#Kev

Tod Beardsley<p>So here's a dumb question. Does CVE-2025-33053 actually affect Apache <a href="https://infosec.exchange/tags/mod_dav" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>mod_dav</span></a> after all?</p><p><a href="https://infosec.exchange/tags/CISA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CISA</span></a> <a href="https://infosec.exchange/tags/KEV" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KEV</span></a> seems to be implying this: "This vulnerability could affect various products that implement WebDAV, including but not limited to Microsoft Windows."</p><p>Like, is it a protocol bug, or a product bug? The <a href="https://www.cve.org/cverecord?id=CVE-2025-33053" rel="nofollow noopener" target="_blank">CVE</a> only lists Microsoft products as affected.</p>
Tod Beardsley<p><a href="https://infosec.exchange/tags/CISA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CISA</span></a> added the Erlang/OTP and RoundCube bugs to the <a href="https://infosec.exchange/tags/KEV" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KEV</span></a> today.</p><p><span class="h-card" translate="no"><a href="https://infosec.exchange/@runZeroInc" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>runZeroInc</span></a></span> already has queries for both of these -- the Erlang/OTP one since April. rZ users should be well ahead of this today.</p><p><a href="https://www.runzero.com/blog/erlang-otp-ssh/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">runzero.com/blog/erlang-otp-ss</span><span class="invisible">h/</span></a></p><p><a href="https://www.runzero.com/blog/roundcube-webmail/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">runzero.com/blog/roundcube-web</span><span class="invisible">mail/</span></a></p>
Tod Beardsley<p><a href="https://infosec.exchange/tags/CISA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CISA</span></a> posts up a passel of new KEVs, completely blowing through the k-rad 1337 count.</p><p>Technically, it looks like CVE-2025-32709 is the winrar of Most LEET Bug on <a href="https://infosec.exchange/tags/KEV" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KEV</span></a>.</p>
Tod Beardsley<p><a href="https://infosec.exchange/tags/CISA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CISA</span></a> adds CVE-2025-47729 to the <a href="https://infosec.exchange/tags/KEV" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KEV</span></a> -- which is for the crazy hacked up version of Signal used by high-ranking US government officials.</p><p>Wowzo. That's something.</p><p><a href="https://www.cve.org/CVERecord?id=CVE-2025-47729" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">cve.org/CVERecord?id=CVE-2025-</span><span class="invisible">47729</span></a></p>
Tod Beardsley<p><a href="https://infosec.exchange/tags/CISA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CISA</span></a> ends RSS for <a href="https://infosec.exchange/tags/KEV" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KEV</span></a>. Sigh.</p><p>UPDATE: No they didn't! H/t <span class="h-card" translate="no"><a href="https://infosec.exchange/@ntkramer" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>ntkramer</span></a></span> </p><p>"Update May 13: In an effort to enhance user experience and highlight the most timely and actionable information for cyber defenders, CISA announced a shift in how we share cybersecurity alerts and advisories. We recognize this has caused some confusion in the cyber community. As such, we have paused immediate changes while we re-assess the best approach to sharing with our stakeholders."</p><p><a href="https://www.cisa.gov/news-events/alerts/2025/05/12/update-how-cisa-shares-cyber-related-alerts-and-notifications" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">cisa.gov/news-events/alerts/20</span><span class="invisible">25/05/12/update-how-cisa-shares-cyber-related-alerts-and-notifications</span></a></p>
mauvehed 🐿️ (KØMVH)<p>I wrote a Discord bot to monitor for CVEs being mentioned in chat, and then it will fetch the details and post it back to chat.</p><p>It also has a feature to monitor for new KEV notifications and send them to a dedicated channel.</p><p>Collab with me. Use it. Abuse it. Whatever ya want!</p><p><a href="https://github.com/mauvehed/kevvy" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">github.com/mauvehed/kevvy</span><span class="invisible"></span></a></p><p><a href="https://defcon.social/tags/CVSS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVSS</span></a> <a href="https://defcon.social/tags/CVE" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE</span></a> <a href="https://defcon.social/tags/KEV" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KEV</span></a> <a href="https://defcon.social/tags/CISA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CISA</span></a> <a href="https://defcon.social/tags/Vulnerabilties" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Vulnerabilties</span></a> <a href="https://defcon.social/tags/Discord" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Discord</span></a></p>
