router versions
• For end-users who received your Zyxel device from an ISP, we recommend you reach out to the ISP’s support team directly, as the device may have custom-built settings
• The improper neutralization of special elements in the parameter 'host' in the CGI program of some AP and security router versions could allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device

Headlines

• Sept. 4, 2024 - Zyxel Patches Critical OS Command Injection Flaw in Access Points and Routers
• Sept. 4, 2024 - Zyxel fixed critical OS command injection flaw in multiple routers
• Sept. 3, 2024 - Zyxel warns of critical OS command injection flaw in routers
• Sept. 3, 2024 - Critical flaw in Zyxel's secure routers allows OS command execution via cookie (CVE-2024-7261)
• Sept. 3, 2024 - CVE-2024-7261 (CVSS 9.8): Zyxel Patches Critical Vulnerability in Wi-Fi Devices

CVE-2024-38856

CRITICAL CVSS 9.80 EPSS Score 93.27 EPSS Percentile 99.14

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Aug. 5, 2024

Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints).

Vendor Impacted: Apache

Product Impacted: Ofbiz

Quotes

• Apache OFBiz is used by numerous large organizations, and previously disclosed vulnerabilities for it have seen exploitation in the wild
• An attacker with no valid credentials exploit missing view authorization checks in the web application to execute arbitrary code on the server
• Apache OFBiz below 18.12.16 is vulnerable to unauthenticated remote code execution on Linux and Windows. An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server

Headlines

• Sept. 6, 2024 - Apache OFBiz team patches critical RCE vulnerability (CVE-2024-45195)
• Sept. 6, 2024 - Apache fixed a new remote code execution flaw in Apache OFBiz
• Sept. 6, 2024 - Apache OFBiz Update Fixes High-Severity Flaw Leading to Remote Code Execution
• Sept. 5, 2024 - Apache fixes critical OFBiz remote code execution vulnerability
• Aug. 31, 2024 - End-of-life IP cams being used to spread new Mirai botnet

CVE-2024-32113

CRITICAL CVSS 9.80 EPSS Score 92.30 EPSS Percentile 99.04

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: May 8, 2024

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz.This issue affects Apache OFBiz: before 18.12.13. Users are recommended to upgrade to version 18.12.13, which fixes the issue.

Vendor Impacted: Apache

Product Impacted: Ofbiz

Quotes

• Apache OFBiz is used by numerous large organizations, and previously disclosed vulnerabilities for it have seen exploitation in the wild
• An attacker with no valid credentials exploit missing view authorization checks in the web application to execute arbitrary code on the server
• Apache OFBiz below 18.12.16 is vulnerable to unauthenticated remote code execution on Linux and Windows. An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server

Headlines

• Sept. 6, 2024 - Apache OFBiz team patches critical RCE vulnerability (CVE-2024-45195)
• Sept. 6, 2024 - Apache fixed a new remote code execution flaw in Apache OFBiz
• Sept. 6, 2024 - Apache OFBiz Update Fixes High-Severity Flaw Leading to Remote Code Execution
• Sept. 5, 2024 - Apache fixes critical OFBiz remote code execution vulnerability

CVE-2024-36104

CRITICAL CVSS 9.10 EPSS Score 1.06 EPSS Percentile 84.45

Remote Code Execution Public Exploits Available

Published: June 4, 2024

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.14. Users are recommended to upgrade to version 18.12.14, which fixes the issue.

Quotes

• Apache OFBiz is used by numerous large organizations, and previously disclosed vulnerabilities for it have seen exploitation in the wild
• An attacker with no valid credentials exploit missing view authorization checks in the web application to execute arbitrary code on the server
• Apache OFBiz below 18.12.16 is vulnerable to unauthenticated remote code execution on Linux and Windows. An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server

Headlines

• Sept. 6, 2024 - Apache OFBiz team patches critical RCE vulnerability (CVE-2024-45195)
• Sept. 6, 2024 - Apache fixed a new remote code execution flaw in Apache OFBiz
• Sept. 6, 2024 - Apache OFBiz Update Fixes High-Severity Flaw Leading to Remote Code Execution
• Sept. 5, 2024 - Apache fixes critical OFBiz remote code execution vulnerability

CVE-2024-7971

HIGH CVSS 8.80 EPSS Score 0.16 EPSS Percentile 53.09

CISA Known Exploited Actively Exploited Remote Code Execution Used In Ransomware

Published: Aug. 21, 2024

Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Vendor Impacted: Google

Products Impacted: Chromium V8, Chrome

Quotes

• Out of sight, out of mind
• The attack chain goes from directly compromising a sandboxed Chrome renderer process to compromising the Windows kernel rather than targeting the Chrome browser process
• Citrine Sleet is based in North Korea and primarily targets financial institutions, particularly organizations and individuals managing cryptocurrency, for financial gain
• The observed zero-day exploit attack by Citrine Sleet used the typical stages seen in browser exploit chains. First, the targets were directed to the Citrine Sleet-controlled exploit domain voyagorclub[.]space. While we cannot confirm at this time how the targets were directed, social engineering is a common tactic used by Citrine Sleet. Once a target connected to the domain, the zero-day RCE exploit for CVE-2024-7971 was served

Headlines

• Sept. 5, 2024 - The best and worst ways to get users to improve their account security
• Sept. 4, 2024 - CVE-2024-38106: 0-Day Windows Kernel Vulnerability Exploited in the Wild, PoC Published
• Sept. 3, 2024 - North Korean APT Exploits Novel Chromium, Windows Bugs to Steal Crypto
• Aug. 31, 2024 - North Korea-linked APT Citrine Sleet exploit Chrome zero-day to deliver FudModule rootkit
• Aug. 31, 2024 - North Korean Hackers Deploy FudModule Rootkit via Chrome Zero-Day Exploit

CVE-2024-32896

HIGH CVSS 7.80 EPSS Score 0.08 EPSS Percentile 36.09

CISA Known Exploited Actively Exploited Remote Code Execution

Published: June 13, 2024

there is a possible way to bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.

