Understanding CVE-2023-49103: A Critical Vulnerability in ownCloud Graph API
ownCloud is a widely used open-source platform designed for file synchronization, sharing, and collaboration. It allows organizations to host their own cloud storage, ensuring data sovereignty and compliance with privacy regulations. Its flexibility and rich feature set have made it popular among enterprises and individual users alike. However, as with any software, vulnerabilities can emerge, and in late 2023, a critical security flaw – CVE-2023-49103 – was discovered in its Graph API application. This flaw could allow unauthorized access to sensitive configuration details, such as admin passwords, mail server credentials, and license keys. The risk is especially severe for organizations using ownCloud in containerized environments, where environment variables may be exposed. Let’s break down the vulnerability, its impact, and mitigation steps. Details of the vulnerability The vulnerability resides in the graphapi application of ownCloud. It leverages a third-party library file, GetPhpInfo.php, which calls the PHP phpinfo() function. This function, while commonly used for debugging, outputs detailed information about the server’s PHP configuration. In containerized deployments, environment variables – which often include sensitive information – are exposed, posing a severe security risk. Docker-based deployments of ownCloud are particularly susceptible, as Docker containers often rely on environment variables to pass sensitive information like database credentials and API keys during runtime. Attackers exploiting this vulnerability can use the phpinfo() output to capture these details, potentially compromising the entire containerized setup. Even disabling the graphapi app doesn’t fully mitigate the issue, as the vulnerable file remains accessible unless explicitly removed. Impact of CVE-2023-49103 When exploited, this vulnerability allows attackers to extract sensitive information without requiring authentication. The exposed data could include: ownCloud administrator passwords Mail server credentials Database credentials ownCloud license key Such information disclosures could lead to data breaches, unauthorized access to critical systems, and further exploitation of the organization’s infrastructure. Exploitation in the wild This vulnerability has been actively exploited, highlighting the urgency for remediation. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-49103 to its Known Exploited Vulnerabilities (KEV) Catalog, emphasizing the need for immediate action by affected organizations. Steps to mitigate the vulnerability If your organization uses ownCloud, the following steps are advised to mitigate the risk posed by CVE-2023-49103: Update the Graph API application Upgrade to version 0.3.1 or later of the graphapi app. The updated version removes the vulnerable GetPhpInfo.php file, addressing the root cause of the issue. Remove the vulnerable file If upgrading isn’t immediately possible, manually delete the file located at: owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php Disable the phpinfo() function Modify your PHP configuration to disable the phpinfo() function. This precaution reduces the risk of similar vulnerabilities in the future. Change all exposed credentials Immediately rotate any credentials that may have been exposed, including: Admin passwords Mail server logins Database credentials API and storage keys Secure Docker environments For Docker-based deployments, use secret management tools like Docker Secrets or HashiCorp Vault to handle sensitive data instead of relying on environment variables. Limit access to containerized services and ensure proper network segmentation. Regularly scan Docker images for vulnerabilities and keep them updated. Keep your ownCloud server updated Ensure your ownCloud instance is running the latest server version, as updates often include critical security patches. Proactive security measures While addressing CVE-2023-49103 is essential, organizations should adopt broader security measures to prevent similar risks in the future: Conduct regular security audits Routine assessments can identify vulnerabilities before they are exploited. Implement environment variable best practices Minimize sensitive data stored in environment variables and use secret management tools. Utilize web application firewalls (WAFs) WAFs can help block unauthorized access attempts. Train teams on security protocols Ensure your IT teams are aware of emerging threats and understand mitigation strategies. Recommended content The Immersive Labs catalog includes a lab dedicated to CVE-2023-49103. This lab provides a vulnerable version of ownCloud hosted within a vulnerable Docker container. This lab offers an in-depth understanding of the vulnerability and its associated exploit through practical, hands-on