CVE-2018-7600
Published 2018-03-29
CVE-2018-7600: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue…
Priority: P1 · 100 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 99.99% (100.0th percentile)
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
Affected (18 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| drupal | core | >= 7.0 < 7.58 | 7.58 |
| drupal | core | >= 8.0 < 8.3.9 | 8.3.9 |
| drupal | core | >= 8.0.0 < 8.3.9 | 8.3.9 |
| drupal | core | >= 8.4.0 < 8.4.6 | 8.4.6 |
| drupal | core | >= 8.5.0 < 8.5.1 | 8.5.1 |
| drupal | drupal | <= 7.57 | — |
| drupal | drupal | — | — |
| drupal | drupal | >= 7.0 < 7.58 | 7.58 |
| drupal | drupal | >= 8.0 < 8.3.9 | 8.3.9 |
| drupal | drupal | >= 8.0.0 < 8.3.9 | 8.3.9 |
| drupal | drupal | >= 8.4 < 8.4.6 | 8.4.6 |
| drupal | drupal | >= 8.4.0 < 8.4.6 | 8.4.6 |
| drupal | drupal | >= 8.5 < 8.5.1 | 8.5.1 |
| drupal | drupal | >= 8.5.0 < 8.5.1 | 8.5.1 |
| drupal | drupal_core | — | — |
Detection & IOCs (extracted from sources)
- Inspect POST body (both application/x-www-form-urlencoded and multipart/form-data) for the presence of '#post_render', '#pre_render', '#access_callback', or '#lazy_builder' keys, which are the four exploitable Form API functions.
- Initial PoC exploited the mail[] array with #post_render calling PHP exec(). Screen HTTP requests to /user/register for mail[] parameters containing PHP function names (exec, system, passthru, eval, shell_exec, etc.).
- A second PoC targets the timezone form field using #lazy_builder; the server returns HTTP 500 even on successful exploitation, so do not rely on the HTTP response code to determine exploitation success.
- Drupal 7.x exploitation via /user/password requires two sequential HTTP requests and targets the _triggering_element_name form field. Correlate pairs of requests to this endpoint.
- Screen for dangerous PHP functions in request parameters: exec, system, passthru, eval, shell_exec, popen, pcntl_exec, preg_replace, create_function, proc_open, assert, include, require, include_once, require_once, and the backtick operator.
- Palo Alto Networks Threat Prevention Signature 40627 identifies HTTP requests containing the CVE-2018-7600 exploit code.
- Wild exploit payloads use wget, curl, and second-stage download mechanisms. Alert on outbound wget/curl calls originating from the web server process after requests to /user/register or /user/password.
- The /user/register exploit path is effective against Drupal 8.x by default. Drupal 7.x requires a different endpoint (/user/password) due to differing default configurations.
- The vulnerability affects default and common module configurations across multiple Drupal subsystems, not just a single optional module, making virtually all default Drupal deployments vulnerable.
- No authentication is required to exploit this vulnerability; anonymous users can trigger RCE simply by visiting an affected endpoint.
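The request-inspection guidance above, as an added example (not code from this page or from any of the cited sources): a Python inspector that parses a raw HTTP request, pulls form parameters out of the query string, urlencoded bodies and multipart/form-data bodies, and flags the four Form API property keys whether the '#' arrives literal, as %23 or double-encoded as %2523, plus the PHP sink names on the registration and password-reset forms and the 7.x _triggering_element_name pairing. The sample requests are constructed; the host and multipart boundary are placeholders.

```python
"""Detect Drupalgeddon2 (CVE-2018-7600) Form API property injection in raw HTTP requests.

Added example, not code from the page or the cited sources. Sample requests are constructed.
"""
import re
from urllib.parse import parse_qsl, unquote

# The four Form API render properties named in the detection guidance above.
RENDER_PROPS = ("access_callback", "pre_render", "post_render", "lazy_builder")
# A '#' may arrive literal, URL-encoded (%23) or double-encoded (%2523); the
# Suricata rules on this page allow for the same three spellings.
PROP_RE = re.compile(r"(?:%(?:25)?23|#)\s*(" + "|".join(RENDER_PROPS) + r")", re.I)
# PHP execution sinks from the detection guidance (low confidence on their own,
# so they are only reported on the form routes the public exploits use).
PHP_SINKS = ("exec", "system", "passthru", "eval", "shell_exec", "popen", "pcntl_exec",
             "preg_replace", "create_function", "proc_open", "assert",
             "include", "require", "include_once", "require_once")
SINK_RE = re.compile(r"\b(" + "|".join(PHP_SINKS) + r")\b", re.I)
# Form routes the public exploits target (8.x registration, 7.x password reset).
FORM_ENDPOINTS = ("user/register", "user/password")


def split_request(raw):
    """Parse a raw HTTP request into (method, uri, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def body_pairs(headers, body):
    """Yield (name, value) pairs from a urlencoded or multipart/form-data body."""
    ctype = headers.get("content-type", "")
    if ctype.startswith("multipart/form-data"):
        m = re.search(r"boundary=([^;]+)", ctype)
        if not m:
            return
        for part in body.split("--" + m.group(1).strip().strip('"')):
            part_head, _, part_body = part.partition("\r\n\r\n")
            name = re.search(r'name="([^"]*)"', part_head)
            if name:
                yield name.group(1), part_body.rstrip("\r\n")
    else:
        # keep_blank_values: a bare "mail[#post_render][]=" key must still be seen
        yield from parse_qsl(body, keep_blank_values=True)


def inspect_request(raw):
    """Return (indicator, detail) findings for one request; an empty list means clean."""
    _method, uri, headers, body = split_request(raw)
    query = uri.partition("?")[2]
    # The 7.x form can be addressed as ?q=user/password, so test the decoded URI
    # as a whole rather than only its path component.
    on_form = any(ep in unquote(uri) for ep in FORM_ENDPOINTS)
    # Injected keys may ride in the query string (7.x GET form) or in the body (POST).
    candidates = list(parse_qsl(query, keep_blank_values=True)) + list(body_pairs(headers, body))
    findings = []
    for name, value in candidates:
        m = PROP_RE.search(unquote(name))
        if m:
            findings.append(("form_api_property_injection", f"{name} -> #{m.group(1).lower()}"))
        if on_form and SINK_RE.search(value):
            findings.append(("php_sink_in_parameter", f"{name}={value[:40]}"))
    # 7.x password-reset exploitation pairs the injected key with _triggering_element_name.
    if findings and any(n == "_triggering_element_name" for n, _ in candidates):
        findings.append(("drupal7_triggering_element", "_triggering_element_name present"))
    return findings


# Constructed sample requests (illustrative, not captured traffic); host and boundary are placeholders.
CRLF = "\r\n"
BENIGN = (
    "POST /user/register HTTP/1.1" + CRLF + "Host: www.example.com" + CRLF
    + "Content-Type: application/x-www-form-urlencoded" + CRLF + CRLF
    + "mail=alice%40example.com&name=alice&form_id=user_register_form"
)
URLENCODED_HIT = (
    "POST /user/register HTTP/1.1" + CRLF + "Host: www.example.com" + CRLF
    + "Content-Type: application/x-www-form-urlencoded" + CRLF + CRLF
    + "form_id=user_register_form&mail%5B%23post_render%5D%5B%5D=exec"
)
MULTIPART_HIT = (
    "POST /user/register HTTP/1.1" + CRLF + "Host: www.example.com" + CRLF
    + "Content-Type: multipart/form-data; boundary=----xyz" + CRLF + CRLF
    + "------xyz" + CRLF
    + 'Content-Disposition: form-data; name="timezone[#lazy_builder][]"' + CRLF + CRLF
    + "exec" + CRLF + "------xyz--" + CRLF
)
DRUPAL7_HIT = (
    "POST /?q=user/password HTTP/1.1" + CRLF + "Host: www.example.com" + CRLF
    + "Content-Type: application/x-www-form-urlencoded" + CRLF + CRLF
    + "_triggering_element_name=name&name%5B%2523post_render%5D%5B%5D=passthru&form_id=user_pass"
)
```

Run `inspect_request()` over each sample; the benign registration yields no findings, the three others each report the injected property key, and the 7.x request additionally reports the _triggering_element_name pairing.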
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 3.5 | LOW | — |
CISA
Drupal Core Remote Code Execution Vulnerability
cisa·2021-11-03·CVSS 9.8
CVE-2018-7600 [CRITICAL] CWE-20 Drupal Core Remote Code Execution Vulnerability
Vulnerability: Drupal Core Remote Code Execution Vulnerability
Affected: Drupal Drupal Core
Drupal Core contains a remote code execution vulnerability that could allow an attacker to exploit multiple attack vectors on a Drupal site, resulting in complete site compromise.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-7600
Remediation Due Date: 2022-05-03
Ubuntu
Drupal vulnerabilities
vendor_ubuntu·2021-03-15·CVSS 3.5
CVE-2018-7600 [LOW] Drupal vulnerabilities
Title: Drupal vulnerabilities
Summary: Several security issues were fixed in Drupal.
It was discovered that Drupal did not properly process certain input. An attacker could use this vulnerability to execute arbitrary code or completely compromise a Drupal site. (CVE-2018-7600, CVE-2018-7602)
It was discovered that password reset URLs in Drupal could be forged. An attacker could use this vulnerability to gain access to another user's account. This issue affected only Ubuntu 14.04 ESM. (CVE-2015-2559)
It was discovered that Drupal did not properly protect against open redirects. An attacker could use this vulnerability to send unsuspecting users to 3rd party sites and potentially carry out phishing attacks. This issue affected only Ubuntu 14.04 ESM. (CVE-2015-2749, CVE-2015-2750)
Instru
Drupal
Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002
vendor_drupal·2018-03-28
CVE-2018-7600 [CRITICAL] Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002
Title: Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002
Vulnerability Type: Remote Code Execution
Description: A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised. The security team has written an FAQ about this issue. Edited 2020, February 13 to fix links to patch files.
Solution: Upgrade to the most recent version of Drupal 7 or 8 core. If you are running 7.x, upgrade to Drupal 7.58. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.) If you are running 8.5.x, upgrade t
Drupal
Drupal 7 and 8 core highly critical release on March 28th, 2018 - PSA-2018-001
vendor_drupal·2018-03-21
CVE-2018-7600 [CRITICAL] Drupal 7 and 8 core highly critical release on March 28th, 2018 - PSA-2018-001
Title: Drupal 7 and 8 core highly critical release on March 28th, 2018 - PSA-2018-001
Vulnerability Type: Drupal 7 and 8 core highly critical release on March 28th, 2018
Description: Advisory ID: DRUPAL-PSA-2018-001. Project: Drupal Core. Version: 7.x, 8.x. Date: 2018-March-21. There will be a security release of Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x on March 28th 2018 between 18:00 - 19:30 UTC, one week from the publication of this document, that will fix a highly critical security vulnerability. The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days. Security release announcements will appear on the Drupal.org security advisory page. While Drupal 8.3.x and 8.4.x are no longer supported and we don
GHSA
Drupal Core Remote Code Execution Vulnerability
ghsa·2022-05-14
CVE-2018-7600 [CRITICAL] CWE-20 Drupal Core Remote Code Execution Vulnerability
Drupal Core Remote Code Execution Vulnerability
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
OSV
Drupal Core Remote Code Execution Vulnerability
osv·2022-05-14
CVE-2018-7600 [CRITICAL] Drupal Core Remote Code Execution Vulnerability
Drupal Core Remote Code Execution Vulnerability
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
OSV
drupal7 vulnerabilities
osv·2021-03-15·CVSS 3.5
CVE-2018-7600 [LOW] drupal7 vulnerabilities
drupal7 vulnerabilities
It was discovered that Drupal did not properly process certain input. An attacker could use this vulnerability to execute arbitrary code or completely compromise a Drupal site. (CVE-2018-7600, CVE-2018-7602)
It was discovered that password reset URLs in Drupal could be forged. An attacker could use this vulnerability to gain access to another user's account. This issue affected only Ubuntu 14.04 ESM. (CVE-2015-2559)
It was discovered that Drupal did not properly protect against open redirects. An attacker could use this vulnerability to send unsuspecting users to 3rd party sites and potentially carry out phishing attacks. This issue affected only Ubuntu 14.04 ESM. (CVE-2015-2749, CVE-2015-2750)
OSV
CVE-2018-7600: Drupal before 7
osv·2018-03-29·CVSS 9.8
CVE-2018-7600 [CRITICAL] CVE-2018-7600: Drupal before 7
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
OSV
CVE-2018-7600: A remote code execution vulnerability exists within multiple subsystems of Drupal 7
osv·2018-03-28
CVE-2018-7600 CVE-2018-7600: A remote code execution vulnerability exists within multiple subsystems of Drupal 7
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.
The security team has written an [FAQ](https://groups.drupal.org/security/faq-2018-002) about this issue.
*Edited 2020, February 13 to fix links to patch files.*
VulnCheck
Drupal Core Remote Code Execution Vulnerability
vulncheck·2018·CVSS 9.8
CVE-2018-7600 [CRITICAL] CWE-20 Drupal Core Remote Code Execution Vulnerability
Drupal Core Remote Code Execution Vulnerability
Drupal Core contains a remote code execution vulnerability that could allow an attacker to exploit multiple attack vectors on a Drupal site, resulting in complete site compromise.
Affected: Drupal Drupal Core
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://blog.netlab.360.com/botnet-muhstik-is-actively-exploiting-drupal-cve-2018-7600-in-a-worm-style-en/; https://cert.gov.ua/article/2725; https://blog.talosintelligence.com/2019/04/seaturtle.html; https://www.alibabacloud.com/blog/8220-mining-group-now-uses-rootkit-to-hide-its-miners_595055; https://www.f5.com/labs/articles/threat-intelligence/vulnerabilities--exploits--and-malware-driving-attack-campaigns-in-jul
VulnCheck
Oracle Corporation WebLogic Server Remote Code Execution Vulnerability
vulncheck·2017·CVSS 7.5
CVE-2017-10271 [HIGH] Oracle Corporation WebLogic Server Remote Code Execution Vulnerability
Oracle Corporation WebLogic Server Remote Code Execution Vulnerability
Oracle Corporation WebLogic Server contains a vulnerability that allows for remote code execution.
Affected: Oracle WebLogic Server
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/; https://blog.netlab.360.com/botnet-muhstik-is-actively-exploiting-drupal-cve-2018-7600-in-a-worm-style-en/; https://isc.sans.edu/diary/Criminals+Dont+Read+Instructions+or+Use+Strong+Passwords/23850; https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html; https://www.lacework.com/blog/elf-of-the-month-new-lucky-ransomware-sample
Suricata
ET WEB_SPECIFIC_APPS [eSentire] Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE Through Registration Form (CVE-2018-7600)
suricata·2018-07-10·CVSS 9.8
CVE-2018-7600 [CRITICAL] ET WEB_SPECIFIC_APPS [eSentire] Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE Through Registration Form (CVE-2018-7600)
ET WEB_SPECIFIC_APPS [eSentire] Drupalgeddon2 $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS [eSentire] Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE Through Registration Form (CVE-2018-7600)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"user/password&name"; nocase; fast_pattern; content:"markup|5d 3d|"; nocase; distance:0; pcre:"/^\[(?:%(?:25)?23|#)\s*(?:access_callback|pre_render|post_render|lazy_builder)/Ri"; reference:cve,2018-7600; reference:url,research.checkpoint.com/uncovering-drupalgeddon-2; classtype:attempted-admin; sid:2025646; rev:2; metadata:affected_product Drupal_Server, attack_target Client_Endpoint, created_at 2018_07_10, deployment Perimeter, performance_impact Moderate, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2020_08_25;
Suricata
ET WEB_SPECIFIC_APPS Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE Through Registration Form (CVE-2018-7600)
suricata·2018-04-26·CVSS 9.8
CVE-2018-7600 [CRITICAL] ET WEB_SPECIFIC_APPS Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE Through Registration Form (CVE-2018-7600)
ET WEB_SPECIFIC_APPS Drupalgeddon2 $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE Through Registration Form (CVE-2018-7600)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"user/password"; pcre:"/(?:%(?:25)?23|#)\s*(access_callback|pre_render|post_render|lazy_builder)/"; http.request_body; content:"_triggering_element_name"; reference:cve,2018-7600; reference:url,research.checkpoint.com/uncovering-drupalgeddon-2; classtype:attempted-admin; sid:2025534; rev:3; metadata:affected_product Drupal_Server, attack_target Web_Server, created_at 2018_04_26, deployment Datacenter, confidence High, signature_severity Minor, tag drupalgeddon, tag CISA_KEV, updated_at 2020_08_25;)
Suricata
ET WEB_SPECIFIC_APPS [PT OPEN] Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE Through Registration Form (CVE-2018-7600)
suricata·2018-04-13·CVSS 9.8
CVE-2018-7600 [CRITICAL] ET WEB_SPECIFIC_APPS [PT OPEN] Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE Through Registration Form (CVE-2018-7600)
ET WEB_SPECIFIC_APPS [PT OPEN] Drupalgeddon2 $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS [PT OPEN] Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE Through Registration Form (CVE-2018-7600)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/user/register"; http.request_body; content:"drupal"; pcre:"/(%23|#)(access_callback|pre_render|post_render|lazy_builder)/i"; reference:cve,2018-7600; reference:url,research.checkpoint.com/uncovering-drupalgeddon-2; classtype:attempted-admin; sid:2025494; rev:3; metadata:affected_product Drupal_Server, attack_target Web_Server, created_at 2018_04_13, deployment Datacenter, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_08_25;)
Exploit-DB
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)
exploitdb·2018-04-17·CVSS 9.8
CVE-2018-7600 [CRITICAL] Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)
Drupal 'Drupalgeddon2',
'Description' => %q{
CVE-2018-7600 / SA-CORE-2018-002
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1
allows remote attackers to execute arbitrary code because of an issue affecting
multiple subsystems with default or common module configurations.
The module can load msf PHP arch payloads, using the php/base64 encoder.
The resulting RCE on Drupal looks like this: php -r 'eval(base64_decode(#{PAYLOAD}));'
},
'License' => MSF_LICENSE,
'Author' =>
[
'Vitalii Rudnykh', # initial PoC
'Hans Topo', # further research and ruby port
'José Ignacio Rojo' # further research and msf module
],
'References' =>
[
['SA-CORE', '2018-002'],
['CVE', '2018-7600'],
],
'DefaultOptions' =>
{
'encoder' => 'php/base64',
'payload' => 'php/meterpreter/reverse
Exploit-DB
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)
exploitdb·2018-04-13·CVSS 9.8
CVE-2018-7600 [CRITICAL] Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)
Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)
---
#!/usr/bin/env
import sys
import requests
print ('################################################################')
print ('# Proof-Of-Concept for CVE-2018-7600')
print ('# by Vitalii Rudnykh')
print ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders')
print ('# https://github.com/a2u/CVE-2018-7600')
print ('################################################################')
print ('Provided only for educational or information purposes\n')
target = input('Enter target url (example: https://domain.ltd/): ')
# Add proxy support (eg. BURP to analyze HTTP(s) traffic)
# set verify = False if your proxy certificate is self signed
# remember to set proxies both for http and https
#
# example:
#
Exploit-DB
Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution
exploitdb·2018-04-13·CVSS 9.8
CVE-2018-7600 [CRITICAL] Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution
Drupal &1' ); }"
bashcmd = "echo " + Base64.strict_encode64(bashcmd) + " | base64 -d"
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Function http_request [type] [data]
def http_request(url, type="get", payload="", cookie="")
puts verbose("HTTP - URL : #{url}") if $verbose
puts verbose("HTTP - Type: #{type}") if $verbose
puts verbose("HTTP - Data: #{payload}") if not payload.empty? and $verbose
begin
uri = URI(url)
request = type =~ /get/? Net::HTTP::Get.new(uri.request_uri) : Net::HTTP::Post.new(uri.request_uri)
request.initialize_http_header({"User-Agent" => $useragent})
request.initialize_http_header("Cookie" => cookie) if not cookie.empty?
request.body = payload if not payload.empty?
return $http.request(request)
rescue SocketError
puts error("Ne
Metasploit
Drupal Drupalgeddon 2 Forms API Property Injection
metasploit
Drupal Drupalgeddon 2 Forms API Property Injection
Drupal Drupalgeddon 2 Forms API Property Injection
This module exploits a Drupal property injection in the Forms API. Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable.
Nuclei
Drupal - Remote Code Execution
nuclei·CVSS 9.8
CVE-2018-7600 [CRITICAL] Drupal - Remote Code Execution
Drupal - Remote Code Execution
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
Template:
id: CVE-2018-7600
info:
  name: Drupal - Remote Code Execution
  author: pikpikcu
  severity: critical
  description: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
  impact: |
    Critical
  remediation: |
    Upgrade to the latest version of Drupal or apply the official patch provided by Drupal security team.
  reference:
    - https://github.com/vulhub/vulhub/tree/mast
Tenable
CVE-2026-9082: Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004)
blogs_tenable·2026-05-21·CVSS 6.5
CVE-2026-9082 [MEDIUM] CVE-2026-9082: Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004)
## CVE-2026-9082: Highly Critical SQL Injection Vulnerability in Drupal Core (SA-CORE-2026-004)
A highly critical SQL injection vulnerability in Drupal core's database abstraction layer affects sites running PostgreSQL.
## Key Takeaways
CVE-2026-9082 is a highly critical SQL injection vulnerabi
Fortinet
Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability
blogs_fortinet·2022-10-21·CVSS 9.8
CVE-2022-22954 [CRITICAL] Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability
FORTIGUARD LABS THREAT RESEARCH
Mirai, RAR1Ransom, and GuardMiner – Multiple Malware Campaigns Target VMware Vulnerability
By Cara Lin | October 21, 2022
In April, VMware patched a vulnerability, CVE-2022-22954. It causes server-side template injection because of the lack of sanitization of the parameters “deviceUdid” and “devicetype”, and it allows attackers to inject a payload and achieve remote code execution on VMware Workspace ONE Access and Identity Manager. FortiGuard Labs published a Threat Signal Report about it and also developed an IPS signature in April.
We have observed attacks in the wild since then. Most of the payloads focus on probing a victim’s sensitive data, for example passwords, the hosts file, etc. But in August there were a few particular payloads which got our interest. They had th
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Trendmicro
CISA Reports Top Vulnerabilities From Remote Work
blogs_trendmicro·2021-09-21·CVSS 9.1
[CRITICAL] CISA Reports Top Vulnerabilities From Remote Work
Exploits & Vulnerabilities
## CISA Reports Top Vulnerabilities From Remote Work
Trend Micro’s Next-Generation IPS protects organizations from threats as attackers now target remote work-related vulnerabilities.
By: Jon Clay, Sep 21, 2021
As COVID-19 moves people to the cloud, cyber actors now aim at shooting the sky.
On July 28, 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) released a report detailing the top exploited vulnerabilities in 2020 and 2021. The report shows that the attackers’ favorite new targets are vulnerabilities published after 2019 and relevant to remote work, VPN (Virtual Private Network), and cloud-based technologies.
As remote work became widespread, cyber actors have been taking advantage of the young, unp
Qualys
CISA Alert: Top Routinely Exploited Vulnerabilities
blogs_qualys·2021-07-29·CVSS 9.1
[CRITICAL] CISA Alert: Top Routinely Exploited Vulnerabilities
## Table of Contents
- Top Routinely Exploited Vulnerabilities
- Detect CISA's Top Routinely Exploited Vulnerabilities using Qualys VMDR
- Recommendations
- Remediation and Mitigation
- Get Started Now
On July 28, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a cybersecurity advisory detailing the top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021. Organizations are advised to prioritize and apply patches or workarounds for these vulnerabilities as soon as possible.
The advisory states, “If an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the largest numbe
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42·2021-04-12·CVSS 7.5
CVE-2020-28188 [HIGH] Network Attack Trends: Internet of Threats (November 2020-January 2021)
# Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to early 2021.
This blog provides details of the newly observed exploits as well as a dive deep into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
Palo Alto Networks Next-Generation Firewall customers are protected from these attacks with the URL Filtering an
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42·2021-04-12·CVSS 7.5
[HIGH] Network Attack Trends: Internet of Threats (November 2020-January 2021)
## Network Attack Trends: Internet of Threats (November 2020-January 2021)
Lei Xu
Yue Guan
Vaibhav Singhal
Published: April 12, 2021
## Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to earl
Unit42
Network Attack Trends: Internet of Threats (August-October 2020)
blogs_unit42·2021-01-22·CVSS 9.8
CVE-2012-2311 [CRITICAL] Network Attack Trends: Internet of Threats (August-October 2020)
## Network Attack Trends: Internet of Threats (August-October 2020)
Yue Guan
Lei Xu
Ken Hsu
Zhibin Zhang
Published: January 22, 2021
## Executive Summary
Unit 42 researchers observed interesting attack trends from August-October 2020. Despite a surge in scanner activities and HTTP directory traversal exploitation attempts, CVE-2012-2311 and CVE-2012-1823, which were the most commonly exploited vulnerabilities in the wild in early summer 2020, are no longer at the top of that list. Several new critical exploits, including but not limited to CVE-2020-17496 and CVE-2020-25213, have emerged and were being utilized at a constant and concern
Unit42
Network Attack Trends: Internet of Threats (August-October 2020)
blogs_unit42·2021-01-22·CVSS 9.8
CVE-2012-2311 [CRITICAL] Network Attack Trends: Internet of Threats (August-October 2020)
## Executive Summary
Unit 42 researchers observed interesting attack trends from August-October 2020. Despite a surge in scanner activities and HTTP directory traversal exploitation attempts, CVE-2012-2311 and CVE-2012-1823, which were the most commonly exploited vulnerabilities in the wild in early summer 2020, are no longer at the top of that list. Several new critical exploits, including but not limited to CVE-2020-17496 and CVE-2020-25213, have emerged and were being utilized at a constant and concerning rate as of fall 2020. To complicate matters, malicious actors are well aware that new exploits aren’t always needed to get the job done. Based on observations of malicious traffic for the designated three months, weaponized ThinkPHP vulnerabilities like CVE-2018-20062 and CVE-2019-908
Checkpoint
Rudeminer, Blacksquid and Lucifer Walk Into A Bar
blogs_checkpoint·2020-09-15·CVSS 9.8
CVE-2018-10561 [CRITICAL] Rudeminer, Blacksquid and Lucifer Walk Into A Bar
## Rudeminer, Blacksquid and Lucifer Walk Into A Bar
Research by David Driker, Amir Landau
Background
Lucifer is a Windows crypto miner and DDOS hybrid malware. Three months ago, researcher
Unit42
The State of Exploit Development: 80% of Exploits Publish Faster than CVEs
blogs_unit42·2020-08-26
The State of Exploit Development: 80% of Exploits Publish Faster than CVEs
## The State of Exploit Development: 80% of Exploits Publish Faster than CVEs
Jay Chen
Published: August 26, 2020
## Executive Summary
With the ever-increasing number of new vulnerabilities, vulnerability management becomes one of the most critical processes in ensuring continuous business operation. While it is clear that timely patching is essential, it’s also important to know quantitatively how a delay could increase risk. What is the chance that attackers breach my organization using a CVE just disclosed or using an unknown (zero-day) vulnerability? To understand the state of vulnerability disclosure and exploit development, Unit 42 researchers analyzed 45,450 publicly available exploits in Exploit Database at the time of this writing. The research correlated the exploit data with vulnerability and patch information to study exploit development in multiple facets.
The research reveals that:
Securelist
Incident Response Analyst Report of 2019
blogs_securelist·2020-08-06
Incident Response Analyst Report of 2019
Table of Contents
- Executive summary
- Recommendations
- Reasons for incident response
- Distribution of reasons for top regions
- Distribution of reasons for industries
- Initial vectors or how adversaries get in
- Tools and exploits
- Attack duration
- Operational metrics
- How fast we responded
- How long response took
- MITRE ATT&CK tactics and techniques
- Conclusion
Authors
- Ayman Shaaban
- Grigory Sablin
- Kaspersky GERT
As an incident response service provider, Kaspersky delivers a global service that results in global visibility of adversaries’ cyber-incident tactics and techniques used in the wild. In this report, we share our teams’ conclusions and analysis based on incident responses and statistics from 2019. As well as a range of highlights,
Unit42
Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices
blogs_unit42·2020-06-24·CVSS 9.8
[CRITICAL] Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices
## Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices
Ken Hsu
Durgesh Sangvikar
Zhibin Zhang
Chris Navarrete
Published: June 24, 2020
## Executive Summary
On May 29, 2020, Unit 42 researchers discovered a new variant of a hybrid cryptojacking malware from numerous incidents of CVE-2019-9081 exploitation in the wild. A closer look revealed the malware, which we’ve dubbed “Lucifer”, is capable of conducting DDoS attacks and well-equipped with all kinds of exploits against vulnerable Windows hosts. The first wave of the campaign stopped on June 10, 2020. The attacker then resumed their campaign on June 11, 2020, spreading an upgraded version of the malware and wreaking havoc. The sample was compiled on Thursday, June 11, 2020 10:39:47 PM UTC and caught by Palo Alto Networks Next-Generation Firewall. At the time of writing, the campaign’s still ongoing.
Lucifer is quite powerful in its capabilities. Not only is it capable
Qualys
Top 19+ Vulnerability CVEs in Santa’s Dashboard Tracking
blogs_qualys·2019-12-27·CVSS 8.8
[HIGH] Top 19+ Vulnerability CVEs in Santa’s Dashboard Tracking
A recent report identified 19+ vulnerabilities that should be mitigated by end of year 2019. These are a range of top vulnerabilities attacked and leveraged by Advanced Persistent Threat (APT) actors from all parts of the world.
The list below shows those top 19 vulnerabilities, and it should be no surprise that you can easily track and remediate them via a dashboard within Qualys. Import the dashboard into your subscription for easy insight into what assets and vulnerabilities in your organization are at risk.
| No. | CVE | Products Affected by CVE | CVSS Score (NVD) | Examples of Threat Actors |
|---|---|---|---|---|
| 1 | CVE-2017-11882 | Microsoft Office | 7.8 | APT32 (Vietnam), APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Silent Group (Russia), Lotus Blossom (China), FIN7 (Russia) |
Zscaler
A look at the recent BuleHero botnet payload | Zscaler
blogs_zscaler·2019-12-12
A look at the recent BuleHero botnet payload | Zscaler
Checkpoint
8th July – Threat Intelligence Bulletin
blogs_checkpoint·2019-07-08·CVSS 7.8
CVE-2018-7600 [HIGH] 8th July – Threat Intelligence Bulletin
## 8th July – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 8th July 2019, please download our Threat Intelligence Bulletin
TOP ATTACKS AND BREACHES
The Japanese-American international convenience store 7/11 has shut down its new mobile payment app after threat actors stole $500,000 from its users. The attackers were able to perform unwanted charges on customers’ accounts due to a flaw in the password reset function, which allows anyone to reset the password for other cu
Trendmicro
Spreader Distributes Cryptocurrency Miner
blogs_trendmicro·2019-07-01
Spreader Distributes Cryptocurrency Miner
Malware
## Spreader Distributes Cryptocurrency Miner
A Golang-based spreader is being used in a campaign that distributes a cryptocurrency miner. Golang, or Go, is an open-source programming language that has recently been used frequently for malware activity.
By: Augusto Remillano II, Mark Vicente Jul 01, 2019
Original post by Augusto Remillano II and Mark Vicente
A Golang-based spreader is being used in a campaign that distributes a cryptocurrency miner. Golang, or Go, is an open-source programming language that has recently been used frequently for malware activity. Trend Micro first detected use of the spreader in May and found it again in a new campaign.
The spreader scans
Tenable
Sea Turtle DNS Hijacking Campaign Utilizes At Least Seven Patched Vulnerabilities
blogs_tenable·2019-04-19
Sea Turtle DNS Hijacking Campaign Utilizes At Least Seven Patched Vulnerabilities
Talos
DNS Hijacking Abuses Trust In Core Internet Service
blogs_talos·2019-04-17
DNS Hijacking Abuses Trust In Core Internet Service
By Danny Adamitis, David Maynor, Warren Mercer, Matthew Olney and Paul Rascagneres.
Update 4/18: A correction has been made to our research based on feedback from Packet Clearing House, we thank them for their assistance
## Preface
This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have on the inter
Talos
Cisco Talos Honeypot Analysis Reveals Rise in Attacks on Elasticsearch Clusters
blogs_talos·2019-02-26·CVSS 8.1
[HIGH] Cisco Talos Honeypot Analysis Reveals Rise in Attacks on Elasticsearch Clusters
## Cisco Talos Honeypot Analysis Reveals Rise in Attacks on Elasticsearch Clusters
Christopher Evans of Cisco Talos conducted the research for this post.
## EXECUTIVE SUMMARY
Cisco Talos warns users that they need to keep a close eye on unsecured Elasticsearch clusters. We have recently observed a spike in attacks from multiple threat actors targeting these clusters. These attackers are targeting clusters using versions 1.4.2 and lower, and are leveraging old vulnerabilities to pass scripts to search queries and drop the attacker's payloads. These scripts are being leveraged to drop both malware and cryptocurrency miners on victim machines. Talos has also been able to identify social media accounts associated with one of these threat actors. Because Elasticsearch is typically used to manage very large datasets, the repercussions of a successful attack on a cluster coul
Tenable
Drupalgeddon Attacks Continue on Sites Missing Security Updates (CVE-2018-7600, CVE-2018-7602)
blogs_tenable·2018-11-20·CVSS 7.0
CVE-2018-7600 [HIGH] Drupalgeddon Attacks Continue on Sites Missing Security Updates (CVE-2018-7600, CVE-2018-7602)
# Drupalgeddon Attacks Continue on Sites Missing Security Updates (CVE-2018-7600, CVE-2018-7602)
Satnam Narang
November 20, 2018
Recent attacks targeting Drupal instances vulnerable to Drupalgeddon 2 and Drupalgeddon 3 highlight the importance of identifying and patching vulnerable sites.
#### Background
In March 2018, Drupal published a security advisory, SA-CORE-2018-002, that addressed a critical Remote Code Execution (RCE) vulnerability with the CVE identifier CVE-2018-7600. Tenable’s Security Response Team published a blog as well.
A few weeks after the publication of this security advisory, researchers at Check Point Software Technologies and Dofinity published “Uncovering Drupalgeddon 2.0,” providing technical details about C
Qualys
Detecting Apache Struts 2 Namespace RCE: CVE-2018-11776
blogs_qualys·2018-08-23·CVSS 8.1
CVE-2018-11776 [HIGH] Detecting Apache Struts 2 Namespace RCE: CVE-2018-11776
## Table of Contents
- The Vulnerability
- Recommended Response
- Detections
- Protection
A new remote code execution vulnerability in Apache Struts 2, CVE-2018-11776, was disclosed yesterday. While this vulnerability does not exist with a default configuration of Struts, it does exist in commonly seen configurations for some Struts plugins.
Update August 24, 2018: A dashboard for this vulnerability is now available to download.
## The Vulnerability
Struts improperly validates namespaces, allowing for OGNL injection, and can lead to full remote code execution on the target system. For a more detailed technical look at the vulnerability, please see our Threat Protection blog on this topic. Struts versions 2.3.34 and 2.5.16 and before are impacted.
## Recommended Response
Due to the ease
Qualys
Staying Safe in the Era of Browser-based Cryptocurrency Mining
blogs_qualys·2018-07-25
Staying Safe in the Era of Browser-based Cryptocurrency Mining
Qualys Malware Research Labs is announcing the release of Qualys BrowserCheck CoinBlocker Chrome extension to detect and block browser-based cryptocurrency mining, aka cryptojacking.
## Cryptojacking
Cryptojacking attacks leverage the victim system’s resources via malicious JavaScript to mine certain cryptocurrencies. Attackers carry out these attacks by infecting popular sites with JavaScript that enables cryptojacking. Any visitor to such sites will download the JavaScript and unknowingly contribute their system resources to mine a cryptocurrency that is added to the attacker’s wallet. The resource-intensive mining process carried out on victim systems typically consumes more than 70% of CPU, which reduces system performance, increases power consumption and can cause possible permanen
Trendmicro
Drupal Bug Exploited to Deliver Monero-Mining Malware
blogs_trendmicro·2018-06-21·CVSS 9.8
CVE-2018-7602 [CRITICAL] Drupal Bug Exploited to Deliver Monero-Mining Malware
Malware
# Drupal Bug Exploited to Deliver Monero-Mining Malware
We were able to observe a series of network attacks exploiting a security flaw (CVE-2018-7602) in the Drupal content management framework. For now, these attacks aim to turn affected systems into Monero-mining bots.
By: Smart Home Network Team, IoT Reputation Service Team
2018/06/21
We were able to observe a series of network attacks exploiting CVE-2018-7602, a security flaw in the Drupal content management framework. For now, these attacks aim to turn affected systems into Monero-mining bots. Of note are its ways of hiding behind the Tor network to elude detection and how it checks the affected system first before infecting it with a cryptocurrency-mining malware. While these attacks c
Fortinet
Yet Another Crypto Mining Botnet?
blogs_fortinet·2018-05-03·CVSS 9.8
[CRITICAL] Yet Another Crypto Mining Botnet?
FORTIGUARD LABS THREAT RESEARCH
Yet Another Crypto Mining Botnet?
By David Maciejak | May 03, 2018
In February 2018, several Russian nuclear scientists were arrested for allegedly mining cryptocurrencies using computing resources located at a Russian nuclear warhead facility. Globally, cryptominers are rapidly increasing and spreading for an obvious reason: it’s lucrative. Threat actors are also surfing this wave by using different kinds of attacks to compromise not only personal computers but also servers. They are looking for powerful CPU resources to mine cryptocurrencies, such as Monero (XMR), among others, as fast as they can. The more infected machines they can get mining for them, the more money they can make.
Over the last few months we have begun to see a switch away from traditi
Unit42
Exploit in the Wild: #drupalgeddon2 - Analysis of CVE-2018-7600
blogs_unit42·2018-05-01·CVSS 9.8
CVE-2018-7600 [CRITICAL] Exploit in the Wild: #drupalgeddon2 - Analysis of CVE-2018-7600
## Exploit in the Wild: #drupalgeddon2 - Analysis of CVE-2018-7600
Yanhui Jia
Matthew Tennis
Yi Ren
Rongbo Shao
Published: May 1, 2018
About CVE-2018-7600
On 28 March 2018, the Drupal core security team released security advisory SA-CORE-2018-002 which discusses a highly critical vulnerability CVE-2018-7600, later nicknamed drupalgeddon2. The vulnerability is present on all Drupal versions 7.x before 7.58, 8.3.x versions before 8.3.9, 8.4.x versions before 8.4.6, and 8.5.x before 8.5.1.
The vulnerability is estimated to impact over one million Drupal users and websites. The vulnerability can enable remote code execution and results from insufficient input validation on the Drupal 7 Form API. Attacks against Drupalgeddon2 target AJAX requests composed of Drupal Form API’s renderable arrays, which are used to render a requested page through Drupal’s theming system.
An attacker can use this vulnerability to force the serv
Volexity
Drupalgeddon 2: Profiting from Mass Exploitation
blogs_volexity·2018-04-16·CVSS 9.8
CVE-2018-7600 [CRITICAL] Drupalgeddon 2: Profiting from Mass Exploitation
Threat Intelligence
# Drupalgeddon 2: Profiting from Mass Exploitation
April 16, 2018
Matthew Meltzer and Steven Adair
On March 28, 2018, a patch for a highly critical vulnerability, which facilitates remote code execution against the Drupal content management system, was released. The vulnerability was identified by Jasper Mattson of Druid and is covered by SA-2018-002 and CVE-2018-7600. Prior to the release of the patch, Drupal had given advance notice of its impending release and of the potential consequences tied to the ease of the vulnerability’s exploitation. This sparked concerns of a new “Drupalgeddon”, where a large number of unpatched websites would be compromised. This comes on the heels of a major Drupal vulnerability from October 2014 that was widely exploited by advanced persist
Checkpoint
Uncovering Drupalgeddon 2
blogs_checkpoint·2018-04-12·CVSS 9.8
CVE-2018-7600 [CRITICAL] Uncovering Drupalgeddon 2
## Uncovering Drupalgeddon 2
Research By: Eyal Shalev, Rotem Reiss and Eran Vaknin
Abstract
Two weeks ago, a highly critical (25/25 NIST rank) vulnerability, nicknamed Drupalgeddon 2 (SA-CO
Qualys
Microsoft Misfires with Meltdown Patch, while WannaCry Pops Up at Boeing
blogs_qualys·2018-04-02·CVSS 7.8
[HIGH] Microsoft Misfires with Meltdown Patch, while WannaCry Pops Up at Boeing
In our weekly roundup of InfoSec happenings, we start, as has often been the case this year, with concerning Meltdown / Spectre news — this time involving Microsoft — and also touch on a password hack at Under Armour, a WannaCry infection at Boeing, and a severe Drupal vulnerability.
## Microsoft patches its Meltdown patch, then patches it again
In an instance of the cure possibly being worse than the disease, a Microsoft patch for Meltdown released in January created a gaping security hole in certain systems in which it was installed.
It took Microsoft two tries to fix the issue, which affects Windows 7 (x64) and Windows Server 2008 R2 (x64) systems. The company thought it had solved the vulnerability (CVE-2018-1038) with a scheduled patch last Tuesday, but then had to rush out an em
Tenable
Critical Drupal Core Vulnerability: What You Need to Know
blogs_tenable·2018-03-29·CVSS 9.8
CVE-2018-7600 [CRITICAL] Critical Drupal Core Vulnerability: What You Need to Know
# Critical Drupal Core Vulnerability: What You Need to Know
Josef Weiss
March 29, 2018
2 Min Read
Drupal is popular, free and open-source content management software. On March 28, the Drupal security team released patches for CVE-2018-7600, an unauthenticated remote code execution vulnerability in Drupal core. The vulnerability affects Drupal versions 6, 7 and 8. Patches have been released for versions 7.x, 8.3.x, 8.4.x and 8.5.x. No patches are expected for version 6 or 8.2.x and below.
### Impact assessment
Drupal security advisories include a risk score based on the NIST Common Misuse Scoring System. This helps give an objective sense of the risk of different issues. The risk of this vulnerability, SA-CORE-2018-002, is scored 21/25 (Highly C
Greynoiseio
Battling Ransomware One Tag At A Time
blogs_greynoiseio
Battling Ransomware One Tag At A Time
arXiv
HeATed Alert Triage (HeAT): Transferrable Learning to Extract Multistage Attack Campaigns
arxiv_fulltext·2022-12-28
HeATed Alert Triage (HeAT): Transferrable Learning to Extract Multistage Attack Campaigns
HeATed Alert Triage (HeAT): Transferrable Learning to Extract Multistage Attack Campaigns
Stephen Moskal, Shanchieh Jay Yang
Rochester Institute of Technology, Rochester, NY, USA
## Abstract
With the growing sophistication and volume of cyber attacks, combined with complex network structures, it is becoming extremely difficult for security analysts to corroborate evidence in order to identify multistage campaigns on their network.
This work develops HeAT (Heated Alert Triage): given a critical indicator of compromise (IoC), such as a severe IDS alert, HeAT produces a HeATed Attack Campaign (HAC) depicting the multistage activities that led up to the critical event.
We define the concept of "Alert Episode Heat" to represent the analyst's opinion of how much an event contributes to the attack campaign of the
arXiv
Linking Threat Tactics, Techniques, and Patterns with Defensive Weaknesses, Vulnerabilities and Affected Platform Configurations for Cyber Hunting
arxiv_fulltext·2021-02-10·CVSS 8.8
CVE-2017-11882 [HIGH] Linking Threat Tactics, Techniques, and Patterns with Defensive Weaknesses, Vulnerabilities and Affected Platform Configurations for Cyber Hunting
Top 10 Most Exploited Vulnerabilities 2016-2019 (https://us-cert.cisa.gov/ncas/alerts/aa20-133a)

| CVE | CVSS Score | Number of Tactics | Number of Techniques | Number of CAPECs | Number of CWEs | Number of CPEs |
|---|---|---|---|---|---|---|
| CVE-2017-11882 | 8.55 | 0 | 0 | 12 | 1 | 4 |
| CVE-2017-0199 | 8.55 | 0 | 0 | 0 | 0 | 9 |
| CVE-2017-5638 | 10.0 | 1 | 3 | 51 | 1 | 53 |
| CVE-2012-0158 | 9.3 | 0 | 0 | 3 | 1 | 29 |
| CVE-2019-0604 | 8.65 | 1 | 3 | 51 | 1 | 4 |
| CVE-2017-0143 | 0.0 (not listed in BRON but NVD says high severity) | 0 | 0 | 0 | 0 | 0 |
| CVE-2018-4878 | 8.65 | 0 | 0 | 0 | 1 | 3 |
| CVE-2017-8759 | 8.55 | 1 | 3 | 51 | 1 | 8 |
| CVE-2015-1641 | 9.3 | 0 | 0 | 0 | 1 | 11 |
| CVE-2018-7600 | 8.65 | 1 | 3 | 51 | 1 | 4 |
4 out of Top 10 Vulnerabilities share the follow
CTF
medium / README
ctf_writeups·CVSS 9.1
[CRITICAL] medium / README
---
layout: default
title: Medium Machines
parent: Machines
nav_order: 2
description: "112+ Medium HTB machine writeups with walkthroughs"
permalink: /machines/medium/
---
# HackTheBox - Medium Machines
> Comprehensive index of retired HTB Medium-difficulty machines with key techniques and attack path summaries.
**Total: 100+ machines** | Sorted roughly by retirement date (newest first)
---
## Machine Index
| # | Machine | OS | Key Techniques | Attack Path Summary | Writeup |
|---|---------|-----|----------------|---------------------|---------|
| 1 | Signed | Linux | Code Signing Bypass, Certificate Abuse | Forge code signature to deploy malicious update, escalate via trusted binary execution | [0xdf](https://0xdf.gitlab.io/2026/02/07/htb-signed.html) |
| 2 | Voleur | Linux | Data E
CTF
easy / README
ctf_writeups·CVSS 6.0
[MEDIUM] easy / README
---
layout: default
title: Easy Machines
parent: Machines
nav_order: 1
description: "120+ Easy HTB machine writeups with walkthroughs"
permalink: /machines/easy/
---
# HackTheBox Easy Machines - Comprehensive Reference
> Complete catalog of retired HTB Easy machines with OS, key vulnerability, attack path summary, and quality writeup links.
**Total: 100+ Easy Machines** | Updated: April 2026
---
## Quick Navigation
- [Classic / Legacy Machines (2017-2019)](#classic--legacy-machines-2017-2019)
- [2019-2020 Machines](#2019-2020-machines)
- [2021 Machines](#2021-machines)
- [2022 Machines](#2022-machines)
- [2023 Machines](#2023-machines)
- [2024 Machines (Season 4 & 5)](#2024-machines-season-4--5)
- [2025-2026 Machines (Season 6+)](#2025-2026-machines-season-6)
---
## Classic / Legac
CTF
Armageddon / README
ctf_writeups
Armageddon / README
# Armageddon - HackTheBox
Linux, 20 Base Points, Easy
## TL;DR
To solve this machine, we start by using `nmap` to enumerate open services and find ports `22` and `80`.
***User***: We discovered the version of `Drupal` from the file `CHANGELOG.txt`, and by using a `Drupal` exploit, we obtained a remote code execution vulnerability. Additionally, we found the credentials for `brucetherealadmin` in the database and used them to log in to `SSH` and obtain the user flag.
***Root***: By executing the command `sudo -l`, we found that we have the ability to run `/usr/bin/snap install *` as the root user. We then found an exploit for `Snap` and used it to gain a root shell.
## Armageddon Solution
### User
Let's begin by using `nmap` to scan the target machine:
```console
┌─[e
```
CTF
README
ctf_writeups·CVSS 9.8
[CRITICAL] README
# Boot to root CTFs
Walkthroughs and notes of 'boot to root' CTFs mostly from VulnHub that I did for fun. I like to use vulnerable VMs from VulnHub (in addition to the ones I create) to organize hands-on penetration testing training sessions for junior security auditors/consultants :-)
### >> Classic pentest methodology to do a Boot2root CTF upload a Webshell)
➤ Clear-text passwords stored in 'public' website pages, configuration files, log files
➤ ...
2. Exploiting unpatched known vulnerabilities
➤ Web server (e.g. Apache Struts RCE: CVE-2017-12611/CVE-2017-9805/CVE-2017-9791, JBoss Java Deserialization RCE)
➤ Bash & web server CGI (e.g. Shellshock RCE CVE-2014-6271/CVE-2014-7169)
➤ Web CMS (e.g. Drupalgeddon2 RCE CVE-2018-7600)
➤ Web framework (e.g. PHP CGI RCE CVE-2012-1823)
➤ FTP s
HackerOne
[CVE-2018-7600] Remote Code Execution due to outdated Drupal server on www.█████████
hackerone·2021-03-24·CVSS 9.8
CVE-2018-7600 [CRITICAL] [CVE-2018-7600] Remote Code Execution due to outdated Drupal server on www.█████████
[CVE-2018-7600] Remote Code Execution due to outdated Drupal server on www.█████████
## Summary
Due to an outdated Drupal version, remote code execution is possible on `www.█████` via CVE-2018-7600.
## Description
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
Vulnerable Host:
* `www.███`
Visiting `https://www.███/███` we can see that the site runs Drupal version 7.54, which was last updated on 2017-02-01.
There are several critical and highly critical vulnerabilities known for this version (see `https://api.drupal.org/api/drupal/████████/7.x` and `https://www.drupal.org/security`). Among them is `
Bugzilla
CVE-2018-7600 drupal: Unsanitized requests allow remote attackers to execute arbitrary code
bugzilla·2018-03-29·CVSS 9.8
CVE-2018-7600 [CRITICAL] CVE-2018-7600 drupal: Unsanitized requests allow remote attackers to execute arbitrary code
CVE-2018-7600 drupal: Unsanitized requests allow remote attackers to execute arbitrary code
Drupal versions 6, 7 and 8 do not properly sanitize requests allowing remote attackers without credentials to execute arbitrary code.
This issue was patched in the following versions:
Drupal 7.58
Drupal 8.3.9
Drupal 8.4.6
Drupal 8.5.1
External References:
https://www.drupal.org/sa-core-2018-002
https://groups.drupal.org/security/faq-2018-002
Upstream Patches:
https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5
https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f
Discussion:
Created drupal8 tracking bugs for this issue:
Affects: fedora-all [bug 1561855]
Created drupal7 tracking bugs for this issue:
Affe
Bugzilla
CVE-2018-7600 drupal8: drupal: Unsanitized requests allow remote attackers to execute arbitrary code [fedora-all]
bugzilla·2018-03-29·CVSS 9.8
CVE-2018-7600 [CRITICAL] CVE-2018-7600 drupal8: drupal: Unsanitized requests allow remote attackers to execute arbitrary code [fedora-all]
CVE-2018-7600 drupal8: drupal: Unsanitized requests allow remote attackers to execute arbitrary code [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue
Bugzilla
CVE-2018-7600 drupal6: drupal: Unsanitized requests allow remote attackers to execute arbitrary code [epel-6]
bugzilla·2018-03-29·CVSS 9.8
CVE-2018-7600 [CRITICAL] CVE-2018-7600 drupal6: drupal: Unsanitized requests allow remote attackers to execute arbitrary code [epel-6]
CVE-2018-7600 drupal6: drupal: Unsanitized requests allow remote attackers to execute arbitrary code [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-6.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the fol
Bugzilla
CVE-2018-7600 drupal7: drupal: Unsanitized requests allow remote attackers to execute arbitrary code [epel-all]
bugzilla·2018-03-29·CVSS 9.8
CVE-2018-7600 [CRITICAL] CVE-2018-7600 drupal7: drupal: Unsanitized requests allow remote attackers to execute arbitrary code [epel-all]
CVE-2018-7600 drupal7: drupal: Unsanitized requests allow remote attackers to execute arbitrary code [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue aff
Bugzilla
CVE-2018-7600 drupal7: drupal: Unsanitized requests allow remote attackers to execute arbitrary code [fedora-all]
bugzilla·2018-03-29·CVSS 9.8
CVE-2018-7600 [CRITICAL] CVE-2018-7600 drupal7: drupal: Unsanitized requests allow remote attackers to execute arbitrary code [fedora-all]
CVE-2018-7600 drupal7: drupal: Unsanitized requests allow remote attackers to execute arbitrary code [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue
http://www.securityfocus.com/bid/103534
http://www.securitytracker.com/id/1040598
https://badpackets.net/over-100000-drupal-websites-vulnerable-to-drupalgeddon-2-cve-2018-7600/
https://blog.appsecco.com/remote-code-execution-with-drupal-core-sa-core-2018-002-95e6ecc0c714
https://github.com/a2u/CVE-2018-7600
https://github.com/g0rx/CVE-2018-7600-Drupal-RCE
https://greysec.net/showthread.php?tid=2912&pid=10561
https://groups.drupal.org/security/faq-2018-002
https://lists.debian.org/debian-lts-announce/2018/03/msg00028.html
https://research.checkpoint.com/uncovering-drupalgeddon-2/
https://twitter.com/RicterZ/status/979567469726613504
https://twitter.com/RicterZ/status/984495201354854401
https://twitter.com/arancaytar/status/979090719003627521
https://www.debian.org/security/2018/dsa-4156
https://www.drupal.org/sa-core-2018-002
https://www.exploit-db.com/exploits/44448/
https://www.exploit-db.com/exploits/44449/
https://www.exploit-db.com/exploits/44482/
https://www.synology.com/support/security/Synology_SA_18_17
https://www.tenable.com/blog/critical-drupal-core-vulnerability-what-you-need-to-know
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-7600
2018-03-29
Published
2021-11-03
Added to CISA KEV
Exploited in the wild