#activeexploitation — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #activeexploitation, aggregated by home.social.
-
Update your #Apple devices ASAP. Two vulnerabilities, CVE-2025-31200 and CVE-2025-31201, have been fixed: https://support.apple.com/en-us/122282
"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS."
While iOS has been known to be targeted, the fixes are available for all Apple devices and should be installed as soon as possible.
-
pls appreciate i wore an aqua colored sweater to talk about aquabot
🚨Active exploitation attempt🚨
Akamai Security Intelligence and Response Team (SIRT) has identified a new variant of the Mirai-based Aquabot, dubbed Aquabotv3 keeping in line with the naming conventions of the first two.it is using CVE-2024-41710, a command injection vulnerability that affects Mitel SIP models. There was a POC made public in august 2024 but this is the first time it's been seen actively seeking exploitation ITW.
not only that! This malware exhibits a behavior we have never before seen with a Mirai variant: a function (report_kill) to report back to the C2 when a kill signal was caught on the infected device.
We (we = the SIRT) have not seen any response from the C2 as of the date this was originally posted (Jan. 28, 2024).
Incredible work Larry Cashdollar and Kyle Lefton 🎉
Full technical analysis including IOCs:
https://www.akamai.com/blog/security-research/2025-january-new-aquabot-mirai-variant-exploiting-mitel-phones#mirai #malware #activeexploitation #security #research #botnet
-
#Ivanti has revealed #activeexploitation against a vulnerability in its appliances
The vulnerability is tracked as CVE-2025-0282, and when exploited, allows an attacker to remotely execute code
Administrators are advised to patch ASAP
-
#PaloAlto reveals #activeexploitation against vulnerability in its firewall
The vulnerability is tracked as CVE-2024-3393, and when exploited, causes the firewall to reboot
Administrators are advised to patch ASAP, or to apply mitigations if not able to patch
-
Security researchers reveal #activeexploitation against Progress #WhatsUpGold vulnerability
The vulnerability is tracked as CVE-2024-4885, and when exploited, allows an attacker to execute any code. Security researchers have observed exploitation of this vulnerability since Aug 1, 2024.
Administrators are advised to patch ASAP
-
Security researchers reveal they have observed #activeexploitation against vulnerability in #SolarWinds #ServU
The vulnerability is tracked as CVE-2024-28995, and when exploited, allows an attacker to read sensitive files on the system. Researchers have released proof-of-concept exploits, and widespread exploitation came soon after.
Administrators are advised to patch ASAP
-
Security researchers reveal they have observed #activeexploitation against vulnerability in #SolarWinds #ServU
The vulnerability is tracked as CVE-2024-28995, and when exploited, allows an attacker to read sensitive files on the system. Researchers have released proof-of-concept exploits, and widespread exploitation came soon after.
Administrators are advised to patch ASAP
-
Security researchers reveal they have observed #activeexploitation against vulnerability in #SolarWinds #ServU
The vulnerability is tracked as CVE-2024-28995, and when exploited, allows an attacker to read sensitive files on the system. Researchers have released proof-of-concept exploits, and widespread exploitation came soon after.
Administrators are advised to patch ASAP
-
Security researchers reveal they have observed #activeexploitation against vulnerability in #SolarWinds #ServU
The vulnerability is tracked as CVE-2024-28995, and when exploited, allows an attacker to read sensitive files on the system. Researchers have released proof-of-concept exploits, and widespread exploitation came soon after.
Administrators are advised to patch ASAP
-
@campuscodi Kudos to @h4sh for assigning the CVE to the actively exploited CrushFTP zero-day: https://infosec.exchange/@h4sh/112316550866303546
According to his analysis and patch diffing, the CVSSv3 score for CVE-2024-4040 is 7.7 HIGH: Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Did some patch diffing on the new #crushFTP bug, and it does look like the bug has 2 components and at least one of them need some form of authentication to exploit (need creation of something).