CybersecKyle<p>CISA Adds Microsoft and Zimbra Flaws to KEV Catalog Amid Active Exploitation <a href="https://thehackernews.com/2025/02/cisa-adds-microsoft-and-zimbra-flaws-to.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">thehackernews.com/2025/02/cisa</span><span class="invisible">-adds-microsoft-and-zimbra-flaws-to.html</span></a></p><p><a href="https://infosec.exchange/tags/cybersec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersec</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/KEV" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KEV</span></a></p>
John Leonard<p>CISA adds critical Mitel and Oracle vulnerabilities to exploited list</p><p>Exploitation could allow attackers to gain unauthorised access to an organisation's entire unified communications infrastructure</p><p><a href="https://www.computing.co.uk/news/2025/security/cisa-adds-critical-mitel-and-oracle-vulnerabilities-to-exploited-list" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">computing.co.uk/news/2025/secu</span><span class="invisible">rity/cisa-adds-critical-mitel-and-oracle-vulnerabilities-to-exploited-list</span></a></p><p><a href="https://mastodon.social/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://mastodon.social/tags/cybcersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybcersecurity</span></a> <a href="https://mastodon.social/tags/technews" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>technews</span></a> <a href="https://mastodon.social/tags/mitel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>mitel</span></a> <a href="https://mastodon.social/tags/oracle" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>oracle</span></a> <a href="https://mastodon.social/tags/cisa" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cisa</span></a> <a href="https://mastodon.social/tags/kev" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>kev</span></a></p>
Wade Baker<p>ICYMI: The inaugural study on EPSS performance and broader vulnerability exploitation trends published this week. If you've ever wanted data-driven answers to questions like these listed in the ToC shown here, download it today (free, no registration req'd): <a href="https://www.cyentia.com/epss-study/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">cyentia.com/epss-study/</span><span class="invisible"></span></a></p><p><a href="https://infosec.exchange/tags/vulnerabilitymanagement" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerabilitymanagement</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a> <a href="https://infosec.exchange/tags/vulnerabilities" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerabilities</span></a> <br><a href="https://infosec.exchange/tags/vulnerability_exploits" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability_exploits</span></a> <a href="https://infosec.exchange/tags/exploit" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>exploit</span></a> <a href="https://infosec.exchange/tags/exploitation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>exploitation</span></a> <a href="https://infosec.exchange/tags/cyberattack" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cyberattack</span></a> <a href="https://infosec.exchange/tags/cyberattacks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cyberattacks</span></a> <a href="https://infosec.exchange/tags/epss" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>epss</span></a> <a href="https://infosec.exchange/tags/cvss" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cvss</span></a> <a 
href="https://infosec.exchange/tags/kev" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>kev</span></a></p>
