Happy Friday! The following are the deliverables the Initial Access Intelligence team released the past week.
This week, by customer request, the team added an original exploit for a Java deserialization flaw in N-able N-central that allows for authenticated code execution. The vulnerability resides in the license uploader functionality and was exploited as a zero-day when it was disclosed a few weeks ago. Threat activity is unattributed so far, and no public proof-of-concept code is available.
N-central is a remote monitoring and management (RMM) platform, a technology category that attackers love to abuse. Both FOFA and ZoomEye show a few thousand internet-exposed instances, primarily in North America. Our exploit also includes PCAPs, network signatures, a YARA rule, and search engine queries.
The team added an exploit for an unauthenticated command injection vulnerability in the Shenzhen Aitemi M300 Wi-Fi repeater that lets us run arbitrary commands as root. The device's whole purpose is to bridge into a local network, which makes it a convenient initial access vector, and the user manual lists no way to update the firmware, so deployed units appear permanently vulnerable. There are a few hundred to a few thousand of these repeaters on the public internet, depending on which ASM engine you ask.
Our exploit also includes PCAPs, network signatures, and search engine queries.
The team added an unauthenticated RCE exploit for the BentoML Python library, which is used to serve AI models as online inference APIs. API endpoints created with affected versions of the library deserialize request data with Python's pickle, so a crafted pickle payload executes arbitrary code on the server. FOFA shows just under 1K BentoML services on the public internet, though we wouldn't be surprised to see this number increase over time as LLM adoption continues to grow (and exposure grows with it).
The exploit comes with a vulnerable Docker target, PCAPs, version detection, and network rules.
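For readers who want to see the vulnerability class rather than the exploit itself, the following is an added illustration of unsafe pickle deserialization and one common mitigation. It is not BentoML's code, not our exploit, and it uses no BentoML endpoint names: the request shape (an `OrderedDict` with a `features` list), the handler functions, and the allow-list contents are all assumptions made for the example.

```python
"""Unsafe pickle deserialization beside a restricted unpickler.

Added illustration of the bug class, not BentoML's code or the exploit.
The message format and handler names are assumptions for this example.
"""
import io
import pickle
import subprocess
from collections import OrderedDict


def legitimate_body() -> bytes:
    """Constructed example of what a benign client would send."""
    return pickle.dumps(OrderedDict(features=[1.0, 2.5, 3.0]))


class Payload:
    """Attacker-controlled object. pickle records the callable and arguments
    returned by __reduce__, and it is the *victim's* unpickler that calls them."""

    def __reduce__(self):
        # Harmless stand-in for os.system(<attacker command>): the server runs
        # `echo pwned` and hands the output back to whoever sent the request.
        return (subprocess.check_output, (["echo", "pwned"],))


def attacker_body() -> bytes:
    return pickle.dumps(Payload())


def vulnerable_load(body: bytes):
    """The pattern behind this bug class: raw request bytes straight into pickle.loads."""
    return pickle.loads(body)


class RestrictedUnpickler(pickle.Unpickler):
    """Only resolve the globals the service's wire format actually needs.

    A real deployment would list the model's own container/array types here;
    anything not on the list (os.system, subprocess.*, builtins.eval, ...)
    is refused before it can be called.
    """

    ALLOWED = {("collections", "OrderedDict")}  # assumed for this example

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def hardened_load(body: bytes):
    return RestrictedUnpickler(io.BytesIO(body)).load()


def hardened_rejects(body: bytes) -> bool:
    """True when the restricted unpickler refuses the payload."""
    try:
        hardened_load(body)
    except pickle.UnpicklingError:
        return True
    return False


def predict(request) -> float:
    """Toy inference: the 'model' just sums the feature vector."""
    return sum(request["features"])


if __name__ == "__main__":
    print("vulnerable handler ran the attacker's command:", vulnerable_load(attacker_body()))
    print("hardened handler rejects the payload:", hardened_rejects(attacker_body()))
    print("hardened handler still serves real clients:", predict(hardened_load(legitimate_body())))
```

The restricted unpickler is a stop-gap for services that cannot drop pickle outright; the durable fix is to stop accepting pickle from unauthenticated clients at all and use a format such as JSON or a schema-validated protobuf that carries data but no code.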
The team also covered CVE-2024-51092, an authenticated command injection vulnerability in LibreNMS, a network monitoring application. FOFA shows ~19k instances of this software on the public internet, and GreyNoise points to scanning attempts related to the vulnerability. All versions up to and including 24.9.1 are affected, so attackers have a large pool of unpatched installs to choose from when looking for targets.
The exploit also includes PCAPs, a YARA rule, network signatures, and search engine queries.