experience. You’ll exploit the vulnerable instance to gain access to sensitive information, allowing you unauthorized access to the system as a privileged user. Conclusion CVE-2023-49103 underscores the importance of proactive security measures in software deployment. For organizations leveraging ownCloud, this vulnerability serves as a reminder to maintain vigilance, regularly update systems, and adopt comprehensive security practices. By promptly addressing the issue and implementing the recommended mitigations, organizations can safeguard their sensitive data and reduce the likelihood of compromise. Share your thoughts If this vulnerability impacted your organization, what steps did you take to fix it, and what changes have you made to prevent future issues?Patch Tuesday February 2025
CVE-2025-21418 - 7.8 - Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Top of the list for things to patch this month is a local privilege escalation that threat actors are actively exploiting in the wild. No information is provided on which threat actors or how they are using it, but what we do know is that an attacker exploiting this vulnerability will be able to gain SYSTEM-level permissions on the affected host. As this is a local exploit, it does mean that an attacker or malicious insider must already have access to the target machine, typically through a phishing attack, malicious document, or another remote code execution vulnerability. Despite its relatively low score of 7.8 compared to a Critical 9.8, local privilege escalation vulnerabilities are valuable to attackers as they allow them to disable security tooling, dump credentials, or move laterally across the network to exploit the increased access. CVE-2025-21377 - 6.5 - NTLM Hash Disclosure Spoofing Vulnerability Another CVE to patch sooner rather than later is a zero-day that was discovered and disclosed in December 2024, with Microsoft announcing at the time that patches would not be available until 2025. Tracked as CVE-2025-21377, this vulnerability allows a threat actor to steal a victim's NTLM credentials by sending them a malicious file. The user doesn't have to open or run the executable, but simply viewing the file in Explorer could be enough to trigger the vulnerability. This specific vulnerability is known as an NTLM relay or pass-the-hash attack, and threat actors love this style of attack as it allows them to impersonate users in the network. If an attacker can collect your NTLM hash, they effectively have the encoded version of your password and can log in to workstations, servers, or other Microsoft servers as if they had your username and password. Preventing outbound SMB traffic can help limit the exposure, as this is such a prevalent technique Microsoft has specific guidance available on their website on Mitigating Pass-the-Hash (PtH) attacks CVE-2025-21400 - 8.0 - Microsoft SharePoint Server Remote Code Execution Vulnerability Microsoft SharePoint is a web-based platform that integrates with Microsoft Office, used to store, organize, and share information from any device. Details around this remote code execution vulnerability in SharePoint suggest that an attacker needs to be authenticated to exploit it. Exploiting this vulnerability requires a client to connect to a malicious, attacker-controlled server, and with this access, an attacker could achieve code execution on the client. In a network-based attack, if the attacker has access to a client that belongs to the “Site Owners” group, meaning they have full control of the client system, they can write injectable code to send to the SharePoint server that amounts to code execution. CVE-2025-21408 - 8.8 - Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability refers to a potential security issue that, if exploited, could allow an attacker to execute arbitrary code in the context of the current user. Vulnerabilities such as these are often attributed to the way Microsoft Edge (Chromium-based) handles objects in memory. In relation to this specific vulnerability, successful exploitation requires a victim user to click on a malicious link so that the attacker can initiate remote code execution (RCE) on Edge’s renderer process – which is part of a multi-process architecture that handles much of the code that runs on a webpage, including JavaScript, HTML, and CSS. The idea is that sites and sessions are isolated so the misbehavior of one site doesn’t affect another in the same browser session. An attacker could potentially do a number of things after exploiting this vulnerability, including injecting malicious scripts into the running browser session, exploiting cross-site-scripting (XSS) vulnerabilities, stealing credentials from browser sessions, or deploying script-based malware that can be used to gain access to the user's machine. Microsoft has released a patch for this vulnerability, which users are encouraged to download. CVE-2025-21391 - 7.1 - Windows Storage Elevation of Privilege Vulnerability In today’s Patch Tuesday release by Microsoft, we see two vulnerabilities listed as ‘exploited in the wild.’ One is a Windows Storage Elevation of Privilege Vulnerability, given the Common Vulnerabilities and Exposure ID number CVE-2025-21391. With a CVSS score of 7.1, the CVSS metrics outline that this vulnerability doesn't affect confidentiality, so no sensitive data can be accessed. However, it can severely affect data integrity and availability. The impact of this vulnerability is classified as an Escalation of Privilege, indicating that the successful exploitation could allow an attacker to assume higher privileges on the compromised system. However, Microsoft has outlined that if the attacker successfully exploited this vulnerability, they could only delete targeted files on a system. Microsoft has released patches to mitigate this vulnerability. It's recommended for administrators to apply these immediately. CVE-2025-21376 - 8.1 - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability LDAP (Lightweight Directory Access Protocol) is a critical component of Windows environments, serving as the backbone for authentication, directory services, and centralized identity management. A recently disclosed critical vulnerability in Microsoft’s LDAP implementation poses a severe risk, allowing remote code execution due to a combination of race conditions, integer underflow, and heap-based buffer overflows. Exploiting this flaw requires an attacker to chain these exploits together by sending specially crafted requests to a vulnerable LDAP server, potentially gaining full control over the system. A compromise could lead to lateral movement, privilege escalation, and widespread network breaches because LDAP is integral to Active Directory, which underpins authentication and access control in enterprise environments. This vulnerability follows a history of LDAP-related exploits, such as privilege escalation flaws and buffer overflow attacks, reinforcing the importance of securing directory services. Organizations must prioritize patching and hardening LDAP configurations to mitigate exploitation risks and protect their Windows infrastructure from potential attacks. This vulnerability represents a serious security risk to systems running vulnerable Microsoft LDAP servers. Due to its high value, attackers will spend more time creating an exploit for this vulnerability, which is an echoed theory by Microsoft, as it has been stated that this vulnerability is more likely to be exploited. Administrators are strongly urged to promptly apply the available security patches and implement recommended mitigation steps to protect against exploitation. CVE-2025-21379 - 7.1 - DHCP Client Service Remote Code Execution Vulnerability The DHCP Client Service is a crucial component in Windows environments, responsible for dynamically assigning IP addresses and network configurations to devices. A newly identified critical vulnerability in this service allows for remote code execution due to a Use After Free flaw, which can lead to memory corruption and arbitrary code execution. While the attack complexity is high, exploitation requires the attacker to position themselves in the network path between the target and its requested resource, executing a machine-in-the-middle (MITM) attack to intercept or manipulate DHCP responses. Additionally, the attack vector is classified as adjacent, meaning the attacker must be on the same local network segment, such as a shared Wi-Fi or Ethernet switch, making remote exploitation over a WAN infeasible. While this brings the criticality of the vulnerability down, it is still feasible for attackers to want to put this in their attacker's toolkit, and given DHCP’s fundamental role in network connectivity, a successful attack could compromise endpoint security, facilitate lateral movement, and enable further network exploitation. This vulnerability underscores the importance of securing DHCP communications through network segmentation, encryption, and prompt patching to mitigate potential threats. CVE-2025-21381 - 7.8 - Microsoft Excel Remote Code Execution Vulnerability Microsoft Excel is a widely used productivity tool in enterprise environments, making vulnerabilities within it highly valuable for attackers, especially for phishing and malware distribution. A newly disclosed critical vulnerability, CVE-2025-21381, allows for remote code execution due to an Untrusted Pointer Dereference flaw. This flaw occurs when a program accesses a memory location using a pointer that has not been properly validated and can be attacker-controlled. It can lead to memory corruption and arbitrary code execution when processing maliciously crafted Excel files. Exploiting this vulnerability would enable