Security Advisory

Security Advisory

Zero-Day Vulnerability in Windows (CVE-2024-49138): PoC Released, Exploited in the Wild

Summary

OEM

Microsoft

Severity

Critical

CVSS Score

7.8

CVE

CVE-2024-49138

Exploited in Wild

Yes

Patch/Remediation Available

Yes

Advisory Version

1.0

Publicly POC Available

Yes


Overview

The vulnerability CVE-2024-49138, affecting the Windows Common Log File System (CLFS) driver, enables attackers to gain SYSTEM privileges via a heap-based buffer overflow. Security researcher MrAle_98 published a proof-of-concept (PoC) exploit, increasing its potential misuse.

Vulnerability Name

CVE ID

Product Affected

Severity

CLFS Privilege Escalation

CVE-2024-49138

Microsoft Windows

High

Technical Summary

CVE-2024-49138 is a heap-based buffer overflow vulnerability in the Windows Common Log File System (CLFS) driver, allowing attackers to escalate privileges to SYSTEM level. It affects a wide range of Windows systems, including the latest versions, such as Windows 11 23H2. Initially discovered by CrowdStrike’s Advanced Research Team, Microsoft confirmed active exploitation prior to its December 2024 patch release. Security researcher MrAle_98 published a proof-of-concept exploit on GitHub, increasing the likelihood of threat actor replication and exploitation.

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-49138

Windows 10, Windows 11, Windows Server 2008–2025

Heap buffer overflow in CLFS driver enabling SYSTEM access. Exploited in the wild and PoC publicly released.

Enables attackers to elevate their privileges to SYSTEM level, granting them complete control over an affected device.

Remediations

  1. Update Systems: Apply Microsoft’s December 2024 patches without delay.
  2. Monitor Systems: Be alert for unusual privilege escalations or indicators of compromise.
  3. Limit Access: Implement robust access controls and harden systems.

Conclusion:

The public release of a proof-of-concept exploit heightens risks, making immediate patching essential. Organizations must prioritize updates, monitor for exploitation, and implement strict access controls.

References

Security Advisory

Privilege Escalation Vulnerability in ComboBlocks Plugin Affects Thousands of Sites

A critical vulnerability in the ComboBlocks WordPress plugin (formerly Post Grid and Gutenberg Blocks) exposes over 40,000 websites to potential complete takeover by unauthenticated attackers. This vulnerability exists due to improper handling of user meta during the registration process, enabling privilege escalation. It affects versions 2.2.85 to 2.3.3 and has been addressed in version 2.3.4.

OEM

WordPress

Severity

Critical

Date of Announcement

2025-01-17

CVSS score

9.8

CVE

CVE-2024-9636

Exploited in Wild

No

Patch/Remediation Available

Yes 

Advisory Version

1.0

Overview

ComboBlocks, a plugin designed to enhance website design and functionality, was found to have a critical security flaw (CVE-2024-9636) that could allow unauthenticated attackers to register as administrators, granting them full control over the affected websites.

Vulnerability Name

CVE ID

Product Affected

Severity

CVSS Score

Unauthenticated Privilege Escalation
Vulnerability

 CVE-2024-9636

ComboBlocks WordPress Plugin

Critical

9.8

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-9636

ComboBlocks plugin (2.2.85 - 2.3.3)

The vulnerability stems from improper restriction of user meta updates during profile registration. This flaw allows unauthenticated attackers to register as administrators, granting them full control over the website.


Complete website takeover and malware injection.

Remediations

  1. Update Plugin: Immediately update the ComboBlocks plugin to version 2.3.4 or later.
  2. Review Administrative Accounts:
  • Audit all user accounts with administrative privileges.
  • Revoke any unauthorized access.
  1. Enhance Security Posture:
  • Enable multi-factor authentication (MFA) for all admin accounts.
  • Restrict user permissions based on the principle of least privilege.
  • Use a web application firewall (WAF) to filter and block malicious traffic.
  1. Monitor and Log Activity:
  • Activate detailed logging for user registration and privilege changes.
  • Configure alerts for unusual activity, such as mass registrations or privilege escalations.
  1. Implement Preventative Measures:
  • Regularly update all plugins and themes.
  • Backup the WordPress site frequently to ensure quick recovery in case of any compromise.

