PoC Week 2024-08-05

Posted on Aug 5, 2024

The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count.

For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them.

CVE-2024-3273

  • Severity: 9.8 (CRITICAL)
  • Impacted Products: D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403.
  • Description: An unknown function of the file /cgi-bin/nas_sharing.cgi in the HTTP GET Request Handler component is affected. Manipulating the argument "system" leads to command injection. The attack can be launched remotely.
  • Remediation: Follow developer guidance.
  • More Info: CVE-2024-3273
  • PoC: https://github.com/nickswink/D-Link-NAS-Devices-Unauthenticated-RCE/

CVE-2024-27804

  • Severity: Awaiting analysis
  • Impacted Products: The following products prior to the listed versions: iOS 17.5 and iPadOS 17.5, tvOS 17.5, watchOS 10.5, macOS Sonoma 14.5.
  • Description: Memory handling issue. An app may be able to execute arbitrary code with kernel privileges.
  • Remediation: Follow developer guidance.
  • More Info: CVE-2024-27804
  • PoC: https://github.com/R00tkitSMM/CVE-2024-27804/

References

This list was scraped from the quite amazing and highly recommended newsletters below:

Thanks for reading! For corrections or omissions (e.g. newsletter recs), feel free to get in touch.