After the first stage, the reading of the file outside of VFS sandbox might not need authentication. I am not sure.#CrushFTP #zeroday #vulnerability #CVE_2024_4040 #eitw #activeexploitation
-
Shoutout to @h4sh for getting a CVE ID assigned to this actively exploited zero-day CrushFTP vulnerability: CVE-2024-4040 (reported by Simon Garrelou, of Airbus CERT). https://www.cve.org/CVERecord?id=CVE-2024-4040
VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.
#zeroday #eitw #activeexploitation #CrushFTP #vulnerability #CVE_2024_4040
-
Microsoft reported that APT28 (Fancy Bear, Forest Blizzard) used a custom tool to elevate privileges and steal credentials in compromised networks. This GooseEgg tool leveraged CVE-2022-38028 (7.8 high, disclosed 11 October 2022 by Microsoft; Windows Print Spooler Elevation of Privilege Vulnerability) as a zero-day since at least June 2020 (possibly as early as April 2019) which was 2 years 4 months. APT28 is publicly attributed to Russian General Staff Main Intelligence Directorate (GRU). IOC provided. 🔗 https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
cc: @serghei @campuscodi @briankrebs @jwarminsky
#APT28 #cyberespionage #Russia #FancyBear #ForestBlizzard #CVE_2022_38028 #eitw #activeexploitation #GooseEgg
-
CrushFTP has released software updates to address a zero-day vulnerability that is being actively exploited.
The vulnerability does not yet have a CVE ID. When exploited, can allow an attacker to download sensitive files from the system.
Administrators are advised to patch ASAP.
-
Palo Alto Networks released additional details about CVE-2024-3400: the fact that it is a combination of two bugs in PAN-OS; how an attacker was exploiting it; how disabling telemetry initially worked; and how they fixed it. The timeline from discovery to remediation encompasses the whole blog post. Overall a comprehensive after-action review from a company that notified the public almost immediately of an exploited zero-day. 🔗https://www.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve/
#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept #PANOS #IOC
-
It's not a Friday without an actively exploited zero-day vulnerability (with no CVE ID) in a file transfer product. cc: @todb
- Bleeping Computer: CrushFTP warns users to patch exploited zero-day “immediately”
- CrushFTP: CrushFTP: Update
- Exploitation report: CrowdStrike on Reddit: SITUATIONAL AWARENESS // 2024-04-19 // CrushFTP Virtual Filesystem Escape Vulnerability in the Wild
-
Bleeping Computer: GreyNoise and ShadowServer Foundation are reporting active exploitation of CVE-2024-3400 (10.0 critical, disclosed 12 April 2024 by Palo Alto Networks as an exploited zero-day, OS Command Injection Vulnerability in GlobalProtect Gateway, added to CISA KEV Catalog, has Proof of Concept). The good news is that all hotfixes for vulnerable versions of PAN-OS are now released. 🔗 https://www.bleepingcomputer.com/news/security/22-500-palo-alto-firewalls-possibly-vulnerable-to-ongoing-attacks/
#CVE_2024_3400 #PaloAltoNetworks #activeexploitation #eitw #kev
-
Zscaler observed exploitation of the Palo Alto Networks PAN-OS command injection zero-day vulnerability CVE-2024-3400 following the release of the PoC exploit code. Zscaler provides an attack flow diagram, and a technical analysis of the Upstyle backdoor and its layers. IOC provided. 🔗 https://www.zscaler.com/blogs/security-research/look-cve-2024-3400-activity-and-upstyle-backdoor-technical-analysis
#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept #threatintel #IOC
-
Microsoft reports that financially motivated attackers are exploiting several OpenMetadata vulnerabilities to gain access to Kubernetes workloads for cryptomining activity. CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, CVE-2024-28254 could be exploited by attackers to bypass authentication and achieve remote code execution. "Since the beginning of April, we have observed exploitation of this vulnerability in Kubernetes environments." Microsoft describes the attack flow and provides IOC 🔗 https://www.microsoft.com/en-us/security/blog/2024/04/17/attackers-exploiting-new-critical-openmetadata-vulnerabilities-on-kubernetes-clusters/