an attacker to execute malicious code on a victim’s system simply by convincing them to open a compromised document. This method is often used in spear-phishing campaigns and malware distribution, such as Emotet and Dridex. Excel vulnerabilities are particularly dangerous because Excel macros and embedded scripts have historically been a significant attack vector for APT groups, ransomware operators, and financial fraud campaigns, often bypassing traditional security defenses. Given its widespread use in corporate environments, this vulnerability highlights the ongoing risk posed by weaponized office documents, reinforcing the need for patching, disabling macros by default, and implementing advanced email filtering to prevent exploitation.New CTI Lab: CVE-2025-0411 (7-ZIP MoTW bypass) – Defensive
The Zero Day Initiative (ZDI) team at Trend Micro identified the exploitation of a zero-day vulnerability in the 7-ZIP application dubbed CVE-2025-0411, which was used in a SmokeLoader malware campaign targeting eastern European entities. 7zip is used all over the world by individuals and organizations, so it's essential users understand this campaign. CVE-2025-0411 (7-ZIP MoTW bypass) – Defensive CVE-2025-0411 is a Mark-of-the-Web (MoTW) bypass vulnerability that exists within 7 ZIP installations with a version older than 24.09. This vulnerability allows attackers to bypass the MoTW protection mechanism employed by the Windows operating system, designed to warn users after downloading potentially malicious software. Bypassing MoTW for attackers increases the chances of successful phishing attempts, which is one of the largest ways attackers get into organizations. Due to MoTW being bypassed, users are not warned of potential malicious intent if they were to execute files. Because of this, attackers spend a lot of time trying to find different MoTW vulnerabilities and are often patched in Microsoft's patch Tuesdays due to their prevalence. Why should you care? Bypassing security controls is ideal for attackers. If their downloaded files do not get warned against by Windows, then the chances of successful attack chain execution is much higher! Therefore, we created a lab to identify what this attack process looks like for defensive teams and how to identify each stage. The lab teaches you what to look out for when this vulnerability is exploited and how campaigns have used it in the real world. Who is it for? Incident responders SOC analyst Malware reverse engineers CTI Analysts Threat Hunters Here is the link to the 7zip lab: https://immersivelabs.com/labs/cve-2025-0411-7-zip-motw-bypass-defensive Related Labs, designed to give you similar skills: https://immersivelabs.online/series/elasticsearch-threat-hunting-apt29/labs https://immersivelabs.online/series/introduction-to-elastic/labsNew CTI Labs: Zero-day Behaviour: PDF Samples & UAC-0063 Intrusion: SIEM Analysis
Based on the report released by NCSC's CTO, a number of important cyber security developments occurred throughout the past week. We have created two labs on what we thought were interesting parts of the report to align with what NCSC is seeing out in the wild. Zero-day Behaviour: PDF Samples PDFs are used by everyone, and a researcher has found that you can embed commands that will communicate out to attacker-controlled servers – depending on which PDF reader a company has, you can exfiltrate NTLM data to aid in further attacks. PDFs can be used to initial access an attack, such as sending a malicious one via email. Therefore, we have created a lab for defensive teams to analyze what these PDFs look like under the hood and how to identify this newly found behavior. UAC-0063 Intrusion: SIEM Analysis It has been observed that the threat group UAC-0063 has been sending malicious documents around the world, targeting Asia and Eastern Europe in their latest operation. Their aim is cyber espionage and to gather information about governments, NGOs, defense, and academia. With their malware dubbed HATVIBE, they have been seen to use legitimate diplomatic documents with their malicious code embedded inside them. The lab provides an analysis of the attack chain, where our customers will understand what happens when one of the malicious documents is clicked on and what detections can be put in place to detect the attack. Why should our customers care? These two labs are based on information that the NCSC has thought the industry needs to know. Understanding the updated attack techniques of threat groups and new ways to execute commands in PDFs is incredibly important because social engineering is still one of the highest methods of initial access. Therefore, our customers will be able to analyze both these threats to develop detections early or to gain familiarity with how these threats work. Who is it for? Incident responders SOC analyst Malware reverse engineers CTI Analysts Threat Hunters Here is the link to the PDF lab: https://immersivelabs.online/labs/zero-day-behaviour-pdf-samples Here is the link to the UAC-0063 lab: https://immersivelabs.online/labs/uac-0063-siem-analysisOperational CTI: How Immersive Builds Labs for Real-World Threat Preparedness
