CyberSecurity news

FlagThis - #exploit

Divya@gbhackers.com - 84d
The Cybersecurity and Infrastructure Security Agency (CISA) has issued urgent warnings about multiple actively exploited vulnerabilities affecting popular software and hardware. These flaws impact Zyxel firewalls, CyberPanel, North Grid, and ProjectSend, giving attackers unauthorized system access and control. Specifically, CyberPanel's CVE-2024-51378, with a critical CVSS score of 10.0, allows authentication bypass and arbitrary command execution, facilitating ransomware deployment. Other vulnerabilities include improper authentication in ProjectSend (CVE-2024-11680), improper restriction of XML External Entity references in North Grid Proself (CVE-2023-45727), and path traversal in Zyxel firewalls (CVE-2024-11667). These vulnerabilities have been linked to various ransomware campaigns, including PSAUX and Helldown.

Organizations utilizing these products are strongly advised to immediately implement the necessary security updates and mitigations provided by the vendors. The high severity of these vulnerabilities, particularly the perfect score given to CVE-2024-51378, underscores the urgent need for action to prevent exploitation. CISA has added these flaws to its Known Exploited Vulnerabilities catalog and urges federal agencies to remediate them by December 25, 2024. Failure to act promptly leaves organizations vulnerable to significant security breaches and data loss.

References:
  • gbhackers.com: CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild
  • securityonline.info: CVE-2024-51378 (CVSS 10): Critical CyberPanel Flaw Under Active Attack, CISA Warns
  • The Hacker News: CISA Warns of Active Exploitation of Flaws in Zyxel, ProjectSend, and CyberPanel
  • The Hacker News: Information about the Mitel MiCollab zero-day vulnerability.
  • Help Net Security: Details on the Mitel MiCollab zero-day vulnerability and PoC exploit.
  • www.bleepingcomputer.com: Report on the Mitel MiCollab zero-day vulnerability.
  • www.cysecurity.news: CISA Warns of Critical Exploits in ProjectSend, Zyxel, and Proself Systems
  • watchTowr Labs: Mitel MiCollab is an application for voice, video, messaging, presence, audio conferencing, mobility and team collaboration. watchTowr publishes vulnerability details for CVE-2024-35286 (SQL injection) and CVE-2024-41713 (authentication bypass). Additionally, they publicly disclosed a post-authentication arbitrary file read vulnerability (unpatched) that Mitel failed to patch within 100 days of reporting. This includes a proof of concept.
  • www.csoonline.com: Mitel MiCollab VoIP authentication bypass opens new attack paths
  • www.mitel.com: Mitel security advisory addressing CVE-2024-41713.
  • The Register - Security: Information about the zero-day vulnerability in Mitel MiCollab that allows attackers to access sensitive files.
  • securityaffairs.com: U.S. CISA adds CyberPanel flaw to its Known Exploited Vulnerabilities catalog
  • gbhackers.com: Report on multiple ICS advisories released by CISA, focusing on vulnerabilities and exploits in AutomationDirect and Planet Technology products.

@thecyberexpress.com - 35d
US cybersecurity agencies, CISA and the FBI, have issued warnings regarding the active exploitation of four critical vulnerabilities within Ivanti Cloud Service Appliances (CSA). These flaws, designated as CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, and CVE-2024-9380, are being leveraged by Chinese state-sponsored actors to breach vulnerable networks. The agencies released detailed technical information, including indicators of compromise (IOCs), highlighting that attackers are using two primary exploit chains to gain unauthorized access, execute arbitrary code, and implant webshells on victim systems.

Specifically, one exploit chain combines CVE-2024-8963, CVE-2024-8190, and CVE-2024-9380, while the other uses CVE-2024-8963 along with CVE-2024-9379. These vulnerabilities affect Ivanti CSA versions 4.6x before 519, and versions 5.0.1 and below for CVE-2024-9379 and CVE-2024-9380. Notably, CSA version 4.6 is end-of-life and does not receive security patches, making it particularly susceptible. The agencies urge organizations to apply patches promptly and implement robust security measures to defend against these active threats, further highlighting the speed at which disclosed vulnerabilities are weaponized.

