Zero-day vulnerabilities discovered: 643
Missing Authorization
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insecure default configuration. A remote non-authenticated attacker can send a specially crafted request to the server and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
Software: Emby Server
Links:
https://emby.media/support/articles/advisory-23-05.html
OS Command Injection
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation when processing .tar archives. A remote unauthenticated attacker can send a specially crafted archive to the appliance and execute arbitrary Perl commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Email Security Gateway (ESG)
Links:
https://www.barracuda.com/company/legal/esg-vulnerability
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in WebKit. A remote attacker can trick the victim to visit a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT213757
Out-of-bounds read
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in WebKit. A remote attacker can trick the victim to visit a specially crafted webpage, trigger an out-of-bounds read error and read contents of memory on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT213757
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can trick the victim to visit a specially crafted web page, trigger memory corruption and break out of Web Content sandbox.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT213757
Security features bypass
The vulnerability allows a local user to bypass implemented security restrictions.
The vulnerability exists due to improper implementation of the Secure Boot feature. An attacker with physical access to the system or a local user with Administrative rights can bypass Secure Boot.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-24932
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Win32k driver. A local user can trigger memory corruption and execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-29336
Inclusion of sensitive information in log files
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to kernel pointers are printed into the log file. A local application can read the log file and use the kernel pointers to bypass ASLR protection.
Note, the vulnerability is being exploited in the wild.
Software: Samsung Mobile Firmware
Links:
https://security.samsungmobile.com/securityUpdate.smsb?year=2023&month=05
Integer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in Skia component in Google Chrome. A remote attacker can trick the victim to open a specially crafted web page, trigger an integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_18.html
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the V8 engine in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_14.html
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in Windows Common Log File System Driver. A local user can trigger memory corruption and execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.
According to Kaspersky, the vulnerability has been exploited in February 2023 against small and medium-sized businesses in the Middle East, in North America, and previously in Asia regions.
Software: Windows
Known/fameous malware:
Nokoyawa ransomware
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing HTML content in WebKit. A remote attacker can trick the victim to open a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT213720
Out-of-bounds write
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error in IOSurfaceAccelerator. A local application can trigger an out-of-bounds write and execute arbitrary code with kernel privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT213720
Embedded malicious code (backdoor)
The vulnerability allows a remote attacker to gain unauthorized access to the application.
The vulnerability exists due to presence of embedded malicious functionality in the application code (aka backdoor) that allows a remote attacker to gain unauthorized access to the application.
Software: Electron Mac App, Electron Windows App
Links:
https://www.3cx.com/blog/news/desktopapp-security-alert/
Memory leak
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due memory leak. A local application can force the driver to leak memory and gain access to sensitive information.
Note, this vulnerability is being actively exploited in the wild.
The vulnerability was used as part of exploitation chain against Samsung Internet Browser and targeted victims in December 2022 with one-time links sent via SMS to devices located in the United Arab Emirates (UAE).
Software: Valhall GPU Kernel Driver, Bifrost GPU Kernel Driver, Midgard GPU Kernel Driver
The vulnerability was used as part of exploitation chain against Samsung Internet Browser and targeted victims in December 2022 with one-time links sent via SMS to devices located in the United Arab Emirates (UAE).
Links:
https://blog.google/threat-analysis-group/spyware-vendors-use-0-days-and-n-days-against-popular-platforms/
Improper access control
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper access restrictions in the master service interface on port 7741/TCP. A remote attacker can send a specially crafted request to the affected server and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Crypto Application Server (CAS)
Links:
https://generalbytes.atlassian.net/wiki/spaces/ESD/pages/2885222430/Security+Incident+March+17-18th+2023
Improper access control
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.
Note, the vulnerability is being actively exploited in the wild.
Software: ColdFusion
Deserialization of Untrusted Data
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: ColdFusion
Information disclosure
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to the application leaks the Net-NTLMv2 hash. A remote attacker can send a specially crafted email to the victim and obtain the Net-NTLMv2 hash of the Windows account. The victim does not need to open the email, as the vulnerability is triggered automatically when it is retrieved and processed by the email server, e.g. before the email is viewed in the preview pane.
The obtained NTLMv2 hash can be used in the NTLM Relay attack against another service to authenticate as the user.
Note, the vulnerability is being actively exploited in the wild.
Software: Microsoft Outlook
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23397
Security features bypass
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to incorrect implementation of the Windows SmartScreen Security Feature. A remote attacker can trick the victim to open a specially crafted file and bypass the Mark of the Web (MOTW) defenses.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-24880
Path traversal
The vulnerability allows a local user to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing certain CLI command. A local user can read and write arbitrary files on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: FortiOS
Permissions, Privileges, and Access Controls
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in Android Framework. A local application can escalate privileges on the device.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Android
Known/fameous malware:
Pinduoduo backdoor
Links:
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Windows Graphics Component. A local user can trigger memory corruption and execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-21823
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in Windows Common Log File System Driver. A local user can trigger memory corruption and execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-23376
Security features bypass
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to unspecified error when processing files. A remote attacker can trick the victim to open a specially crafted file, bypass Office macro policies used to block untrusted or malicious files and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Microsoft Publisher
Links:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-21715
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error when parsing web content in WebKit. A remote attacker can trick the victim to visit a specially crafted website, trigger a type confusion error and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Known/fameous malware:
PWNYOURHOME
Links:
https://support.apple.com/en-us/HT213635
https://citizenlab.ca/2023/04/nso-groups-pegasus-spyware-returns-in-2022/
Deserialization of Untrusted Data
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data passed to the "/goanywhere/lic/accept" HTTP endpoint of the administrative web interface. A remote attacker can send a specially crafted HTTP request to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: GoAnywhere MFT
Links:
https://infosec.exchange/@briankrebs/109795710941843934
Use-after-free
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the snd_ctl_elem_read() function in the Linux kernel sound subsystem. A local user can trigger a use-after-free error and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Linux kernel
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Windows Advanced Local Procedure Call (ALPC). A local user can trigger memory corruption and execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-21674
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error in WebKit. A remote attacker can trick the victim to visit a specially crafted website, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT213516
Improper control of a resource through its lifetime
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper access restrictions in systems configured as a SAML SP or a SAML IdP. A remote non-authenticated attacker can gain unauthorized access to the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Citrix Access Gateway
Links:
https://www.citrix.com/blogs/2022/12/13/critical-security-update-now-available-for-citrix-adc-citrix-gateway/
Security features bypass
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error in Windows SmartScreen. A remote attacker can bypass Mark of the Web (MOTW) defenses and potentially compromise the affected system.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-44698
Heap-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the sslvpnd daemon. A remote non-authenticated attacker can pass specially crafted data to the SSL-VPN interface, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: FortiOS
Links:
https://fortiguard.fortinet.com/psirt/FG-IR-22-398
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the V8 engine in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2022/12/stable-channel-update-for-desktop.html
Heap-based buffer overflow
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted HTML content in GPU. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_24.html
Security features bypass
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to security features bypass in Windows Mark of the Web functionality. A remote attacker can trick a victim to open a specially crafted file and bypass Protected View in Microsoft Office, as demonstrated using a specially crafted ZIP archive.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Windows CNG Key Isolation Service. A local user can run a specially crafted program to trigger memory corruption and execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41125
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content within the JScript9 engine. A remote attacker can trick the victim into visiting a malicious website, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
The vulnerability was exploited by APT37 in late October 2022 against South Korea.
Software: Windows
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Windows Print Spooler. A local user can run a specially crafted program to trigger memory corruption and execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41073
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the V8 engine in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html
Out-of-bounds write
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error within the OS kernel component. A local application can trigger an out-of-bounds write error and execute arbitrary code with kernel privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT213489
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Windows COM+ Event System Service. A local user can trigger memory corruption and execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41033
Missing Authorization
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to missing authorization in the management functionality responsible for file uploads. A remote non-authenticated attacker can upload a malicious file on the server and execute it.
Successful exploitation of the vulnerability may result in full system compromise.
Note, the vulnerability is being exploited in the wild.
Software: bingo!CMS
Links:
https://www.bingo-cms.jp/information/20221011.html
Server-Side Request Forgery (SSRF)
The disclosed vulnerability allows a remote user to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input within the Exchange OWA Autodiscover service.. A remote user can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.
Successful exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
Software: Microsoft Exchange Server
Links:
https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
Deserialization of Untrusted Data
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data. A remote user with access to PowerShell Remoting on vulnerable Exchange systems can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Software: Microsoft Exchange Server
Links:
https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html
Code Injection
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the User Portal and Webadmin interfaces of Sophos Firewall. A remote non-authenticated attacker can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Sophos Firewall
Links:
https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Windows Common Log File System Driver. A local unprivileged user can run a specially crafted program to trigger memory corruption and execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-37969
Insufficient verification of data authenticity
The vulnerability allows a remote user to compromise the affected system.
The vulnerability exists due to improper input validation within the rollback functionality. A remote authenticated user with access to the administrative console can force the agent into downloading unverified rollback components and compromise the affected system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apex One
Links:
https://appweb.trendmicro.com/SupportNews/NewsDetail.aspx?id=4553
https://success.trendmicro.com/jp/solution/000291471
Buffer overflow
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error within the OS kernel. A local application can trigger memory corruption and execute arbitrary code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: macOS
Links:
https://support.apple.com/en-us/HT213444
Improper Authorization
The vulnerability allows a remote attacker to compromise the web application.
The vulnerability exists due to missing authorization checks. A remote non-authenticated attacker can send a specially crafted request to the affected plugin and add an administrative user account into your WordPress installation.
Successful exploitation of the vulnerability may allow an attacker to execute arbitrary PHP code on the server.
Note, the vulnerability is being actively exploited in the wild as of September 8.
Software: WPGateway
Links:
https://www.wordfence.com/blog/2022/09/psa-zero-day-vulnerability-in-wpgateway-actively-exploited-in-the-wild/
Improper Authorization
The vulnerability allows a remote attacker to download arbitrary files from the server.
The vulnerability exists due to missing authorization for the feature responsible for remote downloading remote backups. A remote non-authenticated attacker can download arbitrary files from the server.
Note, the vulnerability is being actively exploited in the wild.
Software: BackupBuddy
Links:
https://ithemes.com/blog/wordpress-vulnerability-report-special-edition-september-6-2022-backupbuddy/
Input validation error
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to unspecified vulnerability. A remote non-authenticated attacker can send a specially crafted request to the affected system and execute arbitrary code.
Note, the vulnerability is being actively exploited in the wild by the DeadBolt ransomware.
Software: Photo Station
Known/fameous malware:
DeadBolt
Links:
https://www.qnap.com/en/security-advisory/qsa-22-24
Input validation error
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input within the Mojo component in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2022/09/stable-channel-update-for-desktop.html
Improper access control
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper access restrictions to the default installation page. A remote attacker can connect to the default installation URL and create an administrative user account.
Note, the vulnerability is being active exploited in the wild.
Software: Crypto Application Server (CAS)
Links:
https://generalbytes.atlassian.net/wiki/spaces/ESD/pages/2785509377/Security+Incident+August+18th+2022
Out-of-bounds write
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error in WebKit when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger an out-of-bounds write and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
Software: macOS
Out-of-bounds write
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error within the OS kernel component. A local application can trigger an out-of-bounds write error and execute arbitrary code on the system with kernel privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: macOS
Input validation error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in Intents component in Google Chrome. A remote attacker can trick the victim to open a specially crafted web page and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Windows Support Diagnostic Tool (MSDT) when processing files. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34713
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Microsoft Windows Client/Server Runtime Subsystem (CSRSS). A local user can run a specially crafted program to execute arbitrary code with SYSTEM privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22047
Heap-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within WebRTC implementation. A remote attacker can trick the victim ti visit a specially crafted website, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
The vulnerability was reported to Google by the Avast Threat Intelligence team on 2022-07-01.
Software: Google Chrome
The vulnerability was reported to Google by the Avast Threat Intelligence team on 2022-07-01.
Links:
https://chromereleases.googleblog.com/2022/07/stable-channel-update-for-desktop.html
OS Command Injection
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the Mitel Service Appliance component of MiVoice Connect (Mitel Service Appliances тАУ SA 100, SA 400, and Virtual SA). A remote unauthenticated attacker can send a specially crafted HTTP GET request to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: MiVoice Connect
Links:
https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-22-0002
Code Injection
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper input validation when processing OGNL expressions. A remote non-authenticated attacker can send a specially crafted request to the Confluence Server and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.Software: Atlassian Confluence Server
OS Command Injection
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation when processing URL within the Microsoft Windows Support Diagnostic Tool (MSDT). A remote unauthenticated attacker can trick the victim to open a specially crafted file, which calls the ms-msdt tool and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
UPDATED
The vulnerability resides within MSTD and not in Microsoft Word. Microsoft Word is an attack vector and not the source of vulnerability.
Software: Microsoft Word
Links:
https://twitter.com/nao_sec/status/1530196847679401984 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-30190
Improper access control
The vulnerability allows a remote attacker to gain unauthorized access to sensitive information.
The vulnerability exists due to unrestricted access to the Redis instance running within the NOSi container, accessible via port 6379/tcp (the health check RPM opens this port by default). A remote non-authenticated attacker can connect to the Redis instance and obtain sensitive information or modify it.
Note, the vulnerability is being actively exploited in the wild.
Software: Cisco IOS XR
Man-in-the-Middle (MitM) attack
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists within the Windows LSA service. A remote attacker can call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. As a result, an attacker can obtain credentials and compromise the affected system via the NTLM Relay Attack.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26925
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error in V8 engine in Google Chrome. A remote attacker can trick the victim to visit a specially crafted web page, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_14.html
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Windows Common Log File System Driver. A local user can run a specially crafted program to trigger memory corruption and execute arbitrary code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24521
Out-of-bounds read
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within Intel Graphics Driver. A local user can trigger an out-of-bounds read error and read contents of kernel memory.
Note, the vulnerability is being actively exploited in the wild.
Software: macOS
Links:
https://support.apple.com/en-us/HT213220
Out-of-bounds write
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the AppleAVD subsystem. A local user can run a specially crafted program to trigger an out-of-bounds write and execute arbitrary code with kernel privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: macOS
Links:
https://support.apple.com/en-us/HT213220
Arbitrary file upload
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to improper access restrictions in the Trend Micro Apex Central management console. A remote non-authenticated attacker can upload arbitrary file to the system and execute it.
Note, the vulnerability is being actively exploited in the wild.
Software: Apex Central
Links:
https://success.trendmicro.com/dcx/s/solution/000290678?language=en_US
Code Injection
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted HTTP request to the affected application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
This vulnerability was dubbed "Spring4Shell".
Software: Pivotal Spring Framework
Links:
https://lab.wallarm.com/update-on-0-day-vulnerabilities-in-spring-spring4shell-and-cve-2022-22963/
Input validation error
The vulnerability allows a remote attacker to compromise the affected device.
The vulnerability exists due to insufficient validation of user-supplied input in the User Portal and Webadmin. A remote attacker can send specially crafted requests to the web interface and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise the affected device.
Note, the vulnerability is being actively exploited in the wild.
Sophos has observed this vulnerability being used to target a small set of specific organizations primarily in the South Asia region.
Software: Sophos Firewall
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the V8 component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing messages in the WebGPU IPC framework. A remote attacker can trick the victim to open a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Mozilla Firefox
Links:
https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing XSLT parameter. A remote attacker can trick the victim to open a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Mozilla Firefox
Links:
https://www.mozilla.org/en-US/security/advisories/mfsa2022-09/
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the Animation component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html
OS Command Injection
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation. A remote unauthenticated attacker can send a specially crafted HTTP POST request to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Software: Adobe Commerce (formerly Magento Commerce)
Links:
https://helpx.adobe.com/security/products/magento/apsb22-12.html
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing HTML content in WebKit. A remote attacker can trick the victim to visit a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT213093
Cross-site scripting
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note, the vulnerability is being actively exploited in the wild in the targeted attacks aimed to exfiltrated data.
Software: Zimbra Collaboration
Links:
https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/
Buffer overflow
The vulnerability allows a malicious application to execute arbitrary code with elevated privileges.
The vulnerability exists due to a boundary error within the IOMobileFrameBuffer subsystem. A malicious application can trigger buffer overflow and execute arbitrary code with kernel privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT213053
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Win32k.sys driver. A local user can run a specially crafted program to trigger a buffer overflow and execute arbitrary code on the system with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Input validation error
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input in the Phone Apps (restapps) module for FreePBX. A remote attacker can send specially crafted input to the application and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Phone Apps
Links:
https://community.freepbx.org/t/security-issue-potential-rest-phone-apps-rce/80109 https://wiki.freepbx.org/display/FOP/2021-12-21+SECURITY%3A+Potential+Rest+Phone+Apps+RCE https://community.freepbx.org/t/0-day-freepbx-exploit/80092
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the V8 engine. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2021/12/stable-channel-update-for-desktop_13.html
Permissions, Privileges, and Access Controls
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect permissions in windows installer service. A local user can run a specially crafted program to execute arbitrary code with SYSTEM privileges.
The vulnerability exists due to incomplete patch for #VU58061 (CVE-2021-41379).
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Known/fameous malware:
Emotet, Trickbot, Bazaloader
Arbitrary file upload
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload in the web management interface. A remote attacker can upload a malicious file and execute it on the server.
Note, the vulnerability is being actively exploited in the wild.
The vulnerability allows multiple APT actors to gain access to an unrestricted file upload function and execute arbitrary code on the system.
Software: IPVPN, MPVPN, WARP
Input validation error
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper input validation when processing Excel files. A remote attacker can create a specially crafted Excel file, trick the victim into opening it and execute arbitrary code on the system.
Note, the vulnerability is being exploited in the wild.
Software: Microsoft Office
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42292
Input validation error
The vulnerability allows a remote user to compromise the affected system.
The vulnerability exists due to insufficient validation of cmdlet arguments. A remote user can run a specially crafted cmdlet and execute arbitrary commands on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Microsoft Exchange Server
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321
Use-after-free
The vulnerability allows a malicious application to escalate privileges on the system.
The vulnerability exists due to a use-after-free error in the Android kernel component within the epoll_loop_check_proc() function. A malicious application can trigger a use-after-free error and execute arbitrary code with kernel privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Android
Links:
https://source.android.com/security/bulletin/2021-11-01#2021-11-06-security-patch-level-vulnerability-details
Improperly implemented security check for standard
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to incorrect implementation in the V8 engine in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html
Exposed dangerous method or function
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insecure implementation in V8 engine in Google Chrome. A remote attacker can create a specially crafted website, trick the victim into visiting it and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html
SQL injection
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
Note, the vulnerability is being actively exploited in the wild.The vulnerability allows a remote attacker to cause SQL injection, leading to remote code execution.
Software: BillQuick Web Suite
The vulnerability allows a remote attacker to cause SQL injection, leading to remote code execution.
Use-after-free
The vulnerability allows a local user to escalate privileges on the system.Software: Windows
Known/fameous malware:
MysterySnail
Integer overflow
The vulnerability allows a malicious application to escalate privileges on the system.
The vulnerability exists due to a boundary error within the IOMobileFrameBuffer subsystem. A malicious application can trigger integer overflow and execute arbitrary code on with kernel privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT212846
Path traversal
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts.
