This week saw a significant increase in critical vulnerabilities, with five new entries added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Among these, the Dahua IP camera authentication bypass vulnerabilities (CVE-2021-33044 and CVE-2021-33045) stand out as significant security threats, allowing attackers to bypass authentication and potentially gain unauthorized access to and control over affected devices.
Critical vulnerabilities have also been discovered in widely used software such as Jenkins, WPS Office, and LiteSpeed Cache, posing serious risks to organizations by potentially allowing attackers to gain complete control over affected systems. In response, Google has released patches for CVE-2024-7971, a critical zero-day vulnerability in its Chrome browser. This marks the ninth actively exploited Chrome vulnerability addressed by Google in 2024, highlighting the persistent threats to browser security.
Cybercriminal groups, including IntelBroker and RansomEXX, have targeted Jenkins, while the Lazarus APT group has exploited a previously patched vulnerability in Microsoft Windows.
Meanwhile, the notorious Mirai botnet continues its destructive activities by exploiting vulnerabilities in networking devices. This week, it was observed targeting vulnerabilities in LB-LINK BL devices, TP-Link Archer AX21 routers, and the miniigd SOAP service in Realtek SDK, further expanding its reach.
Despite being a few years old, vulnerabilities like CVE-2022-0185 and CVE-2021-31196 remain actively exploited, underscoring the ongoing need to prioritize regular security updates.
A serious path traversal bug, CVE-2024-23897, affects Jenkins 2.441 and earlier and LTS 2.426.2 and earlier, where a feature of the CLI command parser allows unauthenticated attackers to read files. Unauthenticated, this method only exposes the first few lines of a file, but once authenticated, users can read complete files.
A very high CVSS score of 9.8 and an equally high EPSS score of 0.97084 signify the severity of this flaw. It comes as no surprise that it is being heavily exploited in the wild, which led CISA to add this CVE to its Known Exploited Vulnerabilities catalog[1].
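The file-read risk described above comes from a parser feature that expands an argument of the form `@<path>` into the contents of that file. The following Python model is an added example, not code from the article or from Jenkins: the parser, the option name `who-am-i`, the secret file and its contents are all constructed. It shows the exposing behaviour beside the hardened variant, which simply treats `@` as an ordinary character, the same approach the Jenkins fix took by disabling the feature.

```python
"""Added example (not from the original article or from Jenkins): models the
general "argument file expansion" pattern, where a CLI parser replaces an
argument of the form @<path> with the contents of that file. The parser,
option names and file contents below are assumptions for illustration."""
import os
import tempfile
from typing import List


def expand_args_vulnerable(args: List[str]) -> List[str]:
    """Parser behaviour that turns @<path> into the lines of that file.

    Anyone who can pass arguments can read any file the server process can
    read, which is the risk class the article describes."""
    expanded: List[str] = []
    for arg in args:
        if arg.startswith("@") and os.path.isfile(arg[1:]):
            with open(arg[1:], "r", encoding="utf-8", errors="replace") as fh:
                # One argument per line, mirroring how such parsers behave.
                expanded.extend(line.rstrip("\n") for line in fh)
        else:
            expanded.append(arg)
    return expanded


def expand_args_hardened(args: List[str]) -> List[str]:
    """Hardened parser: '@' is never interpreted as a file reference."""
    return list(args)


def demo() -> dict:
    """Write a constructed secret file, run both parsers against an argument
    that references it, and return what each parser yields."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("db_password=CONSTRUCTED-EXAMPLE\nsecond line\n")
        path = fh.name
    try:
        argv = ["who-am-i", "@" + path]
        return {
            "vulnerable": expand_args_vulnerable(argv),
            "hardened": expand_args_hardened(argv),
            "path": path,
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    result = demo()
    print("vulnerable parser saw:", result["vulnerable"])
    print("hardened parser saw:  ", result["hardened"])
```

The practical check for a defender is the same as in the model: any argument-parsing layer that reads files on the caller's behalf must be reachable only by trusted, authenticated users, or not at all.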
The popular WPS Office suite by Kingsoft suffered a path traversal bug due to improper validation in one of the executables shipped with its Windows version. This validation failure allowed attackers to load arbitrary Windows libraries, which led to single-click exploits disguised as malicious spreadsheets and possible remote code execution.
The exploit is already being actively used by attackers in the wild[2], and the severity of the bug is reflected in a high CVSS score of 9.3, although the EPSS score is a low 0.00055.
Affecting the Linux kernel, CVE-2022-0185 is a heap-based buffer overflow with a high CVSS score of 8.5. It stems from the way the filesystem code, specifically the “legacy_parse_param” function, handles the length of a supplied parameter; exploiting the overflow can allow an unprivileged user to escalate their privileges on the system.
The flaw has a low EPSS score of 0.0006, but due to recent evidence of this bug being exploited in the wild, CISA added it to its KEV catalog[3].
Dahua IP cameras had an authentication bypass vulnerability that allows attackers to log in without credentials using crafted packets. While CVE-2021-33044 affects Dahua IP cameras and VTH/VTO (video intercom) devices, CVE-2021-33045 was assigned to NVR, DVR, and other device families suffering from the same authentication bypass flaw.
CVE-2021-33044 has a severe CVSS score of 9.8 and an EPSS score of 0.06877, while CVE-2021-33045 has the same CVSS score of 9.8 but a higher EPSS score of 0.25281. Both flaws were recently seen being exploited in the wild and, consequently, CISA added both CVEs to its KEV catalog[3].
Recently included in CISA’s KEV catalog, CVE-2021-31196 is a remote code execution vulnerability discovered in Microsoft Exchange Server in 2021.
Although code execution bugs are severe, Microsoft rates this flaw’s exploitability as “Exploitation Less Likely”, which might explain its relatively lower CVSS score of 7.2 and EPSS score of 0.01258 compared to other remote code execution bugs[3].
A vulnerability has been discovered in Google Chrome: a type confusion bug in the V8 JavaScript engine that can lead to heap corruption and can be triggered through a specially crafted HTML page.
CVE-2024-7971 is among several V8-related bugs recently addressed by Google, carrying a CVSS score of 8.6 and an EPSS score of 0.00159. This vulnerability has also been included in CISA’s KEV catalog[4].
With multiple public exploits available, a privilege escalation bug was recently discovered in the LiteSpeed Cache software. A hash used for user simulation is reportedly weak and can be brute-forced by attackers to gain administrative privileges, typically on a WordPress site, leading to complete compromise.
The vulnerability affects over 5,000,000 sites, and exploitation in the wild has already been reported[5].
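The weakness above is that a security-critical hash can be enumerated. The Python below is an added example, not the plugin's code: it contrasts a token that is a deterministic function of a small seed (the seed range of one million, the six-character alphabet and the "user simulation" framing are assumptions for illustration) with a token drawn from the operating system's CSPRNG, and shows why the seed space, not the token's apparent length, bounds the effort an attacker needs.

```python
"""Added example (not from the article or the LiteSpeed Cache project).
Models the weakness the article describes: a hash whose input space is
small enough to enumerate. Seed range, token format and the verification
API are assumptions, not the plugin's real code."""
import hmac
import math
import random
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols
TOKEN_LEN = 6
SEED_SPACE = 10**6   # hypothetical: token derived from a microsecond-style seed
STRONG_BYTES = 32


def weak_token(seed: int) -> str:
    """Token that is a deterministic function of a small seed.
    Anyone who can guess the seed can reproduce the token exactly."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(TOKEN_LEN))


def strong_token() -> str:
    """Token drawn from the OS CSPRNG: there is no seed to guess."""
    return secrets.token_hex(STRONG_BYTES)


def apparent_bits() -> float:
    """What the weak token looks like from the outside: 36^6 possibilities."""
    return TOKEN_LEN * math.log2(len(ALPHABET))


def effective_bits(weak: bool) -> float:
    """What an attacker actually has to search, in bits."""
    if weak:
        # Bounded by the seed space, not by the token's length.
        return math.log2(SEED_SPACE)
    return STRONG_BYTES * 8


def verify(expected: str, presented: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    print("weak token for seed 1234:", weak_token(1234))
    print("apparent search space: %.1f bits" % apparent_bits())
    print("effective search space (weak): %.1f bits" % effective_bits(True))
    print("effective search space (strong): %d bits" % effective_bits(False))
```

The defensive rule the numbers illustrate: generate simulation and session tokens from `secrets` (or the platform equivalent), never from a seeded PRNG or a timestamp, and compare them in constant time.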
A previously reported privilege escalation vulnerability affecting the Microsoft Windows Ancillary Function Driver for WinSock was seen being exploited by Lazarus, a North Korea-based APT[7].
Exploited as a zero-day, the flaw would have allowed an attacker who had already gained access to a vulnerable server to elevate their permissions to SYSTEM. Microsoft patched the flaw in its August Patch Tuesday release.
The critical Jenkins vulnerability discussed in the first section is being heavily exploited by multiple threat actors. The RansomEXX ransomware group targeted India’s banking infrastructure, where initial access was gained by stealing sensitive files through CVE-2024-23897[8].
The IntelBroker threat actor was seen compromising GitHub repositories by stealing credentials from Jenkins files and subsequently stealing secrets stored in GitHub[9]. They then used these stolen secrets to carry out further attacks.
An emerging backdoor, known as Backdoor.Msupedge, was seen targeting Taiwan by abusing CVE-2024-4577, the recently discovered and widely exploited OS command injection flaw in PHP-CGI, as its initial intrusion tactic; since command injection allows arbitrary code execution, it results in full compromise. The backdoor was reportedly observed using DNS to communicate with its command and control server.
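DNS as a command-and-control channel leaves a characteristic footprint in resolver logs: many distinct, high-entropy subdomains under one registrable domain. The Python below is an added example, not vendor tooling or anything from the article: the log format, the thresholds, and the domain names (`c2-example.test` and friends) are all constructed, and the registrable-domain logic is a deliberately naive "last two labels" rule rather than a public-suffix-list lookup.

```python
"""Added example (not from the article or from any vendor's tooling).
Heuristic detection of DNS-based command-and-control traffic, the channel
the article says Backdoor.Msupedge used. Log format, thresholds and the
domain names are constructed for illustration."""
import math
import re
from collections import defaultdict
from typing import Dict

# Constructed resolver query log: "<timestamp> <client> <qname> <qtype>"
SAMPLE_LOG = """\
2024-08-26T10:00:01Z 10.0.0.5 www.example.com A
2024-08-26T10:00:02Z 10.0.0.5 cdn.example.net A
2024-08-26T10:00:03Z 10.0.0.7 4a6f686e2d686f73742d31.c2-example.test A
2024-08-26T10:00:04Z 10.0.0.7 9f3c1b7e0a8d5e2f4c6b1a0d.c2-example.test A
2024-08-26T10:00:05Z 10.0.0.7 1e2d3c4b5a69788796a5b4c3.c2-example.test A
2024-08-26T10:00:06Z 10.0.0.7 0badf00d1234deadbeef5678.c2-example.test A
2024-08-26T10:00:07Z 10.0.0.5 mail.example.com MX
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score far higher than words."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def registrable_domain(qname: str) -> str:
    """Naive: last two labels. Real deployments use the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def analyze(log_text: str, min_subdomains: int = 3,
            entropy_threshold: float = 3.5) -> Dict[str, dict]:
    """Group queries by registrable domain and flag domains that receive
    many distinct subdomains containing at least one high-entropy label."""
    per_domain = defaultdict(
        lambda: {"subdomains": set(), "max_label_entropy": 0.0, "clients": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # tolerate malformed lines rather than abort
        _, client, qname, _ = m.groups()
        dom = registrable_domain(qname)
        labels = qname.rstrip(".").split(".")[:-2]
        rec = per_domain[dom]
        rec["clients"].add(client)
        if labels:
            rec["subdomains"].add(".".join(labels))
            rec["max_label_entropy"] = max(
                rec["max_label_entropy"], max(shannon_entropy(lab) for lab in labels))
    findings: Dict[str, dict] = {}
    for dom, rec in per_domain.items():
        suspicious = (len(rec["subdomains"]) >= min_subdomains
                      and rec["max_label_entropy"] >= entropy_threshold)
        findings[dom] = {
            "unique_subdomains": len(rec["subdomains"]),
            "clients": sorted(rec["clients"]),
            "max_label_entropy": round(rec["max_label_entropy"], 2),
            "suspicious": suspicious,
        }
    return findings


if __name__ == "__main__":
    for dom, f in analyze(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{dom:20s} subdomains={f['unique_subdomains']} "
              f"entropy={f['max_label_entropy']} {flag}")
```

In the constructed sample only `c2-example.test` trips both conditions; ordinary hostnames such as `www` and `mail` score well under the entropy threshold, which is what keeps the heuristic's false-positive rate usable before tuning against real traffic.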
Affecting the ‘CloudGuard Network Security’ appliance, Check Point’s SSL VPN offering, CVE-2024-24919 is a flaw that exposes sensitive information to unauthenticated attackers. According to research, the bug stems from an underlying path traversal issue affecting a certain endpoint[6].
According to Check Point’s advisory, the flaw is being exploited in the wild and heavily scanned for by threat actors. Affected systems should be patched immediately, as updated versions are available.
Cytellite sensors also observed significant exploit activity and mass scanning against multiple router devices, including Wavelink, Tenda, LB-Link, and TP-Link. GeoServer command injection (CVE-2022-24847) and Apache Hadoop RCE (CVE-2022-25168) are still being exploited in the wild. For further details, please refer to our previous reports.
The Mirai botnet’s exploitation of LB-LINK BL devices through command injection flaws continues this week. Remote code execution against Huawei routers and MVPower CCTV/DVR devices by emerging botnets still persists. For further details, please refer to our previous reports.
The LOVI platform monitors multiple feeds and social media, tracking over 100 alerts to aggregate and distribute details related to vulnerabilities that have a high chance of being exploited by threat actors before these vulnerabilities are added to the National Vulnerability Database. To learn more, get in touch with our security researchers.