FlagThis

Multiple vulnerabilities were found in various products including a zero-day in industrial routers which were leveraged by a Mirai based botnet, a vulnerability in the Nuclei vulnerability scanner that allows code execution, and an OpenVPN vulnerability which leaks private keys. The vulnerabilities allow attackers to gain unauthorized access, execute code, or steal sensitive information. These incidents highlight the continuous need for robust security measures and timely patching.

A critical vulnerability, identified as CVE-2024-8474, exists in OpenVPN Connect prior to version 3.5.0. This flaw can expose users’ private keys by logging them in clear text within the application logs. Attackers with unauthorized access to these logs could decrypt VPN traffic, thereby compromising user confidentiality. Additionally, a separate vulnerability (CVE-2024-5594) in OpenVPN before 2.6.11 allows malicious peers to inject arbitrary data through improperly sanitized PUSH_REPLY messages, leading to potential exploitation of third-party plugins or executables. Both vulnerabilities pose serious risks to the security of OpenVPN users.