Patch ServiceNow, Outlook, Docker Engine


Cyble Research & Intelligence Labs (CRIL) researchers investigated 22 security vulnerabilities this week, plus industrial control system (ICS) vulnerabilities and dark web exploits, to help us arrive at our list of six vulnerabilities that security teams need to prioritize.

Those vulnerabilities include exploitable flaws in ServiceNow, Acronis, VMware, Microsoft Outlook, Progress Telerik and Docker Engine.

Each week, The Cyber Express partners with Cyble’s highly skilled dark web and threat intelligence researchers to highlight the vulnerabilities that are at higher risk of exploit and attack and should be prioritized for fixes by security teams.

The Week’s Top Vulnerabilities

These are the six high-severity and critical vulnerabilities that Cyble researchers have highlighted this week.

CVE-2024-37085: VMware ESXi

Impact Analysis: This high-severity authentication bypass vulnerability affects VMware ESXi, VMware's enterprise-class type-1 hypervisor, and is under active exploitation by ransomware groups. An ESXi host that has been joined to Active Directory (AD) for user management grants full administrative access to members of an AD group named ‘ESX Admins’ by default, and it does not check whether that group existed when the host was joined or who created it. An attacker with enough AD permissions to create a group (or rename an existing one) and add members to it can therefore take full control of every domain-joined ESXi host. Ransomware operators have used that access to steal sensitive data from VMs, move laterally through the victim’s network, and then encrypt the ESXi datastores that hold the virtual machine files, causing outages and disrupting business operations. Beyond patching, the behaviour is governed by two ESXi advanced settings: Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd (whether the group is granted admin rights automatically) and Config.HostAgent.plugins.hostsvc.esxAdminsGroup (which group name is trusted). Disabling the former, or pointing the latter at a tightly controlled group, closes the hole on hosts that cannot be patched immediately, and alerting on creation, rename or membership changes of an ‘ESX Admins’ group in AD catches the attack while it is in progress.

Internet Exposure? Yes

Patch Available? Yes

CVE-2017-11774: Microsoft Outlook

Impact Analysis: This high-severity security feature bypass affects Microsoft Outlook 2010 SP2, Outlook 2013 SP1 and RT SP1, and Outlook 2016, and lets an attacker execute arbitrary commands through Outlook’s folder “home page” feature (the CVE description attributes the flaw to how Microsoft Office handles objects in memory). Researchers recently released a red team post-exploitation framework named “Specula” that turns Outlook into a command-and-control (C2) beacon: it sets a custom home page for an Outlook folder through the per-user WebView registry value (HKCU\Software\Microsoft\Office\<version>\Outlook\WebView\Inbox\URL), relying on the CVE-2017-11774 behaviour, and the attacker-hosted page then executes code each time Outlook renders that folder. Because the technique needs only a registry write in the current user’s hive, it is a persistence and C2 method for an attacker who already has a foothold, not an initial-access vector. Since outlook.exe is a trusted, signed process, commands launched from it are less likely to be flagged by endpoint security software. Cyble researchers concluded that because of the new research, “we believe that we may observe attackers using the tool for malicious purposes in the future.”

Internet Exposure? No

Patch Available? Yes
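Both of the attack paths above leave a footprint in standard Windows telemetry: the ESXi abuse shows up in Active Directory as an ‘ESX Admins’ group being created, renamed to, or gaining members, and the Specula technique shows up as a registry write to an Outlook WebView URL value. The detection logic below, run over constructed sample events, is an added example and is not Cyble’s or The Cyber Express’s code. It assumes events arrive as flat dicts carrying the field names of Windows Security events 4727 (security group created), 4728 (member added) and 4781 (account name changed) and of Sysmon Event ID 13 (registry value set); a SIEM would map its own schema onto these names.

```python
"""Detection rules for the 'ESX Admins' group abuse (CVE-2024-37085) and for
Outlook home-page (WebView) persistence as used by Specula. Added example,
not Cyble's code. Field names follow Windows Security events 4727/4728/4781
and Sysmon Event ID 13; sample events below are constructed, not real logs."""

import re
from dataclasses import dataclass

# The AD group name a domain-joined ESXi host trusts by default (AD names are case-insensitive).
ESX_ADMINS_GROUP = "esx admins"

# Outlook folder home-page URL value: per-user hive, any Office version, any folder name.
WEBVIEW_URL_RE = re.compile(
    r"\\software\\microsoft\\office\\\d+\.\d+\\outlook\\webview\\[^\\]+\\url$",
    re.IGNORECASE,
)


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def _is_esx_admins(name):
    return (name or "").strip().lower() == ESX_ADMINS_GROUP


def detect_esx_admins(events):
    """Flag creation of, rename to, or membership change on an AD group named
    'ESX Admins'. ESXi treats its members as administrators even if the group
    did not exist when the hosts were joined to the domain."""
    alerts = []
    for e in events:
        eid = e.get("EventID")
        if eid == 4727 and _is_esx_admins(e.get("TargetUserName")):
            alerts.append(Alert("esxi_ad_group_created", e["Computer"],
                                f"{e['SubjectUserName']} created group {e['TargetUserName']}"))
        elif eid == 4728 and _is_esx_admins(e.get("TargetUserName")):
            alerts.append(Alert("esxi_ad_group_member_added", e["Computer"],
                                f"{e['SubjectUserName']} added {e['MemberName']} to {e['TargetUserName']}"))
        elif eid == 4781 and _is_esx_admins(e.get("NewTargetUserName")):
            alerts.append(Alert("esxi_ad_group_renamed", e["Computer"],
                                f"{e['OldTargetUserName']} renamed to {e['NewTargetUserName']}"))
    return alerts


def detect_outlook_homepage(events):
    """Flag Sysmon 13 (SetValue) writes to an Outlook WebView URL value. The patch
    removed the UI for setting a folder home page, so any writer deserves a look;
    a non-Outlook writer such as reg.exe or PowerShell is the Specula pattern."""
    alerts = []
    for e in events:
        if e.get("EventID") != 13 or not WEBVIEW_URL_RE.search(e.get("TargetObject", "")):
            continue
        writer = e.get("Image", "").rsplit("\\", 1)[-1].lower()
        rule = "outlook_homepage_set_by_outlook" if writer == "outlook.exe" else "outlook_homepage_set_by_other"
        alerts.append(Alert(rule, e["Computer"],
                            f"{e.get('Image')} set {e['TargetObject']} = {e.get('Details')}"))
    return alerts


# Constructed sample events (not real telemetry). 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    {"EventID": 4727, "Computer": "DC01", "SubjectUserName": "svc_hr", "TargetUserName": "Finance Users"},
    {"EventID": 4727, "Computer": "DC01", "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins"},
    {"EventID": 4728, "Computer": "DC01", "SubjectUserName": "jdoe",
     "MemberName": "CN=jdoe,OU=Staff,DC=corp,DC=example", "TargetUserName": "ESX Admins"},
    {"EventID": 4781, "Computer": "DC01", "OldTargetUserName": "Helpdesk", "NewTargetUserName": "esx admins"},
    {"EventID": 13, "Computer": "WS-042", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox\URL",
     "Details": "http://203.0.113.10/home.html"},
    {"EventID": 13, "Computer": "WS-042", "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Outlook\Preferences\NewMailDesktopAlerts",
     "Details": "DWORD (0x00000001)"},
]


def run(events):
    """Return all alerts from both rules, in event order per rule."""
    return detect_esx_admins(events) + detect_outlook_homepage(events)


if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

The rename check matters: an attacker who lacks permission to create groups may still have rights to rename one they control, and ESXi only compares the name. The registry rule deliberately keys on the value path rather than the URL, since a local file path or UNC path works for the attacker as well as an http URL.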

CVE-2024-4879: ServiceNow

Impact Analysis: This critical input validation vulnerability affects the ServiceNow Now Platform, the cloud-based enterprise workflow platform underlying ServiceNow’s products, in its Vancouver and Washington DC releases. An unauthenticated attacker can exploit it to execute code remotely on a vulnerable instance, and exploitation has already led to data breaches. Because Now Platform instances are normally reachable from the internet, an unpatched instance is directly exposed.

Internet Exposure? Yes

Patch Available? Yes

CVE-2024-6327: Progress Telerik Report Server

Impact Analysis: This critical insecure deserialization vulnerability affects Progress Telerik Report Server, a server-based reporting platform, in versions prior to 2024 Q2 (10.1.24.709). An attacker who can reach the server can supply crafted serialized data to execute code remotely and then exfiltrate data. It is the second major vulnerability in Telerik Report Server in recent months.

Internet Exposure? Yes

Patch Available? Yes

CVE-2024-41110: Docker Engine

Impact Analysis: This critical (CVSS 10.0) vulnerability affects certain versions of Docker Engine, the open-source client-server container runtime, but only deployments that use an authorization (AuthZ) plugin; a default installation has no such plugin and is not affected. A specially crafted API request causes the daemon to forward the request or response to the AuthZ plugin without its body, so a plugin that bases its decision on the body may approve a request it would otherwise have denied, leading to unauthorized actions including privilege escalation. The issue was originally fixed in 2019, but the fix was not carried forward into later major releases, so this is a regression.

Internet Exposure? No

Patch Available? Yes
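The failure mode above is easy to see from the plugin’s side of the AuthZ API. The decision function below, an added example that is not Docker’s or any plugin vendor’s code, is written twice: a weak form that inspects the body only when one arrives, and a hardened form that fails closed when a body-bearing request reaches it without a body. The request shape follows Docker’s documented AuthZ plugin request (User, RequestMethod, RequestUri, RequestBody, with the body base64-encoded as it is on the wire); the policy itself, which blocks privileged containers, and the list of body-bearing endpoints are minimal assumptions for illustration, and the sample requests are constructed.

```python
"""Decision logic for a Docker AuthZ plugin, weak and hardened. Added example, not
Docker's code. Request field names follow Docker's AuthZ plugin API; the policy
and endpoint list are illustrative assumptions; sample requests are constructed."""

import base64
import json
import re

# Endpoints where the security-relevant decision lives in the request body.
# Assumption: a minimal list; a real plugin would cover exec, commit, build, etc.
BODY_REQUIRED = [
    re.compile(r"^/(v\d+\.\d+/)?containers/create$"),
    re.compile(r"^/(v\d+\.\d+/)?containers/[^/]+/update$"),
]


def _decode_body(req):
    """Return the JSON body as a dict, or None if the daemon forwarded no body."""
    raw = req.get("RequestBody") or ""
    if not raw:
        return None
    return json.loads(base64.b64decode(raw))


def _body_expected(req):
    path = req.get("RequestUri", "").split("?", 1)[0]
    return req.get("RequestMethod") in ("POST", "PUT") and any(p.match(path) for p in BODY_REQUIRED)


def _privileged(body):
    host = body.get("HostConfig") or {}
    return bool(host.get("Privileged")) or "SYS_ADMIN" in (host.get("CapAdd") or [])


def authz_weak(req):
    """Weak: judges the body only if one is present. A request the daemon forwards
    without its body (the CVE-2024-41110 condition) is allowed by default."""
    body = _decode_body(req)
    if body is not None and _privileged(body):
        return {"Allow": False, "Msg": "privileged containers are not permitted"}
    return {"Allow": True}


def authz_hardened(req):
    """Hardened: a method/endpoint that cannot be judged without its body is denied
    when no body was forwarded, instead of being waved through."""
    body = _decode_body(req)
    if _body_expected(req) and body is None:
        return {"Allow": False, "Msg": "request body missing for a body-bearing endpoint; denied"}
    if body is not None and _privileged(body):
        return {"Allow": False, "Msg": "privileged containers are not permitted"}
    return {"Allow": True}


def _b64(obj):
    return base64.b64encode(json.dumps(obj).encode()).decode()


# Constructed sample requests, as the plugin would receive them from the daemon.
PRIVILEGED_CREATE = {
    "User": "alice", "RequestMethod": "POST", "RequestUri": "/v1.45/containers/create?name=web",
    "RequestBody": _b64({"Image": "alpine", "HostConfig": {"Privileged": True}}),
}
BODY_STRIPPED_CREATE = {  # the same request after the daemon dropped the body
    "User": "alice", "RequestMethod": "POST", "RequestUri": "/v1.45/containers/create?name=web",
    "RequestBody": "",
}
LIST_CONTAINERS = {"User": "alice", "RequestMethod": "GET", "RequestUri": "/v1.45/containers/json"}


if __name__ == "__main__":
    for name, req in [("privileged", PRIVILEGED_CREATE), ("body stripped", BODY_STRIPPED_CREATE),
                      ("list", LIST_CONTAINERS)]:
        print(f"{name:14} weak={authz_weak(req)['Allow']} hardened={authz_hardened(req)['Allow']}")
```

Failing closed on the plugin side is defense in depth, not a substitute for upgrading the daemon: the daemon is what decides whether the body reaches the plugin at all, and a policy that only needs method and path (for example, denying all writes) never depended on the body in the first place.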

CVE-2023-45249: Acronis Cyber Infrastructure

Impact Analysis: This critical remote command execution vulnerability affects Acronis Cyber Infrastructure (ACI), a multi-tenant, hyper-converged infrastructure product that underpins Acronis’s cyber protection offerings. Vulnerable ACI servers accept default credentials, which let an attacker bypass authentication and execute commands remotely. CISA recently added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, which it does only on evidence of active exploitation, so organizations should treat exposed ACI servers as already being targeted.

Internet Exposure? Yes

Patch Available? Yes

Dark Web Exploits, ICS Vulnerabilities, and More

The full Cyble report for subscribers also looks at 11 vulnerability exploits discussed on the dark web, three industrial control system (ICS) vulnerabilities, and the vulnerabilities with the highest number of web asset exposures, some numbering in the hundreds of thousands.

The vulnerability report is just one of hundreds produced by Cyble researchers each week, in addition to client-specific customizable reporting and alerts. Cyble’s weekly sensor report, for example, this week looked at roughly 20 vulnerability exploits and malware, ransomware and phishing attacks observed in Cyble’s scanning activities, along with indicators of compromise (IoCs).


