TeamPass before 3.1.3.1 does not properly check whether a mail_me (aka action_mail) operation is on behalf of an administrator or manager.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-7rm3-4w6j-8xx4: TeamPass mail_me operation authorization issue

TeamPass before 3.1.3.1 does not properly prevent a user from acting with the privileges of a different user_id.

GHSA-9wmc-988h-2mv2: TeamPass privileges issue

The ABB Cylon Aspect BMS/BAS controller suffers from an unauthenticated shell command execution vulnerability through the deployStart.php script. This allows any user to trigger the execution of 'rundeploy.sh' script, which initializes the Java deployment server that sets various configurations, potentially causing unauthorized server initialization and performance issues.

Title: ABB Cylon Aspect 3.08.02 (deployStart.php) Unauthenticated Command Execution  
Advisory ID: ZSL-2024-5891  
Type: Local/Remote  
Impact: Security Bypass, DoS  
Risk: (5/5)  
Release Date: 30.12.2024

**Summary**

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

**Description**

The ABB Cylon Aspect BMS/BAS controller suffers from an unauthenticated shell command execution vulnerability through the deployStart.php script. This allows any user to trigger the execution of 'rundeploy.sh' script, which initializes the Java deployment server that sets various configurations, potentially causing unauthorized server initialization and performance issues.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
Firmware: <=3.08.02

**Tested On**

GNU/Linux 3.15.10 (armv7l)  
GNU/Linux 3.10.0 (x86\_64)  
GNU/Linux 2.6.32 (x86\_64)  
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
PHP/7.3.11  
PHP/5.6.30  
PHP/5.4.16  
PHP/4.4.8  
PHP/5.3.3  
AspectFT Automation Application Server  
lighttpd/1.4.32  
lighttpd/1.4.18  
Apache/2.2.15 (CentOS)  
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86\_64)  
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)  
ErgoTech MIX Deployment Server 2.0.0

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[03.12.2024\] Vendor releases version 3.08.03 to address this issue.  
\[30.12.2024\] Coordinated public security advisory released.

**PoC**

abb\_aspect\_rce19.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch  
\[2\] https://www.cve.org/CVERecord?id=CVE-2024-48840  
\[3\] https://packetstorm.news/files/id/183307/

**Changelog**

\[30.12.2024\] - Initial release  
\[02.01.2025\] - Added reference \[3\]

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ABB Cylon Aspect 3.08.02 (deployStart.php) Unauthenticated Command Execution

Cyber insurance should augment your cybersecurity strategy — not replace it.

Source: Mungkhood Studio via Shutterstock

COMMENTARY

Cybersecurity insurance is the fastest-growing segment of the global insurance market, and there's a good reason for that. Cybersecurity has become one of the most critical requirements for organizations of all types — from small business to large corporation — as cyber threats remain constant. 

Unsurprisingly, cyber-insurance rates increased substantially from 2018 to 2022. Though overall cyber-insurance premiums began to decrease in 2023, many organizations are still seeing their rates rise.

**Costs Are Increasing — for Those Able to Get Insured**

The cyber-insurance industry is maturing just as quickly as cyber threats are growing in quantity, scale, and sophistication. As payouts and annual premiums increase, coverage limits are becoming more restrictive.

In a 2023 survey of US organizations, "79% saw insurance costs increase, with 67% facing an increase of 50-100%." Smaller companies, with fewer than 250 employees, were more likely to be denied coverage than large businesses (28% versus 8%). The primary reason small businesses were rejected was their lack of security protocols.

The good news is that the work you do to strengthen your organization's overall security posture and identity hygiene is also the work that will satisfy many of the compliance requirements underwriters are looking for — resulting in better security protections and better insurance coverage and premiums.

**Tips to Ensure Affordable Cybersecurity Protection**

Self-assess: To help with the process, proactively self-assess your risk profile and ask yourself the hard questions before the underwriters do. Conduct a thorough self-assessment of your current cybersecurity posture, identifying strengths and weaknesses.

