Human Factor Blog

how human behavior affects security

Programmer’s Digest #117

01/08/2025-01/15/2025 Critical SimpleHelp Flaws, Major Vulnerabilities Patched in SonicWall, Palo Alto Expedition, and Aviatrix Controllers, Critical RCE Flaw in GFI KerioControl And More.

1. Critical SimpleHelp Flaws Allow File Theft, Privilege Escalation, and RCE Attacks

Researchers have identified critical vulnerabilities in SimpleHelp remote access software, potentially enabling information disclosure, privilege escalation, and remote code execution. Horizon3.ai’s Naveen Sunkavally described the flaws as easy to exploit:

  • CVE-2024-57727: An unauthenticated path traversal flaw lets attackers download arbitrary files, including hashed admin and technician passwords.
  • CVE-2024-57728: Allows admins or privileged technicians to upload files anywhere, potentially enabling remote code execution.
  • CVE-2024-57726: A privilege escalation vulnerability lets low-privilege technicians gain admin access by exploiting missing authorization checks.

Attackers could chain CVE-2024-57726 and CVE-2024-57728 to gain admin control and execute malicious payloads. Following disclosure on January 6, 2025, SimpleHelp released patches in versions 5.3.9, 5.4.10, and 5.5.8. Users are urged to patch immediately, update admin and technician passwords, and restrict login IPs to protect against potential exploitation.

2. CISA Adds Second BeyondTrust CVE to Known Exploited Vulnerabilities List

CISA added a command injection vulnerability in BeyondTrust Remote Support and Privileged Access products (CVE-2024-12686) to its catalog of known exploited vulnerabilities. This medium-severity flaw (CVSS 6.6) allows attackers with admin privileges to inject commands into networks as site users. It follows CVE-2024-12356, a critical command injection flaw (CVSS 9.8) linked to BeyondTrust’s investigation into a December attack spree. During the attacks, a compromised SaaS API key led to password resets for multiple accounts, affecting some RemoteSupport SaaS customers. It’s unclear if CVE-2024-12686 is exploited alone or chained with CVE-2024-12356. Federal agencies are investigating connections between these CVEs and the Treasury Department hack, attributed to a Chinese state-linked actor using a stolen vendor key.

3. Major Vulnerabilities Patched in SonicWall, Palo Alto Expedition, and Aviatrix Controllers

Palo Alto Networks has patched several vulnerabilities in its Expedition migration tool, including a high-severity flaw (CVE-2025-0103, CVSS 7.8) that allows authenticated attackers to access sensitive data like passwords, device configurations, and API keys. Expedition, which reached end-of-life on December 31, 2024, also had other flaws:

  • CVE-2025-0104 (CVSS 4.7): XSS allowing phishing and session theft.
  • CVE-2025-0105 (CVSS 2.7): File deletion by unauthenticated attackers.
  • CVE-2025-0106 (CVSS 2.7): File enumeration via wildcard expansion.
  • CVE-2025-0107 (CVSS 2.3): OS command injection enabling data disclosure.

Fixes are available in versions 1.2.100 and 1.2.101. Palo Alto advises restricting access or disabling the tool if unused.

Meanwhile, SonicWall patched SonicOS vulnerabilities, including CVE-2024-53704 (authentication bypass) and CVE-2024-53706 (privilege escalation). Polish firm Securing also disclosed a critical Aviatrix Controller flaw (CVE-2024-50603, CVSS 10.0) fixed in versions 7.1.4191 and 7.2.4996. Users are urged to apply these updates promptly.

4. Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection

Threat actors are exploiting a recently disclosed security flaw in GFI KerioControl firewalls, CVE-2024-52875, enabling remote code execution (RCE). The vulnerability stems from a CRLF injection attack that allows HTTP response splitting, potentially leading to cross-site scripting (XSS). KerioControl versions 9.2.5–9.4.5 are affected, as disclosed by security researcher Egidio Romano. Exploitation involves injecting malicious inputs into HTTP headers, exploiting unsanitized user input in specific URI paths like /nonauth/addCertException.cs and /nonauth/guestConfirm.cs. GFI released a fix (version 9.4.5 Patch 1) on December 19, 2024. However, a proof-of-concept exploit surfaced, enabling adversaries to craft malicious URLs that trigger firmware upgrades via admin clicks, potentially granting root access. GreyNoise reported exploitation attempts from seven IPs since December 28, 2024. Over 23,800 internet-exposed KerioControl instances are at risk, mainly in Iran, Italy, and the U.S. Users should secure their instances immediately to mitigate threats.

5. Critical Ivanti Connect Secure zero-day flaw under attack

Ivanti disclosed a critical vulnerability, CVE-2025-0282, affecting Connect Secure, Policy Secure, and ZTA gateways. This stack-based buffer overflow flaw, with a 9.0 CVSS score, enables remote code execution in Connect Secure versions before 22.7R2.5, Policy Secure before 22.7R1.2, and ZTA gateways before 22.7R2.3. Another vulnerability, CVE-2025-0283, allows privilege escalation for local attackers and has a 7.0 CVSS score. While CVE-2025-0282 exploitation is confirmed for Connect Secure, Ivanti reports no exploitation of Policy Secure, ZTA gateways, or CVE-2025-0283. Ivanti released patches for affected Connect Secure versions, with Policy Secure and ZTA patches expected by January 21. Exploitation of CVE-2025-0282 can be detected using Ivanti’s Integrity Checker Tool (ICT).

Ivanti credited Mandiant and Microsoft for their assistance and emphasized proactive monitoring with ICT to safeguard network infrastructure.


Programmer’s Digest #116

01/03/2025-01/08/2025 Fake Hardhat npm Packages, Critical Flaws in Mitel and Oracle Systems, Nuclei Flaw, High-Severity Vulnerabilities in Cellular and Secure Routers.

1. Fake Hardhat npm Packages Target Ethereum Developers

A malicious campaign is targeting Ethereum developers using fake Hardhat npm packages to steal private keys, as reported by the Socket.dev Research Team. This supply chain attack exploits developers’ trust by mimicking legitimate Hardhat plugins, claiming similar functionalities like gas optimization and smart contract testing.

Hosted on npm, the fake packages appear trustworthy but steal sensitive data, including private keys and mnemonics, from the Hardhat environment. The stolen data is encrypted and sent to attacker-controlled endpoints. Attackers could also deploy malicious contracts, potentially disrupting the Ethereum mainnet.

Socket.dev researchers identified 20 malicious packages from three authors, including one with over 1,000 downloads, highlighting the campaign’s reach.

To protect against such threats, developers should implement strict security monitoring and auditing measures. Carefully scrutinizing npm packages and maintaining vigilant development practices are crucial to safeguarding Ethereum projects.

2. CISA Flags Critical Flaws in Mitel and Oracle Systems Amid Active Exploitation

CISA added three vulnerabilities affecting Mitel MiCollab and Oracle WebLogic Server to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation evidence.

The flaws include:

  • CVE-2024-41713 (CVSS 9.1): A Mitel MiCollab path traversal flaw allowing unauthorized access.
  • CVE-2024-55550 (CVSS 4.4): A Mitel MiCollab path traversal issue enabling an admin to read local files.
  • CVE-2020-2883 (CVSS 9.8): An Oracle WebLogic vulnerability exploitable via IIOP or T3.

CVE-2024-41713 and CVE-2024-55550 can be chained to allow remote attackers to read arbitrary server files. WatchTowr Labs reported these Mitel flaws in efforts to replicate another critical vulnerability (CVE-2024-35286).

Exploitation details, attackers, and targets remain unclear. Federal agencies must patch these flaws by January 28, 2025, per Binding Operational Directive 22-01.

3. Nuclei Flaw Lets Malicious Templates Bypass Signature Verification

A now-fixed vulnerability in the open-source vulnerability scanner Nuclei (CVE-2024-43405) could potentially allow attackers to bypass template signature verification and execute malicious code on local systems.

Nuclei uses over 10,000 YAML templates to scan websites for vulnerabilities. Each template includes a digest hash for signature verification, ensuring integrity. However, researchers at Wiz discovered flaws in how Nuclei’s Go regex-based verification and YAML parser handle line breaks and multiple # digest: lines.

Attackers could exploit these mismatches to bypass verification by injecting malicious # digest: payloads that evade detection but execute when processed. Wiz demonstrated this by crafting a template using mismatched newline interpretations. Users should update to the latest version and run Nuclei in isolated environments to mitigate risks from malicious templates.
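A strict pre-check of the kind this mitigation calls for, written as an added example (not Nuclei's own code): before anything is verified it rejects the two conditions the write-up names, non-LF line breaks and more than one `# digest:` line, so the bytes that were verified are the bytes a YAML parser will run. The digest is assumed to be a plain SHA-256 of the template body, a simplification of Nuclei's real signature scheme; the sample templates are constructed.

```python
import hashlib

# Constructed stand-in for Nuclei's signed-template layout: one trailing
# "# digest:" comment line covering everything above it. Assumption: the
# digest is a plain SHA-256 of the body; real Nuclei digests are signatures.
DIGEST_PREFIX = "# digest: "

def sign_template(body: str) -> str:
    """Constructed helper: append a single digest line covering the body."""
    if not body.endswith("\n"):
        body += "\n"
    return body + DIGEST_PREFIX + hashlib.sha256(body.encode()).hexdigest() + "\n"

def check_template(template: str) -> tuple[bool, str]:
    """Strict pre-check plus digest verification; returns (accepted, reason)."""
    # A bare CR is a line break to a YAML parser but not to a `$`-anchored
    # regex, which is the newline mismatch the bypass relied on.
    if "\r" in template:
        return False, "carriage return found; only LF line breaks are allowed"
    lines = template.split("\n")
    digest_idx = [i for i, ln in enumerate(lines) if ln.startswith(DIGEST_PREFIX)]
    # Exactly one digest line, so no second "# digest:" can be picked instead.
    if len(digest_idx) != 1:
        return False, f"expected exactly one digest line, found {len(digest_idx)}"
    idx = digest_idx[0]
    # Nothing after the digest line may carry content it does not cover.
    if any(ln.strip() for ln in lines[idx + 1:]):
        return False, "content after the digest line is not covered by it"
    body = "\n".join(lines[:idx]) + "\n"
    claimed = lines[idx][len(DIGEST_PREFIX):].strip()
    if claimed != hashlib.sha256(body.encode()).hexdigest():
        return False, "digest does not match template body"
    return True, "ok"

# Constructed sample templates (not real Nuclei templates).
GOOD = sign_template("id: constructed-demo\ninfo:\n  name: harmless check\n")
TWO_DIGESTS = GOOD + DIGEST_PREFIX + "0" * 64 + "\n"
CR_SPLIT = GOOD[:-1] + "\r" + DIGEST_PREFIX + "0" * 64 + "\n"
TAMPERED = GOOD.replace("harmless", "altered")
TRAILING = GOOD + "http:\n  - path: /constructed\n"

if __name__ == "__main__":
    for name, tpl in [("good", GOOD), ("two digests", TWO_DIGESTS),
                      ("cr split", CR_SPLIT), ("tampered", TAMPERED),
                      ("trailing", TRAILING)]:
        print(f"{name:12} -> {check_template(tpl)}")
```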

4. Moxa Alerts Users to High-Severity Vulnerabilities in Cellular and Secure Routers

Taiwan-based Moxa has disclosed two critical vulnerabilities in its routers and network appliances that could enable privilege escalation and command execution:

  • CVE-2024-9138 (CVSS 8.6): Hard-coded credentials allowing authenticated users to gain root access, leading to system compromise and service disruption.
  • CVE-2024-9140 (CVSS 9.3): Exploitation of special characters to bypass input restrictions, enabling unauthorized command execution.

These flaws, reported by researcher Lars Haulin, affect several product lines, including EDR-810, EDR-8010, EDR-G902, EDR-G9004, and TN-4900 Series with specific firmware versions.

Moxa has issued patches for most products (firmware version 3.14 or later). For NAT-102 and TN-4900 Series, users are advised to contact Moxa Technical Support.

Mitigations include avoiding internet exposure, restricting SSH access to trusted IPs, and employing firewalls and detection mechanisms to prevent exploitation attempts.


Programmer’s Digest #115

12/25/2024-01/03/2025 Severe Security Flaws Patched in Microsoft Dynamics 365, Malicious Obfuscated NPM Package, Apache MINA CVE-2024-52046.

1. Critical Deadline: Update Old .NET Domains Before January 7, 2025 to Avoid Service Disruption

Microsoft has announced a change to how .NET installers and archives are distributed, requiring developers to update their infrastructure. This change follows Akamai’s acquisition of assets from Edgio, which is shutting down its service on January 15, 2025. .NET binaries are currently hosted on Edgio’s CDN, but Microsoft is migrating to Azure Front Door CDNs. If no action is taken, Microsoft will automatically migrate customers by January 7, 2025. However, automatic migration won’t be possible for some endpoints, and users migrating to other CDNs must set a feature flag by the same date. Configuration changes to Azure CDN by Edgio profiles will freeze on January 3, 2025. Microsoft recommends migrating to a custom domain to avoid future risks. Users must also update their codebases to avoid relying on *.azureedge[.]net.

2. Severe Security Flaws Patched in Microsoft Dynamics 365 and Power Apps Web API

Three security vulnerabilities in Dynamics 365 and Power Apps Web API, discovered by Stratus Security, were patched in May 2024. Two flaws are in the OData Web API Filter, and one is in the FetchXML API. The first vulnerability allows unauthorized access to sensitive data, like password hashes, through a lack of access control. Attackers can exploit this by performing a sequential search to retrieve the complete password hash. The second flaw lets attackers use the orderby clause to extract data from columns like email addresses. The FetchXML vulnerability allows attackers to bypass access controls and retrieve restricted data using a crafted query. These flaws could enable attackers to steal or sell password hashes and emails. Stratus Security emphasizes the need for constant cybersecurity vigilance, especially for large data holders like Microsoft.

3. Malicious Obfuscated NPM Package Disguised as an Ethereum Tool Deploys Quasar RAT

Researchers found a malicious package on npm, named ethereumvulncontracthandler, disguised as an Ethereum vulnerability detection tool. Published on December 18, 2024, it has been downloaded 66 times. When installed, it retrieves a script from a remote server to deploy the Quasar RAT, a remote access trojan, on Windows systems. The trojan uses techniques like Base64 and XOR encoding to avoid detection and establishes persistence by modifying the Windows Registry. It then connects to a command-and-control server to exfiltrate data and receive instructions. The Quasar RAT has been used in cybercrime and espionage campaigns since 2014. This discovery highlights the growing issue of fake “stars” on GitHub, used to artificially inflate the popularity of malicious repositories. Researchers urge caution, noting that star counts alone are unreliable for assessing repository quality.

4. Palo Alto Networks Patches DoS Bug in PAN-OS Software

Palo Alto Networks released a patch on Dec. 26 for a high-severity DoS vulnerability (CVE-2024-3393) in the DNS security feature of its PAN-OS firewall software. The flaw allows unauthenticated attackers to send malicious packets that reboot the firewall, causing it to enter maintenance mode after repeated attempts. This issue affects PAN-OS versions 10.X and 11.X, as well as Prisma Access running PAN-OS 10.2.8 and later, or prior to 11.2.3. The company has issued patches for affected versions. Experts warn that the vulnerability could disrupt network operations, requiring manual intervention. Palo Alto Networks discovered this flaw in production, indicating potential active exploitation. Immediate patching is recommended to avoid service disruptions and ensure continued protection from DNS-based attacks.

5. Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization

The Apache Software Foundation (ASF) has released patches for a critical vulnerability in the MINA Java network framework, tracked as CVE-2024-52046, with a CVSS score of 10.0. The flaw affects versions 2.0.X, 2.1.X, and 2.2.X. It arises from the ObjectSerializationDecoder, which improperly handles Java’s native deserialization protocol, allowing remote code execution (RCE) if exploited with specially crafted data. The vulnerability is exploitable only when specific methods and classes are used. ASF advises upgrading and explicitly configuring the decoder to accept safe classes. This disclosure follows recent fixes for vulnerabilities in Tomcat, Traffic Control, HugeGraph-Server, and Struts, all with significant security implications. Users are urged to update to protect against potential threats.
