The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added five security vulnerabilities affecting software from Cisco, Hitachi Vantara, Microsoft Windows, and Progress WhatsUp Gold to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation by threat actors.
One notable vulnerability is CVE-2023-20118, a command injection flaw in the web-based management interface of Cisco Small Business RV Series routers. This vulnerability allows authenticated, remote attackers to gain root-level privileges and access unauthorized data. Unfortunately, these routers have reached end-of-life status and remain unpatched, leaving them susceptible to exploitation.
Another critical issue is CVE-2024-4885, a path traversal vulnerability in Progress WhatsUp Gold. This flaw enables unauthenticated attackers to achieve remote code execution. Despite being fixed in version 2023.1.3 in June 2024, reports indicate ongoing exploitation attempts, with multiple IP addresses from countries like Hong Kong, Russia, Brazil, South Korea, and the United Kingdom involved in malicious activities targeting this vulnerability.
The remaining three vulnerabilities include:
- CVE-2024-21412, a Windows SmartScreen security feature bypass that allows attackers to evade security warnings when opening malicious files
- CVE-2024-4117, a Microsoft Windows flaw that enables remote code execution through specially crafted documents
- CVE-2024-4468, an authentication bypass issue in Hitachi Vantara Pentaho, which allows unauthorized attackers to execute arbitrary code on affected systems
In response to these active threats, CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies apply necessary mitigations by March 24, 2025, to secure their networks. This directive underscores the critical importance of addressing these vulnerabilities promptly to protect against potential cyberattacks.
Source: The Hacker News
Analysis
Although CISA’s KEV catalog warns organizations of actively exploited flaws, it does not always disclose who is behind the attacks or the exact techniques used. It has been reported, however, that CVE-2023-20118 has been exploited to integrate vulnerable Cisco devices into the PolarEdge botnet.
This botnet, active since late 2023, targets edge devices from multiple vendors to install a TLS-based backdoor, enabling persistent access and command execution. Over 2,000 devices worldwide have been compromised, particularly in Asia and South America, where attackers use them to proxy malicious traffic, launch DDoS attacks, and conduct cyber espionage. Since Cisco’s affected routers are end-of-life, they remain permanently vulnerable unless manually removed or protected with firewall restrictions.
Additionally, CVE-2024-21412 has been exploited by the Water Hydra APT group to deliver the DarkMe remote access trojan (RAT). This campaign specifically targets financial market traders, using the flaw to evade Microsoft’s security warnings and execute malicious payloads undetected. Once infected, the DarkMe RAT provides attackers with remote control over victim systems, enabling data theft, espionage, and financial fraud. This highlights the growing threat of security feature bypass techniques, which allow attackers to infiltrate systems even when protections are in place.
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for threats related to vulnerabilities like those mentioned above. Field Effect MDR users are automatically notified if vulnerable software or hardware is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly encourages users exposed to the vulnerabilities listed above to install the necessary patches and remove EoL devices from their networks as soon as possible.
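The KEV catalog is published as a JSON feed, and the practical way to act on an addition like this one is to match the catalog against your own asset inventory, separate hosts that can be patched from end-of-life hosts that cannot, and track the remediation due date. The script below is an added example written for this article; it is not Field Effect or CISA code. The CVE IDs, vendors, products and the 2025-03-24 due date are taken from the text above, while the inventory records, host names and the `patched` / `end_of_life` fields are a constructed inventory format assumed for illustration. The KEV field names used (`cveID`, `vendorProject`, `product`, `dueDate`, `shortDescription`) are those of the public feed, which also carries further fields omitted here.

```python
"""Triage a KEV-style feed against a small asset inventory (added example).

All data below is constructed for illustration. CVE IDs, vendors, products and
the due date mirror the advisory text; the inventory format is an assumption.
"""
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed (subset of fields).
KEV_SAMPLE = json.dumps({
    "title": "Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2023-20118", "vendorProject": "Cisco",
         "product": "Small Business RV Series Routers", "dueDate": "2025-03-24",
         "shortDescription": "Command injection in web-based management interface"},
        {"cveID": "CVE-2024-4885", "vendorProject": "Progress",
         "product": "WhatsUp Gold", "dueDate": "2025-03-24",
         "shortDescription": "Path traversal leading to remote code execution"},
        {"cveID": "CVE-2024-21412", "vendorProject": "Microsoft",
         "product": "Windows", "dueDate": "2025-03-24",
         "shortDescription": "SmartScreen security feature bypass"},
        {"cveID": "CVE-2024-4117", "vendorProject": "Microsoft",
         "product": "Windows", "dueDate": "2025-03-24",
         "shortDescription": "Remote code execution via crafted documents"},
        {"cveID": "CVE-2024-4468", "vendorProject": "Hitachi Vantara",
         "product": "Pentaho", "dueDate": "2025-03-24",
         "shortDescription": "Authentication bypass"},
    ],
})

# Constructed asset inventory (hypothetical hosts). "patched" lists CVEs for
# which the vendor fix is already installed on that host.
INVENTORY = [
    {"host": "edge-rtr-01", "vendor": "Cisco", "product": "RV Series Routers",
     "end_of_life": True, "patched": []},
    {"host": "nms-01", "vendor": "Progress", "product": "WhatsUp Gold",
     "end_of_life": False, "patched": ["CVE-2024-4885"]},
    {"host": "ws-trader-07", "vendor": "Microsoft", "product": "Windows",
     "end_of_life": False, "patched": []},
    {"host": "bi-01", "vendor": "Hitachi Vantara", "product": "Pentaho",
     "end_of_life": False, "patched": []},
]


def load_kev(raw_json):
    """Return the list of vulnerability records from a KEV-shaped JSON string."""
    return json.loads(raw_json)["vulnerabilities"]


def product_matches(asset_product, kev_product):
    """Loose product match: inventory names rarely equal catalog names exactly."""
    a, k = asset_product.lower(), kev_product.lower()
    return a in k or k in a


def triage(kev_entries, inventory, today):
    """Match KEV entries to assets and decide the remediation action.

    A finding is produced for every unpatched (asset, CVE) pair. End-of-life
    assets get no patch, so the action is removal or restricting access to the
    management interface, as the advisory recommends.
    """
    findings = []
    for asset in inventory:
        for v in kev_entries:
            if asset["vendor"].lower() != v["vendorProject"].lower():
                continue
            if not product_matches(asset["product"], v["product"]):
                continue
            if v["cveID"] in asset["patched"]:
                continue
            due = date.fromisoformat(v["dueDate"])
            if asset["end_of_life"]:
                action = "no vendor fix: remove from network or restrict management access"
            else:
                action = "apply vendor patch"
            findings.append({
                "host": asset["host"],
                "cve": v["cveID"],
                "due": v["dueDate"],
                "overdue": today > due,
                "action": action,
            })
    return findings


if __name__ == "__main__":
    for f in triage(load_kev(KEV_SAMPLE), INVENTORY, date.today()):
        flag = "OVERDUE" if f["overdue"] else "due " + f["due"]
        print(f"{f['host']:<14} {f['cve']:<16} {flag:<16} {f['action']}")
```

Running it on the constructed data yields four findings: the patched WhatsUp Gold host drops out, the two Windows CVEs both attach to the workstation, and the end-of-life Cisco router is flagged for removal or isolation rather than patching. Against a real feed, the loose product match is the part to tune to your inventory's naming.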