IONIX THREAT CENTER

Get up-to-the-minute zero-day exposure information on your assets and respond three times faster to validated exploits.

The information on this page is the same information our customers receive in real-time when there is a new CVE impacting their assets.

Created Date
Source IONIX Threat Lab

CVE-2024-45519 – Zimbra Collaboration Unauthenticated Remote Command Execution

Multiple versions of the Zimbra Collaboration application are affected by an unauthenticated remote command execution vulnerability (CVE-2024-45519). Specially crafted SMTP commands sent to Zimbra’s email server component can result in the execution of local OS commands. Versions earlier than 9.0.0 Patch 41, 10.0.9, 10.1.1, or 8.8.15 Patch 46 are vulnerable.

Remotely detecting the exact exploit is difficult. Users should instead check any assets flagged as “Potentially Affected” to ensure they are updated to the latest version of Zimbra.


Critical Linux CUPS Printing System Flaws Could Lead to Remote Command Execution

CUPS (Common UNIX Printing System) is a standards-based, open-source printing system. Several vulnerabilities (CVE-2024-47076, CVE-2024-47175, CVE-2024-47176, CVE-2024-47177) were recently discovered that potentially allow attackers to run code remotely on machines that expose the service over UDP (usually on port 631).

It is recommended to block the UDP port. It is also good practice to avoid exposing IPP services over UDP.

Because checking for an affected open UDP service triggers a connection from the vulnerable machine back to the scanning system, and because most vulnerable systems detected over UDP also had an open IPP service over TCP on the same port, IONIX marks assets as potentially affected based on services with open IPP (TCP) ports. Note that exposing an IPP service publicly is also not good practice, and we recommend closing it as well.


CVE-2024-8752 – Directory Traversal Vulnerability at WebIQ

The Windows version of WebIQ 2.15.9 is affected by a directory traversal vulnerability that allows remote attackers to read any file on the system.


CVE-2024-8503 – Blind SQL Injection in VICIdial

An unauthenticated attacker can leverage a time-based SQL injection vulnerability in VICIdial to enumerate database records.


CVE-2024-40711 – Deserialization Leading to Remote Code Execution in Veeam Backup

A deserialization-of-untrusted-data vulnerability can allow an unauthenticated attacker to achieve remote code execution (RCE) by supplying a malicious payload.


CVE-2024-6670 – SQL Injection in WhatsUp Gold by Progress

In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve users' encrypted passwords.


CVE-2024-38856 – Incorrect Authorization vulnerability in Apache OFBiz

Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don’t explicitly check user’s permissions because they rely on the configuration of their endpoints).


CVE-2024-6205 – SQL Injection at PayPlus Payment Gateway (WordPress plugin)

The PayPlus Payment Gateway WordPress plugin before 6.6.9 does not properly sanitise and escape a parameter before using it in a SQL statement via a WooCommerce API route available to unauthenticated users, leading to an SQL injection vulnerability.


CVE-2024-36401 – GeoServer Remote Code Execution

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions.


CVE-2024-5217 – ServiceNow Unauthenticated Remote Code Execution

ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and earlier Now Platform releases. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. The vulnerability is addressed in the listed patches and hot fixes below, which were released during the June 2024 patching cycle. If you have not done so already, we recommend applying security patches relevant to your instance as soon as possible.


CVE-2024-6387 – OpenSSH Unauthenticated Remote Code Execution (regreSSHion)

CVE-2024-6387, also known as regreSSHion, is an unauthenticated remote code execution vulnerability in OpenSSH’s server that grants full root access. It affects the default configuration and does not require user interaction. It poses a significant exploit risk. A crude public exploit does exist for 32-bit systems, but not 64-bit systems.

This vulnerability is a regression of the previously patched vulnerability CVE-2006-5051, reported and fixed in 2006. Because of this uncommon vector, a code regression (re)creating a vulnerability, the set of affected OpenSSH sshd versions is unusual: versions earlier than 4.4p1 are vulnerable unless they have already been patched for CVE-2006-5051 and CVE-2008-4109. Versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable. Versions from 8.5p1 up to, but not including, 9.8p1 are vulnerable.

To resolve the issue, upgrade to the latest version of OpenSSH.
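The version ranges above are awkward to apply by hand across a fleet, so the following added example (not IONIX's code, nor OpenSSH's) classifies sshd identification banners against exactly those ranges. The banners are constructed sample inputs. One caveat a defender should keep in mind: the banner only carries the upstream version, and distributions often backport the fix without bumping it, so a "vulnerable" result from a banner-based check is a prompt to verify the package's changelog, not a confirmed finding.

```python
import re

# Boundaries taken from the advisory text: < 4.4p1 (unless CVE-2006-5051 /
# CVE-2008-4109 were backported), [4.4p1, 8.5p1) fixed, [8.5p1, 9.8p1) vulnerable.
# Comparison is on (major, minor); the "pN" portable suffix does not move the
# boundaries, since 4.4p1, 8.5p1 and 9.8p1 are the first releases of those lines.
FIRST_FIXED_AFTER_2006 = (4, 4)
REGRESSION_INTRODUCED = (8, 5)
REGRESSION_FIXED = (9, 8)

_BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")


def parse_openssh_version(banner):
    """Return (major, minor) from an SSH identification string such as
    'SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4', or None if it is not OpenSSH."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def classify_regresshion(banner):
    """Map a banner to one of four outcomes for CVE-2024-6387."""
    version = parse_openssh_version(banner)
    if version is None:
        return "not-openssh"
    if version < FIRST_FIXED_AFTER_2006:
        # Pre-2006 code: vulnerable unless the vendor backported the old fixes.
        return "vulnerable-unless-backported"
    if version < REGRESSION_INTRODUCED:
        return "not-vulnerable"
    if version < REGRESSION_FIXED:
        # The regression window: 8.5p1 up to, but not including, 9.8p1.
        return "vulnerable"
    return "not-vulnerable"


def triage(hosts):
    """Given {host: banner}, return the hosts that need follow-up, grouped by outcome.
    Hosts classified 'not-vulnerable' or 'not-openssh' are left out."""
    report = {}
    for host, banner in hosts.items():
        outcome = classify_regresshion(banner)
        if outcome in ("vulnerable", "vulnerable-unless-backported"):
            report.setdefault(outcome, []).append(host)
    return report


# Constructed sample banners (hypothetical hosts), not real scan data.
SAMPLE_HOSTS = {
    "bastion.example.test": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4",
    "legacy.example.test": "SSH-2.0-OpenSSH_4.3",
    "build.example.test": "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "patched.example.test": "SSH-2.0-OpenSSH_9.8p1",
    "router.example.test": "SSH-2.0-dropbear_2022.83",
}

if __name__ == "__main__":
    for outcome, hosts in triage(SAMPLE_HOSTS).items():
        print(f"{outcome}: {', '.join(sorted(hosts))}")
```

Running the module prints the bastion host under "vulnerable" (9.6p1 lies inside the regression window) and the legacy host under "vulnerable-unless-backported"; the 8.4p1 and 9.8p1 hosts, and the non-OpenSSH one, are dropped from the report. Feed it banners collected by your own inventory or scanner and then confirm each flagged host against its distribution's patch notes before closing the finding.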


CVE-2024-38526 – Polyfill Supply Chain Attack for malicious code execution

The Polyfill.io service uses JavaScript code to add modern functionality to older browsers that do not usually support it. For example, it adds JavaScript functions that are not available in older browsers but are present in modern ones. Sansec warned today that the polyfill.io domain and service were purchased earlier this year by a Chinese company named ‘Funnull’ and that the script has been modified to introduce malicious code on websites in a supply chain attack. Over 100,000 domains are affected.

CVE-2024-34102 – XML External Entity (XXE) at Adobe Commerce (MAGENTO)

Adobe Commerce (MAGENTO) versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference (‘XXE’) vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.


CVE-2024-4577 – Argument Injection Vulnerability at PHP-CGI

CVE-2024-4577 is a critical remote code execution vulnerability in PHP that could potentially allow unauthenticated attackers to take full control of affected PHP servers.

The vulnerability arises from an oversight in how PHP's implementation handles the Best-Fit feature of encoding conversion within the Windows operating system. This oversight allows attackers to bypass the protections added for a previous vulnerability, CVE-2012-1823, using specific character sequences. Consequently, arbitrary code can be executed on remote PHP servers via an argument injection attack, enabling unauthorized access and control.


CVE-2024-24919 – Exposure of Sensitive Information at Check Point Security Gateway

This vulnerability potentially allows an attacker to read certain information on Check Point Security Gateways that are connected to the internet and have the Remote Access VPN or Mobile Access Software Blades enabled. A security fix that mitigates this vulnerability is available.


CVE-2024-3495 – SQL Injection at Country State City Dropdown CF7 (WordPress plugin)

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and ‘sid’ parameters in versions up to, and including, 2.7.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.


CVE-2024-4956 – Path Traversal at Sonatype Nexus Repository Manager 3

Path Traversal in Sonatype Nexus Repository 3 allows an unauthenticated attacker to read system files. Fixed in version 3.68.1.


CVE-2024-2876 – SQL Injection at Email Subscribers by Icegram Express (WordPress plugin)

The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to SQL Injection via the ‘run’ function of the ‘IG_ES_Subscribers_Query’ class in all versions up to, and including, 5.7.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.


CISA Adds CVE-2023-7028 Exploited Vulnerability to Catalog

CISA has added the CVE-2023-7028 vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2023-7028 GitLab Community and Enterprise Editions Improper Access Control Vulnerability


CVE-2024-27956 – WP-Automatic Plugin Bug to Create Admin Accounts on WordPress Sites

This SQL injection (SQLi) vulnerability in the Automatic plugin for WordPress poses a severe threat, as attackers can exploit it to gain unauthorized access to websites, create admin-level user accounts, upload malicious files, and potentially take full control of affected sites.
This vulnerability is being used to perform unauthorized database queries and create new admin accounts on susceptible WordPress sites.
It impacts all versions of the plugin prior to 3.92.0. The issue has been resolved in version 3.92.1 released on February 27, 2024, although the release notes make no mention of it.


CVE-2024-20359 Cisco Adaptive Security Appliance and Firepower Threat Defense Persistent Local Code

A vulnerability in a legacy capability that allowed for the preloading of VPN clients and plug-ins and that has been available in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary code with root-level privileges. Administrator-level privileges are required to exploit this vulnerability.

This vulnerability is due to improper validation of a file when it is read from system flash memory. An attacker could exploit this vulnerability by copying a crafted file to the disk0: file system of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the affected device after the next reload of the device, which could alter system behavior and persist across reboots.

Customers can detect if they are vulnerable using Cisco’s software checker. Customers with a Cisco Service Contract can download security fixes.


CVE-2024-20353 – Cisco Adaptive Security Appliance and Firepower Threat Defense Denial of Service

A vulnerability in the management and VPN web servers for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition.

This vulnerability is due to incomplete error checking when parsing an HTTP header. An attacker could exploit this vulnerability by sending a crafted HTTP request to a targeted web server on a device. A successful exploit could allow the attacker to cause a DoS condition when the device reloads.

To determine whether a device that is running Cisco ASA Software or FTD Software is affected, use the “show asp table socket | include SSL” command and look for an SSL listen socket on any TCP port.

Customers with a Cisco Service Contract can download security fixes.


CVE-2024-4040 – CrushFTP VFS Sandbox Escape

A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.

Public exploits for this vulnerability were published and are used by hackers.


CVE-2024-3400 – PAN-OS OS Command Injection Vulnerability in GlobalProtect Gateway

An OS Command Injection vulnerability in PAN GlobalProtect is being exploited in the wild. IONIX is now running a full exploit simulation for this vulnerability to better detect vulnerable devices.

PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 are impacted. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.

PAN is in the process of releasing hotfixes to update the affected versions. At this time not all versions have a hotfix available. You should check with PAN to see if a hotfix is available.

Additionally, PAN customers with a Threat Prevention subscription can protect themselves by enabling Threat ID 95187.

In earlier versions of this advisory, disabling device telemetry was listed as a secondary mitigation action. Disabling device telemetry is no longer an effective mitigation.


CVE-2024-2879 – SQL Injection in LayerSlider (WordPress plugin)

The LayerSlider plugin for WordPress is vulnerable to SQL Injection via the ls_get_popup_markup action in versions 7.9.11 and 7.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Exploits are available online and attempts to exploit the vulnerability were detected.


CVE-2024-29059 – Leaking ObjRefs and Potential Remote Code Execution by Exploiting .NET Remoting

.NET Remoting allows invocation of methods across so-called remoting boundaries. Supported transports between the client and server include HTTP and TCP. .NET Remoting was already considered a legacy technology in 2009, but it is still in use due to the wide usage of ASP.NET (e.g., IIS, SharePoint and others) and backward compatibility.
Leakage of ObjRef instances allows hackers to remotely manipulate the server, and in some cases to remotely run code on the server.
IONIX Exploit Simulation successfully simulated the leakage via a POST request to the “/RemoteApplicationMetadata.rem?wsdl” endpoint, but did not use the leaked ObjRefs to manipulate the server.
To remediate, update the ASP.NET application and verify that it does not leak ObjRef objects that could be used for attacking the server.


CVE-2024-20767 – Adobe ColdFusion Arbitrary File Read

ColdFusion versions 2023.6, 2021.12, and earlier are affected by an Improper Access Control vulnerability that could lead to arbitrary file system read.
An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to sensitive files and perform arbitrary file system write. Exploitation of this issue does not require user interaction.


CVE-2024-27954 – File Download and SSRF in Automatic (WordPress plugin)

Automatic, a WordPress plugin, in versions <= 3.92.0 is vulnerable to Unauthenticated Arbitrary File Download and Server-Side Request Forgery attacks. The security issue is easy to exploit and it is reported to be exploited in the wild.


CVE-2024-21762 – Potentially Vulnerable Fortinet Devices

According to Fortinet, the Fortinet FortiOS vulnerability (affecting also Fortinet VPN) CVE-2024-21762 allows attackers to execute unauthorized code or commands via specifically crafted requests and is potentially exploited in the wild.
CISA marked the vulnerability as exploited.

While a full exploit simulation is not available, the IONIX research team used a deeper version analysis to distinguish between patched versions and older, vulnerable ones.
The analysis leverages a change that was done in the patched version that blocks “chunk-encoded” malformed requests. Our testing tool sends multiple test requests to see that the assets are live and then sends a badly formed “chunk-encoded” probe that is expected to time out only on vulnerable versions.


CVE-2024-1071 – SQL Injection in Ultimate Member (WordPress plugin)

The Ultimate Member plugin for WordPress is vulnerable to SQL Injection via the ‘sorting’ parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query.
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.


Akira Ransomware Group leverages Cisco CVE-2020-3259

According to CISA and other reports, an old vulnerability in Cisco ASA and FTD, CVE-2020-3259, is being exploited by the Akira Ransomware group (and others). This vulnerability involves an unauthenticated memory disclosure issue.
The IONIX research team has conducted a scan for CVE-2020-3580, another Cisco ASA/FTD vulnerability. With high probability, assets that are vulnerable to CVE-2020-3580 are also vulnerable to CVE-2020-3259.
While the IONIX research team tests the feasibility of simulating a CVE-2020-3259 exploit non-intrusively, we recommend:
1. Use the IONIX platform to spot assets that are vulnerable to CVE-2020-3580 (Action Items).
2. Review all the Cisco ASA assets. Note that assets might be vulnerable to CVE-2020-3259 without being vulnerable to CVE-2020-3580.
3. For relevant assets, follow the guide by Cisco.
4. Keep an eye on security bulletins and updates from IONIX and Cisco.


CVE-2024-22024 – XML External Entity (XXE) vulnerability in Ivanti Connect Secure

An XML external entity (XXE) vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x; previously known as PulseSecure), Ivanti Policy Secure (9.x, 22.x) and ZTA gateways allows an attacker to access certain restricted resources without authentication.
CISA recognized this vulnerability as exploited.


CVE-2024-21893 – Server-side Request Forgery (SSRF) vulnerability in Ivanti Connect Secure

A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x; previously known as PulseSecure) and Ivanti Policy Secure (9.x, 22.x), and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
The vulnerability was recognized by CISA as exploitable.


CVE-2024-1061 – SQL Injection in HTML5 Video Player (WordPress plugin)

The ‘HTML5 Video Player’ WordPress Plugin, version < 2.5.25 is affected by an unauthenticated SQL injection vulnerability in the 'id' parameter in the 'get_view' function.


Local File Inclusion and potential RCE in Jenkins CVE-2024-23897

Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an ‘@’ character followed by a file path in an argument with the file’s contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
This leads to information leakage and potentially to remote code execution on the server.


Remote Code Execution vulnerability in Atlassian Confluence Data Center

A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action.
CISA recognized this vulnerability as exploited.


CVE-2023-7028 – GitLab Account Takeover via Password Reset without User Interaction

An issue has been discovered in GitLab CE/EE in which user account password reset emails could be delivered to an unverified email address, resulting in account takeover via password reset without user interaction.
It is strongly recommended that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.


CVE-2024-0352 – Arbitrary File Upload vulnerability in Likeshop

A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler.
The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.


REQUEST A THREAT EXPOSURE REPORT TODAY

Discover the full extent of your online exposure so you can protect it.