CERT-EU - Publications - Security Advisories

2022-087: Critical Vulnerability in Citrix Gateway and Citrix ADC

Tuesday, December 13, 2022 04:50:00 PM CET

On December 13, 2022, Citrix released a Security Bulletin regarding a critical vulnerability CVE-2022-27518 affecting its Citrix Gateway and Citrix ADC products. If exploited, this vulnerability can enable an unauthenticated remote attacker to perform arbitrary code execution on the appliance. According to NSA, the vulnerability is being exploited by APT5 group. APT5 is also known to have exploited Pulse Secure VPN vulnerabilities in 2021. It is then highly recommended to install the last security updates.

2022-086: Remote Code Execution Vulnerability in FortiOS SSL-VPN

Tuesday, December 13, 2022 01:50:00 PM CET

On December 12, 2022, Fortinet released an advisory concerning a heap-based buffer overflow critical vulnerability in FortiOS SSL-VPN that could allow may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. This vulnerability CVE-2022-42475 has the CVSS score of 9.3.
Fortinet is aware of one instance where this vulnerability was exploited in the wild. They do not believe this to be trivial to exploit, however they are advising customers using SSL-VPN to upgrade immediately.

2022-085: Type Confusion Vulnerability in Chrome Browser

Monday, December 05, 2022 02:10:00 PM CET

On December 2, 2022, Google released a new version of its Chrome browser fixing a high-severity flaw, identified by "CVE-2022-4262" that could allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. Google is aware of reports that an exploit for CVE-2022-4262 exists in the wild. It is highly recommended to apply the update.

2022-084: Critical Vulnerability in Visual Studio Code

Friday, December 02, 2022 11:40:00 AM CET

On November 22, Microsoft published a security advisory about a Remote Code Execution vulnerability in Visual Studio Code. The severity is rated critical as a remote code execution vulnerability exists in VS Code 1.71 and earlier versions for malicious notebooks. These notebooks could use command URIs to execute arbitrary commands, including potentially dangerous commands.

2022-083: Critical Vulnerabilities in NVIDIA GPU Display Driver

Thursday, December 01, 2022 05:50:00 PM CET

On November 28, NVIDIA released a software security update for its GPU display driver for Windows, containing a fix for a high-severity flaw that threat actors can exploit to perform, among other things, code execution and privilege escalation.

2022-082: Multiple Vulnerabilities in SolarWinds Platform

Thursday, December 01, 2022 05:50:00 PM CET

On November 22, SolarWinds released a patch note for SolarWinds Platform 2022.4 fixing 7 vulnerabilities including 4 high rated vulnerabilities that could lead to arbitrary commands executed.

2022-081: Critical Vulnerabilities in Atlassian Products

Friday, November 18, 2022 04:30:00 PM CET

On November 16, 2022, Atlassian released two advisories for critical vulnerabilities in the Crowd Server and Data Center identity management platform, and in Bitbucket Server and Data Center. Tracked as "CVE-2022-43782", the first vulnerability allows an attacker to authenticate as the Crowd application and subsequently call privileged endpoints on the Crowd platform. The second vulnerability, tracked as "CVE-2022-43781", is a command injection vulnerability in BitBucket that lets an attacker with permission to control their username to exploit this issue and execute arbitrary code on the system.

2022-080: Remote Code Execution Vulnerabilities in F5 Products

Friday, November 18, 2022 11:30:00 AM CET

On November 16, 2022, F5 released an advisory on F5 Big-IP and Big-IQ concerning two CVE with high severity. The first one, "CVE-2022-41622", is a cross-site request forgery (CSRF), for which the exploitation can allow an unauthenticated attacker to perform critical actions on the system, even if the management interface is not exposed on the Internet. The second vulnerability, "CVE-2022-41800", can allow an attacker with administrative privileges to execute arbitrary commands on the device.

2022-079: Exploited 0-days and Critical Vulnerabilities in Microsoft Windows

Wednesday, November 09, 2022 12:30:00 PM CET

On November 8, 2022, Microsoft released its Patch Tuesday advisory which contains information about 68 flaws, for which 11 are rated as critical, and 6 are exploited 0-day vulnerabilities. The exploitation of these vulnerabilities could lead to elevation of privilege, security feature bypass, remote code execution, information disclosure, denial of service and spoofing. It is highly recommended applying the fixes as soon as possible.

2022-078: Severe Vulnerabilities in Citrix Gateway and Citrix ADC

Wednesday, November 09, 2022 10:25:00 AM CET

On November 8, 2022, Citrix released a Security Bulletin regarding three severe vulnerabilities affecting its Citrix Gateway and Citrix ADC products. Under specific configurations, the three vulnerabilities can enable attackers to gain unauthorised access to the device, perform remote desktop takeover, or bypass the login brute force protection. It is highly recommended installing the last security updates.

2022-077: Several High Vulnerabilities in Splunk Enterprise

Friday, November 04, 2022 03:55:00 PM CET

On November 2, 2022, Splunk released the quarterly Security Patch Update which included nine HIGH severity vulnerabilities. The most severe vulnerabilities, which have a CVSS score of "8.8" out of 10, are "CVE-2022-43571" for Remote Code Execution (RCE) through dashboard PDF generation component, "CVE-2022-43570" for XML External Entity Injection through a custom View and "CVE-2022-43568" for Reflected Cross-Site Scripting via the radio template.

2022-076: Critical Vulnerability in VMware Cloud Foundation

Monday, October 31, 2022 10:20:00 AM CET

On October 25, 2022, VMWare released a new version of Cloud Foundation (NSX-V) fixing a critical Remote Code Execution vulnerability. VMware has confirmed that exploit code leveraging "CVE-2021-39144" against impacted products has been published. It is highly recommended applying the last version.