This event has now ended. You can watch the recording here. --- 📢 Today's the day! Our exclusive Community webinar 'Operational CTI: How Immersive Builds Labs for Real-World Threat Preparedness' will be live at 3pm GMT (10am EST). Here's a few tips to help you get the most from your experience: 🚀 This is a live, interactive session. Make sure you join the session promptly in order to get the full experience. 🔗 To join today's session, visit the event page or simply use the Zoom link. ❓You’ll also have the opportunity to participate in a Q&A with our expert panel so you can leave with an action plan to turn your ideas into reality! You can pre-submit questions here. Event Description Have you ever wondered how Immersive Labs can release CTI labs on the latest threats so quickly? Come backstage with us on this ✨ Community Exclusive ✨ event to learn just how we do it. BenMcCarthy and benhopkins, two of the experts from the CTI team will reveal what it takes to make a lab, some of their favourites from 2024 and what is to come from the CTI team. Agenda What are CTI labs and how do we select labs to build? Build Stage 1 - Research Build Stage 2 - "Labified" Build Stage 3 - Content Build Stage 4 - QA Some of our favourite labs Examples of speedy launches of labs C2 research What next for our Threat Research and CTI Labs You’ll also have the opportunity to pre-submit questions here so you can ensure that you leave with all of the information you need! This is a Community Exclusive event: Hit the attend button to register. This webinar will be live at 3pm GMT and will be recorded.Unmasking Holiday Hackers
Imagine the following scenario… You receive a text message from a “delivery service”. It asks you to click a link to validate your personal information so they can deliver a parcel. Thinking it’s a precious holiday package from one of your many online orders, you click it. You input your credit card number to validate the order, and you enter your address to ensure it’s delivered to the right place before you have time to realize what’s just happened… 💥 You’ve given all your information to a scammer! 🤯This is textbook smishing, but that doesn’t change the fact that it’s incredibly effective. This exact situation happened to Grant Smith – however, he just so happened to be a certified Ethical Hacker. Smith shared his story and subsequent investigation details with Wired. In the article, we learn that: In total, people entered 438,669 unique credit cards into 1,133 domains used by the scammers. More than 50,000 email addresses were logged, including hundreds of university email addresses and 20 military or government email domains. The victims were spread across the United States, with more than 1.2 million pieces of information being entered in total. California, the state with the most, had 141,000 entries. Nobody wants to be part of this user cohort, but smishing attacks are becoming more common and more sophisticated. Around the holiday season, we interact with more businesses and technologies across multiple digital channels – and urgency only increases the closer we get to Christmas, growing your personal threat surface. You can help reduce your chances of being a victim of cybercrimes by upskilling with these labs: Staying Safe Online: Safer Browsing Staying Safe Online: Identity Theft Ready to take the reins of the sleigh and get into an investigation like Smith’s yourself? For a holiday-spirited investigation around a phishing attack – start with A Christmas Catastrophe: A Christmas Phish. From there, you can build a gingerbread house solid foundation for your security skills. Consider exploring the Introduction to Penetration Testing and Hack Your First Computer collections. If you’re ready to dig deep and build knowledge and skills to use open-source tooling at the next level, you can follow Grant’s steps with Immersive Labs collections! Scan with Nmap Nmap is one of the most popular network scanner tools available. In this introductory collection, you‘ll learn what Nmap is and how to use it to enumerate for hosts, ports, and services on a target. Intercept web traffic with Burp Suite Burp Suite is a popular tool used for pen testing and assessing web application security. This skill collection will take you from the basics of configuring and using Burp Suite to expertly traversing and applying its range of tools and features. Scan with NsLookup in Introduction to Networking This collection focuses on core networking concepts and the basics of networking connectivity, network topologies, and general networking concepts