VULNERA Pulse

D-Link — DIR-605 Router

CVE-2021-40655 / Added: May 16, 2024

HIGH CVSS 7.50 EPSS Score 10.46 EPSS Percentile 94.98

D-Link DIR-605 routers contain an information disclosure vulnerability that allows attackers to obtain a username and password by forging a post request to the /getcfg.php page.

Headlines

• May 16, 2024 - CISA Alerts on Active Exploitation of Flaws in D-Link Routers and Chromium Browser

Back to top ↑

D-Link — DIR-600 Router

CVE-2014-100005 / Added: May 16, 2024

MEDIUM CVSS 6.80 EPSS Score 87.85 EPSS Percentile 98.65

D-Link DIR-600 routers contain a cross-site request forgery (CSRF) vulnerability that allows an attacker to change router configurations by hijacking an existing administrator session.

Headlines

• May 17, 2024 - CISA Warns of Actively Exploited D-Link Router Vulnerabilities - Patch Now
• May 16, 2024 - CISA Alerts on Active Exploitation of Flaws in D-Link Routers and Chromium Browser

Back to top ↑

Google — Chromium Visuals

CVE-2024-4761 / Added: May 16, 2024

CVSS Not Assigned EPSS Score 4.51 EPSS Percentile 92.44

Google Chromium V8 Engine contains an unspecified out-of-bounds memory write vulnerability via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Headlines

• May 17, 2024 - CISA adds Chrome zero-days to its Known Exploited Vulnerabilities catalog
• May 16, 2024 - CISA Alerts on Active Exploitation of Flaws in D-Link Routers and Chromium Browser
• May 16, 2024 - Google fixes seventh actively exploited Chrome zero-day this year
• May 16, 2024 - Patch Now: Another Google Zero-Day Under Exploit in the Wild
• May 16, 2024 - Third Chrome Zero-Day Patched by Google Within One Week
• May 16, 2024 - Google Patches Yet Another Actively Exploited Chrome Zero-Day Vulnerability
• May 15, 2024 - Google fixes third actively exploited Chrome zero-day in a week
• May 15, 2024 - Microsoft Patches 61 Flaws, Including Two Actively Exploited Zero-Days
• May 14, 2024 - Microsoft Windows DWM Zero-Day Poised for Mass Exploit
• May 14, 2024 - Microsoft fixes exploited bugs, one used in QakBot attacks
• May 14, 2024 - Microsoft fixes exploited bugs, one used in QakBot attacks
• May 14, 2024 - Dangerous Google Chrome Zero-Day Allows Sandbox Escape
• May 14, 2024 - New Chrome Zero-Day Vulnerability CVE-2024-4761 Under Active Exploitation
• May 14, 2024 - Google Patches Second Chrome Zero-Day in One Week
• May 14, 2024 - Google fixes sixth actively exploited Chrome zero-day this year
• May 14, 2024 - Google Chrome emergency update fixes 6th zero-day exploited in 2024
• May 14, 2024 - CVE-2024-4761: Zero-Day Vulnerability Patched in Google Chrome

Back to top ↑

Microsoft — Windows

CVE-2024-30040 / Added: May 14, 2024

HIGH CVSS 8.80 EPSS Score 0.94 EPSS Percentile 83.04

Microsoft Windows MSHTML Platform contains an unspecified vulnerability that allows for a security feature bypass.

