The cybersecurity landscape has seen a surge in critical vulnerabilities and exploits over the past month, impacting widely used software and cloud services. These CVEs have various implications for security across organizations, highlighting the need for vigilance in patch management and cybersecurity defenses. Explore some of the most impactful CVEs disclosed during November and early December 2024.
As we near the end of 2024, the cybersecurity landscape continues to be shaped by new and emerging vulnerabilities that demand immediate attention. In this blog post, we explore some of the most impactful CVEs disclosed during November and early December 2024.
These vulnerabilities span a wide array of systems and software, showcasing the diversity of attack vectors and the critical need for proactive security measures. From remote code execution flaws to privilege escalation vulnerabilities, each CVE on this list represents a significant risk to organizations and individuals alike.
Whether you’re a security professional, IT admin, or simply someone concerned about digital safety, this roundup will provide insights into these critical threats and what can be done to mitigate them.
Palo Alto Networks has disclosed two severe vulnerabilities affecting PAN-OS: CVE-2024-0012, an authentication bypass flaw, and CVE-2024-9474, a privilege escalation vulnerability. These vulnerabilities have been actively exploited in the wild since November 2024, allowing unauthenticated attackers to gain remote code execution (RCE) and escalate privileges to administrator level.
When these vulnerabilities are chained, an attacker can exploit the management interface of PAN-OS, gain administrative access, and execute arbitrary actions on affected systems. These vulnerabilities have been linked to exploitation observed in cloud environments, with at least 2,000 compromised instances reported globally.
The combined exploitation of CVE-2024-0012 and CVE-2024-9474 allows attackers to bypass authentication, escalate privileges, and execute arbitrary code on PAN-OS devices. Since the publication of a proof-of-concept (PoC) on November 19, 2024, exploitation activity has sharply increased. Attackers are deploying malicious payloads, including web shells, crypto miners, and Sliver implants.
The attack has been observed by Wiz researchers in various cloud environments, with 24% of enterprise cloud environments containing vulnerable PAN-OS devices. Approximately 7% of these devices are exposed to unauthenticated remote code execution due to their internet-facing status.
Wiz researchers have observed several malicious actions following the exploitation of these vulnerabilities, including the deployment of simple web shells for remote access.
Some attacks involve the use of the Sliver implant for further command-and-control (C2) communication, with the IP address 77.221.158[.]154 used for C2 activity. The presence of these implants suggests an ongoing effort by threat actors to exploit vulnerable PAN-OS devices for a variety of malicious purposes.
These versions are vulnerable to both CVE-2024-0012 and CVE-2024-9474. Organizations running affected versions must take immediate action to mitigate these risks.
To protect systems from these vulnerabilities, security teams should:
By promptly applying patches and securing management interfaces, organizations can significantly reduce the risk of exploitation associated with these critical vulnerabilities.
CVE-2024-11667 is a directory traversal vulnerability that could allow attackers to upload or download files via a specially crafted URL.
A security update has been issued to specifically address vulnerabilities in various Zyxel products. Users with affected versions are strongly advised to update to the latest version to mitigate the risks.
The affected products for CVE-2024-11667 are as follows:
Patches addressing this vulnerability are available in the latest firmware updates. To resolve the issue, users should upgrade to Zyxel ZLD Firewall firmware version 5.39 or later.
Additionally, the CISA (Cybersecurity and Infrastructure Security Agency) has added several vulnerabilities affecting Zyxel, North Grid Proself, ProjectSend, and CyberPanel products to its Known Exploited Vulnerabilities (KEV) catalog, citing ongoing exploitation in active cyberattacks.
The vulnerabilities listed include:
CVE-2023-45727 was included in the KEV catalog following a Trend Micro report last November which linked its exploitation to the Earth Kasha (MirrorFace) cyber espionage group associated with China.
Furthermore, VulnCheck reported last week that CVE-2024-11680 has been targeted by cybercriminals since at least September 2024 for dropping post-exploitation payloads.
The vulnerabilities CVE-2024-51378 and CVE-2024-11667 have been linked to ransomware campaigns such as PSAUX and Helldown, according to researchers at Censys and Sekoia.
CISA has urged Federal Civilian Executive Branch (FCEB) agencies to apply fixes for these vulnerabilities by December 25, 2024, to protect their networks.