References:
  • ciso2ciso.com: FBI/CISA Share Details on Ivanti Exploits Chains: What Network Defenders Need to Know
  • Pyrzout :vm:: Four Critical Ivanti CSA Vulnerabilities Exploited—CISA and FBI Urge Mitigation
  • www.bleepingcomputer.com: CISA and the FBI warned today that attackers are still exploiting Ivanti Cloud Service Appliances (CSA) security flaws patched since September to breach vulnerable networks.
  • thecyberexpress.com: Four Critical Ivanti CSA Vulnerabilities Exploited—CISA and FBI Urge Mitigation
  • www.helpnetsecurity.com: Report on Cisco's fixes for ClamAV vulnerability and a critical Meeting Management flaw.
  • www.scworld.com: Ivanti CSA exploit chains examined in joint CISA, FBI advisory
  • CySec Feeds: CISA and FBI Release Advisory on How Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications
  • ciso2ciso.com: FBI/CISA Share Details on Ivanti Exploits Chains: What Network Defenders Need to Know – Source: www.securityweek.com
  • Pyrzout :vm:: Anatomy of an Exploit Chain: CISA, FBI Detail Ivanti CSA Attacks – Source: cyble.com
  • securityonline.info: CISA and FBI Warn of Exploited Ivanti CSA Vulnerabilities in Joint Security Advisory
  • ciso2ciso.com: Anatomy of an Exploit Chain: CISA, FBI Detail Ivanti CSA Attacks

@gbhackers.com - 5d
Proof-of-concept exploit code has been released for critical vulnerabilities affecting Ivanti Endpoint Manager (EPM). Disclosed in January, these vulnerabilities allow remote, unauthenticated attackers to potentially compromise systems through credential coercion. Security firm Horizon3.ai published the exploit code and technical details on February 19, 2025, escalating the risk for organizations utilizing the Ivanti EPM platform. The vulnerabilities stem from improper validation of user input, allowing attackers to manipulate file paths and force the EPM server to authenticate to malicious SMB shares.

These vulnerabilities, identified as CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159, affect the WSVulnerabilityCore.dll component of Ivanti EPM. An attacker can coerce the Ivanti EPM machine account credential to be used in relay attacks, potentially leading to a full domain compromise. The exploit chain involves credential harvesting and relay attacks.

References:
  • arcticwolf.com: On 19 February 2025, Horizon3.ai published proof-of-concept (PoC) exploit code and technical details for critical Ivanti Endpoint Manager (EPM) vulnerabilities disclosed in January.
  • bsky.app: Horizon3 has published a write-up and POCs for four credential coercion vulnerabilities the company found and Ivanti patched in January. Bugs can be used by "an unauthenticated attacker to coerce the Ivanti EPM machine account credential to be used in relay attacks"
  • gbhackers.com: PoC Exploit Released for Ivanti EPM Vulnerabilities
  • gbhackers.com: GB Hackers Post on POC exploit for Ivanti vulnerabilities.

@ciso2ciso.com - 46d
A fake proof-of-concept (PoC) exploit, dubbed "LDAPNightmare," is targeting cybersecurity researchers by disguising itself as a fix for the critical Microsoft LDAP vulnerability CVE-2024-49113. The attackers created a malicious repository that mimics a legitimate one, containing a fake "poc.exe" file which, when executed, deploys information-stealing malware. This malicious code steals sensitive data from the infected machine, including computer information, running processes, network details, and installed updates, sending the stolen data to a remote server controlled by the attackers.

This sophisticated attack uses a multi-stage delivery process. The initial executable drops and runs a PowerShell script, which then downloads and executes another malicious script from Pastebin. The attackers chose the Windows Lightweight Directory Access Protocol (LDAP) denial-of-service vulnerability as their lure in an attempt to exfiltrate valuable data from researchers focused on mitigating security risks. Researchers are urged to verify repository authenticity, prioritize official sources, and check for any suspicious activity to avoid falling victim to this malware.

References:
  • ciso2ciso.com: Fake PoC Exploit Targets Cybersecurity Researchers with Malware – Source:hackread.com
  • hackread.com: Fake PoC Exploit Uses Microsoft Vulnerability to Target Cybersecurity Researchers with Malware
  • securityonline.info: Fake LDAPNightmare PoC Exploit Conceals Information-Stealing Malware
  • Latest from TechRadar: Security experts are being targeted with fake malware discoveries
  • Pyrzout :vm:: Fake PoC Exploit Targets Cybersecurity Researchers with Malware – Source:hackread.com
  • osint10x.com: Fake PoC Exploit Targets Cybersecurity Researchers with Malware