#threatintel #eitw #OpenMetadata #activeexploitation #CVE_2024_28255 #CVE_2024_28847 #CVE_2024_28253 #CVE_2024_28848 #CVE_2024_28254 #IOC
-
Microsoft reports that financially motivated attackers are exploiting several OpenMetadata vulnerabilities to gain access to Kubernetes workloads for cryptomining activity. CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, CVE-2024-28254 could be exploited by attackers to bypass authentication and achieve remote code execution. "Since the beginning of April, we have observed exploitation of this vulnerability in Kubernetes environments." Microsoft describes the attack flow and provides IOC 🔗 https://www.microsoft.com/en-us/security/blog/2024/04/17/attackers-exploiting-new-critical-openmetadata-vulnerabilities-on-kubernetes-clusters/
#threatintel #eitw #OpenMetadata #activeexploitation #CVE_2024_28255 #CVE_2024_28847 #CVE_2024_28253 #CVE_2024_28848 #CVE_2024_28254 #IOC
-
Microsoft reports that financially motivated attackers are exploiting several OpenMetadata vulnerabilities to gain access to Kubernetes workloads for cryptomining activity. CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, CVE-2024-28254 could be exploited by attackers to bypass authentication and achieve remote code execution. "Since the beginning of April, we have observed exploitation of this vulnerability in Kubernetes environments." Microsoft describes the attack flow and provides IOC 🔗 https://www.microsoft.com/en-us/security/blog/2024/04/17/attackers-exploiting-new-critical-openmetadata-vulnerabilities-on-kubernetes-clusters/
#threatintel #eitw #OpenMetadata #activeexploitation #CVE_2024_28255 #CVE_2024_28847 #CVE_2024_28253 #CVE_2024_28848 #CVE_2024_28254 #IOC
-
Microsoft reports that financially motivated attackers are exploiting several OpenMetadata vulnerabilities to gain access to Kubernetes workloads for cryptomining activity. CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, CVE-2024-28254 could be exploited by attackers to bypass authentication and achieve remote code execution. "Since the beginning of April, we have observed exploitation of this vulnerability in Kubernetes environments." Microsoft describes the attack flow and provides IOC 🔗 https://www.microsoft.com/en-us/security/blog/2024/04/17/attackers-exploiting-new-critical-openmetadata-vulnerabilities-on-kubernetes-clusters/
#threatintel #eitw #OpenMetadata #activeexploitation #CVE_2024_28255 #CVE_2024_28847 #CVE_2024_28253 #CVE_2024_28848 #CVE_2024_28254 #IOC
-
Microsoft reports that financially motivated attackers are exploiting several OpenMetadata vulnerabilities to gain access to Kubernetes workloads for cryptomining activity. CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, CVE-2024-28254 could be exploited by attackers to bypass authentication and achieve remote code execution. "Since the beginning of April, we have observed exploitation of this vulnerability in Kubernetes environments." Microsoft describes the attack flow and provides IOC 🔗 https://www.microsoft.com/en-us/security/blog/2024/04/17/attackers-exploiting-new-critical-openmetadata-vulnerabilities-on-kubernetes-clusters/
#threatintel #eitw #OpenMetadata #activeexploitation #CVE_2024_28255 #CVE_2024_28847 #CVE_2024_28253 #CVE_2024_28848 #CVE_2024_28254 #IOC
-
TrustedSec CTO Justin Elze shared CVE-2024-3400 exploit in the wild on Twitter yesterday, reports that
149.28.194.95was attempting to exploit CVE-2024-3400#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept #threatintel #IOC
-
In case you missed it, Palo Alto Networks updated their security advisory in terms of product and mitigation guidance, exploit status, and PAN-OS fix availability: 🔗 https://security.paloaltonetworks.com/CVE-2024-3400
- Exploitation status: Proof of concepts for this vulnerability have been publicly disclosed by third parties.
- Workarounds and mitigations: In earlier versions of this advisory, disabling device telemetry was listed as a secondary mitigation action. Disabling device telemetry is no longer an effective mitigation. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.
