Vulnerability-Lookup: most recent bundles (feed: https://cve.circl.lu/bundles/feed.atom, Vulnerability-Lookup, info@circl.lu, generated with python-feedgen on 2025-02-22T14:14:50+00:00; contains only the 10 most recent bundles).

# PoC LDAPNightmare: The CVE Mix-Up (as noted by @wdormann@infosec.exchange)

Bundle: https://cve.circl.lu/bundle/9aa579cb-be14-4a74-9427-91defcc2ccd5
Author: Cédric Bonhomme (http://cvepremium.circl.lu/user/cedric)

A PoC for CVE-2024-49113, titled "Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability", is provided by SafeBreach.
However, there was confusion between CVE-2024-49113 (DoS) and CVE-2024-49112 (RCE - CVSS 9.8), as noted by @wdormann@infosec.exchange:
https://github.com/SafeBreach-Labs/CVE-2024-49113/commit/eb76381b2927ce78c86743267d898b4ebfcbb187

Published: 2025-01-02T22:04:08+00:00

# MediaTek January 2025 Product Security Bulletin (severe vulnerability)

Bundle: https://cve.circl.lu/bundle/a5165ebe-ef02-4a51-b2a6-2950b3c37690
Author: Cédric Bonhomme (http://cvepremium.circl.lu/user/cedric)

MediaTek has released its January 2025 Product Security Bulletin:
https://corp.mediatek.com/product-security-bulletin/January-2025
The bulletin covers out-of-bounds write vulnerabilities in power management (CVE-2024-20140) and in the Digital Audio subsystem (CVE-2024-20143, CVE-2024-20144, CVE-2024-20145). These could lead to local privilege escalation, potentially allowing attackers to gain unauthorized access to sensitive data or system functionality.
Other vulnerabilities addressed include issues in the WLAN driver (CVE-2024-20146, CVE-2024-20148) that could lead to remote code execution and an out-of-bounds write vulnerability in the M4U subsystem (CVE-2024-20105) that could allow for local privilege escalation.
MediaTek has notified device manufacturers (OEMs) about these vulnerabilities and provided corresponding security patches. Users are strongly encouraged to check for updates from their device manufacturers and apply them as soon as possible to mitigate these security risks.

Published: 2025-01-07T07:03:20+00:00

# 2025-01-05 Android security bulletin - MediaTek components

Bundle: https://cve.circl.lu/bundle/a30ff14f-a073-49be-8c0c-6b6afd6a19f3
Author: Cédric Bonhomme (http://cvepremium.circl.lu/user/cedric)

Vulnerabilities affecting MediaTek components and further details are available directly from MediaTek. The severity assessment of these issues is provided directly by MediaTek.
| CVE | References | Severity | Subcomponent |
|--------------------|----------------|------------|--------------|
| CVE-2024-20154 | A-376809176 | Critical | Modem |
| CVE-2024-20146 | A-376814209 | High | wlan |
| CVE-2024-20148 | A-376814212 | High | wlan |
| CVE-2024-20105 | A-376821905 | High | m4u |
| CVE-2024-20140 | A-376816308 | High | power |
| CVE-2024-20143 | A-376814208 | High | DA |
| CVE-2024-20144 | A-376816309 | High | DA |
| CVE-2024-20145 | A-376816311 | High | DA |
Users should update their devices as soon as possible.

Published: 2025-01-07T07:09:05+00:00

# A triple-exploit chain: auth bypass (1) to exposed dbus interface (2) to command injection (3) (from @da_667@infosec.exchange)

Bundle: https://cve.circl.lu/bundle/b0eb6548-dfb1-42e3-90a2-d9bf681ffc71
Author: Cédric Bonhomme (http://cvepremium.circl.lu/user/cedric)

A triple-exploit chain: auth bypass (1) to exposed dbus interface (2) to command injection (3):
https://www.exploit-db.com/exploits/45100

Published: 2025-01-23T08:14:00+00:00

# CMSimple 5.16 vulnerabilities leading to RCE

Bundle: https://cve.circl.lu/bundle/f16e4486-bb1e-424d-9c5e-24cd9c0be4c1
Author: Cédric Bonhomme (http://cvepremium.circl.lu/user/cedric)

#### Vulnerabilities in CMSimple 5.16 leading to RCE
* CVE-2024-57546 - An issue in CMSimple v.5.16 allows a remote attacker to obtain sensitive information via a crafted script to the validate link function.
* CVE-2024-57547 - Insecure Permissions vulnerability in CMSimple v.5.16 allows a remote attacker to obtain sensitive information via a crafted script to the Functionality of downloading php backup files.
* CVE-2024-57548 - CMSimple 5.16 allows the user to edit log.php file via print page.
* CVE-2024-57549 - CMSimple 5.16 allows the user to read cms source code through manipulation of the file name in the file parameter of a GET request.
#### Original research
[https://github.com/h4ckr4v3n/cmsimple5.16_research](https://github.com/h4ckr4v3n/cmsimple5.16_research)

Published: 2025-01-24T07:56:51+00:00

# Command injection and insecure default credentials vulnerabilities in certain legacy DSL CPE from Zyxel

Bundle: https://cve.circl.lu/bundle/d3075493-7100-4a9c-9b70-41f0581a825c
Author: Cédric Bonhomme (http://cvepremium.circl.lu/user/cedric)

## Summary
Zyxel recently became aware of CVE-2024-40890 and CVE-2024-40891 being mentioned in a post on GreyNoise’s blog. Additionally, VulnCheck informed us that they will publish the technical details regarding CVE-2024-40891 and CVE-2025-0890 on their blog. We have confirmed that the affected models reported by VulnCheck, VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500, are legacy products that have reached end-of-life (EOL) for years. Therefore, we strongly recommend that users replace them with newer-generation products for optimal protection.
## What are the vulnerabilities?
### CVE-2024-40890
**UNSUPPORTED WHEN ASSIGNED**
A post-authentication command injection vulnerability in the CGI program of certain legacy DSL CPE models, including VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500, could allow an authenticated attacker to execute operating system (OS) commands on an affected device by sending a crafted HTTP POST request. It is important to note that WAN access is disabled by default on these devices, and this attack can only be successful if user-configured passwords have been compromised.
### CVE-2024-40891
**UNSUPPORTED WHEN ASSIGNED**
A post-authentication command injection vulnerability in the management commands of certain legacy DSL CPE models, including VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500. This vulnerability could allow an authenticated attacker to execute OS commands on an affected device via Telnet. It is important to note that WAN access and the Telnet function are disabled by default on these devices, and this attack can only be successful if the user-configured passwords have been compromised.
### CVE-2025-0890
**UNSUPPORTED WHEN ASSIGNED**
Insecure default credentials for the Telnet function in certain legacy DSL CPE models, including VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500, could allow an attacker to log in to the management interface if the administrators have the option to change the default credentials but fail to do so. It is important to note that WAN access and the Telnet function are disabled by default on these devices.
## What should you do?
The following models—VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500—are legacy products that have reached EOL status for several years. In accordance with industry product life cycle management practices, Zyxel advises customers to replace these legacy products with newer-generation equipment for optimal protection. If you obtained your Zyxel product through an internet service provider (ISP), please contact the ISP for support. For ISPs, please contact your Zyxel sales or service representatives for further details.
Additionally, disabling remote access and periodically changing passwords are proactive measures that can help prevent potential attacks.
## Coordinated timeline
* 2024-07-13: VulnCheck notified Zyxel about vulnerabilities in the EOL CPE VMG4325-B10A without providing any reports.
* 2024-07-14: Zyxel requested VulnCheck to provide a detailed report; however, VulnCheck did not respond.
* 2024-07-31: VulnCheck published CVE-2024-40890 and CVE-2024-40891 on their blog without informing Zyxel.
* 2025-01-28: GreyNoise published CVE-2024-40890 and CVE-2024-40891 on their blog.
* 2025-01-29: Zyxel received VulnCheck’s report regarding CVE-2024-40890, CVE-2024-40891, and CVE-2025-0890.
* 2025-01-29: Zyxel became aware of the vulnerabilities in certain legacy DSL CPE models.
Published: 2025-02-05T18:29:21+00:00

# Unauthenticated RCE on Some Netgear WiFi Routers, PSV-2023-0039

Bundle: https://cve.circl.lu/bundle/52db1232-3e47-4bf4-a6ed-a4b863f96ab9
Author: Cédric Bonhomme (http://cvepremium.circl.lu/user/cedric)

NETGEAR has released fixes for an unauthenticated RCE security vulnerability on the following product models:
* XR1000 fixed in firmware version 1.0.0.74
* XR1000v2 fixed in firmware version 1.1.0.22
* XR500 fixed in firmware version 2.3.2.134
NETGEAR strongly recommends that you download the latest firmware as soon as possible.

Published: 2025-02-10T18:09:14+00:00

# disabling cert checks: "we have not learned much" from @bagder@mastodon.social

Bundle: https://cve.circl.lu/bundle/26561a4f-d892-4f81-a2d1-231d4980d359
Author: Cédric Bonhomme (http://cvepremium.circl.lu/user/cedric)

![bad-mistakes-ahead](https://daniel.haxx.se/blog/wp-content/uploads/2022/08/bad-mistakes-ahead.jpg)
The article "Disabling cert checks: we have not learned much" by Daniel Stenberg, published on February 11, 2025, discusses the persistent issue of developers disabling SSL/TLS certificate verification in applications, despite the security risks involved. Stenberg reflects on the history of SSL/TLS usage, emphasizing that since 2002, curl has verified server certificates by default to prevent man-in-the-middle attacks. He highlights common challenges that lead developers to disable certificate verification, such as development environment mismatches, outdated CA stores, or expired certificates. Despite efforts to educate and design APIs that encourage secure practices, the problem persists, indicating a need for continued emphasis on the importance of proper certificate verification in software development.
A quick CVE search immediately reveals security vulnerabilities for exactly this problem published only last year:
* CVE-2024-32928 – The libcurl CURLOPT_SSL_VERIFYPEER option was disabled on a subset of requests made by Nest production devices.
* CVE-2024-56521 – An issue was discovered in TCPDF before 6.8.0. If libcurl is used, CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are set unsafely.
* CVE-2024-5261 – In affected versions of Collabora Online, in LibreOfficeKit, curl’s TLS certificate verification was disabled (CURLOPT_SSL_VERIFYPEER of false).
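The three CVEs above share one root cause: a libcurl option that switches verification off. As an added example (not part of the original post, and not code from curl or from any of the affected projects), here is a small source-audit helper that flags that pattern in a checkout: lines that set CURLOPT_SSL_VERIFYPEER or CURLOPT_SSL_VERIFYHOST (or the pycurl equivalents) to a non-verifying value, and `curl -k`/`--insecure` in scripts. The file names, the snippets it scans and the `Finding`/`scan`/`summarize` names are constructed for this example.

```python
"""Source-audit helper (added example): flag lines that switch off libcurl TLS
certificate verification. The sample snippets below are constructed for this
example and are not taken from the Nest, TCPDF or Collabora code bases."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    lineno: int
    option: str   # which setting was found switched off
    line: str     # the offending source line, stripped


# Values that disable CURLOPT_SSL_VERIFYPEER outright.
_OFF = r"(?:0L?|false|FALSE|False)"
# For CURLOPT_SSL_VERIFYHOST only 2 is the documented "verify" value:
# 0 disables the hostname check and 1 is not a documented "on" value,
# so anything other than 2 is flagged for review.
_NOT_TWO = r"(?:0L?|1L?|false|FALSE|False)"

# (label, regex) pairs: C/C++ and PHP spellings, pycurl, and the curl CLI flag.
_RULES = [
    ("CURLOPT_SSL_VERIFYPEER", re.compile(r"CURLOPT_SSL_VERIFYPEER\s*,\s*" + _OFF + r"\b")),
    ("CURLOPT_SSL_VERIFYHOST", re.compile(r"CURLOPT_SSL_VERIFYHOST\s*,\s*" + _NOT_TWO + r"\b")),
    ("pycurl.SSL_VERIFYPEER", re.compile(r"pycurl\.SSL_VERIFYPEER\s*,\s*(?:0|False)\b")),
    ("pycurl.SSL_VERIFYHOST", re.compile(r"pycurl\.SSL_VERIFYHOST\s*,\s*(?:0|1|False)\b")),
    ("curl --insecure", re.compile(r"\bcurl\b.*\s(?:-k|--insecure)(?:\s|$)")),
]

# Whole-line comments are skipped so commented-out code does not page anyone.
_COMMENT = re.compile(r"^\s*(?://|#|/\*|\*)")


def scan(source: str, path: str = "<inline>") -> list[Finding]:
    """Return one Finding per non-comment line that disables verification."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if _COMMENT.match(line):
            continue
        for label, rx in _RULES:
            if rx.search(line):
                findings.append(Finding(path, lineno, label, line.strip()))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a {path: contents} mapping, e.g. built from os.walk over a checkout."""
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan(text, path))
    return out


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per option, for a quick triage report."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.option] = counts.get(f.option, 0) + 1
    return counts


# Constructed sample inputs (hypothetical file names), one per ecosystem.
SAMPLES = {
    "fetch.c": (
        "CURL *h = curl_easy_init();\n"
        "curl_easy_setopt(h, CURLOPT_URL, url);\n"
        "curl_easy_setopt(h, CURLOPT_SSL_VERIFYPEER, 0L); /* dev box has a self-signed cert */\n"
        "curl_easy_setopt(h, CURLOPT_SSL_VERIFYHOST, 2L);\n"
    ),
    "Client.php": (
        "$ch = curl_init($url);\n"
        "curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);\n"
        "curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);\n"
    ),
    "client.py": (
        "c = pycurl.Curl()\n"
        "c.setopt(pycurl.SSL_VERIFYPEER, 1)\n"
        "c.setopt(pycurl.SSL_VERIFYHOST, 1)  # looks 'on' but is not the verifying value 2\n"
    ),
    "deploy.sh": (
        "curl -k https://internal.example/api\n"
        "curl --cacert internal-ca.pem https://internal.example/api  # the right fix\n"
    ),
}


def demo() -> list[Finding]:
    """Run the audit over the constructed samples."""
    return scan_files(SAMPLES)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}:{f.lineno}: {f.option} disabled: {f.line}")
    print(summarize(demo()))
```

The fix for every hit is the same one Stenberg describes: leave verification at its default and point libcurl at the right trust store (CURLOPT_CAINFO/CURLOPT_CAPATH, or `--cacert` on the command line) instead of turning the check off for a self-signed or expired certificate. The `deploy.sh` sample shows both forms side by side; the scanner flags only the first.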
Published: 2025-02-12T07:00:09+00:00

# A Mirai botnet is attempting exploitation in the wild using a new (at least to us) set of CVEs

Bundle: https://cve.circl.lu/bundle/fa564b90-570e-4019-98ec-06e92280bea5
Author: Cédric Bonhomme (http://cvepremium.circl.lu/user/cedric)

A Mirai botnet is attempting exploitation in the wild using a new set of CVEs, focusing mostly on IoT devices. Includes:
- Tenda CVE-2024-41473
- Draytek CVE-2024-12987
- HuangDou UTCMS V9 CVE-2024-9916
- Totolink CVE-2024-2353 CVE-2024-24328 CVE-2024-24329
- (likely) Four-Faith CVE-2024-9644
Source: The Shadowserver Foundation

Published: 2025-02-12T13:38:55+00:00

# Potential privilege escalation in IDPKI (CVE-2024-39327, CVE-2024-39328, CVE-2024-51505)

Bundle: https://cve.circl.lu/bundle/f7d3e0a5-0b01-4120-b61f-763c0f94f7c7
Author: Cédric Bonhomme (http://cvepremium.circl.lu/user/cedric)

A security assessment of the IDPKI implementation revealed a weakness potentially allowing an operator to exceed their privileges.
During a penetration test of IDPKI, some of the security measures protecting internal communications were found to be potentially circumventable by a highly privileged internal user.
None of these vulnerabilities puts the Certificate Authority (CA) private key at risk.
Eviden analyzed the root cause of the weakness and found two separate vulnerabilities. During validation of the fix, an additional vulnerability of a similar nature was identified, which leverages a race condition to alter an internal automaton state and achieve a system privilege escalation:
* CVE-2024-39327: The vulnerability could allow a CA signature to be obtained illegitimately.
* CVE-2024-39328: Highly trusted role (Config Admin) could exceed their configuration privileges in a multi-partition environment and access some confidential data. Data integrity and availability is not at risk.
* CVE-2024-51505: Highly trusted role (Config Admin) could leverage a race condition to escalate privileges.
* CVE-2024-39327 correction has been validated and published.
* CVE-2024-39328 correction has been validated and published. This vulnerability has no impact in mono-partition nor in SaaS environments.
* CVE-2024-51505: The risk is higher if the earlier fixes are not applied, because a lower-privileged role then suffices to exploit it. A fix is available and published.
Published: 2025-02-18T21:49:43+00:00