The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added multiple security flaws affecting products from Zyxel, North Grid Proself, ProjectSend, and CyberPanel to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The list of vulnerabilities is as follows –
- CVE-2024-51378 (CVSS score: 10.0) – An incorrect default permissions vulnerability that allows for authentication bypass and the execution of arbitrary commands using shell metacharacters in the statusfile property
- CVE-2023-45727 (CVSS score: 7.5) – An improper restriction of XML External Entity (XXE) reference vulnerability that could allow a remote, unauthenticated attacker to conduct an XXE attack
- CVE-2024-11680 (CVSS score: 9.8) – An improper authentication vulnerability that allows a remote, unauthenticated attacker to create accounts, upload web shells, and embed malicious JavaScript
- CVE-2024-11667 (CVSS score: 7.5) – A path traversal vulnerability in the web management interface that could allow an attacker to download or upload files via a crafted URL
The inclusion of CVE-2023-45727 in the KEV catalog comes in the wake of a Trend Micro report released on November 19, 2024, that linked its active exploitation to a China-nexus cyber espionage group dubbed Earth Kasha (aka MirrorFace).
Last week, cybersecurity vendor VulnCheck revealed that malicious actors have been attempting to weaponize CVE-2024-11680 since as early as September 2024 to drop post-exploitation payloads.
The abuse of CVE-2024-51378 and CVE-2024-11667, on the other hand, has been attributed to various ransomware campaigns such as PSAUX and Helldown, according to Censys and Sekoia.
Federal Civilian Executive Branch (FCEB) agencies are recommended to remediate the identified vulnerabilities by December 25, 2024, to secure their networks.
Multiple Bugs in I-O DATA Routers Under Attack
The development comes as JPCERT/CC warned that three security flaws in I-O DATA routers UD-LT1 and UD-LT1/EX are being exploited by unknown threat actors.
- CVE-2024-45841 (CVSS score: 6.5) – An incorrect permission assignment for critical resource vulnerability that allows an attacker with guest account access to read sensitive files, including those containing credentials
- CVE-2024-47133 (CVSS score: 7.2) – An operating system (OS) command injection vulnerability that allows a logged-in user with an administrative account to execute arbitrary commands
- CVE-2024-52564 (CVSS score: 7.5) – An inclusion of undocumented features vulnerability that allows a remote attacker to disable the firewall function and execute arbitrary OS commands or alter the router configuration
While a patch for CVE-2024-52564 has been made available in firmware Ver2.1.9, fixes for the remaining two shortcomings are not expected to be released until December 18, 2024 (Ver2.2.0).
In the meantime, the Japanese company is advising customers to keep the settings screen from being exposed to the internet by disabling remote management, changing the default guest user password, and ensuring the administrator password is not trivial to guess.