Headlines

• May 17, 2024 - Microsoft Has Yet to Patch 7 Pwn2Own Zero-Days
• May 15, 2024 - Microsoft Fixes Three Zero-Days in May Patch Tuesday
• May 15, 2024 - Microsoft Patches 61 Flaws, Including Two Actively Exploited Zero-Days
• May 15, 2024 - No mayday call necessary for the year’s fifth Patch Tuesday
• May 15, 2024 - Microsoft Patches Actively Exploited 0-Day Flaws (CVE-2024-30040 & CVE-2024-30051)
• May 14, 2024 - May 2024 Patch Tuesday: Updates and Analysis | CrowdStrike
• May 14, 2024 - Microsoft Windows DWM Zero-Day Poised for Mass Exploit
• May 14, 2024 - Microsoft fixes exploited bugs, one used in QakBot attacks
• May 14, 2024 - Microsoft fixes exploited bugs, one used in QakBot attacks
• May 14, 2024 - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days
• May 14, 2024 - Patch Tuesday, May 2024 Edition –
• May 14, 2024 - May 2024 Patch Tuesday: Microsoft fixes exploited zero-days (CVE-2024-30051, CVE-2024-30040)
• May 14, 2024 - Microsoft May 2024 Patch Tuesday fixes 3 zero-days, 61 flaws
• May 14, 2024 - Critical Patches Issued for Microsoft Products, May 14, 2024

Back to top ↑

Microsoft — DWM Core Library

CVE-2024-30051 / Added: May 14, 2024

HIGH CVSS 7.80 EPSS Score 0.05 EPSS Percentile 19.29

Microsoft DWM Core Library contains a privilege escalation vulnerability that allows an attacker to gain SYSTEM privileges.

Headlines

• May 17, 2024 - Microsoft Has Yet to Patch 7 Pwn2Own Zero-Days
• May 16, 2024 - Rounding up some of the major headlines from RSA
• May 15, 2024 - Microsoft Fixes Three Zero-Days in May Patch Tuesday
• May 15, 2024 - Microsoft Patches 61 Flaws, Including Two Actively Exploited Zero-Days
• May 15, 2024 - No mayday call necessary for the year’s fifth Patch Tuesday
• May 15, 2024 - CVE-2024-30051: Windows Zero-Day Vulnerability Exploited to Deliver QakBot Malware
• May 15, 2024 - Microsoft Patches Actively Exploited 0-Day Flaws (CVE-2024-30040 & CVE-2024-30051)
• May 14, 2024 - May 2024 Patch Tuesday: Updates and Analysis | CrowdStrike
• May 14, 2024 - Microsoft Windows DWM Zero-Day Poised for Mass Exploit
• May 14, 2024 - Microsoft fixes exploited bugs, one used in QakBot attacks
• May 14, 2024 - Microsoft fixes exploited bugs, one used in QakBot attacks
• May 14, 2024 - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days
• May 14, 2024 - Patch Tuesday, May 2024 Edition –
• May 14, 2024 - May 2024 Patch Tuesday: Microsoft fixes exploited zero-days (CVE-2024-30051, CVE-2024-30040)
• May 14, 2024 - Microsoft fixes Windows zero-day exploited in QakBot malware attacks
• May 14, 2024 - Only one critical vulnerability included in May’s Microsoft Patch Tuesday; One other zero-day in DWN Core
• May 14, 2024 - Microsoft May 2024 Patch Tuesday fixes 3 zero-days, 61 flaws
• May 14, 2024 - QakBot attacks with Windows zero-day (CVE-2024-30051)
• May 14, 2024 - Critical Patches Issued for Microsoft Products, May 14, 2024

Back to top ↑

Google — Chromium

CVE-2024-4671 / Added: May 13, 2024

CRITICAL CVSS 9.60 EPSS Score 0.88 EPSS Percentile 82.41

Google Chromium Visuals contains a use-after-free vulnerability that allows a remote attacker to exploit heap corruption via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Headlines

