VULNERA Pulse

Ivanti — Cloud Services Appliance (CSA)

CVE-2024-8963 / Added: Sept. 19, 2024

CRITICAL CVSS 9.40

Ivanti Cloud Services Appliance (CSA) contains a path traversal vulnerability that could allow a remote, unauthenticated attacker to access restricted functionality. If CVE-2024-8963 is used in conjunction with CVE-2024-8190, an attacker could bypass admin authentication and execute arbitrary commands on the appliance.

Headlines

• Sept. 19, 2024 - Ivanti warns of another critical CSA flaw exploited in attacks
• Sept. 19, 2024 - Ivanti Releases Admin Bypass Security Update for Cloud Services Appliance | CISA

Back to top ↑

Oracle — WebLogic Server

CVE-2020-14644 / Added: Sept. 18, 2024

CRITICAL CVSS 9.80 EPSS Score 24.29 EPSS Percentile 96.70

Oracle WebLogic Server, a product within the Fusion Middleware suite, contains a deserialization vulnerability. Unauthenticated attackers with network access via T3 or IIOP can exploit this vulnerability to achieve remote code execution.

Headlines

• Sept. 19, 2024 - U.S. CISA adds Microsoft Windows, Apache HugeGraph-Server, Oracle JDeveloper, Oracle WebLogic Server, and Microsoft SQL Server bugs to its Known Exploited Vulnerabilities catalog
• Sept. 19, 2024 - CISA Warns of Actively Exploited Apache, Microsoft, and Oracle Vulnerabilities

Back to top ↑

Oracle — ADF Faces

CVE-2022-21445 / Added: Sept. 18, 2024

CRITICAL CVSS 9.80 EPSS Score 7.86 EPSS Percentile 94.36

Oracle ADF Faces library, included with Oracle JDeveloper Distribution, contains a deserialization of untrusted data vulnerability leading to unauthenticated remote code execution.

Headlines

• Sept. 19, 2024 - U.S. CISA adds Microsoft Windows, Apache HugeGraph-Server, Oracle JDeveloper, Oracle WebLogic Server, and Microsoft SQL Server bugs to its Known Exploited Vulnerabilities catalog
• Sept. 19, 2024 - CISA Warns of Actively Exploited Apache, Microsoft, and Oracle Vulnerabilities

Back to top ↑

Apache — HugeGraph-Server

CVE-2024-27348 / Added: Sept. 18, 2024

CRITICAL CVSS 9.80 EPSS Score 0.89 EPSS Percentile 82.91

Apache HugeGraph-Server contains an improper access control vulnerability that could allow a remote attacker to execute arbitrary code.

Headlines

• Sept. 19, 2024 - U.S. CISA adds Microsoft Windows, Apache HugeGraph-Server, Oracle JDeveloper, Oracle WebLogic Server, and Microsoft SQL Server bugs to its Known Exploited Vulnerabilities catalog
• Sept. 19, 2024 - GitLab Patches Critical SAML Authentication Bypass Flaw in CE and EE Editions
• Sept. 19, 2024 - CISA Warns of Actively Exploited Apache, Microsoft, and Oracle Vulnerabilities
• July 17, 2024 - Critical Apache HugeGraph Vulnerability Under Attack - Patch ASAP
• July 17, 2024 - Active Exploits Targeting Apache HugeGraph Flaw (CVE-2024-27348): PoC Code Released
• June 7, 2024 - POC exploit code published for critical Apache HugeGraph bug
• June 5, 2024 - Analysis of CVE-2024-2738 Apache HugeGraph
• June 5, 2024 - CVE-2024-27348: Apache HugeGraph RCE Vulnerability, PoC Exploit Published
• April 23, 2024 - Multiple Vulnerabilities Patched in Apache HugeGraph – Update Immediately

Back to top ↑

Microsoft — SQL Server

CVE-2020-0618 / Added: Sept. 18, 2024

HIGH CVSS 8.80 EPSS Score 97.32 EPSS Percentile 99.91

Microsoft SQL Server Reporting Services contains a deserialization vulnerability when handling page requests incorrectly. An authenticated attacker can exploit this vulnerability to execute code in the context of the Report Server service account.

