In November, we highlighted eight trending vulnerabilities. These represent the most dangerous security flaws, either currently being widely exploited by cybercriminals or likely to be exploited in the near future.

Three vulnerabilities were found in Microsoft products. The first one (CVE-2024-43451) allows the theft of the NTLMv2 hash¹, which is used in Windows systems for authentication, enabling an attacker to authenticate on the network as a legitimate user. After that, the attackers can proceed to the next stages of the attack: escalating privileges to administrator level, executing malicious code, and moving laterally to other systems. Ultimately, they can gain full control over compromised devices, steal confidential data, or deploy malware. 

The second vulnerability (CVE-2024-49039) allows an attacker to escalate privileges in Windows and execute commands to manage services, network settings, or user accounts. This could lead to a breach of confidential data. 

The third vulnerability (CVE-2024-49040) affects Microsoft Exchange 2016 and 2019 mail servers, allowing attackers to spoof the sender addresses of incoming emails. This flaw can be exploited in phishing attacks to gain access to sensitive information.

Special attention should be given to the critical vulnerability, CVE-2024-47575, in the FortiManager management system. This vulnerability allows attackers to execute malicious code, gain access to confidential information, and obtain control over Fortinet devices within the corporate network. As a result, attackers can disrupt the operation of compromised devices or block traffic between segments, leading to network failures and reduced security.

Additionally, security researchers discovered the vulnerability CVE-2024-48990 in the needrestart utility of the Ubuntu Linux OS. The utility is used to identify processes that need to be restarted after updating system libraries. Exploiting this vulnerability enables attackers with local access to escalate their privileges to the superuser (root) level. This could lead to a breach of confidential data, injection of malware, as well as the deletion or modification of important files.

Two more vulnerabilities (CVE-2024-0012 and CVE-2024-9474) were discovered in products by Palo Alto Networks. By exploiting these flaws simultaneously, an unauthenticated attacker can gain administrator privileges and perform remote code execution on the compromised device. As a result, cybercriminals can obtain control of the system or its components, inject malware, disrupt device operation, or steal confidential data.

The vulnerability CVE-2024-11667 was found in Zyxel firewalls. The exploitation of this vulnerability enables attackers to remotely conduct a directory traversal attack² and gain access to protected directories and files. This can lead to credential compromise, malware injection, failures in critical system and resources, and even ransom demands.

Read below to learn about these vulnerabilities, how they are exploited, and mitigation strategies in this digest.

The Windows vulnerabilities described below potentially affect around a billion devices, according to The Verge. Any users with outdated versions of Windows are potentially at risk.

NTLMv2 hash disclosure vulnerability in Windows

CVE-2024-43451 (CVSS 6.5, medium severity)

The vulnerability is related to the outdated MSHTML (Microsoft HTML) platform, which is still used in modern versions of Windows to render web pages. This vulnerability allows an attacker to obtain NTLMv2 hash values and authenticate as a legitimate user without credentials.

To exploit the vulnerability, a user only needs to minimally interact with a malicious URL file, such as right-clicking on it, moving it to another folder, or deleting it. There is no need to open the malicious file at all. If cybercriminals manage to compromise an administrator account, they can proceed to the next stages of the attack, such as altering or deleting crucial files, installing malware, or stealing confidential data.

Signs of exploitation: Microsoft notes cases of the vulnerability's exploitation. According to ClearSky, the vulnerability was used to distribute the SparkRAT malware. CISA also added the vulnerability to its Known Exploited Vulnerabilities Catalog.

Publicly available exploits: not available in open sources.

Privilege escalation vulnerability in the Windows Task Scheduler

CVE-2024-49039 (CVSS 8.8, high severity)

This vulnerability discovered in the Windows Task Scheduler is related to authentication flaws. To successfully exploit this flaw, an attacker needs to run a specially crafted application on the target system. 

The attack can be initiated from AppContainer with low privileges. AppContainer allows you to package an application with all its dependencies (including libraries, configuration files, and runtime environment) into an isolated environment that can be easily transferred and run on any system that supports containerization. Containerization ensures the application is isolated from the main operating system and other applications, granting it access only to specifically allocated resources. 