2022-075: Type Confusion Vulnerability in Chrome Browser

Friday, October 28, 2022 05:30:00 PM CEST

On October 27, 2022, Google released a new version of its Chrome browser fixing a high-severity flaw, identified by "CVE-2022-3723". Google is aware of reports that an exploit for CVE-2022-3723 exists in the wild. It is highly recommended to apply the update.

2022-074: DoS Vulnerabilities in Pulse Secure Products

Friday, October 28, 2022 10:25:00 AM CEST

On October 13, 2022, Ivanti released an advisory regarding two vulnerabilities affecting Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), and Ivanti Neurons for Zero-Trust Gateway that could lead to DoS conditions if exploited. It is recommended to upgrade to the latest version of these products.

2022-073: UPDATE: OpenSSL Critical Vulnerability

Tuesday, November 01, 2022 09:55:00 PM CET

On November 1, 2022, the OpenSSL project team has released a new version of the openssl library version 3. The version 3.0.7 fixes two HIGH vulnerabilities, CVE-2022-3602 and CVE-2022-3786, that could lead to Denial of Service conditions, or Remote Code Execution in some cases. It is recommended upgrading openssl to the last versions. Proof of concepts are now available.

2022-072: Apache Commons Text Vulnerability

Wednesday, October 19, 2022 11:00:00 AM CEST

A vulnerability, tracked as CVE-2022-42889 with a CVSS score of 9.8 was found in Apache Commons Text packages in versions 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Commons Text, which can cause properties to be dynamically defined. Server applications are vulnerable to remote code execution (RCE) and unintentional contact with untrusted remote servers

2022-071: Junos OS: Multiple Vulnerabilities in J-Web

Monday, October 17, 2022 01:50:00 AM CEST

Multiple vulnerabilities have been found in the J-Web component of Juniper Networks Junos OS. One or more of these issues could lead to unauthorized local file access, cross-site scripting attacks, path injection and traversal, or local file inclusion.

2022-070: UPDATE: FortiOS and FortiProxy Critical Vulnerability

Friday, October 14, 2022 11:30:00 AM CEST

On 10th of October, 2022, Fortinet released a security advisory to warn about a critical vulnerability (CVSS v3 score: 9.6), tracked as CVE-2022-40684, impacting the FortiOS, FortiProxy and FortiSwitchManager. The exploitation of this vulnerability allows an unauthenticated attacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests.
Fortinet is aware of at least one instance where this vulnerability was exploited and hence it is recommended to remediate this vulnerability with the utmost urgency.
A proof-of-concept (PoC) exploit and a technical root cause analysis for this vulnerability has been published by the Horizon3.ai security researchers.

2022-069: UPDATE: Remote Code Execution in Zimbra Collaboration Suite

Friday, October 14, 2022 10:30:00 AM CEST

In September 2022, a remote code execution vulnerability similar to CVE-2022-30333 (SA2022-063) was reported for Zimbra Collaboration Suite. Tracked as CVE-2022-41352 since September 25, 2022, this yet-unpatched flaw is due to an unsafe use of a vulnerable "cpio" utility by the Zimbra's antivirus engine Amavis. The exploitation of this vulnerability allows a remote unauthenticated attacker to execute arbitrary code on a vulnerable Zimbra instance.
Proof of Concepts (POC) are publicly available for this vulnerability and reported actively exploited.

2022-068: UPDATE: New Microsoft Exchange Zero-Day Vulnerabilities

Wednesday, December 21, 2022 01:50:00 PM CET

On September 28, 2022, the security researchers at Vietnamese cybersecurity vendor GTSC published a blog post claiming they have discovered an attack campaign which utilised two zero-day bugs in Microsoft Exchange that could allow an attacker a remote code execution. The attackers are chaining the pair of zero-days to deploy web shells, notably China Choppers, on compromised servers for persistence and data theft, as well as move laterally to other systems on the victims' networks.
Microsoft had identified the vulnerabilities as CVE-2022-41040, a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. CrowdStrike recently discovered a new exploit method (called OWASSRF) consisting of CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) through Outlook Web Access (OWA).

2022-067: Critical WhatsApp Vulnerabilities

Friday, September 30, 2022 02:12:00 PM CEST

WhatsApp has patched two remote code execution vulnerabilities in its September update. These could have allowed an attacker to remotely access a device and execute commands. The vulnerabilities were discovered by WhatsApp internal security team and there are no indications that these have already been exploited.

2022-066: Vulnerabilities affecting multiple versions of the BIND 9

Tuesday, September 27, 2022 02:05:00 PM CEST

On September 21, 2022, the Internet Systems Consortium (ISC) has released security advisories that address vulnerabilities affecting multiple versions of the ISC’s Berkeley Internet Name Domain (BIND) 9. A remote attacker could exploit these vulnerabilities to potentially cause denial-of-service conditions.

2022-065: RCE Vulnerability in Sophos Firewall

Monday, September 26, 2022 12:20:00 PM CEST

On September 23, 2022, Sophos warned about a critical code injection security vulnerability in the company’s Firewall product that is being exploited in the wild. They observed the vulnerability being used to target a small set of specific organisations, primarily in the South Asia region.

2022-064: Multiple Critical Vulnerabilities in Microsoft Products

Thursday, September 15, 2022 11:00:00 AM CEST

On the 13th of September, Microsoft released its September 2022 Patch Tuesday advisory including fixes for 2 zero-day vulnerabilities identified "CVE-2022-37969" and "CVE-2022-23960" which affect several Windows system versions.
The patch also contains fixes for five critical vulnerabilities affecting Microsoft Dynamics, Windows IKE Extension and Windows TCP/IP.
It is highly recommended to patch the affected devices.

2022-063: Path Traversal Vulnerability in Unrar affects Zimbra software

Wednesday, August 31, 2022 02:55:00 PM CEST

In May 2022, security research team from SonarSource discovered a 0-day vulnerability in the "unrar" utility for Linux and Unix systems. This utility is a third party tool used in Zimbra. The exploitation of this vulnerability allows a remote attacker to execute arbitrary code on a vulnerable Zimbra instance without requiring any prior authentication or knowledge about it.

