Exploitable Command Injection in F5 BIG-IP (CVE-2025-20029)
F5 BIG-IP
Continue ReadingCXO
Palo Alto Firewall Vulnerabilities Under Active Exploitation
An authentication bypass vulnerability (CVE-2025-0108) in Palo Alto Networks PAN-OS allows unauthenticated attackers with network access to bypass authentication on the management web interface.
Summary
| OEM | Palo Alto |
| Severity | High |
| Date of Announcement | 2025-02-19 |
| CVEs | CVE-2025-0108 |
| CVSS Score | 8.8 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
‘Palo Alto Networks says threat actors used a publicly available PoC exploit in attack attempts against firewall customers with PAN-OS management interfaces exposed to the internet’.
This poses a significant risk, particularly when the interface is exposed to the internet or untrusted networks. CISA has added it to its Known Exploited Vulnerabilities catalog due to active exploitation.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| Authentication Bypass Vulnerability | CVE-2025-0108 | Pan OS | High | PAN-OS 10.1: 10.1.0 through 10.1.14 PAN-OS 10.2: 10.2.0 through 10.2.13 PAN-OS 11.1: 11.1.0* through 11.1.6 PAN-OS 11.2: 11.2.0 through 11.2.4 |
Technical Summary
This authentication bypass flaw enables attackers to invoke specific PHP scripts without proper authorization, potentially compromising the integrity and confidentiality of the system. Attackers are chaining it with CVE-2024-9474 and CVE-2025-0111 to target unpatched instances. The risk is highest when the management interface is exposed directly to the internet, potentially enabling unauthorized access and manipulation of system configurations.
| Vulnerability Name | Details | Severity | Impact |
| Authentication Bypass Vulnerability | This is an authentication bypass in PAN-OS allowing unauthenticated attackers to invoke PHP scripts on the management interface, compromising system integrity. The vulnerability is critical when exposed to the internet and can be exploited by chaining CVE-2024-9474 and CVE-2025-0111. | High | Root access of the affected system, unauthorized file exfiltration. |
Recommendations
- Apply the security updates released on February 12, 2025, for PAN-OS versions 10.1, 10.2, 11.1, and 11.2 immediately.
Here are the details of the required upgrades:
| Version | Updated Version |
| PAN-OS 11.2 | Upgrade to 11.2.4-h4 or later |
| PAN-OS 11.1 | Upgrade to 11.1.6-h1 or later |
| PAN-OS 10.2 | Upgrade to 10.2.13-h3 or later |
| PAN-OS 10.1 | Upgrade to 10.1.14-h9 or later |
General Recommendations
- Restrict access to PAN-OS management interfaces to trusted IPs only.
- Continuously monitor for suspicious activity, including unauthorized file access and PHP script executions.
- Follow best practices for firewall security, including network segmentation and regular vulnerability assessments.
- Block IP addresses reported by GreyNoise that are actively targeting CVE-2025-0108, as well as any additional threat intelligence sources identifying malicious activity.
Conclusion
The active exploitation of these vulnerabilities highlights the critical need for timely patch management and robust access controls. Given the increasing attack surface and publicly available proof-of-concept exploits, organizations should prioritize remediation to prevent potential breaches. Palo Alto Networks urges customers to secure their firewalls immediately to mitigate this growing threat.
The vulnerability is therefore of high severity on the CVSS and users were warned that while the PHP scripts that can be invoked, do not themselves enable remote code execution.
References:
- https://www.securityweek.com/palo-alto-networks-confirms-exploitation-of-firewall-vulnerability/
- https://www.greynoise.io/blog/greynoise-observes-active-exploitation-of-pan-os-authentication-bypass-vulnerability-cve-2025-0108#GreyNoise
Authentication Bypass Vulnerability in FortiOS & FortiProxy
Summary
A critical authentication bypass vulnerability [CWE-288] has been identified in FortiOS and FortiProxy, tracked as CVE-2025-24472 . This is affecting their affecting FortiOS and FortiProxy products and being exploited in the wild.