By exploiting this vulnerability, attackers can elevate their privileges to the medium integrity³ level, which would enable them to execute RPC functions⁴ of privileged accounts. As a result, attackers can proceed to the next stages of the attack—other systems on the network.

Signs of exploitation: Microsoft notes cases of the vulnerability's exploitation. According to ESET Research, CVE-2024-49039 is used in conjunction with another vulnerability in Mozilla products (CVE-2024-9680) to spread the RomCom malware. CISA also added the vulnerability to its Known Exploited Vulnerabilities Catalog.

Publicly available exploits: available in open sources.

Vulnerability in the Microsoft Exchange mail server allowing attackers to spoof sender addresses

CVE-2024-49040 (CVSS 7.5, high severity)

This vulnerability is caused by improper handling of recipient addresses by the mail server, allowing attackers to conduct spoofing attacks⁵—sending emails with a fake sender address, making it appear legitimate. Successful exploitation of this vulnerability significantly increases the effectiveness of phishing attacks, which are often the first step towards infiltrating a company's internal network, and can lead to data breaches, malware deployment, or financial losses.

Signs of exploitation: Microsoft notes that attackers may exploit this vulnerability.

Number of potential victims: all users of Microsoft Exchange Server 2016 and 2019 who have not installed the security updates.

Publicly available exploits: not available in open sources.

Mitigation: install the security updates available on the official Microsoft pages: CVE-2024-43451, CVE-2024-49039, and CVE-2024-49040.

Remote code execution vulnerability

CVE-2024-47575 (CVSS score: 9.8; critical severity)

FortiManager is an integrated platform for the centralized management and monitoring of Fortinet's hardware and software solutions. The vulnerability is related to a missing authentication for critical function in the fgfmsd process, responsible for data exchange between the FortiGate firewall and the FortiManager management system. 

Successful exploitation of this vulnerability allows an unauthenticated attacker to remotely execute arbitrary commands on the FortiManager server. As a result, a threat actor can steal configuration data from threat actor-controlled devices and files from the FortiManager server, including encrypted account passwords. Stolen information can be used to breach FortiGate firewalls in order to gain initial access to the corporate network and facilitate further attacks.

Signs of exploitation: Fortinet notes cases of vulnerability's exploitation. According to Mandiant, since June, CVE-2024-47575 has been actively exploited by the UNC5820 group, whose cyberattacks have compromised over 50 servers. CISA also added the vulnerability to its Known Exploited Vulnerabilities Catalog.

Number of potential victims: all users of vulnerable versions. Researchers report that more than 55,000 devices with FortiManager are accessible online.

Publicly available exploits: available in open sources. The exploit was added to Metasploit Framework, a popular penetration testing tool.

Mitigation: all users are advised to update FortiManager to the patched version. If updating to the latest firmware version is not possible, Fortinet recommends using compensating measures:

• Prevent devices with unknown serial numbers from registering in FortiManager by adding the appropriate parameter to the configuration file (for versions 7.0.12 or later, 7.2.5 or later, 7.4.3 or later).

• Apply a custom certificate when creating an SSL tunnel and when authenticating FortiGate devices with FortiManager (for versions 7.2.2 or later, 7.4.0 or later, 7.6.0 or later).

• Create a whitelist of IP addresses for FortiGate devices that are allowed to connect to FortiManager (for versions 7.2.0 or later).

Privilege escalation vulnerability in the needrestart package used to identify processes that need to be restarted 

CVE-2024-48990 (CVSS Score: 7.8; High Severity)

The needrestart utility is installed by default on Ubuntu Server version 21.04 or later. It is used to identify services or processes that need to be restarted after system library updates. This vulnerability allows an authorized attacker to escalate privileges on the system by executing arbitrary code with superuser (root) rights and modifying the PYTHONPATH environment variable⁶. As a result, attackers can install malicious software and gain full access to all files and information, including confidential data, system files, and user credentials.

Signs of exploitation: no confirmed cases of exploitation.