• May 17, 2024 - CISA adds Chrome zero-days to its Known Exploited Vulnerabilities catalog
• May 16, 2024 - Google fixes seventh actively exploited Chrome zero-day this year
• May 16, 2024 - Patch Now: Another Google Zero-Day Under Exploit in the Wild
• May 16, 2024 - Third Chrome Zero-Day Patched by Google Within One Week
• May 16, 2024 - Google Patches Yet Another Actively Exploited Chrome Zero-Day Vulnerability
• May 15, 2024 - Google fixes third actively exploited Chrome zero-day in a week
• May 15, 2024 - Microsoft Patches 61 Flaws, Including Two Actively Exploited Zero-Days
• May 15, 2024 - No mayday call necessary for the year’s fifth Patch Tuesday
• May 14, 2024 - Dangerous Google Chrome Zero-Day Allows Sandbox Escape
• May 14, 2024 - New Chrome Zero-Day Vulnerability CVE-2024-4761 Under Active Exploitation
• May 14, 2024 - Google Patches Second Chrome Zero-Day in One Week
• May 14, 2024 - Another Chrome Vulnerability
• May 14, 2024 - Google fixes sixth actively exploited Chrome zero-day this year
• May 14, 2024 - Google issues urgent Chrome update to patch zero-day vulnerability
• May 14, 2024 - Google Chrome emergency update fixes 6th zero-day exploited in 2024
• May 13, 2024 - Microsoft Edge Zero-Day Vulnerability Patched: Urgent Update Needed
• May 13, 2024 - Encrypted mail service still okay with giving PII to cops
• May 12, 2024 - Week in review: Veeam fixes RCE flaw in backup management platform, Patch Tuesday forecast
• May 10, 2024 - Google fixes fifth actively exploited Chrome zero-day this year
• May 10, 2024 - Chrome Zero-Day Alert — Update Your Browser to Patch New Vulnerability
• May 10, 2024 - Google fixes Chrome zero-day with in-the-wild exploit (CVE-2024-4671)
• May 10, 2024 - Google fixes fifth Chrome zero-day exploited in attacks this year
• May 10, 2024 - Google Rushes to Patch Chrome Zero-Day Exploit: CVE-2024-4671

Back to top ↑

CVE-2024-4671

CRITICAL CVSS 9.60 EPSS Score 0.88 EPSS Percentile 82.41

CISA Known Exploited Actively Exploited Remote Code Execution

Published: May 14, 2024

Use after free in Visuals in Google Chrome prior to 124.0.6367.201 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Vendor Impacted: Google

Products Impacted: Chromium, Chrome

Quotes

• Access to one of the largest cyber security companies
• Google is aware that an exploit for CVE-2024-4671 exists in the wild
• To manipulate the specially crafted file, but not necessarily click or open the malicious file
• Makes it possible to manipulate parts of the memory which are allocated to more critical functions
• Proton has minimal user information, as illustrated by the fact that in this case data obtained from Apple was used to identify the terrorism suspect
• The Stable channel has been updated to 124.0.6367.201/.202 for Mac and Windows and 124.0.6367.201 for Linux which will roll out over the coming days/weeks
• An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through convincing a user to open a malicious document at which point the attacker could execute arbitrary code in the context of the user

Headlines

• May 17, 2024 - CISA adds Chrome zero-days to its Known Exploited Vulnerabilities catalog
• May 16, 2024 - Google fixes seventh actively exploited Chrome zero-day this year
• May 16, 2024 - Patch Now: Another Google Zero-Day Under Exploit in the Wild
• May 16, 2024 - Third Chrome Zero-Day Patched by Google Within One Week
• May 16, 2024 - Google Patches Yet Another Actively Exploited Chrome Zero-Day Vulnerability
• May 15, 2024 - Google fixes third actively exploited Chrome zero-day in a week
• May 15, 2024 - Microsoft Patches 61 Flaws, Including Two Actively Exploited Zero-Days
• May 15, 2024 - No mayday call necessary for the year’s fifth Patch Tuesday
• May 14, 2024 - Dangerous Google Chrome Zero-Day Allows Sandbox Escape
• May 14, 2024 - New Chrome Zero-Day Vulnerability CVE-2024-4761 Under Active Exploitation
• May 14, 2024 - Google Patches Second Chrome Zero-Day in One Week
• May 14, 2024 - Another Chrome Vulnerability
• May 14, 2024 - Google fixes sixth actively exploited Chrome zero-day this year
• May 14, 2024 - Google issues urgent Chrome update to patch zero-day vulnerability
• May 14, 2024 - Google Chrome emergency update fixes 6th zero-day exploited in 2024
• May 13, 2024 - Microsoft Edge Zero-Day Vulnerability Patched: Urgent Update Needed
• May 13, 2024 - Encrypted mail service still okay with giving PII to cops
• May 12, 2024 - Week in review: Veeam fixes RCE flaw in backup management platform, Patch Tuesday forecast