Proof of Concepts (POC) are now publicly available as well as a metasploit module.

2022-062: Remote Command Execution Vulnerability in Gitlab

Thursday, August 25, 2022 11:58:00 AM CEST

On the 22nd of August 2022, GitLab released a security advisory regarding a Remote Command Execution affecting its products. This vulnerability exists in the "import via Github" functionality. Exploiting this vulnerability, allows an authenticated user to achieve remote code execution on the affected server.

2022-061: Reflected Amplification DoS Vulnerability in PAN-OS

Thursday, August 11, 2022 01:35:00 PM CEST

On August 10, 2022, PaloAlto released a security advisory regarding a Denial-of-Service (DoS) vulnerability affecting PAN-OS. Exploiting this vulnerability, a network-based attacker would be able to obfuscate its identity and implicate the vulnerable firewall as the source of an attack.
While some software updates are not yet available, some mitigation and workarounds are available and should be applied as soon as possible.

2022-060: Multiple Critical Vulnerabilities in Microsoft Products

Wednesday, August 10, 2022 02:20:00 PM CEST

On August 9, Microsoft released its August 2022 Patch Tuesday advisory including fixes for 2 zero-day vulnerabilities identified "CVE-2022-34713" and "CVE-2022-30134", which affect respectively Microsoft Windows Support Diagnostic Tool (MSDT) and Microsoft Exchange Server.
The patch also contains fixes for 17 critical vulnerabilities affecting Active Directory Domain Services, Azure Batch Node Agent, Microsoft Exchange Server, Remote Access Service Point-to-Point Tunneling Protocol, Windows Hyper-V and Windows Kernel (SMB Client and Server), Windows Point-to-Point Tunneling Protocol and Windows Secure Socket Tunneling Protocol (SSTP).
It is highly recommended patching affected devices

2022-059: Critical Vulnerabilities in Cisco VPN Routers

Thursday, August 04, 2022 12:15:00 PM CEST

On August 3, Cisco released a security advisory and patches regarding several critical vulnerabilities affecting Cisco VPN routers.

It is highly recommended upgrading affected appliances as soon as possible.

2022-058: Critical Shell Command Injection Vulnerability in Apache Spark

Wednesday, August 03, 2022 09:15:00 AM CEST

On July 18, Apache Spark released a security bulletin regarding a newly found critical vulnerability within Apache Spark's ACL implementation, tracked as CVE-2022-33891 and with a CVSS score of 8.8 out of 10. The flaw was discovered by a security researcher, with the proof of concept (PoC) exploit already available on GitHub and exploitation attempts in the wild being detected since, at least, July 26th.

Apache Spark is an open-source, unified engine for large-scale data analytics, which executes data engineering, data science, and machine learning tasks. Additionally, it provides high-level APIs in multiple programming languages.

2022-057: Critical Vulnerability in VMware Products

Wednesday, August 03, 2022 09:15:00 AM CEST

On August 2, 2022, multiple critical vulnerabilities were reported by VMware. Exploitation of these vulnerabilities may lead to an unauthenticated remote code execution on the affected servers.

2022-056: Critical Vulnerabilities In Samba

Monday, August 01, 2022 05:01:00 PM CEST

On June 27, 2022, The Samba Team has released security updates to address several vulnerabilities in their product. Exploitation of these vulnerabilities may allow an attacker to cause a DoS condition, data leakage, or even to take control of all the domain.

2022-055: Possible Information Disclosure in MobileIron for Android

Thursday, July 28, 2022 04:26:00 PM CEST

The problem affects Android users using MobileIron and having Use smart send option enabled in Email+ client. When "User A" forwards/replies email to "User B", "User B" receives a different email body instead of original email. This could lead to information disclosure especially in case of receipients being outside of the sender's organisation.

2022-054: Critical SQL Injection Vulnerability

Monday, July 25, 2022 04:21:00 PM CEST

On July 21st, 2022, SonicWall released security patches for their Analytics On-Prem and GMS products, addressing a critical SQL injection flaw. Currently, no reports of a proof of concept (PoC) have been made public and there is no active exploitation in the wild. Nevertheless, immediate update to the patched versions is recommended.

2022-053: Oracle Critical Patch Update - July 2022

Monday, July 25, 2022 09:48:00 AM CEST

On July 19th, 2022, Oracle released their quarterly Critical Patch Update advisory, a collection of patches that addresses multiple critical security flaws, affecting several of their products. Many of these vulnerabilities may be remotely exploited without the need for user credentials. It is therefore highly recommended to apply the security patches without delay.

2022-052: UPDATE: Critical Vulnerability in Questions for Confluence

Tuesday, August 02, 2022 02:45:00 PM CEST

On July 20th, Atlassian released a security advisory to address a critical vulnerability that affects the Questions for Confluence app. Having the app enabled on Confluence Server or Data Center, it creates the Confluence user account "disabledsystemuser". The account is is intended to aid administrators, and it is created with a hardcoded password and is added to the "confluence-users" group, which allows viewing and editing all non-restricted pages within Confluence by default. A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the "confluence-users" group has access to.

[UPDATE] The "disabledsystemuser" account is configured with a third party email address that is not controlled by Atlassian, meaning that an affected instance configured to send notifications, will e-mail that address and potentially disclosing information.

The hardcoded password was publicly disclosed by an external party in Twitter on July 21st, which makes the exploitation in the wild highly likely, therefore immediate update to a patched version is highly recommended.