References

Security Advisory

Critical Security Updates: Microsoft Jan 2025 Patch Tuesday Fixes 8 Zero-Days & 159 Vulnerabilities 

Summary 

Microsoft has released its January 2025 Patch Tuesday updates, delivering critical fixes. Key products impacted include Windows Telephony Service, Windows Digital Media, and MSMQ, among others.

Key take away:

  • Microsoft addressed 159 vulnerabilities across multiple products, including eight zero-day flaws, with three actively exploited in the January 2025 Patch Tuesday updates.
  • Key vulnerabilities include privilege escalation flaws in Hyper-V and remote code execution bugs in Microsoft Excel.
  • This marks highest number of fixes in a single month since at least 2017.
OEM Microsoft 
Severity Critical 
Date of Announcement 2025-01-14 
No. of Vulnerabilities Patched 159 
Actively Exploited yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

Critical updates were issued for Windows Hyper-V, Windows Themes, Microsoft Access, and Windows App Package Installer. The vulnerabilities include elevation of privilege, remote code execution, and spoofing attacks, impacting various systems. The patch targets a range of critical issues across Microsoft products, categorized as follows: 

  • 58 Remote Code Execution (RCE) Vulnerabilities 
  • 40 Elevation of Privilege (EoP) Vulnerabilities 
  • 22 Information Disclosure Vulnerabilities 
  • 20 Denial of Service (DoS) Vulnerabilities 
  • 14 Security Feature Bypass 
  • 5 Spoofing Vulnerabilities 

The highlighted vulnerabilities include 8 zero-day flaws, 3 of which are currently being actively exploited. 

Vulnerability Name CVE ID Product Affected Severity CVSS Score 
Elevation of privilege vulnerability  CVE-2025-21333CVE-2025-21334CVE-2025-21335 Windows High 7.8 
Elevation of Privilege Vulnerability CVE-2025-21275 Windows High 7.8 
Remote Code Execution Vulnerability CVE-2025-21186,CVE-2025-21366, CVE-2025-21395 Windows High 7.8 
Spoofing Vulnerability CVE-2025-21308 Windows Medium 6.5 

Technical Summary 

CVE ID System Affected Vulnerability Details Impact 
 CVE-2025-21333CVE-2025-21334CVE-2025-21335  Windows Hyper-V NT Kernel No information has been released on how elevation of privilege vulnerabilities in Windows Hyper-V NT Kernel Integration VSP, which allow attackers to gain SYSTEM privileges, were exploited in attacks, as they were disclosed anonymously.    Allow attackers to gain SYSTEM privileges 
  CVE-2025-21275  Windows App Package Installer Elevation of privilege vulnerability in the Windows App Package Installer, potentially leading to SYSTEM privileges.   Attackers could gain SYSTEM privileges 
 CVE-2025-21186,CVE-2025-21366, CVE-2025-21395   Microsoft Access  Remote code execution vulnerabilities in Microsoft Access, exploitable via specially crafted Access documents.   Remote Code Execution 
 CVE-2025-21308   Windows Themes Spoofing vulnerability in Windows Themes; viewing a specially crafted theme file in Windows Explorer can lead to NTLM credential theft.   NTLM credential theft 

Source:  Microsoft       

Additional Critical Patches Address High-Severity Vulnerabilities 

  • Eight of this month’s patches address Virtual Secure Mode components, requiring administrators to follow Microsoft’s guidance for updating virtualization-based security (VBS) issues. (CVE-2025-21280, CVE-2025-21284, CVE-2025-21299, CVE-2025-21321, CVE-2025-21331, CVE-2025-21336, CVE-2025-21340, CVE-2025-21370). 
  • Windows NTLM V1 Elevation of Privilege Vulnerability (CVE-2025-21311). 
  • Windows OLE Remote Code Execution Vulnerability (CVE-2025-21298). 