Not Simon<p><strong>watchTowr</strong> may have successfully replicated CVE-2024-3400 (10.0 critical, disclosed 12 April 2024 by Palo Alto Networks as an exploited zero-day, CWE-77: Command Injection; OS Command Injection Vulnerability in GlobalProtect Gateway, added to CISA KEV Catalog). Instead of releasing a Proof of Concept, they provided a "detection artefact generator tool" 🔗 <a href="https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">labs.watchtowr.com/palo-alto-p</span><span class="invisible">utting-the-protecc-in-globalprotect-cve-2024-3400/</span></a></p><p><a href="https://infosec.exchange/tags/CVE_2024_3400" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE_2024_3400</span></a> <a href="https://infosec.exchange/tags/PaloAltoNetworks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PaloAltoNetworks</span></a> <a href="https://infosec.exchange/tags/zeroday" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>zeroday</span></a> <a href="https://infosec.exchange/tags/activeexploitation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>activeexploitation</span></a> <a href="https://infosec.exchange/tags/eitw" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>eitw</span></a> <a href="https://infosec.exchange/tags/kev" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>kev</span></a> <a href="https://infosec.exchange/tags/KnownExploitedVulnerabilitiesCatalog" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KnownExploitedVulnerabilitiesCatalog</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a> <a href="https://infosec.exchange/tags/threatintel" 
class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/IOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IOC</span></a></p>
Not Simon<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@jullrich" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>jullrich</span></a></span> of <strong>SANS ISC</strong> warns that the widely shared GitHub exploit is almost certainly fake (cc: <span class="h-card" translate="no"><a href="https://infosec.town/@mttaggart" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>mttaggart</span></a></span> ) and two IP addresses were attempting CVE-2024-3400 exploitation: <code>173.255.223.159</code> and <code>146.70.192.174</code> 🔗 <a href="https://isc.sans.edu/diary/rss/30838" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">isc.sans.edu/diary/rss/30838</span><span class="invisible"></span></a></p><p><a href="https://infosec.exchange/tags/CVE_2024_3400" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE_2024_3400</span></a> <a href="https://infosec.exchange/tags/PaloAltoNetworks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PaloAltoNetworks</span></a> <a href="https://infosec.exchange/tags/zeroday" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>zeroday</span></a> <a href="https://infosec.exchange/tags/activeexploitation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>activeexploitation</span></a> <a href="https://infosec.exchange/tags/eitw" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>eitw</span></a> <a href="https://infosec.exchange/tags/kev" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>kev</span></a> <a href="https://infosec.exchange/tags/KnownExploitedVulnerabilitiesCatalog" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KnownExploitedVulnerabilitiesCatalog</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>vulnerability</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/IOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IOC</span></a></p>
Not Simon<p>Happy hotfix day from <strong>Palo Alto Networks</strong> who released 3 hotfixes for CVE-2024-3400 (10.0 critical, disclosed 12 April 2024 as an exploited zero-day) with 15 more hotfixes expected in the coming days: 🔗 <a href="https://security.paloaltonetworks.com/CVE-2024-3400" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">security.paloaltonetworks.com/</span><span class="invisible">CVE-2024-3400</span></a></p><ul><li><strong>PAN-OS 10.2:</strong><ul><li>10.2.9-h1 (Released 14 April)</li><li>10.2.8-h3 (ETA: 15 April)</li><li>10.2.7-h8 (ETA: 15 April)</li><li>10.2.6-h3 (ETA: 15 April)</li><li>10.2.5-h6 (ETA: 16 April)</li><li>10.2.3-h13 (ETA: 17 April)</li><li>10.2.1-h2 (ETA: 17 April)</li><li>10.2.2-h5 (ETA: 18 April)</li><li>10.2.0-h3 (ETA: 18 April)</li><li>10.2.4-h16 (ETA: 19 April)</li></ul></li><li><strong>PAN-OS 11.0:</strong><ul><li>11.0.4-h1 (Released 14 April)</li><li>11.0.3-h10 (ETA: 15 April)</li><li>11.0.2-h4 (ETA: 16 April)</li><li>11.0.1-h4 (ETA: 17 April)</li><li>11.0.0-h3 (ETA: 18 April)</li></ul></li><li><strong>PAN-OS 11.1:</strong><ul><li>11.1.2-h3 (Released 14 April)</li><li>11.1.1-h1 (ETA: 16 April)</li><li>11.1.0-h3 (ETA: 17 April)</li></ul></li></ul><p><a href="https://infosec.exchange/tags/CVE_2024_3400" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE_2024_3400</span></a> <a href="https://infosec.exchange/tags/PaloAltoNetworks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PaloAltoNetworks</span></a> <a href="https://infosec.exchange/tags/zeroday" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>zeroday</span></a> <a href="https://infosec.exchange/tags/activeexploitation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>activeexploitation</span></a> <a href="https://infosec.exchange/tags/eitw" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>eitw</span></a> <a href="https://infosec.exchange/tags/kev" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>kev</span></a> <a href="https://infosec.exchange/tags/KnownExploitedVulnerabilitiesCatalog" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KnownExploitedVulnerabilitiesCatalog</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/IOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IOC</span></a></p>