The vulnerability can be used to execute arbitrary OS commands on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apache HTTP Server
Links:
https://httpd.apache.org/security/vulnerabilities_24.html
Information disclosure
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output in core in Google Chrome. A remote attacker can trick the victim to open a specially crafted web page and gain access to sensitive information.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_30.html
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the V8 browser engine in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_30.html
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing HTML content within the Portals component in Google Chrome. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_24.html
Type Confusion
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a type confusion error within the XNU subsystem. A local user can run a specially crafted program to trigger a type confusion error and execute arbitrary code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: macOS
Links:
https://support.apple.com/en-us/HT212825
Deserialization of Untrusted Data
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to insecure input validation when processing serialized data within the Core Telephony service. A local application can pass specially crafted data to the service and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in the wild.
Software: macOS
Code Injection
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote administrator can execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.The vulnerability was used by multiple ransomware gangs to remotely execute code to PPX-AnyLink devices
Software: PPX-AnyLink 6004, PPX-AnyLink 6006, PPX-AnyLink 6900F, PPX-AnyLink 6900, PPX-AnyLink 6904, PPX-AnyLink 8000
The vulnerability was used by multiple ransomware gangs to remotely execute code to PPX-AnyLink devices
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the Indexed DB API component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in-the-wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html
Out-of-bounds write
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted HTML content in V8. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger out-of-bounds write and execute arbitrary code on the target system.
Note, the vulnerability is being actively exploited in-the-wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing HTML content in WebKit. A remote attacker can trick the victim to visit a specially crafted web page, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in-the-wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT212807
Improper access control
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper access restrictions to the "/RestAPI/LogonCustomization" and "/RestAPI/Connection" REST API endpoints. A remote non-authenticated attacker can send specially HTTP requests to the aforementioned REST API endpoints and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Zoho ManageEngine ADSelfService Plus
Links:
https://www.manageengine.com/products/self-service-password/kb/how-to-fix-authentication-bypass-vulnerability-in-REST-API.html
Code Injection
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within the MSHTML component. A remote attacker can create a specially crafted Office document with a malicious ActiveX control inside, trick the victim into opening the document and execute arbitrary code on the system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40444
Integer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow when processing PDF files within the CoreGraphics component. A remote attacker can trick the victim to open a specially crafted PDF file, trigger integer overflow and execute arbitrary code on the target system.
Note, the vulnerability is being active exploited in-the-wild via the FORCEDENTRY tool against Bahraini activists.
The vulnerability is believed to be used against Bahraini activists.
Software: Apple iOS
Known/fameous malware:
FORCEDENTRY
The vulnerability is believed to be used against Bahraini activists.
Links:
https://citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Windows Update Medic Service. A local user can run a specially crafted program to execute arbitrary code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36948
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error. A local user can run a specially crafted program to trigger memory corruption and execute arability code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Apex One
Links:
https://success.trendmicro.com/solution/000287819
Arbitrary file upload
The vulnerability allows a remote user to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload within the productтАЩs management console . A remote user can upload a malicious file and execute it on the server.
Note, the vulnerability is being actively exploited in the wild.
Software: Apex One
Links:
https://success.trendmicro.com/solution/000287819
Buffer overflow
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary within the IOMobileFrameBuffer subsystem. A local application can trigger memory corruption and execute arbitrary code on the target system with kernel privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the V8 component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html
SQL injection
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
Note, the vulnerability is being actively exploited in the wild.
The vulnerability was used to compromise WooCommerce plugin.
Software: WooCommerce
The vulnerability was used to compromise WooCommerce plugin.
Buffer overflow
The vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Windows kernel. A local user can run a specially crafted program to trigger memory corruption and execute arbitrary code on the system with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31979
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content in Microsoft scripting engine. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34448
Buffer overflow
The vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error. A local user can run a specially crafted program to trigger memory corruption and execute arbitrary code on the system with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33771
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error. A remote attacker can send a specially crafted request to the Serv-U server, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
MicrosoftтАЩs research indicates this vulnerability exploit involves a limited, targeted set of customers and a single threat actor.
Software: Serv-U FTP Server
MicrosoftтАЩs research indicates this vulnerability exploit involves a limited, targeted set of customers and a single threat actor.
Links:
https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211
Input validation error
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to unspecified error. A remote attacker can compromise the affected system.
Note, the vulnerability is being actively exploited in the wild by the REvil ransomware.
Software: Kaseya VSA
Known/fameous malware:
REvil
Links:
https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689
Code Injection
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within the RpcAddPrinterDriverEx() function. A remote user can send a specially crafted request to the Windows Print Spooler and execute arbitrary code with SYSTEM privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being considered a zero-day and dubbed PrintNightmare. This is a different vulnerability than #VU54508 (CVE-2021-1675).
The PoC-code for this vulnerability was being made publicly available by mistake before official patch release. The vulnerability is considered a zero-day.
Software: Windows Server
The PoC-code for this vulnerability was being made publicly available by mistake before official patch release. The vulnerability is considered a zero-day.
Improper access control
The vulnerability allows a remote attacker to delete all data on the system.
The vulnerability exists due to improper access restrictions to the administrator API. A remote non-authenticated attacker can send a specially crafted HTTP request to the exposed API and perform a system factory restore, deleting all data on the NAS device.
Note, the vulnerability is being actively exploited in the wild along with vulnerability #VU15460.
Software: WD My Book Live Duo, WD My Book Live
Links:
https://www.westerndigital.com/support/productsecurity/wdc-21008-recommended-security-measures-wd-mybooklive-wd-mybookliveduo
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the WebGL component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html
Use-after-free
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content within the WebKit component in Apple iOS. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT212548
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content within the WebKit component in Apple iOS. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT212548
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the V8 component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Security restrictions bypass
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in Microsoft Enhanced Cryptographic Provider. A local user can bypass implemented security restrictions and read or modify otherwise restricted information.
Note, the vulnerability is being actively exploited in the wild and related to a zero-day vulnerability in Adobe Reader #VU53125 (CVE-2021-28550) patched on May 11.Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31201
Security restrictions bypass
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions in Microsoft Enhanced Cryptographic Provider. A local user can bypass implemented security restrictions and read or modify otherwise restricted information.
Note, the vulnerability is being actively exploited in the wild and related to a zero-day vulnerability in Adobe Reader #VU53125 (CVE-2021-28550) patched on May 11.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31199
Improper Privilege Management
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper privilege management within the Microsoft DWM Core Library. A remote attacker can trick the victim to run a specially crafted executable or script and execute arbitrary code on the system.
The vulnerability was reported by DBAPPSecurity Lieying Lab.
Software: Windows
The vulnerability was reported by DBAPPSecurity Lieying Lab.
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33739
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content within Windows MSHTML Platform. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
The vulnerability was reported by GoogleтАЩs Threat Analysis Group.
Software: Windows
The vulnerability was reported by GoogleтАЩs Threat Analysis Group.
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-33742
Permissions, Privileges, and Access Controls
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists within the NTFS subsystem in Microsoft Windows. A local user can run a specially crafted program to execute arbitrary code with elevated privileges.
The vulnerability was reported to Microsoft by Kaspersky Lab.
Software: Windows
The vulnerability was reported to Microsoft by Kaspersky Lab.
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31955
Improper Privilege Management
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to improper privilege management. A local unprivileged user can read contents of Kernel memory from a user mode process.
Note, the vulnerability is being actively exploited in the wild.
The vulnerability was reported to Microsoft by Kaspersky Lab.
Software: Windows
The vulnerability was reported to Microsoft by Kaspersky Lab.
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31955
Arbitrary file upload
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload in "wp-admin" or "wp-content/plugins/fancy-product-designer/inc". A remote attacker can upload a malicious file and execute it on the server.
Note, the vulnerability is being actively exploited in the wild.
The vulnerability was used to upload arbitrary files on the target system.
Software: Fancy Product Designer
The vulnerability was used to upload arbitrary files on the target system.
Links:
https://www.wordfence.com/blog/2021/06/critical-0-day-in-fancy-product-designer-under-active-attack/
Input validation error
The vulnerability allows a local user to bypass Privacy preferences.
The vulnerability exists due to insufficient validation of user-supplied input within the TCC subsystem. A malicious application can bypass Privacy preferences and gain full disk access, perform screen recording or gain other permissions without requiring user's explicit consent.
Note, the vulnerability is being actively exploited in the wild by XCSSET malware.
Software: macOS
Known/fameous malware:
XCSSET
Links:
https://support.apple.com/en-us/HT212529
https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing PDF content. A remote attacker can create a specially crafted PDF file, trick the victim into opening it, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Adobe Reader
Links:
https://helpx.adobe.com/security/products/acrobat/apsb21-29.html
Detection of Error Condition Without Action
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper error handling within the Graphics component. A local user can trigger a new GPU address allocation failure and perform a denial of service attack.
Note, the vulnerability is being used in limited targeted attacks.
Software: Google Android
Links:
https://source.android.com/security/bulletin/2021-05-01
Use-after-free
The vulnerability allows a local user to escalate privileges on the system
The vulnerability exists due to a use-after-free error in Graphics component when handling memory mapping of multiple processes simultaneously. A local user can escalate privileges on the system.
Note, the vulnerability is being used in limited targeted attacks.
Software: Google Android
Links:
https://source.android.com/security/bulletin/2021-05-01
Buffer overflow
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Arm Mali GPU kernel driver. This affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r8p0 through r30p0. A local application can trigger memory corruption and execute arbitrary code on the system with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Android
Links:
https://source.android.com/security/bulletin/2021-05-01
Use-after-free
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the Arm Mali GPU kernel driver. This affects Bifrost r0p0 through r28p0 before r29p0, Valhall r19p0 through r28p0 before r29p0, and Midgard r4p0 through r30p0. A local application can trigger a use-after-free error and execute arbitrary code on the system with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Android
Links:
https://source.android.com/security/bulletin/2021-05-01
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT212341
Integer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in WebKit. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: macOS
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in WebKit. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: macOS
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing web content within the WebKit Storage component. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: macOS
Links:
https://support.apple.com/en-us/HT212325
Security features bypass
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to a logic issue within the Gatekeeper checks. A remote attacker can craft a specially crafted payload that is not checked by Gatekeeper and bypasses File Quarantine and Application Notarization protections as well. As a result, a malicious binary can be executed on the system.
Note, the vulnerability is being actively exploited in the wild.
The Jamf Protect detections team observed this exploit being used in the wild by a variant of the Shlayer adware dropper, as early as January 9th, 2021.
Software: macOS
Known/fameous malware:
Shlayer
Path traversal
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences within the "branding" feature. A remote authenticated user can send a specially crafted HTTP request and read arbitrary files on the system with NT AUTHORITY\SYSTEM account.
Request example:
https://<SonicWall ES host>/dload_apps?action=<any value>&path=..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2Fcalc.exe&id=update
Note, the vulnerability is being actively exploited in the wild.
The vulnerability was used in a chained attack to compromise the vulnerable systems.
Software: SonicWall On-premise Email Security (ES)
Links:
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error within the V8 browser engine in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_20.html
Improper Authentication
The vulnerability allows a remote attacker to bypass authentication process and compromise the affected device.
The vulnerability exists due to multiple issues in web interface. A remote non-authenticated attacker can bypass authentication process and gain unauthorized access to the application via license server web services.
Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Pulse Connect Secure
Links:
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within win32k.sys driver in Microsoft Windows. A local user can run a specially crafted program to trigger memory corruption and execute arbitrary code with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-28310
Arbitrary file upload
The vulnerability allows a remote user to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload within the branding feature. A remote administrator can upload a malicious ZIP archive to the system to an arbitrary location using directory traversal sequences in the filenames inside the uploaded archive and compromise the affected system.
Note, the vulnerability is being actively exploited in the wild.
The vulnerability was used in a chained attack to compromise the affected system.
Software: SonicWall On-premise Email Security (ES)
Improper Authentication
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in when processing authentication requests within the "/createou?data=", responsible for administration capabilities, specifically within the feature that allows application administrators to authorize an additional administrator account from a separate Microsoft Active Directory Organization Unit (AD OU). Requests to this form are not verified to require previous authentication to the appliance. A remote non-authenticated attacker can send a specially crafted XML document via HTTP GET or POST method, create a тАЬrole.ouadminтАЭ account and authenticate to the application as an administrator.
Note, the vulnerability is being actively exploited in the wild.
Software: SonicWall On-premise Email Security (ES)
Universal cross-site scripting
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data within the WebKit engine. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of arbitrary website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note, the vulnerability is being actively exploited in the wild.
Software: Apple iOS
Links:
https://support.apple.com/en-us/HT212256
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within Blink component in Google Chrome. A remote attacker can create a specially crafted webpage, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, this vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html
Improper Authentication
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in when processing authentication requests. A remote attacker can bypass authentication process and gain administrative access to the application.
Note, the vulnerability is being actively exploited in the wild.
Software: The Plus Addons for Elementor Page Builder
Links:
https://www.wordfence.com/blog/2021/03/critical-0-day-in-the-plus-addons-for-elementor-allows-site-takeover/
Use-after-free
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to a boundary error within the dpu driver. A local application can trigger a use-after-free error and execute arbitrary code with kernel privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Samsung Mobile Firmware
Links:
https://googleprojectzero.blogspot.com/2022/11/a-very-powerful-clipboard-samsung-in-the-wild-exploit-chain.html
Improper access control
The vulnerability allows a local application to gain access to sensitive information.
The vulnerability exists due to improper access restrictions to the sec_log file. A local application can read the log file and obtain sensitive system information.
Note, the vulnerability is being actively exploited in the wild.
Software: Samsung Mobile Firmware
Links:
https://googleprojectzero.blogspot.com/2022/11/a-very-powerful-clipboard-samsung-in-the-wild-exploit-chain.html
Permissions, Privileges, and Access Controls
The vulnerability allows a local application to escalate privileges on the system.
The vulnerability exists due to improper access control in clipboard service. A local application can use the clipboard service to read and write arbitrary files on the device.
Note, the vulnerability is being actively exploited in the wild.
Software: Samsung Mobile Firmware
Links:
https://googleprojectzero.blogspot.com/2022/11/a-very-powerful-clipboard-samsung-in-the-wild-exploit-chain.html
Security restrictions bypass
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to application does not properly impose security restrictions in BIOS firmware for X10 UP-series (H3 Single Socket тАЬDenlowтАЭ) motherboard. A local user can plant malware into motherboard firmware and establish permanent persistence on the system, even if OS is reinstalled.
Note, the vulnerability is being actively exploited in the wild by the TrickBoot malware.
Software: X10SLL-S/-SF, X10SL7-F, X10SLA-F, X10SLM+-LN4F, X10SLM+-F, X10SLL+-F, X10SLM-F, X10SLL-F, X10SLH-F
Known/fameous malware:
TrickBoot
Links:
https://www.supermicro.com/en/support/security/Trickbot
Server-Side Request Forgery (SSRF)
The vulnerability allows a remote attacker to execute arbitrary code on the system.The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send specially crafted HTTP request to the Microsoft Exchange OWA interface, upload arbitrary file on the server and execute it.
Note, this vulnerability is being actively exploited in the wild.
Software: Microsoft Exchange Server
Input validation error
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send specially crafted data to the Exchange server and execute arbitrary code on the system.
Note, this vulnerability is being actively exploited in the wild.
Software: Microsoft Exchange Server
Input validation error
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send specially crafted data to the Exchange server and execute arbitrary code on the system.
Note, this vulnerability is being actively exploited in the wild.
Software: Microsoft Exchange Server
Input validation error
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send specially crafted data to the Exchange server and execute arbitrary code on the system.
Note, this vulnerability is being actively exploited in the wild.
Software: Microsoft Exchange Server
Improper control of a resource through its lifetime
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper control of object lifetime in audio in Google Chrome. A remote attacker can trick the victim to visit a specially crafted webpage, trigger a stack-based buffer overflow and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
Heap-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing PDF files. A remote attacker can create a specially crafted PDf file, trick the victim into opening it, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Adobe Reader
Links:
https://helpx.adobe.com/security/products/acrobat/apsb21-09.html
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error when the Win32k.sys driver in Windows kernel. A local user can run a specially crafted program to trigger memory corruption and execute arbitrary code on the system with elevated privileges.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1732
Double Free
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing ".mht" files. A remote attacker can trick the victim to visit a specially crafted webpage, trigger a double free error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
The vulnerability was used by the Lazarus group to target security researchers worldwide.
Software: Microsoft Internet Explorer
The vulnerability was used by the Lazarus group to target security researchers worldwide.
Links:
https://enki.co.kr/blog/2021/02/04/ie_0day.html
https://twitter.com/dnpushme/status/1357264755333816320
Heap-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the V8 engine in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html
Business Logic Errors
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to a logic issue in the WebKit component. A remote attacker can trick a victim to visit a malicious website and execute arbitrary code on the system.
Note: The vulnerability is being actively exploited in the wild.
Software: Apple iOS, iPadOS
Business Logic Errors
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to a logic issue in the WebKit component. A remote attacker can trick a victim to visit a malicious website and execute arbitrary code on the system.
Note: The vulnerability is being actively exploited in the wild.
Software: Apple iOS, iPadOS
Race condition
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to a race condition in the Kernel component. A remote attacker can use a malicious application and escalate privileges on the system.
Note: The vulnerability is being actively exploited in the wild.
Software: Apple iOS, iPadOS
SQL injection
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote non-authenticated attacker can send a specially crafted HTTP request to the SSL-VPN appliance and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to access usernames, passwords and other session related information.
Note, the vulnerability is being actively exploited in the wild.
SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting zero-day vulnerabilities on certain SonicWall secure remote access products.
At this point both SMA 100 and NetExtender VPN Client are considered affected. Investigation of the incident is still ongoing.
Software: SMA 100
SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting zero-day vulnerabilities on certain SonicWall secure remote access products.
At this point both SMA 100 and NetExtender VPN Client are considered affected. Investigation of the incident is still ongoing.
Links:
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0001
https://www.sonicwall.com/support/product-notification/urgent-security-notice-netextender-vpn-client-10-x-sma-100-series-vulnerability-updated-jan-23-2021/210122173415410/
Input validation error
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and execute arbitrary code on the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Windows Defender
Links:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647
SQL injection
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data passed to the web interface. A remote non-authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
Note, the vulnerability is being actively exploited in the wild in mid-December 2020 and January 2021.
The vulnerability was used to compromise several companies worldwide, such as Reserve Bank of New Zealand, the Australian Securities and Investments Commission (ASIC), law firm Allens, the University of Colorado, the Washington State Auditor Office, and the QIMR Berghofer Medical Research Institute and Singtel.
The attacks were detected in the mid_December 2020 and continued in January 2021.
Software: Accellion FTA
The vulnerability was used to compromise several companies worldwide, such as Reserve Bank of New Zealand, the Australian Securities and Investments Commission (ASIC), law firm Allens, the University of Colorado, the Washington State Auditor Office, and the QIMR Berghofer Medical Research Institute and Singtel.
The attacks were detected in the mid_December 2020 and continued in January 2021.
Links:
https://www.accellion.com/company/press-releases/accellion-provides-update-to-recent-fta-security-incident/
Improper Authentication
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in when processing authentication requests within the SolarWinds Orion API. If an attacker appends a PathInfo
parameter of WebResource.adx
, ScriptResource.adx
, i18n.ashx
, or Skipi18n
to a request to a SolarWinds Orion server, SolarWinds may set the SkipAuthorization flag, which may allow the API request to be processed without requiring authentication. This vulnerability could allow a remote non-authenticated attacker to bypass
authentication and execute API commands which may result in a compromise
of the SolarWinds instance.
