NinjaOperator (83)

RCE vulnerability that effects Bently Nevada 3701 (OT device)
Maintenance interface has undocumented,
hardcoded credentials

Source: https://www.forescout.com/resources/ot-icefall-report/

Authenticated Remote Code Execution in Tp-Link Routers. PoC is publicly available

https://github.com/aaronsvk/CVE-2022-30075

Muhstik Gang has been seen exploiting this vulnerability to target Redis servers
Poc is publicly available https://github.com/aodsec/CVE-2022-0543

An improper input validation vulnerability exists within Solarwinds Serv-U 15.2.3 Hotfix1. Exploit code is not publicly available.

According to Florian Roth: “You can detect the exploitation of Windows InstallerFileTakeOver LPE CVE-2021-41379 with the published PoC with events from the ‘Application’ Eventlog
Search for EventID 1033 and the keyword ‘test pkg’
https://twitter.com/cyb3rops/status/1462711685484101634

Remote Desktop Client Remote Code Execution Vulnerability

Source: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38666

Here’s a report from S1 https://www.sentinelone.com/labs/tipc-remote-linux-kernel-heap-overflow-allows-arbitrary-code-execution/

Undisclosed threat actors exploited this vulnerability to gain initial access to and deploy ransomware to a US-based engineering company.

A RCE vulnerability exists in vCenter Server 6.7 and 7.0 which could allow an actor to with access to port 443 can execute commands and software on unpatched vCenter Server deployments by uploading a specially crafted file.
https://www.bleepingcomputer.com/news/security/vmware-warns-of-critical-bug-in-default-vcenter-server-installs/#.YUoiQlUeVM8

Microsoft MSHTML Remote Code Execution Vulnerability
Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents.

A threat actor could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444

PoC exploit is publicly available https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md

Unknown actors are actively exploiting a disclosed command injection vulnerability affecting WebSVN, an open-source web application for browsing source.
The actors used a command injection to download a shell script that will infect the system with malware.
https://unit42.paloaltonetworks.com/cve-2021-32305-websvn/

An unauthenticated actor can perform configuration actions on mailboxes belonging to arbitrary users. Which can be used to copy all emails addressed to a target and account and forward them to an account controlled by the threat actor.

https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server

PoC exploit is publicly available https://www.atredis.com/blog/2021/8/18/sophos-utm-cve-2020-25223

PoC is publicly available https://blog.orange.tw/2021/08/proxyoracle-a-new-attack-surface-on-ms-exchange-part-2.html?m=1
Microsoft has already patched this vulnerabilities and exploitation has not been observed. However, threat actors could exploit these vulnerabilities by sending users an email to visit a malicious link and recover passwords in plaintext.

Stored and Reflected XSS Vulnerability in Nagios Log Server. Actors could execute malicious JavaScript on targets machines such as stealing cookies or redirecting users.
PoC is publicly available
https://attackerkb.com/topics/GWZl4INBU4/cve-2021-35479?referrer=search