Not Simon<p>It should come as no surprise that <strong>Palo Alto Networks</strong> did not release hotfixes* for affected versions of PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11 by the self-imposed deadline of Sunday 14 April 2024 like they estimated in their security advisory. 48 hours to develop/test/release is a tight delivery window with the whole infosec community breathing down their necks.</p><p><a href="https://infosec.exchange/tags/CVE_2024_3400" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE_2024_3400</span></a> <a href="https://infosec.exchange/tags/PaloAltoNetworks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PaloAltoNetworks</span></a> <a href="https://infosec.exchange/tags/zeroday" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>zeroday</span></a> <a href="https://infosec.exchange/tags/activeexploitation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>activeexploitation</span></a> <a href="https://infosec.exchange/tags/eitw" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>eitw</span></a> <a href="https://infosec.exchange/tags/kev" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>kev</span></a> <a href="https://infosec.exchange/tags/KnownExploitedVulnerabilitiesCatalog" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KnownExploitedVulnerabilitiesCatalog</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/IOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IOC</span></a></p>
Not Simon<p><strong>CISA</strong> put out an additional security alert about CVE-2024-3400, noting that Palo Alto Networks released workaround guidance for the command injection vulnerability. 🔗 <a href="https://www.cisa.gov/news-events/alerts/2024/04/12/palo-alto-networks-releases-guidance-vulnerability-pan-os-cve-2024-3400" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">cisa.gov/news-events/alerts/20</span><span class="invisible">24/04/12/palo-alto-networks-releases-guidance-vulnerability-pan-os-cve-2024-3400</span></a></p><p><a href="https://infosec.exchange/tags/CVE_2024_3400" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE_2024_3400</span></a> <a href="https://infosec.exchange/tags/PaloAltoNetworks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PaloAltoNetworks</span></a> <a href="https://infosec.exchange/tags/zeroday" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>zeroday</span></a> <a href="https://infosec.exchange/tags/activeexploitation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>activeexploitation</span></a> <a href="https://infosec.exchange/tags/eitw" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>eitw</span></a> <a href="https://infosec.exchange/tags/kev" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>kev</span></a> <a href="https://infosec.exchange/tags/KnownExploitedVulnerabilitiesCatalog" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KnownExploitedVulnerabilitiesCatalog</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a> <a href="https://infosec.exchange/tags/CISA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CISA</span></a></p>
Not Simon<p>Just to make it easier to read through the various reports (saying almost the same exact thing), I've assembled a Palo Alto Networks zero-day <strong>MEGA</strong> list:</p><ul><li><strong>Palo Alto Networks</strong> security advisory: <a href="https://security.paloaltonetworks.com/CVE-2024-3400" rel="nofollow noopener" target="_blank">CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect Gateway</a></li></ul><p>UPDATE: Volexity and Unit 42 talk about the threat actor, campaign, and include indicators of compromise:</p><ul><li><strong>Volexity</strong>: <a href="https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400" rel="nofollow noopener" target="_blank">Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)</a></li><li><strong>Unit 42:</strong> <a href="https://unit42.paloaltonetworks.com/cve-2024-3400/" rel="nofollow noopener" target="_blank">Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400</a></li></ul><p>Here's