VULNERA Pulse

CyberPersons — CyberPanel

CVE-2024-51378 / Added: Dec. 4, 2024

CRITICAL CVSS 9.80 EPSS Score 0.04 EPSS Percentile 11.95

CyberPanel contains an incorrect default permissions vulnerability that allows for authentication bypass and the execution of arbitrary commands using shell metacharacters in the statusfile property.

Headlines

• Dec. 9, 2024 - ⚡ THN Recap: Top Cybersecurity Threats, Tools and Tips (Dec 2 - 8)
• Dec. 6, 2024 - U.S. CISA adds CyberPanel flaw to its Known Exploited Vulnerabilities catalog
• Dec. 5, 2024 - CISA Warns of Active Exploitation of Flaws in Zyxel, ProjectSend, and CyberPanel
• Dec. 5, 2024 - CVE-2024-51378 (CVSS 10): Critical CyberPanel Flaw Under Active Attack, CISA Warns
• Oct. 30, 2024 - Ransomware hits web hosting servers via vulnerable CyberPanel instances
• Oct. 30, 2024 - PSAUX Ransomware is Exploiting Two Max Severity Flaws (CVE-2024-51567, CVE-2024-51568) in CyberPanel

Back to top ↑

ProjectSend — ProjectSend

CVE-2024-11680 / Added: Dec. 3, 2024

CRITICAL CVSS 9.80 EPSS Score 0.32 EPSS Percentile 71.48

ProjectSend contains an improper authentication vulnerability that allows a remote, unauthenticated attacker to enable unauthorized modification of the application's configuration via crafted HTTP requests to options.php. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.

Headlines

• Dec. 9, 2024 - ⚡ THN Recap: Top Cybersecurity Threats, Tools and Tips (Dec 2 - 8)
• Dec. 5, 2024 - CISA Warns of Active Exploitation of Flaws in Zyxel, ProjectSend, and CyberPanel
• Dec. 4, 2024 - U.S. CISA adds ProjectSend, North Grid Proself, and Zyxel firewalls bugs to its Known Exploited Vulnerabilities catalog
• Dec. 4, 2024 - CISA Flags Three Actively Exploited Vulnerabilities in Critical Systems
• Dec. 2, 2024 - THN Recap: Top Cybersecurity Threats, Tools and Tips (Nov 25 - Dec 1)
• Dec. 1, 2024 - newsletter Round 500 by Pierluigi Paganini – INTERNATIONAL EDITION
• Nov. 28, 2024 - Malicious Actors Exploit ProjectSend Critical Vulnerability
• Nov. 28, 2024 - ProjectSend critical flaw actively exploited in the wild, experts warn
• Nov. 28, 2024 - ProjectSend critical flaw actively exploited in the wild, experts warn
• Nov. 27, 2024 - Hackers exploit ProjectSend flaw to backdoor exposed servers
• Nov. 27, 2024 - Critical Flaw in ProjectSend Under Active Exploitation Against Public-Facing Servers
• Nov. 27, 2024 - CVE-2024-11680 (CVSS 9.8): Critical ProjectSend Vulnerability Actively Exploited, PoC Published

Back to top ↑

Zyxel — Multiple Firewalls

CVE-2024-11667 / Added: Dec. 3, 2024

CRITICAL CVSS 9.80 EPSS Score 0.04 EPSS Percentile 10.60

Multiple Zyxel firewalls contain a path traversal vulnerability in the web management interface that could allow an attacker to download or upload files via a crafted URL.

Headlines

• Dec. 9, 2024 - ⚡ THN Recap: Top Cybersecurity Threats, Tools and Tips (Dec 2 - 8)
• Dec. 5, 2024 - CISA Warns of Active Exploitation of Flaws in Zyxel, ProjectSend, and CyberPanel
• Dec. 4, 2024 - U.S. CISA adds ProjectSend, North Grid Proself, and Zyxel firewalls bugs to its Known Exploited Vulnerabilities catalog
• Dec. 4, 2024 - CISA Flags Three Actively Exploited Vulnerabilities in Critical Systems
• Nov. 29, 2024 - CVE-2024-11667: Critical Vulnerability in Zyxel Firewalls Actively Exploited

Back to top ↑

North Grid — Proself

CVE-2023-45727 / Added: Dec. 3, 2024

HIGH CVSS 7.50 EPSS Score 0.17 EPSS Percentile 55.31

North Grid Proself Enterprise/Standard, Gateway, and Mail Sanitize contain an improper restriction of XML External Entity (XXE) reference vulnerability, which could allow a remote, unauthenticated attacker to conduct an XXE attack.

