Hackers are exploiting critical Apache Struts flaw using public PoC
Hackers are attempting to leverage a recently fixed critical vulnerability (CVE-2023-50164) in Apache Struts that leads to remote code execution, in attacks that rely on publicly available proof-of-concept exploit code.
Fake CVE-2023-40477 Proof of Concept Leads to VenomRAT
A phony proof-of-concept (PoC) code for CVE-2023-40477 delivered a payload of VenomRAT. We detail our findings, including an analysis of the malicious code.
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in SonicWall GMS, SonicWall Analytics enables an authe…
The vulnerability was assigned CVE-2023-32784. It should be fixed in KeePass 2.54, which should come out in ~July 2023. Thanks again to Dominik Reichl for his fast response and creative fix!
PoC exploit for recently patched Microsoft Word RCE is public (CVE-2023-21716)
A PoC exploit for CVE-2023-21716, a critical RCE vulnerability in Microsoft Word that can be exploited when the user previews a specially crafted RTF document, is now publicly available.
Assessing Potential Exploitation of Sophos Firewall and CVE-2022-3236
Sophos took immediate steps to remediate CVE-2022-3236 – an unauthenticated and remote code execution vulnerability affecting the Sophos Firewall Webadmin and User Portal HTTP interfaces – with an automated hotfix sent out in September 2022. Through its advisory published on September 23, 2022, it also alerted users who don't receive automatic hotfixes to apply the update themselves. The advisory stated the vulnerability had previously been used against "a small set of specific organizations, primarily in the South Asia region." In December, Sophos released v19.5 GA GA with an official fix. Key Takeaways * As there are no public proof-of-concept exploits for CVE-2022-3236, we created our own to determine its potential for mass exploitation. * We scanned internet-facing Sophos Firewalls and found more than 4,000 firewalls that were too old to receive a hotfix. * We encourage Sophos Firewall administrators to look through their logs to determine if they see indications of exploit attempts. Two files to focus on include /logs/csc.log and /log/validationError.log. * Internet-facing firewalls appear to largely be eligible for hotfixes and the default authentication captcha likely prevented mass exploitation.
PoC exploit for recently patched Microsoft Word RCE is public (CVE-2023-21716)
A PoC exploit for CVE-2023-21716, a critical RCE vulnerability in Microsoft Word that can be exploited when the user previews a specially crafted RTF document, is now publicly available.
Fortinet FortiNAC CVE-2022-39952 Deep-Dive and IOCs
Fortinet FortiNAC CVE-2022-39952 Deep-Dive and IOCs. This vulnerability allows remote code execution as the root user. (advisory https://www.fortiguard.com/psirt?date=02-2023)
Assessing Potential Exploitation of Sophos Firewall and CVE-2022-3236
Sophos took immediate steps to remediate CVE-2022-3236 – an unauthenticated and remote code execution vulnerability affecting the Sophos Firewall Webadmin and User Portal HTTP interfaces – with an automated hotfix sent out in September 2022. Through its advisory published on September 23, 2022, it also alerted users who don't receive automatic hotfixes to apply the update themselves. The advisory stated the vulnerability had previously been used against "a small set of specific organizations, primarily in the South Asia region." In December, Sophos released v19.5 GA GA with an official fix. Key Takeaways * As there are no public proof-of-concept exploits for CVE-2022-3236, we created our own to determine its potential for mass exploitation. * We scanned internet-facing Sophos Firewalls and found more than 4,000 firewalls that were too old to receive a hotfix. * We encourage Sophos Firewall administrators to look through their logs to determine if they see indications of exploit attempts. Two files to focus on include /logs/csc.log and /log/validationError.log. * Internet-facing firewalls appear to largely be eligible for hotfixes and the default authentication captcha likely prevented mass exploitation.