Rootshell Platform continuously scans a user’s estate for any issues that are being actively exploited by threat actors in the wild. If any of these vulnerabilities are detected, users are alerted immediately by the platform.

In this article, we have rounded up the top active exploits that are currently being monitored by Rootshell.

CVE-2021-35587 – Oracle Fusion Middleware

Remote Command Execution

The vulnerability, tracked as CVE-2021-35587, carries a CVSS score of 9.8 and impacts Oracle Access Manager (OAM) versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0. Successful exploitation of the remote command execution bug could enable an unauthenticated attacker with network access to completely compromise and take over Access Manager instances.

Several proof-of-concept exploits for CVE-2021-35587 have been published on GitHub, and according to CISA, successful exploitation attempts have now been detected in the wild.

CVE-2022-4135 – Chrome

Heap Buffer Overflow

Google has released an emergency security update for the desktop version of the Chrome web browser, addressing the eighth zero-day vulnerability exploited in attacks this year. The high-severity flaw is tracked as CVE-2022-4135 and is a heap buffer overflow in GPU, discovered by Google’s Threat Analysis Group on November 22, 2022.

Google has released Chrome Version 107.0.5304.121 for Mac and Linux and 107.0.5304.121/.122 for Windows to fix a zero-day vulnerability (CVE-2022-4135).

Based on the official site for Chrome updates, “Google is aware of reports that an exploit for CVE-2022-4135 exists in the wild.”
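The two entries above give concrete version boundaries (the fixed Chrome builds for CVE-2022-4135 and the affected Oracle Access Manager releases for CVE-2021-35587), which is what an asset-inventory check keys on. The following is an added example, not Rootshell Platform code: it parses dotted version strings, compares them against the versions stated in the text, and triages a constructed inventory. The inventory rows, host names and the `triage` function are assumptions for illustration.

```python
"""Version triage against the fixed/affected versions named in this roundup.
Added example, not part of the original article or the Rootshell Platform."""


def parse_version(s: str) -> tuple[int, ...]:
    """Turn '107.0.5304.121' into (107, 0, 5304, 121) so tuples compare numerically."""
    return tuple(int(part) for part in s.strip().split("."))


# Fixed Chrome builds per platform, as stated in the text above.
# Windows shipped .121 and .122; anything at or above .121 carries the fix.
CHROME_FIXED = {
    "mac": "107.0.5304.121",
    "linux": "107.0.5304.121",
    "windows": "107.0.5304.121",
}

# OAM releases the text names as affected by CVE-2021-35587 (exact match).
OAM_AFFECTED = {"11.1.2.3.0", "12.2.1.3.0", "12.2.1.4.0"}


def chrome_is_patched(platform: str, installed: str) -> bool:
    """True when the installed Chrome build is at or above the fixed build."""
    fixed = CHROME_FIXED[platform.lower()]
    return parse_version(installed) >= parse_version(fixed)


def oam_is_affected(installed: str) -> bool:
    """True when the OAM release string is one of the affected releases."""
    return installed.strip() in OAM_AFFECTED


def triage(inventory):
    """inventory: iterable of (host, product, platform, version).
    Returns (host, cve, version) for each entry that still needs attention."""
    findings = []
    for host, product, platform, version in inventory:
        if product == "chrome" and not chrome_is_patched(platform, version):
            findings.append((host, "CVE-2022-4135", version))
        elif product == "oam" and oam_is_affected(version):
            findings.append((host, "CVE-2021-35587", version))
    return findings


# Constructed sample inventory (hypothetical hosts and versions).
INVENTORY = [
    ("ws-01", "chrome", "windows", "107.0.5304.107"),   # below fixed build
    ("ws-02", "chrome", "mac", "107.0.5304.121"),       # exactly the fixed build
    ("ws-03", "chrome", "windows", "107.0.5304.122"),   # later Windows fixed build
    ("srv-oam-1", "oam", "linux", "12.2.1.4.0"),        # affected release
    ("srv-oam-2", "oam", "linux", "12.2.1.5.0"),        # constructed, not in list
]

if __name__ == "__main__":
    for host, cve, version in triage(INVENTORY):
        print(f"{host}: {cve} ({version})")
```

One caveat the OAM half illustrates: the Oracle fix ships as a Critical Patch Update applied on top of an affected release, so a release string alone cannot prove a host is patched; treat an exact-match hit as "verify the patch level", not as a confirmed vulnerability.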

CVE-2022-22241 – Junos OS J-Web Input Validation

Remote Code Execution

Multiple high-severity security flaws have been disclosed as affecting Juniper Networks devices, some of which could be exploited to achieve code execution. Chief among them is a remote pre-authenticated PHP archive file deserialization vulnerability (CVE-2022-22241, CVSS score: 8.1) in the J-Web component of Junos OS. “This vulnerability can be exploited by an unauthenticated remote attacker to get remote phar files deserialized, leading to arbitrary file write, which leads to a remote code execution.”

CVE-2022-41040 and CVE-2022-41082 – ProxyNotShell

Remote Code Execution

During September 2022, Microsoft disclosed two security vulnerabilities affecting on-premises Microsoft Exchange servers (not Microsoft 365). These vulnerabilities are known as the ProxyNotShell vulnerabilities, and adversaries are exploiting them in the wild for remote code execution (RCE) on vulnerable Exchange servers.

The ProxyNotShell vulnerabilities affected the latest versions of the Exchange server, and a proof-of-concept for the vulnerabilities was released. Microsoft patched Exchange Server on November 8, 2022, and organizations are advised to install the updates as soon as possible.

The exploit is confirmed to be working against systems running Exchange Server 2016 and 2019, and the code needs some modification to get it to work when targeting Exchange Server 2013.

On 18 November, Rootshell began seeing attempts on our honeypot servers to exploit this issue.

CVE-2022-41073 – Microsoft Windows Print Spooler Privilege Escalation Vulnerability

Escalation of Privileges

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error within the Windows Print Spooler. A local user can run a specially crafted program to trigger memory corruption and execute arbitrary code with SYSTEM privileges.

Note that the vulnerability is being actively exploited in the wild.

CVE-2022-41091 and CVE-2022-41049 – Microsoft Windows Mark of the Web (MOTW) Security Feature Bypass Vulnerability

Security Feature Bypass

Microsoft Windows Mark of the Web (MOTW) contains a security feature bypass vulnerability resulting in a limited loss of integrity and availability of security features.

CVE-2022-41125 – Microsoft Windows CNG Key Isolation Service Privilege Escalation Vulnerability

Escalation of Privileges

Microsoft Windows Cryptographic Next Generation (CNG) Key Isolation Service contains an unspecified vulnerability which allows an attacker to gain SYSTEM-level privileges.

CVE-2022-41128 – Microsoft Windows Scripting Languages Remote Code Execution Vulnerability

Remote Code Execution

Microsoft Windows contains an unspecified vulnerability in the JScript9 scripting language which allows for remote code execution.

CVE-2022-3270 – Festo Generic Multicast

Denial of Service

CVE-2022-3270 (CVSS score: 9.8) is a critical vulnerability affecting Festo automation controllers: the Festo Generic Multicast (FGMC) protocol can be used to reboot the devices without any authentication, causing a denial of service (DoS) condition.