Note, this vulnerability is dubbed SUPERNOVA and is being exploited in the wild.
Software: Orion Platform
Known/fameous malware:
SUPERNOVA
Embedded malicious code (backdoor)
The vulnerability allows a remote attacker to gain unauthorized access to the application.
The vulnerability exists due to presence of embedded malicious functionality in the application code (aka backdoor) that allows a remote attacker to gain unauthorized access to the application.
According to SolarWinds, Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1 are affected.
Note, this vulnerability is being actively exploited in the wild in a supply chain attack and is dubbed SUNBURST.
State-backed hackers are targeting government entities and private businesses all over the world in a global supply chain attack, in which they deploy a malicious SolarWinds update to compromise networks, according to a new report from the cybersecurity firm FireEye.
Known/fameous malware:
Behavior:Win32/Solorigate.C!dha
Links:
Improper access control
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote attacker can access the debug log after the password reset, grab the reset link and take over the admin account.
Note: The vulnerability is being actively exploited in the wild.
This vulnerability allows a remote attacker to reset admin account passwords.
Software: Easy WP SMTP
This vulnerability allows a remote attacker to reset admin account passwords.
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the site isolation component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_11.html
Improperly implemented security check for standard
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to incorrect implementation in V8 in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_11.html
Out-of-bounds read
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within macOS kernel. A local user can run a specially crafted program to gain access to sensitive kernel information on the system.
Note, this vulnerability is being actively exploited in the wild.
Software: macOS
Links:
https://support.apple.com/kb/HT211947
Type Confusion
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a type confusion error in macOS kernel. A local user can run a specially crafted application to trigger a type confusion error and execute arbitrary code with elevated privileges.
Note, this vulnerability is being actively exploited in the wild.
Software: macOS
Links:
https://support.apple.com/kb/HT211947
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing fonts within the FontParser component. A remote attacker can create a specially crafted document or web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, this vulnerability is being actively exploited in the wild.
Software: macOS
Links:
https://support.apple.com/kb/HT211947
Heap-based buffer overflow
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to a heap-based buffer overflow when processing untrusted HTML content in UI in Google Chrome on Android. An remote attacker, who had compromised the renderer process, can perform a sandbox escape via a crafted HTML page.
Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.
Note, the vulnerability is being actively exploited in the wild.
Software: Google Chrome for Android
Links:
https://chromereleases.googleblog.com/2020/11/chrome-for-android-update.html
Improperly implemented security check for standard
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to incorrect implementation in V8 engine in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise the system.
Note, this vulnerability is being actively exploited in the wild.
Software: Google Chrome
Links:
https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop.html
Buffer overflow
The vulnerability allows a local user to escalate privilege son the system.
The vulnerability exists due to a boundary error within the Windows Kernel Cryptography Driver cng.sys, which exposes a "\Device\CNG" device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures. A local user can run a specially crafted program to trigger memory corruption and execute arbitrary code on the system with elevated privileges.
Note, this vulnerability is being actively exploited in the wild.
This vulnerability was used in a trageted attacks along with the #VU47741 issue in FreeType library to attack users of Google Chrome.
Software: Windows
This vulnerability was used in a trageted attacks along with the #VU47741 issue in FreeType library to attack users of Google Chrome.
Improper input validation
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the Pluggable authentication module (PAM) component in Oracle Solaris. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.
Note, this vulnerability is being actively exploited in the wild.
According to FireEye, the vulnerability is being exploited in the wild by the actor tracked as UNC1945.
Software: Oracle Solaris
Heap-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in freetype library when processing TTF files. A remote attacker can pass specially crafted TTF file with PNG sbit glyphs to the application, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, this vulnerability is being actively exploited in the wild.
Software: FreeType
Arbitrary file upload
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload in wp-file-manager in the "lib/php/connector.minimal.php" and "lib/files/hardfork.php" files. A remote attacker can upload a malicious file and execute it on the server.
Note: The vulnerability is being actively exploited in the wild.┬а
The vulnerability exploitation was detected on September 1st, 2020. The attackers can remotely upload arbitrary files and execute arbitrary code.
Software: File Manager
Links:
https://wpvulndb.com/vulnerabilities/10389/
Resource exhaustion
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient queue management for Internet Group Management Protocol (IGMP) packets in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco┬аIOS XR Software. A remote attacker can trigger resource exhaustion by sending crafted IGMP┬а traffic to the affected device and perform a denial of service (DoS) attack.
Note: this vulnerability is being actively exploited in the wild.On August 31 Cisco has updated the original advisory to indicate the second vulnerability exploited in the wild.
Software: Cisco IOS XR
Resource exhaustion
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient queue management for Internet Group Management Protocol (IGMP) packets in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco┬аIOS XR Software. A remote attacker can trigger resource exhaustion by sending crafted IGMP┬а traffic to the affected device and perform a denial of service (DoS) attack.
Note: this vulnerability is being actively exploited in the wild.
On August 28, 2020, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild.
Software: Cisco IOS XR
On August 28, 2020, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild.
Links:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the scripting engine. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
Software: Microsoft Internet Explorer
Links:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1380
Cryptographic issues
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to Windows incorrectly validates file signatures. A remote attacker can create a specially crafted file to bypass implemented security restrictions and successfully load a malicious file.
Note: this vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1464
Stored cross-site scripting
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote authenticated attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note: The vulnerability is being actively exploited in the wild.
The vulnerability exploitation was detected on May 14, 2020. The authenticated attackers can inject, via the AJAX API, JavaScript code into the pluginтАЩs settings and use it to target the administrator in the backend of WordPress.
Software: Login/Signup Popup ( Inline Form + Woocommerce )
The vulnerability exploitation was detected on May 14, 2020. The authenticated attackers can inject, via the AJAX API, JavaScript code into the pluginтАЩs settings and use it to target the administrator in the backend of WordPress.
Arbitrary file upload
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload. A remote authenticated attacker can upload a malicious file and execute it on the blog.
This vulnerability is exploitable if users have open registration, hovewer in conjunction with a vulnerability in Ultimate Addons for Elementor (SB2020051119), it is possible to be exploited, even if the site does not have user registration enabled.
Note: The vulnerability is being actively exploited in the wild.
The vulnerability exploitation was detected on May 06, 2020. The attackers can remotely execute arbitrary code.
Software: Elementor Pro
SQL injection
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data passed to the User Portal or Admin interfaces. A remote non-authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
Note, this vulnerability is being actively exploited in the wild.
The vulnerability exploitation was detected on April 22, 2020. Malware dubbed Asnar├╢k used SQL injection vulnerability to compromise the affected devices and steal users' credentials.
Software: Sophos Firewall
Known/fameous malware:
Asnar├╢k
Out-of-bounds write
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing email in the iOS MobileMail. A remote attacker can send a specially crafted email message, trigger an out-of-bounds write and execute arbitrary code on the target system. No user interaction is required to execute arbitrary code.
Note, this vulnerability is being actively exploited in the wild.
According to security researchers this vulnerability is being actively exploited since January 2018.
Software: Apple iOS
According to security researchers this vulnerability is being actively exploited since January 2018.
Links:
https://blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/
Buffer overflow
The vulnerability allows a local user to escalate privilege so the system.
The vulnerability exists due to a boundary error in the Windows Kernel when handling objects in memory. A local user can use a specially crafted application, trigger memory corruption and execute arbitrary code on the target system with elevated privileges.
Note, this vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1027
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error caused by a race condition handling ReadableStream. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, this vulnerability is being actively exploited in the wild in targeted attacks.
Software: Mozilla Firefox
Links:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error caused by a race condition running the nsDocShell destructor. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note, this vulnerability is being actively exploited in the wild in targeted attacks.
Software: Mozilla Firefox
Links:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the Windows Adobe Type Manager Library when parsing a specially-crafted multi-master font - Adobe Type 1 PostScript format. A remote attacker can create a specially crafted document, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, this vulnerability is being actively exploited in the wild.
Software: Windows
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the Windows Adobe Type Manager Library when parsing a specially-crafted multi-master font - Adobe Type 1 PostScript format. A remote attacker can create a specially crafted document, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, this vulnerability is being actively exploited in the wild.
Software: Windows
Links:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1020
Use of hard-coded credentials
The vulnerability allows a remote attacker to gain full access to vulnerable system.
The vulnerability exists due to presence of hard-coded credentials in application code. A remote unauthenticated attacker can access the affected system using the hard-coded credentials.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Hard-coded accounts:
root/icatch99
report/8Jg0SR8K50
Note, this vulnerability is being actively exploited in the wild since August 2019.
The vulnerability exploitation was uncovered by 360Netlab in August 2019. Several attack groups were using vulnerabilities in Lilin DVR firmware spread Chalubo, FBot, and Moobot botnets.
Software: DHD216A, DHD216, DHD208A, DHD208, DHD204A, DHD204, DHD304A, DHD308A, DHD316A, DHD504A, DHD508A, DHD516A
Known/fameous malware:
Chalubo, FBot, Moobot
The vulnerability exploitation was uncovered by 360Netlab in August 2019. Several attack groups were using vulnerabilities in Lilin DVR firmware spread Chalubo, FBot, and Moobot botnets.
Links:
https://blog.netlab.360.com/multiple-botnets-are-spreading-using-lilin-dvr-0-day-en/
Input validation error
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to a content validation escape issue. A remote authenticated attacker can pass specially crafted input to the application and manipulate certain agent client components.
Note: the vulnerability is being actively exploited in the wild.
Vendor reports in the wild exploitation of this vulnerability.
Software: Apex One
Vendor reports in the wild exploitation of this vulnerability.
Links:
https://success.trendmicro.com/solution/000245571
Code Injection
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in the migration tool component. A remote authenticated attacker can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: the vulnerability is being actively exploited in the wild.
Vendor reports in the wild exploitation of this vulnerability.
Software: OfficeScan
Vendor reports in the wild exploitation of this vulnerability.
Links:
https://success.trendmicro.com/solution/000245571
Improper access control
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application, leading to data modification and deletion, including the potential to delete the entire contents of any table in a vulnerable siteтАЩs database.
Note: the vulnerability is being actively exploited in the wild.
The vulnerability was used in the wild to compromise websites with vulnerable plugin. The attackers can modify and delete the pluginтАЩs data.
The vulnerability was used in the wild to compromise websites with vulnerable plugin. The attackers can modify and delete the pluginтАЩs data.
Stored cross-site scripting
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the "wp-admin/admin-ajax.php" file with the "aj_steps" AJAX action. A remote authenticated attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note: the vulnerability is being actively exploited in the wild.
The vulnerability was used in the wild to compromise websites with vulnerable plugin. The attackers can modify the pluginтАЩs settings.
The vulnerability was used in the wild to compromise websites with vulnerable plugin. The attackers can modify the pluginтАЩs settings.
Stored cross-site scripting
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the pluginтАЩs setup process. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note: the vulnerability is being actively exploited in the wild.
The vulnerability was used in the wild to compromise websites with vulnerable plugin. The attackers can modify the pluginтАЩs settings.
The vulnerability was used in the wild to compromise websites with vulnerable plugin. The attackers can modify the pluginтАЩs settings.
Stored cross-site scripting
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in several AJAX actions. A remote authenticated attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note: the vulnerability is being actively exploited in the wild.
The vulnerability was used in the wild to compromise websites with vulnerable plugin. The attackers can modify the pluginтАЩs settings.
The vulnerability was used in the wild to compromise websites with vulnerable plugin. The attackers can modify the pluginтАЩs settings.
Improper access control
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote attacker can bypass implemented security restrictions and inject new fields and scripts into the WooCommerce checkout page.
Note: the vulnerability is being actively exploited in the wild.
The vulnerability was used in the wild to compromise websites with vulnerable plugin. The attackers downloaded Woo-Add-To-Carts plugin on the system and created administrative accounts.
The vulnerability was used in the wild to compromise websites with vulnerable plugin. The attackers downloaded Woo-Add-To-Carts plugin on the system and created administrative accounts.
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error in V8 component. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: This vulnerability is being actively exploited in the wild.
Software: Google Chrome
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the scripting engine. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Software: Microsoft Internet Explorer
Links:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200001
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error with StoreElementHole and FallibleStoreElement when processing HTML content in IonMonkey JIT compiler. A remote attacker can create a specially crafted webpage, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note, this vulnerability is being actively exploited in the wild.
The vulnerability was reported by Qihoo 360 ATA researchers.
Software: Mozilla Firefox
The vulnerability was reported by Qihoo 360 ATA researchers.
Links:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error when processing objects in memory within the Win32k component. A local user can create a malicious application, launch it on the system and execute arbitrary code with SYSTEM privileges.
Note, this vulnerability is being actively exploited in the wild.
This vulnerability was reported by Anton Ivanov and Alexey Kulaev of Kaspersky Lab. This vulnerability was used in Operation WizardOpium campaign against Korean users.
Software: Windows
This vulnerability was reported by Anton Ivanov and Alexey Kulaev of Kaspersky Lab. This vulnerability was used in Operation WizardOpium campaign against Korean users.
Improper Neutralization of Special Elements in Output Used by a Downstream Component
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to the affected devices allow remote code execution as root (without authentication) via shell metacharacters to the "cgi-bin/mainfunction.cgi" URI.
Note, this vulnerability is being actively exploited in the wild starting from December 4, 2019.
The vulnerability in WebUI of DrayTek Vigor enterprise routers is being exploited in the wild at least from December 4, 2019. Two affected scripts are believed to be used by two different attack groups to eavesdrop on FTP and email traffic inside corporate networks.
Software: Vigor 2960
Links:
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the scripting engine. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Software: Microsoft Internet Explorer
Links:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1429
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing HTML content within the audio component. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system.
Note, this vulnerability is being actively exploited in the wild.
Kaspersky Lab has identified in the wild exploitation of the vulnerability. This vulnerability was used in Operation WizardOpium campaign against Korean users.
Software: Google Chrome
Kaspersky Lab has identified in the wild exploitation of the vulnerability. This vulnerability was used in Operation WizardOpium campaign against Korean users.
Links:
Use-after-free
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a use-after-free error within the scripting engine in JScript.dll. A remote attacker can create a specially crafted webpage, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
Software: Microsoft Internet Explorer
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the ws2ifsl.sys (Winsock). A local user can run a specially crafted application, trigger memory corruption and execute arbitrary code on the target system with elevated privileges.
Note, this vulnerability is being actively exploited in the wild.
Software: Windows
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Windows Common Log File System (CLFS) driver. A local user can create a specially crafted application and execute arbitrary code on the system with elevated privileges.
Note, this vulnerability is being actively exploited in the wild.
Software: Windows
NULL pointer dereference
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a NULL pointer dereference error when processing objects in memory within the Win32k component. A local user can create a malicious application, launch it on the system and execute arbitrary code with SYSTEM privileges.
Note, this vulnerability is being actively exploited in the wild.
Software: Windows
Known/fameous malware:
Win32/Exploit.CVE-2019-1132.A
VBA/TrojanDropper.Agent.ABM
VBA/TrojanDropper.Agent.AGK
Win32/Spy.Buhtrap.W
Win32/Spy.Buhtrap.AK
Win32/RiskWare.Meterpreter.G
Links:
Permissions, Privileges, and Access Controls
The vulnerability allows a local to escalate privileges on the system.
The vulnerability exists due to the way splwow64.exe handles certain calls. A local user can abuse this functionality to elevate privileges on an affected system from low-integrity to medium-integrity.
Note, this vulnerability is being actively exploited in the wild.
Software: Windows
Permissions, Privileges, and Access Controls
The vulnerability allows a remote attacker to bypass sandbox restrictions.
The vulnerability exists due to insufficient vetting of parameters passed with the Prompt:Open
IPC message between child and parent processes. A remote attacker can create a specially crafted web page that can make the non-sandboxed parent process open web content chosen by a compromised child process.
An attacker can combine this behavior along with another vulnerability to execute arbitrary code on the system with privileges on the current user.
Note, this vulnerability is being exploited in the wild along with SB2019061805 (CVE-2019-11707)
This vulnerability was used along with CVE-2019-11707 in a targeted attack against Conbase.
Software: Mozilla Firefox
This vulnerability was used along with CVE-2019-11707 in a targeted attack against Conbase.
Deserialization of Untrusted Data
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data within XMLDecoder class. A remote non-authenticated attacker can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
Oracle has released a security alert, notifying users on in the wild exploitation of the vulnerability.
Software: Oracle WebLogic Server
Type Confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error when manipulating JavaScript objects due to issues in Array.pop
. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild along with SB2019062002 (CVE-2019-11708).
The vulnerability was reported by Mozilla to be actively exploited in the wild.
This vulnerability as reportedly used in a targeted attack against Coinbase employees on Monday, June 17 2019.
The vulnerability was used in conjunction with another sandbox bypass issue CVE-2019-11708, patched by Mozilla on June 20, 2019.
This vulnerability was independently discovered and reported to Mozilla by a security researcher Samuel Gro├Я on April 15. It took Mozilla 64 days to issue a security fix.
Software: Mozilla Firefox
The vulnerability was reported by Mozilla to be actively exploited in the wild.
This vulnerability as reportedly used in a targeted attack against Coinbase employees on Monday, June 17 2019.
The vulnerability was used in conjunction with another sandbox bypass issue CVE-2019-11708, patched by Mozilla on June 20, 2019.
This vulnerability was independently discovered and reported to Mozilla by a security researcher Samuel Gro├Я on April 15. It took Mozilla 64 days to issue a security fix.
Links:
Input validation error
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to the way Windows Error Reporting (WER) handles files. A local user can create a specially crafted WER file and execute arbitrary code on the system in kernel mode.
Note: this vulnerability is being actively exploited in the wild.
Software: Windows
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the WhatsApp VOIP stack when processing SRTCP packets. A remote attacker can send a series of specially crafted SRTCP packets sent to a target phone number, trigger buffer overflow and execute arbitrary code on the target device.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
The vulnerability was used in a targeted attack against a limited number of people. First vulnerability exploitation was detected on May 12 2019. The attackers targeted a phone of a UK-based human rights lawyer to install spyware.
Software: WhatsApp Messenger for Android
Known/fameous malware:
Pegasus
Links:
Improper access control
The vulnerability allows a remote attacker to gain unauthorized access to the website.
The vulnerability exists due to improper access restrictions when processing HTTP requests. A remote attacker can pass specially crafted configuration to the affected application and inject arbitrary JavaScript code WordPress configuration.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable application.
Note: the vulnerability is being actively exploited i the wild.
Improper access control vulnerability in the plugin allowed attacker to inject malicious JavaScript code and redirect users to phishing websites.
Software: Related Posts
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error when processing objects in memory within the Win32k component. A local user can create a malicious application, launch it on the system and execute arbitrary code with SYSTEM privileges.
Note: this vulnerability is being actively exploited in the wild.
The vulnerability was reported to Microsoft by Vasily Berdnikov and Boris Larin from Kaspersky Lab.
Software: Windows
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error when processing objects in memory within the Microsoft Graphics Win32k component. A local user can create a malicious application, launch it on the system and execute arbitrary code with SYSTEM privileges.
Note: this vulnerability is being actively exploited in the wild.
The vulnerability was reported to Microsoft by Donghai Zhu of Alibaba Cloud Intelligence Security Team.
