Cyble Research and Intelligence Labs (CRIL) investigated 27 vulnerabilities during the week of October 9-15 and identified 11 as high-priority fixes for security teams.
Cyble researchers also observed 14 vulnerability exploits discussed on dark web and cybercrime forums, raising the likelihood that those vulnerabilities will be exploited more frequently.
Of the vulnerabilities highlighted by Cyble threat researchers, two are being actively exploited by state-sponsored threat actors, and five could be chained together to hijack Palo Alto Networks firewalls.
Among the vulnerabilities investigated by Cyble researchers this week, Cyble’s Odin vulnerability exposure search tool detected 427,000 vulnerable Fortinet devices exposed to the internet after CVE-2024-23113, a 9.8-severity Format String Vulnerability, was added to CISA’s Known Exploited Vulnerabilities catalog on Oct. 9.
Other vulnerable web-facing assets detected by Cyble Odin include 87,000 exposed GitLab and SAML instances, 35,000 vulnerable Zimbra servers, 7,800 vulnerable Ivanti Cloud Services Appliances, and 2,400 exposed Veeam Backup instances (chart below). Cyble issued separate advisories regarding several of those vulnerabilities (see links).
Product & Vulnerability | Internet Exposures |
Fortinet (CVE-2024-23113) | 427,134 |
Gitlab EE (CVE-2024-9164) | 87,402 |
SAML Toolkits (CVE-2024-45409) | 87,042 |
Zimbra Web Client (CVE-2024-45519) | 35,064 |
Ivanti CSA (CVE2024-9380, CVE-2024-9379) | 7,831 |
Veeam Backup & Replication (CVE-2024- 40711) | 2,408 |
Below are the 11 high-priority vulnerabilities and 14 dark web exploits in detail.
These 11 vulnerabilities should be prioritized by security teams, according to Cyble researchers.
CVE-2024-30088: A high-severity privilege escalation vulnerability in Windows that enables attackers to escalate their privileges to the SYSTEM level, giving them significant control over compromised devices. Researchers disclosed that the Iranian state-sponsored hacking group APT34, aka OilRig, is exploiting the CVE-2024-30088 flaw to elevate their privileges on compromised devices in their new campaigns targeting government and critical infrastructure entities in the United Arab Emirates and the Gulf region.
CVE-2024-9486: This critical vulnerability affects Kubernetes Image Builder, a specialized tool designed for creating virtual machine images that are optimized for Kubernetes environments. The flaw impacts versions <= v0.1.37, where default credentials are enabled during the image build process. The credentials can be used to gain root access. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project with its Proxmox provider.
CVE-2024-38178: A high-severity type confusion vulnerability that impacts Internet Explorer. Recently, government agencies disclosed that ScarCruft, a state-sponsored cyber-espionage threat actor known for targeting systems in South Korea and Europe, launched a new campaign dubbed “Code on Toast.” This campaign leveraged toast pop-up ads to perform zero-click malware infections by exploiting the CVE-2024-38178 vulnerability.
CVE-2024-40711: This critical deserialization of untrusted data vulnerability impacts Veeam Backup & Replication (VBR) and can lead to unauthenticated remote code execution (RCE). Recently, researchers discovered that Akira and Fog ransomware groups are now exploiting the vulnerability to gain RCE on vulnerable servers.
CVE-2024-9164: This critical vulnerability impacts GitLab Enterprise Edition (EE). The flaw allows unauthorized users to trigger Continuous Integration/Continuous Delivery (CI/CD) pipelines on any branch of a repository. An attacker capable of bypassing branch protections could potentially perform code execution or gain access to sensitive information.
CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, CVE-2024-9466, CVE-2024-9467: These vulnerabilities – the first of which carries a 9.9 severity rating – impact Palo Alto Networks Expedition, a migration tool designed to facilitate the transition of network configurations from various vendors to Palo Alto Networks PAN-OS. This tool is particularly useful for organizations looking to switch from competitors, as it helps streamline the migration process and reduce the time and effort required for configuration changes. The flaws can be chained to let attackers hijack PAN-OS firewalls and are being discussed by threat actors (see dark web section below). CVE-2024-9463 and CVE-2024-9464 are OS command injection vulnerabilities allowing an unauthenticated attacker to run arbitrary OS commands as root in Expedition. Upon successful exploitation, the vulnerabilities may result in the disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
CVE-2024-9465 is an SQL injection vulnerability that allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. CVE-2024-9466 is a vulnerability in cleartext storage of sensitive information that allows an authenticated attacker to reveal firewall usernames, passwords, and API keys generated using those credentials. CVE-2024-9467 is a reflected XSS vulnerability allowing attackers to execute malicious JavaScript code in the context of an authenticated Expedition user’s browser.