2022-051: Cisco Nexus Dashboard Multiple Vulnerabilities

Friday, July 22, 2022 05:19:00 PM CEST

On July 20th, Cisco released a security advisory, that addresses one Critical and two High severity vlnerabilities found in Cisco Nexus Dashboard. The vulnerabilities could allow an unauthenticated remote attacker to execute arbitrary commands, read or upload container image files, or perform a cross-site request forgery attack. Cisco's Product Security Incident Response Team (PSIRT) is not aware of any active exploitation of these vulnerabilities in the wild and the company has released software updates to address these vulnerabilities.

2022-050: Multiple Critical Vulnerabilities in Microsoft Products

Thursday, July 14, 2022 09:15:00 AM CEST

On the 12th of July, Microsoft released July's 2022 Patch Tuesday including fixes for one actively exploited zero-day vulnerability and a total of 84 flaws. A zero-day vulnerability tracked as CVE-2022-22047 concerns a Windows CSRSS elevation of privilege, allowing an attacker to gain SYSTEM privileges. Out of the 84 other security flows, four of them are classified as Critical, as they allow remote code execution. These critical vulnerabilities affect Microsoft Graphics Component, Windows Network File System and Windows Remote Procedure Call. They are tracked as CVE-2022-22029, CVE-2022-22039, CVE-2022-22038 and CVE-2022-30221. Bleeping Computer released a full report, listing all the vulnerabilities assessed by Microsoft Security Updates, and giving a description of each vulnerability and also the systems that it affects.

2022-049: TheHive Unauthentified API Endpoint Leaking Data

Tuesday, July 05, 2022 01:35:00 PM CEST

On the 4th of July 2022, StrangeBee published an advisory about a critical vulnerability that, if exploited, could leak sensitive information about current activities in TheHive (creation, modification, deletion of any object). It is strongly recommended to update to the latest versions available.

2022-048: Critical Remote Code Execution Vulnerability in GitLab

Monday, July 04, 2022 05:30:00 PM CEST

On June 30, 2022, GitLab released new software versions that fix several vulnerabilities, one of which is a critical remote command execution vulnerability identified "CVE-2022-2185", with a CVSS score of 9.9 out of 10. It is highly recommended to upgrade GitLab servers to the latest available version.

2022-047: Jira Full-Read SSRF Vulnerability

Friday, July 01, 2022 11:36:00 PM CEST

On June 29th, Atlassian published a security advisory for a high severity security vulnerability in Mobile Plugin for Jira Data Center and Server. The vulnerability allows a remote authenticated user to perform a full read server-side request forgery via a batch endpoint. This vulnerability is tracked as CVE-2022-26135. Atlassian rates the severity level of this vulnerability as high, according to their published scale (7.0 - 8.9).

2022-046: Critical PHP Flaw Exposes QNAP NAS Devices to RCE Attacks

Wednesday, June 22, 2022 06:36:00 PM CEST

On 22nd of June 2022, QNAP published an advisory about specific products that are vulnerable to remote code execution (RCE) when certain conditions are met. The CVE-2019-11043 is reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11. In certain configurations of FPM setup, it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

2022-045: TheHive and Cortex Active Directory Authentication Bypass

Wednesday, June 22, 2022 06:03:00 PM CEST

On 22nd of June 2022 StrangeBee published an advisory about a critical vulnerability in the Active Directory (AD) authentication module of TheHive.
The vulnerability allows impersonating any account on the platform, including administrators. The exploit is possible if the configured AD is on-premise. If the Active Directory authentication module is not enabled nor configured, or if Azure AD is used, the system is not vulnerable.

2022-044: MS-DFSNM NTLM Relay Attack for Windows Domain Takeover

Tuesday, June 21, 2022 11:18:00 AM CEST

On the 18th of June 2022, a security researcher published a proof of concept for MS-DFSNM coerce authentication using "NetrDfsRemoveStdRoot" method. This type of attack allows Windows domain takeover. To coerce a remote server to authenticate against a malicious NTLM relay, threat actors could use various methods, including the MS-RPRN, MS-EFSRPC (PetitPotam), and MS-FSRVP protocols.

2022-043: Critical Vulnerability in Citrix ADM

Friday, June 17, 2022 02:44:00 PM CEST

On the 14th of June 2022, Citrix released security updates to address vulnerabilities in Application Delivery Management that could allow an unauthenticated attacker to log in as administrator.
All supported versions of Citrix ADM server and Citrix ADM agent are affected by this vulnerability.

2022-042: Critical Vulnerability in Windows NFS

Wednesday, June 15, 2022 04:09:00 PM CEST

On the 14th of June 2022, Microsoft - as part of the June Patch Tuesday release - has issued several (55) security fixes for various vulnerabilities. Among others, the update fixes the critical vulnerability "CVE-2022-30136" which is a RCE vulnerability in the network file system (NFS). The vulnerability can be exploited by an unauthenticated attacker using a specially crafted call to a NFS service. The vulnerability is not exploitable in NFSV2.0 or NFSV3.0.
There is no evidence that this vulnerability is exploited in the wild. However, it is recommended to patch as soon as possible.

2022-041: Critical Vulnerability in GitLab

Friday, June 03, 2022 11:45:00 PM CEST

On June 1, 2022, GitLab released updates fixing several vulnerabilities, one of which could lead to Account Take Over. This critical vulnerability is identified "CVE-2022-1680" with a severity score of 9.9 out of 10.

2022-040: UPDATE: Critical Remote Code Execution Vulnerability in Confluence

Friday, June 03, 2022 09:37:00 AM CEST

On June 2, 2020, Confluence released an advisory about a critical vulnerability, identified "CVE-2022-26134" with a severity score of 10 out of 10, which could lead to unauthenticated Remote Code Execution if exploited.
There is active exploitation of this vulnerability leading to installation of webshells and crypto-miners. Moreover, a POC of the vulnerability exploitation is now publicly available.

