The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially included several vulnerabilities affecting Zyxel, ProjectSend, North Grid Proself, and CyberPanel in its Known Exploited Vulnerabilities (KEV) catalog. This decision follows evidence of these vulnerabilities being actively exploited in the wild, raising alarms for businesses utilizing these products.
Among the identified vulnerabilities is CVE-2024-51378, which carries a CVSS score of 10.0, indicating a critical level of risk. This particular flaw allows for authentication bypass and the execution of arbitrary commands via shell metacharacters in the statusfile property. Security experts are also concerned about CVE-2023-45727, rated at 7.5, which involves improper restriction of XML External Entity (XXE) references, enabling potential remote attacks. Another critical issue, CVE-2024-11680, has a score of 9.8 and can permit unauthenticated attackers to create accounts and deploy harmful web shells. Lastly, CVE-2024-11667, with a CVSS score of 7.5, enables file uploads or downloads through a path traversal vulnerability in the web management interface.
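The three flaw classes described above (shell metacharacters reaching a command, path traversal in a file upload/download handler, and XML External Entity references) each have a well-known defensive pattern. The following is an added, hypothetical Python example written for this page; it is not code from CyberPanel, Proself, ProjectSend, Zyxel, or any other vendor named here, and the function names, the status directory path and the sample XML documents are all constructed for illustration.

```python
"""Defensive input-handling patterns for the flaw classes named in the article.

Hypothetical code written for this page; not from any vendor discussed above.
"""
import re
import subprocess
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import List

# (1) Shell metacharacters.  A value that reaches a command line is validated
# against a strict allowlist and passed as a discrete argv element, never
# interpolated into a string handed to a shell.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# Constructed status directory; a real service would use its own location.
STATUS_DIR = "/var/lib/example-app/status"


def is_safe_name(value: str) -> bool:
    """True only for short names made of letters, digits, '_', '.', '-'."""
    return _SAFE_NAME.fullmatch(value) is not None


def build_status_command(statusfile: str) -> List[str]:
    """Return an argv list for reading a status file, or raise ValueError.

    Because the result is a list used without shell=True, characters such as
    ';', '|' or '$(' are never interpreted by a shell even if the allowlist
    were later relaxed."""
    if not is_safe_name(statusfile):
        raise ValueError(f"rejected status file name: {statusfile!r}")
    return ["cat", f"{STATUS_DIR}/{statusfile}"]


def read_status(statusfile: str) -> str:
    """Run the validated command with subprocess, no shell involved."""
    argv = build_status_command(statusfile)
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


# (2) Path traversal.  The user-supplied path is joined to the upload root,
# fully resolved, and then required to still lie inside that root.
def resolve_under(base: str, user_path: str) -> Path:
    """Resolve user_path strictly inside base; raise ValueError if it escapes.

    Handles '..' segments, absolute paths and symlinked parents, because the
    check is done on the fully resolved candidate rather than on the string."""
    base_resolved = Path(base).resolve()
    candidate = (base_resolved / user_path).resolve()
    try:
        candidate.relative_to(base_resolved)
    except ValueError:
        raise ValueError(f"path escapes {base!r}: {user_path!r}") from None
    return candidate


def is_within(base: str, user_path: str) -> bool:
    """Boolean form of resolve_under for callers that only need a verdict."""
    try:
        resolve_under(base, user_path)
        return True
    except ValueError:
        return False


# (3) XXE.  A service that never expects a DTD can reject any document that
# carries a DOCTYPE or ENTITY declaration before it reaches the parser; that
# is the coarse pre-parse guard shown here (libraries such as defusedxml do
# the same more thoroughly).
_DTD_DECL = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def has_dtd_declarations(xml_bytes: bytes) -> bool:
    """True if the document declares a DOCTYPE or an ENTITY."""
    return _DTD_DECL.search(xml_bytes) is not None


def parse_xml_without_dtd(xml_bytes: bytes) -> ET.Element:
    """Parse XML only after confirming it carries no DTD declarations."""
    if has_dtd_declarations(xml_bytes):
        raise ValueError("DTD declarations are not accepted")
    return ET.fromstring(xml_bytes)


# Constructed sample documents used by the self-check below.
SAMPLE_XML = b'<?xml version="1.0"?><note><to>ops</to><body>ok</body></note>'
SAMPLE_DTD_XML = b'<?xml version="1.0"?><!DOCTYPE note SYSTEM "note.dtd"><note/>'


if __name__ == "__main__":
    print(build_status_command("web-01.status"))
    print(is_within("uploads", "2024/report.txt"), is_within("uploads", "../etc/shadow"))
    print(parse_xml_without_dtd(SAMPLE_XML).tag, has_dtd_declarations(SAMPLE_DTD_XML))
```

The common thread is that each guard checks the canonical form of the input (a validated argv element, a resolved filesystem path, the raw bytes before the parser sees them) rather than trying to strip dangerous characters out of a string after the fact.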
The addition of CVE-2023-45727 to the KEV catalog follows a recent report from Trend Micro, which attributed its exploitation to a China-linked cyber espionage group tracked as Earth Kasha (also known as MirrorFace). Separately, VulnCheck reported that attempts to weaponize CVE-2024-11680 have been observed since as early as September 2024, highlighting the ongoing efforts by threat actors to deploy post-exploitation payloads.
Moreover, CVE-2024-51378 and CVE-2024-11667 have been tied to ransomware campaigns, including those tracked as PSAUX and Helldown, by researchers at Censys and Sekoia. Agencies in the Federal Civilian Executive Branch (FCEB) are required to remediate these vulnerabilities by December 25, 2024, in an effort to strengthen their network defenses.
In a related development, the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) has issued a warning regarding security flaws in I-O DATA routers, specifically models UD-LT1 and UD-LT1/EX. Unknown actors are reportedly exploiting these vulnerabilities, including CVE-2024-45841, which allows guest account users to access sensitive files, and CVE-2024-47133, which enables OS command injection for administrative users. Another critical vulnerability, CVE-2024-52564, could give attackers the ability to disable firewall functions and manipulate router configurations.
Patches addressing CVE-2024-52564 have been released, while fixes for the remaining vulnerabilities are expected by December 18, 2024. Meanwhile, I-O DATA is urging customers to enhance their security by disabling remote access and changing default passwords.
The ongoing threat landscape underscores the need for proactive security measures in both domestic and international contexts. As these vulnerabilities are exploited, business owners must stay vigilant and informed, using frameworks such as MITRE ATT&CK to understand the tactics and techniques adversaries may employ. Tactics such as initial access, privilege escalation, and command and control (C2) remain critical considerations for effective cybersecurity planning.