- Solution:
- - 10.2.6-h3 (Released 4/16/24)
- - 11.0.3-h10 (Released 4/16/24)
- - 11.0.2-h4 (Released 4/16/24)
- - 11.1.0-h3 (Released 4/16/24)
#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept
-
Fortinet warns that multiple botnets continue exploiting CVE-2023-1389 (8.8 high, disclosed 15 March 2023, added to CISA's KEV Catalog 01 May 2023) TP-Link command injection for wide-scale spread. Botnets include Moobot, Miroi, the Golang-based agent “AGoent,” and the Gafgyt Variant. The blog post explores their infection traffic patterns and offer insights into these botnets. 🔗 https://www.fortinet.com/blog/threat-research/botnets-continue-exploiting-cve-2023-1389-for-wide-scale-spread
#CVE_2023_1389 #TPLink #eitw #activeexploitation #botnet #moobot #miroi #agoent #mirai #gafgyt #threatintel #IOC
-
Fortinet warns that multiple botnets continue exploiting CVE-2023-1389 (8.8 high, disclosed 15 March 2023, added to CISA's KEV Catalog 01 May 2023) TP-Link command injection for wide-scale spread. Botnets include Moobot, Miroi, the Golang-based agent “AGoent,” and the Gafgyt Variant. The blog post explores their infection traffic patterns and offer insights into these botnets. 🔗 https://www.fortinet.com/blog/threat-research/botnets-continue-exploiting-cve-2023-1389-for-wide-scale-spread
#CVE_2023_1389 #TPLink #eitw #activeexploitation #botnet #moobot #miroi #agoent #mirai #gafgyt #threatintel #IOC
-
Fortinet warns that multiple botnets continue exploiting CVE-2023-1389 (8.8 high, disclosed 15 March 2023, added to CISA's KEV Catalog 01 May 2023) TP-Link command injection for wide-scale spread. Botnets include Moobot, Miroi, the Golang-based agent “AGoent,” and the Gafgyt Variant. The blog post explores their infection traffic patterns and offer insights into these botnets. 🔗 https://www.fortinet.com/blog/threat-research/botnets-continue-exploiting-cve-2023-1389-for-wide-scale-spread
#CVE_2023_1389 #TPLink #eitw #activeexploitation #botnet #moobot #miroi #agoent #mirai #gafgyt #threatintel #IOC
-
Fortinet warns that multiple botnets continue exploiting CVE-2023-1389 (8.8 high, disclosed 15 March 2023, added to CISA's KEV Catalog 01 May 2023) TP-Link command injection for wide-scale spread. Botnets include Moobot, Miroi, the Golang-based agent “AGoent,” and the Gafgyt Variant. The blog post explores their infection traffic patterns and offer insights into these botnets. 🔗 https://www.fortinet.com/blog/threat-research/botnets-continue-exploiting-cve-2023-1389-for-wide-scale-spread
#CVE_2023_1389 #TPLink #eitw #activeexploitation #botnet #moobot #miroi #agoent #mirai #gafgyt #threatintel #IOC
-
Fortinet warns that multiple botnets continue exploiting CVE-2023-1389 (8.8 high, disclosed 15 March 2023, added to CISA's KEV Catalog 01 May 2023) TP-Link command injection for wide-scale spread. Botnets include Moobot, Miroi, the Golang-based agent “AGoent,” and the Gafgyt Variant. The blog post explores their infection traffic patterns and offer insights into these botnets. 🔗 https://www.fortinet.com/blog/threat-research/botnets-continue-exploiting-cve-2023-1389-for-wide-scale-spread
#CVE_2023_1389 #TPLink #eitw #activeexploitation #botnet #moobot #miroi #agoent #mirai #gafgyt #threatintel #IOC
-
watchTowr may have successfully replicated CVE-2024-3400 (10.0 critical, disclosed 12 April 2024 by Palo Alto Networks as an exploited zero-day, CWE-77: Command Injection; OS Command Injection Vulnerability in GlobalProtect Gateway, added to CISA KEV Catalog). Instead of releasing a Proof of Concept, they provided a "detection artefact generator tool" 🔗 https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #threatintel #IOC
