The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently expanded its Known Exploited Vulnerabilities (KEV) catalog by adding several critical vulnerabilities that are currently being exploited. These affect Zyxel, North Grid Proself, ProjectSend, and CyberPanel products.

Identified Vulnerabilities

CVE-2024-51378: Rated with a CVSS score of 10.0, this flaw involves incorrect default permissions, potentially allowing unauthorized command execution through shell metacharacters.

CVE-2023-45727: With a CVSS score of 7.5, this vulnerability stems from improper restriction of XML External Entity (XXE) references, enabling remote XXE attacks.

CVE-2024-11680: Scoring 9.8 on the CVSS scale, this improper-authentication flaw lets remote attackers create accounts, upload web shells, and embed malicious JavaScript.

CVE-2024-11667: This path traversal vulnerability, rated 7.5, lets an attacker manipulate files by sending specially crafted URLs to the web management interface.

Trend Micro's Findings

The inclusion of CVE-2023-45727 coincides with a report from Trend Micro on November 19, 2024. It links the vulnerability to a cyber espionage group with ties to China, known as Earth Kasha or MirrorFace.

Recent Exploitation Attempts

Security firm VulnCheck has observed attempts to exploit CVE-2024-11680 since September 2024, with the aim of deploying post-exploitation payloads.

Ransomware Associations

Censys and Sekoia have identified that CVE-2024-51378 and CVE-2024-11667 are being used in various ransomware operations, including PSAUX and Helldown. Federal agencies are advised to patch these vulnerabilities by December 25, 2024, to prevent unauthorized access and potential damage.
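A practical way to act on a KEV update like this one is to match scanner findings against the catalog and rank them by due date and ransomware use. The script below is an added example, not from the article or from CISA: it uses the field names of the public KEV JSON feed (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse) and embeds a constructed catalog excerpt so it runs offline. The four CVE IDs and the December 25, 2024 due date come from the article; the vendor and product strings, the scanner findings, and the "today" date are constructed sample values.

```python
"""Rank a host's scanner findings by CISA KEV urgency (added example, not CISA code)."""
from datetime import date

# Constructed excerpt shaped like the real KEV feed (same field names). CVE IDs and the
# 2024-12-25 due date are from the article; vendor/product strings are sample values.
SAMPLE_KEV_CATALOG = {
    "vulnerabilities": [
        {"cveID": "CVE-2024-51378", "vendorProject": "CyberPersons", "product": "CyberPanel",
         "dueDate": "2024-12-25", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2023-45727", "vendorProject": "North Grid", "product": "Proself",
         "dueDate": "2024-12-25", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-11680", "vendorProject": "ProjectSend", "product": "ProjectSend",
         "dueDate": "2024-12-25", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-11667", "vendorProject": "Zyxel", "product": "Firewalls",
         "dueDate": "2024-12-25", "knownRansomwareCampaignUse": "Known"},
    ]
}

# Constructed scanner output: two KEV-listed CVEs plus a placeholder ID that is not
# in the catalog (and is not a real CVE), to show the non-KEV path.
SAMPLE_SCANNER_FINDINGS = ["cve-2023-45727", "CVE-2024-11667", "CVE-0000-00000"]


def index_kev(catalog: dict) -> dict:
    """Map cveID -> catalog entry so lookups are O(1) instead of scanning the list."""
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def triage(catalog: dict, scanner_findings: list, today: date) -> list:
    """Return the KEV-listed findings, most urgent first.

    Ordering: known ransomware use first, then earliest due date, then CVE ID.
    'days_left' goes negative once the remediation due date has passed.
    """
    kev = index_kev(catalog)
    hits = []
    for cve in sorted(set(scanner_findings)):
        entry = kev.get(cve.upper())  # normalise case so "cve-..." still matches
        if entry is None:
            continue  # not in KEV: still a finding, but not under a KEV deadline
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "cveID": entry["cveID"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": due,
            "days_left": (due - today).days,
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
        })
    hits.sort(key=lambda h: (not h["ransomware"], h["due"], h["cveID"]))
    return hits


def overdue(catalog: dict, scanner_findings: list, today: date) -> list:
    """CVE IDs whose KEV due date is already past on the given day."""
    return [h["cveID"] for h in triage(catalog, scanner_findings, today) if h["days_left"] < 0]


if __name__ == "__main__":
    # Sample run date (constructed), five days before the article's due date.
    for hit in triage(SAMPLE_KEV_CATALOG, SAMPLE_SCANNER_FINDINGS, date(2024, 12, 20)):
        flag = "RANSOMWARE" if hit["ransomware"] else "-"
        print(f'{hit["cveID"]}  {hit["product"]:<24} due {hit["due"]}  '
              f'{hit["days_left"]:>3}d  {flag}')
```

In production the catalog dict would be loaded from the feed with json.load, and the findings list would come from the vulnerability scanner; the ranking deliberately puts ransomware-linked entries such as CVE-2024-51378 and CVE-2024-11667 ahead of other KEV entries sharing the same due date.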

Additional Exploits on I-O DATA Router Flaws

The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) has also highlighted ongoing exploitation of I-O DATA routers (models UD-LT1 and UD-LT1/EX) by unidentified actors. The vulnerabilities under scrutiny include:

CVE-2024-45841: Allows credential exposure due to incorrect permission assignments, with a CVSS rating of 6.5.

CVE-2024-47133: An OS command injection flaw, scored at 7.2, that permits command execution under administrative accounts.

CVE-2024-52564: This flaw, rated 7.5 and stemming from the inclusion of undocumented functionality, can be exploited remotely to disable the firewall or execute OS commands.

While a firmware update (Ver2.1.9) addressing CVE-2024-52564 is available, fixes for the other two issues are scheduled for December 18, 2024 (Ver2.2.0). Until then, I-O DATA advises users to secure their routers by disabling remote management, changing guest passwords, and strengthening administrator password policies.