| OEM | Fortinet |
| Severity | Critical |
| CVSS | 9.6 |
| CVEs | CVE-2025-24472 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
This flaw, with the CVSSv3 score of 9.6, could allow a remote attacker to obtain super-admin privileges by sending specially crafted requests to the Node.js WebSocket module.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| Authentication Bypass Vulnerability | CVE-2025-24472 | FortiOS FortiProxy | Critical | FortiOS v7.0 – v7.0.16 FortiProxy v7.0 – v7.0.19 FortiProxy v7.2 – v7.2.12 |
Technical Summary
| CVE ID | Vulnerability Details | Impact |
| CVE-2025-24472 | An authentication bypass using an alternate path (CWE-288) vulnerability in FortiOS and FortiProxy , present in certain versions, could enable a remote attacker to obtain super-admin privileges by sending requests to the Node.js websocket module or by crafting CSF proxy requests. | Execute unauthorized code or commands |
Recommendations:
- Update: Ensure that the appropriate patches or updates are applied to the relevant versions listed below
| Version | Fixes and Releases |
| FortiOS 7.0 – 7.0.16 | Upgrade to 7.0.17 or latest version |
| FortiProxy 7.0 – 7.0.19 | Upgrade to 7.0.20 or latest version |
| FortiProxy 7.2 – 7.2.12 | Upgrade to 7.2.13 or latest version |
Workarounds:
Below are some workarounds provided by the Fortinet team.
- Disable HTTP/HTTPS administrative interface
- Limit IP addresses that can reach the administrative interface via local-in policies
According to Fortinet, attackers exploit the two vulnerabilities to generate random admin or local users on affected devices, adding them to new and existing SSL VPN user groups. They have also been seen modifying firewall policies and other configurations and accessing SSLVPN instances with previously established rogue accounts “to gain a tunnel to the internal network.network.”
References:
Microsoft Updates Patch Tuesday for Feb 2025; Address 67 Vulnerabilities, Includes 2 Exploited Zero-Days
Summary
Microsoft’s February 2025 Patch Tuesday addresses multiple security vulnerabilities, including four zero-days, with two actively exploited in the wild. This update covers a total of 67 security flaws, with three classified as critical Remote Code Execution (RCE) vulnerabilities.
Microsoft issued a revision for an older zero-day that threatens the latest Windows desktop and server versions.
| OEM | Microsoft |
| Severity | Critical |
| Date of Announcement | 2025-02-11 |
| No. of Vulnerabilities Patched | 67 |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
The affected products include Windows, Microsoft Office, Microsoft Surface, and various network services. Organizations are strongly advised to apply these patches immediately to mitigate security risks and potential cyberattacks.
- 63 Microsoft CVEs addressed
- 4 non-Microsoft CVEs included
The highlighted vulnerabilities include 4 zero-day flaws, 2 of which are currently being actively exploited.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
| Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | CVE-2025-21418 | Windows | High | 7.8 |
| Windows Storage Elevation of Privilege Vulnerability | CVE-2025-21391 | Windows | High | 7.1 |
| Microsoft Surface Security Feature Bypass Vulnerability | CVE-2025-21194 | Windows | High | 7.1 |
| NTLM Hash Disclosure Spoofing Vulnerability | CVE-2025-21377 | Windows | Medium | 6.5 |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-21418 | Windows server and Windows 10 & 11 | Windows ancillary function driver for winsock elevation of privilege vulnerability enables attackers to escalate privileges to SYSTEM level. Specific exploitation details are not disclosed. | Unauthorized access with SYSTEM privileges. |
| CVE-2025-21391 | Windows server and Windows 10 & 11 | Windows storage elevation of privilege vulnerability allows attackers to delete targeted files on a system, potentially leading to service unavailability. Does not expose confidential data. | Deletion of critical data, leading to service disruption. |
| CVE-2025-21194 | Microsoft Surface | Microsoft surface security feature bypass vulnerability allows attackers to bypass UEFI protections, compromising the secure kernel. Likely related to “PixieFail” vulnerabilities affecting the IPv6 network stack in Tianocore’s EDK II firmware. | Bypass of security features, potentially compromising system integrity. |
| CVE-2025-21377 | Windows server and Windows 10 & 11 | NTLM hash disclosure spoofing vulnerability exposes NTLM hashes when a user interacts with a malicious file. Simply selecting or right-clicking a file could trigger a remote connection, allowing an attacker to capture NTLM hashes for cracking or pass-the-hash attacks. | Potential for attackers to authenticate as the user, leading to unauthorized access. |
Source: Microsoft
In addition to the actively exploited vulnerabilities, several other critical flaws were also addressed:
- CVE-2025-21376: A Windows Lightweight Directory Access Protocol (LDAP) RCE vulnerability that could allow attackers to execute arbitrary code remotely.
