VULNERA Pulse

Palo Alto Networks — PAN-OS

CVE-2024-3393 / Added: Dec. 30, 2024

CVSS Not Assigned EPSS Score 1.18 EPSS Percentile 84.81

Palo Alto Networks PAN-OS contains a vulnerability in parsing and logging malicious DNS packets in the DNS Security feature that, when exploited, allows an unauthenticated attacker to remotely reboot the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.

Headlines

• Jan. 6, 2025 - Data describing 800K VW EVs exposed online
• Dec. 31, 2024 - CISA Warns of Actively Exploited Palo Alto Firewall Flaw (CVE-2024-3393)
• Dec. 30, 2024 - ⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips
• Dec. 27, 2024 - Hackers exploit DoS flaw to disable Palo Alto Networks firewalls
• Dec. 27, 2024 - Palo Alto Networks fixed a high-severity PAN-OS flaw
• Dec. 27, 2024 - Palo Alto Releases Patch for PAN-OS DoS Flaw — Update Immediately
• Dec. 27, 2024 - CVE-2024-3393: PAN-OS Vulnerability Now Exploited in the Wild

Back to top ↑

CVE-2024-12356

CRITICAL CVSS 9.80 EPSS Score 1.30 EPSS Percentile 85.61

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Dec. 17, 2024

A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user.

Vendor Impacted: Beyondtrust

Products Impacted: Privileged Remote Access, Privileged Remote Access (Pra) And Remote Support (Rs) , Remote Support

Quotes

• The incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor
• If this data is correct, it reflects the age-old tradeoff in software service operating philosophies and licensing models
• Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor
• On December 8, 2024, Treasury was notified by a third-party software service provider, BeyondTrust, that a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users
• In a letter informing lawmakers of the episode, the Treasury Department said that it had been notified on Dec. 8 by a third-party software service company, BeyondTrust, that the hacker had obtained a security key that allowed it to remotely gain access to certain Treasury workstations and documents on them

Headlines

• Jan. 3, 2025 - Thousands of Buggy BeyondTrust Systems Remain Exposed
• Dec. 31, 2024 - China-linked actors hacked US Treasury Department
• Dec. 31, 2024 - Chinese APT Exploits BeyondTrust API Key to Access U.S. Treasury Systems and Documents
• Dec. 31, 2024 - US Treasury Department Admits It Got Hacked by China
• Dec. 30, 2024 - US Treasury Department breached through remote support platform

CVE-2024-49112

CRITICAL CVSS 9.80 EPSS Score 0.09 EPSS Percentile 40.23

Actively Exploited Remote Code Execution Public Exploits Available

Published: Dec. 12, 2024

Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

Quotes

• With no pre-requisites except that the DNS server of the victim DC has Internet connectivity
• The ability to run code on a DC or to elevate users’ privileges through a DC heavily affects network security posture
• LDAP is the protocol that workstations and servers in Microsoft's Active Directory use to access and maintain directory services information

Headlines

• Jan. 3, 2025 - LDAPNightmare, a PoC exploit targets Windows LDAP flaw CVE-2024-49113
• Jan. 3, 2025 - LDAPNightmare PoC Exploit Crashes LSASS and Reboots Windows Domain Controllers
• Jan. 2, 2025 - Active Directory Flaw Can Crash Any Microsoft Server
• Jan. 2, 2025 - PoC Exploit Released for Zero-Click Vulnerability CVE-2024-49112 in Windows
• Dec. 30, 2024 - Patch Critical Windows Vulnerabilities for 2024

CVE-2022-37056

CRITICAL CVSS 9.80 EPSS Score 0.70 EPSS Percentile 80.14

Risk Context N/A

Published: Aug. 28, 2022

D-Link GO-RT-AC750 GORTAC750_revA_v101b03 and GO-RT-AC750_revB_FWv200b02 is vulnerable to Command Injection via /cgibin, hnap_main,

Vendor Impacted: Dlink

Products Impacted: Go-Rt-Ac750 Firmware, Go-Rt-Ac750

Quotes

• If the device has reached end-of-life and no longer receives security updates, it should be replaced with a new model
• Attackers frequently reuse older attacks, which accounts for the continued spread of the ‘FICORA’ and ‘CAPSAICIN’ botnets
• As a general policy, when products reach EOS/EOL, they can no longer be supported, and all firmware development for these products ceases