This process has two main benefits: 

1.  It gives you a clear picture of where you stand now. 
    
2.  It guides you to evaluate policy options that will cover your specific risks.
    

Don't underestimate risks: Make sure not to underestimate your company's or industry's risks. Everyone is vulnerable to cyberattacks, not just traditional high-risk sectors such as financial services. In recent years, we've seen cyber incidents across many verticals, including healthcare, energy, and retail.

Insurance providers categorize rates based on industry-specific risks, comparing you to your peers in the process. Understand your sector's unique vulnerabilities — even if you haven't had to worry about them in the past—and be prepared to demonstrate how you're addressing them. 

Know your coverage limits: That leads me to my next piece of advice — understand your coverage limits. Thoroughly review the limits, sublimits, and exclusions in your policy. Pay close attention to what the coverage provides in terms of the full scope of potential losses, including third-party liabilities and regulatory fines. You can often negotiate terms, including specific clauses and deductibles, during the process.

Not all policies are the same. Many insurance providers focus on particular verticals or demographics. They each have different views of risk and leverage a range of data points to make their decisions. Do your research on individual providers to find the best fit for your organization so regularly review your policy. The threat landscape is always changing, and the coverage you need may evolve along with it. Conduct periodic reviews of your policy well ahead of your renewal term date to make sure it is still meeting your needs.

Understand your requirements: It's important to pay attention to the compliance requirements. Many policies explicitly call out compliance requirements. Failing to meet these standards can result in having your claims denied. Carefully assess your policy's requirements to verify that you are fulfilling them.

When engaging with insurance providers, be ready to show your work. Demonstrate the effectiveness of your security controls, particularly those related to identity hygiene. If you're renewing your policy, show how you've matured your approach to cyber-risk since your last assessment. What tangible improvements have you made? What products are you using to automate processes?

Focus on areas that underwriters prioritize, such as privileged access management and credential protection. Quantify your progress by highlighting reductions in accounts with administrative access or new requirements for regular password updates. Providers are looking for year-over-year maturity — moving from ad hoc, manual approaches to clean, consistent, automated, and sustainable hygiene practices. Be sure that you are getting full credit for your hard work.

**Conclusion**

As cyber threats continue to evolve, so must our approach to mitigating them. Bolster your cybersecurity posture in a holistic manner — self-assessing your risk profile, addressing vulnerabilities, and striving for continuous improvement — and you can better safeguard your organization against threats and control your cyber-insurance costs.

Prepare for increasingly rigorous risk assessments from providers moving forward. Underwriters now have access to extensive data about cyber threats and protections. Expect them to ask more granular questions and do deeper inspections into the efficacy of controls, especially those around identity-related risks, such as privileged access and credential theft. Anticipate their questions, and be prepared with comprehensive, up-to-date answers.

Cyber insurance should augment your cybersecurity strategy, not replace it. Prioritize implementing robust, ongoing cyber practices that protect your organization.

**About the Author**

CEO & Founder, SPHERE

Rita Gurevich is the CEO and founder of SPHERE, leading the strategic growth and vision for the organization.

Rita began her career at Lehman Brothers and helped oversee the distribution of technology assets after their bankruptcy in 2008. From this, Rita gained a deep understanding in analyzing identities, data platforms, and overall application and system landscape that had to be distributed across all the buying entities. At the same time, the enhanced regulatory environment focusing on protecting data from misuse, forced large enterprises to manage and control access more proactively across their on-premises and cloud environments.

With this knowledge, Gurevich founded SPHERE, an identity hygiene organization that provides critical discovery, security and compliance solutions centered around identity security and access control problems that organizations face. The company has developed a repeatable and effective approach to automating the discovery, remediation, and management of access controls across any scope. Rita has overseen the growth of SPHERE into a leading software company providing its clients with the only end-to-end identity hygiene solution available today.

How to Get the Most Out of Cyber Insurance

The ABB Cylon controller suffers from an authenticated path traversal vulnerability. This can be exploited through the 'devName' POST parameter in the ethernetUpdate.php script to write partially controlled content, such as IP address values, into arbitrary file paths, potentially leading to configuration tampering and system compromise including denial of service scenario through ethernet configuration backup file overwrite.