Headlines

• Dec. 9, 2024 - ⚡ THN Recap: Top Cybersecurity Threats, Tools and Tips (Dec 2 - 8)
• Dec. 5, 2024 - CISA Warns of Active Exploitation of Flaws in Zyxel, ProjectSend, and CyberPanel
• Dec. 4, 2024 - CISA Flags Three Actively Exploited Vulnerabilities in Critical Systems
• Nov. 26, 2024 - CISA Urges Agencies to Patch Critical "Array Networks" Flaw Amid Active Attacks
• Nov. 21, 2024 - Earth Kasha Expands Operations: New LODEINFO Malware Hits Government and High-Tech
• July 31, 2024 - Chinese Hackers Target Japanese Firms with LODEINFO and NOOPDOOR Malware
• Oct. 18, 2023 - CVE-2023-45727: Proself Zero-Day Security Vulnerability

Back to top ↑

CVE-2024-35286

CRITICAL CVSS 9.80 EPSS Score 0.04 EPSS Percentile 10.60

Public Exploits Available

Published: Oct. 21, 2024

A vulnerability in NuPoint Messenger (NPM) of Mitel MiCollab through 9.8.0.33 allows an unauthenticated attacker to conduct a SQL injection attack due to insufficient sanitization of user input. A successful exploit could allow an attacker to access sensitive information and execute arbitrary database and management operations.

Quotes

• No sensible admin would do this
• A successful exploit of this vulnerability could allow an attacker to gain unauthorized access, with potential impacts to the confidentiality, integrity, and availability of the system
• WatchTowr contacted Mitel on August 26 about the new vulnerability. Mitel informed watchTowr of plans to patch the first week of December 2024. At the time of publishing, there has been no update on the Mitel Security Advisory page
• MiCollab comprises a softphone application deployed to endpoints and a central server component capable of coordinating telephone calls between endpoints and also to the outside world. It’s like a mini telephone exchange, and it boasts the features you’d expect – voicemail, file sharing, and even desktop sharing so that users can show each other what they’re doing. While it’s obvious how dangerous compromise of features such as ‘desktop sharing’ are, there are usually larger dangers exposed by the telephone function itself

Headlines

• Dec. 6, 2024 - Unpatched Zero-Day Vulnerability in Mitel MiCollab Exposes Businesses to Serious Security Risks
• Dec. 6, 2024 - PoC exploit chains Mitel MiCollab 0-day, auth-bypass bug
• Dec. 5, 2024 - Bypass Bug Revives Critical N-Day in Mitel MiCollab
• Dec. 5, 2024 - Critical Mitel MiCollab Flaw Exposes Systems to Unauthorized File and Admin Access
• Dec. 5, 2024 - Mitel MiCollab zero-day and PoC exploit unveiled
• Dec. 5, 2024 - Mitel MiCollab zero-day flaw gets proof-of-concept exploit

CVE-2024-11680

CRITICAL CVSS 9.80 EPSS Score 0.32 EPSS Percentile 71.48

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Nov. 26, 2024

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript.

Vendor Impacted: Projectsend

Product Impacted: Projectsend

Quotes

• VulnCheck noticed that public-facing ProjectSend servers had started to change their landing page titles to long, random-ish strings. Some of the

Headlines

• Dec. 5, 2024 - CISA Warns of Active Exploitation of Flaws in Zyxel, ProjectSend, and CyberPanel
• Dec. 4, 2024 - U.S. CISA adds ProjectSend, North Grid Proself, and Zyxel firewalls bugs to its Known Exploited Vulnerabilities catalog
• Dec. 4, 2024 - CISA Flags Three Actively Exploited Vulnerabilities in Critical Systems
• Dec. 2, 2024 - THN Recap: Top Cybersecurity Threats, Tools and Tips (Nov 25 - Dec 1)
• Dec. 1, 2024 - newsletter Round 500 by Pierluigi Paganini – INTERNATIONAL EDITION

CVE-2024-8785

CRITICAL CVSS 9.80 EPSS Score 0.04 EPSS Percentile 17.46

Actively Exploited Remote Code Execution

Published: Dec. 2, 2024

In WhatsUp Gold versions released before 2024.0.1, a remote unauthenticated attacker could leverage NmAPI.exe to create or change an existing registry value in registry path HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\.

