Security vulnerabilities are a common occurrence in managing any business’s organizational security. The prompt patching and remediation of any new vulnerabilities are critical to reducing the outside attack surface. Netizen’s Security Operations Center (SOC) has compiled five critical vulnerabilities from December that should be immediately patched or addressed if present in your environment. Detailed writeups below:
CVE-2024-11667
CVE-2024-11667 is a critical directory traversal vulnerability affecting multiple Zyxel firewall product lines. The issue resides in the web management interface of the devices, where improper handling of crafted URLs allows attackers to exploit the flaw to download or upload files without authorization. This vulnerability affects the ATP series firmware versions V5.00 through V5.38, USG FLEX series firmware versions V5.00 through V5.38, USG FLEX 50(W) series firmware versions V5.10 through V5.38, and USG20(W)-VPN series firmware versions V5.10 through V5.38.
The vulnerability is particularly dangerous as it requires no authentication or user interaction to exploit, making it easily accessible to remote attackers. By sending specially crafted URLs to the vulnerable interface, attackers can manipulate the file system of the device, potentially retrieving sensitive files or uploading malicious content. This could lead to unauthorized access, compromise of the device, or further attacks such as malware deployment or lateral movement within the network. The vulnerability poses a severe risk to the confidentiality, integrity, and availability of the affected systems and networks they protect.
The severity of this vulnerability is highlighted by its CVSS v2 base score of 10.0 and CVSS v3 base score of 9.8, categorizing it as critical. Zyxel has addressed this issue by releasing security updates, and users are strongly encouraged to update their firmware to the latest available version as detailed in the company’s advisory. Additionally, restricting access to the web management interface to trusted IP addresses and disabling the interface if not actively in use can help mitigate potential exploitation. Administrators are also advised to monitor device logs for any signs of unauthorized access or suspicious activities.
Further details about this vulnerability and mitigation steps are available in several resources, including the Zyxel Security Advisory and reports from SecurityWeek and SecurityAffairs. Users should prioritize applying the recommended patches and implementing best practices to secure their systems against this exploit.
CVE-2024-49138
CVE-2024-49138 is a high-severity vulnerability found in the Windows Common Log File System (CLFS) Driver. It allows an attacker to escalate privileges on an affected system. This vulnerability is particularly concerning because it has been exploited as a zero-day in the wild, making immediate remediation critical. The flaw could enable an attacker to execute code with elevated privileges, potentially leading to full system compromise.
This vulnerability has been addressed as part of Microsoft’s December 2024 Patch Tuesday updates, which included fixes for 70 CVEs, 16 of which were rated critical. Given the active exploitation of CVE-2024-49138, it is highly recommended that organizations prioritize deploying the relevant patches to mitigate the risk of further exploitation. The vulnerability is rated with a CVSS v2 base score of 6.8 and a CVSS v3 base score of 7.8, reflecting the potential for significant impact if exploited.
Administrators should ensure their systems are updated with the latest security patches released by Microsoft. In addition, monitoring for unusual activity, especially in relation to CLFS operations, may help detect exploitation attempts. Further information and guidance are available on the Microsoft Security Response Center website, the Tenable blog, and other security advisories, which provide detailed recommendations for protecting systems against this and related vulnerabilities.
CVE-2024-20767
CVE-2024-20767 is a high-severity vulnerability affecting Adobe ColdFusion versions 2023.6, 2021.12, and earlier. This flaw stems from improper access control, which allows attackers to perform arbitrary file system reads. Exploitation could enable unauthorized access or modification of restricted files. Crucially, this vulnerability can be exploited without requiring user interaction but does require the ColdFusion admin panel to be exposed to the internet.
Adobe has issued patches to address this issue, and administrators are strongly advised to update affected ColdFusion installations immediately. The vulnerability is rated with a CVSS v3 base score of 7.4, indicating the potential for significant impact, particularly in environments where the ColdFusion admin interface is accessible externally.
Organizations should verify that their ColdFusion installations are updated to the latest secure versions and ensure that the admin panel is not exposed to the internet unless absolutely necessary. Additional security measures, such as firewall rules and IP whitelisting, can further reduce the risk of exploitation.
More details about this vulnerability, along with remediation steps, can be found in the Adobe security bulletin and advisories from cybersecurity organizations like CISA. The exploitation of this vulnerability highlights the importance of regularly reviewing and securing administrative interfaces to prevent unauthorized access.
CVE-2024-35250
CVE-2024-35250 is a high-severity vulnerability in the Windows Kernel-Mode Driver that enables attackers to escalate privileges to the System level. First addressed by Microsoft in June 2024, this flaw has been actively exploited, earning a place on CISA’s Known Exploited Vulnerabilities (KEV) catalog, with federal agencies instructed to mitigate it by January 2025. The vulnerability, a local privilege escalation issue, requires an attacker to have initial access to a target system for exploitation.
The vulnerability gained significant attention during its disclosure by DevCore researchers, who were credited for responsibly reporting the issue to Microsoft. It was also exploited during the Pwn2Own Vancouver 2024 hacking competition, where the team demonstrated an effective exploit and secured a $30,000 prize. A proof-of-concept (PoC) exploit surfaced in October, increasing the urgency for organizations to apply the provided patch.
While exploitation requires local access, the potential consequences of this flaw are severe, as attackers can achieve full system-level control. Organizations are strongly advised to verify that the vulnerability has been patched in their environments and to enforce robust access controls to limit the potential for initial compromise.
This issue is often discussed alongside critical vulnerability, CVE-2024-20767, which affects Adobe ColdFusion. That vulnerability allows arbitrary file system reads and has been actively exploited. Both vulnerabilities underscore the critical need for timely patch management and proactive monitoring to mitigate risks associated with known exploits.
CVE-2024-49122
CVE-2024-49122 is a critical remote code execution (RCE) vulnerability in Microsoft Message Queuing (MSMQ), a messaging protocol used by many Microsoft services and applications. This flaw was addressed in the December 2024 Patch Tuesday updates, which included fixes for numerous vulnerabilities across Microsoft products.
The vulnerability allows attackers to exploit MSMQ by sending specially crafted messages to a vulnerable server, leading to the execution of arbitrary code with the same privileges as the system’s user. With a CVSS v3 base score of 8.1, CVE-2024-49122 is considered highly critical, especially in environments where MSMQ is exposed to the internet or is accessible by malicious actors within an internal network. Successful exploitation could lead to system compromise, data loss, or disruption of services.
Microsoft has issued a patch to mitigate the risk associated with CVE-2024-49122, and organizations are strongly advised to apply it immediately. As this vulnerability is classified as a high-risk threat, attackers could exploit it to execute arbitrary code, potentially compromising the integrity of sensitive systems or data. Given the high severity and ease of exploitation, patching this vulnerability is crucial for maintaining the security of affected systems.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time –
https://www.netizen.net/contact