CISO

Security Advisory

GitLab Releases Patch to Fix Critical and High-Severity Vulnerabilities 

GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities.

Summary 

OEM Gitlab 
Severity High 
CVEs CVE-2024-5655, CVE-2024-6385, CVE-2024-6678, CVE-2024-8970, CVE-2025-0194, CVE-2024-6324, CVE-2024-12431, CVE-2024-13041 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

The vulnerabilities could potentially impact unauthorized access, data manipulation, and service disruption. These have been disclosed through GitLab’s HackerOne bug bounty program. Latest Versions 17.7.1, 17.6.3, and 17.5.5 are now available for immediate download and upgrade to address these issues. 

Vulnerability Name CVE ID Product Affected Severity 
Import Functionality Vulnerabilities CVE-2024-6385 GitLab CE/EE Critical 
Import Functionality Vulnerabilities  CVE-2024-5655  GitLab CE/EE High 
Import Functionality Vulnerabilities CVE-2024-6678 GitLab CE/EE High 
Import Functionality Vulnerabilities CVE-2024-8970 GitLab CE/EE High 
Access Token Exposure in Logs CVE-2025-0194 GitLab CE/EE Medium 
Cyclic Reference of Epics Leading to DoS CVE-2024-6324 GitLab CE/EE Medium 
Unauthorized Manipulation of Issue Status CVE-2024-12431 GitLab CE/EE Medium 
Instance SAML Bypass CVE-2024-13041 GitLab CE/EE Medium 

Technical Summary 

This update addresses several significant vulnerabilities identified in GitLab CE/EE: 

CVE ID System Affected Vulnerability Details Impact 
CVE-2024-6385    GitLab CE/EE     Vulnerability in import functionality allowing potential exploitation     Allows attackers to exploit the system.  
CVE-2024-5655 
CVE-2024-6678 
CVE-2024-8970 
CVE-2025-0194 GitLab CE/EE Possible exposure of access tokens in logs under certain conditions. Potential unauthorized access to sensitive resources. 
CVE-2024-6324 GitLab CE/EE Cyclic references between epics could lead to resource exhaustion, causing a Denial of Service (DoS). Service disruption due to resource exhaustion. 
CVE-2024-12431 GitLab CE/EE Unauthorized users could manipulate issue statuses in public projects, potentially disrupting workflows. Workflow disruption and compromised data integrity. 
CVE-2024-13041 GitLab CE/EE Flaw in instance SAML configuration allowing bypass of external provider settings. Unauthorized access to internal projects or groups. 

Key Changes to Import Functionality: 

  • Post-import mapping: This new feature allows administrators to assign imported contributions and memberships to users after the import process is complete, enhancing control and security. 
  • Email-independent mapping: The updated mapping process no longer relies on email addresses, providing greater flexibility and security when importing from instances with different email domains. 
  • User control: Users on the destination instance now have the power to accept or reject assigned contributions, adding another layer of security and preventing unauthorized access. 

Remediation

  • Upgrade GitLab Instances: All users are strongly advised to upgrade to versions 17.7.1, 17.6.3, or 17.5.5 immediately to mitigate these vulnerabilities. 
  • Disable Importers Temporarily: Until upgrades are complete, disable importers to avoid exploitation. If import functionality is essential, enable it only during the import process and disable it afterward. 
  • Adopt Updated Features: Leverage the new post-import mapping, email-independent mapping, and user control enhancements for increased security.  

Conclusion: 

The vulnerabilities addressed in this patch release highlight the importance of timely updates and proactive security measures. GitLab’s redesign of its import functionality and the prompt patch release demonstrate a commitment to user security. Upgrading to the latest patched versions and adhering to the recommended actions is critical to maintaining a secure environment.  

References: 

Image 
 
A close-up of a warning sign Description automatically generated 

Security Advisory

Ivanti Connect Secure VPN Actively Being Exploited in the Wild 

Ivanti announced two critical vulnerabilities impacting its Connect Secure (ICS) VPN appliances: CVE-2025-0282 and CVE-2025-0283. Notably, CVE-2025-0282 has been actively exploited in the wild since mid-December 2024.

As per Ivanti threat actors have attempted to bypass detection by the ICT, Ivanti has provided examples demonstrating the differences between successful scans and unsuccessful ones on compromised devices to help users identify potential compromises.

Summary 

OEM Ivanti  
Severity Critical 
CVSS 9.0 
CVEs CVE-2025-0282, CVE-2025-0283  
Exploited in Wild  Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

This stack-based buffer overflow flaw allows unauthenticated attackers to execute arbitrary code on affected devices. Another  Vulnerability, CVE-2025-0283, could allow a local authenticated attacker to escalate privileges. Ivanti has released patches for Connect Secure and recommends immediate updates to mitigate the risk. 

