CERT-EU - Publications - Security Advisories

2020-060: UPDATE: Multiple Vulnerabilities in SolarWinds Orion

Wednesday, December 16, 2020 12:37:00 PM CET

Multiple vulnerabilities have been discovered in SolarWinds Orion, a popular Network Management System software, the most severe of which could allow for arbitrary code execution. Numerous public and private organisations around the world are affected. Additionally, the attackers gained access to victims via trojanised SolarWinds Orion updates. The attack was a very sophisticated supply chain attack. In this case, it appears that the code was intended to be used in a targeted way as its exploitation requires manual intervention. The campaign has been dubbed SunBurst by FireEye and Solarigate by Microsoft.
While the malicious activity was only made public in December 2020, researchers at ReversingLabs analysed SolarWinds binaries and identified modifications to installer packages as early as October 2019.
While analyzing artifacts from the SolarWinds Orion supply-chain attack, another backdoor has been discovered, named Supernova. The malware is a webshell planted in the code of the Orion network and applications monitoring platform and enabled adversaries to run arbitrary code on machines running the trojanised version of the software. This had been thought to be part of the intrusion toolset but in reality this was a different piece of malware, targeting SolarWinds Orion installations that had been left unpatched for a vulnerability tracked as CVE-2019-8917 and exposed online.

2020-059: Cisco Jabber Desktop and Mobile Client Software Vulnerabilities

Monday, December 14, 2020 11:47:00 AM CET

On 10th of December, Cisco released an advisory about multiple vulnerabilities in Cisco Jabber for Windows, Jabber for MacOS, and Jabber for mobile platforms. These vulnerabilities could allow an attacker to execute arbitrary programs on the underlying operating system (OS) with elevated privileges or gain access to sensitive information.

2020-058: Cisco AnyConnect Secure Mobility Client Vulnerability

Tuesday, December 08, 2020 02:15:00 PM CET

Cisco released an advisory on the 4th of December regarding a vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client Software. It could allow an authenticated local attacker to cause a targeted AnyConnect user to execute a malicious script.

2020-057: Critical Vulnerabilities in VMware Products

Wednesday, November 25, 2020 04:51:00 PM CET

VMware has released security advisories to address several security vulnerabilities including critical ones. Patches or workarounds are available for some of these vulnerabilities.

2020-056: Authentication-Bypass Vulnerability in PaloAlto GlobalProtect

Friday, November 13, 2020 01:50:00 PM CET

On 11th of November 2020, Palo Alto released a security advisory to address an authentication bypass vulnerability that exists in the GlobalProtect SSL VPN component of Palo Alto Networks PAN-OS software. The vulnerability allows an attacker to bypass all client certificate checks with an invalid certificate. A remote attacker can successfully authenticate as any user and gain access to restricted VPN network resources when the gateway or portal is configured to rely entirely on certificate-based authentication.

2020-055: Critical Vulnerability in the Solaris PAM Library

Thursday, November 05, 2020 02:32:00 PM CET

Within its monthly Critical Patch Update Advisory, Oracle released patch for a critical vulnerability affecting Solaris Pluggable Authentication Module (PAM).
FireEye discovered during an investigation traces of exploitation of this vulnerability since 2018. Moreover, FireEye associated the vulnerability with Oracle Solaris SSHD Remote Root Exploit identified on black-market for sale. This vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris.

2020-054: Critical Vulnerability in Oracle WebLogic Server

Tuesday, November 03, 2020 04:13:00 PM CET

On the 1st of November 2020, Oracle released an out-of-band patch to address a critical vulnerability (CVSS score 9.8) that has been assigned CVE-2020-14750. According to Oracle, this bug is linked to the vulnerability CVE-2020-14882. However, Oracle did not provide any information about the relation between both of the security flaws. The CVE-2020-14750 vulnerability could allow a non-authenticated attacker to remotely execute arbitrary code on the server

2020-053: Critical Vulnerability in Oracle WebLogic Server

Friday, October 30, 2020 05:38:00 PM CET

In October, within the monthly Critical Patch Update Advisory addressing hundreds of vulnerabilities, Oracle released an update about a critical vulnerability affecting WebLogic Server. This vulnerability may allow unauthenticated attackers with network access via HTTP to achieve total compromise and takeover of vulnerable Oracle WebLogic Servers. This bug has been assigned CVE-2020-14882 and has a CVSS score of 9.8 and is now being reported as being exploited in the wild.