CVE-2024-22267

CRITICAL CVSS 9.30 EPSS Score 0.04 EPSS Percentile 8.57

Risk Context N/A

Published: May 14, 2024

VMware Workstation and Fusion contain a use-after-free vulnerability in the vbluetooth device. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

Quotes

• Believe that multiple threat actors have access to it
• A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host
• VMware would like to thank Gwangun Jung (@pr0ln) & Junoh Lee (@bbbig12) of Theori (@theori_io) and STAR Labs SG working with the Pwn2Own 2024 Security Contest for independently reporting this issue to us

Headlines

• May 14, 2024 - Microsoft fixes exploited bugs, one used in QakBot attacks
• May 14, 2024 - VMware fixed zero-day flaws demonstrated at Pwn2Own2024
• May 14, 2024 - VMware Patches Severe Security Flaws in Workstation and Fusion Products
• May 14, 2024 - VMware fixes three zero-day bugs exploited at Pwn2Own 2024
• May 14, 2024 - Broadcom Reveals Critical VMware Flaws: Code Execution (CVE-2024-22267) and Data Leaks

CVE-2024-30040

HIGH CVSS 8.80 EPSS Score 0.94 EPSS Percentile 83.04

CISA Known Exploited

Published: May 14, 2024

Windows MSHTML Platform Security Feature Bypass Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows 10 1809, Windows Server 2022, Windows 11 22h2, Windows 11 23h2, Windows Server 2016, Windows 10 21h2, Windows 10 1607, Windows 10 22h2, Windows 11 21h2, Windows Server 2019, Windows, Windows 10 1507, Windows Server 2022 23h2

Quotes

• Numerous and diverse local users
• Publicly known at the time of the release
• Believe that multiple threat actors have access to it
• These types of bugs are very commonly used by threat actors
• An attacker who successfully exploited this vulnerability could gain SYSTEM privileges
• To manipulate the specially crafted file, but not necessarily click or open the malicious file
• An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through convincing a user to open a malicious document at which point the attacker could execute arbitrary code in the context of the user
• An attacker would have to convince the user to load a malicious file onto a vulnerable system, typically by way of an enticement in an Email or Instant Messenger message, and then convince the user to manipulate the specially crafted file, but not necessarily click or open the malicious file

Headlines

• May 17, 2024 - Microsoft Has Yet to Patch 7 Pwn2Own Zero-Days
• May 15, 2024 - Microsoft Fixes Three Zero-Days in May Patch Tuesday
• May 15, 2024 - Microsoft Patches 61 Flaws, Including Two Actively Exploited Zero-Days
• May 15, 2024 - No mayday call necessary for the year’s fifth Patch Tuesday
• May 15, 2024 - Microsoft Patches Actively Exploited 0-Day Flaws (CVE-2024-30040 & CVE-2024-30051)
• May 14, 2024 - May 2024 Patch Tuesday: Updates and Analysis | CrowdStrike
• May 14, 2024 - Microsoft Windows DWM Zero-Day Poised for Mass Exploit
• May 14, 2024 - Microsoft fixes exploited bugs, one used in QakBot attacks
• May 14, 2024 - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days
• May 14, 2024 - Patch Tuesday, May 2024 Edition –
• May 14, 2024 - May 2024 Patch Tuesday: Microsoft fixes exploited zero-days (CVE-2024-30051, CVE-2024-30040)
• May 14, 2024 - Microsoft May 2024 Patch Tuesday fixes 3 zero-days, 61 flaws
• May 14, 2024 - Critical Patches Issued for Microsoft Products, May 14, 2024

