Insights

This vulnerability affects the terminal console functionality within the Fortigate admin panel. It exploits a weakness in the WebSockets implementation and allows an unauthenticated attacker to create administrative accounts on the Fortinet device. watchTowr have released a technical post breaking the vulnerability down.

ArcticWolf have observed a handful of exploitations of this vulnerability in early December, where an unauthenticated threat actor has created administrative accounts and changed device configurations. They have listed a number of IoC's which can help with identifying any malicious activity on devices. Fortinet have also released similar IoC's for this vulnerability.

Fortinet have released patching information and their own IoC's here.

Intruder Premium customers will be checked for this weakness today (Jan 16th) and notified if they are vulnerable.

CVE-2025-21298 allows attackers to execute code by sending a malicious RTF email. The exploit triggers when the email is opened or previewed in an unpatched Outlook client, requiring no user interaction beyond viewing the message. To mitigate the risk, apply Microsoft's patch immediately, or as a temporary measure, disable RTF reading and configure Outlook to display emails in plain text.

Buffer Overflows such as this one require an advanced skillset, and time and knowledge to exploit. In addition, the exploit must be specific to the version that is targeted (as noted by Google Mandiant).

The recommendation is to fix according to your usual critical patching schedule, but prioritise over other criticals as this vulnerability has been added to the KEV list. That said, due to the complexities with this vulnerability class, we don't expect widespread exploitation.

Patching information has been released by Ivanti. However, the recommendation to use the ICT scanner by Ivanti appears to be flawed as pointed out by Google Mandiant. To help with detecting compromises, they have released YARA rules for this vulnerability.

SafeBreach published a writeup on January 1st which exploits a denial of service condition and attributes it to this CVE, but the original researcher that reported this bug to Microsoft disagrees

Though the full PoC being published does mean that attacks are more likely, the exploit for CVE-2024-49112 is not yet in the public domain, and so only highly resourced attack groups are likely to be able to exploit the RCE

CVE-2024-50623 can be exploited by an unauthenticated attacker to gain remote code execution on affected Cleo servers. Widespread exploitation has been observed. The vendor's advisory page is available here.

John Hammond at Huntress has released a technical article regarding this vulnerability, including a list of IOC's from live attacks in the wild. Originally it was believed that this patch was insufficient in fixing this CVE, due to ongoing exploitation against patched hosts. However, it seems that there is a second unauthenticated remote code execution vulnerability which does not carry a CVE currently. Further details regarding this unknown CVE can be found here.

The vulnerabilities CVE-2024-0012 and CVE-2024-9474 can be combined to allow for an unauthenticated attacker to gain command line access to the vulnerable device. Compromising a vulnerable device would allow an attacker to gain access to internal networks as these devices are designed to sit on the edge of networks.

The vulnerability is due to a misconfigured Nginx instance and a command injection vulnerability, both of which are exploitable in the devices default state. Watchtowr have released a technical blog post detailing the vulnerability and its exploitation.

Palo Alto have released patches and hotfixes for the PAN-OS vulnerabilities, details are available here and here.

The vulnerabilities CVE-2024-0012 and CVE-2024-9474 can be combined to allow for an unauthenticated attacker to gain command line access to the vulnerable device. Compromising a vulnerable device would allow an attacker to gain access to internal networks as these devices are designed to sit on the edge of networks.

The vulnerability is due to a misconfigured Nginx instance and a command injection vulnerability, both of which are exploitable in the devices default state. Watchtowr have released a technical blog post detailing the vulnerability and its exploitation.

Palo Alto have released patches and hotfixes for the PAN-OS vulnerabilities, details are available here and here.

This is a wormable vulnerability that is very easy to exploit and we expect imminent and automated exploitation of this vulnerability.

As for the pre-requisites, for the exploit to work, at least one user of the application needs to have "Two Factor Authentication" (2FA) enabled within Really Simple Security. As soon as the 2FA feature is enabled, an unauthenticated attacker can make a request to the vulnerable function and WordPress will return a valid session token for the victim.

A partial proof of concept has been released which does not work out of the box. However, due to how simple this vulnerability is, it requires little effort to get it working.

