VULNERA Pulse

Oracle — WebLogic Server

CVE-2017-3506 / Added: June 3, 2024

HIGH CVSS 7.40 EPSS Score 95.72 EPSS Percentile 99.43

Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute arbitrary code via a specially crafted HTTP request that includes a malicious XML document.

Headlines

• June 6, 2024 - CISA says 'patch now' to 7-year-old Oracle WebLogic bug
• June 4, 2024 - Oracle WebLogic Server OS Command Injection Flaw Under Active Attack
• June 3, 2024 - CISA adds Oracle WebLogic Server flaw to its Known Exploited Vulnerabilities catalog
• Dec. 20, 2023 - 8220 gang exploits old Oracle WebLogic vulnerability to deliver infostealers, cryptominers
• Dec. 19, 2023 - 8220 Gang Exploiting Oracle WebLogic Server Vulnerability to Spread Malware
• May 18, 2023 - 8220 Gang Exploiting Oracle WebLogic Flaw to Hijack Servers and Mine Cryptocurrency
• Sept. 19, 2018 - Click It Up: Targeting Local Government Payment Portals | Mandiant

Back to top ↑

CVE-2024-1800

CRITICAL CVSS 9.90 EPSS Score 0.05 EPSS Percentile 15.96

Remote Code Execution Public Exploits Available

Published: March 20, 2024

In Progress® Telerik® Report Server versions prior to 2024 Q1 (10.0.24.130), a remote code execution attack is possible through an insecure deserialization vulnerability.

Quotes

• The vulnerability is very simple, the endpoint which is responsible for setting up the server for the first time is accessible unauthenticated even after the admin has finished the setup process
• In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability
• An attacker with remote access and an ability to execute malicious code on such an asset may allow such an attacker to not only interfere with reporting functionality but also to better understand a victim’s network or gain further access leveraging the Active Directory integration. Such an attack can serve as a beachhead, or beginning, on a victim organization for attackers

Headlines

• June 4, 2024 - Telerik Report Server Flaw Could Let Attackers Create Rogue Admin Accounts
• June 4, 2024 - PoC for Progress Telerik RCE chain released (CVE-2024-4358, CVE-2024-1800)
• June 4, 2024 - Experts released PoC exploit code for a critical bug in Progress Telerik Report Servers
• June 3, 2024 - Exploit for critical Progress Telerik auth bypass released, patch now

CVE-2024-29974

CRITICAL CVSS 9.80 EPSS Score 0.09 EPSS Percentile 39.02

Remote Code Execution

Published: June 4, 2024

** UNSUPPORTED WHEN ASSIGNED ** The remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device.

Quotes

• Zyxel has treated the disclosure process fairly, agreeing to a coordinated disclosure
• Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers [...] despite the products already having reached end-of-vulnerability-support

Headlines

• June 6, 2024 - Zyxel patches critical flaws in EOL NAS devices
• June 5, 2024 - Emergency patches released for EOL Zyxel NAS boxes
• June 5, 2024 - Zyxel addressed three RCEs in end-of-life NAS devices
• June 4, 2024 - Zyxel issues emergency RCE patch for end-of-life NAS devices
• June 4, 2024 - Urgent Security Update for Zyxel NAS Devices: Patches Available for Critical Flaws

CVE-2024-29973

CRITICAL CVSS 9.80 EPSS Score 0.09 EPSS Percentile 38.42

Risk Context N/A

Published: June 4, 2024

** UNSUPPORTED WHEN ASSIGNED ** The command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.

Quotes

• Zyxel has treated the disclosure process fairly, agreeing to a coordinated disclosure
• Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers [...] despite the products already having reached end-of-vulnerability-support

Headlines

• June 6, 2024 - Zyxel patches critical flaws in EOL NAS devices
• June 5, 2024 - Emergency patches released for EOL Zyxel NAS boxes
• June 5, 2024 - Zyxel addressed three RCEs in end-of-life NAS devices
• June 4, 2024 - Zyxel issues emergency RCE patch for end-of-life NAS devices
• June 4, 2024 - Urgent Security Update for Zyxel NAS Devices: Patches Available for Critical Flaws

CVE-2024-29972

CRITICAL CVSS 9.80 EPSS Score 0.09 EPSS Percentile 38.42

Risk Context N/A

Published: June 4, 2024

** UNSUPPORTED WHEN ASSIGNED ** The command injection vulnerability in the CGI program "remote_help-cgi" in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.