Remediation

  • Apply Updates: Immediately install the January 2025 Patch Tuesday updates to address these vulnerabilities. 
  • Disable NTLM: For CVE-2025-21308, consider disabling NTLM or enabling the “Restrict NTLM: Outgoing NTLM traffic to remote servers” policy to mitigate the risk.  
  • Exercise Caution with Untrusted Files: Avoid opening or interacting with files from untrusted sources, especially those with extensions associated with Microsoft Access. 

Conclusion: 

The January 2025 Patch Tuesday release addresses critical vulnerabilities that could allow attackers to gain elevated privileges, execute arbitrary code, or steal credentials. Prompt application of these updates is essential to maintain system security. Additionally, implementing recommended mitigations, such as disabling NTLM, can provide further protection against potential exploits. 

References

https://msrc.microsoft.com/update-guide/releaseNote/2025-Jan

Security Advisory

Banshee Stealer: A Growing Threat to macOS Users 

Overview 

Cybersecurity researchers at Check Point Research (CPR) have discovered a sophisticated macOS malware called Banshee Stealer, putting over 100 million macOS users globally at risk. The malware, designed to exfiltrate sensitive user data, demonstrates advanced evasion techniques, posing a significant threat to users and organizations relying on macOS. 

Key Threat Details: 

Malware Capabilities: 

  • Data Theft: Banshee Stealer targets browser credentials, cryptocurrency wallets, and sensitive files, compromising user security. 
  • User Deception: It displays fake system pop-ups to trick users into revealing their macOS passwords, facilitating unauthorized access. 
  • Encryption and Exfiltration: Stolen data is compressed, encrypted, and transmitted to command-and-control (C&C) servers through stealthy channels, making detection challenging. 

C&C decryption     Source: Cybersecurity News 

Evasion Tactics: 

  • Advanced Encryption: The malware utilizes encryption techniques similar to Apple’s XProtect, camouflaging itself to evade detection by traditional antivirus systems. 
  • Stealth Operations: It operates seamlessly within system processes, avoiding scrutiny from debugging tools and remaining undetected for extended periods. 

Distribution Mechanisms: 

  • Phishing Websites: Banshee Stealer impersonates trusted software downloads, including Telegram and Chrome, to deceive users into downloading malicious files. 
  • Fake GitHub Repositories: It distributes DMG files with deceptive reviews and stars to gain user trust, facilitating the spread of the malware. 

Repository releases     source: Cybersecurity News 

Recent Developments: 

  • Expanded Targeting: The latest version of Banshee Stealer has removed geographic restrictions, such as the Russian language check, broadening its target audience globally. 
  • Source Code Leak: Following a source code leak, there has been increased activity, enabling other threat actors to develop variants and intensify the threat landscape. 

Impact: 

  • Users: Compromised browser data, cryptocurrency wallets, and personal files can lead to identity theft and financial losses. 
  • Organizations: Potential data breaches can result in reputational damage, financial losses, and legal implications. 
  • Global Threat: The malware’s expanded targeting underscores the need for enhanced vigilance among macOS users worldwide. 