Although the exploit targets functionality predominantly used by deprecated browser Internet Explorer, exploitation is also possible if Microsoft Edge allows opening pages in IE mode. In this mode, Microsoft Edge makes use of the vulnerable MSHTML platform, but only when group policy is specifically configured to allow it.

Watchtowr have released a technical article about this vulnerability and its discovery. The details within the article, and poc video call into question the official vulnerability information released by Citrix.

The exploit chain used by Watchtowr relies on sending a HTTP request to the MSMQ which the vulnerable software utilises. By default, MSMQ doesn't operate over HTTP. However, Citrix have enabled a feature which will allow any host to directly communicate to it via HTTP. With this information and the evidence laid out by Watchtowr, it is clear that this is an attack in which an unauthenticated attacker can exploit a vulnerable instance remotely. Thus, this CVSS score should be in the high 9's.

What isn't certain is if the discrepancy in vulnerability details is down to the triager at Citrix not fully understanding the exploit chain, or if it is more malicious whereby another vendor is attempting to downplay the severity of a vulnerability within their software.

Following the release of the proof of concept on the 12th of November 2024, the Shadowserver foundation have witnessed attempts at exploitation.

Exploiting this vulnerability requires the attacker to execute a Man-in-the-Middle (MITM) attack, which is unlikely to be exploitable against the average user.

For an instance of FortiManager to be exploitable by this vulnerability (FortiJump), the FGFM protocol (tcp/541 or tcp/542 if using IPv6) needs to be exposed to the internet, either by the FortiManager instance or a FortiGate device which is connected to a vulnerable FortiManager instance. This is because the FGFM protocol can allow access to FortiManager devices which are behind NAT if a FortiGate product is exposed to the internet and has FGFM enabled.

FGFM needs to be enabled, this is now disabled by default following the patch for CVE-2024-23113.

Mandiant have a comprehensive article on this weakness, its use in the wild by threat actors, IOCs and mitigation strategies. Watchtowr have released a second blog explaining the full technical details of this attack. In this post Watchtowr outline how the original mitigations did not fully patch systems against this vulnerability.

Intruder customers can use the attack surface view to find out if they have port tcp/541 exposed to the internet.

The original fix which the developers implemented for CVE-2024-5932 was insufficient and did not cover all form fields such as "Company Name" which is used when a donation is made on behalf of a company.

The previous fix has now been extended to cover all fields that are submitted by a donations form.

In practice, exploitation of this vulnerability is nuanced, and not all vulnerable versions are exploitable due to requiring certificates which can only be configured by an administrator. As such, and as per this full writeup, the real-world risk is likely lower than its CVSS score suggests.

Fedora, Ubuntu, and Debian are the systems most at risk from the bug. It's found in the GNU C Library (glibc) in the GNU system, which is found in most systems running the Linux kernel.

More information is available in our blog post here.

Log4j is a remote code execution vulnerability, in the popular log4j package, which is everywhere.

More information is available in our blog post here.

The vulnerability that caused mass speculation online was downgraded to High following a secondary review from those involved with the OpenSSL project. This was due to a handful of limitations and modern system protections, which, when combined significantly reduce the likelihood of real world exploitation.

More information is available in our blog post here.

The NetScaler suite of products includes load balancing, firewall and VPN services, so one possible impact is compromised remote access to your private networks. NetScaler responds to certain requests by dumping memory back to the sender, which can contain access tokens for logged in users. The exploit is as bad as whatever you’ve given access to remotely through your NetScaler system. And because they're logged in sessions, MFA won't protect you.

More information is available in our blog post here.

This vulnerability affects applications using the CSLA.NET framework. It allows an attacker to execute code on the server if they are also able to upload a file to the server to a known location, for example if the application allows users to upload images.

More information is available in our blog post here.

The vulnerability affects Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, as well as all older versions. For an application to be fully vulnerable to the currently (13/04/2020) known vectors, a number of pre-requisites are required for the application to be vulnerable.

More information is available in our blog post here.

This vulnerability affects Progress MOVEit servers utilising SFTP and allows attackers to log in as any user if they can successfully guess their username. Depending on how MOVEit is configured, this could be a trivial step.