Vendors Impacted: Google, Android

Products Impacted: Pixel, Android

Quotes

• There is a possible way to bypass due to a logic error in the code
• There are indications that CVE-2024-32896 may be under limited, targeted exploitation

Headlines

• Sept. 4, 2024 - Google fixed actively exploited Android flaw CVE-2024-32896
• Sept. 4, 2024 - Google backports fix for Pixel EoP flaw to other Android devices
• Sept. 4, 2024 - Google Confirms CVE-2024-32896 Exploited in the Wild, Releases Android Security Patch
• Sept. 4, 2024 - Google Patches Actively Exploited Zero-Day in September Android Update

CVE-2023-38831

HIGH CVSS 7.80 EPSS Score 31.24 EPSS Percentile 97.06

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Aug. 23, 2023

RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through October 2023.

Vendor Impacted: Rarlab

Product Impacted: Winrar

Quotes

• Samples similar to Head Mare’s toolkit
• Head Mare uses more up-to-date methods for obtaining initial access
• In their attacks, Head Mare mainly uses publicly available software, which is typical of most hacktivist groups targeting Russian companies in the context of the Russo-Ukrainian conflict

Headlines

• Sept. 4, 2024 - Head Mare hacktivist group targets Russia and Belarus
• Sept. 3, 2024 - Hacktivists Exploits WinRAR Vulnerability in Attacks Against Russia and Belarus
• Sept. 2, 2024 - Head Mare hacktivists: attacks on companies in Russia and Belarus

CVE-2024-45195

HIGH CVSS 7.50 EPSS Score 0.12 EPSS Percentile 46.93

Remote Code Execution

Published: Sept. 4, 2024

Direct Request ('Forced Browsing') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue.

Vendor Impacted: Apache

Product Impacted: Ofbiz

Quotes

• Apache OFBiz is used by numerous large organizations, and previously disclosed vulnerabilities for it have seen exploitation in the wild
• An attacker with no valid credentials exploit missing view authorization checks in the web application to execute arbitrary code on the server
• Apache OFBiz below 18.12.16 is vulnerable to unauthenticated remote code execution on Linux and Windows. An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server

Headlines

• Sept. 6, 2024 - Apache OFBiz team patches critical RCE vulnerability (CVE-2024-45195)
• Sept. 6, 2024 - Apache fixed a new remote code execution flaw in Apache OFBiz
• Sept. 6, 2024 - Apache OFBiz Update Fixes High-Severity Flaw Leading to Remote Code Execution
• Sept. 5, 2024 - Apache fixes critical OFBiz remote code execution vulnerability

CVE-2024-38106

HIGH CVSS 7.00 EPSS Score 0.04 EPSS Percentile 10.09

CISA Known Exploited

Published: Aug. 13, 2024

Windows Kernel Elevation of Privilege Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows 10 21h2, Windows 10 1507, Windows 11 24h2, Windows 10 1809, Windows 11 21h2, Windows 11 23h2, Windows, Windows 10 22h2, Windows 11 22h2, Windows Server 2016, Windows Server 2022, Windows 10 1607, Windows Server 2019, Windows Server 2022 23h2

Quotes

• The attack chain goes from directly compromising a sandboxed Chrome renderer process to compromising the Windows kernel rather than targeting the Chrome browser process
• Citrine Sleet is based in North Korea and primarily targets financial institutions, particularly organizations and individuals managing cryptocurrency, for financial gain

Headlines

• Sept. 4, 2024 - CVE-2024-38106: 0-Day Windows Kernel Vulnerability Exploited in the Wild, PoC Published
• Sept. 3, 2024 - North Korean APT Exploits Novel Chromium, Windows Bugs to Steal Crypto
• Aug. 31, 2024 - North Korea-linked APT Citrine Sleet exploit Chrome zero-day to deliver FudModule rootkit
• Aug. 31, 2024 - North Korean Hackers Deploy FudModule Rootkit via Chrome Zero-Day Exploit

CVE-2024-40766

CVSS Not Assigned EPSS Score 0.04 EPSS Percentile 9.56

Actively Exploited Remote Code Execution

Published: Aug. 23, 2024

An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash. This issue affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.

Quotes

• This vulnerability is potentially being exploited in the wild. Please apply the patch as soon as possible for affected products. The latest patch builds are available for download on mysonicwall.com

Headlines

• Sept. 6, 2024 - SonicWall SSLVPN access control flaw is now exploited in attacks
• Sept. 6, 2024 - SonicWall Confirms Critical CVE-2024-40766 Vulnerability Actively Exploited in the Wild
• Sept. 1, 2024 - Week in review: SonicWall critical firewalls flaw fixed, APT exploits WPS Office for Windows RCE