- CVE-2025-21379: A DHCP Client Service RCE vulnerability that may enable remote attackers to execute code with elevated privileges.
- CVE-2025-21381: An RCE vulnerability in Microsoft Excel that could be triggered through malicious spreadsheet files.
Remediation:
- Apply Updates: Immediately install the February 2025 Patch Tuesday updates to address these vulnerabilities.
Conclusion:
The February 2025 Patch Tuesday release addresses critical security vulnerabilities, including actively exploited zero-days. Timely application of these updates is essential to protect systems from potential threats. Organizations should review the affected products and implement the necessary patches and mitigations to maintain security integrity.
The attack vector is local, meaning the attacker needs local access — physically or remotely, using SSH method without user interaction and if successful in exploiting, can give the attacker system privileges.
References:
Apple’s USB Restricted Mode Exploited in Targeted Attacks
| OEM | Apple |
| Severity | High |
| CVSS | Not Assigned |
| CVEs | CVE-2025-24200 |
| Exploited in Wild | No |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
Apple has issued emergency security patches to mitigate a zero-day vulnerability, CVE-2025-24200, which has been actively exploited in sophisticated attacks targeting specific individuals. The flaw allows attackers to bypass USB Restricted Mode on a locked device, potentially exposing sensitive data. Initially identified by The Citizen Lab, this vulnerability is believed to have been leveraged in real-world scenarios against high-profile targets. Apple has responded by enhancing state management in iOS 18.3.1 and iPadOS 18.3.1 to prevent exploitation.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| USB Restricted Mode Bypass Vulnerability | CVE-2025-24200 | Apple | High |
Technical Summary
The vulnerability, tracked as CVE-2025-24200, affects USB Restricted Mode, a security feature introduced in 2018 to prevent data transfer over USB when a device remains locked for seven days. A flaw in the Accessibility framework allows an attacker with physical access to disable USB Restricted Mode, bypassing this protection and potentially accessing sensitive data.
Apple has mentioned “This issue has been exploited in extremely sophisticated attacks against specific individuals.” The vulnerability was discovered by Bill Marczak, a senior researcher at The Citizen Lab.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-24200 | iPhone XS and later iPad Pro (13-inch) iPad Pro 12.9-inch (3rd generation and later) iPad Pro 11-inch (1st generation and later) iPad Air (3rd generation and later) iPad (7th generation and later) iPad mini (5th generation and later) | A flaw in the Accessibility framework allows a physical attacker to disable USB Restricted Mode, bypassing protections designed to prevent unauthorized data transfer. | Unauthorized access to sensitive data |
Remediation:
- Users are strongly advised to update their devices to the latest versions:
- iOS: Update to version 18.3.1
- iPadOS: Update to version 18.3.1
- To update your device, go to Settings > General > Software Update, and follow the on-screen instructions.
Conclusion
The CVE-2025-24200 vulnerability poses a serious risk to device security, particularly for individuals targeted in sophisticated cyberattacks. While the exploitation has been limited to specific individuals, all users of affected devices should install the latest updates immediately to mitigate potential risks. Apple remains committed to user security by addressing vulnerabilities promptly and ensuring continuous protection against emerging threats.
References:
Active Exploitation of Microsoft Outlook RCE Vulnerability (CVE-2024-21413)
A critical remote code execution (RCE) vulnerability, CVE-2024-21413, affecting Microsoft Outlook has been actively exploited.
CISA has directed U.S. federal agencies to secure their systems against ongoing cyberattacks targeting this vulnerability, tracked as CVE-2024–21413. The flaw was originally discovered by Check Point vulnerability researcher Haifei Li and is a result of improper input validation when processing emails containing malicious links.
| OEM | Microsoft |
| Severity | Critical |
| CVSS | 9.8 |
| CVEs | CVE-2024-21413 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
The flaw allows attackers to bypass security protections, leading to NTLM credential theft and arbitrary code execution. The vulnerability is critical, and Microsoft has released patches to mitigate the risk.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Remote Code Execution Vulnerability | CVE-2024-21413 | Microsoft | Critical |
Technical Summary
The CVE-2024-21413 vulnerability arises due to improper input validation in Microsoft Outlook when handling emails containing malicious links. Exploitation of this flaw enables attackers to bypass Protected View, a security feature designed to prevent execution of harmful content embedded in Office files.