including IP addresses and domain name systems (DNS). Name Server Lookup allows users to query the DNS to retrieve information like IP addresses associated with domain names. Analyze web socket communications with Packet Analysis Reading packets and understanding the structure of packet captures are essential skills in cybersecurity. This collection introduces the main packet analysis tools and how to look for flags inside packet headers. Conduct Web Log Analysis This collection introduces you to the log files produced by web application servers and how they can be interpreted. You’ll be shown how to use common command line tools to analyze the log artifacts, what you can infer from the information captured in logs, and how this information can be helpful when responding to a suspected incident. Use SQL Injection Basics and SQL Injection to access databases Learn core SQL injection techniques and build on those skills to extract information from databases. When a vulnerability exists, this data can be accessed in various ways. Conduct advanced database investigations with Introduction to Linux Exploitation and Linux Command Line Gain foundational knowledge on Linux-based software exploitation, commonly used tools, and how the Linux Command Line Interface (CLI) can be used to perform different tasks. The labs in this skill collection range from navigating around a file structure to combining multiple commands to achieve a specific goal. Report valid cyber crimes to authorities! One such avenue is the Internet Crime Complaint Center. Or, if you’re working on an internal investigation for your employer, you should ensure strict adherence to your processes and playbooks for threat escalation and remediation processes. While you may not need to complete end-to-end tasks like the above frequently, it’s an asset to understand an offensive security mindset and key open-source tooling to conduct an investigation. Put your Nice List skills to use by continuing your offensive security journey and consider a Certified Ethical Hacker certification. You might even just earn an invite to the North Pole! Or, keep upskilling in Immersive Labs to earn more security badges and advance your career as an offensive security practitioner. You can be the light that guides the sleigh through the dark world of cyber criminals! Share your thoughts Did you find this case study interesting? Did you find some cross-functional training to bookmark for your personal growth? Please share your thoughts in the comments below! Give those hackers some coal to put somewhere special – their stocking, of course! Make sure you're following the Human Connection Blog to get updates to your inbox!Patch Tuesday December 2024
CVE-2024-49138 - 7.8 - Windows Common Log File System Driver Elevation of Privilege Vulnerability Top of the list of things to patch this cycle is a trio of vulnerabilities in the Windows Common Log File System Driver. Don't be fooled by their relatively low score of 7.8. At least one of these (CVE-2024-49138) is being actively exploited in the wild by threat actors, making it likely that the other two vulnerabilities will also be discovered. This vulnerability is a local privilege escalation, which means that an attacker must gain initial access to the host to gain SYSTEM-level privileges. With this higher level of permissions, the threat actor can move laterally across the network, dump credentials to pivot to a domain controller or even disable security tooling to avoid detection by a blue team. CVE-2024-49114 - 7.8 - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability High on the list for patching should be CVE-2024-21310, a privilege escalation vulnerability in Cloud Files Mini Filter Driver. Listed as “exploitation more likely” by Microsoft, the patch notes have striking similarities to other vulnerabilities reported in the same component that are actively being exploited – and appearing on the CISA Known Exploited Vulnerabilities list late in 2023. This likely contributes to the “exploitation more likely,” as it is a proven and effective exploit for attackers and with existing public examples could make it faster to weaponise. If an attacker exploits this vulnerability, they can gain SYSTEM-level privileges on the local machine. This type of privilege escalation step is frequently seen by threat actors in network compromises, as it can enable the attacker to disable security tools or run credential dumping tools like mimikatz that can then enable lateral movement or the compromise of domain accounts. CVE-2024-49093 - 8.8 - Windows Resilient File System (ReFS) Elevation of Privilege The Resilient File System (ReFS) is a modern file system developed by Microsoft, designed to provide enhanced data integrity, scalability, and fault tolerance compared to the New Technology File System (NTFS). Introduced with Windows Server 