VULNERA Pulse

VMware — ESXi

CVE-2024-37085 / Added: July 30, 2024

HIGH CVSS 7.20 EPSS Score 1.22 EPSS Percentile 85.46

VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.

Headlines

• Aug. 4, 2024 - Week in review: VMware ESXi zero-day exploited, SMS Stealer malware targeting Android users
• Aug. 1, 2024 - +20,000 internet-exposed VMware ESXi instances vulnerable to CVE-2024-37085
• July 31, 2024 - VMware ESXi Vulnerability Exposes Thousands of Servers to Ransomware
• July 30, 2024 - CISA adds VMware ESXi bug to its Known Exploited Vulnerabilities catalog
• July 30, 2024 - Ransomware Gangs Exploit ESXi Bug for Instant, Mass Encryption of VMs
• July 30, 2024 - CISA warns of VMware ESXi bug exploited in ransomware attacks
• July 30, 2024 - Black Basta ransomware switches to more evasive custom malware
• July 30, 2024 - Ransomware gangs are loving this dumb but deadly ESXi flaw
• July 30, 2024 - VMware ESXi auth bypass zero-day exploited by ransomware operators (CVE-2024-37085)
• July 30, 2024 - VMware ESXi Flaw Exploited by Ransomware Groups for Admin Access
• July 30, 2024 - CVE-2024-37085: VMware ESXi Vulnerability Exploited by Ransomware Gangs
• July 29, 2024 - Ransomware gangs exploit VMware ESXi bug CVE-2024-37085
• July 29, 2024 - Microsoft: Ransomware gangs exploit VMware ESXi auth bypass in attacks

Back to top ↑

Acronis — Cyber Infrastructure (ACI)

CVE-2023-45249 / Added: July 29, 2024

CRITICAL CVSS 9.80 EPSS Score 12.21 EPSS Percentile 95.42

Acronis Cyber Infrastructure (ACI) allows an unauthenticated user to execute commands remotely due to the use of default passwords.

Headlines

• Aug. 4, 2024 - Week in review: VMware ESXi zero-day exploited, SMS Stealer malware targeting Android users
• July 29, 2024 - Critical Flaw in Acronis Cyber Infrastructure Exploited in the Wild
• July 29, 2024 - Actively Exploited ServiceNow and Acronis Vulnerabilities Pose Significant Threats to Government and Private Sectors
• July 29, 2024 - Acronis Cyber Infrastructure bug actively exploited in the wild
• July 29, 2024 - Critical Acronis Cyber Infrastructure vulnerability exploited in the wild (CVE-2023-45249)
• July 26, 2024 - Acronis warns of Cyber Infrastructure default password abused in attacks
• July 26, 2024 - Acronis Cyber Infrastructure Users Urged to Patch Critical Vulnerability (CVE-2023-45249)

Back to top ↑

ServiceNow — Utah, Vancouver, and Washington DC Now

CVE-2024-5217 / Added: July 29, 2024

CRITICAL CVSS 9.80 EPSS Score 96.00 EPSS Percentile 99.51

ServiceNow Washington DC, Vancouver, and earlier Now Platform releases contain an incomplete list of disallowed inputs vulnerability in the GlideExpression script. An unauthenticated user could exploit this vulnerability to execute code remotely.

Headlines

• July 29, 2024 - PatchNow: ServiceNow Critical RCE Bugs Under Active Exploit
• July 29, 2024 - Actively Exploited ServiceNow and Acronis Vulnerabilities Pose Significant Threats to Government and Private Sectors
• July 25, 2024 - Critical ServiceNow RCE flaws actively exploited to steal credentials
• July 25, 2024 - Researchers Reveal ConfusedFunction Vulnerability in Google Cloud Platform
• July 25, 2024 - ServiceNow Exploits Used in Global Reconnaissance Campaign
• July 12, 2024 - ServiceNow Security Alert: Critical Vulnerabilities Expose Businesses to RCE and Data Breaches

Back to top ↑

ServiceNow — Utah, Vancouver, and Washington DC Now

CVE-2024-4879 / Added: July 29, 2024

CRITICAL CVSS 9.80 EPSS Score 96.44 EPSS Percentile 99.61

ServiceNow Utah, Vancouver, and Washington DC Now releases contain a jelly template injection vulnerability in UI macros. An unauthenticated user could exploit this vulnerability to execute code remotely.

