
Arctic Wolf Presents
The Most Exploited Vulnerabilities of 2024
2024 saw another jump in the volume of vulnerabilities published, with the year’s total tally at 40,289, a 72% increase compared to 2023. With so many vulnerabilities for security teams to track and respond to, it’s vital to understand which mattered most to threat actors as they launched attacks throughout 2024.
Another Record-Setting Year
* For CVEs published in the last 12 years
Not only does the increase in the sheer number of vulnerabilities cause concern, but the number of critical and high-severity vulnerabilities increased by 13.46% in 2024 compared to 2023. While it’s important to note that not every vulnerability signals an imminent cyber threat – an increase in web-based applications correlates to a possible overall increase in vulnerabilities – the data does highlight the importance of implementing a thorough vulnerability management program to stay on top of critical and high-severity vulnerabilities that may impact core business applications.
[Chart: CVEs published per year over the period covered, values in chronological order, ending with 40,289 for 2024: 5,297; 5,191; 7,939; 6,504; 6,454; 14,714; 16,557; 17,344; 18,325; 20,171; 25,226; 29,065; 40,289]
[Chart: YoY vulnerability CVSS v3 severity breakdown, with per-year totals; the chart’s values are not recoverable from the text]
A look at the Top 25 Vulnerabilities
In our list of the 25 most exploited vulnerabilities of the year, you'll uncover trends and insights you can use to guide your remediation and vulnerability management plans in the new year. Hopefully this list helps your organization understand how valuable risk-based vulnerability management is, especially as expanded attack surfaces and the rise of web-based applications have led to a vast increase in the sheer number of vulnerabilities, alongside an increase in the number of critical and high-severity vulnerabilities.
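To make the risk-based prioritisation argued for above concrete, the following added example (not Arctic Wolf’s tooling or data) triages a subset of the entries from this list against a small asset inventory. The severity words and chain relationships are transcribed from the page; the inventory, the scoring weights, the attack-vector labels and the `Finding`/`triage` names are constructed assumptions. The point it demonstrates is that a chain member should inherit the worst severity in its chain, and that exposure and ransomware use move a finding up the queue independently of its CVSS label.

```python
"""Risk-based triage of entries from the Top 25 list.

Added example, not the report's own tooling. Severities and chain
relationships follow the page's wording; the asset inventory, scoring
weights and attack-vector labels are constructed for illustration.
"""
from dataclasses import dataclass

# Weights for the severity words used on the page (assumed scale).
SEVERITY_WEIGHT = {"maximum": 10, "critical": 9, "high": 7, "medium": 4}


@dataclass(frozen=True)
class Finding:
    cve: str
    product: str
    severity: str                   # severity word as used on the page
    attack_vector: str              # "network" or "local" (assumption)
    chained_with: tuple = ()        # chain partners named on the page
    ransomware: bool = False        # page reports ransomware use
    exploited_in_wild: bool = True  # every entry on the page was exploited


# Subset of the page's entries, transcribed from its wording.
CATALOG = [
    Finding("CVE-2024-21887", "Ivanti Connect Secure", "critical", "network",
            chained_with=("CVE-2023-46805",)),
    Finding("CVE-2023-46805", "Ivanti Connect Secure", "high", "network",
            chained_with=("CVE-2024-21887",)),
    Finding("CVE-2024-1709", "ConnectWise ScreenConnect", "maximum", "network",
            chained_with=("CVE-2024-1708",), ransomware=True),
    Finding("CVE-2024-1708", "ConnectWise ScreenConnect", "high", "network",
            chained_with=("CVE-2024-1709",), ransomware=True),
    Finding("CVE-2024-40711", "Veeam Backup and Replication", "critical",
            "network", ransomware=True),
    Finding("CVE-2024-38193", "Windows", "high", "local"),
    Finding("CVE-2024-43451", "Windows", "medium", "network"),
]

# Constructed asset inventory: product -> whether it is internet-exposed.
INVENTORY = {
    "Ivanti Connect Secure": True,
    "ConnectWise ScreenConnect": True,
    "Veeam Backup and Replication": False,
    "Windows": False,
}


def effective_severity(finding, by_cve):
    """A chain member inherits the worst severity in its chain: a 'high'
    path traversal chained with a 'maximum' auth bypass is a 'maximum'
    problem in practice, whatever its own label says."""
    weights = [SEVERITY_WEIGHT[finding.severity]]
    for partner in finding.chained_with:
        if partner in by_cve:
            weights.append(SEVERITY_WEIGHT[by_cve[partner].severity])
    return max(weights)


def priority_score(finding, by_cve, inventory):
    """Constructed additive score: chain-adjusted severity plus bonuses
    for known exploitation, ransomware use and reachable exposure."""
    score = effective_severity(finding, by_cve)
    if finding.exploited_in_wild:
        score += 5
    if finding.ransomware:
        score += 3
    if finding.attack_vector == "network" and inventory.get(finding.product):
        score += 4
    return score


def triage(catalog, inventory):
    """Return (cve, score) pairs for products present in the inventory,
    highest priority first; ties are broken by CVE id for stable output."""
    by_cve = {f.cve: f for f in catalog}
    scored = [(f.cve, priority_score(f, by_cve, inventory))
              for f in catalog if f.product in inventory]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for cve, score in triage(CATALOG, INVENTORY):
        print(f"{score:3d}  {cve}")
```

With the constructed inventory, the two ScreenConnect flaws land at the top with identical scores even though one is labelled only "high", the two Ivanti chain members follow, and the local Windows privilege escalations sit at the bottom because nothing in the inventory exposes them directly. The weights are deliberately simple; the structure (chain inheritance, exposure and exploitation as separate factors) is what carries over to a real programme.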
Vulnerability Name
CVE-2024-21887
A rough start to the year: The exploit chain involving CVE-2024-21887 and CVE-2023-46805 became one of the most widely exploited vulnerabilities of 2024. Approximately 2,000 Ivanti VPN devices were compromised across various industry verticals.
CVE-2024-21887 At A Glance
A critical vulnerability in the web component of Ivanti Connect Secure (versions 9.x and 22.x) and Ivanti Policy Secure could allow an authenticated threat actor to send specially crafted requests and execute arbitrary commands on a vulnerable appliance. The flaw was chained with CVE-2023-46805 during the period of exploitation. Although the activity was disclosed at the start of January, patches were not available for several weeks, leaving many devices worldwide exposed. The attacks, which targeted Ivanti VPN devices, began in December 2023 but peaked in January, compromising approximately 2,000 devices across various industry verticals. Notably, CISA warned that even after factory resets, compromised Ivanti devices could remain vulnerable to further exploitation.
Impact
Could allow an authenticated threat actor to send specially crafted requests and execute arbitrary commands on a vulnerable Ivanti VPN device.
Arctic Wolf Observations and Analysis
The attacks, which began in December 2023 and peaked in January 2024, targeted Ivanti VPN devices, compromising approximately 2,000 devices across various industry verticals. Even after factory resets, CISA warned that compromised devices remained vulnerable to further exploitation.
Vulnerability Name
CVE-2023-46805
A rough start to the year: The exploit chain involving CVE-2024-21887 and CVE-2023-46805 became one of the most widely exploited vulnerabilities of 2024. The attacks, which targeted Ivanti VPN devices, began in December 2023 but peaked in January, compromising approximately 2,000 devices across various industry verticals.
CVE-2023-46805 At A Glance
A high-severity authentication bypass vulnerability in the web component of Ivanti ICS 9.x, 22.x, and Ivanti Policy Secure allows a remote attacker to access restricted resources by bypassing control checks. The flaw was chained with CVE-2024-21887 during the period of exploitation. Although the activity was disclosed at the start of January, patches were not available for several weeks, leaving many devices worldwide exposed. The attacks, which targeted Ivanti VPN devices, began in December 2023 but peaked in January, compromising approximately 2,000 devices across various industry verticals. Notably, CISA warned that even after factory resets, compromised Ivanti devices could remain vulnerable to further exploitation.
Impact
Could allow a remote threat actor to access the vulnerable Ivanti VPN device by bypassing control checks.
Arctic Wolf Observations and Analysis
The attacks, which began in December 2023 and peaked in January 2024, targeted Ivanti VPN devices, compromising approximately 2,000 devices across various industry verticals. Even after factory resets, CISA warned that compromised devices remained vulnerable to further exploitation.
Vulnerability Name
CVE-2024-1709
The first instance of ScreenConnect vulnerabilities being exploited in the wild. This maximum-severity flaw chained with CVE-2024-1708 allowed ransomware groups to target vulnerable ScreenConnect instances.
CVE-2024-1709 At A Glance
A maximum-severity authentication bypass vulnerability that allows a remote attacker with network access to create new administrator-level accounts on affected devices, which could lead to remote code execution. This vulnerability was observed chained with CVE-2024-1708. Although threat actors have historically used ScreenConnect itself as a tool, this exploitation marked the first instance of vulnerabilities in ScreenConnect being reported as exploited in the wild. Shortly after disclosure, several proof-of-concept exploits were publicly released, and exploitation was found to be trivial. Black Basta and Bl00dy ransomware groups were reported to have exploited the vulnerability.
Impact
A remote attacker with network access could exploit this vulnerability to create new administrator-level accounts on affected devices, potentially leading to remote code execution.
Arctic Wolf Observations and Analysis
Arctic Wolf observed several instances of exploitation in customer environments shortly after proof-of-concept exploits were made available. Black Basta and Bl00dy ransomware groups were reported to have exploited the vulnerability.
Vulnerability Name
CVE-2024-1708
The first instance of ScreenConnect vulnerabilities being exploited in the wild. This vulnerability chained with the maximum-severity flaw CVE-2024-1709 allowed ransomware groups to target vulnerable ScreenConnect instances.
CVE-2024-1708 At A Glance
A high-severity path traversal vulnerability that allows a remote attacker to achieve remote code execution. This vulnerability was observed chained with CVE-2024-1709. Although threat actors have historically used ScreenConnect itself as a tool, this exploitation marked the first instance of vulnerabilities in ScreenConnect being reported as exploited in the wild. Shortly after disclosure, several proof-of-concept exploits were publicly released, with exploitation found to be trivial. Black Basta and Bl00dy ransomware groups were reported to have exploited the vulnerability.
Impact
A high-severity path traversal vulnerability that allows a remote attacker to achieve remote code execution.
Arctic Wolf Observations and Analysis
Arctic Wolf observed several instances of exploitation in customer environments shortly after proof-of-concept exploits were made available. Black Basta and Bl00dy ransomware groups were reported to have exploited the vulnerability.
Vulnerability Name
CVE-2024-3400
Exploited by threat actors as a zero-day vulnerability to implant backdoors on firewall devices.
CVE-2024-3400 At A Glance
A maximum-severity command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges on the firewall. Several vendors reported that threat actors exploited this vulnerability as a zero-day to implant a custom Python-based backdoor on firewall devices. The backdoor allowed the threat actors to download additional tools to compromised devices, gain deeper access into victims’ networks, and extract sensitive credentials and files.
Impact
A maximum severity command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges on the firewall.
Arctic Wolf Observations and Analysis
Several vendors reported that threat actors exploited this vulnerability as a zero-day to implant a custom Python backdoor on firewall devices. Arctic Wolf also observed instances of exploitation in customer environments.
Vulnerability Name
CVE-2024-40766
A critical vulnerability in SonicWall Firewalls allows unauthorized access and, under specific conditions, causes the firewall to crash. Exploited in Fog and Akira ransomware attacks.
CVE-2024-40766 At A Glance
A critical-severity vulnerability impacting several SonicWall Firewall models allows unauthorized resource access and, under specific conditions, causes the firewall to crash. Arctic Wolf observed suspected use of this vulnerability in Fog and Akira ransomware intrusions across customer environments in various industries since early August. Initial access to victim environments involved the use of SonicWall SSL VPN accounts.
Impact
A critical-severity vulnerability that allows unauthorized resource access and, under specific conditions, causes affected SonicWall Firewalls to crash.
Arctic Wolf Observations and Analysis
Arctic Wolf observed suspected use of this vulnerability in Fog and Akira ransomware intrusions across customer environments in various industries since early August. Initial access to victim environments involved the use of SonicWall SSL VPN accounts.
Vulnerability Name
CVE-2024-47575
Also known as FortiJump, a critical-severity zero-day vulnerability lets attackers execute commands on vulnerable FortiManager devices, exploited since June 2024.
CVE-2024-47575 At A Glance
A critical-severity zero-day vulnerability, also known as "FortiJump," disclosed in October allows a threat actor to use an unauthorized FortiManager device to execute arbitrary code and/or commands against vulnerable FortiManager devices. Fortinet had privately contacted some customers before the official public disclosure. This vulnerability ended up being exploited on at least 50 FortiManager devices across several industries, with exploitation observed in the wild as early as June.
Impact
A threat actor could exploit this zero-day vulnerability to use an unauthorized FortiManager device to execute arbitrary code and/or commands on vulnerable FortiManager devices.
Arctic Wolf Observations and Analysis
At least 50 FortiManager devices across various industries globally were exploited. The vulnerability was exploited in the wild as early as June 2024.
Vulnerability Name
CVE-2024-0012
In November, attackers exploited internet-exposed firewall management interfaces using a critical unauthenticated remote code execution vulnerability, chained with CVE-2024-9474. Proof of concept (PoC) exploits triggered immediate, widespread attacks.
CVE-2024-0012 At A Glance
In November, Palo Alto Networks revealed a critical unauthenticated remote code execution vulnerability being exploited against internet-exposed firewall management interfaces, chained with CVE-2024-9474. The situation escalated quickly, as proof of concept (PoC) exploit code was made publicly available shortly after the initial disclosure, leading to immediate exploitation by threat actors. Arctic Wolf observed suspected activity where PoC exploits were directly copied, with the name of the vendor who published the PoC still visible. Exploitation spread rapidly, with several vendors reporting similar activity.
Impact
A remote unauthenticated attacker could exploit this vulnerability to execute arbitrary code on internet-exposed firewall management interfaces.
Arctic Wolf Observations and Analysis
Evidence was revealed that exploits were directly copied from publicly available PoC code, with the name of the vendor who published the PoC still visible. Upon being published, the PoC exploits led to immediate widespread attacks. Several vendors observed similar activity.
Vulnerability Name
CVE-2024-9474
In November, attackers exploited internet-exposed firewall management interfaces using a critical unauthenticated remote code execution vulnerability, chained with CVE-2024-0012. Proof of concept (PoC) exploits triggered immediate, widespread attacks.
CVE-2024-9474 At A Glance
In November, Palo Alto Networks revealed a privilege escalation vulnerability that can be chained with CVE-2024-0012. Shortly after disclosure, proof-of-concept (PoC) exploit code was publicly released, leading to immediate exploitation by threat actors. Arctic Wolf observed PoC exploits directly copied from the vendor that published them. Several vendors reported similar activity. While CVE-2024-9474 is less severe, chaining it with CVE-2024-0012 allows threat actors to bypass authentication, gain administrator access to the management web interface, and escalate privileges to perform root-level actions on the firewall.
Impact
A threat actor can chain this vulnerability with CVE-2024-0012 to bypass authentication, gain administrator access to the management web interface, and escalate privileges to perform root-level actions on the firewall.
Arctic Wolf Observations and Analysis
Evidence was revealed that exploits were directly copied from publicly available PoC code, with the name of the vendor who published the PoC still visible. Upon being published, the PoC exploits led to immediate widespread attacks. Several vendors observed similar activity.
Vulnerability Name
CVE-2024-50623
In early December, an insufficient patch for CVE-2024-50623, initially addressed in October, was exploited. The Cl0p ransomware group claimed responsibility, extorting at least 66 victims as of the time of writing.
CVE-2024-50623 At A Glance
In early December, Arctic Wolf began observing a novel campaign exploiting Cleo Managed File Transfer (MFT) products across several customer environments. This vulnerability allows remote threat actors to upload and download files to a Cleo MFT product instance, which could lead to remote code execution. Multiple security vendors published observations suggesting the activity stemmed from an insufficient patch for CVE-2024-50623, which was initially addressed in October. The exploitation became widespread, and weeks later, the Cl0p ransomware group claimed responsibility. As of the time of writing, they have extorted at least 66 victims.
Impact
This vulnerability allows remote threat actors to upload and download files to a Cleo MFT product instance, which could lead to remote code execution.
Arctic Wolf Observations and Analysis
The exploitation became widespread, and weeks later, the Cl0p ransomware group claimed responsibility. As of the time of writing, they have extorted at least 66 victims.
Vulnerability Name
CVE-2024-12356
A command injection vulnerability that allows an unauthenticated attacker to inject commands executed as the site user. It was discovered by BeyondTrust during their investigation into the U.S. Treasury breach in December.
CVE-2024-12356 At A Glance
A vulnerability in BeyondTrust, impacting its Remote Support (RS) and Privileged Remote Access (PRA) software, was disclosed in December. The flaw, CVE-2024-12356, is a command injection vulnerability with a critical severity rating. If successfully exploited, it allows an unauthenticated remote threat actor to execute operating system commands within the context of the site user. This vulnerability was discovered by BeyondTrust during their investigation into the U.S. Treasury breach. However, there is no evidence to suggest this vulnerability was specifically used in that incident. It was later reported by CISA as exploited in the wild shortly after disclosure.
Impact
If successfully exploited, this vulnerability allows an unauthenticated remote threat actor to execute operating system commands within the context of the site user.
Arctic Wolf Observations and Analysis
BeyondTrust discovered this vulnerability during their investigation into the U.S. Treasury breach in December. However, no evidence suggests this flaw was specifically used in that incident. Shortly after its disclosure, CISA announced that the vulnerability had been exploited in the wild.
Vulnerability Name
CVE-2024-9537
The vulnerability responsible for the Rackspace Monitoring breach in September 2024. It was a zero-day flaw in a third-party utility that allows remote code execution.
CVE-2024-9537 At A Glance
In September, the managed cloud computing company Rackspace reported a breach tied to their Rackspace Monitoring product, which uses the ScienceLogic SL1 platform. Days later, Rackspace revealed that a threat actor had exploited an undocumented zero-day vulnerability in a third-party utility bundled with SL1. The vulnerability was a remote code execution flaw in a non-ScienceLogic utility. ScienceLogic, informed by Rackspace, developed a patch to remediate the issue and distributed it to all customers. To limit exposure, ScienceLogic has not disclosed the utility's name, as it may be included in other products. Although the vulnerability originated in a third-party utility, CVE-2024-9537 was assigned as ScienceLogic's specific issue. As of the time of writing, the third-party utility has not been publicly identified.
Impact
A threat actor can exploit this third-party utility to achieve remote code execution in vulnerable systems.
Arctic Wolf Observations and Analysis
Leveraged in the Rackspace Monitoring breach.
Vulnerability Name
CVE-2024-40711
A critical deserialization vulnerability that can lead to remote code execution, leveraged to deploy several ransomware variants, including the first publicly reported instances of "Frag" ransomware.
CVE-2024-40711 At A Glance
Veeam Backup and Replication contains a critical deserialization vulnerability that allows an unauthenticated user to perform remote code execution. Threat actors have been observed exploiting this vulnerability to deploy Akira and Fog ransomware. They initially gained access to targeted systems through compromised VPN gateways that lacked multifactor authentication. Additionally, a threat actor exploited this vulnerability to deploy a novel ransomware variant, "Frag".
Impact
Allows unauthenticated threat actor to perform remote code execution via a deserialization flaw.
Arctic Wolf Observations and Analysis
Threat actors have been observed exploiting this vulnerability to deploy Akira, Fog, and Frag ransomware.
Vulnerability Name
CVE-2024-7593
A critical authentication bypass vulnerability in Ivanti Virtual Traffic Manager (vTM) results from a flaw in vTM’s authentication algorithm.
CVE-2024-7593 At A Glance
A critical authentication bypass vulnerability in Ivanti Virtual Traffic Manager (vTM) results from a flaw in vTM’s authentication algorithm. This allows a remote unauthenticated threat actor to bypass the admin panel in vulnerable vTM instances. At the time of disclosure, Ivanti acknowledged that a proof of concept was publicly available, and the vulnerability was added to CISA’s Known Exploited Vulnerabilities Catalog the following month.
Impact
Allows a remote unauthenticated threat actor to bypass the admin panel in vulnerable vTM instances.
Arctic Wolf Observations and Analysis
At the time of disclosure, Ivanti acknowledged that a proof of concept was publicly available, and the vulnerability was added to CISA’s Known Exploited Vulnerabilities Catalog the following month.
Vulnerability Name
CVE-2024-27198
A critical authentication bypass vulnerability in JetBrains TeamCity allows a threat actor to perform admin actions.
CVE-2024-27198 At A Glance
A critical authentication bypass vulnerability in JetBrains TeamCity allows a threat actor to perform admin actions. Threat actors in the wild have been observed leveraging this vulnerability to deploy ransomware, beacons, and cryptocurrency miners.
Impact
Allows a threat actor to perform admin actions.
Arctic Wolf Observations and Analysis
Threat actors in the wild have been observed leveraging this vulnerability to deploy ransomware, beacons, and cryptocurrency miners.
Vulnerability Name
CVE-2024-49039
A high-severity Windows Task Scheduler Elevation of Privilege vulnerability. The Russian nexus threat actor group RomCom leveraged this vulnerability in a chain with a remote code execution flaw in Firefox to deploy a backdoor.
CVE-2024-49039 At A Glance
A high-severity Windows Task Scheduler Elevation of Privilege vulnerability allows threat actors to elevate their privileges to a medium integrity level by running a specially crafted application on the target system. This vulnerability was fixed in Microsoft’s November 2024 Patch Tuesday update. The Russian nexus threat actor group RomCom was behind global attacks in 2024 that leveraged this vulnerability in a chain with a remote code execution flaw in Firefox to deploy a backdoor.
Impact
Allows threat actors to elevate their privileges to a medium integrity level by running a specially crafted application on the target system.
Arctic Wolf Observations and Analysis
The Russian nexus threat actor group RomCom was behind global attacks in 2024 that leveraged this vulnerability in a chain with a remote code execution flaw in Firefox to deploy a backdoor.
Vulnerability Name
CVE-2024-20353
A high-severity vulnerability impacting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) that leads to a denial-of-service (DoS) condition. It was leveraged in the "ArcaneDoor" campaign, where threat actors targeted perimeter network devices from multiple vendors.
CVE-2024-20353 At A Glance
A high-severity vulnerability impacting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) allows an unauthenticated, remote attacker to cause a device to reload unexpectedly, leading to a denial-of-service (DoS) condition. Exploited in the first half of 2024 in conjunction with CVE-2024-20359, this vulnerability was part of a campaign called “ArcaneDoor,” which focused on espionage and gaining unauthorized access to sensitive information from targeted government entities and organizations in critical infrastructure. Specifically, this vulnerability was used to cause target ASA devices to reboot, triggering the unzipping and installation of the threat actor’s malware.
Impact
Allows an unauthenticated, remote attacker to cause a device to reload unexpectedly, leading to a denial-of-service (DoS) condition.
Arctic Wolf Observations and Analysis
This vulnerability was part of a campaign called “ArcaneDoor,” which focused on espionage and gaining unauthorized access to sensitive information from targeted government entities and organizations in critical infrastructure.
Vulnerability Name
CVE-2024-21893
A bypass for the mitigations of the infamous exploit chain impacting Ivanti VPN devices in 2024, which involved CVE-2023-46805 and CVE-2024-21887.
CVE-2024-21893 At A Glance
A server-side request forgery (SSRF) flaw present in the SAML component of Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons allows an unauthenticated threat actor to access restricted resources. Ivanti reported that a limited number of customers have been affected by this vulnerability. It was a bypass for the mitigations of the infamous exploit chain impacting Ivanti VPN devices in 2024, which involved CVE-2023-46805 and CVE-2024-21887.
Impact
Allows an unauthenticated threat actor to access restricted resources.
Arctic Wolf Observations and Analysis
Ivanti reported that a limited number of customers have been affected by this vulnerability.
Vulnerability Name
CVE-2024-38193
A high-severity zero-day elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock that was exploited by the North Korean nexus threat actor group, Lazarus.
CVE-2024-38193 At A Glance
A high-severity zero-day elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock allows a local threat actor to gain SYSTEM privileges. This vulnerability was reported to have been exploited by the North Korean nexus threat actor group, Lazarus, in conjunction with the deployment of Fudmodule malware. CVE-2024-38193 was fixed in Microsoft's August 2024 Patch Tuesday Update.
Impact
Allows a local threat actor to gain SYSTEM privileges.
Arctic Wolf Observations and Analysis
Reported to have been exploited by the North Korean nexus threat actor group, Lazarus.
Vulnerability Name
CVE-2024-30051
A high-severity privilege escalation vulnerability in the Windows DWM Core Library was patched in Microsoft’s May Patch Tuesday update.
CVE-2024-30051 At A Glance
A high-severity privilege escalation vulnerability in the Windows DWM Core Library was patched in Microsoft’s May Patch Tuesday update. This vulnerability allows a local threat actor to escalate privileges. Exploitation in the wild has been observed, with Qakbot and other malware being used.
Impact
This vulnerability allows a local threat actor to escalate privileges.
Arctic Wolf Observations and Analysis
Exploitation in the wild has been reported, with Qakbot and other malware being used.
Vulnerability Name
CVE-2024-38178
A high-severity memory corruption vulnerability in the Windows Scripting Engine exploited as a zero-day by the North Korean nexus threat actor ScarCruft.
CVE-2024-38178 At A Glance
A high-severity memory corruption vulnerability in the Windows Scripting Engine. An unauthenticated threat actor could exploit this vulnerability to achieve Remote Code Execution (RCE) if the target uses Microsoft Edge in Internet Explorer Mode. Exploitation requires an authenticated user to click a crafted URL. This vulnerability was exploited as a zero-day by the North Korean nexus threat actor ScarCruft, who used it to deliver RokRAT malware. The campaign involved compromising the server of an unnamed domestic advertising agency to inject exploit code into advertisement scripts, which were then served to victim machines.
Impact
An unauthenticated threat actor could exploit this vulnerability to achieve Remote Code Execution (RCE) if the target uses Microsoft Edge in Internet Explorer Mode.
Arctic Wolf Observations and Analysis
This vulnerability was exploited as a zero-day by the North Korean nexus threat actor ScarCruft, who used it to deliver RokRAT malware.
Vulnerability Name
CVE-2024-38112
A high-severity Windows MSHTML Platform Spoofing Vulnerability exploited as zero-day by the Void Banshee threat actor.
CVE-2024-38112 At A Glance
A high-severity Windows MSHTML Platform Spoofing Vulnerability that a remote threat actor can exploit by sending a victim a malicious file, which the victim must execute. CVE-2024-38112 was patched in Microsoft’s July 2024 Patch Tuesday update. This vulnerability was exploited as a zero-day by the Void Banshee threat actor. As part of their campaign, the group used CVE-2024-38112 to infect victim machines with the Atlantida information stealer, targeting North American, European, and Southeast Asian regions.
Impact
A remote threat actor can exploit this vulnerability by sending a victim a malicious file that the victim would have to execute.
Arctic Wolf Observations and Analysis
This vulnerability was exploited as a zero-day by the Void Banshee threat actor, targeting North American, European, and Southeast Asian regions.
Vulnerability Name
CVE-2024-38106
A high-severity elevation of privilege vulnerability in the Windows Kernel. Exploited as a zero-day by the North Korean nexus threat actor Citrine Sleet.
CVE-2024-38106 At A Glance
A high-severity elevation of privilege vulnerability in the Windows Kernel. A local threat actor can exploit this vulnerability by winning a race condition to obtain SYSTEM privileges. CVE-2024-38106 was exploited by the North Korean nexus threat actor tracked by Microsoft as Citrine Sleet in attacks targeting the cryptocurrency sector.
Impact
A local threat actor can exploit this vulnerability by winning a race condition to obtain SYSTEM privileges.
Arctic Wolf Observations and Analysis
Exploited by the North Korean nexus threat actor tracked by Microsoft as Citrine Sleet in attacks targeting the cryptocurrency sector.
Vulnerability Name
CVE-2024-43451
A medium-severity NTLM hash disclosure spoofing vulnerability that exposes a user's NTLMv2 hash, enabling an attacker to authenticate as the user. Used as a zero-day vulnerability by a suspected Russian nexus threat actor to target Ukraine.
CVE-2024-43451 At A Glance
A medium-severity NTLM hash disclosure spoofing vulnerability that exposes a user's NTLMv2 hash, enabling an attacker to authenticate as the user. Exploitation requires minimal user interaction, such as single-clicking or right-clicking a malicious file. CVE-2024-43451 was exploited as a zero-day by a suspected Russian nexus threat actor to target Ukraine. The attackers sent phishing emails from a compromised Ukrainian government server, prompting victims to renew their academic certificates. The vulnerability is triggered when the victim interacts with a URL file embedded in the message.
Impact
A threat actor can exploit this to obtain a user's NTLMv2 hash, allowing them to authenticate as the user. Exploitation requires minimal user interaction, such as single-clicking or right-clicking a malicious file.
Arctic Wolf Observations and Analysis
Used as a zero-day vulnerability by a suspected Russian nexus threat actor to target Ukraine.
Vulnerability Name
CVE-2024-20359
A medium-severity vulnerability affecting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) that allows code execution with root-level privileges. It was leveraged in the "ArcaneDoor" campaign, where threat actors targeted perimeter network devices from multiple vendors.
CVE-2024-20359 At A Glance
A medium-severity vulnerability affecting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) that allows an authenticated local attacker with administrator-level privileges to execute code with root-level privileges. This vulnerability was exploited in the first half of 2024 as part of a campaign called "ArcaneDoor," which leveraged CVE-2024-20353. The campaign focused on espionage and gaining unauthorized access to sensitive information from government entities and critical infrastructure organizations.
Impact
Allows an authenticated local attacker with administrator-level privileges to execute code with root-level privileges.
Arctic Wolf Observations and Analysis
This vulnerability was part of a campaign called “ArcaneDoor,” which focused on espionage and gaining unauthorized access to sensitive information from targeted government entities and organizations in critical infrastructure.