2022-039: UPDATE: Follina Vulnerability in Microsoft Office Products

Monday, May 30, 2022 12:59:00 PM CEST

On the 29th of May 2022, the Nao_Sec team, an independent Cyber Security Research Team, discovered a malicious Office document shared on Virustotal. This document is using an unusual, but known scheme to infect its victims. The scheme was not detected as malicious by some EDR, like Microsoft Defender for Endpoint. This vulnerability could lead to code execution without the need of user interaction, as it does not involve macros, except if the "Protected View" mode is enabled and the "Preview mode" is disabled in Windows Explorer.
On the 30th of May 2022, Microsoft started to track this vulnerability identified "CVE-2022-30190" (aka Follina) with a severity score of 7.8 out of 10.
On the 14th of June 2022, Microsoft has released security updates as part of June Patch Tuesday. One of the fixes applies to this actively exploited vulnerability. This update does not prevent Microsoft Office tools from loading Windows protocol URI handlers without user interaction, but will instead block PowerShell injection and disable this attack vector.

2022-038: Zoom Vulnerabilities

Friday, May 27, 2022 04:29:00 PM CEST

On the 17th of May 2022, Zoom released an advisory about two high vulnerabilities. They are tracked as CVE-2022-22786 with a CVSS score of 7.5 and CVE-2022-22784 with a CVSS score of 8.1. A successful exploitation of both of these vulnerabilities could be used in a more sophisticated attack to trick a user into downgrading their Zoom client to a less secure version and to forge XMPP messages from the server, respectively.

2022-037: Path Traversal SPL Injection in Splunk Products

Friday, May 20, 2022 07:48:00 PM CEST

On May 3rd, 2022, Splunk released a security advisory for path traversal in search parameter that can potentiall allow external content injection. An attacker can cause the application to load data from incorrect endpoints, URLs leading to outcomes such as running arbitrary SPL queries.
A vulnerability was found in Splunk Enterprise up to 8.1.1 and it has been declared as critical and named CVE-2022-26889.

2022-036: UPDATE: Critical Vulnerabilities in VMware Products

Thursday, May 19, 2022 10:57:00 AM CEST

On the 18th of May 2022, VMware released an advisory about two critical vulnerabilities. Tracked as CVE-2022-22972 and CVE-2022-22973 with a respective CVSS score of 9.8 and 7.8, a successful exploitation of these vulnerabilities allows an unauthenticated attacker to achieve an authentication bypass affecting local domain users and a privilege escalation gaining "root" access.
On the 25th of May 2022, security researchers at attack surface assessment company Horizon3 announced that they managed to create a working proof-of-concept (PoC) exploit code for CVE-2022-22972 and will likely release a technical report at the end of the week. No technical details have been released yet, but the plan includes publishing exploit code that demonstrates the attack vector.
It is strongly recommended to apply the patches as soon as possible.

2022-035: Critical Remote Code Execution in Zyxel Products

Tuesday, May 17, 2022 10:02:00 AM CEST

In April 2022, a security researcher from Rapid7 discovered and reported a vulnerability that affects Zyxel firewall and VPN devices for business (advisory publicly released on 12th May 2022). Tracked as CVE-2022-30525 with a CVSS score of 9.8, a successful exploitation of this vulnerability allows an unauthenticated and remote attacker to achieve code execution as the "nobody" user.
A public exploit is available and a module had been added to the Metasploit penetration testing framework. This vulnerability is currently exploited in the wild by attackers to get access to information systems.
It is strongly recommended to apply the vendor patch as soon as possible.

2022-034: UPDATE: Multiple Critical Vulnerabilities in Microsoft Products

Wednesday, May 11, 2022 03:53:00 PM CEST

On May 11th, Microsoft issued May 2022 Patch Tuesday including fixes for three zero-day vulnerabilities and 75 flaws. Among the zero-days, the vulnerability tracked as CVE-2022-26925 is actively exploited in the wild. It is a new NTLM Relay Attack using an LSARPC flaw, allowing an unauthenticated attacker to coerce the domain controller to authenticate to the attacker using NTLM. The two other zero-days are a denial of service vulnerability in Hyper-V, tracked as CVE-2022-22713, and new remote code execution vulnerability in Azure Synapse and Azure Data Factory, tracked as CVE-2022-29972 and presented in CERT-EU Security Advisory 2022-033.
Out of the 75 flaws, eight are classified as Critical, allowing remote code execution or elevation of privilege. These vulnerabilities affect a lot of different Microsoft components, including Excel, Windows LDAP, Remote Desktop Protocol, LSA and others.
Bleepingcomputer released a full report, listing all the vulnerabilites assessed by Microsoft Security Updates, and giving a description of each vulnerability and also the systems that it affects.
On May 13, additional information became available about authentication issues followed by the installation of the patches on Domain Controller servers. However, on May 19, the issue related to authentication failures of Domain Controlers was resolved in out-of-band updates. Please see the [Recommendations] section of this advisory for details.

2022-033: Critical RCE Vulnerabilities in Microsoft Azure Synapse

Tuesday, May 10, 2022 03:06:00 PM CEST

On May 9th, Microsoft issued one security advisory addressing a critical RCE vulnerability in the third-party Open Database Connectivity (ODBC) driver used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime (IR). This vulnerability CVE-2022-29972 has CVSS score of 8.2 out of 10 and it may allow an attacker to perform remote command execution across IR infrastructure not limited to a single tenant.
According to Microsoft article, there was no evidence of misuse or malicious activity. Only self-host IR environments without auto-update need to take action to safeguard their deployments.

2022-032: UPDATE: Critical Vulnerability Affecting F5 Devices

Thursday, May 05, 2022 02:17:00 PM CEST

On the 4th or May 2022, F5 released several patches addressing 43 vulnerabilities, including one identified as critical - CVE-2022-1388. This vulnerability has the CVSS score of 9.8 out of 10, and it may allow an unauthenticated attacker with network access to the iControl REST interface to execute arbitrary system commands, create or delete files, and disable services.
On the 9th of May 2022, Horizon3 - along with other groups - released a proof-of-concept exploit. Moreover, there was an increase of exploitation attempts in the last few days. We advice you to patch as quickly as possible and restrict the access to the F5 BIG-IP management interface only to authorised people.