Headlines

• Sept. 19, 2024 - U.S. CISA adds Microsoft Windows, Apache HugeGraph-Server, Oracle JDeveloper, Oracle WebLogic Server, and Microsoft SQL Server bugs to its Known Exploited Vulnerabilities catalog
• Sept. 19, 2024 - CISA Warns of Actively Exploited Apache, Microsoft, and Oracle Vulnerabilities
• Sept. 4, 2024 - Evolution of Mallox: from private ransomware to RaaS
• Dec. 14, 2023 - Mallox ransomware Exploits Old Flaws in MS-SQL & ODBC
• Aug. 7, 2023 - Mallox Ransomware Group Revamps Malware Variants, Evasion Tactics
• July 20, 2023 - Mallox Ransomware Group Activity Shifts Into High Gear

Back to top ↑

Adobe — Flash Player

CVE-2014-0497 / Added: Sept. 17, 2024

CRITICAL CVSS 9.80 EPSS Score 97.23 EPSS Percentile 99.87

Adobe Flash Player contains an integer underflow vulnerability that allows a remote attacker to execute arbitrary code.

Back to top ↑

Adobe — Flash Player

CVE-2013-0643 / Added: Sept. 17, 2024

HIGH CVSS 8.80 EPSS Score 39.12 EPSS Percentile 97.30

Adobe Flash Player contains an incorrect default permissions vulnerability in the Firefox sandbox that allows a remote attacker to execute arbitrary code via crafted SWF content.

Back to top ↑

Adobe — Flash Player

CVE-2013-0648 / Added: Sept. 17, 2024

HIGH CVSS 8.80 EPSS Score 36.49 EPSS Percentile 97.23

Adobe Flash Player contains an unspecified vulnerability in the ExternalInterface ActionScript functionality that allows a remote attacker to execute arbitrary code via crafted SWF content.

Back to top ↑

Adobe — Flash Player

CVE-2014-0502 / Added: Sept. 17, 2024

HIGH CVSS 8.80 EPSS Score 85.93 EPSS Percentile 98.61

Adobe Flash Player contains a double free vulnerability that allows a remote attacker to execute arbitrary code.

Back to top ↑

Progress — WhatsUp Gold

CVE-2024-6670 / Added: Sept. 16, 2024

CRITICAL CVSS 9.80 EPSS Score 95.63 EPSS Percentile 99.46

Progress WhatsUp Gold contains a SQL injection vulnerability that allows an unauthenticated attacker to retrieve the user's encrypted password if the application is configured with only a single user.

Headlines

• Sept. 17, 2024 - U.S. CISA adds Microsoft Windows MSHTML Platform and Progress WhatsUp Gold bugs to its Known Exploited Vulnerabilities catalog
• Sept. 17, 2024 - CISA Flags Two Actively Exploited Vulnerabilities: Critical Threats to Windows and WhatsUp Gold
• Sept. 13, 2024 - Progress WhatsUp Gold Exploited Just Hours After PoC Release for Critical Flaw
• Sept. 12, 2024 - Hackers targeting WhatsUp Gold with public exploit since August
• Sept. 12, 2024 - WhatsUp Gold Under Attack: New RCE Vulnerabilities Exploited
• Sept. 2, 2024 - Proof-of-Concept Exploit Released for WhatsUp Gold Authentication Bypass (CVE-2024-6670)
• Aug. 23, 2024 - Critical Vulnerabilities Uncovered in Progress WhatsUp Gold (CVE-2024-6670 & CVE-2024-6671)

Back to top ↑

Microsoft — Windows

CVE-2024-43461 / Added: Sept. 16, 2024

HIGH CVSS 8.80 EPSS Score 16.24 EPSS Percentile 96.08

Microsoft Windows MSHTML Platform contains a user interface (UI) misrepresentation of critical information vulnerability that allows an attacker to spoof a web page. This vulnerability was exploited in conjunction with CVE-2024-38112.

Headlines

• Sept. 17, 2024 - U.S. CISA adds Microsoft Windows MSHTML Platform and Progress WhatsUp Gold bugs to its Known Exploited Vulnerabilities catalog
• Sept. 17, 2024 - CISA Flags Two Actively Exploited Vulnerabilities: Critical Threats to Windows and WhatsUp Gold
• Sept. 17, 2024 - Microsoft confirms IE zero-day exploited in sneaky update
• Sept. 16, 2024 - 'Void Banshee' Exploits Second Microsoft Zero-Day
• Sept. 16, 2024 - CISA warns of Windows flaw used in infostealer malware attacks
• Sept. 16, 2024 - Recently patched Windows flaw CVE-2024-43461 was actively exploited as a zero-day before July 2024
• Sept. 16, 2024 - Microsoft confirms second 0-day exploited by Void Banshee APT (CVE-2024-43461)
• Sept. 16, 2024 - New Zero-Day Emerges After Microsoft Patch Tuesday: CVE-2024-43461 Targets Windows MSHTML
• Sept. 15, 2024 - Windows vulnerability abused braille “spaces” in zero-day attacks
• Sept. 15, 2024 - Week in review: Veeam Backup & Replication RCE could soon be exploited, Microsoft fixes 4 0-days
• Sept. 10, 2024 - Microsoft Discloses 4 Zero-Days in September Update
• Sept. 10, 2024 - Microsoft fixes 4 exploited zero-days and a code defect that nixed earlier security fixes

