Happy Friday! The VulnCheck Initial Access Intelligence team has been busy this week—because attackers don’t stick to office hours. Here are the deliverables we shipped:
Last week, Rapid7 released details on an authentication bypass affecting Citrix NetScaler. The vulnerability has an EPSS in the 90th percentile, and NetScaler appears in CISA KEV eight times. So, it seemed like a pretty important vulnerability to cover. Additionally, we note that the GreyNoise query we developed for this delivery appears to be seeing activity.
The team developed an exploit that leaks a session key and then creates a super admin account. We also developed pcaps, network signatures, a YARA rule, and search engine queries.
The team added an exploit for the Commvault Innovation release vulnerability identified by watchTowr, which allows unauthenticated remote code execution via path traversal and unsafe use of zip extraction. The vulnerable version range suggests that internet exposure is smaller than anticipated, with only a few hundred admin panels directly accessible.
We identified gaps in public detection signatures that incorrectly rely only on the reports path, and adjusted our Suricata and Snort rules to detect other variants. We also created pcaps, YARA rules, and search engine queries.
This week, the team added an exploit for the open-source content management system FoxCMS. This unauthenticated remote exploit executes arbitrary PHP code via a GET parameter. Using this vector, the exploit coerces the target system into retrieving and executing a reverse shell PHP snippet hosted via an HTTP file server that is set up at runtime.
This exploit comes with queries, pcaps, a target Docker container, and network signatures.
In mid-February, Orange Cyberdefense’s CSIRT observed and investigated active exploitation of Craft CMS by an unspecified threat actor. This led to the discovery and fixing of this CVE. They reported around 13,000 vulnerable instances, identified via a nuclei template.
The team delivered network signatures, a YARA rule, the exploit itself, and search queries.
In late April, ReliaQuest observed attackers exploiting a new SAP NetWeaver vulnerability in the wild. Since then, others, including CISA KEV, have also reported exploitation.
The team developed a GreyNoise query and network signatures to detect this activity.