Headlines

• July 29, 2024 - PatchNow: ServiceNow Critical RCE Bugs Under Active Exploit
• July 29, 2024 - Actively Exploited ServiceNow and Acronis Vulnerabilities Pose Significant Threats to Government and Private Sectors
• July 25, 2024 - Critical ServiceNow RCE flaws actively exploited to steal credentials
• July 25, 2024 - Researchers Reveal ConfusedFunction Vulnerability in Google Cloud Platform
• July 25, 2024 - ServiceNow Exploits Used in Global Reconnaissance Campaign
• July 12, 2024 - ServiceNow Security Alert: Critical Vulnerabilities Expose Businesses to RCE and Data Breaches

Back to top ↑

CVE-2023-45249

CRITICAL CVSS 9.80 EPSS Score 12.21 EPSS Percentile 95.42

CISA Known Exploited Actively Exploited Remote Code Execution

Published: July 24, 2024

Remote command execution due to use of default passwords. The following products are affected: Acronis Cyber Infrastructure (ACI) before build 5.0.1-61, Acronis Cyber Infrastructure (ACI) before build 5.1.1-71, Acronis Cyber Infrastructure (ACI) before build 5.2.1-69, Acronis Cyber Infrastructure (ACI) before build 5.3.1-53, Acronis Cyber Infrastructure (ACI) before build 5.4.4-132.

Vendor Impacted: Acronis

Products Impacted: Cyber Infrastructure, Cyber Infrastructure (Aci)

Quotes

• This update contains fixes for 1 ctitical severity security vulnerability and should be installed immediately by all users
• This update contains fixes for 1 critical severity security vulnerability [CVE-2023-45249] and should be installed immediately by all users. This vulnerability is known to be exploited in the wild

Headlines

• July 29, 2024 - Critical Flaw in Acronis Cyber Infrastructure Exploited in the Wild
• July 29, 2024 - Actively Exploited ServiceNow and Acronis Vulnerabilities Pose Significant Threats to Government and Private Sectors
• July 29, 2024 - Acronis Cyber Infrastructure bug actively exploited in the wild
• July 29, 2024 - Critical Acronis Cyber Infrastructure vulnerability exploited in the wild (CVE-2023-45249)

CVE-2024-6990

HIGH CVSS 8.80

Risk Context N/A

Published: Aug. 1, 2024

Uninitialized Use in Dawn in Google Chrome on Android prior to 127.0.6533.88 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Critical)

Headlines

• July 31, 2024 - CVE-2024-7205 in eWeLink Cloud Service Exposes Devices to Takeover
• July 31, 2024 - Urgent Chrome Update: Google Patches Critical Security Flaw (CVE-2024-6990)

CVE-2023-28252

HIGH CVSS 7.80 EPSS Score 2.16 EPSS Percentile 89.40

CISA Known Exploited Actively Exploited Remote Code Execution Used In Ransomware Public Exploits Available

Published: April 11, 2023

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows 10 20h2, Windows 10 21h2, Windows 11 22h2, Windows 11 21h2, Windows Server 2008, Windows 10 1809, Windows Server 2016, Windows Server 2019, Windows 10 22h2, Windows Server 2022, Windows, Windows 10 1507, Windows 10 1607, Windows Server 2012

Quotes

• This method is actively exploited in the wild by the abovementioned threat actors
• Microsoft researchers have uncovered a vulnerability in ESXi hypervisors being exploited by several ransomware operators to obtain full administrative permissions on domain-joined ESXi hypervisors
• A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD

Headlines

• July 30, 2024 - Ransomware gangs are loving this dumb but deadly ESXi flaw
• July 30, 2024 - VMware ESXi Flaw Exploited by Ransomware Groups for Admin Access
• July 30, 2024 - CVE-2024-37085: VMware ESXi Vulnerability Exploited by Ransomware Gangs
• July 29, 2024 - Ransomware gangs exploit VMware ESXi bug CVE-2024-37085
• July 29, 2024 - Microsoft: Ransomware gangs exploit VMware ESXi auth bypass in attacks

CVE-2017-11882

HIGH CVSS 7.80 EPSS Score 97.44 EPSS Percentile 99.95

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Nov. 15, 2017

Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.