Software: Windows
Hidden functionality (backdoor)
The vulnerability allows a remote attacker to compromise vulnerable system
The vulnerability exists due to hidden functionality (backdoor) is present in software. A remote attacker can use this functionality to gain full access to the application and compromise the affected system.
Note: this backdoor was implented as a result of ASUS servers compromise within the APT attack dubbed тАЬOperation ShadowHammerтАЭ. The campaign ran from June to at least November 2018.
Software: ASUS Live Update
Cross-site scripting
The vulnerability allows a remote attacker to perform cross-site scripting attacks.
The vulnerability exists due to usage of the eval() JavaScript call on data passed via the "swp_url" HTTP GET parameter to "/wp-admin/admin-post.php" script, when "swp_debug" is set to "load_options", allowing to permanently inject and execute arbitrary JavaScript code on the website. A remote unauthenticated attacker can store a specially crafted JavaScript code into database and execute it in browser of every website visitor.
Note: this vulnerability is being actively exploited in the wild.
Exploitation example:
http://[host]/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://[malicious_js_script]/
A stored XSS vulnerability in the Social Warfare plugin, used by 70 000 users, led to a mass hacking campaign of WordPress websites.
Software: WordPress Social Sharing Plugin – Social Warfare
Links:
Deserialization of Untrusted Data
The vulnerability allows a remote attacker to compromise vulnerable website.
The vulnerability exists due to insecure input validation when processing serialized data passed via the "swpsmtp_import_settings" HTTP POST parameter to /easy-wp-smtp.php script. A remote unauthenticated attacker can import arbitrary wp_options and reconfigure WordPress to allow user registration with administrative privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable website.
Note: this vulnerability is being actively exploited in the wild.
WordPress websites were under attack due to vulnerability in a popular WP plugin since March 15, 2019.
Software: Easy WP SMTP
Memory corruption
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within the Win32k.sys driver. A local user can execute a specially crafted application, trigger memory corruption and execute arbitrary code on the target system with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Kaspersky Lab has detected and reported a zero-day vulnerability in Win32k.sys driver in Microsoft Windows.
Software: Windows
NULL pointer dereference
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a NULL pointer dereference error in the win32k!MNGetpItemFromIndex when NtUserMNDragOver() system call within the win32k.sys kernel driver. A local user can use a specially crafted application to escape sandbox and execute arbitrary code on the target system with SYSTEM privileges.
Note, this vulnerability is being actively exploited in the wild along with vulnerability in Google Chrome described in (SB2019030405).
On March 7th Google has reported in the wild exploitation of vulnerability in Microsoft Windows. During the attack the adversary used another zero-day vulnerability in Google Chrome in order to execute code on the system and vulnerability in Microsoft Windows to escalate privileges.
The initial attack was detected in late February.
Software: Windows
Links:
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in FileReader. A remote attacker can trick the victim into opening a specially crafted file with Google Chrome, trigger use-after-free error and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: the vulnerability is being exploited in the wild.
The vulnerability in Google Chrome was used in a targeted attack along with another zero-day in Microsoft Windows.
The initial attack was detected in late February.
Software: Google Chrome
The vulnerability in Google Chrome was used in a targeted attack along with another zero-day in Microsoft Windows.
The initial attack was detected in late February.
Dangerous file upload
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input when processing file uploads. A remote attacker can upload and execute arbitrary code on the target system with privileges of the ColdFusion service. Successful exploitation of the vulnerability requires that the attacker has the ability to upload files.
Note, this vulnerability is being actively exploited in the wild.
Software: ColdFusion
Exposed dangerous method or function
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the PDF viewer allows sending information to a third-party domain via the "this.submitForm()" PDF Javascript API.┬аA remote attacker can trick the victim into opening a specially crafted PDF file with Google Chrome and obtain sensitive information.
Note: the vulnerability is being actively exploited in the wild.
Vulnerability exploitation was spotted by EdgeSpot in late December 2018. The company detected multiple PDF samples in the wild that use dangerous JavaScript method to send information, retrieved from user's computer to a third-party domain.
Software: Google Chrome
Out-of-bounds read
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to boundary error when processing HTML content. A remote attacker can trick the victim to open a specially crafted webpage, trigger out-of-bounds read and test for the presence of files on disk.
Software: Microsoft Internet Explorer
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges.According to Ben Hawkes, team leader at Project Zero, the vulnerability has been exploited in the wild as 0day.
Software: Apple iOS
Memory corruption
The vulnerability allows a local attacker to gain elevated privileges.According to Ben Hawkes, team leader at Project Zero, the vulnerability has been exploited in the wild as 0day.
Software: Apple iOS
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing web pages. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
Software: Microsoft Internet Explorer
Race condition
The vulnerability allows a local user to execute arbitrary code with elevated privileges.
The vulnerability exists due to a race condition within the Kernel Transaction Manager driver (ntoskrnl.exe) when processing transacted file operations in kernel mode. A local user can create a specially program, and run arbitrary code on the system n kernel mode.
Note: the vulnerability is being exploited in the wild.
This vulnerability was reported to Microsoft by Kaspersky Lab. It is believed it was used by FruityArmor and SandCat APT groups against companies in the Middle East and Africa.
Software: Windows
Links:
Use-after-free
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing SWF files. A remote attacker can create a specially crafted .swf file, trick the victim to open it and execute arbitrary code on system with privileges of the current user.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: this vulnerability is being exploited in the wild.
Vulnerability exploitation was spotted by several security companies. The attack was detected on November 29, 2018 and seems to be executed by a Ukrainian APT group UA-APT.
360 Core Security dubbed the attack "Operation Poison Needles".
Software: Adobe Flash Player
Vulnerability exploitation was spotted by several security companies. The attack was detected on November 29, 2018 and seems to be executed by a Ukrainian APT group UA-APT.
360 Core Security dubbed the attack "Operation Poison Needles".
Links:
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error within Win32k.sys driver. A local user can create a specially crafted application, run it on vulnerable system and execute code withe superuser privileges.
Note: this vulnerability is being actively exploited in limited targeted attacks.
The vulnerability was privately reported to Microsoft by Kaspersky Lab.
Software: Windows
Segmentation fault
The vulnerability allows a remote attacker to cause DoS condition on the target system.According to MITRE statement, the vulnerability has been exploited in the wild in November 2018.
Software: Suricata
Input validation error
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of SIP traffic. A remote attacker can send specially crafted SIP packets to the affected device, cause high CPU load that may lead to denial of service conditions.
Note, this vulnerability is being actively exploited in the wild against a limited number of targets.
The vulnerability was discovered during the resolution of a Cisco TAC support case and reported by Cisco PSIRT.
Software: Cisco ASA 5500-X Series
Logic error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to a logical bug is revealed when embedding a video via the 'online video' feature. A remote attacker can embed a video inside a Word document, edit the XML file named document.xml, replace the video link with a crafted payload created by the attacker which opens Internet Explorer Download Manager with the embedded code execution file and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Note: as of October 31, 2018 the vulnerability is being actively exploited in the wild.
Trend Micro has issued a report detailing in the wild exploitation of a publicly disclosed vulnerability in Microsoft Word. According to VirusTotal timestamps, the first wave of exploitation began on October 31, 2018. The vulnerability was disclosed on October 25.
Software: Microsoft Word
Known/fameous malware:
TROJ_EXPLOIT.AOOCAI
TSPY_URSNIF.OIBEAO
Links:
Arbitrary file upload
The vulnerability allows a remote attacker to compromise vulnerable system.The vulnerability exists in the plugin's source code that handles file uploads to PHP servers due to software allows upload of arbitrary files to the system. A remote unauthenticated attacker can upload arbitrary .htaccess file to impose security restrictions to its upload folder and upload backdoors and web shells.
The vulnerability is publicly known since at least 2015.
Software: jQuery File Upload
Links:
Privilege escalation
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The weakness exists due to the software fail to do capability checks when executing its internal action save_setting
to make such configuration changes when processing arbitrary options and values to this endpoint. A remote attacker can set the users_can_register
option to 1, and change the default_role
of new users to тАЬadministratorтАЭ to simply fill out the form at /wp-login.php?action=register
and immediately access a privileged account, change these options back to normal and install a malicious plugin or theme containing a web shell or other malware to further infect the victim site.
Note: this vulnerability is being actively exploited in the wild.
Vulnerability exploitation has been spotted in the wild by WordPress website owners. The initial attack was first reported on October 13. The attackers used vulnerability in plugin to gain administrative privileges on the affected websites.
Software: WP GDPR Compliance
Use-after-free
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to a use-after free error in win32kfull!xxxDestroyWindow Win32k component. A local user can run a specially crafted application, trigger memory corruption and execute arbitrary code in kernel mode.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: the vulnerability has been actively exploited in the wild.
According to Kaspersky Lab, the vulnerability is being actively exploited by the FruityArmor APT actor.
Software: Windows
Known/fameous malware:
HEUR:Exploit.Win32.Generic
HEUR:Trojan.Win32.Generic
PDM:Exploit.Win32.Generic
Backdoor
VestaCP repository was compromised around May 2018 and contained malware at least until June 2018. As a result, user's credentials, generated by VestaCP, and other information were stolen by the attackers.
Software: Vesta Control Panel
Known/fameous malware:
Linux/ChachaDDoS
Spoofing attack
The vulnerability allows a remote attacker to conduct spoofing attack.
The weakness exists due to the way macOS processes URI handlers with enabled "Open Safe Files" setting in Safari browser. A remote attacker can create a specially crafted web page, trick the victim into clicking on a spoof dialog box and force unauthorized downloading of malicious file (e.g. ZIP-archive). Once downloaded, the archive will be automatically extracted.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: the vulnerability is being exploited in the wild by the WindShift APT actor against government organizations in the Middle East.
Software: Apple Safari
Information disclosure
The vulnerability allows a remote authenticated attacker to gain access to potentially sensitive information.
The vulnerability exists due to the way that the Windows SMB Server handles certain requests. A remote authenticated user can gain unauthorized access to sensitive information on the system.
Note: this vulnerability has being exploited in the wild. The exploit code was detected in the Bemstour exploit tool in September 2018 and has being used by Buckeye (APT3) APT group.
Software: Windows
Known/fameous malware:
Bemstour exploit tool
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to ALPC access control flaw. A local attacker can create a hard link from a readable file on the system to a '.job' file in the 'c:\windows\tasks' directory, invoke the _SchRpcSetSecurity() method of the task scheduler service ALPC endpoint to overwrite the linked file and gain system level privileges on the target system. The vulnerability was dubbed "SendboxEscaper".
Note: the vulnerability is being exploited in the wild by the PowerPool group.
Software: Windows
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary commands on the target system.
The vulnerability exists due to an error when validating file paths in Windows Shell. A remote attacker can create a specially crafted file, trick the victim into opening it and execute arbitrary system commands on the vulnerable system.
Software: Windows
Use-after-free
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a use-after-free error in VBScript when the scripting engine handles objects in memory in Internet Explorer. A remote unauthenticated attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: The vulnerability has been exploited in the wild.
The vulnerability was spotted in the wild by Trend Micro researcher on July 11, 2018. The exploit sample detected by the researchers was using the same obfuscation technique as exploits for CVE-2018-8174, spotted in the wild by Qihoo 360 in April 2018.
Software: Microsoft Internet Explorer
Known/fameous malware:
HTML_EXPLOIT.YYRV
The vulnerability was spotted in the wild by Trend Micro researcher on July 11, 2018. The exploit sample detected by the researchers was using the same obfuscation technique as exploits for CVE-2018-8174, spotted in the wild by Qihoo 360 in April 2018.
Links:
Stack-based buffer overflow
The vulnerability allows a remote attacker to compromise target system.
The vulnerability exists due to a stack-based buffer overflow when processing .swf files. A remote attacker can create a specially crafted .swf file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow the attacker to compromise vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
Software: Adobe Flash Player
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within the AcubeFileCtrl.ocx ActiveX component. A remote attacker can trick the victim into visiting a specially crafted web page and execute arbitrary code on the target system.
Note: this vulnerability is being actively exploited in the wild.
The South Korean CERT has reported in the wild exploitation of a remote code execution vulnerability in a popular ActiveX component. The group behind this attack is called Andariel Group. the group is tied to activity of a known North Korean adversary Lazarus Group.
Software: Samsung SDS Acube ActiveX Control
Links:
Cross-site request forgery
The vulnerability allows a remote attacker to perform CSRF attacks.Vulnerability exploitation was spotted by users of DrayTek routers. Attackers used CSRF vulnerability to change DNS settings of multiple routers to address: 38.134.121.95.
Software: DrayTek firmware
Links:
https://helpforum.sky.com/t5/Sky-Q/Sky-Q-and-Draytek-router/td-p/2835571
https://www.draytek.co.uk/support/security-advisories/kb-advisory-csrf-and-dns-dhcp-web-attacks
https://www.draytek.com/en/about/news/2018/notification-of-urgent-security-updates-to-draytek-router...
https://www.bleepingcomputer.com/news/security/draytek-router-zero-day-under-attack/
Double free memory error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.In March 2018 ESET detected attacks using two zero-day vulnerabilities in Microsoft win32k.sys driver (CVE-2018-8120) and and Adobe Acrobat.
Software: Adobe Acrobat
Known/fameous malware:
JS/Exploit.Pdfka.QNV trojan (ESET)
Buffer overflow
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to boundary error in win32k.sys driver. A local user can execute arbitrary code with SYSTEM privileges.
Note: this vulnerability is being actively exploited in limited targeted attacks.The vulnerability was reported by ESET in March 2018. The attackers used this vulnerability along with double free error in Adobe Acrobat CVE-2018-4990.
Software: Windows
Known/fameous malware:
Win32/Exploit.CVE-2018-8120.A trojan (ESET)
Improper input validation
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.The vulnerability exists due to an input validation error where malicious events injected with depth = 2^63 - 1 render rooms unusable, related to federation/federation_base.py and handlers/message.py. A remote attacker can send malicious messages and perform a denial of service attack.
Note: this vulnerability has been exploited in the wild in April 2018.
The attack was performed on Sunday, April 29 against #matrix:matrix.org and #matrix-dev:matrix.org that made the rooms temporarily unusable.
Software: Synapse
Integer overflow
The vulnerability allows a remote attacker to steal digital assets.
The vulnerability exists due to integer overflow within the transferFrom() function of a smart contract implementation for Useless Ethereum Token (UET). A remote attacker can steal assets (e.g., transfer all victims' balances into their account) because certain computations involving _value are incorrect.
The vulnerability was dubbed "transferFlaw" and has been exploited in the wild in December 2017.
This particular vulnerability affects a publicly traded ERC20 token listed in a top exchange. According to PeckShield this vulnerability has been already exploited in the wild since 2017/12/23 in multiple transactions.
Software: Useless Ethereum Token
Integer overflow
The vulnerability allows a remote attacker to manipulate digital assets.
The vulnerability exists due to integer overflow in a smart contract implementation for SmartMesh (aka SMT) within Ethereum ERC20 token. A remote unauthenticated attacker can increase digital assets via crafted _fee and _value parameter.
Note: the vulnerability was actively exploited in April 2018 and was dubbed "proxyOverflow".
Vulnerability exploitation was spotted on April 24 by a blockchain security startup PeckShield. As a result, OKEx has suspended all ERC-20 tokens.
Software: SmartMesh ERC20 token
Improper authentication
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The vulnerability was exploited against a very limited number of targets.
Software: MikroTik RouterOS
Integer overflow
The vulnerability allows a remote attacker to perform unauthorized actions.The vulnerability exploitation resulted in suspension of all BeautyChain (BEC) transactions.
Software: ERC-20
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.Vulnerability exploitation was detected by Qihoo 360. The company uncovered a zero-day vulnerability in IE, dubbed тАШdouble playтАЩ, that was triggered by weaponized MS Office documents. The experts have been observing an APT group targeting a limited number of users exploiting the zero-day flaw.
Hackers can use the тАШdouble playтАЩ flaw to implant a backdoor Trojan and take full control over the vulnerable machine.
The APT group was delivering an Office document with a malicious web page embedded, once the user opens the document, the exploit code and malicious payloads are downloaded and executed from a remote server. The later phase of this attack leverages a public UAC bypass technique and uses file steganography and memory reflection loading to avoid traffic monitoring and achieve loading with no files. This тАШdouble playтАЩ vulnerability may affect the latest versions of Internet Explorer and applications that are with IE kernel.
For now most of the victims are located in Asia.
In May 2018 the vulnerability was added into the RIG exploit kit, after the PoC code became publicly available.
Software: Windows
Known/fameous malware:
RIG exploit kit
Improper authentication
The vulnerability allows a remote attacker to bypass authentication checks and gain full access to the affected system.The vulnerability was used to compromise hosting servers. The attack was reportedly performed from IP addresses, located in China.
This vulnerability triggered an outage of Digitalocean in NYC regions.
Software: Vesta Control Panel
Remote code execution
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The vulnerability was used in the wild against PyBitmessage v0.6.2 users. According to vendor's notice, Bitmessage developer Peter ┼аurda's Bitmessage addresses were compromised as well by the attackers.
Software: PyBitmessage
Use-after-free
The vulnerability allows a remote attacker to execute arbitrary code on the target system.KR-CERT reported in the wild exploitation of zero-day vulnerability in the latest version of Adobe Flash Player. According to the South Korean Computer Emergency Response Team (KR-CERT), the exploit has being used in the wild since mid-November 2017.
Security experts for FireEye linked the vulnerability to the hacking group TEMP.Reaper. The IP-addresses from which attacks were connected with the C&C-servers belong to the Internet provider Star JV - a joint venture of North Korea and Thailand.
Cisco Talos observed use of vulnerability in attacks conducted by Group 123.
According to FireEye, after successful exploitation of the vulnerability the system is infected with DOGCALL malware.
Cisco Talos specialists also reported cyberattacks using the malicious software, which they called Rokrat.
As revealed by security experts for Morphisec Labs Michael Gorelik and Assaf Kachlon the vulnerability has been used in a watering hole attack against Hong Kong Telecommunications company.
Software: Adobe Flash Player
Known/fameous malware:
DOGCALL
Rokrat
KR-CERT reported in the wild exploitation of zero-day vulnerability in the latest version of Adobe Flash Player. According to the South Korean Computer Emergency Response Team (KR-CERT), the exploit has being used in the wild since mid-November 2017.
Security experts for FireEye linked the vulnerability to the hacking group TEMP.Reaper. The IP-addresses from which attacks were connected with the C&C-servers belong to the Internet provider Star JV - a joint venture of North Korea and Thailand.
Cisco Talos observed use of vulnerability in attacks conducted by Group 123.
According to FireEye, after successful exploitation of the vulnerability the system is infected with DOGCALL malware.
Cisco Talos specialists also reported cyberattacks using the malicious software, which they called Rokrat.
As revealed by security experts for Morphisec Labs Michael Gorelik and Assaf Kachlon the vulnerability has been used in a watering hole attack against Hong Kong Telecommunications company.