Headlines

• Jan. 2, 2025 - D-Link Issues Warning on End-of-Life Routers Vulnerable to Botnet Exploits
• Dec. 29, 2024 - Malware botnets exploit outdated D-Link routers in recent attacks
• Dec. 29, 2024 - CVE-2024-33112 and More: How FICORA and CAPSAICIN Botnets Are Exploiting D-Link Devices

CVE-2019-10891

CRITICAL CVSS 9.80 EPSS Score 4.74 EPSS Percentile 92.57

Risk Context N/A

Published: Sept. 6, 2019

An issue was discovered in D-Link DIR-806 devices. There is a command injection in function hnap_main, which calls system() without checking the parameter that can be controlled by user, and finally allows remote attackers to execute arbitrary shell commands with a special HTTP header.

Vendor Impacted: Dlink

Products Impacted: Dir-806 Firmware, Dir-806

Quotes

• If the device has reached end-of-life and no longer receives security updates, it should be replaced with a new model
• Attackers frequently reuse older attacks, which accounts for the continued spread of the ‘FICORA’ and ‘CAPSAICIN’ botnets
• As a general policy, when products reach EOS/EOL, they can no longer be supported, and all firmware development for these products ceases

Headlines

• Jan. 2, 2025 - D-Link Issues Warning on End-of-Life Routers Vulnerable to Botnet Exploits
• Dec. 29, 2024 - Malware botnets exploit outdated D-Link routers in recent attacks
• Dec. 29, 2024 - CVE-2024-33112 and More: How FICORA and CAPSAICIN Botnets Are Exploiting D-Link Devices

CVE-2015-2051

CRITICAL CVSS 9.80 EPSS Score 94.89 EPSS Percentile 99.47

CISA Known Exploited Actively Exploited Remote Code Execution

Published: Feb. 23, 2015

The D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface.

Vendors Impacted: D-Link, Dlink

Products Impacted: Dir-645, Dir-645 Router, Dir-645 Firmware

Quotes

• If the device has reached end-of-life and no longer receives security updates, it should be replaced with a new model
• Attackers frequently reuse older attacks, which accounts for the continued spread of the ‘FICORA’ and ‘CAPSAICIN’ botnets
• As a general policy, when products reach EOS/EOL, they can no longer be supported, and all firmware development for these products ceases

Headlines

• Jan. 2, 2025 - D-Link Issues Warning on End-of-Life Routers Vulnerable to Botnet Exploits
• Dec. 29, 2024 - Malware botnets exploit outdated D-Link routers in recent attacks
• Dec. 29, 2024 - CVE-2024-33112 and More: How FICORA and CAPSAICIN Botnets Are Exploiting D-Link Devices

CVE-2024-49113

HIGH CVSS 7.50 EPSS Score 0.05 EPSS Percentile 18.91

Public Exploits Available

Published: Dec. 12, 2024

Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

Quotes

• With no pre-requisites except that the DNS server of the victim DC has Internet connectivity
• LDAP is the protocol that workstations and servers in Microsoft's Active Directory use to access and maintain directory services information
• SafeBreach Labs developed a proof of concept exploit for CVE-2024-49113 that crashes any unpatched Windows Server (not just DCs) with no pre-requisites except that the DNS server of the victim DC has Internet connectivity

Headlines

• Jan. 3, 2025 - LDAPNightmare, a PoC exploit targets Windows LDAP flaw CVE-2024-49113
• Jan. 3, 2025 - LDAPNightmare PoC Exploit Crashes LSASS and Reboots Windows Domain Controllers
• Jan. 2, 2025 - Active Directory Flaw Can Crash Any Microsoft Server

CVE-2024-33112

HIGH CVSS 7.50 EPSS Score 0.04 EPSS Percentile 11.01

Risk Context N/A

Published: May 6, 2024

D-Link DIR-845L router v1.01KRb03 and before is vulnerable to Command injection via the hnap_main()func.

