Feature Update

The team has started delivering ZoomEye and FOFA queries alongside the Censys and Shodan queries that we have always provided. The queries are available in the README.md of new releases this week, and will be added to the API in the near future. We will work over the coming months to update older content with ZoomEye and FOFA queries.

ABB ASPECT CVE-2023-0636 & CVE-2024-6209

The team added two separate exploits for ABB ASPECT (unrelated but grouped for brevity). This software is for building energy management and supervision. Our Censys query flags ~350 of these online. Our version scanners say all are vulnerable to CVE-2024-6209 (a credential leak which can be followed by authenticated RCE), and ~90% are vulnerable to CVE-2023-0636 (unauthenticated RCE). The team delivered network signatures, pcaps, queries, asset detection, version scanners, and exploits for these two vulnerabilities. Note that neither is listed as known-exploited in any KEV list, but they seem like obvious targets.

CVE-2024-2961 + CVE-2024-34102 Exploit Chain (Magento and glibc)

The team developed a remote code execution exploit via buffer overflow that utilizes CVE-2024-2961 inside of the XXE exploited by CVE-2024-34102 for Magento in order to trigger remote execution, based on the research by Charles Fol dubbed "CNEXT". This complex chain combines three XXE queries, PHP-specific filter chain construction, the 4-byte overflow in glibc's iconv() function when strings are converted to the ISO-2022-CN-EXT character set, and heap massaging techniques to make the exploit consistently one-shot without requiring brute-force techniques. A Docker container with the setup for a vulnerable Magento host was provided.

CVE-2024-8503: ViciDial Blind SQL Injection Information Leak

This vulnerability is a blind SQL injection vulnerability in ViciDial's log_custom_support function, one of many functions supported by the VERM_AJAX_functions.php endpoint. Leveraging IF conditions and SLEEP statements, an attacker can leak data from the database. Credentials are stored in plaintext by default on ViciDial systems, making them a prime target. The team delivered an exploit that brute-forces and leaks admin and user login credentials one bit at a time. Additionally, the team crafted Suricata and Snort signatures, as well as version checks.
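The IF/SLEEP pattern described above leaves a very recognisable trace in web server logs: a burst of near-identical requests from one source, each carrying a conditional delay primitive, with response times that alternate between fast and slow as each bit is resolved. The following detector is an added example written for this note, not part of the vendor's signatures or the ViciDial project. It assumes Apache combined-format logs with a trailing `%D` response-time field (microseconds); the log lines, IPs, paths and thresholds are all constructed for illustration.

```python
"""
Detect time-based (blind) SQL injection attempts in web server access logs.

Added example, not the vendor's or ViciDial's code. It flags requests whose
decoded query string carries a delay primitive (SLEEP/BENCHMARK/pg_sleep/
WAITFOR DELAY), notes when it is wrapped in an IF/CASE oracle, correlates it
with an unusually slow response (the delay actually executed), and groups by
source address so a bit-at-a-time extraction stands out as a burst.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log (not real traffic). Apache combined format plus %D.
# Lines 2, 3, 4 and 6 come from one source; line 5 is a legitimately slow report.
SAMPLE_LOG = """\
10.0.0.7 - - [12/Sep/2024:10:00:01 +0000] "GET /app/search.php?term=test HTTP/1.1" 200 512 "-" "Mozilla/5.0" 18342
10.0.0.5 - - [12/Sep/2024:10:00:02 +0000] "GET /app/search.php?term=test%27+AND+IF(1%3D1%2CSLEEP(5)%2C0)--+- HTTP/1.1" 200 512 "-" "Mozilla/5.0" 5018220
10.0.0.5 - - [12/Sep/2024:10:00:08 +0000] "GET /app/search.php?term=test%27+AND+IF(1%3D2%2CSLEEP(5)%2C0)--+- HTTP/1.1" 200 512 "-" "Mozilla/5.0" 21044
10.0.0.5 - - [12/Sep/2024:10:00:09 +0000] "GET /app/search.php?term=1+AND+BENCHMARK(5000000%2CMD5(1)) HTTP/1.1" 200 512 "-" "Mozilla/5.0" 4900000
10.0.0.9 - - [12/Sep/2024:10:00:10 +0000] "GET /app/report.php?range=90d HTTP/1.1" 200 88120 "-" "Mozilla/5.0" 4200000
10.0.0.5 - - [12/Sep/2024:10:00:15 +0000] "GET /app/search.php?term=1%3BWAITFOR+DELAY+%270%3A0%3A5%27-- HTTP/1.1" 200 512 "-" "Mozilla/5.0" 4990000
"""

# Apache combined log format with a trailing %D (response time in microseconds).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<micros>\d+)$'
)

# Delay primitives used by time-based blind SQLi payloads, matched after URL decoding.
DELAY_RE = re.compile(r'\b(?:SLEEP|BENCHMARK|PG_SLEEP)\s*\(|WAITFOR\s+DELAY\b', re.IGNORECASE)
# Conditional wrappers that turn a delay into a one-bit oracle.
CONDITION_RE = re.compile(r'\b(?:IF|CASE)\s*(?:\(|WHEN\b)', re.IGNORECASE)

SLOW_SECONDS = 3.0      # assumed threshold: an AJAX endpoint should answer well below this
BURST_THRESHOLD = 3     # assumed threshold: this many flagged requests from one IP => extraction


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    split = urlsplit(d["target"])
    return {
        "ip": d["ip"],
        "path": split.path,
        "query": unquote_plus(split.query),   # decode %xx and '+' before pattern matching
        "status": int(d["status"]),
        "seconds": int(d["micros"]) / 1_000_000,
    }


def classify(req):
    """Return the reasons a parsed request looks like time-based blind SQLi (empty if benign)."""
    reasons = []
    if DELAY_RE.search(req["query"]):
        reasons.append("delay-primitive")
        if CONDITION_RE.search(req["query"]):
            reasons.append("conditional-oracle")
    if req["seconds"] >= SLOW_SECONDS:
        reasons.append("slow-response")
    return reasons


def analyse(log_text):
    """Classify every line; a finding is 'confirmed' when the delay payload measurably executed."""
    per_ip = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        reasons = classify(req)
        if "delay-primitive" not in reasons:
            continue                      # slow responses alone are not evidence of injection
        confirmed = "slow-response" in reasons
        findings.append({**req, "reasons": reasons, "confirmed": confirmed})
        per_ip[req["ip"]] += 1
    bursts = {ip: n for ip, n in per_ip.items() if n >= BURST_THRESHOLD}
    return {"findings": findings, "bursts": bursts}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for f in result["findings"]:
        print(f'{f["ip"]} {f["path"]} {f["seconds"]:.2f}s {",".join(f["reasons"])}'
              f'{" CONFIRMED" if f["confirmed"] else ""}')
    for ip, n in result["bursts"].items():
        print(f"burst: {ip} sent {n} delay-carrying requests")
```

The distinction between a flagged and a confirmed finding is the useful part for incident response: a payload that was sent but answered quickly was probably blocked or landed on a patched path, while a payload followed by a five-second response shows the database actually ran the conditional, which is the signal that credentials may have been extracted and a password reset is warranted. Thresholds should be tuned per endpoint from observed baselines rather than the constants used here.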

Telesquare CVE-2021-46442

Further improving our Flax Typhoon coverage as per the joint advisory put out by the FBI, NSA, CNMF, etc., we added asset detection, pcap, Snort / Suricata rules, and Shodan/Censys/FOFA/ZoomEye queries for Telesquare CVE-2021-46442. As we've mentioned previously, this vulnerability is the exact same as CVE-2024-29269 but assigned to a different router model (which isn't how CVEs are supposed to work). Our Censys query only flags about 50 targets online (likely all patched).

OFBiz Update CVE-2024-45507

Thanks to a customer tip, our detection for CVE-2024-45507 has been updated to account for more exploitable paths.

IP-Intel Update

Tracking of GobRAT and Bulbature staging infrastructure, based on research by Sekoia, has been added to our IP-Intel. From our current 3-day backup, here is an example on Censys.