the rest of the related reporting:</p><ul><li><strong>Zscaler:</strong> <a href="https://www.zscaler.com/blogs/security-research/another-cve-pan-os-zero-day-another-reason-consider-zero-trust-0" rel="nofollow noopener" target="_blank">Another CVE (PAN-OS Zero Day), Another Reason to Consider Zero Trust</a></li><li><strong>The Register:</strong> <a href="https://www.theregister.com/2024/04/12/palo_alto_pan_flaw/" rel="nofollow noopener" target="_blank">Zero-day exploited right now in Palo Alto Networks' GlobalProtect gateways</a></li><li><strong>Bleeping Computer:</strong> <ol><li><a href="https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-pan-os-firewall-zero-day-used-in-attacks/" rel="nofollow noopener" target="_blank">Palo Alto Networks warns of PAN-OS firewall zero-day used in attacks</a></li><li>(update) 
<a href="https://www.bleepingcomputer.com/news/security/palo-alto-networks-zero-day-exploited-since-march-to-backdoor-firewalls/" rel="nofollow noopener" target="_blank">Palo Alto Networks zero-day exploited since March to backdoor firewalls</a></li></ol></li><li><strong>SANS ISC:</strong> <a href="https://isc.sans.edu/diary/rss/30834" rel="nofollow noopener" target="_blank">Critical Palo Alto GlobalProtect Vulnerability Exploited (CVE-2024-3400)</a></li><li><strong>CERT-EU:</strong> <a href="https://cert.europa.eu/publications/security-advisories/2024-037/" rel="nofollow noopener" target="_blank">Critical Vulnerability in PAN-OS software</a></li><li><strong>Qualys:</strong> <a href="https://threatprotect.qualys.com/2024/04/12/pan-os-os-command-injection-vulnerability-exploited-in-the-wild-cve-2024-3400/" rel="nofollow noopener" target="_blank">PAN-OS OS Command Injection Vulnerability Exploited in the Wild (CVE-2024-3400)</a></li><li><strong>Rapid7:</strong> <a href="https://www.rapid7.com/blog/post/2024/04/12/etr-cve-2024-3400-critical-command-injection-vulnerability-in-palo-alto-networks-firewalls-2/" rel="nofollow noopener" target="_blank">CVE-2024-3400: Critical Command Injection Vulnerability in Palo Alto Networks Firewalls</a></li><li><strong>The Hacker News:</strong> <ol><li><a href="https://thehackernews.com/2024/04/zero-day-alert-critical-palo-alto.html" rel="nofollow noopener" target="_blank">Zero-Day Alert: Critical Palo Alto Networks PAN-OS Flaw Under Active Attack</a></li><li>(update) <a href="https://thehackernews.com/2024/04/hackers-deploy-python-backdoor-in-palo.html" rel="nofollow noopener" target="_blank">Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack</a></li></ol></li><li><strong>Security Week:</strong> <ol><li><a href="https://www.securityweek.com/palo-alto-networks-warns-of-exploited-firewall-vulnerability/" rel="nofollow noopener" target="_blank">Palo Alto Networks Warns of Exploited Firewall Vulnerability</a></li><li>(update) <a 
href="https://www.securityweek.com/state-sponsored-hackers-exploit-zero-day-to-backdoor-palo-alto-networks-firewalls/" rel="nofollow noopener" target="_blank">State-Sponsored Hackers Exploit Zero-Day to Backdoor Palo Alto Networks Firewalls</a></li></ol></li><li><strong>SOCRadar:</strong> <a href="https://socradar.io/critical-os-command-injection-vulnerability-in-palo-altos-globalprotect-gateway-cve-2024-3400-the-patch-is-not-available-yet/" rel="nofollow noopener" target="_blank">Critical OS Command Injection Vulnerability in Palo Alto's GlobalProtect Gateway: CVE-2024-3400. The patch is not available yet.</a></li><li><strong>CISA:</strong> <ol><li><a href="https://www.cisa.gov/news-events/alerts/2024/04/12/cisa-adds-one-known-exploited-vulnerability-catalog" rel="nofollow noopener" target="_blank">CISA Adds One Known Exploited Vulnerability to Catalog</a></li><li><a href="https://www.cisa.gov/news-events/alerts/2024/04/12/palo-alto-networks-releases-guidance-vulnerability-pan-os-cve-2024-3400" rel="nofollow noopener" target="_blank">Palo Alto Networks Releases Guidance for Vulnerability in PAN-OS, CVE-2024-3400</a></li></ol></li><li><strong>The Record:</strong> <a href="https://therecord.media/vpn-zero-day-palo-alto-networks" rel="nofollow noopener" target="_blank">Palo Alto Networks warns of zero-day in VPN product</a></li><li><strong>Ars Technica:</strong><a href="https://arstechnica.com/security/2024/04/highly-capable-hackers-root-corporate-networks-by-exploiting-firewall-0-day/" rel="nofollow noopener" target="_blank">“Highly capable” hackers root corporate networks by exploiting firewall 0-day</a></li></ul><p><a href="https://infosec.exchange/tags/CVE_2024_3400" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE_2024_3400</span></a> <a href="https://infosec.exchange/tags/PaloAltoNetworks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PaloAltoNetworks</span></a> <a href="https://infosec.exchange/tags/zeroday" 