Vendor Impacted: Microsoft

Product Impacted: Office

Quotes

• It's the first time we have seen SideWinder targeting ports and maritime facilities in EMEA
• SideWinder makes use of email spear-phishing, document exploitation and DLL side-loading techniques in an attempt to avoid detection and deliver targeted implants
• Threat actors hope that by eliciting strong emotions such as fear or anxiety, the target will be compelled to immediately open and read the document. The victim will then be so distracted that they won’t notice strange events on their device such as (for example) system popups or increased fan noise caused by high CPU utilization, which is often an early warning sign of a malware infection in progress

Headlines

• Aug. 1, 2024 - SideWinder APT Group Sets Sights on Ports and Maritime Facilities in Espionage Campaign
• July 31, 2024 - India-Linked SideWinder Group Pivots to Hacking Maritime Targets
• July 30, 2024 - SideWinder phishing campaign targets maritime facilities in multiple countries
• July 30, 2024 - New SideWinder Cyber Attacks Target Maritime Facilities in Multiple Countries

CVE-2017-0199

HIGH CVSS 7.80 EPSS Score 97.52 EPSS Percentile 99.99

CISA Known Exploited Actively Exploited Remote Code Execution Used In Ransomware Public Exploits Available

Published: April 12, 2017

Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API."

Vendors Impacted: Microsoft, Philips

Products Impacted: Intellispace Portal, Windows 7, Office, Windows Vista, Windows Server 2008, Office And Wordpad, Windows Server 2012

Quotes

• It's the first time we have seen SideWinder targeting ports and maritime facilities in EMEA
• SideWinder makes use of email spear-phishing, document exploitation and DLL side-loading techniques in an attempt to avoid detection and deliver targeted implants
• Threat actors hope that by eliciting strong emotions such as fear or anxiety, the target will be compelled to immediately open and read the document. The victim will then be so distracted that they won’t notice strange events on their device such as (for example) system popups or increased fan noise caused by high CPU utilization, which is often an early warning sign of a malware infection in progress

Headlines

• Aug. 1, 2024 - SideWinder APT Group Sets Sights on Ports and Maritime Facilities in Espionage Campaign
• July 31, 2024 - India-Linked SideWinder Group Pivots to Hacking Maritime Targets
• July 30, 2024 - SideWinder phishing campaign targets maritime facilities in multiple countries
• July 30, 2024 - New SideWinder Cyber Attacks Target Maritime Facilities in Multiple Countries

CVE-2024-23296

HIGH CVSS 7.80 EPSS Score 0.16 EPSS Percentile 52.02

CISA Known Exploited Actively Exploited Remote Code Execution

Published: March 5, 2024

A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 17.4 and iPadOS 17.4. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.

Vendor Impacted: Apple

Products Impacted: Ipad Os, Multiple Products, Iphone Os

Headlines

• July 30, 2024 - Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution
• July 30, 2024 - Apple Extends Zero-Day Patch to Older Macs, Urges Immediate Update

CVE-2017-11774

HIGH CVSS 7.80 EPSS Score 88.57 EPSS Percentile 98.74

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Oct. 13, 2017

Microsoft Outlook 2010 SP2, Outlook 2013 SP1 and RT SP1, and Outlook 2016 allow an attacker to execute arbitrary commands, due to how Microsoft Office handles objects in memory, aka "Microsoft Outlook Security Feature Bypass Vulnerability."

