January 10, 2025

Cybersafe Solutions Security Advisory Bulletin January 10, 2025

In this week's Security Advisory:

  • Proof-of-Concept released for LDAP Vulnerability in Windows Servers
  • Active Ongoing VPN Credential Compromise Campaigns
  • CISA Announces Mitel MiCollab Vulnerabilities Exploited in the Wild
  • Multiple Vulnerabilities Patched in Dell, HPE, and MediaTek Products
  • Android Patches Critical RCE Vulnerabilities in January Patch Cycle
  • Security Updates Released for Google Chrome and Mozilla Firefox

Proof-of-Concept released for LDAP Vulnerability in Windows Servers

SafeBreach has released a proof-of-concept exploit for a recently patched Windows LDAP vulnerability, CVE-2024-49113 (CVSS 7.5/10). Microsoft released a patch in December 2024, along with a patch for CVE-2024-49112 (CVSS 9.8/10). SafeBreach's report details how CVE-2024-49113 can be exploited to cause a denial-of-service (DoS) condition that is relieved only by a reboot. The researchers note that achieving remote code execution (RCE) from the exploit is likely possible. Now that threat actors have been given the framework to do so, it is highly likely they will. LDAP is a ubiquitous protocol in Microsoft Active Directory environments. Cybersafe strongly recommends applying the patch or placing these services behind a firewall that only allows communications from known good sources.

Affected Versions

  • Potentially all unpatched Windows Servers.

Active Ongoing VPN Credential Compromise Campaigns

Cybersafe's Threat Intelligence team has observed multiple campaigns attempting to gain access to VPN accounts through brute force. VPNs are entry points into protected networks, which makes them an attractive target for threat actors. If successful, these types of attacks frequently lead to further malicious access. For this reason, it is important to make sure your VPN deployment is properly hardened.
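
One way to check VPN authentication logs for the brute-force pattern described above, including a login that succeeds during a burst of failures. This is an added example, not part of Cybersafe's advisory; the log format, field names, threshold and window are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data in a hypothetical log format; real VPN gateways differ.
SAMPLE_LOG = """\
2025-01-10T08:00:01 vpn auth result=fail user=alice src=203.0.113.7
2025-01-10T08:00:09 vpn auth result=fail user=bob src=203.0.113.7
2025-01-10T08:00:15 vpn auth result=fail user=carol src=203.0.113.7
2025-01-10T08:00:20 vpn auth result=fail user=dave src=198.51.100.20
2025-01-10T08:00:22 vpn auth result=fail user=erin src=203.0.113.7
2025-01-10T08:00:31 vpn auth result=ok user=dave src=198.51.100.20
2025-01-10T08:00:40 vpn auth result=fail user=frank src=203.0.113.7
2025-01-10T08:01:02 vpn auth result=ok user=frank src=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth result=(?P<result>fail|ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(log):
    """Return time-ordered (timestamp, result, user, src) tuples; skip unparsable lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return sorted(events)

def detect(events, window=timedelta(minutes=5), threshold=5):
    """Flag sources with >= threshold failed logins inside a sliding window,
    and record any login that succeeds while that burst is still in the window."""
    recent = defaultdict(list)  # src -> [(timestamp, user)] failures still in window
    findings = {}
    for ts, result, user, src in events:
        recent[src] = [(t, u) for t, u in recent[src] if ts - t <= window]
        fails = recent[src]
        if result == "fail":
            fails.append((ts, user))
        if len(fails) < threshold:
            continue  # a single mistyped password (dave) never reaches this point
        f = findings.setdefault(src, {"max_failures": 0, "users": set(), "success_after_burst": []})
        f["max_failures"] = max(f["max_failures"], len(fails))
        f["users"].update(u for _, u in fails)
        if result == "ok":
            f["success_after_burst"].append(user)  # treat as a likely compromised account
    return findings

if __name__ == "__main__":
    for src, f in detect(parse(SAMPLE_LOG)).items():
        print(src, f["max_failures"], sorted(f["users"]), f["success_after_burst"])
```

Accounts listed under `success_after_burst` are the ones to prioritise for credential resets and session review.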

CISA Adds Mitel MiCollab Vulnerabilities to Known Exploited Vulnerabilities

CISA has added two vulnerabilities affecting Mitel MiCollab: CVE-2024-41713 (CVSS 9.8/10) and CVE-2024-55550 (CVSS 2.7/10). CVE-2024-41713 could allow an unauthenticated user to gain access to provisioning information and perform administrative actions on the server. This comes after a proof-of-concept exploit was released by watchTowr Labs in December. Currently, there is no public information that these have been exploited, but that could be coming soon with the decision by CISA.

Affected Versions

  • Mitel MiCollab 9.8 SP1 FP2 (9.8.1.201) and earlier.

Multiple Vulnerabilities Patched in Dell, HPE, and MediaTek Products

Dell has released patches for multiple products that were affected by the Apache Tomcat vulnerability, CVE-2024-52316, from this past November, which could lead to an authentication bypass. Dell also patched CVE-2025-22395 (CVSS 8.2/10) in its Update Package Framework.

Hewlett Packard announced patches for multiple vulnerabilities in components used in its SAN switches running Brocade Fabric OS that could lead to escalation of privilege, remote code execution, authentication bypass, and denial-of-service.

MediaTek has patched multiple vulnerabilities. The most severe, tracked as CVE-2024-20154, affects the modem components of different chipsets and can be exploited without user interaction.

Affected Versions

  • Apply the patches to any affected products.

Android Patches Critical RCE Vulnerabilities in January Patch Cycle

Android published its January Security Bulletin, which addressed twenty-four vulnerabilities in Android's Framework, Media Framework, and System components. The vulnerabilities include privilege escalation, remote code execution, denial-of-service, and information disclosure issues. Google made no mention of these vulnerabilities being exploited in the wild.

Affected Versions

A full list can be found here

Security Updates Released for Google Chrome and Mozilla Firefox

Google Chrome announced patches with an updated browser version, which addresses four vulnerabilities. Successful exploitation can lead to arbitrary code execution. Mozilla has released updates to Firefox to address eleven vulnerabilities, including three high-severity issues that can lead to remote code execution.

Recommendations

Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is a security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only. This dramatically increases the likelihood that new vulnerabilities have a patch issued for them. Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.