ABB Cylon Aspect 3.08.02 (ethernetUpdate.php) Authenticated Path Traversal

Title: ABB Cylon Aspect 3.08.02 (ethernetUpdate.php) Authenticated Path Traversal  
Advisory ID: ZSL-2024-5890  
Type: Local/Remote  
Impact: Manipulation of Data, DoS, Security Bypass  
Risk: (4/5)  
Release Date: 30.12.2024

**Summary**

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

**Description**

The ABB Cylon controller suffers from an authenticated path traversal vulnerability. This can be exploited through the 'devName' POST parameter in the ethernetUpdate.php script to write partially controlled content, such as IP address values, into arbitrary file paths, potentially leading to configuration tampering and system compromise including denial of service scenario through ethernet configuration backup file overwrite.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
Firmware: <=3.08.02

**Tested On**

GNU/Linux 3.15.10 (armv7l)  
GNU/Linux 3.10.0 (x86\_64)  
GNU/Linux 2.6.32 (x86\_64)  
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
PHP/7.3.11  
PHP/5.6.30  
PHP/5.4.16  
PHP/4.4.8  
PHP/5.3.3  
AspectFT Automation Application Server  
lighttpd/1.4.32  
lighttpd/1.4.18  
Apache/2.2.15 (CentOS)  
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86\_64)  
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)  
ErgoTech MIX Deployment Server 2.0.0

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[03.12.2024\] Vendor releases version 3.08.03 to address this issue.  
\[30.12.2024\] Public security advisory released.

**PoC**

abb\_aspect\_dir2.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch  
\[2\] https://packetstorm.news/files/id/183306/

**Changelog**

\[30.12.2024\] - Initial release  
\[02.01.2025\] - Added reference \[2\]

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Proactive defenses, cross-sector collaboration, and resilience are key to combating increasingly sophisticated threats.

Source: Artur Szczybylo via Alamy Stock Photo

From the growing sophistication of zero-day exploits to the entrenchment of nation-state and cybercriminal alliances, 2024 delivered more evidence of how quickly the threat landscape continues to evolve. The year reinforced hard truths about the persistence of attackers and the systemic challenges of defense. We look back on some of the events that defined 2024 and the tactical insights that security teams can apply to stay ahead in the ongoing battle in 2025.

**Surging Zero-Day Exploits and Nation-State Collaboration**

Threat researchers continued to see a year-over-year increase of zero days. Recent analysis by Mandiant of 138 vulnerabilities that were disclosed in 2023 found the majority (97) were exploited as zero-days — an increase from 2022. Tom Kellermann, senior vice president of cyber strategy at Contrast Security, expects that number to increase in 2024.

The growth is a direct result of geopolitical tensions, he says. Nation-state actors, particularly China, are exploiting these types of vulnerabilities at unprecedented rates.

"The Chinese specifically have been doing tremendous research into exploiting zero-days and discovering them," Kellermann says. "I think everyone's kind of on their back foot when dealing with this because traditional cybersecurity defenses can't thwart those attacks."

The rise in these kinds of attacks includes a new trend in 2024: collaboration or coordination between nation-states and cybercrime rings, says Stephan Jou, senior director of security analytics at OpenText Cybersecurity.

"In this model, an attack with nation-state characteristics is launched at the same time, or followed closely by, an attack on the same target by an independent for-profit threat actor. Russia, for example, has been seen to collaborate with malware-as-a-service gangs, including Killnet, LokiBot, Gumblar, Pony Loader, and Amadey. China has entered similar relationships with the Storm-0558 and Red Relay cybercrime rings, typically to support its geopolitical agenda in the South China Sea."

Chester Wisniewski, global field CTO at Sophos, says China-sponsored attackers have developed assembly-line zero-day exploits shared through state-mandated disclosure laws. Attackers initially used zero-days in targeted attacks, then escalated them to widespread exploitation to cover their tracks. Proactive patch management and collaboration between vendors and organizations to mitigate threats is critical, he says.

