Known Actively Exploited Vulnerabilities Round-up (10.01.25-16.01.25)

This article covers recent vulnerabilities found to be actively exploited. They are categorised based not only on the category of exploitation, but their impact, and versions affected. This article also informs on any official fix and remediation guidance for the listed vulnerabilities.

AppCheck presents our weekly roundup of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending 17th January 2025. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: ‘Known Exploited Vulnerabilities’ are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe within the last seven days. As such, they represent perhaps the greatest ongoing cybersecurity risk to businesses, and a very real and present threat. The vulnerabilities are often being exploited by highly organised criminal groups for direct financial gain, via techniques such as malware and ransomware installation. AppCheck summarises the details of each known ongoing exploitation below, but for full details – including impact, versions affected, and any remediation or mitigation guidance – check out AppCheck’s free ‘Detections Service’ at https://detections.appcheck-ng.com/. You can click on the title of any of the exploitations below to see more information from this service.

 

Commentary and Roundup

This week: Another bumper crop of active exploitations with multiple alerts from CISA for critical flaws including three zero-day vulnerabilities for Microsoft, together with attacks against products from Fortinet, Qlik Sense, BeyondTrust and newcomers Aviatrix. With a large selection of targets we’re seeing multiple compromise exposures including exploit chains, ransomware, and administrative takeovers. These are joined by security alerts revealing additional exploitation activities targeting products from GFI, Microsoft (again), Netgear and D-Link routers (again, again) delivering even more potential exposures ripe for the picking.

 

CISA ‘Known Exploited Vulnerabilities’

CISA (America’s Cyber Defense Agency) maintains a catalogue of ‘KEV’s (Known Exploited Vulnerabilities), publishing alerts of known exploitations on an often-daily basis. Although intended primarily as advisories for US governmental and federal agencies, the list is openly published for the benefit of the wider cybersecurity community and network defenders, and to help every organisation better manage vulnerabilities to keep pace with a volatile and shifting threat landscape.
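As an added illustration of using the catalogue as a prioritisation input (example code written for this page, not AppCheck’s tooling or CISA’s): it parses a feed laid out like the published CISA KEV JSON (a `vulnerabilities` array with `cveID`, `dateAdded`, `dueDate` and `knownRansomwareCampaignUse` fields) and ranks the CVEs found on an asset inventory by overdue status, known ransomware use and whether the entry was added within the last seven days. The feed entries, dates, ransomware flags, asset names and the `CVE-2024-99999` placeholder are constructed samples; only the other CVE IDs come from this roundup.

```python
"""Rank scanner findings against a CISA KEV feed snapshot.

Added example for this roundup; not AppCheck code. Feed layout follows the
public KEV JSON, but the records below are constructed samples with
placeholder dates and flags.
"""
import json
from datetime import date, timedelta

# Constructed sample snapshot in the shape of the CISA KEV JSON feed.
# Dates, products and ransomware flags are placeholders for illustration.
KEV_SNAPSHOT = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2025-21333", "vendorProject": "Microsoft", "product": "Windows Hyper-V",
         "dateAdded": "2025-01-14", "dueDate": "2025-02-04", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-55591", "vendorProject": "Fortinet", "product": "FortiOS/FortiProxy",
         "dateAdded": "2025-01-14", "dueDate": "2025-01-21", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-48365", "vendorProject": "Qlik", "product": "Qlik Sense",
         "dateAdded": "2025-01-13", "dueDate": "2025-02-03", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-12686", "vendorProject": "BeyondTrust", "product": "PRA/RS",
         "dateAdded": "2025-01-13", "dueDate": "2025-02-03", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-50603", "vendorProject": "Aviatrix", "product": "Controller",
         "dateAdded": "2025-01-16", "dueDate": "2025-02-06", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-41265", "vendorProject": "Qlik", "product": "Qlik Sense",
         "dateAdded": "2023-12-07", "dueDate": "2023-12-28", "knownRansomwareCampaignUse": "Known"},
    ]
})

# Constructed asset inventory: asset name -> CVE IDs reported by a scanner.
# CVE-2024-99999 is a placeholder for a finding that is NOT in the KEV feed.
ASSET_FINDINGS = {
    "hv-host-01": ["CVE-2025-21333", "CVE-2024-99999"],
    "fw-edge-02": ["CVE-2024-55591"],
    "bi-server-03": ["CVE-2023-41265", "CVE-2023-48365"],
}


def load_kev(feed_json):
    """Index a KEV feed (real download or snapshot) by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def prioritise(asset_findings, kev, today, window_days=7):
    """Return findings present in KEV, most urgent first.

    Ordering: past the KEV due date, then known ransomware use, then
    added within the last `window_days`, then earliest due date.
    Findings not in the catalogue are dropped (they go to the normal queue).
    """
    rows = []
    for asset, cves in asset_findings.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            added = date.fromisoformat(entry["dateAdded"])
            rows.append({
                "asset": asset,
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "overdue": due < today,
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                "new": today - added <= timedelta(days=window_days),
                "due": due,
            })
    rows.sort(key=lambda r: (not r["overdue"], not r["ransomware"], not r["new"], r["due"]))
    return rows


def main():
    today = date(2025, 1, 17)  # end of the roundup week
    for r in prioritise(ASSET_FINDINGS, load_kev(KEV_SNAPSHOT), today):
        flags = " ".join(f for f in ("OVERDUE" if r["overdue"] else "",
                                     "RANSOMWARE" if r["ransomware"] else "",
                                     "NEW" if r["new"] else "") if f)
        print(f'{r["asset"]:12} {r["cve"]:16} due {r["due"]}  {flags}')


if __name__ == "__main__":
    main()
```

Swap `KEV_SNAPSHOT` for the downloaded catalogue and `ASSET_FINDINGS` for your scanner export; the sort key is the only policy, so an organisation that weights ransomware use above overdue status need only reorder the tuple.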

 

January Sale! Three For The Price Of One With Microsoft’s Hyper-V Exploitations (CVE-2025-21333, CVE-2025-21334, CVE-2025-21333)

Released by CISA in conjunction with Microsoft’s regular ‘Patch Tuesday’ monthly security update bundle, this week sees the active exploitation of three separate ‘0-day’ vulnerabilities reported, all in the Hyper-V virtualization platform. All three flaws allow for privilege escalation for local authenticated users, so the exploitation activity is likely to involve post-compromise activity where attackers have already gained initial footholds on target systems as part of an exploit chain involving unrelated vulnerabilities.

 

Credentials Are For Wimps! – Fortinet Devices Hand Over Super-Admin Privileges To Attackers If They Ask Nicely, No Auth Needed (CVE-2024-55591)

A critical vulnerability in Fortinet’s FortiOS and FortiProxy allows remote attackers to spoof their origin in requests to a WebSocket endpoint which allows them to make administrative changes as if they were parked at a trusted local console. No authentication needed, go nuts. Reportedly exploited in the wild since November 2024, the vendor has only released a fix within the last 48 hours… as well as indicators of compromise for those for whom patching may be too late.

 

A Thorny Issue – Qlik Pricked Again in Cactus Ransomware Attacks, Round Two (CVE-2023-48365)

A previous HTTP message-splitting vulnerability in Qlik’s ‘Qlik Sense’ business intelligence platform (CVE-2023-41265) was already the subject of a CISA exploitation alert back in December 2023. However, the vendor’s “fix” transpired to not be quite as fix-y as customers may have hoped, and the same threat actors have been joyfully conducting a variant of the same attack again. Exploitation has involved the encryption of data from over 100 businesses – rich pickings given the software is a data analysis and business intelligence platform – in targeted ransomware attacks by the ‘Cactus’ group.

 

BeyondTrust BeyondExploited (Again) – The Compromise of BeyondTrust PRA and RS Instances Continues (CVE-2024-12686)

Another explosive sequel released by CISA arrives courtesy of this OS command injection vulnerability in multiple BeyondTrust products. Thought to be post-exploitation activity following the exploitation of an earlier vulnerability (CVE-2024-12356), it has now been suggested that these two related exploitations are the work of state-sponsored threat actor “Silk Typhoon”. Customers are being advised to upgrade as soon as possible, and to check for any indicators of compromise (IoCs) at the earliest opportunity.

 

“Sir, We’ve Lost Control Of The Controller” – Aviatrix Controller Instances Sequestered By Attackers (CVE-2024-50603)

Not perhaps a household name yet in all quarters, but Aviatrix’s Controller solution has made strong inroads in the cloud networking space. It has had a relatively unblemished history, with only one prior CISA advisory back in 2021, but has hit the headlines this week after attackers were found to be taking advantage of an OS Command Injection vulnerability in one of the product’s APIs in order to compromise a number of customer instances.

 

Elsewhere on the Web

Although CISA provides generally broad coverage of the highest-profile exploitations, its time to initial report can sometimes lag behind other sources for emerging exploitations. It can also sometimes deliberately not publish some exploitations if it feels that there is limited threat to US government and federal agencies, due to its operational remit. AppCheck therefore uses numerous alternate threat intelligence sources to enrich its coverage of high-profile exploitations and 0-days reported elsewhere. AppCheck processes known-exploited vulnerabilities highlighted in non-CISA sources in exactly the same way as CISA-published ones, and aims to prioritise the addition of detections for them.

 

Initialism Extravaganza – Attackers Compromise GFI’s ‘KerioControl’ Security Platform via XSS, CRLF, and CSRF (CVE-2024-52875)

A complex chain of linked vulnerabilities in GFI’s firewall/Unified Threat Management (UTM) solution is being exploited by attackers in the wild to achieve complete compromise of vulnerable devices. The exploitation requires victims to fall for a traditional XSS attack, but exploits CRLF and CSRF vulnerabilities to allow a single-click by a victim to deliver full remote code execution (RCE) capabilities to attackers.

 

Sounds like an LDAPNightmare! – Crashing Headaches for Unpatched Microsoft Windows Systems (CVE-2024-49113)

Following the publication of Proof-of-Concept (PoC) exploit code earlier this month, reports are now circulating that a flaw in Microsoft’s LDAP service, dubbed ‘LDAPNightmare’, is undergoing active exploitation. It has also been suggested that this could be the springboard to exploitation of a remote code execution (RCE) flaw in the same service (CVE-2024-49112). In something of a twist to the usual story, however, there are also reports that malware is being circulated which purports to be the exploit code for this vulnerability, but in reality has been designed to steal information from the victim.

 

Remote Command Execution? Sir, yes, sir! Netgear Routers Latest Recruits for Botnet Armies (CVE-2024-12847)

A schoolboy error in Netgear router access control logic, combined with a seemingly-deliberate ability to execute arbitrary commands via GET request (what could possibly go wrong?) must have attackers rubbing their hands with glee. Despite a 2024 CVE ID assignment, sources have indicated that some of the devices in question may have been exploited potentially since as early as 2017. A fix is available, but with the devices sunsetted by the vendor, replacement is the cannier option.

 

Tasty End-Of-Service Temptations – D-Link Flaw Opens The Door For Exploitation By Multiple Botnets (CVE-2024-33112)

Reports indicate that both the FICORA and CAPSAICIN botnets are targeting an unpatched flaw in D-Link Wi-Fi routers in order to spread themselves across the globe. These nasty bots are capable of everything from deploying malware and executing malicious commands to launching denial-of-service (DoS) attacks. There’s no patch for this one, since the product is considered end-of-life (EoL), and D-Link have warned users to stop using these older models.

 


 

Next Update

To keep up to date with future high-profile advisories for critical ongoing exploitations that may threaten your technical estate, tune in next Friday for next week’s KEV roundup.

We now offer additional coverage of critical security updates from several key vendors too, including:

  • Our quarterly coverage of the ‘Critical Patch Updates’ from ORACLE – next due on 21st January 2025
  • Our End-of-Month Roundups of critical patch updates for all CISCO Products – next due on 30th January 2025
  • Our Monthly Security Advisory Roundups for PALO ALTO NETWORKS – next due on 6th February 2025
  • Our monthly coverage of the ‘Patch Tuesday’ updates from MICROSOFT and several other major vendors – next due on 11th February 2025
  • Quarterly Roundups of Security Updates from IVANTI – next due on 3rd March 2025

 

 

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).

 