Veeam has recently released patches to address a critical remote code execution (RCE) vulnerability, CVE-2024-42448, affecting its Service Provider Console (VSPC). With a CVSS score of 9.9, this flaw allows attackers to execute arbitrary code remotely on vulnerable servers, potentially leading to severe security breaches.
In its advisory, Veeam provides details of the two vulnerabilities:
Both vulnerabilities impact Veeam Service Provider Console 8.1.0.21377 and all earlier versions in the 7 and 8 builds. The flaws have been resolved in version 8.1.0.21999. Unsupported versions are presumed to be vulnerable as well, so upgrading is highly recommended.
Since the potential consequences of these vulnerabilities are severe, immediate action is Critical. Successful exploitation of these flaws would result in the execution of arbitrary code, potentially taking full control of affected servers, severe data Breaches gaining access tp sensitive data (including NTLM hashes), operational disruption such as disrupting or disabling services, eventually and finally resulting in significant business interruptions.
Additionally, similar vulnerabilities have been exploited by ransomware groups in the past, amplifying the risk of cyberattacks.
To protect your infrastructure, security managers should:
Veeam’s prompt patching of CVE-2024-42448 and CVE-2024-42449 underscores the importance of timely system updates to protect against critical vulnerabilities. Given the severity of these flaws, organizations using VSPC must act swiftly to upgrade to the latest version to safeguard their systems from potential exploitation.
A critical vulnerability in Mitel MiCollab has been exploited in the wild, allowing attackers to gain unauthorized access to sensitive files and potentially execute administrative actions. The flaw, identified as CVE-2024-41713 (CVSS score: 9.8), stems from insufficient input validation within the NuPoint Unified Messaging (NPM) component of the system, enabling a path traversal attack.
Mitel MiCollab, a platform combining chat, voice, video, and SMS messaging services, integrates with Microsoft Teams and other applications. NPM, a voicemail system for server-based communication, allows users to access messages remotely or via clients like Microsoft Outlook.
The vulnerability was uncovered by WatchTowr Labs, who discovered it while investigating another critical flaw in the NPM component, CVE-2024-35286 (CVSS score: 9.8), which allowed arbitrary database and management operations. Mitel addressed the latter flaw in May 2024 with an update to MiCollab version 9.8 SP1 (9.8.1.5).
The identified issue arises when an attacker manipulates the ReconcileWizard component by injecting a path traversal string (“..;/”) into the HTTP request. This input can grant attackers access to sensitive system information, such as /etc/passwd, without the need for authentication.
In addition to the path traversal, the flaw can be chained with an existing unpatched post-authentication arbitrary file read vulnerability, allowing an attacker to further extract critical information.
Mitel has warned that successful exploitation of this vulnerability could compromise the confidentiality, integrity, and availability of the affected systems. The advisory states that the flaw could lead to unauthorized access to provisioning data, non-sensitive user and network information, and unauthorized administrative actions on MiCollab servers.
The vulnerability was patched in MiCollab 9.8 SP2 (9.8.2.12), which was released on October 9, 2024. This update also addressed another critical issue, CVE-2024-47223, a SQL injection vulnerability in the Audio, Web, and Video Conferencing (AWV) component, which had the potential to allow arbitrary database query execution and information disclosure.
Security researcher Sonny Macdonald highlighted that this investigation serves as an important reminder: full source code access isn’t always necessary to discover vulnerabilities. A combination of CVE research and effective online search techniques can also lead to the identification of critical security flaws.
The disclosure of CVE-2024-41713 underscores the importance of keeping systems up to date and securing critical communication infrastructure from potential attacks.
In November 2024, researchers from Zero Day Initiative (ZDI) disclosed a critical vulnerability in the widely used open-source file archiving software, 7-Zip. Tracked as CVE-2024-11477, this flaw allows remote attackers to execute arbitrary code on affected systems by exploiting an issue in the Zstandard decompression library.
This vulnerability was first identified earlier in 2024 and reported to 7-Zip in June.
The vulnerability stems from an integer underflow within 7-Zip’s implementation of Zstandard decompression. When user-supplied data is inadequately validated during the decompression process, it can lead to an underflow that allows remote code execution.