class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>zeroday</span></a> <a href="https://infosec.exchange/tags/activeexploitation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>activeexploitation</span></a> <a href="https://infosec.exchange/tags/eitw" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>eitw</span></a> <a href="https://infosec.exchange/tags/kev" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>kev</span></a> <a href="https://infosec.exchange/tags/KnownExploitedVulnerabilitiesCatalog" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KnownExploitedVulnerabilitiesCatalog</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/IOC" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>IOC</span></a></p>
Not Simon<p>Hot off the press! <strong>CISA</strong> adds CVE-2024-3400 (10.0 critical, disclosed 12 April 2024, PAN-OS: OS Command Injection Vulnerability in GlobalProtect Gateway) to the Known Exploited Vulnerabilities (KEV) Catalog 🔗 (to be updated later) <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">cisa.gov/known-exploited-vulne</span><span class="invisible">rabilities-catalog</span></a></p><p><a href="https://infosec.exchange/tags/CVE_2024_3400" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE_2024_3400</span></a> <a href="https://infosec.exchange/tags/PaloAltoNetworks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PaloAltoNetworks</span></a> <a href="https://infosec.exchange/tags/zeroday" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>zeroday</span></a> <a href="https://infosec.exchange/tags/activeexploitation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>activeexploitation</span></a> <a href="https://infosec.exchange/tags/eitw" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>eitw</span></a> <a href="https://infosec.exchange/tags/kev" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>kev</span></a> <a href="https://infosec.exchange/tags/KnownExploitedVulnerabilitiesCatalog" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KnownExploitedVulnerabilitiesCatalog</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a></p>
Not Simon<p><strong>Ivanti</strong> has a frequently asked questions (FAQ) blog post from 14 February 2024 addressing questions about their Ivanti Connect Secure, Policy Secure and ZTA gateway products. Important to note that <em>"As of 14 February, Ivanti has a build available for all supported versions."</em> It also responds to Eclypsium's claim of old open source code. They also dispute reporting that CVE-2024-22024 (8.3 high, disclosed 12 February by Ivanti) was being exploited after disclosure. "It is unfortunate that media reports continue to cover statements and unverified numbers from third parties that are incorrect or inflated." Ivanti officially responds to the accusations that they didn't credit watchTowr for reporting CVE-2024-22024. This reads like damage control for Ivanti's Public Relations. <br>🔗 <a href="https://www.ivanti.com/blog/key-faqs-related-to-ivanti-connect-secure-policy-secure-and-zta-gateway-vulnerabilities" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">ivanti.com/blog/key-faqs-relat</span><span class="invisible">ed-to-ivanti-connect-secure-policy-secure-and-zta-gateway-vulnerabilities</span></a></p><p><a href="https://infosec.exchange/tags/Ivanti" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Ivanti</span></a> <a href="https://infosec.exchange/tags/ConnectSecure" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ConnectSecure</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a> <a href="https://infosec.exchange/tags/zeroday" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>zeroday</span></a> <a href="https://infosec.exchange/tags/eitw" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>eitw</span></a> <a href="https://infosec.exchange/tags/activeexploitation" 