Indicators of Compromise (IOCs): 

The IOCs listed below are associated with the threat. For the full list of IOCs, please refer to the link

IP Address and Domain  File Hash 
41.216.183[.]49 00c68fb8bcb44581f15cb4f888b4dec8cd6d528cacb287dc1bdeeb34299b8c93 
Alden[.]io 1dcf3b607d2c9e181643dd6bf1fd85e39d3dc4f95b6992e5a435d0d900333416 
api7[.]cfd 3bcd41e8da4cf68bb38d9ef97789ec069d393306a5d1ea5846f0c4dc0d5beaab 
Authorisev[.]site b978c70331fc81804dea11bf0b334aa324d94a2540a285ba266dd5bbfbcbc114 

Recommendations: 

To mitigate the risks associated with Banshee Stealer, consider implementing the following proactive measures: 

  1. Avoid Untrusted Downloads: 
  • Refrain from downloading software from unverified sources, particularly free or “cracked” versions. 
  • Verify the authenticity of GitHub repositories before downloading any files. 
  1. Strengthening System Defenses: 
  • Regularly update macOS and all installed applications to patch known vulnerabilities. 
  • Deploy advanced security solutions with real-time threat detection and proactive intelligence. 
  1. Enhance Awareness and Training: 
  • Educate users on identifying phishing websites and suspicious downloads. 
  • Encourage caution when responding to system prompts or entering credentials. 
  1. Enable Two-Factor Authentication (2FA): 
  • Secure accounts with 2FA to minimize the impact of stolen credentials. 
  1. Monitor System Activity: 
  • Regularly review system logs for unauthorized changes or suspicious activity. 
  • Use tools to monitor unexpected outgoing data transmissions. 
  • Utilize threat intelligence feeds to detect and block IOCs like malicious IPs, domains, and file hashes.  
  • Continuously monitor network traffic, emails, and file uploads to identify and mitigate threats early. 

Conclusion: 

The rise of the Banshee malware exemplifies the increasing sophistication of threats targeting macOS. Users and organizations must adopt layered security defenses, maintain vigilance, and prioritize awareness to mitigate the risks of advanced malware like Banshee. By leveraging updated tools and practices, you can safeguard critical systems and data from evolving cyber threats. 

References

Security Advisory

Important Security Alert: SonicWall Issues Patch for SSL-VPN Vulnerabilities 

SonicWall has released an Critical advisory urging administrators to address a critical vulnerability in its SSL-VPN product.

The flaw, identified as CVE-2024-53704, poses a significant security risk, allowing attackers to exploit the system remotely. Administrators are strongly encouraged to update their systems immediately to mitigate potential threats. SonicWall has released an Critical advisory urging administrators to address a critical vulnerability in its SSL-VPN product.

Key Details:

  • The vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected systems.
  • It impacts SonicWall’s SSL-VPN products, widely used for secure remote access.
  • Exploitation of this bug could lead to severe consequences, including unauthorized access to sensitive data, network infiltration, and system compromise.

Summary 

OEM SonicWall 
Severity High 
CVSS 8.2 
CVEs CVE-2024-53704 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

The security flaw, tracked as CVE-2024-53704, presents a serious risk, enabling remote exploitation by attackers. Administrators are highly advised to apply the necessary patches without delay to protect against potential threats.  

Vulnerability Name CVE ID Product Affected Severity Affected Version 
Improper Authentication CVE-2024-53704 SonicWall  High 7.1.x (7.1.1-7058 and older), 7.1.2-7019 
8.0.0-8035 
A privilege escalation vulnerability CVE-2024-53706 SonicWall High  7.1.x (7.1.1-7058 and older), 7.1.2-7019 
A weakness in the SSLVPN authentication token generator CVE-2024-40762 SonicWall High  7.1.x (7.1.1-7058 and older), 7.1.2-7019 
A server-side request forgery (SSRF) vulnerability CVE-2024-53705 SonicWall Medium 6.5.4.15-117n and older 
7.0.x (7.0.1-5161 and older) 