2022-031: Jira Authentication Bypass Vulnerability

Tuesday, April 26, 2022 04:42:00 PM CEST

On April 20th, Atlassian published a security advisory for a critical vulnerability in the Jira and Jira Service Management products, that are vulnerable to an authentication bypass in its web authentication framework, Jira Seraph. This vulnerability is tracked as CVE-2022-0540, with a severity score of 9.9 out of 10 on the CVSS scoring system. Atlassian has released software updates that address this vulnerability.

2022-030: Cisco Umbrella Virtual Appliance Vulnerability

Friday, April 22, 2022 10:01:00 AM CEST

On the 20th of April Cisco released a security advisory about a high severity vulnerability in the key-based SSH authentication mechanism of Cisco Umbrella Virtual Appliance (VA). The vulnerability could allow an unauthenticated, remote attacker to impersonate a VA. Cisco has released software updates that address this vulnerability.

2022-029: UPDATE: Oracle Java SE RCE Vulnerability

Thursday, April 21, 2022 02:21:00 PM CEST

Oracle published a Critical Patch Update Advisory - April 2022 which is a collection of patches for multiple security vulnerabilities. This Critical Patch Update contains 520 new security patches across the product families.
One of the vulnerabilities is CVE-2022-21449. It is an exploitable vulnerability which allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Exploitation of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
On the 20th of April, a researcher has released a Proof-of-Concept code, which make potential attacks much more likely.

2022-028: Apache Struts RCE Vulnerability

Wednesday, April 20, 2022 02:59:00 PM CEST

The Apache Software Foundation has released a security advisory about a possible remote code execution vulnerability CVE-2021-31805 in the Apache Struts web application framework. This vulnerability was previously addressed with CVE-2020-17530 but the fix was incomplete.

2022-027: CISCO WLC Critical Vulnerability

Saturday, April 16, 2022 12:26:00 PM CEST

Cisco has released a security advisory to warn about a critical vulnerability (CVSS v3 score: 10.0), tracked as CVE-2022-20695, impacting the Wireless LAN Controller (WLC) software. A vulnerability in the authentication functionality of Cisco Wireless LAN Controller (WLC) Software could allow an unauthenticated, remote attacker to bypass authentication controls and log into the device through the management interface.

2022-026: Critical Vulnerabilities in Microsoft Windows

Wednesday, April 13, 2022 02:47:00 PM CEST

On April 12th, Microsoft issued the monthly Patch Tuesday where 128 vulnerabilities were fixed. Three of them were classified as Critical as they allow remote code execution (RCE) with no user interaction. Two other vulnerabilities rated as important can be used for privilege escalation, but since one of them is already being actively exploited and the other has a public exploit, we recommend to patch all of them as soon as possible.

2022-025: UPDATE: Critical Vulnerabilities in VMware

Thursday, April 07, 2022 01:45:00 PM CEST

On April 6th, VMware released several security patches for critical-severity flaws affecting multiple products. The vulnerabilities identified as "CVE-2022-22954", "CVE-2022-22955", "CVE-2022-22956", "CVE-2022-22957", and "CVE-2022-22958" can lead to multiple effects such as remote code execution and authentication bypass.
VMware also patched high and medium severity bugs that could be exploited for Cross-Site Request Forgery (CSRF) attacks ("CVE-2022-22959"), privilege escalation ("CVE-2022-22960"), and gain access to information without authorisation ("CVE-2022-22961").
On May 20th, Unit 42 has observed numerous instances of "CVE-2022-22954" being exploited in the wild. When successful, "CVE-2022-22960" can be leveraged to run commands as a root user. It is strongly recommended to patch as soon as possible.

2022-024: Critical Vulnerability in Gitlab

Monday, April 04, 2022 12:53:00 PM CEST

On 31/03/2022, GitLab released an advisory for a critical password security vulnerability in GitLab Community and Enterprise products tracked as CVE-2022-1162. Discovered by the internal team of Gitlab, this vulnerability allows remote attacker to taker over user accounts. GitLab is not aware of accounts compromised by exploiting this vulnerability.
Evaluated with a score of 9.1 out of 10, CERT-EU recommends to patch as soon as possible.

2022-023: UPDATE: Critical RCE Vulnerability in Spring Core

Thursday, March 31, 2022 02:48:00 PM CEST

On 29/03/2022, some cybersecurity analysts were alarmed following the publication of a few posts from a Chinese Twitter account. These tweets contained screenshots showing a 0-day exploit in Spring Core, a popular Java library.
The vulnerability has been assigned "CVE-2022-22965", and it is being referred to as "Spring4Shell". The key points known at this time are:
- This vulnerability allows an unauthenticated attacker to execute arbitrary code on the targeted system.
- Proofs-of-Concept (PoCs) of this vulnerability are publicly available.
- Patches have been released.
CERT-EU recommends to patch as soon as possible.
Additionally, another Spring vulnerability was also part of the recent discussions on the internet - assigned CVE number "CVE-2022-22963" (CVSS score 9.0), it is a remote code execution vulnerability in Spring Cloud Function, which is a separate Java library from Spring Core. Public POCs are available. CERT-EU recommend to also patch this vulnerability as soon as possible.

2022-022: Critical RCE Vulnerability in SonicWall Firewalls

Tuesday, March 29, 2022 10:14:00 AM CEST

On 25/03/2022, SonicWall has fixed a critical vulnerability (CVE-2022-22274) in SonicWall firewall product, which allows remote unauthenticated attacker to cause Denial-of-Service (DoS) that potentially results in code execution in the firewall. This vulnerability has a score of 9.4 out of 10.
CERT-EU strongly recommends to patch this vulnerability as soon as possible.

