PoC Week 2024-05-12

Posted on May 12, 2024

The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count.

For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them.

CVE-2024-4547 & CVE-2024-4548

  • Severity: 9.8 CRITICAL
  • Impacted Products: Delta Electronics DIAEnergie v1.10.1.8610 and prior
  • Description: A SQL injection vulnerability exists in Delta Electronics DIAEnergie when CEBC.exe processes a ‘RecalculateHDMWYC’ or ‘RecalculateScript’ message. This message is split into four fields using ‘~’ as the separator, and an unauthenticated remote attacker can exploit this vulnerability through the fourth field to perform SQL injection.
  • Remediation: Apply the latest updates or patches from Delta Electronics to fix the vulnerability. Minimize exposure by limiting network access to the vulnerable service.
  • More Info: NVD CVE-2024-4548
  • PoC: https://www.tenable.com/security/research/tra-2024-13

CVE-2024-3400

  • Severity: 10 CRITICAL
  • Impacted Products: Palo Alto Networks PAN-OS, specifically versions 10.2.0, 11.0.0, and 11.1.0
  • Description: The vulnerability is a command injection flaw in the GlobalProtect feature of PAN-OS, allowing an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Notably, Cloud NGFW, Panorama appliances, and Prisma Access are not affected.
  • Remediation: Users are advised to apply mitigations as per vendor instructions when available. For vulnerable versions, enable Threat Prevention IDs or disable device telemetry until patches are issued.
  • More Info: NVD CVE-2024-3400
  • PoC: https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/

CVE-2024-2912

CVE-2024-2876

  • Severity: 9.8 CRITICAL
  • Impacted Products: Icegram Email Subscribers & Newsletters v. 5.7.14 and earlier
  • Description: An Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability exists that, when exploited, allows a remote attacker to obtain potentially sensitive information.
  • Remediation: Check guidance.
  • More Info: NVD CVE-2024-2876
  • PoC: https://github.com/c0d3zilla/CVE-2024-2876/blob/main/POC

CVE-2024-2667

  • Severity: 9.8 CRITICAL
  • Impacted Products: InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress
  • Description: The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation in the /wp-json/instawp-connect/v1/config REST API endpoint in all versions up to, and including, 0.1.0.22. This makes it possible for unauthenticated attackers to upload arbitrary files.
  • Remediation: Check guidance.
  • More Info: NVD CVE-2024-2667
  • PoC: https://github.com/Puvipavan/CVE-2024-2667

CVE-2024-26026 & CVE-2024-21793

  • Severity: Currently Under Analysis
  • Impacted Products: F5 Next Central Manager
  • Description: An OData and SQL injection vulnerability exists in the BIG-IP Next Central Manager API (URI). An unauthenticated attacker can exploit this vulnerability to execute malicious SQL statements through the BIG-IP Next Central Manager API (URI).
  • Remediation: Check guidance.
  • More Info: NVD CVE-2024-26026
  • PoC: https://eclypsium.com/blog/big-vulnerabilities-in-next-gen-big-ip/

CVE-2024-21111

  • Severity: 7.8 HIGH
  • Impacted Products: Oracle VM VirtualBox, Oracle Virtualization (Core component), versions prior to 7.0.16
  • Description: This vulnerability allows a low-privileged attacker with system logon access to the infrastructure running Oracle VM VirtualBox to potentially take over Oracle VM VirtualBox. This issue is specifically noted to affect Windows hosts.
  • Remediation: Users should upgrade to a non-vulnerable version. For specific mitigation techniques, refer to Oracle’s official security advisory.
  • More Info: NVD CVE-2024-21111
  • PoC: https://github.com/mansk1es/CVE-2024-21111

References

This list was scraped from the quite amazing and highly recommended newsletters below:

Thanks for reading! For corrections or omissions (e.g. newsletter recommendations), feel free to get in touch.