Quotes

• An unauthenticated remote attacker can invoke the UpdateFailoverRegistryValues operation via a netTcpBinding at net.tcp://:9643
• Specifically, the attacker can change HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\Network Monitor\WhatsUp Gold\Setup\InstallDir to a UNC path pointing to a host controlled by the attacker (i.e., \\\share\WhatsUp)

Headlines

• Dec. 5, 2024 - Exploit Code Available: Critical Flaw Found in WhatsUp Gold- CVE-2024-8785 (CVSS 9.8)
• Dec. 4, 2024 - PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785)
• Dec. 3, 2024 - Exploit released for critical WhatsUp Gold RCE flaw, patch now

CVE-2024-9680

CRITICAL CVSS 9.80 EPSS Score 0.31 EPSS Percentile 70.85

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Oct. 9, 2024

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, Firefox ESR < 115.16.1, Thunderbird < 131.0.1, Thunderbird < 128.3.1, and Thunderbird < 115.16.0.

Vendors Impacted: Debian, Mozilla

Products Impacted: Firefox Esr, Debian Linux, Firefox, Thunderbird

Quotes

• The borderless nature of cybercrime means international police cooperation is essential, and the success of this operation supported by Interpol shows what results can be achieved when countries work together

Headlines

• Dec. 3, 2024 - Zero-Day Exploit Code Released for Windows Task Scheduler Flaw (CVE-2024-49039), Actively Exploited by RomCom Group
• Dec. 1, 2024 - Thousands more cyber scammers nabbed by Interpol operation
• Dec. 1, 2024 - Week in review: Exploitable flaws in corporate VPN clients, malware loader created with gaming engine

CVE-2024-41713

CRITICAL CVSS 9.10 EPSS Score 0.05 EPSS Percentile 23.17

Public Exploits Available

Published: Oct. 21, 2024

A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct a path traversal attack, due to insufficient input validation. A successful exploit could allow unauthorized access, enabling the attacker to view, corrupt, or delete users' data and system configurations.

Quotes

• No sensible admin would do this
• A successful exploit of this vulnerability could allow an attacker to gain unauthorized access, with potential impacts to the confidentiality, integrity, and availability of the system
• WatchTowr contacted Mitel on August 26 about the new vulnerability. Mitel informed watchTowr of plans to patch the first week of December 2024. At the time of publishing, there has been no update on the Mitel Security Advisory page
• MiCollab comprises a softphone application deployed to endpoints and a central server component capable of coordinating telephone calls between endpoints and also to the outside world. It’s like a mini telephone exchange, and it boasts the features you’d expect – voicemail, file sharing, and even desktop sharing so that users can show each other what they’re doing. While it’s obvious how dangerous compromise of features such as ‘desktop sharing’ are, there are usually larger dangers exposed by the telephone function itself

Headlines

• Dec. 6, 2024 - Unpatched Zero-Day Vulnerability in Mitel MiCollab Exposes Businesses to Serious Security Risks
• Dec. 6, 2024 - PoC exploit chains Mitel MiCollab 0-day, auth-bypass bug
• Dec. 5, 2024 - Bypass Bug Revives Critical N-Day in Mitel MiCollab
• Dec. 5, 2024 - Critical Mitel MiCollab Flaw Exposes Systems to Unauthorized File and Admin Access
• Dec. 5, 2024 - Mitel MiCollab zero-day and PoC exploit unveiled
• Dec. 5, 2024 - Mitel MiCollab zero-day flaw gets proof-of-concept exploit

CVE-2024-49039

HIGH CVSS 8.80 EPSS Score 0.68 EPSS Percentile 80.55

CISA Known Exploited Public Exploits Available

Published: Nov. 12, 2024

Windows Task Scheduler Elevation of Privilege Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows 10 22h2, Windows Server 2022 23h2, Windows 10 1507, Windows 10 1607, Windows 11 22h2, Windows Server 2019, Windows Server 2016, Windows 11 24h2, Windows, Windows 11 23h2, Windows 10 21h2, Windows 10 1809, Windows Server 2022, Windows Server 2025

Quotes

• The borderless nature of cybercrime means international police cooperation is essential, and the success of this operation supported by Interpol shows what results can be achieved when countries work together

Headlines

• Dec. 3, 2024 - Zero-Day Exploit Code Released for Windows Task Scheduler Flaw (CVE-2024-49039), Actively Exploited by RomCom Group
• Dec. 1, 2024 - Thousands more cyber scammers nabbed by Interpol operation
• Dec. 1, 2024 - Week in review: Exploitable flaws in corporate VPN clients, malware loader created with gaming engine

CVE-2024-42449

HIGH CVSS 7.10 EPSS Score 0.04 EPSS Percentile 10.60

Risk Context N/A

Published: Dec. 4, 2024

From the VSPC management agent machine, under condition that the management agent is authorized on the server, it is possible to remove arbitrary files on the VSPC server machine.