Technical Summary 

CVE ID System Affected Vulnerability Details Impact 
 CVE-2024-53704  Gen7 Firewalls, Gen7 NSv, TZ80 An Improper Authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication.  Bypass authentication 
 CVE-2024-53706  Gen7 Cloud Platform NSv A vulnerability in the Gen7 SonicOS Cloud platform NSv (AWS and Azure editions only), allows a remote authenticated local low-privileged attacker to elevate privileges to `root` and potentially lead to code execution.  Allow attackers to gain root privileges and potentially execute code. 
  CVE-2024-40762  Gen7 Firewalls, Gen7 NSv, TZ80 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in the SonicOS SSLVPN authentication token generator that, in certain cases, can be predicted by an attacker potentially resulting in authentication bypass. Weak PRNG in authentication tokens can lead to authentication bypass in SSLVPN. 
 CVE-2024-53705  Gen6 Hardware Firewalls, Gen7 Firewalls, Gen7 NSv A Server-Side Request Forgery vulnerability in the SonicOS SSH management interface allows a remote attacker to establish a TCP connection to an IP address on any port when the user is logged in to the firewall. Allow attackers to establish TCP connections to arbitrary IP addresses and ports 

Remediation

  • Update: Impacted users are recommended to upgrade to the following versions to address the security risk: 
 Firewalls Versions Fixes and Releases 
Gen 6 / 6.5 hardware firewalls SonicOS 6.5.5.1-6n or newer 
Gen 6 / 6.5 NSv firewalls SonicOS 6.5.4.v-21s-RC2457 or newer 
Gen 7 firewalls SonicOS 7.0.1-5165 or newer; 7.1.3-7015 and higher 
TZ80: SonicOS SonicOS 8.0.0-8037 or newer 

Recommendations: 

  • Patch Without Delay: Install the latest firmware update from SonicWall to resolve this vulnerability. Detailed instructions are available in SonicWall’s official advisory. 
  • Monitor Network Activity: Regularly monitor network traffic for signs of suspicious or unauthorized access. 
  • Limit Access: Restrict VPN access to trusted users and enforce Multi-Factor Authentication (MFA) for all accounts. 
  • Stay Updated: Subscribe to SonicWall’s security alerts and updates to stay informed about upcoming vulnerabilities. 

References: 

Security Advisory

GitLab Releases Patch to Fix Critical and High-Severity Vulnerabilities 

GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities.

Summary 

OEM Gitlab 
Severity High 
CVEs CVE-2024-5655, CVE-2024-6385, CVE-2024-6678, CVE-2024-8970, CVE-2025-0194, CVE-2024-6324, CVE-2024-12431, CVE-2024-13041 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

The vulnerabilities could potentially impact unauthorized access, data manipulation, and service disruption. These have been disclosed through GitLab’s HackerOne bug bounty program. Latest Versions 17.7.1, 17.6.3, and 17.5.5 are now available for immediate download and upgrade to address these issues. 

Vulnerability Name CVE ID Product Affected Severity 
Import Functionality Vulnerabilities CVE-2024-6385 GitLab CE/EE Critical 
Import Functionality Vulnerabilities  CVE-2024-5655  GitLab CE/EE High 
Import Functionality Vulnerabilities CVE-2024-6678 GitLab CE/EE High 
Import Functionality Vulnerabilities CVE-2024-8970 GitLab CE/EE High 
Access Token Exposure in Logs CVE-2025-0194 GitLab CE/EE Medium 
Cyclic Reference of Epics Leading to DoS CVE-2024-6324 GitLab CE/EE Medium 
Unauthorized Manipulation of Issue Status CVE-2024-12431 GitLab CE/EE Medium 
Instance SAML Bypass CVE-2024-13041 GitLab CE/EE Medium 

Technical Summary 

This update addresses several significant vulnerabilities identified in GitLab CE/EE: 

CVE ID System Affected Vulnerability Details Impact 
CVE-2024-6385    GitLab CE/EE     Vulnerability in import functionality allowing potential exploitation     Allows attackers to exploit the system.  
CVE-2024-5655 
CVE-2024-6678 
CVE-2024-8970 
CVE-2025-0194 GitLab CE/EE Possible exposure of access tokens in logs under certain conditions. Potential unauthorized access to sensitive resources. 
CVE-2024-6324 GitLab CE/EE Cyclic references between epics could lead to resource exhaustion, causing a Denial of Service (DoS). Service disruption due to resource exhaustion. 
CVE-2024-12431 GitLab CE/EE Unauthorized users could manipulate issue statuses in public projects, potentially disrupting workflows. Workflow disruption and compromised data integrity. 
CVE-2024-13041 GitLab CE/EE Flaw in instance SAML configuration allowing bypass of external provider settings. Unauthorized access to internal projects or groups. 