This flaw specifically affects 7-Zip versions prior to 24.07, including version 24.06. While user interaction is required to exploit this vulnerability (typically through the decompression of a specially crafted file), the attack vector can vary depending on how 7-Zip is implemented on a system.
Despite the flaw being rated with a CVSS score of 7.8, classifying it as high-severity, there have been no active exploits of this vulnerability observed in the wild. However, a malicious actor has uploaded a fake proof-of-concept file on GitHub, leading to a phishing landing page. The URL associated with this file was flagged as malicious on VirusTotal.
If exploited, this vulnerability could allow an attacker to execute arbitrary code on the affected system.
The scope of potential damage includes unauthorized data access, system hijacking, and the possibility of malware propagation within an organization’s network. The extent of the impact would depend on the system’s permissions at the time of the attack.
To mitigate the risk posed by CVE-2024-11477, users and organizations should take immediate action to update to 7-Zip version 24.07 or later. This patched version addresses the vulnerability and secures the decompression library.
In addition to upgrading software, the following best practices are recommended:
CVE-2024-11477 presents a significant security risk for users of 7-Zip, especially as compressed files are commonly used in malicious email campaigns to distribute malware.
While there are no active exploits yet, the potential for weaponization of this vulnerability remains high. Timely updates, secure configuration, and vigilant monitoring are crucial to protect systems from this and similar vulnerabilities.
CVE-2024-43498 is a critical Remote Code Execution (RCE) vulnerability affecting the System.Formats.Nrbf
package used in .NET 9.0 applications. This vulnerability allows remote unauthenticated attackers to send specially crafted requests or files, which can lead to arbitrary code execution on the server.
This flaw is critical as it could lead to data breaches, unauthorized access, and potential further exploitation of vulnerable systems. It affects any .NET 9.0 application running on versions prior to 9.0.0
.
According to Microsoft’s advisory on this issue, the RCE flaw in .NET and Visual Studio that could be triggered by sending a “specially crafted requests to a vulnerable .NET webapp or by loading a specially crafted file into a vulnerable desktop app” as mentioned also by Trend Micro’s Zero Day Initiative.
If your application uses the System.Formats.Nrbf
package and is running on .NET 9.0 versions prior to 9.0.0
, you are affected. The vulnerability allows attackers to exploit deserialization issues, executing arbitrary code remotely. To verify whether this applies you should either:
packages.config
file or use the NuGet Package Manager to confirm whether System.Formats.Nrbf
is included, and if so, verify the version number.dotnet --info
command to identify the .NET runtime and SDK versions installed on your system.There is no current confirmation of active exploitation in the wild for this vulnerability. However, due to its potential for remote code execution, it is critical to apply patches and mitigations promptly to reduce the risk of exploitation.
Since this high-risk vulnerability in the System.Formats.Nrbf
package can lead to remote code execution, it is essential to apply the necessary updates to your .NET
runtime and SDK as well as update the affected package to version 9.0.0
or later.
Failure to do so may expose your applications to critical security risks. To mitigate this vulnerability:
Update the .NET Runtime and SDK:
Download and install the updated version of .NET 9.0 Runtime
or .NET 9.0.100 SDK
to ensure the latest patches are applied. Visual Studio users will be prompted to update Visual Studio, which will also update the required .NET SDKs.
Update the Vulnerable Package:
If your application references the System.Formats.Nrbf
package, update to version 9.0.0
or later. This can be done with the following command:
Recompile and Redeploy Self-contained Applications:
If you’ve deployed self-contained applications targeting affected versions, these must be recompiled and redeployed to ensure they are no longer vulnerable.
If your application does not use the NrbfDecoder
component, you are not affected by this vulnerability. However, a temporary workaround for those who do use it is to avoid processing untrusted data or requests until the patch is applied.
SailPoint IdentityIQ, a widely-used identity and access management (IAM) platform, has been found to harbor a critical security vulnerability, tracked as CVE-2024-10905. With a maximum CVSS score of 10.0, this flaw poses a severe risk, potentially allowing attackers unauthorized access to sensitive data and critical system files.
CVE-2024-10905 impacts IdentityIQ versions 8.2, 8.3, 8.4, and earlier releases. Enterprises reliant on this platform for managing user access and safeguarding proprietary information face heightened risks without immediate remediation.