2012, ReFS is optimized for large-scale storage solutions, virtualization workloads, and environments requiring high data reliability. It incorporates features like integrity streams to detect and repair data corruption, support for massive volumes and file sizes (up to 35 petabytes), and efficient data management through technologies like block cloning. While it lacks some NTFS features, such as file compression and encryption, ReFS is particularly suited for enterprise applications, such as Hyper-V storage and resilient storage spaces. It offers improved performance and reliability for mission-critical workloads. This vulnerability has been described as “exploitation more likely” by Microsoft and also said to have low attack complexity required to perform the attack. All the user has to do is execute the exploit in a low-privilege AppContainer, and they are able to execute code or access resources at a mich higher integrity level above the AppContainer. CVE-2024-49126 - 8.1 - Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability The Local Security Authority Subsystem Service (LSASS) is a critical system process in Microsoft Windows that enforces security policies and manages user authentication. It verifies users’ logging into a Windows system by handling credentials, such as passwords and security tokens, and interacts with Active Directory for domain authentication. LSASS also generates and manages access tokens that applications and services use to determine user permissions. This process runs with high privileges, making it a frequent target for attackers aiming to extract credentials from memory or perform lateral movement in a network using tools like the famous Mimikatz. Protecting LSASS is vital, and modern versions of Windows include features like Credential Guard and process isolation to mitigate risks associated with its exploitation. This vulnerability is a use-after-free vulnerability where the attacker has to take advantage of a race condition to get access to sensitive data that is not properly protected or locked, this requires no interaction from the user, nor does it require any special privileges to begin the attack. It is a remote code vulnerability affecting service accounts and an attacker can take advantage of this by triggering malicious code in the context of the server’s account through a network call. CVE-2024-49117 - 8.8 - Windows Hyper-V Remote Code Execution Vulnerability This vulnerability could be exploited by an attacker who has authenticated access to a guest virtual machine (VM). The attacker could send carefully crafted file operation requests to interact with the hardware resources allocated to the VM. This vulnerability has been tagged as “return of wrong status code,” which adds further context to the vulnerability by highlighting a potential miscommunication between components during an attack. If the underlying system incorrectly returns a status code suggesting that an operation was successful when it was not—or fails to indicate that an unexpected or malicious operation has occurred—it can facilitate exploitation. In this scenario, such miscommunication could obscure warning signs or error handling mechanisms that might otherwise mitigate the attack, making the vulnerability easier to exploit and harder to detect. Due the fact that hyper-v is baked into the Windows operating system so heavily, it is recommended to ensure you patch this even though it requires access to a guest OS running on a machine. CVE-2024-49112 - 9.8 - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution (RCE) A significant flaw has been identified in the Lightweight Directory Access Protocol (LDAP) service on all versions of Windows since Windows 7 / Server 2008 R2 that can allow for an unauthenticated attacker with network access to gain code execution on the underlying server. LDAP is most commonly seen on servers that are Domain Controllers inside a Windows network and LDAP must be exposed to other servers and clients within an enterprise environment for the domain to function. Microsoft hasn’t released specific information about the vulnerability at present, but has indicated that the attack complexity is low and authentication is not required. Furthermore, they advise that exposure of this service either via the internet or to untrusted networks should be stopped immediately. They have said that an attacker can make a series of crafted calls to the LDAP service and gain access within the context of that service, which will be running with SYSTEM privileges. Because of the Domain Controller status of the machine account, it is assessed this will instantly allow the attacker to perform a DCSync attack and get access to all credential hashes within the domain. It is also assessed that an attacker will only need to gain low privileged access to a Windows host within a domain or a