Critical Vulnerabilities Affecting Prioritized Software and Services in July 2023

Key Findings

  • In July 2023, Optiv’s Global Threat Intelligence Center (gTIC) covered 28 vulnerabilities rated as High to Critical severity affecting software and services on the gTIC’s Prioritized Software and Services List.
  • Multiple reported vulnerabilities have been actively exploited in the wild, including vulnerabilities identified in Ivanti’s EPMM software, Zimbra ZCS, and Citrix ShareFile.
  • Optiv’s gTIC assesses that threat actors will continue to leverage known and unknown vulnerabilities in prioritized software and services over the next 12 months.

Vulnerabilities

Critical Enterprise Software

Microsoft Office
In June 2023, Microsoft disclosed an unpatched security vulnerability in multiple Windows and Office products that has been exploited in the wild and can lead to remote code execution (RCE). According to Microsoft, the vulnerability, CVE-2023-36884 (CVSS 8.8), could be exploited by creating a “specially crafted Microsoft Office document that enables a threat actor to perform RCE in the context of the victim.” A Russia-based threat group, labeled Storm-0978, exploited this vulnerability. This group has targeted government and defense entities in Europe and North America and has used lures related to the Ukrainian World Congress. The CVE-2023-36884 vulnerability affects Excel.exe, Graph.exe, MSAccess.exe, MSPub.exe, Powerpnt.exe, Visio.exe, WinProj.exe, WinWord.exe, and Wordpad.exe. The vulnerability was added to the U.S. CISA’s Known Exploited Vulnerabilities (KEV) Catalog on July 17, 2023. Organizations are required to follow vendor recommendations, as the vulnerability has not been patched at the time of writing.

VMware vRealize
The CVE-2023-20864 (CVSS 9.8) vulnerability impacting vRealize Log Insight was disclosed in April 2023. Threat actors can abuse this deserialization vulnerability to run arbitrary code as root on compromised systems. In July 2023, VMware warned customers that exploit code was available for the vulnerability, which Likely increases the probability of attack. The number of externally exposed vRealize devices is relatively low. However, once they have internal access, attackers often exploit vulnerable software and services to gain further unauthorized network access and move laterally. The vulnerability affects version 8.10.2 and was patched with the release of version 8.12.

Content Management Systems

Adobe ColdFusion
In July 2023, Adobe released an emergency ColdFusion security update addressing CVE-2023-38203 (CVSS 9.8). The vulnerability is a deserialization of untrusted data that could allow threat actors to conduct arbitrary code execution. Security researchers with Rapid7 reported that this vulnerability is likely a bypass for CVE-2023-29300 (CVSS 9.8). Attackers exploited it in the wild by chaining the vulnerability with CVE-2023-29298 (CVSS 7.5) to deploy web shells and gain remote access to devices.

Also in July 2023, Adobe released a security advisory warning of CVE-2023-38204 (CVSS 9.8), which could lead to arbitrary code execution and is also considered a deserialization of untrusted data vulnerability. There is no evidence that the vulnerability has been exploited in the wild.

Citrix
In June 2023, Citrix released an update for CVE-2023-24489 (CVSS 9.1) affecting Citrix ShareFile, a cloud-based file-sharing and collaboration application. According to Citrix, the vulnerability impacts “the customer-managed ShareFile storage zones controller,” meaning that an unauthenticated adversary can exploit the flaw to upload arbitrary files or execute code. The vulnerability was patched in June 2023 with the release of version 5.11.24. In July 2023, security researchers with GreyNoise reported that threat actors had begun exploiting the vulnerability against victim organizations. The proof-of-concept (PoC) exploit available for the vulnerability indicates that threat actors of lower skill levels can more easily exploit the flaw over the next 12 months.

WooCommerce Payments Plugin
CVE-2023-28121 (CVSS 9.8) is an authentication bypass vulnerability affecting the WooCommerce Payments WordPress plugin that researchers report “enables unauthenticated attackers to impersonate arbitrary users and perform some actions as the impersonated user.” The vulnerability was patched in April 2023, but Wordfence reported in July 2023 that threat actors had exploited it to launch a large-scale campaign. Threat actors conducted reconnaissance prior to exploitation in this campaign, making it more targeted than earlier campaigns against vulnerabilities in WooCommerce applications. The attacks contained a header that Defiant claims “causes vulnerable sites to treat any additional payloads as coming from an admin user.”

VPN and Proxy Clients

Citrix NetScaler ADC and Gateway
In July 2023, Citrix alerted customers of three vulnerabilities affecting NetScaler ADC and NetScaler Gateway, which already have exploits in the wild. The most severe vulnerability, CVE-2023-3519 (CVSS 9.8), could be exploited to execute code remotely without authentication. Threat actors have actively exploited the CVE-2023-3519 vulnerability to drop a web shell on a critical infrastructure organization’s environment. The web shell enabled the threat actors to perform discovery on the victim’s AD and collect and exfiltrate AD data. The vulnerability was added to the U.S. CISA’s KEV Catalog on July 19, 2023, and organizations are required to have their instances patched by August 9, 2023.

Another vulnerability, CVE-2023-3466 (CVSS 8.3), is a cross-site scripting (XSS) flaw that attackers can exploit if a victim accesses an attacker-controlled link in a browser while on the same network. Finally, CVE-2023-3467 (CVSS 8.3) allows an attacker to elevate privileges to those of the root administrator (nsroot).

Fortinet
In July 2023, Fortinet disclosed a critical vulnerability, CVE-2023-33308 (CVSS 9.8), which could allow a remote attacker to perform arbitrary code execution on vulnerable devices. This stack-based overflow vulnerability occurs when a program writes more data to a buffer on the stack than was allocated for it. The U.S. CISA published an alert on the vulnerability, warning organizations to implement the available patches.

Remote Access and IT Management

Ivanti EPMM
In July 2023, Ivanti released patches for CVE-2023-35078 (CVSS 10.0), which affected its Endpoint Manager Mobile (EPMM) mobile device management software. This remote unauthenticated API access vulnerability has been actively exploited in the wild. Another Ivanti EPMM vulnerability, CVE-2023-35081 (CVSS 7.2), was identified in July 2023. This flaw allows an unauthenticated administrator to perform arbitrary file writes to the EPMM server. A threat actor could exploit this vulnerability in conjunction with CVE-2023-35078. This flaw impacts supported versions 11.10, 11.9, and 11.8, but older versions are also at risk. Attackers reportedly exploited both vulnerabilities to breach the IT systems of 12 Norwegian government ministries.

Routers

MikroTik RouterOS
Security researchers with VulnCheck warned of a critical vulnerability, CVE-2023-30799 (CVSS 9.1), that attackers could exploit in large-scale attacks against more than 500,000 exposed and potentially vulnerable systems running MikroTik RouterOS, the operating system for MikroTik routers and network devices. Attackers can remotely exploit this vulnerability to elevate privileges from admin to "super-admin" and obtain a root shell on the router. The vulnerability was first disclosed in 2022 at Recon, and a PoC exploit released at the time allowed one to obtain a root shell on the RouterOS x86 VM. VulnCheck researchers have since published new exploits targeting a wider range of MikroTik hardware. Shodan indexed between 500,000 and 900,000 RouterOS systems vulnerable to CVE-2023-30799. The RouterOS web and Winbox interfaces use custom encryption schemes that attackers can decrypt and inspect using tools such as Snort and Suricata. These malicious actors can gain a foothold and remain hidden from the RouterOS user interface.

Browser

Mozilla Firefox
Mozilla released Firefox 115 to deliver patches for 12 vulnerabilities, including two use-after-free vulnerabilities. CVE-2023-37201 (CVSS 8.8) exists in the WebRTC certificate generator, which enables real-time communication (RTC) capabilities in web browsers and mobile applications. CVE-2023-37202 (CVSS 8.8) results from a compartment mismatch in SpiderMonkey, the JavaScript and WebAssembly engine. According to Mozilla, “Cross-compartment wrappers wrapping a scripted proxy could have caused objects from other compartments to be stored in the main compartment resulting in a use-after-free,” and “Some of the vulnerabilities showed evidence of memory corruption, that, with enough effort could likely have been exploited to run arbitrary code.”

Software Development, Documentation and Code/Project Repositories

Atlassian Confluence Server, Data Center, and Bamboo Data Center
In July 2023, Atlassian disclosed three RCE vulnerabilities affecting Atlassian’s Confluence Server, Data Center, and Bamboo Data Center. CVE-2023-22505 (CVSS 8.5) and CVE-2023-22508 (CVSS 8.0) affect the Confluence Server and Data Center, while CVE-2023-22506 (CVSS 7.5) impacts the Bamboo Data Center. Successful exploitation of the vulnerabilities could allow threat actors to access users’ cloud infrastructure, software supply chain, and more—putting the software at risk for system takeover. Threat actors do have to be authenticated to successfully exploit these vulnerabilities, and no user interaction is required.

Honorable Mentions

Cisco vManage
Cisco released a warning of a critical unauthenticated REST API access vulnerability, CVE-2023-20214 (CVSS 9.1), impacting its SD-WAN vManage. An unauthenticated, remote attacker could exploit this insufficient request validation flaw by sending a crafted API request to an affected vManage instance. Successful exploitation could grant them read or limited write permissions. The vulnerability only affects the REST API and does not impact the web-based management interface or the CLI. At the time of writing, there are no workarounds to address the vulnerability, and there is no evidence that the vulnerability has been exploited in the wild.

OpenSSH
Security researchers with Qualys published an analysis of a now-patched vulnerability in OpenSSH that attackers could potentially exploit to remotely run arbitrary commands on compromised hosts. The vulnerability, CVE-2023-38408 (CVSS 9.8), impacts all versions of OpenSSH before 9.3p2. Successful exploitation requires the presence of certain libraries on the victim system and the forwarding of the SSH authentication agent to an attacker-controlled system. The SSH authentication agent stores login keys so that users can log in remotely without entering their passphrases each time. Researchers report that a PoC exploit against default installations of Ubuntu Desktop 22.04 and 21.10 was released, but other Linux distributions are also vulnerable.
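As an added audit check (this is not code from the Optiv report or from Qualys), the script below parses an OpenSSH version banner such as the output of `ssh -V`, reports whether the build predates 9.3p2, and scans ssh_config text for an enabled ForwardAgent line, the client setting the exploit chain described above depends on. The banner and config text are constructed samples.

```shell
#!/bin/sh
# Added example, not from the Optiv report: audit helpers for CVE-2023-38408.
# A build earlier than 9.3p2 is reported as unpatched, and any uncommented
# "ForwardAgent yes" in an ssh_config is reported because agent forwarding
# to an attacker-controlled host is a precondition of the exploit chain.

# Returns 0 when BANNER names an OpenSSH release earlier than 9.3p2,
# 1 when it is 9.3p2 or later, 2 when no OpenSSH version is present.
openssh_before_9_3p2() {
    banner=$1
    rest=${banner#*OpenSSH_}
    [ "$rest" != "$banner" ] || return 2
    verstr=${rest%%[!0-9.p]*}            # e.g. "9.3p1" from "9.3p1 Ubuntu-..."
    major=${verstr%%.*}
    tail=${verstr#*.}
    minor=${tail%%p*}
    patch=${tail#*p}
    [ "$patch" != "$tail" ] || patch=0   # no "pN" suffix: treat as p0
    if [ "$major" -ne 9 ]; then
        [ "$major" -lt 9 ] && return 0 || return 1
    fi
    if [ "$minor" -ne 3 ]; then
        [ "$minor" -lt 3 ] && return 0 || return 1
    fi
    if [ "$patch" -lt 2 ]; then return 0; else return 1; fi
}

# Returns 0 when the ssh_config text on stdin enables agent forwarding on
# any uncommented line (keyword matching is case-insensitive, as in ssh).
forward_agent_enabled() {
    grep -iqE '^[[:space:]]*ForwardAgent[[:space:]]+yes([[:space:]]|$)'
}

# Constructed sample inputs for a stand-alone run.
SAMPLE_BANNER='OpenSSH_9.3p1 Ubuntu-1ubuntu3.2, OpenSSL 3.0.10 1 Aug 2023'
SAMPLE_CONFIG='Host *
    # ForwardAgent yes   <- commented out, must not count
    ForwardAgent yes
    ServerAliveInterval 60'

if openssh_before_9_3p2 "$SAMPLE_BANNER"; then
    echo "unpatched build (before 9.3p2): $SAMPLE_BANNER"
fi
if printf '%s\n' "$SAMPLE_CONFIG" | forward_agent_enabled; then
    echo "agent forwarding is enabled; set 'ForwardAgent no' unless required"
fi
```

On a real host, feed it `ssh -V 2>&1` (the banner goes to stderr) and the contents of ~/.ssh/config and /etc/ssh/ssh_config.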

SonicWall Global Management System and Analytics
In July 2023, SonicWall warned customers to urgently patch multiple critical vulnerabilities impacting the Global Management System (GMS) firewall management and Analytics network reporting engine software suites. The company addressed over 15 vulnerabilities in the updates, 4 of which earned a critical score. CVE-2023-34124 (CVSS 9.4) is a web service authentication bypass vulnerability. CVE-2023-34133 (CVSS 9.8) covers multiple unauthenticated SQL injection and security filter bypass issues. CVE-2023-34134 (CVSS 9.8) is a password hash read via web service vulnerability. CVE-2023-34137 (CVSS 9.4) is a CAS authentication bypass vulnerability. Unauthenticated threat actors can remotely exploit these vulnerabilities in low-complexity attacks that do not require user interaction. At the time of writing, there is no evidence that the vulnerabilities have been exploited in the wild.

Zimbra
In July 2023, Zimbra warned of CVE-2023-34192 (CVSS 9.0), a cross-site scripting (XSS) vulnerability affecting the open-source Zimbra Collaboration Suite (ZCS) email platform, version 8.8.15. Remote, authenticated threat actors could exploit this flaw to execute arbitrary code through a crafted script submitted to the /h/autoSaveDraft function. Zimbra reported that the vulnerability has been actively exploited but has not yet disclosed the attack details as of this writing, which is Likely an attempt to give organizations an opportunity to patch it.

In July 2023, Zimbra released ZCS 10.0.2, ZCS 9.0.0 Patch 34, and ZCS 8.8.15 Patch 41 to address CVE-2023-38750, another actively exploited XSS vulnerability that “could lead to the exposure of internal JSP and XML files.”

Analysis and Potential Impacts of These Vulnerabilities
Optiv’s gTIC assesses with High Confidence that threat actors will continue or begin to target these vulnerabilities over the next 12 months to steal sensitive information and credentials, or to deploy malware—including backdoors, cryptominers, ransomware, and information stealers. It is Likely that both cybercriminal and APT groups will target these vulnerabilities.

Based on the knowledge that threat actors often mimic each other's behavior and tools, the Optiv gTIC provides its Prioritized Software and Services list of the most commonly targeted and exploited software and services that organizations should prioritize in terms of patch management, hardening, asset inventory, and visibility. These products and services are known to be targeted by all types of cyber adversaries, including hacktivists, cybercriminals, and state-sponsored entities. These are products and services that are currently, and forecasted with High Confidence to be, targeted and exploited by adversaries. Many of the vulnerabilities discussed above impact software and services included on the gTIC’s prioritized list.

Intelligence Analyst | Optiv
Andi Ursry has over four years of experience in Threat Intelligence. Ursry began her career in the retail sector in Loss Prevention and Safety positions. She worked on-site to help stores mitigate risks. After seeing a shift toward cybercrime, she changed focus to cyber intelligence. Ursry’s research focuses on ransomware groups and their tactics.

Prior to joining Optiv, Ursry was a Cyber Threat Intelligence Analyst for a California-based cybersecurity company that specializes in digital risk. She earned a bachelor’s and master’s degree in criminal justice from Colorado Technical University, Online.