"The real problem is this accumulation of stuff that's not getting patched," Wisniewski says. "We just keep launching more equipment out there onto the Internet. And it's getting more and more polluted, and nobody's responsible for taking care of it."

Jou agrees and says the lesson here is that defense against even sophisticated attacks comes back to the same basics: patch management, endpoint protection, email security, awareness training, and backup and disaster recovery planning.

"By ensuring that these unglamorous but essential best practices are in place, security teams can rob threat actors of many of their favorite tactics to abuse networks and businesses," he says.

**Resiliency Planning Needs More Focus**

Ransomware attacks in 2024 highlighted the fragility of supply chains and business continuity. Ransomware operators are now targeting service providers and supply chain networks, Wisniewski says. A cyberattack on Ahold Delhaize, the parent company of major US supermarket chains, including Stop & Shop, Hannaford, Food Lion, and Giant Food, disrupted services across its network in November, impacting more than 2,000 stores. For several days, customers had issues with online grocery delivery, offline websites, and limited pharmacy services.

Improving business continuity strategies to include modern segmentation tools can help minimize operational disruptions during incidents, Wisniewski says.

"When one part of a supply chain goes down, it impacts thousands of businesses," he says. "This amplifies the economic and operational pressure to comply with attackers' demands. You can't plan never to fail, but you can plan to fail gracefully."

Another headline-making business continuity incident this year was the CrowdStrike outage. In July, the company released a faulty software update that affected approximately 8.5 million devices running the Windows operating system. The glitch triggered widespread system crashes that resulted in multiple disruptions, particularly in the travel industry. Delta Air Lines was forced to cancel thousands of flights due to system disruptions. 

The event dominated news cycles for several days. In its wake, analysts pointed to the critical need for better process adherence and visibility. But Dror Liwer, cofounder of Coro, says it also highlights a need for security leaders to  effectively communicate with diverse stakeholders — whether technical teams, business executives, or external parties — when managing the fallout of a large-scale incident.

**Critical Infrastructure Is a Growing Target**

Attacks on critical infrastructure reached new levels in 2024. In September, the Cybersecurity and Infrastructure Security Agency (CISA) issued a notice that government-run water systems were at risk of attack by nation-states after officials reported a cybersecurity issue at a facility in Arkansas City, Kansas, which was forced to switch to manual operations while the situation was resolved.

Barry Mainz, CEO of Forescout, says cyberattacks are evolving to target critical services, like municipal water authorities and airport landing systems. This year made it clear that attackers are shifting their focus from well-protected facilities to more vulnerable upstream systems, like water supplies and power grids, he says.

"If you just zoom out a bit and look at where the vulnerabilities are, the bad actors are saying, 'Well, it's a lot harder now since people are spending money to secure certain IT functions. We're going to go down the food chain a little bit,'" Mainz says.

One of the key challenges in securing critical infrastructure is the inherent complexity of operational environments. Many industrial systems operate using legacy equipment that was never designed with cybersecurity in mind. In addition, there is often a lack of visibility into connected devices within these environments, which can make detecting threats extremely difficult.

"I think the lesson is we've got to invest in a cybersecurity strategy for not only IT systems but \[operational technology\] systems," Mainz says. "And also we need to think structurally about how we manage those systems because the people that actually manage those OT systems, they're not IT professionals.”

A better approach, he says, involves adopting advanced monitoring and threat detection tools as well as fostering collaboration between IT and OT teams. By breaking down silos and improving communication, organizations can better address the unique security requirements of critical infrastructure. Mainz pointed to the importance of government and private-sector partnerships in bolstering defenses.

**Telecom Can't Be Trusted**

We wrap up 2024 with news that Salt Typhoon, a cyber-espionage group allegedly linked to the Chinese government, has successfully infiltrated telecommunications networks in multiple countries. In the US alone, FBI officials say at least eight major telecom companies, including AT&T, Verizon, and Lumen Technologies, were compromised. The group gained access to sensitive data, such as call logs, unencrypted text messages, and, in some cases, live call audio. The FBI recommended that Americans use encrypted messaging apps, like Signal and WhatsApp, to ensure their communications stay hidden.