Vulnerability Name CVE ID Product Affected Severity Affected Version 
Stack-Based Buffer Overflow Vulnerability  CVE-2025-0282 Ivanti Critical 22.7R2 through 22.7R2.4  22.7R1 through 22.7R1.2  22.7R2 through 22.7R2.3  
Stack-Based Buffer Overflow Vulnerability CVE-2025-0283  Ivanti High 22.7R2.4 and prior 9.1R18.9 and prior  22.7R1.2 and prior 22.7R2.3 and prior  

Technical Summary 

CVE ID System Affected Vulnerability Details Impact 
CVE-2025-0282  Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways  A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.  RCE, System compromise, Data theft, Network breaches, and Service disruptions.  
CVE-2025-0283  Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways  A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a local authenticated attacker to escalate their privileges Allow Local Authenticated Attackers to Escalate Privileges. 

Remediation

  • Ensure that the appropriate patches or updates are applied to the relevant Ivanti 
  • Organizations using ICS appliances are strongly advised to apply these patches and follow Ivanti’s Security Advisory to safeguard their systems.

versions as listed below: 

Affected Version(s) Fixes and Releases 
22.7R2 through 22.7R2.4  22.7R2.5  
22.7R2.4 and prior,  9.1R18.9 and prior  22.7R2.5  
22.7R2 through 22.7R2.3  22.7R2.5, Patch planned availability Jan. 21  
22.7R2.3 and prior  22.7R2.5, Patch planned availability Jan. 21  
22.7R1 through 22.7R1.2  Patch planned availability Jan. 21  
22.7R1.2 and prior  Patch planned availability Jan. 21  
  • Ivanti Connect Secure: Upgrade to version 22.7R2.5, perform a clean ICT scan, and factory reset appliances before putting them into production for added security. 
  • Ivanti Connect Secure (Compromise Detected): Perform a factory reset and upgrade to version 22.7R2.5 to remove malware and ensure continued monitoring with security tools. 
  • Ivanti Policy Secure: Ensure the appliance is not exposed to the internet, as the risk of exploitation is lower, and expect a fix on January 21, 2025. 
  • Ivanti Neurons for ZTA Gateways: Ensure ZTA gateways are connected to a controller for protection, with a fix available on January 21, 2025. 

General Recommendation 

  • Regularly update software and systems to address known vulnerabilities. 
  • Implement continuous monitoring to identify any unauthorized access or suspicious activities. 
  • Use strong authentication and access controls to minimize unauthorized access and reduce attack surfaces. 
  • Create and Maintain an incident response plan to quickly mitigate the impact of any security breach. 

References: 

Security Advisory

Race Condition Vulnerability in OpenSSH (CVE-2024-6387): PoC Exploit Released  

Race Condition Vulnerability in OpenSSH (CVE-2024-6387): PoC Exploit Released  

OpenSSH is a suite of networking utilities based on the Secure Shell (SSH) protocol. It is extensively used for secure remote login, remote server management and administration, and file transfers via SCP and SFTP. OpenSSH server process ‘sshd’ is affected by a signal handler race condition allowing unauthenticated remote code execution with root privileges on glibc-based Linux systems.

Summary 

Application OpenSSH 
Severity High 
CVSS 8.1 
CVEs CVE-2024-6387 
Exploited in Wild Yes 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

CVE-2024-6387, a high-severity vulnerability in OpenSSH’s server (sshd), has been identified and is currently being exploited in the wild. Known as “regreSSHion,” this flaw involves a sophisticated race condition during the authentication phase, allowing unauthenticated remote attackers to execute arbitrary code with root privileges.

A proof-of-concept (PoC) exploit for this critical vulnerability has been released, further raising concerns. 

The vulnerability affects millions of OpenSSH servers globally, with older versions particularly at risk. Rated with a CVSS score of 8.1, the flaw poses a significant security threat. Over 14 million OpenSSH server instances exposed to the Internet have been identified as potentially vulnerable, with around 700,000 instances facing external internet threats. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Race Condition vulnerability   CVE-2024-6387  OpenSSH (8.5p1–9.8p1)  High  OpenSSH 9.8p2 or later 

Technical Summary 

CVE-2024-6387, also known as “regreSSHion,” is a critical vulnerability in OpenSSH’s server (sshd) caused by a signal handler race condition. This issue arises when the SIGALRM handler, triggered during a failed login attempt exceeding LoginGraceTime, invokes non-async-signal-safe functions like syslog(). The Vulnerability allows unauthenticated remote attackers to execute arbitrary code with root privileges, primarily affecting glibc-based Linux systems.

Exploitation is technically complex but feasible and has been demonstrated in controlled environments on 32-bit systems. OpenBSD systems are unaffected due to their different signal-handling mechanisms. 

