GNU social JP
Notices by screaminggoat (screaminggoat@infosec.exchange)

  1. screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 13-Feb-2025 03:41:58 JST

    Happy #PatchTuesday from Ivanti: February Security Update

    • Security Advisory Ivanti Cloud Services Application (CSA) (CVE-2024-47908, CVE-2024-11771)
    • N-MDM - Security Advisory Ivanti Neurons for MDM (N-MDM)
    • February Security Advisory Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS) and Ivanti Secure Access Client (ISAC) (Multiple CVEs)

    We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure. These vulnerabilities were disclosed through our responsible disclosure program.

    #Ivanti #ivantiCSA #neurons #connectsecure #cve #vulnerability #infosec #cybersecurity

    In conversation about 3 months ago from infosec.exchange permalink
  2. screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 13-Feb-2025 03:41:58 JST

    Happy #PatchTuesday from SolarWinds:

    • Sensitive data disclosure vulnerability (CVE-2024-45718) 4.6 medium
    • SolarWinds Platform Information Disclosure Vulnerability (CVE-2024-52611) 3.5 low
    • SolarWinds Platform Server-Side Request Forgery Vulnerability (CVE-2024-52606) 3.5 low

    No mention of exploitation.

    #solarwinds #cve #vulnerability

    In conversation about 3 months ago from infosec.exchange permalink
  3. screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 13-Feb-2025 03:41:58 JST

    Happy Patch Tuesday to those still suffering. All new security advisories from today will be posted under this toot as a conversation.

    In conversation about 3 months ago from infosec.exchange permalink
  4. screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 13-Feb-2025 03:41:57 JST

    Happy #PatchTuesday from Adobe:

    • APSB25-01 Security Update Available for Adobe InDesign (7 CVEs)
    • APSB25-08 Security update available for Adobe Commerce (31)
    • APSB25-09 Security updates available for Substance 3D Stager (1)
    • APSB25-10 Security Update Available for Adobe InCopy (1)
    • APSB25-11 Security Updates Available for Adobe Illustrator (3)
    • APSB25-12 Security updates available for Substance 3D Designer (1)
    • APSB25-13 Security updates available for Adobe Photoshop Elements (1)

    Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates.

    #adobe #cve #indesign #photoshop #incopy #vulnerability #infosec #cybersecurity

    In conversation about 3 months ago from infosec.exchange permalink
  5. screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 13-Feb-2025 03:41:57 JST

    Happy #PatchTuesday from Microsoft: 4 ZERO-DAYS (2 EXPLOITED) out of 56 new CVEs

    • CVE-2025-21377 (6.5 medium) NTLM Hash Disclosure Spoofing Vulnerability (PUBLICLY DISCLOSED)
    • CVE-2025-21194 (7.1 high) Microsoft Surface Security Feature Bypass Vulnerability (PUBLICLY DISCLOSED)
    • CVE-2025-21418 (7.8 high) Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability (EXPLOITED)
    • CVE-2025-21391 (7.1 high) Windows Storage Elevation of Privilege Vulnerability (EXPLOITED)

    #microsoft #zeroday #cve #eitw #activeexploitation #vulnerability #infosec #cybersecurity

    In conversation about 3 months ago from infosec.exchange permalink
  6. screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 13-Feb-2025 03:41:57 JST

    Happy #PatchTuesday from Fortinet:

    1. FG-IR-24-422 CVE-2024-52966 (2.3 low) Disclosure of Logs of Devices not belonging to the Current ADOM from Log View
    2. FG-IR-23-261 CVE-2023-40721 (6.7 medium) FortiOS / FortiProxy / FortiPAM / FortiSwitchManager - Format string vulnerability in CLI commands
    3. FG-IR-24-300 CVE-2024-52968 (6.7 medium) Improper Authentication in FortiMonitor Agent
    4. FG-IR-23-279 CVE-2024-40586 (6.7 medium) Improper access control to FortiSslvpnNamedPipe
    5. FG-IR-24-311 CVE-2024-40585 (6.5 medium) Insertion of sensitive information into Event log
    6. FG-IR-24-063 CVE-2024-27781 (7.1 high) Multiple Reflected and Stored Cross-Site Scripting
    7. FG-IR-24-147 CVE-2024-36508 (6.0 medium) Multiple arbitrary file deletion in the CLI
    8. FG-IR-24-438 CVE-2024-50567 and CVE-2024-50569 (7.2 high) OS Command Injections
    9. FG-IR-24-220 CVE-2024-40584 (7.2 high) OS command injection in external connector
    10. FG-IR-25-015 CVE-2025-24470 (8.6 high) Off-by-slash vulnerability in Nginx config
    11. FG-IR-24-302 CVE-2024-40591 (8.8 high) Permission escalation due to an Improper Privilege Management
    12. FG-IR-23-324 CVE-2024-27780 (3.1 low) Reflected XSS (cross site scripting) in incident page
    13. FG-IR-24-160 CVE-2024-35279 (8.1 high) Stack buffer overflow in fabric service
    14. FG-IR-24-094 CVE-2024-33504 (4.1 medium) Use of Hard-coded Cryptographic Key to encrypt sensitive data

    Fortinet downplays the CVSSv3.1 score by listing temporal only, I have listed base score instead. No mention of exploitation.

