Programmer’s Digest #112
12/04/2024-12/11/2024 Active Exploitation of Flaws in Zyxel, ProjectSend, and CyberPanel, Cleo File Transfer Vulnerability, CLFS Driver Flaw And More.
1. CISA Warns of Active Exploitation of Flaws in Zyxel, ProjectSend, and CyberPanel
CISA has added vulnerabilities affecting Zyxel, North Grid Proself, ProjectSend, and CyberPanel products to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. These include CVE-2024-51378 (CVSS: 10.0), a critical flaw enabling command execution via authentication bypass; CVE-2023-45727, tied to a China-linked espionage group; CVE-2024-11680, exploited for web shell deployments; and CVE-2024-11667, abused in ransomware campaigns like PSAUX and Helldown. Agencies must address these issues by December 25, 2024. Separately, JPCERT/CC reports three exploited vulnerabilities in I-O DATA routers, including CVE-2024-52564 (CVSS: 7.5), allowing attackers to disable firewalls. While some fixes are available, others are expected by December 18, 2024. Users should restrict remote management, secure credentials, and update firmware promptly.
2. Cleo File Transfer Vulnerability Under Exploitation
Huntress warned that an improperly patched vulnerability (CVE-2024-50623) in Cleo’s file transfer products—Harmony, VLTrader, and LexiCom—has been exploited in the wild since early December. The flaw, meant to be fixed in version 5.8.0.21, allows remote code execution. Threat actors have used it to establish persistence, perform reconnaissance, and conduct stealthy post-exploitation activities. At least 10 businesses, primarily in the consumer goods, food, trucking, and shipping sectors, have been compromised, with attack attempts targeting 1,700 servers. Exploitation surged on December 8. The incident resembles the MOVEit hack, where a zero-day was used to steal vast amounts of data from numerous organizations. Huntress and Rapid7 have observed active attacks, shared indicators of compromise, and provided mitigation guidance. Cleo is preparing a new patch, expected mid-week, and updating its advisory.
3. CISA Adds Microsoft Windows CLFS Driver Flaw To Its Known Exploited Vulnerabilities Catalog
CISA has added CVE-2024-49138, a Microsoft Windows Common Log File System (CLFS) driver vulnerability (CVSS: 7.8), to its KEV catalog. This flaw, addressed in Microsoft’s December 2024 Patch Tuesday updates, allows local attackers to escalate privileges to SYSTEM via a heap-based buffer overflow. While Microsoft has not disclosed details of the attacks exploiting this zero-day, federal agencies are required to remediate the vulnerability by December 31, 2024, under Binding Operational Directive 22-01. Private organizations are also urged to review the KEV catalog and mitigate listed vulnerabilities to secure their systems. The flaw is part of 71 vulnerabilities patched this month, highlighting the importance of timely updates to prevent potential exploitation.
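Items 1 and 3 both come down to the same defender task: check which of your open CVEs are in the KEV catalog and how close their remediation deadlines are. The script below is an added example, not from CISA or this digest; it uses the field names of CISA's published KEV JSON feed (cveID, dueDate, knownRansomwareCampaignUse) on a constructed excerpt with the CVE ids and due dates reported above, and assumes your inventory is already a set of CVE ids.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. Field names follow the
# published feed; the CVE ids and due dates are the ones this digest reports, the
# ransomware flags are sample data.
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2024-51378", "dueDate": "2024-12-25", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2024-11667", "dueDate": "2024-12-25", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2024-49138", "dueDate": "2024-12-31", "knownRansomwareCampaignUse": "Unknown"}
]}"""


def kev_exposure(kev_json: str, inventory_cves: set[str], today_iso: str) -> list[dict]:
    """Match an inventory's open CVEs against KEV and rank them by remediation urgency.

    Returns one record per CVE present in the catalog. Overdue items sort first,
    then fewest days remaining, with known-ransomware entries breaking ties.
    """
    today = date.fromisoformat(today_iso)
    by_id = {e["cveID"]: e for e in json.loads(kev_json)["vulnerabilities"]}
    findings = []
    for cve in sorted(inventory_cves):
        entry = by_id.get(cve)
        if entry is None:
            continue  # not in KEV: still patch it, but there is no BOD 22-01 due date
        due = date.fromisoformat(entry["dueDate"])
        findings.append({
            "cve": cve,
            "due": entry["dueDate"],
            "days_left": (due - today).days,
            "overdue": due < today,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    findings.sort(key=lambda f: (not f["overdue"], f["days_left"], not f["ransomware"]))
    return findings


if __name__ == "__main__":
    # Constructed inventory: the Ivanti CVE is not in KEV per item 4, so it is skipped.
    open_cves = {"CVE-2024-51378", "CVE-2024-49138", "CVE-2024-11639"}
    for f in kev_exposure(KEV_JSON, open_cves, "2024-12-27"):
        status = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{f['cve']}  due {f['due']}  {status}  ransomware={f['ransomware']}")
```

In production, replace KEV_JSON with the feed downloaded from CISA and feed in the CVE ids from your scanner export.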
4. Ivanti Issues Critical Security Updates for CSA and Connect Secure Vulnerabilities
Ivanti has issued security updates to fix critical vulnerabilities in its Cloud Services Application (CSA) and Connect Secure products, which could lead to privilege escalation and remote code execution. Key flaws include CVE-2024-11639 (CVSS: 10.0), an authentication bypass allowing remote attackers to gain admin access, and CVE-2024-11772, a command injection issue enabling code execution. Other vulnerabilities, such as CVE-2024-11773, CVE-2024-11633, and CVE-2024-11634, involve SQL injection and argument injection attacks. CVE-2024-8540 (CVSS: 8.8) addresses insecure permissions in Ivanti Sentry, allowing local attackers to modify components. Fixes are available in Ivanti CSA 5.0.3, Connect Secure 22.7R2.4, Policy Secure 22.7R1.2, and Sentry versions 9.20.2, 10.0.2, and 10.1.0. While no active exploitation has been reported, users are urged to update promptly, as Ivanti products have previously been targeted by state-sponsored attackers.
5. Researchers Uncover Flaws in Popular Open-Source Machine Learning Frameworks
Cybersecurity researchers have uncovered security flaws in open-source machine learning (ML) tools like MLflow, H2O, PyTorch, and MLeap, potentially allowing code execution. Discovered by JFrog, these issues affect ML clients and libraries, including those that handle safe model formats like Safetensors. Key vulnerabilities include CVE-2024-27132 (XSS in MLflow, enabling client-side remote code execution), CVE-2024-6960 (unsafe deserialization in H2O, leading to code execution), and path traversal flaws in PyTorch and MLeap, allowing arbitrary file overwrite and potential code execution. Attackers exploiting these flaws could gain access to ML services like model registries or MLOps pipelines, enabling lateral movement, exposure of credentials, and backdooring of ML models.
JFrog warns against loading untrusted ML models, even from safe formats, as they may lead to remote code execution. Organizations must scrutinize their ML models to prevent significant damage from these vulnerabilities.
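The path traversal class mentioned above comes from model files that are really archives: an entry named with ".." or an absolute path can land outside the directory a loader extracts into. The check below is an added example, not code from JFrog or any of the named projects; it assumes a zip container (the format used by PyTorch's zip-based checkpoints and MLeap bundles) and refuses the whole archive rather than silently rewriting member names, so an untrusted model never gets extracted at all. The archives it tests against are constructed in memory and are not real model files.

```python
import io
import posixpath
import zipfile


def unsafe_archive_members(zip_bytes: bytes) -> list[str]:
    """Names of archive members that would resolve outside the extraction directory."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # Normalise Windows separators and collapse "a/../b" segments, then reject
            # absolute paths, drive letters and anything that still climbs upward.
            norm = posixpath.normpath(name.replace("\\", "/"))
            first = norm.split("/", 1)[0]
            if norm.startswith("/") or first in ("..", "") or ":" in first:
                bad.append(name)
    return bad


def extract_model_archive(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract only after every member passes the check; otherwise refuse the file."""
    bad = unsafe_archive_members(zip_bytes)
    if bad:
        raise ValueError(f"refusing model archive, traversal in members: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)
        return zf.namelist()


def build_constructed_archive(members: dict[str, bytes]) -> bytes:
    """Constructed sample archive for this demonstration (not a real model file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed fixtures: a well-formed bundle and one with a climbing member name.
CLEAN = build_constructed_archive({"model/weights.bin": b"\x00" * 8, "model/meta.json": b"{}"})
TRAVERSAL = build_constructed_archive({"model/weights.bin": b"\x00" * 8, "model/../../outside.txt": b"x"})

if __name__ == "__main__":
    print(unsafe_archive_members(CLEAN))      # []
    print(unsafe_archive_members(TRAVERSAL))  # ['model/../../outside.txt']
```

Run this check before handing a downloaded model to the framework's loader; a rejected archive is a signal to quarantine the file and its source, not to clean and retry.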