Key Changes to Import Functionality: 

  • Post-import mapping: This new feature allows administrators to assign imported contributions and memberships to users after the import process is complete, enhancing control and security. 
  • Email-independent mapping: The updated mapping process no longer relies on email addresses, providing greater flexibility and security when importing from instances with different email domains. 
  • User control: Users on the destination instance now have the power to accept or reject assigned contributions, adding another layer of security and preventing unauthorized access. 

Remediation

  • Upgrade GitLab Instances: All users are strongly advised to upgrade to versions 17.7.1, 17.6.3, or 17.5.5 immediately to mitigate these vulnerabilities. 
  • Disable Importers Temporarily: Until upgrades are complete, disable importers to avoid exploitation. If import functionality is essential, enable it only during the import process and disable it afterward. 
  • Adopt Updated Features: Leverage the new post-import mapping, email-independent mapping, and user control enhancements for increased security.  

Conclusion: 

The vulnerabilities addressed in this patch release highlight the importance of timely updates and proactive security measures. GitLab’s redesign of its import functionality and the prompt patch release demonstrate a commitment to user security. Upgrading to the latest patched versions and adhering to the recommended actions is critical to maintaining a secure environment.  

References: 

Image 
 
A close-up of a warning sign Description automatically generated 

Security Advisory

Ivanti Connect Secure VPN Actively Being Exploited in the Wild 

Ivanti announced two critical vulnerabilities impacting its Connect Secure (ICS) VPN appliances: CVE-2025-0282 and CVE-2025-0283. Notably, CVE-2025-0282 has been actively exploited in the wild since mid-December 2024.

As per Ivanti threat actors have attempted to bypass detection by the ICT, Ivanti has provided examples demonstrating the differences between successful scans and unsuccessful ones on compromised devices to help users identify potential compromises.

Summary 

OEM Ivanti  
Severity Critical 
CVSS 9.0 
CVEs CVE-2025-0282, CVE-2025-0283  
Exploited in Wild  Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

This stack-based buffer overflow flaw allows unauthenticated attackers to execute arbitrary code on affected devices. Another  Vulnerability, CVE-2025-0283, could allow a local authenticated attacker to escalate privileges. Ivanti has released patches for Connect Secure and recommends immediate updates to mitigate the risk. 

Vulnerability Name CVE ID Product Affected Severity Affected Version 
Stack-Based Buffer Overflow Vulnerability  CVE-2025-0282 Ivanti Critical 22.7R2 through 22.7R2.4  22.7R1 through 22.7R1.2  22.7R2 through 22.7R2.3  
Stack-Based Buffer Overflow Vulnerability CVE-2025-0283  Ivanti High 22.7R2.4 and prior 9.1R18.9 and prior  22.7R1.2 and prior 22.7R2.3 and prior  

Technical Summary 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-0282  Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways  A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.  RCE, System compromise, Data theft, Network breaches, and Service disruptions.  
CVE-2025-0283  Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways  A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges Allow Local Authenticated Attackers to Escalate Privileges. 

