A critical severity flaw exists in all versions of Atlassian’s Confluence Data Center and Server. It is tracked as CVE-2023-22518, carries a CVSS score of 9.1, and is described by Atlassian as an Improper Authorization vulnerability. There is no evidence of active exploitation, but Atlassian’s CISO, Bala Sathiamurthy, has stated that customers should refer to the security advisory and take immediate action to protect their Confluence Data Center and Server instances.
A critical vulnerability in the F5 BIG-IP Configuration Utility, tracked as CVE-2023-46747, has been patched. Reported with a CVSS score of 9.8, it allows an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands.
Citrix has released a security advisory for two of its products, Citrix ADC and Citrix Gateway, when they are configured as a Gateway or AAA virtual server. The related Critical vulnerability, CVE-2023-4966, with a CVSS score of 9.4, is under active targeted exploitation. It is a sensitive information disclosure issue, and the targeted attacks reported against it involve session hijacking.
VMware has released security updates for its vCenter Server. The vulnerability, CVE-2023-34048, is classified as Critical with a CVSS score of 9.8. VMware describes it as an out-of-bounds write in the DCERPC protocol, which is used for remote procedure calls. It could allow a remote attacker to achieve remote code execution on the target system with no privileges or user interaction required.
CVE-2023-20273 is a vulnerability used in conjunction with CVE-2023-20198, which we reported last week. Cisco found that threat actors chained the two issues: they first used CVE-2023-20198 to gain initial access and escalate privilege to the highest level in the application, creating a local user and password combination. With that local account in place, the attacker then leveraged CVE-2023-20273 to elevate privilege further to root level and write to the file system.
CVE-2023-38831 is an actively exploited, high severity vulnerability in RARLabs WinRAR, a popular archiving and extraction tool for the .RAR and .ZIP file formats. WinRAR versions before 6.23 allow attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. This occurs when the ZIP archive contains a benign file alongside a malicious folder having the same name (e.g., the archive contains a picture.jpg file and a picture folder containing a malicious executable). When the benign picture.jpg file is processed, so is the malicious folder.
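As an added example (not from the original digest and not RARLabs code), the following Python scanner lists a ZIP archive's entries and flags any file whose name, or whose name without extension, also appears as a directory in the same archive, which is the layout described above. The sample archives are constructed in memory and contain only inert data; the choice to compare names with trailing spaces removed and the list of "executable" extensions are assumptions made for the example.

```python
import io
import os
import zipfile
from typing import Dict, List

# Extensions reported as executable-looking when they sit inside a colliding
# folder. This list is an assumption for the example, not from the advisory.
EXECUTABLE_EXTS = {".exe", ".cmd", ".bat", ".vbs", ".ps1", ".scr", ".js"}


def _norm(path: str) -> str:
    # Strip trailing spaces from every path component so "picture.jpg " and
    # "picture.jpg" compare as the same name (assumed normalisation).
    return "/".join(c.rstrip(" ") for c in path.split("/"))


def find_name_collisions(zip_bytes: bytes) -> List[Dict[str, object]]:
    """Return one record per file whose name (or stem) also exists as a directory.

    Each record names the benign-looking file, the colliding directory, and any
    executable-looking entries found inside that directory.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()

    dirs = set()
    files: List[str] = []
    for name in names:
        parts = name.rstrip("/").split("/")
        if name.endswith("/"):
            dirs.add(_norm("/".join(parts)))  # explicit directory entry
            continue
        files.append(name)
        # every parent component of a file path is an implied directory
        for depth in range(1, len(parts)):
            dirs.add(_norm("/".join(parts[:depth])))

    hits: List[Dict[str, object]] = []
    for f in files:
        key = _norm(f)
        stem, _ = os.path.splitext(key)
        for candidate in (key, stem):
            if candidate and candidate in dirs:
                inside = [
                    n for n in files
                    if _norm(n).startswith(candidate + "/")
                    and os.path.splitext(_norm(n))[1].lower() in EXECUTABLE_EXTS
                ]
                hits.append({"file": f, "directory": candidate + "/", "executables": inside})
                break
    return hits


def build_sample_archive() -> bytes:
    # Constructed archive mirroring the pattern: a benign top-level file and a
    # folder of the same name holding a script. The script body is inert.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("picture.jpg", b"\xff\xd8\xff\xe0 constructed jpeg bytes")
        zf.writestr("picture.jpg/picture.jpg.cmd", b"echo constructed sample\r\n")
    return buf.getvalue()


def build_clean_archive() -> bytes:
    # Constructed archive with an ordinary layout for comparison.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("picture.jpg", b"\xff\xd8\xff\xe0 constructed jpeg bytes")
        zf.writestr("notes/readme.txt", b"nothing to see\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("sample", build_sample_archive()), ("clean", build_clean_archive())):
        print(label, find_name_collisions(data))
```

The scanner only reads the central directory, so it never extracts or executes anything; it is suitable as a pre-extraction check in a mail gateway or upload handler, with the extension list and name normalisation adjusted to local policy.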
CVE-2023-20198 is a recently disclosed Critical privilege escalation vulnerability under active exploitation. It is one of the few vulnerabilities Cisco has disclosed with a CVSS score of 10, the highest possible score. The vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15, the highest level. Using this account, the attacker can gain control of the affected system.
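Both Cisco items above (CVE-2023-20273 and CVE-2023-20198) turn on an attacker-created local account at privilege level 15. As an added example, not Cisco tooling and not from the original digest, the Python below parses the `username` lines of an IOS-style running configuration and reports privilege-15 accounts that were absent from a known-good baseline. The two configuration texts are constructed; the parser assumes the `username <name> [privilege <n>] ...` line form and the IOS default of privilege level 1 when no level is given.

```python
import re
from typing import Dict, List

# Matches "username <name>" with an optional "privilege <n>" on the same line.
USERNAME_RE = re.compile(r"^username\s+(\S+)(?:\s+privilege\s+(\d+))?", re.MULTILINE)

# Constructed known-good configuration captured before the incident window.
BASELINE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$constructed-hash
username helpdesk secret 9 $9$constructed-hash
!
"""

# Constructed current configuration with one extra privilege-15 account.
CURRENT_CONFIG = BASELINE_CONFIG + """\
username svc-added-example privilege 15 secret 9 $9$constructed-hash
!
"""


def local_accounts(config: str) -> Dict[str, int]:
    """Map each local username to its privilege level.

    IOS may spread one user over several "username" lines; a line carrying an
    explicit "privilege" wins, otherwise the default level 1 applies.
    """
    accounts: Dict[str, int] = {}
    for match in USERNAME_RE.finditer(config):
        name, level = match.group(1), match.group(2)
        if level is not None:
            accounts[name] = int(level)
        else:
            accounts.setdefault(name, 1)
    return accounts


def new_level15_accounts(baseline: str, current: str) -> List[str]:
    """Privilege-15 accounts in `current` that were not privilege 15 in `baseline`."""
    before = local_accounts(baseline)
    after = local_accounts(current)
    return sorted(name for name, level in after.items()
                  if level == 15 and before.get(name) != 15)


if __name__ == "__main__":
    added = new_level15_accounts(BASELINE_CONFIG, CURRENT_CONFIG)
    print("new privilege-15 accounts:", added or "none")
```

Run against `show running-config` output collected on a schedule, the diff gives a simple tripwire for the account-creation step described above; pair it with a check that the baseline itself was captured before the exploitation window.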
A serious vulnerability, CVE-2023-43261, has been discovered in certain industrial routers made by Milesight, a Chinese IoT and video surveillance product maker; it particularly affects several UR-series industrial cellular routers. The vulnerability allows unauthorized remote attackers to access sensitive system log files, including 'httpd.log', potentially compromising security.
CVE-2023-44487 is a recently disclosed denial-of-service vulnerability in the HTTP/2 protocol. Known as Rapid Reset, it was actively exploited in the wild from August 2023 to October 2023. Exploitation of this vulnerability has caused record-breaking DDoS attacks: Cloudflare reported a peak of 201 million requests per second, nearly tripling its previously largest reported attack. Record-breaking attacks were also reported by other vendors such as Google and Amazon Web Services.
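As an added example (not from Cloudflare, Google, AWS, or the original digest), the Python below implements one server-side detection heuristic for the Rapid Reset pattern: count streams that a client opens and then cancels almost immediately, and flag a connection once that count within a sliding window exceeds a limit. The frame events are constructed in memory to resemble a decoded HTTP/2 frame log, and the thresholds (10 ms for "immediate", more than 100 per second) are assumptions to be tuned per deployment.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# One decoded frame: (timestamp_s, connection_id, stream_id, frame_type)
Frame = Tuple[float, str, int, str]


def rapid_reset_offenders(events: List[Frame],
                          quick_reset_s: float = 0.01,
                          window_s: float = 1.0,
                          max_rapid_resets: int = 100) -> Dict[str, int]:
    """Return {connection_id: peak_rapid_resets_in_window} for abusive connections.

    A "rapid reset" is a RST_STREAM that arrives within quick_reset_s of the
    HEADERS frame that opened the same stream. Events must be time-ordered.
    """
    opened: Dict[Tuple[str, int], float] = {}       # (conn, stream) -> open time
    recent: Dict[str, Deque[float]] = defaultdict(deque)  # conn -> recent reset times
    peak: Dict[str, int] = {}

    for ts, conn, stream, ftype in events:
        if ftype == "HEADERS":
            opened[(conn, stream)] = ts
        elif ftype == "RST_STREAM":
            t0 = opened.pop((conn, stream), None)
            if t0 is None or ts - t0 > quick_reset_s:
                continue  # unknown stream or an ordinary, late cancellation
            q = recent[conn]
            q.append(ts)
            while q and ts - q[0] > window_s:   # drop resets outside the window
                q.popleft()
            if len(q) > max_rapid_resets:
                peak[conn] = max(peak.get(conn, 0), len(q))
    return peak


def constructed_events() -> List[Frame]:
    """Constructed frame log: one ordinary client and one abusive connection."""
    events: List[Frame] = []
    # c1: browser-like client, five streams, one cancelled after about 0.85 s
    for i in range(5):
        events.append((0.1 * i, "c1", 2 * i + 1, "HEADERS"))
    events.append((0.95, "c1", 3, "RST_STREAM"))
    # c2: 300 streams, each reset 1 ms after opening, all inside 0.6 s
    for i in range(300):
        t = 0.002 * i
        events.append((t, "c2", 2 * i + 1, "HEADERS"))
        events.append((t + 0.001, "c2", 2 * i + 1, "RST_STREAM"))
    events.sort(key=lambda e: e[0])  # stable sort keeps HEADERS before its RST
    return events


if __name__ == "__main__":
    print(rapid_reset_offenders(constructed_events()))
```

The heuristic deliberately ignores slow cancellations, so a user who navigates away from a page is not penalised; what it catches is the open-then-cancel loop that lets a single connection generate far more request work than the server's concurrent-stream limit would suggest. A flagged connection is normally closed or rate-limited, and repeat offenders are tracked by source.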