Happy Friday to those who celebrate it! Here are the VulnCheck Initial Access team's deliverables for the past week.
On May 6, Akamai reported that this vulnerability was being exploited in the wild, and on May 7 it was added to CISA KEV. However, we found evidence of in-the-wild exploitation dating back to September 2024. With thousands of these GeoVision devices online, they have likely been a useful target for quite some time.
Exploitation occurs when DateSetting.cgi invokes ntpdate.sh via libswapi.so. Interestingly, ntpdate.sh can easily get stuck in an infinite loop, preventing the attacker's injection from ever executing. VulnCheck's exploit, obviously, avoids that pitfall, but we are less sure about the other exploits that have been publicly shared. The team delivered an exploit, a pcap, Snort/Suricata rules, and search engine queries.
SysAid had previously been listed in VulnCheck KEV with exploitation attributed to the cl0p ransomware group, so when SysAid recently got the watchTowr treatment, we knew we needed to provide coverage ASAP. The team developed an exploit for the latter part of the watchTowr SysAid bug chain, which lets an authenticated user gain remote code execution.
Unlike the public proofs-of-concept, our exploit was developed against the Linux and Docker SysAid deployments, which lets it work against both. Note that, at the time of publication, SysAid's recommended Docker deployment installs a vulnerable default version, and no patched image appears to have been published to Docker Hub.
The team has provided an exploit, version scanners, pcaps, detection signatures, and queries for SysAid. Exploits for the additional information-leak XXEs and the full chain will be completed in the coming weeks.
Continuing our prioritization of ICS/OT systems with known exploitation in the wild (attacks reported by Shadowserver as recently as yesterday), the team developed an unauthenticated exploit for the open-source FUXA SCADA/HMI dashboard software. The vulnerability arises from improperly sandboxed JavaScript components for dashboard objects, which let an attacker reach the underlying Node.js runtime and achieve remote code execution.
The FUXA software appears to have a few hundred installs exposed to the internet, indicating potential targets for malicious actors with a SCADA-focused objective.
The team provided Snort and Suricata rules, pcaps, version checking, and queries.
Catching up with work done by MDSec's ActiveBreach team, we implemented an attack against Arcserve that retrieves an administrator session token via the SOAP API. Using this token, we retrieve the username and the encrypted password of the administrative Windows user configured for the application; once decrypted, that plaintext password is used to log into the application and execute a command as the service account. This exploit comes with pcaps, version checking, and queries.