CVE-2022-40684: Remote Authentication Bypass Vulnerability in Fortinet Firewalls, Web Proxies

Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too. On October 3, 2022, Fortinet released a software update that indicates then-current versions of their FortiOS firewall and FortiProxy web proxy software are vulnerable to CVE-2022-4068...

Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange

In recent weeks, there has been quite a lot of reporting on the exploitation of the latest disclosed vulnerabilities in Microsoft’s Exchange Server by an attacker referred to as HAFNIUM. One of the major reasons these latest vulnerabilities are so dangerous and appealing to attackers is that they...

Analyzing the Attack Landscape: Rapid7’s 2021 Vulnerability Intelligence Report

Every year, our research team at Rapid7 analyzes thousands of vulnerabilities to understand root causes, dispel misconceptions, and explain why some flaws are more likely to be exploited than others. By continuously reviewing the vulnerability landscape and sharing our research team’s insights, w...

Driver-Based Attacks: Past and Present

"People that write Ring 0 code and write it badly are a danger to society." - Mickey Shkatov There is no security boundary between an administrator and the Windows kernel, according to the Microsoft Security Servicing Criteria for Windows. In our analysis of CVE-2021-21551, a write-what-where...

Widespread Exploitation of VMware Workspace ONE Access CVE-2022-22954

On April 6, 2022, VMware published VMSA-2022-0011, which detailed multiple security vulnerabilities. The most severe of these is CVE-2022-22954, a critical remote code execution vulnerability affecting VMware’s Workspace ONE Access and Identity Manager solutions. The vulnerability arises from a...

Active Exploitation of Multiple Vulnerabilities in Zimbra Collaboration Suite

Over the past few weeks, five different vulnerabilities affecting Zimbra Collaboration Suite have come to our attention, one of which is unpatched, and four of which are being actively and widely exploited in the wild by well-organized threat actors. We urge organizations who use Zimbra to patch ...

CVE-2022-42889: Keep Calm and Stop Saying "4Shell"

UPDATE 10/18/22: A previous version of this blog indicated that five JDK versions JDK 15+ were not impacted due to the exclusion of the Nashorn JavaScript engine. However, an updated PoC came out that uses the JEXL engine as an exploit path. If JEXL is present, the code executes successfully, so...

Rapid7’s InsightIDR Enables Detection And Response to Microsoft Exchange Zero-Day

Starting February 27, 2021, Rapid7 has observed a notable increase in the exploitation of Microsoft Exchange through existing detections in InsightIDR’s Attacker Behavior Analytics ABA. The Managed Detection and Response MDR identified multiple, related compromises in the past 72 hours. In most...

CVE-2022-3786 and CVE-2022-3602: Two High-Severity Buffer Overflow Vulnerabilities in OpenSSL Fixed

The Rapid7 research team will update this blog post as we learn more details about this vulnerability and its attack surface area. The OpenSSL project released version 3.0.7 on November 1, 2022, to address CVE-2022-3786 and CVE-2022-3602, two high-severity vulnerabilities affecting OpenSSL’s 3.0....

Metasploit Wrap-Up

VMware Workspace ONE Access RCE Community contributor wvu has developed a new Metasploit Module which exploits CVE-2022-22954, an unauthenticated server-side template injection SSTI in VMware Workspace ONE Access, to execute shell commands as the ‘horizon’ user. This module has a CVSSv3 base scor...

Conti Ransomware Group Internal Chats Leaked Over Russia-Ukraine Conflict

UPDATE: As of March 2, 2022, Conti began taking down exposed infrastructure as a result of the chat disclosure. At that time, we assessed that due to their sophisticated capability, deep funding, and quick recovery from exposed infrastructure in November 2021, they remained an active and...

NICER Protocol Deep Dive: Internet Exposure of Remote Desktop (RDP)

Welcome to the NICER Protocol Deep Dive blog series! When we started researching what all was out on the internet way back in January, we had no idea we'd end up with a hefty, 137-page tome of a research report. The sheer length of such a thing might put off folks who might otherwise learn a thin...

CVE-2022-36804: Easily Exploitable Vulnerability in Atlassian Bitbucket Server and Data Center

On August 24, 2022, Atlassian published an advisory for Bitbucket Server and Data Center alerting users to CVE-2022-36804. The advisory reveals a command injection vulnerability in multiple API endpoints, which allows an attacker with access to a public repository or with read permissions to a...