CVE ID System Affected Vulnerability Details Impact 
CVE-2024-6387 OpenSSH v8.5p1 through 9.8p1 on glibc-based Linux systems Signal handler race condition in sshd’s SIGALRM, triggered during login timeout (LoginGraceTime). Remote Code Execution (Root Privileges) 

Impact:

This Vulnerability if exploited could lead to complete system takeover.

Remediation

  • Immediate Patch: Upgrade OpenSSH to version 9.8p2 or later, which resolves the issue. 
  • Access Restrictions: Implement firewall rules or TCP wrappers to limit SSH access to trusted IP ranges. 
  • Monitor Activity: Use intrusion detection systems (IDS) to analyze logs for unusual activity, failed login attempts, or exploitation patterns. 

Indicators of Compromise (IOCs): 

IP Address / Hostname File Hash 
209.141.53[.]247 0df799f05c6d97e2b7d4b26c8e7246f7 
108.174.58[.]28 11cc5f00b466d4f9be4e0a46f2eb51ae 
195.85.205[.]47 1f452448cea986aedc88ba50d48691f7 
62.72.191[.]203 207eb58423234306edaecb3ec89935d8 
botbot.ddosvps.cc  

Below are some IOCs associated with the threat. For a complete list of IOCs, refer to the AlienVault Pulse for CVE-2024-6387 

Conclusion: 

The public release of a PoC exploit for CVE-2024-6387 marks a critical moment for organizations relying on OpenSSH. While exploitation requires significant effort, the potential impact of a successful attack—complete system compromise and privilege escalation—is severe.

Swift patching and the adoption of layered security measures are imperative to mitigate the risks. 

Organizations must act promptly to safeguard their systems and monitor for signs of active exploitation. By staying informed and proactive, businesses can minimize the potential fallout from this serious vulnerability. 

References: 

  • https://nvd.nist.gov/vuln/detail/cve-2024-6387 
  • https://www.yorku.ca/uit/2025/01/openssh-remote-code-execution-regresshion-cve-2024-6387/

Security Advisory

Critical Windows Privilege Escalation Vulnerability with Public Exploit

Cybersecurity researchers reported a critical Windows privilege escalation vulnerability, identified as CVE-2024-43641 affecting Microsoft Windows. This flaw, which affects various editions of Windows Server 2025, Windows 10, and Windows 11, has been assigned a CVSS v3.1 score of 7.8, indicating high severity.

Summary 

OEM Microsoft 
Severity High 
CVSS 7.8 
CVEs CVE-2024-43641 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

A significant Windows Registry Elevation of Privilege vulnerability, identified as CVE-2024-43641, affects multiple editions of Windows. A recently released Proof-of-Concept (PoC) exploit demonstrates how attackers can exploit this flaw to gain elevated privileges. 

Vulnerability Name CVE ID Product Affected Severity 
Windows Registry Elevation of Privilege Vulnerability  CVE-2024-43641  Windows    High 

Technical Summary 

The vulnerability, CVE-2024-43641, exploits a design flaw in Windows registry hive memory management, specifically during a double-fetch process under memory pressure. This flaw allows malicious SMB servers to respond with differing data for consecutive read requests, breaking kernel assumptions and enabling privilege escalation to SYSTEM level. Key technical details are as follows: 

CVE ID System Affected Vulnerability Details Impact 
CVE-2024-43641 Windows 10, Windows 11, Windows Server 2008–2025 The vulnerability involves improper handling of registry hive memory management under memory pressure. A malicious SMB server can respond with differing data to consecutive read requests, breaking kernel assumptions. Exploitation leverages a “False File Immutability” (FFI) condition. Allows attackers to escalate privileges, execute arbitrary code, and compromise system integrity. 

Remediation

  • Apply Patches: Users and system administrators are strongly advised to promptly apply the latest security updates. 
  • Monitor Activity: 
  • Monitor logs for suspicious activity related to registry operations. 
  • The cybersecurity community is actively monitoring the situation for any indications of active exploitation in the wild. 

Conclusion: 

CVE-2024-43641 is a high-severity vulnerability with a publicly available PoC exploit. It is crucial to apply security patches immediately and follow best practices to mitigate the risk of exploitation. Organizations must stay alert and monitor ongoing developments to ensure complete protection against this emerging threat. 

References: 

Security Advisory

Exploit Proof-of-Concept Released for Windows Lightweight Directory Access Protocol (LDAP CVE-2024-49113 )

CVE-2024-49113 LDAP

Continue Reading
Security Advisory

Cleo Releases Patch for Critical Vulnerabilities Exploited in the Wild

Summary

OEM

Cleo

Severity

Critical

CVSS score

9.8

CVE

CVE-2024-55956, CVE-2024-50623

Exploited in Wild

Yes

Patch/Remediation Available

Yes 

Advisory Version

1.0

Overview

The Clop ransomware group has exploited critical vulnerabilities in Cleo’s Managed File Transfer (MFT) solutions, specifically targeting Cleo Harmony, VLTrader, and LexiCom. These vulnerabilities, identified as CVE-2024-50623 and CVE-2024-55956, allow unauthenticated attackers to execute arbitrary code on affected systems, leading to potential data breaches and system compromises.