Links:
https://www.krcert.or.kr/data/secNoticeView.do?bulletin_writing_sequence=26998
https://www.bleepingcomputer.com/news/security/new-adobe-flash-zero-day-spotted-in-the-wild/
https://www.fireeye.com/blog/threat-research/2018/02/attacks-leveraging-adobe-zero-day.html
http://blog.talosintelligence.com/2018/02/group-123-goes-wild.html
http://blog.morphisec.com/watering-hole-attack-hong-kong-telecom-site-flash-exploit-cve-2018-4878
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.Software: Microsoft Word
Command injection
The vulnerability allows a remote attacker with administrator privileges to perform command injection attack on the target system.The vulnerability has been used in Satori attacks against Huawei's router model HG532. The most targeted countries include the United States, Italy, Germany, and Egypt.
Software: Huawei HG532
Known/fameous malware:
Satori botnet, Mirai malware
Information disclosure
The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.Software: Roundcube
Type confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error when processing .swf files. A remote unauthenticated attacker can create a specially crafted .swf file, trick the victim into opening it and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
According to Kaspersky Lab, the vulnerability has being exploited by the BlackOasis threat actor. The recent attacks leveraging today's zero-day sent malicious Office documents to victims, which came with an embedded ActiveX object that contained the Flash CVE-2017-11292 exploit.
Software: Adobe Flash Player
Known/fameous malware:
FINSPY
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness was reported to Microsoft by researchers at China-based security firm Qihoo 360. The experts said they first observed an attack exploiting this vulnerability on September 28. The attacks targeted a small number of the companyтАЩs customers and they involved malicious RTF files.
Software: Microsoft Office
Backdoor
CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191 were shipped with a backdoor code from official vendorтАЩs website. The incident was detected on September 12.Avast reported a security breach, which involved compromise of one of the CCleaner distribution servers. As a result, the adversary was able to distribute a backdoored version of CCleaner application between August 15 and September 12. The compromised version of CCleaner was distributed from the official vendor's website.
Software: CCleaner
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to uncpecified error when processing untrusted input. A remote unauthenticated attacker can execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
The vulnerability was detected by FireEye researchers. The attacker used Microsoft Office RTF document to leverage RCE in .NET Framework and deploy FINSPY malware. The malicious document тАЬ╨Я╤А╨╛╨╡╨║╤В.docтАЭ (MD5: fe5c4d6bb78e170abf5cf3741868ea4c) had Russian name and might have been used to target a Russian speaker.
Software: Microsoft .NET Framework
Known/fameous malware:
FINSPY
Backdoor
The vulnerability allows a remote attacker to gain complete control over affected system.A backdoor code was detected in NetSarang software on August 4, 2017. Next day, on August 5 the developer has released an update to resolve the issue. As of August 15, there is an evidence, that the code has being utilized by one instance in Hong Kong.
The malicious code was delivered to the vendor's clients by compromising the software update mechanism. The backdoor was included into updates, issued on July 18, 2017. The update contained ShadowPad backdoor.
Software: Xftp
Known/fameous malware:
ShadowPad backdoor
Race condition
The vulnerability allows a local user to execute arbitrary code with escalated privileges.Software: Linux kernel
Backdoor
The vulnerability allows a remote attacker to gain unauthorized access to victim's browser.The browser extension for Google Chrome has been hijacked on Google Web Store.
Software: Web Developer (Chrome extension)
Backdoor
The vulnerability allows a remote attacker to gain unauthorized access to victim's browser.The browser extension has been hijacked on Google Web Store.
Software: Copyfish (Chrome extension)
Backdoor
The vulnerability allows a remote attacker to gain unauthorized access to victim's browser.The browser extension was hijacked on July 3, 2017 and a backdoor was distributed via Google Web Store. The attackers have published non-existing version of the extension 20.1.1.
Software: Social Fixer (Chrome extension)
Backdoor
The security issue exists due to presence of backdoor code in updates, distributed from the official website. After update installation, the system becomes infected with NotPetya ransomware.The backdoor code was distributed via automatic update functionality. The infected version 10.01.189 contained backdoor code, which downloaded and installed NotPetya ransomware along with other tools, indented to distribute malware within local network. 75% of victims were located in Ukraine.
Software: M.E.Doc
Known/fameous malware:
NotPetya
The backdoor code was distributed via automatic update functionality. The infected version 10.01.189 contained backdoor code, which downloaded and installed NotPetya ransomware along with other tools, indented to distribute malware within local network. 75% of victims were located in Ukraine.
Security restrictions bypass
The vulnerability allows a remote attacker to bypass security restrictions on the target system.There are confirmed reports indicating that this vulnerability has been publicly exploited in spam campaigns. The attackers were creating accounts, uploading files with spam links to advertise or influence SEO rankings.
Software: Drupal
Backdoor
The vulnerability allows a remote attacker to gain unauthorized access to victim's browser.The browser extension was hijacked on Google Web Store. That update included alert10.js, malware that opens popups saying you have a virus.
Software: Chrometana (Chrome extension)
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when Windows Search handles objects in memory. A remote unauthenticated attacker can send specially crafted messages to the Windows Search service and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
Software: Windows
Improper input validation
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to an error when processing .LNK files. A remote attacker can create a specially crafted .LNK file and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: the vulnerability is being actively exploited in the wild.
Software: Windows
Backdoor
The vulnerability allows a remote attacker to gain unauthorized access to victim's browser.The browser extension was hijacked on Google Web Store. The injected script was displaying and advertisement via alert10.js script, informing victims that their PC has been infected with malware and suggesting to purchase fake antivirus.
Software: Infinity New Tab (Chrome extension)
Buffer overflow
The vulnerability allows a remote attacker to compromise vulnerable system.The vulnerability was disclosed by the Shadow Brokers hacking team.
Software: Windows
Known/fameous malware:
EsteemAudit
Type confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error when processing EPS wiles within Microsoft Office documents. A remote unauthenticated attacker can create a specially crafted document, trick the victim into opening it and execute arbitrary code on the target system with privileges of the current victim.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
The vulnerability was used by APT28 team along with another zero-day CVE-2017-0263.
Software: Microsoft Office
Known/fameous malware:
GAMEFISH
Elevation of privilege
The vulnerability allows a local user to elevate privileges on the system.
The vulnerability exists due to boundary error in Win32k.sys driver. A local user can escalate privileges on the system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited.
The vulnerability was used by APT28 team along with another zero-day CVE-2017-0262.
Software: Windows
Known/fameous malware:
GAMEFISH
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error. A remote attacker can create a specially crafted website, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.Software: Microsoft Internet Explorer
Improper access control
The vulnerability allows a remote attacker to compromise vulnerable device.
The vulnerability exists due to unknown error, which leads to QNAP device compromise. Vulnerability details are not disclosed yet.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable device.
Note: the vulnerability is being actively exploited in the wild.
QNAP reported a security issue involving unauthorized access to the QNAP devices. Several QNAP NAS devices running QTS have been injected with XMR mining programs, specifically from mineXMR.com.
Software: QNAP QTS
Type confusion
The vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on a targeted system.Software: Ghostscript
Stack-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing mailbox names in the EXAMINE IMAP command. A remote authenticated attacker can send an EXAMINE IMAP command containing an overly long mailbox name, trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: this vulnerability has been exploited in the wild and was disclosed by the Shadow Brokers leak.
The list of affected products, according to software vendor:
The exploit code was disclosed by the Shadow Brokers leak.
Software: IBM Domino
Known/fameous malware:
EMPHASISMINE exploit
Use-after-free
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a use-after-free error when processing EPS images within Microsoft Office files. A remote attacker can create a specially crafted Office file with malicious EPS image, trick the victim into opening it and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may allow an attacker to compromise vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
The vulnerability was used by Turla and an unknown financially motivated actor.
Software: Microsoft Office
Known/fameous malware:
SHIRIME
NETWIRE
Links:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/2017-2605
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261
https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
https://blogs.technet.microsoft.com/msrc/2017/05/09/coming-together-to-address-encapsulated-postscri...
Cross-domain scripting
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability is caused by incorrect filtration of input data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victimтАЩs browser in security context of another domain.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Note: this vulnerability is being exploited in the wild.
Software: Microsoft Internet Explorer
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote unauthenticated attacker can create a specially crafted Office document, trick the victim into opening it with Microsoft Office or WordPad and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may result in compromise vulnerable system.
Note: the vulnerability is being actively exploited.
The detected samples are organized as Word files containing Dridex botnet ID 7500 (more specially, RTF files with тАЬ.docтАЭ extension name). The exploit works on all Microsoft Office versions, including the latest Office 2016 running on Windows 10. The earliest attack dates to late January, according to McAfee.
According to FireEye, the malware leveraging this vulnerability was used to target Russian-speaking victims. As early as Jan. 25, 2017, lure documents referencing a Russian Ministry of Defense decree and a manual allegedly published in the "Donetsk People's Republic" exploited CVE-2017-0199 to deliver FINSPY payloads.
This vulnerability was also used by Patya.A ransomware in malware outbreak on 27 June, 2017 as one of the attack vectors.
Software: Microsoft Office
Known/fameous malware:
Malware.Binary.Rtf
Dridex botnet
FINSPY
LATENTBOT
Petya.A
Links:
https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/
https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199
https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html
https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in ScStoragePathFromUrl() function in the WebDAV service when processing overly long HTTP header beginning with "If: <http://" in a PROPFIND request. A remote unauthenticated attacker can trigger buffer overflow and execute arbitrary code on the target system with privileges of the IIS service.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: this vulnerability is being actively exploited in the wild in July and August 2016.
There are reports that this vulnerability is being actively exploited in the wild against legacy installations of Microsoft IIS 6.0 in July and August 2016. At the time of publication the product was no longer supported by the vendor. However Microsoft has decided to release a security patch to address this issue on June 13, 2017.
Software: Microsoft IIS
Known/fameous malware:
EXPLODINGCAN
There are reports that this vulnerability is being actively exploited in the wild against legacy installations of Microsoft IIS 6.0 in July and August 2016. At the time of publication the product was no longer supported by the vendor. However Microsoft has decided to release a security patch to address this issue on June 13, 2017.
Spoofing attack
The vulnerability allows a remote attacker to perform spoofing attack.The vulnerability exists due to improper parsing of right-to-left override (RLO) character when processing names of the transmitted files in Telegram Desktop for Windows. A remote attacker can create a specially crafted filename with malicious content (e.g. a JavaScript file), disguise it as an image and trick the victim into opening it.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: this vulnerability has been exploited in the wild since March until October in 2017, according to Kaspersky Lab and was silently fixed by the vendor.
According to Kaspersky Lab, this vulnerability was exploited in the wild since March 2017 until October 2017. The attackers used the vulnerability to install cryptocurrency miners on victimsтАЩ computers.
Software: Telegram Desktop for Windows
According to Kaspersky Lab, this vulnerability was exploited in the wild since March 2017 until October 2017. The attackers used the vulnerability to install cryptocurrency miners on victimsтАЩ computers.
Improper input validation
The vulnerability allows a remote attacker to gain access to vulnerable device.
The vulnerability exists due to improper input validation in Cisco Cluster Management Protocol (CMP) implementation and failure to restrict usage of CMP-specific Telnet options only to internal, local communications between cluster members. A remote unauthenticated attacker can send specially crafted CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections and cause the affected device to reload or obtain full control over vulnerable device.
Successful exploitation of this vulnerability may allow an attacker to gain full access to vulnerable device.
Note: information about this vulnerability was publicly disclosed by WikiLeaks documents dubbed CIA Vault 7.
The vulnerability was disclosed by WikiLeaks in documents dubbed CIA Vault 7. It is believed that this vulnerability was used by CIA agents to penetrate government and corporate networks.
Software: Cisco IOS
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
On April 14, 2017 the Shadow Brokers team made the exploit pack publicly available. The exploits are believed to be stolen from the NSA.
It is unclear, which CVE has been assigned to this vulnerability. Possible CVEs: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0148.
Software: Windows
Known/fameous malware:
EternalSynergy exploit
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
On April 14, 2017 the Shadow Brokers team made the exploit pack publicly available. The exploits are believed to be stolen from the NSA.
It is unclear, which CVE has been assigned to this vulnerability. Possible CVEs: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0148.
This vulnerability was used to spread WannaCry and NotPetya ransomwere.
Software: Windows
Known/fameous malware:
EternalRomance exploit
WannaCry
NotPetya
Information disclosure
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and gain access to potentially sensitive data.
Successful exploitation of this vulnerability may allow an attacker to gain access to potentially sensitive information.
Note: this vulnerability has been exploited in the wild and is publicly known as EternalChampion exploit.
On April 14, 2017 the Shadow Brokers team made the exploit pack publicly available. The exploits are believed to be stolen from the NSA.
Software: Windows
Known/fameous malware:
EternalChampion exploit
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability has been exploited in the wild and is publicly known as EternalChampion exploit.
On April 14, 2017 the Shadow Brokers team made the exploit pack publicly available. The exploits are believed to be stolen from the NSA.
Software: Windows
Known/fameous malware:
EternalChampion exploit
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an error when parsing requests in Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
On April 14, 2017 the Shadow Brokers team made the exploit pack publicly available. The exploits are believed to be stolen from the NSA.
It is unclear, which CVE has been assigned to this vulnerability. Possible CVEs: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0148.
On May 12, 2017 the malicious team has hit over 100,000 organizations in 150 countries. The hackers encrypted files from the target system and demanded 300-600$.
Software: Windows
Known/fameous malware:
WannaCry (Wana Decryptor) malware (the hackers added .WCRY extention to the targte files). The malware is believed to be connected to Lazarus Group from North Korea.
EternalBlue exploit.
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.The vulnerability was used by Zirconium cyber-espionage group against older versions of Windows.
Software: Windows
Information disclosure
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The vulnerability exists due to improper handling of objects in memory by Microsoft XML Core Services (MSXML). A remote unauthenticated attacker can create a specially crafted Web site, trick the victim into visiting it and test for the presence of files on disk.
Successful exploitation of this vulnerability results in information disclosure.
Note: the vulnerability was being actively exploited.
This vulnerability was used in the AdGholas malvertising campaign and later integrated into the Neutrino exploit kit. The vulnerability was reported to Microsoft in September 2016. The first malware sample, discovered in the wild, is connected with AdGholas campaign in July 2016. The exploit came back again in September 2016 with the Neutrino exploit kit.
Software: Microsoft XML Core Services
Known/fameous malware:
Neutrino exploit kit
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when accessing objects in memory. A remote unauthenticated attacker can create a specially crafted web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
Software: Microsoft Internet Explorer
Stack-based buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.Remote code execution exploit was revealed during Vault 7 leak. It is possible, that this vulnerability was used to compromise Mikrotik routers in Slingshot APT campaign.
Software: MikroTik RouterOS
Known/fameous malware:
ChimayRed
Backdoor
The vulnerability allows a remote attacker to gain unauthorized access to victim's browser.The browser extension was hijacked on Google Web Store. The attackers were able to distributed malware to the extension user's. The attack occurred around March 1, 2017.
Software: Web Paint (Chrome extension)
Format string vulnerability
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a format string error within cgiemail and cgiecho binaries when processing template files. A remote authenticated attacker can create a specially crafted file, containing form string specifiers and execute arbitrary code on the target system.
Successful exploitation may allow an attacker to compromise vulnerable system.
Note: this vulnerability has been exploited in the wild and was disclosed by the Shadow Brokers leak. The exploit is known as ElegantEagle.
The exploit code was disclosed by the Shadow Brokers leak dubbed ElegantEagle, exploiting vulnerability in cgiemail.
Software: cPanel
Known/fameous malware:
ElegantEagle exploit
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to use-after-free error when processing .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, cause memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in compromise of vulnerable system.
Note: this vulnerability is being actively exploited in the wild.
Software: Adobe Flash Player
Use-after-free
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to use-after-free error when processing SVG animation in nsSMILTimeContainer::NotifyTimeChange() function. A remote attacker can create a specially crafted web page, host malicious SVG file on it and execute arbitrary code on vulnerable system.
Successful exploitation may allow an attacker to gain complete control over vulnerable system.
Note: this vulnerability is being publicly exploited against Tor Browser users.
Exploited in the wild against TOR Browser users. Exploit code was publicly disclosed as well before Mozilla released the patch.
Software: Tor Browser
Links:
https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/
https://www.mozilla.org/en-US/thunderbird/45.5.1/releasenotes/
http://blog.morphisec.com/tor/firefox-zero-day-prevented-by-morphisec
http://news.softpedia.com/news/mozilla-patches-svg-animation-remote-code-execution-in-firefox-and-th...
https://blog.malwarebytes.com/threat-analysis/2016/11/tor-browser-zero-day-strikes-again/
https://nakedsecurity.sophos.com/2016/12/01/firefox-and-tor-users-update-now-0-day-exploit-in-the-wi...
http://news.softpedia.com/news/mozilla-patches-svg-animation-remote-code-execution-in-firefox-and-th...
http://www.digitalriser.com/serious-firefox-tor-browser-vulnerability.html
https://www.helpnetsecurity.com/2016/12/01/firefox-tor-browser-0-day-patched/
https://arstechnica.com/security/2016/11/tor-releases-urgent-update-for-firefox-0day-thats-under-act...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23741
http://thehackernews.com/2016/11/firefox-tor-update.html
http://www.eweek.com/security/mozilla-patches-zero-day-flaw-in-firefox.html
LDAP injection
The vulnerability allows a remote attacker to execute arbitrary code on the target system.Software: Jenkins
Memory Corruption
A remote attacker can execute arbitrary code on the target system.
The vulnerability exists due to incorrect handling of objects in memory in Windows font library when processing Open Type fonts. A remote attacker can create a specially crafted font file and cause memory corruption.
Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code on vulnerable system with privileges of the current user.
Note: this vulnerability is being actively exploited in the wild.
The vulnerability started to appear on the radar in June 2016 as it was used in "low-volume attacks primarily focused on targets in South Korea". A successful attack exploited a flaw in the Windows font library to elevate privileges, and to install a backdoor on target systems called Hankray.
Software: Windows
Known/fameous malware:
Trojan Horse Exp.CVE-2016-7256.
Links:
https://technet.microsoft.com/library/security/ms16-132
https://www.symantec.com/security_response/writeup.jsp?docid=2017-011706-2200-99
http://www.securityweek.com/microsoft-patches-windows-zero-day-exploited-russian-hackers
http://www.netsec.news/patch-tuesday-sees-68-microsoft-vulnerabilities-fixed/
https://www.ghacks.net/2017/01/18/microsoft-windows-10-hardening-against-0-day-exploits/
http://www.removesoft-tips.com/exp-cve-2016-7256-removal-guide-how-do-i-remove-exp-cve-2016-7256-com...
https://hotforsecurity.bitdefender.com/blog/if-youre-going-to-use-windows-it-makes-security-sense-to...
http://www.digitaltrends.com/computing/anniversary-update-shielded-against-two-exploits/
http://www.thewindowsclub.com/windows-10-mitigate-zero-day-exploits
http://windowsreport.com/microsoft-windows-10-zero-day-exploit/
Privilege escalation
The vulnerability allows a local user to gain elevated privileges on the target system.
The weakness is due to improper handling of objects in memory by win32k.sys. By sending a specially crafted system call NtSetWindowLongPtr(), a local attacker can set index GWLP_ID to WS_CHILD value on a window handle with GWL_STYLE and execute arbitrary code with system privileges.
Successful explotation of the vulnerability results in privilege escalation.
Note: this vulnerability is being actively exploited in the wild.
The zero-day was being actively exploited by Russian hackers (APT28, Fancy Bear, Pawn Storm, Sednit, Tsar Team, and Sofacy).