Number of potential victims: all users of vulnerable versions of Ubuntu Server  and other Linux distributions using the needrestart utility up to version 3.8.

Publicly available exploits: a PoC has been published and is openly accessible.

Mitigation: users need to update the software according to these recommendations and disable the interpreter scanning feature in the needrestart configuration file.

Authentication bypass vulnerability in PAN-OS web interface⁷

CVE-2024-0012 (CVSS score: 9.8; critical severity)

The vulnerability is related to a flaw discovered in the uiEnvSetup.php script. The script contains the HTTP_X_PAN_AUTHCHECK parameter, which indicates whether authentication is required to access the PAN-OS management web page. By default, this parameter is set to "on," and the script redirects users to the login page. To bypass authentication, attackers can create a malicious HTTP request with the HTTP_X_PAN_AUTHCHECK parameter set to "off." 

By successfully exploiting this vulnerability, an unauthenticated attacker with access to the management web interface can gain the PAN-OS administrator privileges. With these privileges, the attacker can view confidential information, tamper with the configuration, or exploit other vulnerabilities to escalate privileges.

Signs of exploitation: Palo Alto Networks notes cases of the vulnerability's exploitation. According to Arctic Wolf, attackers have been using this vulnerability in conjunction with another vulnerability in PAN-OS (CVE-2024-9474) since November 19. CISA also added the vulnerability to its Known Exploited Vulnerabilities Catalog.

Number of potential victims: according to researchers from Shadowserver, this vulnerability could affect over 2,000 devices.

Publicly available exploits: available in open sources. The exploit was added to the Metasploit Framework.

Mitigation: install updates on vulnerable devices and follow the vendor's recommendations.

Privilege escalation vulnerability in PAN-OS

CVE-2024-9474 (CVSS score: 7.2; high severity)

This vulnerability in the script for creating remote sessions lies in the lack of input data validation. By exploiting this vulnerability, an attacker with access to the web management interface can execute arbitrary commands on a device with root user privileges. Next, the attacker may attempt to deploy post-exploitation tools or malware on the compromised device, steal configuration data, upload mining binaries, and other payloads.

Signs of exploitation: Palo Alto Networks notes cases of the vulnerability's exploitation. CISA also added the vulnerability to its Known Exploited Vulnerabilities Catalog.

Number of potential victims: according to researchers from Shadowserver, the vulnerability may affect more than 2,000 devices.

Publicly available exploits: there is a tool available in the public domain for exploiting this vulnerability. The exploit was added to the Metasploit Framework.

Mitigation: install updates on vulnerable devices and follow the vendor's recommendations. 

Directory traversal vulnerability in Zyxel firewalls

CVE-2024-11667 (CVSS score: 7.5; high severity)

The vulnerability in the web management interface of Zyxel ATP and USG FLEX series firewalls is related to improper handling of paths to restricted files or directories. This vulnerability allows an unauthenticated remote attacker to upload arbitrary files to the device via specially crafted URLs and gain access to administrator credentials. An attacker can change firewall rules, deploy malware, steal confidential information, and create a hidden VPN connection to exfiltrate data.

Signs of exploitation: Zyxel notes cases of the vulnerability's exploitation. According to CERT-Bund, attackers are widely using this vulnerability to spread the Helldown ransomware, targeting 32 companies worldwide.

Number of potential victims: all users of Zyxel ATP and USG FLEX firewalls with firmware versions ZLD 4.32–5.38.

Publicly available exploits: not available in open sources.

Mitigation: users are advised to update vulnerable firmware versions and change administrator credentials.

Using popular solutions containing trending vulnerabilities can jeopardize any company. The trending vulnerabilities are highly dangerous and require immediate remediation. In the MaxPatrol VM vulnerability management system, information about vulnerabilities is received within 12 hours of their detection to help eliminate the most dangerous threats quickly and protect company infrastructure. Additionally, we recommend using web application firewalls, such as PT Application Firewall, which help secure public resources.

This digest provides examples of vulnerabilities that attackers have been exploiting recently. Information about them and publicly available exploits is accurate as of November 30, 2024.