Remediation

  • Ensure that the appropriate patches or updates are applied to the relevant Ivanti 
  • Organizations using ICS appliances are strongly advised to apply these patches and follow Ivanti’s Security Advisory to safeguard their systems.

versions as listed below: 

Affected Version(s) Fixes and Releases 
22.7R2 through 22.7R2.4  22.7R2.5  
22.7R2.4 and prior,  9.1R18.9 and prior  22.7R2.5  
22.7R2 through 22.7R2.3  22.7R2.5, Patch planned availability Jan. 21  
22.7R2.3 and prior  22.7R2.5, Patch planned availability Jan. 21  
22.7R1 through 22.7R1.2  Patch planned availability Jan. 21  
22.7R1.2 and prior  Patch planned availability Jan. 21  
  • Ivanti Connect Secure: Upgrade to version 22.7R2.5, perform a clean ICT scan, and factory reset appliances before putting them into production for added security. 
  • Ivanti Connect Secure (Compromise Detected): Perform a factory reset and upgrade to version 22.7R2.5 to remove malware and ensure continued monitoring with security tools. 
  • Ivanti Policy Secure: Ensure the appliance is not exposed to the internet, as the risk of exploitation is lower, and expect a fix on January 21, 2025. 
  • Ivanti Neurons for ZTA Gateways: Ensure ZTA gateways are connected to a controller for protection, with a fix available on January 21, 2025. 

General Recommendation 

  • Regularly update software and systems to address known vulnerabilities. 
  • Implement continuous monitoring to identify any unauthorized access or suspicious activities. 
  • Use strong authentication and access controls to minimize unauthorized access and reduce attack surfaces. 
  • Create and Maintain an incident response plan to quickly mitigate the impact of any security breach. 

References: 

Security Advisory

Race Condition Vulnerability in OpenSSH (CVE-2024-6387): PoC Exploit Released  

Race Condition Vulnerability in OpenSSH (CVE-2024-6387): PoC Exploit Released  

OpenSSH is a suite of networking utilities based on the Secure Shell (SSH) protocol. It is extensively used for secure remote login, remote server management and administration, and file transfers via SCP and SFTP. OpenSSH server process ‘sshd’ is affected by a signal handler race condition allowing unauthenticated remote code execution with root privileges on glibc-based Linux systems.

Summary 

Application OpenSSH 
Severity High 
CVSS 8.1 
CVEs CVE-2024-6387 
Exploited in Wild Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

CVE-2024-6387, a high-severity vulnerability in OpenSSH’s server (sshd), has been identified and is currently being exploited in the wild. Known as “regreSSHion,” this flaw involves a sophisticated race condition during the authentication phase, allowing unauthenticated remote attackers to execute arbitrary code with root privileges.

A proof-of-concept (PoC) exploit for this critical vulnerability has been released, further raising concerns. 

The vulnerability affects millions of OpenSSH servers globally, with older versions particularly at risk. Rated with a CVSS score of 8.1, the flaw poses a significant security threat. Over 14 million OpenSSH server instances exposed to the Internet have been identified as potentially vulnerable, with around 700,000 instances facing external internet threats. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Race Condition vulnerability   CVE-2024-6387  OpenSSH (8.5p1–9.8p1)  High  OpenSSH 9.8p2 or later 

Technical Summary 

CVE-2024-6387, also known as “regreSSHion,” is a critical vulnerability in OpenSSH’s server (sshd) caused by a signal handler race condition. This issue arises when the SIGALRM handler, triggered during a failed login attempt exceeding LoginGraceTime, invokes non-async-signal-safe functions like syslog(). The Vulnerability allows unauthenticated remote attackers to execute arbitrary code with root privileges, primarily affecting glibc-based Linux systems.

Exploitation is technically complex but feasible and has been demonstrated in controlled environments on 32-bit systems. OpenBSD systems are unaffected due to their different signal-handling mechanisms. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2024-6387 OpenSSH v8.5p1 through 9.8p1 on glibc-based Linux systems Signal handler race condition in sshd’s SIGALRM, triggered during login timeout (LoginGraceTime). Remote Code Execution (Root Privileges) 

Impact:

This Vulnerability if exploited could lead to complete system takeover.

Remediation

  • Immediate Patch: Upgrade OpenSSH to version 9.8p2 or later, which resolves the issue. 
  • Access Restrictions: Implement firewall rules or TCP wrappers to limit SSH access to trusted IP ranges. 
  • Monitor Activity: Use intrusion detection systems (IDS) to analyze logs for unusual activity, failed login attempts, or exploitation patterns. 

