Infosec-hyped vulnerabilities: IngressNightmare and the Next.js authentication bypass. An erroneous CISA ICS advisory. ManageEngine and Netatalk exploits and more!

Happy Friday! This was a busy week for the team:

CVE-2025-1974: IngressNightmare Kubernetes Nginx RCE

The team conducted a rapid response on the IngressNightmare vulnerabilities reported by Wiz. We first published Snort and Suricata signatures for the known variants to the feed, then did a deep dive into exploit development. The team ended up delivering an exploit, pcap, network signatures, search engine signatures, and a vulnerable docker container.

Based on our analysis, there aren't many vulnerable Kubernetes endpoints exposed to the internet, but the access a successful exploit yields likely still makes this worth the effort for attackers.

CVE-2025-29927: Next.js Authentication Bypass

This has proven a very popular issue for exploit developers: our exploits index already lists 34 unique exploits. The team analyzed the vulnerability and created a vulnerable docker container, exploit, pcaps, network signatures, and search engine queries. Our assessment, however, is that it isn't widely exploitable, and where it is exploitable it won't necessarily yield useful access. Still, given how easy it is to exploit, it's unsurprising to see the first attempts hit GreyNoise.
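The ease of exploitation comes down to a single request header. As an added example that is not part of this post or of our feed content, the script below parses raw HTTP requests and flags any inbound request carrying the x-middleware-subrequest header, the internal header that Next.js trusted on external requests (the header name comes from the public Next.js advisory for CVE-2025-29927, not from this post; the header values in the samples are illustrative, since the check deliberately ignores the value). It also shows the edge-side mitigation of dropping the header before proxying. The sample requests are constructed.

```python
"""Flag external requests that carry Next.js's internal x-middleware-subrequest header.

Next.js used this header to mark a request as an internal subrequest and skipped
middleware (where auth checks frequently live) when it was present. No legitimate
external client sets it, so seeing it on a request arriving at the edge is a
reliable signal of a CVE-2025-29927 attempt, regardless of the header value.
"""

# Header name taken from the public Next.js advisory; the post itself does not name it.
BYPASS_HEADER = "x-middleware-subrequest"

# Constructed sample traffic: one benign request, two bypass attempts with
# illustrative values (the detection does not depend on the value).
SAMPLE_REQUESTS = [
    b"GET /dashboard HTTP/1.1\r\nHost: app.example\r\nUser-Agent: curl/8.0\r\n\r\n",
    b"GET /dashboard HTTP/1.1\r\nHost: app.example\r\n"
    b"X-Middleware-Subrequest: middleware\r\n\r\n",
    b"POST /api/admin HTTP/1.1\r\nHost: app.example\r\nContent-Length: 2\r\n"
    b"x-middleware-subrequest: src/middleware\r\n\r\n{}",
]


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request parser: request line plus headers (no folding).

    Header names are lower-cased because HTTP header names are case-insensitive;
    repeated headers are kept as a list so nothing is silently dropped.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def is_bypass_attempt(req: dict) -> bool:
    """True if the request carries the internal header at all (value ignored)."""
    return BYPASS_HEADER in req["headers"]


def scan(requests) -> list[tuple[str, str, str]]:
    """Return (method, target, header value) for every flagged request."""
    findings = []
    for raw in requests:
        req = parse_request(raw)
        if is_bypass_attempt(req):
            findings.append((req["method"], req["target"],
                             req["headers"][BYPASS_HEADER][0]))
    return findings


def strip_internal_headers(req: dict) -> dict:
    """Edge-side mitigation: drop the internal header before proxying upstream.

    Patching Next.js is the real fix; this is the reverse-proxy stopgap.
    """
    cleaned = dict(req)
    cleaned["headers"] = {k: v for k, v in req["headers"].items() if k != BYPASS_HEADER}
    return cleaned


if __name__ == "__main__":
    for method, target, value in scan(SAMPLE_REQUESTS):
        print(f"bypass attempt: {method} {target} ({BYPASS_HEADER}: {value!r})")
```

The check keys on the header name only, which is what a header-name network signature would match as well; anchoring on a specific value would miss variants across Next.js versions.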

CVE-2025-1316: Edimax IC-3015 RCE

This vulnerability was recently published in an ICS advisory by CISA, added to CISA KEV, and included in an Akamai blog regarding its exploitation in the wild. CISA names the Edimax IC-7100 as the vulnerable device, and Akamai lists it as one of the vulnerable devices. However, the team concluded that neither is correct: the IC-7100 is unaffected by CVE-2025-1316 (it doesn't even handle the parameters reported as exploited).

After much sleuthing, the team found an Edimax device that is vulnerable: the IC-3015, which is even older than the IC-7100 (itself already a decade past end of life) and uses a totally different web server subsystem. The team delivered search queries, pcap, network rules, and a lengthy write-up detailing the discovery of the actually vulnerable device.

CVE-2022-45188 Netatalk afp_getappl Heap Overflow

Likely our final Netatalk exploit for a while, this one exploits a heap overflow in the afp_getappl function. As mentioned previously, Netatalk has a surprisingly large internet exposure (Shodan flags 65k hosts at the moment). This particular CVE was discovered by Claroty while attacking a Synology DS920+ at a Pwn2Own event.

The team delivered an exploit, pcap, and vulnerable docker container.

CVE-2020-10189: ManageEngine Desktop Central Deserialization RCE

Upon customer request, the team added content for a long-standing entry in the CISA KEV catalog affecting ManageEngine Desktop Central before 10.0.474. According to our exploits index, this vulnerability is regularly listed as exploited on ShadowServer and is known to be used by APT41 (aka Wicked Panda).

As per our usual repertoire, this is an unauthenticated, remote exploit. Upon successful exploitation, a payload is deserialized, resulting in a reverse TCP shell with NT AUTHORITY\SYSTEM privileges. This exploit comes equipped with version scanning, a working exploit, network rules, and pcap files.

Bug fixes

The team worked on two bug fixes this week. We fixed syntax errors in Snort SIDs 12700433 and 12700474, and we fixed the build of the exploit for CVE-2021-43798, which the new Go `toolchain` directive in go.mod had broken.