Rootshell Platform continuously scans a user’s estate for any issues that are being actively exploited by threat actors in the wild. If any of these vulnerabilities are detected, users are alerted immediately by the platform.

In this article, we have rounded up the top active exploits that are currently being monitored by Rootshell.

CVE-2023-21674 – Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability

CVE-2023-21674 is a vulnerability in Windows Advanced Local Procedure Call (ALPC) that could lead to a browser sandbox escape and allow attackers to gain SYSTEM privileges on a wide variety of Windows and Windows Server installations.

CVE-2023-21549 – Windows SMB Witness Service Elevation of Privilege Vulnerability

To exploit this vulnerability, an attacker could execute a specially crafted malicious script which makes an RPC call to an RPC host. This could result in elevation of privilege on the server: an attacker who successfully exploited this vulnerability could execute RPC functions that are restricted to privileged accounts only.

CVE-2023-20025 – Cisco Small Business Routers Web Based Management Security Bypass

Cisco has warned of two security vulnerabilities affecting end-of-life (EoL) Small Business RV016, RV042, RV042G, and RV082 routers that it said will not be fixed, even as it acknowledged the public availability of a proof-of-concept (PoC) exploit. The issues are rooted in the routers’ web-based management interface, enabling a remote adversary to sidestep authentication or execute malicious commands on the underlying operating system. The more severe of the two is CVE-2023-20025 (CVSS score: 9.0), which is the result of improper validation of user input within incoming HTTP packets. A threat actor could exploit it remotely by sending a specially crafted HTTP request to a vulnerable router’s web-based management interface to bypass authentication and obtain elevated permissions.

CVE-2022-4873 & CVE-2022-4874 – Netcomm and TP-Link routers Remote Code Execution

Security vulnerabilities have been disclosed in Netcomm and TP-Link routers, some of which could be weaponized to achieve remote code execution. The flaws, tracked as CVE-2022-4873 and CVE-2022-4874, concern a case of stack-based buffer overflow and authentication bypass and impact Netcomm router models NF20MESH, NF20, and NL1902 running software versions earlier than R6B035. “The two vulnerabilities, when chained together, permit a remote, unauthenticated attacker to execute arbitrary code.”

CVE-2022-47966 – Zoho ManageEngine Arbitrary Code Execution

Users of Zoho ManageEngine are being urged to patch their instances against a critical security vulnerability ahead of the release of a proof-of-concept (PoC) exploit code. The issue in question is CVE-2022-47966, an unauthenticated remote code execution vulnerability affecting several products due to the use of an outdated third-party dependency, Apache Santuario. “This vulnerability allows an unauthenticated adversary to execute arbitrary code,” Zoho warned in an advisory issued late last year, noting that it affects all ManageEngine setups that have the SAML single sign-on (SSO) feature enabled, or had it enabled in the past.

CVE-2022-47911 & CVE-2022-45444 – Sewio, InHand Networks, Sauter Controls, and Siemens Critical Security Flaws

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released several Industrial Control Systems (ICS) advisories warning of critical security flaws affecting products from Sewio, InHand Networks, Sauter Controls, and Siemens.

CVE-2022-46169 – Cacti Servers Authentication Bypass

A majority of internet-exposed Cacti servers have not been patched against a recently fixed critical security vulnerability that has come under active exploitation in the wild. The issue in question relates to CVE-2022-46169 (CVSS score: 9.8), a combination of authentication bypass and command injection that enables an unauthenticated user to execute arbitrary code on an affected version of the open-source, web-based monitoring solution.

CVE-2022-44877 – CentOS Web Panel Arbitrary Code Execution

An issue in the /login/index.php component of CentOS Web Panel 7 before v0.9.8.1147 allows unauthenticated attackers to execute arbitrary system commands via crafted HTTP requests.

CVE-2021-35394 – Realtek Jungle SDK Arbitrary Command Injection

Realtek Jungle SDK version v2.x up to v3.4.14B provides a diagnostic tool called ‘MP Daemon’ that is usually compiled as ‘UDPServer’ binary. The binary is affected by multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability that can be exploited by remote unauthenticated attackers.

CVE-2022-34689 – CryptoAPI Authorization Spoofing

CryptoAPI helps developers secure Windows-based apps using cryptography; the API can be used, for instance, to validate certificates and verify identities. The vulnerability in question (CVE-2022-34689) can be exploited by miscreants to digitally sign malicious executables in a way that tricks Windows and apps into believing the files are from trusted, legitimate sources and can be opened or installed. Exploiting this would involve getting said files onto victims’ machines and having them run. Alternatively, an attacker can craft a TLS certificate that appears to belong to another organization and trick an application into trusting the cert, if that application uses CryptoAPI to analyse the certificate. The app then believes the attacker is the spoofed organization. The bug isn’t a remote code execution flaw; it’s a vulnerability that allows someone to impersonate another party to an application or operating system, in the context of identity and certificate cryptography checks on Windows.

CVE-2020-0601 – CryptoAPI Trusted File Spoofing

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source, aka ‘Windows CryptoAPI Spoofing Vulnerability’.
