Vulnerabilities in Zyxel, ProjectSend and CyberPanel are being actively exploited, so patch now
- CISA has added a number of serious flaws to its catalog
- One of the bugs is a 10/10
- One of them is being exploited by Chinese state-sponsored actors
Multiple vulnerabilities affecting solutions from Zyxel, North Grid Proself, ProjectSend, and CyberPanel are being actively exploited to bypass authentication, conduct XXE attacks, embed malicious JavaScript, upload arbitrary files, and more.
Earlier this year, multiple cybersecurity researchers, vendors and professionals warned about these bugs at different times, with reports coming in from Sekoia, Censys, VulnCheck and others.
Now the US Cybersecurity and Infrastructure Security Agency (CISA) has added these flaws to its list of Known Exploited Vulnerabilities (KEV), confirming exploitation in the wild. Federal agencies have a three-week deadline to patch the software or stop using it altogether. This deadline ends on December 25, 2024.
Earth Kasha
The most dangerous of the flaws is an incorrect default permissions vulnerability discovered in CyberPanel. It has a severity rating of 10/10 (critical) and is tracked as CVE-2024-51378. It can be used to bypass authentication and execute arbitrary commands using shell metacharacters.
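The phrase "execute arbitrary commands using shell metacharacters" describes a command-injection pattern: a user-supplied value is pasted into a command line that a shell then interprets. The following is an added example, not CyberPanel's code, showing the vulnerable pattern beside two independent fixes (an allow-list on the value and shell-free argv execution). The function names, the hostname regex and the sample hostnames are constructed for illustration; `echo` stands in for whatever lookup tool the real application would call.

```python
"""Added example, not CyberPanel's code: how shell metacharacters in a
user-supplied value become command injection, and two independent fixes.
Function names and the sample hostnames below are constructed for illustration."""
import re
import subprocess

# Constructed attacker-controlled input: a hostname with a second command appended.
MALICIOUS_HOST = "example.com; echo INJECTED"
BENIGN_HOST = "example.com"

# Characters that change how /bin/sh interprets a command line.
SHELL_METACHARACTERS = set(";|&$`<>(){}\n\"'\\*?~![]")

# Strict allow-list for a DNS hostname (RFC 1123 labels joined by dots).
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def contains_shell_metacharacters(value: str) -> bool:
    """Deny-list check: True if any shell metacharacter is present."""
    return any(ch in SHELL_METACHARACTERS for ch in value)


def run_unsafe(hostname: str) -> str:
    """Vulnerable pattern: interpolate the value into a shell command line.
    'echo' stands in for the real lookup tool so the demo runs offline.
    With MALICIOUS_HOST the ';' ends the first command and a second one runs."""
    cmdline = f"echo resolving {hostname}"
    return subprocess.run(cmdline, shell=True, capture_output=True, text=True).stdout


def run_safe(hostname: str) -> str:
    """Hardened pattern: allow-list the value, then pass it as a single argv
    element with no shell involved, so metacharacters are never interpreted."""
    if not HOSTNAME_RE.match(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    result = subprocess.run(
        ["echo", "resolving", hostname], capture_output=True, text=True, check=True
    )
    return result.stdout


if __name__ == "__main__":
    print(run_unsafe(MALICIOUS_HOST), end="")  # prints two lines: the second command ran
    print(run_safe(BENIGN_HOST), end="")
    try:
        run_safe(MALICIOUS_HOST)
    except ValueError as exc:
        print(exc)
```

The allow-list is the primary control; the argv form is defence in depth, because even a value that slips past validation is handed to the program as one literal argument rather than re-parsed by a shell.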
Other notable mentions include an incorrectly mitigated XML External Entity (XXE) reference vulnerability, tracked as CVE-2023-45727, with a severity score of 7.5. Affected versions are Proself Enterprise/Standard Edition Ver5.62 and earlier, Proself Gateway Edition Ver1.65 and earlier, and Proself Mail Sanitize Edition Ver1.08.
Late last month, Trend Micro researchers said this bug was one of several used by the Chinese state-sponsored threat actor Earth Kasha (also known as MirrorFace). The group also used bugs in Array AG and Fortinet FortiOS/FortiProxy to establish initial access to their targets' endpoints.
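An XXE bug, and an "incorrect mitigation" of one, both come down to a parser that still honours a DTD in attacker-supplied XML. The following is an added example, not Proself's code, showing what such a payload looks like and a fail-closed guard that refuses any document carrying a DOCTYPE or ENTITY declaration before it reaches the parser, rather than relying on a particular parser feature being switched off. The sample documents, the `DtdNotAllowed` exception and the function names are constructed for illustration.

```python
"""Added example, not Proself's code: the classic XXE payload shape and a
fail-closed guard that refuses any document carrying a DTD before parsing.
The sample documents and function names are constructed for illustration."""
import re
import xml.etree.ElementTree as ET

# Constructed request body a benign client would send.
BENIGN_XML = b"""<?xml version="1.0"?>
<request><user>alice</user></request>"""

# Constructed XXE payload: the DTD declares an external entity that a parser
# which resolves external entities would expand into the <user> element.
XXE_XML = b"""<?xml version="1.0"?>
<!DOCTYPE request [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<request><user>&xxe;</user></request>"""

# Matches a DOCTYPE or ENTITY declaration anywhere in the document, case-
# insensitively. Flagging these even inside comments is deliberate: a
# legitimate API request never needs a DTD, so the check fails closed.
DTD_MARKER_RE = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


class DtdNotAllowed(ValueError):
    """Raised when a document carries a DTD, the vehicle for XXE."""


def reject_dtd(data: bytes) -> bytes:
    """Return data unchanged if it carries no DTD, else raise DtdNotAllowed."""
    if DTD_MARKER_RE.search(data):
        raise DtdNotAllowed("document contains a DTD; external entities are not allowed")
    return data


def is_xxe_attempt(data: bytes) -> bool:
    """Convenience predicate for logging or detection: True if the guard fires."""
    try:
        reject_dtd(data)
    except DtdNotAllowed:
        return True
    return False


def parse_request(data: bytes) -> dict:
    """Guard first, then parse with the standard library parser.
    Returns a mapping of child tag name to text for the root element."""
    root = ET.fromstring(reject_dtd(data))
    return {child.tag: (child.text or "") for child in root}


if __name__ == "__main__":
    print(parse_request(BENIGN_XML))  # {'user': 'alice'}
    print(is_xxe_attempt(XXE_XML))    # True
    try:
        parse_request(XXE_XML)
    except DtdNotAllowed as exc:
        print(exc)
```

Rejecting the DTD outright is coarser than disabling external-entity resolution in the parser, but it does not depend on which parser library, version or feature flag is in use, which is exactly where partial mitigations tend to go wrong.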
Additionally, a bug in ProjectSend versions before r1720 allows a remote, unauthenticated user to create accounts, upload web shells, and embed malicious JavaScript. It is tracked as CVE-2024-11680 and comes with a severity score of 9.8 (critical).
All bugs recently added to the KEV catalog are listed on CISA's website.
Via The Hacker News