Critical vCenter Server File Upload Vulnerability (CVE-2021-22005)

See the Updates section at the end of this post for new information as it comes to light, including reports of exploitation. Description On Tuesday, September 21, 2021, VMware published security advisory VMSA-2021-0020, which includes details on CVE-2021-22005, a critical file upload vulnerabilit...

Attackers Targeting Fortinet Devices and SAP Applications

The following blog was co-authored by Caitlin Condon and Bob Rudis, also known in his own words as “some caveman from Maine.” Last week, the U.S. Cybersecurity and Infrastructure Security Agency CISA and the FBI published a joint alert to warn users that APT threat actors were likely exploiting...

CVE-2022-1026: Kyocera Net View Address Book Exposure

Rapid7 researcher Aaron Herndon has discovered that several models of Kyocera multifunction printers running vulnerable versions of Net View unintentionally expose sensitive user information, including usernames and passwords, through an insufficiently protected address book export function. This...

Exploitation of Unpatched Zero-Day Remote Code Execution Vulnerability in Zimbra Collaboration Suite (CVE-2022-41352)

Note: Zimbra release 9.0.0 P27 addressed this vulnerability on October 10, 2022. CVE-2022-41352 is an unpatched remote code execution vulnerability in Zimbra Collaboration Suite discovered in the wild due to active exploitation. The vulnerability is due to the method cpio in which Zimbra’s...

Active Exploitation of Confluence CVE-2022-26134

On June 2, 2022, Atlassian published a security advisory for CVE-2022-26134, a critical unauthenticated remote code execution vulnerability in Confluence Server and Confluence Data Center. The vulnerability was unpatched when it was published on June 2. As of June 3, both patches and a temporary...

The Everyperson’s Guide to Log4Shell (CVE-2021-44228)

If you work in security, the chances are that you have spent the last several days urgently responding to the Log4Shell vulnerability CVE-2021-44228, investigating where you have instances of Log4j in your environment, and questioning your vendors about their response. You have likely already rea...

Indiscriminate Exploitation of Microsoft Exchange Servers (CVE-2021-24085)

The following blog post was co-authored by Andrew Christian and Brendan Watters. Beginning Feb. 27, 2021, Rapid7’s Managed Detection and Response MDR team has observed a notable increase in the automated exploitation of vulnerable Microsoft Exchange servers to upload a webshell granting attackers...

Metasploit Wrap-Up

MobileIron MDM Hessian-Based Java Deserialization RCE Our very own wvu-r7 has added exploits/linux/http/mobileironmdmhessianrce, which exploits an ACL bypass in MobileIron MDM products to execute a Java deserialization attack using a Groovy gadget against a Hessian based endpoint. CVE-2020-15505...

Active Exploitation of Pulse Connect Secure Zero-Day (CVE-2021-22893)

On Tuesday, April 20, 2021, security firm FireEye published detailed analysis of multiple threat campaigns targeting Ivanti’s Pulse Connect Secure VPN. According to FireEye’s analysis, threat actors have been leveraging multiple techniques to bypass single- and multi-factor authentication on Puls...

GitLab Unauthenticated Remote Code Execution CVE-2021-22205 Exploited in the Wild

CVE | Vendor Advisory | AttackerKB | IVM Content | Patching Urgency | Last Update ---|---|---|---|---|--- CVE-2021-22205 | GitLab Advisory | AttackerKB | Evaluating | ASAP | November 1, 2021 On April 14, 2021, GitLab published a security release to address CVE-2021-22205, a critical remote code...

Dropping Files on a Domain Controller Using CVE-2021-43893

On December 14, 2021, during the Log4Shell chaos, Microsoft published CVE-2021-43893, a remote privilege escalation vulnerability affecting the Windows Encrypted File System EFS. The vulnerability was credited to James Forshaw of Google Project Zero, but perhaps owing to the Log4Shell atmosphere,...

Metasploit Wrap-up

PrintNightmare Rapid7 security researchers Christophe De La Fuente, and Spencer McIntyre, have added a new module for CVE-2021-34527, dubbed PrintNightmare. This module builds upon the research of Xuefeng Li, Zhang Yunhai, Zhiniang Peng, Zhipeng Huo, and cube0x0. The module triggers a remote DLL...