Cyble researchers also observed numerous vulnerability exploits discussed in cybercrime forums and on Telegram channels. These vulnerabilities could become increasingly exploited because of these dark web activities, meriting higher priority attention from security teams.
CVE-2024-30052: A remote code execution (RCE) vulnerability affecting Microsoft Visual Studio, particularly versions 2022 prior to 17.8.11 and certain configurations of Visual Studio 2019.
CVE-2024-20353: A critical vulnerability identified in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, which allows for a Denial-of-Service (DoS) attack. The vulnerability enables an attacker to send crafted HTTP requests that can cause the device to reload unexpectedly, leading to service disruptions.
CVE-2024-7479: A critical security vulnerability affecting TeamViewer’s Remote Client and Remote Host products for Windows. The vulnerability arises from improper verification of cryptographic signatures during the installation of VPN drivers, allowing attackers with local, unprivileged access to escalate their privileges and execute arbitrary code.
CVE-2024-7481: A critical security vulnerability affecting TeamViewer’s Remote Client and Remote Host products for Windows. The vulnerability arises from improper verification of cryptographic signatures during the installation of printer drivers, allowing attackers with local, unprivileged access to escalate their privileges and execute arbitrary code.
CVE-2024-42640: A critical vulnerability affecting the angular-base64-upload library, specifically in versions prior to v0.1.21. This vulnerability allows remote code execution (RCE) through the demo/server.php endpoint, enabling attackers to upload arbitrary files to the server.
CVE-2024-9464: A critical OS command injection vulnerability found in Palo Alto Networks’ Expedition tool, which allows an attacker to execute arbitrary OS commands as root, potentially leading to the disclosure of sensitive information.
CVE-2024-45409: A critical vulnerability affecting the Ruby-SAML and OmniAuth-SAML libraries. This flaw allows unauthenticated attackers to bypass Security Assertion Markup Language (SAML) authentication mechanisms by exploiting weaknesses in the signature verification process of SAML responses.
CVE-2024-45200: A recently identified vulnerability affecting Mario Kart 8 Deluxe, specifically versions prior to 3.0.3. This security flaw, dubbed “KartLANPwn,” is classified as a stack-based buffer overflow that occurs during the local multiplayer (LAN/LDN) gameplay mode, which allows remote attackers on the same local network to execute arbitrary code or cause a denial-of-service (DoS) condition on the victim’s console without requiring user interaction or elevated privileges.
CVE-2024-6769: This vulnerability affects multiple versions of Microsoft Windows, including Windows 10, Windows 11, and various Windows Server editions. It exploits a combination of DLL Hijacking and Activation Cache Poisoning, allowing an attacker to elevate privileges from a medium to a high-integrity process without triggering a User Account Control (UAC) prompt.
CVE-2024-38816: A high-severity path traversal vulnerability was discovered in the Spring Framework and VMWare Tanzu Spring platform, affecting multiple versions. This vulnerability allows attackers to exploit improper handling of static resources, potentially gaining unauthorized access to sensitive files on the server.
CVE-2024-5830: A critical security vulnerability was discovered in Google Chrome’s V8 JavaScript engine, affecting versions prior to 126.0.6478.54. This vulnerability is a type of confusion bug that an attacker can exploit to execute arbitrary code within the Chrome renderer sandbox simply by enticing a victim to visit a malicious website.
CVE-2024-20404: A medium severity vulnerability affecting the webbased management interface of Cisco Finesse. The issue comes from insufficient validation of user-supplied input for specific HTTP requests, which allows remote attackers to conduct Server-Side Request Forgery (SSRF) attacks on an affected system.
CVE-2024-0044: A high-severity vulnerability affecting Android versions 12, 12L, 13, and 14 and is present in the createSessionInternal function of the PackageInstallerService.java, allowing attackers to execute a “run-as any app” attack. This exploit can lead to local escalation of privileges without requiring user interaction, primarily due to improper input validation.
CVE-2024-45519: A critical Remote Code Execution (RCE) vulnerability was discovered in the postjournal service of the Zimbra Collaboration Suite, a widely used email and collaboration platform.
To protect against these vulnerabilities and exploits, organizations should implement the following best practices:
These vulnerabilities highlight the urgent need for security teams to prioritize patching critical vulnerabilities in major products. With increasing discussions of these exploits on dark web forums, organizations must stay vigilant and proactive. Implementing strong security practices is essential to protect sensitive data and maintain system integrity.