2020-052: Critical Cisco IOS XR Software Vulnerability Under Attack

Wednesday, October 21, 2020 02:46:00 PM CEST

Cisco released a warning on the 20th of October regarding the attacks that are actively targeting the CVE-2020-3118 high severity vulnerability found to affect multiple carrier-grade routers that run the company's Cisco IOS XR Software. An advisory for this vulnerability was released by Cisco in the 5th of February. It is related to the Cisco Discovery Protocol implementation for Cisco IOS XR Software that could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload on an affected device.

2020-051: VMware ESXi OpenSLP - Remote Code Execution Vulnerability

Wednesday, October 21, 2020 11:44:00 AM CEST

On the 20th of October 2020, VMware released a security advisory for a vulnerability affecting ESXi OpenSLP, identified as CVE-2020-3992. OpenSLP as used in VMware ESXi has a use-after-free issue. VMware has evaluated the severity of this issue to be in the *critical severity range with a maximum CVSSv3 base score of 9.8 out of 10.

2020-050: Microsoft Sharepoint - Remote Code Execution Vulnerability

Monday, October 19, 2020 06:01:00 PM CEST

On the 13th of October 2020, Microsoft released a security advisory for a vulnerability affecting Microsoft Sharepoint identified as CVE-2020-16952. Since then, security specialist Steven Seeley released a proof of concept on how to exploit the vulnerability. Also, a Metasploit module exploiting CVE-2020-16952 has been published and contains remote check logic as well as supplementary exploitation details.
Successful exploitation of this vulnerability would allow an attacker to run arbitrary code and carry out security actions in the context of the SharePoint application pool and the SharePoint server farm account. The issue results from the lack of proper validation of user-supplied data which can result in a server-side code include. Authentication is however required to exploit this vulnerability.

2020-049: Critical Vulnerability in Microsoft Outlook

Wednesday, October 14, 2020 02:48:00 PM CEST

On 13th of October 2020, Microsoft released several security advisories to address security vulnerabilities. One of the reported vulnerabilities, affects Oulook, and it can be triggered by previewing a malicious e-mail. An attacker who successfully exploits this vulnerability could gain the ability to execute code on the target client.

2020-048: Critical Vulnerability in Microsoft Windows TCP/IP Stack

Wednesday, October 14, 2020 02:24:00 PM CEST

On 13th of October 2020, Microsoft released several security advisories to address security vulnerabilities. One of the reported vulnerabilities, affects Windows TCP/IP stack. An attacker who successfully exploits this vulnerability could gain the ability to execute code on the target server or client.

2020-047: Cisco Webex Teams Client Vulnerability

Friday, October 09, 2020 11:57:00 AM CEST

On 7th of October 2020, Cisco released three security advisories with an impact evaluated as High. One of them is impacting Windows client version of Cisco Webex Teams. The vulnerability is a DLL Hijacking Vulnerability and could potentially be used by an attacker with a foothold on a system to have another user execute a malicious DLL when Cisco Webex Teams starts.
There is no known attacks leveraging this vulnerability or proof-of-concept available for now.

2020-046: UPDATE: Zerologon Critical Vulnerability Affecting Windows Domain Controllers

Tuesday, September 15, 2020 01:33:00 PM CEST

On 11th of August 2020, Microsoft released a critical security advisory affecting all supported versions of Windows Server. The vulnerability is described as Netlogon Elevation of Privilege and got assigned CVE-2020-1472.
On 11th of September 2020, Secura released a white paper and testing tool for the vulnerability. The paper describes how an attacker with a foothold on a victim network could leverage this vulnerability to compromise an unpatched Domain Controller. The attacker can obtain domain admin privileges by taking advantage of flaws in a cryptographic authentication protocol.
Starting on the 14th of September 2020, several security researchers modified the initial testing tool created by Secura to provide full proof of concept of the vulnerability, allowing any attacker with a foothold on a victim network to easily elevate its privileges to domain admin.
On 23rd of September 2020, SAMBA also released security patches addressing the vulnerability, explaining that SAMBA server is vulnerable if used as a Domain Controller.
On 24th of September 2020, Microsoft Security Intelligence warned that ongoing attacks were being observed abusing Zerologon vulnerability.