    #fortinet #fortios #fortiproxy #fortiswitchmanager #cve #vulnerability #infosec #cybersecurity

    In conversation about 3 months ago from infosec.exchange permalink
  7. screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 13-Feb-2025 03:41:56 JST

    subtoot about Fortinet zero-day. Those infosec publications are running WILD calling it an exploited zero-day (complete with a backstory) with absolutely no evidence. Are we reading the same security advisory? What the fuck are you guys conjuring up and extrapolating from 2025-02-11: Added CVE-2025-24472 and its acknowledgement?

    EDIT: You've heard of "patch-diffing." Get ready for advisory-diffing:
    https://web.archive.org/web/20250114161659/https://fortiguard.fortinet.com/psirt/FG-IR-24-535 (14 January 2025)
    versus https://fortiguard.fortinet.com/psirt/FG-IR-24-535 (11 February 2025):

    • An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS and FortiProxy may allow a remote attacker to gain super-admin privileges via crafted requests to Node.js websocket module or via crafted CSF proxy requests.
    • Follow the recommended upgrade path using our tool at: https://docs.fortinet.com/upgrade-tool
    • Please note that the above IP parameters are under attacker control and therefore can be any other IP address. Not the actual source IP addresses of the attack traffic, they are generated arbitrarily by the attacker as a parameter. Because of this they should not be used for any blocking.
    • edit 2
      set intf "allany"
    • Please note as well that an attacker needs to know an admin account's username to perform the attack and log in the CLI. Therefore, having a non-standard and non-guessable username for admin accounts does offer some protection, and is, in general, a best practice. Keep in mind however that the targeted websocket not being an authentication point, nothing would prevent an attacker from bruteforcing the username.
    • CSF requests issue: Disable Security Fabric from the CLI:
      config system csf
      set status disable
      end

    Some of these are explained in the changelog, but I wanted to be certain.

    In conversation about 3 months ago from infosec.exchange permalink
  8. screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 13-Feb-2025 03:41:56 JST
    in reply to
    • BleepingComputer

    Happy #PatchTuesday: Exploited Fortinet zero-day??? FG-IR-24-535
    CVE-2025-24472 (8.1 high) Authentication bypass in Node.js websocket module and CSF requests
    If this security advisory looks familiar, that's because it belongs to the previous Fortinet exploited zero-day CVE-2024-55591 (9.6 critical). This was tacked onto the same advisory, with no context other than the changelog:

    2025-02-11: Added CVE-2025-24472 and its acknowledgement

    @BleepingComputer seems to think it is: Fortinet warns of new zero-day exploited to hijack firewalls but I'm skeptical.

    #fortinet #infosec #CVE_2024_55591 #vulnerability #cve #CVE_2025_24472 #cybersecurity #eitw #activeexploitation #zeroday

    In conversation about 3 months ago from infosec.exchange permalink
  9. screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 13-Feb-2025 03:41:56 JST

    CISA: CISA Adds Four Known Exploited Vulnerabilities to Catalog

    • CVE-2025-21418 (7.8 high) Microsoft Windows Ancillary Function Driver for WinSock Heap-Based Buffer Overflow Vulnerability
    • CVE-2025-21391 (7.1 high) Microsoft Windows Storage Link Following Vulnerability
    • CVE-2024-40890 (8.8 high) Zyxel DSL CPE OS Command Injection Vulnerability
    • CVE-2024-40891 (8.8 high) Zyxel DSL CPE OS Command Injection Vulnerability

    The Zyxel stuff is not new, but since the Microsoft zero-days are part of #PatchTuesday, I'm including them in this conversation.

    #cisa #kev #cisakev #KnownExploitedVulnerabilitiesCatalog #vulnerability #zeroday #eitw #activeexploitation #infosec #cybersecurity #cve

    In conversation about 3 months ago from infosec.exchange permalink
  10. screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 13-Feb-2025 03:41:55 JST

    Happy #PatchTuesday with GitLab: GitLab Patch Release: 17.8.2, 17.7.4, 17.6.5
    8 CVEs (1 high severity, 7 medium). At a glance, no mention of exploitation.