2022-021: UPDATE: Critical RCE Vulnerability in Sophos Firewalls

Monday, March 28, 2022 10:28:00 AM CEST

On 25/03/2022, Sophos has fixed a critical vulnerability (CVE-2022-1040) in Sophos firewall product, which allows remote code execution. This vulnerability enables an unauthenticated attacker to gain control over the targeted system. This vulnerability has a score of 9.8 out of 10.
[Update] : This vulnerability is currently under active exploitation in the wild.
CERT-EU strongly recommends to patch this vulnerability as soon as possible.

2022-020: Multiple Critical Vulnerabilities in VMware Carbon Black

Friday, March 25, 2022 01:23:00 PM CET

On 23/03/2022, VMware has published multiple critical vulnerabilities ("CVE-2022-22951", "CVE-2022-22952") in VMware products which allow remote code execution. These vulnerabilities may lead to gaining control over the targeted system. Both vulnerabilities rated with CVSSv3 base score of 9.1 out of 10.

2022-019: Multiple Critical Vulnerabilities in Veeam

Monday, March 21, 2022 06:14:00 PM CET

On 12/03/2022 Veeam has published multiple critical vulnerabilities (CVE-2022-26500, CVE-2022-26501) in Veeam products which allow remote code execution without authentication. This vulnerability may lead to gaining control over the targeted system. The publication was last modified by Veeam on 18/03/2022.

2022-018: Serious Vulnerability in Linux Kernel

Thursday, March 17, 2022 10:28:00 AM CET

On February 22, Red Hat released a security advisory for fixing a severe vulnerability in the "netfilter" subcomponent in the Linux kernel. Listed as CVE-2022-25636 with a CVSS score of 7.8, it could allow a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation. This vulnerability is present in all recent major distributions and exploits for this vulnerability ware already published.
It is recommended to update the Linux distributions as soon as possible.

2022-017: OpenSSL/LibreSSL Vulnerability

Wednesday, March 16, 2022 11:45:00 AM CET

On March 15th, the OpenSSL project revealed a high severity vulnerability that can lead to Denial-Of-Service for the applications that use certificates from untrusted sources. It can be exploited remotely by an attacker using a specialy crafted certificate that can trigger an infinite loop. LibreSSL was also impacted by this vulnerability and it has been also patched.

2022-016: Important Vulnerability in Windows SMBv3

Thursday, March 10, 2022 11:05:00 PM CET

On March 8th, Microsoft fixed in the monthly Patch Tuesday 71 vulnerabilities with three classified as Critical as they allow remote code execution. A remote code execution vulnerability classified as Important affects Windows SMBv3 Client/Server.
The vulnerability tracked as CVE-2022-24508 is a remote code execution vulnerability allowing an authenticated user to execute malicious code on Windows 10 version 2004 and newer systems via SMBv3. No active exploitation of this vulnerability is known yet.

2022-015: Critical Vulnerability in Microsoft Exchange Server

Thursday, March 10, 2022 11:55:00 AM CET

On March 8th, Microsoft issued the monthly Patch Tuesday where 71 vulnerabilities were fixed. Three of them were classified as Critical as they allow remote code execution (RCE). One of these critical vulnerabilities affects Microsoft Exchange Server.
The vulnerability tracked as CVE-2022-23277 is a remote code execution vulnerability that can be exploited by an authenticated attacker to perfom RCE on Microsoft Excahnge. No active exploitation of this vulnerability is known yet.

2022-014: Privilege Escalation Vulnerability in Linux Kernel

Tuesday, March 08, 2022 11:28:00 AM CET

On March 7th, a security researcher disclosed the Dirty Pipe vulnerability affecting Linux Kernel 5.8 and later versions. The vulnerability is tracked as CVE-2022-0847 and allows a non-privileged user to inject and overwrite data in read-only files including SUID processes that run as root.
As per the researcher, the vulnerability is similar to CVE-2016-5195 Dirty Cow, but it is even easier to exploit.

2022-013: Multiple Vulnerabilities in VMware

Thursday, February 17, 2022 03:39:00 PM CET

On January 15th, VMware released several security patches for high-severity flaws affecting multiple products. The vulnerabilities identified as "CVE-2021-22040", "CVE-2021-22041", "CVE-2021-22042", "CVE-2021-22043", "CVE-2021-22050", "CVE-2022-22945" can lead to multiple effects such as arbitrary code execution, denial of service, and privilege escalation.
There is no evidence that any of the weaknesses are exploited in the wild. However, it is recommended to patch as soon as possible.

2022-012: UPDATE: Critical Vulnerabilities in PHP Everywhere WordPress Plugin

Thursday, February 10, 2022 07:50:00 PM CET

On January 4th, researchers found three critical ‘PHP Everywhere’ plugin for WordPress. These vulnerabilities identified as "CVE-2022-24663", "CVE-2022-24664" and"CVE-2022-24665" affect many WordPress sites and can lead to remote code execution (RCE) that could be leveraged to achieve a complete site takeover. All three have a CVSS score of 9.9.
The vulnerabilities were found on January 4th, but due to the responsible disclosure process, the information about them has been publicly published 30 days after the release of patched version. No proof-of-concept or ongoing exploitation of these vulnerabilities have been observed yet. However, it is highly recommended to apply the patches as soon as possible.

2022-011: ICM Vulnerability in SAP Software

Wednesday, February 09, 2022 07:08:00 PM CET

On February 8, the SAP Product Security Response Team released new patches addressing CVEs in SAP products. One of them is categorised as critical vulnerabilitY with the CVSS score of 10. This vulnerability identified as "CVE-2022-22536" is affecting many SAP products and it can lead to different impacts such as: ransomware attack, theft of sensitive data, financial fraud, disruption of mission-critical business processes, etc.
No proof-of-concept or ongoing exploitation of these vulnerabilities have been observed yet. However, it is highly recommended to apply the patch as soon as possible.

