
Tag

#rce

Venom Spider Spins Web of New Malware for MaaS Platform

A novel backdoor malware and a loader that customizes payload names for each victim have been added to the threat group's cybercriminal tool set.

DARKReading

Acronis Cyber Protect/Backup Remote Code Execution

The Acronis Cyber Protect appliance, in its default configuration, allows the anonymous registration of new protect/backup agents on new endpoints. This API endpoint also generates bearer tokens, which the agent then uses to authenticate to the appliance. Because the management web console runs on the same port as the API for the agents, this bearer token is also valid for any action on the web console. This allows an attacker with network access to the appliance to start the registration of a new agent and retrieve a bearer token that provides admin access to the available functions in the web console. The web console offers multiple ways to execute arbitrary commands on both the agents (e.g., via PreCommands for a backup) and the appliance (e.g., via a Validation job on the agent of the appliance). These options can easily be set with the provided bearer token, which leads to a complete compromise of all agents and the appliance itself.

Fortinet FortiManager Unauthenticated Remote Code Execution

This Metasploit module exploits a missing authentication vulnerability affecting FortiManager and FortiManager Cloud devices to achieve unauthenticated RCE with root privileges. The vulnerable FortiManager versions are 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.7, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, and 6.2.0 through 6.2.12. The vulnerable FortiManager Cloud versions are 7.4.1 through 7.4.4, 7.2.1 through 7.2.7, 7.0.1 through 7.0.12, and 6.4 (all versions).

Asterisk AMI Originate Authenticated Remote Code Execution

On Asterisk, prior to versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2, an AMI user with write=originate may change all configuration files in the /etc/asterisk/ directory. A new extension can be written that performs a system command to achieve RCE as the asterisk service user (typically asterisk). The default parking lot in FreePBX is called "Default lot" on the website interface; however, it is actually parkedcalls. Tested against Asterisk 19.8.0 and 18.16.0 on FreePBX SNG7-PBX16-64bit-2302-1.

ICONICS and Mitsubishi Electric GENESIS64 Products

1. EXECUTIVE SUMMARY

- CVSS v4 8.5
- ATTENTION: Low attack complexity
- Vendor: ICONICS, Mitsubishi Electric
- Equipment: ICONICS GENESIS64 Product Suite and Mitsubishi Electric MC Works64
- Vulnerabilities: Uncontrolled Search Path Element, Dead Code

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

ICONICS reports that the following versions of ICONICS and Mitsubishi Electric products are affected:

- GENESIS64 AlarmWorX Multimedia (AlarmWorX64 MMX): Versions prior to 10.97.3 (CVE-2024-8299 and CVE-2024-9852)
- GENESIS64: Version 10.97.2, 10.97.2 CFR1, 10.97.2 CFR2, and 10.97.3 (CVE-2024-8300)
- Mitsubishi Electric MC Works64: all versions (CVE-2024-8299, CVE-2024-9852)

3.2 Vulnerability Overview

3.2.1 Uncontrolled Search Path Element CWE-427

An uncontrolled search path element in the AlarmWorX64 MMX Phone agent can provide the potential for DLL hijacking and malicious code execution. CVE-202...

NachoVPN Tool Exploits Flaws in Popular VPN Clients for System Compromise

Cybersecurity researchers have disclosed a set of flaws impacting Palo Alto Networks and SonicWall virtual private network (VPN) clients that could be potentially exploited to gain remote code execution on Windows and macOS systems. "By targeting the implicit trust VPN clients place in servers, attackers can manipulate client behaviours, execute arbitrary commands, and gain high levels of access

SmokeLoader Malware Exploits MS Office Flaws to Steal Browser Credentials

SmokeLoader malware has resurfaced with enhanced capabilities and functionalities, targeting your personal data.

Red Hat Security Advisory 2024-10666-03

Red Hat Security Advisory 2024-10666-03 - An update for the gimp:2.8.22 module is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support. Issues addressed include a buffer overflow vulnerability.

GHSA-hjwq-mjwj-4x6c: @intlify/shared Prototype Pollution vulnerability

**Vulnerability type: Prototype Pollution**

**Affected Package:**

- Product: @intlify/shared
- Version: 10.0.4

**Vulnerability Location(s):** `node_modules/@intlify/shared/dist/shared.cjs:232:26`

**Description:** The latest version of `@intlify/shared (10.0.4)` is vulnerable to Prototype Pollution through the entry function(s) `lib.deepCopy`. An attacker can supply a payload with an `Object.prototype` setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) as the minimum consequence. Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., exec, eval), it could enable an attacker to execute arbitrary commands within the application's context.

**PoC:**

```bash
// install the package with the latest version
~$ npm install @intlify/shared@10.0.4
// run t...
```

GHSA-4cx5-89vm-833x: veraPDF CLI has potential XXE (XML External Entity Injection) vulnerability

### Impact

Executing policy checks using custom schematron files via the CLI invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability.

### Patches

We are currently working on a patch that will be released when ready.

### Workarounds

This doesn't affect the standard validation and policy checks functionality, veraPDF's common use cases. Most veraPDF users don't insert any custom XSLT code into policy profiles, which are based on Schematron syntax rather than direct XSL transforms. For users who do, only load custom policy files from sources you trust.

### References

Original issue: #1488