foothold within the network in order to exploit this service - gaining complete control over the domain. Discovery of how to exploit this condition will be of the utmost importance to attackers, especially ransomware operators, as complete control of a Domain Controller in an Active Directory environment can allow for access to every Windows machine as part of that domain and allow for the deployment of ransomware to every machine. Microsoft also suggests blocking access to ‘inbound RPC’ connections from untrusted networks, which may indicate that the vulnerability can be exploited by a number of RPC channels, not only via the standard LDAP ports. Environments which make use of Windows networks using Domain Controllers should patch this vulnerability as a matter of urgency and ensure that Domain Controllers are actively monitored for signs of exploitation. CVE-2024-49122 - 7.8 - Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability This December 2024 Patch Tuesday saw a vulnerability in Microsoft Message Queuing (MSMQ) being disclosed. Denoted as CVE-2024-49122, Microsoft has outlined this vulnerability as “exploitation more likely’ and as a “remote code execution” impact. MSMQ allows asynchronous communication between applications across various networks and systems by sending and reading messages from the queue. This vulnerability requires a high level of attack complexity and for the attacker to win a race condition. Successful exploitation can be achieved by sending a maliciously crafted MSMQ packet to a server, which will result in a remote code execution.CVE-2024-5910: Understanding the Critical Expedition Vulnerability
CVE-2024-5910 is a critical vulnerability in Palo Alto Networks' Expedition tool, widely used for firewall configuration migrations. The flaw, stemming from missing authentication for a critical function, allows attackers with network access to the Expedition interface to gain administrative privileges without authorization. This issue (which has a CVSS score of 9.3!) represents a significant security risk, particularly for organizations using Expedition to manage sensitive configuration data. What is Expedition? Expedition simplifies the migration of firewall configurations from third-party systems to Palo Alto Networks devices. This process often involves importing sensitive credentials, secrets, and configurations, making the tool's security paramount. Exploit details The vulnerability could be exploited by sending crafted requests to reset the administrator password, granting attackers access to the system. Once inside, malicious actors could extract sensitive information, tamper with configurations, or launch further attacks against connected systems. Public proof of concept (PoC) code for exploiting this vulnerability is now available, increasing the urgency of mitigation measures. Which systems are affected? This vulnerability affects Expedition versions before 1.2.92, as detailed in the advisory from Palo Alto Networks. Systems that expose Expedition to the internet are at heightened risk, with recent scans identifying several instances accessible online. Mitigation steps Update Expedition: Upgrade to version 1.2.92 or later, where the vulnerability has been patched. Restrict access: Ensure that network access to the Expedition tool is limited to trusted hosts and users. There’s no valid reason for the tool to be accessible from untrusted networks. Change credentials: Rotate all administrator passwords, API keys, and firewall credentials processed through Expedition to mitigate potential compromises. Monitor for indicators of compromise (IoCs): Look for unusual activities in logs or changes to configurations, which may indicate exploitation. Recommended content To learn more about this vulnerability by interacting with it in a sandboxed environment, we have both offensive and a defensive labs in the platform. The offensive scenario allows you to perform the exploitation using the PoC, whereas our defensive scenario upskills users by describing how to identify the IoCs – giving participants a deep understanding of how the exploit would appear in their environment. To find these labs and others, simply type the relevant CVE number into the Immersive Labs Search Bar. Final thoughts CVE-2024-5910 underscores the importance of promptly addressing vulnerabilities in tools that manage critical infrastructure configurations. Organizations should also stay on top of new and emerging threats, patch affected systems immediately, and follow best practices for securing administrative tools like Expedition. Using the Immersive Labs platform, organizations can gain a deep understanding of the most critical vulnerabilities and exploits and prepare for them in a practical and safe setting. For more details from the affected vendor, refer to the official Palo Alto Networks security advisory.