By manipulating URLs with the file:// protocol and inserting an exclamation mark followed by arbitrary text, attackers can evade Outlook’s built-in security measures, tricking users into opening malicious Office files in editing mode instead of read-only mode. The Preview Pane also serves as an attack vector, enabling zero-click exploitation. Here is the POC also available for this vulnerabilty.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2024-21413 | Microsoft Office LTSC 2021, Microsoft 365 Apps, Microsoft Outlook 2016, Microsoft Office 2019 | Exploits improper input validation to bypass Outlook security protections using manipulated hyperlinks. | NTLM credential theft, remote code execution, potential full system compromise |
Remediation:
- Apply Security Patches: Ensure that all the Microsoft Office products are updated with the latest security patches.
- Disable NTLM Authentication: Where feasible, reduce reliance on NTLM authentication to prevent credential theft.
General Remediation:
- Monitor Network Activity: Watch unusual outbound connections to attacker-controlled servers.
- User Awareness Training: Educate employees on recognizing phishing attempts and avoiding click on suspicious links or attachments.
- Enable Advanced Threat Protection: Use security tools like Microsoft Defender to enhance security monitoring and detection.
- Regularly Update Software: Maintain a routine patching schedule to ensure all systems are protected against known vulnerabilities.
- Restrict Macros and External Content: Configure Microsoft Office to block macros and disable automatic external content execution.
Conclusion:
The exploitation of CVE-2024-21413 underscores the ongoing threat posed by improperly validated inputs in widely used enterprise software. With this vulnerability being actively exploited and the POC publicly available, organizations must prioritize patching, strengthen monitoring, and follow best security practices to minimize risks. CISA has included CVE-2024-21413 in its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the need for immediate action.
References:
Zero-Day Vulnerability in Microsoft Sysinternals Tools
Summary
A critical 0-Day vulnerability has been identified in nearly all Microsoft Sysinternals tools, allowing attackers to exploit DLL injection techniques to execute arbitrary code. This presents a significant risk to IT administrators and developers who rely on these utilities for system analysis and troubleshooting.
| OEM | Microsoft |
| Severity | High |
| Date of Announcement | 2025-02-05 |
| CVEs | Not Yet Assigned |
| Exploited in Wild | No |
| Patch/Remediation Available | No |
| Advisory Version | 1.0 |
| Vulnerability Name | Zero-Day |
Overview
Despite being reported to Microsoft over 90 days ago, the vulnerability remains unpatched, as Microsoft considers it a “defense-in-depth” issue rather than a critical security flaw.
| Vulnerability Name | CVE ID | Product Affected | Severity | Impact |
| zero-day | Not Yet Assigned | Microsoft Sysinternals Tools (Process Explorer, Autoruns, Bginfo, and potentially others) | High | Arbitrary Code Execution, Privilege Escalation, Malware Deployment |
Technical Summary
The vulnerability is caused by improper handling of DLL loading paths in affected Sysinternals utilities. When these tools search for required DLLs, they follow a specific search order, which may include untrusted locations such as network shares or user-writable directories.
The issue arises from how Sysinternals tools prioritize DLL search paths, favoring untrusted directories such as:
- The Current Working Directory (CWD)
- Network locations (e.g., shared drives)
- User-writable paths over secure system directories
This flaw allows attackers to place a malicious DLL in the same directory as a Sysinternals executable, tricking the application into loading the rogue DLL instead of the legitimate system DLL.
Exploit Workflow
- Attacker crafts a malicious DLL (e.g., cryptbase.dll or TextShaping.dll) containing a payload such as a reverse shell, ransomware, or trojan.
- The DLL is placed in the same directory as a vulnerable Sysinternals tool.
- The user unknowingly executes the tool (e.g., Bginfo.exe or procexp.exe) from that directory.
- The malicious DLL is loaded instead of the legitimate system DLL.