    #gitlab #cve #vulnerability #infosec #cybersecurity

    In conversation about 3 months ago from infosec.exchange permalink
  11. screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 13-Feb-2025 03:41:55 JST
    in reply to
    • cR0w :cascadia:

    RE: Fortinet's CVE-2024-24472
    Bleeping Computer: Fortinet discloses second firewall auth bypass patched in January

    Update 2/11/25 07:32 PM ET: After publishing our story, Fortinet has informed us that the new CVE-2025-24472 flaw added to FG-IR-24-535 today is not a zero-day and was already fixed in January.

    @cR0w I called it 💪 Not a zero-day.

    #fortinet #cve #infosec #cybersecurity #vulnerability

    In conversation about 3 months ago from infosec.exchange permalink
  12. screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 13-Feb-2025 03:41:54 JST

    Assetnote: Nginx/Apache Path Confusion to Auth Bypass in PAN-OS (CVE-2025-0108)
    If I'm reading this correctly, Assetnote dropped vulnerability details and proof of concept for CVE-2025-0108 (CVSSv4: 8.8 high) PAN-OS: Authentication Bypass in the Management Web Interface. They are describing this as a zero-day auth bypass, but it should be called "patch bypass." See related PAN security advisory.

    Fun operational mistake: Assetnote wrote "This vulnerability was fixed in versions xx and yy and assigned CVE zz." in their conclusion.

    #paloaltonetworks #CVE_2025_0108 #infosec #vulnerability #cve #cybersecurity #poc #proofofconcept

    In conversation about 3 months ago from infosec.exchange permalink
  13. screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 13-Feb-2025 03:41:54 JST

    Happy #PatchTuesday from Palo Alto Networks (LIKELY ZERO-DAYS):
    (Note: PAN likes to downplay severity by showing the base + threat metrics CVSSv4 score. I listed base score only)

    1. CVE-2025-0113 (CVSSv4.0: 7.6 high) Cortex XDR Broker VM: Unauthorized Access to Broker VM Docker Containers
    2. CVE-2025-0112 (CVSSv4: 6.8 medium) Cortex XDR Agent: Local Windows User Can Disable the Agent
    3. CVE-2025-0110 (CVSSv4.0: 8.6 high) PAN-OS OpenConfig Plugin: Command Injection Vulnerability in OpenConfig Plugin
      • Exploit Maturity: POC 🤔
    4. PAN-SA-2025-0005 GlobalProtect Clientless VPN: Same-Origin Policy Does Not Apply When Using Clientless VPN
    5. PAN-SA-2025-0004 Chromium: Monthly Vulnerability Update (February 2025) (multiple CVEs)
    6. CVE-2025-0109 (CVSSv4: 6.9 medium) PAN-OS: Unauthenticated File Deletion Vulnerability on the Management Web Interface
      • Exploit Maturity: POC 🤔
    7. CVE-2025-0111 (CVSSv4: 7.1 high) PAN-OS: Authenticated File Read Vulnerability in the Management Web Interface
    8. EDIT: NEW! CVE-2025-0108 (CVSSv4: 8.8 high) PAN-OS: Authentication Bypass in the Management Web Interface

    Palo Alto Networks is not aware of any malicious exploitation of this issue.

    My new concern is whether I should say #zeroday for CVE-2025-0110 and 0109. Based on the FIRST criteria for Exploit Maturity:

    Based on threat intelligence sources each of the following must apply:

    • Proof-of-concept is publicly available
    • No knowledge of reported attempts to exploit this vulnerability
    • No knowledge of publicly available solutions used to simplify attempts to exploit the vulnerability

    #paloaltonetworks #infosec #vulnerability #cve #cybersecurity #poc #proofofconcept

    In conversation about 3 months ago from infosec.exchange permalink
  14. screaminggoat (screaminggoat@infosec.exchange)'s status on Wednesday, 12-Feb-2025 08:43:55 JST

    BishopFox: SonicWall CVE-2024-53704: SSL VPN Session Hijacking
    See parent toots for the security advisory. BishopFox intends to publish vulnerability CVE-2024-53704 (9.8 critical) SonicOS SSLVPN Authentication Bypass Vulnerability in the next 90 days.

    Our current research indicates more than 5,000 affected SonicWall devices remain accessible on the internet. Although significant reverse-engineering effort was required to find and exploit the vulnerability, the exploit itself is rather trivial.

    UPDATED 10 February 2025: BishopFox included full exploitation details in their blog post.