Indicators of Compromise (IOCs): 

IP Address / Hostname File Hash 
209.141.53[.]247 0df799f05c6d97e2b7d4b26c8e7246f7 
108.174.58[.]28 11cc5f00b466d4f9be4e0a46f2eb51ae 
195.85.205[.]47 1f452448cea986aedc88ba50d48691f7 
62.72.191[.]203 207eb58423234306edaecb3ec89935d8 
botbot.ddosvps.cc  

Below are some IOCs associated with the threat. For a complete list of IOCs, refer to the AlienVault Pulse for CVE-2024-6387 

Conclusion: 

The public release of a PoC exploit for CVE-2024-6387 marks a critical moment for organizations relying on OpenSSH. While exploitation requires significant effort, the potential impact of a successful attack—complete system compromise and privilege escalation—is severe.

Swift patching and the adoption of layered security measures are imperative to mitigate the risks. 

Organizations must act promptly to safeguard their systems and monitor for signs of active exploitation. By staying informed and proactive, businesses can minimize the potential fallout from this serious vulnerability. 

References: 

  • https://nvd.nist.gov/vuln/detail/cve-2024-6387 
  • https://www.yorku.ca/uit/2025/01/openssh-remote-code-execution-regresshion-cve-2024-6387/

Security Advisory

Critical Windows Privilege Escalation Vulnerability with Public Exploit

Cybersecurity researchers reported a critical Windows privilege escalation vulnerability, identified as CVE-2024-43641 affecting Microsoft Windows. This flaw, which affects various editions of Windows Server 2025, Windows 10, and Windows 11, has been assigned a CVSS v3.1 score of 7.8, indicating high severity.

Summary 

OEM Microsoft 
Severity High 
CVSS 7.8 
CVEs CVE-2024-43641 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

A significant Windows Registry Elevation of Privilege vulnerability, identified as CVE-2024-43641, affects multiple editions of Windows. A recently released Proof-of-Concept (PoC) exploit demonstrates how attackers can exploit this flaw to gain elevated privileges. 

Vulnerability Name CVE ID Product Affected Severity 
Windows Registry Elevation of Privilege Vulnerability  CVE-2024-43641  Windows    High 

Technical Summary 

The vulnerability, CVE-2024-43641, exploits a design flaw in Windows registry hive memory management, specifically during a double-fetch process under memory pressure. This flaw allows malicious SMB servers to respond with differing data for consecutive read requests, breaking kernel assumptions and enabling privilege escalation to SYSTEM level. Key technical details are as follows: 

CVE ID System Affected Vulnerability Details Impact 
CVE-2024-43641 Windows 10, Windows 11, Windows Server 2008–2025 The vulnerability involves improper handling of registry hive memory management under memory pressure. A malicious SMB server can respond with differing data to consecutive read requests, breaking kernel assumptions. Exploitation leverages a “False File Immutability” (FFI) condition. Allows attackers to escalate privileges, execute arbitrary code, and compromise system integrity. 

Remediation

  • Apply Patches: Users and system administrators are strongly advised to promptly apply the latest security updates. 
  • Monitor Activity: 
  • Monitor logs for suspicious activity related to registry operations. 
  • The cybersecurity community is actively monitoring the situation for any indications of active exploitation in the wild. 

Conclusion: 

CVE-2024-43641 is a high-severity vulnerability with a publicly available PoC exploit. It is crucial to apply security patches immediately and follow best practices to mitigate the risk of exploitation. Organizations must stay alert and monitor ongoing developments to ensure complete protection against this emerging threat. 

References: 

Security Advisory

Exploit Proof-of-Concept Released for Windows Lightweight Directory Access Protocol (LDAP CVE-2024-49113 )

CVE-2024-49113 LDAP

Continue Reading
Scroll to top