2020-045: Vulnerabilities in Palo Alto PAN-OS

Thursday, September 10, 2020 12:05:00 PM CEST

On 9th of September 2020, Palo Alto released several security advisories, updates, and workarounds to address security vulnerabilities including five high severity vulnerabilities and one critical one for PAN-OS:
* CVE-2020-2040 PAN-OS: Buffer overflow when Captive Portal or Multi-Factor Authentication (MFA) is enabled - CVSS score 9.8 (critical)
* CVE-2020-2036 PAN-OS: Reflected Cross-Site Scripting (XSS) vulnerability in management web interface - CVSS score 8.8 (high)
* CVE-2020-2041 PAN-OS: Management web interface denial-of-service (DoS) - CVSS score 7.5 (high)
* CVE-2020-2037 PAN-OS: OS command injection vulnerability in the management web interface - CVSS score 7.2 (high)
* CVE-2020-2038 PAN-OS: OS command injection vulnerability in the management web interface - CVSS score 7.2 (high)
* CVE-2020-2042 PAN-OS: Buffer overflow in the management web interface - CVSS score 7.2 (high)
The critical vulnerability is exploitable only if Captive Portal or Multi-Factor Authentication (MFA) are enabled and does not impact GlobalProtect VPN or PAN-OS management web interfaces.
As of today, there is no known public proof-of-concept, however this type of vulnerabilities trigger high interest for different threat actors and proof-of-concept usually emerges quite quickly after the release of a patch. For this reason, it is highly recommended to patch the exposed PAN-OS devices as soon as possible.

2020-044: UPDATE: Remote Code Execution Vulnerability Affecting Microsoft Exchange

Wednesday, September 09, 2020 11:43:00 AM CEST

On 9th of September 2020, Microsoft released several security advisories, updates, and workarounds to address security vulnerabilities. One of the reported vulnerabilities affects Microsoft Exchange server.
Based on the description provided by Microsoft, the vulnerability is due to improper validation of cmdlet arguments. An attacker authenticated with specific Exchange role could run arbitrary code in the context of the System user, leading to a full compromise of the Exchange server.
On the 10th of September 2020, Source Incite released details and proof-of-concept for the vulnerability. The vulnerability is due to lack of proper validation of user-supplied data when using the "New-DlpPolicy" cmdlet. To exploit this vulnerability, the authenticated attacker needs the *Data Loss Prevention* (DLP) role assigned. This role is usually assigned to administrationa account only, however this type of vulnerabilities trigger high interest for different threat actors and proof-of-concept usually emerges quite quickly after the release of a patch. For this reason, it is highly recommended to patch the exposed Exchange servers as soon as possible.

2020-043: Critical Vulnerabilities in Cisco Products

Thursday, September 03, 2020 01:35:00 PM CEST

On 29th of August and on 2nd of September, Cisco released several security advisories, updates, and workarounds to address security vulnerabilities including five high severity vulnerabilities, and one critical:
* CVE-2020-3495 - Arbitrary Code Execution - CVSS score 9.9 (critical)
* CVE-2020-3566 - Memory Exhaustion - CVSS score 8.6 (high)
* CVE-2020-3530 - Authenticated User Privilege Escalation - CVSS score 8.4 (high)
* CVE-2020-3430 - Command Injection - CVSS score 8.8 (high)
* CVE-2020-3478 - File Overwrite Vulnerability - CVSS score 8.1 (high)
* CVE-2020-3473 - Authenticated User Privilege Escalation - CVSS score 7.8 (high)

2020-042: XSS Vulnerability in F5 BIG-IP

Friday, August 28, 2020 12:49:00 PM CEST

An HTML-injection vulnerability (CVE-2020-5915) has been discovered affecting multiple F5 BIG-IP Products. Insufficient sanitisation of user input in Traffic Management User Interface (TMUI) or Configuration Utility component can potentially allow an attacker to execute arbitrary commands.

2020-041: Default Credentials Vulnerability in Cisco vWAAS

Thursday, August 20, 2020 11:07:00 AM CEST

On 19th of August, Cisco released a security advisory for a vulnerability affecting Cisco ENCS 5400-W Series and CSP 5000-W Series appliances. They are affected, it they are running Cisco Virtual Wide Area Application Services (vWAAS) with Cisco Enterprise NFV Infrastructure Software (NFVIS)-bundled image releases 6.4.5, or 6.4.3d and earlier.
This vulnerability allows an unauthenticated, remote attacker to log into the NFVIS CLI of an affected device by using accounts that have a default, static password.
Cisco is not aware of any public announcements or malicious use of the vulnerability.