Vendor Impacted: Microsoft

Products Impacted: Outlook, Office

Quotes

• In a file-sharing attack scenario, an attacker could provide a specially crafted document file designed to exploit the vulnerability, and then convince users to open the document file and interact with the document

Headlines

• July 31, 2024 - Specula Tool Weaponizes Microsoft Outlook Vulnerability: New Threat for Email Users
• July 29, 2024 - New Specula tool uses Outlook for remote code execution in Windows

CVE-2018-0824

HIGH CVSS 7.50 EPSS Score 39.10 EPSS Percentile 97.26

Remote Code Execution Public Exploits Available

Published: May 9, 2018

A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects, aka "Microsoft COM for Windows Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.

Vendor Impacted: Microsoft

Products Impacted: Windows Rt 8.1, Windows 10, Windows 7, Windows Server 2008, Windows Server 2016, Windows Server 2012, Windows 8.1

Quotes

• It’s a feature, not a bug
• User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n
• The nature of research-and-development work carried out by the entity makes it a valuable target for threat actors dedicated to obtaining proprietary and sensitive technologies of interest to them
• The ShadowPad malware used in the current campaign exploited an outdated vulnerable version of Microsoft Office IME binary as a loader to load the customized second-stage loader for launching the payload

Headlines

• Aug. 2, 2024 - China's APT41 Targets Taiwan Research Institute for Cyber Espionage
• Aug. 2, 2024 - APT41 Hackers Use ShadowPad, Cobalt Strike in Taiwanese Institute Cyber Attack
• Aug. 2, 2024 - Chinese APT41 Group Breaches Taiwanese Research Institute
• Aug. 1, 2024 - There is no real fix to the security issues recently found in GitHub and other similar software
• Aug. 1, 2024 - APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike

CVE-2024-37085

HIGH CVSS 7.20 EPSS Score 1.22 EPSS Percentile 85.46

CISA Known Exploited Actively Exploited Remote Code Execution Used In Ransomware Public Exploits Available

Published: June 25, 2024

VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management https://blogs.vmware.com/vsphere/2012/09/joining-vsphere-hosts-to-active-directory.html by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD.

Vendor Impacted: Vmware

Products Impacted: Esxi, Cloud Foundation

Quotes

• This method is actively exploited in the wild by the abovementioned threat actors
• These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise
• Microsoft researchers have uncovered a vulnerability in ESXi hypervisors being exploited by several ransomware operators to obtain full administrative permissions on domain-joined ESXi hypervisors
• ESXi is a bare-metal hypervisor that is installed directly onto a physical server and provides direct access and control of underlying resources. ESXi hypervisors host virtual machines that may include critical servers in a network
• For clarity: these are potentially vulnerable as this is a remote version check only for patch status. We do not have detection of any workarounds in place nor do we check whether other pre-conditions of exploitability exist (domain-joined ESXi hypervisors)
• A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group ('ESXi Admins' by default) after it was deleted from AD
• This group is not a built-in group in Active Directory and does not exist by default. ESXi hypervisors do not validate that such a group exists when the server is joined to a domain and still treats any members of a group with this name with full administrative access, even if the group did not originally exist

Headlines

• Aug. 1, 2024 - +20,000 internet-exposed VMware ESXi instances vulnerable to CVE-2024-37085
• July 31, 2024 - VMware ESXi Vulnerability Exposes Thousands of Servers to Ransomware
• July 30, 2024 - CISA adds VMware ESXi bug to its Known Exploited Vulnerabilities catalog
• July 30, 2024 - Ransomware Gangs Exploit ESXi Bug for Instant, Mass Encryption of VMs
• July 30, 2024 - CISA warns of VMware ESXi bug exploited in ransomware attacks
• July 30, 2024 - Black Basta ransomware switches to more evasive custom malware
• July 30, 2024 - Ransomware gangs are loving this dumb but deadly ESXi flaw
• July 30, 2024 - VMware ESXi auth bypass zero-day exploited by ransomware operators (CVE-2024-37085)
• July 30, 2024 - VMware ESXi Flaw Exploited by Ransomware Groups for Admin Access
• July 30, 2024 - CVE-2024-37085: VMware ESXi Vulnerability Exploited by Ransomware Gangs
• July 29, 2024 - Ransomware gangs exploit VMware ESXi bug CVE-2024-37085
• July 29, 2024 - Microsoft: Ransomware gangs exploit VMware ESXi auth bypass in attacks