    #sonicwall #CVE_2024_53704 #sonicos #sslvpn #vulnerability #CVE #infosec #cybersecurity

    In conversation about 3 months ago from infosec.exchange permalink
  15. screaminggoat (screaminggoat@infosec.exchange)'s status on Wednesday, 12-Feb-2025 08:43:55 JST
    • Thijs Alkemade

    Happy #PatchTuesday (well it is a Tuesday) from SonicWall: SonicOS Affected By Multiple Vulnerabilities

    • CVE-2024-40762 (7.1 high) SonicOS SSLVPN Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
    • CVE-2024-53704 (8.2 high) SonicOS SSLVPN Authentication Bypass Vulnerability
    • CVE-2024-53705 (6.5 medium) SonicOS SSH Management Server-Side Request Forgery Vulnerability
    • CVE-2024-53706 (7.8 high) Gen7 SonicOS Cloud NSv SSH Config Function Local Privilege Escalation Vulnerability

    There is no evidence that these vulnerabilities are being exploited in the wild.

    h/t: @xnyhps

    #sonicwall #vulnerability #cve #infosec #cybersecurity

    In conversation about 3 months ago from infosec.exchange permalink
  16. screaminggoat (screaminggoat@infosec.exchange)'s status on Saturday, 08-Feb-2025 03:13:43 JST
    in reply to
    • Kevin Beaumont
    • buherator
    • Zeljka Zorz

    @zeljkazorz @buherator @GossiTheDog ASEC's appears to be the closest and I'm trying to determine if Godzilla (web shell) and Godzilla (post-exploitation framework) are one and the same.

    This is the web shell version https://github.com/BeichenDream/Godzilla frequently referenced.

    Interestingly "19d87910d1a7ad9632161fd9dd6a54c8a059a64fc5f5a41cf5055cd37ec0499d" from Microsoft isn't hot yet on VirusTotal

    In conversation about 4 months ago from infosec.exchange permalink
  17. screaminggoat (screaminggoat@infosec.exchange)'s status on Friday, 31-Jan-2025 02:06:29 JST
    in reply to
    • Wary Jerry
    • Viss
    • Kevin Beaumont
    • Andrew Kalat
    • Chilly :donor: 🛡️ :fedora:
    • Christoffer S.
    • cR0w :cascadia:

    @nopatience we should ask for the expert opinion of pilot @GossiTheDog who has flown thousands of hours of various Microsoft Flight Simulators. @Viss @cR0w @chillybot @jerry @lerg

    In conversation about 4 months ago from infosec.exchange permalink
  18. screaminggoat (screaminggoat@infosec.exchange)'s status on Friday, 24-Jan-2025 09:52:12 JST

    Palo Alto Networks PAN-SA-2025-0003 Informational: PAN-OS BIOS and Bootloader Security Bulletin
    See parent toot above. Palo Alto Networks is in damage control mode, after Eclypsium reported that their Next Generation Firewall (NGFW) products were still impacted by multiple known vulnerabilities.

    Palo Alto Networks is aware of claims of multiple vulnerabilities in hardware device firmware and bootloaders included in our PA-Series (hardware) firewalls.
    Palo Alto Networks is not aware of any malicious exploitation of these issues in our products. We are aware of a blog post discussing these issues.

    #paloaltonetworks #panw #vulnerability #cve #infosec #cybersecurity #eclypsium

    In conversation about 4 months ago from infosec.exchange permalink
  19. screaminggoat (screaminggoat@infosec.exchange)'s status on Friday, 24-Jan-2025 09:52:12 JST

    Eclypsium: PANdora's Box: Vulnerabilities Found in NGFW
    Eclypsium evaluated three Palo Alto Networks appliances, finding known vulnerabilities ranging from "Boothole" (buffer overflow to RCE) and secure boot bypass to LogoFail, PixieFail, leaked keys bypass, etc. Eclypsium provides a timeline with the most recent update requesting that they wait for a patch before going public with the details, but no estimated time of patch release.

    #paloaltonetworks #panos #pixiefail #logofail #boothole #secureboot #panw #infosec #vulnerability #cve #cybersecurity

    In conversation about 4 months ago from infosec.exchange permalink
  20. screaminggoat (screaminggoat@infosec.exchange)'s status on Thursday, 23-Jan-2025 21:21:41 JST
    • BrianKrebs
    • Kevin Beaumont
    • cR0w :cascadia:

    SonicWall exploited zero-day: SMA1000 Pre-Authentication Remote Command Execution Vulnerability
    CVE-2025-23006 (9.8 critical) Pre-authentication deserialization of untrusted data vulnerability has been identified in the SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), which in specific conditions could potentially enable a remote unauthenticated attacker to execute arbitrary OS commands.

    IMPORTANT: SonicWall PSIRT has been notified of possible active exploitation of the referenced vulnerability by threat actors

    cc: @goatyell @cR0w @GossiTheDog @briankrebs

    #zeroday #CVE_2025_23006 #sonicwall #vulnerability #CVE #infosec #cybersecurity #eitw #activeexploitation

    In conversation about 4 months ago from infosec.exchange permalink
          GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.