2020-040: Critical Vulnerabilities in Citrix XenMobile

Wednesday, August 12, 2020 12:00:00 PM CEST

On 11th of August, Citrix released a blog post and Security Update about critical vulnerabilities affected XenMobile servers products.
No technical details were shared by Citrix, however some sources indicate that by combining some of those vulnerabilities, an unauthenticated attackers could gain admin control on XenMobile Servers if exploitation is successful.
Citrix recommends these upgrades be made immediately. As of this writing, there are no known exploits. However, by analysing security patches, attacker could quickly identify exploits for these vulnerabilities and start scanning for victims exposing XenMobile servers on Internet.

2020-039: Critical Vulnerabilities in Cisco Products

Thursday, July 30, 2020 02:03:00 PM CEST

On 29th of July, Cisco released several security updates to address security vulnerabilities including three critical ones: an authentication bypass (CVE-2020-3382), a buffer overflow (CVE-2020-3375), and an authorization bypass (CVE-2020-3374). Additionally, Cisco issued an advisory update v1.7 for a series of critical vulnerabilities (first published on 17th of June) related to Treck IP stack (from CVE-2020-11896 to CVE-2020-11914).
Moreover, the company also issued security updates to fix another eight high and medium severity vulnerabilities found to affect several other Cisco Data Center Network Manager (DCNM) Software versions (CVE-2020-3377, CVE-2020-3384, CVE-2020-3383, CVE-2020-3386, CVE-2020-3376, CVE-2020-3460, CVE-2020-3462, CVE-2020-3461).

2020-038: Critical Wordpress Plugin Vulnerability

Thursday, July 30, 2020 02:02:00 PM CEST

On 19th of June, Wordfence Threat Intelligence team discovered a vulnerability that affects Wordpress plugin Comments – wpDiscuz. This flaw gives unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server. According to Wordfence, the security flaw is rated as critical severity with a CVSS base score of 10.0.

2020-037: UPDATE: Citrix Workspace Vulnerability

Wednesday, July 22, 2020 04:42:00 PM CEST

Citrix Workspace is vulnerable to a remote command execution attack. The flaw sees Workspace app's automatic update feature abused to gain access to a vulnerable Workspace app installation, with the attack vector being a named pipe. Citrix have assigned CVE-2020-8207 to the vulnerability and released updated versions for Workspace app.
Since July, there has been found a secondary attack vector, which would allow attackers to elevate privileges and remotely execute arbitrary commands under the SYSTEM account.

2020-036: Critical Cisco Vulnerabilities

Thursday, July 16, 2020 12:06:00 PM CEST

Cisco released 31 Security Advisories for vulnerabilities affecting its products. Five of them are rated critical with CVSS Score 9.8. In particular, critical vulnerabilities affect: telnet service of firewall routers (CVE-2020-3330), web-based management interface of routers (CVE-2020-3323, CVE-2020-3144, and CVE-2020-3331), and web management interface of Cisco Prime License Manager (PLM) software (CVE-2020-3140).

2020-035: UPDATE: Windows DNS Server Remote Code Execution Vulnerability

Tuesday, July 14, 2020 08:14:00 PM CEST

A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability. The vulnerability was originally found by Check Point, and dubbed SIGRed. It has been present for at least last 17 years.

2020-034: UPDATE: SAP - Critical Vulnerability

Tuesday, July 14, 2020 12:48:00 PM CEST

On the 14th of July 2020, SAP released eight Security Notes on the Security Patch Day. Security Note "#2934135" addresses a critical vulnerability CVE-2020-6286 affecting the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard. Through a vulnerability dubbed RECON by Onapsis who discovered the flaw, an unauthenticated attacker take control of trusted SAP applications. As of 16th of July 2020, exploits have been released and active scanning for the vulnerability is ongoing.