The ongoing issues around nation-state attackers and their use of telecom is one of his biggest worries heading into 2025, Kellermann says. He also points to T-Mobile's acquisition of Sprint in 2020, which he says is concerning because "Sprint used to be the classified backbone network of the US government." This means that if there are security vulnerabilities within T-Mobile's infrastructure, they could potentially compromise sensitive government communications or systems that were part of Sprint's legacy network. 

"I think the people are ignoring that and are not paying attention fully," he says.

**About the Author**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

What Security Lessons Did We Learn in 2024?

SUMMARY A recent report from the German news outlet Spiegel has revealed a significant security breach impacting hundreds…

****SUMMARY****

*   Sensitive data for 800,000 Volkswagen Group EVs was exposed on an unsecured cloud server.

*   The data leak, discovered by a whistle-blower, included GPS data and vehicle status, enabling owner tracking.

*   Affected users included politicians, police, and intelligence employees, with most vehicles in Europe.

*   The data leak revealed personal routines and locations, posing serious privacy risks.

*   The issue stemmed from Cariad’s system misconfiguration, which has since been addressed.

A recent report from the German news outlet Spiegel has revealed a significant security breach impacting hundreds of thousands of Volkswagen Group electric vehicle owners. The investigation found that sensitive location data for 800,000 vehicles, including those from Volkswagen, Audi, SEAT, and Skoda, was left exposed on an unsecured cloud server for months. 

The vulnerability was discovered by an anonymous whistle-blower and reported to the Chaos Computer Club (CCC), a prominent European hacker association. The exposure included personal data, including GPS coordinates and vehicle status, including detailed information about VW ID.3 and ID.4 owners stored on an unsecured Amazon cloud server. This allowed anyone with the right know-how to track the movements and habits of affected owners. 

https://berlin-ak.ftp.media.ccc.de//congress/2024/h264-hd/38c3-598-deu-Wir\_wissen\_wo\_dein\_Auto\_steht\_-\_Volksdaten\_von\_Volkswagen.mp4

Reportedly, the impacted EVs were located worldwide with the majority found in Germany and other parts of Europe. The affected owners not just include ordinary citizens but also prominent figures like German politicians, police officers, and even suspected intelligence service employees just like in October 2023 when a third-party contractor exposed over 500,000 Irish Police vehicle seizure records.  

This exposure extended far beyond simple vehicle location tracking. By linking vehicle data with other personal information, the researchers were able to gain unprecedented insights into the daily lives of affected owners.

For example, according to Spiegel’s report, it was able to track the movements of two German politicians with alarming precision, pinpointing their locations at various locations including a retirement home and military barracks, and profiling a mayor with her car tracking her movements from her work to her physical therapist.

That’s not all! Spiegel discovered terabytes of data on Amazon cloud storage, including the precise location of 460,000 vehicles, which could reveal crucial details of their owners. Moreover, the data also included information about the Hamburg police department’s electric cars, politicians, business leaders, Federal Intelligent Services employees, and the US Air Force’s Ramstein Air Base drivers.

The root of this security failure lies within Cariad, the Volkswagen Group’s software division. The company confirmed that a misconfiguration within their systems allowed unauthorized access to the sensitive data.

While Cariad insists that no financial or personally identifiable information was compromised, the potential for misuse of the exposed location data remains a significant threat. Cybercriminals could exploit this information for a variety of malicious purposes, including targeted stalking, blackmail, and even physical attacks.  

The CCC promptly contacted Lower Saxony’s State Data Protection Officer, Federal Ministry of the Interior, and other security bodies, and gave VW Group and Cariad 30 days to address the issue before going public. Cariad’s technical team promptly and responsibly blocked unauthorized access to customer data.