class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>activeexploitation</span></a> <a href="https://infosec.exchange/tags/UTA0178" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>UTA0178</span></a> <a href="https://infosec.exchange/tags/UNC5221" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>UNC5221</span></a> <a href="https://infosec.exchange/tags/CVE_2023_46805" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE_2023_46805</span></a> <a href="https://infosec.exchange/tags/CVE_2024_21887" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE_2024_21887</span></a> <a href="https://infosec.exchange/tags/KEV" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KEV</span></a> <a href="https://infosec.exchange/tags/KnownExploitedVulnerabilitiesCatalog" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KnownExploitedVulnerabilitiesCatalog</span></a> <a href="https://infosec.exchange/tags/CISA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CISA</span></a> <a href="https://infosec.exchange/tags/CVE_2024_21888" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE_2024_21888</span></a> <a href="https://infosec.exchange/tags/CVE_2024_21893" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE_2024_21893</span></a> <a href="https://infosec.exchange/tags/CVE_2024_22024" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE_2024_22024</span></a></p>
Not Simon<p><strong>Ivanti</strong> updated their knowledge base article with an available patch: </p><blockquote><p>Update 1 February: A patch addressing all known vulnerabilities is now available for Ivanti Connect Secure version 22.5R2.2 and Ivanti Policy Secure 22.5R1.1. </p></blockquote><p><a href="https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">forums.ivanti.com/s/article/KB</span><span class="invisible">-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US</span></a></p><p><a href="https://infosec.exchange/tags/Ivanti" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Ivanti</span></a> <a href="https://infosec.exchange/tags/ConnectSecure" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ConnectSecure</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a> <a href="https://infosec.exchange/tags/zeroday" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>zeroday</span></a> <a href="https://infosec.exchange/tags/eitw" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>eitw</span></a> <a href="https://infosec.exchange/tags/activeexploitation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>activeexploitation</span></a> <a href="https://infosec.exchange/tags/UTA0178" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>UTA0178</span></a> <a href="https://infosec.exchange/tags/UNC5221" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>UNC5221</span></a> <a 
href="https://infosec.exchange/tags/CVE_2023_46805" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE_2023_46805</span></a> <a href="https://infosec.exchange/tags/CVE_2024_21887" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE_2024_21887</span></a> <a href="https://infosec.exchange/tags/KEV" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KEV</span></a> <a href="https://infosec.exchange/tags/KnownExploitedVulnerabilitiesCatalog" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KnownExploitedVulnerabilitiesCatalog</span></a> <a href="https://infosec.exchange/tags/CISA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CISA</span></a> <a href="https://infosec.exchange/tags/CVE_2024_21888" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE_2024_21888</span></a> <a href="https://infosec.exchange/tags/CVE_2024_21893" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE_2024_21893</span></a></p>
Not Simon<p>Ivanti identified <strong>two new vulnerabilities (one actively exploited)</strong> in connection to the Ivanti Connect Secure zero-days from 10 January 2024. They are:</p><ul><li>CVE-2024-21888 (8.8 high) privilege escalation in web component "We have no evidence of customers being impacted by CVE-2024-21888 at this time"</li><li>CVE-2024-21893 (8.2 high, exploited in the wild) server-side request forgery (SSRF) in the SAML component "At the time of publication, the exploitation of CVE-2024-21893 appears to be targeted"</li></ul><p><strong>A patch is now available for Ivanti Connect Secure (versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2 and 22.5R1.1) and ZTA version 22.6R1.3.</strong><br>🔗 <a href="https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">forums.ivanti.com/s/article/KB</span><span class="invisible">-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US</span></a><br>blog post: <a href="https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-ivanti-policy-secure-gateways" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">ivanti.com/blog/security-updat</span><span class="invisible">e-for-ivanti-connect-secure-and-ivanti-policy-secure-gateways</span></a><br>security advisory: <a href="https://forums.ivanti.com/s/article/CVE-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">forums.ivanti.com/s/article/CV</span><span