The vulnerability arises from improper handling of API requests and static content stored within the application directory. Specifically, inadequate input validation and improper access control mechanisms enable attackers to exploit API endpoints, bypass authentication, and execute arbitrary code. Once exploited, this flaw can grant malicious actors access to sensitive resources and potentially escalate privileges within the system.
Key steps in the exploitation process include:
The vulnerability affects the following SailPoint IdentityIQ versions:
Organizations running any of these versions must act urgently to mitigate risks. The risks associated with CVE-2024-10905 are multifaceted:
Industries such as finance, healthcare, government, and technology—those that store high-value or sensitive data—are particularly vulnerable.
To address the risks posed by CVE-2024-10905, organizations should implement the following actions immediately:
CVE-2024-10905 exemplifies the importance of proactive cybersecurity measures and continuous vigilance in safeguarding IAM platforms. Enterprises must prioritize timely updates, implement robust security practices, and conduct regular assessments to minimize risks.
Acting now ensures the protection of sensitive data and builds trust in a security-conscious digital world.
CVE-2024-8785 is a critical Remote Code Execution (RCE) vulnerability affecting versions of Progress WhatsUp Gold released before 24.0.1. With a CVSS score of 9.8, this flaw allows remote, unauthenticated attackers to exploit the NmAPI.exe process to manipulate the Windows registry, ultimately enabling remote code execution.
Due to the severity of this issue, administrators are strongly advised to update their systems to version 24.0.1 or newer to mitigate risks.
The vulnerability stems from insufficient validation in the NmAPI.exe
API interface, which is used to manage network operations. Attackers can send malicious requests to this interface to:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\
. Exploitation occurs via the UpdateFailoverRegistryValues operation at the endpoint net.tcp://<target-host>:9643
. Attackers change critical registry paths and, upon service restarts, can execute unauthorized commands by pointing the service to malicious files hosted on their servers.
Importantly, no authentication is required, making this vulnerability highly dangerous as it can be exploited remotely and without user credentials.
If exploited, this vulnerability could result in:
While Progress Software has confirmed the existence of a public exploit, the exploit code itself is not widely available. A detailed writeup by Tenable describes how the flaw can be leveraged. At the time of writing, Censys identified over 1,200 exposed WhatsUp Gold instances online, with significant concentrations in Brazil (51%) and other regions. However, not all exposed instances are necessarily vulnerable, as version details are not always discernible.
Progress Software issued a security advisory in September 2024, along with a patch in version 24.0.1 to address CVE-2024-8785. Administrators are urged to upgrade to this version immediately to safeguard their systems. Adding to its urgency, previous attacks targeting WhatsUp Gold have demonstrated the platform’s appeal to malicious actors, emphasizing the importance of swift remediation.
For added security, ensure the service is configured to operate in restricted network environments and monitor for unusual activity on port 9643.
Microsoft’s December 2024 Patch Tuesday release tackled 71 vulnerabilities across its product suite, including CVE-2024-49138, a zero-day vulnerability actively exploited by attackers to escalate privileges to SYSTEM level.
CVE-2024-49138 is a heap-based buffer overflow in the Windows Common Log File System (CLFS) Driver. This flaw enables attackers to elevate their privileges on a compromised system. The local attack vector means exploitation requires access to the system either physically, remotely (e.g., via SSH), or through user interaction, such as opening a malicious file.
The vulnerability was reported by CrowdStrike’s Advanced Research Team, and although specifics about in-the-wild exploitation remain scarce, experts like Tenable’s Satnam Narang highlight that CLFS vulnerabilities have historically been a favorite target for ransomware groups. Dustin Childs from Trend Micro’s Zero Day Initiative adds that this flaw is likely paired with code execution exploits, common in ransomware campaigns and phishing attacks.
Microsoft also patched two other privilege escalation flaws in the CLFS Driver. While these vulnerabilities are not under active exploitation, Microsoft warns they are likely to be targeted, urging swift updates.