-
@jullrich of SANS ISC warns that the widely shared GitHub exploit is almost certainly fake (cc: @mttaggart ) and two IP addresses were attempting CVE-2024-3400 exploitation:
173.255.223.159and146.70.192.174🔗 https://isc.sans.edu/diary/rss/30838#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #threatintel #IOC
-
Happy hotfix day from Palo Alto Networks who released 3 hotfixes for CVE-2024-3400 (10.0 critical, disclosed 12 April 2024 as an exploited zero-day) with 15 more hotfixes expected in the coming days: 🔗 https://security.paloaltonetworks.com/CVE-2024-3400
- PAN-OS 10.2:
- 10.2.9-h1 (Released 14 April)
- 10.2.8-h3 (Released 15 April)
- 10.2.7-h8 (Released 15 April)
- 10.2.6-h3 (Released 16 April)
- 10.2.5-h6 (Released 16 April)
- 10.2.3-h13 (Released 18 April)
- 10.2.1-h2 (Released 18 April)
- 10.2.2-h5 (Released 18 April)
- 10.2.0-h3 (Released 18 April)
- 10.2.4-h16 (Released 18 April)
- PAN-OS 11.0:
- 11.0.4-h1 (Released 14 April)
- 11.0.4-h2 (Released 17 April)
- 11.0.3-h10 (Released: 16 April)
- 11.0.2-h4 (Released 16 April)
- 11.0.1-h4 (Released 18 April)
- 11.0.0-h3 (Released 18 April)
- PAN-OS 11.1:
- 11.1.2-h3 (Released 14 April)
- 11.1.1-h1 (Released 16 April)
- 11.1.0-h3 (Released: 16 April)
#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #threatintel #IOC
- PAN-OS 10.2:
-
It should come as no surprise that Palo Alto Networks did not release hotfixes* for affected versions of PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11 by the self-imposed deadline of Sunday 14 April 2024 like they estimated in their security advisory. 48 hours to develop/test/release is a tight delivery window with the whole infosec community breathing down their necks.
EDIT: A hotfix is now available for select affected versions of PAN-OS: https://security.paloaltonetworks.com/CVE-2024-3400
#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #threatintel #IOC
-
CISA put out an additional security alert about CVE-2024-3400, noting that Palo Alto Networks released workaround guidance for the command injection vulnerability. 🔗 https://www.cisa.gov/news-events/alerts/2024/04/12/palo-alto-networks-releases-guidance-vulnerability-pan-os-cve-2024-3400
#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #CISA
-
Just to make it easier to read through the various reports (saying almost the same exact thing), I've assembled a Palo Alto Networks zero-day MEGA list:
- Palo Alto Networks security advisory: CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect Gateway
UPDATE: Volexity and Unit 42 talk about the threat actor, campaign, and include indicators of compromise:
- Volexity: Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)
- Unit 42: Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400
Here's the rest of the related reporting:
- Zscaler: Another CVE (PAN-OS Zero Day), Another Reason to Consider Zero Trust
- The Register: Zero-day exploited right now in Palo Alto Networks' GlobalProtect gateways
- Bleeping Computer:
- SANS ISC: Critical Palo Alto GlobalProtect Vulnerability Exploited (CVE-2024-3400)
- CERT-EU: Critical Vulnerability in PAN-OS software
- Qualys: PAN-OS OS Command Injection Vulnerability Exploited in the Wild (CVE-2024-3400)
- Rapid7: CVE-2024-3400: Critical Command Injection Vulnerability in Palo Alto Networks Firewalls
- The Hacker News:
- Security Week:
- SOCRadar: Critical OS Command Injection Vulnerability in Palo Alto's GlobalProtect Gateway: CVE-2024-3400. The patch is not available yet.
