CISA has warned U.S. federal companies to safe their techniques in opposition to ongoing assaults concentrating on a high-severity Home windows kernel vulnerability.
Tracked as CVE-2024-35250, this safety flaw is because of an untrusted pointer dereference weak spot that permits native attackers to realize SYSTEM privileges in low-complexity assaults that do not require person interplay.
Whereas Microsoft did not share extra particulars in a safety advisory revealed in June, the DEVCORE Analysis Staff that discovered the flaw and reported it to Microsoft by Development Micro’s Zero Day Initiative says the weak system part is the Microsoft Kernel Streaming Service (MSKSSRV.SYS).
DEVCORE safety researchers used this MSKSSRV privilege escalation safety flaw to compromise a completely patched Home windows 11 system on the primary day of this yr’s Pwn2Own Vancouver 2024 hacking contest.
Redmond patched the bug throughout the June 2024 Patch Tuesday, with proof-of-concept exploit code launched on GitHub 4 months later.
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” the corporate says in a safety advisory that has but to be up to date to point the vulnerability is below energetic exploitation.
DEVCORE revealed the next video demo of their CVE-2024-35250 proof-of-concept exploit getting used to hack a Home windows 11 23H2 machine.
As we speak, CISA additionally added a crucial Adobe ColdFusion vulnerability (tracked as CVE-2024-20767), which Adobe patched in March. Since then, a number of proof-of-concept exploits have been revealed on-line.
CVE-2024-20767 is because of an improper entry management weak spot that permits unauthenticated, distant attackers to learn the system and different delicate information. In response to SecureLayer7, efficiently exploiting ColdFusion servers with the admin panel uncovered on-line also can permit attackers to bypass safety measures and carry out arbitrary file system writes.
The Fofa search engine tracks over 145,000 Web-exposed ColdFusion servers, though it’s not possible to pinpoint the precise ones with remotely accessible admin panels.
CISA added each vulnerabilities to its Recognized Exploited Vulnerabilities catalog, tagging them as actively exploited. As mandated by the Binding Operational Directive (BOD) 22-01, federal companies should safe their networks inside three weeks by January 6.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” the cybersecurity company mentioned.
Whereas CISA’s KEV catalog primarily alerts federal companies about safety bugs that needs to be patched as quickly as attainable, personal organizations are additionally suggested to prioritize mitigating these vulnerabilities to dam ongoing assaults.
A Microsoft spokesperson was not instantly accessible for remark when contacted by BleepingComputer earlier right now for extra particulars relating to CVE-2024-35250 within the wild exploitation.