Metasploit Wrap-Up

SAP Internet Graphics Server IGS This week includes a new module targeting the SAP Internet Graphics Server application, contributed by community member Vladimir Ivanov. This particular module covers two CVEs that are both XML External Entity XXE bugs that are remotely exploitable. The module com...

CVE-2020-1472 "Zerologon" Critical Privilege Escalation: What You Need To Know

Updates September 16, 2020 Samba domain controllers before 4.8 have been confirmed to be vulnerable to CVE-2020-1472. There are now multiple public PoC exploits available, most if not all of which are modifications to Secura’s original PoC built on Impacket. There are reports of the vulnerability...

VMware vCenter Server CVE-2021-21972 Remote Code Execution Vulnerability: What You Need to Know

This blog post was co-authored by Bob Rudis and Caitlin Condon. What’s up? On Feb. 23, 2021, VMware published an advisory VMSA-2021-0002 describing three weaknesses affecting VMware ESXi, VMware vCenter Server, and VMware Cloud Foundation. Before digging into the individual vulnerabilities, it is...

Microsoft Exchange 2010 End of Support and Overall Patching Study

Today's topic is Exchange 2010, which reaches end of support EoS on Oct. 13, 2020, as well as a survey of other versions of Exchange and how well they are being kept up-to-date. During our work with Project Sonar, we consistently see the use of old and EoS software on the internet. This is...

Oracle WebLogic Unauthenticated Complete Takeover (CVE-2020-14882/CVE-2020-14750): What You Need to Know

What’s up? As if October 2020 hasn’t been scary enough, Rapid7 Labs, the SANS Internet Storm Center ISC, and other researchers have caught attackers opting for tricks instead of treats this week as they seek out and attempt to compromise internet-facing WebLogic servers that are vulnerable to...

Apache HTTP Server CVE-2021-41773 Exploited in the Wild

CVE | Vendor Advisory | AttackerKB | IVM Content | Patching Urgency | Last Update ---|---|---|---|---|--- CVE-2021-41773, CVE-2021-42013 | Apache Advisory | AttackerKB | Available | ASAP | October 12, 2021 15:00 ET See the Updates section at the end of this post for information on developments th...

Metasploit Wrap-Up

RCE Exploit For CVE-2020-0796 SMBGhost This week our very own Spencer McIntyre has added an exploit for CVE-2020-0796, which leverages a vulnerability within the Microsoft Server Message Block 3.1.1 SMBv3 protocol to gain unauthenticated remote code execution against unpatched Windows 10 v1903 an...

ProxyShell: More Widespread Exploitation of Microsoft Exchange Servers

This attack is ongoing. See the Updates section at the end of this post for new information as it comes to light. Rapid7 also has a technical analysis of the ProxyShell exploit chain in AttackerKB. On August 5, 2021, in a Black Hat USA talk, DEVCORE researcher Orange Tsai shared information on...

VMware ESXi OpenSLP Remote Code Execution Vulnerability (CVE-2020-3992 and CVE-2019-5544): What You Need To Know

What’s up? On November 6, 2020 Microsoft’s Kevin Beaumont alerted the community to evidence of active exploitation attempts of CVE-2020-3992 and/or CVE-2019-5544, which are remote code execution RCE vulnerabilities in VMware ESXi’s service location protocol SLP service. VMware had issued a patch...

Open-Source Security: Getting to the Root of the Problem

The past few weeks have shown us the importance and wide reach of open-source security. In December 2021, public disclosure of the Log4Shell vulnerability in Log4j, an open-source logging library, caused a cascade of dependency analysis by developers in organizations around the world. The inciden...

For Microsoft Exchange Server Vulnerabilities, Patching Remains Patchy

If you've been keeping tabs on the state of vulnerabilities, you've probably noticed that Microsoft Exchange has been in the news more than usual lately. Back in March 2021, Microsoft acknowledged a series of threats exploiting zero-day CVEs in on-premises instances of Exchange Server. Since then...

Metasploit Wrap-Up

Windows Local Privilege Escalation for standard users In this week’s release, we have an exciting new module that has been added by our very own Grant Willcox which exploits CVE-2022-26904, and allows for normal users to execute code as NT AUTHORITY/SYSTEM on Windows machines from Windows 7 up to...

Metasploit Wrap-Up

ProxyLogon More Microsoft news this week! Firstly, a big thank you to community contributors GreyOrder, Orange Tsai, and mekhalleh RAMELLA Sébastien, who added three new modules that allow an attacker to bypass authentication and impersonate an administrative user CVE-2021-26855 on vulnerable...