CVE-2024-30051

HIGH CVSS 7.80 EPSS Score 0.05 EPSS Percentile 19.29

CISA Known Exploited Actively Exploited

Published: May 14, 2024

Windows DWM Core Library Elevation of Privilege Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows 10 1809, Windows Server 2022, Windows 11 22h2, Windows 11 23h2, Windows Server 2016, Windows 10 21h2, Windows 10 1607, Windows 10 22h2, Windows 11 21h2, Windows Server 2019, Dwm Core Library, Windows 10 1507

Quotes

• Numerous and diverse local users
• AI is the best thing ever for security
• Publicly known at the time of the release
• Believe that multiple threat actors have access to it
• These types of bugs are very commonly used by threat actors
• An attacker who successfully exploited this vulnerability could gain SYSTEM privileges
• To manipulate the specially crafted file, but not necessarily click or open the malicious file
• CVE-2024-30051 is used to gain initial access into a target environment and requires the use of social engineering tactics via email, social media or instant messaging to convince a target to open a specially crafted document file
• After sending our findings to Microsoft, we began to closely monitor our statistics in search of exploits and attacks that exploit this zero-day vulnerability, and in mid-April we discovered an exploit for this zero-day vulnerability
• An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through convincing a user to open a malicious document at which point the attacker could execute arbitrary code in the context of the user
• An attacker would have to convince the user to load a malicious file onto a vulnerable system, typically by way of an enticement in an Email or Instant Messenger message, and then convince the user to manipulate the specially crafted file, but not necessarily click or open the malicious file

Headlines

• May 17, 2024 - Microsoft Has Yet to Patch 7 Pwn2Own Zero-Days
• May 16, 2024 - Rounding up some of the major headlines from RSA
• May 15, 2024 - Microsoft Fixes Three Zero-Days in May Patch Tuesday
• May 15, 2024 - Microsoft Patches 61 Flaws, Including Two Actively Exploited Zero-Days
• May 15, 2024 - No mayday call necessary for the year’s fifth Patch Tuesday
• May 15, 2024 - CVE-2024-30051: Windows Zero-Day Vulnerability Exploited to Deliver QakBot Malware
• May 15, 2024 - Microsoft Patches Actively Exploited 0-Day Flaws (CVE-2024-30040 & CVE-2024-30051)
• May 14, 2024 - May 2024 Patch Tuesday: Updates and Analysis | CrowdStrike
• May 14, 2024 - Microsoft Windows DWM Zero-Day Poised for Mass Exploit
• May 14, 2024 - Microsoft fixes exploited bugs, one used in QakBot attacks
• May 14, 2024 - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days
• May 14, 2024 - Patch Tuesday, May 2024 Edition –
• May 14, 2024 - May 2024 Patch Tuesday: Microsoft fixes exploited zero-days (CVE-2024-30051, CVE-2024-30040)
• May 14, 2024 - Microsoft fixes Windows zero-day exploited in QakBot malware attacks
• May 14, 2024 - Only one critical vulnerability included in May’s Microsoft Patch Tuesday; One other zero-day in DWN Core
• May 14, 2024 - Microsoft May 2024 Patch Tuesday fixes 3 zero-days, 61 flaws
• May 14, 2024 - QakBot attacks with Windows zero-day (CVE-2024-30051)
• May 14, 2024 - Critical Patches Issued for Microsoft Products, May 14, 2024

CVE-2024-23296

HIGH CVSS 7.80 EPSS Score 0.08 EPSS Percentile 34.77

CISA Known Exploited Remote Code Execution

Published: March 5, 2024

A memory corruption issue was addressed with improved validation. This issue is fixed in iOS 17.4 and iPadOS 17.4. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple is aware of a report that this issue may have been exploited.