Quotes

• Zyxel has treated the disclosure process fairly, agreeing to a coordinated disclosure
• Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers [...] despite the products already having reached end-of-vulnerability-support

Headlines

• June 6, 2024 - Zyxel patches critical flaws in EOL NAS devices
• June 5, 2024 - Emergency patches released for EOL Zyxel NAS boxes
• June 5, 2024 - Zyxel addressed three RCEs in end-of-life NAS devices
• June 4, 2024 - Zyxel issues emergency RCE patch for end-of-life NAS devices
• June 4, 2024 - Urgent Security Update for Zyxel NAS Devices: Patches Available for Critical Flaws

CVE-2024-4358

CRITICAL CVSS 9.80 EPSS Score 0.05 EPSS Percentile 19.43

Actively Exploited Public Exploits Available

Published: May 29, 2024

In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.

Quotes

• The vulnerability is very simple, the endpoint which is responsible for setting up the server for the first time is accessible unauthenticated even after the admin has finished the setup process
• In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability
• An attacker with remote access and an ability to execute malicious code on such an asset may allow such an attacker to not only interfere with reporting functionality but also to better understand a victim’s network or gain further access leveraging the Active Directory integration. Such an attack can serve as a beachhead, or beginning, on a victim organization for attackers

Headlines

• June 4, 2024 - Telerik Report Server Flaw Could Let Attackers Create Rogue Admin Accounts
• June 4, 2024 - PoC for Progress Telerik RCE chain released (CVE-2024-4358, CVE-2024-1800)
• June 4, 2024 - Experts released PoC exploit code for a critical bug in Progress Telerik Report Servers
• June 3, 2024 - Exploit for critical Progress Telerik auth bypass released, patch now

CVE-2018-20062

CRITICAL CVSS 9.80 EPSS Score 96.68 EPSS Percentile 99.65

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Dec. 11, 2018

An issue was discovered in NoneCms V1.3. thinkphp/library/think/App.php allows remote attackers to execute arbitrary PHP code via crafted use of the filter parameter, as demonstrated by the s=index/\think\Request/input&filter=phpinfo&data=1 query string.

Vendors Impacted: 5none, Thinkphp

Product Impacted: Nonecms

Quotes

• The attackers used the cmd.cat/chattr docker image container that retrieves the payload from their own command-and-control (C&C) infrastructure
• Attackers are exploiting known vulnerabilities, some of them several years old, and they are having success doing so. A prime example of this is the ThinkPHP remote code execution (RCE) vulnerabilities CVE-2018-20062 and CVE-2019-9082

Headlines

• June 7, 2024 - Chinese threat actor exploits old ThinkPHP flaws since Oct. 2023
• June 7, 2024 - Commando Cat Cryptojacking Attacks Target Misconfigured Docker Instances
• June 7, 2024 - ThinkPHP Vulnerabilities Under Active Exploit: Researchers Warn
• June 6, 2024 - Hackers exploit 2018 ThinkPHP flaws to install ‘Dama’ web shells

CVE-2019-9082

HIGH CVSS 8.80 EPSS Score 97.45 EPSS Percentile 99.95

CISA Known Exploited Remote Code Execution Public Exploits Available

Published: Feb. 24, 2019

ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows Remote Command Execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.

