Happy Friday! The Initial Access Intelligence team's deliverables for the past week are below.
A vulnerability in the peering authentication of the Cisco Catalyst SD-WAN Controller could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system. Using this account, the attacker could access NETCONF, which would then enable them to manipulate network configuration for the SD-WAN fabric.
This vulnerability is under active exploitation by threat actor UAT-8616. Reports of exploitation have been corroborated by investigations from Five Eyes Intelligence Partners and Cisco's own Talos team. See Cisco's advisory for mitigation and remediation recommendations. The team delivered ASM queries, along with a validation and version check to identify vulnerable instances.
This week, the team added a new RCE exploit for Microsoft SharePoint. This exploit chains two separate vulnerabilities to achieve unauthenticated remote code execution on vulnerable SharePoint servers. The first is CVE-2023-29357, an authentication bypass vulnerability that allows an attacker to impersonate an administrator session on the target. The second is CVE-2023-24955, which allows for authenticated RCE. The exploit delivers an HTTP-based VBS reverse shell payload served by the attacker, which triggers a remote shell back to the attacking host.
Both vulnerabilities are known to be used in ransomware campaigns, and ZoomEye reports over 150,000 SharePoint services exposed on the internet. This exploit comes with PCAPs, network rules, and ASM queries.
The team added an exploit for an unauthenticated file write vulnerability in MLflow, an open-source machine learning management platform. No evidence of in-the-wild exploitation has been observed so far, but MLflow's access to data and its lack of authentication by default may make it an attractive target for attackers. Our FOFA query shows just under 4,000 instances of MLflow publicly accessible on the internet. The team also provided ASM queries, PCAPs, and a Docker target as part of the coverage for CVE-2023-6018.
The team added an exploit for a pre-authentication command injection vulnerability, CVE-2022-2486, in WAVLINK WN535K2 and WN535K3 mesh routers that allows arbitrary command execution as root. The affected devices are effectively end-of-life, with no patch available. Related CVEs with the same root cause affect nightled.cgi (CVE-2022-2487) and touchlist_sync.cgi (CVE-2022-2488). CVE-2022-2486 has been exploited in the wild by as-yet unattributed threat actors and has been on VulnCheck KEV since January 2023. It is not yet on CISA KEV. Roughly 500 instances appear to be exposed online, and GreyNoise is tracking exploitation attempts.
The team delivered an exploit, a PCAP, network signatures, a target Docker image, and ASM queries for CVE-2022-2486.
Finally, the team developed an exploit for CVE-2021-21315, an OS command injection vulnerability in npm's system information library that allows for RCE. The vulnerability has been exploited in the wild by unattributed threat actors since June 2021. The team's exploit comes with Snort, Suricata, and YARA rules, a target Docker container, PCAPs, and a GreyNoise query.