A prolonged and organized cyber campaign is abusing the NuGet package manager. The campaign, which began in August 2023, is characterized by the publication of a large number of malicious NuGet packages. The threat actors involved have displayed a high level of sophistication, adapting their tactics over time: initially they relied on basic downloaders in install scripts, but they have since moved to abusing NuGet’s MSBuild integrations. This shift in strategy indicates a significant level of technical proficiency and persistence on the part of the attackers.
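A package reviewer can check for both delivery paths the paragraph names, legacy install scripts and MSBuild hook files, by reading the .nupkg (a ZIP file) without installing it. The following is an added example, not code from the original page or from the NuGet project; the directory names, script names and the MSBuild task names it treats as risky (`Exec`, `DownloadFile`) are this example's assumptions about what to flag, not a list taken from the page, and the sample package is constructed inline.

```python
"""Flag install scripts and MSBuild .targets/.props hooks inside a NuGet package.
Added example, not code from the page or from NuGet; the watch-lists below are
assumptions about what a reviewer wants flagged."""
import io
import re
import zipfile

# Directories from which NuGet imports .targets/.props into the consuming build.
MSBUILD_DIRS = ("build/", "buildtransitive/", "buildmultitargeting/")
# PowerShell hooks that older NuGet clients executed on package install.
INSTALL_SCRIPTS = {"tools/init.ps1", "tools/install.ps1", "tools/uninstall.ps1"}
# MSBuild tasks that run commands or fetch remote content (assumed watch-list).
RISKY_TASKS = re.compile(r"<\s*(Exec|DownloadFile)\b", re.IGNORECASE)


def inspect_nupkg(data: bytes) -> dict:
    """Return the build hooks a .nupkg carries and which of them use risky tasks."""
    findings = {"msbuild_files": [], "install_scripts": [], "risky_task_files": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if lower in INSTALL_SCRIPTS:
                findings["install_scripts"].append(name)
            if lower.startswith(MSBUILD_DIRS) and lower.endswith((".targets", ".props")):
                findings["msbuild_files"].append(name)
                content = zf.read(name).decode("utf-8", errors="replace")
                if RISKY_TASKS.search(content):
                    findings["risky_task_files"].append(name)
    # .targets files are common in legitimate packages, so only hooks that execute
    # or download something, or legacy install scripts, are marked suspicious.
    findings["suspicious"] = bool(findings["install_scripts"] or findings["risky_task_files"])
    return findings


def build_sample_package(with_hooks: bool) -> bytes:
    """Construct a minimal in-memory .nupkg (constructed sample, not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("example.nuspec", "<package><metadata><id>example</id></metadata></package>")
        zf.writestr("lib/net6.0/example.dll", b"\x00")
        if with_hooks:
            zf.writestr(
                "build/example.targets",
                '<Project><Target Name="Fetch" BeforeTargets="Build">'
                '<DownloadFile SourceUrl="http://example.invalid/x" DestinationFolder="$(TEMP)" />'
                '<Exec Command="echo placeholder" /></Target></Project>',
            )
            zf.writestr("tools/install.ps1", "Write-Host placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_nupkg(build_sample_package(with_hooks=True)))
```

Run it against a real .nupkg by passing the file's bytes to `inspect_nupkg`; a package whose only hook is a `.props` file that sets properties comes back with `suspicious` false, while one that shells out or downloads from a build target is flagged for manual review.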
A critical severity flaw exists in all versions of Atlassian’s Confluence Data Center and Server. It is tracked as CVE-2023-22518 with a CVSS score of 9.1, and Atlassian describes it as an improper authorization vulnerability. There is no evidence of active exploitation, but Atlassian’s CISO, Bala Sathiamurthy, has stated that customers should refer to the security advisory and take immediate action to protect their Confluence Data Center and Server instances.
A critical vulnerability in the F5 BIG-IP Configuration Utility, identified as CVE-2023-46747, has been patched. Reported with a CVSS score of 9.8, the vulnerability allows an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands.
Citrix has released a security advisory for two of its products, Citrix ADC and Citrix Gateway, when they are configured as a Gateway or AAA virtual server. The related Critical vulnerability, CVE-2023-4966, with a CVSS score of 9.4, is under active targeted exploitation. The vulnerability is a sensitive information disclosure, and the reported targeted attacks involve session hijacking.
VMware has released security updates for its vCenter Server to address CVE-2023-34048, rated Critical with a CVSS score of 9.8. VMware describes it as an out-of-bounds write in the implementation of the DCERPC protocol, which is used for remote procedure calls. A remote attacker could use it to achieve remote code execution on the target system, requiring no privileges or user interaction.
American Family Insurance (AmFam), a prominent insurance company, experienced a cyberattack resulting in significant disruptions to its IT systems. This incident was detected after customers reported website outages. The company promptly took precautionary measures to safeguard data and resources by shutting down affected business systems. While the outage has impacted customers, agents, and employees, critical operations remain unaffected. The investigation is ongoing, and no compromises to vital business or customer data systems have been identified thus far.
CVE-2023-20273 is a vulnerability used in conjunction with CVE-2023-20198, a vulnerability we reported last week. Cisco found that threat actors chained the two issues: they first used CVE-2023-20198 to gain initial access and escalate to the highest privilege level in the application, creating a local username and password. With that local account in place, the attacker then leveraged CVE-2023-20273 to elevate privileges further, to root level, and write to the file system.
CVE-2023-38831 is an actively exploited, high severity vulnerability in RARLabs WinRAR, a popular archiving and extraction tool for the .RAR and .ZIP file formats. WinRAR versions before 6.23 allow attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. This occurs when a ZIP archive includes a benign file alongside a malicious folder with the same name (e.g., the archive contains a picture.jpg file and a picture folder containing a malicious executable). When the benign picture.jpg file gets processed, so does the malicious folder.
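The archive layout described above can be recognized from the ZIP central directory alone, without extracting anything: look for a file entry whose name or stem matches a folder entry, then list what that folder contains. The following is an added example for mail gateways or sandbox triage, not code from the original page or from RARLabs; the executable extension list and the handling of trailing spaces in folder names are this example's assumptions, and the sample archives are constructed inline.

```python
"""Find file/folder name collisions of the kind described for CVE-2023-38831.
Added example, not code from the page or from RARLabs; reads ZIP metadata only."""
import io
import posixpath
import zipfile

# Extensions treated as executable when found under a colliding folder (assumed list).
EXECUTABLE_EXTS = (".exe", ".cmd", ".bat", ".ps1", ".vbs", ".js", ".scr")


def find_file_folder_collisions(data: bytes) -> list:
    """Return every (file, folder) pair where a folder's name matches a file's
    full name or stem, together with any executables that folder contains."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename for info in zf.infolist()]
    files = [n for n in names if not n.endswith("/")]
    # Collect folder paths from explicit directory entries and from file parents.
    folders = set()
    for n in names:
        parts = n.rstrip("/").split("/")
        limit = len(parts) + (1 if n.endswith("/") else 0)
        for depth in range(1, limit):
            folders.add("/".join(parts[:depth]))
    results = []
    for f in files:
        stem, _ext = posixpath.splitext(f)
        for d in sorted(folders):
            # A trailing space on the folder name would hide the collision from a casual look.
            if d.rstrip(" ") in (f, stem):
                inside = [n for n in files if n.startswith(d + "/")]
                results.append({
                    "file": f,
                    "folder": d,
                    "executables": [n for n in inside if n.lower().endswith(EXECUTABLE_EXTS)],
                })
    return results


def build_sample_archive(malicious: bool) -> bytes:
    """Construct an in-memory ZIP shaped like the page's example (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("picture.jpg", b"\xff\xd8\xff placeholder image bytes")
        zf.writestr("readme.txt", "constructed sample")
        if malicious:
            zf.writestr("picture/payload.cmd", "echo placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_file_folder_collisions(build_sample_archive(malicious=True)):
        print(hit)
```

Because the check only compares names, it also fires on archives that legitimately ship a file next to a same-named folder; treat a non-empty `executables` list as the signal worth escalating and an empty one as a curiosity.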
CVE-2023-20198 is a recently disclosed Critical privilege escalation vulnerability under active exploitation. It is one of the few vulnerabilities Cisco has disclosed with a CVSS score of 10, the highest possible score. The vulnerability allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access, the highest level. Using this account, the attacker is able to gain control of the affected system.
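Both Cisco items above leave the same artefact on a compromised device: a new local account at privilege level 15. Comparing the `username` lines of a running configuration against the accounts an operator expects is a simple way to surface that. The following is an added example, not code from the original page or from Cisco; the configuration text is a constructed sample with placeholder secrets, and the approved-account set is an assumed input the operator supplies.

```python
"""Report privilege-15 local accounts in an IOS-style configuration that are not
on an approved list.  Added example, not code from the page or from Cisco;
the configuration below is a constructed sample."""
import re

USERNAME_LINE = re.compile(r"^username\s+(\S+)(?P<rest>.*)$")
PRIVILEGE = re.compile(r"\bprivilege\s+(\d+)\b")

# Constructed sample of a running configuration; secrets are placeholders.
SAMPLE_CONFIG = """\
hostname edge-router
!
username netadmin privilege 15 secret 9 PLACEHOLDER-HASH
username backup-op privilege 5 secret 9 PLACEHOLDER-HASH
username svc_update privilege 15 secret 9 PLACEHOLDER-HASH
username helpdesk secret 9 PLACEHOLDER-HASH
!
"""


def parse_local_users(config_text: str) -> dict:
    """Map each local username to its privilege level (1 when the line sets none)."""
    users = {}
    for raw in config_text.splitlines():
        m = USERNAME_LINE.match(raw.strip())
        if not m:
            continue
        p = PRIVILEGE.search(m.group("rest"))
        users[m.group(1)] = int(p.group(1)) if p else 1
    return users


def unexpected_privileged_users(config_text: str, approved: set) -> list:
    """Privilege-15 accounts absent from the approved set, sorted for stable reporting."""
    return sorted(name for name, level in parse_local_users(config_text).items()
                  if level == 15 and name not in approved)


def new_privileged_since(baseline_config: str, current_config: str) -> list:
    """Privilege-15 accounts present now that were not in a known-good baseline."""
    baseline = {n for n, lvl in parse_local_users(baseline_config).items() if lvl == 15}
    return unexpected_privileged_users(current_config, baseline)


if __name__ == "__main__":
    print(unexpected_privileged_users(SAMPLE_CONFIG, {"netadmin"}))
```

Feed it the output of `show running-config` collected by your configuration-backup tooling and run it on every snapshot; `new_privileged_since` lets you diff against the last reviewed backup instead of maintaining a separate allow-list.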