Vendor Impacted: Apple

Products Impacted: Ipad Os, Multiple Products, Iphone Os

Quotes

• May have been actively exploited
• Believe that multiple threat actors have access to it
• This will help mitigate the misuse of devices designed to help keep track of belongings
• An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections
• MarketplaceKit now generates a different client_id every time it is called. Now there’s no way for alternative marketplace developers to identify users who have already purchased the marketplace app

Headlines

• May 14, 2024 - Microsoft fixes exploited bugs, one used in QakBot attacks
• May 14, 2024 - Apple backports iOS zero-day patch, adds Bluetooth tracker alert
• May 14, 2024 - Apple and Google Launch Cross-Platform Feature to Detect Unwanted Bluetooth Tracking Devices
• May 13, 2024 - Apple backports fix for RTKit iOS zero-day to older iPhones
• May 13, 2024 - Apple backports fix for zero-day exploited in attacks to older iPhones
• May 13, 2024 - Threat actors may have exploited a zero-day in older iPhones, Apple warns
• May 13, 2024 - Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

CVE-2024-30044

HIGH CVSS 7.20 EPSS Score 0.05 EPSS Percentile 18.56

Remote Code Execution

Published: May 14, 2024

Microsoft SharePoint Server Remote Code Execution Vulnerability

Quotes

• Numerous and diverse local users
• AI is the best thing ever for security
• Believe that multiple threat actors have access to it
• An attacker who successfully exploited this vulnerability could gain SYSTEM privileges
• To manipulate the specially crafted file, but not necessarily click or open the malicious file

Headlines

• May 16, 2024 - Rounding up some of the major headlines from RSA
• May 15, 2024 - Microsoft Fixes Three Zero-Days in May Patch Tuesday
• May 15, 2024 - No mayday call necessary for the year’s fifth Patch Tuesday
• May 15, 2024 - Microsoft Patches Actively Exploited 0-Day Flaws (CVE-2024-30040 & CVE-2024-30051)
• May 14, 2024 - May 2024 Patch Tuesday: Updates and Analysis | CrowdStrike
• May 14, 2024 - Microsoft fixes exploited bugs, one used in QakBot attacks
• May 14, 2024 - Patch Tuesday, May 2024 Edition –
• May 14, 2024 - May 2024 Patch Tuesday: Microsoft fixes exploited zero-days (CVE-2024-30051, CVE-2024-30040)
• May 14, 2024 - Only one critical vulnerability included in May’s Microsoft Patch Tuesday; One other zero-day in DWN Core

CVE-2024-22270

HIGH CVSS 7.10 EPSS Score 0.04 EPSS Percentile 8.57

Risk Context N/A

Published: May 14, 2024

VMware Workstation and Fusion contain an information disclosure vulnerability in the Host Guest File Sharing (HGFS) functionality. A malicious actor with local administrative privileges on a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine.

Quotes

• Believe that multiple threat actors have access to it
• A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host
• VMware would like to thank Gwangun Jung (@pr0ln) & Junoh Lee (@bbbig12) of Theori (@theori_io) and STAR Labs SG working with the Pwn2Own 2024 Security Contest for independently reporting this issue to us

Headlines

• May 14, 2024 - Microsoft fixes exploited bugs, one used in QakBot attacks
• May 14, 2024 - VMware fixed zero-day flaws demonstrated at Pwn2Own2024
• May 14, 2024 - VMware Patches Severe Security Flaws in Workstation and Fusion Products
• May 14, 2024 - VMware fixes three zero-day bugs exploited at Pwn2Own 2024
• May 14, 2024 - Broadcom Reveals Critical VMware Flaws: Code Execution (CVE-2024-22267) and Data Leaks

CVE-2024-22269

HIGH CVSS 7.10 EPSS Score 0.04 EPSS Percentile 8.57

Risk Context N/A

Published: May 14, 2024

VMware Workstation and Fusion contain an information disclosure vulnerability in the vbluetooth device. A malicious actor with local administrative privileges on a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine.