More information is available in our blog post here.

This vulnerability affects curl if you use curl proxy-resolver mode via a SOCKS5 proxy, and there is a clear path for attackers to control which server curl is pointing at, e.g. with untrusted user inputs on a public application.

More information is available in our blog post here.

This vulnerability affects Check Point Security Gateways. Active exploitation has been identified, and public proof of concepts have also been released.

More information is available in our blog post here.

The serious vulnerability affects a number of Palo Alto GlobalProtect devices which utilize device analytics. Active exploitation of this vulnerability has been witnessed by a number of organizations.

More information is available in our blog post here.

The attack is believed to be a nation-state level attack, and only the rogue developer and groups with which the compromised key has been shared would be able to gain access. As such, it is not likely to be widely exploited.

More information is available in our blog post here.

This vulnerability affects OpenSSH and could allow an attacker to execute commands on an affected device. The vulnerability is highly complex and has limitations which is likely to prevent widespread exploitation.

More information is available in our blog post here.

Following Palo Alto's announcement of several vulnerabilities in their configuration generation tool Expedition, Horizon released a technical breakdown. In addition to this, watchTowr also released a proof of concept for CVE-2024-9463.

These vulnerabilities are trivial to exploit pose a significant risk to Expedition, whether you expose this to the internet or not.

While this software is not commonly exposed to the internet, a significant risk still remains where an attacker can access the device from the same network as Expedition.

Following Palo Alto's announcement of several vulnerabilities in their configuration generation tool Expedition, Horizon released a technical breakdown. In addition to this, watchTowr also released a proof of concept for CVE-2024-9463.

These vulnerabilities are trivial to exploit pose a significant risk to Expedition, whether you expose this to the internet or not.

While this software is not commonly exposed to the internet, a significant risk still remains where an attacker can access the device from the same network as Expedition.

Following Palo Alto's announcement of several vulnerabilities in their configuration generation tool Expedition, Horizon released a technical breakdown. In addition to this, watchTowr also released a proof of concept for CVE-2024-9463.

These vulnerabilities are trivial to exploit pose a significant risk to Expedition, whether you expose this to the internet or not.

While this software is not commonly exposed to the internet, a significant risk still remains where an attacker can access the device from the same network as Expedition.

Following Palo Alto's announcement of several vulnerabilities in their configuration generation tool Expedition, Horizon released a technical breakdown. In addition to this, watchTowr also released a proof of concept for CVE-2024-9463.

These vulnerabilities are trivial to exploit pose a significant risk to Expedition, whether you expose this to the internet or not.

While this software is not commonly exposed to the internet, a significant risk still remains where an attacker can access the device from the same network as Expedition.

Following Palo Alto's announcement of several vulnerabilities in their configuration generation tool Expedition, Horizon released a technical breakdown. In addition to this, watchTowr also released a proof of concept for CVE-2024-9463.

These vulnerabilities are trivial to exploit pose a significant risk to Expedition, whether you expose this to the internet or not.

While this software is not commonly exposed to the internet, a significant risk still remains where an attacker can access the device from the same network as Expedition.

CVE-2024-29824

Unauthenticated SQL Injection & RCE in Ivanti EPM 2022 SU5 and prior, allowing attackers to gain full control over the EPM host.

This vulnerability has been actively exploited in the wild, so we strongly recommend patching as soon as possible.

If exploited, an attacker could use the compromised Ivanti EPM host to move laterally across the network, potentially targeting other infrastructure.

For detailed information and patch instructions, refer to the advisory available here

CVE-2024-45409

Attackers could leverage this vulnerability against a GitLab instance to push compromised builds or malicious updates to end users, causing widespread impact across the organization's supply chain.

The Ruby-SAML library used in GitLab versions <= 12.2 and 1.13.0 to 1.16.0 fails to properly verify SAML signatures. This vulnerability (CVE-2024-45409) allows a remote unauthenticated attacker to forge SAML responses, enabling unauthorized access to arbitrary gitlab accounts.

A patch and mitigations to prevent exploitation are available here