3 new indices
Microsoft EOL
The Microsoft EOL data feed contains Microsoft product lifecycle data including release, retirement dates and support policies.
Browse the eol-microsoft index.
Virtuozzo Security Advisories
Virtuozzo security advisories are official notifications released by Virtuozzo to address security vulnerabilities and updates for the Virtuozzo ReadyKernel patch service. These advisories provide important information about the vulnerabilities, their potential impact, and recommendations for users to apply necessary patches or updates to ensure the security of their systems.
AIX Security Advisories
AIX security advisories are official notifications released by IBM to address security vulnerabilities and updates in the AIX operating system. These advisories provide important information about the vulnerabilities, their potential impact, and recommendations for users to apply necessary patches or updates to ensure the security of their systems.
Initial Access Release Notes
CVE-2024-8069: Citrix Session Recording (Virtual Apps and Desktops) .NET Deserialization
The team developed an exploit and signatures for CVE-2024-8069, a .NET deserialization vulnerability in Citrix Session Recording, a product in Citrix's Virtual Apps and Desktops suite. This vulnerability was added to the VulnCheck KEV on November 12, 2024 due to exploitation observed by ShadowServer. The SANS Internet Storm Center corroborated exploitation in the wild on November 18. The vulnerability can be exploited through MSMQ over HTTP, which makes the attack applicable to a wider range of targets. Unfortunately, the software is not discoverable via Shodan, Censys, FOFA, or Zoomeye. The team delivered pcaps, network signatures, an exploit, and a GreyNoise query. The team noted one Russian host in GreyNoise (at the time of this writing) scanning for the vulnerability.
CVE-2024-0012: PAN-OS Authentication Bypass and CVE-2024-9474 Authenticated Command Injection
This PAN-OS exploit chain started life as a zero-day and was added to the CISA KEV and VulnCheck KEV on November 18. Exploitation in the wild has been confirmed by Unit 42 and ShadowServer (among others). The team delivered an exploit chaining the two CVEs to achieve remote code execution. We also delivered a network scanner, a version scanner, a pcap, Snort and Suricata signatures, and Shodan, Censys, ZoomEye, FOFA, and GreyNoise queries. The provided pcap contains the network traffic for chaining the vulnerabilities together. The team delivered a couple of GreyNoise queries that appear to identify activity across the vulnerable endpoints. Additionally, the Shodan query in particular does a good job of removing honeypots, identifying an exposure of roughly 14,000 systems.
CVE-2024-10914: D-Link ShareCenter DNS Command Injection
The D-Link ShareCenter DNS-320, DNS-320LW, DNS-325, and DNS-340L products contain an unauthenticated remote code execution vulnerability via shell injection in the account_mgr.cgi script. The vulnerability was first added to the VulnCheck KEV in mid-November due to exploitation attempts flagged by ShadowServer. Our GreyNoise query likely bolsters this finding.
The team developed an exploit for this target by completing the exploit chain, which was not public. This required adding base64 chunking logic to go-exploit so that payload data could be packed more efficiently and delivered in fewer requests, as well as a bypass for the potential for multiple executions in the vulnerable code, using lexical names with a shell glob. The team also provides Suricata and Snort signatures and PCAPs for the DNS-325.
CVE-2024-47575: Fortinet FortiManager fgfmd Missing Authentication
In previous weeks, the team had landed multiple deliverables; this week it finalized and delivered the exploit, accompanied by a network scanner. The exploit comes with a usable certificate/key pair embedded, but it can also use user-provided values. As part of delivering this exploit, go-exploit was updated to support the fgfm authentication protocol.
IP Intel Update
IP Intel was updated to track the ngioweb botnet. Specifically, we've fingerprinted ngioweb Loaders and ngioweb Backconnect C2. This addition was based on recent research published by Black Lotus Research about the NSOCKS proxy service.
go-exploit updated to 1.31.0
The team released go-exploit 1.31.0. This release contains an update to the latest Edge User-Agent, improved HTTP multipart handling, support for the Fortinet fgfmd protocol, a base64 chunked encoder, and documentation updates.
Where to Find Our Content
As always, we welcome your feedback. Additionally, you can download artifacts at the following locations:
- initial access repository description and Shodan/Censys/FOFA/Zoomeye/GreyNoise queries here.
- initial access repository (exploit source) here or password protected here.
- Snort and Suricata rules can be grabbed here and here.
- IP Intel can be found here (and there are also the 10d, 30d, and 90d variants).
Recent Initial Access Activity
- Palo Alto Networks PAN-OS Management Interface Command Injection Vulnerability (CVE-2024-9474): added Nov 21, found in 1 product.
- Palo Alto Network Expedition Authentication Bypass & Command Injection (CVE-2024-9464): added Oct 24, found in 1 product.
- pgAdmin OAuth2 Information Disclosure (CVE-2024-9014): added Nov 7, found in 1 product.
- Smart HMI WebIQ File Leak (CVE-2024-8752): added Oct 31, found in 1 product.
- ViciDial Blind SQL Credential Leak (CVE-2024-8503): added Oct 16, found in 1 product.
- Citrix Session Recording (Virtual Apps and Desktops) .NET Deserialization (CVE-2024-8069): added Nov 21, found in 1 product.
- ABB ASPECT System Credential Disclosure (CVE-2024-6209): added Oct 15, found in 3 products.
- Palo Alto Network Expedition Authentication Bypass (CVE-2024-5910): added Oct 24, found in 1 product.
- CyberPanel OPTIONS Command Injection (CVE-2024-51378): added Oct 31, found in 1 product.
- Fortinet FortiManager Missing Authentication Vulnerability (CVE-2024-47575): added Oct 27, found in 1 product.
- Apache Solr Authentication Bypass (CVE-2024-45216): added Nov 5, found in 1 product.
- LiteSpeed Cache Credential Leak (CVE-2024-44000): added Oct 21, found in 1 product.
- Versa Director Favicon Upload (authenticated) (CVE-2024-39717): added Nov 5, found in 1 product.
- Halo Spring WebFlux Path Traversal (CVE-2024-38816): added Oct 27, found in 1 product.
- Glibc iconv Buffer Overflow (CVE-2024-2961): added Oct 16, found in 1 product.
- LiteSpeed Cache Weak RNG RCE (CVE-2024-28000): added Oct 21, found in 1 product.
- Fortinet FortiOS Out-of-Bound Write (CVE-2024-21762): added Nov 7, found in 2 products.
- Netgear WAX206 (CVE-2024-20017): added Nov 14, found in 1 product.
- D-Link ShareCenter Command Injection (CVE-2024-10914): added Nov 17, found in 1 product.
- Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability (CVE-2024-0012): added Nov 21, found in 1 product.
- Delta Electronics InfraSuite Device Master Deserialization (CVE-2023-47207): added Oct 31, found in 1 product.
- ABB ASPECT System networkDiagAjax Command Injection (CVE-2023-0636): added Oct 16, found in 3 products.
- Acronis Cyber Protect Unauthenticated RCE (CVE-2022-3405): added Nov 4, found in 2 products.
- Telesquare SDT-CW3B1 sysCommand RCE (CVE-2021-46422): added Oct 15, found in 1 product.
- SerComm CPE Router Authenticated Command Injection (CVE-2021-44080): added Oct 19, found in 1 product.
Open Source Latest Releases
- CLI v0.8.1
- Go-SDK v1.6.7
- Python-SDK v0.0.4
- Action v1.1.3