- CISA:
- The Record: Palo Alto Networks warns of zero-day in VPN product
- Ars Technica:“Highly capable” hackers root corporate networks by exploiting firewall 0-day
#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #threatintel #IOC
-
Hot off the press! CISA adds CVE-2024-3400 (10.0 critical, disclosed 12 April 2024, PAN-OS: OS Command Injection Vulnerability in GlobalProtect Gateway) to the Known Exploited Vulnerabilities (KEV) Catalog 🔗 https://www.cisa.gov/news-events/alerts/2024/04/12/cisa-adds-one-known-exploited-vulnerability-catalog
#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability
-
@jerry Dunno about any other issue, but the cybersecurity community is finding out about CVE-2024-3400, an actively exploited and unpatched zero-day in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions. https://security.paloaltonetworks.com/CVE-2024-3400
-
CERT-EU warns of an exploited zero-day for Palo Alto Networks: CVE-2024-3400 (10.0 critical, disclosed 12 April 2024) command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software. Affected versions are PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1. This zero-day is NOT patched yet, and hotfix releases will be made available starting 14 April 2024. 🔗 https://cert.europa.eu/publications/security-advisories/2024-037/ and original Palo Alto Networks security advisory: https://security.paloaltonetworks.com/CVE-2024-3400
#CVE_2024_3400 #PaloAltoNetworks #eitw #activeexploitation #vulnerability #zeroday
-
@jgreig of The Record writes that CISA confirmed reports by cybersecurity companies and researchers that some older D-Link devices are being exploited by threat actors, and added CVE-2024-3273 and CVE-2024-3272 to its Known Exploited Vulnerabilities list on Thursday 🔗 https://therecord.media/dlink-devices-exploited-vulnerabilities-cisa
#CVE_2024_3272 #CVE_2024_3273 #eitw #activeexploitation #CISA #KEV #KnownExploitedVulnerabilitiesCatalog #DLink
-
Hot off the press! CISA adds D-Link vulnerabilities CVE-2024-3273 (7.3 high, Command Injection) and CVE-2024-3272 (9.8 critical, Hard-coded Credentials), both disclosed 03 April 2024, to the Known Exploited Vulnerabilities (KEV) Catalog 🔗 https://www.cisa.gov/news-events/alerts/2024/04/11/cisa-adds-two-known-exploited-vulnerabilities-catalog
#CVE_2024_3272 #CVE_2024_3273 #eitw #activeexploitation #CISA #KEV #KnownExploitedVulnerabilitiesCatalog #DLink
-
Red Canary reported that in late March 2024, threat actors exploited CVE-2023-48788 (9.8 critical, disclosed 12 March 2024 by Fortinet, Proof of Concept by Horizon3) in FortiClient enterprise management servers (FortiClient EMS) to install unauthorized remote management and monitoring (RMM) tools and PowerShell backdoors. While no IOC are listed, they provide detection methods for post-exploitation activity. 🔗 https://redcanary.com/blog/cve-2023-48788/
#threatintel #CVE_2023_48788 #Fortinet #CISA #KEV #eitw #activeexploitation #KnownExploitedVulnerabilitiesCatalog
-
@TheDustinChilds of Zero Day Initiative alleges that CVE-2024-29988 (8.8 high) was also exploited in the wild and should be marked an exploited zero-day 🔗 https://www.zerodayinitiative.com/blog/2024/4/9/the-april-2024-security-updates-review
This is an odd one, as a ZDI threat researcher found this vulnerability being in the wild, although Microsoft currently doesn’t list this as exploited. I would treat this as in the wild until Microsoft clarifies. The bug itself acts much like CVE-2024-21412 – it bypasses the Mark of the Web (MotW) feature and allows malware to execute on a target system. Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass MotW.
cc:@todb
#zeorday #CVE_2024_29988 #PatchTuesday #Microsoft #vulnerability #eitw #activeexploitation #motw
-
@TheDustinChilds of Zero Day Initiative alleges that CVE-2024-29988 (8.8 high) was also exploited in the wild and should be marked an exploited zero-day 🔗 https://www.zerodayinitiative.com/blog/2024/4/9/the-april-2024-security-updates-review
This is an odd one, as a ZDI threat researcher found this vulnerability being in the wild, although Microsoft currently doesn’t list this as exploited. I would treat this as in the wild until Microsoft clarifies. The bug itself acts much like CVE-2024-21412 – it bypasses the Mark of the Web (MotW) feature and allows malware to execute on a target system. Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass MotW.