class="invisible">E-2024-21888-Privilege-Escalation-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US</span></a></p><p><a href="https://infosec.exchange/tags/Ivanti" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Ivanti</span></a> <a href="https://infosec.exchange/tags/ConnectSecure" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ConnectSecure</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a> <a href="https://infosec.exchange/tags/zeroday" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>zeroday</span></a> <a href="https://infosec.exchange/tags/eitw" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>eitw</span></a> <a href="https://infosec.exchange/tags/activeexploitation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>activeexploitation</span></a> <a href="https://infosec.exchange/tags/UTA0178" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>UTA0178</span></a> <a href="https://infosec.exchange/tags/UNC5221" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>UNC5221</span></a> <a href="https://infosec.exchange/tags/CVE_2023_46805" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE_2023_46805</span></a> <a href="https://infosec.exchange/tags/CVE_2024_21887" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE_2024_21887</span></a> <a href="https://infosec.exchange/tags/KEV" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KEV</span></a> <a href="https://infosec.exchange/tags/KnownExploitedVulnerabilitiesCatalog" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KnownExploitedVulnerabilitiesCatalog</span></a> <a href="https://infosec.exchange/tags/CISA" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>CISA</span></a> <a href="https://infosec.exchange/tags/CVE_2024_21888" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE_2024_21888</span></a> <a href="https://infosec.exchange/tags/CVE_2024_21893" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE_2024_21893</span></a></p>
Not Simon<p>Just your periodic update from <strong>Ivanti</strong> regarding their CVE-2023-46805 (8.2 high) and CVE-2024-21887 (9.1 critical) zero-days (both disclosed 10 January 2024 as exploited in the wild, has Proofs of Concept, mass exploitation):</p><p>"<strong>Update 26 January:</strong> The targeted release of patches for supported versions is delayed, this delay impacts all subsequent planned patch releases. We are now targeting next week to release a patch for Ivanti Connect Secure (versions 9.1R17x, 9.1R18x, 22.4R2x and 22.5R1.1), Ivanti Policy Secure (versions 9.1R17x, 9.1R18x and 22.5R1x) and ZTA version 22.6R1x.<br>Patches for supported versions will still be released on a staggered schedule. Instructions on how to upgrade to a supported version will also be provided.<br><strong>The timing of patch release is subject to change as we prioritize the security and quality of each release.</strong> Please ensure you are following this article to receive updates as they become available."<br>🔗 <a href="https://forums.ivanti.com/s/article/KB-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">forums.ivanti.com/s/article/KB</span><span class="invisible">-CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US</span></a></p><p><a href="https://infosec.exchange/tags/Ivanti" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Ivanti</span></a> <a href="https://infosec.exchange/tags/ConnectSecure" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ConnectSecure</span></a> <a href="https://infosec.exchange/tags/vulnerability" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vulnerability</span></a> <a 
href="https://infosec.exchange/tags/zeroday" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>zeroday</span></a> <a href="https://infosec.exchange/tags/eitw" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>eitw</span></a> <a href="https://infosec.exchange/tags/activeexploitation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>activeexploitation</span></a> <a href="https://infosec.exchange/tags/UTA0178" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>UTA0178</span></a> <a href="https://infosec.exchange/tags/UNC5221" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>UNC5221</span></a> <a href="https://infosec.exchange/tags/CVE_2023_46805" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE_2023_46805</span></a> <a href="https://infosec.exchange/tags/CVE_2024_21887" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CVE_2024_21887</span></a> <a href="https://infosec.exchange/tags/KEV" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KEV</span></a> <a href="https://infosec.exchange/tags/KnownExploitedVulnerabilitiesCatalog" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>KnownExploitedVulnerabilitiesCatalog</span></a> <a href="https://infosec.exchange/tags/CISA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CISA</span></a></p>