Recently patched security vulnerabilities affecting Progress Kemp LoadMaster and VMware vCenter Server have been reported as actively exploited in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) highlighted the severity of these issues on Monday, adding CVE-2024-1212—which has received a maximum severity score of 10.0—to its Known Exploited Vulnerabilities (KEV) catalog.

This vulnerability in Progress Kemp LoadMaster, an OS command injection flaw, was patched by Progress Software in February 2024. It allows unauthenticated remote attackers to execute arbitrary commands via the LoadMaster management interface, posing significant risk to affected systems.

Rhino Security Labs, which initially reported this vulnerability, indicated that successful exploitation could grant an attacker full control over the load balancer, given access to the administrator web user interface. The flaw is therefore a serious concern for organizations relying on Kemp LoadMaster devices.

Simultaneously, CISA revealed that attackers have also started exploiting critical vulnerabilities in VMware vCenter Server, specifically CVE-2024-38812 and CVE-2024-38813. Both vulnerabilities, disclosed during the Matrix Cup cybersecurity competition in China earlier this year, received severity scores of 9.8 and 7.5, respectively. These security flaws were initially addressed in a patch released in September 2024, but subsequent updates were issued as initial fixes did not fully resolve the issues.

For CVE-2024-38812, the vulnerability involves a heap overflow within the DCERPC protocol implementation, enabling remote code execution for attackers with network access. On the other hand, CVE-2024-38813 allows for privilege escalation, giving malicious actors the means to elevate their access rights to root level.

While there are no confirmed real-world incidents involving these VMware vulnerabilities, CISA has advised that Federal Civilian Executive Branch (FCEB) agencies must remediate CVE-2024-1212 by December 9, 2024, in order to minimize potential risks. Additionally, a recent report from Sophos underscores the increasing threat of cybercriminals weaponizing vulnerabilities like CVE-2024-40711 in Veeam Backup & Replication, a critical flaw that has enabled the deployment of a new ransomware variant, Frag.

On November 20, 2024, CISA further updated its KEV catalog to include the two VMware vCenter Server-related vulnerabilities, requiring FCEB agencies to implement vendor-mandated mitigations by December 11, 2024. It’s important to note that SonicWall, in a report from late March 2024, indicated observing exploitation attempts against CVE-2024-1212, though details about the targeted systems and the nature of attacks remain unclear.

As these incidents unfold, business leaders should consider the implications for their cybersecurity posture, particularly with regard to adversary tactics outlined in the MITRE ATT&CK framework. Potential tactics leveraged in these ongoing exploits include initial access through common web interfaces, as well as privilege escalation techniques that threaten the integrity of networked systems. Rapid remediation and proactive monitoring will be crucial in navigating these evolving threats.
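The remediation deadlines above come from CISA's KEV catalog, so the practical first step is to cross-reference that catalog against an asset inventory. The following is an added example (not code from the article, CISA, or any vendor): it parses a constructed excerpt in the shape of CISA's KEV JSON feed (the CVE IDs and due dates are taken from the article; the product strings and the inventory hosts are assumptions) and reports, per asset, how many days remain before the required remediation date.

```python
"""Match a KEV catalog excerpt against an asset inventory and compute
remediation deadlines. Added example; the KEV excerpt and inventory below
are constructed, with product strings and hostnames assumed."""
import json
from datetime import date

# Constructed excerpt using the field names of the real KEV JSON feed
# (cveID, vendorProject, product, dueDate); due dates are from the article.
KEV_EXCERPT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-1212", "vendorProject": "Progress",
     "product": "Kemp LoadMaster", "dueDate": "2024-12-09"},
    {"cveID": "CVE-2024-38812", "vendorProject": "VMware",
     "product": "vCenter Server", "dueDate": "2024-12-11"},
    {"cveID": "CVE-2024-38813", "vendorProject": "VMware",
     "product": "vCenter Server", "dueDate": "2024-12-11"},
]})

# Constructed inventory; "patched" lists CVEs already confirmed remediated.
INVENTORY = [
    {"host": "lb-edge-01", "vendor": "Progress", "product": "Kemp LoadMaster", "patched": []},
    {"host": "vcsa-prod", "vendor": "VMware", "product": "vCenter Server 8.0",
     "patched": ["CVE-2024-38813"]},
    {"host": "web-03", "vendor": "Nginx", "product": "nginx", "patched": []},
]


def triage(kev_json: str, inventory: list, today_iso: str) -> list:
    """Return one finding per (asset, unpatched KEV CVE) pair, sorted by due date.
    Matching is case-insensitive on vendor and a substring match on product,
    so a versioned inventory entry like 'vCenter Server 8.0' still matches."""
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if asset["vendor"].lower() != entry["vendorProject"].lower():
                continue
            if entry["product"].lower() not in asset["product"].lower():
                continue
            if entry["cveID"] in asset.get("patched", []):
                continue  # already remediated on this host
            days_left = (due - today).days
            findings.append({"host": asset["host"], "cve": entry["cveID"],
                             "due": entry["dueDate"], "days_left": days_left,
                             "overdue": days_left < 0})
    return sorted(findings, key=lambda f: (f["due"], f["host"]))


if __name__ == "__main__":
    for f in triage(KEV_EXCERPT, INVENTORY, date.today().isoformat()):
        print(f"{f['host']:12} {f['cve']:16} due {f['due']} "
              f"({'OVERDUE' if f['overdue'] else str(f['days_left']) + ' days left'})")
```

Swapping `KEV_EXCERPT` for the full downloaded catalog works unchanged, since only the four fields shown are read.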