1.  **Cicada3301 Ransomware Hits French Peugeot Dealership**
2.  **Fuel Industry Software Provider Exposes SSNs and PII Data**
3.  **Builder.ai Database Exposes 1.29 TB of Unsecured Records**
4.  **Microsoft Power Pages Expose Millions of Records Globally**
5.  **13GB Data of Automobile Insurance Giant AA Exposed Online**

Exposed Cloud Server Tracks 800,000 Volkswagen, Audi, and Skoda EVs

SUMMARY: VulnCheck has discovered a critical new vulnerability (CVE-2024-12856) affecting Four-Faith industrial routers (F3x24 and F3x36), with evidence…

****SUMMARY:****

*   **Vulnerability**: CVE-2024-12856 impacts Four-Faith routers (models F3x24 and F3x36), allowing remote code execution.

*   **Exploit Path**: Attackers use the /apply.cgi endpoint to exploit the adj_time_year parameter.

*   **Risk**: Over 15,000 devices with default credentials are at high risk.

*   **Impact**: Exploits enable malware installation, data theft, and network disruption.

*   **Fix**: Update firmware, change default credentials, and use Suricata rules for detection.

VulnCheck has discovered a critical new vulnerability (CVE-2024-12856) affecting Four-Faith industrial routers (F3x24 and F3x36), with evidence of active exploitation in the wild. This, as per the company, is a post-authentication flaw vulnerability that allows attackers to remotely execute commands on vulnerable devices by exploiting a weakness in the router’s system time adjustment functionality.

“The attack can be conducted against, at least, the Four-Faith F3x24 and F3x36 over HTTP using the /apply.cgi endpoint. Censys finds approximately 15,000 internet-facing devices,” VulnCheck researcher Jacob Baines wrote in the blog post shared with Hackread.com.

As per the investigation from the VulnCheck Initial Access team, the attack specifically targets the /apply.cgi endpoint, which allows for system configuration changes. By manipulating the adj\_time\_year parameter (responsible for modifying the router’s system time) within a POST request, attackers can inject malicious commands.

This bypasses authentication as the attack leverages the router’s default credentials. However, this vulnerability should not be confused with CVE-2019-12168 even though both flow through the same apply.cgi endpoint, Baines noted.

In addition, VulnCheck observed exploitation attempts originating from the IP address 178.215.23891. The firmware version’s default credentials could potentially escalate the vulnerability into an unauthenticated and remote OS command execution issue if not altered.

Furthermore, another research blog published in November 2024 also documented the exploitation of this vulnerability, with the observed User-Agent matching the User-Agent VulnCheck observed, although with a different payload, corroborating VulnCheck’s findings.

Successful exploitation allows attackers to execute remote code on a router, install malware, steal sensitive data, disrupt network operations, and use the router as a launch point for further attacks.

To mitigate this threat, VulnCheck has provided a Suricata rule to detect exploitation attempts on the network. This rule monitors HTTP traffic, specifically looking for POST requests to /apply.cgi with the adjust\_sys\_time parameter and suspicious patterns in the adj\_time\_year field.

VulnCheck has also responsibly disclosed this vulnerability to Four-Faith and its customers. Users are advised to contact Four-Faith directly for information on patches, affected models, and firmware versions.

Routers, responsible for directing internet traffic, are often overlooked in security measures, making them easy targets for cybercriminals. The prevalence of default passwords and outdated firmware creates a significant security risk, as they often contain unpatched vulnerabilities. 

Recently, Censys uncovered 14 critical vulnerabilities in DrayTek Vigor routers, including a buffer overflow and OS command injection flaw. Now the discovery of vulnerability in Four-Faith routers further shows the need for improved security measures to protect routers and their users.

1.  **New Botnets Exploit Old D-Link Router for DDoS Attacks**
2.  **Condi DDoS Botnet Targets Vulnerable TP-Link AX21 Routers**
3.  **FBI: Hackers Target Ubiquiti Routers for Data, Botnet Creation**
4.  **ASUS, NordVPN Partner to Integrate VPN Service into Routers**
5.  **6,000 Asus Routers Hacked in 72 Hours by** **TheMoon Malware**

Tag

#vulnerability