cc:@todb
#zeorday #CVE_2024_29988 #PatchTuesday #Microsoft #vulnerability #eitw #activeexploitation #motw
-
@TheDustinChilds of Zero Day Initiative alleges that CVE-2024-29988 (8.8 high) was also exploited in the wild and should be marked an exploited zero-day 🔗 https://www.zerodayinitiative.com/blog/2024/4/9/the-april-2024-security-updates-review
This is an odd one, as a ZDI threat researcher found this vulnerability being in the wild, although Microsoft currently doesn’t list this as exploited. I would treat this as in the wild until Microsoft clarifies. The bug itself acts much like CVE-2024-21412 – it bypasses the Mark of the Web (MotW) feature and allows malware to execute on a target system. Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass MotW.
cc:@todb
#zeorday #CVE_2024_29988 #PatchTuesday #Microsoft #vulnerability #eitw #activeexploitation #motw
-
@TheDustinChilds of Zero Day Initiative alleges that CVE-2024-29988 (8.8 high) was also exploited in the wild and should be marked an exploited zero-day 🔗 https://www.zerodayinitiative.com/blog/2024/4/9/the-april-2024-security-updates-review
This is an odd one, as a ZDI threat researcher found this vulnerability being in the wild, although Microsoft currently doesn’t list this as exploited. I would treat this as in the wild until Microsoft clarifies. The bug itself acts much like CVE-2024-21412 – it bypasses the Mark of the Web (MotW) feature and allows malware to execute on a target system. Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass MotW.
cc:@todb
#zeorday #CVE_2024_29988 #PatchTuesday #Microsoft #vulnerability #eitw #activeexploitation #motw
-
@TheDustinChilds of Zero Day Initiative alleges that CVE-2024-29988 (8.8 high) was also exploited in the wild and should be marked an exploited zero-day 🔗 https://www.zerodayinitiative.com/blog/2024/4/9/the-april-2024-security-updates-review
This is an odd one, as a ZDI threat researcher found this vulnerability being in the wild, although Microsoft currently doesn’t list this as exploited. I would treat this as in the wild until Microsoft clarifies. The bug itself acts much like CVE-2024-21412 – it bypasses the Mark of the Web (MotW) feature and allows malware to execute on a target system. Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass MotW.
cc:@todb
#zeorday #CVE_2024_29988 #PatchTuesday #Microsoft #vulnerability #eitw #activeexploitation #motw
-
@jullrich of SANS ISC is on top of the new information from Sophos, and correctly identifies CVE-2024-26234 as an exploited zero-day in the Patch Tuesday summary. 🔗 https://isc.sans.edu/diary/rss/30822
#PatchTuesday #CVE_2024_26234 #zeroday #eitw #activeexploitation #vulnerability
-
@jullrich of SANS ISC is on top of the new information from Sophos, and correctly identifies CVE-2024-26234 as an exploited zero-day in the Patch Tuesday summary. 🔗 https://isc.sans.edu/diary/rss/30822
#PatchTuesday #CVE_2024_26234 #zeroday #eitw #activeexploitation #vulnerability
-
@jullrich of SANS ISC is on top of the new information from Sophos, and correctly identifies CVE-2024-26234 as an exploited zero-day in the Patch Tuesday summary. 🔗 https://isc.sans.edu/diary/rss/30822
#PatchTuesday #CVE_2024_26234 #zeroday #eitw #activeexploitation #vulnerability
-
@jullrich of SANS ISC is on top of the new information from Sophos, and correctly identifies CVE-2024-26234 as an exploited zero-day in the Patch Tuesday summary. 🔗 https://isc.sans.edu/diary/rss/30822
#PatchTuesday #CVE_2024_26234 #zeroday #eitw #activeexploitation #vulnerability