Vendors Impacted: Zzzcms, Opensourcebms, Thinkphp

Products Impacted: Open Source Background Management System, Zzzphp, Thinkphp

Quotes

• The attackers used the cmd.cat/chattr docker image container that retrieves the payload from their own command-and-control (C&C) infrastructure
• Attackers are exploiting known vulnerabilities, some of them several years old, and they are having success doing so. A prime example of this is the ThinkPHP remote code execution (RCE) vulnerabilities CVE-2018-20062 and CVE-2019-9082

Headlines

• June 7, 2024 - Chinese threat actor exploits old ThinkPHP flaws since Oct. 2023
• June 7, 2024 - Commando Cat Cryptojacking Attacks Target Misconfigured Docker Instances
• June 7, 2024 - ThinkPHP Vulnerabilities Under Active Exploit: Researchers Warn
• June 6, 2024 - Hackers exploit 2018 ThinkPHP flaws to install ‘Dama’ web shells

CVE-2024-24919

HIGH CVSS 8.60 EPSS Score 94.50 EPSS Percentile 99.23

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: May 28, 2024

Potentially allowing an attacker to read certain information on Check Point Security Gateways once connected to the internet and enabled with remote Access VPN or Mobile Access Software Blades. A Security fix that mitigates this vulnerability is available.

Vendors Impacted: Checkpoint, Check Point

Products Impacted: Quantum Spark Firmware, Quantum Spark, Cloudguard Network Security, Quantum Security Gateway, Quantum Security Gateways, Quantum Security Gateway Firmware

Quotes

• A small number of login attempts
• With a public proof of concept out, and exploitation quickly ramping up, we recommend patching Check Point as soon as possible
• Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute arbitrary code via a specially crafted HTTP request that includes a malicious XML document

Headlines

• June 6, 2024 - Attacks Surge on Check Point's Recent VPN Zero-Day Flaw
• June 4, 2024 - Oracle WebLogic Server OS Command Injection Flaw Under Active Attack
• June 3, 2024 - Check Point to customers: Patch your VPN ASAP
• June 3, 2024 - 13,800+ Check Point Gateways Exposed: 0-Day CVE-2024-24919 Flaw Under Attack
• June 2, 2024 - newsletter Round 474 by Pierluigi Paganini – INTERNATIONAL EDITION
• June 2, 2024 - Week in review: Attackers trying to access Check Point VPNs, NIST CSF 2.0 security metrics evolution

CVE-2017-3506

HIGH CVSS 7.40 EPSS Score 95.72 EPSS Percentile 99.43

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: April 24, 2017

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data as well as unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Vendor Impacted: Oracle

Product Impacted: Weblogic Server

Quotes

• Water Sigbin's activities involving the exploitation of CVE-2017-3506 and CVE-2023-21839 underscore the adaptability of modern threat actors
• Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute arbitrary code via a specially crafted HTTP request that includes a malicious XML document

Headlines

• June 6, 2024 - CISA says 'patch now' to 7-year-old Oracle WebLogic bug
• June 4, 2024 - Oracle WebLogic Server OS Command Injection Flaw Under Active Attack
• June 3, 2024 - CISA adds Oracle WebLogic Server flaw to its Known Exploited Vulnerabilities catalog

CVE-2024-27348

CVSS Not Assigned EPSS Score 0.09 EPSS Percentile 36.78

Actively Exploited Remote Code Execution Public Exploits Available

Published: April 22, 2024

RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server.This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 in Java8 & Java11 Users are recommended to upgrade to version 1.3.0 with Java11 & enable the Auth system, which fixes the issue.

Quotes

• Also you could enable the
• Not allowed to execute command via Gremlin

Headlines

• June 7, 2024 - POC exploit code published for critical Apache HugeGraph bug
• June 5, 2024 - Analysis of CVE-2024-2738 Apache HugeGraph
• June 5, 2024 - CVE-2024-27348: Apache HugeGraph RCE Vulnerability, PoC Exploit Published