Another high-priority fix addresses CVE-2024-49112 also known as LDAP Vulnerability. A flaw in Windows Lightweight Directory Access Protocol (LDAP). This remote vulnerability allows unauthenticated attackers to exploit servers acting as Domain Controllers by sending crafted LDAP calls. Rob Reeves of Immersive Labs explains that the vulnerability’s low complexity and lack of authentication make it particularly dangerous.
To mitigate the risk if patching isn’t immediately possible, Microsoft recommends configuring Domain Controllers to restrict internet access or block inbound RPC connections from untrusted networks.
Two other vulnerabilities flagged as “more likely” to be exploited include:
To mitigate risks, Microsoft advises organizations to prioritize patches for CVE-2024-49138 and related CLFS vulnerabilities. For high-value systems like Domain Controllers, consider applying suggested mitigations while scheduling updates.
Satnam Narang, senior staff research engineer at Tenable, told Help Net Security “Though in-the-wild exploitation details aren’t known yet, looking back at the history of CLFS driver vulnerabilities, it is interesting to note that ransomware operators have developed a penchant for exploiting CLFS elevation of privilege flaws over the last few years”.
CISA added this newly known exploited vulnerability to its catalog. By addressing these vulnerabilities promptly, organizations can reduce their exposure to ransomware campaigns, privilege escalation exploits, and targeted attacks leveraging these flaws.
A critical remote code execution (RCE) vulnerability, CVE-2024-43602, has been identified in Microsoft’s Azure CycleCloud, a cloud management service for high-performance computing (HPC) workloads.
This vulnerability, rated with a CVSS score of 9.9, affects versions 8.0.0 through 8.6.4 and stems from improper authorization (CWE-285). Exploitation could allow attackers to execute arbitrary code remotely, endangering data integrity, service availability, and organizational compliance.
Exploiting CVE-2024-43602 allows attackers to:
The vulnerability affects the following Azure CycleCloud versions:
Users running these versions should act immediately to mitigate potential exploitation.
To address this vulnerability effectively, organizations should:
CVE-2024-43602 underscores the importance of proactive cybersecurity measures in cloud environments. Organizations using Azure CycleCloud must act swiftly to secure their systems, applying patches, reinforcing access controls, and continuously monitoring their networks.
For further guidance, refer to the Microsoft Security Response Center (MSRC). Robust and vigilant security practices are critical to minimizing risks in the ever-evolving digital landscape.
A critical security flaw, CVE-2024-11680, has been identified in ProjectSend, a widely used open-source file-sharing platform. This vulnerability, present in versions prior to r1720, stems from improper authentication mechanisms and holds a CVSSv3 score of 9.8, marking it as a critical threat.
Exploitation of this flaw allows unauthenticated attackers to modify application configurations, potentially leading to remote code execution (RCE). The vulnerability has been actively exploited in the wild, with multiple proofs of concept (PoCs) publicly available.
The vulnerability, categorized as Improper Authorization (CWE-287), is exploited by targeting the options.php endpoint. Attackers can manipulate critical settings by bypassing authentication through carefully crafted HTTP requests. This enables actions such as enabling user registrations, auto-approving new accounts, and removing upload restrictions, which pave the way for further malicious activities.
Key steps in the exploitation process include:
Successful exploitation of CVE-2024-11680 can result in:
To address this vulnerability, users are strongly advised to:
.
htaccess
file in the upload/files/
directory to prevent unauthorized PHP execution: php_flag engine off
Monitor and Harden Configurations – Regularly audit security settings and limit file upload types and user registrations to trusted sources. CVE-2024-11680 underscores the critical need for robust authentication and continuous system updates. Organizations leveraging ProjectSend must act swiftly to apply patches and strengthen their configurations. Proactive measures, such as enhanced monitoring and controlled access policies, can mitigate risks and safeguard sensitive data.
The vulnerabilities discussed in this post underscore the ever-evolving nature of cybersecurity threats. From highly targeted attacks to widespread exploits, these CVEs highlight the importance of timely patching, rigorous security practices, and constant vigilance.
As attackers continue to refine their techniques, it is crucial for organizations to stay informed, prioritize risk mitigation, and leverage tools and intelligence to protect their environments. By addressing these vulnerabilities and adopting a proactive security posture, we can collectively work toward a more secure digital landscape.
Stay tuned for more updates and insights as we continue to monitor the threat horizon and keep you informed about critical vulnerabilities.