A threat intelligence advisory has been released by Microsoft Threat Intelligence regarding a vulnerability impacting VMware’s ESXi bare metal hypervisor. A patch has been released for the vulnerability, which is categorized as CVE-2024-37085 (CVSS 3.1: 6.8), yet it is actively being used by threat actors (i.e., Storm-0506, Storm-1175, Octo Tempest, Manatee Tempest) in a ransomware campaign. The vulnerability is defined as an authentication bypass vulnerability, which allows a malicious actor with enough permissions to gain full access to an ESXi host through active directory (AD). This is done by re-creating the configured AD group (ESXi Admins) after it had been deleted from the active directory.

The Florida Department of Health (DOH) is currently addressing a significant ransomware attack that has severely impacted its vital statistics system, which processes birth and death certificates. The cybercriminal group RansomHub has claimed responsibility for the attack, asserting that it stole over 100 gigabytes of data, including personally identifiable information (PII) and protected health information (PHI). RansomHub began leaking the stolen data after the DoH missed a July 1 payment of ransom deadline.

On June 3, Cybersecurity researchers Sina Kheirkhah of Summoning Team and Soroush Dalili successfully completed a proof of concept exploit leveraging two vulnerabilities, CVE-2024-4358 and CVE-2024-1800. These vulnerabilities affect Progress Telerik Report Server and allow remote code execution utilizing deserialization and authentication bypass.

A critical vulnerability has been confirmed in select D-Link NAS devices, including DNS-340L, DNS-320L, DNS-327L, and DNS-325. Evidence suggests that other D-Link NAS devices may also be affected. The vulnerability, identified as CVE-2024-3273 (CVSS: 9.8), exploits the /cgi-bin/nas_sharing.cgi component of the HTTP GET Request Handler. By manipulating this component, an attacker can perform remote command injection to obtain hardcoded credentials. A publicly disclosed exploit developed by NetSecFish has confirmed the presence of this vulnerability. Network scans indicate that over 92,000 devices are affected.

A critical vulnerability categorized as CVE-2024-24919 (CVSS 3.1: 7.5) has been identified in multiple Check Point products by the Check Point Research Division. This zero-day vulnerability allows attackers to access specific information on gateways connected to the internet with Remote Access VPN or Mobile Access enabled. On May 24th, Check Point detected increased threat actor activity targeting Remote Access VPN environments. On May 27th, a customer reported an attack leveraging this vulnerability.

A vulnerability exists in the Universal Disk Format (UDF) for MacOS Sonoma versions prior to 14.5. This vulnerability, classified as CVE-2024-27842, was discovered by CertiK SkyFall. According to Apple, an attacker may be able to make an app execute arbitrary code with kernel-level privileges. Security researcher Wang Tielei has released Proof of Concept (PoC) exploit code demonstrating the existence of this vulnerability.

GitHub has remediated an authentication bypass vulnerability under CVE-2024-4985 (CVSSv4: 10.0). This vulnerability allows an attacker to use SAML single sign-on (SSO) authentication to sign in as a user with administrator privileges. This affects GitHub Enterprise Server (GHES) versions prior to 3.13.0 that use SAML SSO with encrypted assertions.

CVE-2024-34359 (CVSSv3: 9.7) is a critical vulnerability in the Jinja2 template engine within the llama_cpp_python package, used in AI applications. The inadequate security measures in Jinja2 allow attackers to inject malicious templates that can execute arbitrary code on the host system. The vulnerability was discovered by retr0reg, who also provided a proof-of-concept exploit.

Microsoft released their security updates for May of 2024 which include fixes for two zero-day vulnerabilities: CVE-2024-30040 (CVSSv3: 8.8) and CVE-2024-30051 (CVSSv3:7.8). CVE-2024-30051 (Windows DWM Core Library Elevation of Privilege Vulnerability) allows for a local attacker to exploit this vulnerability to gain system-level privileges. CVE-2024-30040 (Windows MSHTML Platform Security Feature Bypass Vulnerability) allows a remote attacker to bypass OLE mitigations in M365 and Microsoft Office that protect users from vulnerable COM/OLE controls. It requires an attacker to convince a user to load a malicious file into a vulnerable system and manipulate it. This can allow an unauthenticated attacker to achieve remote arbitrary code execution from the context of the user. Both of these vulnerabilities are known to be exploited and have each been added to CISA’s Known Exploited Vulnerabilities Catalog, giving them a heightened patch priority and associated risk.