Sonny

Get FortiRekt, I Am The Super_Admin Now - Fortinet FortiOS Authentication Bypass CVE-2024-55591

Welcome to Monday, and what an excitingly fresh start to the week we're all having. Grab your coffee, grab your vodka - we're diving into a currently exploited-in-the-wild critical Authentication Bypass affecting foRtinet's (we are returning the misspelling gesture 🥰) flagship SSLVPN appliance, the FortiGate.

Cleo Harmony, VLTrader, and LexiCom - RCE via Arbitrary File Write (CVE-2024-50623)

We were having a nice uneventful week at watchTowr, when we got news of some ransomware operators using a zero-day exploit in Cleo MFT software - namely, LexiCom, VLTransfer, and Harmony - applications that many large enterprises rely on to share files securely. Cleo have a (paywalled) advisory, linked to

Where There’s Smoke, There’s Fire - Mitel MiCollab CVE-2024-35286, CVE-2024-41713 And An 0day

It is not just APTs that like to target telephone systems, but ourselves at watchTowr too. We can't overstate the consequences of an attacker crossing the boundary from the 'computer system' to the 'telephone system'. We've seen attackers realise this in 2024,

Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474

It'll be no surprise that 2024, 2023, 2022, and every other year of humanities' existence has been tough for SSLVPN appliances. Anyhow, there are new vulnerabilities (well, two of them) that are being exploited in the Palo Alto Networks firewall and SSLVPN offering, and as ever, we’

Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400)

Welcome to April 2024, again. We’re back, again. Over the weekend, we were all greeted by now-familiar news—a nation-state was exploiting a “sophisticated” vulnerability for full compromise in yet another enterprise-grade SSLVPN device. We’ve seen all the commentary around the certification process of these devices for certain

IBM QRadar - When The Attacker Controls Your Security Stack (CVE-2022-26377)

Welcome to April 2024. A depressing year so far - we've seen critical vulnerabilities across a wide range of enterprise software stacks. In addition, we've seen surreptitious and patient threat actors light our industry on fire with slowly introduced backdoors in the XZ library. Today, in

“To live is to fight, to fight is to live! - IBM ODM Remote Code Execution

In previous blogs, we’ve discussed some of the big players in the enterprise software space, but there is one that we have not mentioned before, that is - quite frankly - the heavy-weight champion of the world in terms of applications for large enterprises. With over a hundred years

Ivanti Connect Secure CVE-2024-22024 - Are We Now Part Of Ivanti?

As astute readers of our Twitter account (https://twitter.com/watchtowrcyber) and blog will know, we’ve recently been heavily involved in understanding the recent spatter of vulnerabilities in Ivanti products - most recently, their Connect Secure product which portrays itself as an SSLVPN device. We’re incredibly proud of

Form Tools Remote Code Execution: We Need To Talk About PHP

When looking across the attack surface of large enterprises, the expectation is the utilisation of well-known heavy-hitting software and appliances. Think your Citrix's, Cisco's, MOVEit's, and other such excitement. These products are enterprise-grade, in the sense that they typically go through some sort of

XXE, You Can Depend On Me (OpenCMS CVE-2023-42344 and Friends)

In the idealistic world of security research, we’d be faced with the latest versions of off-the-shelf enterprise products, primed with fresh hardened code ready for analysis and code kung-fu. In reality, however, enterprises and users often don’t update their installations unless world-ending, impactful security flaws are demonstrated or