2020-033: UPDATE: Serious MobileIron Vulnerabilities

Friday, July 10, 2020 12:21:00 PM CEST

In July 2020, an independent security researcher reported to MobileIron that he had identified vulnerabilities in MobileIron Core that could allow an attacker to execute remote exploits without authentication. MobileIron has issued patches for the affected products. The patches cover three independent vulnerabilities: CVE-2020-15505 (remote code execution), CVE-2020-15506 (authentication bypass), and CVE-2020-15507 (arbitrary file reading).
As of November 2020, proof of concept is available, and APT hacking groups are actively utilising CVE-2020-15505 vulnerability to gain access to networks.

2020-032: Critical CITRIX Vulnerabilities

Wednesday, July 08, 2020 05:40:00 PM CEST

Multiple vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway) and Citrix SD-WAN WANOP. These vulnerabilities, if exploited, could result in a number of security issues including among others: (i) system compromise by an unauthenticated user on the management network, (ii) system compromise through Cross Site Scripting (XSS) on the management interface, (iii) denial of service against either the Gateway or Authentication virtual servers by an unauthenticated user.

2020-031: UPDATE: F5 Critical Vulnerability

Sunday, July 05, 2020 08:37:00 AM CEST

A new vulnerability has been discovered in the configuration interface of the BIG-IP application delivery controller (ADC) used by some of the world's biggest companies. Attackers can run commands as an unauthorized user and completely compromise a system, including interception of controller application traffic. The vulnerability can be exploited remotely, and is already being actively exploited.

2020-030: Microsoft Sharepoint - RCE in ASP.Net Web Controls

Friday, June 19, 2020 01:48:00 PM CEST

On the 6th of June 2020, Microsoft released a security advisory for a vulnerability affecting Microsoft Sharepoint identified as CVE-2020-1181. On the 17th of June 2020, Zero Day Initiative released a blog post providing a proof of concept on how to exploit the vulnerability.
This vulnerability allows authenticated users to execute arbitrary code on a SharePoint server with privileges of the service account. An attacker may create and call a specific crafted page to successfully exploit the vulnerability. In the default configuration of SharePoint, the necessary permission is given to any user as any user can create its own SharePoint site.

2020-029: FortiClient Hardcoded Cryptographic Key

Wednesday, June 03, 2020 11:50:00 AM CEST

Fortinet FortiClient for Windows uses a hard-coded cryptographic key to encrypt security sensitive data in the configuration file. The vulnerability allows an attacker with access to the configuration file to disclose sensitive configuration information on the target system. The vulnerability has received CVE number CVE-2019-16150.

2020-028: FortiClient for Windows Privilege Escalation Vulnerability

Tuesday, May 26, 2020 05:18:00 PM CEST

Fortinet FortiClient for Windows is subject of a local privilege-escalation vulnerability. The vulnerability has received CVE number CVE-2020-9291.

2020-027: DNS Protocol Vulnerability

Wednesday, May 20, 2020 12:07:00 PM CEST

On 19th of May 2020 a new DNS protocol vulnerability was made public. It was discovered by researchers from Tel Aviv University and the Interdisciplinary Center in Israel.
Disclosed vulnerability abuses DNS delegation mechanism to force DNS resolvers to generate more DNS queries to authoritative servers of attacker’s choice.
Unlike traditional random subdomain attacks, in case of this attack , the queries are generated by resolver itself. The researchers called this attack the NXNSAttack. It appears that pretty much all vendors of DNS resolvers are affected.

2020-026: Critical Oracle WebLogic Server Vulnerability Exploited

Tuesday, May 12, 2020 06:08:00 PM CEST

In April, within the monthly Critical Patch Update Advisory addressing hundreds of vulnerabilities, Oracle released an update about a critical vulnerability affecting WebLogic Server. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Oracle WebLogic. Authentication is not required to exploit this vulnerability. This bug, assigned with CVE-2020-2883, is now being reported by Oracle as being actively exploited in the wild.

2020-025: Microsoft Sharepoint - RCE in TypeConverters

Wednesday, May 06, 2020 10:19:00 PM CEST

On the 14th of April 2020, Microsoft released several security advisories for vulnerabilities affecting Microsoft Sharepoint. On the 29th of April 2020, Zero Day Initiative released a blog post providing details on one of these vulnerabilities (CVE-2020-0932).
This vulnerability allows authenticated users to execute arbitrary code on a SharePoint server in the context of the service account. To successfully exploit the vulnerability, attacker needs some specific permission (Add or Customize Pages). However, in the default configuration of SharePoint this permission is given to any user as any user can create its own SharePoint site.

