In this week's Security Advisory:
- SimpleHelp Remote Access Vulnerabilities Exploited in the Wild
- Cisco Patches Critical Vulnerability in Meeting Management
- VMware Patches SQL Injection Vulnerability in Avi Load Balancer
- Apple Announces Patches for Multiple OS Versions
- QNAP Patches Six Rsync Vulnerabilities
- Zyxel Zero-Day Under Active Exploitation
- Security Updates Released for Google Chrome
SimpleHelp Remote Access Vulnerabilities Exploited in the Wild
Update: it is now being reported that these vulnerabilities are being exploited in the wild. Users should patch immediately if they have not already done so.
More Reading/Information
- https://www.securityweek.com/simplehelp-remote-access-software-exploited-in-attacks/
Original Advisory:
SimpleHelp is remote support software that allows IT staff to remotely access user workstations without the user's interaction. The most critical vulnerability, CVE-2024-57726 (CVSS 9.9/10), allows an attacker with technician access to elevate to an admin role; an attacker who does so can then interact with user machines wherever unattended access is configured. Two other high-severity vulnerabilities were fixed in the same release: CVE-2024-57727 (CVSS 7.5/10) and CVE-2024-57728 (CVSS 7.2/10).
Affected Versions
- Version 5.5.7 and earlier.
More Reading/Information
Cisco Patches Critical Vulnerability in Meeting Management
Cisco has released an advisory for a critical privilege escalation vulnerability in its Meeting Management application. The vulnerability, CVE-2025-20156 (CVSS 9.9/10), resides in the REST API and could allow a remote, authenticated user with low privileges to escalate to an administrator role. Successful exploitation would give the attacker administrative control over all nodes managed by the affected application.
Affected Versions
- CMM version 3.9
- CMM versions 3.8 and earlier
More Reading/Information
VMware Patches SQL Injection Vulnerability in Avi Load Balancer
VMware released an advisory yesterday for a blind SQL injection vulnerability in its Avi Load Balancer, which distributes and manages incoming traffic across multiple servers and provides web application security. The vulnerability, CVE-2025-22217 (CVSS 8.6/10), could allow a malicious user with network access to use specially crafted SQL queries to gain access to the underlying database.
Affected Versions
- Avi Load Balancer versions 30.1.1, 30.1.2, 30.2.1, and 30.2.2
More Reading/Information
- https://www.securityweek.com/vmware-warns-of-high-risk-blind-sql-injection-bug-in-avi-load-balancer/
Apple Announces Patches for Multiple OS Versions
Apple has announced updates for a variety of its products addressing multiple vulnerabilities, including a zero-day that it says may have been exploited in the wild. The zero-day, CVE-2025-24085, affects the CoreMedia component of iOS and related Apple operating systems, and reports suggest it has been actively exploited against versions of iOS before iOS 17.2. Successful exploitation could allow a malicious application to elevate its privileges.
Affected Versions
- A full list can be found here
More Reading/Information
QNAP Patches Six Rsync Vulnerabilities
QNAP has released patches for six rsync vulnerabilities affecting its HBS 3 Hybrid Backup Sync. The vulnerabilities could be chained together by a remote attacker to execute arbitrary code on the system; the attacker would need at least read access to the rsync server to exploit them.
Affected Versions
- HBS 3 Hybrid Backup Sync 25.1.x.
More Reading/Information
Zyxel Zero-Day Under Active Exploitation
Security researchers have warned that a critical zero-day vulnerability affecting Zyxel CPE Series devices is being exploited in the wild. The vulnerability, CVE-2024-40891, is a command injection flaw that has not been publicly disclosed and for which no patch is currently available. Users of Zyxel CPE devices are advised to follow the mitigations in the linked GreyNoise post and the general recommendations below.
More Reading/Information
- https://www.greynoise.io/blog/active-exploitation-of-zero-day-zyxel-cpe-vulnerability-cve-2024-40891
Security Updates Released for Google Chrome
Google has released a new version of Chrome to address multiple vulnerabilities, the most severe of which could allow remote code execution. There are no reports of these being exploited in the wild yet.
More Reading/Information
Recommendations
Please review your environment to ensure the issues above are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above also highlight the benefit of limiting deployed software to vendor-supported versions only, which dramatically increases the likelihood that a patch is issued for newly discovered vulnerabilities. Likewise, Cybersafe strongly encourages maintaining an inventory of the software currently deployed in your environment, which informs and supports your patch and vulnerability management program.
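The inventory check recommended above, worked through as an added example (this is not Cybersafe's tooling and not from any of the vendors named). The affected-version rules transcribe only the "Affected Versions" entries in this advisory; Apple, Zyxel and Chrome are left out because the page gives no version ranges for them, and fixed versions are not listed here either, so each hit should be confirmed against the vendor advisory before it is closed. The INVENTORY rows, hostnames included, are constructed sample data.

```python
"""Flag inventory rows whose version falls in an affected range named in this advisory."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, ...]
Rule = Callable[[Version], bool]


def parse_version(text: str) -> Version:
    """'5.5.7' -> (5, 5, 7). Each dotted piece keeps only its leading digits,
    so a build suffix such as '30.1.2-2p2' still parses as (30, 1, 2)."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def at_most(limit: str) -> Rule:
    """'X and earlier'. The candidate is truncated to the limit's precision, so
    3.8.2 counts as <= 3.8 and a hypothetical 5.5.7.1 counts as <= 5.5.7
    (conservative: a point build of the boundary release is treated as affected)."""
    lim = parse_version(limit)
    return lambda v: v[: len(lim)] <= lim


def exactly(*versions: str) -> Rule:
    """An enumerated list of affected releases."""
    hits = {parse_version(x) for x in versions}
    return lambda v: v in hits


def series(prefix: str) -> Rule:
    """'25.1.x' style: affected if the version begins with the prefix."""
    pre = parse_version(prefix.replace(".x", ""))
    return lambda v: v[: len(pre)] == pre


def any_of(*rules: Rule) -> Rule:
    return lambda v: any(rule(v) for rule in rules)


# product name (lower-cased) -> (advisory label, rule), transcribed from this page only
ADVISORIES: Dict[str, Tuple[str, Rule]] = {
    "simplehelp": ("SimpleHelp CVE-2024-57726/-57727/-57728: 5.5.7 and earlier",
                   at_most("5.5.7")),
    "cisco meeting management": ("Cisco CMM CVE-2025-20156: 3.9, and 3.8 and earlier",
                                 any_of(series("3.9"), at_most("3.8"))),
    "vmware avi load balancer": ("VMware Avi CVE-2025-22217: 30.1.1, 30.1.2, 30.2.1, 30.2.2",
                                 exactly("30.1.1", "30.1.2", "30.2.1", "30.2.2")),
    "qnap hbs 3": ("QNAP HBS 3 rsync fixes: 25.1.x", series("25.1.x")),
}


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    advisory: str


def check_inventory(inventory: List[Dict[str, str]]) -> List[Finding]:
    """One Finding per row whose product has a rule here and whose version matches it.
    Products without a rule are skipped; a version that cannot be parsed is reported
    for manual review rather than silently passed."""
    findings: List[Finding] = []
    for row in inventory:
        entry = ADVISORIES.get(row["product"].lower())
        if entry is None:
            continue
        label, rule = entry
        try:
            version = parse_version(row["version"])
        except ValueError:
            findings.append(Finding(row["host"], row["product"], row["version"],
                                    f"{label} (version unparseable, review manually)"))
            continue
        if rule(version):
            findings.append(Finding(row["host"], row["product"], row["version"], label))
    return findings


# Constructed sample inventory; hostnames and versions are illustrative only.
INVENTORY: List[Dict[str, str]] = [
    {"host": "it-jump01", "product": "SimpleHelp", "version": "5.5.7"},
    {"host": "it-jump02", "product": "SimpleHelp", "version": "5.5.8"},
    {"host": "cmm-prod", "product": "Cisco Meeting Management", "version": "3.8.2"},
    {"host": "cmm-lab", "product": "Cisco Meeting Management", "version": "3.9.0"},
    {"host": "avi-ctrl1", "product": "VMware Avi Load Balancer", "version": "30.2.1"},
    {"host": "avi-ctrl2", "product": "VMware Avi Load Balancer", "version": "22.1.6"},
    {"host": "nas-backup", "product": "QNAP HBS 3", "version": "25.1.1.673"},
    {"host": "nas-archive", "product": "QNAP HBS 3", "version": "unknown"},
]

if __name__ == "__main__":
    for f in check_inventory(INVENTORY):
        print(f"{f.host:<12} {f.product:<28} {f.version:<12} {f.advisory}")
```

The rules are deliberately no finer than the page's wording: "3.9" flags every 3.9.x build, and "25.1.x" flags the whole series, so expect some hits to be cleared once the vendor's fixed release numbers are checked. Running the check as an inventory feed changes is the practical form of the "inventory informs patch management" point above.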