Quotes

• A critical vulnerability in the VSPC presents a significant risk to organizations using this software
• These service providers often trust their third-party vendor tools to manage client data and ensure business continuity
• From the VSPC management agent machine, under the condition that the management agent is authorized on the server, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine
• We encourage service providers using supported versions of Veeam Service Provider Console (versions 7 & 8) to update to the latest cumulative patch. Service Providers using unsupported versions are strongly encouraged to upgrade to the latest version of Veeam Service Provider Console

Headlines

• Dec. 5, 2024 - Veeam Urges Immediate Update to Patch Severe Vulnerabilities
• Dec. 4, 2024 - Veeam Urges Updates After Discovering Critical Vulnerability
• Dec. 4, 2024 - Veeam addressed critical Service Provider Console (VSPC) bug
• Dec. 4, 2024 - Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console
• Dec. 4, 2024 - CVE-2024-42448 (CVSS 9.9): Critical RCE Vulnerability in Veeam VSPC
• Dec. 3, 2024 - Veeam warns of critical RCE bug in Service Provider Console
• Dec. 3, 2024 - Veeam plugs serious holes in Service Provider Console (CVE-2024-42448, CVE-2024-42449)

CVE-2014-2120

MEDIUM CVSS 6.10 EPSS Score 0.25 EPSS Percentile 65.06

CISA Known Exploited Actively Exploited Remote Code Execution

Published: March 19, 2014

Cross-site scripting (XSS) vulnerability in the WebVPN login page in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCun19025.

Vendor Impacted: Cisco

Products Impacted: Adaptive Security Appliance Software, Adaptive Security Appliance (Asa)

Quotes

• Insufficient input validation of a parameter
• The vulnerability is due to insufficient input validation of a parameter
• These attacks highlight how technical debt and low cybersecurity maturity can compound risk
• An attacker could exploit this vulnerability by convincing a user to access a malicious link
• A vulnerability in the WebVPN login page of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of WebVPN on the Cisco ASA

Headlines

• Dec. 5, 2024 - Warning issued for 10-year-old vulnerability, security leaders discuss
• Dec. 3, 2024 - Cisco ASA flaw CVE-2014-2120 is being exploited in the wild
• Dec. 3, 2024 - Decade-Old Cisco Vulnerability Under Active Exploit
• Dec. 3, 2024 - Cisco Warns of Exploitation of Decade-Old ASA WebVPN Vulnerability
• Dec. 3, 2024 - Cisco Confirms Active Exploitation of Decade-Old WebVPN Vulnerability in ASA Software

CVE-2023-40238

MEDIUM CVSS 5.50 EPSS Score 0.04 EPSS Percentile 17.58

Actively Exploited

Published: Dec. 7, 2023

A LogoFAIL issue was discovered in BmpDecoderDxe in Insyde InsydeH2O with kernel 5.2 before 05.28.47, 5.3 before 05.37.47, 5.4 before 05.45.47, 5.5 before 05.53.47, and 5.6 before 05.60.47 for certain Lenovo devices. Image parsing of crafted BMP logo files can copy data to a specific address during the DXE phase of UEFI execution. This occurs because of an integer signedness error involving PixelHeight and PixelWidth during RLE4/RLE8 compression.

Vendor Impacted: Insyde

Product Impacted: Insydeh2o

Quotes

• While this appears to be a proof-of-concept rather than an active threat, Bootkitty signals a major shift as attackers expand bootkit attacks beyond the Windows ecosystem
• Our initial analysis confirmed it is a UEFI bootkit, named Bootkitty by its creators and surprisingly the first UEFI bootkit targeting Linux, specifically, a few Ubuntu versions
• [Bootkitty's] main goal is to disable the kernel's signature verification feature and to preload two as yet unknown ELF binaries via the Linux init process (which is the first process executed by the Linux kernel during system startup)
• When these images are parsed during boot, the vulnerability can be triggered and an attacker-controlled payload can arbitrarily be executed to hijack the execution flow and bypass security features like Secure Boot, including hardware-based Verified Boot mechanisms

Headlines

• Dec. 3, 2024 - BootKitty Linux UEFI bootkit spotted exploiting LogoFAIL flaws
• Dec. 2, 2024 - 'Bootkitty' First Bootloader to Take Aim at Linux
• Dec. 2, 2024 - BootKitty UEFI malware exploits LogoFAIL to infect Linux systems
• Dec. 2, 2024 - Security Alert: Bootkitty Bootkit Targets Linux via UEFI Vulnerability (CVE-2023-40238)