2020-024: Multiple Vulnerabilities in the Autodesk FBX Library

Friday, April 24, 2020 10:44:00 PM CEST

On April 15, 2020, Microsoft has announced the release of updates to address multiple vulnerabilities found in the Autodesk FBX library which is integrated into certain Microsoft applications such as Microsoft Office, Office 365 ProPlus and Paint 3D.
Applications and services that utilize the FBX-SDK Ver. 2020.0 or earlier can be impacted by buffer overflow, type confusion, use-after-free, integer overflow, NULL pointer dereference, and heap overflow vulnerabilities. This can lead to remote code execution.

2020-023: Pulse Connect Secure Severe Vulnerabilities

Thursday, April 23, 2020 11:29:00 AM CEST

On April 6, 2020, three issues were discovered in Host Checker policy enforcement on Pulse Secure Pulse Connect Secure (PCS). These vulnerabilities were encoded as CVE-2020-11580 (No certificate Validation), CVE-2020-11581 (Command Injection), CVE-2020-11582 (DNS Rebindig). These vulnerabilities could allow a man-in-the-middle (MITM) attacker to perform a remote code execution (RCE) attack.
CERT-EU is not aware of any malicious exploitation for those vulnerabilities, but we have to take into consideration that the file on which these vulnerabilities are built ("tncc.jar") is not obfuscated in any way and the original source code can be obtained with almost any Java decompiler and customized in a malicious manner.

2020-022: Liferay Portal - Exploited Remote Code Execution Vulnerabilities

Friday, April 17, 2020 10:16:00 AM CEST

On March 20, 2020, Code White released two proof-of-concepts for vulnerabilities on Liferay Portal. These vulnerabilities were patched by Liferay. However, CERT-EU is aware of these vulnerabilities being actually exploited by malicious threat actors to gain illicit access to unpatched exposed servers.
This second vulnerability is massively scanned for exploitation and CERT-EU is aware of ongoing campaigns exploiting this vulnerability as several proof of concept are available online. It is strongly recommended to check the version of Liferay portal being used and look for traces of intrusion on the potentially impacted servers.

2020-021: Critical Vulnerability in VMware vCenter

Saturday, April 11, 2020 08:49:00 AM CEST

On April 9, 2020, VMware vCenter Server updates were issued, which address sensitive information disclosure vulnerability in the VMware Directory Service "vmdir" (CVE-2020-3952). A malicious actor with network access to an affected deployment may be able to extract highly sensitive information which could be used to compromise vCenter Server or other services. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 10.0.

2020-020: Critical Vulnerabilities in Firefox

Monday, April 06, 2020 05:26:00 PM CEST

On the 3rd of April 2020, Mozilla released an advisory concerning two critical vulnerabilities affecting Firefox browser. According to Mozilla, both vulnerabilities are related to "use-after-free" bugs and have been exploited in the wild in targeted attacks.
It is strongly recommended to update Firefox and Firefox ESR to the latest version available.

2020-019: Apache Web Server Vulnerability

Monday, April 06, 2020 02:47:00 PM CEST

On the 1st of April 2020, a new vulnerability was made public related to Apache Web server. Apache HTTP Server is prone to an open-redirection vulnerability because it fails to properly validate the redirect URLs. Specifically, this issue affects the "mod_rewrite" configurations. An attacker can leverage this issue by constructing a crafted URI and target a user to follow it.

2020-018: Serious PHP Vulnerability

Friday, April 03, 2020 02:31:00 PM CEST

In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.34, while using "mb_strtolower()" function with "UTF-32LE" encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer. This could lead to memory corruption, crashes, and potentially code execution. No exploits have been observed for the moment.

2020-017: UPDATE: Remote-Code-Execution Vulnerabilities in All Versions of Windows

Tuesday, March 24, 2020 11:14:00 AM CET

On the 23th of March 2020, Microsoft released a security advisory for two remote-code-execution vulnerabilities affecting all versions of Windows. The two vulnerabilities are linked to the Adobe Type Manager Library. An attacker could exploit these vulnerabilities by convincing a user to open or preview a specially crafted document.
Microsoft is aware of ongoing attacks which could exploit these 0-days vulnerabilities. A patch is not available yet but Microsoft provides advice on workarounds to limit the exploitability of the vulnerabilities.
Update: On the 24th of March 2020, Microsoft updated the advisory, explaining that the attack mostly affect Windows 7 and that the vulnerability is not considered as critical for recent Windows 10 systems.