Back to top ↑

CVE-2024-45409

CRITICAL CVSS 10.00 EPSS Score 0.04 EPSS Percentile 16.38

Actively Exploited Remote Code Execution

Published: Sept. 10, 2024

The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.

Quotes

• We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible
• An unauthenticated attacker with access to any signed SAML document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents, according to a security advisory

Headlines

• Sept. 19, 2024 - GitLab Patches Critical SAML Authentication Bypass Flaw in CE and EE Editions
• Sept. 18, 2024 - GitLab releases fix for critical SAML authentication bypass flaw
• Sept. 18, 2024 - GitLab Releases Critical Security Patch for CVE-2024-45409 (CVSS 10) Vulnerability

CVE-2024-38812

CRITICAL CVSS 9.80 EPSS Score 0.04 EPSS Percentile 9.64

Remote Code Execution Public Exploits Available

Published: Sept. 17, 2024

The vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.

Quotes

• Broadcom is not currently aware of exploitation ‘in the wild’
• By sending a specially crafted network packet potentially leading to remote code execution
• A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution

Headlines

• Sept. 18, 2024 - Critical VMware vCenter Server bugs fixed (CVE-2024-38812)
• Sept. 18, 2024 - Broadcom fixed Critical VMware vCenter Server flaw CVE-2024-38812
• Sept. 18, 2024 - Patch Issued for Critical VMware vCenter Flaw Allowing Remote Code Execution
• Sept. 18, 2024 - CVE-2024-38812: VMware's 9.8 Severity Security Nightmare
• Sept. 17, 2024 - VMware patches serious flaws in vCenter Server
• Sept. 17, 2024 - Broadcom fixes critical RCE bug in VMware vCenter Server

CVE-2024-29847

CRITICAL CVSS 9.80 EPSS Score 0.11 EPSS Percentile 44.05

Remote Code Execution Public Exploits Available

Published: Sept. 12, 2024

Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.

Vendor Impacted: Ivanti

Product Impacted: Endpoint Manager

Quotes

• While we are pretty sure that the vulnerability described in this post is the true CVE-2024-29847, we feel it would be more accurately described as a command injection
• Following public disclosure, Ivanti has confirmed exploitation of this vulnerability in the wild. At the time of this update, we are aware of a limited number of customers who have been exploited

Headlines

• Sept. 16, 2024 - Exploit code released for critical Ivanti RCE flaw, patch now
• Sept. 16, 2024 - PoC Exploit Released for Ivanti EPM Flaw CVE-2024-29847 (CVSS 10)
• Sept. 15, 2024 - Week in review: Veeam Backup & Replication RCE could soon be exploited, Microsoft fixes 4 0-days
• Sept. 15, 2024 - newsletter Round 489 by Pierluigi Paganini – INTERNATIONAL EDITION
• Sept. 14, 2024 - Ivanti Cloud Service Appliance flaw is being actively exploited

CVE-2024-45694

CRITICAL CVSS 9.80 EPSS Score 0.08 EPSS Percentile 36.06

Risk Context N/A

Published: Sept. 16, 2024

The web service of certain models of D-Link wireless routers contains a Stack-based Buffer Overflow vulnerability, which allows unauthenticated remote attackers to exploit this vulnerability to execute arbitrary code on the device.

Vendor Impacted: Dlink

Products Impacted: Dir-X5460 Firmware, Dir-X4860, Dir-X4860 Firmware, Dir-X5460

Quotes

• SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability
• When D-Link became aware of the reported security issues, we promptly started investigating and developing security patches. The third-party publicly disclosed the problem before the patches were available on our standard 90-day security patch release schedule

Headlines

• Sept. 17, 2024 - SolarWinds Issues Patch for Critical ARM Vulnerability Enabling RCE Attacks
• Sept. 16, 2024 - D-Link addressed three critical RCE in wireless router models
• Sept. 16, 2024 - Urgent D-Link Router Security Flaws Expose Millions to Remote Attacks

CVE-2024-37079

CRITICAL CVSS 9.80 EPSS Score 0.09 EPSS Percentile 40.46

Remote Code Execution Public Exploits Available

Published: June 18, 2024

vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.