Quotes

• If the device has reached end-of-life and no longer receives security updates, it should be replaced with a new model
• Attackers frequently reuse older attacks, which accounts for the continued spread of the ‘FICORA’ and ‘CAPSAICIN’ botnets
• As a general policy, when products reach EOS/EOL, they can no longer be supported, and all firmware development for these products ceases

Headlines

• Jan. 2, 2025 - D-Link Issues Warning on End-of-Life Routers Vulnerable to Botnet Exploits
• Dec. 29, 2024 - Malware botnets exploit outdated D-Link routers in recent attacks
• Dec. 29, 2024 - CVE-2024-33112 and More: How FICORA and CAPSAICIN Botnets Are Exploiting D-Link Devices

CVE-2024-12856

HIGH CVSS 7.20 EPSS Score 0.05 EPSS Percentile 18.38

Actively Exploited Remote Code Execution

Published: Dec. 27, 2024

The Four-Faith router models F3x24 and F3x36 are affected by an operating system (OS) command injection vulnerability. At least firmware version 2.0 allows authenticated and remote attackers to execute arbitrary OS commands over HTTP when modifying the system time via apply.cgi. Additionally, this firmware version has default credentials which, if not changed, would effectively change this vulnerability into an unauthenticated and remote OS command execution issue.

Quotes

• Customers experiencing this denial-of-service (DoS) when their firewall blocks malicious DNS packets that trigger this issue
• At least firmware version 2.0 allows authenticated and remote attackers to execute arbitrary OS commands over HTTP when modifying the system time via apply.cgi
• The attacker leveraged the router’s default credentials, effectively resulting in unauthenticated remote command injection. VulnCheck has assigned this issue CVE-2024-12856
• We notified Four-Faith and our customers about this issue on December 20, 2024. Questions about patches, affected models, and affected firmware versions should be directed at Four-Faith

Headlines

• Dec. 30, 2024 - Hackers exploit Four-Faith router flaw to open reverse shells
• Dec. 30, 2024 - ⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips
• Dec. 30, 2024 - Threat actors attempt to exploit a flaw in Four-Faith routers
• Dec. 30, 2024 - Four-Faith Industrial Routers Under Attack: CVE-2024-12856 Exploited in the Wild

CVE-2019-12168

HIGH CVSS 7.20 EPSS Score 0.55 EPSS Percentile 77.45

Remote Code Execution

Published: May 17, 2019

Four-Faith Wireless Mobile Router F3x24 v1.0 devices allow remote code execution via the Command Shell (aka Administration > Commands) screen.

Vendor Impacted: Four-Faith

Products Impacted: F3x24 Firmware, F3x24

Quotes

• At least firmware version 2.0 allows authenticated and remote attackers to execute arbitrary OS commands over HTTP when modifying the system time via apply.cgi
• We notified Four-Faith and our customers about this issue on December 20, 2024. Questions about patches, affected models, and affected firmware versions should be directed at Four-Faith

Headlines

• Dec. 30, 2024 - Hackers exploit Four-Faith router flaw to open reverse shells
• Dec. 30, 2024 - Threat actors attempt to exploit a flaw in Four-Faith routers

CVE-2024-12686

MEDIUM CVSS 6.60 EPSS Score 0.04 EPSS Percentile 11.28

Risk Context N/A

Published: Dec. 18, 2024

A vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) which can allow an attacker with existing administrative privileges to inject commands and run as a site user.

Quotes

• The incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor
• Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor
• On December 8, 2024, Treasury was notified by a third-party software service provider, BeyondTrust, that a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users
• In a letter informing lawmakers of the episode, the Treasury Department said that it had been notified on Dec. 8 by a third-party software service company, BeyondTrust, that the hacker had obtained a security key that allowed it to remotely gain access to certain Treasury workstations and documents on them

Headlines

• Dec. 31, 2024 - China-linked actors hacked US Treasury Department
• Dec. 31, 2024 - Chinese APT Exploits BeyondTrust API Key to Access U.S. Treasury Systems and Documents
• Dec. 31, 2024 - US Treasury Department Admits It Got Hacked by China
• Dec. 30, 2024 - US Treasury Department breached through remote support platform