- Attackers gains code execution with the privileges of the running process (potentially SYSTEM privileges if run with admin rights).
Recommendations
- Avoid Running Sysinternals Tools from Network Locations
- Always copy tools to a local trusted directory before execution.
- Disable execution of .exe files from network drives if feasible.
- Restrict DLL Search Paths
- Use SafeDLLSearchMode to prioritize secure directories.
- Implement DLL redirection to force tools to load DLLs from trusted paths.
- Implement Application Control Policies
- Use AppLocker or Windows Defender Application Control (WDAC) to block unauthorized DLLs from loading.
- Restrict execution of Sysinternals tools to trusted admin-only directories.
- Verify DLL Integrity Before Execution
- Use SigCheck (Sysinternals) to ensure all loaded DLLs are digitally signed.
- Block execution of unsigned or suspicious DLLs in sensitive directories.
- Monitor for Suspicious DLL Loading Behavior
- Enable Sysmon logging to detect anomalous DLL loads (Event ID 7).
- Monitor for executions of Sysinternals tools from network shares (Event ID 4688).
Conclusion
Despite being responsibly disclosed to Microsoft in October 2024, the vulnerability in Sysinternals tools remains unpatched as of February 2025. Microsoft classifies it as a “defense-in-depth” issue, dismissing it as non-critical, while security researchers highlight its severe impact on enterprises, especially those running tools from network shares. This leaves users reliant on manual mitigations to avoid exploitation.
The Sysinternals tools, developed by Microsoft, are a widely-utilized suite of utilities designed to provide in-depth insights into the processes, services, and configurations of Windows systems.
References:
macOS Security at Risk: PoC Exploit for CVE-2025-24118 Kernel Flaw
macOS Security at Risk: PoC Exploit for CVE-2025-24118 Kernel Flaw
A newly discovered race condition in Apple’s macOS kernel (XNU) could allow attackers to escalate privileges, corrupt memory, and potentially achieve kernel-level code execution.
Tracked as CVE-2025-24118 and assigned a CVSS score of 9.8 (Critical), this vulnerability was patched in macOS Sonoma 14.7.3, macOS Sequoia 15.3, and iPadOS 17.7.4.
This vulnerability can be reliably triggered by an unprivileged local attacker using a multi-threaded attack that forces frequent credential updates.
| OEM | Apple |
| Severity | Critical |
| CVSS | 9.8 |
| CVEs | CVE-2025-24118 |
| Exploited in Wild | No |
| Publicly POC Available | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
A proof-of-concept (PoC) exploit is publicly available, making it critical for users to apply the patch on priority. The vulnerability arises from a race condition in Apple’s XNU kernel due to improper handling of per-thread credentials in read-only structures.
| Vulnerability Name | CVE ID | Product Affected | Severity |
| Race Condition Vulnerability | CVE-2025-24118 | Apple | Critical |
Technical Summary
This issue results from a combination of Safe Memory Reclamation (SMR), per-thread credentials, read-only page mappings and memcpy behavior, leading to unauthorized credential modification.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-24118 | macOS Sonoma prior to 14.7.3 macOS Sequoia prior to 15.3 iPadOS prior to 17.7.4 | A concurrency issue in XNU kernel allows corruption of a thread’s kauth_cred_t credential pointer through a non-atomic memory update. This results in a time-of-check to time-of-use (TOCTOU) race condition. | Privilege escalation, memory corruption, potential kernel-level code execution |
Remediation:
- Patch Installation: Users should upgrade to macOS Sonoma 14.7.3, macOS Sequoia 15.3, and iPadOS 17.7.4 to mitigate the risk.
Conclusion:
CVE-2025-24118 is a critical race condition vulnerability in Apple’s XNU kernel that allows local attackers to escalate privileges and compromise system integrity. Users and organizations are strongly advised to apply the latest patches provided by Apple to protect against potential exploits.