Vendor Impacted: Vmware

Products Impacted: Cloud Foundation, Vcenter Server

Quotes

• By sending a specially crafted network packet potentially leading to remote code execution
• A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution

Headlines

• Sept. 18, 2024 - Broadcom fixed Critical VMware vCenter Server flaw CVE-2024-38812
• Sept. 18, 2024 - Patch Issued for Critical VMware vCenter Flaw Allowing Remote Code Execution
• Sept. 17, 2024 - Broadcom fixes critical RCE bug in VMware vCenter Server

CVE-2024-27348

CRITICAL CVSS 9.80 EPSS Score 0.89 EPSS Percentile 82.91

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: April 22, 2024

RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server.This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 in Java8 & Java11 Users are recommended to upgrade to version 1.3.0 with Java11 & enable the Auth system, which fixes the issue.

Vendors Impacted: Oracle, Apache

Products Impacted: Hugegraph, Jdk, Hugegraph-Server, Jre

Quotes

• An unauthenticated attacker with access to any signed SAML document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents, according to a security advisory

Headlines

• Sept. 19, 2024 - U.S. CISA adds Microsoft Windows, Apache HugeGraph-Server, Oracle JDeveloper, Oracle WebLogic Server, and Microsoft SQL Server bugs to its Known Exploited Vulnerabilities catalog
• Sept. 19, 2024 - GitLab Patches Critical SAML Authentication Bypass Flaw in CE and EE Editions
• Sept. 19, 2024 - CISA Warns of Actively Exploited Apache, Microsoft, and Oracle Vulnerabilities

CVE-2024-43461

HIGH CVSS 8.80 EPSS Score 16.24 EPSS Percentile 96.08

CISA Known Exploited

Published: Sept. 10, 2024

Windows MSHTML Platform Spoofing Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows Server 2019, Windows 10 1607, Windows 10 21h2, Windows Server 2016, Windows Server 2022, Windows Server 2022 23h2, Windows 11 24h2, Windows Server 2008, Windows 10 1507, Windows 11 22h2, Windows Server 2012, Windows, Windows 11 21h2, Windows 10 22h2, Windows 10 1809, Windows 11 23h2

Quotes

• CVE-2024-43461 was exploited as a part of an attack chain relating to CVE-2024-38112
• Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL
• This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file

Headlines

• Sept. 17, 2024 - U.S. CISA adds Microsoft Windows MSHTML Platform and Progress WhatsUp Gold bugs to its Known Exploited Vulnerabilities catalog
• Sept. 17, 2024 - CISA Flags Two Actively Exploited Vulnerabilities: Critical Threats to Windows and WhatsUp Gold
• Sept. 17, 2024 - Microsoft confirms IE zero-day exploited in sneaky update
• Sept. 16, 2024 - 'Void Banshee' Exploits Second Microsoft Zero-Day
• Sept. 16, 2024 - CISA warns of Windows flaw used in infostealer malware attacks
• Sept. 16, 2024 - Recently patched Windows flaw CVE-2024-43461 was actively exploited as a zero-day before July 2024
• Sept. 16, 2024 - Microsoft confirms second 0-day exploited by Void Banshee APT (CVE-2024-43461)
• Sept. 16, 2024 - New Zero-Day Emerges After Microsoft Patch Tuesday: CVE-2024-43461 Targets Windows MSHTML
• Sept. 15, 2024 - Windows vulnerability abused braille “spaces” in zero-day attacks
• Sept. 15, 2024 - Week in review: Veeam Backup & Replication RCE could soon be exploited, Microsoft fixes 4 0-days

CVE-2024-38112

HIGH CVSS 7.50 EPSS Score 64.67 EPSS Percentile 97.94

CISA Known Exploited Actively Exploited Remote Code Execution

Published: July 9, 2024

Windows MSHTML Platform Spoofing Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows Server 2019, Windows 10 1607, Windows 10 21h2, Windows Server 2016, Windows Server 2022, Windows Server 2022 23h2, Windows Server 2008, Windows 10 1507, Windows 11 22h2, Windows Server 2012, Windows, Windows 11 21h2, Windows 10 22h2, Windows 10 1809, Windows 11 23h2

