Trending vulnerability digest October 2024

In October, we classified four vulnerabilities as trending. These are the most dangerous security flaws that attackers are exploiting today or may start exploiting in the near future.


Three vulnerabilities were discovered in Microsoft solutions. The first, CVE-2024-43573, affects the MSHTML browser engine for processing and displaying HTML pages and can be used in phishing attacks. Exploitation of the vulnerability may lead to confidential information leaks. The next two vulnerabilities (CVE-2024-35250, CVE-2024-30090) allow attackers to escalate privileges to the maximum SYSTEM level in the Windows operating system. After gaining full control of a node, the attacker can follow through on their other goals.

The fourth vulnerability (CVE-2024-31982) is critical and affects XWiki. By exploiting it, attackers can achieve remote code execution (RCE) on the server to gain complete control over the system or its individual components, inject malware, disrupt host operations, or steal confidential data.

Read more about these vulnerabilities, cases of their exploitation, and remediation methods in the digest.

Vulnerabilities in Microsoft solutions

According to The Verge, the following vulnerabilities can affect approximately one billion devices. Any users with outdated versions of Windows are potentially at risk.

Microsoft Windows MSHTML Platform Spoofing Vulnerability

CVE-2024-43573 (CVSS 6.5, medium severity)

This vulnerability in the MSHTML platform of the Windows operating system could lead to the unauthorized disclosure of confidential data. Exploitation of the vulnerability first requires specific actions from a user. Attackers can achieve this with malicious attachments or links leading to fake resources in phishing emails.

Signs of exploitation: Microsoft has documented exploitation in the wild. CISA has also added the vulnerability to its Known Exploited Vulnerabilities Catalog.

Potential number of victims: all Windows users (including Windows Server) who haven't installed the latest version.

Publicly available exploits: not available in open sources.

Windows Kernel-Mode Driver Elevation of Privilege Vulnerability

CVE-2024-35250 (CVSS 7.8, high severity)

An attacker who successfully exploits this vulnerability could gain maximum SYSTEM privileges by manipulating the IOCTL_KS_PROPERTY request in the ks.sys kernel driver. After gaining full control of a host, they can carry out the next attack stages and perform any action as a local administrator, including installing malware, modifying or deleting important files, and accessing confidential data.

Signs of exploitation: Microsoft does not confirm any successful exploitations of the vulnerability.

Potential number of victims: all Windows users (including Windows Server) who haven't downloaded the latest security updates.

Publicly available exploits: the PoC was published with open access.

Windows Kernel Streaming Service Elevation of Privilege Vulnerability

CVE-2024-30090 (CVSS 7.0, high severity)

The vulnerability allows attackers to escalate privileges by manipulating IOCTL requests¹. Windows uses Kernel Streaming to handle data streams from webcams, microphones, and other audio devices. Improper event handling when converting requests from 32-bit to 64-bit lets attackers exploit this error pattern to gain kernel-mode access and SYSTEM privileges (similar to CVE-2024-35250). Successful exploitation requires an attacker to win a race condition².

Signs of exploitation: Microsoft does not confirm any successful exploitations of the vulnerability.

Potential number of victims: all Windows users (including Windows Server) who haven't downloaded the latest security updates.

Publicly available exploits: the PoC was published with open access.

How to eliminate the vulnerabilities in this digest: download security updates from the official Microsoft pages for CVE-2024-43573, CVE-2024-35250, and CVE-2024-30090.
 

  1. IOCTL is a system call for device-specific input/output operations and other operations which cannot be expressed by regular file semantics.
  2. A race condition is a design error where the behavior of a system or application depends on the sequence in which different parts of code are executed.

Vulnerability in XWiki

Open source XWiki remote code execution vulnerability

CVE-2024-31982 (CVSS 10.0, critical severity)

XWiki is a platform for creating collaborative projects using the wiki paradigm. The vulnerability is caused by a lack of validation³ of values in search queries. Attackers can manipulate text in the search bar to execute arbitrary code on the server and gain complete control of the system to pursue their attack goals, including installing malware.

Signs of exploitation: no available data.

Number of potential victims: 21,000+.

Publicly available exploits: the PoC was published with open access.

Remediation and compensation measures: update XWiki to versions 14.10.20, 15.5.4, and 15.10RC1. If for some reason you're unable to update, apply this fix to Main.DatabaseSearch.
 

  3. Data validation is the process of checking if data meets previously defined criteria.
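As an added example (not from the digest or from the XWiki project), the following Python check decides whether a reported XWiki version is at or above the fixed release named above for its branch, so an inventory can be triaged before the next maintenance window. The mapping of installed versions to the three fixed releases and the sample inventory are assumptions.

```python
import re

# Accepts "14.10.20", "15.10RC1" and "15.10-rc-1"; milestones ("15.9M2") too.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)[-.]?(?:(rc|m)-?(\d+))?")

def parse_version(text):
    """Turn a version string into a tuple that sorts correctly: numeric
    parts compare as integers (15.10 > 15.9) and a pre-release sorts below
    the final release of the same number (15.9 < 15.10RC1 < 15.10)."""
    m = _VERSION_RE.fullmatch(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))      # "15.10" -> (15, 10, 0)
    if m.group(2):                      # pre-release: rank 0, tag, number
        return nums, (0, m.group(2), int(m.group(3)))
    return nums, (1, "", 0)             # final release: rank 1

def fixed_version_for(version):
    """Pick which of the three fixed releases from the digest applies.
    Assumption (not stated in the digest): 14.x installs follow the 14.10.x
    line, 15.0-15.5 follow 15.5.x, and anything newer needs 15.10RC1."""
    major, minor = parse_version(version)[0][:2]
    if major < 15:
        return "14.10.20"
    if major == 15 and minor <= 5:
        return "15.5.4"
    return "15.10RC1"

def is_patched(version):
    """True when the instance is at or above the fixed release for its branch."""
    return parse_version(version) >= parse_version(fixed_version_for(version))

def unpatched_hosts(inventory):
    """Hostnames (sorted) whose XWiki version still needs the update."""
    return sorted(h for h, v in inventory.items() if not is_patched(v))

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "wiki-lts.example": "14.10.19",
    "wiki-stable.example": "15.5.4",
    "wiki-dev.example": "15.9",
    "wiki-new.example": "15.10RC1",
}

if __name__ == "__main__":
    print(unpatched_hosts(SAMPLE_INVENTORY))   # ['wiki-dev.example', 'wiki-lts.example']
```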

How to stay protected

Using solutions that contain trending vulnerabilities can jeopardize any company. These flaws are the most dangerous and require immediate remediation. In the MaxPatrol VM vulnerability management system, information about trending vulnerabilities arrives within 12 hours of their detection to help eliminate threats quickly and protect company infrastructure. We also recommend using web application firewalls, such as PT Application Firewall. These security tools help secure resources that are exposed online to an unlimited number of users.

This digest provides examples of vulnerabilities that attackers have been exploiting recently. Information about them and publicly available exploits is accurate as of October 31, 2024.
