AppCheck presents our weekly roundup of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending 10th January 2025. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: ‘Known Exploited Vulnerabilities’ are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe within the last seven days. As such, they represent perhaps the greatest ongoing cybersecurity risk to businesses, and a very real and present threat. The vulnerabilities are often being exploited by highly organised criminal groups for direct financial gain, via techniques such as malware and ransomware installation. AppCheck summarises the details of each known ongoing exploitation below, but for full details – including impact, versions affected, and any remediation or mitigation guidance – check out AppCheck’s free ‘Detections Service’ at https://detections.appcheck-ng.com/ – you can click on the title of any of the exploitations below to see more information from this service.
This week: With another holiday season over and what sometimes feels like sleepwalking bleary-eyed into the new year, we’ve seen multiple critical vulnerabilities flagged by CISA, highlighting both legacy and bleeding-edge ‘0-day’ vulnerabilities being exploited across various platforms and services. The attacks range from exploits targeting ‘big name’ vendors such as Oracle, Ivanti, Palo Alto and Mitel, to renewed waves of exploitation targeting end-of-life (EoL) devices. Timely patching and proactive security measures remain paramount, as always.
CISA (America’s Cyber Defense Agency) maintains a catalogue of ‘KEV’s (Known Exploited Vulnerabilities), publishing alerts of known exploitations on an often-daily basis. Although intended primarily as advisories for US governmental and federal agencies, the list is openly published for the benefit of the wider cybersecurity community and network defenders, and to help every organisation better manage vulnerabilities to keep pace with a volatile and shifting threat landscape.
Does getting one of the first 2025 CVEs have the same cachet as being the first with a new car registration plate? Probably not, so Ivanti are likely not too happy to be back in the spotlight again this week, this time due to reports from CISA that the company’s VPN and NAC solutions are being targeted by attackers. The attacks are reported to be part of an organised malware campaign thought to be linked to Chinese nation-state actors. The company is scrambling to produce patches for the ‘0-day’ vulnerability, but only one of the three affected products has patches available at time of going to press.
The inclusion of a static cryptographic key in the USAHERDS application from Acclaim Systems has been causing “udder” destruction this week, according to an alert from CISA. The key, common to all installations, allows attackers to craft payloads that pass the application’s validation checks and are then executed on target hosts: anyone who extracts the key from their own copy of the software can produce ‘valid’ input for every other deployment. The software is relatively niche, but anyone running it is encouraged to moooooove quickly to get the released patches applied.
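To make the failure mode concrete, here is a small added illustration (written for this roundup, not code from USAHERDS or Acclaim Systems) of why a validation key baked into every install is worthless. The ‘bundle’ format, the `SHIPPED_STATIC_KEY` constant and the `Host` class are all constructed for the example; the point is that one forged, correctly MAC’d payload is accepted by every deployment sharing the key, while per-install random keys reject it without breaking legitimate use.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import List, Optional

# Constructed stand-in for a key compiled into every copy of an application.
# It is NOT any vendor's real key; any shipped constant behaves the same way.
SHIPPED_STATIC_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def sign_bundle(key: bytes, payload: dict) -> str:
    """Serialise a payload and append an HMAC-SHA256 tag.

    Hypothetical wire format used only in this example: base64(json) '.' base64(tag).
    """
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body).decode() + "." + base64.b64encode(tag).decode()


def verify_bundle(key: bytes, bundle: str) -> Optional[dict]:
    """Return the payload if the tag verifies under `key`, otherwise None."""
    try:
        body_b64, tag_b64 = bundle.split(".", 1)
        body = base64.b64decode(body_b64, validate=True)
        tag = base64.b64decode(tag_b64, validate=True)
    except ValueError:  # bad framing or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


class Host:
    """A deployment that only executes bundles whose tag verifies under its key."""

    def __init__(self, name: str, key: bytes) -> None:
        self.name = name
        self.key = key
        self.executed: List[str] = []

    def receive(self, bundle: str) -> bool:
        payload = verify_bundle(self.key, bundle)
        if payload is None:
            return False
        self.executed.append(payload["cmd"])  # would be the dangerous step in a real app
        return True


def attacker_forge(leaked_key: bytes, cmd: str) -> str:
    """The attacker signs their own payload with a key recovered from the software."""
    return sign_bundle(leaked_key, {"cmd": cmd})


def demo_shared_static_key() -> List[bool]:
    """Three installs share the shipped constant: one forged bundle works on all of them."""
    victims = [Host(f"site-{i}", SHIPPED_STATIC_KEY) for i in range(3)]
    forged = attacker_forge(SHIPPED_STATIC_KEY, "whoami")
    return [h.receive(forged) for h in victims]  # [True, True, True]


def demo_per_install_key() -> List[bool]:
    """Each install generates its own key at setup; the same forged bundle is rejected everywhere."""
    victims = [Host(f"site-{i}", os.urandom(32)) for i in range(3)]
    forged = attacker_forge(SHIPPED_STATIC_KEY, "whoami")
    return [h.receive(forged) for h in victims]  # [False, False, False]


def demo_legitimate_bundle_still_accepted() -> bool:
    """Per-install keys do not break the honest path: the key holder can still sign."""
    key = os.urandom(32)
    host = Host("site-legit", key)
    return host.receive(sign_bundle(key, {"cmd": "status"}))


def demo_tampered_body_rejected() -> bool:
    """Changing the body after signing fails verification even with the right key."""
    key = os.urandom(32)
    good = sign_bundle(key, {"cmd": "status"})
    body_b64, tag_b64 = good.split(".", 1)
    evil_body = base64.b64encode(json.dumps({"cmd": "rm -rf /"}).encode()).decode()
    return verify_bundle(key, evil_body + "." + tag_b64) is None


if __name__ == "__main__":
    print("shared static key  :", demo_shared_static_key())
    print("per-install keys   :", demo_per_install_key())
    print("legit still works  :", demo_legitimate_bundle_still_accepted())
    print("tampering rejected :", demo_tampered_body_rejected())
```

The remediation the example models is the one that matters for this class of bug: rotate to a key generated per deployment (or stored in a secrets store), because patching the code while leaving the old constant in place leaves every install forgeable by anyone who has the binary.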
A warning from CISA this week – and echoed by an advisory from the vendor – that attackers are sticking spokes in the wheels of Palo Alto firewalls, using DNS lookup packets that cause the firewalls to perform a soft reset and enter maintenance mode. With fail-closed operation, that means any and all screened services are also knocked offline until the firewalls can be manually reset. Patches are available for all impacted version streams now.
Another vintage offering for Oracle’s WebLogic Server from 2020 has found itself on CISA’s radar this week. This one allows for a complete compromise of vulnerable servers via remote code execution (RCE). There’s publicly available exploit code that dishes the dirt on how this one can be exploited, and attackers haven’t been reticent to jump on the opportunity. With patches available since as early as April 2020, it’s perhaps surprising to find that there are still vulnerable unpatched instances falling victim.
Following the breach of a single customer instance at the start of December, a review and forensic investigation by BeyondTrust found that many more customer instances had been compromised by attackers via a then-0-day (since patched) command injection vulnerability. Customers with on-premises deployments are advised to upgrade as soon as possible, and to check for any indicators of compromise (IoCs).
Two network video recorders (NVRs) from Nuuo are reported by CISA to be undergoing active exploitation via an endpoint that fails to require authentication for the bulk upload/import of user accounts. CISA has not released any further details of the specific exploitations that led to this advisory, however it is reasonable to assume, as is the case with similar devices, that the joint cybersecurity alert regarding the compromise of up to 260,000 Internet-connected devices in September 2024 is at the heart of these exploitations as well. There’s no shortage of publicly available exploit code for these, and both devices are considered End-of-Life (EoL).
A path traversal flaw in Mitel’s MiCollab solution has been observed being exploited by attackers as part of an exploit chain alongside a second vulnerability (CVE-2024-41713), which AppCheck have reported on previously. No fix is currently available at the time of writing, with the discoverer releasing PoC exploit code after the vendor took no action in the 100 days following the initial report.
To keep up to date with future high-profile advisories for critical ongoing exploitations that may threaten your technical estate, tune in next Friday for next week’s KEV roundup.
We now offer additional coverage of critical security updates from several key vendors too, including:
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).