References:
Apple Patched Actively Exploited Zero-Day Vulnerability
Summary
CVE-2025-24085 is a zero-day vulnerability in Apple’s “Core Media framework” which enables malicious applications to potentially gain elevated privileges on impacted devices. It falls under the “Memory Corruption vulnerability category”, posing significant security risks such as unauthorized access to sensitive data or potential device control.
| OEM | Apple Inc |
| Severity | High |
| CVEs | CVE-2025-24085 |
| Exploited in Wild | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| Privilege escalation vulnerability | CVE-2025-24085 | Apple | High | iPhone-XS and later, macOS Sequoia iPad-Pro (3rd generation and later), iPad Air (3rd generation and later), iPad (7th generation and later), iPad mini (5th generation and later) Apple Watch: Series 6 and later Apple TV: All models |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-24085 | iPhone, iPad, Mac, Apple Watch, Apple TV | CVE-2025-24085 is a memory management vulnerability in Apple’s Core Media framework, responsible for processing audio and video content. The vulnerability stems from improper handling of media data, allowing attackers to execute arbitrary code with elevated privileges. It can be remotely exploited through malicious media files, creating significant security risks. | Arbitrary Code Execution, Privilege Escalation, Sensitive Data Exposure, Remote Exploitation via Media Files |
Remediation:
- Update: Ensure the latest patches are applied to affected Apple devices as listed below
| Affected Version(s) | Fixes and Releases |
| iOS 17.2 and later | iOS 18.3 |
| iPadOS 17.2 and later | iPadOS 18.3 |
| macOS Sequoia (all previous versions) | macOS Sequoia 15.3 |
| watchOS 10.3 and later | watchOS 11.3 |
| tvOS 17.2 and later | tvOS 18.3 |
| visionOS 1.3 and later | visionOS 2.3 |
Apple has fixed this vulnerability in these software versions. Update devices immediately to mitigate the risk of exploitation.
General Recommendations:
- Untrusted Media: Avoid opening suspicious media files, emails, or links from unknown sources, as the vulnerability can be exploited remotely via malicious media.
- Automatic Updates: Enable automatic updates on all Apple devices to ensure timely installation of future security patches.
References:
High-Severity SMB Server Flaws (CVE-2024-56626 & CVE-2024-56627) in Linux Kernel
High-Severity SMB Server Flaws (CVE-2024-56626 & CVE-2024-56627) in Linux Kernel
Jordy Zomer, a Security researcher have recently discovered two critical vulnerabilities in KSMBD, the in-kernel SMB server for Linux. These vulnerabilities, CVE-2024-56626 and CVE-2024-56627, could allow attackers to gain control of vulnerable systems.
SUMMARY
| OEM | Linux |
| Severity | High |
| CVSS | 7.8 |
| CVEs | CVE-2024-56626, CVE-2024-56627 |
| Exploited in Wild | No |
| Publicly POC Available | Yes |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
These vulnerabilities affect Linux kernel versions greater than 5.15 and have been addressed in version 6.13-rc2. Proof-of-concept (PoC) exploits have been publicly released, emphasizing the critical nature of these issues.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| Out-of-bounds write vulnerability in ksmbd. | CVE-2024-56626 | Linux | High | Linux kernel versions greater than 5.15 |
| Out-of-bounds read vulnerability in ksmbd. | CVE-2024-56627 | Linux | High | Linux kernel versions greater than 5.15 |
Technical Summary
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2024-56626 | Linux Kernel | A vulnerability in ksmbd’s ksmbd_vfs_stream_write allowed negative offsets from clients, causing out-of-bounds writes and potential memory corruption. It was triggered when using vfs objects = streams_xattr in ksmbd.conf. The issue has been fixed in recent kernel updates. | Attackers can execute arbitrary code with kernel privileges |
| CVE-2024-56627 | Linux Kernel | A vulnerability in ksmbd’s ksmbd_vfs_stream_write allowed negative client offsets, enabling out-of-bounds writes and potential memory corruption. This issue occurred when the vfs objects = streams_xattr parameter was set in ksmbd.conf and has been resolved in recent kernel updates. | Attackers can read sensitive kernel memory, leading to information disclosure |
Remediation:
- Update: Ensure that the appropriate patches or updates are applied to the relevant versions
listed below
| Version | Fixes and Releases |
| kernel version > 5.15 | kernel version 6.13-rc2 |
Conclusion:
The discovery of CVE-2024-56626 and CVE-2024-56627 highlights critical security flaws in the Linux kernel’s SMB server implementation. Given the availability of proof-of-concept exploits, immediate action is essential to protect systems from potential exploitation. Regularly updating systems and applying security patches are vital practices to maintain a secure environment.
References: