Known Actively Exploited Vulnerabilities Round-up (17.01.25-23.01.25)

This article covers recent vulnerabilities found to be actively exploited. They are categorised not only by the type of exploitation, but also by their impact and the versions affected. The article also notes any official fix and remediation guidance for the listed vulnerabilities.

AppCheck presents our weekly roundup of critical vulnerabilities being actively exploited ‘in the wild’ by organised threat actors, during the week ending 24th January 2025. Organisations in both the public and private sectors can use the list each week as an input to their vulnerability management prioritisation framework: ‘Known Exploited Vulnerabilities’ are vulnerabilities that are confirmed as being actively used to target and exploit organisations around the globe within the last seven days. As such, they represent perhaps the greatest ongoing cybersecurity risk to businesses, and a very real and present threat. The vulnerabilities are often being exploited by highly organised criminal groups for direct financial gain, via techniques such as malware and ransomware installation. AppCheck summarises the details of each known ongoing exploitation below, but for full details – including impact, versions affected, and any remediation or mitigation guidance – check out AppCheck’s free ‘Detections Service’ at https://detections.appcheck-ng.com/ – you can click on the title of any of the exploitations below to see more information from this service.

 

Commentary and Roundup

This week: We’ve unearthed a bumper crop of exploitations for your collective delectation and delight this week! CISA have warned of the active exploitation of an XSS flaw in the jQuery JavaScript DOM-manipulation library. Elsewhere, a variety of third-party sources have provided details of a smorgasbord of ongoing malicious activity in the wild. Vendors with vulnerable products undergoing exploitation include household names such as Sophos and Huawei, as well as more niche products from companies including Repetier-Server, VICIdial and Craft. Most notably, this week has seen several reports of the massive-scale exploitation of a variety of router and firewall hardware from vendors including Four Faith, Cambium Networks and MikroTik to power botnet swarms.

 

CISA ‘Known Exploited Vulnerabilities’

CISA (America’s Cyber Defense Agency) maintains a catalogue of ‘KEV’s (Known Exploited Vulnerabilities), publishing alerts of known exploitations on an often-daily basis. Although intended primarily as advisories for US governmental and federal agencies, the list is openly published for the benefit of the wider cybersecurity community and network defenders, and to help every organisation better manage vulnerabilities to keep pace with a volatile and shifting threat landscape.

 

Insecurity? We’ve a Script For That! – Cross-Site Scripting (XSS) flaw in jQuery Under Active Exploitation (CVE-2020-11023)

The jQuery JavaScript library is thought to be used by nearly 80% of the 10 million most popular web applications in the world, so when reports surface of the active exploitation of this little bundle of cross-site scripting (XSS) joy, it’s worth taking the time to investigate. Despite the vulnerable library versions being long-since patched, the common tendency to leave library dependencies untouched for compatibility or stability reasons means that many web applications are still running vulnerable versions and hence remain open to exploit.

 

Elsewhere on the Web

Although CISA provides generally broad coverage of the highest-profile exploitations, it can sometimes lag behind the curve in the time it takes to first report emerging exploitations. It can also deliberately decline to publish some exploitations if it feels there is limited threat to US government and federal agencies, in line with its operational remit. AppCheck therefore uses numerous alternative threat intelligence sources to enrich its coverage of high-profile exploitations and 0-days reported elsewhere. AppCheck processes, and aims to prioritise, the addition of detection for known-exploited vulnerabilities highlighted in non-CISA sources in exactly the same way as for CISA-published ones.

 

Just Another Hole In the (Sonic) Wall – Enterprise Security Appliances Breached By Hackers in 0-Day Exploit (CVE-2025-23006)

A deserialization vulnerability in the AMC/CMC Consoles of multiple products in SonicWall’s enterprise-grade SMA 1000 series of appliances is undergoing exploitation in the wild. The weakness was initially detected by Microsoft’s Threat Intelligence team’s investigation of suspicious activity, and confirmed to be a previously-unknown ‘0-day’ vulnerability. The vendor has now rushed out a patch, and issued device hardening guidelines to provide additional mitigation for impacted customers.

 

No Faith In Four-Faith? – System-Time Shenanigans Leads to Router Botnet Conscription (CVE-2024-12856)

Following an initial ‘honey-pot’ catch in November 2024, attackers are known to be targeting a 0-day vulnerability in at least two models of industrial grade routers from vendor Four-Faith. Researchers are reporting that these attacks are continuing unabated through January 2025. With an estimated 15,000 internet-facing devices vulnerable, that’s a lot of potential devices up for grabs for botnet recruitment. In addition to the command execution flaw itself, the use of default credentials on the devices makes this one particularly easy to exploit. Several weeks on from initial report, there’s still no word from the vendor on any patches or fixes, further increasing the threat and making alternative mitigations the only option to reduce risk of exploitation.

 

Hot-World in Hot-Water – 3D Printing Company’s ‘Repetier-Server’ Solution Under Global Attack (CVE-2023-31059)

A brace of vulnerabilities in Repetier-Server (a 3D print management solution from Hot-World GmbH) have been getting hammered in the wild this week, according to the non-profit Shadowserver Foundation. Foremost among the reported flaws is a file inclusion via path traversal weakness that is being exploited to gain access to arbitrary files on host systems. It may seem odd that a 3D printing solution is exposed on the public internet, but the company markets the ‘remote access’ function as a class-leading advantage of the product.

 

Malware Deployment via Sophos Firewalls Leaves US Government Pointing Fingers (CVE-2020-12271)

The US government has recently unsealed details of charges brought against the hackers responsible for the massive scale exploitation of Sophos firewalls. The exploitation of the then-‘0-day’ SQL injection flaw in the operating system for Sophos Firewalls was responsible for the deployment of malware designed to extract password hashes. Somewhere in the region of 81,000 vulnerable firewalls were reportedly targeted, including several dozen reportedly in critical national infrastructure. The US Department of State has announced rewards of up to $10 million for information about multiple linked individuals who may be participating in cyber attacks against U.S. critical infrastructure entities under the direction of a foreign government.

 

“Does It Have Legs?” Attackers Play ‘Twenty Questions’ Parlor Game with VICIdial PBX Solution in Data Exfiltration Hack (CVE-2024-8503)

A timing-based SQL injection vulnerability in the VICIdial PBX telephony solution allows attackers to exfiltrate data via observable timing discrepancies in responses. By asking a series of ‘Yes/No’ questions and observing the server response time, it’s possible to tease out sensitive data, including administrative credentials, from the database one answer at a time. Researchers at Cyble have reported ongoing exploitations in the wild.
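The timing oracle described above leaves a recognisable footprint in web server access logs, which a defender can hunt for. The following is an added example (not code from AppCheck, Cyble or VICIdial): it groups requests by client and path and flags a client whose service times split into a fast cluster and a slow cluster, or whose query strings name a database delay function. The log lines, the `/agent/lookup.php` path and the 5-second delay are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access log (not from a real incident): combined log format
# with the request service time in seconds appended as the last field.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Jan/2025:10:00:01 +0000] "GET /agent/lookup.php?id=1 HTTP/1.1" 200 512 0.08
203.0.113.7 - - [21/Jan/2025:10:00:02 +0000] "GET /agent/lookup.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 5.09
203.0.113.7 - - [21/Jan/2025:10:00:08 +0000] "GET /agent/lookup.php?id=1%20AND%20IF(q1,SLEEP(5),0) HTTP/1.1" 200 512 5.11
203.0.113.7 - - [21/Jan/2025:10:00:14 +0000] "GET /agent/lookup.php?id=1%20AND%20IF(q2,SLEEP(5),0) HTTP/1.1" 200 512 0.07
203.0.113.7 - - [21/Jan/2025:10:00:15 +0000] "GET /agent/lookup.php?id=1%20AND%20IF(q3,SLEEP(5),0) HTTP/1.1" 200 512 5.10
198.51.100.4 - - [21/Jan/2025:10:00:20 +0000] "GET /agent/lookup.php?id=2 HTTP/1.1" 200 498 0.09
198.51.100.4 - - [21/Jan/2025:10:00:25 +0000] "GET /agent/lookup.php?id=3 HTTP/1.1" 200 501 0.08
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d+ \d+ (?P<secs>[\d.]+)$')
# Database delay primitives commonly seen in time-based probes (signature signal).
DELAY_RE = re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|waitfor\s+delay", re.I)

def parse(log_text):
    """Yield (client_ip, path, decoded_query, seconds) for each well-formed line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            path, _, query = m["target"].partition("?")
            yield m["ip"], path, unquote(query), float(m["secs"])

def detect(log_text, min_requests=4, delay_gap=2.0):
    """Return {(ip, path): finding} for clients whose service times split into a
    fast and a slow cluster at least delay_gap seconds apart (the 'no' and 'yes'
    answers of a timing oracle), or whose query strings name a delay function."""
    groups = defaultdict(list)
    for ip, path, query, secs in parse(log_text):
        groups[(ip, path)].append((query, secs))
    findings = {}
    for key, reqs in groups.items():
        times = sorted(t for _, t in reqs)
        keyword_hits = sum(1 for q, _ in reqs if DELAY_RE.search(q))
        bimodal = False
        if len(times) >= min_requests:
            # Baseline cluster around the fastest response, plus a tight slow cluster.
            slow = [t for t in times if t - times[0] >= delay_gap]
            bimodal = bool(slow) and (max(slow) - min(slow) < delay_gap)
        if bimodal or keyword_hits:
            findings[key] = {"requests": len(reqs), "bimodal_timing": bimodal,
                             "delay_keywords": keyword_hits}
    return findings

if __name__ == "__main__":
    for (ip, path), finding in detect(SAMPLE_LOG).items():
        print(f"{ip} -> {path}: {finding}")
```

The behavioural signal (two timing clusters) also catches probes that avoid the well-known delay keywords, so treat the keyword count as corroboration rather than the primary trigger.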

 

“Firewall The Firewall Behind Another Firewall” – Huawei Mitigation Guidance To Secure Vulnerable Devices Against Ongoing Exploitation (CVE-2017-17215)

A router from Huawei, which first found fame way back in 2017 for helping to spread the MIRAI botnet variant dubbed SATORI, is back in the news again this week. This time, the command injection flaw is being exploited to spread yet another MIRAI botnet variant, dubbed SATORI. The original exploitation was considered prolific and there are clear signs that there are still plenty of vulnerable routers out in the big wide world ripe for exploitation. No patch was ever released for this one, but we did have a chuckle at the suggested mitigation strategy from the vendor of putting the vulnerable firewall behind another firewall. Although presumably, that means a different model. Right?

 

Hijacking at 40,000 Feet – ‘cnPilot’ Routers Commandeered via 0-Day Exploit for Botnet DDoS Attacks (No CVE ID Yet)

Security researchers have found evidence of the emergence of an AISURU botnet variant known as AIRASHI, which has been exploiting a 0-day vulnerability in the cnPilot series of routers from Cambium Networks. The botnet looks to be widespread, with a reported command-and-control (C2) presence across 144 IPs distributed over 19 countries and 10 autonomous system numbers (ASNs). Once compromised, the devices are being used to spread further malware as well as to participate directly in DDoS attacks.

 

Tik… Tik… Boom! – MikroTik Routers Hacked To Spread Malware (No CVE ID Yet)

Researchers at Infoblox have recently published threat intelligence for the exploitation of a 0-day vulnerability in MikroTik routers. In this instance, a botnet thought to be in the order of 13,000 compromised devices is being used to conduct malware spam (‘malspam’) campaigns following the successful takeover of vulnerable routers. This isn’t the first time that MikroTik routers have found themselves in the service of evil botnet masters. Since no fix is available from the vendor at time of publication, the best advice at this point is to ensure that any potentially vulnerable devices are fully patched and account credentials updated and to increase monitoring of device logs for potential indications of compromise (IoCs).

 

Craft CMS Hacked via Unusual FTP-Based Remote File Inclusion Vulnerability (CVE-2024-56145)

Reports have come in of the ongoing, active exploitation of an unusual FTP-based remote file inclusion vulnerability in the popular content management system Craft CMS. Exploitation gives attackers the means to perform remote code execution, leading to the total compromise of any vulnerable web server. Over 150,000 websites are reportedly powered by this CMS and potentially vulnerable, so it is fortunate that a patch is already available to fix this flaw.

 

Next Update

To keep up to date with future high-profile advisories for critical ongoing exploitations that may threaten your technical estate, tune in next Friday for next week’s KEV roundup.

AppCheck now offers additional coverage of critical security updates from several key vendors too, including:

  • Our End-of-Month Roundups of critical patch updates for all CISCO Products – next due on 30th January 2025
  • Our Monthly Security Advisory Roundups for PALO ALTO NETWORKS – next due on 6th February 2025
  • Our monthly coverage of the ‘Patch Tuesday’ updates from MICROSOFT and several other major vendors – next due on 11th February 2025
  • Quarterly Roundups of Security Updates from IVANTI – next due on 3rd March 2025
  • Our quarterly coverage of the ‘Critical Patch Updates’ from ORACLE – next due on 15th April 2025

 

 

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
