Cyble Research Reports Critical Vulnerabilities Exposing Routers, Firewalls, and Web Servers
Overview
Cyble Research & Intelligence Labs (CRIL) has released its latest Weekly Vulnerability Insights report, covering the critical vulnerabilities observed between December 25, 2024, and December 31, 2024. The report highlights the key threats of the week, including the addition of a newly exploited vulnerability to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog.
The identified vulnerabilities have exposed a range of systems to active exploitation, with attackers leveraging flaws to compromise routers, firewalls, and web servers. During the reporting period, CISA added CVE-2024-3393, a high-severity vulnerability in Palo Alto Networks’ PAN-OS, to its KEV catalog. The flaw lies in how the DNS Security feature handles DNS packets: a malicious packet sent through a firewall with DNS Security logging enabled causes the device to reboot, and repeated triggering forces it into maintenance mode. It is being exploited in the wild as a denial of service against Palo Alto firewalls.
Weekly Vulnerability Insights report: Key Vulnerabilities and Exploits
The CRIL report also shares details on several critical vulnerabilities, including CVE-2024-33112, CVE-2022-37056, CVE-2019-10891, and CVE-2015-2051, which primarily affect D-Link products. These vulnerabilities, predominantly command injection flaws, have been exploited to deploy malware and often give attackers an initial foothold in the compromised network.
- CVE-2024-33112 (D-Link DIR-845L Router): This critical command injection vulnerability allows remote attackers to execute arbitrary commands on affected devices. Exploitation of this flaw has been linked to various botnets, such as Ficora and Capsaicin, which target outdated routers to facilitate further attacks.
- CVE-2022-37056 (D-Link GO-RT-AC750 GORTAC750_revA_v101b03): A command injection vulnerability that allows attackers to exploit a flaw in the router’s web interface, enabling unauthorized command execution.
- CVE-2019-10891 (D-Link DIR-806 Devices): This vulnerability allows attackers to inject arbitrary shell commands via specially crafted HTTP headers, leading to potential device compromise.
- CVE-2015-2051 (D-Link DIR-645 Wired/Wireless Router): Like the vulnerabilities above, this flaw allows attackers to execute arbitrary commands, in this case through the GetDeviceSettings action of the HNAP (Home Network Administration Protocol) interface.
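The four D-Link flaws above share one shape: user-controlled text from an HTTP request (an HNAP action name, a request header, a CGI parameter) reaches a shell. That shape is also what the Four-Faith and DrayTek command injections described later in the report exploit, so a single request-inspection rule covers the whole family. The following is an added detection example, not code from the CRIL report or from any vendor: it scans constructed JSON-lines HTTP request records (of the kind a reverse proxy or network sensor in front of a management interface might emit) and flags shell metacharacters in HNAP headers and CGI parameter values. The record format, the sample requests, the list of HNAP headers inspected, and the parameter names are all assumptions made for the example.

```python
import json
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Characters and tokens that terminate or chain shell commands. A legitimate
# HNAP action name or router CGI parameter value never needs any of them.
SHELL_META = re.compile(r"[;`|\n]|\$\(|&&")

HNAP_PREFIX = "/HNAP1"

# Request headers that D-Link HNAP handlers read and that known command
# injections have abused (assumption for this example; extend per firmware).
# Content-Type and Cookie are deliberately excluded: both contain ';' legitimately.
HNAP_HEADERS = ("soapaction", "authorization", "hnap_auth")


def _suspicious(value):
    """True if the percent-decoded value contains a shell metacharacter."""
    return bool(SHELL_META.search(unquote(value)))


def classify_request(req):
    """Return a list of (rule, evidence) findings for one request record.

    req is a dict with 'method', 'path' (may include a query string),
    'headers' (dict) and an optional form-encoded 'body'.
    """
    findings = []
    parts = urlsplit(req["path"])
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}

    # Rule 1: shell metacharacters in headers consumed by the HNAP handler.
    if parts.path.startswith(HNAP_PREFIX):
        for name in HNAP_HEADERS:
            val = headers.get(name)
            if val is not None and _suspicious(val):
                rule = ("hnap-soapaction-injection" if name == "soapaction"
                        else "hnap-header-injection")
                findings.append((rule, f"{name}: {val}"))

    # Rule 2: shell metacharacters in CGI parameter values (query or body).
    # Values are checked individually so '&' separating parameters never fires.
    if "/cgi-bin/" in parts.path or parts.path.endswith(".cgi"):
        for key, val in parse_qsl(parts.query, keep_blank_values=True):
            if _suspicious(val):
                findings.append(("cgi-param-injection", f"{key}={val}"))
        for key, val in parse_qsl(req.get("body", ""), keep_blank_values=True):
            if _suspicious(val):
                findings.append(("cgi-body-injection", f"{key}={val}"))
    return findings


def scan(records):
    """Run classify_request over JSON-lines text; return the flagged entries."""
    hits = []
    for line in records.splitlines():
        if not line.strip():
            continue
        req = json.loads(line)
        findings = classify_request(req)
        if findings:
            hits.append({"src": req.get("src"), "path": req["path"],
                         "findings": findings})
    return hits


# Constructed sample records (not real traffic). Line 1 is a benign HNAP call,
# line 5 a benign CGI request; lines 2-4 carry injection attempts.
SAMPLE_LOG = r"""
{"src": "203.0.113.7", "method": "POST", "path": "/HNAP1/", "headers": {"Host": "192.168.0.1", "Content-Type": "text/xml; charset=utf-8", "SOAPAction": "\"http://purenetworks.com/HNAP1/GetDeviceSettings\""}}
{"src": "198.51.100.23", "method": "POST", "path": "/HNAP1/", "headers": {"Host": "192.168.0.1", "Content-Type": "text/xml; charset=utf-8", "SOAPAction": "\"http://purenetworks.com/HNAP1/GetDeviceSettings/`id`\""}}
{"src": "198.51.100.23", "method": "GET", "path": "/HNAP1/", "headers": {"Host": "192.168.0.1", "Authorization": "Basic YWRtaW46; id"}}
{"src": "198.51.100.40", "method": "POST", "path": "/cgi-bin/apply.cgi", "headers": {"Host": "192.168.0.1", "Content-Type": "application/x-www-form-urlencoded"}, "body": "year=2024%3Bid&month=12"}
{"src": "203.0.113.9", "method": "GET", "path": "/cgi-bin/status.cgi?page=1&refresh=5", "headers": {"Host": "192.168.0.1"}}
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["src"], hit["path"], hit["findings"])
```

The rule set is intentionally narrow: it inspects only the headers and parameter values that reach a command handler, rather than the whole request, so routine `;` in Content-Type or Cookie and `&` between form fields do not generate noise. Feeding the same records from a SIEM pipeline gives a per-source view of who is probing HNAP and CGI endpoints before the access logs show a payload download.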
In addition to these, several vulnerabilities with broad internet exposure were found in other widely used systems:
- CVE-2024-12856 (Four-Faith Routers): An OS command injection vulnerability that affects Four-Faith router models used in Internet of Things (IoT) environments. Attackers can execute arbitrary commands via HTTP requests, with some reports indicating active exploitation of this flaw to establish reverse shells.
- CVE-2024-45387 (Apache Traffic Control): This SQL injection vulnerability in Apache Traffic Ops, a component critical for managing Content Delivery Networks (CDNs), allows privileged users to execute arbitrary SQL commands, potentially compromising the underlying database.
- CVE-2024-43441 (Apache HugeGraph-Server): This vulnerability enables an authentication bypass, allowing attackers to access data without proper authorization in Apache HugeGraph, an open-source graph database.
- CVE-2024-52046 (Apache MINA): A remote code execution (RCE) vulnerability in the Apache MINA network application framework. The flaw is in ObjectSerializationDecoder, which uses Java's native deserialization without adequate restrictions on the classes it will deserialize; an attacker who can deliver a crafted serialized object to an application using that decoder can execute arbitrary code on the host.
Vulnerabilities Discussed on Underground Forums
CRIL also reported on ongoing discussions in underground forums, where cybercriminals actively share exploits and Proof of Concepts (PoCs) for newly discovered vulnerabilities. Key vulnerabilities discussed include:
- CVE-2023-21554 (Microsoft Message Queuing): A critical RCE vulnerability in Microsoft’s MSMQ service. This flaw, known as “QueueJumper,” was highlighted by a forum user offering to purchase access to vulnerable servers.
- CVE-2024-9122 (Google Chrome): A Type Confusion vulnerability in Google Chrome, affecting versions prior to 129.0.6668.70. Exploitation of this flaw could allow attackers to execute arbitrary code on affected systems.
- CVE-2024-54152 (Angular Expressions): A critical code injection vulnerability in the angular-expressions library, a standalone package derived from AngularJS's expression parser. Evaluating attacker-controlled expressions with a vulnerable version of the library can allow arbitrary code execution in the host application.
- CVE-2024-21182 (Oracle WebLogic Server): A high-severity RCE vulnerability in Oracle’s WebLogic Server, allowing attackers to exploit the flaw to gain control of vulnerable systems without needing any authentication.
- CVE-2024-12987 (DrayTek Vigor Routers): A critical command injection vulnerability affecting DrayTek Vigor2960 and Vigor300B routers. Attackers can exploit this flaw remotely to execute arbitrary commands on affected devices.
Recommendations and Mitigations
To defend against these vulnerabilities, CRIL recommends the following best practices:
- Apply the latest patches from official vendors promptly to all systems and devices; the flaws in this report are being exploited precisely because unpatched, internet-facing routers and servers remain common.
- Establish a comprehensive patch management process that includes regular patch assessments, testing, and deployment. Automating this process helps ensure that critical patches are applied without delay.
- Limit the exposure of critical infrastructure by dividing networks into secure segments. This prevents attackers from moving freely within a network and helps protect sensitive systems from internet-facing threats.
- Develop and maintain an incident response plan to ensure a coordinated and effective response to security incidents. Regularly test and update the plan to ensure it is aligned with current threat levels.
- Implement monitoring solutions to detect and log malicious activities. Utilizing SIEM (Security Information and Event Management) systems can help organizations identify suspicious activities in real-time and respond to mitigate damage.
- Enforce strong password policies, encourage regular password changes, and implement Multi-Factor Authentication (MFA) to reduce the risk of unauthorized access.
- Regularly perform vulnerability assessments and penetration testing (VAPT) to identify and remediate security flaws within systems.
Conclusion
The December Weekly Vulnerability Insights Report highlights the persistent threat posed by both known and newly discovered vulnerabilities. With CVE-2024-3393 now included in the CISA KEV catalog and ongoing exploitation of flaws like CVE-2024-33112 and CVE-2022-37056, attackers are clearly targeting a wide range of systems, from mainstream to niche, and continue to draw on years-old flaws such as CVE-2015-2051 alongside new ones.
Organizations must act quickly to patch vulnerabilities and strengthen their cybersecurity posture to protect against these critical risks. Cyble, with its AI-driven threat intelligence and advanced platforms like Cyble Vision, empowers businesses to stay ahead of cyber threats. By leveraging Cyble’s solutions and adhering to the recommendations in this report, organizations can enhance their defenses and protect their infrastructure and sensitive data from exploitation.