Vulnerability Name

CVE ID

Product Affected

Severity

CVSS Score

Fixed Version

Unauthenticated Command Execution

CVE-2024-55956

Cleo products

Critical

9.8

5.8.0.24 or latest

Unrestricted File Upload/Download Vulnerability

CVE-2024-50623

Cleo products

Critical

9.8

5.8.0.24 or latest

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-55956

Cleo Harmony, VLTrader, LexiCom

This flaw enables unauthenticated users to import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory. Attackers can write a ZIP file containing a malicious XML file describing a new host. The malicious XML file contained a Mailbox action associated with the new host, which when run would execute an arbitrary OS command.

Execution of arbitrary commands, resulting in full system compromise.

CVE-2024-50623

Cleo Harmony, VLTrader, LexiCom

This vulnerability permits unauthenticated attackers to upload and download files without restrictions via the ‘/Synchronization’ endpoint. By uploading malicious files, attackers can achieve remote code execution. The exploitation involves writing malicious code to specific files, such as “webserverAjaxSwingconftemplatesdefault-pagebody-footerVL.html”, which is then leveraged to execute an attacker-controlled payload, potentially in the form of a webshell.

Unauthorized file manipulation and potential system compromise.

Remediations

  • Update Cleo Harmony, VLTrader, and LexiCom to the updated version 5.8.0.24 or latest one.

Recommendations

  • It is strongly advised to move any internet-exposed Cleo systems behind a firewall until patches are applied to prevent unauthorized exploitation.
  • Disable autorun files in Cleo software by clearing the “Autorun Directory” field under “Options” to limit the attack surface; this doesn’t resolve the file-write vulnerability.
  • Implement monitoring for signs of the “Cleopatra” backdoor and other malicious activities associated with Clop ransomware.
  • Conduct a thorough audit of your systems to identify any malicious files or abnormal system behavior associated with Cleo software. This includes checking logs, directories, and network traffic for unusual activities related to the known exploit chain.
  • If you have an EDR solution, block the attacker IPs associated with the exploit to prevent further external communication with compromised systems.
  • Ensure regular backups of critical data are performed and stored securely offline to facilitate recovery in case of any ransomware attack.

IOCs

Based on the research
These are the attacker IP addresses embedded in the encoded PowerShell

IP Address IOCs

File IOCs

176.123.5[.]126

60282967-dc91-40ef-a34c-38e992509c2c.xml

5.149.249[.]226

healthchecktemplate.txt

185.181.230[.]103

healthcheck.txt

209.127.12[.]38

181.214.147[.]164

192.119.99[.]42

References

Security Advisory

Critical Flaw in WordPress Hunk Companion Plugin Enables Unauthorized Plugin Installation

Summary

OEM

WordPress

Severity

Critical

Date of Announcement

2024-12-13

CVSS score

9.8

CVE

CVE-2024-11972

Exploited in Wild

Yes

Patch/Remediation Available

Yes 

Advisory Version

1.0

Overview

A Critical flaw in the WordPress Hunk Companion plugin has been actively exploited to enable unauthorized installation and activation of plugins. This vulnerability stems from insufficient authorization checks on a REST API endpoint. Exploited sites may see attackers silently install malicious or outdated plugins, leading to severe security risks, including remote code execution (RCE), unauthorized access, and website compromise.

Vulnerability Name

CVE ID

Product Affected

Severity

CVSS Score

Hunk Companion Plugin Vulnerability

CVE-2024-11972

Hunk Companion Plugin for WordPress

Critical

9.8

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-11972

Hunk Companion plugin versions  prior to 1.8.4

This vulnerability is caused by improper validation mechanisms in the file hunk-companion/import/app/app.php, a script responsible for handling plugin import and installation processes. At its core, the bug permits unauthenticated requests to bypass critical permission checks intended to ensure that only authorized users can install plugins.

This vulnerability potentially leads to remote code execution, unauthorized access, and full website compromise.

Remediations

  • “Hunk Companion” WordPress plugin, should update to version 9.0 or later.

General Recommendations

  • Regularly inspect your WordPress site for unknown plugins or modifications.
  • Reducing the risk of delayed patching can be achieved by enabling automatic updates for all plugins
  • Review server and WordPress logs for unauthorized login attempts to detect possible compromise.
  • Keep all plugins, themes, and WordPress core updated. Use strong, unique passwords and enable two-factor authentication for admin accounts.

References

Scroll to top