Known Actively Exploited Vulnerabilities Round-up (06.12.24-12.12.24)

This article covers recent vulnerabilities found to be actively exploited. They are categorised not only by the type of exploitation but also by their impact and the versions affected. The article also gives any official fix and remediation guidance for the listed vulnerabilities.

AppCheck presents our weekly roundup of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending 13th December 2024. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: ‘Known Exploited Vulnerabilities’ are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe within the last seven days. As such, they represent perhaps the greatest ongoing cybersecurity risk to businesses, and a very real and present threat. The vulnerabilities are often being exploited by highly organised criminal groups for direct financial gain, via techniques such as malware and ransomware installation. AppCheck summarises the details of each known ongoing exploitation below, but for full details – including impact, versions affected, and any remediation or mitigation guidance – check out AppCheck’s free ‘Detections Service’ at https://detections.appcheck-ng.com/ – you can click on the title of any of the exploitations below to see more information from this service.


Commentary and Roundup

This week: Following the regularly scheduled patch drops from software behemoths Microsoft and Adobe, it will come as no surprise that both vendors have made it into our list this week, featuring reports of active exploitation across multiple products. This week features only a single bleeding-edge ‘0-day’ vulnerability from CISA; the remainder of the list is instead a motley collection of legacy vulnerabilities that continue to be exploited, often years after their initial discovery. This is further evidence, if any were needed, that these slightly long-in-the-tooth flaws can cause just as much mayhem as shiny new ones if they remain unaddressed. Elsewhere, security researchers from Huntress, ShadowServer and CheckPoint have delivered reports of flaws in products from Cleo, Ericsson and iBoss being actively targeted in the wild.


CISA ‘Known Exploited Vulnerabilities’

CISA (America’s Cyber Defense Agency) maintains a catalogue of ‘KEVs’ (Known Exploited Vulnerabilities), publishing alerts of known exploitations on an often-daily basis. Although intended primarily as advisories for US governmental and federal agencies, the list is openly published for the benefit of the wider cybersecurity community and network defenders, and to help every organisation better manage vulnerabilities and keep pace with a volatile and shifting threat landscape.
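As an added illustration (not AppCheck’s or CISA’s code), here is how a defender can use the KEV catalogue as the prioritisation input described above: it reads a feed in the shape of CISA’s published KEV JSON and ranks scanner findings so that KEV-listed CVEs come first, overdue ones ahead of the rest, and ransomware-linked ones ahead of those. The feed excerpt, its dates and ransomware flags are constructed sample data, and the findings list is hypothetical.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed; the dates and
# ransomware flags are sample values, not the catalogue's real entries.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-23397", "vendorProject": "Microsoft", "product": "Outlook",
     "dateAdded": "2023-03-14", "dueDate": "2023-04-04", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2022-24086", "vendorProject": "Adobe", "product": "Commerce/Magento",
     "dateAdded": "2022-02-15", "dueDate": "2022-03-01", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-49138", "vendorProject": "Microsoft", "product": "Windows CLFS",
     "dateAdded": "2024-12-10", "dueDate": "2024-12-31", "knownRansomwareCampaignUse": "Unknown"},
]})

# Hypothetical scanner output: one finding per host/CVE pair.
# "CVE-YYYY-NNNNN" is a placeholder for a CVE that is not in the catalogue.
FINDINGS = [
    {"host": "fileserver01", "cve": "CVE-2024-49138"},
    {"host": "app01", "cve": "CVE-YYYY-NNNNN"},
    {"host": "shop01", "cve": "CVE-2022-24086"},
    {"host": "mail01", "cve": "CVE-2023-23397"},
]


def load_kev(feed_text):
    """Index a KEV-format JSON document by CVE id."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def prioritise(findings, kev, today_iso):
    """Order findings for remediation: KEV-listed first, then those past
    CISA's dueDate, then known ransomware use; non-KEV findings go last."""
    today = date.fromisoformat(today_iso)

    def rank(finding):
        entry = kev.get(finding["cve"])
        if entry is None:
            return (1, 1, 1, finding["cve"])
        overdue = date.fromisoformat(entry["dueDate"]) < today
        ransomware = entry.get("knownRansomwareCampaignUse") == "Known"
        return (0, 0 if overdue else 1, 0 if ransomware else 1, finding["cve"])
    return sorted(findings, key=rank)


if __name__ == "__main__":
    for f in prioritise(FINDINGS, load_kev(KEV_FEED), "2024-12-12"):
        print(f["host"], f["cve"])
```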


A Bleak Outlook – Attackers Delight in Yet Another MS Outlook NTLM Capture-Replay Attack (CVE-2023-23397)

The Net-NTLMv2 (NT LAN Manager) hashes used for authentication in Windows domains are a frequent focus of attacker efforts. Due to a lack of cryptographic salting, the hashes are “password-equivalent”, meaning that they can essentially be submitted as credentials to other services if captured by attackers, leading to onward compromise of further systems. They have understandably therefore been the focus of a string of previous exploitations, joined this week by a specific flaw in Microsoft Outlook that Kaspersky has highlighted as one of its “Top 5” most exploited vulnerabilities observed over the last financial quarter.
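One defensive check that follows from this, as an added example rather than anything from the page: a domain workstation has no business initiating SMB (TCP 445/139) connections to the internet, and the hash capture described above relies on exactly that. The function below scans firewall-style egress log lines for SMB connections from internal ranges to addresses outside them; the log lines, addresses, line format and internal ranges are constructed for the example.

```python
import ipaddress
import re

# Constructed firewall-style egress log (not real traffic):
# "<timestamp> <action> tcp <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2024-12-10T09:14:02Z allow tcp 10.20.1.15:51234 -> 10.20.5.10:445
2024-12-10T09:14:07Z allow tcp 10.20.1.15:51240 -> 203.0.113.45:445
2024-12-10T09:14:08Z allow tcp 10.20.1.15:51241 -> 203.0.113.45:80
2024-12-10T09:15:30Z deny tcp 10.20.1.22:60001 -> 198.51.100.7:445
2024-12-10T09:16:01Z allow tcp 10.20.1.22:60010 -> 10.20.5.11:443
"""

LINE_RE = re.compile(r"^(\S+) (allow|deny) tcp (\S+):\d+ -> (\S+):(\d+)$")

# Ports on which a Windows client will answer an SMB server with NTLM authentication.
SMB_PORTS = {445, 139}

# The organisation's own address space (assumed to be RFC 1918 here); anything
# outside it is treated as external, so the documentation ranges used in the
# sample log count as external for this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_smb_egress(log_text):
    """Return (timestamp, src, dst, port, action) for every SMB connection from
    an internal host to an external address. Denied attempts are kept as well:
    the attempt itself shows that a host was coerced into authenticating."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, action, src, dst, port = m.groups()
        if int(port) in SMB_PORTS and is_internal(src) and not is_internal(dst):
            hits.append((ts, src, dst, int(port), action))
    return hits


if __name__ == "__main__":
    for hit in find_smb_egress(SAMPLE_LOG):
        print("outbound SMB to external host:", hit)
```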


Cashing In and Checking Out – Template Injection Flaw in Checkout Process of Adobe Commerce and Magento Under Attack (CVE-2022-24086)

The “Most Wanted” list of most common exploitations from CheckPoint Security includes a template injection vulnerability in both the free and paid versions of Adobe Commerce and Magento. Originally reported by CISA as under attack back in 2022, it is reportedly seeing a resurgence of interest from attackers this month. Worthy of note is that none of the affected products are currently supported, so whilst the patches or upgrades might protect against targeted exploitation of this particular vulnerability, moving to a more recent, supported release branch should be the advised course of action here, to protect against more recently discovered flaws too.


CFLS Sake! Privilege Escalation Vulnerability in Windows CLFS Driver Exploited In The Wild (CVE-2024-49138)

There are very few actual details for this one so far, with no word on the technical specifics or on the culprit responsible for the active exploitation warning, which Microsoft published as part of its December Patch Tuesday security updates.


Elsewhere on the Web

Although CISA provides generally broad coverage of the highest-profile exploitations, it can sometimes lag in time to initial report for emerging exploitations. It can also deliberately withhold some exploitations if it judges that there is limited threat to US government and federal agencies, in line with its operational remit. AppCheck therefore uses numerous alternative threat intelligence sources to enrich its coverage of high-profile exploitations and 0-days reported elsewhere. AppCheck processes known-exploited vulnerabilities highlighted in non-CISA sources, and aims to prioritise the addition of detections for them, in exactly the same way as for CISA-published ones.


‘Pharaoh-No! Not a Nile Upload Flaw!’ – Critical Vulnerability in ‘Cleo’ Products Exploited At Scale (CVE-2024-50623)

Third-party researchers Huntress have reported ongoing exploitation “en masse” of a critical file upload vulnerability in Cleo file transfer solutions. Attackers are exploiting an arbitrary-write primitive to gain full command line access. With file transfer solutions typically net-exposed and dual-legged, compromised hosts are already being used as a launchpad for further onward attacks against otherwise-screened services within corporate networks, such as AD services. With the vendor’s first patch attempt ineffective, this one is still a ‘0-day’, and alternative mitigations such as firewalling provide the only protection at this time.


“It’s Bork-Bork-Borked!” – Swedish Firm Ericsson’s ‘CodeChecker’ Targeted In Attacks Against UK-Based Organisations (CVE-2024-10081)

But who checks the code of the code-checkers? A critical authentication bypass vulnerability in the API endpoints of Ericsson’s ‘CodeChecker’ static analysis (SAST) solution is reported by the ShadowServer organisation to be under exploitation globally, with a particular focus on UK-based organisations. A fix is available from the vendor and customers are advised to patch urgently.


Exec-Level Code Execution – iBoss Secure Web Gateway XSS Exploited (CVE-2024-3378)

Researchers at CheckPoint Security highlighted this vulnerability this week on their “Most Wanted” list as having been widely exploited over the past 4 weeks. The vulnerability, which permits client-side execution of arbitrary code (‘XSS’), is the more pernicious “stored” or persistent variant, meaning that an attacker does not have to target individual users via means such as phishing. Instead, a single request is sufficient to store the malicious payload server-side, leaving any and all visitors to the affected site or service vulnerable to exploitation.


Next Update

To keep up to date with future high-profile advisories for critical ongoing exploitations that may threaten your technical estate, tune in next Friday for next week’s KEV roundup.

We now offer additional coverage of critical security updates from several key vendors too, including:

  • Our End-of-Month Roundups of critical patch updates for all CISCO Products – next due on 26th December 2024
  • Our Monthly Security Advisory Roundups for PALO ALTO NETWORKS – next due on 9th January 2025
  • Our monthly coverage of the ‘Patch Tuesday’ updates from MICROSOFT and several other major vendors – next due on 14th January 2025
  • Our quarterly coverage of the ‘Critical Patch Updates’ from ORACLE – next due on 21st January 2025
  • Our quarterly Roundups of Security Updates from IVANTI – next due on 3rd March 2025


About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network, and cloud infrastructure. AppCheck is authorised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