Software: Windows
Links:
https://www.symantec.com/security_response/writeup.jsp?docid=2016-110821-3527-99
https://technet.microsoft.com/library/security/ms16-135
https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html
http://www.netsec.news/patch-tuesday-sees-68-microsoft-vulnerabilities-fixed/
https://securingtomorrow.mcafee.com/mcafee-labs/digging-windows-kernel-privilege-escalation-vulnerab...
http://securityaffairs.co/wordpress/53242/hacking/cve-2016-7255-zero-day.html
http://blog.trendmicro.com/trendlabs-security-intelligence/one-bit-rule-system-analyzing-cve-2016-72...
https://cyware.com/news/one-bit-to-rule-a-system-analyzing-cve-2016-7255-exploit-in-the-wild-84cb5e1...
http://www.darkreading.com/endpoint/microsoft-november-security-updates-include-fix-for-zero-day-fla...
https://www.grahamcluley.com/pawn-storm-microsoft-zero-day/
https://nakedsecurity.sophos.com/2016/11/09/november-patch-tuesday-fixes-controversial-windows-0-day...
http://sensorstechforum.com/cve-2016-7255-67-vulnerabilities-addressed-microsoft/
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to use-after-free error when handling .swf files. A remote attacker can trick the victim to visit a website or open a file with malicious Flash file and execute arbitrary code on the target system with privileges of the current user.
Note: this vulnerability was being actively exploited in the wild.
The vulnerability was disclosed by Neel Mehta and Billy Leonard of the Google Threat Analysis Group.
The vulnerability was exploited by Russian hacker group APT28.
Software: Adobe Flash Player
Links:
https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html https://helpx.adobe.com/security/products/flash-player/apsb16-36.html https://technet.microsoft.com/library/security/ms16-128
https://threatpost.com/adobe-patches-flash-zero-day-under-attack/121567/
http://securityaffairs.co/wordpress/52739/hacking/cve-2016-7855-adobe.html
http://sensorstechforum.com/cve-2016-7855-flash-bug-exploited-limited-attacks/
http://www.securityweek.com/adobe-patches-flash-vulnerability-used-targeted-attacks
http://thehackernews.com/2016/10/google-windows-zero-day.html
http://opensources.info/cve-2016-7855-flaw-in-adobe-flash-player-exploited-in-targeted-attacks/
https://www.infosecurity-magazine.com/news/flash-windows-zerodays-are-being/
https://fossbytes.com/microsoft-windows-zero-day-vulnerability-google-told-people/
https://www.theregister.co.uk/2016/10/26/adobe_patches_fresh_flash_zeroday/
https://www.symantec.com/connect/blogs/flash-zero-day-being-exploited-targeted-attacks
http://www.pcworld.com/article/3135715/security/emergency-flash-player-patch-fixes-zero-day-critical...
http://thecharlestendellshow.com/microsoft-patches-cve-2016-7255-windows-zero-day-exploited-by-fancy...
https://arstechnica.com/security/2016/11/fancy-bear-goes-all-out-to-beat-adobe-msft-zero-day-patches...
Privilege escalation
The vulnerability allows a local user to obtain elevated privileges on the target system.The vulnerability was discovered by security researcher Phil Oester and is called "DIRTY COW".
It is believed that the vulnerability was being exploited in the wild for quite some time.
Software: Linux kernel
Links:
https://cdn.kernel.org/pub/linux/kernel/v4.x/testing/linux-4.9-rc2.tar.xz
https://dirtycow.ninja/
https://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05352241
https://en.wikipedia.org/wiki/Dirty_COW
http://unix.stackexchange.com/questions/317981/dirty-cow-exploit-cve-2016-5195/318046
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
http://www.techinformant.in/dirty-cow-cve-2016-5195-vulnerability/
http://thehackernews.com/2016/10/linux-kernel-exploit.html
http://news.softpedia.com/news/linux-kernel-zero-day-cve-2016-5195-patched-after-being-deployed-in-l...
http://securityaffairs.co/wordpress/52521/hacking/dirty-cow-exploit.html
http://www.informationsecuritybuzz.com/expert-comments/dirty-cow-linux-vulnerability/
Information disclosure
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.Proofpoint researchers Will Metcalf and Kafeine first detected and reported CVE-2016-3298 in April 2016 as part of a тАЬGooNkyтАЭ infection chain along with CVE-2016-3351, but the information disclosure vulnerability was most likely already in use by the AdGholas group.
CVE-2016-3298 and CVE-2016-3351 were reported to Microsoft between October and December of 2015.
Software: Microsoft Internet Explorer
Known/fameous malware:
Exploit Kit: Neutrino
Links:
https://www.proofpoint.com/uk/threat-insight/post/microsoft-patches-CVE-2016-3298-second-information...
https://technet.microsoft.com/en-us/library/security/ms16-118.aspx
https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2016-3298-microsoft-fixes-another-ie...
http://securityaffairs.co/wordpress/52186/hacking/microsoft-zero-da.html
https://www.brokenbrowser.com/detecting-local-files-to-evade-analysts/
https://threatpost.com/microsoft-patches-five-zero-days-under-attack/121211/
https://www.scmagazine.com/patch-tuesday-microsoft-patches-five-zero-day-vulnerabilities/article/548...
http://thehackernews.com/2016/10/Microsoft-security-patch-updates.html
https://blog.malwarebytes.com/cybercrime/exploits/2016/08/browser-based-fingerprinting-implications-...
http://www.securityweek.com/attackers-use-internet-explorer-zero-day-avoid-researchers
http://news.softpedia.com/news/microsoft-patches-four-zero-days-used-in-live-attacks-509222.shtml
http://wccftech.com/zero-day-exploited-update-windows-right-away/
https://www.beencrypted.com/attackers-uses-ie-edge-zero-day-avoid-researchers/
Arbitrary code execution
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The vulnerability has been used by an APT group Kaspersky Lab call FruityArmor. Victims have been identified in Thailand, Iran, Algeria, Yemen, Saudi Arabia and Sweden.
Software: Windows
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.Software: Microsoft Edge
Links:
https://technet.microsoft.com/library/security/ms16-119
https://threatpost.com/microsoft-patches-five-zero-days-under-attack/121211/
http://thehackernews.com/2016/10/Microsoft-security-patch-updates.html
http://www.securitynewspaper.com/2016/10/12/microsoft-patches-four-zero-days-used-live-attacks/
http://www.securityweek.com/microsoft-patches-4-vulnerabilities-exploited-wild
https://www.tripwire.com/state-of-security/vulnerability-management/vert-threat-alert-october-2016-p...
http://www.slideshare.net/LANDESK/october2016-patchtuesdayshavlik
http://www.zdnet.com/article/microsoft-hackers-have-exploited-zero-days-in-windows-10s-edge-office-i...
https://www.helpnetsecurity.com/2016/10/12/october-patch-tuesday/
http://www.dailystar.co.uk/tech/news/553358/Microsoft-Windows-10-critical-flaws-security-update-fix-...
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.Software: Microsoft Word
Links:
https://technet.microsoft.com/en-us/library/security/ms16-121.aspx
http://thehackernews.com/2016/10/Microsoft-security-patch-updates.html
https://threatpost.com/microsoft-patches-five-zero-days-under-attack/121211/
https://www.symantec.com/security_response/vulnerability.jsp?bid=93372
http://thehackernews.com/2016/10/Microsoft-security-patch-updates.html
http://www.securitynewspaper.com/2016/10/12/microsoft-patches-four-zero-days-used-live-attacks/
http://www.networkworld.com/article/3130109/security/microsoft-released-10-patches-6-rated-critical-...
https://www.scmagazine.com/patch-tuesday-microsoft-patches-five-zero-day-vulnerabilities/article/548...
http://www.zdnet.com/article/microsoft-hackers-have-exploited-zero-days-in-windows-10s-edge-office-i...
http://securityaffairs.co/wordpress/52186/hacking/microsoft-zero-da.html
https://www.helpnetsecurity.com/2016/10/12/october-patch-tuesday/
https://www.scmagazineuk.com/microsoft-bundles-security-updates--no-more-pick-and-choose/article/547...
Information disclosure
The vulnerability allows a remote user to access potentially sensitive information on the target system.
The weakness exists due to insufficient checks of IKE packats when handling ISAKMP requests. By sending specially crafted IKEv1 packets to the IKE service via IPv4 or IPv6 a malicious user can obtain memory contents.
Successful exploitation of the vulnerability leads to confidential information disclosure on the vulnerable system.
Note: this vulnerability was being actively exploited in the wild. It was disclosed as part of Equation Group Leak and is reffered as BENIGNCERTAIN exploit.
The vulnerability was revealed after The Shadow Brokers hacking group published documents stolen from Equation Group on Saturday 13 August 2016. The exploit code was dubbed BENIGNCERTAIN and presumably was used by NSA operatives to infiltrate networks of government organizations and private companies.
Neither Cisco has developed a patch for the flaw, nor any workarounds are available.
Software: Cisco IOS
Known/fameous malware:
BENIGNCERTAIN
Links:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1
http://thehackernews.com/2016/09/cisco-nsa-exploit.html
https://threatpost.com/cisco-warns-of-ios-flaw-vulnerable-to-shadowbrokers-attack/120668/
https://www.tecklyfe.com/ikev1-information-disclosure-vulnerability-multiple-cisco-products/
http://www.securityweek.com/cisco-finds-new-zero-day-linked-shadow-brokers-exploit
http://bestsecuritysearch.com/vulnerability-ikev1-cisco-products/
http://searchsecurity.techtarget.com/news/450304648/Shadow-Brokers-Cisco-vulnerability-exploited-in-...
https://www.grahamcluley.com/cisco-customers-targeted-hackers-using-leaked-nsa-hacking-tools/
https://www.enisa.europa.eu/publications/info-notes/the-201cshadow-brokers201d-story
http://thecharlestendellshow.com/over-840000-cisco-systems-affected-by-the-equation-groups-flaw-cve-...
https://www.scmagazine.com/cisco-warns-of-exploitation-of-new-flaws-linked-to-shadow-brokers-exploit...
https://plannedlink.co.uk/2016/09/20/cve-2016-6415-cisco-confirms-a-new-0day-linked-to-equation-grou...
http://securityaffairs.co/wordpress/51410/hacking/cve-2016-6415.html
https://motherboard.vice.com/en_us/article/hackers-hit-cisco-customers-leaked-nsa-hacking-tools-shad...
http://www.hackbusters.com/news/stories/858203-cisco-ikev1-information-disclosure-benigncertain-cve-...
http://news.softpedia.com/news/shadow-brokers-beningcertain-tool-deployed-in-live-attacks-508455.sht...
http://www.securityinform.com/2016/09/22/859-000-cisco-devices-affected-by-critical-zero-day-vulnera...
Memory corruption
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to boundary error when handling of malicious files. A remote attacker can create a specially crafted content, trick the victim into opening it, trigger memory corruption and gain access to arbitrary data.
Microsoft has known about CVE-2016-3351 since 2015.
Exploited By AdGholas and GooNky Malvertising Groups.
Software: Microsoft Internet Explorer
Links:
https://www.proofpoint.com/us/threat-insight/post/Microsoft-Patches-Zero-Day-Exploited-By-AdGholas-G...
https://technet.microsoft.com/library/security/ms16-104
https://technet.microsoft.com/library/security/MS16-105
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=29628
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2016-3298-microsoft-fixes-another-ie-...
http://securityaffairs.co/wordpress/51494/hacking/internet-explorer-exploits.html
http://wccftech.com/zero-day-exploited-update-windows-right-away/
https://www.brokenbrowser.com/detecting-local-files-to-evade-analysts/
http://www.securityweek.com/microsoft-patches-browser-vulnerability-exploited-attacks
https://www.scmagazineuk.com/microsoft-bundles-security-updates--no-more-pick-and-choose/article/547...
http://www.securingcomputer.com/news/microsoft-patches-browser-vulnerability-exploited-attacks
http://www.zdnet.com/article/microsoft-patches-critical-ie-bug-that-was-under-attack-for-nearly-thre...
http://techgenix.com/microsoft-patches-ie-malvertising-vulnerability/
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists within text processor when parsing .inp files. A remote attacker can create a specially crafted .inp file, trick the victim to open it and execute arbitrary code on the target system with privileges of the current user.
Successful exploitation of this vulnerability may result in full system compromise.
Note: this vulnerability is being actively exploited in the wild against financial institutions in Asia. The latest attack report is dated November 3, 2017.
Exploit code was used in targeted attacks against financial institutions in Asia. Victims of these attacks have been observed in U.K., U.S, Myanmar, Sri-Lanka and Uganda. The sector for the victims include both financial and governmental institutions.
Attacks are similar to attacks exploiting vulnerabilities in the Hangul Word Processor against government targets in South Korea.
UPDATE
Researchers from Palo Alto Networks published a write-up on November 2 2017, describing 3 latest exploits, leveraging this particular vulnerability.
The decoy documents used by the InPage exploits in the latest attacks suggest that the targets are likely to be politically or militarily motivated. They contained subjects such as intelligence reports and political situations related to India, the Kashmir region, or terrorism being used as lure documents.
Software: InPage
Known/fameous malware:
Zeus-type malware
CONFUCIUS_B
Links:
https://securelist.com/blog/research/76717/inpage-zero-day-exploit-used-to-attack-financial-institut...
https://threatpost.com/inpage-zero-day-used-in-attacks-against-banks/122112/
http://www.securityweek.com/organizations-asia-targeted-inpage-zero-day
http://securityaffairs.co/wordpress/53725/intelligence/inpage-zero-day.html
http://techgenix.com/banks-hacked-via-inpage/
https://www.theregister.co.uk/2016/11/24/attackers_use_yearsold_software_zero_day_to_pop_asia_pac_ba...
http://www.itnewsafrica.com/2016/11/asian-and-african-banks-are-attacked-using-a-zero-day-vulnerabil...
https://cyware.com/news/organizations-in-asia-targeted-with-inpage-zero-day-37293662
https://frederickdamasus.com/2016/11/zero-day-attacks-african-asian-banks.html/
https://thetechportal.com/2016/11/24/banks-attacked-zero-day-kaspersky/
http://technewsdir.com/asian-and-african-banks-attacked-using-a-zero-day-vulnerability-kaspersky
https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malw...
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error in WebKit. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Note: the vulnerability was being actively exploited.
The Citizen Lab discovery exposed three zero-day exploits ((CVE-2016-4655, CVE-2016-4656, CVE-2016-4657)) used by тАЬPegasusтАЭ, a lawful interception cyberespionage tool developed by the Israeli-based NSO Group and sold to government agencies (UAE Human Rights Defender (Ahmed Mansoor)).
Software: Apple iOS
Known/fameous malware:
Trident exploit.
Links:
http://www.securityweek.com/apple-issues-emergency-fix-ios-zero-days-what-you-need-know
https://www.symantec.com/connect/blogs/trident-trio-ios-zero-days-being-exploited-wild
https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
https://jndok.github.io/2016/10/04/pegasus-writeup/
https://blog.lookout.com/blog/2016/08/25/trident-pegasus/
http://securityaffairs.co/wordpress/50788/mobile-2/ios-9-3-4-trident-exploit.html
https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
https://en.wikipedia.org/wiki/Pegasus_(spyware)
http://indianexpress.com/article/technology/tech-news-technology/apple-ios-trident-exploit-all-you-n...
http://www.technewsworld.com/story/83845.html
http://www.eweek.com/security/apple-rushes-out-patch-for-new-ios-zero-day-flaws.html
http://www.darkreading.com/vulnerabilities---threats/apple-releases-patch-for-trident-a-trio-of-ios-...
Memory corruption
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to a boundary error when processing a malicious application. A local attacker can run a specially crafted application, trigger memory corruption and execute arbitrary code with SYSTEM privileges.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Note: the vulnerability was being actively exploited.
The Citizen Lab discovery exposed three zero-day exploits ((CVE-2016-4655, CVE-2016-4656, CVE-2016-4657)) used by тАЬPegasusтАЭ, a lawful interception cyberespionage tool developed by the Israeli-based NSO Group and sold to government agencies (UAE Human Rights Defender (Ahmed Mansoor)).
Software: Apple iOS
Known/fameous malware:
Trident exploit.
Links:
http://www.securityweek.com/apple-issues-emergency-fix-ios-zero-days-what-you-need-know
https://www.symantec.com/connect/blogs/trident-trio-ios-zero-days-being-exploited-wild
https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
https://jndok.github.io/2016/10/04/pegasus-writeup/
https://blog.lookout.com/blog/2016/08/25/trident-pegasus/
http://securityaffairs.co/wordpress/50788/mobile-2/ios-9-3-4-trident-exploit.html
https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
https://en.wikipedia.org/wiki/Pegasus_(spyware)
http://indianexpress.com/article/technology/tech-news-technology/apple-ios-trident-exploit-all-you-n...
http://www.technewsworld.com/story/83845.html
http://www.eweek.com/security/apple-rushes-out-patch-for-new-ios-zero-day-flaws.html
http://www.darkreading.com/vulnerabilities---threats/apple-releases-patch-for-trident-a-trio-of-ios-...
Information disclosure
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to improper input validation. A remote attacker can run a specially crafted application, bypass security restrictions and obtain portions of kernel memory.
Successful exploitation of the vulnerability results in information disclosure on the vulnerable system.The Citizen Lab discovery exposed three zero-day exploits ((CVE-2016-4655, CVE-2016-4656, CVE-2016-4657)) used by тАЬPegasusтАЭ, a lawful interception cyberespionage tool developed by the Israeli-based NSO Group and sold to government agencies (UAE Human Rights Defender (Ahmed Mansoor)).
Software: Apple iOS
Known/fameous malware:
Trident exploit.
Links:
https://support.apple.com/en-us/HT207107
http://www.securityweek.com/apple-issues-emergency-fix-ios-zero-days-what-you-need-know
https://www.symantec.com/connect/blogs/trident-trio-ios-zero-days-being-exploited-wild
https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
https://jndok.github.io/2016/10/04/pegasus-writeup/
https://blog.lookout.com/blog/2016/08/25/trident-pegasus/
http://securityaffairs.co/wordpress/50788/mobile-2/ios-9-3-4-trident-exploit.html
https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
https://en.wikipedia.org/wiki/Pegasus_(spyware)
http://indianexpress.com/article/technology/tech-news-technology/apple-ios-trident-exploit-all-you-n...
http://www.technewsworld.com/story/83845.html
http://www.eweek.com/security/apple-rushes-out-patch-for-new-ios-zero-day-flaws.html
http://www.darkreading.com/vulnerabilities---threats/apple-releases-patch-for-trident-a-trio-of-ios-...
CLI parser buffer overflow
The vulnerability allows a local user to cause denial of service or execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the command-line interface (CLI) parser. A local authenticated user can trigger buffer overflow and reload the affected device or execute arbitrary code on the target system.
Successful exploitation of this vulnerability will allow a local user to execute arbitrary code on vulnerable system.
The following models of CISCO ASA appliances are affected:
Note: this is a zero-day vulnerability, discovered after security breach of The Equation Group. The exploit code for this vulnerability was publicly exposed and is referred as EPICBANANA Exploit.
The vulnerability was revealed after The Shadow Brokers hacking group published documents stolen from Equation Group in 2013. The exploit code was dubbed BENIGNCERTAIN and presumably was used by NSA operatives to infiltrate networks of government organizations and private companies
Neither Cisco has developed a patch for the flaw, nor any workarounds are available.
Firstly the vulnerability received a patch back in 2011.
Software: Cisco PIX Firewall
Known/fameous malware:
EPICBANANA.
Links:
https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-56516
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-cli
https://blogs.cisco.com/security/shadow-brokers
http://www.thesecurityblogger.com/the-shadow-brokers-epicbananas-and-extrabacon-exploits/
https://www.tripwire.com/state-of-security/latest-security-news/cisco-confirms-two-exploits-found-in...
https://www.bleepingcomputer.com/news/security/researchers-find-strong-connection-between-nsa-hacker...
http://thehackernews.com/2016/08/nsa-hack-exploit.html
http://news.softpedia.com/news/cisco-patches-zero-day-exposed-in-shadow-brokers-leak-507410.shtml
https://arstechnica.com/security/2016/08/cisco-confirms-nsa-linked-zeroday-targeted-its-firewalls-fo...
https://www.symantec.com/connect/blogs/equation-has-secretive-cyberespionage-group-been-breached
https://www.helpnetsecurity.com/2016/08/18/cisco-fortinet-exploits-leaked/
http://techgenix.com/nsa-hack-cisco-releases-patches/
https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equatio...
http://www.eweek.com/security/shadow-brokers-flaw-poses-zero-day-risks-cisco-and-fortinet-warn.html
https://duo.com/blog/newly-released-exploits-affect-cisco-juniper-and-other-vendors
SNMP remote code execution
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when handling SNMP packets. A remote attacker with knowledge of SNMP community string can cause buffer overflow and cause the target device to reload or execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in full compromise of affected system.
The following models of CISCO ASA appliances are affected:
Note: this is a zero-day vulnerability, discovered after security breach of The Equation Group. The exploit code for this vulnerability was publicly exposed and is referred as EXTRABACON Exploit.
The vulnerability was revealed after The Shadow Brokers hacking group published documents stolen from Equation Group in 2013. The exploit code was dubbed ExtraBacon and presumably used by NSA operatives to infiltrate networks of government organizations and private companies.
Software: Cisco ASA Series
Known/fameous malware:
ExtraBacon.
Links:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
https://www.surecloud.com/security-bulletins/cisco-asa-pix-firewall-zero-day-vulnerability-cve-2016-...
http://securityaffairs.co/wordpress/51410/hacking/cve-2016-6415.html
https://threatpost.com/cisco-begins-patching-equation-group-asa-zero-day/120124/
http://www.bankinfosecurity.com/cisco-patches-asa-devices-against-extrabacon-a-9360
http://news.softpedia.com/news/cisco-patches-zero-day-exposed-in-shadow-brokers-leak-507410.shtml
https://threatpost.com/leaked-shadowbrokers-attack-upgraded-to-target-current-versions-of-cisco-asa/...
https://arstechnica.com/security/2016/08/cisco-confirms-nsa-linked-zeroday-targeted-its-firewalls-fo...
ttps://thehackernews.com/2016/08/nsa-hack-exploit.html
https://duo.com/blog/newly-released-exploits-affect-cisco-juniper-and-other-vendors
http://www.securityweek.com/cisco-finds-new-zero-day-linked-shadow-brokers-exploit
https://www.symantec.com/connect/blogs/equation-has-secretive-cyberespionage-group-been-breached
https://www.helpnetsecurity.com/2016/08/18/cisco-fortinet-exploits-leaked/
Buffer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exist due to a boundary error within cookie parser. A remote attacker can send a specially crafted HTTP request, cause memory corruption and execute arbitrary code on vulnerable system.
Successful exploitation of the vulnerability may allow an attacker to gain unauthorized access to vulnerable system.
Note:the vulnerability was being actively exploited.
Information about zero-day vulnerabilities in Cisco and FortiOS products was exposed after NSA data leak in August 2016. The tools bear digital signatures that match those used by the Equation Group, a group that has alleged links to the NSA. The incident highlights the risk of hoarding zero-day vulnerabilities.
EGREGIOUSBLUNDER is one of multiple Equation Group vulnerabilities and exploits disclosed on 2016/08/14 by a group known as the Shadow Brokers.
Software: FortiOS
Links:
http://fortiguard.com/advisory/FG-IR-16-023
http://www.computerworld.com/article/3109307/security/cisco-and-fortinet-issue-patches-against-nsa-m...
https://www.sans.org/newsletters/newsbites/xviii/66#201
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/7381/fortinet-fortigate-cookie...
http://netformation.com/level-3-pov/shadow-brokers-hit-the-light-of-day
https://vulners.com/nessus/FORTIOS_COOKIE_PARSING_BOF.NASL
https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equatio...
https://tools.cisco.com/security/center/viewAlert.x?alertId=48526
https://www.tenable.com/plugins/index.php?view=single&id=93196
Security bypass
The vulnerabiity allows a remote attacker to bypass security restrictions on the target system.In August 2016 Mozilla bug-tracking service was hacked. Hackers were able to steal information about not yet patched vulnerabilities in Mozilla Firefox and use one of them in a targeted attack against users of Russian news website.
The malicious exfiltration server, hosted in Ukraine, has been online since July 27, 2015.
The vulnerability was reported by researcher Cody Crews.
Software: Mozilla Firefox
Known/fameous malware:
JS/Exploit.CVE-2015-4495 (ESET).
Links:
http://www.computerworld.com/article/2980745/web-browsers/mozilla-admits-bug-tracker-breach-led-to-a...
https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/
https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/
http://www.welivesecurity.com/2015/08/11/firefox-under-fire-anatomy-of-latest-0-day-attack/
http://www.securityweek.com/mozilla-patches-firefox-zero-day-exploited-wild
https://www.redpacketsecurity.com/firefox-0day-cve-2015-4495/
https://access.redhat.com/articles/1563163
https://www.symantec.com/connect/blogs/firefox-vulnerability-could-allow-attackers-steal-documents
http://securityaffairs.co/wordpress/39198/cyber-crime/0-day-firefox.html
https://www.hedgehogsecurity.co.uk/firefox-users-should-update-immediately/
https://www.eset.com/int/about/newsroom/company/firefox-0-day-attack/
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error when handling .swf files. A remote attacker can create a specially crafted SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The vulnerability was reported by Anton Ivanovn of Kaspersky.
Used by ScarCruft hacking team in Operation Daybreak and Operation Erebus as suggested by Kaspersky Lab.
It has been used in targeted attacks carried out by a new ScarCruft APT group operating primarily against high-profile victims in China, South Korea, India, Russia, Nepal, Romania, and Kuwait.
Software: Adobe Flash Player
Links:
https://helpx.adobe.com/security/products/flash-player/apsb16-18.html
https://helpx.adobe.com/security/products/flash-player/apsa16-03.html
https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attac...
http://securityaffairs.co/wordpress/48400/hacking/cve-2016-4171-flash-0-day.html
http://www.securityweek.com/flash-zero-day-exploited-targeted-attacks
https://community.norton.com/en/blogs/security-covered-norton/critical-adobe-flash-player-vulnerabil...
https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/
http://zerosecurity.org/2016/06/flash-zero-day-cve-2016-4171
http://neurogadget.net/2016/06/21/hackers-exploiting-critical-adobe-flash-player-vulnerability/33701
https://www.scmagazine.com/adobe-patches-critical-zero-day-vulnerability-in-flash-player/article/529...
http://activecypher.com/cve-2016-4171-another-flash-zero-day-exploited-in-targeted-attacks/
https://nakedsecurity.sophos.com/2016/06/15/critical-flash-vulnerability-is-being-exploited-in-the-w...
https://www.beyondtrust.com/blog/critical-zero-day-vulnerability-cve-2016-4171-basic-mitigation/
https://arstechnica.com/security/2016/06/critical-adobe-flash-bug-under-active-attack-currently-has-...
http://wccftech.com/flash-zero-day-vulnerability-exploited-in-the-wild/
http://www.digitaltrends.com/computing/adobe-exploit-scarcruft/
http://www.theinquirer.net/inquirer/news/2461612/new-threat-uses-flash-zero-day-to-attack-big-busine...
http://thecharlestendellshow.com/scarcruft-apt-group-exploited-flash-zero-day-in-high-profile-attack...
https://www.intego.com/mac-security-blog/adobe-flash-alert-0-day-exploit-for-vulnerability-in-the-wi...
http://www.bankinfosecurity.com/adobe-flings-flash-fix-for-fresh-apt-target-a-9207
Arbitrary file upload
The vulnerability allows a remote attacker to upload arbitrary files to compromise the target system.Researchers at Sucuri said that attacks against WordPress sites running the plugin started on May 26.
Software: WP Mobile detector
Links:
https://www.pluginvulnerabilities.com/2016/05/31/aribitrary-file-upload-vulnerability-in-wp-mobile-d...
https://threatpost.com/wordpress-patches-zero-day-in-wp-mobile-detector-plugin/118458/ https://www.recoverwp.com/en/arbitrary-file-upload-vulnerability-in-wp-mobile-detector/
https://blog.sucuri.net/2016/06/wp-mobile-detector-vulnerability-being-exploited-in-the-wild.html
http://news.softpedia.com/news/wordpress-sites-under-attack-from-new-zero-day-in-wp-mobile-detector-...
https://vulners.com/threatpost/WORDPRESS-PATCHES-ZERO-DAY-IN-WP-MOBILE-DETECTOR-PLUGIN/118458
http://www.spamfighter.com/News-20313-WordPress-Websites-Being-Assaulted-Through-Fresh-0-Day-within-...
http://www.builditdigital.com/blog/wp-mobile-detector-plugin-makes-over-10-000-wordpress-sites-vulne...
http://www.zdnet.com/article/over-10000-wordpress-sites-vulnerable-to-exploit/
Improper input validation
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a logic error when parsing IPv6 Neighbor Discovery (ND) packets, sent directly to the device. A remote attacker can send specially crafted IPv6 traffic to the affected device and cause the device to stop processing IPv6 traffic.
Successful exploitation of the vulnerability will result in denial of service attack.
Note: according to Cisco, this vulnerability is being exploited in the wild.
Software: Cisco IOS XR
Memory corruption
The vulnerability allows a remote attacker to execute arbitrary code on the target system.Used to target South Korean organizations.
A banking (Duuzer back door) trojan distributed by Sundown Exploit Kit (EK) to target South Korean organizations. Later it was included into Magnitude and KaiXin EKs.
Software: Microsoft Internet Explorer
Known/fameous malware:
Exploit kit: Magnitude, Neutrino, RIG, Sundown.
Links:
http://theori.io/research/cve-2016-0189
https://github.com/theori-io/cve-2016-0189
https://technet.microsoft.com/library/security/MS16-053
https://technet.microsoft.com/library/security/ms16-051
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0189
http://malware.dontneedcoffee.com/2016/07/cve-2016-0189-internet-explorer-and.html
https://www.symantec.com/security_response/writeup.jsp?docid=2016-061306-3604-99
https://www.symantec.com/connect/blogs/internet-explorer-zero-day-exploit-used-targeted-attacks-sout...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=70147
http://malware.dontneedcoffee.com/2016/07/cve-2016-0189-internet-explorer-and.html
http://blog.trendmicro.com/trendlabs-security-intelligence/may-2016-patch-tuesday-fixes-browser-scri...
https://www.fireeye.com/blog/threat-research/2016/07/exploit_kits_quickly.html
https://www.virusbulletin.com/blog/2017/01/paper-journey-and-evolution-god-mode-2016-cve-2016-0189/
http://www.securityweek.com/microsoft-patches-flaws-exploited-targeted-attacks
http://sensorstechforum.com/may-2016-patch-tuesday-cve-2016-0189-kb3155533-kb3156764/
http://securityaffairs.co/wordpress/54093/intelligence/cnacom-campaign.html
https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise
http://forensicblogs.com/tag/cve-2016-0189/
https://threatpost.com/patched-ie-zero-day-incorporated-into-neutrino-ek/119321/
http://securityaffairs.co/wordpress/49383/cyber-crime/neutrino-ek-ie-flaw.html
http://www.securityweek.com/ie-exploit-added-neutrino-after-experts-publish-poc
http://www.cybersecurity-review.com/internet-explorer-zero-day-exploit-used-in-targeted-attacks-in-s...
http://www.zdnet.com/article/south-korea-victim-of-internet-explorer-zero-day-vulnerability/
http://thecharlestendellshow.com/experts-published-ie-exploit-code-and-crooks-added-it-to-neutrino-e...
https://cybernewsgroup.co.uk/ie-exploit-added-to-neutrino-after-experts-publish-poc/
http://www.networkworld.com/article/3068505/microsoft-fixes-actively-attacked-ie-flaw-and-50-other-v...
https://www.scmagazine.com/patch-tuesday-microsoft-rolls-out-16-bulletins-eight-rated-critical/artic...
http://news.redpiranha.net/Landing-Page-Containing-CVE-2016-0189-Exploit-Code-Used-to-Target-Taiwane...
http://www.darkreading.com/attacks-breaches/windows-0-day-exploit-used-in-recent-wave-of-pos-attacks...
https://securityintelligence.com/news/proof-of-compromise-new-neutrino-exploit-runs-on-research/
https://www.grahamcluley.com/neutrino-exploit-kit-adds-zero-day-flaw-arsenal/
Type confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to type confusion error when processing .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.The vulnerability was reported by Genwei Jiang.
The zero-day was used by the Pawn Storm and APT3 cyber espionage groups in Operation Erebus campaign and seen in payloads included with CryptXXX, Cerber and DMA Locker ransomware, as well as the Gootkit Trojan.
Software: Adobe Flash Player
Known/fameous malware:
Exploit kit: Angler, Magnitude, Neutrino, RIG.
Links:
https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-zero-day.html
https://helpx.adobe.com/security/products/flash-player/apsa16-02.html
https://helpx.adobe.com/security/products/flash-player/apsb16-15.html
http://securityaffairs.co/wordpress/47197/hacking/cve-2016-4117-adobe-flash-zero.html
https://security.berkeley.edu/news/vulnerable-adobe-flash-player-allows-remote-code-execution-cve-20...
http://news.softpedia.com/news/nine-days-later-flash-zero-day-cve-2016-4117-already-added-to-exploit...
https://www.helpnetsecurity.com/2016/05/16/flash-0day-exploit-booby-trapped-office-file/
http://securityaffairs.co/wordpress/47379/cyber-crime/cve-2016-4117-exploit-chain.html
https://andreafortuna.org/cve-2016-4117-a-new-adobe-flash-0-day-in-the-wild-56e78d519bf5#.9ogjnryxb
http://www.pcworld.com/article/3073561/security/a-recently-patched-flash-player-exploit-is-being-use...
https://www.peerlyst.com/posts/cve-2016-4117-fireeye-revealed-the-exploit-chain-of-recent-attacks-he...
https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-8-adds-support-for-flash-v...
http://neurogadget.net/2016/05/29/adobe-flash-player-exploit-used-hackers-attack-users/31733
http://www.bankinfosecurity.com/zero-day-attacks-pummel-ie-flash-a-9093
Input validation error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.Code execution vulnerability in ImageMagick was found by Nikolay Ermishkin from Mail.Ru Security Team while researching original report.
Security researcher Behrouz Sadeghipour discovered that the vulnerability was present in the web domain belonging to Polyvore.
The vulnerabilily is dubbed "ImageTragick".
Software: ImageMagick
Links:
https://imagetragick.com/
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.440568
http://blog.trendmicro.com/trendlabs-security-intelligence/imagemagick-vulnerability-allows-remote-c...
http://www.darknet.org.uk/2016/05/multiple-serious-imagemagick-zero-day-vulnerabilities/
http://www.zdnet.com/article/yahoos-polyvore-vulnerable-to-imagemagick-flaw-researcher-receives-litt...
http://www.securityweek.com/yahoo-rewards-researcher-imagemagick-hack
http://sec.sangfor.com.cn:88/vulns/290.html
https://www.helpnetsecurity.com/2016/05/04/imagemagick-zero-day-flaw/
http://www.sangfor.com/source/blog-network-security/696.html
https://arstechnica.com/security/2016/05/exploits-gone-wild-hackers-target-critical-image-processing...
http://www.nickhammond.com/fixing-imagemagick-cve-20163714-with-ansible/
http://www.securityweek.com/attackers-exploit-critical-imagemagick-vulnerability
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to improper handling of objects in memory by the kernel-mode driver. A local attacker can run a specially crafted program, gain elevated privileges and execute arbitrary code with SYSTEM privileges.
Successful exploitation of this vulnerability may result in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Used to compromise organizations in the USA and Canada. First attacks were detected in 08.03.2016.
Software: Windows
Known/fameous malware:
PUNCHBABY or PUNCHTRACK Trojan.
Links:
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Exploit:Win64/CVE-2016...
https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html
https://technet.microsoft.com/library/security/ms16-039 http://www.securitytracker.com/id/1035532
http://blog.trendmicro.com/tippingpoint-threat-intelligence-zero-day-coverage-week-april-11-2016/
http://blog.cybersheath.com/adobe-and-windows-zero-day-exploits-in-the-wild
https://threatpost.com/microsoft-zero-day-exposes-100-companies-to-pos-attack/118026/
https://arstechnica.com/security/2016/05/beware-of-in-the-wild-0day-attacks-exploiting-windows-and-f...
http://sensorstechforum.com/windows-zero-day-exploited-to-steal-credit-card-data-from-us-companies/
http://www.securityweek.com/windows-zero-day-leveraged-financial-attacks
http://www.zdnet.com/article/microsoft-windows-zero-day-exposes-companies-to-crippling-cyberattacks/
Privilege escalation
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to improper handling of objects in memory by the kernel-mode driver. A local attacker can run a specially crafted program, gain elevated privileges and execute arbitrary code with SYSTEM privileges.
Successful exploitation of this vulnerability may result in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
The Badlock vulnerability.
Software: Windows
Links:
https://technet.microsoft.com/en-us/library/security/ms16-039.aspx
https://threatpost.com/fruityarmor-apt-group-used-recently-patched-windows-zero-day/121398/
http://www.networkworld.com/article/3054645/security/microsoft-rated-6-of-13-security-updates-as-cri...
https://securelist.com/blog/research/76396/windows-zero-day-exploit-used-in-targeted-attacks-by-frui...
http://www.infoworld.com/article/3055572/security/dont-let-badlock-distract-you-from-real-vulnerabil...
http://news.softpedia.com/news/microsoft-releases-critical-windows-edge-browser-office-security-upda...
https://www.infosecurity-magazine.com/news/patch-tuesday-badlock-bulletin/
Type confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to type confusion error when handling .swf files. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.The weakness was presented by Kafeine (EmergingThreats/Proofpoint), Genwei Jiang (FireEye, Inc.) and Clement Lecigne (Google).
According to FireEye, on April 2, Kafeine provided details on a version of the Magnitude Exploit Kit that was originally believed to be exploiting known Adobe Flash vulnerabilities.
Software: Adobe Flash Player
Known/fameous malware:
Magnitude, Neutrino and Nuclear Pack Exploit Kit.
Cerber and DMA Locker ransomware.
Links:
https://helpx.adobe.com/security/products/flash-player/apsa16-01.html
https://www.fireeye.com/blog/threat-research/2016/04/cve-2016-1019_a_new.html
http://blog.trendmicro.com/trendlabs-security-intelligence/look-adobe-flash-player-cve-2016-1019-zer...
https://www.proofpoint.com/us/threat-insight/post/killing-zero-day-in-the-egg
http://securityaffairs.co/wordpress/46107/malware/adobe-fixes-cve-2016-1019.html
https://www.bleepingcomputer.com/news/security/adobe-releases-security-advisory-on-critical-vulnerab...
http://www.zdnet.com/article/cyberattackers-botch-integration-of-adobe-flash-zero-day-vulnerability-...
http://www.eweek.com/security/adobe-patches-zero-day-flaw-used-by-exploit-kit.html
https://www.grahamcluley.com/adobe-flash-responsible-six-top-10-bugs-used-exploit-kits-2016/
http://hub-apac.insight.com/h/i/236881036-zero-day-attack-discovered-in-magnitude-exploit-kit-target...
https://trushieldinc.com/adobe-flash-player-zero-day-exploit/
https://blog.malwarebytes.com/threat-analysis/exploits-threat-analysis/2016/04/botched-flash-0day-ge...
http://www.symantec.com/connect/blogs/new-flash-zero-day-exploited-attackers-wild
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2016-1019-zero-day-integrated-in-expl...
https://threatpost.com/emergency-update-coming-for-flash-vulnerability-under-attack/117219/
http://www.ecommercetimes.com/story/83348.html
Integer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to integer overflow. A remote attacker can create a specially crafted Web site, trick the victim into visiting it and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in arbitrary code execution.The vulnerability was reported by Anton Ivanov from Kaspersky Lab. The vulnerability was used by the ScarCruft group in Operation Daybreak campaign.
Software: Adobe Flash Player
Known/fameous malware:
Used in Angler Exploit Kit.
Links:
https://helpx.adobe.com/security/products/flash-player/apsb16-08.html
http://blog.trendmicro.com/trendlabs-security-intelligence/root-cause-analysis-recent-flash-zero-day...
http://blog.trendmicro.com/trendlabs-security-intelligence/adobe-issues-emergency-patch-flash-zero-d...
ttp://blog.trendmicro.com/trendlabs-security-intelligence/tag/cve-2016-1010/
https://security.berkeley.edu/news/adobe-flash-player-multiple-zero-day-vulnerabilities-cve-2016-101...
https://technet.microsoft.com/en-us/library/security/MS16-036
http://securityaffairs.co/wordpress/45226/breaking-news/adobe-emergency-out-of-band-update.html
https://news.ycombinator.com/item?id=11262403
https://www.slashgear.com/adobe-flash-player-update-fixes-critical-vulnerabilities-11431218/
https://securify.co.in/adobe-flash-player/zero-day-adobe-flash-player-vulnerability-cve-2016-1010-2/
https://arstechnica.com/security/2016/03/adobe-issues-emergency-patch-for-actively-exploited-code-ex...
https://nakedsecurity.sophos.com/2016/03/11/flash-zero-day-prompts-emergency-update-from-adobe/
https://www.scmagazine.com/adobe-patches-active-flash-player-flaw/article/528925/
https://hotforsecurity.bitdefender.com/blog/update-flash-now-targeted-attacks-exploiting-security-ho...
http://www.securityweek.com/adobe-patches-flash-zero-day-under-attack
http://www.spamfighter.com/News-20163-Security-Bug-Used-in-Live-Attacks-is-Fixed-by-Releasing-Adobe-...
http://www.pcworld.com/article/3043055/security/emergency-flash-player-patch-fixes-actively-exploite...
http://wccftech.com/adobe-patches-yet-another-critical-flash-exploit/
https://www.infosecurity-magazine.com/news/adobe-issues-patch-for-23-flash/
http://www.eweek.com/blogs/security-watch/adobe-updates-flash-to-patch-zero-day-flaw.html
Use-after-free error
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a use-after-free error when processing malicious .swf content. A remote attacker can create a specially crafted .SWF file, trick the victim into opening it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in complete compromise of vulnerable system.
According to Kasperksy Lab report, this vulnerability has bein actively exploited in the wild by BlackOasis APT actor.
According to Kaspersky Lab, this vulnerability has being exploited in the wild by BlackOasis actor in June 2015.
Software: Adobe Flash Player
Use-after-free error
The vulnerability allows a local attacker to gain elevated privileges on the target system.The critical Linux kernel flaw (CVE-2016-0728) has been identified by a group of researchers at a startup named Perception Point.
The vulnerability has existed since 2012, but was disclosed in January, 2016.
Software: Linux kernel
Links:
http://thehackernews.com/2016/01/linux-kernel-hacker.html
http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-...
https://www.cyberciti.biz/faq/linux-cve-2016-0728-0-day-local-privilege-escalation-vulnerability-fix...
http://williamdurand.fr/2016/01/21/patching-linux-kernel-raspbian/
http://securityaffairs.co/wordpress/43758/hacking/linux-kernel-vulnerability-fixed.html
http://www.pcworld.com/article/3023870/security/linux-kernel-flaw-endangers-millions-of-pcs-servers-...
https://syslint.com/blog/tutorial/new-linux-kernel-zero-day-exploit-vulnerability-cve-2016-0728/
https://l3net.wordpress.com/2016/01/20/firejail-target-practice-cve-2016-0728/
https://threatpost.com/serious-linux-kernel-vulnerability-patched/115923/
http://www.securityweek.com/linux-kernel-flaw-puts-millions-devices-risk
Improper input validation
The vulnerability allows a remote attacker to execute arbitrary code on the target system.On July 5, 2015, a large amount of data from one company was leaked to the Internet with a hacker known as тАЬPhineas FisherтАЭ claiming responsibility for the breach.
Software: Microsoft Silverlight
Known/fameous malware:
Used in Angler, Hunter, RIG and Sundown Exploit Kit.
Links:
https://technet.microsoft.com/en-us/library/security/MS16-006
https://securelist.com/blog/research/73255/the-mysterious-case-of-cve-2016-0034-the-hunt-for-a-micro...
https://www.symantec.com/security_response/writeup.jsp?docid=2016-011507-1032-99
http://blog.trendmicro.com/trendlabs-security-intelligence/malvertising-campaign-in-us-leads-to-angl...
http://www.broadanalysis.com/2016/03/21/silverlight-exploit-leads-to-teslacrypt-cve-2016-0034/
http://sensorstechforum.com/attack-involves-silverlight-exploit-cve-2016-0034-angler-ek-and-teslacry...
http://www.securityweek.com/hacking-team-leak-leads-discovery-silverlight-zero-day
http://www.securityweek.com/exploit-recently-patched-silverlight-flaw-added-angler
https://www.trustwave.com/Resources/SpiderLabs-Blog/Sundown-EK-%E2%80%93-Stealing-Its-Way-to-the-Top...
http://securityaffairs.co/wordpress/44774/cyber-crime/angler-ek-silverlight-exploit.html
https://blog.qualys.com/securitylabs/2016/01/14/hunting-for-vulnerable-functions-in-microsoft-silver...
http://www.zdnet.com/article/microsoft-silverlight-exploit-spotted-in-angler-kit/
http://www.zdnet.com/article/kaspersky-lab-discovers-silverlight-zero-day-vulnerability/
http://news.softpedia.com/news/hackers-wasted-their-time-adding-a-silverlight-exploit-to-the-angler-...
https://www.scmagazine.com/as-kaspersky-labs-researchers-predicted-exploits-of-silverlight-vulnerabi...
http://blog.morphisec.com/javascript-in-ie-overtakes-flash-as-number-one-target-for-angler-exploit-k...
https://threatpost.com/new-silverlight-attacks-appear-in-angler-exploit-kit/116409/
https://arstechnica.com/security/2016/02/malicious-websites-exploit-silverlight-bug-that-can-pwn-mac...
http://www.darkreading.com/vulnerabilities---threats/kaspersky-caught-scent-of-silverlight-zero-day-...
Integer overflow
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to integer overflow. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Adobe Flash Player
Known/fameous malware:
Exploit kits: Angler, Neutrino, Nuclear Pack and RIG
Links:
https://helpx.adobe.com/security/products/flash-player/apsb16-01.html
https://blogs.forcepoint.com/security-labs/popular-site-leads-angler-ek-cve-2015-8651-flash-player-e...
https://www.symantec.com/security_response/writeup.jsp?docid=2015-122818-3536-99&tabid=2
https://blogs.forcepoint.com/security-labs/popular-site-leads-angler-ek-cve-2015-8651-flash-player-e...
https://krebsonsecurity.com/tag/cve-2015-8651/
https://blogs.technet.microsoft.com/mmpc/2016/06/20/reverse-engineering-dubniums-flash-targeting-exp...
https://krebsonsecurity.com/tag/cve-2015-8651/
https://www.scmagazine.com/adobe-issues-critical-flash-player-patch/article/533434/
http://vulnerablespace.blogspot.com/2016/06/malware-analysing-and-repurposing-rigs.html
https://blog.qualys.com/laws-of-vulnerabilities/2015/12/28/last-adobe-0-day-patched-for-the-year
https://www.reddit.com/r/ReverseEngineering/comments/43a1i5/an_analysis_on_the_principle_of_cve20158...
http://www.securityweek.com/adobe-issues-emergency-patch-flash-zero-day-under-attack
http://securityaffairs.co/wordpress/43131/cyber-crime/adobe-flash-zero-day.html
http://securityaffairs.co/wordpress/54120/reports/exploit-kits-top-flaws.html
https://blog.malwarebytes.com/threat-analysis/exploits-threat-analysis/2016/07/a-look-into-some-rig-...
http://www.darkreading.com/vulnerabilities---threats/here-are-4-vulnerabilities-ransomware-attacks-a...
https://www.recordedfuture.com/recent-ransomware-vulnerabilities/
http://resources.infosecinstitute.com/most-exploited-vulnerabilities-by-whom-when-and-how/#gref
http://neurogadget.net/2016/12/08/adobe-flash-player-bugs-issues-exploits-computers/48666
http://thehackernews.com/2015/12/adobe-flash-security-update.html
http://www.theregister.co.uk/2015/12/28/adobe_flash_security_update/
https://www.solutionary.com/resource-center/blog/2015/12/adobe-flash-player-vulnerability/
http://wccftech.com/flash-player-receives-emergency-security-patch/
http://news.softpedia.com/news/adobe-fixes-flash-zero-day-bug-discovered-by-huawei-498184.shtml
Information disclosure
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.Revealed during source code review by the vendor.
Software: Juniper ScreenOS
Links:
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&cat=SIRT_1&actp=LIST
https://blog.cryptographyengineering.com/2015/12/22/on-juniper-backdoor/
http://securityaffairs.co/wordpress/42983/hacking/juniper-backdoor-attacks-honeypot.html
https://adamcaudill.com/2015/12/17/much-ado-about-juniper/
http://www.dmnews.com/news-bytes/juniper-warns-of-two-attacks-of-unauthorised-code-on-its-routers/ar...
http://resources.infosecinstitute.com/infosec-year-end-highlights/#gref
https://www.wired.com/2015/12/researchers-solve-the-juniper-mystery-and-they-say-its-partially-the-n...
https://thehackernews2.blogspot.com/2016/12/backdoor-found-in-sonys-ip-security.html
http://blogs.splunk.com/2016/01/05/discover-and-monitor-juniper-vulnerability-cve-2015-7755-exploits...
http://www.securityweek.com/juniper-firewall-backdoor-password-found-6-hours
http://www.theregister.co.uk/2015/12/20/juniper_details_two_attacks_from_unauthorised_code/
Authentication bypass
The vulnerability allows a remote attacker to bypass authentication on the target system.Revealed during source code review by the vendor.
Software: Juniper ScreenOS
Links:
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10713&cat=SIRT_1&actp=LIST
https://blog.cryptographyengineering.com/2015/12/22/on-juniper-backdoor/
http://securityaffairs.co/wordpress/42983/hacking/juniper-backdoor-attacks-honeypot.html
https://adamcaudill.com/2015/12/17/much-ado-about-juniper/
http://www.dmnews.com/news-bytes/juniper-warns-of-two-attacks-of-unauthorised-code-on-its-routers/ar...
http://resources.infosecinstitute.com/infosec-year-end-highlights/#gref
https://www.wired.com/2015/12/researchers-solve-the-juniper-mystery-and-they-say-its-partially-the-n...
https://thehackernews2.blogspot.com/2016/12/backdoor-found-in-sonys-ip-security.html
http://blogs.splunk.com/2016/01/05/discover-and-monitor-juniper-vulnerability-cve-2015-7755-exploits...
http://www.securityweek.com/juniper-firewall-backdoor-password-found-6-hours
http://www.theregister.co.uk/2015/12/20/juniper_details_two_attacks_from_unauthorised_code/
Remote PHP code execution
The vulnerability allows a remote attacker to execute arbitrary PHP code on the target system.
The vulnerability exists due to insufficient filtration of HTTP User-Agent header and filter-search HTTP POST parameter before storing them into database. A remote unauthenticated attacker can permanently inject and execute arbitrary PHP code on the target system with privileges of the web server.
Successful exploitation of this vulnerability will allow a remote attacker to gain complete control over the vulnerable web application and execute arbitrary PHP code on the target system.
Note: this is a zero-day vulnerability and it is being exploited in the wild.
The vulnerability was used to compromise vulnerable websites for 16000 (sometimes - 20000) times per day.
Software: Joomla!
Links:
https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.h...
https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-0-Day-Exploited-In-the-Wild-(CVE-2015-856...
https://www.masergy.com/blog/joomla-remote-code-execution-vulnerability-cve-2015-8562
http://securityaffairs.co/wordpress/43108/cyber-crime/cve-2015-8562-joomla-flaw.html
https://www.liquidweb.com/kb/protecting-joomla-sites-against-cve-2015-8562/
https://security.berkeley.edu/news/joomla-core-150-345-remote-code-execution-cve-2015-8562
http://www.webhostingtalk.com/showthread.php?t=1536679
http://jaitsec.blogspot.com/2015/12/testing-joomla-for-cve-2015-8562.html
http://www.securityweek.com/vulnerable-joomla-servers-see-16000-daily-attacks
http://blogs.quickheal.com/joomla-exploit-cve-2015-8562-still-at-large/
http://news.softpedia.com/news/latest-joomla-vulnerability-targeted-by-attackers-16-600-times-per-da...
Memory corruption
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The vulnerability exists due to boundary error when handling of objects in kernel memory. A local attacker can execute a specially crafted program, trigger memory corruption and gain SYSTEM privileges.
Successful exploitation of this vulnerability results in privilege escalation on the vulnerable system.
Note: the vulnerability was being actively exploited.
Software: Windows
Links:
https://www2.trustwave.com/rs/815-RFM-693/images/2016%20Trustwave%20Global%20Security%20Report.pdf
https://technet.microsoft.com/library/security/ms15-135
https://www.symantec.com/security_response/vulnerability.jsp?bid=78514
http://www.securityweek.com/microsoft-patches-windows-office-flaws-exploited-wild
Security bypass
The vulnerability allows a remote attacker to bypass security restrictions on the target system.The weakness exists due to unknown error related to the Java SE Deployment component. A remote attacker can bypass the click-to-play protection in Java.
Successful exploitation of the vulnerability results in security bypass on the vulnerable system.
Note: the vulnerability was being actively exploited.
Exploited by the Fancy Bear APT.
This was quite useful in Pawn Storm, as it used exploits targeting these vulnerabilities to carry out targeted attacks against North Atlantic Treaty Organization (NATO) members and the White House earlier this year.
Software: Oracle Java SE
Links:
http://blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day...
https://blog.qualys.com/laws-of-vulnerabilities/2015/10/21/oracle-critical-patch-update-october-2015
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html http://resources.infosecinstitute.com/the-shadow-of-the-russian-cyber-army-behind-the-2016-president...
Type confusion
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to type confusion error. A remote attacker can create a specially crafted Web site, trick the victim into visiting it, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation results in arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Was used in Pawn Storm Campaign Targeting Foreign Affairs Ministries. Exploited by the Fancy Bear APT.
The vulnerability was reported by Peter Pi of Trend Micro.
Software: Adobe Flash Player
Known/fameous malware:
Exploit Kits: Angler, Hunter, Magnitude, Neutrino, Nuclear Pack, RIG, Spartan.
Links:
https://helpx.adobe.com/security/products/flash-player/apsa15-05.html
https://helpx.adobe.com/security/products/flash-player/apsb15-27.html
http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-sto...
http://resources.infosecinstitute.com/the-shadow-of-the-russian-cyber-army-behind-the-2016-president...
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=28924
https://www.symantec.com/security_response/writeup.jsp?docid=2015-101903-5534-99
https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=869
http://www.theregister.co.uk/2016/12/08/need_xmas_ideas_try_cve20157645_a_flash_gift_that_keeps_on_g...
http://www.securityweek.com/adobe-patches-flash-zero-day-exploited-pawn-storm
http://vulnerablespace.blogspot.com/2016/04/malware-analysing-and-repurposing.html
https://blog.malwarebytes.com/threat-analysis/2015/10/new-flash-player-zero-day-in-the-wild/
https://arstechnica.com/security/2015/10/new-zero-day-exploit-hits-fully-patched-adobe-flash/
http://securityaffairs.co/wordpress/41123/cyber-crime/flash-zero-day-exploit.html
http://www.infoworld.com/article/3046531/security/ransomware-targets-flash-and-silverlight-vulnerabi...
https://www.tripwire.com/state-of-security/latest-security-news/flash-player-zero-day-patched-by-ado...
http://www.welivesecurity.com/2015/10/15/adobe-flash-zero-day/
https://threatpost.com/emergency-adobe-flash-zero-day-patch-arrives-ahead-of-schedule/115073/
http://thehackernews.com/2015/10/flash-patch-update.html
https://www.scmagazine.com/adobe-addresses-latest-flash-player-zero-day-vulnerability/article/533522...
Arbitrary code execution
The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper handling of Media Center link (.mcl) files. A remote attacker can create a specially crafted Media Center link (.mcl) file that references malicious code, trick the victim into opening it and execute arbitrary code with privileges of the current user.
Successful exploitation of this vulnerability results in system compromise.Note: the vulnerability was being actively exploited.
This vulnerability is related to a previously unreported zero-day exploit discovered in the Hacking Team leaked emails. Trend Micro researchers (Aaron Luo, Kenney Lu, and Ziv Chang) discovered the exploit and subsequently reported their findings to Microsoft.
Software: Windows Media Center
Links:
https://www2.trustwave.com/rs/815-RFM-693/images/2016%20Trustwave%20Global%20Security%20Report.pdf
http://blog.trendmicro.com/trendlabs-security-intelligence/windows-media-center-hacking-team-bug-fix...
https://technet.microsoft.com/library/security/ms15-100
http://www.cio.com/article/2982358/microsoft-patches-yet-another-hacking-team-zero-day-exploit.html
http://blog.trendmicro.com/trendlabs-security-intelligence/windows-media-center-hacking-team-bug-fix...
http://resources.infosecinstitute.com/exploiting-ms15-100-cve-2015-2509/#gref
http://www.csoonline.com/article/2982487/vulnerabilities/microsoft-patches-yet-another-hacking-team-...
http://securityaffairs.co/wordpress/40019/hacking/windows-media-center-ht-bug.html
https://vulners.com/metasploit/MSF:EXPLOIT/WINDOWS/FILEFORMAT/MS15_100_MCL_EXE
https://www.symantec.com/security_response/vulnerability.jsp?bid=76594
http://www.pcworld.com/article/2982361/microsoft-patches-yet-another-hacking-team-zero-day-exploit.h...