Quotes

• Exploited in conjunction with CVE-2024-38112
• As part of an attack chain [related] to CVE-2024-38112
• CVE-2024-43461 was exploited as a part of an attack chain relating to CVE-2024-38112
• Was exploited as a part of an attack chain relating to CVE-2024-38112, prior to July 2024
• We released a fix for CVE-2024-38112 in our July 2024 security updates which broke this attack chain
• Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL
• This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file

Headlines

• Sept. 17, 2024 - U.S. CISA adds Microsoft Windows MSHTML Platform and Progress WhatsUp Gold bugs to its Known Exploited Vulnerabilities catalog
• Sept. 17, 2024 - CISA Flags Two Actively Exploited Vulnerabilities: Critical Threats to Windows and WhatsUp Gold
• Sept. 17, 2024 - Microsoft confirms IE zero-day exploited in sneaky update
• Sept. 16, 2024 - 'Void Banshee' Exploits Second Microsoft Zero-Day
• Sept. 16, 2024 - CISA warns of Windows flaw used in infostealer malware attacks
• Sept. 16, 2024 - Recently patched Windows flaw CVE-2024-43461 was actively exploited as a zero-day before July 2024
• Sept. 16, 2024 - Microsoft confirms second 0-day exploited by Void Banshee APT (CVE-2024-43461)
• Sept. 16, 2024 - New Zero-Day Emerges After Microsoft Patch Tuesday: CVE-2024-43461 Targets Windows MSHTML
• Sept. 15, 2024 - Windows vulnerability abused braille “spaces” in zero-day attacks

CVE-2024-38813

HIGH CVSS 7.50 EPSS Score 0.04 EPSS Percentile 9.64

Risk Context N/A

Published: Sept. 17, 2024

The vCenter Server contains a privilege escalation vulnerability. A malicious actor with network access to vCenter Server may trigger this vulnerability to escalate privileges to root by sending a specially crafted network packet.

Quotes

• Broadcom is not currently aware of exploitation ‘in the wild’
• By sending a specially crafted network packet potentially leading to remote code execution
• A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution

Headlines

• Sept. 18, 2024 - Critical VMware vCenter Server bugs fixed (CVE-2024-38812)
• Sept. 18, 2024 - Broadcom fixed Critical VMware vCenter Server flaw CVE-2024-38812
• Sept. 18, 2024 - Patch Issued for Critical VMware vCenter Flaw Allowing Remote Code Execution
• Sept. 18, 2024 - CVE-2024-38812: VMware's 9.8 Severity Security Nightmare
• Sept. 17, 2024 - VMware patches serious flaws in vCenter Server
• Sept. 17, 2024 - Broadcom fixes critical RCE bug in VMware vCenter Server

CVE-2024-8190

HIGH CVSS 7.20 EPSS Score 15.12 EPSS Percentile 95.93

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Sept. 10, 2024

An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution. The attacker must have admin level privileges to exploit this vulnerability.

Vendor Impacted: Ivanti

Product Impacted: Cloud Services Appliance

Quotes

• The vulnerability was discovered as we were investigating the exploitation that Ivanti disclosed on 13 September
• At the time of the September 13 update, exploitation of a limited number of customers has been confirmed following public disclosure
• Following public disclosure, Ivanti has confirmed exploitation of this vulnerability in the wild. At the time of this update, we are aware of a limited number of customers who have been exploited
• Successful exploitation could lead to unauthorized access to the device running the CSA. Dual-homed CSA configurations with eth0 as an internal network, as recommended by Ivanti, are at a significantly reduced risk of exploitation

Headlines

• Sept. 19, 2024 - Ivanti warns of another critical CSA flaw exploited in attacks
• Sept. 19, 2024 - Ivanti Releases Admin Bypass Security Update for Cloud Services Appliance | CISA
• Sept. 17, 2024 - PoC exploit for exploited Ivanti Cloud Services Appliance flaw released (CVE-2024-8190)
• Sept. 16, 2024 - Ivanti Cloud Bug Goes Under Exploit After Alarms Are Raised
• Sept. 16, 2024 - Exploit code released for critical Ivanti RCE flaw, patch now
• Sept. 14, 2024 - U.S. CISA adds Ivanti Cloud Services Appliance Vulnerability to its Known Exploited Vulnerabilities catalog
• Sept. 14, 2024 - Ivanti Cloud Service Appliance flaw is being actively exploited