2022-010: RCE Vulnerabilities in Microsoft Sharepoint and DNS

Wednesday, February 09, 2022 07:02:00 PM CET

On February 8, Microsoft released 51 new patches addressing CVEs in various Microsoft products. Two of them are categorised as significant (rating: High) vulnerabilities with the CVSS score of 8.8. The first vulnerability identified as "CVE-2022-22005" is affecting Microsoft SharePoint Server, and it can lead to remote code execution in case the attacker is authenticated and possess the permissions for page creation. The second vulnerability identified as "CVE-2022-21984" is affecting the Microsoft DNS Server, and it can lead also to remote code execution if the DNS server has the dynamic updates enabled.
No proof-of-concept or ongoing exploitation of these vulnerabilities are have been observed yet, however, it is highly recommended to apply the patches as soon as possible.

2022-009: Critical Vulnerability in Cisco VPN Routers

Monday, February 07, 2022 06:08:00 PM CET

On January 4th, Cisco has issued advisories and software updates to address multiple vulnerabilities of which the three most serious are identified as: "CVE-2022-20699", "CVE-2022-20700", "CVE-2022-20708" with a severity score of 10 out of 10.
- "CVE-2022-20699" could lead to Remote Code Execution by unauthenticated attackers with "root" privileges.
- "CVE-2022-20700" could allow a remote attacker to elevate privileges to "root".
- "CVE-2022-20708" could allow an unauthenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system.
Concerning the "CVE-2022-20699" vulnerability, a public presentation has recently been done at the OffensiveCon2022 followed by a leak of the exploit on Twitter. It is unknown what PoC exploits are available for the other vulnerabilities. However, once security updates are released, these PoCs tend to become publicly fairly quickly.
It is recommended to update as soon as possible.

2022-008: Critical Vulnerability in Samba

Tuesday, February 01, 2022 04:57:00 PM CET

On January 31, Samba has issued advisories and software updates to address multiple vulnerabilities one of which, identified as "CVE-2021-44142", could lead to Remote Code Execution with "root" privileges. It is recommended to update as soon as possible.

2022-007: Serious Vulnerability in All Major Linux Distributions

Thursday, January 27, 2022 06:27:00 PM CET

On January 25, Polkit's authors released a patch for their software fixing a severe vulnerability that could lead to local privilege escalation on all Major Linux distributions (including Ubuntu, Debian, Fedora, and CentOS).
Exploits for this vulnerability already exist in the wild.
It is recommended to update Linux distributions as soon as possible.

2022-006: Critical Vulnerabilities in Multiple Oracle Products

Thursday, January 20, 2022 06:24:00 PM CET

On January 18th, Oracle released their quarterly Critical Patch Update advisory, a collection of patches that addresses hundreds of critical security flaws, affecting several of their products. Many of these vulnerabilities may be remotely exploited without the need for user credentials. It is therefore highly recommended to apply the security patches without delay.

2022-005: Critical Vulnerability in Ivanti Products

Wednesday, January 19, 2022 10:25:00 AM CET

On January 17th, Ivanti updated its advisory related to "CVE-2021-44228" vulnerability affecting some of its products. While this CVE affects the Java logging library "log4j", all products using this library are vulnerable to Unauthenticated Remote Code Execution.

2022-004: Multiple Vulnerabilities in GitLab

Monday, January 17, 2022 04:42:00 PM CET

On January 11th, GitLab released significant security updates to address multiple vulnerabilities, including an arbitrary file read issue rated as ‘critical’ and two high-impact vulnerabilities, among others. The update tackles a vulnerability involving cross-site scripting (XSS) in Notes, along with a high-impact authentication-related flaw involving a lack of state parameter on GitHub import project OAuth.
Gitlab strongly encourages users to upgrade to 14.6.2, 14.5.3, or 14.4.5 for GitLab Community Edition (CE) and Enterprise Edition (EE), in order to safeguard their environments.

2022-003: UPDATE: New Critical Vulnerabilities in Microsoft Products

Friday, January 14, 2022 05:26:00 PM CET

On the 11th of January 2022, Microsoft released a software update to mitigate several vulnerabilities that affect many of its products. Few of them could lead to remote code execution on certain versions of Microsoft Windows and Server, Microsoft Exchange Servers, and Microsoft Office, Word, Excel and Sharepoint.
No active exploitation of these vulnerabilities is known yet, however, regarding the "CVE-2022-21907" vulnerability, Microsoft said that organisations should prioritise fixing it, because this vulnerability can become wormable - that is - after infection, the virus can spread laterally on the intranet. Also, a proof-of-concept code is already available publicaly.
This is why it is generally recommended to apply the patches as soon as possible, but please refer to [Recommendations] section for additional notes.

2022-002: Critical RCE Vulnerability in H2 Database Console

Friday, January 07, 2022 06:35:00 PM CET

On the 6th of January 2022, security researchers from JFrog identified a critical JNDI-based vulnerability in the H2 database console that exploits the same root cause as the Log4Shell vulnerability. Identified by CVE-2021-42392, this security flaw could lead to unauthenticated remote code execution.
H2 is an open-source relational database management system written in Java that can be embedded within applications or run in a client-server mode.

2022-001: Important Vulnerability in VMWare

Thursday, January 06, 2022 01:03:00 PM CET

On the 4th of January 2022, VMware has released a security alert for a vulnerability affecting VMware Workstation, Fusion, ESXi Server and Cloud Foundation. This vulnerability tracked as CVE-2021-22045 has an important CVSSv3 score of 7.7. A malicious actor with access to a virtual machine with CD-ROM device emulation may be able to exploit a heap overflow vulnerability in conjunction with other issues to execute code on the hypervisor from a virtual machine.
Successful exploitation requires CD image to be attached to the virtual machine.