Quotes

• Believe that multiple threat actors have access to it
• A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host
• VMware would like to thank Gwangun Jung (@pr0ln) & Junoh Lee (@bbbig12) of Theori (@theori_io) and STAR Labs SG working with the Pwn2Own 2024 Security Contest for independently reporting this issue to us

Headlines

• May 14, 2024 - Microsoft fixes exploited bugs, one used in QakBot attacks
• May 14, 2024 - VMware fixed zero-day flaws demonstrated at Pwn2Own2024
• May 14, 2024 - VMware Patches Severe Security Flaws in Workstation and Fusion Products
• May 14, 2024 - VMware fixes three zero-day bugs exploited at Pwn2Own 2024
• May 14, 2024 - Broadcom Reveals Critical VMware Flaws: Code Execution (CVE-2024-22267) and Data Leaks

CVE-2024-4761

CVSS Not Assigned EPSS Score 4.51 EPSS Percentile 92.44

CISA Known Exploited Actively Exploited Public Exploits Available

Published: May 14, 2024

Out of bounds write in V8 in Google Chrome prior to 124.0.6367.207 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)

Vendor Impacted: Google

Product Impacted: Chromium Visuals

Quotes

• Publicly known at the time of the release
• Believe that multiple threat actors have access to it
• Google is aware that an exploit for CVE-2024-4761 exists in the wild
• CVE-2024-4761: Out of bounds write in V8. Reported by Anonymous on 2024-05-09″ reads the advisory
• Makes it possible to manipulate parts of the memory which are allocated to more critical functions
• An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through convincing a user to open a malicious document at which point the attacker could execute arbitrary code in the context of the user

Headlines

• May 17, 2024 - CISA adds Chrome zero-days to its Known Exploited Vulnerabilities catalog
• May 16, 2024 - CISA Alerts on Active Exploitation of Flaws in D-Link Routers and Chromium Browser
• May 16, 2024 - Google fixes seventh actively exploited Chrome zero-day this year
• May 16, 2024 - Patch Now: Another Google Zero-Day Under Exploit in the Wild
• May 16, 2024 - Third Chrome Zero-Day Patched by Google Within One Week
• May 16, 2024 - Google Patches Yet Another Actively Exploited Chrome Zero-Day Vulnerability
• May 15, 2024 - Google fixes third actively exploited Chrome zero-day in a week
• May 15, 2024 - Microsoft Patches 61 Flaws, Including Two Actively Exploited Zero-Days
• May 14, 2024 - Microsoft Windows DWM Zero-Day Poised for Mass Exploit
• May 14, 2024 - Microsoft fixes exploited bugs, one used in QakBot attacks
• May 14, 2024 - Dangerous Google Chrome Zero-Day Allows Sandbox Escape
• May 14, 2024 - New Chrome Zero-Day Vulnerability CVE-2024-4761 Under Active Exploitation
• May 14, 2024 - Google Patches Second Chrome Zero-Day in One Week
• May 14, 2024 - Google fixes sixth actively exploited Chrome zero-day this year
• May 14, 2024 - Google Chrome emergency update fixes 6th zero-day exploited in 2024
• May 14, 2024 - CVE-2024-4761: Zero-Day Vulnerability Patched in Google Chrome

CVE-2024-4947

CVSS Not Assigned EPSS Score 0.04 EPSS Percentile 8.57

Actively Exploited Remote Code Execution

Published: May 15, 2024

Type Confusion in V8 in Google Chrome prior to 125.0.6422.60 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Quotes

• Google is aware that an exploit for CVE-2024-4947 exists in the wild
• Successful exploitation of most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights

Headlines

• May 17, 2024 - CISA adds Chrome zero-days to its Known Exploited Vulnerabilities catalog
• May 16, 2024 - Google fixes seventh actively exploited Chrome zero-day this year
• May 16, 2024 - Patch Now: Another Google Zero-Day Under Exploit in the Wild
• May 16, 2024 - Google fixes third exploited Chrome zero-day in a week (CVE-2024-4947)
• May 16, 2024 - Third Chrome Zero-Day Patched by Google Within One Week
• May 16, 2024 - Google Patches Yet Another Actively Exploited Chrome Zero-Day Vulnerability
• May 16, 2024 - CVE-2024-4947: New Chrome 0-Day Vulnerability Under Active Exploitation
• May 15, 2024 - Google patches third exploited Chrome zero-day in a week
• May 15, 2024 - Google fixes third actively exploited Chrome zero-day in a week
• May 15, 2024 - Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution