Report Name: Check Point 2024 Cyber Security Report WITHOUT Qualys
Generated: 2024-02-22 14:44:01

Vulristics Vulnerability Scores

All vulnerabilities: 13
Urgent: 8
Critical: 3
High: 0
Medium: 2
Low: 0

Basic Vulnerability Scores

All vulnerabilities: 13
Critical: 5
High: 7
Medium: 1
Low: 0

Products

Product Name Prevalence U C H M L A Comment

Microsoft Message Queuing 0.9 1 2 3 Microsoft Message Queuing or MSMQ is a message queue implementation developed by Microsoft and deployed in its Windows Server operating systems since Windows NT 4 and Windows 95

Windows Win32k 0.9 2 2 The Win32k.sys driver is the kernel side of some core parts of the Windows subsystem. Its main functionality is the GUI of Windows; it's responsible for window management.

Cisco ASA 0.8 1 1 A family of network security devices from Cisco that provide firewall, intrusion prevention (IPS) and virtual private network (VPN) capabilities

Cisco IOS 0.8 1 1 The Internetworking Operating System is a family of proprietary network operating systems used on several router and network switch models manufactured by Cisco Systems

WinRAR 0.8 1 1 WinRAR is a trialware file archiver utility for Windows, developed by Eugene Roshal of win.rar GmbH

Apache Tomcat 0.7 1 1 Apache Tomcat is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies

ESXi 0.7 2 2 VMware ESXi (formerly ESX) is an enterprise-class, type-1 hypervisor developed by VMware for deploying and serving virtual computers

NetScaler Application Delivery Controller 0.5 2 2 Product detected by a:citrix:netscaler_application_delivery_controller (exists in CPE dict)

Product Name	Prevalence	U	C	M	A	Comment
Microsoft Message Queuing	0.9		1	2	3	Microsoft Message Queuing or MSMQ is a message queue implementation developed by Microsoft and deployed in its Windows Server operating systems since Windows NT 4 and Windows 95
Windows Win32k	0.9	2			2	The Win32k.sys driver is the kernel side of some core parts of the Windows subsystem. Its main functionality is the GUI of Windows; it's responsible for window management.
Cisco ASA	0.8		1		1	A family of network security devices from Cisco that provide firewall, intrusion prevention (IPS) and virtual private network (VPN) capabilities
Cisco IOS	0.8		1		1	The Internetworking Operating System is a family of proprietary network operating systems used on several router and network switch models manufactured by Cisco Systems
WinRAR	0.8	1			1	WinRAR is a trialware file archiver utility for Windows, developed by Eugene Roshal of win.rar GmbH
Apache Tomcat	0.7	1			1	Apache Tomcat is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies
ESXi	0.7	2			2	VMware ESXi (formerly ESX) is an enterprise-class, type-1 hypervisor developed by VMware for deploying and serving virtual computers
NetScaler Application Delivery Controller	0.5	2			2	Product detected by a:citrix:netscaler_application_delivery_controller (exists in CPE dict)

Vulnerability Types

Vulnerability Type Criticality U C H M L A

Remote Code Execution 1.0 4 2 6

Authentication Bypass 0.98 1 1

Elevation of Privilege 0.85 2 2

Information Disclosure 0.83 1 1

Denial of Service 0.7 2 2

Memory Corruption 0.5 1 1

Vulnerability Type	Criticality	U	C	M	A
Remote Code Execution	1.0	4	2		6
Authentication Bypass	0.98		1		1
Elevation of Privilege	0.85	2			2
Information Disclosure	0.83	1			1
Denial of Service	0.7			2	2
Memory Corruption	0.5	1			1

Comments

Source U C H M L A

Check Point 8 3 2 13

Source	U	C	H	M	L	A
Check Point	8	3		2		13

Vulnerabilities

Urgent (8)

1. Remote Code Execution - Apache Tomcat (CVE-2023-47246) - Urgent [950]

Description: In SysAid On-Premise before 23.3.36, a path traversal vulnerability leads to code execution after an attacker writes a file to the Tomcat webroot, as exploited in the wild in November 2023.

Component	Value	Weight	Comment
Exploited in the Wild	1.0	18	Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites
Public Exploit Exists	1.0	17	The existence of a publicly available exploit is mentioned on NVD:Exploit:www.sysaid.com website
Criticality of Vulnerability Type	1.0	15	Remote Code Execution
Vulnerable Product is Common	0.7	14	Apache Tomcat is a free and open-source implementation of the Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies
CVSS Base Score	1.0	10	CVSS Base Score is 9.8. According to NVD data source
EPSS Percentile	1.0	10	EPSS Probability is 0.94354, EPSS Percentile is 0.99127

Check Point: After the MOVEit attack, exploitation of zero-day vulnerabilities for ransomware attacks continued. Threat actors associated with CLOP were observed exploiting a zero-day vulnerability within the SysAid IT support software, potentially impacting over 5,000 customers. The company disclosed in an advisory that it became aware of this new vulnerability (CVE-2023-47246] on November 2, but the earliest reports of the exploitation date back to October. Beyond CLOp, Akira and Lockbit, two of the most prolific ransomware actors, have been exploiting a zero-day vulnerability (CVE-2023-20269) in Cisco appliances, enabling attackers to conduct brute force attacks against existing accounts.

2. Remote Code Execution - WinRAR (CVE-2023-38831) - Urgent [942]

Description: RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through October 2023.

Component	Value	Weight	Comment
Exploited in the Wild	1.0	18	Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites
Public Exploit Exists	1.0	17	The existence of a publicly available exploit is mentioned on NVD:Exploit:www.group-ib.com website
Criticality of Vulnerability Type	1.0	15	Remote Code Execution
Vulnerable Product is Common	0.8	14	WinRAR is a trialware file archiver utility for Windows, developed by Eugene Roshal of win.rar GmbH
CVSS Base Score	0.8	10	CVSS Base Score is 7.8. According to NVD data source
EPSS Percentile	1.0	10	EPSS Probability is 0.33602, EPSS Percentile is 0.96921

Check Point: vulnerability (CVE-2023-38831) to steal from

3. Remote Code Execution - ESXi (CVE-2021-21974) - Urgent [938]

Description: OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.

Component	Value	Weight	Comment
Exploited in the Wild	1.0	18	Exploitation in the wild is mentioned on Vulners (AttackerKB object), AttackerKB websites
Public Exploit Exists	1.0	17	The existence of a publicly available exploit is mentioned on NVD:Exploit:packetstormsecurity.com website
Criticality of Vulnerability Type	1.0	15	Remote Code Execution
Vulnerable Product is Common	0.7	14	VMware ESXi (formerly ESX) is an enterprise-class, type-1 hypervisor developed by VMware for deploying and serving virtual computers
CVSS Base Score	0.9	10	CVSS Base Score is 8.8. According to NVD data source
EPSS Percentile	1.0	10	EPSS Probability is 0.87964, EPSS Percentile is 0.98558

Check Point: Check Point IPS provides protection against this threat (VMWare OpenSLP Heap Buffer Overflow (CVE-2019-5544; CVE-2021-21974)) Social media platform Reddit suffered a security breach, after an employee fell victim to a phishing attack. According to the company’s statement, while internal documents and source code were stolen, user information and credentials have not been impacted.

4. Remote Code Execution - NetScaler Application Delivery Controller (CVE-2023-3519) - Urgent [916]

Description: Unauthenticated remote code execution

Component	Value	Weight	Comment
Exploited in the Wild	1.0	18	Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites
Public Exploit Exists	1.0	17	The existence of a publicly available exploit is mentioned on Vulners website ([saint] Citrix ADC nsppe buffer overflow, [saint] Citrix ADC nsppe buffer overflow, [githubexploit] Exploit for Code Injection in Citrix Netscaler Application Delivery Controller, [githubexploit] Exploit for Code Injection in Citrix Netscaler Application Delivery Controller, [githubexploit] Exploit for Code Injection in Citrix Netscaler Application Delivery Controller, [githubexploit] Exploit for Code Injection in Citrix Netscaler Application Delivery Controller, [githubexploit] Exploit for Code Injection in Citrix Netscaler Application Delivery Controller, [githubexploit] Exploit for Code Injection in Citrix Netscaler Application Delivery Controller, [githubexploit] Exploit for Code Injection in Citrix Netscaler Application Delivery Controller, [githubexploit] Exploit for Code Injection in Citrix Netscaler Application Delivery Controller, [githubexploit] Exploit for Code Injection in Citrix Netscaler Application Delivery Controller, [githubexploit] Exploit for Code Injection in Citrix Netscaler Application Delivery Controller, [githubexploit] Exploit for Code Injection in Citrix Netscaler Application Delivery Controller, [zdt] Citrix ADC (NetScaler) Remote Code Execution Exploit, [packetstorm] Citrix ADC (NetScaler) Remote Code Execution, [metasploit] Citrix ADC (NetScaler) Forms SSO Target RCE)
Criticality of Vulnerability Type	1.0	15	Remote Code Execution
Vulnerable Product is Common	0.5	14	Product detected by a:citrix:netscaler_application_delivery_controller (exists in CPE dict)
CVSS Base Score	1.0	10	CVSS Base Score is 9.8. According to NVD data source
EPSS Percentile	1.0	10	EPSS Probability is 0.91241, EPSS Percentile is 0.98785

Check Point: These vulnerabilities, particularly ProxyShell and Citrix RCE (CVE-2023-3519), can enable threat actors to install webshells on internet-facing vulnerable devices. The devices targeted in those vulnerabilities, such as Exchange servers and NetScaler Gateways, are often internet-facing, constituting prime targets. Once compromised, these devices continue to function as dormant footholds for the threat actor, even after patching.

Check Point: While diving deeper into the incident and trying to locate the initial infection vector, we identified CVE-2023-3519, a remote code execution vulnerability in Citrix NetScaler systems as the initial point of compromise. This vulnerability had been exploited to deploy a webshell on the device, which remained undetected even after the system was patched. This oversight allowed the threat actor to maintain network access. Three months post-exploitation, this webshell was activated by another threat actor who intended to deploy ransomware. Fortunately, due to the customer's alertness and CPIRT's prompt response, the ransomware attack was successfully thwarted before it could inflict damage.

5. Elevation of Privilege - Windows Win32k (CVE-2021-1732) - Urgent [897]

Description: Windows Win32k Elevation of Privilege Vulnerability

Component	Value	Weight	Comment
Exploited in the Wild	1.0	18	Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites
Public Exploit Exists	1.0	17	The existence of a publicly available exploit is mentioned on NVD:Exploit:packetstormsecurity.com website
Criticality of Vulnerability Type	0.85	15	Elevation of Privilege
Vulnerable Product is Common	0.9	14	The Win32k.sys driver is the kernel side of some core parts of the Windows subsystem. Its main functionality is the GUI of Windows; it's responsible for window management.
CVSS Base Score	0.8	10	CVSS Base Score is 7.8. According to NVD data source
EPSS Percentile	0.7	10	EPSS Probability is 0.00436, EPSS Percentile is 0.74044

Check Point: The Check Point research team has uncovered new techniques used by the Raspberry Robin malware. These methods include several anti-evasion techniques, obfuscation, and anti-VM measures. The malware also exploits two vulnerabilities in Win32k (CVE-2020-1054 and CVE-2021-1732) in order to elevate its privileges.

Check Point: Check Point Threat Emulation and IPS provide protection against this threat (Trojan.Wins.RaspberryRobin; Microsoft Win32k Elevation of Privilege (CVE-2021-1732), Microsoft Win32k Elevation of Privilege (CVE-2020-1054))

6. Elevation of Privilege - Windows Win32k (CVE-2020-1054) - Urgent [885]

Description: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-1143.

Component	Value	Weight	Comment
Exploited in the Wild	1.0	18	Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites
Public Exploit Exists	1.0	17	The existence of a publicly available exploit is mentioned on NVD:Exploit:packetstormsecurity.com website
Criticality of Vulnerability Type	0.85	15	Elevation of Privilege
Vulnerable Product is Common	0.9	14	The Win32k.sys driver is the kernel side of some core parts of the Windows subsystem. Its main functionality is the GUI of Windows; it's responsible for window management.
CVSS Base Score	0.8	10	CVSS Base Score is 7.8. According to NVD data source
EPSS Percentile	0.6	10	EPSS Probability is 0.00228, EPSS Percentile is 0.60109

Check Point: The Check Point research team has uncovered new techniques used by the Raspberry Robin malware. These methods include several anti-evasion techniques, obfuscation, and anti-VM measures. The malware also exploits two vulnerabilities in Win32k (CVE-2020-1054 and CVE-2021-1732) in order to elevate its privileges.

Check Point: Check Point Threat Emulation and IPS provide protection against this threat (Trojan.Wins.RaspberryRobin; Microsoft Win32k Elevation of Privilege (CVE-2021-1732), Microsoft Win32k Elevation of Privilege (CVE-2020-1054))

7. Information Disclosure - NetScaler Application Delivery Controller (CVE-2023-4966) - Urgent [874]

Description: Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA ?virtual?server.

Component	Value	Weight	Comment
Exploited in the Wild	1.0	18	Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites
Public Exploit Exists	1.0	17	The existence of a publicly available exploit is mentioned on Vulners website ([githubexploit] Exploit for Vulnerability in Citrix Netscaler Application Delivery Controller, [githubexploit] Exploit for Vulnerability in Citrix Netscaler Application Delivery Controller, [githubexploit] Exploit for Vulnerability in Citrix Netscaler Application Delivery Controller, [githubexploit] Exploit for Vulnerability in Citrix Netscaler Application Delivery Controller, [githubexploit] Exploit for Vulnerability in Citrix Netscaler Application Delivery Controller, [githubexploit] Exploit for Vulnerability in Citrix Netscaler Application Delivery Controller, [githubexploit] Exploit for Vulnerability in Citrix Netscaler Application Delivery Controller, [githubexploit] Exploit for Vulnerability in Citrix Netscaler Application Delivery Controller, [githubexploit] Exploit for Vulnerability in Citrix Netscaler Application Delivery Controller, [metasploit] Citrix ADC (NetScaler) Bleed Scanner)
Criticality of Vulnerability Type	0.83	15	Information Disclosure
Vulnerable Product is Common	0.5	14	Product detected by a:citrix:netscaler_application_delivery_controller (exists in CPE dict)
CVSS Base Score	0.9	10	CVSS Base Score is 9.4. According to NVD data source
EPSS Percentile	1.0	10	EPSS Probability is 0.96397, EPSS Percentile is 0.9952

Check Point: CITRIXBLEED (CVE-2023-4966) This critical vulnerability in Citrix NetScaler platforms allows remote unauthenticated attackers to extract system memory data which includes session tokens. These are then used to hijack legitimate sessions, bypassing password and MFA procedures. Due to its ease of use and the availability of proof-of-concept exploits, CitrixBleed was extensively exploited by several ransomware groups including LockBit, Medusa and Akira.

8. Memory Corruption - ESXi (CVE-2019-5544) - Urgent [848]

Description: OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

Component	Value	Weight	Comment
Exploited in the Wild	1.0	18	Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites
Public Exploit Exists	1.0	17	The existence of a publicly available exploit is mentioned on Vulners website ([githubexploit] Exploit for Out-of-bounds Write in Vmware Horizon Daas, [githubexploit] Exploit for Out-of-bounds Write in Vmware Horizon Daas)
Criticality of Vulnerability Type	0.5	15	Memory Corruption
Vulnerable Product is Common	0.7	14	VMware ESXi (formerly ESX) is an enterprise-class, type-1 hypervisor developed by VMware for deploying and serving virtual computers
CVSS Base Score	1.0	10	CVSS Base Score is 9.8. According to NVD data source
EPSS Percentile	0.9	10	EPSS Probability is 0.04189, EPSS Percentile is 0.9193

Check Point: Check Point IPS provides protection against this threat (VMWare OpenSLP Heap Buffer Overflow (CVE-2019-5544; CVE-2021-21974)) Social media platform Reddit suffered a security breach, after an employee fell victim to a phishing attack. According to the company’s statement, while internal documents and source code were stolen, user information and credentials have not been impacted.

Critical (3)

9. Remote Code Execution - Microsoft Message Queuing (CVE-2023-21554) - Critical [769]

Description: Microsoft Message Queuing Remote Code Execution Vulnerability

Component	Value	Weight	Comment
Exploited in the Wild	0	18	Exploitation in the wild is NOT mentioned in available Data Sources
Public Exploit Exists	1.0	17	The existence of a publicly available exploit is mentioned on Vulners website ([githubexploit] Exploit for Vulnerability in Microsoft, [githubexploit] Exploit for Vulnerability in Microsoft, [metasploit] CVE-2023-21554 - QueueJumper - MSMQ RCE Check)
Criticality of Vulnerability Type	1.0	15	Remote Code Execution
Vulnerable Product is Common	0.9	14	Microsoft Message Queuing or MSMQ is a message queue implementation developed by Microsoft and deployed in its Windows Server operating systems since Windows NT 4 and Windows 95
CVSS Base Score	1.0	10	CVSS Base Score is 9.8. According to NVD data source
EPSS Percentile	1.0	10	EPSS Probability is 0.96122, EPSS Percentile is 0.99445

Check Point: Check Point Research has discovered three vulnerabilities (CVE-2023-28302, CVE-2023-21769 and CVE-2023-21554) in the “Microsoft Message Queuing” service, commonly known as MSMQ. The most severe of these, dubbed QueueJumper by CPR (CVE-2023-21554), is a critical vulnerability that could allow unauthenticated attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe.

Check Point: Check Point IPS provides protection against this threat (Microsoft Message Queuing Remote Code Execution (CVE-2023-21554)) Check Point Research flags a sharp increase in cyberattacks targeting IoT Devices, with 41% increase in the average number of weekly attacks per organization during the first two months of 2023, compared to 2022. On average, every week, 54% of organizations suffer from attempted cyber-attacks targeting IoT devices, mostly in Europe followed by APAC and Latin America.

10. Remote Code Execution - Cisco IOS (CVE-2017-6742) - Critical [728]

Description: The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 12.0 through 12.4 and 15.0 through 15.6 and IOS XE 2.2 through 3.17 contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload. An attacker could exploit these vulnerabilities by sending a crafted SNMP packet to an affected system via IPv4 or IPv6. Only traffic directed to an affected system can be used to exploit these vulnerabilities. The vulnerabilities are due to a buffer overflow condition in the SNMP subsystem of the affected software. The vulnerabilities affect all versions of SNMP: Versions 1, 2c, and 3. To exploit these vulnerabilities via SNMP Version 2c or earlier, the attacker must know the SNMP read-only community string for the affected system. To exploit these vulnerabilities via SNMP Version 3, the attacker must have user credentials for the affected system. All devices that have enabled SNMP and have not explicitly excluded the affected MIBs or OIDs should be considered vulnerable. Cisco Bug IDs: CSCve54313.

Component	Value	Weight	Comment
Exploited in the Wild	1.0	18	Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites
Public Exploit Exists	0	17	The exploit's existence is NOT mentioned in available Data Sources
Criticality of Vulnerability Type	1.0	15	Remote Code Execution
Vulnerable Product is Common	0.8	14	The Internetworking Operating System is a family of proprietary network operating systems used on several router and network switch models manufactured by Cisco Systems
CVSS Base Score	0.9	10	CVSS Base Score is 8.8. According to NVD data source
EPSS Percentile	0.8	10	EPSS Probability is 0.00613, EPSS Percentile is 0.78089

Check Point: JaguarTooth JaguarTooth is a Cisco IOS malware that targets and modifies routers' authentication mechanisms to allow unauthenticated backdoor access. It collects and exfiltrates device and network information, including firmware versions and network configurations, via the Trivial File Transfer Protocol (TFTP). JaguarTooth was deployed through the exploitation of a known Simple Network Management Protocol (SNMP) vulnerability, CVE-2017-6742.

11. Authentication Bypass - Cisco ASA (CVE-2023-20269) - Critical [689]

Description: A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user. This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features. An attacker could exploit this vulnerability by specifying a default connection profile/tunnel group while conducting a brute force attack or while establishing a clientless SSL VPN session using valid credentials. A successful exploit could allow the attacker to achieve one or both of the following: Identify valid credentials that could then be used to establish an unauthorized remote access VPN session. Establish a clientless SSL VPN session (only when running Cisco ASA Software Release 9.16 or earlier). Notes: Establishing a client-based remote access VPN tunnel is not possible as these default connection profiles/tunnel groups do not and cannot have an IP address pool configured. This vulnerability does not allow an attacker to bypass authentication. To successfully establish a remote access VPN session, valid credentials are required, including a valid second factor if multi-factor authentication (MFA) is configured. Cisco will release software updates that address this vulnerability. There are workarounds that address this vulnerability.

Component	Value	Weight	Comment
Exploited in the Wild	1.0	18	Exploitation in the wild is mentioned on Vulners (AttackerKB object, cisa_kev object), AttackerKB, NVD:CISAKEV websites
Public Exploit Exists	0	17	The exploit's existence is NOT mentioned in available Data Sources
Criticality of Vulnerability Type	0.98	15	Authentication Bypass
Vulnerable Product is Common	0.8	14	A family of network security devices from Cisco that provide firewall, intrusion prevention (IPS) and virtual private network (VPN) capabilities
CVSS Base Score	0.5	10	CVSS Base Score is 5.0. According to NVD data source
EPSS Percentile	0.9	10	EPSS Probability is 0.02588, EPSS Percentile is 0.89937

Check Point: After the MOVEit attack, exploitation of zero-day vulnerabilities for ransomware attacks continued. Threat actors associated with CLOP were observed exploiting a zero-day vulnerability within the SysAid IT support software, potentially impacting over 5,000 customers. The company disclosed in an advisory that it became aware of this new vulnerability (CVE-2023-47246] on November 2, but the earliest reports of the exploitation date back to October. Beyond CLOp, Akira and Lockbit, two of the most prolific ransomware actors, have been exploiting a zero-day vulnerability (CVE-2023-20269) in Cisco appliances, enabling attackers to conduct brute force attacks against existing accounts.

High (0)

Medium (2)

12. Denial of Service - Microsoft Message Queuing (CVE-2023-21769) - Medium [394]

Description: Microsoft Message Queuing Denial of Service Vulnerability

Component	Value	Weight	Comment
Exploited in the Wild	0	18	Exploitation in the wild is NOT mentioned in available Data Sources
Public Exploit Exists	0	17	The exploit's existence is NOT mentioned in available Data Sources
Criticality of Vulnerability Type	0.7	15	Denial of Service
Vulnerable Product is Common	0.9	14	Microsoft Message Queuing or MSMQ is a message queue implementation developed by Microsoft and deployed in its Windows Server operating systems since Windows NT 4 and Windows 95
CVSS Base Score	0.8	10	CVSS Base Score is 7.5. According to NVD data source
EPSS Percentile	0.2	10	EPSS Probability is 0.00063, EPSS Percentile is 0.24648

Check Point: Check Point Research has discovered three vulnerabilities (CVE-2023-28302, CVE-2023-21769 and CVE-2023-21554) in the “Microsoft Message Queuing” service, commonly known as MSMQ. The most severe of these, dubbed QueueJumper by CPR (CVE-2023-21554), is a critical vulnerability that could allow unauthenticated attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe.

13. Denial of Service - Microsoft Message Queuing (CVE-2023-28302) - Medium [394]

Description: Microsoft Message Queuing Denial of Service Vulnerability

Component	Value	Weight	Comment
Exploited in the Wild	0	18	Exploitation in the wild is NOT mentioned in available Data Sources
Public Exploit Exists	0	17	The exploit's existence is NOT mentioned in available Data Sources
Criticality of Vulnerability Type	0.7	15	Denial of Service
Vulnerable Product is Common	0.9	14	Microsoft Message Queuing or MSMQ is a message queue implementation developed by Microsoft and deployed in its Windows Server operating systems since Windows NT 4 and Windows 95
CVSS Base Score	0.8	10	CVSS Base Score is 7.5. According to NVD data source
EPSS Percentile	0.2	10	EPSS Probability is 0.00063, EPSS Percentile is 0.24648

Check Point: Check Point Research has discovered three vulnerabilities (CVE-2023-28302, CVE-2023-21769 and CVE-2023-21554) in the “Microsoft Message Queuing” service, commonly known as MSMQ. The most severe of these, dubbed QueueJumper by CPR (CVE-2023-21554), is a critical vulnerability that could allow unauthenticated attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe.

Low (0)

Exploitation in the wild detected (10)

Remote Code Execution (5)

Apache Tomcat (CVE-2023-47246)

WinRAR (CVE-2023-38831)

Check Point: vulnerability (CVE-2023-38831) to steal from

ESXi (CVE-2021-21974)

NetScaler Application Delivery Controller (CVE-2023-3519)

Cisco IOS (CVE-2017-6742)

Elevation of Privilege (2)

Windows Win32k (CVE-2020-1054, CVE-2021-1732)

Check Point: The Check Point research team has uncovered new techniques used by the Raspberry Robin malware. These methods include several anti-evasion techniques, obfuscation, and anti-VM measures. The malware also exploits two vulnerabilities in Win32k (CVE-2020-1054 and CVE-2021-1732) in order to elevate its privileges.

Information Disclosure (1)

NetScaler Application Delivery Controller (CVE-2023-4966)

Memory Corruption (1)

ESXi (CVE-2019-5544)

Authentication Bypass (1)

Cisco ASA (CVE-2023-20269)

Check Point: After the MOVEit attack, exploitation of zero-day vulnerabilities for ransomware attacks continued. Threat actors associated with CLOP were observed exploiting a zero-day vulnerability within the SysAid IT support software, potentially impacting over 5,000 customers. The company disclosed in an advisory that it became aware of this new vulnerability (CVE-2023-47246] on November 2, but the earliest reports of the exploitation date back to October. Beyond CLOp, Akira and Lockbit, two of the most prolific ransomware actors, have been exploiting a zero-day vulnerability (CVE-2023-20269) in Cisco appliances, enabling attackers to conduct brute force attacks against existing accounts.

Public exploit exists, but exploitation in the wild is NOT detected (1)

Remote Code Execution (1)

Microsoft Message Queuing (CVE-2023-21554)

Other Vulnerabilities (2)

Denial of Service (2)

Microsoft Message Queuing (CVE-2023-21769, CVE-2023-28302)

Check Point: Check Point Research has discovered three vulnerabilities (CVE-2023-28302, CVE-2023-21769 and CVE-2023-21554) in the “Microsoft Message Queuing” service, commonly known as MSMQ. The most severe of these, dubbed QueueJumper by CPR (CVE-2023-21554), is a critical vulnerability that could allow unauthenticated attackers to remotely execute arbitrary code in the context of the Windows service process mqsvc.exe.