Metasploit Wrap-Up

Insert 'What Year Is It' meme h00die contributed the Mikrotik unauthenticated directory traversal file read auxiliary gather module, largely a port of the PoC by Ali Mosajjal. The vulnerability CVE-2018-14847 allows any file from the router to be read through the Winbox server in RouterOS due to ...

Metasploit Wrap-Up

Welcome, Little Hippo: PetitPotam Our very own @zeroSteiner ported the PetitPotam exploit to Metasploit this week. This module leverages CVE-2021-36942, a vulnerability in the Windows Encrypting File System EFS API, to capture machine NTLM hashes. This uses the EfsRpcOpenFileRaw function of the...

Using InsightVM to Find Apache Log4j CVE-2021-44228

There are many methods InsightVM can use to identify vulnerable software. Which method is best depends on the software and specific vulnerability in question, not to mention variability that comes into play with differing network topologies and Scan Engine deployment strategies. When it comes to ...

Microsoft SAM File Readability CVE-2021-36934: What You Need to Know

On Monday, July 19, 2021, community security researchers began reporting that the Security Account Manager SAM file on Windows 10 and 11 systems was READ-enabled for all local users. The SAM file is used to store sensitive security information, such as hashed user and admin passwords. READ...

Metasploit Wrap-Up

OMIGOD It's RCE We are excited to announce that we now have a module for the OMIGOD vulnerability that exploits CVE-2021-38647 courtesy of our very own Spencer McIntyre! Successful exploitation will allow an unauthenticated attacker to gain root level code execution against affected servers. Give...

CVE-2021-21985: What you need to know about the latest critical vCenter Server vulnerability

On Tuesday, May 25, 2021, VMware published security advisory VMSA-2021-0010, which includes details on CVE-2021-21985, a critical remote code execution vulnerability in the vSphere Client HTML5 component of vCenter Server 6.5, 6.7, and 7.0 and VMware Cloud Foundation 3.x and 4.x. The vulnerabilit...

NICER Protocol Deep Dive: Internet Exposure of HTTP and HTTPS

Welcome to the NICER Protocol Deep Dive blog series! When we started researching what all was out on the internet way back in January, we had no idea we'd end up with a hefty, 137-page tome of a research report. The sheer length of such a thing might put off folks who might otherwise learn a thin...

Rapid7 Discovered Vulnerabilities in Cisco ASA, ASDM, and FirePOWER Services Software

Rapid7 discovered vulnerabilities and “non-security” issues affecting Cisco Adaptive Security Software ASA, Adaptive Security Device Manager ASDM, and FirePOWER Services Software for ASA. Rapid7 initially reported the issues to Cisco in separate disclosures in February and March 2022. Rapid7 and...

Active Exploitation of Apache HTTP Server CVE-2021-40438

CVE | Vendor Advisory | AttackerKB | IVM Content | Patching Urgency | Last Update ---|---|---|---|---|--- CVE-2021-40438 | Apache Advisory | AttackerKB | 09/16/2021 multiple | ASAP | December 1, 2021 14:00 ET On September 16, 2021, Apache released version 2.4.49 of HTTP Server, which included a f...

CVE-2022-30525 (FIXED): Zyxel Firewall Unauthenticated Remote Command Injection

Rapid7 discovered and reported a vulnerability that affects Zyxel firewalls supporting Zero Touch Provisioning ZTP, which includes the ATP series, VPN series, and the USG FLEX series including USG20-VPN and USG20W-VPN. The vulnerability, identified as CVE-2022-30525, allows an unauthenticated and...

Managed Service Providers Used in Coordinated, Mass Ransomware Attack Impacting Hundreds of Companies

Rapid7 is aware of and tracking all information surrounding a coordinated, mass ransomware attack reported to be affecting hundreds of organizations. Huntress Labs is maintaining a public Reddit thread documenting the scope and triage of an event that has, as of the original post date see updates...

Metasploit Weekly Wrap-Up

Log4Shell in MobileIron Core Thanks to jbaines-r7 we have yet another Log4Shell exploit. Similar to the other Log4Shell exploit modules, the exploit works by sending a JNDI string that once received by the server will be deserialized, resulting in unauthenticated remote code execution as the tomc...