2020-016: Multiple Critical Vulnerabilities in Trend Micro

Wednesday, March 18, 2020 03:15:00 PM CET

On the 16th of March 2020, Trend Micro has released critical patches for two remote code execution vulnerabilities in Trend Micro Apex One and OfficeScan XG along with other three critical vulnerabilities. Trend Micro confirmed that they identified active attempts against the zero-day vulnerabilities, but without disclosing more details.
It is strongly recommended to update, especially because exploits are available and there were attack attempts. Even if the zero-days require user authentication, they could be used in a post-compromise scenario to either disable the security products or elevate the attackers' privileges on machines running the two Trend Micro antivirus products.

2020-015: Critical Vulnerability in VMWare Products

Friday, March 13, 2020 05:09:00 PM CET

On the 12th of March 2020, VMWare released an advisory concerning three vulnerabilities in VMWare products. The most critical one (CVE-2020-3947) could be exploited by an attacker to execute code on a host system from a malicious or compromised guest.
It is strongly recommended to update VMWare Workstation and VMWare Fusion, especially for security analysts running malware in Virtual Machines for analysis.

2020-014: UPDATE: SMBv3 - Critical Remote Code Execution Vulnerability

Wednesday, March 11, 2020 01:28:00 PM CET

On the 10th of March 2020, Microsoft released a security advisory for a remote code execution vulnerability affecting Microsoft Server Message Block 3.1.1 (SMBv3) protocol. An "unauthenticated" attacker who successfully exploited the vulnerability could "execute code" on a target "SMB Server or SMB Client". The vulnerability is referenced as CVE-2020-0796.

2020-013: Critical PPP Daemon Vulnerability

Friday, March 06, 2020 08:42:00 PM CET

A new dangerous (and 17 years old!) remote code execution vulnerability has been discovered by Ilja Van Sprundel from IOActive. It affects the PPP daemon ("pppd") software that comes installed on almost all Linux-based operating systems and powers the firmware of many other networking devices. The affected "pppd" software is an implementation of Point-to-Point Protocol (PPP) that enables communication and data transfer between nodes, primarily used to establish Internet links such as those over dial-up modems, DSL broadband connections, and Virtual Private Networks.
The vulnerability is tracked as CVE-2020-8597 with "CVSS Score 9.8" and can be exploited by unauthenticated attackers to remotely execute arbitrary code on affected systems and take full control over them.

2020-012: Cisco Webex Players Vulnerabilities

Friday, March 06, 2020 04:07:00 PM CET

High serverity vulnerabilities were patched in Cisco Webex video conferencing platform. In particular they affect Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows. If exploited, these could allow an attacker to execute code on the affected systems.
The vulnerabilities are tracked as CVE-2020-3127 and CVE-2020-3128 and are both 7.8 out of 10.0 on the CVSS scale.

2020-011: Multiple XSS Vulnerabilities in Wordpress Plugins

Tuesday, March 03, 2020 06:01:00 PM CET

Several cross-site scripting (XSS) vulnerabilities were fond in popular WordPress plugins. Some of them could give attackers complete control of sites.
It is to be mentioned that this year we have already observed other vulnerabilities in WordPress plugins.

2020-010: Microsoft Exchange Server - Remote Code Execution Vulnerability

Wednesday, February 26, 2020 09:05:00 PM CET

Microsoft released a fix for a remote code execution vulnerability in Microsoft Exchange (CVE-2020-0688). The vulnerability exists because Exchange fails to create unique cryptographic keys at installation time, leading to all Exchange servers using the same "validationKey" and "decryptionKey" values.

Knowledge of a the validation key allows an authenticated user with a mailbox on the server to pass arbitrary objects to be deserialized by the web application. That runs as "SYSTEM", leading to remote code execution with the highest privileges.

On February 25th 2020, Zero Day Initiative released a blog post detailing how to exploit the vulnerability. Any user with an account on an Exchange server can easily exploit the remote code execution vulnerability.

Some researchers point-out that scanning for vulnerable Exchange servers is ongoing.

