CVE-2019-11580
Published: 2019-06-03
Priority: P1 (99) · critical · CVSS 3.1 base 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Flags: CISA KEV (remediation due 2022-05-03) · exploited in the wild · known ransomware campaign use · initial access
EPSS: 95.36% (99.9th percentile)
Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.
Affected
Five release branches, each with its own fix version:
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| atlassian | crowd | >= 2.1.0 < 3.0.5 | 3.0.5 |
| atlassian | crowd | >= 3.1.0 < 3.1.6 | 3.1.6 |
| atlassian | crowd | >= 3.2.0 < 3.2.8 | 3.2.8 |
| atlassian | crowd | >= 3.3.0 < 3.3.5 | 3.3.5 |
| atlassian | crowd | >= 3.4.0 < 3.4.4 | 3.4.4 |
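A small triage helper, added here as an example (it is not Atlassian's code and not part of the advisory): it encodes the five affected ranges from the table above and reports which hosts in an inventory still need the branch fix. It assumes plain dotted version strings as Crowd reports them; a pre-release suffix such as `-rc1` is ignored, and the host inventory at the bottom is constructed.

```python
"""Triage helper for CVE-2019-11580: does a reported Crowd version fall in one
of the five affected ranges from the Atlassian advisory?

Added example, not Atlassian's or the tracker page's code. Ranges are the
[introduced, fixed) intervals listed on the page; the sample inventory is
constructed.
"""
import re

# (first affected, first fixed) per release branch, from the advisory text.
AFFECTED_RANGES = [
    ((2, 1, 0), (3, 0, 5)),   # 2.1.0 through 3.0.4, fixed in 3.0.5
    ((3, 1, 0), (3, 1, 6)),   # 3.1.x, fixed in 3.1.6
    ((3, 2, 0), (3, 2, 8)),   # 3.2.x, fixed in 3.2.8
    ((3, 3, 0), (3, 3, 5)),   # 3.3.x, fixed in 3.3.5
    ((3, 4, 0), (3, 4, 4)),   # 3.4.x, fixed in 3.4.4
]


def parse_version(text):
    """Turn '3.4.3', '3.4' or '3.4.3-rc1' into a comparable int tuple.
    Assumption: a suffix such as '-rc1' is dropped, so a pre-release build of a
    fixed version is treated as fixed; review those by hand."""
    m = re.match(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable Crowd version: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_vulnerable(text):
    """True if the version lies in any [introduced, fixed) interval."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def fix_for(text):
    """Fixed version string on the same branch, or None if not affected."""
    v = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(map(str, hi))
    return None


def triage(inventory):
    """inventory: {hostname: version} -> [(host, version, fix)] for hosts
    that still run an affected build."""
    return [(host, ver, fix_for(ver))
            for host, ver in inventory.items() if is_vulnerable(ver)]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "crowd-prod-01": "3.4.3",   # affected, needs 3.4.4
        "crowd-prod-02": "3.4.4",   # fixed
        "crowd-legacy": "2.8.3",    # affected, needs 3.0.5
        "crowd-dc-01": "3.5.0",     # outside every affected range
        "crowd-dev": "3.0.5",       # fixed
    }
    for host, ver, fix in triage(sample):
        print(f"{host}: Crowd {ver} is affected, upgrade to {fix}")
```

Anything at or above the branch fix, and anything 3.5.0 or later, comes back clean; a 2.x build older than 2.1.0 is also outside the advisory's ranges, which is worth a manual look rather than trust.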
Detection & IOCs (extracted from sources)
- Monitor for HTTP POST requests, authenticated or not, to the Crowd endpoint /crowd/admin/uploadplugin.action, particularly with a multipart/mixed Content-Type header; this is the exploitation vector for CVE-2019-11580. The /crowd prefix is only the default context path, so match on the /admin/uploadplugin.action suffix, as the Suricata rule below does.
- Hunt for JAR uploads to Crowd instances, especially files named rce.jar; threat actors have been observed uploading malicious plugin payloads under this filename during exploitation of CVE-2019-11580.
- Exploitation allows arbitrary plugin installation without authentication; alert on any new plugin installation event in Crowd audit logs, especially from unexpected source IPs.
- The vulnerable component is the pdkinstall development plugin, incorrectly left enabled in production/release builds of Crowd and Crowd Data Center. Verify that this plugin is disabled in any deployed instance.
- If upgrading is not immediately feasible, Atlassian provided mitigation steps and a bash script to automate the mitigation on Linux systems; apply these as an interim measure.
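The first bullet above is a retro-hunt over web server access logs. The script below is an added example (not Atlassian's code and not from the tracker page) that does exactly that: it parses Tomcat/Apache "combined" format lines, keeps POSTs whose path ends in /admin/uploadplugin.action, counts them per source IP, and separates the ones answered with 200, which on an unpatched host usually means the plugin was installed. The log lines are constructed; the addresses are documentation ranges.

```python
"""Retro-hunt a Crowd access log for CVE-2019-11580 plugin-upload attempts.

Added example, not from Atlassian or the tracker page. Assumes the
Tomcat/Apache "combined" access-log format; the sample lines are constructed.
"""
import re
from collections import Counter

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Match on the suffix: /crowd is only the default context path.
UPLOAD_SUFFIX = "/admin/uploadplugin.action"


def parse_line(line):
    """Combined-format line -> dict of fields, or None if it does not parse."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def is_upload_attempt(rec):
    """POST to the pdkinstall upload action, query string ignored."""
    path = rec["path"].split("?", 1)[0]
    return rec["method"] == "POST" and path.endswith(UPLOAD_SUFFIX)


def hunt(lines):
    """Return the upload attempts, a per-source count, and the subset that
    got a 200 (likely successful install on an unpatched host)."""
    hits = [rec for rec in map(parse_line, lines) if rec and is_upload_attempt(rec)]
    return {
        "hits": hits,
        "per_source": Counter(rec["ip"] for rec in hits),
        "likely_success": [rec for rec in hits if rec["status"] == "200"],
    }


# Constructed sample log: a GET probe of the endpoint, the upload itself,
# an ordinary login, an upload attempt against a host that 404s, and noise.
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Jul/2019:03:12:40 +0000] "GET /crowd/admin/uploadplugin.action HTTP/1.1" 405 0 "-" "python-requests/2.22.0"',
    '198.51.100.7 - - [15/Jul/2019:03:12:44 +0000] "POST /crowd/admin/uploadplugin.action HTTP/1.1" 200 512 "-" "python-requests/2.22.0"',
    '203.0.113.9 - - [15/Jul/2019:03:15:02 +0000] "POST /crowd/console/login.action HTTP/1.1" 302 0 "https://crowd.example.internal/crowd/console/login.action" "Mozilla/5.0"',
    '192.0.2.50 - - [16/Jul/2019:11:01:13 +0000] "POST /crowd/admin/uploadplugin.action?token=x HTTP/1.1" 404 210 "-" "curl/7.64.0"',
    "this line is not in combined format",
]

if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    for rec in result["hits"]:
        print(f'{rec["ts"]} {rec["ip"]} -> {rec["path"]} status={rec["status"]}')
    print("attempts per source:", dict(result["per_source"]))
    print("likely successful installs:", len(result["likely_success"]))
```

The GET probe is deliberately not a hit: the Metasploit check below only confirms the endpoint exists, so a lone GET is reconnaissance, not exploitation, but the same source IP returning with a POST a few seconds later is the pattern to alert on.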
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| VulnCheck | | 9.8 | CRITICAL | |
| CISA | | 9.8 | CRITICAL | |
CISA
Atlassian Crowd and Crowd Data Center Remote Code Execution Vulnerability
cisa·2021-11-03·CVSS 9.8
Affected: Atlassian Crowd and Crowd Data Center
Atlassian Crowd and Crowd Data Center contain a remote code execution vulnerability resulting from a pdkinstall development plugin being incorrectly enabled in release builds.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-11580
Remediation Due Date: 2022-05-03
GHSA
GHSA-8977-4jwc-24g8: Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds
ghsa_unreviewed·2022-05-24
VulnCheck
Atlassian Crowd and Crowd Data Center Remote Code Execution Vulnerability
vulncheck·2019·CVSS 9.8
Atlassian Crowd and Crowd Data Center contain a remote code execution vulnerability resulting from a pdkinstall development plugin being incorrectly enabled in release builds.
Affected: Atlassian Crowd and Crowd Data Center
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://cisa.gov/news-events/cybersecurity-advisories/aa20-275a; https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF; https://us-cert.cisa.gov/ncas/alerts/aa20-275a; https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; http
Suricata
ET WEB_SPECIFIC_APPS Atlassian Crowd Plugin Upload Attempt (CVE-2019-11580)
suricata·2019-07-16·CVSS 9.8
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Atlassian Crowd Plugin Upload Attempt (CVE-2019-11580)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin/uploadplugin.action"; endswith; fast_pattern; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|file_"; content:"Content-Type|3a 20|application/octet-stream|0d 0a 0d 0a 50 4b 03 04|"; distance:0; reference:url,www.corben.io/atlassian-crowd-rce/; reference:cve,CVE-2019-11580; classtype:attempted-admin; sid:2027712; rev:3; metadata:attack_target Web_Server, created_at 2019_07_16, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major,
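The rule keys on three things: a POST, a URI ending in /admin/uploadplugin.action, and a body with a form-data part named `file_…` whose application/octet-stream payload starts with the ZIP magic 50 4b 03 04 (every JAR is a ZIP). The following is an added example, not the ET rule itself and not Atlassian code, that applies the same three checks to a raw HTTP request so the rule's logic can be exercised offline, and additionally pulls out the multipart/mixed envelope and the uploaded filename that the detection notes above mention. The three requests are constructed; the part name `file_cdl` is an assumption that satisfies the rule's `name="file_` prefix, not a claim about any particular exploit.

```python
"""Offline mirror of ET sid 2027712 (Atlassian Crowd plugin upload attempt).

Added example, not the Emerging Threats rule or Atlassian code. Applies the
rule's content matches to a raw HTTP/1.1 request and extracts the two extra
IOCs from the page (multipart/mixed envelope, uploaded filename). Requests
below are constructed.
"""
import re

UPLOAD_SUFFIX = b"/admin/uploadplugin.action"
ZIP_MAGIC = b"PK\x03\x04"                      # 50 4b 03 04: ZIP/JAR local file header
PART_MARK = b'Content-Disposition: form-data; name="file_'
PAYLOAD_MARK = b"Content-Type: application/octet-stream\r\n\r\n" + ZIP_MAGIC


def split_request(raw):
    """Raw request bytes -> (method, target, {lowercased header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, target, _version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def matches_rule(raw):
    """True when all of the rule's conditions hold: POST, URI suffix, and a
    file_* form-data part followed (distance:0) by an octet-stream ZIP."""
    method, target, _headers, body = split_request(raw)
    if method != b"POST" or not target.split(b"?", 1)[0].endswith(UPLOAD_SUFFIX):
        return False
    i = body.find(PART_MARK)
    return i >= 0 and body.find(PAYLOAD_MARK, i) >= 0


def triage_request(raw):
    """Rule verdict plus the two extra IOCs from the detection notes."""
    _method, _target, headers, body = split_request(raw)
    ctype = headers.get(b"content-type", b"")
    m = re.search(rb'filename="([^"]*)"', body)
    return {
        "rule_hit": matches_rule(raw),
        "multipart_mixed": ctype.lower().startswith(b"multipart/mixed"),
        "filename": m.group(1).decode(errors="replace") if m else None,
    }


# Constructed request shaped like the exploitation vector described above.
# The field name file_cdl is an assumption that fits the rule's name="file_ prefix.
EXPLOIT_REQUEST = (
    b"POST /crowd/admin/uploadplugin.action HTTP/1.1\r\n"
    b"Host: crowd.example.internal\r\n"
    b"Content-Type: multipart/mixed; boundary=----boundary\r\n"
    b"\r\n"
    b"------boundary\r\n"
    b'Content-Disposition: form-data; name="file_cdl"; filename="rce.jar"\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"PK\x03\x04" + bytes(16) + b"\r\n------boundary--\r\n"
)

# Ordinary login, for contrast.
LOGIN_REQUEST = (
    b"POST /crowd/console/login.action HTTP/1.1\r\n"
    b"Host: crowd.example.internal\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"username=admin&password=hunter2\r\n"
)

# Hits the upload action but carries no file_* part and no ZIP, so the rule
# stays silent; an access-log hunt on the URI alone would still flag it.
PLAIN_UPLOAD = (
    b"POST /crowd/admin/uploadplugin.action HTTP/1.1\r\n"
    b"Host: crowd.example.internal\r\n"
    b"Content-Type: multipart/form-data; boundary=----b\r\n"
    b"\r\n"
    b"------b\r\n"
    b'Content-Disposition: form-data; name="file"; filename="notes.txt"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n------b--\r\n"
)

if __name__ == "__main__":
    for label, req in [("exploit", EXPLOIT_REQUEST), ("login", LOGIN_REQUEST), ("plain", PLAIN_UPLOAD)]:
        print(label, triage_request(req))
```

The third request shows the trade-off between the two detections on this page: the ET rule is precise because it requires the JAR payload, while a URI-only hunt is noisier but also catches probes and failed attempts.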
Metasploit
Atlassian Crowd pdkinstall Unauthenticated Plugin Upload RCE
metasploit
This module can be used to upload a plugin on Atlassian Crowd via the pdkinstall development plugin as an unauthenticated attacker. The payload is uploaded as a JAR archive containing a servlet using a POST request to /crowd/admin/uploadplugin.action. The check command will check that the /crowd/admin/uploadplugin.action page exists and that it responds appropriately to determine if the target is vulnerable or not.
Nuclei
Atlassian Crowd and Crowd Data Center - Unauthenticated Remote Code Execution
nuclei·CVSS 9.8
Atlassian Crowd and Crowd Data Center is susceptible to a remote code execution vulnerability because the pdkinstall development plugin is incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. All versions of Crowd from version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.
Unit42
The Shadow Campaigns: Uncovering Global Espionage
blogs_unit42·2026-02-05
Unit 42, published February 5, 2026. Tags: Nation-State Cyberattacks, Threat Actor Groups, Espionage, Government, Phishing, TGR-STA-1030
## Executive Summary
This investigation unveils a new cyberespionage group that Unit 42 tracks as TGR-STA-1030. We refer to the group’s activity as the Shadow Campaigns. We assess with high confidence that TGR-STA-1030 is a state-aligned group that operates out of Asia. Over the past year, this group has compromised government and critical infrastructure organizations across 37 countries. This means that approximately one out of every five countries has experienced a critical breach from this group in the past year. Further, between November and December 2025, we observed the group conducting active reconnaissance against government infrastructure associated with 155 countries.
This group primarily targets government ministries and departments. For example, the group has successfully com
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio·2026-02-02
Unit42
01flip: Multi-Platform Ransomware Written in Rust
blogs_unit42·2025-12-10
Hiroaki Hara, published December 10, 2025. Tags: Cybercrime, Ransomware, Threat Research, Bitcoin, CL-CRI-1036, Cryptocurrency, Forums, Linux, Rust, Sliver, Windows
## Executive Summary
In June 2025, we observed a new ransomware family named 01flip targeting a limited set of victims in the Asia-Pacific region. 01flip ransomware is fully written in the Rust programming language and supports multi-platform architectures by leveraging the cross-compilation feature of Rust.
These financially motivated attackers likely carried this out through manual means. We have confirmed an alleged data leak from an affected organization on a dark web forum shortly after the attack. We are currently tracking this activity as CL-CRI-1036, signifying a cluster of malicious activity that is likely related to cybercrime.
Our key findings are:
- Financially motivated attackers behind CL-CRI-1036 use 01flip ransomware, a newly observed ransomware family purely written in
Qualys
CISA Alert: Top Routinely Exploited Vulnerabilities | Qualys
blogs_qualys·2021-07-29
#### Table of Contents
- Top Routinely Exploited Vulnerabilities
- Detect CISA's Top Routinely Exploited Vulnerabilities using Qualys VMDR
- Recommendations
- Remediation and Mitigation
- Get Started Now
On July 28, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a cybersecurity advisory detailing the top 30 publicly known vulnerabilities that have been routinely exploited by cyber threat actors in 2020 and 2021. Organizations are advised to prioritize and apply patches or workarounds for these vulnerabilities as soon as possible.
The advisory states, “If an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the largest numbe
Trendmicro
Manage Zero Day Exploits (ZDI) with Trend Micro Solutions
blogs_trendmicro·2021-04-28
Cyber Threats
## How Trend Micro Helps Manage Exploited Vulnerabilities
As technological innovations evolve, protecting companies from cyber threats tomorrow secures their businesses today. Read how Trend Micro protects customers from vulnerability exploits by blocking them as early as possible.
By: Jon Clay, April 28, 2021
As technological innovations evolve, protecting companies from cyber threats tomorrow secures their businesses today. Exploiting known vulnerabilities to successfully compromise an organization has long been a common tactic used by malicious actors. Whether Heartbleed, EternalBlue, or most recently Zerologon, threat actors take advantage of newly disclosed vulnerabilities in their attacks. But even with thousands of new vulnerabilities
Unit42
Threat Brief: FireEye Red Team Tool Breach
blogs_unit42·2020-12-11
Unit 42, published December 10, 2020. Tags: High Profile Threats, Malware, Vulnerabilities, FireEye breach
## Executive Summary
On Dec. 8, 2020, one of the leading cybersecurity companies in the industry, FireEye, reported a breach and data exfiltration unlike any that we have seen previously. What makes this attack unique is not only the target, FireEye being a well-known cybersecurity company, but that the stolen data contains the internal, custom-crafted red-team and penetration testing tools used by the company to imitate different threat actors during customer security consultations. FireEye’s blog provided a wealth of information for defenders to implement security controls and mitigations for defense against the stolen tools. This data is being used by Palo Alto Networks to help ensure our customers are protected if the attackers choose to utilize the tools for malicious purposes.
It i
Fortinet
FireEye Red Team Tool Breach | Fortinet
blogs_fortinet·2020-12-11·CVSS 8.8
PSIRT Blogs
By Carl Windsor | December 11, 2020
Executive Summary
On December 8th cyber security vendor FireEye reported a breach of their network and data exfiltration which included their internally developed Red Team tools. FireEye took the step of publishing details of these tools in a GitHub repository to allow other vendors to protect against their use by potential adversaries.
This breach has been attributed to a nation state threat actor so we do not expect to see these tools be widely abused in the wild, however with the additional information provided by FireEye, Fortinet have been able to ensure that these tools cannot be abused.
Threat Mitigation
None of the vulnerabilities disclosed as targeted in the tools were zero days, therefore FortiGuard
Qualys
Solorigate/Sunburst : Theft of Cybersecurity Tools | FireEye Breach | Qualys
blogs_qualys·2020-12-10
Update Jan 5, 2021: New patching section with two new dashboard widgets showing the number of missing FireEye-related patches in your environment and the number of assets in your environment missing one of those patches.
Update Dec 23, 2020: Added a new section on compensating controls.
Update Dec 22, 2020: FireEye disclosed the theft of their Red Team assessment tools. Hackers now have an influential collection of new techniques to draw upon.
Using Qualys VMDR, the vulnerabilities for Solorigate/SUNBURST can be prioritized for the following Real-Time Threat Indicators (RTIs):
- Active Attacks
- Solorigate Sunburst (New RTI)
Original post: On December 8, 2020, FireEye disclosed theft of their Red Team assessment tools. These tools are used by FireEye to test and validate the security
Tenable
Government Agencies Warn of State-Sponsored Actors Exploiting Publicly Known Vulnerabilities
blogs_tenable·2020-10-23
Qualys
NSA Alert: Chinese State-Sponsored Actors Exploit Known Vulnerabilities | Qualys
blogs_qualys·2020-10-22 (tagged CVE-2020-15505)
#### Table of Contents
- Detect 25 Publicly Known Vulnerabilities using VMDR
Update November 25, 2020: The UK National Cyber Security Centre alerts that APT nation-state groups and cybercriminals are exploiting MobileIron RCE vulnerability (CVE-2020-15505).
Original post: On October 20, 2020, the United States National Security Agency (NSA) released a cybersecurity advisory on Chinese state-sponsored malicious cyber activity. The NSA alert provided a list of 25 publicly known vulnerabilities that are known to be recently leveraged by cyber actors for various hacking operations.
“Since these techniques include exploitation of publicly known vulnerabilities, it is critical that network defenders prioritize patching and mitigation efforts,” said the NSA advisory. It also recommended “critic
Checkpoint
22nd July – Threat Intelligence Bulletin
blogs_checkpoint·2019-07-22
## 22nd July – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 22nd July 2019, please download our Threat Intelligence Bulletin
TOP ATTACKS AND BREACHES
The Bulgarian government has suffered a major data breach exposing personal and financial information of 5 million citizens after threat actors managed to hack the country’s tax reporting service. The threat actors, who claim to be Russians, sent some of the 21 GB of stolen information to the Bulgarian media.
SyTech, a co
Tenable
CVE-2019-11580: Proof-of-Concept for Critical Atlassian Crowd Remote Code Execution Vulnerability Now Available
blogs_tenable·2019-07-15·CVSS 9.8
Recorded Future
Analyze Recent Atlassian Vulnerabilities and Keep Your Infrastructure Protected
blogs_recorded_future·CVSS 9.6
For years, software solutions built by Atlassian have found their way to nearly every organization's software stack. Tools such as JIRA, Confluence, Bamboo, and BitBucket are often seen playing a crucial role in various departments across enterprises.
From managing projects or handling organization-wide documentation, to hosting the very code of a product being developed by the organization, the constant reliance upon and amount of historical data held within these applications have turned them into a lucrative target for attackers, expanding the attack surface in the process.
## Historical Atlassian Vulnerabilities
Traditionally, vulnerabilities within the Atlassian software stack have originated from di
HackerOne
Root Remote Code Execution on https://███
hackerone·2019-10-04·CVSS 9.8
**Summary:**
Atlassian Crowd is a centralized identity management application that allows companies to "Manage users from multiple directories - Active Directory, LDAP, OpenLDAP or Microsoft Azure AD - and control application authentication permissions in one single location."
A DOD installation is vulnerable to a remote code execution vulnerability due to not patching CVE-2019-11580.
**Description:**
From Atlassian's public [advisory](https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html):
> Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploi
References
- http://packetstormsecurity.com/files/163810/Atlassian-Crowd-pdkinstall-Remote-Code-Execution.html
- http://www.securityfocus.com/bid/108637
- https://jira.atlassian.com/browse/CWD-5388
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11580
Timeline
- 2019-06-03: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild