Atos, contractor for French military and intelligence agencies, dismisses ransomware attack claims

Atos, the company that secures communications for France’s military and intelligence services, says a ransomware group’s claims are “unfounded.”

The Record from Recorded Future News

In Other News: Volkswagen Data Leak, DoubleClickjacking, China Denies Hacking US Treasury

Noteworthy stories that might have slipped under the radar: location data of 800,000 electric Volkswagen cars leaked, DoubleClickjacking attack, China denies hacking US Treasury.


SecurityWeek

Cyble Research Reports Critical Vulnerabilities Exposing Routers, Firewalls, and Web Servers

Weekly Vulnerability Insights

Overview 

Cyble Research & Intelligence Labs (CRIL) has released its latest Weekly Vulnerability Insights report, offering a detailed overview of the critical vulnerabilities discovered between December 25, 2024, and December 31, 2024. The report highlights key security threats and vulnerabilities, including the addition of a major exploit to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. 

The identified vulnerabilities have exposed a range of systems to active exploitation, with attackers leveraging flaws to compromise routers, firewalls, and web servers. During the reporting period, CISA incorporated CVE-2024-3393, a high-severity vulnerability in Palo Alto Networks’ PAN-OS, into its KEV catalog. This flaw, which affects the PAN-OS DNS packet handling, is actively being exploited by attackers to disable Palo Alto firewalls by forcing them to reboot, disrupting service for users worldwide.  

Weekly Vulnerability Insights report: Key Vulnerabilities and Exploits 

The CRIL report also shares details on several critical vulnerabilities, including CVE-2024-33112, CVE-2022-37056, CVE-2019-10891, and CVE-2015-2051, which primarily affect D-Link products. These vulnerabilities, predominantly command injection flaws, have been exploited by attackers to deploy malware, often providing them with an initial foothold within compromised networks.

  1. CVE-2024-33112 (D-Link DIR-845L Router): This critical command injection vulnerability allows remote attackers to execute arbitrary commands on affected devices. Exploitation of this flaw has been linked to various botnets, such as Ficora and Capsaicin, which target outdated routers to facilitate further attacks.

  2. CVE-2022-37056 (D-Link GO-RT-AC750 GORTAC750_revA_v101b03): A command injection vulnerability that allows attackers to exploit a flaw in the router’s web interface, enabling unauthorized command execution.

  3. CVE-2019-10891 (D-Link DIR-806 Devices): This vulnerability allows attackers to inject arbitrary shell commands via specially crafted HTTP headers, leading to potential device compromise.

  4. CVE-2015-2051 (D-Link DIR-645 Wired/Wireless Router): Similar to the above vulnerabilities, this flaw allows attackers to execute arbitrary commands by exploiting a GetDeviceSettings action in the HNAP interface.

In addition to these, several vulnerabilities with broad internet exposure were found in other widely used systems: 

  • CVE-2024-12856 (Four-Faith Routers): An OS command injection vulnerability that affects Four-Faith router models used in Internet of Things (IoT) environments. Attackers can execute arbitrary commands via HTTP requests, with some reports indicating active exploitation of this flaw to establish reverse shells. 

  • CVE-2024-45387 (Apache Traffic Control): This SQL injection vulnerability in Apache Traffic Ops, a component critical for managing Content Delivery Networks (CDNs), allows privileged users to execute arbitrary SQL commands, potentially compromising the underlying database. 

  • CVE-2024-43441 (Apache HugeGraph-Server): This vulnerability enables an authentication bypass, allowing attackers to access data without proper authorization in Apache HugeGraph, an open-source graph database. 

  • CVE-2024-52046 (Apache MINA): A remote code execution (RCE) vulnerability affecting the Apache MINA framework used in network applications. By exploiting this flaw, attackers can gain unauthorized control over systems. 

Vulnerabilities Discussed on Underground Forums 

CRIL also reported on ongoing discussions in underground forums, where cybercriminals actively share exploits and Proof of Concepts (PoCs) for newly discovered vulnerabilities. Key vulnerabilities discussed include: 

  • CVE-2023-21554 (Microsoft Message Queuing): A critical RCE vulnerability in Microsoft’s MSMQ service. This flaw, known as “QueueJumper,” was highlighted by a forum user offering to purchase access to vulnerable servers. 

  • CVE-2024-9122 (Google Chrome): A Type Confusion vulnerability in Google Chrome, affecting versions prior to 129.0.6668.70. Exploitation of this flaw could allow attackers to execute arbitrary code on affected systems. 

  • CVE-2024-54152 (AngularJS): A critical code injection vulnerability in the Angular Expressions library, which could allow attackers to execute arbitrary code on systems running vulnerable versions of AngularJS. 

  • CVE-2024-21182 (Oracle WebLogic Server): A high-severity RCE vulnerability in Oracle’s WebLogic Server, allowing attackers to exploit the flaw to gain control of vulnerable systems without needing any authentication. 

  • CVE-2024-12987 (DrayTek Vigor Routers): A critical command injection vulnerability affecting DrayTek Vigor2960 and Vigor300B routers. Attackers can exploit this flaw remotely to execute arbitrary commands on affected devices. 

Recommendations and Mitigations 

To defend against these vulnerabilities, CRIL recommends the following best practices: 

  1. Ensure that the latest patches from official vendors are promptly applied to all systems and devices. This minimizes the risk of exploitation by reducing the attack surface available to threat actors.

  2. Organizations should establish a comprehensive patch management process that includes regular patch assessments, testing, and deployment. Automating this process can help ensure that critical patches are applied without delay.

  3. Limit the exposure of critical infrastructure by dividing networks into secure segments. This prevents attackers from moving freely within a network and helps protect sensitive systems from internet-facing threats.

  4. Develop and maintain an incident response plan to ensure a coordinated and effective response to security incidents. Regularly test and update the plan to ensure it is aligned with current threat levels.

  5. Implement monitoring solutions to detect and log malicious activities. Utilizing SIEM (Security Information and Event Management) systems can help organizations identify suspicious activities in real time and respond to mitigate damage.

  6. Enforce strong password policies, encourage regular password changes, and implement Multi-Factor Authentication (MFA) to reduce the risk of unauthorized access.

  7. Regularly perform vulnerability assessments and penetration testing (VAPT) to identify and remediate security flaws within systems.

Conclusion 

The December Weekly Vulnerability Insights Report highlights the persistent threat posed by both known and newly discovered vulnerabilities. With CVE-2024-3393 now included in the CISA KEV catalog and ongoing exploitation of flaws like CVE-2024-33112 and CVE-2022-37056, it’s evident that attackers are targeting a wide range of systems, from mainstream to niche. 

Organizations must act quickly to patch vulnerabilities and strengthen their cybersecurity posture to protect against these critical risks. Cyble, with its AI-driven threat intelligence and advanced platforms like Cyble Vision, empowers businesses to stay ahead of cyber threats. By leveraging Cyble’s solutions and adhering to the recommendations in this report, organizations can enhance their defenses and protect their infrastructure and sensitive data from exploitation. 


Blog – Cyble

Exploit Code Published for Potentially Dangerous Windows LDAP Vulnerability

Proof-of-concept (PoC) code was published for CVE-2024-49113, a denial-of-service (DoS) vulnerability in Windows LDAP.


SecurityWeek

FireScam Android Malware Packs Infostealer, Spyware Capabilities

The FireScam Android infostealer monitors app notifications and harvests credentials and financial data and sends it to a Firebase database.


SecurityWeek

New York Hospital Says Ransomware Attack Data Breach Impacts 670,000

Richmond University Medical Center has been investigating a ransomware attack since May 2023 and recently determined that it affects 670,000 people.


SecurityWeek

CERT-In Issues Alert on WPForms Vulnerability That Can Disrupt Payment and Subscription Services


Overview 

The Indian Computer Emergency Response Team (CERT-In) has issued an alert regarding a critical security vulnerability in the WPForms plugin for WordPress. The flaw, identified as CVE-2024-11205, could allow attackers to bypass authorization controls and perform payment refunds and subscription cancellations on Stripe-powered websites.  

This WPForms plugin vulnerability, affecting WPForms versions 1.8.4 through 1.9.2.1, leaves WordPress sites vulnerable to exploitation by authenticated users with lower-level permissions. The vulnerability was disclosed publicly on December 9, 2024, by Wordfence researchers, and a patch was made available in WPForms version 1.9.2.2. 

The flaw stems from the absence of a capability check in the wpforms_is_admin_page function. This function is responsible for determining whether a user is accessing the admin interface via an AJAX request. Without proper authorization checks, attackers with Subscriber-level access or higher could bypass the restrictions and execute critical actions such as refunds and subscription cancellations on Stripe-powered sites. 

This vulnerability has been documented in the CIVN-2025-0001 Vulnerability Note, issued by CERT-In on January 1, 2025, indicating a High severity rating. Websites that rely on WPForms for financial transactions are particularly at risk of unauthorized modifications to their data, potentially causing significant financial losses and disruption of services.

Technical Details of the WPForms Plugin Vulnerability (CVE-2024-11205) 

The vulnerability exists in versions 1.8.4 through 1.9.2.1 of the WPForms plugin, where the wpforms_is_admin_ajax function lacks proper checks to ensure that the user requesting sensitive actions is authorized to do so. This function is intended to confirm whether a request originates from an admin interface, but because it does not perform capability checks, attackers can exploit the flaw to trigger ajax_single_payment_refund and ajax_single_payment_cancel functions.

These functions are used to process Stripe payments, but in the vulnerable versions of WPForms, they can be exploited by authenticated users with as little as Subscriber-level access. While nonce protection exists to prevent attacks such as Cross-Site Request Forgery (CSRF), authenticated attackers can bypass this protection by obtaining the nonce. This means that an attacker could potentially: 

  • Initiate unauthorized refunds for legitimate payments, resulting in financial harm to businesses. 
  • Cancel active subscriptions, disrupting services and harming customer relationships. 

These unauthorized actions could lead to a loss of revenue, significant operational costs, and reputational damage, particularly for businesses that rely on WPForms for managing payments and subscriptions. 
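To make the root cause concrete, the following is an added illustration written for this digest, not WPForms' or Wordfence's code. It shows a generic WordPress AJAX handler for a hypothetical refund action in two shapes: the vulnerable one, where only a nonce is verified (which stops CSRF but, as the text notes, not an authenticated Subscriber who can read the nonce), and the hardened one, where a capability check is added. The action name, nonce name, and helper `demo_process_refund` are assumptions for the example; `check_ajax_referer`, `current_user_can`, `wp_send_json_error`, and `wp_send_json_success` are standard WordPress functions.

```php
<?php
// Added example (not WPForms' code): a generic WordPress AJAX refund handler,
// first in the vulnerable shape, then hardened with a capability check.
// Names such as demo_single_payment_refund, demo_refund_nonce and
// demo_process_refund are assumptions for this illustration.

/**
 * VULNERABLE PATTERN.
 * The nonce proves the request was submitted deliberately from a page the
 * caller loaded (anti-CSRF). It says nothing about *who* the caller is, so any
 * logged-in user who can obtain the nonce, Subscriber and up, passes this gate.
 */
function demo_refund_vulnerable() {
    check_ajax_referer( 'demo_refund_nonce', 'nonce' );

    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    if ( ! $payment_id ) {
        wp_send_json_error( 'missing payment id', 400 );
    }

    demo_process_refund( $payment_id ); // would call the payment provider
    wp_send_json_success();
}

/**
 * HARDENED PATTERN.
 * Two independent checks: the nonce (intent) and the capability (authority).
 * 'manage_options' is administrator-only in a default WordPress install; a
 * plugin-specific capability mapped to the right roles works equally well.
 */
function demo_refund_hardened() {
    check_ajax_referer( 'demo_refund_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        // Log the denial: repeated 403s from a low-privilege account on a
        // refund endpoint are the signal a defender wants to see.
        error_log( sprintf(
            'demo_refund: capability check failed for user %d',
            get_current_user_id()
        ) );
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    if ( ! $payment_id ) {
        wp_send_json_error( 'missing payment id', 400 );
    }

    demo_process_refund( $payment_id );
    wp_send_json_success();
}

/**
 * Placeholder for the provider call (e.g. a Stripe refund). Kept as a stub so
 * the example has no external dependency.
 */
function demo_process_refund( $payment_id ) {
    // ... provider-specific refund logic would go here ...
}

// Register only the hardened handler. There is deliberately no
// wp_ajax_nopriv_ registration: unauthenticated requests never reach it.
add_action( 'wp_ajax_demo_single_payment_refund', 'demo_refund_hardened' );
```

The point the two versions make is that a nonce and an authorization check answer different questions. A nonce alone is exactly the state of affairs the text describes for the vulnerable WPForms versions: authenticated attackers who obtain the nonce are not stopped. Reviewers auditing AJAX handlers that move money should look for a `current_user_can` (or equivalent) check on every privileged action, not just a `check_ajax_referer` call.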

Exploitation Scenario 

The vulnerability allows attackers with Subscriber-level access or higher to exploit the ajax_single_payment_refund and ajax_single_payment_cancel functions. Normally, these actions are restricted to administrators, but the missing capability checks allow lower-level users to initiate them. 

Once an attacker gains access to these functions, they can initiate unauthorized refunds for Stripe payments and cancel active subscriptions. This could result in:

  • Significant revenue loss from unauthorized refunds.
  • Interruption of customer services through cancelled subscriptions, leading to customer dissatisfaction and churn.
  • Loss of customer trust and harm to the business’s reputation from unauthorized transactions.

Given WPForms’ widespread use, this flaw affects millions of WordPress websites, with businesses of all sizes being vulnerable to exploitation. 

Remediation and Patch Details 

WPForms quickly addressed the issue by releasing a patched version of the plugin, version 1.9.2.2, on November 18, 2024. Users who are running versions 1.8.4 through 1.9.2.1 are strongly advised to update to the latest version immediately to protect their websites from exploitation. 

In addition to the patch, Wordfence, a leading security service for WordPress, took swift action to protect its users. On November 15, 2024, Wordfence Premium, Care, and Response users received a firewall rule to protect against potential exploits targeting this vulnerability. Protection for users of the free version of Wordfence was rolled out on December 15, 2024. 

The impact of this CVE-2024-11205 vulnerability is severe for businesses that rely on WPForms to manage payments and subscriptions via Stripe. If exploited, the vulnerability could result in: 

  • Financial damage from unauthorized refunds and subscription cancellations. 
  • Disruption of business operations, particularly for e-commerce sites that rely on WPForms for processing payments. 
  • Loss of customer trust, as attackers could interfere with services and create doubts about the site’s security. 

Conclusion 

The CVE-2024-11205 vulnerability poses a risk to WPForms users, allowing attackers with Subscriber-level access or higher to initiate unauthorized payment refunds and cancel subscriptions. To mitigate this threat, it is crucial for users to update to the latest patched version, 1.9.2.2, which addresses the issue. The vulnerability’s potential impact on financial transactions and business operations makes it imperative for WordPress site administrators to prioritize this update, particularly those using WPForms for payment and subscription management. 



Blog – Cyble

LDAPNightmare PoC Exploit Crashes LSASS and Reboots Windows Domain Controllers

A proof-of-concept (PoC) exploit has been released for a now-patched security flaw impacting Windows Lightweight Directory Access Protocol (LDAP) that could trigger a denial-of-service (DoS) condition.
The out-of-bounds reads vulnerability is tracked as CVE-2024-49113 (CVSS score: 7.5). It was addressed by Microsoft as part of Patch Tuesday updates for December 2024, alongside CVE-2024-49112 (

The Hacker News

TotalAV VPN vs Surfshark: Which VPN Should You Choose?

TotalAV combines a simple VPN with antivirus software, while Surfshark offers a standalone VPN with better features and faster speeds.

Security | TechRepublic

Critical Deadline: Update Old .NET Domains Before January 7, 2025 to Avoid Service Disruption

Microsoft has announced that it’s making an “unexpected change” to the way .NET installers and archives are distributed, requiring developers to update their production and DevOps infrastructure.
“We expect that most users will not be directly affected, however, it is critical that you validate if you are affected and to watch for downtime or other kinds of breakage,” Richard Lander, a program

The Hacker News