2020-009: Critical Vulnerability in ThemeGrill Demo Importer Wordpress Plugin

Wednesday, February 19, 2020 06:27:00 PM CET

A critical vulnerability affecting the ThemeGrill Demo Importer plugin has been identified. Theme Grill Demo Importer is a plugin that can be used to import ThemeGrill official themes demo content, widgets and theme settings. The plugin is affected by a vulnerability that allows any unauthenticated user to wipe the entire database to its default state after which they are automatically logged in as an administrator. There are more than 100K active installations of the plugin.

2020-008: WordPress Profile Builder Plugin Critical Vulnerability

Tuesday, February 18, 2020 03:39:00 PM CET

A critical vulnerability affecting the WordPress Profile Builder Plugin has been identified. Profile Builder is a plugin designed to create custom forms that allow users to register, edit their profile, etc. The plugin is affected by a broken authentication vulnerability, allowing unauthenticated users to register or edit their account and gain Administrator privileges using the plugin's form. It is estimated that around 50K sites are running the free version of Profile Builder and around 15k the Pro and Hobbyist version.

2020-007: Vulnerabilities in WordPress GDPR Cookie Consent Plugin

Friday, February 14, 2020 02:04:00 PM CET

Critical vulnerabilities affecting the WordPress GDPR Cookie Consent plugin have been identified. This plugin is used to make websites GDPR compliant. The vulnerability was reported by the security researcher Jerome Bruandet from NinTechNet. The exploitation of the vulnerabilities lead to privilege escalation and authenticated stored XSS. This plugin has 700k active installs.

2020-006: Internet Explorer Zero-Day Vulnerability

Monday, January 20, 2020 02:01:00 PM CET

Microsoft released an advisory notifying about a remote code execution (RCE) vulnerability existing in the scripting engine of Internet Explorer (IE). The vulnerability allows an attacker to corrupt the memory of the IE and execute code with the privileges of the current user. Currently, there is no patch for the reported vulnerability.

2020-005: UPDATE: Critical Vulnerabilities in WordPress Plugins

Wednesday, January 15, 2020 03:04:00 PM CET

Critical vulnerabilities that are affecting two WordPress plugins have been identified. The vulnerabilities affect InfiniteWP Client and the WP Time Capsule plugins and allow a remote attacker to login into an administrator account without password. Vulnerabilities in WP Database Reset allowed any unauthenticated user to reset any table from the database to the initial WordPress set-up state.

2020-004: Critical Vulnerabilities in Multiple Oracle Products

Wednesday, January 15, 2020 12:57:00 PM CET

Oracle has published an advisory about hundreds of critical vulnerabilities that are affecting several of its products. Many of the vulnerabilities can be remotely exploited without authentication and without user interaction. Expedient patching of the affected products is highly recommended.

2020-003: Critical Vulnerabilities in Microsoft Windows

Wednesday, January 15, 2020 12:47:00 PM CET

Several critical vulnerabilities affecting Microsoft Windows were patched on 14th of January 2020, as part of the regular patch Tuesday. Some the vulnerabilities are quite critical, so it is extremely important to apply the patches as soon as possible.

A vulnerability identified as CVE-2020-0601 is affecting the Microsoft Windows CryptoAPI enabling a malicious software to appear as authentically signed by a trusted or trustworthy organisation. Other vulnerabilities, identified as CVE-2020-0609, CVE-2020-0610, and CVE-2020-0611 respectively, are affecting the Windows Remote Desktop Server and Client, and could lead to remote code execution.

2020-002: UPDATE: Critical Vulnerability in Citrix Products

Monday, January 13, 2020 12:22:00 PM CET

A critical vulnerability affecting Citrix products has been disclosed in December 2019. The vulnerability, identified as CVE-2019-19781, could allow an attacker to get access to the internal network without requiring authentication. Numerous exploits to leverage this vulnerability have been publicly released. As of 24/01/2020 all patches are available, but an investigation of potential compromises is advised.

2020-001: Critical Vulnerability in Mozilla Firefox

Friday, January 10, 2020 03:25:00 PM CET

A critical vulnerability affecting Mozilla Firefox has been been disclosed. The vulnerability identified as CVE-2019-17026 allows attackers to write to and read from memory locations that are off-limits, and could lead to information disclosures, security bypass and crashes. This vulnerability is actively being exploited in the wild.

Security Advisories